Not fair take, cpuz and hwmonitor are often used on new installations of PCs (or at least for me) to verify hw specs and stuff. Or when I need to do some upgrade work for a desktop computer.
I just go to the trusted site, download what's there and get going. This is not an npm package that a dev is updating on day 0 of its release for being a "human shield", it's literally the first version which comes up when DLing the new software.
Seems like the kind of thing to just have on a bootable thumb drive, to inspect any machine without requiring installation on the fly.
In fact, I think I used to use memtest86+ this way as it is a baked in boot option on Fedora bootable ISO images. (Or at least was in the past, I haven't checked this recently.)
CPU-Z gets updated to recognise new CPUs and memory configs and thus must be downloaded new to recognise the new hardware in a new machine (otherwise it can’t recognise it properly). With Memtest, sure, but CPU-Z is something you actually need the latest version of when you first fire up a new PC.
OK, so a bootable thumb drive rather than a read-only ISO image?
I mean, it should be possible to give it an update function which you can run from any utility host, rather than requiring a live install at the moment you want to test a new machine.
That update function could do normal package management and repository things with digital signature checks, etc.
And it could be done ahead of time to support sneaker-net scenarios, i.e. where you won't have networking on the new machine that is being burned-in/validated.
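As an added illustration of the "update function with signature checks, done ahead of time" idea (and of the later point that the verifying key must not come from the same server as the software), here is a small Go program that is not from the thread or any named tool: a manifest of artifact digests is signed on the networked utility host, and the offline machine verifies the manifest against a pinned Ed25519 public key before checking each artifact's SHA-256. The vendor key, artifact bytes and file name are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps artifact names to expected hex SHA-256 digests; built and signed on the utility host.
type Manifest map[string]string

// Encode renders the manifest canonically (sorted "name digest" lines) so signer and verifier hash identical bytes.
func (m Manifest) Encode() []byte {
	var lines []string
	for n, d := range m {
		lines = append(lines, n+" "+d)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// SignManifest signs the canonical manifest with the vendor's Ed25519 key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyArtifact checks the manifest signature against a public key pinned out
// of band (never fetched from the download server), then the artifact's digest.
func VerifyArtifact(pub ed25519.PublicKey, m Manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return fmt.Errorf("manifest signature invalid: wrong key or tampered manifest")
	}
	sum := sha256.Sum256(data)
	if want := m[name]; want == "" || hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%q is missing from the manifest or does not match its digest", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway vendor key
	artifact := []byte("constructed demo artifact bytes")
	sum := sha256.Sum256(artifact)
	m := Manifest{"cpuz.exe": hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println(VerifyArtifact(pub, m, sig, "cpuz.exe", artifact), "|", VerifyArtifact(pub, m, sig, "cpuz.exe", append(artifact, '!')))
}
```

In a real deployment the manifest, its signature and the artifacts travel together on the thumb drive, while the public key is installed on the verifying host separately and in advance.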
Is there a tool out there that you can put software releases into and it will tell you how safe it is? I don't seem to be able to buy anything to do this. Crowdstrike and other modern antivirus may react to it once it's on a device, SAST / SCA tooling will help with CVEs, but there's nothing I can give my users where they can put in some piece of random software and get a reputation metric out the other side, is there?
> put in some piece of random software and get a reputation metric out the other side
Well, the enterprise version of ms defender will not only react to it if it does something "weird", but will specifically look at its "reputation" before it runs at all.
However, as another commenter pointed out, this generates a ton of false positives. Basically everything that's "brand new" is liable to trigger it. Think your freshly compiled hello_world.exe. So, all in all, people may no longer pay attention to it and just click through all warnings.
I run software downloads through VirusTotal before installing or using. And I scan all releases I make on PortableApps.com through it as well. (Except those that are bigger than the max size in which case those get scanned with Defender, ClamAV, and at least one commercial Windows antivirus.)
Not exactly for software (although there is such a section), but I use the end of life [0] website. Besides the time when certain software will be outdated, it also tells you its release time.
I’m not one to chase the new and shiny, but how do you know a nominally months-old software package isn’t a newly compromised version at the time you download it?
I don't know about other managers, but nixpkgs has hashes of the package I'm installing, and is a git repo, so I can easily detect a history rewrite, and I have the full history of package changes over time. Since it's a git repo, I can also easily install things as of a given time.
You probably know this, but a note for the benefit of people who don’t. The entire git history, including metadata, can be modified. Unless you have an independent offline remote to compare to, this method is not 100% guaranteed to detect tampering in all cases, for example if the nixpkgs repo is compromised (or your machines’ connection to your git forge is being MITM’d).
Windows has this thing called digital signing with certificates, which Linux users like to pretend doesn't exist or, in the case of yesterday's Wireguard / VeraCrypt discussion, think is an evil capitalist scheme to control the world.
Digital signing on Windows predates Mac developer certificates by years but arguably wasn't widely used outside of security-paranoid organizations.
Before someone says Linux offers GPG signing it's mostly useless without a central PKI. Developers offer the public key for download on the same server as the software. If someone uploaded compromised software, surely they would replace the key with their own.
I hope you don't think that waiting a month will protect you. Malicious software can wait to be triggered months or years before anything malicious happens.
It helps. If I were a malware/backdoor author, I have the choice to make it lie idle for a couple months; this would help me get more victims, BUT it gives more time for someone to notice it BEFORE I get any victims at all.
Whereas if it is active immediately, I'm likely to get at least a few victims.