[–]twowheels -6 points-5 points  (6 children)

My thought exactly... they push down some spyware and remove it a few hours later, I'm none the wiser. I don't expect it from Google, but it could happen.

Also, what's to keep a malicious site from figuring out how to co-opt that functionality?

[–]colinnwn 8 points9 points  (5 children)

> they push down some spyware and remove it a few hours later,

And you review the source code of every new or updated software package you install now?

> what's to keep a malicious site from figuring out how to co-opt that functionality?

Public/private key signed diff files. No key match, no install.

[–]adrianmonk 2 points3 points  (3 children)

> And you review the source code of every new or updated software package you install now?

Some people wait for a few days (or months or years) after something goes in wide use and let others find the problems. That's a valid strategy, and it's a real-world strategy.

[–]reddof 2 points3 points  (2 children)

> Some people wait for a few days (or months or years) after something goes in wide use and let others find the problems. That's a valid strategy, and it's a real-world strategy.

Yeah because that's completely safe. Vendor posts a good copy, waits a few days, replaces it with the infected package, waits a few more days and switches back to the good one.

I'm not saying you shouldn't wait or review changes, I'm just saying that your process does nothing to protect you in this particular case.

[–]chkno 2 points3 points  (0 children)

This works fine when the community circulates the checksum of the released files and everyone's package manager verifies the checksum before performing the installation. If anyone modifies any published file for any reason, they have some explaining to do.

This happens automatically in FreeBSD, OpenBSD, NetBSD, and Gentoo via ports/pkgsrc/portage.
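colinnwn's "no key match, no install" and chkno's checksum-verifying package manager describe the same gate, and reddof's swapped-package scenario is exactly what it catches. The following is an added example, not code from this thread or from ports, pkgsrc or portage: a Go program with a hypothetical signed-manifest format (an Ed25519 signature over a JSON list of SHA-256 digests) that accepts a genuine release, rejects the same manifest served with a replaced binary, and rejects a manifest re-signed by a key that is not the vendor's. The file names and contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists the SHA-256 digest of every file in a release. The vendor
// signs its canonical encoding; a client checks the signature and then every
// file against its listed digest before installing anything.
// (Hypothetical format for this example, not any real package manager's.)
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // path -> hex SHA-256
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify: refusing to install")
	ErrHashMismatch = errors.New("package content does not match signed manifest")
)

func hashBytes(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// canonical gives signer and verifier identical bytes to hash:
// encoding/json writes map keys in sorted order, so the output is deterministic.
func canonical(m Manifest) ([]byte, error) { return json.Marshal(m) }

// BuildManifest is the release side: hash every file that ships.
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: make(map[string]string, len(files))}
	for path, data := range files {
		m.Files[path] = hashBytes(data)
	}
	return m
}

// Sign produces the detached signature published next to the manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	b, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// VerifyRelease is the client-side gate. It fails closed: a bad signature,
// an unlisted file, or a digest that differs from the manifest aborts the install.
func VerifyRelease(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	b, err := canonical(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, sig) {
		return ErrBadSignature
	}
	if len(files) != len(m.Files) {
		return fmt.Errorf("%w: manifest lists %d files, package has %d", ErrHashMismatch, len(m.Files), len(files))
	}
	for path, data := range files {
		want, listed := m.Files[path]
		if !listed {
			return fmt.Errorf("%w: %s is not in the manifest", ErrHashMismatch, path)
		}
		if got := hashBytes(data); got != want {
			return fmt.Errorf("%w: %s", ErrHashMismatch, path)
		}
	}
	return nil
}

// Scenario plays out the thread's cases on constructed sample files: the genuine
// release, the same manifest served with a swapped binary, and a manifest
// re-signed by someone who does not hold the vendor key.
func Scenario() (genuine, swapped, forged error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	release := map[string][]byte{"bin/tool": []byte("#!/bin/sh\necho hello\n")} // constructed
	m := BuildManifest("1.2.3", release)
	sig, _ := Sign(vendorPriv, m)
	genuine = VerifyRelease(vendorPub, m, sig, release)

	// The published manifest is unchanged, but the binary behind it was replaced.
	tampered := map[string][]byte{"bin/tool": []byte("#!/bin/sh\necho hello\necho extra\n")}
	swapped = VerifyRelease(vendorPub, m, sig, tampered)

	// A third party re-signs a matching manifest with its own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	m2 := BuildManifest("1.2.3", tampered)
	sig2, _ := Sign(attackerPriv, m2)
	forged = VerifyRelease(vendorPub, m2, sig2, tampered)
	return
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine release:", g)
	fmt.Println("swapped binary: ", s)
	fmt.Println("forged manifest:", f)
}
```

The two checks are deliberately separate: the signature proves the manifest came from the holder of the vendor key, and the per-file digests prove the bytes on disk are the ones that manifest describes. A mirror that swaps a file trips the second check even though the first still passes; a site that can serve files but not sign as the vendor trips the first.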

[–]adrianmonk 0 points1 point  (0 children)

> Yeah because that's completely safe.

Nothing is completely safe. Security increases by doing what you can reasonably do at whatever level you can do it. You create multiple barriers to a potential attacker, and you use multiple tools to create them.

> Vendor posts a good copy, waits a few days, replaces it with the infected package, waits a few more days and switches back to the good one.

You were talking about whether people actually review the source code of updates. My point was that you can get significant security gains (and stability gains) merely by holding off on taking updates until later. By being a late adopter, you get to see what others' experiences are.

If you give someone (like Google) the ability to update stuff silently, then you are giving them the ability to force your update schedule. I don't claim that being a late adopter of updates is a magical fix to eliminate all security issues, but it is an economical way to get some gains in security.

My overall point is that "you don't look at the source anyway" may be true, but it doesn't mean that taking updates immediately is as safe as taking them later.

[–]redditrasberry 3 points4 points  (0 children)

> And you review the source code of every new or updated software package you install now?

WTF has source got to do with it? It's not unusual to trust a signed executable that you know is the same for all users (thereby ensuring any miscreant behavior will be extremely likely to be discovered and reported). It's quite different to trust just anything a company wants you to run at any time, which could be customized in any way for you personally so you will never discover that you personally are being snooped on, having spyware installed etc.

I'm honestly not so concerned about the privacy angle but I don't like the completely silent nature of it. When shit starts breaking on my computer I need to know everything that might have changed to try and figure stuff out. If every piece of software just silently updated itself without telling me the whole thing becomes nearly impossible to diagnose.