LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Stallman: Ubuntu Spyware: What to Do?

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 8, 2012 11:30 UTC (Sat) by oever (subscriber, #987)
In reply to: Stallman: Ubuntu Spyware: What to Do? by coriordan
Parent article: Stallman: Ubuntu Spyware: What to Do?

> > In that light it is hard to call the code spyware.

> Huh? And if a video player is free software, is it hard to call it a video player??

The source code is readable. It is not a secret that the software sends your keypresses to the amazon server. Spyware is secret.

An interesting point is how one can confirm that the binaries that Ubuntu ships are unadulterated results of the source code. There may be some binaries published by Ubunty, Debian, or any other distribution, but it is very hard to show that they are the result of compiling the exact published source code.

So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.

(Log in to post comments)

There's latent checking and spot checks

Posted Dec 8, 2012 18:37 UTC (Sat) by coriordan (guest, #7544) [Link]

> So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.

There's lots of latent checking. When people look at the code for any reason, they might spot the spyware (if there is spyware).

And there are spot checks when there's a suspicion. Someone accused me last year of running a site which sent info to a third-party server. I checked the code (it was WordPress) and found that the person was wrong.

The risks are pretty high since one person can remove the spyware and distribute a spyware-free version, so the original developer will lose face and will cease to be the upstream source of the software. With risks that high, latent checking and spot checks are generally enough to dissuade developers from putting in spyware in the first place.

There's latent checking and spot checks

Posted Dec 8, 2012 20:10 UTC (Sat) by ikm (subscriber, #493) [Link]

I believe OP meant that binary packages may not correspond to the sources they were supposed to be built from, and it's hard to check whether they actually do.

There's latent checking and spot checks

Posted Dec 8, 2012 21:22 UTC (Sat) by oever (subscriber, #987) [Link]

Yes, I meant that it is hard to match binary to source. Publishing a binary with spyware and claiming that it corresponds to source code which has no spyware can go undetected.

In the above example of WordPress, I assume OP checked the production PHP code. Since WordPress is shipped only as source (as far as I know), this would rule out the presence of spyware in the site.

If the site was running a compiled CGI plugin, finding that the source code has no spyware, does not mean that the binary has no spyware. The spyware might even be in the apache binary.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 11:52 UTC (Mon) by coriordan (guest, #7544) [Link]

Software that spies on you is spyware. It doesn't matter if it's free or prorietary.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 15:33 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

> Software that spies on you is spyware. It doesn't matter if it's free or prorietary.

True, but is this really spying on you?

For me, Spyware is when the software claims to be doing one thing and is sending your information out to someone. They key here is being deceptive about it.

It's hard to argue that this is doing so without your knowledge, at least after the very first time that you use it and get results back from Amazon.

They are not being deceptive about this, they are advertizing the Amazon results as a feature.

If this was scanning your system to gather information and sending it out over the Internet while claiming to do something else, I would be up in arms about this as well, but sending something that you are searching for to a search engine is not being deceptive.

Calling this "spyware" dilutes the term and weakens fighting real spyware.

Stallman: Ubuntu Spyware: What to Do?

Posted Dec 10, 2012 22:06 UTC (Mon) by hummassa (subscriber, #307) [Link]

> Calling this "spyware" dilutes the term and weakens fighting real spyware.

I tend to agree with this. But it *is* adware. But, just like android adware, it's simple to turn it off.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds