Submitted by This is a problem I hadn’t yet heard of, so it fascinates me to no end. We all know VLC, right? It’s one of the best video players out there, and while I myself generally just install the K-Lite Codec Pack, VLC is definitely a good alternative – and pretty much the norm on Linux. They’re having a problem, though: malicious folk are bundling VLC with malware, offering it up for download as the official VLC, and misleading users in the process. Not only does this violate the GPL – it’s pretty damn low, too.
Some websites, companies, and people are bundling VLC with loads of spyware, crapware, and malware, only to offer it up for download as the official VLC. Not only does this violate VideoLAN’s intellectual property, it also violates the GPL. VideoLAN, understandably, isn’t happy about this.
“At VideoLAN we’re really fed up with all those websites/companies that are tricking our users to download malware and violate our IP by distributing misleading versions of VLC without conforming to the GPL license,” writes VideoLAN developers Ludovic Fauvet, “What bothers us the most is that many of them are bundling VLC with various crapware to monetize it in ways that mislead our users by thinking they’re downloading an original version. This is not acceptable. The result is a poor product that doesn’t work as intended, that can’t be uninstalled and that clearly abuses its users and their privacy.”
The problem isn’t specific to VLC, and it would appear there’s very little VideoLAN can do about this. “They have the money to buy adwords, we don’t. Sadly, as a non-profit organization we don’t have the money to sue them,” Fauvet sighs. A case where an IP lawsuit would be totally justified? Yes, they exist.
Interestingly enough, VideoLAN tried contacting Google to get this issue resolved – but Google didn’t care, as Fauvet notes in the comments to the blog post, since of course, Google is making money off these scammers (you stay classy, Google). It wasn’t until Fauvet’s blog post got a lot of media attention over the weekend that Google contacted them; they are now trying to work out a solution.
Google should take a proactive approach to blocking these scammers from AdWords, but considering they didn’t even kick drug scammers off AdWords, I’m not sure they really care about VLC.
This is a problem with a lot of free software, (both senses of the word free) media players and converters in particular. I’ve had to train myself and others to just ignore the yellow highlighted Google search results. Soon as you tell someone those people paid for their high search ranking, like buying an ad, they quickly learn to avoid those results.
Type in “free audio converter” into Google, and TRY and find a legitimate piece of software. They’re in there, sure, but buried under piles and piles of the same shit repackaged maliciously.
“Free Video Player” on the other hand has the official VLC as the top item.
“This is a problem with a lot of free Windows software”
There, FTFY.
It is only a problem for binary blob packages distributed via the web (as opposed to software repositories with signed keys).
Typically, one does not use Google to search for software for a Linux distribution.
http://www.ubuntu.com/ubuntu/features/ubuntu-software-centre
If one searches for “VLC” in the Ubuntu Software Centre, one is guaranteed that the software offered for installation is a legitimate version of VLC.
Edited 2011-07-11 23:39 UTC
***groan***
Oh not this bullshit again.
Technically savvy Windows users also check the source of their downloads.
If these users where educated in the first place about getting their software from the correct place i.e. vlc’s homepage … this problem would’t exist.
Coverting everyone to Linux isn’t a silver bullet solution as regards to everything.
Oh and Lemur2 … please read this.
https://nonlinux-manifesto.jottit.com/
Yeah, people just have to think for a second and check where they’re downloading their software from. If they’re downloading it from http://www.vlc-millenium-4-you.ws, of course they should be wary… It’s about common sense.
I would like to add this to the end of manifesto:
Ho and “lucas_maximus”… Please read this:
http://uptime.netcraft.com/up/graph?site=nonlinux-manifesto.jottit….
;-P
So it is running Linux … your point being?
I honestly don’t care that that particular website is running Linux, the fact that it is running Linux is irrelevant since all I care about is that the application is working as expected.
The same service can be hosted on Windows, Solaris, FreeBSD … it doesn’t matter.
If Linux worked as a desktop for me and my need[s/i] I would certainly use it … however it doesn’t.
[i]Edited 2011-07-12 11:33 UTC
… And we should care because? *
– Gilboa
* Point being: Lemur2 pointed out that the problem was -not- open / free source, but the broken software distribution model (or lack of) that’s being to distribute 99% of all software under Windows – a problem that was solved years ago in Linux, *BSD and Solaris.
In response a useless link was posted (I don’t like Linux! Baah! in your face!) and just as irrelevant why-I-don’t-use-Linux story.
… It would have been far easier to conceded that the Windows ecosystem does indeed have an issue with software distribution and continue, no?
gilboa,
“… It would have been far easier to conceded that the Windows ecosystem does indeed have an issue with software distribution and continue, no?”
Well, I agree with the point that repos solve the unauthenticated download issue.
However, a repository is only useful for times when the binaries/sources are available from the repository.
The moment we step outside the repository (source or not), a large chain of dependencies can start to break.
I’ve encountered countless times when I’m working with source code with numerous dependencies, which require external library dependencies which are not fulfilled by the repos.
Asterisk is a good example, openssl is another, dbus is another, etc. When I try to compile these projects using the latest source (newer than the repos) they break during the ./configure phase.
Configure spits out “XYZ is not satisfied”.
The first thing I due is verified XYZ installed from repo (often heuristic guessing is needed to even find the package name corresponding to the automake script).
If the package is not there, there’s sometimes no choice but to locate the source via web search. What I download may or may not be from an official site (how would I know?) and then compile that, which may rope in even more dependencies. At this point, I’m desperately trying to get the original source to compile, I just don’t have the resources to check everything for malware.
What linux dev hasn’t faced this problem? This is particularly problematic when working on bleeding edge source code.
Arguably, this may just be a matter of bad practices between developers and repositories. However I tend to think the problems stem from centralized repositories. What we need is decentralized repositories. The decentralized repo should continue to authenticate packages, possibly serve as a mirror, but unlike today, it should be possible for properly authenticated authors to provide direct upstream repo access such that devs can explicitly apt-get the latest upstream libraries.
This would allow proper authentication of authors, even though their code hasn’t yet been (or will not be) accepted in the distro repo.
This would address all the times that I have no choice but to go outside of my linux distro’s repo to get.
I guess there’s functional overlap between this and version control systems, but I think we’d benefit from improved integration.
I get your point, and I do agree that the repository system has it shortfalls (when certain software does not exist) – though this problem can be partially negated by selecting distribution (E.g. Debian / Fedora / etc) with wider selection of software.
As for the decentralized repo, to some effect this already exists (PPAs in Ubuntu, personal repository infrastructure in Fedora, etc) – though I do agree that this is still somewhat spartan.
… In the end, while not perfect, the idea of software repository (be that Linux style or *BSD style) solves the problem for >90% of all users and all use-cases. A similar tool, running under Windows would greatly reduce the software distribution problem under Windows – even if it doesn’t solves the problem completely. (Read: The lack of system-based package and dependency management system).
– Gilboa
Edited 2011-07-13 04:21 UTC
You have to be technically savvy enough to make that decision … it comes down always to user expertise.
😉
That exists already for some distributions. Webmin and Mondo Rescue both provide Debian specific repositories. You get your Debian from the distro repositories and your Webmin/Mondo from the applicable developer managed repositories.
It does indeed work well provided the third party repo maintainer manages it well.
No it hasn’t been solved by them.
It is not a solved issue considering every distro does it differently as well, with varying results … Arch for example have f–k load of dependancies that are often not needed … why??
Things like delta RPMS are a step in the right direction … but the last time I typed Yum upgrade in my Fedora 15 box there was 200mbs of upgrades about a week after install and I grabbed it as soon as the ISO came out.
Also there is no clear seperation what is OS updates and what is Application updates. BSD does this perfectly I give you that and OpenBSD pkg tools are the best I have used … but downloading .exes with a bit of common sense seems to work quite well also.
Again swings and roundabouts … it is not black and white … which is the issue I have with the statements.
It wasn’t a story … it was a manifesto and wasn’t written by me … I wish I had wrote it since it put many of my feelings into concise statements.
The point was I have chosen Windows and millions of users don’t have any problems with it. Some have chosen using macs .. because they like using them.
It is really people like Lemur2 go on and on about problems that really don’t exist unless you are fringe edge cases … These comments had some value in the pre Windows XP SP2 days … but not now which is 7 years later (an eternity) in the tech world, much of these issues don’t exist.
I was trying to get through to him/her that you don’t have to promote your OS of choice all the time … if it really is that good … it will promote itself and I will use it because it is the better option … not because of some dubious made up reason taken straight from FSF.org.
I say I like Windows 7 but I don’t try converting everyone to Windows 7 … because I don’t have to the sales speak for themselves .. and the OEM argument is invalidated by the Beta download numbers which were massive also.
There is nothing broken about Windows Software distribution. You download an executable from it’s website and you have zero problems … funnily enough if you go to warez.com and dodgy websites you will have the same problem ….
Ironically this was the exact same argument that Lemur2 was using against downloading binaries … except he was insisting the codez is open … because that magically fixes all bugs and exposes badness.
yes people can do shitty things … with closed source software …
I gotta deal with it first hand everyday with 3rd bespoke CMS software …
but some open source software is f–king shitty too (Rainbow CMS, check it out I gotta support that shit until 2011 with no docs)
Ultimately it is swings and roundabouts and pretending any different is ridiculous.
I use whatever works for me … I use OpenBSD on a soekris box, Linux on a PHP/Ruby/Python dev box, iBook for a laptop (6 hours battery life ) and a Windows 7 PC for .NET development … I am only pragmatic … and I do not care for dogmatism unless a company is doing something exceptionally shitty.
So forgive me for disagreeing when someone is being a free software zealot … because I honestly don’t care about your ideals … and most of the world doesn’t either.
Edited 2011-07-13 21:06 UTC
Yes, it has been solved. The fact that different distributions use different methods means only that it has been solved in a number of different ways.
There are only two essential steps required to prevent malware being distributed via trojan horses:
(1) Have a wide collaboration (meritocracy) of independent developers developing the project with source code in the open (everyone able to inspect it), and
(2) Have a distribution system which ensures that the binary which is the result of compiling THAT source code is the binary that is distributed to all recipients.
In the case of the VLC project (the topic of this thread) requirement (1) is available for all platforms, since VLC is a cross-platform application.
Requirement (2) is only in place for the Linux platform. Distribution of VLC to recipients running Windows is demonstrably an abysmal failure, and this is clearly not the fault of VLC itself. The culprit is the system of distributing and installing Windows applications expected to be followed by Windows users.
Edited 2011-07-13 23:58 UTC
Why are there countless implementations of it then. Some work some don’t
No it is malicious people doing nasty things with the VLC source code.
You have an anti-Windows agenda because you are a GPL Zealot … all one has to do is download the software from the supplier and you are fine … this is no different from making sure you install from an official repo.
Stop making up problem that don’t exist.
These issues certainly do exist for Windows 7. If a user downloads a trojan horse installer, which they have no real reason at all to trust, yet they still run it and give permission at UAC prompts, then the malware payload will often install just fine. Anti-malware software cannot possibly keep up with 2 million new pieces of Windows malware code per year.
You are told of better options and you just deny that they exist!
Ordinary users not wanting malware on their systems; and the observation that the Windows paradigm of downloading un-verifiable stuff from god-knows-where and then clicking Allow, Next, Next, Next is well entrenched … both have nothing at all to do with FSF.org.
Edited 2011-07-14 00:32 UTC
Oh not this bullshit again. There hasn’t been any large Malware breakouts for Windows in years. Anti Virus is good enough 99% of the time … nothing is 100% not even Linux.
Stop making problems up … when there isn’t any.
They aren’t better because the software flat out doesn’t work well enough. Never have a install of Windows left me at the terminal after an update, typing in esoteric commands … never has my wireless suddenly broken because of the driver system is stable … the third party software doesn’t stop working because some arsehat has decided he wants a newer library version for the sake of it.
Windows and Mac work … Linux works if you willing to endlessly fuck about with it.
Be Blind to the problems if you wish … this is the reason that Linux on the desktop will never get any better and Windows and Macintosh will always dominate.
The comment is to do with the fact that you are a zealot …
You are plain making shit up … if you go to free-pirate-software.com and install stuff you will have problems … going to vlc.org, winamp.com, mozilla.com you will not have problems …
The same shit would happen if you downloaded and executed a script on Linux from some unverified website …
The only way one tells the difference is by being knowing enough to tell when it is dodge or not …
Skirt the issue all you want, evangelize all you wish … this won’t change.
Amongst my modest circle of friends and acquaintances alone, I have been asked to “rescue” no less than four Windows systems so far this year (only one of them XP).
It keeps me supplied in gift chocolates. Yum. I’ll post a link to a photo of the latest empty box if you like … sorry, belay that, my wife has just today thrown out the box. Oh well.
Every time I encounter a new malware that has borked a Windows machine, it seems (to me anyway) that it gets harder and harder to get rid of that malware.
On a couple of occasions after following all of the advice I could find online about a particular infection, the malware was still present. I had to boot the machine with a Linux LiveCD, save all the data, and nuke the thing from orbit (including the MBR) … it was the only way to be sure.
My wife’s friend had to apologise to all of her facebook and email contacts after her machine was compromised and started spamming everyone. She also had to cancel credit cards, close and then re-open her banks accounts, and change passwords everywhere she could think of. It has cost her many, many days to clean up, it cost her a fair bit to get the machine “cleaned” professionally, and she has lost a bit of money as well.
OTOH, my half-dozen Linux installations have had not one whit of trouble. For years.
Clearly my experience is very, very different to yours.
Edited 2011-07-14 10:42 UTC
We you are one of the lucky ones that doesn’t seem to have his wireless nuked every update.
Yes, I obviously don’t have friends that install any old crap on their desktop and have the ability to read dialog boxes
(most of my friends have modest computing skills in that they have been trained on how to use Office).
My circle of friends is obviously a bit wider then, as it includes people who use computers but who do not know how computers work. Many of them are unfortunately so unfamiliar with the way that computers work that they believe the advertising which tries to tell them that “computer” means “Windows”. Some of them even believe that “word processor” means “Word” (as in, MS Word).
We can’t expect everyone to be a computer expert, or for that matter to even have any desire to find out even a little bit about them. Unfortunately, big businesses exploit this to its absolute fullest, and hence many people end up paying many, many times more for their computing experience than they need to.
To me, this is an absolute crying shame. I try to do what I can to point out how people can save themselves a lot of money, and avoid getting ripped off. For my friends, when they do end up getting ripped off and harmed by the system, I do my best to help them out, all for the price of a box of chocolates. (Actually, I don’t even ask for that, I just get given the chocolates).
I wasn’t replying to him then … I was replying to the fact that I linked something that happened to be hosted on Linux … it doesn’t invalidate my response.
This shit is ridiculous.
Of course there are two problems here
1) Not all Windows users are tech savvy (most aren’t) and why should you need to be a expert in Computer security to use your PC?
2) Drivers – on an older PC with Windows you usually end up finding that the manufacture doesn’t have the driver on it’s site any more – almost all the Free Drivers sites are just there to install scumware and the only site you can find the driver is located in Romania and as tech savvy as you might be it’s a case of having faith in your AV – Not surprising many mom and dad Windows users don’t stand a chance.
I know that they aren’t. However seriously explaining to 4 things works wonders
1) Keep Windows Updated.
2) Keep AV updated.
3) Explain basic things like password security, the padlock and what it means etc.
4) Using Common Sense … if you are unsure you can always decline.
I am the most tehcnically savvy in my family and this works for them and their PCs are Virus Free and they run Windows … Anedotal I know … but I absolutely believe user education is better than pretending that Linux is the cure for all computer problems.
But there is always going to be debate about this … tbh as Macs are easier to look after by “normals” I would suggest those, however I am not impressed with their recent track record of responding to security problems and in some cases it seesm actively denying them.
That is a fair point tbh. I have had this problem myself.
Although Vista and 7 are very good at finding and installing drivers.
Exactly.
Neither do we in the eComStation community search for our sw via Google.
Yes, we also use VLC. Personally, I prefer VLC to firefox for watching YouTube clips.
We can trust our sources – that’s one of the advantages of living in a small village – and, of course, no existing malware would be successful on OS/2.
Now, dear Windows proponents, it’s your turn again. “BS”, anyone?
Don’t Linux users also stray from official repositories?
Not usually, though if you look at Ubuntu you might think it sometimes. Even then that is mostly just addin another PPA repository to your list. The only time i have ever needed to look outside my repository was when i was looking on Gnomelook for some themes, other than that i really don’t know of anyone that gets stable software from anywhere but the distro’s repository
Edited 2011-07-12 09:30 UTC
For certain software the best choice on Linux is closed source. Here is one example:
http://www.bricsys.com/en_INTL/
For users, this carries exactly the same risk for the Windows version as it does for the Linux version. It is highly, highly unlikely to carry malware.
However, it is a risk. A small risk, but a risk nevertheless.
With Linux, it is very possible to keep this risk to an absolute minimum.
Both Windows users and Linux users can benefit from downloads (even outside of repositories) as long as one downloads from the same site as the source code is available from.
http://www.videolan.org/vlc/
http://www.mozilla.com/en-US/firefox/fx/
Edited 2011-07-12 09:55 UTC
Different distributions target different users. If your straying from the distro repositories, chances are good that there is a better distribution for your needs.
In my personal case I find only two programs outside of Debian’s official repositories; Webmin for remote admin by browser and Mondo Rescue for drive imaging, both provide third party Debian repositories.
I also go outside of the distro repositories for various security related programs. They are not programs the average user is going to look for but they are one case where having the bleeding edge latest can make a difference. Metasploit by svn download would be an example.
With Backtrack, I’ve never had reason to go outside the distro repositories. It’s a pretty specialized distribution though too so if one is going outside the repos, they should probably re-consider why they are using Backtrack.
Part of how distributions compete is available selection in the repositories. If one distro doesn’t have all or the majority of software you are looking for, find out if another distro does. Your user data is not tided to any one distribution branding so switching to a new distro is pretty easy.
(ah.. good 28th update down from Windows Update.. now to visit the several third party update utilities.)
Uhm, they’re assholes distributing malware. Anything they do is going to be low by default. Heck, the lower the better is probably a sound strategy for this kind of stuff.
Wonder if there’s anything Google can/should legitimately do about these kinds of things. The minute they start removing sites that are distributing malware from search results, I’m sure Big Content will want them to also remove torrent sites and the like. Maybe it’s better that they stay neutral.
At least they could stop selling them advertising services.
Already happened back in January: http://www.osnews.com/story/24334/Google_Censors_BitTorrent_RapidSh…
thanks the heads up, very interesting news.
I agreed with you that this is low. But how does it violates the GPL license? are this scammers modifying VLC source code to included malware and not released the source code under the same license?
Or the malware is on the installer as an include binary for Windows?
Or it is because this scammers are violating the VLC name trademark?
Edited 2011-07-11 22:19 UTC
They have to notify the person that downloads that the software is under GPL and they can get the code at videolan.org if they wish to.
Since they are modifying the source to include additional functions (read;malware), they have to make the modified source code available for download rather than simply directing users back to videolan’s unmodified source.
My understanding is that the license would allow them to modify and destribute malicious versions of the software if they included the source for the malicious version. The malicious source would get publicised and these folks would be blackballed in the FOSS community. Hopefully loudly enough to also be blackballed among average users.
Granted, they are distributing malware so respect for licensing terms is unlikely.
“Do not be evil” is their saying. Well guess what. If you KNOW that a website has infected files and ESPECIALLY if they are buying add words, I would cut off that site until they got rid of any malware associated with any downloads coming for their site.
THAT, is “Do not be evil”. Anything else, is corrupt. Corruption is Evil. There are no two ways about it.
So the stopbadware.org warning pages when accessing these pages doesn’t count for anything?
Delisting them outright gets them in a massive quagmire with MAFIAA whack-a-mole with warez sites and more dicking around with despots ilke the chinese.
Maybe we just need an OSS repo for windows? Dn’t the the ReactOS guys have something in the works already?
Because then it would be okay: They’d be doing their part to comply with the GPL and give back to the community. LOL.
Edited 2011-07-12 00:11 UTC
Somewhat paradoxically, this is exactly the reason why source code availability guarantees absence of malware.
If anyone can look at the source code, and compile it for themselves to check that the distributed version matches that source code, then the distributed version won’t contain malware. It would take only one person to spot any malware and blow the whistle, it isn’t as though everyone has to look at the source code. As long as it is available, and can be inspected and vetted by anyone who wants to … guaranteed no malware.
Mind you, you have to be able to get the binary version and the source code from the same place. If you can’t do that … all bets are off. If you can do that … this is the ONLY reliable known way to be assured that software that you download is malware free.
Except that in this case it didn’t help at all.
Anyone can get the VLC source and compile however, the problem was that users were getting the .exe and just installing it and not caring where it came from which is a problem with users not being aware of the threats.
Also people don’t spot problems for years in source code …
http://www.theinquirer.net/inquirer/news/1033925/openssl-bug-debian…
I await your circular argument.
Bugs are not malware, they are bugs.
Der.
Only Windows users are rountinely in the habit of installing un-vettable .exe binary blobs from god-knows-where and thereby infecting their own systems with malware.
This is a problem unique to Windows … open source or not, Windows binary blobs are routinely downloaded from god-knows-where, without source code being available, and installed on users systems by the users themselves.
Classic trojan horse scenario. The very same people who wrote this ( https://nonlinux-manifesto.jottit.com/ ) probably wonder why the Trojans were stupid enough to let the wooden horse, made by their enemies, inside the gates of Troy, without first checking what was inside it.
Der.
Edited 2011-07-12 02:45 UTC
I just invalidated the “you can spot stuff in the source” argument you brought up since it was left there for years … so if this error can be left for years, why can’t malicious code be left undetected for years … but I am just repeating myself.
No Der to you for missing the point.
Except if you want 3d acceleration in Linux you also need to install Binary Blobs, If you want to install Skype on Linux you need to install binary blobs, If you want to use professional 3d apps you need to install binary blobs on Windows.
Most users download them from the application distributor or places like CNET and softpedia which ensure that there is no-malware in the downloads …
** shakes head ** … seriously … one was a military siege and the other is my computer … having a bit of dodgy code on your machine does not mean that a group of warriors will comes out and slay me in my sleep … FFS …
The whole point is that some of us are perfectly good enough at looking after our kit and don’t want twats like you jumping in saying “but you should use Linux because the codez are free” … Guess what I haven’t had a virus on any of my Windows Machines … ever … because I do sensible things.
Way to go to miss the point again. Evangelise somewhere else. You bore us.
Edited 2011-07-12 11:45 UTC
http://www.x.org/wiki/RadeonFeature
3D acceleration works for open source drivers for my video card (ATI).
http://www.phoronix.com/scan.php?page=news_item&px=OTY1NQ
OpenGL 2 is supported, OpenGL 3 should be available by the end of this year.
http://www.phoronix.com/scan.php?page=news_item&px=OTY1OQ
VDPAU video acceleration API has just been merged to master.
One solution: http://www.mhspot.com/sts/siptosis.html
One solution: http://www.blender.org/
ATI and OpenGL have always had poor performance … even with the fglrx driver … Nvidia and Nvidia driver has always been superior … so it works doesn’t mean it works well.
The next version is always coming “soon” with Open Source … I got fed up of hearing it a long time ago … I only care about what currently works.
Intel and ATI have no plans to support it on Linux, so will it only work with Nvidia driver and the S3 driver?
Why do you google for “GNU version <insert popular software” and think that is anyway a solution.
Nobody I know uses that Skype alternative so it is no good for me. I suspect if you asked a lot of people they would probably agree as well.
Also blender is only any good at doing key frame animation … and I would be interested to see how blender measures up to tool like Maya … is big FX company using Blender? According to their website not.
Suggesting sub standard alternatives is not an argument.
You said that a binary blob driver was required. I showed you that it wasn’t. The open source ATI drivers are still in the “get it working everywhere” phase, so tuning for performance has yet to be done. Even so, these drivers run KDE’s kwin composited desktop at 60Hz, which is frame-locked to the monitor refresh rate. For use on a desktop OS, what more performance is required?
For use with roles like blender, the open source driver has already reached about 40% of the performance of fglrx, and as I said, tuning has yet to be done, so expect performance to increase as the driver matures.
What currently works, as I said, is OpenGL 2. Do you have a reading comprehension problem or something?
And now the open source ATI-GPU Gallium3D driver, written by Xorg. It should also work with Intel’s open source Gallium3D driver, given a bit of extra work from Intel.
Because that is what you said did not exist. It does exist, and despite your attempt at disparagement, blender is very good software. I didn’t have to Google it, blender is already famous.
Edited 2011-07-13 23:35 UTC
When I say it is required … I mean that they actually work properly
Another example of “it is coming soon!! promise”
Excellent … I get 40% of the performance of hardware because I believe in “freedomz of the code” …
40%, when anything gets complicated with 3d you need all the computing power you can get … 40% of best just isn’t good enough.
No, do you??
I was commenting about OpenGL coming soon part, which is blatently apparent by my post … the OpenGL spec is at something like 4, and 3 is still being implemented.
It is coming soon … honest guv …
The ati driver that at the moment only has 40% performance of fglrx … and intel actually do the work …
I don’t doubt it is pretty decent, There is some very good
however I don’t see any large professional organisations using it … and if I was learning with an eye at getting a job in it I would rather learn their tools (many can be downloaded for free with watermarks over in the corner) …
With Skype alternative, who am I am to video chat with when no-one I know uses it??
Lucas, Alfman, I hope, after arguing with Lemur for days, you took the time to look at his profile. He does explain why he’s so argumentative. Seems temperatures are rising so thought I ought to mention that.
I have looked at the profile.
I know I am effectively playing him … but tbh … someone needs to tell him he is a zealot … tbh … It do these comments most of the time while I am uploading stuff and watching progress bars
I would probably buy him a beer.
Edited 2011-07-14 23:53 UTC
I know what you think you are doing.
From my point of view, this discussion is an excellent opportunity to show people how much vested interests are absolutely desperate to try to convince ordinary folk that the proprietary software distribution paradigm is fine and that open source is broken, when we all know that the reverse is the reaal truth.
Speaking pragmatically???
You believe what you want. If you are too thick to work out my point of view … so be it.
I use Open Source software everyday … however I don’t claim it is the
“solution for every IT problem”
Which you do.
I linked the anti linux manifesto … if you didn’t get the overall message that is your problem … not mine … the whole point is
“I will use whatever works best for me”
You zealously defending GPL and Linux seems to blind you to this. It is a religious devotion you have to a license made up by a guy who is jealous of commercial software …
BTW I have no vested interests in anything except for myself, I wish I could work for Microsoft or Google … but I don’t
So I don’t have any vested interests … I am only interested in what works for me and I get pissed off about slagging Microsoft for the sake of it.
Edited 2011-07-15 00:19 UTC
No our discussions are an excellent to expose the religious like devotion you have to code that you haven’t written and make up scenarios that really don’t exist …
Open Source software isn’t useful to anyone else except those who have accepted to take a hit in functionality
Edited 2011-07-15 00:44 UTC
Not at all … since I don’t use PCs for gaming, and hence I don’t need high-preformance 3D rendering, everything that I ever done on a PC I am able to do, better and cheaper, on my Linux machines. What is more I enjoy a malware-free, worry-free, low maintenance setup.
As for your devotion to Windows, thanks but no thanks, I’ll keep my money and save heaps of my time as well, if it is all the same to you.
I only wish other people weren’t harmed so much by the pervasiveness of Windows. Oh well, life is not all a bed of roses.
Edited 2011-07-15 00:55 UTC
lucas_maximus,
“Open Source software isn’t useful to anyone else except those who have accepted to take a hit in functionality”.
I know your talking about well known linux graphic driver issues, but yikes man, that incendiary grenade you just launched was probably overkill.
Au contraire, it is useful for web hosting, no?
http://uptime.netcraft.com/up/graph?site=nonlinux-manifesto.jottit….
In actual fact, there is a huge array of computing/IT which runs on Linux. Linux rules the embedded, server, infrastructure and supercomputer arenas.
Since Linux does not advertise, and one cannot buy it pre-installed on desktop machines in stores, Linux does not rule that space. Linux is dominant everywhere else, though …
Edited 2011-07-15 03:50 UTC
Good for Server != Good For Desktop
Yes there are very good open source tools but lets face it they are mainly for other devs
Good for Server (! necessarily =) Good For Desktop
Clumsy syntax, I know, but I think I fixed that for you.
The Linux kernel has many options. The many choices available make it suitable in a wide array of different roles.
The BFS scheduler, for example, is an optional scheduler for the Linux kernel which is optimised for desktop workloads.
http://en.wikipedia.org/wiki/Brain_F%75%63k_Scheduler
BFS has been reported to improve responsiveness on light-NUMA (non-uniform memory access) Linux mobile devices and desktop computers with fewer than 16 cores
My desktop computers all have considerably fewer than 16 cores.
The Completely fair Scheduler is the default:
http://en.wikipedia.org/wiki/Completely_Fair_Scheduler
This is probably a better choice for servers.
The Linux kernel can be made to support pre-emption
http://en.wikipedia.org/wiki/Kernel_preemption
This kernel is good for professional audio applications, but it is not the default because it has impacts on other workloads.
Sorry, but that statement just isn’t fixable.
Linux is, after all, the OS that probably more CPUs run than any other.
Edited 2011-07-16 12:05 UTC
And this somehow disproves my point? How.
The fact is that most Linux is either embedded or on servers … i.e. they are configured for specialist purposes not as a general purpose desktop OS.
Just because you have a kernel scheduler that works well for desktop use, does not mean the thing is good enough for a desktop OS … that is the first building block …
Most open source projects that aren’t developers tools suck big time … because building a set of developer tools, api etc is relatively easy compared to developing a user interface.
Would you oppose me buying you a beer?
I live here:
http://en.wikipedia.org/wiki/Adelaide
It is a pretty spot, but very much out of the way, wouldn’t you say? It is a bit far to send a beer from the UK, and besides, we drink it cold here.
Edited 2011-07-15 01:04 UTC
vitae,
“Lucas, Alfman, I hope, after arguing with Lemur for days, you took the time to look at his profile. He does explain why he’s so argumentative. Seems temperatures are rising so thought I ought to mention that.”
Yea, I know, but should we let him get away with it? He behaves like an obnoxious child with temper tantrums. Is it best to call him out or ignore him?
I really do believe lemur2 has a narcissistic personality disorder.
http://en.wikipedia.org/wiki/Narcissism
http://en.wikipedia.org/wiki/Narcissistic_personality_disorder
“People who are diagnosed with narcissistic personality disorder use splitting (black and white thinking) as a central defense mechanism. They do this to preserve their self-esteem, by seeing the self as purely good and the others as purely bad. The use of splitting also implies the use of other defense mechanisms, namely devaluation, idealization and denial.”
Psychological projection
http://en.wikipedia.org/wiki/Psychological_projection
“Psychological projection or projection bias is a psychological defense mechanism where a person subconsciously denies his or her own attributes, thoughts, and emotions, which are then ascribed to the outside world, usually to other people.”
Which they do. They work perfectly correctly, and performance is improving. I’m glad we cleared that up.
Meh. Currently you get 40% performance on average (in some case you get 110% performance).
http://www.phoronix.com/scan.php?page=article&item=amd_hd6000_open&…
A few months ago you would have got only 20% performance. In a few months time … you do the math.
Indeed, preformance isn’t good enough yet for demanding roles. Isn’t that exactly what I said? However, in a few months time … you do the math.
Well, it is. Deal with it.
Err, no, the open source developers at Xorg have done the work. Support for video hardware acceleration via VDPAU landed in open source Xorg driver code on 13th July.
http://www.phoronix.com/scan.php?page=news_item&px=OTY2OQ
What Intel need to do is fix a very few deficiencies in their Gallium3D driver code, and they too can take advantage of the VDPAU state tracker for Gallium3D.
Next up is VP8 support for this state tracker, it is being worked on now:
http://www.phoronix.com/scan.php?page=news_item&px=OTY3Mg
When this is done, the open source drivers from Xorg will be the only drivers for standard video GPUs which will support hardware acceleration of VP8 video. You simply don’t get that capability with the closed-source drivers. You don’t get that capability on Windows.
The code I pointed out is a gateway between skype and video chat programs using the standard protocol, which is SIP.
http://en.wikipedia.org/wiki/Comparison_of_VoIP_software
“Most softphone clients run on the open Session Initiation Protocol (SIP) supporting various codecs. Skype runs on a closed proprietary network, though the network (but not the official Skype client software) also supports SIP clients”
Using such a gateway, Linux clients using software such as Ekiga, for example, can make calls to other people using Skype, and vice versa.
http://en.wikipedia.org/wiki/Ekiga
I’m glad we cleared that up.
Edited 2011-07-15 00:45 UTC
I just found out that despite what the Phoronix article said, this project was eventually accepted as a GSoC project.
http://phoronix.com/forums/showthread.php?57281-VP8-Gallium3D-Suppo…
This means effectively that the effort is now funded. A very good outcome for everybody, even Google who are now paying for it.
Say what?
In this case, the source code was not available, and the trojan horse binary blob malware executable was disguised as VLC.
What on earth has that got to do with actual bona-fide open source practice, other than the fact that the VLC project saved the malware authors the trouble of writing their own multimedia application as the bait?
Edited 2011-07-12 02:58 UTC
lucas_maximus,
“I await your circular argument.”
Haha, been there. Once you’ve proven that he’s full of it and he’s got nothing left, he accuses you of being a troll! Ironic isn’t it?
http://www.osnews.com/thread?480289
I’ll just wait for an actual point from you rather than simple-minded ad hominems.
lemur2,
“I’ll just wait for an actual point from you rather than simple-minded ad hominems.”
Fair enough, however don’t be a hypocrite. Will you agree to cease posting hostile comments? That includes unfairly calling other people trolls and blaming other people’s motives when they provide evidence which disagrees with a claim? Can we both agree that there is merit in other’s points of views, and that we must try to understand them before coming to judgment, at which point we can agree to disagree instead of resorting to attacks?
Edited 2011-07-12 04:06 UTC
Have a look at recent trends on this site. I think you might find, looked at objectively, that I am the one who is consistently attacked, even though I am the one who actually posts the backed-up facts.
In few threads I actually got accused of posting too many links backing up what I said!
Every now and then I get snitchy, especially against a poster who is posting stupid things (always without backup that makes any sense).
A couple of posters have tried to jump on to this topic with an apparent agenda to try to paint open source software (such as VLC in this case) as unreliable, low quality, and a source of malware. Not to be trusted. The very title of this sub-thread is an example.
In actual fact, the precise opposite is the case. Malware needs to be a payload hidden inside a binary executable (without the corresponding source code being available) in order to achieve a successful trojan horse “infection vector” strategy.
This is a fairly self-evident point that some interests do not want generally known. It is also a point that, in the best interests of end users, should be shouted from the rooftops as often as possible.
So, when someone does start pointing out this truth, a lot of people are keen to jump on anyone pointing it out. Having no actual valid counter-argument, ad hominem attacks are frequently used … right out of the box in many cases, without even trying to discuss the point.
This is where I thought you were going. Certainly other posters on this thread have already tried to go there.
If that was not your actual intent, then I am perfectly willing to actually discuss the issues if you are (without ad hominem attacks, if you don’t mind).
PS: Just so you know, the first personal attack in this topic was this: “***groan*** Oh not this bullshit again.”. The second personal attack was this: “I await your circular argument.”
Neither comment was mine.
Edited 2011-07-12 04:39 UTC
Well those (on topic) points are not my concern right now. At some point we will bump up into something which one of us disagrees with and unless we’ve done something to curb overly aggressive behavior we’re back to where we started. I want to know if we can commit to a more civil discourse, and not blow things up out of proportion?
Edited 2011-07-12 04:59 UTC
Absolutely. I am all for civil discourse. I just hope you are.
You do this ad nauseum …
You – “If they inspected the codez they could see the problem”
Me – “But you have to be savvy enough to do that”
You – “but Linux magically does this”
Me – “But you have to be technically savvy enough to choose Linux”
and continues something like that while ignoring that the fact that only technically savvy people know to look for this in the first place.
(Even though I believe the Linux vs. Windows sub-thread is completely OT, I’ll chime in)
… I guess that at this point, I should point out that in my experience, you should be technically savvy to install and maintain ***Windows*** just as well, and I’ve got a looooooooo<duplicate x 1000>oooong list of family/friends/co-workers/heck, neighbor’s Windows machine that I have serviced in the last God-knows-how-many-years to back this claim. (Hence the reason I’m sick’n’tired of Windows as an eco-system, even though I write cross-platform Windows/Linux software for a living).
– Gilboa
That is more of a problem with Desktop Operating systems in General. Even Macs need a certain amount of looking after as the cruft builds up.
Strawman.
Savvy users and non-savvy users get the same packages. Only one person, who did not write the source code, has to be savvy enough to compile the source code package and compare it to the binary package. That one person can vet the source code for all users (savvy or not), because … all users get the same packages.
Strawman bollox …
The fact of the matter is that reading source code is hard … and spotting bugs and malicious code is hard … being able to see the “codez” does magically rectify this.
Lots of Money and various books have been written about Software Quality and Testing … from the original “The Art of Software Testing” to todays TDD and BDD test patterns …
So don’t pretend you can just “spot the bugs” because even the creators of software who wrote the code often can’t see the problems … it is total bollox.
Stop defending you ideologies which simply don’t stand up to any critical evaluation.
Well, not necessarily. If the code for the malware itself has been embedded in the source code by the original author of the program, then you’re not guaranteed shit, except maybe a human looked through the source code at one time.
Sure, all it takes is one person to find the malware, but what if the app itself has been installed on 100,000 computers before anybody discovers it? Do distro repository admins have the ability to remote wipe apps off computers like Google does with Android?
I will grant you that having people looking through the source code is probably the best way to avoid distributing apps with malware, but unless they scan every line of code in the app, you still don’t have any guarantees.
Edited 2011-07-12 05:08 UTC
The whole point of making your project open source is to get other developers involved. Together, in collaboration, using a principle of “meriotcracy” where the best code available is adopted, the entire point is to “evolve” the code into better and better versions, in a process very akin to “survival of the fittest”.
This just won’t happen if no-one reads the code.
So, if you have an active open source project that has released multiple versions over time, you can bet that humans have read the code. The source code for a project like VLC will have been poured over by hundreds of people.
As for your two questions:
(1) but what if the app itself has been installed on 100,000 computers before anybody discovers it?
This is a nightmare situation. Disaster. Fortunately, in the history of open source software distribution via package managers, well over a decade, for many thousands of packages, hundreds of versions, tens of Linux distributions, millions of users, this has never happened.
Contrast this to the millions upon millions of compromised Windows machines that are members of botnets right now.
The proof, as they say, is in the pudding.
(2) Do distro repository admins have the ability to remote wipe apps off computers like Google does with Android?
No, they don’t.
The only recourse I suppose is that it is good practice in a Linux installation to separate userland data into a separate partition from the OS itself. It takes about 30 minutes, and zero cost, to put in a new LiveCD, completely wipe the old OS partition and the MBR, then install a fresh version of the OS from the clean LiveCD, re-enter the user account names and passwords, and carry on.
I can’t think of any Windows malware, recently, that I have been able to purge in 30 minutes (and perhaps even upgrade the OS and applications at the same time).
Edited 2011-07-12 05:56 UTC
lemur2,
“This is a nightmare situation. Disaster. Fortunately, in the history of open source software distribution via package managers, well over a decade, for many thousands of packages, hundreds of versions, tens of Linux distributions, millions of users, this has never happened.”
It doesn’t mean that the code is always secure however. I remember the OpenSSL random number generator glitch on debian which caused keys for SSH/SSL/OpenVPN to be predictable. There was an ~18 month window during which the updated systems generated insecure keys.
http://www.itwire.com/opinion-and-analysis/open-sauce/18213-remote-…
The vulnerability was fixed very quickly once it was reported, but it took a long time to be detected. Not that I think closed source would have been any better – most likely it is never fixed.
This was a bug introduced by a well-meaning Debian maintainer who introduced some “clean-up” code to set some un-initialised variables to zero. Normally this is sound practice, but in this particular instance this change reduced the “randomness” of the generated keys. There was reduced security for SSL on Debian while this bug was in the code, not zero security.
What you are saying here is perfectly correct … having open source code does not guarantee there will be no unintentional bugs. All code can have bugs, open source or not.
The only thing guaranteed by having the source code visible is that there will be no intentional malware. (By its very nature malware cannot be unintentional).
The point of the argument is that just because the source was open doesn’t mean problems are easily detected … whether it was malicious or not is not the point … have access to the code does not automatically make that code safe … whatever the intentions of the author.
But whatever continue with your rhetoric.
Edited 2011-07-12 11:53 UTC
The methods of open source development and distribution do not provide any assurances against unintentional errors. Neither do the methods of closed source development and distribution. Bugs occur in both.
The only difference, really, is that people find out about the bugs that occurred in open source, whereas as closed source bugs are often hushed up, and surprisingly often they are not even fixed.
As for intentional malware … this is introduced into the distribution of closed source Windows executables at the rate of approximately two million new pieces of malware code every year.
http://bnn-news.com/kaspersky-20-million-malware-created-2010-30390
https://www.infosecisland.com/blogview/11462-Nearly-Twenty-Million-N…
(Not even I would credit claims of twenty million by anti-malware vendors)
In comparison, intentional malware is introduced into open source repository/package manager distribution channels at the approximate rate of … never in its history.
Edited 2011-07-13 00:05 UTC
Err they didn’t for 2 years in the debian example … so
And there are bugs that are blatently there for years in bugzilla that aren’t fixed ever and the bugs are just closed down after a while …
That because it is worth doing … Because there are a decent percentage of actual Desktop Windows installations. Android has malware too because there are enough devices to make it worth it … People are even taking shots at the mac market now … nobody produces malware for Linux because it isn’t worth it.
Yeah well now they have found away around it by pretending to be open source software … just as dangerous IMO … and you are still going to have to be technically savvy enough to spot it.
If Linux had over 20% of a desktop share, you would find repos with malicious software … But we will never find out since Desktop Linux hasn’t been over 2% ever.
lemur2,
“There was reduced security for SSL on Debian while this bug was in the code, not zero security.”
From what I’ve read, there were only 15 bits of seed material per key.
“Q: How long does it take a crack a SSH user account using these keys?
A: This depends on the speed of the network and the configuration of the SSH server. It should be possible to try all 32,767 keys of both DSA-1024 and RSA-2048 within a couple hours, but be careful of anti-brute-force scripts on the target server.”
http://digitaloffense.net/tools/debian-openssl/
“The only thing guaranteed by having the source code visible is that there will be no intentional malware. (By its very nature malware cannot be unintentional).”
But why not? If a developer was able to introduce a bug which seriously broke security, what prevents someone from doing the same thing deliberately?
A regular contributer (as opposed to a one time patcher) is in a great position to add obscure vulnerabilities. I would hope that regular project contributers are unlikely to have malicious intent, but that’s simply an assumption on my part.
This is reasonable, but it is beside the point. It hasn’t happened IRL in the history of open source repositories/package managers.
Intentional malware is introduce into Windows binary execuatble distribution channels at the approximate rate of two million new pieces of malware every year.
Just getting a handle on the scope of the problem and the performance of the distribution systems here, to help anyone who is having similar difficulties …
(2) Do distro repository admins have the ability to remote wipe apps off computers like Google does with Android?
No, they don’t.
Kind of. They could “upgrade” the package in the repo with one containing a text file saying ‘this package removed because the author is a bad person.’
Similar to the dummy package in Ubuntu that ‘provides’ mono but doesn’t really have anything in it.
AND NO ONE DOES. Get over it. You’re neither safe nor secure and, even when you get it straight from the source, there could be malware code embedded in the sources that hasn’t been caught yet. It all comes down to trust and credibility.
WTF?
Of course people read the code. What is more, they contribute to it, there are multiple versions released, it gets improved over time.
Here is the story for VLC, which we are using as a convenient example:
http://www.videolan.org/videolan/team/
People from all over the world, totally independent from each other, read the code, contribute to it, and hence end up vetting each other.
There is no need to trust anyone, everyone’s self interest alone is enough to ensure the integrity of the resulting code.
Result: there is no malware embedded in the open source code (as produced by this team). Guaranteed. The only thing from that point is that one needs to make sure that the binary one installs one one’s system is made from THAT exact same source code.
So, may I ask … what in heaven’s name is wrong with you? WTF is your issue?
Edited 2011-07-12 23:17 UTC
You’re the one that asserted that the user just needs to look at the source code to match up their binaries.
A. They probably don’t have that level of capability.
B. They wouldn’t know where to look, even if they did.
C. There’s no guarantee that the sources don’t have time-bomb malware embedded in them; because the end -user has to trust that the maintainers are doing the due diligence, looking at the code, etc.
In other words, it all comes down to TRUST and CREDIBILITY of the maintainers. That’s it. But since the end user doesn’t know how to validate that TRUST and CREDIBILITY — may not even know where the project is located — the end result is a crap shoot. Ergo, do I feel lucky enough to install this POS package…
No, you have misunderstood. Just ONE person, somewhere, needs to compile the source code downloaded from source code repositories to make sure that it produces the same binary as that in the repository.
This is always done, purely through self interest, because at least one person somewhere (out of millions of users) won’t trust the repository maintainers.
Everyone else who uses the distribution’s package manager to install software necessarily gets the same independently vetted binary, even if they never download the source code.
http://www.ubuntu.com/ubuntu/features/ubuntu-software-centre
There is no way to give just one person a correct, clean package, and everyone else a malware-infected one. This is assured twice over, firstly because the repository people cannot tell if a given downloader is competent to compile the package or not, and secondly because the packages are signed at the repository by the repository private key, and every running copy of the package managers has a copy of the corresponding repository public key.
Edited 2011-07-13 01:45 UTC
lemur2,
“there is no way to give just one person a correct, clean package, and everyone else a malware-infected one.”
The scenario I mentioned with the nefarious repo admin was the exact opposite though. Everyone gets a legit package except special targets. I think doing it the opposite way would be too risky.
“…the packages are signed at the repository by the repository private key, and every running copy of the package managers has a copy of the corresponding repository public key.”
I just want you to understand that this is precisely where I think the weakness lies. The repository admin has the ability to deliberately sign malicious code. Once he’s done that, he is free to distribute it to specific targets.
… and I just want you to understand the levels of risk
http://www.osnews.com/permalink?480641
Imagine a repository maintainer IRL who did actually sign a piece of code which included (in plain sight) malicious code such as a keylogger … ready to be picked up by millions of users any of whom potentially could see (in plain sight) that the keylogger code was one of the additions since the previous version …
Talk about “easy ways to quickly become more unpopular than Hitler” …
lemur2,
“… and I just want you to understand the levels of risk ”
Oh, so I think you are agreeing with my point then? I just wanted to make sure you understood it.
If a repo admin ever abused their signing ability, it’d be very hard to prove if they deleted the evidence at the target. The victim themselves would probably never even think to blame the repository admin.
It’s not something that concerns me, but just something to think about.
Errr, no … I don’t see how what you describe could possibly happen, but no-one can prove a negative …
From my perspective it seems that you are desperately trying to seek a negative and then trying to keep discussion focussed on that, all the while you are in “la la la I can’t hear that” mode about the risk of trojans in the closed-source model of software distribution.
FOSS is a reputation economy. A meritocracy. A package maintainer could potentially slip in malicious code but they’d only have a chance to do it once. The code would be discovered and distro maintainer kicked to the curb. There is more social pressure motivating them to maintain clean code than there is motivating injection of malicious code.
Consider how one earns access to the repository signing keys. You don’t just turn up at the front door and sign them out from the consierge; “high.. could I have the key for OpenSSH.. I have some malware I need to bundle into it.. thanks..”
In a reputable distribution, you are going to have to be known and trusted by the other maintainers. This is earned through proven performance. If you are going to put in the time to earn signing keys for Debian you’d better make your one malware injection big because you will be found out and no reputable distro is going to trust in in future once known as the developer who snuck malware into repo packages.
I mean, if you have a case of a malicious package maintainer intentionaly doing evil then that is news that needs to get out. That should be the link you offer up. I want to know what distro was affected and how someone was able to affect it.
I can only think of a few recent cases though:
Debian’s OpenSSL – human error, the maintainer made a change without consulting OpenSSL’s own cryptographers.
Gentoo’s Quakeircd – human error, poor processes, the maintainer did not check the source downloaded from a secondary server against the hash value on the developer’s clean primary server.
Vftpd backdoor – this one is pretty recent so I don’t have all the details. I mention it only to be complete.
So that’s what.. three since 2008 which don’t consistantly affect the same distribution. Meh.. they all lack any malicious intent.
jabbotts,
“So that’s what.. three since 2008 which don’t consistantly affect the same distribution. Meh.. they all lack any malicious intent.”
I agree with you. I was merely debunking the claim that trust isn’t needed. If they wanted to they could technically break that trust.
“FOSS is a reputation economy. A meritocracy. A package maintainer could potentially slip in malicious code but they’d only have a chance to do it once. The code would be discovered and distro maintainer kicked to the curb.”
A minor quibble: they’d need to be caught first. If the malicious package attacks a single target, noone else would have been whitness to the attack. If the target doesn’t uncover the attack, then no one will.
“There is more social pressure motivating them to maintain clean code than there is motivating injection of malicious code.”
Do you see this any differently than rogue employees existing in any other organization?
Please don’t misread this as discrediting the repositories, I think they work very well in practice. This whole discussion started from the notion that repo admins are unable to distribute malware, which is an exaggeration.
Edited 2011-07-13 19:00 UTC
Strawman.
Put it this way … I could ask you “what keeps you from killing a close relative”?
Technically, you could do it, but that fact doesn’t mean there are hundreds of reasons why you don’t, not the least being that you just wouldn’t want to. All of those things are things which are preventing you from doing that malicious act. I can pretty much rest assured that you won’t do that without even knowing you.
This is all so bleeding obvious I just can’t see why you are in denial about it.
Edited 2011-07-14 00:03 UTC
lemur2,
“Technically, you could do it, but that fact doesn’t mean there are hundreds of reasons why you don’t”
Wow, I never expected you to cave and actually admit that one could do it, which was my point all along. It is a big step for you. You still need to address some vengeance issues. Baby steps lemur2, you’ll get there if you work on it.
Sigh! Still trying to win silly points? My oh my.
There are millions of things that one can do that have absolutely no point whatsoever. Technically I could get a can of bright orange oil-based paint and paint over my expensive plasma TV screen … this doesn’t mean that I am going to do it. Sheesh!
An Ubuntu repository admin taking the source code from VLC, signing that source code, then adding a keylogger, compiling it, and then signing that binary would likewise be one of those things. That is, a thing that is technically possible to do, but no-one who was sane enough to be able to do it would do it.
In all liklihood, some of the VLC developers will themselves be Ubuntu users. This hypothetical “insane malicious admin” would be discovered, then hung, drawn and quartered the very next day, in all liklihood.
Even though this is all technically possible to do, what exactly would be the point?
Everyone can rest assured that this will NOT happen, even without having to invest even the slightest modicum of trust in any Ubuntu repository admins. Self-interest alone is assurance enough that this WON’T ever happen.
PS: Not even Ubuntu would be stupid enough to let just one person sign malicious binaries and ALSO have control over a man-in-the-middle IP redirection scam. No, the hypothetical insane malicious Ubuntu admin could NOT “target” the infected binary at just one user. It would be everyone, or no one.
Edited 2011-07-14 01:28 UTC
lemur2,
Though this must be extremely tiresome for other readers, these past few posts I finally “get” you and understand why it has been so difficult for you to cope with admitting fault.
You have a narcissistic personality disorder.
These past few posts, you’ve shifted your stance from denial that something was possible to why it doesn’t matter that it is. I think that is progress.
Edited 2011-07-14 03:07 UTC
I think I finally get you, too. You are a bona fide idiot.
You seem to think that the existence of hundreds of very good valid reasons to not do something somehow does not qualify as “prevention”. Then, by the simple fiat of your imagination eliminating anything which might qualify as “prevention”, it follows to your mind that we all are therefore reduced to mere good-faith trust that other people won’t do insane things.
Oooookaaaaay then. Thanks for that input, we are all grateful for your unique view. Really, we are. Trust us.
Edited 2011-07-14 04:05 UTC
No, not at all tiresome. Once upon a time Alfman has been a very knowledgeable commenter for me. Now, I feel disenchanted. Insisting on an irrelevant point in order to avoid relevant facts makes bad reputation.
The same holds true for another commenter, lucas_maximus, whose remarks in this thread (“millions of users don’t have any problems”, “people like Lemur2 go on and on about problems that really don’t exist”) are textbook examples of bad rhetorics.
frajo,
I understand why you say that: the point was indeed irrelevant. But for what it’s worth, I did it to show lemur2 that his absolute truth statements aren’t absolutely true. He cracked, so to that end I did what I intended, but it’s a minor victory to be sure. Was it worth it? Will he learn to tone down his “mine is the only possible truth” arguments? It’s really hard to say.
Funny thing is, I agree repos offer an exceptional combination of security and functionality.
Thanks for bringing up this point. I agree that it is important to separate absolute statements from others (and definitely not to hold on too tightly if absolute statements were made and contested). I’m certain more productive and civil conversations would be the result.
Opinions should be influenced by facts, not the other way around.
You too. Quote please.
Err, quote? I was giving an opinion on how I believe conversations should be conducted.
What would you like me to quote?
Your opinion how conversations should be conducted is a perfectly valid one.
However, you said: “it is important to separate absolute statements from others (and definitely not to hold on too tightly if absolute statements were made and contested)”
I am simply trying to illustrate that in fact that there were no such “absolute” statements made in this thread. The poster to whom you were replying has yet to identify any, even though he has claimed three times that I have “retracted” them, or that I have “backed down” on a position I am supposed to have tried to claim, but I never stated.
I’m getting a bit riled about incessant false accusations made against me, so I am asking accusers to put up or shut up. I would like to apologise profusely if I have unfairly tarred you with a brush, because I most assuredly know how THAT feels from this thread.
Edited 2011-07-14 10:52 UTC
Hint: I have retracted exactly nothing.
So, quote please, or it didn’t happen.
I’m still waiting.
lemur2,
In summation:
You initially made numerous claims about being “guaranteed no malware” due to key signing and peer review, and that “trust is not necessary”. Your later claims did indeed acknowledge the point that while injecting malware is technically possible, you equated it to murdering one’s close family member (I’m reminded of Hans Reiser).
So you clearly understand that your initial statements were exaggerated. You can continue being a narcissist and keep denying it if you want, I have no expectation of curing that, but my hope is that you will learn to be more careful with absolute claims.
Edited 2011-07-14 18:49 UTC
Ah, so no quote.
What I actually said was that due to the collaboration of software development with independent open source developers from all over the world, one is guaranteed that there is no malware in the source code. On cross-platform projects such as VLC is, this is jsut as true for the Windows version as it is for the versions for other platforms. What was needed from that point was a way to ensure that the source code (which is guaranteed malware free) produces the binary that is distributed. You will find no claim that this step is guaranteed.
No, what I said there was perfectly consistent with my original statements. With the open source repositories, there are myriad reasons why the repository admins should do a good job translating the malware-free source code from the projects into signed source code and matching binaries for their distributions repository. This is, in fact, their whole job, performance of which is what they are rated on. There is almost zero chance that they would get away with inserting malware into the signed binaries, and if they did by that act of signing it they advertise to the whole world who put the malware into that binary. This is rather akin to a bank robber signing a withdrawal slip, with his real name in a provble fashion to boot! It would be an act of pure insanity for a repository admin to insert malware into the binaries. You yourself said that for an admin to do that was just too risky.
For this reason we do not need to rely on trust that the repsoitory admins won’t insert malware, since there are huge incentives for them not to and they are caught red-handed by the system once the malware is detected, as it is very likely to be (since the means to detect it is given to all recipients of the code, and it only takes one person to detect it). Although there is no absolute guarantee at this point of the process, as I noted several times (quote: “you cannot prove a negative”), we can nevertheless reasonably rely on the repository admins simply following their own best self-interest. We don’t need to rely on trust alone.
Your problem was that you have no reading comprehension, you misunderstood, and you leapt to a false conclusion about what I had said.
Then you severly embarrassed yourself multiple times by trying to sprout misplaced insults.
And you still persist.
Obvious troll is obvious.
Edited 2011-07-14 23:33 UTC
Quote, please.
That’s kind of a strength for repository distribution.
A buggy program gets through and installed on a thousand systems. The bug is discovered and fixed promptly. Those thousand systems have access to the update as soon as it’s available in the repository. Tada.. no more thousand computers with that previous vulnerability.
Heck, how is this any different than Windows? A buggy program gets through and installed on a thousand systems. The bug is discovered and fixed (er.. promptly?). Those thousand systems access to the update as soon as the next month’s second Tuesday hits. Tada.. no more thousand computers with that previous vulnerability.
The strength is the fact that the central repo distributes the updated version to all those machines previously affected. If it’s a well run repo they will also re-evaluate management processes and fix what allowed the malicious code to remain undetected during vetting.
Granted, some distributions manage repositories better than other’s. There has really been very little issue with Debian’s Unstable to Testing and periodic Testing to Stable management process. OpenSSL had a Debian specific vulnerability that remained undetected for about a year then was promptly fixed when discovered (the openssl maintainer made changes without consulting cryptographic experts; ie.
I think your argument is somewhat contradicted by the topic we are actually discussing.
There’s nothing stopping the bad guys from still distributing malware in the binary to people who do not know better.
That’s not the point. It’s no big secret that the wares these low-lives peddle is malware. Even if it was open-source it would still be downloaded by people who, for one reason or the other, do not know better (I dont mean this in a negative way, btw).
No, the only way to be assured that it is malware free is by building it yourself from source that you also inspected. In every other case you’re putting a certain amount of trust into the system and the people.
Why did you omit the critical bit of text in my post?
Here, I will replicate it for you: “Mind you, you have to be able to get the binary version and the source code from the same place. If you can’t do that … all bets are off.”
Without that proviso, as I said, all bets are off. In fact this very case shows this point quite well … the source code for the fake VLC (+malware) was NOT avialable to anyone. It certainly was not available from the same place as people were downloading it from.
With that proviso … the record is pretty damn good.
As far as “trust” goes … as long as someone can download the source code and compile it, and verify that the source code does actually make the binary that is being distributed … and also that the development involves multiple people and can be seen by everyone in plain sight … then no, trust is not necessary. Pure self-interest is enough to ensure the integrity of the project in this case.
Edited 2011-07-12 06:06 UTC
lemur2,
“As far as ‘trust’ goes … as long as someone can download the source code and compile it, and verify that the source code does actually make the binary that is being distributed … and also that the development involves multiple people and can be seen by everyone in plain sight … then no, trust is not necessary. Pure self-interest is enough to ensure the integrity of the project in this case. ”
I do have some questions here:
1. Even if some source were provided, how would a typical user get it compiled?
Even as a dev, source code can be frustratingly difficult to compile. Wrong compiler, wrong switches, external dependencies, etc.
2. How does a user/dev confirm that a binary was generated by the provided source?
The user may not have the exact same compiler and switches and libraries as the dev. The compilation step may be non-deterministic (compile time info in exe). The result would be binaries which do not match, and we have no idea if the binary contains malware.
This depends on the particular distribution. Gentoo and Sabayon package managers download, compile and then install the resulting binaries automatically. Ubuntu, Debian, RedHat, OpenSuse and others have duplicate repositories … one for the source code and one for the resulting binary as compiled by the repository maintainers. Software can be downloaded and installed from either repository. Each and every user is in a position to verify that the source code does indeed produce the binary. Most users just install from the binary repositories, safe in the knowledge that other users audit this for them.
All taken care of automatically by the package managers.
Download both the source and the binary (integrity of downloads is assured via key pair encryption. Repository public keys are distributed with the LiveCD initial distribution installer). Compile the source locally. Compare the binaries using diff, cmp or md5.
The compiler is part of the Linux distribution. Normally it is gcc.
The switches for the compiler are set by the scripts run by the package managers. Make files and whatever else needed are part of the source code packages.
Edited 2011-07-12 09:50 UTC
Not really, see for example Debian’s instructions on how to build from source:
http://www.debian.org/doc/FAQ/ch-pkg_basics.en.html#s-sourcepkgs
This isn’t really something a normal user would want to get into, I think. It’s certainly not performed by the package manager.
For source-based distributions this would work though, as their package managers are also essentially build systems.
Binary comparison wouldn’t work unless you had the exact same development toolchain (versions of gcc, ld, etc) as whomever compiled the original. Even within a particular distribution version this may not be the case through updates and fixes to the toolchain.
Yep, it would be very hard to compare binaries resulting from source compilation on different versions of toolchains, especially since alot of effort and tools are made exactly to ensure that you may compile something everywhere given some basic toolchain and the right library.
That said, I’m not a novice, and I’d trust official repositories. Bad things may happen, but that’s true of any platform, the less likely the better!
PS : to the post-scriptum to the manifesto before, could you stop being a gigantic manichean ass and accept that some people do NOT bash Linux nor OSS, but may prefer paid and/or closed software? I use Windows, FreeBSD and Linux, what does that make me, multiple personality disorder or something? -_-“
The toolchain which builds the distribution is distributed along with the distribution.
The toolchain components are also updated via the package managers just the same as any other packages are.
Savvy users who keep their systems up to date are able to build source code packages in exactly the same way as the repository maintainers do, using the exact same toolchain. Why should they NOT be able to? It is not as though there is an expensive toolcahin for anyone to buy …
I was talking about binary comparison, (like you were, and like you included in the quote from me in your post), not the ability to get the source compiled at all.
GCC 4.5.0 may produce a binary with a different arrangement of assembly instructions than GCC 4.5.1, and therefore the binaries will be different, and fail a comparison (md5 check, whatever).
True.
This is why Ubuntu, for example, ships with a particular gcc version which all users receive. This is why anyone hoping to vet binaries has to keep their local version of gcc in sync with the version in the distribution repositories. This is why repository maintainers must compile packages with the version of gcc that is shipped in the repositories. This is why updating gcc is a big deal. This is one reason for the auto-updater.
Edited 2011-07-13 04:06 UTC
Yes, Ubuntu ships with a certain version, but they could update it after shipping (especially true in an LTS release). Other distributions have less strict update policies than Ubuntu as well, so it would be more prevalent there.
Essentially, binary comparison isn’t something you could rely on.
so effectively to a non-savvy user … it is effectively a compiled binary blob and you are only trusting on the good intentions of the package maintainer …
Your arguements are ridiculous.
Look, give him his illusion of safety/security wrt GPL. He’s clearly not dealing well with our present reality.
Edited 2011-07-12 20:04 UTC
Indeed, non-savvy users are of no help in vetting that the downloaded source code produces the same binaries as the downloaded binaries.
However, because of the key pair encryption, all users of package managers are guaranteed to get the same packages from the repositories. The packages are all signed using the private key of the repository maintainers, and the package managers all have a copy of the public key.
This means that savvy users and non-savvy users get the same packages. Guaranteed.
Savvy users ARE able to verify that the source code packages produce the same executable as is contained in the binary packages. If any single such a user receives any packages for which this is not so, they will blow the whistle. News of such an event would be all over the Internet is hours, it would be a sensation. Windows apologists such as yourself would jump all over such a story with glee.
Bear in mind that IRL it has never happened, though.
This is the story of open source software distribution using repositories and package managers. There is no “trusting” required, the simple operation of self-interest is sufficient.
Argue against this story … and not some fantasy you have imagined. Your actual argument above is a logical fallacy called a “strawman”.
Edited 2011-07-12 23:48 UTC
I don’t know how downloading a signed package from repo is any different of downloading the binary executable from anysite and checking the SHA/MD5 sum against that listed on VLC.org???
Binary distribution of .exes isn’t the problem, it is people downloading dodgy .exe from some dodgy domain and not actually knowing whether it is legit … and the only way to protect against that is being technically savvy and using common sense.
But you will ignore this fact because you have a pro GPL/Linux agenda … it is pathectic .. it is boring and you will skirt the issue.
Certainly that would be the most secure option, of course then you are assuming that VLC itself has not been maliciously tampered with by one of the developers. It’s all a matter of trust, and that trust very much relies on past experience. I trust my official repo, so I won’t verify the SHA myself. If someone doesn’t trust their repo, they can get it/build it from the source rather than through a repository.
Well obviously it’s better to have the possibility of spotting malicious code than not having it.
Well, you certainly have an anti-GPL/Linux agenda so I guess that makes you two even.
Precisely.
The same goes for open and propriety software.
We have a Video Server that was written by a third party and the developer provides quality software on each and every feature request for cheap.
We have another provider who provides a CMS, it is propriety as well however the company are clearly only out to get cash money and the quality sucks and it reeks of Friday @5.30pm after an lunch down the pub development.
I don’t actually have an anti-GPL agenda … I have a Fedora 15 machine running next to me.
What I don’t like it out and out zealotry because it just isn’t helpful to anyone … I actually commented how I like TinyCore Linux in another post on this site.
Fair point.
My issue is with the fact that this somehow magically solves the problem instantly. There are other ways to see if application is malicious other than seeing the source code.
lemnur2,
“Each and every user is in a position to verify that the source code does indeed produce the binary. Most users just install from the binary repositories, safe in the knowledge that other users audit this for them.”
I think we’re overlooking an obvious attack vector though, if I’m a malicious repository maintainer and want to attack a target, then I will release legitimate source/binaries to everyone except my target, who might feel safe in the knowledge that other users have audited it for them.
The exchange between the repositories (which everyone uses) and the end users system is protected via key pair encryption. The public key of the repository is distributed to users via the installation CD of the Linux distribution … so a user cannot install Linux without getting a correct copy of the public key. Therefore, users are assured, via the package managers, that downloaded packages were prepared using the secret private key of the repository.
There is no way to “release legitimate source/binaries to everyone except my target”. Everyone gets the same packages.
lemur2,
“The exchange between the repositories (which everyone uses) and the end users system is protected via key pair encryption. The public key of the repository is distributed to users via the installation CD of the Linux distribution … so a user cannot install Linux without getting a correct copy of the public key. Therefore, users are assured, via the package managers, that downloaded packages were prepared using the secret private key of the repository.”
Hmm, I’m not sure you understand what I was trying to say. A repository admin may very well be able to send modified packages to specific targets since they are the ones authenticating all packages in the first place.
The certificate authority is the weakest link in all (bug free) public key cryptosystems. There is implicit trust there. Take HTTPS for example, a malicious (or imprudent) CA could create a false certificate, which web browsers would happily validate without error. The same is true of linux distro repositories.
I’m not alleging that this has ever happened, only that it would be possible.
Nitpick re bolded text: During development many open source projects are developed, maintained, and reviewed via code management tools such as git or SVN. Repository maintainers don’t “send” anyone code packages.
http://en.wikipedia.org/wiki/Git_%28software%29#Characteris…
But anyway, this topic is already addressed in these posts:
http://www.osnews.com/permalink?480607
http://www.osnews.com/permalink?480590
In terms of the methods of distribution of software to end users commonly employed, we are talking about a relative risk of about two million new pieces of malware uncovered per year for Windows executables versus approximately never in the entire history for Linux distribution repositories.
It is nice to get a handle on the relative risk, don’t you think?
Edited 2011-07-13 02:58 UTC
“Nitpick re bolded text: During development many open source projects are developed, maintained, and reviewed via code management tools such as git or SVN.”
Yes, absolutely. However the end result is mass distributed through distro repositories.
“Repository maintainers don’t ‘send’ anyone code packages”
Oh right, but that’s just semantics, let me rephrase:
A repository admin may very well be able to direct specific targets to malicious packages when the target requests updates from the repo.
I don’t see how. More importantly, I don’t see why a repository admin would do such a thing, what the repository admin could possibly expect to gain, or how a repository admin could possibly expect to get away with it for more than a minute or two …
Edited 2011-07-13 03:14 UTC
lemur2,
“I don’t see how. More importantly, I don’t see why a repository admin would do such a thing, or how a repository admin could possibly expect to get away with it for more than a minute or two … ”
What do you mean? I was thinking that the admin could target a specific victim by IP address (wait for the victim to request an update), but I suppose if he wanted to attack very few people at random he could do that too. He might even try to explicitly avoid people who recently downloaded source pages or devs who requested updates for GCC.
In any of these scenarios, I think it is unlikely that he would be caught in a minute or two.
“Errr, no … I don’t see how what you describe could possibly happen, but no-one can prove a negative …
From my perspective it seems that you are desperately trying to seek a negative and then trying to keep discussion focussed on that, all the while you are in ‘la la la I can’t hear that’ mode about the risk of trojans in the closed-source model of software distribution.”
I’m really hoping that you try to understand the weaknesses that I’m pointing out.
What you are saying about the risk of trojans in closed source software is fine, but it doesn’t have a bearing on the element of trust required from a repository admin.
The system doesn’t need any level of trust of the repository admin if there is no realistic way for a repository admin to do what you suggest, no reason for them to do it, no way that they could hope to get away with doing it, and no-one has ever done it or even tried to.
It still seems to me that you are desperately trying to direct attention to phantom risks cooked up by your imagination, and thereby draw attention away from the absolute certainty of the disaster that is the closed source model of software distribution, and the field day being had by malware authors exploting that.
lemur2,
“The system doesn’t need any level of trust of the repository admin if there is no realistic way for a repository admin to do what you suggest, no reason for them to do it,”
I’m trying to explain it to you.
Q. Who has the private repository signing keys?
Q. What is preventing them from deliberately signing malicious code?
You say an admin has no reason to do it, but I say that you have to “trust” they wont.
” no way that they could hope to get away with doing it”
What if they target one victim? How likely is it that’d be caught assuming the installed a trojan and then deleted the evidence of the malware package?
“, and no-one has ever done it or even tried to.”
Like you said, you cannot prove a negative.
“It still seems to me that you are desperately trying to direct attention to phantom risks cooked up by your imagination, and thereby draw attention away from the absolute certainty of the disaster that is the closed source model of software distribution, and the field day being had by malware authors exploting that.”
Please not this again, your attacking my person rather than my logic.
It wouldn’t be an “attack”, and I wouldn’t have to point it out, if you didn’t keep doing it.
Now, back to the point
… this is all one statement, it runs together, each step adds to the previous one, the point it makes is only debunked by considering the whole set and not by trying to pick quibbles with each part.
All I’m asking if for you to demonstrate that you understand what I’m saying by answering my questions.
You are jumping to the conclusion that I am wrong without having first understood my point. This is exactly the aggressive behavior I was hoping we could avoid.
What is preventing a roque repository admin in possession of the signing keys from signing a malicious version of a package?
There you go again … I haven’t said anything agressive at all, I merely point out what you are doing. I can’t help what you are doing, but I have every right to point out that you are doing it. You still are. As I said, it wouldn’t be an “attack”, and I wouldn’t have to point it out, if you didn’t keep doing it.
I already told you … “there is no realistic way for a repository admin to do what you suggest, no reason for them to do it (no point, nothing to be gained except vilification), no way that they could hope to get away with doing it, and no-one has ever done it or even tried to”. That is what is “is preventing any repository admin in possession of the signing keys from signing a malicious version of a package”.
This set of things that is preventing “a roque repository admin from signing a malicious version of a package” has been entirely and utterly effective to date.
<sarcasm>Its a good thing too, because it is a hell of a job keeping all those rougue repository admins in line.</sarcasm>
Sheesh!
Edited 2011-07-13 04:33 UTC
lemur2, stop avoiding the question!
What prevents a maligned repo admin from signing malicious code using the legitimate key?
Stop avoiding the answer.
I already told you … “there is no realistic way for a repository admin to do what you suggest, no reason for them to do it (no point, nothing to be gained except vilification), no way that they could hope to get away with doing it, and no-one has ever done it or even tried to”. That is what is “is preventing a maligned repo admin from signing malicious code using the legitimate key”.
You might say there is an utter lack of desire, motive, method and opportunity to do it.
BTW, this is 100% effective “prevention”.
Edited 2011-07-13 04:42 UTC
I guess you don’t have an answer then since I’ve already addressed your previous comment.
I’m left with the feeling that this may actually be how your personality comes to terms with defeat. You simply deny it, become combative and non-objective. Looking back, this actually explains a whole lot of our communication problems.
Is this an argumentum ad hominem? Damn strait it is, but in this case I think it reflects the truth, since you most likely are in agreement with what I’ve said, you are just unable to come out and say it. Of course you can deny this, but I’m actually quite comfortable that we have an unspoken understanding.
I do regret having broken my promise to you, however that knife cuts both ways.
Edited 2011-07-13 05:03 UTC
You did no such thing, you haven’t even got close to addressing the lack of desire, motive, method and opportunity for repository maintainers to attempt to sneak malicious code into a repository, let alone addressing the fact that the absence of all those things has been 100% effective to date in preventing malicious code ever getting into a repository.
I am astounded by the sheer chutzpah and audacity of this, it is epic.
Obvious troll is obvious.
Edited 2011-07-13 05:07 UTC
Yeah, that’s what people thought about the Morris worm too.
You’re wasting your time.
Let me attack your logic a little bit.
While it is true that you cannot prove a negative statement like “and no-one has ever done it or even tried to do”
it is easy to disprove a negative statement like that by showing just one single example where someone has “done it or even tried to”.
What you are trying to accomplish here is to equate the importance of
the reality of millions of malware downloads already having affected certain systems
to the importance of
the mere one-time possibility of a malevolent repository admin in some hypothetical future.
Meh. Perhaps I have poorly expressed it.
What I mean is that there is no possible motive, purpose, reasonable expectation of being able to get away with it, or desire for any hypothetical “malevolent repository admin” to ever emerge. It just doesn’t make any sense.
The fact that no “malevolent repository admin” has ever emerged, and no-one has even attempted to become one, over the entire operational history of open source repositories, is merely evidential back-up for this observation.
It is not “proof” because, as you say, no-one can ever prove a negative. It is just exceptionally strong supporting evidence, that is all.
I was attacking Alfman‘s logic.
I’m perfectly d’accord with yours.
So Google provides a search engine and adwords that promote these fake downloads….
and they also provide the Chrome browser that has a “check malicious downloads” feature.
I guess they really did think this thing through
I’m not sure about that … “Irony” is saying the opposite of what you really mean.
http://dictionary.reference.com/browse/irony
“the use of words to convey a meaning that is the opposite of its literal meaning”
What Google have effectively said is self-consistent! … twice they have indicated that you really need something to check Windows binary executable downloads, otherwise if you don’t somehow check you may well get malware.
I agree that these two occurences are self-consistent. There is malware on the net, so Google is correct in providing a scan-mechanism.
The irony is of course that Google helps to promote (adwords) and find (searchengine) the malware which is not behavior that you would expect from someone who builds a browser with a scan-mechanism for malware:
from the same link as you provided (http://dictionary.reference.com/browse/irony)
5. an outcome of events contrary to what was, or might have been, expected.
Fair enough. My comment was a bit tounge-in-cheek and I shouldn’t expect people to pick up on that. I guess we need <humour> tags as well as <sarcasm> tags, hey?
Edited 2011-07-13 03:23 UTC
Could someone please explain to me why anyone would download something from a non-official website? ok, I’ll put my ‘novice’ hat on for a moment and I’m surfing the internet – do I download something off a non-official website or do I decide to get the file straight from the source? It truly is amazing when I see idiots go off to ‘file download websites’ (‘BrotherSoft’ and ‘FileHippo’ being two that come to mind) when they could easily go directly to the official website and grab it off there.
I feel sorry for VLC (btw, is their name trademarked?) but I have absolutely no sympathy for end users who download stuff from third parties.
To me, it is a question of user expectations. The “paradigm”, if you will.
In Linux distributions these days, to install software the natural first port of call is the package manager.
On Windows machines, for many, many users, the first port of call might be a site like this:
http://majorgeeks.com/
Now such a site will do its best to protect its users, but no matter how hard they try, if the normal case is that authors of the software they link to can hide their source code from inspection by anyone else, then some malware trojans will get through. It is inevitable.
It is just the way it is. Hence the multi-million-strong legions of Windows machine botnets.
http://blog.l0cal.com/2011/07/07/these-companies-that-mislead-our-u…
VLC say: “We now have trademarks in most European countries, unfortunately still not in the US”
Oh, dang it … !!!
Just download from the ORIGINAL source. If someone is just plain stupid and downloads from some popup/ad, then it is not your problem, VLC guys!
You did some really outstanding job with VLC player. It is a swiss-army video knife, one of the best codecs-free [bundled] players out there. That’s the problem – popularity. Just get over it and do your work explaining everything on your website.
Stupid people need to educate themselves, really …
You’re right, but the problem here is dual:
1) The users that downloaded the program actually downloaded VLC + other cr@p. Infected users could say “I installed VLC and my computer now is 3x slower”, blaming VLC for a crime it didn’t commit
2) The malware could potentially make the host computer part of a botnet, potentially harming other people. Malware should NEVER be allowed in a computer!
Hey, come on, mate … it’s illogical.
Here’s the correct chronology:
USER downloads something from WRONG source => USER gets infected and its computer becomes part of the botnet.
It has NOTHING to do with VLC, really.
It’s all about STUPID [unskilfull if you wish] USERS.
Please, don’t blame your god for the murders people commit …
Of course it has nothing to do with VLC; “unskillful” users could be infected through *any* malware lure (fake antivirus, etc.).
But then, what the VLC guys are complaining about ?
To quote Fauvet
They do not want their (potential) users to become infected with malware, simple.
Let’s hope that Google will try to countermeasure this. It already did with fake sites that replicated content from stackoverflow.com and the likes.
While I don’t agree with what they are doing, they are not necessarily violating the GPL. It is a matter of whether they make the source available for the VLC software to whomever they distribute or not. (They do not necessarily need to make the source for their malware available if it is just sharing the installer.)
IANAL that’s just how I see it.
“so it fascinates me to no end”
the use of “to no end” AFAIK implies to no avail. i.e you were fascinated but alas, it was a waste of time”
on the other hand to say “it fascinates me no end” is english informal that implies there was no end to your fascination.
You may now go about your business. And please feel free to correct me if I’m wrong and if you have nothing better to do…. like me.
VLC just should stop releasing and close its web site until the “affair” is solved. I’m sure that would move people…
Kochise
He’s so busy being in the pockets of the MPAA and RIAA, making news laws to regulate the web, he ought to make himself useful in doing something about malware instead.
http://leahy.senate.gov/
Or failing that, ask him how much of a campaign contribution (bribe) it takes to buy him.