1

When I ask someone about Linux, people always say it's really safe and this OS doesn't collect your data and these are not spy operating systems.

When I ask them "how?" they say, "because it's open source."

In wiki, open source means:

Open source is source code that is made freely available for possible modification and redistribution.

But if we can see and have access to the source code, who really checks that those are harmful or not? (I mean there may be a million lines of code)

Is there any other thing (despite being open-source) that can convince us that Linux is really safe?

schroeder
The Epic
  • 1
    I would say it is "as safe as it gets" because: You can check the code. Code submitted is reviewed for errors and harmful code would likely be detected. It is widely used and many system administrators have monitored the network traffic of their companies and have detected nothing wrong. There are some things distributions could/should do to improve it (signing all packages, try to use less third party binary drivers) but IMHO it is safer than regular closed-source operating systems. – bradbury9 Jul 09 '21 at 08:26
  • 1
    OpenSSL is open source too, and yet one of the most devastating security flaws - which some consider to be deliberately placed - "Heartbleed", went undetected for two years. – René Roth Jul 09 '21 at 11:18
  • Related: https://security.stackexchange.com/questions/4441/open-source-vs-closed-source-systems – mti2935 Jul 09 '21 at 11:36
  • 2
    Didn't Canonical get a lot of backlash a few years ago for sending searches in Ubuntu Desktop directly over AWS by default? – Nomad Jul 09 '21 at 12:44

4 Answers

8

Yes, for large open-source projects that hundreds of millions of people depend on, including governments, there are entire organisations that inspect the code. Over the years, there have also been automated tools that look for strange and undesirable behavior in the code.

It is still possible for undesired behavior to hide, but unlikely in a project as important as Linux. Smaller projects are not scrutinized in the same way, but there are more and more automated tools that one can use to look for undesired behavior.

In addition, people look for strange behavior in how Linux runs. Is it sending traffic that doesn't make sense, etc.? Since Linux is used by expert server admins, things like unexpected traffic in a running system can be quite noticeable because there is so much monitoring of a live server, for instance.

Aside from having "a million eyes" looking at it, both in code form and when it runs, there is no way to "prove a negative". You can prove that something does something. You can only be assured that there have not been instances that it has done something you don't want it to do, i.e. "I have yet to see something I don't like".

"Because it is open source" is not a very useful answer, as you already suspected. The better answer is "because it is not closed source". In a closed source system, like Windows, you have no option to know what it is doing. You can only make guesses about what is normal and what isn't. And you have no idea how a patch might change a system's behavior. With open source, you have the option to be able to know. It doesn't provide certainty, but an opportunity for understanding.

schroeder
3

It depends quite a bit on your definition of 'spying'. For example, the Ubuntu distribution as a default has "Yes send the systeminfo to Canonical", which means that Canonical collects information about your system (which you can turn off if you want to). A quote:

The data includes information about your PC’s hardware, including the manufacturer, BIOS version, and the model of your CPU. It also includes information about your software, such as the version of Ubuntu you installed, your chosen desktop environment, whether you’re using the Xorg or Wayland display server, and the options you chose while installing Ubuntu. Other information, such as your time zone, information about your partitions, and your display’s resolution is also sent.

According to Canonical’s Will Cooke, this data is designed to help Ubuntu learn how many users it has, what features they use, and what hardware they have, allowing Ubuntu’s developers to focus on what’s important. Ubuntu doesn’t keep the IP address associated with each report and has no way of tying it back to an individual PC.

If you use Gnome,

GNOME has its own set of spyware, for example geoclue2 tries to detect your geographical location and shares it with other software, iio-sensor-proxy gathers intelligence about your devices and hardware and shares that data with other software

The Gnome example illustrates that, although Linux may perhaps be spyware-free, other software may allow spying anyway. So be careful what you install.

If spying is being done, the data needs to be sent out to the spy. If you monitor your network traffic, you should not see any unexpected traffic. But you'll need to monitor that closely. And the data streams may be encrypted, so you would probably need a proxy or firewall that breaks open the SSL session (MITM proxies). There are people doing this, actually, and they have not raised concerns (yet).

On the other hand, there are (despite the lack of real evidence) concerns that the Deepin distribution actually contains spyware, just because it is made in China.

Ljm Dullaart
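The traffic-monitoring check described in the answer above, as an added example that is not part of the original answer: it parses lines in the layout of `ss -Htnp` and reports, per process, established connections to peers outside an allowlist. The sample lines, the process names and the allowlist are constructed assumptions; the check sees only destination and owning process, not the (possibly encrypted) content.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of `ss -Htnp` (no header, TCP, numeric, with process).
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 192.168.1.10:41822 198.51.100.7:443 users:(("firefox",pid=2101,fd=88))
ESTAB 0 0 192.168.1.10:52110 203.0.113.45:443 users:(("telemetry-agent",pid=913,fd=7))
ESTAB 0 0 127.0.0.1:5432 127.0.0.1:40112 users:(("postgres",pid=640,fd=9))
ESTAB 0 0 [2001:db8::10]:36544 [2001:db8:ffff::5]:8443 users:(("updater",pid=1500,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
"""

# Hypothetical allowlist: networks this host is expected to talk to.
EXPECTED_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("198.51.100.0/24", "192.168.1.0/24")]

# Captures the first process name in ss's users:(("name",pid=N,...)) column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=\d+')


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def unexpected_connections(ss_output, expected=EXPECTED_NETWORKS):
    """Return {process: sorted [(peer_ip, peer_port), ...]} for established
    connections whose peer is outside the allowlist. Loopback is ignored."""
    findings = defaultdict(set)
    for line in ss_output.splitlines():
        # Split at most 5 times so a process name with spaces stays in one field.
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # listening sockets and malformed lines are not connections
        peer_ip, peer_port = split_endpoint(fields[4])
        if peer_ip.is_loopback or any(peer_ip in net for net in expected):
            continue
        match = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        proc = match.group(1) if match else "unknown"
        findings[proc].add((str(peer_ip), peer_port))
    return {proc: sorted(peers) for proc, peers in findings.items()}


if __name__ == "__main__":
    for proc, peers in unexpected_connections(SAMPLE_SS_OUTPUT).items():
        print(proc, peers)
```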
0

But if we can see and have access to the source code, who really checks that those are harmful or not? (I mean there may be a million lines of code)

It's worth remembering that (in most cases) updates to the code are made one merge/pull request at a time, and open source projects should have a robust review process before merges are accepted. Of course this isn't always bulletproof, but remember that checks for harmful code don't need to be made across the entire code base in one go.

Gethin LW
0

Since Microsoft Windows is the elephant in the room, it is worth noting that they have a source code access program for governments. But indeed it is restricted, the mere mortals do not have access.

Having access to the source code is only part of the issue. Obviously, nobody has the time to scrub millions of lines of code, and some bugs/vulnerabilities can be very subtle.

So glaring vulnerabilities have long remained undiscovered in popular software such as OpenSSL (but have probably been noticed and exploited by intelligence agencies).

Most Linux users, even the experienced/paranoid ones, do not compile from source but install binaries available for their distro. Those should always be signed but that still does not rule out supply chain attacks. Plus, many packages are distributed not in their original form but as a fork or repackaged version (e.g. Firefox -> Iceweasel). So what you see (original code) may not be what you effectively get (compiled binary).

The decision to trust or distrust a program or OS depends a lot on the reputation of the provider. Unsurprisingly, industry actors with a poor history, a weak stance on privacy or cozy relationships with the government (or anti-competitive practices...) are viewed with suspicion.

Releasing the source code is the best affirmation that you have nothing to hide. At least you get the benefit of the doubt.

Kate