> at this point a Windows machine only belongs to you in name. Microsoft can run arbitrary code on it.
I get what the author is trying to say, but...like... obviously?
I get what you're saying, but OS vendors could prevent themselves from running arbitrary code, even from themselves, without the user's authorization if they really wanted to. I'm not sure it is in anyone's best interest since it would affect everything from security updates to automatically installing device drivers (e.g. people would be left with insecure systems or would claim Windows is broken since most would not understand the prompts). It would also be difficult to prevent Microsoft's marketing department from sneaking a trojan horse into things like security updates.
The average user is not able to understand the code that is running and the 99th percentile user does not want to spend the time to understand the code.
Make it do the security stuff out-of-the-box, allow the user to change ANYTHING they want, including turning off the security stuff. Linux! It's in everyone's best interest.
Holds for Apple devices just as well.
I mean, the free software community has been saying this for 40 years now.
In 1985, there were no autoupdates/forced updates/or really any available updates that didn't come on physical media.
And it went from unrealistic paranoia to 'like... obviously?' seamlessly.
I mean.. how is this different from any OS distribution? Apple can push whatever. So can Red Hat or Ubuntu or Gentoo. Unless I'm literally running Linux From Scratch I'm at the mercy of maintainers to do whatever they want.
I'm not sure what the current state of most distributions is, but I remember update applications providing an option to accept or reject individual packages. Even without that, you could preview the list of pending updates and delay them indefinitely, do manual updates of individual packages, or configure it to ignore particular packages during updates. Historically, I believe that you could block certain updates on Windows as well - or maybe you could just rollback and update. Of course none of this is considered user friendly so things may have changed.
Provide a way to show that your compiled code is what you say it is.
https://wiki.debian.org/ReproducibleBuilds
But where does the original compiler come from? Reproducible builds are only as good as the compiler used to compile them. That's the point of Trusting Trust. If you build with a backdoored compiler and I reproduce your build with the same backdoored compiler, that solves nothing. This is why full-source bootstrap is important[0].
[0]: https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-...
It would be very very hard to actually accomplish something like that on mainstream x86/arm compilers. And hide it from every debugger in the world. If it diminishes the value of reproducible builds, it's by something like 1%.
> Reproducible builds are only as good as the compiler used to compile them.
Which is so so so much better than "as good as nothing".
Is that true? Can Ubuntu download and install and run new code without me doing anything? I am not sure that's the case.
Of course every time I run an update, they can install whatever. But that's different from what Windows is doing as I understand it...
"Ubuntu will apply security updates automatically, without user interaction. This is done via the unattended-upgrades package, which is installed by default."
https://documentation.ubuntu.com/server/how-to/software/auto...
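An added example, not part of any comment in this thread: a shell check that reads `apt-config dump` output and reports whether the unattended-upgrades job quoted above is switched on. The function names and sample configurations are constructed for illustration, and it assumes the unattended-upgrades package and APT's daily timers are present on the host.

```shell
#!/bin/sh
# Report whether APT's periodic job will install updates without user interaction.
# Input format is what `apt-config dump` prints, e.g.
#   APT::Periodic::Unattended-Upgrade "1";

# Print the value of one APT::Periodic key from stdin ("0" if absent or empty).
periodic_value() {
    awk -v k="APT::Periodic::$1" '
        $1 == k { v = $2; gsub(/[";]/, "", v); found = v }   # last setting wins
        END { print (found == "" ? "0" : found) }
    '
}

# $1 = configuration text. Prints one of:
#   enabled                 upgrades install on their own, package lists refresh
#   enabled-no-list-refresh upgrades install, but lists are never refreshed
#   disabled                nothing is installed without the user running apt
auto_upgrade_state() {
    conf="$1"
    lists=$(printf '%s\n' "$conf" | periodic_value Update-Package-Lists)
    upgrade=$(printf '%s\n' "$conf" | periodic_value Unattended-Upgrade)
    if [ "$upgrade" = "0" ]; then
        echo "disabled"
    elif [ "$lists" = "0" ]; then
        echo "enabled-no-list-refresh"
    else
        echo "enabled"
    fi
}

# Constructed sample: both periodic settings switched on.
SAMPLE_DEFAULT='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'

# Constructed sample: the user has switched automatic installation off.
SAMPLE_OFF='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'

echo "sample (on):  $(auto_upgrade_state "$SAMPLE_DEFAULT")"
echo "sample (off): $(auto_upgrade_state "$SAMPLE_OFF")"

# On a Debian/Ubuntu host, check the live configuration as well.
if command -v apt-config >/dev/null 2>&1; then
    echo "this host:    $(auto_upgrade_state "$(apt-config dump)")"
fi
```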
Right, but it's a minor annoyance, get rid of it with:
(doesn't trigger removal of anything else, and you'll enjoy 420kb of additional disk space).
OTOH the real issue with Ubuntu is snap(d). Snap packages definitely do auto-update. You may want to uninstall the whole snap system - it's (still?) perfectly possible, if a little bit convoluted, due to some infamous snaps like firefox, thunderbird, chromium, or e.g. certbot on servers.
Or just use Debian or any snap-free fork for the matter.
Edit: fixed
> I mean.. how is this different from any OS distribution?
The other OS distributions let you turn it off.
There are a lot more distros than RH, Ubuntu, Gentoo and LFS. And none of them will show you ads except maybe Ubuntu. Plus you can also look at *BSD.
None of them comes close to what Microsoft is doing. To me, your comment looks like you do not understand the Linux eco-system. Plus IIRC, LFS can now come with compiled binaries.
> Apple can push whatever. So can Red Hat or Ubuntu or Gentoo
In the case of Ubuntu and Debian, and to a lesser extent RedHat, I trust the developers not to do that because they have a history of not "just pushing whatever".
Also in many cases I actually know these developers, and I can go round and ask them / remonstrate with them / put a brick through their window / other response if required about it.
Probably influenced by the Microsoft history of sneaky things over the last 45 years.
What are you talking about? It's my machine. I authorized the running of certain kinds of software from Microsoft. It's not supposed to be a running authorization for them to reach in and do whatever they want on it.