Announcement

Collapse
No announcement yet.

What to trust...??

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    What to trust...??

    Noobie Linux user here, and I'm checking out Kubuntu to see if it's the one for me. But I have a more general question about Linuxes, regarding how you know what apps/programs you can trust to install? I ask as a Windows user who is used to offerings of malware-infected programs left right and centre, and trying to judge which is ok based off things like reviews, website/company reputation etc.

    For Ubuntu, I believe there is an apt-get function that can pull things directly off the Ubuntu servers, and I assume this stuff has been checked for security and is ok to use??

    But what about stuff that is found e.g. by Discover or Muon? Is that all safe to use? For example, I found "Thunderbird Mail" through Muon and installed it, but I have no idea if the copy I found was a safe/original copy from Mozilla, or some malware-infected fake version. What about non-open source programs like Skype - Discover finds a 'Skype', but it has no ratings, and I'm not sure how I know if it's a safe/original version?

    I'm assuming stuff downloaded from websites is the least safe, but I really don't know for sure if any of the others are more secure. Can anyone advise?

    #2
    The apt-get is the same as what Discover and Muon use. It gets stuff from the repositories. It's as safe as it gets.
    I wasn't aware Skype was in the repositories - it does have "ratings" though.

    About stuff that is not in them... use common sense

    Comment


      #3
      Discover, Muon, Synaptic and a host of other similar utility make use of basic command line units such as dpkg, apt, and a few others. The one thing they all have in common is the use of a sources list. The standard sources are authoritative, tested, and contain trusted software. There are some others that can end up in the same sources list, commonly referred to a "PPAs". These can be authoritative, and even traustworthy or useful, but on a case by case basis.

      You can find Linux software on all kinds of other sites, that may or may not be trustworthy. Just be careful, and liten to what others are saying.
      The next brick house on the left
      Intel i7 11th Gen | 16GB | 1TB | KDE Plasma 5.27.11​| Kubuntu 24.04 | 6.8.0-31-generic



      Comment


        #4
        Discover and Muon are getting the software from the same places as apt does, with Discover also including the options of snaps and flatpaks.

        Trust of course is earned. Having the source code easily available helps, as is the way distros provide and deliver software. The software is physically compiled by the distro for the distro, and there are checksums and other methods to make sure that something has not been replaced or modified, and your local system also checks these before installing as well. The major distros all have a long track record of great security over a long period of time now (I do not consider Mint to be a large, 'major' distro, and this one did have an issue some years ago due to poor security practices, since dealt with)

        In Linux, pre-compiled, standalone executables are not as common as they are on Windows, but they do exist, and for the most part are trustworthy as the code and development is done in the open. If it is a closed-source product, the trust is up to the user, same as in Windows.


        Now, for examples related to your post:

        Thunderbird can be downloaded directly from Mozilla as a standalone generic thing, for sure. And I trust Mozilla. But Ubuntu (and the other distros) takes the source code directly from Mozilla, and compiles it specifically to use the system libraries that already exist in Ubuntu, and do so specifically for each supported release (18.04, 19.04, etc). So, you get Tbird from a highly specific source, and one considered safe, no third party download sites.
        This also gives the benefit of getting updates for your installed software from one trusted source, as opposed to many possibly unknown sources. You don't have to go to Mozilla every time Tbird is updated

        Now, with the advent of Snaps and Flatpaks, which in many ways is a combination of an all-in-one executable and an 'app' store (like apt ,Muon, and Discover), it does get blurry, but if you have trust in the community who creates these for a particular project, and the group who manages the infrastructure, you should not have to worry. Snaps and Flatpaks run in a sandbox, outside of your normal system, which adds that extra security layer.


        In Ubuntu, there are also PPAs, or Personal Package Archives, which are mini Ubuntu repos created by users, and you do have to trust that person, but like normal repos, the source code used to build a package is still open and visible.



        So, in essence, Linux has a focus on software security, and a culture of paying attention to it to a higher degree, and not just OS level considerations.

        Comment


          #5
          Thanks for the replies. The source for Skype that Discover brought up was indeed a Snap, so I'm not sure how I would assess its trustworthiness.

          Comment


            #6
            Like was already mentioned, if going outside repos, use your own judgement in assessing the security of the package. Although, having said that, I don't actually run most of my programs from the repos. Only programs that I have that are connected through the repos are the programs that installed through the min install of the OS. I prefer binary archives or appimages (appimages are akin to snap/flats, but have to have a repos for snaps/flats not with appimages). I prefer to have libraries that a program needs to be isolated from the system. That way updates don't break the programs (and I have had that on numerous occasions), especially if these programs are production programs (my animation, embroidery digitizing programs, programs that I make money with). They all have their pros and cons. Just have to go with what fits the best for your needs and exercise good judgement.
            Lenovo Thinkstation: Xeon E5 CPU 32GB ECC Ram KDE Neon

            Comment


              #7
              Originally posted by KubuntuNoob View Post
              Thanks for the replies. The source for Skype that Discover brought up was indeed a Snap, so I'm not sure how I would assess its trustworthiness.
              Snap is run by Ubuntu/Canonical. The snap is created using the official Microsoft binaries. Ubuntu is trustworthy., I'd say, else it would not be so widely used in all areas of the Linux ecosophere.
              While some may dislike Ubuntu for various reasons, their software packaging is till considered trustworthy by most everyone. Or any other major distro, for that matter.

              Again, it is up to you.

              I won't even get in to whether Skype itself is very trustworthy to begin with, making all this talk rather moot
              Or the overall difficulty in getting malicious software installed on desktop Linux.

              Comment


                #8
                Originally posted by claydoh View Post
                Snap is run by Ubuntu/Canonical. The snap is created using the official Microsoft binaries. Ubuntu is trustworthy., I'd say, else it would not be so widely used in all areas of the Linux ecosophere.
                While some may dislike Ubuntu for various reasons, their software packaging is till considered trustworthy by most everyone. Or any other major distro, for that matter.

                Again, it is up to you.

                I won't even get in to whether Skype itself is very trustworthy to begin with, making all this talk rather moot
                Or the overall difficulty in getting malicious software installed on desktop Linux.
                Yeah I'm probably not going to be using Skype going forward - it's more of an example to explore what sources are trustworthy on Ubuntu. Unfortunately, with very little Linux experience, I have no basis for assessing whether a source is dodgy or not.

                Comment


                  #9
                  I've been using Linux full time for more than 20 years. I've never seen a virus. That's a Windows user problem. Oh, and don't let your Windows using friends say it's because Windows is more prevalent the Linux. It's because Windows is insecure by design.

                  Anyway, my point is viruses don't need to be a concern. The only thing you have to worry about is breaking your install by doing something silly or really poorly done outside software. As others said, as long as you stick to main line software - that is software supplied by Canonical (Ubuntu is their main product) - you won't encounter any show-stoppers.

                  As far as judging outside sources - one thing about the Linux world is we talk to each other. If someone puts out bad software it doesn't live very long. Some basic research on forums and reviewing bug reports will be a good start. Also, coming here or other forums and asking will usually get results.

                  Please Read Me

                  Comment


                    #10
                    It's been said already but I'll repeat it the safest way to secure your system from malware is to use Linux and stay with programs in the repositories of the Distro you choose. Also make sure your online passwords are strong. I've been using linux since 1998 and never have been bothered by virus infections. Snaps are self secure and don't present many problems. Use PPA's with care though.
                    And Wine can be a problem just like windows. But it's more likely to infect your windows friends machine than your linux install.
                    here is a good article on Linux security. https://easylinuxtipsproject.blogspo.../security.html
                    Dave Kubuntu 20.04 Registered Linux User #462608

                    Wireless Script: http://ubuntuforums.org/showthread.p...5#post12350385

                    Comment


                      #11
                      Originally posted by KubuntuNoob View Post
                      Yeah I'm probably not going to be using Skype going forward - it's more of an example to explore what sources are trustworthy on Ubuntu. Unfortunately, with very little Linux experience, I have no basis for assessing whether a source is dodgy or not.
                      In the years that I have been using Kubuntu I have not had any problem with security even though I adventure into using ppa's for extra packages that I need, eg. for booting alternative operating systems I use grub customizer. This allows me to have a more picturesque boot menu to choose between say Windows and Kubuntu when I boot my computer.

                      Now regarding the installation of Skype. I have had it on my system for quite a long time without any problems other than getting the video camera to work. You can download it from this site https://answers.microsoft.com/en-us/...4-08b131da1840. As part of the installation, it installs an entry into you package management. The Muon package Software Source that I have is shown below.

                      Click image for larger version

Name:	skype.png
Views:	1
Size:	34.2 KB
ID:	644234

                      Microsoft provide updates on a regular basis. As you can see the package is already built for a Debian system and I consider it safe to use.

                      I certainly hope you enjoy Kubuntu as it lets you alter your desktop to whatever suites your taste as well as giving you a secure environment to work in.

                      Comment

                      Working...
                      X