Linux mint Software Manager safety

Quick to answer questions about finding your way around Linux Mint as a new user.
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions use the other forums in the support section.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
AverageDude
Level 1
Posts: 10
Joined: Thu Dec 02, 2021 11:16 am

Linux mint Software Manager safety

Post by AverageDude »

Now that I've realized that some packages offered in the Software Manager might pose security risks (like the Bitwarden flatpak package), I wanted to ask the general question whether one can trust the Linux Mint Software Manager to be spyware- and malware-free.

Is there anybody controlling and reviewing the packages offered there?

Wasn't the idea behind Linux that, in contrast to Windows, one doesn't just randomly download and install software from the internet but has a centralized app store that is safe?

Thanks!
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
ricardogroetaers
Level 6
Posts: 1368
Joined: Sat Oct 27, 2018 3:06 am
Location: Rio de Janeiro, Brasil

Re: Linux mint Software Manager safety

Post by ricardogroetaers »

What is the security problem with the bitwarden flatpak package?
There are also AppImage and deb versions. Do these also have a security problem? Which ones?

I find it very difficult for a "logger" or even a repository "administrator" to "thoroughly" check all programs.

According to Synaptic (on Mint 19.3) there are 74498 deb packages in the repository. To believe that someone does maintenance or deep checking on this is mere utopia.

We have presumable security, but it is not 100% guaranteed.
timbol
Level 2
Posts: 94
Joined: Tue Sep 05, 2017 2:27 pm

Re: Linux mint Software Manager safety

Post by timbol »

Not a proper answer to your question, but in addition to ricardo's points you'll find that some/many/all of the packages are behind the developers' versions, e.g. for Scribus, Software Manager is on 1.5.5, whereas the developer has announced 1.5.7. LibreOffice is on 7.2, Software Manager version is 6.4.7, etc.
The packages are often Ubuntu versions and the bottom line for me is that they'll all have been thoroughly road-tested by other users, some with extensive security experience, on different OS. If there was a problem it would have popped up before you installed a package.
SimonPeter
Level 5
Posts: 582
Joined: Tue Jul 13, 2021 5:13 am

Re: Linux mint Software Manager safety

Post by SimonPeter »

AverageDude wrote: Sat Dec 04, 2021 7:06 pm Now that I've realized that some packages offered in the Software Manager might pose security risks (like the Bitwarden flatpak package), I wanted to ask the general question whether one can trust the Linux Mint Software Manager to be spyware- and malware-free.

Is there anybody controlling and reviewing the packages offered there?

Wasn't the idea behind Linux that, in contrast to Windows, one doesn't just randomly download and install software from the internet but has a centralized app store that is safe?

Thanks!
TL;DR: Trust the official repositories (except the closed-source apps which have been recently added to them).
DO NOT trust flatpaks, snaps, debs, AppImages etc., until and unless you've checked them thoroughly.

The Linux Mint repository (and the Ubuntu repository, on which Linux Mint is based) is stringently reviewed by the packagers.
NOTE: No one is perfect, except God.
The reviewing process might contain some errors, but they are very rare compared to the number of bugs in upstream code.
NOTE: Some closed-source apps were added to the repos recently. They intentionally hide their source code from us.
So, I trust everything else in the official repos (except those closed-source apps, which I don't trust).

But just about anyone can publish a Flatpak, deb, snap or AppImage (and just about anyone can bundle malware, adware etc.).
The review process for their repositories (like Flathub, Snap store or AppImageHub) is very loose.
That review process is similar to (not the same as) Google Play Store -- apps are NOT required to publish their internal working (source code), and apps are removed only after a clear violation is found and reported.
Hoser Rob
Level 20
Posts: 11806
Joined: Sat Dec 15, 2012 8:57 am

Re: Linux mint Software Manager safety

Post by Hoser Rob »

NO software source is 100% safe. Many exploits are caused by things like stack overflow or underflow bugs which were not placed there as malware in the original source. This is what many software updates address, even the tested repo stuff. You just have to live with this. It's a shame how paranoia levels seem to be inversely proportional to the understanding of this sort of thing.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
acerimusdux
Level 5
Posts: 635
Joined: Sat Dec 26, 2009 3:36 pm

Re: Linux mint Software Manager safety

Post by acerimusdux »

There's nothing especially wrong with the Bitwarden flatpak. But Bitwarden produces an official .deb and an official AppImage which you can get direct from their website. They don't produce an official flatpak. So someone not affiliated with Bitwarden has taken the official offering and repackaged it for flatpak. Now in this case, the majority of the work in maintaining that flatpak seems to be done by a very experienced developer who is also very active with Debian and maintains a number of Debian packages as well. So I think it's probably fine. Only one other developer has made more than a single commit there.

So for myself, I've actually gone with the flatpak in this case, which runs sandboxed, over the .deb or appimage not running sandboxed. But that is a debatable choice. Probably better, but more work for me, is running one of the official offerings sandboxed. This may be as simple as running the appimage with firejail and an appimage profile. But I don't know, I haven't tried that yet.

And sandboxed or not isn't the most important factor for an app which you are giving all of your passwords to. The greatest risk here isn't something infecting your system, it's the security of the data you are storing with that app itself.

But the point here is nothing is foolproof. But because the software is open source, there's at least a decent chance that there are experienced developers looking at it all along the way, who might catch anything wrong, especially something of the nature of malware or spyware. Linux has never been immune to such attacks. They have just been very rare because of the difficulty of accomplishing them when everyone can see the code, and when it is possible to prevent any piece of code from having more access than is necessary for the task which it is supposed to be performing.

The Mint software manager is **relatively** secure, because it uses stable open source software from other *mostly* trustworthy sources like Debian and Ubuntu, along with the contributions of the Mint team. The Mint team wouldn't have the time to thoroughly review every bit of code in these packages from other sources. They are relying on the stable offerings from Debian or Ubuntu being reasonably trustworthy.

As for flatpaks, partly because the flatpak system itself isolates any code running in the flatpak from the rest of the system, software from the flathub.org remote is also considered sufficiently trustworthy to show in the software manager. A flatpak isn't going to break anything else in your system. But you still have to be careful about what data and what parts of your system you decide to give a flatpak program access to.
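A way to act on that last point, added here as an example and not part of acerimusdux's post: audit what a flatpak is actually allowed to touch before trusting it with sensitive data. The script below parses the `[Context]` section that `flatpak info --show-permissions <app-id>` prints and flags the grants that make the sandbox largely cosmetic (whole home directory or host filesystem, raw X11 socket, session/system bus, all devices). The app id and the two permission sets are constructed for the demonstration; they are not the real Bitwarden flatpak's metadata.

```shell
#!/usr/bin/env bash
# Added example: flag broad sandbox grants in Flatpak permission metadata.
# The input format is what `flatpak info --show-permissions <app-id>` prints
# (the [Context] section of the app's metadata file). Values are ';'-separated
# and a filesystem entry may carry a ':ro' or ':create' suffix.

# Constructed sample for a hypothetical app "org.example.App": broad grants.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download:ro;'

# Constructed sample after tightening: only Wayland, GPU and a read-only downloads dir.
TIGHT_PERMS='[Context]
shared=network;
sockets=wayland;pulseaudio;
devices=dri;
filesystems=xdg-download:ro;'

# Print one "key=value" line per broad grant found in the permissions text ($1).
# Empty output means nothing in our "broad" list was granted.
flag_broad_permissions() {
    local text="$1" key values v base
    while IFS='=' read -r key values; do
        case "$key" in
            filesystems|devices|sockets) ;;   # only these keys carry broad grants
            *) continue ;;                     # skip [Context], shared=, blank lines
        esac
        local old_ifs="$IFS"
        IFS=';'
        for v in $values; do
            base="${v%%:*}"                    # strip ':ro' / ':create' suffix
            case "$key:$base" in
                filesystems:host|filesystems:host-os|filesystems:host-etc|filesystems:home|\
                devices:all|\
                sockets:x11|sockets:session-bus|sockets:system-bus)
                    printf '%s=%s\n' "$key" "$base" ;;
            esac
        done
        IFS="$old_ifs"
    done <<< "$text"
}

# Stand-alone run: show what would be flagged for each sample.
echo "Broad grants in SAMPLE_PERMS:"
flag_broad_permissions "$SAMPLE_PERMS"
echo "Broad grants in TIGHT_PERMS:"
flag_broad_permissions "$TIGHT_PERMS"
```

On a real system you would feed it `flatpak info --show-permissions <app-id>`, and a flagged `filesystems=home` or `sockets=x11` can be removed per user with `flatpak override --user --nofilesystem=home <app-id>` or `--nosocket=x11`; whether the app still works afterwards is something to check, since some apps genuinely need those grants.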
dave0808
Level 5
Posts: 973
Joined: Sat May 16, 2015 1:02 pm

Re: Linux mint Software Manager safety

Post by dave0808 »

AverageDude wrote: Sat Dec 04, 2021 7:06 pm Wasn't the idea behind Linux that, in contrast to Windows, one doesn't just randomly download and install software from the internet but has a centralized app store that is safe?
Linux was around long before the concept of "App Stores". Back then, you would be lucky to find pre-compiled binaries that you'd download from somewhere that was relatively well-known. In lieu of that, you'd download the source and compile it yourself.

Even Windows has an "App Store" now.