Hacker News new | ask | show | jobs
by _xivi 1020 days ago
>> By building their binaries from source and hosting them on their servers

> Wouldn't help if the source code already has the backdoor in there though

I'm not sure if you're aware but random tools don't just spawn in official package repositories overnight.

There's a vetting process, for both new packages and new maintainers. Also in established distros, packages don't get accepted to official repositories unless it's a critical and highly demanded one.

So yeah, any software can have vulnerabilities, regardless of OS. But stray tools and dubious actors, are pretty much a solved problem in linux distros. The situation on Windows is laughable in comparsion. No need to spread FUD.
2 comments
zx14 1020 days ago
The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?
link
3np 1020 days ago
This is a good thing to consider when picking Linux distros. Who are the maintainers, is maintenance done in the open, do they enforce reproducible builds, how is review process done, what are requirements for mainters/packages/releases?

You also have the option of building from source yourself. Some package managers and distros (Gentoo, NixOS, Guix) do this for you.

This is BTW the main reason I wouldn't use derivate distros for anything serious.

Debian's generally trusted in the community - their slow pace come from risk-aversiveness.

link
_xivi 1020 days ago
> The maintainers can be compromised though. Is every single version of every single "vetted" package / maintainer also vetted?

Pretty much, packaging is not a brainless process. One of the effort that specifically target this is the Reproducible builds project [0], along with many other security measures set by each distro.

There are also usually multiple testing and updates rolling stages.

The best evidence of how effective these measures is its actual reputation and record on the ground.

[0] https://reproducible-builds.org/

link
dewey 1020 days ago
Package managers are not the only way to get software. People build software off GitHub all the time.
link
_xivi 1020 days ago
> Package managers are not the only way to get software. People build software off GitHub all the time.

The question asked by parent comment was:

"How do Linux/Mac package managers solve this?"

link