Pet packages and security.

For discussions about security.
8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

Pet packages and security.

#1 Post by 8-bit »

I just wanted to throw out a question as to how many users check out PET packages before they install them to make sure they do not install software that could put a user's security at risk.
For example, one makes a PET package of a game and includes in it a means to remotely access the computer it is installed on.
The unwanted code could set itself up to even activate at a given time using the scheduler.

I usually do not examine the contents of a Pet package before I install it.
Just imagine if a dd command was included and what the dd command is capable of!

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#2 Post by amigo »

Anything is possible unless you are able to audit/inspect the code. This is why the inclusion/distribution of pre-built binaries is such a bad practice. Of course, most users are not smart enough to audit a piece of software -even a script, for example. One hopes to be able to trust the distributor, but I see that BK often includes binary packages which have been built by others. He should at least insist that submissions be made in the form of a build script which compiles and builds the package. Of course, you/he still has to be able to either trust the source or be capable/willing to inspect it.

I would never (and never have) trusted anyone's binaries from this forum. And I also don't trust any scripts from here without going through them first to see what they really do. The problem is that nearly everything offered here is done in such a shoddy manner that the scripts are basically unreadable. BK sets a bad precedent there, as well, because even his stuff is nearly impossible to decipher.

These days, I don't depend on *anyone* for any binaries -I build everything myself -except for Opera and Flash-player. I do not really trust the flash-player at all -it has always been crap. Opera I do trust, as far as possible. They seem to do a better job than either the Seamonkey or FireFox teams -security alerts on Opera are rare indeed.

To be fair, most of the 'crap' offered here is not maliciously intended -it's just that the authors have no idea what they are doing and so they easily can cause a disaster -at my expense.

I do trust the intentions of most major distros, but I'm always careful about their *implementations* of those intentions. Very few distros have adequate methods for vetting software. For any sort of mission-critical or security-minded system, I would only trust myself or debian. debian is the *only* distro which tests software anywhere near adequately.

pemasu
Posts: 5474
Joined: Wed 08 Jul 2009, 12:26
Location: Finland

#3 Post by pemasu »

I do extract and inspect every package I put into woof. Mostly I have to do this because often non-woof-compliant pinstall.sh scripts break woof building. I also check that the package does not install something which overwrites existing binaries or libs, or overwrite configuration scripts without improved intention.

Backdoors in Puppies. Might be. There are quite a lot of people who search under the hood, and strange behavior is a frequent topic, and the cause many times has been hunted down. I haven't heard in 3 years that any backdoor or malicious content (intentional) has been found.
Of course it can be there.

You can also have car accident tomorrow, but still you go to the work.

My medication is in balance.

About script content. Good to hear that it is not only my poor understanding of scripting that makes me not understand most of the code. It is helpful to hear that the content is incomprehensible to the talented coder also. Thanks.

It could be said that the content Puppy coders use gives also security by obscurity. lol.
Every force has equal counterforce.
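As an added example (it is not from this thread or from the Puppy project), here is a small POSIX shell script that does what pemasu describes in post #3 and addresses the worry in post #1: it splits a .pet back into its tar.gz payload and trailing checksum, verifies the checksum, lists the host paths the package would write and flags those that already exist (the overwrite check), and prints pinstall.sh so it can be read before it is ever allowed to run as root. It assumes the .pet layout stated in the comments (gzipped tar plus a 32-character md5 appended) and builds its own constructed sample package, sample-1.0.pet, with a deliberate /bin/sh entry so the overwrite check has something to report; all function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppy. Assumed .pet layout:
# a gzipped tar whose last 32 bytes are the md5 hex digest of the tar.gz that
# precedes them; it unpacks to <pkgname>/<paths relative to />, with an optional
# <pkgname>/pinstall.sh that is executed as root at install time.

# pet_payload PET OUT: write the tar.gz part (all but the trailing 32 bytes) to OUT
pet_payload() {
    size=$(wc -c < "$1")
    head -c "$((size - 32))" "$1" > "$2"
}

# pet_verify PET: succeed only if the trailing md5 matches the payload
pet_verify() {
    tmp=$(mktemp)
    pet_payload "$1" "$tmp"
    want=$(tail -c 32 "$1")
    got=$(md5sum "$tmp" | cut -c1-32)
    rm -f "$tmp"
    [ "$want" = "$got" ]
}

# pet_files PET: print the absolute host paths the package would create,
# skipping directory entries and the package's own install/metadata scripts
pet_files() {
    tmp=$(mktemp)
    pet_payload "$1" "$tmp"
    tar tzf "$tmp" | while IFS= read -r entry; do
        case "$entry" in */) continue ;; esac          # directory entry
        rel=${entry#*/}                                 # drop leading <pkgname>/
        case "$rel" in ''|pinstall.sh|puninstall.sh|pet.specs) continue ;; esac
        printf '/%s\n' "$rel"
    done
    rm -f "$tmp"
}

# pet_overwrites PET: print every package path that already exists on this host,
# i.e. the binaries, libs or configs an install would silently replace
pet_overwrites() {
    pet_files "$1" | while IFS= read -r path; do
        if [ -e "$path" ]; then printf '%s\n' "$path"; fi
    done
}

# pet_pinstall PET: print pinstall.sh if the package carries one, else fail
pet_pinstall() {
    tmp=$(mktemp)
    pet_payload "$1" "$tmp"
    script=$(tar tzf "$tmp" | grep -E '^[^/]+/pinstall\.sh$' || true)
    if [ -n "$script" ]; then
        tar -xzOf "$tmp" "$script"
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# inspect_pet PET: the report a person would read before clicking "install"
inspect_pet() {
    echo "== $1"
    if pet_verify "$1"; then echo "checksum: ok"; else echo "checksum: MISMATCH"; fi
    echo "-- existing host files the package would overwrite:"
    pet_overwrites "$1"
    echo "-- pinstall.sh (runs as root at install time):"
    pet_pinstall "$1" || echo "(none)"
}

# build_sample_pet DIR: construct a demo package under DIR and print its path.
# Everything in it is constructed for this example; the bin/sh entry is there
# on purpose so the overwrite check has something to flag.
build_sample_pet() {
    pkg="$1/sample-1.0"
    mkdir -p "$pkg/usr/bin" "$pkg/etc" "$pkg/bin"
    printf '#!/bin/sh\necho hello\n' > "$pkg/usr/bin/sample"
    printf 'option=1\n' > "$pkg/etc/sample.conf"
    printf '#!/bin/sh\necho "not the real shell"\n' > "$pkg/bin/sh"
    printf '#!/bin/sh\nln -sf /usr/bin/sample /usr/bin/s\n' > "$pkg/pinstall.sh"
    (cd "$1" && tar czf sample-1.0.tar.gz sample-1.0)
    cp "$1/sample-1.0.tar.gz" "$1/sample-1.0.pet"
    md5sum "$1/sample-1.0.tar.gz" | cut -c1-32 | tr -d '\n' >> "$1/sample-1.0.pet"
    printf '%s\n' "$1/sample-1.0.pet"
}

# Usage: sh inspect_pet.sh some.pet   (with no argument, inspects the demo package)
if [ -n "${1:-}" ]; then
    inspect_pet "$1"
else
    demo=$(mktemp -d)
    inspect_pet "$(build_sample_pet "$demo")"
    rm -rf "$demo"
fi
```

The checksum only proves the file was not corrupted in transit; it says nothing about who built the package, which is amigo's point about trusting binaries. The two checks that matter for pemasu's concern are the overwrite list and reading pinstall.sh, since that script runs with root rights and is where a package could do anything it likes, scheduled or not.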

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#4 Post by jpeps »

pemasu wrote:
You can also have car accident tomorrow, but still you go to the work.

My medication is in balance.
There's also the problem of aging, although I suppose you could try stem cells.

Master_wrong
Posts: 452
Joined: Thu 20 Mar 2008, 01:48

#5 Post by Master_wrong »

@jpep
or cloning... ? :lol:
i mean backing up the important data. in fact i am more worried that my hard disk is fried due to an electrical glitch (it happened to me once) than a crappy pet.
Cluster-Pup v.2-Puppy Beowulf Cluster
[url]http://www.murga-linux.com/puppy/viewtopic.php?p=499199#499199[/url]

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#6 Post by 8-bit »

It is good to hear others' opinions on this subject!
At least we are using an open source OS in Puppy and other versions of Linux. That gives us at least a chance to examine the software we install as well as the base it is installed on.

We are not at the mercy of MS, its closed source OS and lord knows what gets added by its update manager that one does not know about and cannot legally examine.
The MS user license, as an example, prohibits that sort of checking of their software.
At least with Puppy, the source code for most of it is available although not included with the SIOs.
I have read on Barry's site of one being able to request the source code for any puppy version he makes.

So thank you for your views on this and others that have read this thread feel free to join in and make your thoughts known.

Master_wrong
Posts: 452
Joined: Thu 20 Mar 2008, 01:48

#7 Post by Master_wrong »

Linux is generally also easier to back up.
in Puppy we just need to copy the savefile...
Cluster-Pup v.2-Puppy Beowulf Cluster
[url]http://www.murga-linux.com/puppy/viewtopic.php?p=499199#499199[/url]

Bligh
Posts: 480
Joined: Sun 08 Jan 2006, 11:05
Location: California

#8 Post by Bligh »

When Win XP came out, I was desperate to find an alternative. I used Lindows/Linspire until it ended. I still have one install of Linspire and it still runs. I started following Puppy during its early development. I never checked the box {always trust M$}.
Cheers
