Hi, there!
Newbie question here: basically, the title. Perhaps what I’m asking is pretty obvious, but I’d like to double-check with the community on this.
I use Discover on my Debian KDE Plasma set-up, with Flatpaks enabled (but not Snaps). Sometimes, I come across apps (I did just yesterday, searching for translation apps to replace DeepL), that have according to its page, an unknown author and, sometimes, even an unkown licence, but which do require access permission to the whole system (this latter requirement applying specifically to Deb packages, from what I’ve seen).
Under these circumstances, is it safe to assume that such apps will still be safe because of the fact that they appear listed on Discover (in other words, is Discover a guarantee of safety for the apps it shows, as in, some type of checked or proved content), or should I still be wary of potentially malicious software included on it?
Thank you very much in advance :)
Stuff from the repository of your distribution generally can be considered save but everything involving a third party might not be.
This counts for both other Apt repositories as well as Flatpak. You likely have Flathub as an Flatpak source and while they have some checks and controll instances it is possible for untrusted third parties to upload packages including non-free ones there. I do not now of any incidents but some suspicion for packages with full system access can’t harm.
Thank you for your insightful comment. If I may incur once again in noobieness, what precisely do you mean when you say the “repository” of my distribution? Do you mean the pieces of software than come preinstalled with the OS itself?
A repository (or repo) is a server that hosts program files for your distribution. Distributions host their own repositories from which you can install software with your package manager, like APT or DNF or others. If you only install software from your distribution’s repository, there’s likely no clashes with software versioning and dependencies, and the packages are about as reliable as they can be (which doesn’t mean there’s never malware). If you add third party repositories for software not available from your distribution’s repository, it’s more likely there will be issues, because the distribution doesn’t guarantee the packages work well together.
For example, Debian and Arch don’t retrieve and install their software from the same source. They have their own servers (repositories) hosting software compiled to work with their particular distro and to be used by their chosen package manager.
Flatpak (or Snap or Guix) is a separate package manager that handles it’s own dependencies and doesn’t clash with your distribution’s own software manager.
Does this help?
Uhhhhhhhh…
Bruh. It’s not safe to assume any software from anywhere is safe… that’s kinda the essence of Zero Day exploits.
Even if you wrote it there have been Linux exploits that hid a root kit, and patched the gcc compiler and linker to create a level of persistence that is just other worldly. IIRC what that fucker was called, but it won’t be hard to find. You can probably still count Linux root kits on one hand.
Hell, I’ll look it up after I’m done with my morning duce… that shit was epic. And like, also, theoretically, you could be Mr. Robot, so… you know… it’s just a good idea not to trust yourself anyway.
I think you are thinking of this.
But, more recently, this should make anyone who is concerned about security shudder. And it was only discovered because some guy in Germany noticed ssh logins were taking a bit longer than in previous versions.
Spot on, thanks for finding that. I wonder if there was ever a proof of concept or something like that. I installed my first copy of Slackware some time in the early 90… Maybe late 80s… it’s getting a bit fuzzy, I want to say that the kernel was pre 0.9.
One of the scariest things I had ever done, but I learned so much more about computers than I would have otherwise. Point being there was definitely some years between Ken’s article… still very much the era of viruses for the same of proving you could create something novel and powerful. We kept collections of them like weirdos that keep poisonous snakes 🐍
Anyway, it’s past grandpas bed time. Thanks again for finding the article, I’ll definitely have to do a bit more research… It was a super fun time in my life and I enjoyed remembering.
I thought he did do a proof of concept, but I could be wrong. It’s been a while (many years) since I’ve read up on it.
My first Linux install was also Slackware, albeit Slackware 3.x, in the late 90s, while avoiding grad school work. I don’t remember what kernel it used at that time. So if you’re grampa, I guess I’m your son. :)
ROFL… I think there’s a quotable from Fight Club about his dad going around setting up “franchises…”
Honestly hoping to meet Patrick Vol… nope —not even going to take a swing at trying to spell his last name. But I seriously owe that guy a beer and pancakes.
On a semi related note, I think it took me a solid week of effort to get audio going (on Linux) just so I could be more confused about how to properly pronounce it. I want to say the file name was linux.au and it’s Linus saying something like “This is Linus Torvalds introducing UNIX as Linux.” Back in the day we had to spell UNIX with an asterisk because AT&T owned the trademark and aggressively enforced it.
All of this went down while I was working at a shitty little outfit called Los Gatos Computer Corporation. We built IBM PC clones in half the warehouse, the other half was full of old SGI computers. The scam there was that the business owners told SGI they were recycling the old hardware, but what they actually did was cobble together working systems from the broken bits. Basically one brilliant guy sat in a 10x10 room chain smoking and patching the busted SGI stuff back together. He hand soldered upwards of a hundred hair fine bodge wires, motherboards taped together… it was mental, but somehow they made enough cash to keep the whole crazy operation alive for a year or two.
Volkerding, I think! checks Yep that’s it!
I remember being an idiot and compiling my own kernel (“oh it’s so much faster!”). Lol. I guess if that’s the dumbest thing I’ve done, I’m doing well. I remember that sound clip, too.
Hey you were recycling them, just not into a dump!
