Linked by Thom Holwerda on Tue 10th Nov 2009 09:31 UTC
Windows Last week, security vendor Sophos published a blog post in which it said that Windows 7 was vulnerable to 8 our of 10 of the most common viruses. Microsoft has responded to these test results, which are a classic case of "scare 'm and they'll fall in line".
Permalink for comment 393952
To read all comments associated with this story, please click here.
RE[4]: Comment by satan666
by lemur2 on Wed 11th Nov 2009 04:02 UTC in reply to "RE[3]: Comment by satan666"
Member since:

"Secondly, the correct method of installing software on Linux is via the package manager. Package managers and the associated online repositories allow for a system where any piece of software can be audited and verified by any person on the planet. Anyone at all, not just the person who wrote the software. If everyone on the planet can see what is in a piece of software BEFORE it gets to end users, this makes it very difficult indeed to hide malware within that software.
The "package manager and associated online repositories" doesn't work with commercial/proprietary software, where you don't have the source code. The best that an auditor can do in that case is GUESS whether the software contains malware or not; for example, an application may only reveal itself as malware under timed conditions (only destroying your machine or turning it into a zombie after a period of time). And, since there is an unquestionable need for commercial/proprietary software, you don't have a solution. "

When package managers (on an end users system) are enabled to use an additional repository which holds binary-only software, then it is true that for that small set of packages the end users have no ability to audit them. They could potentially contain malware.

This is the risk one takes when one adds repositories for closed-source applications.

This is the PRECISE reason why such repositories are not enabled by default on most distributions.

You add the repository at your own risk.

My advice would be to refrain from ading such a repository until many thousands of expert users had had a chance to trial the applications. A few months after first release might be enough time. If there was any malware, it should have shown up by then.

Mind you, if a software supplier did set up a closed-source repository, and an application therein did contain malware, and end users did end up with malware as a result ... that story would be all over the net in days. You wouldn't hear the end of it. Windows fans would be jumping with glee, Linux users would be livid, and the site would be blacklisted (as a critical security update) almost immediately. You wouldn't have time to blink.

The fact that this has never actually happened also nicely illustrates the security of package managers and repositories as a distribution mechanism, even when it comes to closed-source applications.

Keep going with these posts, you are doing a very good job so far of highlighting the fact that this repository/package manager system for distribution of Linux software is vastly superior to anything for Windows.

Reply Parent Score: 2