
Thread: Most Loonix (linux) users are in for a world of hurt :

  1. #1
    Banned

    Most Loonix (linux) users are in for a world of hurt :

    Pulling down open source code as a dependency without ever reading the code and verifying that it doesn't contain any backdoors or other malicious content has become one of the easiest ways to introduce malicious content into a code base.

    All you have to do is this:

    Fix some code and create a pull request.
    Fix some more code, perhaps add a new feature, and create more pull requests.
    Upstream "rewards" you with commit access.
    Keep a low profile for a while longer.
    Make a few mistakes to check how fast "mistakes" are discovered.
    Create some malicious code disguised as a bug, an honest programming mistake.
    Repeat.

    Of course you cannot validate every single line of code in every open source project you might use, but I cannot fathom how just about everyone today is completely and blindly trusting every package out there. This is a madness and level of ignorance and naivety in the software industry not previously seen.

    In the past many honest mistakes were made, and many systems were not originally programmed with security in mind. But as the industry has progressed and matured, many efforts have been made on many different levels and fronts to improve security, yet for some reason, with the improved access to online cooperation, this has been almost completely set back to a status even worse than in the beginning.

    Another different subject, yet just as relevant, is how people keep making popular third party packages "hard" dependencies for their own code base. This is a mistake that very easily can blow up your code base completely, just like this for example: https://github.com/pyca/cryptography/issues/5771

    My point with this minor "rant" is that you need to carefully consider what packages you pull down. Don't just trust a project because it is open source. The idea that open source has many eyes watching is a myth. Nobody wants to read other people's code, so very rarely does anyone do that.

    Remember the Heartbleed bug?

    If your code base is important, make sure (as much as possible) that you can trust the code you pull down as a dependency. Read as much of the third party code as possible, create diffs when changes are made, and investigate and understand how the project handles security. If you don't, you're only asking for trouble.


    http://www.unixsheikh.com/articles/a...d-of-hurt.html
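
Added example, not part of the original post or the linked article: one way to carry out the "create diffs when changes are made" advice from the post above, comparing two release archives of a dependency in memory and listing added, removed and changed files for review. The package name `examplepkg`, its contents and all helper names are constructed for illustration.

```python
import difflib
import io
import tarfile

def read_sdist(data: bytes) -> dict[str, str]:
    """Map each regular file in a .tar.gz to its text, dropping the top-level
    'name-version/' directory so two releases line up path for path."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():  # read in memory; nothing is extracted to disk
                path = member.name.split("/", 1)[-1]
                files[path] = tar.extractfile(member).read().decode("utf-8", "replace")
    return files

def diff_releases(old: bytes, new: bytes) -> dict:
    """Return added, removed and changed paths, with a unified diff per change."""
    a, b = read_sdist(old), read_sdist(new)
    report = {"added": sorted(b.keys() - a.keys()),
              "removed": sorted(a.keys() - b.keys()),
              "changed": {}}
    for path in sorted(a.keys() & b.keys()):
        if a[path] != b[path]:
            report["changed"][path] = "".join(difflib.unified_diff(
                a[path].splitlines(keepends=True), b[path].splitlines(keepends=True),
                fromfile="old/" + path, tofile="new/" + path))
    return report

def make_sdist(root: str, files: dict[str, str]) -> bytes:
    """Build a constructed sample archive in memory (stands in for a download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            info = tarfile.TarInfo(f"{root}/{path}")
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

# Constructed sample data: two releases of a hypothetical package "examplepkg".
OLD = make_sdist("examplepkg-1.0", {"examplepkg/core.py": "def add(a, b):\n    return a + b\n"})
NEW = make_sdist("examplepkg-1.1", {
    "examplepkg/core.py": "def add(a, b):\n    return a + b + 0\n",
    "examplepkg/net.py": "import urllib.request\n"})

if __name__ == "__main__":
    report = diff_releases(OLD, NEW)
    print("added:", report["added"], "removed:", report["removed"])
    print("".join(report["changed"].values()), end="")
```

A newly added file such as `net.py` in the sample is the kind of change worth reading in full before the version bump is accepted.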

  2. #2
    Banned

    You’ve got millions of open-source software components to choose from... and so do cybercriminals

    Just who is running your favourite project these days? :


    see below for more :

    https://www.theregister.com/2021/02/..._your_project/

  3. #3
    Veteran Member Token

    Linux users need to be a bit neurotic, one wrong step and you can fuck up all of your servers. I've always used Debian. This year I've changed to Mac and I don't regret it.

  4. #4
    Banned

    One sure way to determine if you are stupid

    Published on 2021-02-10.

    Stupidity is defined as:

    Slow to learn or understand; obtuse.
    Tending to make poor decisions or careless mistakes.
    Marked by a lack of intelligence or care; foolish or careless.

    One sure way to determine if what you're doing is stupid is if you do what you do, or say what you say, because that is what the majority is doing!

    Here are some examples of sayings that reveal utter stupidity:

    *Since most major Linux distributions have adopted systemd, then surely systemd cannot be bad.

    *Clearly Linux is more popular than BSD, hence it must be better.

    *It's the "modern way" of doing things, everyone does it, I will do it too!

    In either case, you're stupid or naive or both if you follow what the majority does, just because it is the majority!

    The majority has never, not even once - in the entire history of mankind - been any indication of what is right or correct.

    Whenever you find yourself on the side of the majority, it is time to reform (or pause and reflect).

    -- Mark Twain

    You need to think independently and be brave enough to go against what the majority is saying or doing, even if that makes you stand all alone. The truth never takes sides. Either you're right, or you're wrong. Make sure that if you're wrong, you're wrong because you made an honest mistake, and not because you disconnected your brain and let others think for you!

    https://unixsheikh.com/articles/one-...re-stupid.html





  5. #5
    Radimir

    I've never used Linux and Mac book. Haha, for me. It's Windows.

  6. #6
    Veteran Member Token

    Originally posted by Radimir:
        I've never used Linux and Mac book. Haha, for me. It's Windows.

    Windows admittedly spies on its users. I don't like the idea of being spied on in my house.

  7. #7
    Veteran Member Apricity Funding Member

    I have Linux, because it is simple and gives the full CPU power. Also, Linux gives the possibility to use most academic software. Another option would be Mac, but even then the open source availability would be limited compared to Linux. The security is not a problem because it is connected to the network only while downloading software and once done it is again disconnected.

    Windows - I would get a nervous breakdown.

  8. #8
    Banned

    Originally posted by Lemminkäinen:
        I have Linux, because it is simple and gives the full CPU power. Also, Linux gives the possibility to use most academic software. Another option would be Mac, but even then the open source availability would be limited compared to Linux. The security is not a problem because it is connected to the network only while downloading software and once done it is again disconnected.

        Windows - I would get a nervous breakdown.

    I currently use Debian bullseye on a Chromebook because I need Zoom and I doubt OpenBSD will install on the Chromebook (maybe it will) but it won't have Zoom. Still, I see a lot of tutorials on the internet for Ubuntu and others that use pip and add external repos to the apt sources list etc... :

    The success of Linux is extraordinary, but it could be better. Google has said that its security is not good enough and that Linux needs at least another 100 engineers. "I don't necessarily think that means that we just need to add more security people and that will solve it," said McGrath. "I do think that security will be more at the centre of the processes that we have. That's certainly going to be true at Red Hat. I think it will also be true in the open source communities where we will probably see more security being built into CI (Continuous Integration) pipelines."

    https://www.theregister.com/2021/08/...linux_red_hat/

    About half of Python libraries in PyPI may have security issues, boffins say

    Boffins in Finland have scanned the open-source software libraries in the Python Package Index, better known as PyPI, for security issues and said they found that nearly half contain problematic or potentially exploitable code. ...

    https://www.theregister.com/2021/07/...pypi_security/

  9. #9
    Banned

    Originally posted by Token:
        Linux users need to be a bit neurotic, one wrong step and you can fuck up all of your servers. I've always used Debian. This year I've changed to Mac and I don't regret it.

    I currently use Debian because the world is too mentally retarded to make OpenBSD as popular as Linux.

  10. #10
    Banned

    Originally posted by Token:
        Windows admittedly spies on its users. I don't like the idea of being spied on in my house.

    Apple spies on its users too and probably Ubuntu to some extent (at least Ubuntu used to) :


    An open letter against Apple’s privacy-invasive content scanning technology

    Thom Holwerda, 2021-08-06

    A large number of security and privacy experts, legal experts, and more, in an open letter to Apple:

    On August 5th, 2021, Apple Inc. announced new technological measures meant to apply across virtually all of its devices under the umbrella of “Expanded Protections for Children”. While child exploitation is a serious problem, and while efforts to combat it are almost unquestionably well-intentioned, Apple’s proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products.
    The open letter contains tons of arguments, scenarios, and examples from experts about just how bad this technology is, and just how easily it can be abused.

    https://appleprivacyletter.com/

    https://www.osnews.com/story/133797/...ng-technology/
