
Regular users on linux shouldn't be downloading software through their web browser at all; that's a Windowsism. Regular users on linux should be using their package manager to install new software. Say what you want about Debian's volunteers, but they're a hell of a lot more trustworthy than the average windows software download website.



Shouldn't perhaps (with caveats, and therein lies the rub), but is there a reason to believe that they won't?

I'm torn on this. On the one hand, yes, a "regular" user should be using a distro that has a wide array of natively packaged software, and relying on that as much as possible. But not all software is distributed this way.

And many "regular" users will be coming from a Windows background, meaning they're not going to recognize the fact that the site they found when googling for "Install Spotify on Ubuntu" that tells them to open a command prompt and paste this command or download this .deb file is actually malicious.

In practice, they're susceptible to the same kinds of attacks they would be on Windows.


That blame still appropriately lies with maladaptive behaviors learned from Windows. The only way to completely stop users being susceptible to the "attack" of them phrasing their desires as web searches and then blindly following whatever malicious instructions come up is to fully remove administrator privileges and lock them out of "their" computers. But doing this at the level of the OS producer is utterly at odds with the foundation of a free and open society.

The incremental way to solve this problem is through various rules based around users engaging with details of the OS. One very simple one of these is "only install software through the system package manager". If users violate those rules, short of the above "solution", there is literally nothing that can be done to help them.


Yeah this conversation is borderline philosophical. What does "secure software" mean? As a software engineer I've always thought about secure software as software that does not have bugs that can be exploited by non-authorized users. Be it privilege execution, code injection, remote code execution etc.

As an end-user, I choose to use Linux because it does not stand between me and my computer. I am the master of the machine. I tell it what to do, and it obeys. That is the relationship I want to have with a piece of tangible property that I paid money for.

So if I do something unsafe, even through ignorance or naivety, I still see that as being my fault. Not the software's. In other words, the software was behaving as expected. There were no bugs. It did what the authorized user told it to do.

But I can see the point of view that secure software could also mean software that makes it difficult for the authorized user to do dangerous things. Especially in an organization setting where the user is not actually the owner of the machine, but is using company equipment and software.


> That blame still appropriately lies with maladaptive behaviors learned from Windows.

As a Linux nerd who started tinkering around 2001, I’m having a hard time with this framing. Being a Linux user around that era involved regularly compiling code that practically I couldn’t review. While the steps involved were different, the behaviors associated with installing software were not inherently more secure than windows at the time.

The main differences were: 1) I was more technically savvy and thus not as likely to install something obviously dangerous and 2) One just wasn’t very likely to run into a repo impacted by supply chain compromise or somesuch. Those same behaviors today are pretty risky in comparison, leading to threads like this one.

I’d argue that it’s less about windows being a source of maladaptive behavior, and more about windows attracting users who don’t know better than to behave the way they do. If those same low-tech users were somehow using Linux at the time, I don’t think they’d have learned anything more adaptive, and/or Linux would have been a much larger target, changing the threat landscape entirely.

But to go a step further, I guess the question that comes up for me is: why does it matter if it’s the fault of Windows? The typical “OS war” rhetoric never made much sense to me.

To me, the point of running Linux or really any desktop OS is to allow me to go beyond walled gardens.

My brother is a non-technical artist/creator type. If he relied only on the system package manager, he might as well use an iPad.

What you’re framing here as “violating rules” is really just “using the computer for its intended purpose”.

Following those rules may fix the security problem, in the same way that never leaving my apartment will probably protect me from most seasonal illnesses.

We need better ways to universally indicate trust in distributed software beyond system package managers.


> The main differences were: 1) I was more technically savvy and thus not as likely to install something obviously dangerous and 2) One just wasn’t very likely to run into a repo impacted by supply chain compromise or somesuch. Those same behaviors today are pretty risky in comparison, leading to threads like this one.

Yes, and I would add 3) there was no meaningful malware made for Linux back then, because it wasn't a target for malware authors. Otherwise you (and I!) would have been hit. I didn't understand half the stuff I installed on my Linux box back then, and many install instructions were positively arcane.

> To me, the point of running Linux or really any desktop OS is to allow me to go beyond walled gardens. My brother is a non-technical artist/creator type. If he relied only on the system package manager, he might as well use an iPad.

Fully agreed! Furthermore, anyone using Linux back then would have found your opinion entirely uncontroversial. The point of Linux back then was freedom to do whatever. Gardens -- even non-walled gardens -- were not the point.


Sure, if you turned the 90's/2000's herd of Windows users loose on Linux, you'd likely run into many of the same issues. But still modulo needed software being available in a package manager or at least with a higher barrier to entry of developing substantive source code, rather than needing to use sketchy warez or "legitimate" download sites that added in less-severe malware.

But the real condemnation of Windows isn't just an "OS war", but rather the fight is about the virtue of understanding the software in front of you. This is critical to security - not in the small (the idea that an individual can audit every line of code they run is a fallacious straw man), but rather on the large scale. Having published source code allows the building of a distributed consensus that something can be trusted, not beholden to the existing power structure, whereas without that you're stuck trusting the word of a single company and/or their auditors.

Like today we see malware continually being bundled with proprietary software, so often that it's considered banal and just how things are (eg web surveillance). Yet in Libre land when something like this happens it's still seen as an exceptional occurrence that needs to be stomped down hard. That directly follows from the underlying attitudes of unilateral "trust us" versus community consensus.

> We need better ways to universally indicate trust in distributed software beyond system package managers.

I'd love to hear you expound on this. The only two solutions I can see are trusting and sandboxing. Sandboxing and capability security was a radical pie in the sky idea two decades ago, but now we've got two extremely popular implementations - web javascript and Android. So it feels a lot less like a lofty perfect solution, despite the current failings (both of those implementations have shirked being secure against many types of attacks!).

Is there some third way, especially that isn't just a combination of the two basic existing approaches? I'd love to hear one!


What about things that are not in their package manager, like most games?

"Only download through this walled garden [Steam, GOG Galaxy, etc]"? So walled gardens are the answer?


Gardens are the solution, but people shouldn't be locked into any garden against their will. Users should be free to choose the garden they prefer any time they wish, or to start their own garden and invite others to visit it.

I choose the F-droid garden and the OpenSUSE garden. Other people may prefer other gardens, and they should be free to choose the ones they prefer as I am free to choose mine.

When people criticize walled gardens, it's because the wall is like the Berlin Wall; a wall designed to keep people in against their will.


> When people criticize walled gardens, it's because the wall is like the Berlin Wall; a wall designed to keep people in against their will.

Fair enough. You are right there.

But in essence, it's not that Linux is "safer" than Windows against malware. It's that it's a nerdier culture with different practices that don't translate well to the mainstream. Like user kbenson above who suggested "reviewing the installer"... I hope we all agree that's ridiculous, right?


That is not what I said, there was a conditional on that sentence. The real point I was making was the last paragraph of what I posted. Don't use that method if you care about security, it's never, ever been the sole option in any case I've seen which wasn't meant to be nefarious (at a minimum, there should be directions to manually do step by step what the script automates).

That everyone jumped on the "review what you run" part because they weren't paying attention to what I actually said and it looked similar to other arguments when this comes up I think has less to do with what I said and more to do with people wanting to argue that discussion yet again.

The bottom line is that Linux is no different than Windows in this respect (look at the Deno install directions if you want to see the powershell equivalent of curl piped to bash), and this is more a matter of the developer communities being okay with this method, and promoting it regardless of OS. In that respect, saying "Linux security best practices of curl | bash" was just inflammatory and wrong, and deserved to be called out as such. It's not only a Linux thing, it's not anything like a best practice (it's a convenience method provided that trades away security), and as such the statement is just plain wrong.


Ok, I'll readily admit I misunderstood that part of your comment then. I stand corrected.

So let me rephrase what I think is the key point here:

Linux is only "safer" than Windows because it has fewer users and they tend to be more technically minded.

However, were Linux to somehow become as mainstream a desktop OS as Windows, two things would happen:

- The userbase would become less technically minded and security aware. I don't want to call them "stupid", however; they likely know other stuff instead. I can't drive a car for example, am I stupid?

- It would become a juicier target for malware creators, and therefore malware would be as widespread as in Windows-land.

There's nothing magical in Linux that would protect a large and careless enough userbase.


I would say Linux and Windows are likely roughly equivalent in almost all safety concerns for regular users (if we normalize for how good a target they are which makes Windows get targeted more in absolute terms, and ignore technical merits of the kernel and secure access/ACL systems, which I think aren't really what this discussion is about).

There might be a slight edge in Linux in that the main way of getting software, the base OS repos and package manager, are about as trustworthy as you can get if you trust the OS to run in the first place, and generally they are packaging and shipping a lot more software that they've vetted, and built themselves and verified with the system than Windows does, which allows the regular user to not lower that trust as much.

Windows is getting closer, in that they have their store now and you can even use winget to install things from it, but those things aren't packaged by MS (even if they might be vetted to some degree), so it's not quite the same. In some aspects it's better and in some worse, actually (there's a benefit to the OS maintainers tracking and building stuff themselves).

Beyond the main OS software, it gets into trust relationships and quickly becomes the exact same regardless of OS, as long as you're allowed to install arbitrary software. This is as opposed to a walled garden, which is explicitly trading away convenience (of one type) and choice for security (and uniformity, but that's not a given), in the same way but the opposite direction as curl piping a script to bash which is trading away security for convenience. I wrote elsewhere in this thread (multiple times, to various degrees) how the trust relationship to the source is the real question, and not really different in the desktop OS cases (in case I wasn't clear and you want more words on it to clarify my opinion).

> There's nothing magical in Linux that would protect a large and careless enough userbase.

Nope, there isn't, just as there isn't in Windows or Mac OS (yet, but they're both heading that direction to some degree with their stores).


Yes, gardens are one answer, and likely the best one currently, for non-webapps. Distro package repositories themselves are the original gardens. People tend to give them a pass because having good incentives have kept them decently honest, but distro package repositories are fundamentally gardens.

Gardens allow you to make a small number of trust decisions, and then trust all the software they have vetted by extension.

Note that I'm leaving out "walled" because multiple software sources can coexist. "Walled" only comes about when some company tries to constrain you to their singular source.


If someone gives you a guarantee of safety, you get to blame them when things go wrong. If you demand to strike out on your own, you have no one to blame but yourself. And you should honestly be proud of taking the risk; it's literally the only reason to use all this proud, evocative language about being trapped and needing to be free.

You want to be cutting edge, but not get cut.


Wait. Linux users "strike on their own" all the time!

Who here is a Linux user and never downloaded stuff outside the repo, or compiled sources and run them without reviewing every security loophole? Linux users are the most "demand-ey" of users, even starting flamewars over being forced to do things this way or that way!

I'm really skeptical that this wouldn't introduce malware if malware authors deemed Linux a worthy target.


Just gardens. Package repositories are just that, you can pick whatever you want.

Games are a bit of a special case as they don't exactly play nice with Linux and many of them are also run thru emulation like Proton.


But that's it. Games and games downloaded from dubious sources are one of the primary infection vectors. It doesn't happen enough in Linux because there aren't enough Linux users to make it a worthwhile target for malware authors!


For this and other reasons (including compatibility issues), when I want to download a game, I will prefer a version for DOS, NES/Famicom, Game Boy Advance, etc, instead of native code on Linux or Windows. (I also prefer FOSS when available, especially for native code; I will not run any non-FOSS program on my computer that is not running as native code.) (And, in some cases, the game might follow rules that I can just reimplement myself instead. For some types of puzzle games, it is relatively easy to reimplement it in Free Hero Mesh, so I am glad I wrote that program. Other times, other reimplementations can be written.)


<citation needed>

Most people don't go on random torrent sites to get their games.

And most people that do also don't get infected because usually the top rated torrent is just fine. I pirated a lot as a dumb kid without income and haven't managed to catch anything at least.


> That blame still appropriately lies with maladaptive behaviors learned from Windows. The only way to completely stop users being susceptible to the "attack" of them phrasing their desires as web searches and then blindly following whatever malicious instructions come up is to fully remove administrator privileges and lock them out of "their" computers.

And making it a class at school. We have universal education in most places, we can use it for something useful. There's no reason that we have to capitulate to corporations and their moats. We can teach children how the devices that surround them and order them around work, and how to deal with the predators that they'll encounter while interacting with them.


The way of solving it would be streamlining adding new repositories for the 3rd party stuff.

Way too often it's "download some dumbass script running some half-assed autodetection just to add a line of text to config and a GPG key."


I would argue that to make a distro that has a wide array of natively packaged up-to-date software in a world of significant (let's say 25% and above) desktop linux use, then it would be necessary to discard the level of curation that serves the security that such distros currently uphold.

That is to say, if desktop linux use became significant enough to challenge windows and macos, then either the distros will lag out of date packages, not cover widely requested packages, or not have security through curation. Any of these will likely inherently lead to users downloading packages to install manually.

I say this as someone that has been running desktop linux on and off since 1992; and I wholeheartedly believe that there's no inherent reason linux desktop use cannot be popular.


It's easy: Windows insecurities are the fault of Windows. Similar Linux insecurities are the fault of Linux users.

That's a general theme in OS wars, Windows users are eager to criticize Windows, while Linux and macOS users are eager to defend their OS.


In the specific case of running something blind with curl | bash instead of using a package manager or using something that maintains a degree of isolation (flatpak, docker containers, ...), yes it's the fault of users.

I don't criticize Windows when a user installed malware and clicked on "Yes" when prompted to allow the app to make changes to the computer; in the same way, I don't criticize linux distros for allowing users to install something by piping a curl directly into bash without checking. I appreciate not having an OS that's a walled garden unlike what happens with phones, but that does put some responsibilities on users.

For a real world example, if someone gets an STD from having unprotected sex without a condom, the blame lies on them for doing so.


Package manager is less safe than curl|bash, they do the same thing, but package manager does it with root privilege, while curl|bash can run in user context.


> Package manager is less safe than curl|bash, they do the same thing

This is so far from true, I wish this misconception didn't exist.

First, a package in a distro repo is maintained by known people, the package maintainers. Some do an exceptional job, some put in less effort, but at the very least there is some oversight on what gets into an official distro package. And there is an audit trail of who approved what and when.

Distro packages are signed and verified by the tooling, so inserting a malicious package is much more difficult.

Distro packages are also versioned and prior versions remain available, so if there is an issue we can trace who/when/why it was introduced and when it was fixed.

None of these protections exist when you just curl some random executable off some third-party website and hope for the best.

Realize that the website might return a different executable every time. Even if you & I curl it within seconds, we might be served different content. It might return malware in a tiny percentage of cases to avoid detection. It may return code without any versioning, or code that claims a constant version even though the content changes. It is impossible to have reproducible installs when you just retrieve something via curl without any validation or versioning.

(You could, of course, curl it to a file and then compute a hash on the file, assign it a version number, store and look up known hash/versions and so on... but now you're down the path of building an ad hoc package manager to resolve the problems with curl|bash. So... might as well use the mature package manager your distro already has because it already solved these problems.)

> while curl|bash can run in user context

No, it runs as whatever user you run it as. You can find plenty of websites saying their installer needs to be run as root.
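
Added example, not code from any commenter in this thread: the "curl to a file, hash it, look the hash up against a recorded version, and only then run it" flow that the comment above sketches as the ad hoc alternative to curl|bash, written as a small POSIX shell library. The installer names, the URL and the hash table are constructed for the demo; the curl options are real ones.

```shell
#!/bin/sh
# Added example: pin-and-verify flow for a downloaded installer script.
# Not from any commenter; installer names, URL and hash values are constructed.
set -eu

# Portable SHA-256 of a file: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed "lock table": installer name -> SHA-256 recorded when that version
# was first reviewed. Anything not listed here is never allowed to run.
PINNED_HASHES='
installer-1.0.sh e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
installer-1.1.sh 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
'

# Print the pinned hash for an installer name; exit status 1 if it is unknown.
lookup_pinned() {
    printf '%s\n' "$PINNED_HASHES" |
        awk -v name="$1" '$1 == name { print $2; found = 1 } END { exit !found }'
}

# Compare a downloaded file against an expected hash. 0 = match, 1 = mismatch.
# On mismatch the file is left on disk for inspection but nothing is executed.
verify_pinned() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'REFUSING to run %s\n  expected sha256: %s\n  actual sha256:   %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# Download to a file (never straight into a shell), verify, and only then run.
# The saved file is also what you keep for later review or a repeatable re-install.
# $1 = URL, $2 = installer name from the lock table, $3 = local path to save to.
fetch_verify_run() {
    expected=$(lookup_pinned "$2") || {
        printf 'no pinned hash for %s; review and record it first\n' "$2" >&2
        return 1
    }
    curl -fsSL --proto '=https' --tlsv1.2 --max-time 60 -o "$3" "$1"
    verify_pinned "$3" "$expected" || return 1
    sh "$3"
}

# Usage (constructed URL):
#   fetch_verify_run https://example.invalid/installer-1.1.sh installer-1.1.sh ./installer.sh
```

The point the comment makes still stands: once you are maintaining a lock table like this, you have rebuilt a crude package manager, and the distro's one already does this plus signature checks.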


Package manager != distro repo.


That only makes sense if you don't understand all the things package managers generally do or why curl|bash is as bad as it is, and specifically why it's even worse than 'curl > file.sh; . file.sh'

- Package managers generally sign their packages, and provide ways to prove the integrity of the downloaded packages, so even if someone hijacks your DNS or exploits the box you're downloading your packages from and injects a malicious one, it will be rejected on your side. Yum/dnf do this with GPG, for example.

- Package managers usually track what was done and what files were put where, so there's an easy way to see what was installed and clean it up (which may also be automated). This isn't perfect, as the packages can run scripts as part of install usually, but it is helpful.

- Packages from package managers are vetted by the team that puts them out, and depending on the system built by that same team. For stores, often it's just vetted in some way and the submitter builds it, but package systems are almost always vouching for the packages you get. In the case of the OS package manager, you obviously trust them if you're running the OS, otherwise this discussion has no meaning.

- Whether things are installed as root or as a user (commonly. You can curl|bash as root too, and many instructions prefix it with sudo...), but I think it's usually more important how trusted the sources are. The OS packagers, a well trusted group or company with something to lose, etc is more likely to have put systems into place to ensure safety (and protect themselves from problems if they are hacked). See above. Regardless of whether they're run as root or not, I think they're somewhat safer and more trustworthy, but this is a personal choice, since it's largely based on your own trust of the sources and the systems used in the chain of getting the software to you.

Ultimately, it's less an OS issue and more an issue of what the individual is comfortable with, which spans operating systems. People do stuff just as unsafe as curl|bash on windows all the time too.


>Package managers generally sign their packages

At least on ubuntu and centos I had no problem installing unsigned packages, no warnings, nothing, it's allowed by design. Try it yourself.

>Packages from package managers are vetted by the team that puts them out

It's called distro repo, package managers don't contain packages.

>In the case of the OS package manager, you obviously trust them if you're running the OS, otherwise this discussion has no meaning.

This has nothing to do with security, you can trust your system to run malware correctly too, just like any system does it.


> At least on ubuntu and centos I had no problem installing unsigned packages, no warnings, nothing, it's allowed by design. Try it yourself.

Manually, through yum localinstall or by referencing a local RPM or a manual rpm command, or an unsigned package in the remote repos? I've seen repos configured with signing keys have problems and the install command fails, so I assume you're referring to manually.

I think what you're seeing is that the package manager utilities (yum/dnf/apt/whatever) are all capable of verification, but are also happy to install things without verification in many cases. But if the RPM you downloaded is signed and RPM has had signatures loaded into it and there's a mismatch between what the rpm utility knows about and what the RPM you're installing is signed with, rpm will complain very loudly and fail (I have had to add --nosignature to rpm commands in some cases and import keys into rpm in others).

In addition to at the RPM level, the repos themselves often indicate a gpg key that packages are signed with, which the system package maintainers, which is what I was somewhat ambiguously referring to in my prior comment as package managers (in which I meant the managers of the system packages), will sign all packages they publish with so the integrity of updates and additional software they provide can be confirmed.

Given that, I'm not sure how you can maintain that the package management utils on systems do the same thing as piping arbitrary internet content to a bash prompt. I think you were just possibly a bit mistaken about what the package management utilities are really doing and enforcing with their signatures.

> It's called distro repo, package managers don't contain packages.

It's called the packages the OS provides. It's called many things. My terminology was somewhat ambiguous.

> This has nothing to do with security, you can trust your system to run malware correctly too, just like any system does it.

Sure it does. If you trust your system to run malware from the OS providers, then you don't have to care what other software you're downloading and running, you've already set your trust level of the system to "none".

If you do trust the OS provider (whether that be a Linux distro, MS for Windows or Apple for Mac OS) to not be malicious (and please, let's forestall any digression into privacy, we're talking about malicious intent not allowed by EULAs), then you should trust the other software they provide that's verifiably from them.


I disagree, with the package manager you know that it's been vetted by the distribution maintainer, they ensure that when you install something through the package manager the package comes from them and they ensure the binaries do not change. The package maintainers will also remove packages that have major security issues and the package manager will track the apps installed and automatically update them if there's a security fix.

Curl | Bash usually runs in user context (although I've seen curl | sudo bash in the wild) but there's also concerns of vetting who wrote the instructions, if they actually point to the app or a modified version of the app containing malware, etc...


It's called distro repo, package managers don't contain packages and can be used to install packages from any source. Some version sensitive programs are distributed as packages, because distro repo moves slowly.


> Regular users on linux shouldn't be downloading software through their web browser at all; that's a Windowsism.

I strongly disagree. "Only download from here; if it doesn't have what you want, tough luck".

Also, this seems like an argument in favor of a walled garden. If so, I suppose that would fix Windows.


> "Only download from here; if it doesn't have what you want, though luck".

It's not that doing otherwise is prohibited. It's that doing otherwise should get your hackles up.

Which is why it isn't this:

> this seems like an argument in favor of a walled garden.

There are no walls. It's just a garden. But you have to understand that if you leave the garden, you're on your own.

For software developers and IT professionals, that's fine. They have a professional knowledge of the reputation of the source or know how to read the code, or how to set up a virtual machine if they want to try it but don't trust it. And if an ordinary user who is rightly wary of doing that still wants to get the latest AI thing from github, they call up their friend the software developer or their company's IT department or pay a computer repair shop they trust to set it up for them.

But that should be rare, because anything which is both popular and safe should promptly get added to the package manager.


Agreed, not a "walled" garden but a garden. Essentially an app store.

So essentially if Windows had this, problem fixed?

Or put another way, if most users came to Linux and started downloading crap from everywhere, there would be incentive for malware authors to write it for Linux, bringing it to the current situation with Windows?


> So essentially if Windows had this, problem fixed?

The problem is that the nature of Windows isn't to have this. Linux package managers are run by the community. They basically include anything popular that meets the licensing requirements to allow them to redistribute it. Windows instead has a "store" that wants to extract a vig, but because most of the software people use on Windows is commercial, the vendors then avoid the store to avoid the vig and the default is to install things from random websites.

And even if they fixed that, people are used to doing it the other way, vendors have already spent the time to set up alternate distribution infrastructure and they don't trust Microsoft not to reverse course once a critical mass of things are using their system and they can increase the friction to installing things from outside of it and then turn the screws on anything inside it.

To make it work there you would need the distribution system to be run by multiple independent third parties so they'd have to compete with each other to keep distribution margins low. There probably is a market for a third party "store" for Windows that pays the 3% to the credit cards and then distributes the apps via P2P so they can charge no more than 5% to app developers, which the app developers might then actually use because they don't have to build their own system for payments and updates. But the stores want to charge 30% and then the developers don't want to use the stores.


> The problem is that the nature of Windows isn't to have this.

Interestingly, they're getting a version of it. The winget command line package manager that windows ships with now has two sources, the MS store, and the winget community repo. The community repo is something anyone can submit to and it goes through some vetting process[1].

  PS C:\> winget search perl
  Name             Id                            Version                Match          Source
  --------------------------------------------------------------------------------------------
  Perl Formatter   9MSQVFZPRG3Z                  Unknown                               msstore
  Strawberry Perl  StrawberryPerl.StrawberryPerl 5.32.1001              Tag: perl      winget
  MAMP & MAMP PRO  MAMP.MAMP                     4.2.0                  Tag: perl      winget
  EditPlus         ES-Computing.EditPlus         5.6                    Tag: perl      winget
  XAMPP 8.1        ApacheFriends.Xampp.8.1       8.1.12-0               Tag: perl      winget
  XAMPP 8.2        ApacheFriends.Xampp.8.2       8.2.4                  Tag: perl      winget
  Sharperlight 5.4 PhilightPtyLtd.Sharperlight   5.4.60                                winget
  Wtils            Perlt.Wtils                   v1.0                                  winget
  Paperlib         FutureScholars.Paperlib       2.2.3                                 winget
  Teambition       Alibaba.Teambition            2.0.3                  Tag: paperless winget
  DingTalk         Alibaba.DingTalk              7.0.30-Release.6019103 Tag: paperless winget

It's not quite the same though, as there are different considerations when using a repository of things a unified group has decided should be included and built (or slightly modified existing) packages for and a repo where anyone can submit a package that will go through some level of vetting. In the end I still believe most of this discussion is really about individuals and how much trust they apply towards different groups and sources and is not really about Linux or Windows in particular as much.

1: https://github.com/microsoft/winget-pkgs


The problem on Windows isn't exactly the lack of apt-get. It's the general problem of not making paid software distribution sufficiently fungible. Which is a cross-platform problem but manifests most on Windows because that's the platform where people use the most third party commercial software.

The Linux community "solves" this problem by directing commercial software vendors to the door and implementing anything they want as open source. But having something that works for this would help even there, for the cases where that hasn't worked, like AAA games.

Ironically the best way to solve this for proprietary software would be an open system. Have someone create a software distribution framework that uses open source code and federated P2P for distribution with pluggable payment processors. Make it an interoperable standard.

The idea is that it's a distribution system with no central distributor, a payments system which is independent of a payment processor. The vendor chooses which payment processors they want to accept (which might just be all of them), then the user chooses which ones they want to pay with, and if the vendor gets into a dispute with a payment processor their users automatically get diverted to a different one. If they get tired of their hosting provider they move to another one without the users ever noticing.

But then you need someone to develop it when its very purpose is to make sure nobody can extract high rents.

A coalition of mid-sized developers might be wise to pool their resources. Or, for that matter, get in with a bigger pool, because this is a problem that exists for subscription services and small businesses in general.


> But then you need someone to develop it when its very purpose is to make sure nobody can extract high rents.

It doesn't address a very important aspect of this which is trust, and that's most of the point of this discussion. People use repos usually because there's some level of trust in the repo maintainers. If anyone can push anything, then it's a liability to have that repo configured. If it requires careful vetting, then that costs money, and requires a central authority, which means it doesn't really matter whether it's P2P or not (except to lower cost), as it's centrally managed anyway.

Theoretically I could see a system like that in place where the "network" is all open and P2P and you just subscribe to sets of packages that have been "signed" by an authority you trust, but I'm not sure that the P2P portion is really all that useful then.

The whole reason the default repos in a Linux distro are things people feel safe running whatever they find in is because they know a group of people they trust has vetted it. If you're running Debian/Ubuntu/RHEL/Rocky/Windows/MacOS you've already trusted the maintainers of their default repos/etc by the nature of running their OS in the first place. People also often choose to trust large companies (Adobe, VMware, Google for Chrome in some cases) and/or well known groups/projects (Apache, ffmpeg, etc) when they distribute software separately, even if downloaded manually. Finally, people make ad-hoc choices about random less well known sites and people, and that's where random Windows executables or Linux binaries, or installer scripts that are downloaded and run or piped to bash from curl, happen.

All those levels of trust and those parties exist for every OS. Even Linux has its fair share of third party downloaded applications people use, depending on what they use their system for. Some communities of people (e.g. developers) are much more comfortable with ad-hoc installation methods like curl|bash than others, and that's across OS boundaries. That's really what I meant way upthread when I said this isn't a Linux problem, it's a people problem.


Windows does have this, of course, so the question is, have security issues with Windows decreased in line with the rise of users using the Windows Store to acquire packages, or is there just as much malware on the store?

(Genuine questions, I don't know the data, or even if the data exists outside of MS)


These are dishonest arguments.

1) Download random shit from the internet at your own risk. If you're given a vast supply of safe software, and you choose not to use it, remember that you're a grown up and you should do what you like.

2) Nobody is objecting to walled gardens with no walls. Almost nobody, I should say; I've seen people tell Apple users that the fact that they are happy with the app store makes them bad in some way, but those people are shitheads. The reason to attack Apple is on behalf of their users, not some perverse brand nationalism.

If an Apple user can install whatever they want, and end their relationship with the Apple corporation at any time, that's winning. If the vast majority of Apple users decide that they value whatever contract (implicit or explicit) that Apple has made with them, and enjoy the relationship and the stewardship of the app store, that's a choice they're making as free people. And under the pressure of free people, the app store would have to improve anyway. I certainly have affection for what Debian does (and for everybody who wrote the software packaged in Debian.) Why shouldn't they feel that for Apple?


I misspoke, it's indeed a "garden", not a walled garden.

Linux users often rail against Apple's gardens, so it'd be dishonest to pretend otherwise. I should know! I've been a Linux user for 20 years now.

> If you're given a vast supply of safe software, and you choose not to use it, remember that you're a grown up and you should do what you like.

But lots of software in Linux isn't available in any repos. For example, games and stuff a typical mainstream user would expect. So Linux couldn't be turned into a "safe" mainstream OS unless it adopted a more diverse "app store", like macOS.

But this could very well be done by Windows, so it's not that one OS is "safe" or "safer" than the other. It's essentially a popularity thing.

> Download random shit from the internet at your own risk

And here we have it! Linux users "download random shit at their own risk" because they are not mainstream users; their needs are served by their distro's repo because their needs are different. If Linux was a mainstream OS, with the kinds of users that come with it, it would either have to turn into macOS or Windows. Either draconian measures (a single store where you can buy everything), or no measures at all (== malware).

Expecting people to "review the installer" is ridiculous.


Regular users on linux shouldn't be downloading software through their web-browser at all.

They should be adding a repository trusted with keys but so far UI/UX for it is horrible for regular users. Still better than... whatever the fuck windows is doing tho.


> Also, this seems like an argument in favor of a walled garden.

It is always entertaining to see HN's commentariat both rail against walled gardens by (for example) Apple or Android that are aimed at making life easier for regular people, while advocating them for Linux.


I think it's pretty common these days to have people git clone a repo and then build it. Not everything is on a package manager, and I see fewer new things on aptitude. At best, they're available as modules in npm or pip to be installed globally.


I just said ‘git clone’ to my wife and she slapped me in the face. I’m sorry but for the aforementioned regular users this is nowhere near common.


Agreed about `git clone`, but installing things from the web is one of the expected usages of any system. For regular users. Lots of indie and non-commercial (and even commercial) stuff to download this way.

In Linux, .sh installers are common. GOG games get distributed this way. If your wife still metaphorically slaps you when you mention .sh installers, it's only because she doesn't play games on Linux. She wouldn't know how to use apt either.

I think in the end the truth is that Windows is more targeted by malware because it's more widespread than Linux.


Yeah but I think it's unfair to compare average linux users to average windows users. They're not the same kind of users. Most (desktop) linux users are software engineers


This is giving me flashbacks to my consulting days. The IT people were all forced to call it “JitLabs” and “JitHub” because HR considered git to be offensive.


God forbid you edit images, they'd have had a heart attack...


Are you british? God forbid you used mongoDB


I would guess most of those are tools aimed at developers, who can take that risk if they wish. For most users, almost anything they want is either in official repos, or in Flatpaks, which offer some sandboxing (although I guess a malicious Flatpak could just ask for excessive permissions, like a random apk)


Developers are less common than regular users, but still they are among the "common" users of operating systems, so that use case must be handled. Malware on Windows also gets distributed in tools supposedly for developers, after all.


That is nonsense. On various distributions, packages are just packed stuff from the vendor site.

Package manager has little to do with security, unless you count hash checking as one. It's about automation.

Besides, Windows has had multiple good package managers since a long time ago.

BTW, to demonstrate the invalidness of the argument, you don't have to look further than the nvm package manager...
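For what the "hash checking" in the comment above actually consists of, and why it only carries weight once the repository's index is signed by a key the user chose to trust (the "repository trusted with keys" point made earlier in the thread), here is the apt chain Release -> Packages -> .deb worked through in Python. This is an added example, not code from the thread or from apt itself; the .deb bytes and both index files are constructed inline, and the InRelease signature check that roots the whole chain is assumed to have already passed.

```python
"""Walk the apt integrity chain: signed Release -> Packages index -> .deb."""
import hashlib

# Constructed sample archive (not a real .deb) and the two index files that
# describe it. In a real repo, RELEASE would be the body of a signed InRelease
# file; verifying that signature is the step this example assumes has passed.
DEB_NAME = "hello_1.0_amd64.deb"
DEB_PATH = f"pool/main/h/hello/{DEB_NAME}"
DEB_BYTES = b"!<arch>\nconstructed-deb-payload\n"
INDEX_PATH = "main/binary-amd64/Packages"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A Packages index records, per package, the file name, size and SHA256.
PACKAGES = (
    "Package: hello\nVersion: 1.0\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\nSHA256: {sha256(DEB_BYTES)}\n\n"
).encode()

# The Release file records the SHA256 and size of every index file it covers.
RELEASE = (
    "Suite: stable\nCodename: bookworm\nSHA256:\n"
    f" {sha256(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"
)


def parse_release_sha256(release: str) -> dict:
    """Return {index_path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other top-level field ends the section
    return entries


def parse_packages(packages: bytes) -> dict:
    """Return {Filename: fields} for each stanza of a Packages index."""
    result = {}
    for stanza in packages.decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        result[fields["Filename"]] = fields
    return result


def index_is_trusted(release: str, index_path: str, index_bytes: bytes) -> bool:
    """Step 1: the Packages file must match the digest in the (signed) Release."""
    digest, size = parse_release_sha256(release).get(index_path, (None, -1))
    return len(index_bytes) == size and sha256(index_bytes) == digest


def deb_is_trusted(packages: bytes, filename: str, deb_bytes: bytes) -> bool:
    """Step 2: the .deb must match the size and digest recorded in that index."""
    fields = parse_packages(packages).get(filename)
    if fields is None:
        return False
    return len(deb_bytes) == int(fields["Size"]) and sha256(deb_bytes) == fields["SHA256"]


def verify_chain(release, index_path, packages, filename, deb_bytes) -> bool:
    """Both links must hold; a mirror can alter neither file undetected."""
    return index_is_trusted(release, index_path, packages) and deb_is_trusted(
        packages, filename, deb_bytes
    )
```

Every check here collapses to the one question the thread keeps circling back to: whose signing key you accepted when you added the repository, since that key is the only thing that makes the Release digests worth comparing against.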


> That is nonsense. On various distributions, packages are just packed stuff from the vendor site.

If it's actually from the vendor that's already an improvement over the typical Windows experience.


Regular users on Linux shouldn’t run commercial software?


Is commercial software incapable of being packaged?


No, but packaging a software package for every Linux distro that exists is unfeasible. Not that I care though, I don't run commercial software. But, you know, devil's advocate and all that. Still, I completely understand why someone might be frustrated by the way software is usually installed in Linux if they were, say, a game developer.


99% of software packed for Debian will just work with any of the derivatives. No idea what it looks like on the RPM side, but as long as your distro is new enough, 3rd party software packaged for Ubuntu usually works on Debian and 3rd party software packaged for Debian near-always works on derivatives.


Yes, packaging a software package for every Linux distro _is_ unfeasible, but have you ever used Linux? There are snaps, flatpaks, and AppImages, which can all run in any distro, and are generally more secure than "native" packages (for lack of a better word).


> Snaps

A technology superseded by Flatpaks, yet pushed incessantly by Canonical, a befuddling move that I still don't quite understand. Rough to use in any other distro.

> AppImages

Speaking from experience, these don't run on every distro. So they fail to fulfill their intended purpose. As far as I'm concerned, that makes distributing software as AppImages a no-go.

> Flatpak

Better than any of the technologies previously quoted, but it is not without its own issues. The chances of a Flatpak working on any particular distro are acceptably high, but they still suffer from the same problem AppImages do. I've had an instance where an app refused to run on OpenSUSE, even though it was working completely fine on Fedora (I was using Flathub's repo on both distros, I wasn't using Fedora's, just to clarify). I think it was Firefox, though I'm not 100% on that.

Still, I'm yet to see commercial software being distributed as a Flatpak. My guess is that it's all more of a hassle than it is worth. Which, I guess you could say that about packaging commercial software for Linux in general. So, we're back to square one with the chicken and the egg problem that Linux suffers from. Though nowadays it's less severe what with the existence of SteamOS and all of that, so at least there is a substantial marketshare, small as it is.

EDIT: fixed vertical spacing.


How do you define "commercial software"? Spotify, Zoom, Steam, Discord, Postman, IDEA Ultimate, and lots of other end-user software that is built by companies and where people pay for things (i.e. commercial software?) is available through Flathub.

Most commercial software in general can be downloaded as a free demo version and then activated with a license key or account, and that model works really well with Flatpak and even Flathub.


> packaging a software package for every Linux distro that exists is unfeasible.

For every Linux distro, sure, but it is feasible to create an apt repo and a Yum repo, and don't those cover the vast majority of distros by usage?


Incapable of being packaged? Usually not. Incapable of being included in a distro’s repositories? Usually, yes.


Commercial software vendors can provide the source and build procedure.


How can you vet the source and build procedure?

Assuming this is a commercial vendor not available through your package manager, and that you must go to the website, pay and get a download link (with source in this scenario), how is this fundamentally different to a Windows user paying for and downloading something bundled with malware?

Were Linux to go mainstream, it'd be unrealistic to ask users to vet the source code! Who has the time and expertise? You fundamentally rely on others to tell you it's safe. On Linux it's a safe bet, since malware authors are less interested in targeting it.


>Regular users on linux should be using their package manager to install new software.

Unfortunately not at all feasible for a small dev releasing software on Linux. The choice is either to support 15 different package managers yourself (including QA!) or just hope that the community gets it right.

I eventually refused to support any user who didn't download the AppImage directly from my GitHub page because the distro-specific versions would frequently break.


Aside from Chromebook and Android, there aren't enough Linux users for this to mean much. I'd venture that "regular" Linux users aren't "regular" in the manner that you describe -- we build, and that's why we're on Linux. We "regulars" download software that moves faster than maintainers can keep up, because that's necessary for the things we're building.


>Say what you want about Debian's volunteers, but they're a hell of a lot more trustworthy than the average windows software download website.

Really? Software developers, who distribute through their websites, have an economic incentive to not give users malware. I'm not sure the same applies to Debian's volunteers. I don't even know who these volunteers are.


The average Windows user does a web search for software and very often finds not the first-party website operated by the developer, but instead websites like sourceforge, cnet, softpedia, etc. Downloading sketchy freeware from third parties is Windows culture. This culture is encouraged by Microsoft not vetting and packaging free software themselves like Linux distros do.


I don't know where you've gotten the idea that Windows will just run whatever software you provide it without saying anything. Executables must be signed with a trusted CA. You can get this trust by buying a CA and waiting for reputation to build (which means any malware you produce can be tracked back to your business), submitting the software to Microsoft for malware analysis, or waiting a very long time for reputation to build[0].

If your executable doesn't have trust, a scary warning pops up (or Windows blocks the app from running) and tells the user "Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk." This seems about as effective as having a bunch of random people vetting packages for a Linux distro.

[0]: https://stackoverflow.com/questions/48946680/how-to-avoid-th...


Sure, if by "scary warning" you mean the click through nags that Windows pops up early and often (sometimes multiple times for a single action) and that have trained generations to ignore software warnings and dialogs in general.

I honestly just installed my first non-throwaway Windows VM in a long while, and I was appalled how the state of the art in Windows "security" is still stuck where it was a decade ago.


Not only that, but for a while, a lot of Windows developers had links to sketchy mirrors right on their own web pages! They've normalized sending users to sites with names like DonkeyMirror.ru to download their official ZIP files.


> Downloading sketchy freeware from third parties is Windows culture

No, it's "computer illiterate" culture. Windows has a few package managers available these days (including a first party one). Developers on Windows install things the same way that Linux users do, though not usually building the software along the way (though I often have to use cmake with Visual Studio).


> I don't even know who these volunteers are.

They're probably on here, reading your comments, or reading LWN.

You have more chance of reaching a DD and reading their work than you do of reaching a commercial software author.


And how is a user supposed to know that the company is a trustworthy company just selling their software and not a scam?

A single Debian volunteer would have to do quite a bit of work to get into a position of being able to just push malware into the repo; and if they did, it lands in Debian unstable/testing, so there is also a pretty good chance it would be noticed.


> Really? Software developers, who distribute through their websites

Yeah, then some company installer-hijacks your software and SEOs your site. Case in point, VLC (for Windows of course)


> Software developers, who distribute through their websites, have an economic incentive to not give users malware

You're putting way too much faith in the efficient market fallacy. In reality, proprietary software companies are incentivized to distribute malware to increase their own control and their bottom line. Prominent examples being BonziBuddy, Sony Rootkit, Denuvo, all the crapware that comes bundled with Android/Windows, web ads, web surveillance, etc. Like every other day there is a new HN topic about how some company violated the trust they had built and screwed over users.


<violent head shake, spilled drink>

Excuse me, what?

Downloading via web browser was the original means (besides ftp) of getting anything. Hell tarball distribution was how everyone used to move bits around.

Package maintainers are not Linux. Never will be, never have been. Linux may start with a distro or live CD, but from there it's you arranging things in a way that best works for you.

Or are you going to try to sell me on the fact that Linux From Scratch, which is basically pushing you to wget source tarballs, is peak windowsism?

If anything, distribution package managers are more of a windowsism than anything else. About the most I tend to allow myself is to use the apt-ified form of software install after I've torn apart an sbopkg build from source. Even on windows I've gotten to the point I've started dumping symbol tables from binaries, for all the cold comfort and reminder that the world is a capitalist hellhole that offers nothing but clients of servers looking to charge you rent anymore.

How do you ever expect to learn how your computer works and how to drive it if you don't read?


Yeah, I'm nodding in agreement with you.

I'm surprised by some of the answers I'm getting -- and I'm both a Linux fan and an almost exclusive user for the past 20 years. Yet I don't delude myself about the ton of crap I download in order to get things to be the way I want. Sometimes it's Steam, sometimes it's GOG, sometimes it's the official repo, sometimes it's a PPA, sometimes it's just random stuff on the web.

And yes -- downloading stuff from the web is how it's supposed to be used. Have people really changed so much that this is now frowned upon?

In any case, I still think we're "safe" because malware authors don't think it's worth their time to target Linux.


> Regular users on linux shouldn't be downloading software through their web-broswer at all; that's a Windowsism

have you ever met a regular user?


> Regular users on linux shouldn't be downloading software through their web-broswer at all; that's a Windowsism.

Sure, downloading executables and running them in a UAC-protected environment is a Windowsism. The Linux way is to copy commands from a random web page and run them as root. Of course all the commands on how-to sites in search results are trustworthy!

