XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access


  • Originally posted by sophisticles:

    Windows code is available for auditing:





    Windows source code has been audited many times.

    Also, the confirmed source code for Win XP is available online:


    How do we know this is the code they build? Is it possible to build it?
    You have to sign non-disclosure agreement anyway.



    • Originally posted by avis:

      I've addressed this comment earlier. Had Microsoft ever done that, they would have suffered massive losses to the tune of billions of dollars, lost crucial markets and/or companies altogether and had lots of people imprisoned/fined/fired. It's insane to believe that a profit-driven company would risk so much just to appease someone, not to mention that MS/Apple/Google products are used by security agencies and governments. I'm sorry to say this, but your insinuations are pure lunacy.
      I can't find a source, but either the NSA or the FBI uses OpenBSD workstations and servers. Not that this bug can't affect OpenBSD either; I don't think XZ is installed by default. The DOD invented SELinux and uses Linux machines. Everyone who cares about security either runs a secure Linux distro or OpenBSD.



      • Originally posted by woddy:
        There's something wrong with your reasoning... you want distributions and operating systems to control the code, but then you blame open source, which is the only code that can be controlled. There is a big contradiction in your reasoning. Bugs are commonplace in any operating system or software, whether proprietary or open source; the advantage of open source is that anyone with the skills can verify it. In proprietary software you can't, so they can put whatever they want in it.
        You have it backwards, open source can not be controlled, as this exploit makes perfectly clear.

        Open source, especially the way it applies to Linux based OSes, gives people a false sense of security.

        Consider a person that decides he will create a custom distro based on one of the more popular distros.

        This custom distro gets reviewed and people love it, maybe it has a custom theme they find appealing, maybe there's some optimizations that make it run faster in benchmarks, maybe it has some custom tools.

        It gets a loyal following and all the source code is available under GPL for inspection.

        As is standard practice, they also release binary versions in the form of ISOs.

        Everything is great right?

        What happens if the ISOs that are available for install are not using the same code that is available online?

        For instance, during the build process the developer manually adds 3 lines of code to the DE that allow a remote attacker to gain root access when certain conditions are met.

        How would you know about it?

        This is the fallacy of open source: you are assuming that the code that is being offered online is the same code being used to build the OS.

        There is no way for you to know what was done during the build process, and if you respond with what I think you will respond with, then you will confirm for me that you don't have a programming background.



        • Originally posted by avis:
          Our guy (JiaT75 - Jia Tan) has made contributions to MSVC as well:

          A list of new articles and doc updates for the Microsoft C/C++ compiler, ATL/MFC, C runtime, and standard library docs.


          The plot thickens.
          It is just documentation.



          • Originally posted by andyprough:
            Lots of comments here; I can only guess that avis and sophisticles are claiming that M$, Google and Apple have never spread malware, despite them each spreading millions of malware downloads through their various app stores in the past few years. And Google literally selling top search result rankings to known malware producers.
            You can't find a single post of mine where I have said this.



            • Originally posted by avis:

              They distribute exactly the same updates to everyone. Also, it would be great if you showed a single case of MS pushing "malware updates". I dare you.
              • Phoning home is not malware.
              • ASUS was hacked.
              • CCleaner is a minor ISV and all bets are off.
              Again I've asked to show malware being willingly distributed by MS/Google/Apple and we are now close to 90 comments here and not a single proof. A ton of whataboutism though. Have a nice day.
              Nothing prevents Microsoft (or Dell, or Apple, etc.) from pushing a different update to a few selected users. Most companies will do so if instructed by the government, or give the authorities hidden access to user data (like Apple does in China).

              Phoning home to report a user's listening habits even though the user rejected the EULA (this is what Sony did) is malware.

              Yes, ASUS was hacked, and didn’t spread the malware willingly. Microsoft also didn’t spread the infected CDs on purpose. So what? Do you think Gentoo, Arch, and other distros spread the infected XZ willingly?

              CCleaner was not minor, it used to have millions of users worldwide.

              ——

              At first you just stated that big corporations such as Microsoft, Google or Apple endorse every line of code that reaches you as a customer, and that no such thing exists in the Linux world. You got a ton of examples, and to every single one you reply like:
              - yes, but they were hacked
              - yes, but this malware is not malware in my opinion
              - yes, but this malware does not have an official CVE
              - yes, but they are smaller than Microsoft
              - …

              You are a TROLL, that's what you are. There will always be some insignificant difference, as such cases (with the exception of malvertising or malware in the online software store) are not common.



              • Originally posted by Monsterovich:
                Malicious code is already built into the OS such as Windows, and since the code is closed, you don't know that there is a virus in there.
                You don't see the contradiction in your statement, do you?

                If you don't know that there is a virus in there then how do you know that malicious code is already built into the OS such as Windows?

                Not the sharpest knife in the drawer, are you?

                BTW, the Windows source has been reviewed numerous times:





                • Originally posted by sophisticles:

                  Long quote
                  That's being very slowly and piecemeal tackled by using reproducible builds.

                  AFAIK not a single Linux distro has managed to release every package in this manner but work is being done.

                  And then, the worst part of it: since distros are built differently (different compilers, compiler flags, patches, dependencies, etc.), it only gets applied to a single build of a single distro. This will not work across the entire Linux ecosystem.

                  What I proposed earlier makes a little bit more sense: have a single library (shared between e.g. Linux distros) of verified applications/libraries which lists packages known to be "good", their versions and hash sums.

                  Right now every distro has its own implementation of this protocol which of course is quite counterproductive.

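The reproducible-builds and shared-manifest ideas in the post above, as an added Python example (not code from the thread or from any distro's tooling): two builders pack the same source tree, and with wall-clock timestamps their hashes differ while a pinned timestamp makes them agree; a third party that rebuilds from source can then compare its hash with the shared manifest, which also catches lines slipped in during the build. The source files, the timestamp and the manifest are constructed values.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree: the files a package build would archive.
SOURCE_FILES = {"bin/tool": b"#!/bin/sh\necho hello\n", "share/doc/README": b"Example package\n"}
# Constructed: a reproducible build stamps the source release date
# (the SOURCE_DATE_EPOCH convention) instead of the build machine's clock.
SOURCE_DATE_EPOCH = 1711670400

def build_archive(files, stamp):
    """Pack files into a plain tar, writing `stamp` as every entry's mtime.
    A naive build passes the wall clock here, so no two builders agree.
    Owner, mode and entry order are fixed too, since they vary per machine."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(files):
            info = tarfile.TarInfo(name=path)
            info.size = len(files[path])
            info.mtime = stamp
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(files[path]))
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def builds_agree(stamp_a, stamp_b, files=SOURCE_FILES):
    """Do two independent builders get a bit-identical artifact?"""
    return sha256(build_archive(files, stamp_a)) == sha256(build_archive(files, stamp_b))

# The shared manifest of known-good packages, (name, version) -> hash of the
# reproducible build, as published by the first builder (constructed here).
MANIFEST = {("example-tool", "1.0"): sha256(build_archive(SOURCE_FILES, SOURCE_DATE_EPOCH))}

def verify_rebuild(name, version, files, manifest=MANIFEST):
    """A second party rebuilds from source and compares with the manifest."""
    expected = manifest.get((name, version))
    if expected is None:
        return False  # unknown package: nothing to compare against
    return expected == sha256(build_archive(files, SOURCE_DATE_EPOCH))

# Constructed tampering: lines slipped in during the build, absent from the repository.
TAMPERED_FILES = dict(SOURCE_FILES, **{"bin/tool": SOURCE_FILES["bin/tool"] + b"# injected at build time\n"})
```

Real packaging also has to pin compiler versions, flags and dependencies, which is why the post notes that a hash only holds for one build of one distro.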


                  • Originally posted by Nocturnal64:

                    ...
                    "Nothing prevents" is a conspiracy theory and not an example. Here in this topic we are discussing the real world and the real malware that found its way into a large number of systems. Google/MS/Apple have had decades to do something nefarious, yet you cannot show a single example.

                    You've demonstrated zero examples of malware ever having been distributed by Google/MS/Apple, added some random companies to the mix for good measure (why? because you can), decided you could call "phoning home" malware (why? because you can) and are now calling me a troll, which is ad hominem. And I'm sorry, I couldn't give two shits about CCleaner. This example is 100% irrelevant. I can show you this for good measure, since you are a fan of random facts of life being your counter argument, I mean your whataboutism.

                    I have nothing else to discuss with you. Goodbye.
                    Last edited by avis; 29 March 2024, 07:29 PM.



                    • Originally posted by LightBit:

                      How do we know this is the code they build? Is it possible to build it?
                      You have to sign non-disclosure agreement anyway.
                      The Win XP code was supposedly used to build a functional copy of XP.

                      BTW, the argument you are using here is the same one I have used against Linux for years: you have no way of knowing if the code listed on a distro's site is the same that was used to build the ISO you install from.

                      Thank you for confirming the weakness of open source for me.
