Distro Country of origin - Does it bother you?

Ice Tea · 21 Sep 2018 at 09:08

Not something i ever used to consider but i have noticed a lot more users comments around the web the last couple of years of negativity and mistrust towards the Country of origin of a Distro.

El Pew · 24 Sep 2018 at 09:23

Yes. Supply chain attacks are a big thing now - if you are using any OS, software or library published in a potentially "hostile" nation, or even an open-source project with a significant amount of input from such a country, you have to do enough due diligence to be sure that you aren't introducing a backdoor into your environment.

https://www.ncsc.gov.uk/guidance/example-supply-chain-attacks

Ice Tea · 24 Sep 2018 at 12:02

Thanks for the link.

Do you have a favourite mirror for your updates that you put more trust in?

stopper · 24 Sep 2018 at 16:06

You can't talk about "hostile nations" in software then post a "helpful" link from one of the most hostile nations in the computing world. The UK (and USA) governments are notorious for embedding backdoors in closed source software.
What matters is being fully open source. Because some one can and will always look over it and find any thing that's not supposed to be there, and it will be made big news in the open source world.

El Pew · 28 Sep 2018 at 14:48

stopper said:
You can't talk about "hostile nations" in software then post a "helpful" link from one of the most hostile nations in the computing world.

Of course I can. Conduct of the US and UK notwithstanding, the advice that you should understand where your software has come from and who controls it is a basic tenet of security practice. Just because the US and UK may exploit that kind of thing for their own ends doesn't change that.

stopper said:
What matters is being fully open source. Because some one can and will always look over it and find any thing that's not supposed to be there, and it will be made big news in the open source world.

This is frankly a load of ********. It's simply not true that someone "will always" look over open source code to check it, in fact the reason we're in a security mess with a great many applications is precisely because these checks haven't been done. There are many more applications and libraries out there than there are people checking them over for vulnerabilities or malicious code injection.

Ice Tea · 3 Oct 2018 at 08:47

Is see there is a lot of concern about Deepin Linux potentially being Government funded.

FatRakoon · 5 Nov 2018 at 01:50

El Pew said:
This is frankly a load of ********. It's simply not true that someone "will always" look over open source code to check it, in fact the reason we're in a security mess with a great many applications is precisely because these checks haven't been done. There are many more applications and libraries out there than there are people checking them over for vulnerabilities or malicious code injection.

You have completely miss-read what Stopper was saying. Quite unfairly I feel.

He NEver said about the people who wrote the distro will look over it... H clearly stated, that being OPEN SOURCE, anyone in the entire world is fully able to check out the code, and should anything be there, that is not wanted, no matter what it is, then they are fully able to expose the distro and its makers for including such software.

I agree, that the number of end users who will bother to read through all the code, will be minuscule compared to the number of users that just use the software, but the fact still remains, that the code is all there for anyoen who wants to, to look through it.

He never said anything about the programmers or the distributors looking at it.

El Pew · 5 Nov 2018 at 10:58

FatRakoon said:
You have completely miss-read what Stopper was saying. Quite unfairly I feel.

He NEver said about the people who wrote the distro will look over it... H clearly stated, that being OPEN SOURCE, anyone in the entire world is fully able to check out the code, and should anything be there, that is not wanted, no matter what it is, then they are fully able to expose the distro and its makers for including such software.

No I think it's you who misread what I said. I never made a distinction between internal project developers or external folks making these checks, and my assertion still stands - even for open source projects, with the entire OS world having visibility, the vast majority of software goes unchecked. For a few major, high-visibility projects then I'm sure there are, but for the majority - no way.

FatRakoon · 5 Nov 2018 at 13:21

El Pew said:
No I think it's you who misread what I said. I never made a distinction between internal project developers or external folks making these checks, and my assertion still stands - even for open source projects, with the entire OS world having visibility, the vast majority of software goes unchecked. For a few major, high-visibility projects then I'm sure there are, but for the majority - no way.

Ah ok, Maybe I misread.
For the vast majority of open source code, I will fully agree, that it all does go unchecked. However, the OP was asking about DISTROS, and not individual projects.

So,, I do disagree with you in that the code is never checked. Again, I'm not talking about all open source, but in the context of Distros, and not individual projects, which is pretty much what the OP was asking, they are released, and other organisations / companies get hold of these distros and they themselves will look into that distro to look for any thing, any code, to help them to improve their own distro.

This way, these distros are in a way, self regulated.

Many companies have coders, who are there purely to examine other distros, certainly the bigger companies do. Apple and Microsoft hire hundreds of them, just to rip apart other code to find some good code that they can use, or even just for ideas, and there are a fair few Linux companies now who are doing the same. SuSE and RedHat are two that also have dozens of programmers and hackers who are employed purely for that purpose .

Not just that, but globally, there are thousands of people all over the world ripping apart code, be it open or not, to get at anything that they can use, even if its for rotten purposes, but if they found out something nasty, it will soon get leaked.

Again, this also means that if a distro does have something unwanted, or downright nasty, they wont be able to hide it for long.

El Pew · 5 Nov 2018 at 13:35

FatRakoon said:
Ah ok, Maybe I misread.
Again, I'm not talking about all open source, but in the context of Distros, and not individual projects

What the hell is a distro if not the Linux kernel with a bunch of curated libraries and applications joined to it? Your argument doesn't make sense, and it isn't borne out by experience either.

Taken OpenSSL, for example. It's included in a lot of (most? all?) distros and relied upon for a lot of crypto stuff. According to your argument it should have been checked over by a whole host of security experts. But Heartbleed was a bug within it that lay undiscovered for two years. Luckily it wasn't a 0-day but the downstream effects were massive.

That's not to mention that open source means that attackers can submit code as well - there's been a huge increase in malicious code being introduced into open-source software simply by bad guys submitting it, and open-source teams failing to spot the issues.

There is a reason why the software supply chain is a key security focus at the moment, and the vast majority of that is focussed on open-source.

Rainmaker · 7 Nov 2018 at 23:30

El Pew said:
What the hell is a distro if not the Linux kernel with a bunch of curated libraries and applications joined to it? Your argument doesn't make sense, and it isn't borne out by experience either.

Taken OpenSSL, for example. It's included in a lot of (most? all?) distros and relied upon for a lot of crypto stuff. According to your argument it should have been checked over by a whole host of security experts. But Heartbleed was a bug within it that lay undiscovered for two years. Luckily it wasn't a 0-day but the downstream effects were massive.

That's not to mention that open source means that attackers can submit code as well - there's been a huge increase in malicious code being introduced into open-source software simply by bad guys submitting it, and open-source teams failing to spot the issues.

There is a reason why the software supply chain is a key security focus at the moment, and the vast majority of that is focussed on open-source.

I have to say I agree with you. Just because there could be eyes on the code, it unfortunately doesn't mean that there are. Heartbleed is but one example. As an Arch user (amongst other things), I've noticed more noises about malware being submitted to AUR lately.

h4rm0ny · 11 Nov 2018 at 09:11

Whether or not someone reviews a given piece of code, if it's Open Source that is a plus-point for guarding against State-level subversion. They might get something in there, but it has to be covert and look "accidental", like a certain encryption algorithm the NSA "assisted" RSA Security with. As opposed to Closed Source where you just have a line saying "If NSA == true { … }". Frankly, the "thousand eyes" argument some people use to say GNU/Linux must have fewer vulnerabilities than Windows is proven nonsense. But in this one regard (and it's an important regard for many), Open Source DOES have an advantage.

As to the argument going on here, the information from the UK site can be both valid and hypocritical at the same time. You don't have to fight.