Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
Before I start, let me explain that this topic is not intended to cause any flames. I'm not a Windows user/fanboy; I just want to know your opinion.
When most Linux users want to install a program, they look at their distro's repositories. So if you want to install VLC you just look for VLC in the package manager of your distro.
But what guarantees that the program you want to install doesn't contain any malicious features?
I wonder if there's good scrutiny by the distro developers/maintainers of most of the software they put up for download, because it seems that most just take the source packages and build the software, not analysing the source code itself. So should we ultimately trust VLC? Cinnamon? GIMP? Have developers actually looked at the entire source code searching for any possible malicious code, or is there some sort of "trust" in the Linux world that if I create new software that becomes famous it'll probably be in most distros without people actually looking at the source code?
Even TrueCrypt: people trusted it for 10 years without even a single audit being made of the software. Recently an audit was made and the source code contained no backdoors, no malware, nothing malicious, but even though TC is Source Available I doubt many people actually had their eyes on it for too many hours searching for nasty things in these past 10 years.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
My take is that it is difficult (but not impossible) to keep the existence of a hidden back-door secret from people working on the source code of an application. Therefore, since most (but not all) open source software is produced by teams of people, it stands to reason that more than one person is likely to know about a back door. Once more than one person knows anything, it is extremely difficult to keep it secret even for big companies and governments with threats of bankruptcy, jail time or worse, so for free projects where people of all kinds come and go it would be verging on the impossible to get everyone to keep the secret.
I have, though, actually used open-source software which contained instructions to make it part of a DDoS. That was a small project led mainly by one person, and since that debacle the team has made sure that there is always more than one pair of eyes on any code changes.
Of course nothing can be 100% trusted but when that compiler was written how many people were working on it and to what purpose? Has it been audited and by whom?
I think the idea here is that there is a lot more chance of a hidden nasty remaining undiscovered in closed-source software than open source. It doesn't mean that one is somehow immune just that there's a lower probability of malicious code remaining hidden in open source (or any other collaborative, including some closed-source) software.
In my opinion it's a good question. But it is not something that will get you a straight, 'this is like this' kind of solution. We can only discuss it and increase our awareness of security matters.
I'm not a developer or package maintainer, but this is how I see it. All of this works on a web-of-trust model. The developers sign the source package. The rest of the community trusts these developers. The packagers verify the signature of the downloaded source code and then compile and check if the software works as intended. If OK, they create binary packages and sign them. We trust our distro's packagers and install the packages. Mostly the package manager software will have a built-in function to verify the authenticity of the package.
However, if any of these guys puts in malicious code, or a bug slips in, we are not safe. Usually, the argument is 'it's open source, everybody can see the code and fix (or help to fix) it if there is any bug/malware'. But let's say we are ten friends working on a project. It's possible that each of us thinks that since the code is openly available, any of the nine others will look into the code and report and/or fix bugs. Even if somebody finds a bug and fixes it, we are vulnerable until the point of fixing and the fix being available to us.
But then again, FOSS is all about commitment, enthusiasm and pro-active work. People do put a lot of effort into chasing bugs and fixing them, all in their free time as a volunteer effort. We should be thankful to them for this. This is where you and I come into play. We can all contribute to the effort in whatever way we can.
If I trust the distro maintainers enough to use their distro, I think it's reasonable to trust the packages that they choose to include in their repositories. It's rather all of a piece, isn't it? It's not necessarily infallible, but reputable distros do vet the packages included in their repos.
Trusting those repos is certainly more reasonable than trusting some random Windows *.exe file downloaded from some random website somewhere on the innerwebs.
Distribution: Ubuntu, mainly. Too much stuff works out of the box O.o
There really isn't much to be said about it. Why do I trust most Linux packages? Same reason I trust most OS X or Windows binary files - no good reason, just "because."
It's essentially impossible to go through all the source of all the packages on your system and verify everything manually - especially since 95% of Linux distributions have non-free SW in there - making it literally impossible.
That being said, many many many many many more people trust that Windows (in its base, no programs) is free of malicious code and same goes for OS X, etc. though it's blind trust all around - you're putting your trust in the company that the product is free of it. This is the same way you put your trust in the waiter that he's not going to take a picture of your card.
There's no way to know for sure except to review it yourself. Even if a very popular person in the community reviews it, they may have missed something, or they may be in on the malicious nature of it and "missed" something. No options except review yourself or blind trust.
I mean screw end user packages - most of the OS isn't reviewed by many many people, so if somebody wanted it secured, they'd be best to start there.
I, for one, don't trust binary packages. And with the vast myriad of distros out there, there's only a very few I trust, and then I just install bare-bones to get me to a login prompt, and compile from there. Although some things, like X, OpenOffice, web browser, Blender, etc, are nearly impossible to compile myself, so I end up installing a binary in spite of my best efforts and reluctance to do so.
Yeah, trust is a fragile thing. People blindly downloading apps for their Android OS sounds like an accident waiting to happen.
Distribution: Ubuntu, mainly. Too much stuff works out of the box O.o
Quote:
Originally Posted by mdooligan
I, for one, don't trust binary packages. And with the vast myriad of distros out there, there's only a very few I trust, and then I just install bare-bones to get me to a login prompt, and compile from there. Although some things, like X, OpenOffice, web browser, Blender, etc, are nearly impossible to compile myself, so I end up installing a binary in spite of my best efforts and reluctance to do so.
Yeah, trust is a fragile thing. People blindly downloading apps for their Android OS sounds like an accident waiting to happen.
Though what does that do? It's not a matter of whether you built the binary or the binary was built on a build server, as the OP mentioned, many many many people blindly trusted TrueCrypt and it FINALLY had an official audit (crowd sourced I believe) like 6mo or so ago after what, 10 years? It's been open source the whole time. The thing is that just because it's open source doesn't mean anybody is actually & actively reading it, and in order for the user to not have to trust anybody then they must review all code they compile manually, themselves.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Quote:
Originally Posted by mdooligan
I, for one, don't trust binary packages. And with the vast myriad of distros out there, there's only a very few I trust, and then I just install bare-bones to get me to a login prompt, and compile from there. Although some things, like X, OpenOffice, web browser, Blender, etc, are nearly impossible to compile myself, so I end up installing a binary in spite of my best efforts and reluctance to do so.
Yeah, trust is a fragile thing. People blindly downloading apps for their Android OS sounds like an accident waiting to happen.
Surely it takes you months to work through all the source code for all the programs you install looking for back doors? How long did it take you to check your C compiler and linker for starters?
You mean that you don't trust binaries compiled by distributions' package maintainers? In other words you do trust the upstream source, but not precompiled binaries quite possibly patched by the distribution you use?
This actually implies that if Joe Bloggs produces package_foo and you just compile it and install it, that's somehow safer than a typical distribution having more sets of eyes on it.
As others have hinted, I'm pretty sure that you're not reading through the full source code of every piece of software you compile.
I trust packages in the official repositories, and well known repositories. Usually if I need a package outside of a trusted repository, I'll look more into it before using it. I'm not going to be ultra paranoid about it though. Even if the upstream source is good, something could potentially be compromised between upstream and the repository.
One thing to note: even if looking at the source doesn't guarantee that any malicious code can be detected, it would still be easier on an open source system to detect malicious behavior. It's the same with rootkits and ssh break-ins. You know something's wrong when the system starts acting up. Even if somehow the tools that one can use to detect an intrusion/malicious code injection have themselves been compromised, things like CPU load or the flashing lights on the NIC would still be indicative that something is not right. If you think the system is compromised, nuke it and start over. If you think an entire distro is compromised, pick another one. The only thing that the above mentioned paper points out is that compiler level hacks are difficult to detect. That's true of all computer security.
What's your take on this?
Things to consider:
1) open-source software has more eyes that look through the code than proprietary software. Sure, maybe not you or non-programmers, but others do.
2) open-source software has less of a chance of containing a backdoor in plain sight, because it would be easy to locate; however, if properly obfuscated, like OpenSSL is, then it would be much easier. It is even easier to hide it when you never release the code (proprietary).
3) other users use open-source software, so if it were malicious, they would have reported it as well as the programmers looking at the code.
4) If you're worried about hackers, always verify the .asc gpg signature of the package.
5) open-source and proprietary software are developed with different motives in mind. One is about developing something that you too will use, and the other is about mining as much data as possible from the "user" so you can feed them some more targeted advertising.
Why do I trust Linux packages? Because I don't trust proprietary ones, for the above reasons. I do program, and if I suspect any malware I will investigate. However, I've been using clamav for quite a while and have only found one Windoze-only trojan on my system long ago. Experience also vouches for open-source, because using antivirus on Windoze I have found hundreds of different malware over the years I was using it. That plus the constant Windoze rot made me switch. Windoze just isn't a reliable enough OS to get meaningful work done on. I really am surprised how everyone else puts up with it. If you can put up with it then you should be good for the next inquisition ... you can stand a lot of pain and anguish.
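The "packager verifies the upstream signature before building" step from the web-of-trust description earlier in the thread, and point 4 above (verify the .asc), as an added example that is not from any poster: it checks a detached GPG signature and, importantly, pins the signer's full fingerprint rather than accepting any "good signature". It assumes GnuPG 2.1 or later is installed; the "Upstream Dev" key, the tarball and its contents are constructed on the fly in a throwaway GNUPGHOME so it runs offline.

```shell
set -eu

# verify_source TARBALL SIG KEYRING FINGERPRINT
# Succeeds only when SIG is a good detached signature over TARBALL made by the
# key whose full fingerprint is FINGERPRINT and which is present in KEYRING.
# Pinning the fingerprint matters: a key that merely carries the right name in
# some public keyring proves nothing about who made it.
verify_source() {
    # --status-fd 1 gives machine-readable lines; VALIDSIG carries the fingerprint
    status=$(gpg --batch --no-default-keyring --keyring "$3" --status-fd 1 \
                 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $4 "
}

# demo_chain: create a constructed "upstream" signing key in a private GNUPGHOME,
# sign a constructed release tarball, then show that the untouched tarball
# verifies and a tampered copy does not. Returns 0 only if both outcomes match.
demo_chain() {
    home=$(mktemp -d); export GNUPGHOME=$home
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Upstream Dev <upstream@example.invalid>' ed25519 sign never 2>/dev/null
    # full fingerprint of the primary key, from the colon-separated listing
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    # the keyring a packager would ship/pin: just the upstream public key
    gpg --batch --export -o "$home/upstream-keyring.gpg"
    printf 'constructed release contents\n' > "$home/foo-1.0.tar.gz"
    gpg --batch --pinentry-mode loopback --passphrase '' --armor --detach-sign \
        -o "$home/foo-1.0.tar.gz.asc" "$home/foo-1.0.tar.gz"
    verify_source "$home/foo-1.0.tar.gz" "$home/foo-1.0.tar.gz.asc" \
                  "$home/upstream-keyring.gpg" "$fpr" && good=ok || good=fail
    # a single appended line (e.g. something slipped in between upstream and you)
    printf 'tampered\n' >> "$home/foo-1.0.tar.gz"
    verify_source "$home/foo-1.0.tar.gz" "$home/foo-1.0.tar.gz.asc" \
                  "$home/upstream-keyring.gpg" "$fpr" && bad=fail || bad=ok
    echo "genuine tarball: $good; tampered tarball: $bad"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    [ "$good" = ok ] && [ "$bad" = ok ]
}
```

For a real download, the keyring and fingerprint must come from somewhere other than the download site itself (a distro's keyring package, a key fingerprint published by the project out of band); the signature only tells you the tarball is what that key signed.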