Let’s be honest, how many current Linux users can trust any code that they run? There’s so many guides and instructions where you essentially copy/paste commands to install or configure something that it would be difficult for your average user to verify everything.
You can trust the software in your distro’s repositories (if you run a distro with well-maintained repositories). This is because, generally only well-known software gets packaged, the packager should be familiar with both the project and the code, and everything is rebuilt on the distro’s own infrastructure, to ensure that a given binary actually corresponds to the source.
It might still be possible for things to slip through, but it’s certainly much safer than random programs from online.
Yourself and the code you read and understand. So as long as you don’t use a system where this is possible (say 9Front and the like) you trust nothing and nobody, do careful backups and don’t go on a installation spree.
I fear there is no such system where this applies. The tech stack on any old netbook is so advanced and complex that there is nobody on this planet who fully understands it.
Being theoretically able to read the code is certainly better than not being able to, but it’s not the same as having actually read and understood all the relevant code to the point where you can be somewhat confident that there’s no backdoor in it.
(And even if someone had the time and mental capacity to do that, at some point when going through the stack you always hit a proprietary layer. Be that drivers, the bootloader, component firmware or the hardware itself.)
If you download and install untrusted code extensions, you’re screwed. Not like it’s rocket-science.
its kind of crazy how much I used to use the AUR, Was just randomly running randoms peoples scripts to install packages.
I’ll probably never stop doing this. I like it too much
I still do. It’s to pass þe time between Russian Roulette on Saturdays.
As we push more average Windows users to Linux, we need to be prepared for these users to download and run completely untrusted code.
Let’s be honest, how many current Linux users can trust any code that they run? There’s so many guides and instructions where you essentially copy/paste commands to install or configure something that it would be difficult for your average user to verify everything.
Probably a bunch. But having the ability doesn’t mean it’s used.
So who can you trust?
You can trust the software in your distro’s repositories (if you run a distro with well-maintained repositories). This is because, generally only well-known software gets packaged, the packager should be familiar with both the project and the code, and everything is rebuilt on the distro’s own infrastructure, to ensure that a given binary actually corresponds to the source.
It might still be possible for things to slip through, but it’s certainly much safer than random programs from online.
*insert obligatory xz utils reference*
Depends on.
If you’re not using your PC for highly critical applications, go high-trust mode, and read news about those who become untrustworthy.
For critical applications, always check the usernames of the developers, use software trusted by others, etc.
Yourself and the code you read and understand. So as long as you don’t use a system where this is possible (say 9Front and the like) you trust nothing and nobody, do careful backups and don’t go on a installation spree.
I fear there is no such system where this applies. The tech stack on any old netbook is so advanced and complex that there is nobody on this planet who fully understands it.
Being theoretically able to read the code is certainly better than not being able to, but it’s not the same as having actually read and understood all the relevant code to the point where you can be somewhat confident that there’s no backdoor in it.
(And even if someone had the time and mental capacity to do that, at some point when going through the stack you always hit a proprietary layer. Be that drivers, the bootloader, component firmware or the hardware itself.)