[sf-lug] Additional information: attention John S. and anyone interested in Slackware 15.0, RPi

Rick Moen rick at linuxmafia.com
Mon Feb 14 13:31:38 PST 2022


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

[Mandriva LX:]

> Living thru the Cold War and following the news.  The Russians
> who package it may be completely honest but how closely can they inspect
> all the code coming in.  The Russians have attacked via hacking but with
> a package in the very large distribution they could collect as much
> information as they pleased, use our private machines in Denial of
> Service Attacks and use them to propagate malware.  Is this paranoia
> or excessive caution? 

No, it's a reasoned concern.  I was just curious, and what you say is
what I suspected after reading about the project's history.

It is always well worth bearing in the back of one's mind that you are
always going to be putting a certain amount of trust in one's software
gatekeepers.  In the case of proprietary software, that's the software
OEMs (publishers) and their software supply chains.  In the case of open
source within[1] Linux distros, that's the distro packagers and to a
degree the upstream maintainers.  And so, it's always worth considering
how competent and reliable (and beneficent) the gatekeepers are.

The concern you raise is one reason why I have a strong bias in favour
of distros with a well-developed, enforced packaging policy and a
relatively sane approach to quality control and auditing, e.g., Debian
and its independent satellite project Devuan.

> I personally don't know but do you want to try it out, Rick?

No, I don't have a lot of interest in RPM-based distros unless someone
is paying me to have an interest, and even less interest in bloated
desktop distros based on KDE Plasma.  (Chacun à son goût, or, as the
English say, 'Horses for courses.')

Creeping weirdness in the open source world coming out of Russia is not
new.  Check out the history of Audacity, for example, most recently
involving so-called "telemetry data".  The evil mischief got so much
attention as to inspire multiple forks.
https://www.ghacks.net/2021/07/04/the-best-free-audacity-alternatives/

On that same theme, here's a thing to check with _whatever_ distro one
is using.  

1.  Is there a Firefox package?
2.  If so, does the distro package disable, by default, Firefox's recent 
    privacy-violating, and bandwidth-sucking collection of
    "telemetry" in recent Firefox versions?

Here's a verbose page that covers that and many adjacent topics:
https://privacysavvy.com/security/safe-browsing/firefox-privacy-security-ultimate-guide/

Anyway, ask yourself this:  If the answer to question #2 is "no", then
why isn't the distro packager taking that step for the users' benefit?
Whom is he/she working for?  (That is a deliberately provocative
question.  I am not _seriously_ suggesting that packagers are corporate
shills if they don't take obvious steps to preserve user privacy, but
it's enough to make you worry about package quality.)

I should stress that, as the above-cited page points out, Firefox
is head-and-shoulders above its most-commonly-cited competition such as
the proprietary Google Chrome Web browser and its open-source Chromium
base.  (OTOH, I note with approval the curated variant called "Ungoogled
Chromium" that strips the corporate junk out.)

Less-verbose HOWTO page about Firefox telemetry:
https://www.howtogeek.com/557929/how-to-see-and-disable-the-telemetry-data-firefox-collects-about-you/

Anyway, ask yourself, if your distro's Firefox package doesn't default
the browser to telemetry-collection off, why not?  Go ask the distro.
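As an added example (not part of Rick's post, nor any distro's own tooling), here is a small POSIX shell check for question #2 above: it inspects the two places a packager can switch telemetry off by default, an enterprise policies.json carrying "DisableTelemetry": true and a packaged default-prefs file setting toolkit.telemetry.enabled and datareporting.healthreport.uploadEnabled to false. The sample package layouts it builds are constructed for the demo; real file paths differ between distros and are an assumption you must supply.

```shell
#!/bin/sh
# Does a packaged Firefox ship with telemetry upload turned off by default?
# A distro packager can do that in two places:
#   1. an enterprise policy file, distribution/policies.json  ("DisableTelemetry": true)
#   2. a packaged default-prefs file (*.js) with pref()/lockPref()/defaultPref() lines
# Real locations vary per distro; pass the actual files to telemetry_disabled.

# True when the prefs file $2 sets preference $1 to false.
pref_is_false() {
    grep -Eq "^[[:space:]]*(pref|lockPref|defaultPref)\([[:space:]]*\"$1\"[[:space:]]*,[[:space:]]*false[[:space:]]*\)" "$2" 2>/dev/null
}

# telemetry_disabled <policies.json> <prefs.js> -> exit 0 if off by default, 1 otherwise
telemetry_disabled() {
    # Policy route: one key switches the whole subsystem off.
    if grep -Eq '"DisableTelemetry"[[:space:]]*:[[:space:]]*true' "$1" 2>/dev/null; then
        return 0
    fi
    # Prefs route: both the Telemetry collector and the health-report upload must be off.
    pref_is_false "toolkit.telemetry.enabled" "$2" \
        && pref_is_false "datareporting.healthreport.uploadEnabled" "$2"
}

# Constructed sample layouts (not from any real distro) so the check can run offline.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/prefs" "$d/policy" "$d/bad"
    printf 'pref("toolkit.telemetry.enabled", false);\n' > "$d/prefs/prefs.js"
    printf 'lockPref("datareporting.healthreport.uploadEnabled", false);\n' >> "$d/prefs/prefs.js"
    printf '{ "policies": { "DisableTelemetry": true } }\n' > "$d/policy/policies.json"
    printf '{ "policies": { "DisableAppUpdate": true } }\n' > "$d/bad/policies.json"
    printf 'pref("toolkit.telemetry.enabled", true);\n' > "$d/bad/prefs.js"
    echo "$d"
}

# Print a verdict for one sample layout directory.
report() {
    if telemetry_disabled "$1/policies.json" "$1/prefs.js"; then
        echo "$1: telemetry off by default"
    else
        echo "$1: telemetry NOT off by default"
    fi
}

samples=$(make_samples)
for layout in prefs policy bad; do report "$samples/$layout"; done
rm -rf "$samples"
```

On a real system, call telemetry_disabled with your package's policies.json and its shipped default-prefs file; a "NOT off" result is exactly the question to take back to the distro packager.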
