careful with PPA

30 replies [Last post]
Andresm

Joined: 11/21/2010

Hello all,
Just read this. I know that either you don't use PPAs (I recommend this option) or, as Trisquel users normally do, you check that your sources are free software, but you might also want to check that they are not malware.

http://www.techrepublic.com/blog/linux-and-open-source/hand-of-thief-malware-could-be-dangerous-if-you-install-it/?ftag=TRE475558a&s_cid=e011&tag=nl.e011&ttag=e011

ssdclickofdeath
Joined: 05/18/2013

"Distributions like Ubuntu actually do review all packages that are submitted. So, if someone attempts to submit a package with the Hand of Thief trojan, ready to wreak havoc on unsuspecting users' machines, they'll catch it and the submitting user will be reported."

Where do the packages come from that make up the Trisquel repository?

G4JC
Joined: 03/11/2012

"Where do the packages come from that make up the Trisquel repository?"

Mostly directly from Ubuntu; a few come directly from Debian.org. Both should be fine. (You can find them on the wiki under "Package Helpers".) You'd mostly just have to be careful with personal Launchpad PPAs.

You can also install more security software to avoid this problem, but it then becomes difficult to simply use your computer.

Tripwire
AppArmor
SELinux (everyone trusts who makes it....) :P
etc.
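One practical way to act on the advice above, as an added example that is not from this thread or from the Trisquel project: a POSIX shell script that reads sources.list-style lines and flags every archive host that is not one of the distribution's own, with Launchpad PPAs called out separately. The TRUSTED_HOSTS list, the flag names and the sample sources lines are constructed for this example; edit TRUSTED_HOSTS to match the mirrors your installation actually uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from Trisquel: flag APT
# sources that do not point at the distribution's own archives.
#
# Hypothetical list of archive hosts treated as "ours"; edit it to match
# the mirrors your sources.list actually uses.
TRUSTED_HOSTS='archive.trisquel.info|security.ubuntu.com|deb.debian.org'

# audit_sources: read sources.list-style lines on stdin and print one
# line per deb/deb-src entry as "<flag> <host>", where flag is
#   ok           host is listed in TRUSTED_HOSTS
#   PPA          host is under launchpad.net (a personal package archive)
#   THIRD-PARTY  any other host
# Comments are stripped first. A single [option] field such as
# [arch=amd64] is skipped; option fields containing spaces are not handled.
audit_sources() {
    sed -e 's/#.*//' | awk -v trusted="$TRUSTED_HOSTS" '
        $1 == "deb" || $1 == "deb-src" {
            uri = $2
            if (uri ~ /^\[/) uri = $3        # skip [arch=...] style options
            host = uri
            sub(/^[a-z]+:\/\//, "", host)    # drop scheme (http://, https://)
            sub(/\/.*/, "", host)            # drop the path after the host
            flag = "THIRD-PARTY"
            n = split(trusted, t, "|")
            for (i = 1; i <= n; i++) if (host == t[i]) flag = "ok"
            if (host ~ /launchpad\.net$/) flag = "PPA"
            print flag, host
        }'
}

# Constructed sample input for this example (not a real sources.list).
SAMPLE='deb http://archive.trisquel.info/trisquel belenos main
deb http://ppa.launchpad.net/someone/some-ppa/ubuntu trusty main
# deb http://example.com/commented-out stable main
deb [arch=amd64] http://example.org/repo stable main
deb-src http://deb.debian.org/debian stable main'

# On a real system run instead:
#   cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources
printf '%s\n' "$SAMPLE" | audit_sources
```

An "ok" flag only means the host is one you chose to list; it says nothing about what a package contains. For anything flagged PPA or THIRD-PARTY, remember that a package's maintainer scripts run as root at install time, so the archive owner is effectively being given root on your machine.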

ssdclickofdeath
Joined: 05/18/2013

Does Trisquel compile the source code, or mirror the binaries?

lembas
Joined: 05/13/2010
GNUser
Joined: 07/17/2013

Honestly, one shouldn't trust anything that comes from Canonical anymore. I don't think they would allow HoT on their system, but they have done other things that I think are a signal of their secret agendas.
HoT apparently affects the most secure distros out there (Fedora and Debian for example) so it really comes down to " be prepared" rather than "trust your OS".

A LiveCD is a good countermeasure but it is not very practical for long time use.
Trisquel would be more trustworthy if it started to work on top of Debian Stable instead of Ubuntu. Not against HoT (it's actually better this way, because more people look at the code) but against the other things that made many people reject Ubuntu (amazon spyware, anyone?).

ssdclickofdeath
Joined: 05/18/2013

The good part about it is that Hand of Thief needs to be given root permissions, so the user must be tricked, instead of gaining root from a security flaw.

jxself
Joined: 09/13/2010

Okay, let's stop the hysteria. There is absolutely no reason to distrust Trisquel merely because it's based on Ubuntu. None whatsoever.

http://jxself.org/stop-the-hysteria.shtml

ssdclickofdeath
Joined: 05/18/2013

Are you talking about me?

onpon4
Joined: 05/30/2012

No, that was a reply to GNUser.

GNUser
Joined: 07/17/2013

Excuse me, where do you read any hysteria in my comment?? -.^

Also, your webpage was not very clear, please answer me a question: which is worse in your opinion, the fact that Ubuntu gives you the option of using non free software to use your computer, or the fact that they used free software to deliberately spy on their users profiting out of it?
Thanks for the clarification.

jxself
Joined: 09/13/2010

> Excuse me, where do you read any hysteria in my comment?? -.^

Perhaps you should re-read your message: "Trisquel would be more trustworthy if it started to work on top of Debian Stable instead of Ubuntu."

Hysteria includes "delusions of threats." That you perceive a problem with Trisquel merely because it is based on Ubuntu -- and for no other reason -- is where it starts.

That Ubuntu includes proprietary software -- and induces people to install even more -- is bad. So is spying on their users. Both are bad. The solution is to not use Ubuntu. They need to be admonished but that doesn't automatically extend to derivatives that don't have these problems.

MagicFab
Joined: 12/13/2010

On 2013-08-26 12:10, name at domain wrote:
>> Excuse me, where do you read any hysteria in my comment?? -.^
>
> Perhaps you should re-read your message: "Trisquel would be more
> trustworthy if it started to work on top of Debian Stable instead
> of Ubuntu."
>
> Hysteria includes "delusions of threats." That you perceive a
> problem with Trisquel merely because it is based on Ubuntu -- and
> for no other reason -- is where it starts.
>
> That Ubuntu includes proprietary software -- and induces people to
> install even more -- is bad. So is spying on their users. Both are
> bad. The solution is to not use Ubuntu. They need to be admonished
> but that doesn't automatically extend to derivatives that don't
> have these problems.

Unfortunately Trisquel is bound to include whatever privacy/security
problems may have been introduced in Ubuntu. Some of this is very
obvious, some is not.

The recent problem with Google DNS servers being included as default
fallback is one.

As long as Trisquel is based on Ubuntu, there will be an additional
effort required for this, an effort that would not be required if it
was based on Debian.

No hysteria here, just logic.

F.

--
Fabián Rodríguez
http://trisquel.magicfab.ca

GNUser
Joined: 07/17/2013

Agreed =)

Magic Banana

Joined: 07/24/2010

The Google DNS configuration does *not* come from Ubuntu. It was a bug Trisquel developers introduced and is now solved.

GNUser
Joined: 07/17/2013

That means we have to worry about Ubuntu bugs AND Trisquel bugs. Need any more reason to have Debian as a base? Or maybe even to have the Trisquel team join the Debian project and incorporate some of Trisquel into it, to make it better??

I don't see your logic, starting to think that there is none to see actually.

Magic Banana

Joined: 07/24/2010

Please stop doing the exegesis of what I write. There is indeed no "logic" in my previous post. Just a fact:
The Google DNS configuration does *not* come from Ubuntu.

As a consequence, that example is no reason to doubt about Ubuntu as Trisquel's base. In fact, there exists no example of any malware in Trisquel that would have been inherited from Ubuntu.

Of course, not observing a fact does not mean the fact does not exist. However, the one claiming that the fact exists is in charge of proving it.

GNUser
Joined: 07/17/2013

So you think it's better to have ubuntu as a base instead of Debian for example?
Trying to make a "free software only" OS out of a "non free software only" OS that comes from a "free software only" OS makes no sense. That is a fact. Deal with it. Debian would be a better base to work with. That's all I am saying. Why do you try to reject that so much??

> As a consequence, that example is no reason to doubt about Ubuntu as Trisquel's base. In fact, there exists no example of any malware in Trisquel that would have been inherited from Ubuntu.

What you mean is there is no KNOWN malware that comes from Ubuntu. You trust Canonical? That's dumb. And because you trust Ubuntu you also trust Trisquel? You should trust Trisquel IN SPITE of it being Ubuntu based, not because of it. Seriously, I am done trying to explain it to you. Don't expect a lot more replies from me. You are just trying to close your eyes on everything you don't like. Do so alone.

Magic Banana

Joined: 07/24/2010

Where on earth did you read that I "trust Trisquel because of it being Ubuntu based"? Where did you read me expressing any opinion against Debian as Trisquel's base? Where?! It is the fourth post you write where you make this thing up!

As I have already expressed in this post, Debian would make a great base for Ubuntu.

Stop making things up (especially when it comes to other users' opinions). Show us facts. Not FUD. What you called a fact in your previous post (stating that "it makes no sense to make a free software only OS out of a non free software only OS") is not a fact!

It is amazing how you seem to believe that whatever comes through your brain (e.g., that Trisquel inherits malware from Ubuntu) immediately becomes an indisputable fact. Something that then allows you to call people, who want real facts to back the accusation, as "dumb".

onpon4
Joined: 05/30/2012

If you're expecting no bugs to ever exist, you're living in a fantasy world. Bugs *always* happen.

GNUser
Joined: 07/17/2013

Sure, but we can eliminate some of them if we don't use Ubuntu. That's all I am trying to say.

quantumgravity
Joined: 04/22/2013

Many people in this forum (including me) think Debian would be a better choice for trisquel.
On the one hand I don't know which technical reasons prevent the trisquel developers from moving to another base.
On the other hand, the developers of gNewSense managed to do it, too (ok, their OS is extremely old, so perhaps this is not a good example of a great success).

We have to bear in mind that Debian already is an almost-fsf-friendly OS, so I can't imagine that it should be easier making ubuntu fsf-friendly than debian.

Magic Banana

Joined: 07/24/2010

As far as I remember, quidam's rationale is "Ubuntu being the most popular GNU/Linux distribution, its many users who value their freedoms want a free software only derivative: here is Trisquel".

Trisquel up to version 1.5 was based on Debian and, as far as I understand, no technical difficulty fundamentally prevents Trisquel from going back to a Debian base.

Now, in addition to quidam's rationale above, it must be pointed out that gNewSense, which is now based on Debian (it used to be based on Ubuntu!), seems to be "reborn". If the objective is the liberation of as many users as possible, isn't it better to have the two projects differ up to their bases?

quantumgravity
Joined: 04/22/2013

> If the objective is the liberation of as many users as possible, isn't it better to have the two projects differ up to their bases?

Not in this case; we suffer too little man-power.
The gNewSense developer, as far as I know, is overloaded with all the work. I think there is a reason why they release a new version so rarely.
Trisquel does not have a single full time developer;
This has consequences, like thunderbird being still included in Trisquel though recommending non-free add-ons.

Because there is too little man power, the best thing is:
1. to choose a distribution which can be converted into a freedom-friendly one with as little effort as possible
2. to unify with people who make almost the same / have almost the same goals. This means putting work power together.

GNUser
Joined: 07/17/2013

We better be careful... we are starting to agree too much :P

If there were enough people working on both projects, I would still suggest that Trisquel be based on Debian. Because of reasons I have already stated in the forum, like Debian being a more mature project, being above Canonical suspicions, having a more stability/security-minded goal, etc. But since we don't even have one of the distros providing timely updates, I would agree that some common working ground should be found to help everyone.

Now, magic banana, please, explain to me WHY is it so bad that people suggest Debian as a base for Trisquel? You and Jxself for example seem to be upset whenever someone suggests that (especially me, but that is becoming a norm these days xD)

quantumgravity
Joined: 04/22/2013

"If there were enough people working on both projects, I would still suggest for Trisquel to be based on Debian."

Of course we can suggest this, but in the end Trisquel is kind of quidam's hobby project AFAIK and he decides how he wants to spend his free time.
Our decision is whether we leave trisquel or not.

By the way:
it might frighten you a bit (it frightens me also) but I thought very deeply about the whole "illegal sharing" discussion and I have to admit that I can't consider it to be ethical anymore.
I realised this when I thought of the purchase of a CD being connected to a kind of "promise" not to copy it and give it to your friend, just like you promise this when buying proprietary software.
Once you did this, you can find yourself in the same moral dilemma. Should I betray my friend or break my promise?
I think such a licence is unjust, but breaking my promise isn't good anyway.
The only solution is to refuse stuff under such a licence completely and limit myself to the usage of creative commons, consumer respecting media.

I don't think anyone is interested in this discussion anymore, but nevertheless I might perhaps start a thread in the troll hole later on where I explain these ideas, just in case someone is interested.
BUT sorry, I thought about the name discussion also, and though I think it's unethical now, I still think it is not sensible to use the word "piracy". But I will write about it in another thread and think the normal trisquel forum is not the right place for this.

onpon4
Joined: 05/30/2012

Something Richard Stallman said (I might be paraphrasing a little, since this is from memory):

"If you use software which doesn't have freedom 2 [the freedom to share exact copies], you can be faced with a moral dilemma which can happen at any moment. If your good friend says, 'That program is nice, can I have a copy?' you have to choose between two evils: give your friend a copy and violate the license of the program, or refuse your friend a copy and comply with the license of the program. When faced with this situation, you ought to choose the lesser evil, which is to give your friend a copy and violate the license of the program.

"Why is that the lesser evil? Because if you can't avoid doing wrong to one or the other, it's better to do wrong to someone who deserves it than to someone who doesn't. We can assume that your good friend is a good member of your community who normally deserves your cooperation. But the owner of the software has deliberately attacked your freedom.

"Even so, this isn't good. It's never a good thing to make an agreement and then break it; even when the agreement is inherently evil and keeping it is worse than breaking it, still, breaking it doesn't rise to the level of good. And if you give your friend the program, what will she have? She will have an unauthorized copy of a free program, and that's a nasty thing, almost as nasty as an authorized copy of the same program.

"So ideally, you should avoid falling into the dilemma. I know two ways. First way, don't have any friends. That's the way the proprietary software developers have in mind for you. The other way, my way, reject the software that doesn't have freedom 2."

In short, he agrees with you: making an agreement and breaking it is not good, but he also thinks keeping the inherently evil agreement "I won't share with my neighbor" is worse than breaking it. I tend to agree.

Magic Banana

Joined: 07/24/2010
GNUser
Joined: 07/17/2013

> Perhaps you should re-read your message: "Trisquel would be more trustworthy if it started to work on top of Debian Stable instead of Ubuntu."

I was not hysteric. Debian is a much more mature project, it has a "free software only" approach, it favors stability and security above usability and looks, they put the users first (which canonical does not, refusing to remove amazon spyware from ubuntu), they move their system towards the future (trying to support different kernels and architectures), etc etc etc.... Being based on Debian would help the Trisquel project. Do you have any doubts in this??

> Hysteria includes "delusions of threats." That you perceive a problem with Trisquel merely because it is based on Ubuntu -- and for no other reason -- is where it starts.

If you truly believe that the Amazon spyware is the last malicious feature that will ever be discovered in Ubuntu.... lol, well, you have the right to think that way, but I can't honestly trust a company that, like Canonical, refuses to remove a feature that nearly EVERY user complained about. We will still discover many bad things about Ubuntu in the near future, and Trisquel is in danger of incorporating those things.

> That Ubuntu includes proprietary software -- and induces people to install even more -- is bad. So is spying on their users. Both are bad. The solution is to not use Ubuntu. They need to be admonished but that doesn't automatically extend to derivatives that don't have these problems.

Let's clear this out: I would rather use proprietary software that was not spying on me, than use free software that was spying on me and selling me out. Pure and simple. I don't treasure software above all else, I treasure people above all else. As for free software, since it can be used for any purpose, that allowed the NSA and (from memory, not 100% sure) Iran's government to use modified versions of BackTrack to spy on people. THAT is wrong. A person who for one reason or another, uses a proprietary driver or program, that is not wrong, it can be stupid, but it's not wrong. Got it?? -.^

jxself
Joined: 09/13/2010

> I was not hysteric.

Oh indeed - There *might* be some undefined and as-yet-unknown future problem. This is where the hysteria is starting. Never mind that -- should it happen -- people will ensure it's addressed and handled properly. No, not that - just ignore and overlook that part. We must instead advocate for people to not use it *at all* because there's absolutely no reason to use Ubuntu as a base.

> Sure, but we can eliminate some of them if we don't use Ubuntu. That's all I am trying to say.

But also lose the benefits. See below.

> Being based on Debian would help the Trisquel project. Do you have any doubts in this??

Absolutely. It's been discussed before - Check the archives. Canonical does lots of work to make their distro easy for new people to use. Trisquel gets to inherit all of that work. There's a definite benefit to having a 100% free distro available based on Ubuntu that new users can be referred to and use in freedom.

> I would rather use proprietary software that was not spying on me

But how would you ever know?

> than use free software that was spying on me and selling me out.

At least with the free one you'd (or others) could find out and then know with certainty if it was or not and if so could change it so that it stopped and then share that modified version. Other people would likely prefer not to be spied upon (all else being equal) and this modified version becomes the typical version of the program.

It's ultimately Ruben's time spent on the project. While you may disagree with how he chooses to spend his time, it's ultimately his decision how to spend it and Trisquel isn't going to Debian unless he decides that it is. If you're convinced that Debian is so much better then please go use it. There's no need to be hanging out on the Trisquel forums going on about how the project should switch to Debian.

quiliro@congresolibre.org
Joined: 10/28/2010

On 26/08/13 21:40, name at domain wrote:

> It's ultimately Ruben's time spent on the project. While you may
> disagree with how he chooses to spend his time it's ultimately his
> decision how to spend it and Trisquel isn't going to Debian unless he
> decides that it is. If you're convinced that Debian is so much better
> then please go use it. There's no need to be hanging out on the Trisquel
> forums going on about how the project should switch to Debian.

I would like a Debian testing free software alternative that I would use.
Maybe gNewSense developers will be interested in having someone
contribute to their project on this issue. Would you be interested, gnuser?

--
Free greetings,

Quiliro Ordóñez
President (in co-governance with the members)
Asociación de Software Libre del Ecuador - ASLE
6008579

Remember that all your communications are being monitored. What you can
do to reduce its effectiveness is remove proprietary software from your
computers, avoid software as a service, store your data on your own
equipment and encrypt all your communications.

All the information contained in this message is free to use and
distribute with or without modifications, and any mail I receive implies
that the sender accepts that it will have the same freedoms regardless of
any prior or subsequent confidentiality clause or restriction.