
Distro Country of origin - Does it bother you?

Discussion in 'Linux & Open Source' started by Ice Tea, Sep 21, 2018.

  1. Ice Tea

    Mobster

    Joined: Nov 1, 2004

    Posts: 2,770

    Not something I ever used to consider, but I have noticed a lot more users' comments around the web the last couple of years of negativity and mistrust towards the country of origin of a distro.
     
  2. El Pew

    Wise Guy

    Joined: Sep 1, 2009

    Posts: 1,029

    Yes. Supply chain attacks are a big thing now - if you are using any OS, software or library published in a potentially "hostile" nation, or even an open-source project with a significant amount of input from such a country, you have to do enough due diligence to be sure that you aren't introducing a backdoor into your environment.

    https://www.ncsc.gov.uk/guidance/example-supply-chain-attacks
     
  3. Ice Tea

    Mobster

    Joined: Nov 1, 2004

    Posts: 2,770

    Thanks for the link.

    Do you have a favourite mirror for your updates that you put more trust in?
     
  4. stopper

    Wise Guy

    Joined: Sep 17, 2010

    Posts: 1,762

    You can't talk about "hostile nations" in software then post a "helpful" link from one of the most hostile nations in the computing world. The UK (and USA) governments are notorious for embedding backdoors in closed source software.
    What matters is being fully open source. Because someone can and will always look over it and find anything that's not supposed to be there, and it will be made big news in the open source world.
     
  5. El Pew

    Wise Guy

    Joined: Sep 1, 2009

    Posts: 1,029

    Of course I can. Conduct of the US and UK notwithstanding, the advice that you should understand where your software has come from and who controls it is a basic tenet of security practice. Just because the US and UK may exploit that kind of thing for their own ends doesn't change that.

    This is frankly a load of ********. It's simply not true that someone "will always" look over open source code to check it; in fact, the reason we're in a security mess with a great many applications is precisely because these checks haven't been done. There are many more applications and libraries out there than there are people checking them over for vulnerabilities or malicious code injection.
     
  6. Ice Tea

    Mobster

    Joined: Nov 1, 2004

    Posts: 2,770

    I see there is a lot of concern about Deepin Linux potentially being government funded.