Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
victorbjorklund 3 hours ago

I don’t think that is a useful definition even if technically true. With that logic even Linux isn’t privacy because in theory they can push code that will only run for you.

palata 2 hours ago | parent | next [-]

I think the argument is that when you load a webpage, you download the code everytime you want to run it, from servers owned by the company building the service. So they can choose to serve you different software (e.g. with a backdoor), just this one time and just for you, and you won't know (not that it would be impossible, but it is generally impossible in practice).

When you download a program on Linux through the distro package manager, you download it once and run this, every time. You know very well when it gets updated. You can compare the hash of your program/package with the one distributed by the distro, and the distro is not the developer of the program (so there is another layer there). You can audit that code (if open source), and at the very least you can compare with others to see if they receive the same code. And again, the program is served by the distro, not by the developer. The backdoor situation would require asking the developer to implement a backdoor, and then asking the distro to server you a different executable, and then hoping that you never, ever check the hash of that program that you own offline. It's a lot harder.

In a way, for ProtonMail (in your browser) to be "end-to-end encrypted", you have to trust Proton. But that kind of defeats the purpose of end-to-end encryption.

Same applies to e.g. WhatsApp Web, which is an interesting example because there exists a browser extension allowing you to "validate" that you run the code Meta expects you to run. Though you still have to trust Meta: the extension only helps making sure that nobody other than Meta is abusing you. The WhatsApp mobile app doesn't have that problem, as it is distributed as an archive by a third party (Play Store).

IAmBroom an hour ago | parent [-]

> In a way, for ProtonMail (in your browser) to be "end-to-end encrypted", you have to trust Proton. But that kind of defeats the purpose of end-to-end encryption.

Yes, and every VPN in the world (that isn't self-hosted) relies on trust that they won't share your info, not even your fingerprint - which defeats the purpose of VPNs. It's very hard to have perfect security. OK, impossible.

maweaver 3 hours ago | parent | prev | next [-]

Using what mechanism? Most Linux updates are not pushed but rather pulled at the user request. You can use Linux totally offline. This is fundamentally different than a webapp, where code is sent with every visit

izacus 2 hours ago | parent [-]

The automatic updates most distros have enabled by default. Signal desktop outright stops working if you don't constantly pull updates from them.

63stack 2 hours ago | parent | next [-]

Debian requires unattended-upgrades to be installed (it's not installed by default), Mint and Fedora has the option of enabling automatic updates (disabled by default), Arch has no mechanism for automatic updates.

Which ones are these "most distros"?

the8472 an hour ago | parent | prev | next [-]

Distros have mirrors and they don't know which one you use. The updaters don't send user IDs and downloading the package lists is separate from downloading the packages. So targeted backdoor distrubution is much harder than a company's web UI with user logins targeting a specific user.

littlestymaar 2 hours ago | parent | prev [-]

Signal pushing updates every other day is pretty much a security anti-pattern though. It makes it almost as vulnerable as a web app to this kind of thing, but this isn't the typical Linux software experience by any stretch.

progbits 3 hours ago | parent | prev | next [-]

How will they push it?

63stack 3 hours ago | parent | prev [-]

Linux as in the kernel? Who is "they"? Torvalds?