Hacker News new | ask | show | jobs
by roel_v 4014 days ago
"A closed source binary being silently downloaded and executed without explicit action by the user or notification to the same is a security incident."

Whereas source code being downloaded, compiled and run is not? Or a script being downloaded and run?
2 comments
vbezhenar 4014 days ago
You can't realistically audit binary blob. But you can audit source code. So if download is protected by the digital signature, it's OK.
link
mavhc 4014 days ago
You can't realistically audit the Chromium source code either.
link
shit_parade2 4014 days ago
? Why do you think people are discussing this, might it be because, gasp, the source code is being audited?
link
luso_brazilian 4014 days ago
The source code being downloaded, compiled and run or a script being download and run would be a as much a security incident as what happened.

In this context (Chromium on Debian) having a closed source binary downloaded and executed is an additional problem to the security incident and that's the reason it is mentioned in the statement. There are two problems conflated in the same sentence:

1. A binary was downloaded and executed without explicit user intervention or consent.

2. A closed source binary was downloaded and executed by a primarily free and open source software in a free and open source distribution without explicit user intervention or consent.

So, answering the questions, having the source available would not make it ok but being closed source in this context is a problem on its own.

link
rockdoe 4014 days ago
>a script being download and run would be a as much a security incident as what happened.

Like opening a webpage?

link
luso_brazilian 4014 days ago
Yes. If opening a webpage downloaded a script that permanently altered the browser adding or removing functionality without explicit user intervention or consent it would be a security incident. There is even a class of scripts that warrants a special name because of this exactly behaviour: malware.

Considering the more general case of scripts being downloaded and executed in the browser (javascript, for instance) the more apt analogy would be one being downloaded and executed in a system with NoScript installed.

Just like NoScript is a tool that gives its users the power to decide on a case by case basis which scripts are executed by the browser, Debian is a tool that gives its users the power to decide on a case by case basis which closed source binaries are executed by their system.

Preventing this choice in this context is a security incident.

link
JupiterMoon 4014 days ago
Just use no-script.
link