
#1 2022-06-08 03:48:44

linktogunner
Member
Registered: 2022-06-08
Posts: 1

General package security.

Hello everyone. First time Arch user, first time poster.

I just recently installed Arch. I had used Ubuntu and Mint in the past for probably about 20 hours all together, took a massive break from computing, and came back and installed Arch on my laptop. The install went well, and I really do like this distro and Linux in general. Years ago, before I used Linux, I was a Windows-only user.

I have looked up various articles, Reddit posts, posts on this forum, and the wiki. I have got some decent info from all of these sources but nothing that has explicitly pointed me in the right direction. My main two questions boil down to these:

In the Linux world, we are dealing primarily with F/OSS. With all this free software, packages, etc., how in the world can it be secure in terms of a user's personal data, passwords, banking info and the like? How can someone be reasonably sure that among the thousands of lines of code in their packages, software, etc., there is not some malicious code in there sending information back out?

And lastly, are there any helpful resources out there that do somewhat of a deep dive into this topic that I can read, watch or listen to? Specifically as it pertains to the threat model I just described above (malicious code in packages that a normal user would download from official repositories)?

At the end of the day, I continue to use Linux because I just think it's cool. It makes computing fun, and it's something I don't have experience with, so it makes it an adventure to learn and grow. I use my computer for CAD, and to do work that entails sending emails, banking... normal user stuff. I would just like to hear some input on this topic and possibly have an open discussion. Like I said earlier, I am specifically interested in the meat and potatoes, day-to-day security of my personal information, especially in regards to banking information and passwords being intercepted somehow. Thanks for your time everyone.

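The threat model in the opening post (a package from a repository carrying code the user never asked for) is what distribution build tooling tries to narrow with integrity checks. The script below is an added example for this thread, not code from Arch, pacman or makepkg: it mimics one small part of what makepkg does by comparing each entry of a PKGBUILD-style `sha256sums=()` array against the matching file named in `source=()`, and it flags entries marked `SKIP`, which receive no integrity check at all. The PKGBUILD text, the source files and the hashes are all constructed inline for the demo; only `sha256sums` is considered, not the other checksum arrays a real PKGBUILD may use.

```python
"""Audit the integrity checks declared in a PKGBUILD-style build script.

Added example for this thread, not code from Arch, pacman or makepkg.
Everything below (PKGBUILD text, source files, hashes) is constructed.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path


def parse_array(text: str, name: str) -> list[str]:
    """Return the items of a bash array assignment such as name=(a 'b' "c")."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.MULTILINE | re.DOTALL)
    if not m:
        return []
    return [tok.strip("'\"") for tok in m.group(1).split()]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_sources(pkgbuild: str, srcdir: Path) -> dict[str, str]:
    """Map each source file name to one of: ok, mismatch, unverified, missing."""
    sources = parse_array(pkgbuild, "source")
    sums = parse_array(pkgbuild, "sha256sums")
    result: dict[str, str] = {}
    for i, src in enumerate(sources):
        # The local file is the part before '::' when a rename prefix is used,
        # otherwise the last path component of the URL or bare file name.
        name = src.split("::", 1)[0] if "::" in src else src.rsplit("/", 1)[-1]
        expected = sums[i] if i < len(sums) else None
        path = srcdir / name
        if expected is None or expected.upper() == "SKIP":
            # No checksum: a swapped or modified file would pass unnoticed.
            result[name] = "unverified"
        elif not path.exists():
            result[name] = "missing"
        elif sha256_file(path) == expected.lower():
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


def demo() -> dict[str, str]:
    """Run the audit over a constructed PKGBUILD with one example of each outcome."""
    good = b"int main(void) { return 0; }\n"
    good_sha = hashlib.sha256(good).hexdigest()
    bogus_sha = "0" * 64  # placeholder digest that matches nothing
    with tempfile.TemporaryDirectory() as tmp:
        srcdir = Path(tmp)
        (srcdir / "good.c").write_bytes(good)
        # Same declared checksum as good.c, but the content was changed afterwards.
        (srcdir / "changed.c").write_bytes(b"int main(void) { return 1; }\n")
        (srcdir / "helper.sh").write_bytes(b"#!/bin/sh\necho hello\n")
        pkgbuild = (
            "pkgname=demo\n"
            "pkgver=1.0\n"
            "source=('good.c'\n"
            "        'https://example.invalid/changed.c'\n"
            "        'https://example.invalid/helper.sh'\n"
            "        'https://example.invalid/absent.c')\n"
            f"sha256sums=('{good_sha}'\n"
            f"            '{good_sha}'\n"
            "            'SKIP'\n"
            f"            '{bogus_sha}')\n"
        )
        return audit_sources(pkgbuild, srcdir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

The useful signal for a reader of this thread is the `unverified` case: a checksum only protects a build when one is actually recorded, so a `SKIP` entry (legitimate for VCS sources that are pinned by commit, questionable for a tarball) is the line worth reading before trusting a build script.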

#2 2022-06-08 04:03:17

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: General package security.

linktogunner wrote:

With all this free software, packages, etc., how in the world can it be secure in terms of a user's personal data, passwords, banking info and the like? How can someone be reasonably sure that among the thousands of lines of code in their packages, software, etc., there is not some malicious code in there sending information back out?

Why would you assume that this is only an issue with FOSS? Proprietary software has a much worse track record for not respecting users' privacy/data. At least with FOSS, the code is available for people to read, rather than just relying on some corporation saying "trust us".


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#3 2022-06-08 13:09:39

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: General package security.

Is a medication or nutritional supplement safer because the manufacturer can get away with not listing any of the ingredients and instead just calling it a proprietary formula? Contrast that to a manufacturer that not only lists the ingredients, but has crystal-clear transparency in their entire production process, including regularly inviting in independent third parties (including those who are critical of the product) to inspect their factories while publishing their R&D steps in creating the supplement in peer-reviewed journals accessible to any interested party.

I'd not claim that this transparency would assure any certainty of safety / security, but it's certainly a huge step in that direction - and it's beyond certainly not a detriment to security!

Last edited by Trilby (2022-06-08 13:10:31)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#4 2022-06-08 15:34:40

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,740

Re: General package security.

I would also add that FOSS is heavily dependent on its reputation. If a project were caught deliberately abusing the user, that project would likely die a swift death -- possibly through forking. For some reason, abuse is historically tolerated from proprietary vendors, starting way back in the bygone days of mainframes and continuing with most of the current cloud vendors. What's worse, forking is not an option for proprietary stuff.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#5 2022-06-08 18:18:45

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: General package security.

ewaller wrote:

For some reason, abuse is historically tolerated from proprietary vendors

Because of the all-or-nothing offering. If some of the proprietary OS's software is good, but other bits are problematic, one generally is not able to pick and choose. Bad software gets a free ride along with the good stuff. This is compounded, of course, by the fact that many schools and workplaces may expect / require that one uses a specific proprietary OS; this then acclimates people to sucking it up and living with some bad software.

With FOSS, if most of a system is great but a bit sucks, that last bit gets tossed and replaced by another alternative. The modularity, and the lack of a singular all-or-nothing suite of software, is what allows for this.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#6 2022-06-08 20:14:42

dogknowsnx
Member
Registered: 2021-04-12
Posts: 648

Re: General package security.

Trilby wrote:
ewaller wrote:

For some reason, abuse is historically tolerated from proprietary vendors

Because of the all-or-nothing offering. If some of the proprietary OS's software is good, but other bits are problematic, one generally is not able to pick and choose. Bad software gets a free ride along with the good stuff. This is compounded, of course, by the fact that many schools and workplaces may expect / require that one uses a specific proprietary OS; this then acclimates people to sucking it up and living with some bad software.

With FOSS, if most of a system is great but a bit sucks, that last bit gets tossed and replaced by another alternative. The modularity, and the lack of a singular all-or-nothing suite of software, is what allows for this.

Exactly, but what's more disturbing (to me at least) is that the "Bad software gets a free-ride along with the good stuff" aka "subject matter" into children's developing brains within said "institutions" and the snake bites its own tail (pun intended)...

Last edited by dogknowsnx (2022-06-08 20:19:41)


Notifications for Arch Linux package updates
RI - Rest your Eyes and Self

"We are eternal, all this pain is an illusion" - Maynard James Keenan

