March 16th 19, 12:50 AM posted to alt.comp.os.windows-10
Paul[_32_]
Can I install Win 10 like this?

Jonathan N. Little wrote:
Paul wrote:
It is, after all, a fork of another tool. Which
means a miscreant *could* be a malware expert and
not a boot expert, just reusing the boot-making code
and be up to monkey-business.


1) The PPA is on launchpad and is open for all to review
2) The code is on github https://github.com/slacka/WoeUSB and the
source is also reviewable and open for comments by others.

Big difference in transparency with OpenSource where the code is open
for review, whereas Win-folks have to trust the binaries they install
without hesitation. You only install things from the Microsoft Store?


Not all open source is open source.
Some of it is a sham.

How this works is someone pretends to release code.
You see a directory full of files. Now, you're relaxed,
cause "well, he showed you the files, and obviously,
a million eyes will examine it".

Then, for ****s and giggles, you download that directory.
Of course, makefiles and .proj files are "magically
missing". "How could he forget those"? Etc.

Then, after about a week of scrambling to put a project
file together, to build it, you get "cannot find X".
And you have a look around and realize... there's
a file missing. And none of the other "million eyes"
saw this?

The million eyes are selective. For poorly packaged
goods, the eyes tend to glaze over. And you're really
not a lot safer.

Wasn't there some OpenSSL package where that happened?
No subject matter experts to review the code. Poorly
formatted source, causing potential reviewers to turn away.
And the code had problems.

When things are in an actual tree, there's upstream
and downstream, at least "three or four eyes" looked
at it. You have the assurance someone noticed it
wouldn't compile, or they couldn't package it and
put it in the tree because it was broken.

All I'm doing is encouraging people to be skeptical,
to think about the "what ifs". And use your experience
with these things to decide what you're going to
trust or not trust. Like, everyone knows that a
promotional web site with spelling mistakes on it
is a danger sign. You'd better know how to
spell, to use this detection method :-)

Paul
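The "makefile magically missing" and "cannot find X" symptoms Paul describes can be checked for in a minute rather than a week. The script below is an added example for this thread; it is not code from the thread, from WoeUSB or from the PPA, and every function name in it is made up. It assumes a POSIX sh with find, grep and sed, reports whether a source drop carries any recognisable build manifest, and lists every `#include "x.h"` whose header is nowhere in the tree. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check a source drop before trusting the
# "a million eyes looked at it" story. Not from the thread or WoeUSB.
# Assumes POSIX sh plus find/grep/sed; all names below are hypothetical.

# Succeeds (exit 0) when the tree has at least one recognisable build manifest.
has_build_manifest() {
    dir="$1"
    for f in Makefile makefile GNUmakefile configure configure.ac CMakeLists.txt \
             meson.build setup.py pyproject.toml Cargo.toml package.json; do
        [ -e "$dir/$f" ] && return 0
    done
    # Visual Studio style project files may sit anywhere in the tree.
    found=$(find "$dir" \( -name '*.proj' -o -name '*.vcxproj' -o -name '*.sln' \) -print | head -n 1)
    [ -n "$found" ]
}

# Prints one line per #include "x.h" whose header is neither beside the
# including file nor anywhere in the tree (matched by basename).
missing_local_headers() {
    dir="$1"
    find "$dir" \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' \) -print |
    while read -r src; do
        grep -o '#include "[^"]*"' "$src" 2>/dev/null |
        sed 's/#include "\(.*\)"/\1/' |
        while read -r hdr; do
            # present next to the including file: fine
            [ -e "$(dirname "$src")/$hdr" ] && continue
            # present elsewhere in the tree (include path unknown): accept too
            [ -n "$(find "$dir" -name "$(basename "$hdr")" -print | head -n 1)" ] && continue
            printf '%s: missing %s\n' "$src" "$hdr"
        done
    done
}

# Number of missing local headers; prints 0 (and succeeds) when there are none.
count_missing_local_headers() {
    missing_local_headers "$1" | grep -c . || true
}

# Constructed sample tree: one header present, one missing, no makefile.
make_sample_tree() {
    dir=$(mktemp -d)
    printf '#include "util.h"\n#include "missing.h"\nint main(void){return 0;}\n' > "$dir/main.c"
    printf '#define UTIL 1\n' > "$dir/util.h"
    printf '%s\n' "$dir"
}

# Human-readable report; returns 1 when anything looks off.
audit_source_drop() {
    dir="$1"
    status=0
    if has_build_manifest "$dir"; then
        echo "build manifest: present"
    else
        echo "build manifest: NONE"
        status=1
    fi
    n=$(count_missing_local_headers "$dir")
    echo "missing local headers: $n"
    missing_local_headers "$dir"
    [ "$n" -eq 0 ] || status=1
    return $status
}

# Usage: sh audit.sh /path/to/unpacked/source
if [ -n "${1:-}" ]; then
    audit_source_drop "$1"
fi
```

A non-zero exit from audit_source_drop is not proof of malice, only proof that the drop cannot be built as shipped, which is exactly the case where the "million eyes" have not actually looked.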