Canonical, the company behind Ubuntu, will announce on Feb. 6 that it’s making Parallels Workstation for Linux available to users through the Ubuntu Partner Repository. Parallels, formerly SWSoft, the company behind the open-source virtualization program OpenVZ, is best known for its Parallels virtualization software that works with Mac OS X. Parallels Workstation for Linux won’t let you run Mac OS X, but it will enable you to run multiple versions of Windows or Linux with Ubuntu.
I have a different interpretation, which is that Ubuntu is becoming a middleman between ISVs and their customers. Why? Is it so hard to use the Web to find and install software, like Windows and Mac users do?
When a Windows user searches the Web to “find and install software” they run a significant risk that the software they download and install is malware.
It is possible to do this and still avoid malware, but one needs to be software “savvy”.
If one uses Linux OTOH and adopts a simple policy of “always install software from repositories” … then anyone can avoid malware. Even non-savvy end users of software can ensure their system is clean and yet fully functional using a simple policy such as this.
You cannot follow such a policy on a Windows system.
Linux software in repositories is open source, and hence guaranteed to be open to inspection … and hence impossible to “hide” malware within it.
Nope; Parallels is closed source.
Sure you can, so please do not spread FUD here. I recommend Avast or AntiVir PE. Both are available for free. They update themselves automatically and can be set to auto-scan files downloaded from the Internet before they run.
The policy the original poster was talking about is the install-from-repository-only policy. Do you really mean that Windows has something equivalent to that?
And what is the purpose of that policy, according to that person? As far as I understood, it is about being “safe from malware”.
Leaving malware issues aside, if you stick to the packages found in the repos you can be sure that they’re absolutely compatible with your distro, avoiding libraries/misconfigurations issues.
And what to do when repos do not have the thing I need, for example “GPRS_EasyConnect”? All howtos I googled for failed, and that tool saved my day when I needed an Internet connection via GPRS on Ubuntu and my hardware.
So you are trusting a third-party company with the security? Nice…
I’m always trusting third parties with my security. I don’t have the time or knowledge to do my own complete security audits on every piece of code I use. So at the end of the day I simply trust that OpenBSD, Sun, Red Hat, Ubuntu, the KDE team or whoever has done a good enough job.
Funny, I thought there was NO malware for linux.
I never have understood this. Just because you make the source available doesn’t mean that it is the same as the binary version. This would be correct if you ONLY built from source and were able to fully understand the author’s code.
Now you exposed them clearly. They just believe in Open Source. It’s a sort of religious faith; there is no room for reason.
Shhhhhh……
The trolls will mod you down!
Edited 2008-02-06 03:11 UTC
trolls….got……..me……..urk
Sometimes your posts are so stupid…
The user does not need to understand the code; that is the job of the maintainer of the repository.
A maintainer reads all code from all programs and is able to understand all of it? Wow!
Thank you.
There is no malware in open source applications. That does not equate at all to the same thing as “there is NO malware for linux”.
It isn’t at all hard to understand.
The repositories contain compiled binary packages meant for particular distributions. The source code for said packages is held in source code management systems … git, cvs and subversion are typical ones used for Linux. There are the equivalent of approximately 1.5 million full-time programmers who contribute to open source projects, and they can read and understand and compile code, and they use such code on their own systems.
http://en.wikipedia.org/wiki/Concurrent_Versions_System
http://en.wikipedia.org/wiki/Git_%28software%29
http://en.wikipedia.org/wiki/Subversion_%28software%29
If there was ever a case where the binary package that was in the repository did not match the result when source code for the same version was compiled, then the complaints would be loud and immediate from the community. It does not matter if you cannot understand the source code yourself or compile it for yourself, as long as you are assured that there are programmers who can. People who use the same packages themselves and who can read the code and compile it and vet it independent of the maintainers of the repositories.
Ergo, AFAIK there has never been a case of malware “hidden” in packages from open source repositories.
If you know of a real case where this actually happened, then pray tell, enlighten us all.
Edited 2008-02-06 12:51 UTC
How would you know? There is no per-application packet filtering, so any app could ‘phone home’ without you knowing. The maintainers would have to go through every line of code for every program and be able to understand the code as well. With the amount of apps available, this would be impossible.
From my own coding experience, it’s very difficult to understand your own code if you leave it for a few weeks, let alone grab someone else’s code and understand what all of it does.
‘Phone home’ to where, exactly? To the fictional ‘surreptitious malware inserter’? To the repository maintainers? To the distribution sponsors? To the application’s developers/owners/sponsors? To the world-wide 1.5 million+ open-source developers who can inspect the code?
You think all these independent parties & individuals, who all have a stake in the quality of the code, are colluding to steal your e-mail address? Ludicrous.
Pfft.
Not at all. The entire community (not just the maintainers) has access to the source code and the results of the maintainer’s compilations.
Not with 1.5 million developers and tools such as source code management it isn’t.
http://en.wikipedia.org/wiki/Concurrent_Versions_System
Every line of code, every change, every submission, every rejected submission over the entire history of the code is pored over. After all, the people who look at the submissions to open source projects have their own reputations to uphold, and they also fully intend to be using the code themselves.
Any free-market capitalist will tell you, there is no motivator like self-interest. It is in the self-interest of the open source community to produce & maintain quality code, written in the best interest of the end users. Without users, there is no project at all. Without quality, there will be no users.
It is called collaboration. Community development. Self-help. Meritocracy.
It works, too.
Edited 2008-02-07 05:53 UTC
Can or do? Having faith is one thing, proof is another.
Now come on, when did I state that?
As long as it is free you can.
I will repeat my statement from below:
“Many thousands of (open source) packages are managed with this process (repositories), through hundreds of versions, over many years, and there is not one case on record AFAIK where it has been documented to fail in the way that you suggest (malware inserted somehow). You are welcome to bring up a counter-example if you know of one to refute this contention. Otherwise, the empirical result then would tend to strongly favour my argument over yours.”
Blah, blah, blah.
Btw, exactly what distro do you use? Just curious.
There is closed source in repositories. You can install, for example, vmware-server in Ubuntu from the non-free repo.
Uh, it certainly is not impossible to hide malware in open source. If a repository is compromised, then you cannot trust the repository. If nobody looks at the code for a particular app in the repository, then it could contain malware.
It is unlikely, but not impossible.
You clearly misunderstand the process here.
Package repositories typically do not contain source code. Source code management systems typically control the source code.
1.5 million full-time-equivalent programmers constantly look at the source code.
Repository maintainers take a particular point release of the source code, inspect it thoroughly, compile it, test it, make sure it works with the rest of the distribution, package it, digitally sign the packages and put it into the package repositories.
There is just no way imaginable that intentional malware can casually be submitted to a source code management system, get accepted into the build, compile properly in test versions, get released to a point release, get taken up by a repository maintainer, compiled, tested again, digitally signed and placed into a distribution’s package repository without anyone even looking at the code.
Just won’t happen. Especially if the original submission of code patches was anonymous …
Even if a distribution’s repository server is hacked into, there is no way that anyone could just slip in a doctored package with a correct digital signature …
You cannot hide malware in open source repositories.
I understand the process just fine.
“There is just no way imaginable that intentional malware can casually be submitted to a source code management system, get accepted into the build, compile properly in test versions, get released to a point release, get taken up by a repository maintainer, compiled, tested again, digitally signed and placed into a distribution’s package repository without anyone even looking at the code.”
Uh, if malware is submitted with working code, and that code is not properly vetted (human error does happen), then malware can make it into the repository. It’s that simple. If you cannot imagine a way for it to happen, that does not mean that it cannot.
Do you actually know how hard it is to get code accepted into an open source project? Ask Con Kolivas. (Google it if you are interested).
It would take unbelievable chutzpah to submit source code of malware (and incredible effort to obscure its intent) to an open source project and effectively say … here, infect your community project with this for me, would you? It beggars belief that anyone would even try this.
Back to the point … when you say: “If you cannot imagine a way for it to happen, that does not mean that it cannot” … you are quite correct. For me to argue otherwise would be “argument from incredulity” on my part, which is a logical fallacy.
http://en.wikipedia.org/wiki/Argument_from_incredulity
Having said that, as far as I am aware there is not one case on record, over the many years that this “source code management system + repository + package manager” mechanism of delivery & installation of open source packages has been in place, where deliberate malware has found its way via that mechanism on to end-users machines.
Bugs, yes. Package breakage, yes. Even system breakage … yes, unfortunately. Mistakes of many types … yes. Deliberate malware/spyware … no.
Many thousands of packages are managed with this process, through hundreds of versions, over many years, and there is not one case on record AFAIK where it has been documented to fail in the way that you suggest. You are welcome to bring up a counter-example if you know of one to refute this contention. Otherwise, the empirical result then would tend to strongly favour my argument over yours.
Edited 2008-02-07 23:05 UTC
“Bugs, yes. Package breakage, yes. Even system breakage … yes, unfortunately. Mistakes of many types … yes. Deliberate malware/spyware … no.”
I disagree; it could happen. It might be unlikely, which I have already stated, but not impossible.
End of Story
No. Most companies that offer their software on Linux also provide packages of it. It’s perfectly possible to download, for example, a standalone .deb package, double-click on it in Nautilus and install it. You don’t HAVE to use the repositories.
True. You don’t HAVE to use repositories. You could adopt a policy similar to what Windows users are forced to follow, and download binary packages from assumed-reputable web sites and trustingly install these on your system.
… or you could adopt a policy of only installing software via the repositories, and avail yourself of the efforts of the repository maintainers to compile it correctly configured for your distribution, and enjoy the benefit of those packages being able to be vetted by any number of programmers who also use the selfsame packages and who can also independently compile from the source to check the integrity of packages from the repository.
Edited 2008-02-06 13:03 UTC
Many, many years ago (about Windows 3.1 time) someone told me jokingly that in the “next version of Windows you will be only able to use software approved by Microsoft”.
Seems to me that joke materialized today in the form of “online repositories” and Big Brother is watching all of us closely – but this time not from Redmond, WA 😉
Edited 2008-02-06 22:44 UTC
1. The repository maintainers typically do not write the code. They just compile it, test it, package it and digitally sign it. There is nothing to be gained by a repository maintainer in censoring the available packages, and indeed the diversity and larger number of packages that any given distribution has in its repositories is a selling point. The fact that Debian/Ubuntu has a larger number of packages in its repositories than other distributions is one of the main reasons why Ubuntu is popular.
2. Repository maintainers do not control you. If you adopt a policy of “always install from repositories” … it is you who decided to adopt that policy, not the repository maintainers. Repositories are a service that YOU decide if you want to use, or not.
3. There is no login required to access a distribution’s repository. You do not need to ID yourself. The major distributions have mirror sites for their repositories, and other independent sites, and a lot of businesses will happily sell you (for a few dollars at most) an “updates CD” with the latest contents of a repository without even requiring you to tell them your name. You are not being monitored by repositories.
4. You can make your own repository. You can add repositories from other parties.
You need to find out a bit about repositories before you make silly comments. Read up on the topic, then get back to me on how that “controls you” in any way at all.
https://help.ubuntu.com/community/Repositories/Ubuntu
BTW, if you dislike official software repositories: http://www.getdeb.net/
Enjoy!
Edited 2008-02-07 03:04 UTC
… and check the code carefully line by line, to assure us that there is no malware hidden in it, before they digitally sign packages. What a relief! Linux is really safe! There is no need to bother with anti viruses and firewalls on it!
In fact, they all live in NASA’s secret base on the far side of the Moon. And we can be absolutely sure that none of those maintainers are working for web-targeting criminal organisations.
Edited 2008-02-07 12:06 UTC
What on earth have you got against the repository maintainers?
The point is this: the repositories contain packages, which purport to be compiled versions (targeted for a particular distribution and a particular system architecture) of source code which is visible to anyone and which is held in one online source code management system or another. Anyone can compile the same source code themselves, and confirm for themselves that the compiled binary indeed matches the source code that supposedly generated it.
Many developers actively track down bugs in said distributions, because they use that distribution themselves and have a self-interest in ensuring that it is well maintained and advanced, and they can perform, and do perform, such verifications.
Not once has there ever been a case of a repository maintainer “slipping” something malicious into the compiled version of a distribution’s package. Not once in however many years, through countless versions of however many packages in open source repositories.
The repository maintainers have nothing to gain from doing such, everything to lose, and would surely get caught out in very short order if they ever did try such a trick.
Ergo, there is no malware in code installed from repositories.
Are you following this yet? It should be fairly obvious, but I always seem to run into people who just cannot, or will not, see. There are anti-evolution sites and flat-earth societies on the web that are eminently reasonable and logical when compared to some people.
Edited 2008-02-07 12:27 UTC
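The two comments above lean on the same mechanism: the repository key signs a Release file, the Release file carries the hash of the Packages index, and the index carries the hash of each .deb, so anyone can check that the binary they received is the one the maintainers vouched for. The following is an added example (not from the thread, nor Debian’s or Canonical’s code) that walks that hash chain over constructed sample files, assuming the GPG signature on the Release file has already been verified with a tool such as gpgv.

```python
"""Verify the APT hash chain: Release -> Packages -> .deb (added example).

The signature on the Release file is assumed already checked (gpgv); this
shows the hash chain that signature anchors. All inputs are constructed.
"""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the bytes of a downloaded .deb archive.
DEB_BYTES = b"!<arch>\ndebian-binary   constructed sample package content\n"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"

# Constructed Packages index in the Debian control-file format (one stanza).
PACKAGES = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256(DEB_BYTES)}\n"
    "\n"
).encode()

# Constructed Release file: the part of the repository the archive key signs.
RELEASE = (
    "Suite: stable\n"
    "SHA256:\n"
    f" {sha256(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n"
)


def release_entry(release: str, path: str):
    """Return (sha256, size) recorded for `path` in the Release SHA256 section."""
    in_sha = False
    for line in release.splitlines():
        if re.match(r"^[A-Za-z0-9-]+:", line):   # a new field header
            in_sha = line.startswith("SHA256:")
            continue
        if in_sha and line.startswith(" "):      # " <hash> <size> <path>"
            digest, size, name = line.split()
            if name == path:
                return digest, int(size)
    raise KeyError(path)


def parse_packages(packages: bytes) -> dict:
    """Map Filename -> (sha256, size) for every stanza of a Packages index."""
    out = {}
    for stanza in packages.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields:
            out[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return out


def verify_chain(release: str, packages: bytes, filename: str, deb: bytes) -> bool:
    """True only if Release vouches for Packages and Packages vouches for deb."""
    digest, size = release_entry(release, "main/binary-amd64/Packages")
    if (sha256(packages), len(packages)) != (digest, size):
        return False   # index does not match what the signed Release lists
    want = parse_packages(packages).get(filename)
    return want is not None and (sha256(deb), len(deb)) == want


if __name__ == "__main__":
    print(verify_chain(RELEASE, PACKAGES, DEB_PATH, DEB_BYTES))          # True
    print(verify_chain(RELEASE, PACKAGES, DEB_PATH, DEB_BYTES + b"x"))   # False
```

A locally rebuilt package can be checked the same way: feed its bytes in as `deb`, and a match shows the repository binary corresponds to the source you compiled.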
I have no reason to trust them either. People are always the weakest point of any security. Do you trust them completely? Why? Or do we just come back to the question of religious faith?
It has nothing whatsoever to do with faith.
1. It is in the best self-interest of the repository maintainers to do the right thing.
2. Everything they do is in the direct public view, and open to scrutiny.
3. The record of the repository maintainers is impeccable.
4. The ongoing continuous activities of a large community of people would quickly uncover anything wrong or malicious that any repository maintainer attempted to do.
You can directly measure the performance and trustworthiness of maintainers of open source repositories.
That puts them in a position worthy of trust far more so than the position of any author of any closed-source software, who after all jealously hides from everyone what they have done and how they have done it, and whose readily apparent best interests often diverge markedly from the best interests of people who might be using their software.
Who would you trust?
If you answer “the vendors of closed-source proprietary applications”, then I have got a very nice bridge that you might be interested in buying.
Edited 2008-02-07 13:04 UTC
Well, obeying the traffic lights is also in the self-interest of pedestrians and drivers. But there are always people who will try to do otherwise.
Money from criminal activity attracts people much more than fifteen seconds “saved” by walking or driving through a red light. And criminal organisations are certainly aware of Linux market share in the server market.
But right now I am not in the mood to do philosophical debate, so I leave you with your beliefs. Enjoy it.
All of which denies the actual record.
It is a matter of actual record, of actual fact, not mere belief, that there has never been an instance of deliberate malware introduced via installing software from open source repositories.
It is a matter of record, of fact, that there have been countless millions of installations of malware through the practice of downloading binary-only installation packages of closed-source software.
You can carry on with your so-claimed philosophical debate as long as you wish, you are still in the final analysis faced with the cold hard facts on record. Those facts speak volumes that your bias against open source is the only thing in this discussion that is based on religious belief.
Edited 2008-02-07 22:35 UTC
Regardless of whether the app is closed or open having it come through the repositories is a good thing, especially for the kinds of people who can’t keep their Windows installations clean.
When it comes from the repositories you have someone vouching for it. Someone who has tested it to see if it works and if there’s anything non-kosher about it. Going to a website to get it gives you none of those benefits. Sure, you could do some research about it before downloading and see how other people feel about its safety, but that’s a lot of work and is still not as thorough as the people in control of the repository would be.
Those malware-ridden p2p apps that were everywhere a few years ago would never have made it into our repositories.
And, even if one totally ignores the security aspect, going through a repository is easier and faster. I don’t want to do things the old way.
Are you saying that all repositories are safe? Install a package from Ubuntu’s official ‘universe’ repository and you get a warning that you may get infected with malware.
Wrong, you get a warning saying that those packages are provided and supported by the community. If you’re going to troll (btw, did Ubuntu/GNU/Linux rape your sister or something?) at least do it right.
The point is it is still in the repository and I was replying to
Did you even read the message I was replying to? How does my reply make me a troll?
And I’m the troll? Sheesh!
How could they test for some malware like spyware? There are no Linux apps to do this. Plus, there is no per-application packet filtering on firewalls to catch any app that is secretly communicating over the net.
So how do they test, who are they and can we sue them if they get it wrong?
Edited 2008-02-06 03:39 UTC
At this point you are sounding like an irate fool. Canonical checks the software that goes into their repos. Some random guy can’t just go into the repos and insert malware. Do you go to Apple and ask them if the software on their downloads page is malware? No, you assume that Apple isn’t going to try to f–k their users on purpose. Even though some of the responses about the repos have been misguided, you have to realize that having one central source has many benefits, one of them being able to update your WHOLE machine without having five system tray icons asking you to update, or having to go to each respective app’s site to download the latest version, or having said app pummel you into updating with annoying pop-ups. That to me is the major draw of using something like apt-get. The same argument you had was made about ubufox.
Lol! This is so funny, yep, you know how it works, Canonical checks the software. What a great reply. Cleared everything up for me.
When did I say that someone could? The point was that there are no tools to check for spyware. So how exactly do they check?
And what about my firewall point?
http://www.wireshark.org/
http://en.wikipedia.org/wiki/Wireshark
I’m trying to figure out what the advantage to Parallels on Linux would be over an equivalent/better open source solution, such as VirtualBox. I’ve seen several reviews giving it better marks for speed than both Parallels and VMWare products. VirtualBox also has the advantage of running on all three major platforms with a single user interface (naturally, since it’s written using C++/Qt).
However, if you have $49.99 that’s just burning a hole in your pocket, feel free to buy Parallels; I’m a college student, so I don’t have that problem.
Commercial advantage for Canonical and Parallels.
SmartSelect on Parallels Desktop for Mac is amazing. It allows you to double-click on a Windows-type file (say .doc or .xls) and have it open in Word for Windows, all automatically. The reverse is also true; you can open a Mac-type file inside your VM and have it open in a Mac program. This, to me, is worth the cost of Parallels. Of course, I’d love to have it for free, but until then, Parallels gets my $80 of hard-earned cash.
I was one of the earlier buyers of Parallels Workstation for Linux (from the time it was still an inch away from SVista, the previous incarnation of the product). But once the product took off on the Mac, Parallels neglected the Linux version. For a long time you had to manually patch the included drivers, because they didn’t work with current kernels (though it seems they have updated packages of 2.2 now). Besides, the Linux version had no feature parity with the Mac variant.
If you want virtualization, it is probably better to use a product from a vendor that cares at least a bit about Linux, like VMWare or Innotek (VirtualBox).