undefined | Better HN

0 pointsLeoPanthera1y ago0 comments

How is this different to Windows users downloading a .exe file and running it?

0 comments

Short answer: it's not, and that's the problem.

Long answer: Windows has a few conventions that make it "better", like a predictable place to install your files, a global authoritative "registry", and never having dynamically linked (and separately installed) dependencies. By sheer virtue of not having a good package manager, Windows has avoided dependency hell. That does, however, still leave it without the utility of a package manager.

wongarsu1y ago

Windows checks the code signing certificate of the exe, and if it isn't present and the binary not widely used shows you a big scary warning to discourage you from running it. And if the exe is signed that at least tells you where to send the police after you were infected.

Of course open source projects rarely sign their exes because those certificates are expensive ($300+/year).

wiktor-k1y ago

> Windows checks the code signing certificate of the exe, and if it isn't present and the binary not widely used shows you a big scary warning to discourage you from running it.

Actually even if the file is correctly signed but is new users will see the warning banners. (Unless using the more expensive EV Code Signing certs)

> Of course open source projects rarely sign their exes because those certificates are expensive ($300+/year).

I'm not sure where the $300/ year comes from but one can get valid certs for less than 50 EUR a year (https://shop.certum.eu/open-source-code-signing-on-simplysig...). I got a physical key one for 65 EUR and it worked just fine.

If the open source project is widely recognizable I'd suggest contacting https://signpath.org/ to get code signing for free (as in beer) via simple Github Action workflow.

wongarsu1y ago

That's great to see that they are so cheap now for open source work. I must have remembered the price of EV certificates (which are handy for completely getting rid of the warning screen and for getting Windows Defender off your back)

bee_rider1y ago

I skim little python or bash scripts after downloading them. Therefore, there’s at least one person who does it… sometimes. Nobody checks an exe!

Mostly it is the same though shrug. There thankfully don’t seem to be many hackers going after the niche of desktop Linux users.

duped1y ago

It's better because you almost never need to give root permissions to the installer, unlike on Windows

kevincox1y ago

Yeah, usually it is just your user account: https://xkcd.com/1200/

j / k navigate · click thread line to collapse

0 comments

thomastjeffery1y ago

Short answer: it's not, and that's the problem.

wongarsu1y ago

Of course open source projects rarely sign their exes because those certificates are expensive ($300+/year).

wiktor-k1y ago

> Windows checks the code signing certificate of the exe, and if it isn't present and the binary not widely used shows you a big scary warning to discourage you from running it.

Actually even if the file is correctly signed but is new users will see the warning banners. (Unless using the more expensive EV Code Signing certs)

> Of course open source projects rarely sign their exes because those certificates are expensive ($300+/year).

If the open source project is widely recognizable I'd suggest contacting https://signpath.org/ to get code signing for free (as in beer) via simple Github Action workflow.

wongarsu1y ago

bee_rider1y ago

I skim little python or bash scripts after downloading them. Therefore, there’s at least one person who does it… sometimes. Nobody checks an exe!

Mostly it is the same though shrug. There thankfully don’t seem to be many hackers going after the niche of desktop Linux users.

duped1y ago

It's better because you almost never need to give root permissions to the installer, unlike on Windows

kevincox1y ago

Yeah, usually it is just your user account: https://xkcd.com/1200/

j / k navigate · click thread line to collapse