new | show | ask | jobs Github

charcircuit 3 days ago

>zoom through UAC prompts without reading.

UAC is not a security boundary, so it is not relevant when talking about security.

>SELinux and AppArmor already provide transparent system isolation for decades

If they are setup and most Linux distros only limit individual apps. So a brand new app can still run wild.

>you can install an immutable distro.

Even immutable distros let people download new software off the internet and run it.

>Plus, these repositories are generally well-vetted and observed by their maintainers.

This has been shown to be false in practice due to the xz backdoor. Maintainers do not actually vet anything other than that the code is coming from the developer. Which is also what app stores do.

▲

akimbostrawman 3 days ago | parent [-]

>UAC is not a security boundary, so it is not relevant when talking about security.

That is there excuses but you don't seem to realize that this makes it only worse because that means there is no boundary at all.

>If they are setup and most Linux distros only limit individual apps. So a brand new app can still run wild.

new apps will be either installed from a trusted repository (often with a MAC profile) or sandboxed by default from flatpak/snap store. You don't seem to understand that the entire install process is different. You don't get your software from random sites found on Google between malware ads on Linux.

>This has been shown to be false in practice due to the xz backdoor

XZ has nothing to to with a lack of vetting and even if it was it would be an argument for it because it got caught in testing.

▲

sugarpimpdorsey 3 days ago | parent [-]

> XZ has nothing to to with a lack of vetting and even if it was it would be an argument for it because it got caught in testing.

This is absolutely false, it was not caught in any sort of regular testing whatsoever.

It was caught by - of all people - a Microsoft employee who noticed SSH logins were taking a split second too long. Not distro packagers. The packages were already staged in the testing branches of the distros they were targeting and could have easily made it into the LTS versions had this one curious MS guy not noticed.

	▲	bayindirh a day ago \| parent \| next [-]
		> could have easily made it into the LTS versions had this one curious MS guy not noticed. LTS doesn't mean set in stone. Debian publishes fixes within 24 hours in most cases, even if the upstream doesn't provide any, plus some packages come with Debian's own security patches on top of upstream patches. Linux security landscape is very different than Windows' central "we'll patch it when we patch it" stance.
	▲	akimbostrawman 3 days ago \| parent \| prev [-]
		>This is absolutely false, it was not caught in any sort of regular testing whatsoever >The packages were already staged in the testing branches Thanks for making my argument for me. It was also literally caught in (Debian) TESTING. It does not matter for who he works unless you believe a cooperation owns there employees time and achievements 24/7. He notices something off, tested it, looked at the source code (impossible on windows ;) and reported the issue he found which got quickly and transparently (also impossible on windows) fixed. Again that is how FOSS should work and why it's superior to proprietary software.