When a Windows user searches the Web to "find and install software" they run a significant risk that the software they download and install is malware.
It is possible to do this and still avoid malware, but one needs to be software "savvy".
If one uses Linux OTOH and adopts a simple policy of "always install software from repositories" ... then anyone can avoid malware. Even non-savvy end users of software can ensure their system is clean and yet fully functional using a simple policy such as this.
You cannot follow such a policy on a Windows system.
Linux software in repositories is open source, and hence guaranteed to be open to inspection ... and hence impossible to "hide" malware within it.
Sure you can, so please do not spread FUD here. I recommend Avast or AntiVir PE. Both are available for free. They update themselves automatically and can be set to auto-scan files downloaded from the Internet before they are run.
"Sure you can, so please do not spread FUD here. I recommend Avast or AntiVir PE. Both are available for free. They update themselves automatically and can be set to auto-scan files downloaded from the Internet before they are run."
The policy the original poster was talking about is the install-from-repository-only policy. Do you really mean that Windows has something equivalent to that?
I'm always trusting third parties with my security. I don't have the time or knowledge to do my own complete security audits on every piece of code I use. So at the end of the day I simply trust that OpenBSD, Sun, Red Hat, Ubuntu, the KDE team or whoever has done a good enough job.
Funny, I thought there was NO malware for linux.
I never have understood this. Just because you make the source available doesn't mean that it is the same as the binary version. This would be correct if you ONLY built from source and were able to fully understand the author's code.
How would you know? There is no per-application packet filtering, so any app could 'phone home' without you knowing. The maintainers would have to go through every line of code for every program and be able to understand the code as well. With the amount of apps available, this would be impossible.
From my own coding experience, it's very difficult to understand your own code if you leave it for a few weeks, let alone grab someone else's code and understand what all of it does.
Uh, it certainly is not impossible to hide malware in opensource. If a repository is compromised, then you cannot trust the repository. If nobody looks at the code for a particular app in the repository, then it could contain malware.
It is unlikely, but not impossible.
You clearly misunderstand the process here.
Package repositories typically do not contain source code. Source code management systems typically control the source code.
1.5 million full-time-equivalent programmers constantly look at the source code.
Repository maintainers take a particular point release of the source code, inspect it thoroughly, compile it, test it, make sure it works with the rest of the distribution, package it, digitally sign the packages and put it into the package repositories.
There is just no way imaginable that intentional malware can casually be submitted to a source code management system, get accepted into the build, compile properly in test versions, get released to a point release, get taken up by a repository maintainer, compiled, tested again, digitally signed and placed into a distribution's package repository without anyone even looking at the code.
Just won't happen. Especially if the original submission of code patches was anonymous ...
Even if a distribution's repository server is hacked in to, there is no way that anyone could just slip in a doctored package with a correct digital signature ...
You cannot hide malware in open source repositories.
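The "digitally signed" step above is easier to reason about with the chain spelled out. The following is an added example, not code from any distribution's tooling or from anyone in this thread. It models how apt's trust chain actually works: the archive's Release file (whose GPG signature apt checks against the archive key; that signature check is assumed already done and is outside this script) lists the SHA256 of each Packages index, and each Packages index lists the SHA256 of every .deb it describes. A mirror operator who swaps a .deb, or rewrites the Packages index to match the swapped file, cannot make the result agree with the hashes in the signed Release file. All sample archive data below is constructed.

```python
"""Verify a downloaded .deb through the hash chain rooted in a signed Release file.

Added example, not apt's own code. The Release signature check (gpgv against
the archive key) is assumed to have already passed; everything below it is
plain hashing, which is why a compromised mirror cannot substitute packages.
"""
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> Dict[str, str]:
    """Return {index_path: sha256} from the 'SHA256:' section of a Release file."""
    hashes: Dict[str, str] = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):      # a new top-level field ends the section
                in_section = False
                continue
            digest, _size, path = line.split()
            hashes[path] = digest
    return hashes


def parse_packages_index(packages_text: str) -> Dict[str, str]:
    """Return {Filename: SHA256} for every stanza of a Packages index."""
    result: Dict[str, str] = {}
    for stanza in packages_text.split("\n\n"):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            if line and not line.startswith(" ") and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Filename" in fields and "SHA256" in fields:
            result[fields["Filename"]] = fields["SHA256"]
    return result


def verify_package(release_text: str, packages_path: str, packages_bytes: bytes,
                   deb_filename: str, deb_bytes: bytes) -> bool:
    """True only if Release vouches for the Packages index and the index vouches for the .deb."""
    expected_index = parse_release_sha256(release_text).get(packages_path)
    if expected_index is None or sha256_hex(packages_bytes) != expected_index:
        return False                      # index is not the one the signed Release lists
    expected_deb = parse_packages_index(packages_bytes.decode()).get(deb_filename)
    if expected_deb is None:
        return False                      # package is not in the index at all
    return sha256_hex(deb_bytes) == expected_deb


# --- constructed sample archive (stand-ins, not a real mirror) ----------------
GOOD_DEB = b"!<arch>\nstand-in bytes for example-tool_1.0-1_amd64.deb\n"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES_BYTES = (
    "Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(GOOD_DEB)}\nSHA256: {sha256_hex(GOOD_DEB)}\n"
).encode()
RELEASE_TEXT = (
    "Origin: Example\nSuite: stable\nDate: Thu, 07 Feb 2008 03:04:00 UTC\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
    "Acquire-By-Hash: yes\n"
)
TAMPERED_DEB = GOOD_DEB + b"\x90\x90"     # attacker-modified package on the mirror
# The attacker also rewrites the Packages index so it lists the tampered hash:
FORGED_PACKAGES = PACKAGES_BYTES.replace(
    sha256_hex(GOOD_DEB).encode(), sha256_hex(TAMPERED_DEB).encode())


def demo() -> Dict[str, bool]:
    """Three download scenarios: genuine, swapped .deb, swapped .deb plus forged index."""
    return {
        "genuine": verify_package(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BYTES, DEB_PATH, GOOD_DEB),
        "swapped_deb": verify_package(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BYTES, DEB_PATH, TAMPERED_DEB),
        "swapped_deb_and_index": verify_package(RELEASE_TEXT, PACKAGES_PATH, FORGED_PACKAGES, DEB_PATH, TAMPERED_DEB),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'REJECTED'}")
```

Only the genuine case passes. The third case is the one that matters for the "hacked repository server" argument: even with both the package and its index rewritten, the index no longer matches the signed Release file, so the forgery is rejected without any human having to read the package's code. The signature on Release is the only thing that has to be protected, which is why the archive signing key lives off the mirror.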
I understand the process just fine.
"There is just no way imaginable that intentional malware can casually be submitted to a source code management system, get accepted into the build, compile properly in test versions, get released to a point release, get taken up by a repository maintainer, compiled, tested again, digitally signed and placed into a distribution's package repository without anyone even looking at the code."
Uh, if malware is submitted with working code, and that code is not properly vetted (human error does happen), then malware can make it into the repository. It's that simple. If you cannot imagine a way for it to happen, that does not mean that it cannot.
No. Most companies that offer their software on Linux also provide packages of it. It's perfectly possible to download, for example, a standalone .deb package, double-click on it in Nautilus and install it. You don't HAVE to use the repositories.
"No. Most companies that offer their software on Linux also provide packages of it. It's perfectly possible to download, for example, a standalone .deb package, double-click on it in Nautilus and install it. You don't HAVE to use the repositories."
True. You don't HAVE to use repositories. You could adopt a policy similar to what Windows users are forced to follow, and download binary packages from assumed-reputable web sites and trustingly install these on your system.
... or you could adopt a policy of only installing software via the repositories, and avail yourself of the efforts of the repository maintainers to compile it correctly configured for your distribution, and enjoy the benefit of those packages being able to be vetted by any number of programmers who also use the selfsame packages and who can also independently compile from the source to check the integrity of packages from the repository.
Edited 2008-02-06 13:03 UTC
Many, many years ago (about Windows 3.1 time) someone told me jokingly that in the "next version of Windows you will be only able to use software approved by Microsoft".
Seems to me that joke materialized today in the form of "online repositories", and Big Brother is watching all of us closely - but this time not from Redmond, WA ;-)
Edited 2008-02-06 22:44 UTC
1. The repository maintainers typically do not write the code. They just compile it, test it, package it and digitally sign it. There is nothing to be gained by a repository maintainer in censoring the available packages, and indeed the diversity of and larger number of packages that any given distribution has in its repositories is a selling point. The fact that debian/Ubuntu has a larger number of packages in its repositories than other distributions is one of the main reasons why Ubuntu is popular.
2. Repository maintainers do not control you. If you adopt a policy of "always install from repositories" ... it is you who decided to adopt that policy, not the repository maintainers. Repositories are a service that YOU decide if you want to use, or not.
3. There is no login required to access a distribution's repository. You do not need to ID yourself. The major distributions have mirror sites for their repositories, and other independent sites, and a lot of businesses will happily sell you (for a few dollars at most) an "updates CD" with the latest contents of a repository without even requiring you to tell them your name. You are not being monitored by repositories.
4. You can make your own repository. You can add repositories from other parties.
You need to find out a bit about repositories before you make silly comments. Read up on the topic, then get back to me on how that "controls you" in any way at all.
https://help.ubuntu.com/community/Repositories/Ubuntu
BTW, if you dislike official software repositories: http://www.getdeb.net/
Enjoy!
Edited 2008-02-07 03:04 UTC
Regardless of whether the app is closed or open having it come through the repositories is a good thing, especially for the kinds of people who can't keep their Windows installations clean.
When it comes from the repositories you have someone vouching for it. Someone who has tested it to see if it works and if there's anything non-kosher about it. Going to a website to get it gives you none of those benefits. Sure, you could do some research about it before downloading and see how other people feel about its safety, but that's a lot of work and is still not as thorough as the people in control of the repository would be.
Those malware ridden p2p apps that were everywhere a few years ago would never have made it into our repositories.
And, even if one totally ignores the security aspect, going through a repository is easier and faster. I don't want to do things the old way.
Wrong, you get a warning saying that those packages are provided and supported by the community. If you're going to troll (btw, did Ubuntu/GNU/Linux rape your sister or something?) at least do it right.
The point is it is still in the repository and I was replying to
Did you even read the message I was replying to? How does my reply make me a troll?
And I'm the troll? Sheesh!
How could they test for some malware like spyware? There are no Linux apps to do this. Plus, there is no per-application packet filtering on firewalls to catch any app that is secretly communicating over the net.
So how do they test, who are they and can we sue them if they get it wrong?
Edited 2008-02-06 03:39 UTC
At this point you are sounding like an irate fool. Canonical checks the software that goes into their repos. Some random guy can't just go into the repos and insert malware. Do you go to Apple and ask them if the software on their downloads page is malware? No, you assume that Apple isn't going to try to f--k their users on purpose. Even though some of the responses about the repos have been misguided, you have to realize that having one central source has many benefits, one of them being able to update your WHOLE machine without having five system tray icons asking you to update, or having to go to each respective app's site to download the latest version, or having said app pummel you into updating with annoying pop-ups. That to me is the major draw of using something like apt-get. The same argument you had was made about ubufox.
Lol! this is so funny, yep, you know how it works, Canonical checks the software. What a great reply. Cleared everything up for me.
When did I say that someone could? The point was that there are no tools to check for spyware. So how exactly do they check?
And what about my firewall point?
http://www.wireshark.org/
http://en.wikipedia.org/wiki/Wireshark
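Wireshark shows you the packets but not which program sent them, and the earlier objection that Linux has no per-application packet filter is correct for a stock kernel. The question "which program opened this connection?" is still answerable from /proc, which is what the following added example does. It is not code from Wireshark or from anyone in this thread. It assumes the Linux /proc layout: /proc/net/tcp lists every IPv4 socket with its inode number, and each process's open sockets appear in /proc/<pid>/fd as 'socket:[inode]' symlinks; joining the two gives a per-process connection table. The /proc/net/tcp sample below is constructed; socket_inode_to_pid() reads the live /proc tree and can only see processes the caller is allowed to inspect (run it as root to see all of them).

```python
"""Attribute TCP connections to the owning process using only /proc (added example)."""
import ipaddress
import os
import socket
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple


class Conn(NamedTuple):
    local: str
    lport: int
    remote: str
    rport: int
    state: str
    inode: int


TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}


def _decode_addr(hex_addr: str) -> Tuple[str, int]:
    """'0100007F:0277' -> ('127.0.0.1', 631); the IPv4 word is host-endian (little on x86)."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Conn]:
    """Parse the /proc/net/tcp table; column 9 is the socket inode, the header line is skipped."""
    conns: List[Conn] = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        local, lport = _decode_addr(f[1])
        remote, rport = _decode_addr(f[2])
        conns.append(Conn(local, lport, remote, rport, TCP_STATES.get(f[3], f[3]), int(f[9])))
    return conns


def socket_inode_to_pid(proc_root: str = "/proc") -> Dict[int, int]:
    """Map socket inode -> pid by reading every readable /proc/<pid>/fd symlink."""
    mapping: Dict[int, int] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                 # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                mapping[int(target[len("socket:["):-1])] = int(pid)
    return mapping


def process_name(pid: int, proc_root: str = "/proc") -> Optional[str]:
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return None


def phone_home_candidates(conns: List[Conn]) -> List[Conn]:
    """Established connections to globally routable hosts, i.e. traffic that left the LAN."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and ipaddress.ip_address(c.remote).is_global]


def attribute(tcp_text: str, inode_to_pid: Dict[int, int], proc_root: str = "/proc") -> List[dict]:
    """One row per outbound connection: remote endpoint, socket inode, owning pid and its comm."""
    rows = []
    for c in phone_home_candidates(parse_proc_net_tcp(tcp_text)):
        pid = inode_to_pid.get(c.inode)
        rows.append({"remote": f"{c.remote}:{c.rport}", "inode": c.inode, "pid": pid,
                     "comm": process_name(pid, proc_root) if pid is not None else None})
    return rows


# Constructed sample: a listener on loopback port 631 and one outbound connection to 8.8.8.8:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D2A4 08080808:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:       # live run against the local machine
        for row in attribute(fh.read(), socket_inode_to_pid()):
            print(row)
```

On the constructed sample the loopback listener is ignored and the 8.8.8.8:443 connection is reported with whatever pid owns inode 12345. Run live, this is the same join that `netstat -p` and `ss -p` perform; the point for the thread is that the absence of a per-application firewall does not make a phoning-home process invisible, it just means you look it up after the fact rather than blocking it up front. This only covers IPv4; /proc/net/tcp6 uses the same columns with 32-hex-digit addresses.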
I'm trying to figure out what the advantage to Parallels on Linux would be over an equivalent/better open source solution, such as VirtualBox. I've seen several reviews giving it better marks for speed than both Parallels and VMWare products. VirtualBox also has the advantage of running on all three major platforms with a single user interface (naturally, since it's written using C++/Qt).
However, if you have $49.99 that's just burning a hole in your pocket, feel free to buy Parallels; I'm a college student, so I don't have that problem. 
SmartSelect on Parallels Desktop for mac is amazing. It allows you to double-click on a windows-type file (say .doc or .xls) and have it open in Word for Windows, all automatically. The reverse is also true; you can open a Mac type file inside your VM and have it open in a mac program. This, to me, is worth the cost of Parallels. Of course, I'd love to have it for free, but until then, Parallels gets my $80 of hard-earned cash.
I was one of the earlier buyers of Parallels Workstation for Linux (from the time it was still an inch away from SVista, the previous incarnation of the product). But once the product took off on the Mac, Parallels neglected the Linux version. For a long time you had to manually patch the included drivers, because they didn't work with current kernels (though it seems they have updated packages of 2.2 now). Besides, the Linux version had no feature parity with the Mac variant.
If you want virtualization, it's probably better to use a product from a vendor that cares at least a bit about Linux, like VMWare or Innotek (VirtualBox).