My problem is that we’ve normalised pulling massive amounts of random stuff from the internet without knowing what all of it does. Package managers make this effortless. For example NPM gets pwned seemingly every month. Also the whole XZ Utils fiasco from a couple of years ago. This is not normal.
The AUR is explicitly covered in warnings telling you to vet everything yourself and that you could easily get pwned. Admittedly the process for taking over packages is too lax. The official Linux repos are extremely good in general because they are subject to code review and more stringent requirements. Debian is moving to requiring signed packages which is good.
Software library management is different, and pointing to JS as an example of terrible computing practices is well, duh. JS is horrible and used by lowest common denominator people pushing slop out to make the web work worse. But library package managers are solving a different problem, not “how do we make computing safe and easy” which is the OS ones, but rather “how do we make development fast and avoid dependency conflicts”. The names overlap but the purpose is separate.
Shitty devs will get just as owned and own others by copying random unsafe code anyway, don’t use software written by shitty devs
Approximately 0 people saw those warnings. Ever. They all use some frontend like yay which will happily install whatever malware you ask it to.
I don’t see how they are conceptually different. Sure, one of them has better quality control but we still get backdoors sneaking through into popular distros. OS package managers also have an effect on development. Devs rely on them to resolve a massive net of dependencies they create when the goal should be to reduce the number of dependencies.
What if the software was written by a great dev deliberately to own you? What if this dev was hired specifically to place a malicious line of code into do_some_basic_stuff.so library that everyone is using for some reason?
With a Linux distro package manager there is usually a single version of a dependency and the maintainers try to keep that secure.
With programming package managers each project has its own dependency tree. With npm there can even be multiple versions of the same dependency in the tree.
Everyone knows the warnings, nobody does the reviewing. It’s a shit approach to community safety.
Yay is itself an unofficial piece of software with terrible security defaults such as not showing diffs by default. To install yay you go outside the official repositories; it is no more trustworthy than going to enthusiastsite.com and downloading some makewindowsawesome.exe.
The AUR is still a better solution than everyone (mis)managing their own systems and never updating anything but it is not vetted, it’s in the bloody name what it is.
The rest is just social problems. If you’re not fit to audit code and have to rely on trusting maintainers, why would you expect removing them would make it better? Look at Windows for an indication of the ludicrous mess of out of date and vulnerable software or ransomware etc that will happen.
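The diff review that yay skips by default, written out as an added example (this is not code from the thread, yay or pacman). It diffs the PKGBUILD you built last time against the one the AUR serves now and flags the places a bad update hides: a new download host, a checksum set to SKIP, a checksum that changes while pkgver does not, and an edited build() or package() body. Both PKGBUILDs are constructed samples; “example-tool” and every URL in them are hypothetical, and the regexes are not a bash parser, they only understand the plain layout shown.

```python
"""Review a PKGBUILD update before building it: the diff step yay skips by default.

Added example, not code from the thread, yay or pacman. Diffs the PKGBUILD you
built last time against the one the AUR serves now and flags where a bad update
hides: new download hosts, SKIP checksums, a checksum that changes while pkgver
does not, and edited build()/package() bodies. Both PKGBUILDs are constructed;
'example-tool' and its URLs are hypothetical. The regexes are not a bash parser.
"""
import difflib
import re
import shlex
from urllib.parse import urlparse

OLD_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
source=("https://github.com/example/example-tool/archive/v${pkgver}.tar.gz")
sha256sums=('0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# The "update": same pkgver, bumped pkgrel, a second download from a new host
# with its checksum set to SKIP, and a build() that now runs that download.
NEW_PKGBUILD = (
    OLD_PKGBUILD.replace("pkgrel=1", "pkgrel=2")
    .replace('.tar.gz")', '.tar.gz"\n        "https://cdn.example-mirror.net/helper.sh")')
    .replace("e1f0')", "e1f0'\n            'SKIP')")
    .replace('  cd "$pkgname-$pkgver"\n  make\n',
             '  cd "$pkgname-$pkgver"\n  sh "$srcdir/helper.sh"\n  make\n')
)

ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.MULTILINE | re.DOTALL)  # stops at first ')'
SCALAR_RE = re.compile(r"^(\w+)=([^(\n][^\n]*)$", re.MULTILINE)
FUNC_RE = re.compile(r"^(\w+)\(\)\s*\{\n(.*?)^\}", re.MULTILINE | re.DOTALL)


def parse_pkgbuild(text):
    """Return (bash arrays, scalar variables, function bodies) of a PKGBUILD."""
    arrays = {k: shlex.split(v) for k, v in ARRAY_RE.findall(text)}
    scalars = {k: shlex.split(v)[0] for k, v in SCALAR_RE.findall(text) if v.strip()}
    funcs = dict(FUNC_RE.findall(text))
    return arrays, scalars, funcs


def checksum_by_source(arrays):
    """Pair each source entry with its digest from the first *sums array."""
    sums = next((v for k, v in arrays.items() if k.endswith("sums")), [])
    return dict(zip(arrays.get("source", []), sums))


def host_of(source_entry):
    # AUR sources may be written as "localname::url"; keep only the URL part.
    return urlparse(source_entry.split("::")[-1]).netloc


def review(old_text, new_text):
    """Findings a reviewer should read before building the new PKGBUILD."""
    findings = []
    old_a, old_s, old_f = parse_pkgbuild(old_text)
    new_a, new_s, new_f = parse_pkgbuild(new_text)
    sources = new_a.get("source", [])
    for key, digests in new_a.items():
        if not key.endswith("sums"):
            continue
        if "SKIP" in digests:
            findings.append(f"{key} contains SKIP: that download is never verified")
        if len(digests) != len(sources):
            findings.append(f"{key} has {len(digests)} digests for {len(sources)} sources")
    old_hosts = {host_of(s) for s in old_a.get("source", []) if "://" in s}
    for s in sources:
        if "://" in s and host_of(s) not in old_hosts:
            findings.append(f"new download host: {host_of(s)}")
    old_sums, new_sums = checksum_by_source(old_a), checksum_by_source(new_a)
    same_ver = old_s.get("pkgver") == new_s.get("pkgver")
    for src in old_sums.keys() & new_sums.keys():
        if same_ver and old_sums[src] != new_sums[src]:
            findings.append(f"checksum changed at the same pkgver for {src}")
    for name, body in new_f.items():
        if old_f.get(name) != body:
            findings.append(f"{name}() body changed")
    return findings


def unified_diff(old_text, new_text):
    """The diff itself, which is what you actually read before deciding to build."""
    return "".join(difflib.unified_diff(old_text.splitlines(True), new_text.splitlines(True),
                                        "PKGBUILD (last built)", "PKGBUILD (AUR now)"))
```

Print `unified_diff(OLD_PKGBUILD, NEW_PKGBUILD)` and then `review(OLD_PKGBUILD, NEW_PKGBUILD)`: for the constructed update it reports the SKIP digest, the new host cdn.example-mirror.net and the changed build() body, while package(), which did not change, is not flagged. Against a real package you would feed it the PKGBUILD from your last build and the one from a fresh `git pull` of the AUR repo.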
There is a substantial difference between distribution package repositories and systems like NPM. NPM just pulls shit from random third-party git repositories. NPM gets pwned every month because the weakest link in the chain is some javascript developer, and the chain has tens of thousands of links. On NPM (and other similar programming language package managers) if the upstream developer pushes a malicious update, you’re already fucked. Could be a malicious developer, or it could be one of the credential-stealing ShitHub worms we’ve seen go around.
Distribution package repositories are maintained and hosted by a third party (the distribution). If the upstream developer pushes a malicious update, nothing happens. If it is very well disguised, it could potentially slip into an unstable or testing branch, but there is also a time delay before things make their way from unstable to testing to stable, so there is a very high likelihood the problem will be discovered before it hits the average person, assuming the maintainers don’t spot it immediately. The xz-utils attack was discovered and mitigated before it could be exploited as a result of this due diligence - though it certainly was a wake-up call.
Another part of the problem with “convenient” PLPMs is that they allow developers to choose whatever version of a dependency they want, so on a good day you only end up with 10 different versions of each installed. It is all about expedience. A lot of more conventional software releases vendor their own dependencies in as well. Distribution package managers go to great lengths to un-bundle these dependencies, such that everything included in the repository is depending on the one version of e.g. librsvg they ship, rather than every Rust package pulling in whatever random versions of the 300 crates they happen to have listed in their cargo.lock. This substantially lowers the attack surface and constrains the amount of places malicious code can be hidden or un-patched vulnerabilities can linger indefinitely.
Distribution package repositories aren’t impervious, but they are substantially more secure than what’s going on when you put thousands of random upstream developers in the driver’s seat.
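The “multiple versions of the same dependency in the tree” point from the npm comment above, and the cargo.lock point from the comment just above it, as one added example (not code from the thread, npm or cargo). It reads a package-lock.json (lockfileVersion 2 or 3, the "packages" map) or a Cargo.lock and lists every dependency that is present at more than one version, which is exactly the thing a distro’s one-version-per-library rule forbids. Both lockfiles are constructed samples with made-up package names.

```python
"""List dependencies present at more than one version in a project's lockfile.

Added example, not from the thread, npm or cargo. A distro ships one version of
each library; a project's own lockfile usually does not, and this shows where.
Handles package-lock.json (lockfileVersion 2/3, the "packages" map) and
Cargo.lock. Both inputs are constructed samples with made-up names.
"""
import json
import re
from collections import defaultdict

# Constructed package-lock.json: old-cli pins an older left-util, so npm nests a
# second copy under node_modules/old-cli/node_modules.
PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0",
             "dependencies": {"left-util": "^2.0.0", "old-cli": "^1.0.0"}},
        "node_modules/left-util": {"version": "2.3.1"},
        "node_modules/old-cli": {"version": "1.4.0",
                                 "dependencies": {"left-util": "^1.0.0"}},
        "node_modules/old-cli/node_modules/left-util": {"version": "1.9.2"},
        "node_modules/@scope/tiny-helper": {"version": "0.0.3"},
    },
})

# Constructed Cargo.lock: two major versions of quick-parse in one build.
CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "example-bin"
version = "0.1.0"
dependencies = [
 "quick-parse 2.1.0",
 "tiny-ffi",
]

[[package]]
name = "quick-parse"
version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "quick-parse"
version = "2.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tiny-ffi"
version = "0.3.0"
dependencies = [
 "quick-parse 1.0.5",
]
"""


def npm_lock_versions(text):
    """Map package name -> set of installed versions from a v2/v3 package-lock.json."""
    versions = defaultdict(set)
    for path, meta in json.loads(text).get("packages", {}).items():
        if path == "" or "version" not in meta:  # the root project, or a link: entry
            continue
        # The installed name is the last node_modules/ segment (keeps @scope/name);
        # an explicit "name" key means the package was installed under an alias.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        versions[name].add(meta["version"])
    return versions


CARGO_BLOCK_RE = re.compile(r"^\[\[package\]\]\n(.*?)(?=^\[\[package\]\]|\Z)",
                            re.MULTILINE | re.DOTALL)
CARGO_KV_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"', re.MULTILINE)


def cargo_lock_versions(text):
    """Map crate name -> set of versions from Cargo.lock (one [[package]] per copy)."""
    versions = defaultdict(set)
    for block in CARGO_BLOCK_RE.findall(text):
        kv = dict(CARGO_KV_RE.findall(block))
        if "name" in kv and "version" in kv:
            versions[kv["name"]].add(kv["version"])
    return versions


def duplicates(versions):
    """Only the names that break the one-version-per-dependency rule."""
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def audit_lockfile(text, kind):
    """kind is 'npm' or 'cargo'; returns {name: [versions]} for duplicated names."""
    parser = {"npm": npm_lock_versions, "cargo": cargo_lock_versions}[kind]
    return duplicates(parser(text))


if __name__ == "__main__":
    for kind, text in (("npm", PACKAGE_LOCK), ("cargo", CARGO_LOCK)):
        for name, vs in audit_lockfile(text, kind).items():
            print(f"{kind}: {name} installed at {len(vs)} versions: {', '.join(vs)}")
```

On the samples it reports left-util at 1.9.2 and 2.3.1 for npm and quick-parse at 1.0.5 and 2.1.0 for cargo. Every duplicate is one more copy of the code that has to be patched separately, and one more place where a malicious release can sit unnoticed under a transitive dependency.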
Nah, people upload packages to npm. Some of the attacks actually relied on attackers uploading different code to npm than to the linked git repos.
Windows already normalized this over 20 years ago, by lacking any alternative. Nowadays there’s the Microslop store of course.
The alternative is the classic .exe fiasco that exists on Windows, with manual updating off sketchy sites.
The alternative is Flathub.
Just kill internet access with Flatseal to any apps that don’t need it, done.
Flatpak next is going to have even more fine grained network sandboxing (per-app DNS, VPN portal, apps can’t talk to each other in the same network).
But then we have to deal with permissions?!?! And the bloat! Oh god, the bloat!
price to pay to not have some 1337t dprk haxor in your computer
Every developer targeting Windows learns that having a self-update mechanism in your app is required because A: users don’t update when prompted and B: getting onto the Microsoft Store is a PITA.
Honestly most software shouldn’t require regular updates to begin with.
How else do you handle security vulnerabilities and bugs?
Just make better software to start with. Adding networking and software deployment to everything is a significant attack surface.
Updating software doesn’t require networking or software deployment.
does
Your comment was definitely a broader scope than the rest of the conversation. Most software isn’t self-updating.
I haven’t dealt with package management on Windows through exes because that sounds like a nightmare.
If you look at the Python PEP history, there’s like 10 just for Windows installer bullshit and like every other month there’s some IT guy coming in and screaming about how they want the installer to be a specific way which is usually met with “if you want that you should do that then” since literally no one wants to deal with the installer since it currently functions and 90% of people are just using venv now anyways.