I just wanted to throw out a question as to how many users check out PET packages before they install them to make sure they do not install software that could put a user's security at risk.
For example, one makes a PET package of a game and includes in it a means to remotely access the computer it is installed on.
The unwanted code could set itself up to even activate at a given time using the scheduler.
I usually do not examine the contents of a Pet package before I install it.
Just imagine if a dd command was included and what the dd command is capable of!
Pet packages and security.
Anything is possible unless you are able to audit/inspect the code. This is why the inclusion/distribution of pre-built binaries is such a bad practice. Of course, most users are not smart enough to audit a piece of software -even a script, for example. One hopes to be able to trust the distributor, but I see that BK often includes binary packages which have been built by others. He should at least insist that submissions be made in the form of a build script which compiles and builds the package. Of course, you/he still has to be able to either trust the source or be capable/willing to inspect it.
I would never (and never have) trusted anyone's binaries from this forum. And I also don't trust any scripts from here without going through them first to see what they really do. The problem is that nearly everything offered here is done in such a shoddy manner, that the scripts are basically unreadable. BK sets a bad precedent there, as well, because even his stuff is nearly impossible to decipher.
These days, I don't depend on *anyone* for any binaries -I build everything myself -except for Opera and Flash-player. I do not really trust the flash-player at all -it has always been crap. Opera I do trust, as far as possible. They seem to do a better job than either the Seamonkey or FireFox teams -security alerts on Opera are rare indeed.
To be fair, most of the 'crap' offered here is not maliciously intended -it's just that the authors have no idea what they are doing and so they easily can cause a disaster -at my expense.
I do trust the intentions of most major distros, but I'm always careful about their *implementations* of those intentions. Very few distros have adequate methods for vetting software. For any sort of mission-critical or security-minded system, I would only trust myself or debian. debian is the *only* distro which tests software anywhere near adequately.
I do extract and inspect every package I put into woof. Mostly I have to do this because woof-non-compliant pinstall.sh scripts often break woof building. I also check that the package does not install something which overwrites existing binaries or libs or overwrites configuration scripts without improved intention.
Backdoors in Puppies. Might be. There are quite a lot of people who search under the hood, strange behavior is a frequent topic, and the cause has many times been hunted down. I haven't heard in 3 years that a backdoor or malicious content (intentional) has ever been found.
Of course it can be there.
You can also have a car accident tomorrow, but still you go to work.
My medication is in balance.
About script content. Good to hear that it is not only poor understanding about scripting that I don't understand most of the code. It is helpful to hear that the content is incomprehensible to the talented coder also. Thanks.
It could be said that the content Puppy coders use gives also security by obscurity. lol.
Every force has equal counterforce.
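The checks described in the post above (read pinstall.sh, look for files that would replace existing binaries, libs or configuration), sketched as an added example that is not part of the original thread or of Puppy's own tooling. It assumes the package has already been unpacked into a directory; `audit_pkg`, `make_sample`, the sample tree and the keyword list are illustrative assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): audit an already-unpacked package tree.
# audit_pkg PKGDIR ROOT prints one finding per line:
#   OVERWRITE <kind> <path>   package file that already exists under ROOT
#   SCRIPT pinstall.sh        the package ships a post-install script
#   REVIEW pinstall.sh:N:...  script line to read by hand before installing
audit_pkg() {
    pkg=$1 root=$2
    # 1. Anything in the package that would replace an installed file.
    ( cd "$pkg" && find . ! -type d | sed 's|^\./||' | sort ) |
    while IFS= read -r f; do
        case $f in
            *bin/*)   kind=binary ;;
            *lib*/*)  kind=library ;;
            etc/*)    kind=config ;;
            *)        kind=other ;;
        esac
        if [ -e "$root/$f" ] || [ -L "$root/$f" ]; then
            echo "OVERWRITE $kind /$f"
        fi
    done
    # 2. The post-install script: flag raw disk writes (dd) and scheduler
    #    entries (cron). The keyword list is illustrative, not complete.
    if [ -f "$pkg/pinstall.sh" ]; then
        echo "SCRIPT pinstall.sh"
        grep -nE '(^|[^[:alnum:]_])(dd|crontab)([^[:alnum:]_]|$)|/cron' \
            "$pkg/pinstall.sh" | sed 's|^|REVIEW pinstall.sh:|'
    fi
    return 0
}

# Constructed sample: a fake installed root and a fake unpacked package.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/root/bin" "$t/root/etc" "$t/pkg/bin" "$t/pkg/etc" "$t/pkg/usr/games"
    echo old > "$t/root/bin/ls";  echo old > "$t/root/etc/hosts"
    echo new > "$t/pkg/bin/ls";   echo new > "$t/pkg/etc/hosts"
    echo game > "$t/pkg/usr/games/demo"
    printf '%s\n' '#!/bin/sh' 'echo "adding menu entry"' \
        'echo "0 3 * * * /usr/games/demo" >> /var/spool/cron/crontabs/root' \
        > "$t/pkg/pinstall.sh"
    echo "$t"
}

sample=$(make_sample)
audit_pkg "$sample/pkg" "$sample/root"
rm -rf "$sample"
```

A REVIEW line is only a pointer to where to start reading; a script with no flagged lines still has to be read in full.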
-
- Posts: 452
- Joined: Thu 20 Mar 2008, 01:48
It is good to hear others' opinions on this subject!
At least we are using an open source OS in Puppy and other versions of linux. That gives us at least a chance to examine the software we install as well as the base it is installed on.
We are not at the mercy of MS, its closed source OS and lord knows what gets added by its update manager that one does not know about and cannot legally examine.
The MS users license as an example prohibits that sort of checking of their software.
At least with Puppy, the source code for most of it is available although not included with the ISOs.
I have read on Barry's site of one being able to request the source code for any puppy version he makes.
So thank you for your views on this and others that have read this thread feel free to join in and make your thoughts known.