@mcc @PeterSommerlad obligatory @lmanul https://goomics.net/62/
Notices by Billy O'Neal (malwareminigun@infosec.exchange)
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Tuesday, 24-Sep-2024 10:20:00 JST Billy O'Neal
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 05:20:35 JST Billy O'Neal @lanodan sorry I don’t know why I said snap, I meant flatpak.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:54:26 JST Billy O'Neal @lanodan If I make a snap package or similar I don't have to manage that, because my app comes with all its dependencies.
Similarly if my app is a bash script or I can statically link everything that matters.
Again, putting that into an rpm or deb does not fix the original argument, since that rpm or deb won't be signed by the distro. Installing malicious code through an rpm or deb is no different than installing malicious code through curl|sh.
If you require it to be signed by the distro, you are back in 'supporting Linux actually means supporting ~10 different platforms since there are ~5 distros that matter and their different versions are different universes'. This is a big part of why there's almost no commercial software on Linux.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:36:41 JST Billy O'Neal @lanodan It isn't 'just deb/rpm', since any given deb/rpm often will not install unless it was produced on a matching distro, because the distros pick particular dependencies.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:29:28 JST Billy O'Neal @lanodan so to ship my software I now need a paid contract with every distro every one of my customers use? That’s great.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:18:32 JST Billy O'Neal @drewdevault @werdahias I did. I don’t see how it changed this equation. Saying “Don’t worry about how long it takes distros to ship you” does not solve the problem. I can’t tell customers “sorry, I fixed that bug last year, but your system runs Ubuntu 20.04 or RHEL8 and we haven’t waited around long enough for the unpaid volunteers that maintain those to ship our update, so there’s just nothing I can do for you”.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:17:44 JST Billy O'Neal @werdahias @drewdevault Great, that means 2 groups of people have to be convinced to ship anything before one can ship anything.
The amount of folks I deal with who want to ship to Windows, Linux and Mac but drop Linux when they realize it’s actually like supporting at least 5 different platforms (RHEL, Fedora, Debian, Ubuntu, Arch, Alpine, …) is depressing.
Reinventing another package manager just makes N+1 package managers one has to support. This is why we explicitly refuse requests to make vcpkg into an application deployment system, as we don’t want to make the fragmentation of that universe even worse.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:16:53 JST Billy O'Neal @drewdevault @marcan if the server is exploited whether you put the exploiting script in a file first means nothing. This is running code. The user needs to trust where they get that code.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:16:52 JST Billy O'Neal @drewdevault @marcan 1. Ok but who really checks the sig in these scenarios? (Do 99% of users even know how?)
2. If I owned the distributor I probably can get something signed too?
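The two posts above (04:16:50 and 04:16:52) argue that "download it to a file first" changes nothing if the server is compromised, and that few users ever check a signature. The script below is an added example, not code from the thread or from any project mentioned in it, showing what the file-first step actually buys when it is paired with a digest pinned out of band: a tampered installer is refused, while the `curl | sh` equivalent runs whatever it is fed. The "vendor" installer and its tampered copy are constructed locally so the example runs offline; the pinned value stands in for a hash you would copy from release notes or documentation rather than from the same server that serves the script.

```shell
#!/bin/sh
# Added example (not from the thread): pinned-hash "download, verify, then run"
# versus piping straight into sh. All inputs are constructed in a temp dir.

set -u

# Digest helper: sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE with sh only if its digest matches the pinned value.
# Returns 0 on success, 1 on mismatch (FILE is NOT executed),
# 2 if FILE itself exits non-zero.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    sh "$file" || return 2
    return 0
}

# pipe_run FILE
# The curl|sh pattern: stream the content into sh with no check at all.
pipe_run() {
    cat "$1" | sh
}

# Constructed demo inputs: a "vendor" installer and a tampered copy, as a
# compromised server or an on-path attacker would serve it.
WORK=$(mktemp -d)
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

GOOD="$WORK/install.sh"
BAD="$WORK/install-tampered.sh"
printf '#!/bin/sh\necho "installing vendor tool"\n' > "$GOOD"
printf '#!/bin/sh\necho "installing vendor tool"\necho "and also a backdoor"\n' > "$BAD"

# Assumption: PINNED was obtained out of band (docs, release notes, a second
# channel), not fetched from the same host as the script.
PINNED=$(sha256_of "$GOOD")

# Named entry points so the outcomes can be checked, not just printed.
demo_good() { verify_and_run "$GOOD" "$PINNED"; }   # runs, returns 0
demo_bad()  { verify_and_run "$BAD" "$PINNED"; }    # refused, returns 1
```

The check only moves the trust question, it does not remove it: if the pinned hash (or the signing key, in the signature variant the thread discusses) is served from the same compromised host, the attacker updates both and the comparison passes. That is the substance of point 2 above; verification is worth doing, but only against a value obtained from somewhere the attacker does not control.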
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:16:50 JST Billy O'Neal @drewdevault great, so to ship software you want the distributor to go through approval processes at all N distros.
Oh wait there isn’t such a package manager that does that on macos.
Wait, wasn’t this discussion about curl | sh?
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:16:48 JST Billy O'Neal @drewdevault homebrew’s installer does curl | sh. 🤷
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:16:46 JST Billy O'Neal @drewdevault I don’t see how this is specific to macOS. The only solution presented is “all software must come from the distro” which is a terrible answer.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 02-Nov-2023 04:16:44 JST Billy O'Neal @drewdevault all bow to our RedHat and Canonical overlords. No thanks.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Friday, 08-Sep-2023 22:08:07 JST Billy O'Neal @inthehands I doubt it. It's a contract between his private company and the military, that behavior isn't setting US policy
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 24-Aug-2023 15:49:58 JST Billy O'Neal @aral I'm referring to Google the search engine, not Google the company, in my post.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 24-Aug-2023 15:25:05 JST Billy O'Neal @aral I don't agree.
1. There are lots of things where there is benefit in aggregate usage statistics etc. where there's no reason a user would go looking to turn it on because it doesn't affect immediate product function, but which will make the product better over time when designers can see how and what gets used.
2. In the 'advertising' cases which are what tend to make people angry, the opt out is functionally the price of the product. Which makes the statement "if you're making something that wouldn't exist if nobody was willing to pay for it, maybe the thing you're making shouldn't exist". By which logic we would have none of the modern commercial internet. The world is better for things like Google existing than not.
Billy O'Neal (malwareminigun@infosec.exchange)'s status on Thursday, 29-Jun-2023 13:38:38 JST Billy O'Neal @patrickcmiller SolarWinds? Seems misguided. Equifax? Now we talkin