Is the safety of Linux binary packages guaranteed?

Most Linux distros are "binary", i.e. users install binary, pre-built packages. But is it guaranteed that packages are built from as-is source packages?

How do you know distro's building process is intact? I can't find any statements on this point. It'd be extremely difficult for some third party, say organization, if such one ever exists, to check it, since it'd involve bootstrapping the whole environment.

teika kazura

Posted 2012-10-12T12:07:31.963

Reputation: 540

Question was closed 2012-10-12T14:00:50.913

With Linux you may always verify that the binary packages are built from the sources that are provided as well. If it looks complicated to you, that does not mean it is complicated for everyone else. If you like to build everything yourself, you can do it yourself. With Windows you have to believe without even a chance to verify. – Serge – 2012-10-12T12:22:02.540

@Serge: The problem is that you can't verify your first sentence, as you have no instance that inspects the distro developers doing so, and without sufficient details about their system you can't replicate the build process to compare; which I outlined (including patches) in my answer. For your last sentence, you can monitor the exterior of the box to see how it behaves; I've never seen Windows do the wrong thing, so there's well enough reason to trust and believe them. You can't actually do anything without trusting anyone, like... do you read all of the source code before bootstrapping LFS? – Tamara Wijsman – 2012-10-12T12:58:33.507

@TomWijsman I do not want to argue, as the source packages for the distros I have been using (not many, but RH, Fedora, Suse) all have all patches included. As for trusting black-box behavior - you can apply the same to Linux. But! With Windows you always have only one choice - to believe. With Linux you have the option to see for yourself if you have any doubts. I do not want to say that Linux is safer than Windows; I agree that you can't trust anyone to the full extent. I just don't like the idea that the people who package Debian, Ubuntu, etc., are less decent than Microsoft employees. – Serge – 2012-10-12T18:37:15.027

@Serge: There's no argument as my statement is simple: How can you be sure that the binaries were compiled using the source and patches? You need to actually replicate their build environment (same GCC version, libraries and so on) to be able to verify that... For the rest, I agree with you. :) – Tamara Wijsman – 2012-10-12T18:41:17.563

@TomWijsman You get the distro, install it, and build the source package supplied by the distro's vendor. The only thing that you can't do the same is the package digital signature. Both source and binary packages are distributed signed by the packager. This ensures that neither of them has been tampered with. Then it is up to you to believe that the people working at Redhat or Suse are honest ones or not to believe. And you can always verify whether they did their job properly. – Serge – 2012-10-12T18:49:38.587

@TomWijsman (after the build you just compare the binaries bit by bit) – Serge – 2012-10-12T18:52:38.253

@Serge: That won't work, because a different compiler version will impose different bits, different compiler settings (-O, -pipe, ...) will also result in different bits, the libraries that get statically linked will also result in different bits. If you don't have the exact same build environment, comparing bit by bit is useless... – Tamara Wijsman – 2012-10-12T20:00:25.687

@TomWijsman I did not mean that this is easy. But this is possible (contrary to Windows). OK, let's stop this discussion. You are right. I am not. – Serge – 2012-10-12T20:11:14.603

Answers

Most Linux distros are "binary", i.e. users install binary, pre-built packages.

Not necessarily, the user can choose in which way he progresses. You can turn an Ubuntu into a Gentoo and the other way around if you want, it's what you choose to do with it. It of course makes sense that one installs Ubuntu to use its package manager and proceed with the pre-built packages.

As for statistical numbers, I'm not sure whether "most" is the case but it's an irrelevant detail to your question as far as I can see.

But is it guaranteed that packages are built from as-is source packages? Put differently, how do you know distro's building process is intact? It'd be extremely difficult for some third party, say organization, if such one ever exists, to check it, since it'd involve bootstrapping the whole environment.

You will never have a guarantee unless there is someone to watch them build them and you trust the instance that would do so, but this is rarely going to be the case in an open-source world. Surely some distros "patch" user code to make it work on their distro and for their users without waiting for upstream to apply, or even first agree with, certain patches.

And exactly: unless they publish their configuration, the source code used and the patches, you can't replicate the exact same binaries. So even this way of checking would not be easy...

People often say that Linuces are safer than Microsoft Win, but I don't think so.

I would never call out such a thing, simply because you can't possibly know what is the case. One is simply comparing apples with pears here. Linux is open-source and has a ton of developers.

Try to subscribe to the LKML mailing list; that's pretty high volume, and that's just the kernel mailing list. Then there are even more mailing lists, one for laptops for instance. And besides a mailing list, you also have a Bugzilla that's also pretty high traffic. But you can also tell a lot already by the amount of code that changes over time in the kernel. And well, that's just the kernel.

On the other side, you have Windows, which is closed-source; this makes it harder to find security problems, as you'll have to reverse engineer from the outside. While a lot of documentation about the internals of Microsoft already exists (both by Microsoft itself, in a broad way; and by hackers, in a more detailed way), so people don't have to start from scratch, that still makes it hard enough to find issues. And once someone finds such an issue and the issue is shared with Microsoft (under disclosure) or makes its way to a more public place, they deal with it in a reasonable amount of time.

So yeah, these are really two different approaches, and you can't tell which one is really more secure. I mean, if I were to know a security issue in Linux, I can just see them pass by, and they are only patched by the point that they make it into every user's stable kernel (which also takes time). On Windows, they aren't so open and you'll have to look for it carefully or be lucky to find an unpatched exploit online; but once they are closed, Windows Update normally assures that they are patched everywhere, so I'd call this vulnerability window on Windows much smaller than the vulnerability window on Linux.

And ignoring this side of the story, you also have the fact that many more people use and target Windows; so whenever something security-related happens on Windows it makes the global news more, while on Linux it mostly stays on some news sites, the mailing lists and Bugzilla. I don't think that these kinds of volume differences make up for whether one product is more secure than the other. Both are written by people, both contain bugs, both get patched; the only difference is closed-source vs. open-source, which both bring their own world. I wouldn't compare both.

This is all pretty much open to debate, but I don't think this will ever lead to an objective conclusion.

If agents are to work as Microsoft engineers, they risk their body.

I don't think a human mistake at Microsoft has ever resulted in death.

They surely have enough measurements in place to avoid very bad things from happening.

But they don't have to meet anyone as a Linux distro developer. (The point is that it must be so easy to intrude into Linux. ...

You don't have to, but people might attempt to meet you if you screw up big time.

As for Linux kernel developers, be sure that your patch is reviewed a lot and it isn't simple to introduce a bug into the kernel.

... Forget Microsoft, which everyone knows is full of vulnerability.)

As vulnerable as Linux, until someone proves otherwise. The reason you might think it is more vulnerable is just because more people use and target it, so it makes the news more, as stated above. Linux's lower volume doesn't make you as aware of its vulnerabilities, but if you care to take a closer look they are present. They didn't invent a hardened kernel for nothing, and that probably still isn't completely safe either...

Believing that using another OS makes you more secure is a false sense of security.

There's no reason to believe that US or Communist China (or Mossad, Russia, etc) ignore Linux.

There's also no reason to believe that the US or Communist China solely use Linux.

This is pretty much out of context and subjectively loaded, which I will outright ignore...

I've been seeking to get away from Gentoo, a source-based distro, for years, but have miserably been failing.

We're always willing to help you on #gentoo at FreeNode, I'm TomWij there.

Been using Gentoo for a while now, absolutely love it....

(Though this question is not the main concern. I don't claim sources are free from backdoors, either.)

Exactly, and even when you patch most out of them you introduce others elsewhere; regression.

Tamara Wijsman

Posted 2012-10-12T12:07:31.963

Reputation: 54 163

As far as I know, repositories and packages are signed with keys to guarantee that those were not altered. Also, many distributions are using their own patches when compiling from source, e.g. if those patches are not integrated upstream. – Bobby – 2012-10-12T12:29:28.993

Sources of the packages are published on the distro's sites and the mainstream sites as well, always available for audit. If you are paranoid, create your own distribution and collect programs from source code from mainstream sites, i.e. kernel.org, kde.org, sourceforge.net. Use ideas from linuxfromscratch.org – jet – 2012-10-12T12:38:58.543

@Bobby: The OP is talking about the distro itself altering the source, not about someone altering the repositories or packages on their way; so your first sentence is irrelevant to this question. As for the second sentence, I've already mentioned that: Surely some distros "patch" user code to make it work on their distro and for their users without waiting for upstream to apply, or even first agree with, certain patches. Without statistical reference, you can't assume the word 'many' to be the case; but that detail is irrelevant here anyway. – Tamara Wijsman – 2012-10-12T12:51:26.387

@jet: I'm the wrong man to address this to, I'm a Gentoo user who does all that. – Tamara Wijsman – 2012-10-12T12:52:11.097

@Tom Thanks. Your comments to others exactly clarified what I asked. It's an important point, and serious intellectual efforts to improve the situation are desired (and they'll really deserve respect). But most didn't understand (wow!), and they closed this question. – teika kazura – 2012-10-14T06:59:14.117
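Added example, not part of the original thread or of any distro's tooling: the comment discussion above stops at "rebuild and compare bit by bit" and the objection that a different compiler version or different flags changes the bits. When a rebuilt package does not match the distributed binary, the useful check is per ELF section rather than per file, because that tells you whether the difference is in the code or only in build metadata. GCC writes its version string into a section named `.comment`, so two builds of identical code from different GCC versions differ there while `.text` stays identical, whereas a different `-O` level shows up in `.text` itself. The Python below parses the ELF64 section header table of two images, hashes each section and lists the ones that differ. Everything it compares is constructed inline so it runs offline: `build_elf` is a helper that packs test data into a minimal ELF image and is not a linker, the machine code is the stub for `int f(void) { return 42; }` in unoptimized and optimized form, and the `.comment` strings and version numbers are made up to imitate GCC's format. To use it on real files, pass `open(path, "rb").read()` of the distributed binary and of your rebuild to `compare_builds`.

```python
import hashlib
import struct

# ELF64 little-endian header layouts (see elf(5)).
ELF_HEADER = struct.Struct("<16sHHIQQQIHHHHHH")   # 64 bytes
SECTION_HEADER = struct.Struct("<IIQQQQIIQQ")      # 64 bytes
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8


def elf_sections(image):
    """Map section name -> raw bytes for an ELF64 little-endian file image."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = ELF_HEADER.unpack_from(image, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    headers = [SECTION_HEADER.unpack_from(image, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = image[str_off:str_off + str_size]
    sections = {}
    for sh in headers[1:]:                      # index 0 is the SHN_UNDEF placeholder
        name_off, sh_type, off, size = sh[0], sh[1], sh[4], sh[5]
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        # SHT_NOBITS (.bss) occupies no file bytes; everything else is sliced from the image.
        sections[name] = b"" if sh_type == SHT_NOBITS else image[off:off + size]
    return sections


def compare_builds(distributed, rebuilt):
    """Return the sorted names of sections whose SHA-256 differs between two images."""
    a, b = elf_sections(distributed), elf_sections(rebuilt)
    differing = []
    for name in sorted(set(a) | set(b)):
        if hashlib.sha256(a.get(name, b"")).digest() != hashlib.sha256(b.get(name, b"")).digest():
            differing.append(name)
    return differing


def build_elf(sections):
    """Constructed test data only: pack [(name, bytes)] into a minimal ELF64 relocatable image.
    This is not a linker; it exists so the comparison above has something to run on offline."""
    shstrtab, name_off = b"\0", {}
    for name, _ in sections + [(".shstrtab", b"")]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    all_sections = sections + [(".shstrtab", shstrtab)]
    body, offsets, cur = b"", [], ELF_HEADER.size
    for _, data in all_sections:
        offsets.append(cur)
        body += data
        cur += len(data)
    shnum = len(all_sections) + 1              # +1 for the null header at index 0
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, version 1
    header = ELF_HEADER.pack(ident, 1, 62, 1, 0, 0, cur, 0, ELF_HEADER.size,
                             0, 0, SECTION_HEADER.size, shnum, shnum - 1)  # ET_REL, EM_X86_64
    table = SECTION_HEADER.pack(*([0] * 10))
    for (name, data), off in zip(all_sections, offsets):
        sh_type = SHT_STRTAB if name == ".shstrtab" else SHT_PROGBITS
        table += SECTION_HEADER.pack(name_off[name], sh_type, 0, 0, off, len(data), 0, 0, 1, 0)
    return header + body + table


# Constructed sample inputs: x86-64 machine code for `int f(void) { return 42; }`
# as an unoptimized build (push rbp; mov rbp,rsp; mov eax,42; pop rbp; ret)
# and as an optimized one (mov eax,42; ret). The .comment strings imitate GCC's format.
TEXT_O0 = bytes.fromhex("554889e5b82a0000005dc3")
TEXT_O2 = bytes.fromhex("b82a000000c3")
DISTRIBUTED = build_elf([(".text", TEXT_O0), (".comment", b"GCC: (GNU) 4.7.2\0")])
REBUILT_SAME_TOOLCHAIN = build_elf([(".text", TEXT_O0), (".comment", b"GCC: (GNU) 4.7.2\0")])
REBUILT_OTHER_GCC = build_elf([(".text", TEXT_O0), (".comment", b"GCC: (GNU) 4.6.3\0")])
REBUILT_OTHER_FLAGS = build_elf([(".text", TEXT_O2), (".comment", b"GCC: (GNU) 4.7.2\0")])

if __name__ == "__main__":
    for label, rebuilt in [("same toolchain", REBUILT_SAME_TOOLCHAIN),
                           ("other GCC", REBUILT_OTHER_GCC),
                           ("other -O level", REBUILT_OTHER_FLAGS)]:
        whole = "identical" if rebuilt == DISTRIBUTED else "differs"
        print(f"{label:15s} whole file {whole:9s} differing sections: {compare_builds(DISTRIBUTED, rebuilt)}")
```

A whole-file hash mismatch is only the start of the check, not the conclusion of it: a rebuild whose only differing section is `.comment` tells you the code matched and the toolchain version did not, which is exactly the situation the comments describe, while a difference in `.text` means you have not reproduced the build (wrong flags, patches or library headers) and cannot yet say anything about the packager. Real packages add further sources of variation not modelled here, such as embedded build paths and timestamps, so expect to normalise or exclude more sections before the comparison is meaningful.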