LinuxQuestions.org


JonJAN 08-12-2011 05:12 AM

Can I trust linux?
 
I was having a chat with a friend lately, he was talking about migrating from OSX and I advised him to try Linux. I explained briefly how Linux is free, developed by nonprofit individuals. He asked how could I trust repos full of compiled code of hundreds of random strangers. I didn't have an answer for this question.

The matter here is not quality of code, stability nor efficiency. His doubts were more malware/virus related. I know that it's open and I can review the code, but it passes through lots of people before hitting the repositories and I can't review compiled packages that I download from the repository.

Repos of Ubuntu and Fedora are huge, I'm pretty sure most of them must be user submitted and user reviewed. I read the Fedora review process and it appears anyone can submit and any member of the team can review and approve. Makes me wonder how hard it is to get into the team?

How can a person be sure that no one will slip something nasty into repos?

Please don't take this the wrong way. I love Linux and I have been using it for years. Help me understand and make a case here.

sycamorex 08-12-2011 05:23 AM

Quote:

how could I trust repos full of compiled code of hundreds of random strangers

I wouldn't exactly call them 'hundreds of random strangers'. Usually packages/patches go through a thorough approval process before they hit the repos.

As to the authenticity of packages provided by some repository, you can always verify a package's signature. As far as I remember it's:

rpm --checksig package.rpm
and
debsig-verify [options] <deb>


I think it's a common misconception about open-source development. Once I heard a guy saying the linux kernel is developed by random strangers scattered all over the world. Each of them just chips in some portion of code and that's how a linux kernel gets developed:)

TobiSGD 08-12-2011 06:02 AM

The question comes down to: How can I trust anyone that I don't know? Packages from the bigger distributions are well revised, so normally you can trust them. This is of course different if you add random Ubuntu-PPAs to your system, they are set up by non-Canonical people mostly, and therefore you have to have a good look before using that software. A simple way to get around this dilemma is to use Slackware. You have a rather small base repository and compile yourself most additional software from source. This way you have the most trustworthy package maintainer you can think of: yourself.

But you may ask your friend a question: What is more trustworthy: Having a repository with software from your distribution that is well revised, like on most Linux distributions, or collecting your software from hundreds of sites scattered around the net, compiled from people no one ever heard of, like on MacOS X and Windows? Seeing the malware situation on Windows I would say the repository approach works much better.

BlackRider 08-12-2011 06:33 AM

This is a very valid question. I would answer it with another question.

Can you trust ANY software you have not written yourself?

The answer is NOT, YOU CAN'T, NEVER, EVER. Nothing guarantees the upstream authors to be playing fair, nor the distro packagers.

But there is a fact that makes GNU/Linux a better option if you are concerned about your packages being evil. When you use an Open Source OS, you know there could be malware. When you use a Closed Source OS, you know it has backdoors for sure. Please, read Windows' EULA for more details, but basically any proprietary OS (and other proprietary applications) could be more easily backdoored by their authors without being noticed. Many Chinese Windows computers were taken down some time ago because Microsoft used a backdoor in the system to discover piracy evidence and screw the units down. I don't like piracy, but this shows that Microsoft can break your computer whenever it wants. I have heard of anti-malware companies getting paid by software vendors so their anti-spyware products don't detect backdoors and rootkits purposely placed by the latter.

Of course, the security of the repositories depends on the policy of each distribution. With Slackware, I usually only compile from source, so there is no warning of packagers putting malware in my computer. Any distribution that has tough admission rules, however, is unlikely to have malware in their repositories.

unixfool 08-12-2011 04:12 PM

Quote:

Originally Posted by BlackRider (Post 4440720)
This is a very valid question. I would answer it with another question.

Can you trust ANY software you have not written yourself?

The answer is NOT, YOU CAN'T, NEVER, EVER. Nothing guarantees the upstream authors to be playing fair, nor the distro packagers.

But there is a fact that makes GNU/Linux a better option if you are concerned about your packages being evil. When you use an Open Source OS, you know there could be malware. When you use a Closed Source OS, you know it has backdoors for sure. Please, read Windows' EULA for more details, but basically any proprietary OS (and other proprietary applications) could be more easily backdoored by their authors without being noticed. Many Chinese Windows computers were taken down some time ago because Microsoft used a backdoor in the system to discover piracy evidence and screw the units down. I don't like piracy, but this shows that Microsoft can break your computer whenever it wants. I have heard of anti-malware companies getting paid by software vendors so their anti-spyware products don't detect backdoors and rootkits purposely placed by the latter.

Of course, the security of the repositories depends on the policy of each distribution. With Slackware, I usually only compile from source, so there is no warning of packagers putting malware in my computer. Any distribution that has tough admission rules, however, is unlikely to have malware in their repositories.

See the bold.

How do you KNOW this? You mention Windows. He's not talking about MS. He's trying to get someone to migrate to Linux from Mac OS X. Are you trying to say that all non-open OSs are backdoored? Based on the MS example that you mentioned? That's quite a stretch. It is quite possible that someone that codes in Linux CAN be nefarious and add some malicious code into the mix. What lessens the effect of that is code auditing. That doesn't always work, though. There have been cases of malware injected into Linux code in the past that made it through security layers. It is always said that you have the option of viewing the code yourself. I don't know about you, but my code review skillset is seriously lacking, and really, not every Linux user should be required to review the code before installing. Authentication of packages that you pull from a repository won't alert on malware that was injected during the coding of the application, either. Building packages and binaries from source isn't 100% safe either, as you could be building something from code that has already been fscked with.

It's all about who you trust and why. The OP's colleague is right, in a sense. The people that code are NOT familiar to you. Sure, some of you may know a few coders that contribute to the cause, but I'm almost 100% positive that you won't know ALL of them. The OP's colleague is also a bit aloof. He hasn't even thought about his Mac's code and the fact that what he suggests as a weakness of Linux also affects OS X. I'm betting some of his installed software isn't created and maintained by Apple's coders.

Basically, this is another risk that each computer user, regardless of platform, has to evaluate before committing to a chosen OS.

My 2 cents is that if someone asks such a question, they don't care about moving to Linux. You're better off spending your time finding someone that is a bit more receptive, IMO. Dunno...maybe you planted the seed of curiosity and he'll investigate Linux on his own? Again, I don't know.

John VV 08-12-2011 04:52 PM

dual boot osx and say Ubuntu or OpenSUSE 11.4
and see for YOURSELF
you decide.

in your circumstances OSX might be better OR NOT?

give a few distros a spin, run one for a few months and then switch, then repeat

soon you will find a distro you like, then use it.

Ubuntu is targeted at the VERY new user (though it is also used by system admins)
OpenSUSE - is a good all around system and targeted at the moderate to very experienced user, though a VERY new to linux user would not have too much of a problem.

Fedora -- apples and oranges. Fedora is a special case and most new users will NOT find it good to use. Some will and those are the tinkerers.


as to security
use the main software repos and you will be 99.9999% fine
there is NO SUCH thing as 100% safe

JonJAN 08-12-2011 05:13 PM

I dug deeper and deeper into this subject and I was amazed by how little Linux users cared. Most of the Linux users have this feeling of supremacy that no virus can hurt them. This is not true and this never was. Hackers just didn't care about us because it wasn't worth the effort. If nvidia bothers to write a driver for us, if adobe bothers to release flash even for 64bit, I'm pretty sure hackers are already writing viruses for us.

Here is some interesting stuff I found:

An FBI backdoor in OpenBSD -> http://www.linuxjournal.com/content/...rs-may-be-true
Hiding Backdoors in plain sight contest -> https://backdoorhiding.appspot.com/
Hackers forcefully planted malicious code into opensource software -> http://www.zdnet.com/blog/security/o...urce-code/7787

Quote:

Originally Posted by unixfool (Post 4441241)
My 2 cents is that if someone asks such a question, they don't care about moving to Linux. You're better off spending your time finding someone that is a bit more receptive, IMO. Dunno...maybe you planted the seed of curiosity and he'll investigate Linux on his own? Again, I don't know.

You are right, but it was a pretty good question and I want to have an answer for it if it pops up again.

Quote:

Originally Posted by John VV (Post 4441267)
dual boot osx and say Ubuntu or OpenSUSE 11.4
and see for YOURSELF
you decide.

in your circumstances OSX might be better OR NOT?

give a few distros a spin, run one for a few months and then switch, then repeat

soon you will find a distro you like, then use it.

Ubuntu is targeted at the VERY new user (though it is also used by system admins)
OpenSUSE - is a good all around system and targeted at the moderate to very experienced user, though a VERY new to linux user would not have too much of a problem.

Fedora -- apples and oranges. Fedora is a special case and most new users will NOT find it good to use. Some will and those are the tinkerers.


as to security
use the main software repos and you will be 99.9999% fine
there is NO SUCH thing as 100% safe

I'm not talking about OSX vs linux and I'm definitely not looking for distro advice.

I just want to learn more about what precautions repos have. For example, should I trust rpmfusion for my packages? Why?

John VV 08-12-2011 05:29 PM

there are a few viruses that run on linux (about 6 to 12 - might be up to 24 by now)
BUT
As far as I know NONE are in the wild
compared to the what 750,000 on MS

Now windows CAN be locked down as secure as any system can be BUT
the DEFAULT settings on most Linux distros, in comparison to windows, are night and day

now I do keep a locked down windows install (XP and now win7) 3 major infections on xp in 8 years, not bad.
since 2004/05, 0 infections on linux and 0 rootkits


now it is easy to set up a linux install to be VERY VERY insecure

see: "Damn Vulnerable Linux" or "Metasploitable"
http://distrowatch.com/table.php?distribution=dvl
http://blog.metasploit.com/2010/05/i...ploitable.html


It all comes down to trust and the fact that there is NO 100% safe (bullet proof) computer OS
one can go to the EXTREME and lock a non-networked computer in a bank vault
BUT
you would still have to trust the owner of the vault.

BlackRider 08-12-2011 06:00 PM

Mr. unixfool, you have completely lost my point. What I intended to show is that you can trust nobody. The Microsoft backdoor was an example, just that, but there are many others around (confirmed and unconfirmed) with different levels of severity.

JonJAN's friend says that free software is not trustworthy because its authors are not trustworthy. What I say is that no software is trustworthy at all. Even the software you write can be compromised if you use a compromised compiler (I have seen an example where a compiler was trojanized to generate modified programs). The fact that the software is developed by a firm and released closed source does not mean that it is more secure: it only means that backdoors can be easily concealed. OK, Linus and his team could put malware in the kernel itself and it's likely nobody would notice because there are tons of lines of code, but... there are a lot of freaks, universities and academics that could have a look at the code for educative purposes, or just for fun, or just to adapt a module to a particular circumstance (a friend of mine had to modify the software for his WIFI card once). Serious packagers do look (fast, but they do it) at the code of the apps before packaging it. There is a slightly bigger chance to discover malicious code. A rootkit made by Sony could remain unnoticed for years.

By the way, all this chat is not new. I have seen exactly the same subject discussed in SlackBuilds.org and Porteus forums. I myself have talked with many people about this, even with some software developers. This is what I suggest: if you don't trust the packagers, use the source code; if you don't trust the source code, sell your computer and return to the paper&pencil age.

EDIT

It is a matter of trust. I use source code when it comes from not-untrusted authors (if the author has not been proven to be a son of a @#~&). This is not to mean I trust that software, it only means that you have no other options than to use some kind of software or use your machine as a decoration object. SElinux, for me, is not trustworthy, because the American government has already placed backdoors and rootkits in many products. This is what I call "untrustworthy author". I compile my kernels without SElinux support.

I don't know, for example, who wrote lrzip, but I need a compression tool even when I can trust no coder. So I use lrzip because there is little chance for lrzip to contain malware and because it offers no less guarantees than any other tool.

Now, can you trust packagers? Not much. Anyway, if the distribution has hard admission rules, you can say that each packager has demonstrated to be of some value to the OSS movement and that some big player has decided he is trustworthy. Do you think Patrick hires a Jo Doe to work in Slackware?

With community repositories, the things change. SLAX, for example, offers not many guarantees for the modules the users post. As of today, anyone can put software for download and it will have only a fast check for bizarre malfunctions. SLAX developer has already told in the forums that he is going to change the repository model.

Timothy Miller 08-12-2011 08:17 PM

IMO, you can't. BUT, you can download the source code and see for yourself there's nothing in it, then you can. You can't verify that on Windows/OSX. Therein lies the reason I will ONLY truly trust Open Source.

jefro 08-12-2011 09:17 PM

You can't trust linux. All OS's are subject to more holes than some rash statement like Linux is secure.

To be sure one of the BSD's has been suggested as the most secure. Problem is that statement like all OS's only involve a very basic OS. The holes exist in the apps installed and the way the user opens holes. It takes less than an hour each year to hack into OS's. See Pwn2Own contests.

anomie 08-12-2011 09:33 PM

Quote:

Originally Posted by JonJAN
Here is some interesting stuff I found:

An FBI backdoor in OpenBSD -> http://www.linuxjournal.com/content/...rs-may-be-true
Hiding Backdoors in plain sight contest -> https://backdoorhiding.appspot.com/
Hackers forcefully planted malicious code into opensource software -> http://www.zdnet.com/blog/security/o...urce-code/7787

Trading tit for tat on critical vulnerabilities should see *nix regularly come out ahead. I would imagine you can find a couple instances of slight problems with Microsoft's and/or Apple's operating systems as well.

Quote:

Originally Posted by JonJAN
I just want to learn more about what are the precautions that repos have. For example should I trust rpmfusion for my packages?why?

On a very basic level, I (personally) would not trust any package that has not been cryptographically signed by the repository maintainer. That said, there are usually a number of weak links with public key cryptography (public key distribution, for instance; are you sure you got the real key?). But if a repo is not even providing signed packages (or source tarballs), you should view it as a serious red flag.

But that's something of a digression. You're really asking whether open source is "more trustworthy" than closed source. IMO, well vetted, widely used open source projects should theoretically produce cleaner, safer code. Period. But I truly don't know whether good, regularly updated empirical evidence is available to demonstrate this point. I have read many, many biased and editorialized comparisons.

If you're here gathering information just so you can tell off your smart @ss friend, then treat it like any (supported) debate. Put together references that support your position, and tear him a new one.

If you're here with a practical angle, and would like to learn more about a well-designed Linux distro with security in mind, then learn about: http://www.openwall.com/Owl/
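
An added example, not part of any post in this thread: it reads the output of the rpm --checksig command from sycamorex's post and applies anomie's rule that a package without a verified signature is a red flag, since a line ending in OK can mean only that the digests matched. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret `rpm --checksig` output so that a package with
# good digests but no signature is not mistaken for a verified one.
# Function names and the sample lines below are constructed.

# Print a verdict for one output line: signed-ok, unsigned, failed, unknown.
classify_checksig() {
    line=$1
    result=${line#*: }            # drop the "package.rpm: " prefix
    case $result in
        *"NOT OK"*) echo failed; return 0 ;;   # bad digest/signature or missing key
        *" OK"|OK)  ;;                          # keep going: what exactly was OK?
        *)          echo unknown; return 0 ;;
    esac
    # Older rpm prints e.g. "(sha1) dsa sha1 md5 gpg OK"; strip the
    # parentheses and pad with spaces so whole words can be matched.
    padded=" $(printf '%s' "$result" | tr -d '()') "
    case $padded in
        *" signatures "*|*" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*)
            echo signed-ok ;;      # a signature item was checked and passed
        *)  echo unsigned ;;       # only digests/checksums were checked
    esac
}

# Read `rpm --checksig` output on stdin, print one verdict per package,
# and return non-zero unless every package carried a verified signature.
audit_checksig() {
    rc=0
    while IFS= read -r line; do
        verdict=$(classify_checksig "$line")
        printf '%-10s %s\n' "$verdict" "$line"
        [ "$verdict" = signed-ok ] || rc=1
    done
    return "$rc"
}

# Constructed sample lines in the newer and older rpm output styles.
sample_output() {
    cat <<'EOF'
good.rpm: digests signatures OK
nosig.rpm: digests OK
nokey.rpm: digests SIGNATURES NOT OK
old-good.rpm: (sha1) dsa sha1 md5 gpg OK
old-nosig.rpm: sha1 md5 OK
EOF
}

# Real use: rpm --checksig ./*.rpm | audit_checksig
sample_output | audit_checksig || echo "not every package is signature-verified"
```

A signed-ok verdict is only as good as the keys imported into the rpm keyring, which is the key distribution weak link anomie mentions.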

unixfool 08-15-2011 02:19 PM

Quote:

Originally Posted by Timothy Miller (Post 4441358)
IMO, you can't. BUT, you can download the source code and see for yourself there's nothing in it, then you can. You can't verify that on Windows/OSX. Therein lies the reason I will ONLY truly trust Open Source.

That only works if you know how to read the source code. And even if you know how to read it, you might not recognize the exploit code.

I'm not trying to stir the pot, but really, what you're saying is a bit unrealistic. Let's get fundamental. You use a bank to store your money, right? Banks are hardly open but people use them anyways. What I'm getting at is that trust is implied.

I'm not being negative about open source (hell, I use it too, but I'm not zealous -- not pointing fingers), but there has to be something more than the example you just gave. That's not really enough to trust. You can't honestly think that everyone that uses Linux knows how to read source code (or that they should be forced to learn to read code)....at least I hope you don't think that.

From anomie:

Quote:

You're really asking whether open source is "more trustworthy" than closed source. IMO, well vetted, widely used open source projects should theoretically produce cleaner, safer code. Period. But I truly don't know whether good, regularly updated empirical evidence is available to demonstrate this point.

THAT'S pretty much on the money. It ain't much to work with, but it's about as clear as it gets with what the OP is dealing with.

unixfool 08-15-2011 02:24 PM

Quote:

Originally Posted by BlackRider (Post 4441302)
By the way, all this chat is not new. I have seen exactly the same subject discussed in SlackBuilds.org and Porteus forums. I myself have talked with many people about this, even with some software developers. This is what I suggest: if you don't trust the packagers, use the source code; if you don't trust the source code, sell your computer and return to the paper&pencil age.

No, this subject isn't new, even in these forums.

I'd say if you don't trust the source code, don't use the app. There is usually more than one flavor of a particular app. Selling a computer because you don't trust source code is a bit out there. Maybe, figure a way to make the code more trustworthy (informing the maintainer...having someone who can read source code from a security audit perspective...there are better options than telling someone to use paper and pencil). If there's something hokey and you can somewhat substantiate the claim, I'm pretty sure the maintainer would want to know, as well as the security community.

