by jraph 1013 days ago
I agree with you; now, for completeness, I should mention that Linux package formats usually allow packagers to provide arbitrary pre- and post-install shell scripts run as root.

(which means that if you don't trust a provider, not only is it not safe to run the program, it's also unsafe to install it)


>if you don't trust a provider, not only it's not safe to run the program, but it's also unsafe to install it

Isn't it the same for Windows right now? `.msi` and `.exe` can execute arbitrary code, right?

The only difference is that you usually trust the repo in Linux, but that’s a pretty significant “only thing,” in the sense that the repo is already the source of your whole system, so it better be trustworthy!
The "elegant" way of distributing 3rd party software for Linux is to ask the user to add your APT/RPM/[...] repo to their system. And most Linux distro maintainers anyway don't vouch for software in the main repos, beyond basic install-ability. The Debian project for example definitely doesn't do in-depth security analysis of every package in the repos: they just check the license, re-package it, and keep an eye on security updates in upstream.

Yes, absolutely.

Right. You should generally never install a proprietary software package provided by the vendor in RPM, DEB, or similar. What keeps the use of those hooks safe is purely social convention and review internal to the Linux distribution, and vendors routinely use those hooks to do unacceptable things.

If you must install proprietary software on your Linux system, either package it yourself or use something like Flatpak or Snap (or even AppImage).

Hopefully in the future vendors will increasingly move to providing well-sandboxed Flatpak packages by default.

The packages are cryptographically signed; you have the option to abort the install of an untrusted package before it does something malicious.

> packages are cryptographically signed

Packages are cryptographically signed by the packager; by the way, on Debian you add the key when you install a new repository. The signature tells you "This package has been built by X and has not been tampered with in the meantime", not "X and this package are not malicious, I promise".

> you have the option to abort the install of an untrusted package before it does something malicious

How do you do this in practice?

If I run apt install p or dpkg -i p.deb, the thing is installed. APT asks you for confirmation if it has to install additional dependencies, but that's it.

I have no guarantee, for any package, that I can install it without worrying that something bad will happen during its installation.

Of course you should not install untrusted packages, but still. The same could not be said if the package format didn't have any way to specify arbitrary install scripts.
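The thread turns on one practical point: the maintainer scripts (preinst/postinst/prerm/postrm) inside a .deb run as root at install time, and `apt install` gives you no chance to read them first. The only way to "abort before it does something malicious" is to look inside the archive before you hand it to dpkg. The following is an added example, written for this page and not code from any commenter or from the Debian project: it parses the .deb container (an `ar` archive whose `control.tar.*` member holds the maintainer scripts) with the Python standard library, extracts the scripts, and flags lines that do things a reviewer would want to see (network fetches, piping into a shell, editing APT sources, enabling services). The sample package, the package name `example-vendor-tool`, and the postinst body are constructed for the demo; the risk patterns are a starting heuristic, not a complete policy.

```python
import io
import posixpath
import re
import tarfile

# Debian maintainer scripts that dpkg runs as root during install/remove.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member of a BSD/common ar archive (60-byte header + data, even-padded)."""
    header = (
        name.ljust(16).encode()          # member name
        + b"0".ljust(12)                 # mtime
        + b"0".ljust(6) + b"0".ljust(6)  # uid, gid
        + b"100644".ljust(8)             # mode (octal)
        + str(len(data)).ljust(10).encode()  # size in bytes
        + b"`\n"                         # header terminator
    )
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    """Build a gzip'd tar in memory; keys are file names, values are bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(content)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample .deb (not a real package): control file plus a postinst
    that adds an APT source and enables a service, the kind of thing vendors do."""
    control = (
        b"Package: example-vendor-tool\nVersion: 1.0\nArchitecture: all\n"
        b"Maintainer: Example <nobody@example.invalid>\nDescription: constructed sample\n"
    )
    postinst = (
        b"#!/bin/sh\nset -e\n"
        b'echo "deb https://packages.example.invalid/repo stable main" '
        b"> /etc/apt/sources.list.d/example.list\n"
        b"systemctl enable example-agent.service || true\n"
    )
    return (
        b"!<arch>\n"
        + _ar_member("debian-binary", b"2.0\n")
        + _ar_member("control.tar.gz", _tar_gz({"control": control, "postinst": postinst}))
        + _ar_member("data.tar.gz", _tar_gz({}))
    )


def iter_ar_members(blob: bytes):
    """Yield (name, data) for each member of an ar archive such as a .deb."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode().rstrip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are padded to even offsets


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for every maintainer script in the control tarball."""
    for name, data in iter_ar_members(deb):
        if name.startswith("control.tar"):
            found = {}
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for member in tar.getmembers():
                    base = posixpath.basename(member.name)
                    if member.isfile() and base in MAINTAINER_SCRIPTS:
                        found[base] = tar.extractfile(member).read().decode("utf-8", "replace")
            return found
    raise ValueError("no control.tar member found")


# Heuristics a reviewer would want flagged before letting dpkg run the script as root.
RISKY_PATTERNS = (
    (re.compile(r"\b(curl|wget)\b"), "downloads from the network"),
    (re.compile(r"\|\s*(sh|bash)\b"), "pipes into a shell"),
    (re.compile(r"/etc/apt/sources\.list"), "modifies APT sources"),
    (re.compile(r"\bsystemctl\s+enable\b"), "enables a service"),
)


def review(deb: bytes) -> list:
    """Return (script, line_number, reason) for each flagged line in the maintainer scripts."""
    findings = []
    for script, text in maintainer_scripts(deb).items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, why in RISKY_PATTERNS:
                if pattern.search(line):
                    findings.append((script, lineno, why))
    return findings


if __name__ == "__main__":
    sample = build_sample_deb()
    for script, text in maintainer_scripts(sample).items():
        print(f"--- {script} ---\n{text}")
    for script, lineno, why in review(sample):
        print(f"{script}:{lineno}: {why}")
```

For a package already on disk, the same inspection is available from the command line with `dpkg-deb -e pkg.deb some-dir` (extracts the control tarball, maintainer scripts included) so you can read the scripts before running `dpkg -i`; the point of the script above is that nothing in the archive format stops you from doing that review, only the `apt install` workflow skips it.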