Security: Don't use PPAs or Debian? Huh?


    This originated with this video:
    https://www.youtube.com/watch?v=y_lhqg_p21k

    Notice he's disabled his comments. He so would have gotten rightfully flamed over his "proof" that Linux gets viruses. He used an anti-virus tool named Sophos to scan his Arch Linux PC and it found some malware. What he didn't tell his audience was that it found infected exe and DLL files. In other words, he found some Windows malware that would not run under Linux and was somehow on his PC. He also didn't show how it got there. It could not have run under Linux and therefore could not have replicated itself and moved freely around his hard drive or in his memory. What a crock. He must have just copied the infected files to his hard drive for the purpose of "proving" that Linux can get viruses.

    Note: I do know it's possible to get Linux malware in the form of a trojan horse if you're careless (and incredibly stupid). What I'm saying is this guy didn't prove that virus capable of replicating infected his Linux box.

    Now on to the main topic:
    Comments were disabled for the video, but people did discuss it on Reddit. A guy named Viccuad said:
    He has installed an application by downloading and installing it from a binary downloaded from a page. Well you dumbass, you just installed something you don't know anything about, and gave it the keys to your house. You don't gift strangers the keys to your house, so why would you do the same inside your computer? Lesson: stick with the official repos of your distro, or download code, review it and compile it on your machine. DO NOT download unknown applications from the internet, DO NOT use PPAs, DO NOT use Arch AUR, DO NOT use unofficial Debian repos (deb-multimedia, etc.). Not until Linux has proper sandboxing of apps as Android does have now. So you will need to wait at least a couple of years.
    These comments sound mostly sensible, but aren't you okay using PPAs when you know the source is one you can trust? Isn't it also okay with any Debian package that you know where it's coming from and can therefore trust, even if it's unofficial?
    Kubuntu 22.04 (desktop & laptop), Windows 7 & 2K (via VirtualBox on desktop PC)
    ================================

    #2
    A ppa is only as trustworthy as the person who uploads to it, basically. I would assume that launchpad has some way of scanning for some known Bad Things, but if I code something nasty into the Kmymoney packages in my PPA, how would anyone know? How do you determine what is trustworthy? At least the source code used to compile the software and build the package is present and accessible.

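    As an added example (not code from this thread, from Launchpad or from APT), here is a way to check the point above on your own machine: find out which installed packages actually come from a PPA or some other non-Ubuntu repository, so you know exactly whose uploads you are trusting. It parses the text that `apt-cache policy` prints; the sample output embedded below is constructed for illustration (the package versions and the PPA name are made up, the layout is the one apt uses), and the host lists that decide what counts as "official" are assumptions you should adjust for your mirror.

```python
"""Find installed packages that did not come from the official Ubuntu archive.

Added example for this thread (not code from the forum, Launchpad or APT):
parses the text printed by `apt-cache policy <pkg> ...` and lists, for every
installed package, which repository supplies the installed version, so that
PPA- and third-party-sourced packages can be pulled out for review.
"""
import re
from urllib.parse import urlparse

# Assumption: these hosts count as the official archive. Country mirrors such
# as us.archive.ubuntu.com are matched by suffix in describe() below.
OFFICIAL_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com", "ports.ubuntu.com"}
PPA_HOSTS = {"ppa.launchpad.net", "ppa.launchpadcontent.net"}

# Constructed sample of `apt-cache policy` output. Versions and the PPA are
# invented for illustration; the layout is the one apt prints.
SAMPLE_POLICY = """\
kmymoney:
  Installed: 5.1.3-1~ubuntu22.04~ppa1
  Candidate: 5.1.3-1~ubuntu22.04~ppa1
  Version table:
 *** 5.1.3-1~ubuntu22.04~ppa1 500
        500 https://ppa.launchpadcontent.net/kubuntu-ppa/backports/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
     5.1.2-1build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
bash:
  Installed: 5.1-6ubuntu1
  Candidate: 5.1-6ubuntu1
  Version table:
 *** 5.1-6ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
google-chrome-stable:
  Installed: 120.0.6099.109-1
  Candidate: 120.0.6099.109-1
  Version table:
 *** 120.0.6099.109-1 1001
       1001 https://dl.google.com/linux/chrome/deb stable/main amd64 Packages
        100 /var/lib/dpkg/status
hello-local:
  Installed: 1.0
  Candidate: 1.0
  Version table:
 *** 1.0 100
        100 /var/lib/dpkg/status
vlc:
  Installed: (none)
  Candidate: 3.0.16-1build7
  Version table:
     3.0.16-1build7 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
"""

# A version-table entry: optional "***" marker (the installed version), the
# version string, then the pin priority.
VERSION_LINE = re.compile(r"^(\*\*\*\s+)?(\S+)\s+(-?\d+)$")
# A source listed under an entry: priority, then a repository URL or local path.
SOURCE_LINE = re.compile(r"^(-?\d+)\s+(\S+)(?:\s+.*)?$")


def parse_policy(text):
    """Return {package: {"installed": version or None, "sources": [repo URLs]}}.

    Only the sources listed under the installed ("***") version are kept; the
    local /var/lib/dpkg/status entry is not a repository and is skipped.
    """
    packages = {}
    name = None
    under_installed = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            name = raw.rstrip()[:-1]          # unindented "pkg:" starts a package
            packages[name] = {"installed": None, "sources": []}
            under_installed = False
            continue
        if name is None:
            continue
        line = raw.strip()
        if line.startswith("Installed:"):
            version = line.split(":", 1)[1].strip()
            packages[name]["installed"] = None if version == "(none)" else version
            continue
        if line.startswith(("Candidate:", "Version table:")):
            continue
        entry = VERSION_LINE.match(line)
        if entry:
            under_installed = entry.group(1) is not None
            continue
        source = SOURCE_LINE.match(line)
        if source and under_installed and not source.group(2).startswith("/"):
            packages[name]["sources"].append(source.group(2))
    return packages


def describe(location):
    """Label one repository URL: 'ubuntu', 'ppa:<owner>/<name>' or 'third-party:<host>'."""
    parsed = urlparse(location)
    host = (parsed.hostname or "").lower()
    if host in PPA_HOSTS:
        return "ppa:" + "/".join(parsed.path.strip("/").split("/")[:2])
    if host in OFFICIAL_HOSTS or host.endswith(".archive.ubuntu.com"):
        return "ubuntu"
    return "third-party:" + host


def packages_to_review(policy):
    """Return {package: [labels]} for installed packages whose installed
    version is supplied by something other than the official archive."""
    review = {}
    for name, info in sorted(policy.items()):
        if info["installed"] is None:
            continue                                    # not installed
        labels = sorted({describe(src) for src in info["sources"]})
        if not labels:
            review[name] = ["no repository supplies the installed version"]
        elif labels != ["ubuntu"]:
            review[name] = [label for label in labels if label != "ubuntu"]
    return review


if __name__ == "__main__":
    for pkg, labels in packages_to_review(parse_policy(SAMPLE_POLICY)).items():
        print(f"{pkg}: {', '.join(labels)}")
```

    On a real system, feed it `apt-cache policy $(dpkg-query -W -f='${binary:Package}\n')` instead of the constructed sample. Packages with no repository at all (a hand-installed .deb, or a PPA that has since been removed from sources.list) are flagged too, because nothing will ever update them. For anything flagged from a PPA, `apt-get source <pkg>` (it needs a deb-src entry for that repository) fetches the exact source the PPA claims the binary was built from, which is the "source is present and accessible" point made above; whether you then read it is up to you.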


      #3
      Originally posted by claydoh View Post
      A ppa is only as trustworthy as the person who uploads to it...
      For sure. Watch out for this guy -> (attached file)

      Please Read Me



        #4
        Sorry Clay, I couldn't resist!




          #5
          I was waiting for that.



            #6
            I would have to agree with Clay. If you can't trust the person with the PPA then you can't trust their packages. At the very least you can look at the code and see what is happening behind the scenes.
            Mark Your Solved Issues [SOLVED]
            (top of thread: thread tools)



              #7
              Intentional security vulnerabilities are easy to code and difficult to spot, even for highly trained eyes. Tools can help: static analysis examines source code for typical vulnerabilities; dynamic analysis runs the binaries in a sandbox and exercises them with intentionally malformed inputs to find bugs. But neither of these approaches can find everything.

              The injunction against AUR is weird. Only source code is available; you download it and compile it locally. Presumably, a concerned person could examine the code (plus the build scripts!) before compiling. Perhaps the Reddit author meant to say the Arch community repository, which contains binaries adopted by Trusted Users.

              The Reddit author also seems unaware of Linux containers, seccomp (in the kernel since 2005), and SELinux.



                #8
                What I don't understand is why so many try so hard to prove this.



                  #9
                  Originally posted by MoonRise View Post
                  What I don't understand is why so many try so hard to prove this.
                  Schadenfreude, perhaps?



                    #10
                    Thanks for the word to look up!!
                    Haven't had one in a while. Yes, I guess Schadenfreude explains it!



                      #11
                      Wow, a word that means "harm-joy". A pity that the world needs a word to describe such a thing.

                      But leave it to Mr. Riley to find/discover it, or do you practice it? Bawwwhaha

                      VINNY
                      i7 4core HT 8MB L3 2.9GHz
                      16GB RAM
                      Nvidia GTX 860M 4GB RAM 1152 cuda cores



                        #12
                        Originally posted by vinnywright View Post
                        Wow, a word that means "harm-joy". A pity that the world needs a word to describe such a thing.
                        Given that it's a German word, are you surprised? LOL

                        Originally posted by vinnywright View Post
                        But leave it to Mr. Riley to find/discover it, or do you practice it? Bawwwhaha
                        I studied German in high school.



                          #13
                          Originally posted by vinnywright View Post
                          a pity that the world needs a word to describe such a thing.
                          Pity or not, I have heard it described as the sincerest form of joy



                            #14
                            Originally posted by SteveRiley View Post
                            Given that it's a German word, are you surprised? LOL


                            I studied German in high school.


                            Sorry, could not resist.

                            VINNY



                              #15
                              Originally posted by kubicle View Post
                              Pity or not, I have heard it described as the sincerest form of joy
                              Which is why I asked Steve if he practiced it; he is a very sincere, joyful person, or so it seems here.

                              VINNY
