Friday, August 29, 2014

The Linux Distro Repository System Safety Assurance

(Image credit:

Most people don't give a thought to this subject.  In fact, with Legacy Windows (x86), including Windows 8.1, there is no such concept as a 'repository'.

Every Linux Distribution (call it a 'flavor' if that helps), provides its own repository.  What is a repository?  Imagine a Castle (Library of Applications) with a moat around it and a draw bridge.  Only keyholders can get in and get out.

The keyholder conceptually is provided by a technology used extensively with Linux, called GNU Privacy Guard (GnuPG or GPG for short).  The idea is to guard all software in the library to assure that no 'tampering' can ever occur.  Tampering scenarios include adding rogue software (applications with hidden trojan viruses), unauthorized code edits which have negative repurcussions and usually include software exploits, such as the kind that politely advises the user that their drive is now officially encrypted/locked and cannot be used unless a monetary consideration (extortion) is provided that will cause the encryption to be unlocked (CryptoLocker being one such application aka Ransomware targets Windows, not Linux).

This GPG technology allows each piece of software in the Library to be linked to your Linux on the Desktop GPG-keyring and will not install, per se, unless it can be unlocked by your Desktop keyring (Fedora is my Distribution of choice).

The advantage is clear.  The maintainers of the repository for your Distribution are thus able to  maintain strict control over who can contribute code, vetting of software and the author's background, all done to assure that the program being considered for acceptance into the Library is safe for general use, devoid of any rogue code.

The absence of a repository of protected software applications has been an historic security problem of endemic proportions for Microsoft who must continually apply Zero-Day security patches to the operating system once a month to thwart introduction of rogue software onto the operating system.  It is a hopeless, unending situation and the fact that such software as CryptoLocker and Stuxnet exist should be a flashing neon roadside billboard to the average user, but, sadly isn't.  The public is bamboozled and has bought into the accepted practice  of running third-party Anti-Virus software, lulled by its false sense of security and done by the user at their additional out-of-pocket expense for purchasing said software, time and effort.  

Indeed, the Windows Legacy security software business produces multi-billion annual sales all of which does nothing to deflect a Drive-by Download, for example.  The user won't see it, but their machine is infected and there isn't anything they or Microsoft can do about it, short of a complete redesign effort which has gone into their ARM processor based product which has suffered languishing sales.

Below is my system running an update download from the GPG keyring-protected repository at Fedora.  If you run automated updates, this will occur daily with Linux, not monthly as Microsoft does on Patch Tuesday.

Fedora Linux:  The safest operating system on the Planet

Users of Windows Legacy must therefore 'fend for themselves' and go into the 'wild' so to speak in search of software, whatever that may be, with no assurance that it isn't laden with trojans ready to deploy silently, unbeknownst to the victim user, who believes they have found a nice game program, for example.

You may think things are safe with Windows.  They are not.

Fedora Linux: The safest operating system on the Planet.

I stake my reputation on it.  -- Dietrich


Post a Comment