
Distro Country of origin - Does it bother you?

Discussion in 'Linux & Open Source' started by Ice Tea, Sep 21, 2018.

  1. Ice Tea

    Mobster

    Joined: Nov 1, 2004

    Posts: 2,801

    Not something I ever used to consider, but I have noticed a lot more users' comments around the web the last couple of years of negativity and mistrust towards the country of origin of a distro.
     
  2. El Pew

    Wise Guy

    Joined: Sep 1, 2009

    Posts: 1,034

    Yes. Supply chain attacks are a big thing now - if you are using any OS, software or library published in a potentially "hostile" nation, or even an open-source project with a significant amount of input from such a country, you have to do enough due diligence to be sure that you aren't introducing a backdoor into your environment.

    https://www.ncsc.gov.uk/guidance/example-supply-chain-attacks
     
  3. Ice Tea

    Mobster

    Joined: Nov 1, 2004

    Posts: 2,801

    Thanks for the link.

    Do you have a favourite mirror for your updates that you put more trust in?
     
  4. stopper

    Wise Guy

    Joined: Sep 17, 2010

    Posts: 1,765

    You can't talk about "hostile nations" in software then post a "helpful" link from one of the most hostile nations in the computing world. The UK (and USA) governments are notorious for embedding backdoors in closed source software.
    What matters is being fully open source. Because someone can and will always look over it and find anything that's not supposed to be there, and it will be made big news in the open source world.
     
  5. El Pew

    Wise Guy

    Joined: Sep 1, 2009

    Posts: 1,034

    Of course I can. Conduct of the US and UK notwithstanding, the advice that you should understand where your software has come from and who controls it is a basic tenet of security practice. Just because the US and UK may exploit that kind of thing for their own ends doesn't change that.

    This is frankly a load of ********. It's simply not true that someone "will always" look over open source code to check it; in fact, the reason we're in a security mess with a great many applications is precisely because these checks haven't been done. There are many more applications and libraries out there than there are people checking them over for vulnerabilities or malicious code injection.
     
  6. Ice Tea

    Mobster

    Joined: Nov 1, 2004

    Posts: 2,801

    I see there is a lot of concern about Deepin Linux potentially being Government funded.
     
  7. FatRakoon

    Sgarrista

    Joined: Oct 18, 2002

    Posts: 9,890

    Location: Behind you... Naked!

    You have completely misread what Stopper was saying. Quite unfairly I feel.

    He never said that the people who wrote the distro will look over it... He clearly stated that, being OPEN SOURCE, anyone in the entire world is fully able to check out the code, and should anything be there that is not wanted, no matter what it is, then they are fully able to expose the distro and its makers for including such software.

    I agree that the number of end users who will bother to read through all the code will be minuscule compared to the number of users that just use the software, but the fact still remains that the code is all there for anyone who wants to look through it.

    He never said anything about the programmers or the distributors looking at it.
     
  8. El Pew

    Wise Guy

    Joined: Sep 1, 2009

    Posts: 1,034

    No, I think it's you who misread what I said. I never made a distinction between internal project developers or external folks making these checks, and my assertion still stands - even for open source projects, with the entire OS world having visibility, the vast majority of software goes unchecked. For a few major, high-visibility projects then I'm sure there are, but for the majority - no way.
     
  9. FatRakoon

    Sgarrista

    Joined: Oct 18, 2002

    Posts: 9,890

    Location: Behind you... Naked!


    Ah OK, maybe I misread.
    For the vast majority of open source code, I will fully agree, that it all does go unchecked. However, the OP was asking about DISTROS, and not individual projects.

    So, I do disagree with you in that the code is never checked. Again, I'm not talking about all open source, but in the context of distros, and not individual projects, which is pretty much what the OP was asking, they are released, and other organisations / companies get hold of these distros and they themselves will look into that distro to look for anything, any code, to help them to improve their own distro.

    This way, these distros are in a way, self regulated.

    Many companies have coders who are there purely to examine other distros, certainly the bigger companies do. Apple and Microsoft hire hundreds of them, just to rip apart other code to find some good code that they can use, or even just for ideas, and there are a fair few Linux companies now who are doing the same. SuSE and RedHat are two that also have dozens of programmers and hackers who are employed purely for that purpose.

    Not just that, but globally, there are thousands of people all over the world ripping apart code, be it open or not, to get at anything that they can use, even if it's for rotten purposes, but if they found out something nasty, it will soon get leaked.

    Again, this also means that if a distro does have something unwanted, or downright nasty, they won't be able to hide it for long.
     
  10. El Pew

    Wise Guy

    Joined: Sep 1, 2009

    Posts: 1,034

    What the hell is a distro if not the Linux kernel with a bunch of curated libraries and applications joined to it? Your argument doesn't make sense, and it isn't borne out by experience either.

    Take OpenSSL, for example. It's included in a lot of (most? all?) distros and relied upon for a lot of crypto stuff. According to your argument it should have been checked over by a whole host of security experts. But Heartbleed was a bug within it that lay undiscovered for two years. Luckily it wasn't a 0-day but the downstream effects were massive.

    That's not to mention that open source means that attackers can submit code as well - there's been a huge increase in malicious code being introduced into open-source software simply by bad guys submitting it, and open-source teams failing to spot the issues.

    There is a reason why the software supply chain is a key security focus at the moment, and the vast majority of that is focussed on open-source.
     
  11. Rainmaker

    Sgarrista

    Joined: Aug 18, 2007

    Posts: 7,800

    Location: Liverpool

    I have to say I agree with you. Just because there could be eyes on the code, it unfortunately doesn't mean that there are. Heartbleed is but one example. As an Arch user (amongst other things), I've noticed more noises about malware being submitted to AUR lately.
     
  12. h4rm0ny

    Mobster

    Joined: Jun 25, 2011

    Posts: 3,798

    Location: Yorkshire and proud of it!

    Whether or not someone reviews a given piece of code, if it's Open Source that is a plus-point for guarding against State-level subversion. They might get something in there, but it has to be covert and look "accidental", like a certain encryption algorithm the NSA "assisted" RSA Security with. As opposed to Closed Source where you just have a line saying "If NSA == true { … }". Frankly, the "thousand eyes" argument some people use to say GNU/Linux must have fewer vulnerabilities than Windows is proven nonsense. But in this one regard (and it's an important regard for many), Open Source DOES have an advantage.

    As to the argument going on here, the information from the UK site can be both valid and hypocritical at the same time. You don't have to fight.