Can we really trust open source?

Discussion in 'all things UNIX' started by sukarof, Sep 21, 2018.

  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I run the beautiful distro Deepin. Deepin is made in China. It is a private company, not the government that develops Deepin. But we all know about China's government's view on freedom so it is not unlikely that they can force a company to do their dirty work.

    A youtuber discovered in the beginning of this year that Deepin software center sent some generic information, basically the same stuff that any web page does as I understand it. Deepin claims that they have removed that function in the latest versions. The controversy was as I understood it that this behaviour was embedded in the OS even though it was relatively benign. Personally I don't feel so worried about that.

    In the debate there was this argument that since Deepin is open source everyone can audit the source code. The same goes for basically all Linux distros. The question I have: How do we know that anyone actually checks the source code and all that it does? I don't know how one does that, but I guess it is quite a time consuming task to check hundreds of thousands, if not millions of lines of code.
    I guess the security in open source really lies in that there is a potential to check the code rather than "real" security. Personally I trust Deepin (or any other distro I use and have used for that matter) with the hope that someone has audited all the source code already.

    I know, we can't check the code in proprietary software at all so it is as much a trust based security there too.
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,439
    Location:
    Slovakia
    OpenSSL is tiny in comparison to OS and it was vulnerable for years, because no one bothered to check it, everyone expected that someone else will do it. Open source creates a false sense of security (privacy), just like installing AV does. I prefer a closed source from a reputable company rather than an open source, that everyone can review, including a potential hacker.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I'm not familiar with the incident you mentioned but I would think that it was a setting/modification/file specific to Deepin. And yes - somebody has to be there to check the source code in order to detect such changes. But keep in mind:

    1. Most packages have been used in the many Linux distributions for many years. This means that many eyes have had the opportunity to check if there is any malicious behaviour by some packages. There is a strong probability that such behaviour would have been detected.
    2. It's unrealistic to expect that the maintainers for a specific package check its complete source code every time it gets an update. But they check the diffs which show the changes in the source code compared to the previous version. This makes it very likely that any malicious changes would be detected as the number of new/changed code lines is limited. Needless to say that this approach hits the wall for big packages (like browsers or office suites) with potentially very many changes.
    3. Additionally, comprehensive automated tests are done for any update before the updates go to the testing repos - at least by big distros (I don't know if small distros have the means to perform such tests - that's one reason why I avoid them). Here's an example of how Fedora does it. (You'll notice that, e.g., also a virus check and a security policy check are done although I'm not familiar with the details.)

    To sum up, I would say that the advantages of open source software are evident provided that you use big, well-maintained distros and stick to their repositories. Personally I would never use a distro from China because of what you said in the beginning.
     
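    As an added illustration of the diff-review point in the post above (example code written for this thread, not from any poster, from Deepin or from a distro's tooling; the two source versions and the analytics hostname are constructed), a small screener that looks only at the lines an update adds and flags those that introduce network or telemetry behaviour:

```python
"""Diff-screening aid for a package update (added example, constructed data)."""
import difflib
import re

# Constructed sample: previous and updated versions of a "store" source file.
OLD_SRC = """\
def show_app(app):
    render(app.name, app.description)

def install(app):
    run_package_manager("install", app.pkg)
"""

NEW_SRC = """\
import urllib.request

def show_app(app):
    render(app.name, app.description)
    report_view(app)

def report_view(app):
    data = {"app": app.pkg, "screen": screen_size()}
    urllib.request.urlopen("https://analytics.example.invalid/track", data=encode(data))

def install(app):
    run_package_manager("install", app.pkg)
"""

# Identifiers a reviewer would want to see highlighted in newly added lines
# (assumed list; extend for the language and libraries of the real package).
SUSPICIOUS = re.compile(
    r"(https?://|urllib|requests\.|socket\.|analytics|track|screen_size)", re.I
)


def added_lines(old: str, new: str) -> list:
    """Return only the lines the update adds ('+' lines of a unified diff, no headers)."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def screen_update(old: str, new: str) -> dict:
    """Summarise the review surface: how many lines were added and which need attention."""
    added = added_lines(old, new)
    return {"added": len(added), "flagged": [l for l in added if SUSPICIOUS.search(l)]}


if __name__ == "__main__":
    result = screen_update(OLD_SRC, NEW_SRC)
    print(f"{result['added']} added lines, {len(result['flagged'])} flagged for review:")
    for line in result["flagged"]:
        print("  ", line.strip())
```

    The point is that seven added lines are all a maintainer has to read for this update, and three of them are the ones that turn a local UI action into an outbound request.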
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The OpenSSL example is correct. You're referring to the Heartbleed vulnerability that existed for 27 months. As a result the OpenSSL developers received funding from various companies like Intel and Mozilla as it had become clear that software which is so important for critical infrastructure must be better supported.

    So this is an example that open source software is not perfect. But at least, there was an opportunity that such vulnerabilities could be found. You don't have that at all for closed source software (unless you're trying to do reverse engineering) so vulnerabilities can exist for ages and nobody notices (perhaps with the exception of hackers who exploit them). There have been many examples in the past.

    And that you seem to call a data kraken like Microsoft a "reputable company" is worthy of discussion (but, please, not in this thread).
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Asking if you can trust open-source is like asking if you can trust all people from country A.
    Some yes, some no. There's no simple answer to that.
    Mrk
     
  6. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Personally I chose to trust open source, but I guess proprietary software companies have more to lose if compromised since that's their livelihood. Someone who makes a distro or OS software doesn't get any money (except from donations if they don't sell it, but I guess one doesn't get very rich)

    I am sure that most of the people who contribute to OS do it more or less altruistically, but at the same time open source would be a nice tool for the bad guys too.
     
  7. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I agree that the risk is very little with the well known distros, like Red Hat, Fedora or Ubuntu or others that make money on their distros. They have to protect their reputation/business. But for a distro like Deepin I would say that there can be a risk. A risk I am taking because it is the most beautiful DE in the computer world imo, and runs fantastically on my computers. It has been around since 2004 (but the name was Hiweed Linux in the beginning) so I guess (hope) that it has been audited by people who know how to do that during this time. At least partly.

    The incident was about their software center "The Store", that is basically a web page, collecting information about screen size and some other stuff that webpages do and sending it to the Chinese equivalent of Google Analytics.
    This "guidsup" guy looked into it https://www.youtube.com/watch?v=v25Dy66AtNI

    Deepin claim that they don't do that anymore, I guess as a result of the controversy. Personally I didn't find this so upsetting. But, since it is based in China I do have a little paranoia bug bugging me and won't let me completely enjoy my experience with Deepin :) I am wary about USA/Russian based services too, I have a tiny bit of paranoia against governments in general actually. Their wet dream is to monitor/control us all :p
    But I know, if I am worried I shouldn't use it and go with the well known distros, but I am trying to calm myself down by trying to educate myself on how this alleged security based on the concept "open source" works, because I really, really want to keep using this distro :)
     
  8. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I agree.
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This remark omits the distinction of whether that software is part of the official repositories of a distro or not. Being open source is not sufficient if you can't assess its source code and/or judge its trustworthiness. If you get it from your distro you know that it's checked.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    No, that's a technicality of implementation. I wasn't even talking on that level.
    Saying something is open source does not give it any outright credibility advantage.
    It's just easier to audit - sometimes.
    Mrk
     