undefined | Better HN

0 pointsroel_v10y ago0 comments

"A closed source binary being silently downloaded and executed without explicit action by the user or notification to the same is a security incident."

Whereas source code being downloaded, compiled and run is not? Or a script being downloaded and run?

0 comments

vbezhenar10y ago

You can't realistically audit binary blob. But you can audit source code. So if download is protected by the digital signature, it's OK.

mavhc10y ago

You can't realistically audit the Chromium source code either.

shit_parade210y ago

? Why do you think people are discussing this, might it be because, gasp, the source code is being audited?

luso_brazilian10y ago

The source code being downloaded, compiled and run or a script being download and run would be a as much a security incident as what happened.

In this context (Chromium on Debian) having a closed source binary downloaded and executed is an additional problem to the security incident and that's the reason it is mentioned in the statement. There are two problems conflated in the same sentence:

1. A binary was downloaded and executed without explicit user intervention or consent.

2. A closed source binary was downloaded and executed by a primarily free and open source software in a free and open source distribution without explicit user intervention or consent.

So, answering the questions, having the source available would not make it ok but being closed source in this context is a problem on its own.

rockdoe10y ago

>a script being download and run would be a as much a security incident as what happened.

Like opening a webpage?

luso_brazilian10y ago

Yes. If opening a webpage downloaded a script that permanently altered the browser adding or removing functionality without explicit user intervention or consent it would be a security incident. There is even a class of scripts that warrants a special name because of this exactly behaviour: malware.

Considering the more general case of scripts being downloaded and executed in the browser (javascript, for instance) the more apt analogy would be one being downloaded and executed in a system with NoScript installed.

Just like NoScript is a tool that gives its users the power to decide on a case by case basis which scripts are executed by the browser, Debian is a tool that gives its users the power to decide on a case by case basis which closed source binaries are executed by their system.

Preventing this choice in this context is a security incident.

JupiterMoon10y ago

Just use no-script.

j / k navigate · click thread line to collapse

0 comments

vbezhenar10y ago

You can't realistically audit binary blob. But you can audit source code. So if download is protected by the digital signature, it's OK.

mavhc10y ago

You can't realistically audit the Chromium source code either.

shit_parade210y ago

? Why do you think people are discussing this, might it be because, gasp, the source code is being audited?

luso_brazilian10y ago

The source code being downloaded, compiled and run or a script being download and run would be a as much a security incident as what happened.

1. A binary was downloaded and executed without explicit user intervention or consent.

2. A closed source binary was downloaded and executed by a primarily free and open source software in a free and open source distribution without explicit user intervention or consent.

So, answering the questions, having the source available would not make it ok but being closed source in this context is a problem on its own.

rockdoe10y ago

>a script being download and run would be a as much a security incident as what happened.

Like opening a webpage?

luso_brazilian10y ago

Preventing this choice in this context is a security incident.

JupiterMoon10y ago

Just use no-script.

j / k navigate · click thread line to collapse