Linked by Thom Holwerda on Wed 21st Sep 2011 22:06 UTC, submitted by kragil
Windows After the walled garden coming to the desktop operating system world, we're currently witnessing another potential nail in the coffin of the relatively open world of desktop and laptop computing. Microsoft has revealed [.pptx] that as part of its Windows 8 logo program, OEMs must implement UEFI secure boot. This could potentially complicate the installation of other operating systems, like Windows 7, XP, and Linux.
Permalink for comment 490430
To read all comments associated with this story, please click here.
RE[7]: Comment by OSbunny
by lemur2 on Fri 23rd Sep 2011 01:35 UTC in reply to "RE[6]: Comment by OSbunny"
Member since:

As an example: If an evil entity wanted to, they could create a new linux distro complete with it's own repository. This is certainly possible. Then, using the exact same technology other distros use, they could then distribute malware via that repository. Do you admit that there is nothing about the repository technology itself to make malware impossible? Isn't the only difference here the integrity of the maintainers?

These are all legitimate questions, I'd be grateful for legitimate answers.

This is getting way off topic, but the legitimate answer is to look at what actually happens.

Hundreds of millions of Windows PCs are compromised by trojan malware deliberately introduced into Windows executables and then distributed to unsuspecting users via channels that said users normally use.

In contrast, open source developers typically form groups to collaborate on products for their mutual benefit, with no other common ties other than their own self-interest in the integrity of the product, putting in thousands of hours work which necessarily involves pouring all over the code submitted by colleagues. The ONLY imaginable opportunity to inject malware in semi-secret would be after the source code is taken from the development server, compiled, tested and signed by a repository maintainer, and placed into the repository for distribution. The repository, however, requires both binary code and source code to be made available, so the repository maintainer could only get away with injecting intentional malware by having the binary not match the source code. However, downstream recipients of the code can compile it themselves, and check it against the binary, so such a ruse (if it was ever attempted) would easily be discovered.

So in effect we are talking about a scenario roughly equivalent to a bank robber attempting to rob a bank by submitting a withdrawal slip with his/her real, verifiable signature on it.

So no, we don't have to trust only the integrity of repository maintainers. We can absolutely rely simply on repository maintainers following their own best self-interest, a not incriminating themselves to all the world.

Have a think to yourself just how silly your suggestions really are in the real world, and then perhaps you might come to a realisation as to why they have never eventuated.

You are the one who is making the extraordinary claim that it is possible to put intentional malware into an open source product and then have it distributed to end users using the repository system, yet you have absolutely zero instances when this has ever happened.

Put up or shut up.

Edited 2011-09-23 01:49 UTC

Reply Parent Score: 2