3. Even if the "this" installed wasn't the "this" you read about in your browser, it still came from your package manager repos, which you could consider safe, and you'll be able to uninstall it cleanly.
chromium-browser is the one. Although on Ubuntu it's in the Universe repository, so you have to add the chromium-team ppa in order to get on-time updates.
I will admit that Chrome/Chromium is one of the few things you can't easily get from the repos, on Ubuntu at least.
So how does that prevent a malicious PPA or repo that the attacker could push up in the search rankings? Just like the attacker here pushed up a malicious download page in the search rankings?
It doesn't in this case, however you can determine that the chromium-team ppa is the official one in Ubuntu by following links from the Chromium website.
The security of the package repository system falls down when people add apt signing keys that are untrusted/unverified, which is what happens when you add a ppa in Ubuntu.
> Googling debian google chrome results in instructions for getting chrome on debian.
Yes. I know. I'm not picking on Debian specifically here; Fedora's dnf doesn't help you install Chrome either.
My point is rather the following: The GP asserts that the way to find (and subsequently install) software is "apt search `software`", and that way breaks down on exactly the piece of software that the article is about. You have to google instructions and then either install the .deb or add Google's repo. And that's where the attacker could just as well insert an ad pointing you to a malicious repo, just as the attacker currently points people to a malicious download. So the GP's solution isn't a solution at all. Not to this problem.
> GP's solution is valid for the majority of software - at least the sort of software that us HN folk probably use.
That's a bold statement to make, especially since a single piece of malicious software is sufficient. And yes, I want Chrome. I need Chrome. I need to test stuff on Chrome.
Going to Google's official webpage will tell you how to get Chrome for Debian/Ubuntu/openSUSE/Fedora. This is about as good as it can be because Chrome is closed source.