I wrote: "Really? There are enough people with enough time to pore over millions of lines of code across thousands of different packages across hundreds of different distributions that malicious code can't easily slip through from time to time, and not be picked up and corrected for several days if not weeks?"
You replied: "Yes, there is. Remember that this is not a centralized process. Take the kernel, for example: the kernel devs audit the kernel code. The distro makers then take copies of those kernels (digitally signed and checksummed) then make patches for them, which are also reviewed, and then packaged, checksummed and signed. There's virtually no room for someone to insert malicious code, which is why it has only happened a handful of times over the years.
This isn't Wikipedia - there's a method to the madness."
I would like to see your reasoning behind that assertion. How many hours does it take one person to audit 1000 lines of code? How many lines of code can any one person audit in, say, a week? How many people are available in any given week to do this? Debian has tens of thousands of packages in its repositories, constituting tens if not hundreds of millions of lines of code. Some of this code is unmaintained, or worked on sporadically, and would rarely be examined closely by anyone, especially if it was packaged in a Debian-derived distro where people are assuming that the software was automatically packaged.
Harmful code doesn't have to be deliberately malicious to do damage.
A coder who inserts a trojan into some network code that siphons out things like passwords and bank account details can gain a lot (or may think they have much to gain, even if in reality they don't) for the risk of ostracism from the OSS community.
I put it to you that there are simply not enough people with enough time and expertise to cover all of the bases, or even half of them.
Don't get me wrong, I like and support Free OS software, but I am a little sceptical about the security claims made about it at times. Just because anyone can theoretically audit the source code for the software they are using doesn't mean that they do, or have the expertise to do so, and there are simply too many gaps for things to slip through unnoticed until it is too late.
I am not saying closed source is any better - it is quite the opposite since you have no chance of reviewing the code, but the difference is that with closed commercial software there is someone to sue (in applicable jurisdictions) or press charges against if they stick trojans that skim bank account details into their software (for example - this is a cybercrime that is punishable by law), whereas OSS coders are often anonymous or use aliases, and may be very difficult to capture and prosecute.
Really? There are enough people with enough time to pore over millions of lines of code across thousands of different packages across hundreds of different distributions that malicious code can't easily slip through from time to time, and not be picked up and corrected for several days if not weeks?
Yes, there is. Remember that this is not a centralized process. Take the kernel, for example: the kernel devs audit the kernel code. The distro makers then take copies of those kernels (digitally signed and checksummed) then make patches for them, which are also reviewed, and then packaged, checksummed and signed. There's virtually no room for someone to insert malicious code, which is why it has only happened a handful of times over the years.
This isn't Wikipedia - there's a method to the madness.
I am sure that once detected, the response to the malicious coder would be as you describe, but that doesn't stop them from doing it at least once, and then the damage is done.
The "damage" is easily reversible, and as far as I know there has never been a serious incident like this for the kernel, and only a few rare ones for other projects.
For the coder, the risks outweigh whatever he could possibly hope to accomplish through such vandalism.
I also don't understand why people would think this would be more likely to happen in the FOSS world - in my mind, the risk of malicious code being loaded into your PC is *much* greater with closed-source software, especially from small projects. In fact, we can safely say that nearly all spyware and trojan horses are the product of a closed-source development environment.
You are probably right in saying there is a low probability of malicious code being inserted by distro packagers, but the probability of distro packagers producing a version of a package that has more bugs than the original may be quite a bit higher.
There's no reason this should happen: packaging a version doesn't mean changing the source code - in fact, 99% of the time the vanilla app is simply compiled and packaged using an automated packaging tool. The packagers don't touch the code at all, so again your fears are unfounded.
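The checksum-and-signature chain the second commenter describes (upstream artifact, distro patches, manifest, signature) is what lets a downstream user detect a modified, missing or smuggled-in file. The following is an added example, not code from either commenter or from any distribution's tooling. It assumes a SHA256SUMS-style manifest ("hexdigest  filename" per line) and uses an HMAC tag as a stand-in for the signer's asymmetric signature (real distributions use GPG or similar); the file names, contents and key are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large tarballs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root, names):
    """Build a SHA256SUMS-style manifest: '<hexdigest>  <name>' per line, sorted by name."""
    lines = [f"{sha256_file(os.path.join(root, n))}  {n}" for n in sorted(names)]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse the manifest strictly; a malformed line is an error, not something to skip silently."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower() if parts else ""
        if len(parts) != 2 or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[parts[1]] = digest
    return entries


def sign_manifest(key, manifest_text):
    # Stand-in for the distro's detached signature (assumption: a real signer uses GPG/Ed25519,
    # not a shared HMAC key). The point is that the manifest itself must be authenticated.
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()


def verify_manifest(key, manifest_text, tag):
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    return hmac.compare_digest(sign_manifest(key, manifest_text), tag)


def verify_tree(root, manifest_text):
    """Compare every listed file against its digest and flag anything the manifest never mentioned."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif sha256_file(path) != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    report["unlisted"] = sorted(set(os.listdir(root)) - set(expected))
    return report


def demo():
    """Constructed scenario: sign a clean tree, then show what each kind of tampering looks like."""
    key = b"constructed-demo-signing-key"  # constructed; stands in for the signer's private key
    with tempfile.TemporaryDirectory() as root:
        files = {"kernel.tar": b"vanilla upstream source", "fix.patch": b"--- a\n+++ b\n"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = write_manifest(root, files)
        tag = sign_manifest(key, manifest)
        clean = verify_tree(root, manifest)

        # Downstream changes that a verifier must catch: an altered patch, an extra file, a missing tarball.
        with open(os.path.join(root, "fix.patch"), "ab") as f:
            f.write(b"+unexpected line\n")
        with open(os.path.join(root, "extra.so"), "wb") as f:
            f.write(b"not in the manifest")
        os.remove(os.path.join(root, "kernel.tar"))
        tampered = verify_tree(root, manifest)

        # Editing the manifest to bless the extra file invalidates the signature over it.
        forged = manifest + f"{hashlib.sha256(b'not in the manifest').hexdigest()}  extra.so\n"
        return {
            "clean": clean,
            "tampered": tampered,
            "signature_ok": verify_manifest(key, manifest, tag),
            "forged_signature_ok": verify_manifest(key, forged, tag),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two checks are deliberately separate: the digest comparison answers "is this the file the manifest describes?", and the signature answers "is this the manifest the signer published?". Skipping the second lets anyone who can edit the manifest also edit the files it vouches for.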