←back to thread

Is it possible to allow sideloading and keep users safe?

(shkspr.mobi)
205 points ColinWright | 1 comments | 30 Aug 25 12:03 UTC | HN request time: 0.241s | source
Show context
m463 ◴[31 Aug 25 05:39 UTC] No.45080628[source]
"sideloading" connotates something that is negative.

On systems before apple's locked-down iphone, it was just called "installing".

The PC revolution started with people just inserting their software into the comptuer and running it. You didn't have to ask the computer manufacturer or the OS vendor permission to do it.

And note that apple doesn't allow you to protect yourself. You cannot install a firewall and block arbitrary software on your phone. For example, you can not block apple telemetry.

replies(8): >>45080727 #>>45080995 #>>45081451 #>>45082064 #>>45082687 #>>45083125 #>>45088266 #>>45100572 #
pjmlp ◴[31 Aug 25 06:01 UTC] No.45080727[source]
Which is why alongside freedom came the business of anti-virus.
replies(3): >>45081201 #>>45081373 #>>45083051 #
wiseowise ◴[31 Aug 25 07:39 UTC] No.45081201[source]
Never in 20 years of using Linux/Macs I’ve ever needed anti-virus.
replies(7): >>45081249 #>>45081507 #>>45081768 #>>45081860 #>>45082078 #>>45082191 #>>45082263 #
mike_hearn ◴[31 Aug 25 09:22 UTC] No.45081768[source]
Macs come with an Apple provided antivirus built in, it's called XProtect.

Apple also has enforced a similar policy to what Google is doing, but much stricter, and has done for ~13 years or so (devs must be identified, the OS rejects unsigned code in all territories by default, Apple pre-approves all binaries even outside the app store).

Linux distros have policies far more extreme than anything Google, Apple or Microsoft have ever done. They explicitly don't support installing any software not provided by their "app stores". Getting into those requires giving up your source code to them, and they reserve the right to modify it as they see fit without informing anyone, reject it for any reason or no reason at all (including reasons like "we don't have time"), and they tie getting new releases of your app to the user upgrading to new releases of the OS. If you do try and install stuff from outside of your distribution, not only are there security warnings to click through but an expected outcome is that the OS breaks and the vendor washes their hands of you.

Despite those policies, or perhaps because of them, botnets of Linux servers are common.

Of all consumer-facing platforms only Windows and Android allow installation of unsigned third party code out of the box via some obvious graphical path. And on Windows that right is somewhat theoretical. You can do it but the built in browser will try very hard to stop you, and the OS itself will happily break unsigned code by blocking file open syscalls heuristically. So in practice most apps don't go the unsigned route. On Android OTOH, unsigned (non ID verified) code is sandboxed and works just like regular apps after installation, the OS won't heuristically interfere with the app.

replies(6): >>45082250 #>>45082856 #>>45082983 #>>45083088 #>>45083113 #>>45085343 #
Der_Einzige ◴[31 Aug 25 13:45 UTC] No.45083113[source]
How can you be so aggressively wrong about so many things in a single post? It’s impressive.

The stuff about Linux not letting you install stuff flies far in the face of like everyone’s knowledge of Linux. Your description of how Linux installation works is pure fantasy.

replies(1): >>45083254 #
1. mike_hearn ◴[31 Aug 25 14:08 UTC] No.45083254[source]
I didn't say it didn't "let" you. I said it's not supported, as in, the Linux vendors don't consider that to be a feature of the OS that you should actually use.

I've been a Linux user for 25 years. You can reconfigure the OS to use additional repositories. It may or may not work, and only if there is a repository specific to both your distro and its version. But it's not a good idea.

In particular, OS upgrades are very likely to break. Being able to upgrade itself is a basic requirement of any modern OS. If your Linux distro corrupts itself on upgrade or fails to do so and you file a bug report you'll be told to remove any third party software because that's not supported.

This would be like if your Mac started crashing on boot because you downloaded a word processor from a website, and then Apple say "sorry, we only support apps coming from the app store". They don't do that, but Red Hat or Canonical will.