Hacker News
by pciexpgpu 1020 days ago
I wonder how legit some of the most popular download sites are: e.g. ffmpeg Windows binaries [1] are hosted on some random person's site. Sure, you can check the checksum etc., but that still doesn't guarantee any relationship with a specific git commit.

I would just assume that non-gh or official hosted downloads (where reproducible/attested builds are available) are just state actors by default. Am I paranoid? How do Linux/Mac package managers solve this?

[1] https://ffmpeg.org/download.html

7 comments

Even binaries hosted on an official website can be hacked, if they hack the website and change the checksums. It happened to Linux Mint.

https://www.trendmicro.com/vinfo/fr/security/news/cybercrime....

This is why signing binaries is important.
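The difference between "the checksum matches" and "the publisher signed this" is the whole point of the comment above. The following Go program is an added example written for this thread, not code from Linux Mint, FFmpeg or any project mentioned here; it uses Ed25519 from the Go standard library, constructed byte strings as stand-ins for binaries, and a freshly generated key pair as the "pinned" publisher key. It replays the website-compromise case: the attacker who controls the server swaps the binary and regenerates the checksum file, so the checksum still verifies, while a signature checked against a key obtained out of band does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download page publishes: the artifact, a SHA-256
// digest served next to it, and (if the publisher signs) an Ed25519
// signature over the artifact. Names and layout are this example's own.
type Release struct {
	Artifact  []byte
	SHA256Hex string
	Signature []byte
}

// Publish hashes the artifact and signs it with the given private key.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	sum := sha256.Sum256(artifact)
	return Release{
		Artifact:  artifact,
		SHA256Hex: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, artifact),
	}
}

// VerifyChecksum is what "check the checksum" buys you: the bytes match the
// digest that was served alongside them. If both came from the same
// compromised server, this proves nothing about who built the artifact.
func VerifyChecksum(r Release) bool {
	sum := sha256.Sum256(r.Artifact)
	return hex.EncodeToString(sum[:]) == r.SHA256Hex
}

// VerifySignature checks the artifact against a public key the verifier
// obtained out of band (pinned in a package manager, printed in the docs,
// fetched before the incident), not from the download page itself.
func VerifySignature(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Artifact, r.Signature)
}

// Scenario replays the website-compromise case: the publisher ships a
// genuine release, then an attacker who controls the web server replaces
// the binary and regenerates the checksum (and, having no publisher key,
// signs with their own). It reports which checks pass for each release.
// Payloads are constructed stand-ins for real binaries.
func Scenario() (genuineChecksum, genuineSig, tamperedChecksum, tamperedSig bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := Publish(priv, []byte("ffmpeg.exe (constructed genuine build)"))
	tampered := Publish(attackerPriv, []byte("ffmpeg.exe (constructed backdoored build)"))

	return VerifyChecksum(genuine), VerifySignature(pub, genuine),
		VerifyChecksum(tampered), VerifySignature(pub, tampered)
}

func main() {
	gc, gs, tc, ts := Scenario()
	fmt.Printf("genuine:  checksum=%v signature=%v\n", gc, gs)
	fmt.Printf("tampered: checksum=%v signature=%v\n", tc, ts)
}
```

The tampered release passes the checksum check and fails the signature check. Note what the signature does and does not give you: it ties the bytes to whoever holds the key, not to a particular git commit; closing that second gap is what reproducible builds are for, and a signature is only as good as the channel you got the public key through.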
Why trust Github? The GetSymbol tool has 215 stars there. Looks perfectly legit unless you check the issues.

https://github.com/dbgsymbol/getsymbol

You don't trust Github to not host any malware, and you don't trust Github to not have malicious users.

You trust Github to have reasonably good security, and to not maliciously meddle with user content, so that if you see a repository under github.com/neovim, and you additionally trust the user called neovim, then you can reasonably trust that any repositories under github.com/neovim don't contain malware.

Even when you trust the repo owner, you can't trust their projects. A bad actor could still submit a PR with malicious code and it could be merged just by negligence.
> ffmpeg windows binaries [1] are hosted from some random person’s site

The same thing happens with mpv: https://mpv.io/installation/

The Windows download is provided by "shinchiro" on SourceForge.

The MacOS download is provided by "stolendata", on stolendata.net

Wait until you find out that useful programs like MPV are not developed by giant corporations but by individuals or small teams. You trust something hosted on mpv.io made by the MPV maintainer but freak out when that maintainer delegates release builds for some platforms to someone else he is comfortable linking to. MPV probably also uses many libraries developed by other individuals. A society built on trust is a GOOD thing.
"How do Linux/Mac package managers solve this?"

By building their binaries from source and hosting them on their servers?

Wouldn't help if the source code already has the backdoor in there though. Most people would just download and build a tool off GitHub if it has 200 stars and does what they need.
Github stars are also complete bullshit that can be gamed itself.
It's extremely hard to sneak backdoors in open-source code.

Which is one of the reasons why a lot of people promote that openness.

It's extremely easy to sneak backdoors in open-source code that contains automatic update functionality.
Into a popular repository yes, but into a small tool like that it would most likely be very possible.
Small tool = less code to read through.

If you want to use that suspicious tool, you should at least take a glance at the source code.

In an ideal world that would be the case, but people barely read the README or documentation.
>> By building their binaries from source and hosting them on their servers

> Wouldn't help if the source code already has the backdoor in there though

I'm not sure if you're aware but random tools don't just spawn in official package repositories overnight.

There's a vetting process, for both new packages and new maintainers. Also in established distros, packages don't get accepted to official repositories unless it's a critical and highly demanded one.

So yeah, any software can have vulnerabilities, regardless of OS. But stray tools and dubious actors are pretty much a solved problem in Linux distros. The situation on Windows is laughable in comparison. No need to spread FUD.

The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?
This is a good thing to consider when picking Linux distros. Who are the maintainers, is maintenance done in the open, do they enforce reproducible builds, how is the review process done, what are the requirements for maintainers/packages/releases?

You also have the option of building from source yourself. Some package managers and distros (Gentoo, NixOS, Guix) do this for you.

This is BTW the main reason I wouldn't use derivative distros for anything serious.

Debian's generally trusted in the community; their slow pace comes from risk-aversion.

> The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?

Pretty much, packaging is not a brainless process. One of the efforts that specifically targets this is the Reproducible Builds project [0], along with many other security measures set by each distro.

There are also usually multiple testing and updates rolling stages.

The best evidence of how effective these measures are is their actual reputation and record on the ground.

[0] https://reproducible-builds.org/

Package managers are not the only way to get software. People build software off GitHub all the time.
> Package managers are not the only way to get software. People build software off GitHub all the time.

The question asked by parent comment was:

"How do Linux/Mac package managers solve this?"

Reproducible Builds is the search term/buzzword for this area. It is still in its infancy.
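Both the comment citing the Reproducible Builds project above and the one calling it a buzzword leave implicit what the technique actually requires, so here is an added example, written for this thread rather than taken from reproducible-builds.org or any distro's tooling. It packs a constructed three-file "source tree" into a tar archive twice, once the naive way and once with the environment-dependent fields normalized, and compares digests. The BuildEnv type, the Sources map and the SOURCE_DATE_EPOCH value are this example's own constructions; the only real convention used is that mtimes are clamped to a fixed epoch, which is what SOURCE_DATE_EPOCH does in real build systems.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Sources is a constructed stand-in for a tiny source tree (name -> bytes).
var Sources = map[string][]byte{
	"bin/tool":     []byte("#!/bin/sh\necho hello\n"),
	"lib/helper":   []byte("helper payload\n"),
	"share/README": []byte("example tool\n"),
}

// BuildEnv captures what differs between two otherwise identical build
// machines and silently leaks into an archive: wall clock, builder uid,
// and the order in which the filesystem returned directory entries.
type BuildEnv struct {
	Now   time.Time
	UID   int
	Order []string
}

// writeTar packs the named files in the given order with the given
// timestamp and ownership. Both builders below share it; only the inputs
// they feed it differ.
func writeTar(src map[string][]byte, names []string, mtime time.Time, uid int) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range names {
		hdr := &tar.Header{
			Typeflag: tar.TypeReg,
			Name:     name,
			Mode:     0o644,
			Size:     int64(len(src[name])),
			ModTime:  mtime,
			Uid:      uid,
			Gid:      uid,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(src[name]); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// NaiveBuild packs the tree the way a typical release script does, letting
// timestamps, ownership and ordering come from whatever machine ran it.
func NaiveBuild(src map[string][]byte, env BuildEnv) []byte {
	return writeTar(src, env.Order, env.Now, env.UID)
}

// ReproducibleBuild deliberately ignores the environment: entries are
// sorted, ownership is zeroed, and mtime is clamped to a fixed epoch (the
// SOURCE_DATE_EPOCH convention), so the bytes depend only on the sources.
func ReproducibleBuild(src map[string][]byte, _ BuildEnv, sourceDateEpoch int64) []byte {
	names := make([]string, 0, len(src))
	for n := range src {
		names = append(names, n)
	}
	sort.Strings(names)
	return writeTar(src, names, time.Unix(sourceDateEpoch, 0).UTC(), 0)
}

// Digest is the value a publisher posts and an independent rebuilder
// compares against.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Scenario builds the same tree on two "machines" a day apart with different
// uids and directory order, and reports whether each method's digests agree.
func Scenario() (naiveMatch, reproducibleMatch bool) {
	publisher := BuildEnv{Now: time.Date(2021, 1, 1, 12, 0, 0, 0, time.UTC), UID: 1000,
		Order: []string{"bin/tool", "lib/helper", "share/README"}}
	rebuilder := BuildEnv{Now: time.Date(2021, 1, 2, 12, 0, 0, 0, time.UTC), UID: 1001,
		Order: []string{"share/README", "lib/helper", "bin/tool"}}
	const epoch = 1609459200 // constructed SOURCE_DATE_EPOCH: 2021-01-01T00:00:00Z

	naiveMatch = Digest(NaiveBuild(Sources, publisher)) == Digest(NaiveBuild(Sources, rebuilder))
	reproducibleMatch = Digest(ReproducibleBuild(Sources, publisher, epoch)) ==
		Digest(ReproducibleBuild(Sources, rebuilder, epoch))
	return naiveMatch, reproducibleMatch
}

func main() {
	n, r := Scenario()
	fmt.Printf("naive builds agree: %v\nreproducible builds agree: %v\n", n, r)
}
```

The naive digests differ and the normalized ones agree. That agreement is what lets a third party tie a published binary back to a specific source revision: rebuild from the tagged commit, compare digests, and a mismatch means either a non-deterministic build step or a binary that was not built from that source. Real toolchains have many more sources of nondeterminism than mtime, ownership and ordering (embedded build paths, parallelism, compiler versions), which is why the comment above calls the area still young.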
If I don't see a github action I'll usually pass on downloading. But what do you mean by "random person's site"? It's ffmpeg.org - is that not a reliable source?
> But what do you mean by "random person's site"? It's ffmpeg.org - is that not a reliable source?

The concern is that FFmpeg does not provide Windows binaries for themselves, they link to someone else who does.

You could argue that those providers are fine since they're implicitly being endorsed by FFmpeg, but it's not super clear whether they're trustworthy people involved in FFmpeg or randos that opened a GitHub issue saying "Hey I'm providing Windows binaries for people if they want them!"

Oh I see I didn't notice the additional links popping up on hover. Oof, that's not great.
they also link to this repository: https://github.com/BtbN/FFmpeg-Builds
I trust random developers more to host software that does not go against my interests than big tech corporations.