Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
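Since the story turns on trojaned .deb files that looked like an ordinary screensaver and theme, here is an added example (not code from OSNews or from any of the commenters) of what a defender can check before installing a package obtained outside the distribution's repositories: unpack the .deb's `ar` container, list its maintainer scripts (preinst/postinst/prerm/postrm, which run as root at install time) and list every file it would write, flagging paths outside the prefixes a cosmetic package should touch. The sample package is constructed inline, including its `etc/cron.hourly/` entry, purely to exercise the check; it does not describe the actual malware from the story.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Prefixes a screensaver or theme package is expected to write to (assumption for this example).
EXPECTED_PREFIXES = ("usr/share/",)


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member of a traditional 'ar' archive (the outer format of a .deb)."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_bytes(entries: dict) -> bytes:
    """Build a gzip-compressed tar archive from {path: content} (used for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample: a 'screensaver' .deb with a postinst and a file outside /usr/share."""
    control = _tar_bytes({
        "./control": b"Package: example-screensaver\nVersion: 1.0\nArchitecture: all\n",
        "./postinst": b"#!/bin/sh\n# constructed placeholder maintainer script\nexit 0\n",
    })
    data = _tar_bytes({
        "./usr/share/applications/screensavers/example.desktop": b"[Desktop Entry]\n",
        "./etc/cron.hourly/example": b"#!/bin/sh\nexit 0\n",  # constructed, to trigger the path check
    })
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))


def parse_ar(blob: bytes) -> dict:
    """Return {member name: bytes} for an 'ar' archive; .deb files use this container."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode().rstrip(" /")  # strip padding and the GNU '/' terminator
        size = int(hdr[48:58].decode().strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)  # members are padded to an even offset
    return members


def _tar_files(tar_blob: bytes) -> dict:
    """Return {normalised path: content} for regular files in a (possibly compressed) tar."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_blob), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                name = member.name[2:] if member.name.startswith("./") else member.name.lstrip("/")
                out[name] = tar.extractfile(member).read()
    return out


def inspect_deb(blob: bytes, expected_prefixes=EXPECTED_PREFIXES) -> dict:
    """Summarise what installing this .deb would do, without installing it."""
    members = parse_ar(blob)
    control = _tar_files(next(members[n] for n in members if n.startswith("control.tar")))
    data = _tar_files(next(members[n] for n in members if n.startswith("data.tar")))
    fields = dict(line.split(": ", 1) for line in control["control"].decode().splitlines() if ": " in line)
    return {
        "package": fields.get("Package"),
        "version": fields.get("Version"),
        # Scripts that dpkg runs as root during install/remove: read these before trusting the package.
        "maintainer_scripts": sorted(n for n in control if n in MAINTAINER_SCRIPTS),
        "files": sorted(data),
        # Anything a theme or screensaver writes outside its expected prefixes deserves a second look.
        "unexpected_paths": sorted(p for p in data if not p.startswith(expected_prefixes)),
    }


if __name__ == "__main__":
    for key, value in inspect_deb(build_sample_deb()).items():
        print(f"{key}: {value}")
```

Run against a real file with `inspect_deb(open("pkg.deb", "rb").read())`; a non-empty `maintainer_scripts` list is normal for many legitimate packages, so the point is to read those scripts and the path list before installing, not to reject on sight. The check is a complement to, not a replacement for, the signed repository that the package manager verifies for you.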
Thread beginning with comment 400183
RE[3]: Bottom Line
by lemur2 on Thu 17th Dec 2009 22:31 UTC in reply to "RE[2]: Bottom Line"

"If anything, this incident just underlines the points: that one simply cannot trust downloading from websites, no matter how seemingly reputable; and that one should always use the package manager, and ONLY the package manager, to install applications and utilities for Linux systems.
In other words, if you had source code available for every Windows application you ran, and had eyes on that code that would package it for you, then Windows would probably be just as secure as Linux is. "

Possibly. The system with Linux relies on a bit more than just eyes on. It relies, for example, on the fact that one set of people, with a whole raft of different responsibilities, ties, and allegiances, write the code, as a collaboration, and that an entirely different set of groups of people package it in full and plain sight of what went into it.

Duplicate that on Windows distribution channels and you may then one day approach the same level of trustworthiness.

Unfortunately, telling people that the only way to secure their systems is not to run any app whose source code hasn't been reviewed by a committee is just not very practical for a lot of folks, because it severely limits the apps you would be allowed to run. Not everything that is useful to me out in the wild is open source. If that wasn't the case, then those of us who use proprietary software wouldn't have to take the risk of downloading binaries from 3rd party websites and running them.

Actually, you would be very surprised at what you can do, and what power is available to you, even if you limit yourself to run ONLY Free Software.

However, it should be admitted that there are some critical application areas that are simply not covered well enough by Free Software. OK, so here is an approach: limit yourself to just the one or two critical commercial professional applications, and do the rest with open source, on an open source OS.

For example, if you are a CAD professional:

... then run it on a secure Linux system (Kubuntu and openSUSE are recommended).

This way, you limit your exposure to getting a trojan to the installation of just those one or two critical-but-non-free commercial applications.

Score: 2