Linked by Thom Holwerda on Mon 11th Jul 2011 21:29 UTC, submitted by sawboss
Multimedia, AV This is a problem I hadn't yet heard of, so it fascinates me to no end. We all know VLC, right? It's one of the best video players out there, and while I myself generally just install the K-Lite Codec Pack, VLC is definitely a good alternative - and pretty much the norm on Linux. They're having a problem, though: malicious folk are bundling VLC with malware, offering it up for download as the official VLC, and misleading users in the process. Not only does this violate the GPL - it's pretty damn low, too.
Thread beginning with comment 480880
lemur2 Member since:
2007-02-17

frajo,

I understand why you say that: the point was indeed irrelevant. But for what it's worth, I did it to show lemur2 that his absolute truth statements aren't absolutely true. He cracked, so to that end I did what I intended, but it's a minor victory to be sure. Was it worth it? Will he learn to tone down his "mine is the only possible truth" arguments? It's really hard to say.

Funny thing is, I agree repos offer an exceptional combination of security and functionality.


Hint: I have retracted exactly nothing.

So, quote please, or it didn't happen.

I'm still waiting.

Reply Parent Score: 2

Alfman Member since:
2011-01-28

lemur2,

In summation:

You initially made numerous claims about being "guaranteed no malware" due to key signing and peer review, and that "trust is not necessary". Your later claims did indeed acknowledge the point that while injecting malware is technically possible, you equated it to murdering one's close family member (I'm reminded of Hans Reiser).

So you clearly understand that your initial statements were exaggerated. You can continue being a narcissist and keep denying it if you want, I have no expectation of curing that, but my hope is that you will learn to be more careful with absolute claims.

Edited 2011-07-14 18:49 UTC

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

lemur2, In summation: You initially made numerous claims about being "guaranteed no malware" due to key signing and peer review, and that "trust is not necessary".


Ah, so no quote.

What I actually said was that due to the collaboration of software development with independent open source developers from all over the world, one is guaranteed that there is no malware in the source code. On cross-platform projects such as VLC, this is just as true for the Windows version as it is for the versions for other platforms. What was needed from that point was a way to ensure that the source code (which is guaranteed malware free) produces the binary that is distributed. You will find no claim that this step is guaranteed.

Your later claims did indeed acknowledge the point that while injecting malware is technically possible, you equated it to murdering one's close family member (I'm reminded of Hans Reiser). So you clearly understand that your initial statements were exaggerated.


No, what I said there was perfectly consistent with my original statements. With the open source repositories, there are myriad reasons why the repository admins should do a good job translating the malware-free source code from the projects into signed source code and matching binaries for their distribution's repository. This is, in fact, their whole job, performance of which is what they are rated on. There is almost zero chance that they would get away with inserting malware into the signed binaries, and if they did, by that act of signing it they advertise to the whole world who put the malware into that binary. This is rather akin to a bank robber signing a withdrawal slip, with his real name in a provable fashion to boot! It would be an act of pure insanity for a repository admin to insert malware into the binaries. You yourself said that for an admin to do that was just too risky.

For this reason we do not need to rely on trust that the repository admins won't insert malware, since there are huge incentives for them not to and they are caught red-handed by the system once the malware is detected, as it is very likely to be (since the means to detect it is given to all recipients of the code, and it only takes one person to detect it). Although there is no absolute guarantee at this point of the process, as I noted several times (quote: "you cannot prove a negative"), we can nevertheless reasonably rely on the repository admins simply following their own best self-interest. We don't need to rely on trust alone.

Your problem was that you have no reading comprehension, you misunderstood, and you leapt to a false conclusion about what I had said.

Then you severely embarrassed yourself multiple times by trying to spout misplaced insults.

You can continue being a narcissist and keep denying it if you want, I have no expectation of curing that, but my hope is that you will learn to be more careful with absolute claims.


And you still persist.

Obvious troll is obvious.

Edited 2011-07-14 23:33 UTC

Reply Parent Score: 2