←back to thread

Is it possible to allow sideloading and keep users safe?

(shkspr.mobi)
205 points ColinWright | 3 comments | 30 Aug 25 12:03 UTC | HN request time: 0.7s | source
Show context
m463 ◴[31 Aug 25 05:39 UTC] No.45080628[source]
"sideloading" connotates something that is negative.

On systems before apple's locked-down iphone, it was just called "installing".

The PC revolution started with people just inserting their software into the comptuer and running it. You didn't have to ask the computer manufacturer or the OS vendor permission to do it.

And note that apple doesn't allow you to protect yourself. You cannot install a firewall and block arbitrary software on your phone. For example, you can not block apple telemetry.

replies(8): >>45080727 #>>45080995 #>>45081451 #>>45082064 #>>45082687 #>>45083125 #>>45088266 #>>45100572 #
pjmlp ◴[31 Aug 25 06:01 UTC] No.45080727[source]
Which is why alongside freedom came the business of anti-virus.
replies(3): >>45081201 #>>45081373 #>>45083051 #
wiseowise ◴[31 Aug 25 07:39 UTC] No.45081201[source]
Never in 20 years of using Linux/Macs I’ve ever needed anti-virus.
replies(7): >>45081249 #>>45081507 #>>45081768 #>>45081860 #>>45082078 #>>45082191 #>>45082263 #
mike_hearn ◴[31 Aug 25 09:22 UTC] No.45081768[source]
Macs come with an Apple provided antivirus built in, it's called XProtect.

Apple also has enforced a similar policy to what Google is doing, but much stricter, and has done for ~13 years or so (devs must be identified, the OS rejects unsigned code in all territories by default, Apple pre-approves all binaries even outside the app store).

Linux distros have policies far more extreme than anything Google, Apple or Microsoft have ever done. They explicitly don't support installing any software not provided by their "app stores". Getting into those requires giving up your source code to them, and they reserve the right to modify it as they see fit without informing anyone, reject it for any reason or no reason at all (including reasons like "we don't have time"), and they tie getting new releases of your app to the user upgrading to new releases of the OS. If you do try and install stuff from outside of your distribution, not only are there security warnings to click through but an expected outcome is that the OS breaks and the vendor washes their hands of you.

Despite those policies, or perhaps because of them, botnets of Linux servers are common.

Of all consumer-facing platforms only Windows and Android allow installation of unsigned third party code out of the box via some obvious graphical path. And on Windows that right is somewhat theoretical. You can do it but the built in browser will try very hard to stop you, and the OS itself will happily break unsigned code by blocking file open syscalls heuristically. So in practice most apps don't go the unsigned route. On Android OTOH, unsigned (non ID verified) code is sandboxed and works just like regular apps after installation, the OS won't heuristically interfere with the app.

replies(6): >>45082250 #>>45082856 #>>45082983 #>>45083088 #>>45083113 #>>45085343 #
1. cherryteastain ◴[31 Aug 25 13:23 UTC] No.45082983[source]
> They explicitly don't support installing any software not provided by their "app stores".

Nonsense. You can and run install whatever you want. Tons of closed source commercial software available for Linux like Matlab come as a .tar file which you extract and run.

replies(1): >>45083172 #
2. mattdm ◴[31 Aug 25 13:55 UTC] No.45083172[source]
In Fedora, we don't "support" third-party packages or installation of software because we can't do much about it if something is wrong. You should go to the provider of the software for help.

But we certainly support your _ability_ to install and run whatever you want. It's your computer, and it's your OS.

replies(1): >>45090614 #
3. mike_hearn ◴[01 Sep 25 08:05 UTC] No.45090614[source]
Regardless of the party line, in practice there's no big distinction between not caring if it works or not and not allowing it. The difference only matters for highly technical people with lots of time on their hands. For everyone else, if it's not a paved road it's not a road they can travel on at all, and so in practice Linux historically did not "support" third party software in any meaningful way.

And although I was making that argument to Fedora decades ago, it's only recently that this point has been accepted with official support by Red Hat for stuff like Flatpak. Of course other distros developed their own thing as always so it's still not really ideal. But at least the principle was now accepted that third party apps should have a properly supported way to thrive. Far too late, but it's done.