mjr00, 5 hours ago:

> Most of the world does not care. I suspect that is more true today than ever before. There are now adults that grew up in the age of social media that have no idea how local computing works.

Yep. I was amazed when I was talking to a friend who's a bit younger (late 20s) and told him about a fangame you could just download from a website (Dr Robotnik's Ring Racers, for the record) and he was skeptical and concerned at the idea of just downloading and running an executable from somewhere on the internet. I suspect most adults these days are like this; their computing experience is limited to the web browser and large official corporate-run software repositories, e.g. app stores and Steam. Which ironically means they would do just fine on Linux, but there's also no incentive for them to switch off Windows/macOS. To them, Microsoft and Apple having control of their files and automatically backing up their home directory to Azure/iCloud is a feature, not a problem.
Aurornis, 4 hours ago (reply to mjr00):

> and he was skeptical and concerned at the idea of just downloading and running an executable from somewhere on the internet

Ironically, being concerned and skeptical about running random executables from the internet is a good idea in general.
mjr00, 4 hours ago (reply to Aurornis):

> Ironically, being concerned and skeptical about running random executables from the internet is a good idea in general.

I agree you shouldn't run random executables, but the key word is "random". In this case, Ring Racers is a relatively established and somewhat well-known game, plus it's open-source. It doesn't guarantee it's not harmful, of course, but ultimately for someone with the mindset of "I should never run any programs that aren't preapproved by a big corporation", they may as well just stick to Windows/macOS or mobile devices where this is built into the ecosystem.
Nextgrid, 3 hours ago (reply to mjr00):

> plus it's open-source

Open-source only matters if you have the time/skill/willingness to download said source (and any dependencies') and compile it. Otherwise you're still running a random binary and there's no telling whether the source is malicious or whether the binary was even built with the published source.
MaxBarraclough, 2 hours ago (reply to Nextgrid):

It's no guarantee, but it's a positive indicator of trustworthiness if a codebase is open source. I don't have hard numbers on this, but in my experience it's pretty rare for an open source codebase to contain malware. Few malicious actors are bold enough to publish the source of their malware. The exception that springs to mind is source-based supply chain attacks, such as publishing malicious Python code to Python's pip package manager. You have a valid point that a binary might not correspond to the supposed source code, but I think this is quite uncommon.
mjr00, 2 hours ago (reply to Nextgrid):

Of course this is true. But you can keep going down the rabbit hole. How do you know there isn't a backdoor hidden in the source code? How do you know there isn't a compromised dependency, maybe intentionally? Ultimately there needs to be trust at some point, because nobody is realistically going to do a detailed security analysis of the source code of everything they install. We do this all the time as software developers; why do I trust that `pip install SQLAlchemy==2.0.45` isn't going to install a cryptominer on my system? It's certainly not because I've inspected the source code, it's because there's a web of trust in the ecosystem (well-known package, lots of downloads, if there were malware someone would have likely noticed before me).

> still running a random binary

Again, "random" here is untrue; there's nothing random about it. You're running a binary which is published by the maintainers of some software. You're deciding how much you trust those maintainers (and their binary publishing processes, and whoever is hosting their binary).
lutusp, 27 minutes ago (reply to Nextgrid):

> Open-source only matters if you have the time/skill/willingness to download said source (and any dependencies') and compile it.

Not really. The fact that an application is open-source means its originator can't rug-pull its users at some random future date (as so often happens with closed-source programs). End users don't need to compile the source for that to be true.

> Otherwise you're still running a random binary and there's no telling whether the source is malicious or whether the binary was even built with the published source.

This is also not true in general. Most open-source programs are available from an established URL, for example a GitHub archive with an appropriate track record. And the risks of downloading and running a closed-source app are much the same.
wat10000, 19 minutes ago (reply to mjr00):

How do they know they've found the legitimate Ring Racers download and not some scammer who managed to get their search result above the real one? Nothing wrong with downloading and running programs you trust, but there needs to be a good answer to that question.
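The practical answer to wat10000's question, and to the "was the binary built from the published source" worry above, is to check the downloaded artifact against a digest or signature obtained from a channel you already trust (the project's own repository or signed release notes), not from the page that served the download. The script below is an added example written for this thread; it is not code from the original comments or from the Ring Racers project. The artifact names, file contents and the `SHA256SUMS` manifest are constructed inline so it runs offline; the `pip_hash_line` helper shows how the same pinned digest feeds `pip install --require-hashes`, which is how you turn the "web of trust" around `pip install SQLAlchemy==2.0.45` into a mechanical check.

```python
"""Verify a downloaded artifact against digests obtained out of band.

Added example, not code from the original thread or from the Ring Racers
project. File names, contents and the manifest below are constructed here
so the script runs offline.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # stream files in 1 MiB chunks so large installers don't sit in memory


def sha256_file(path):
    """Hex SHA-256 of a file, computed in a streaming fashion."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse sha256sum-style 'HEX  name' / 'HEX *name' lines into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = digest
    return expected


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def verify_dir(directory, sums_text):
    """Check every artifact listed in the manifest. Returns ({name: ok}, all_ok)."""
    expected = parse_sums(sums_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        # A missing file is a failure, not a skip: the manifest is the authority.
        results[name] = os.path.isfile(path) and verify_download(path, digest)
    return results, all(results.values())


def pip_hash_line(requirement, wheel_path):
    """requirements.txt line usable with `pip install --require-hashes`."""
    return f"{requirement} --hash=sha256:{sha256_file(wheel_path)}"


def demo():
    """Constructed scenario: a genuine release next to a tampered 'mirror' copy."""
    genuine = b"not-really-ELF: genuine release build\n"
    tampered = genuine + b"# bytes appended by an impostor mirror\n"
    name = "RingRacers-linux.tar.gz"  # hypothetical artifact name
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        with open(os.path.join(good, name), "wb") as f:
            f.write(genuine)
        with open(os.path.join(bad, name), "wb") as f:
            f.write(tampered)
        # The manifest is derived from the genuine bytes here for the demo; in
        # practice it comes from a separately trusted source, never from the
        # same site that served the download.
        sums = f"{hashlib.sha256(genuine).hexdigest()}  {name}\n"
        _, good_ok = verify_dir(good, sums)
        _, bad_ok = verify_dir(bad, sums)
    return good_ok, bad_ok


if __name__ == "__main__":
    print(demo())
```

The digest check only moves the trust question to the manifest, which is the point: a `SHA256SUMS` file (or a signature over it) fetched from the project's repository is something a scammer's lookalike site cannot forge, so a mismatch is the signal that you were served the wrong binary. Run `demo()` to see the genuine copy pass and the tampered copy fail.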
wilsonnb3, 4 hours ago (reply to mjr00):

To be fair, downloading and running random executables from the internet is a genuinely terrible security model when the OS (like Windows, Linux, or, to a lesser extent, macOS) does nothing to prevent it from doing anything you can do.