Hello.

Maybe we can not get 100% certainty, but even so, how could the average user afford to have reasonable trust in a certain Gnu/Linux distro?

By ‘average user’ I mean someone who can only do a base install and is not an IT professional and therefore cannot inspect the source code by themselves, nor use/understand specialized tools for analyzing the software in detail; a ‘newbie’, in other words.

Simply saying something like “Hey, look, the code is freely available there on the web!” does not really help, because one cannot easily find out if that code is exactly the same as the one that is in the compiled file.

Making a parallel with the food industry: If you know that after an audit company X was found out of mismatching the ingredients in the actual product with those on the product’s label, how much would you be inclined to still buy and eat their product, assuming decent alternatives exist?

Hopefully this topic will help more people make an informed decision when choosing their operating system. What answers would not help are those:

-dealing solely with the nature of closed/proprietary code vs free/open source code (that area is already clear – we are interested in how much can we trust a free open source project)

-stating only that ultimately there is impossible to have trust in any software (such an answer does not help one make an informed decision)

-off-topic or derogatory statements (such an answer, besides being offensive, does not help one make an informed decision)

Please, keep the topic on the linux distros, on the operating system; do not divert it on how Google and Facebook are the greater concerns etc.

Let’s try to put this query into a few more concrete questions:

1. Considering Ubuntu’s susceptibility of spyware (Amazon searches in Unity) in the recent past, how can one have faith that current Ubuntu is to be trusted on other, more hidden to an average user, levels of software?

2. How would distributions based on Ubuntu be affected by such practices? Could they correct the bad parts?

3. Is it relevant in this context of trust how much patching a distro does to the upstream sources?

4. Based on what concrete factors would you trust a distro with your personal data on a daily basis? Why would you trust one distro over another?

Someone who falls in that category does not have the problem that you describe in much detail. Though your thoughts are valid and pertinent sometimes and in some contexts, these moments do not coincide with the presence of your “average user” in the same room.

On the other hand. An average user who seeks to advance somewhere, will open her/his eyes and her/his ears wide enough to gain the sovereignty needed to put precise questions.

For the general palaver, try a web-search in Usenet-discussions since the 1990s. It is all there. Though mostly unrelated to Linux Distributions, the outcome of all those brainstorms are significant in any security-related context.

What's nebulous? Am I nebulous?

1 members found this post helpful.

Surely part of the problem with Ubuntu is that it is marketed by a company and that makes it Windows-like in some respects. Yes, it's free software, but Canonical (like Microsoft) are ultimately in the business of making money, and this might create a conflict of interest with the users. They can't legally use some of the tricks that MS uses to swindle their users but there is always the temptation to use others. Of course that could apply to Red Hat too, and I'd be interested to know what Fedora users think about this.

For myself, I prefer distros like Debian that are run by community organisations, but that might just be a reflection of my socialist upbringing.

1 members found this post helpful.

Unless, of course, you compile that code and use the resulting program.
Wouldn't bother me, since company X would have violated so many laws they'd either be shut down, go out of business due to bad press, or change their production methods to such high standards because of that scrutiny, they'd be more trustworthy in the end.
Telling a group of volunteers what kind of answers you're willing to accept isn't good, especially considering:
...these sound VERY much like a set of homework questions. And also considering you asked such a question TWO YEARS ago:
https://www.linuxquestions.org/quest...ty-4175544821/

Short answer: if you're concerned about Ubuntu, then don't use it or its derivatives.
Longer answers:

1. Audit the code.
2. Either they have or not...there are many Ubuntu based distros. What they *COULD* do is different than what they may have done.
3. Too nebulous to answer, and also impossible. "Patching" meaning what in this context? Updating a program, or a real patch to the kernel/crypto?
4. Because security is a process not a destination. Use good practices and be aware, and you mitigate the risk. Don't, and anything you do with any OS you can name is bad.

I can't vet the source code, but there are plenty of people who can and a lot of them work on distros as developers! At least some-one can see what's in it, unlike with Windows.

If you want to be ultra-careful, use distros that make a point of using vanilla code, like Slackware, Arch, Gentoo, and their derivatives like Salix and Manjaro. But policy that might rule out enterprise distros like Red Hat / CentOS, where bug-fixes have to be backported to avoid using newer, less tested versions of programs.

Hello again and thank you for taking the topic seriously.

What if that "average user" is one of our even less tech savvy relatives to whom we want to show the wonderland of the FLOSS world and confidently install distro X to, only to find out later that Amazon and their parteners know about their health concerns? Would that be a very unlikely scenario? Should we simply ignore such a possibility?

Marx -- a genius centuries above his time. Humanity is simply not ready for that. We see it all around us. Maybe in a Star Trek kind of world... Ah, but I won't digress...

I tried Debian, but I didn't have quite the satisfactory experience. There were still bugs in the Xfce version and they are not very friendly to newcomers either. These two facts alone influence trust, don't you think?

And assuming we trust the compiler, of course

I often tell myself: "If only the world were at least 50/50. 50% made of bad guys and 50% made of good guys... Still a miniature paradise that'd be!... If only Justice could escape more often its bureaucratic confines... If only..."

Have I offended anyone? I want more people to be aware of their choices and options.

That old topic was not quite the same as this one. A distro may have good security features and still spy on its users. The two possibilities are quite compatible.

Let me put it in different words: You may hire a guard for your house but that guard may still record your behaviour and sell it to interested parties for some extra cash. You may have nothing to hide, of course, but even so, is it fair? Should others simply ignore similar happenings?

I meant distros that modify upstream projects (like for ex. Firefox) that are already fine the way they are. I've read some opinions saying that this act consumes resources uselessly and may create more problems than it solves in the end.
.....

Be well.

I'm just going to try and focus on this question here. An average user (non computer person) would trust almost any Operating System that is other than windows. The reason being, is because linux/Unix machines are less prone to virus's than a Windows OS. Granted that there are vulnerabilities out there, and virus's out there for linux/unix OS, it is way less common. If you personally want a secure distro, than I would suggest using some of the security minded distros that are out on the web.

To add to the conversation, if you are really against Ubuntu with their amazon integration, than why not go to one of its derivatives, or better yet use Debian.

edit: Secure distro's do not spy on the user, they are made for security in mind, and to protect the user from any threat that is out there, Qubes is a good example of this.

one word: community - communication.
oh, that was two words.

if that was the case, word would get out pretty quick.
as it does.
no, nothing is 100%, but this is as near as it gets.
before installing software, look what the community has to say about it.
if it was phoning home, word would get out.
as it usually does.

now, getting a good signal-to-noise ratio on the internet, that's a different thing.
might take a little practice.

This shows a good deal of confusion between SYSTEM security and INTERNET security. The two are vastly different.
No, they don't. If you're waiting for a magical distro that has ZERO bugs, then my best suggestion for you would be to get an abacus. Because ANY software ANYWHERE has bugs, period. And if the forum isn't 'friendly to newcomers'...what exactly does that have to do with stability and security of the software????
And assuming you can't view the source of the compiler...which you can. Again, you seem to be a bit confused about things. Read up on the LFS project.
If you want something perfect, then I'd suggest you go and create it yourself.
We ARE aware of them, and if you don't think that telling a group of volunteers what kinds of answers you will/won't accept isn't fairly rude, I'm not sure what you WOULD consider rude.
Nope, but let me put it more simply for you. If the system itself is secure, then I should be able to turn off anything in it that I desire, including whatever 'spying' you seem to think is rampant. In the 'guard' scenario you describe, if I can't be bothered to read up on what that guard is going to do/can't make them stop, then whatever happens is MY FAULT. Basics of web browsing security are VERY available and pretty easy to follow for most, and will keep most safe (enough). I can install the best locks/doors/windows/alarms, and guess what? My house can STILL get broken into. You only ever mitigate risks, but you can't eliminate them.
So use another browser; use Chrome or any of the other FOSS browsers. Load Windows in a virtualbox and use any of THEIR browsers and blow away the machine on each reboot. Run tails off USB stick. Many choices.

Again, you are confusing system security with browser/internet security. And no matter what you're talking about, security IS A PROCESS. You don't say "I'm loading Debian 8.43.23.4432 with this SPECIFIC kernel and these SPECIFIC settings and I will now be 100% SECURE FOREVER!". It doesn't work that way. Threats evolve...either you change with them or get caught by them. A 'secure' browser from ten years ago is swiss cheese now. The most current crypto/browser NOW will be that way in 2027.

2 members found this post helpful.

- Should we simply ignore such a possibility?
Of course. None of my relatives cares, and I do not want to show nothing, especially not any kind of wonderland (hey, I am no US-American!)... don't know what distro X is. Are we in a comic strip ? I would not do anything of what you suppose I should do sometimes. Ignore the possibility... Yes, in deed.

- How can one trust a Linux distribution
Formulate precise questions to someone who knows stuff and draw your conclusions.

Ω

2 members found this post helpful.

So why are you using Linux? Like the others said, the only way to be sure about software is build it yourself. I know its hard.... but if you aren't willing to do that, than you are at the mercy of those who will.

BTW... There are a lot of opensource developers on this forum...How can you be >>100%<< sure about what they say

This is exactly why it is secure. When something is proprietary and closed no one outside of the company can see the source. They pay their people, the people will do what they tell them. When the code is open you have so many more eyes on it, more eyes that aren't connected or being paid off to say it's ok. Just because I can't read the code myself doesn't mean that one person is paying every single person who can read code to keep quiet.

Another reason is that once a security vulnerability is found in linux it is usually patched or fixed or otherwise within a few days. Microsoft as an example only releases major patches on certain days of the month if I recall, they don't patch immediately upon finding something. That alone tells me which I should trust.

But are they completely unrelated? Is it the user’s fault to be connected to the Internet if their operating system transmits their local searches to Amazon or similar interests? What else they may be transmitting?...

We should not care, some say. Yes, let’s not care what we eat, what treatments the doctors prescribe us, nor how much the companies which we support and encourage by using their products pollute the environment etc. etc.

“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” (Benjamin Franklin)

I thank only those who took the topic seriously and tried to address the concept of trust as it was requested by the initial post, without resorting to arrogance and truisms.

This topic may be closed now. Farewell.

Hi,
Most Gnu/Linux will have a hash code signature that can be used to verify the download is correct and not modified. A new user is not always aware that a hash code can be used to verify a valid copy has been acquired.
Most new users should learn to read! Most Gnu/Linux will provide README files that have valuable information that can inform the user of any necessary actions. Most modern Gnu/Linux will also have a web site that supports the distribution. Valuable information for those that wish to investigate in order to get a working copy. Again learn to investigate & read information to allow you to get a good working install.

Gnu/Linux is not Windows; Learn to think for yourself!
Hope this helps.
Have fun & enjoy!

1 members found this post helpful.

Yes
Again...their OPERATING SYSTEM is not transmitting anything...it's their web browser, internet settings, cookies, whatever else that website uses. You aren't understanding the difference between the two
Sorry, but there was very little to take seriously in this. You asked a nebulous question, and seem to take things to the Nth degree ("What if we can't trust the COMPILER?", etc.), and don't understand the difference between the operating system and browser, nor seem to get the basics of security. You started this whole thread by TELLING a group of volunteers what kinds of answers you were willing to take, then follow it up with the passive-aggressive "I thank those...", line about 'arrogance and truisms'. Right after you post a Ben Franklin quote.

And if you don't realize that security is a process, and want to go on about how it is an 'arrogant truism', there is again nothing else we can tell you.

2 members found this post helpful.