Comment by gf000
7 days ago
> The (desktop) Linux security model is different
In that it doesn't really exist. Sure, linux has all the capabilities to do it properly, but defaults matter in security so the way it currently works, basically every program has access to everything actually important (personal files, photos, ssh keys, etc). It just can't upgrade your GPU driver.
Security goes way beyond a technical checklist.
I trust my Linux distribution because there's a chain of trust, from the maintainers, the contributors down to the user to make sure that the software is respecting the user.
You can't fix the lack of trust you have on Android with just sandboxing.
I do trust the Linux distro maintainers that they don't have nefarious purposes. But they can't and won't verify third party projects' code, nor the huge number of contributors that come and go on any of these projects, or their transitive dependencies.
As has been shown, it's almost trivial to get malicious code merged into open source projects, so not really sure where your "trust" comes from. It's not trust, it's naiveness.
The proof is in the pudding at the end of the day, how many privacy scandals Debian had vs how many privacy scandals Android had? One model seems to clearly work better than the other. Talk is cheap, I like to see the results.
And to answer your question, of course they can't check everything, that's why it's a model based on trust and not a model based on verify.
What would happen if let's say VLC would upload your user documents in the background? They would get nuked out of the repository and never be seen again. That's why apps do not tend to do that.
I'm not against sandboxing and a strong technical model myself, it's just that if I have to pick between a trust model and technical features, well the trust model wins hands down 10 times out of 10 as it has a better proven track record.
1 reply →
> I trust my Linux distribution because there's a chain of trust, from the maintainers, the contributors down to the user to make sure that the software is respecting the user.
Nope, that's not actually how it works. In reality, there's little to no review of what's being packaged. The distribution packagers are additional trusted parties. You're also trusting the upstream developers and their dependencies which are largely not very interested in privacy and especially security. There's extremely little systemic work on privacy and security in desktop Linux operating systems which is why they still haven't fully deployed basic exploit protections from the early 2000s, let alone providing a strong privacy and security model with strong defenses throughout the OS.
> You can't fix the lack of trust you have on Android with just sandboxing.
Contrary to what you keep saying, Android has a large open source app ecosystem. Those open source apps run in a sandbox avoiding them being a single point of failure for the entirety of privacy and security of the OS. The vast majority of open source developers are not writing privacy and security focused software. Security is extremely neglected in the vast majority of open source projects and many do privacy invasive things. Open source does not provide privacy and security itself. Publishing sources under an open source license doesn't make software more private or secure itself. Most open source projects aren't getting significant privacy and security benefits from doing so since little of it gets deeply reviewed. Most projects do not get a lot of external contributions to the code. Open source code doesn't mean the developers aren't heavily trusted and only theoretically provides the ability to check everything extremely thoroughly which simply doesn't happen. If it worked the way you believe, there wouldn't be an endless stream of vulnerabilities being fixed which have often been present for a long time including years or decades. See https://lore.kernel.org/linux-cve-announce/ for a major example.