Would MacOS or Debian give me more protection against potential supply chain attacks? I read that MacOS vets software in the appstore very carefully, even open source. So if there was any malicious library sneaked in they would catch it right?
Debian stable - they do not update libraries quickly enough, so a malicious library would probably be discovered first before it made it to Debian stable.
I am not in IT so i do not understand these issues very well. I just want to protect my system the best i can from these random supply chain attacks that i keep reading of like the XZ and npm incidents.
As far as I understand, macOS is superior when it comes to security by default and at large. Desktop Linux is not really security forward first though there are other security forward distros available but Debian is not that.
So, Mac will provide better protection here if security is a concern.
To be fair, this can happen for any OS any time. So, this doesnât necessarily show a history of problems for an OS.
Anyways, supply chain attacks are exceedingly rare but possible on both systems. Remember that it is possible for software developed even for MacOS to rely on FOSS packages that may be malicious.
In terms of reacting to known exploits, MacOS is better because of how they push security updates and due to the closed nature of the app ecosystem. However, I would be lying to you if I said that MacOS is more resistant to supply chain attacks just because they limit what apps you download. Anything is possible
But wouldnât you agree that Macs are better overall? Anything is possible is not really a logic one can work with when choosing a secure OS for themselves.
This isnât a conversation about macOS being more secure than Linux. I do agree with that statement generally of course, but answering OPâs question directly is best.
If you want to minimize supply chain attacks, you should minimize the software that you use. That is possible on both OSes, but macOS naturally makes it easier for you to not be impacted by a supply chain attack. That does not equate for a macOS user being resistant to them entirely as they can always download software not verified by apple and the occasional mistakes that occur for verified apps.
Those are packages that might have elevated privileges when run in production or on a local development server, if granted admin privileges: could run some malicious code from installed packages (or inner dependencies).
It is even more popular than nowadays with people running AI editors with almost full rights and companies not caring any bit about making the whole thing secure[1], so my attack surface is HUGE in comparison to yours.
It doesnât mean that youâre fully safe because any kind of software can be a target of supply chain attack if for example you use a .dmg or alike that got bundled with hard to detect malicious code in it.
But just like everything, you will need to install software on your machine (it being Linux or Mac), just consider updating your system often and maybe limit your apps to the mandatory necessary if feeling the need for extra safety.
Also, consider checking the quality of what you install by inspecting the (assumed open) source code like here. If youâre not sure about a specific app, feel free to ask for a recommendation for I donât knowâŚa video player.
TLDR: donât worry too much since youâre not into IT yourself.
Ask for recommendation here and you should be safe.
Also, stores are not a silver bullet: they do let stuff through cracks sometimes + you donât have everything on the AppStore to begin with.
why would they? it doesnât bring money you know âŠď¸
The distros that I am familiar with (Debian and Arch) cater to power users and tend not to make decisions for the users. For example, there is no firewall configured by default because a workstation generally does not need one. Does this make desktop Linux âinsecure?â Typically there is not much application-level sandboxing either because it isnât needed when running trusted software.
Thatâs a big âifâ. Iâm not sure what kind of web dev youâre doing if youâre running stuff with admin privileges.
Yes, there are still some packages that can run pre/post install scripts that can screw you over. The solution is to never install with npm and transition to pnpm which is much more secure. pnpm allows whitelisting of such scripts viaonlyBuiltDependenciesOf course after whitelisting you must stay extra vigilant of any updates to those packages. I think as long as you donât immediate update your deps to latest, maintain a lock file and listen to your dependabot/npm audit, you should be fine.
Itâs really not that scary. Iâm most familiar with gh copilot which requires that you whitelist commands for AI to run. It canât just run any arbitrary commands unless you allow it. Maybe just donât allow it to run whatever without approval and you should be fine.
Heâs probably talking about Qubes and how Linux doesnât have granular app permissions like Android does. It certainly make most distros seem much less secure in comparison. I also donât believe in any of this âtrusted softwareâ. All software is one commit and one update from potentially becoming malware, but hopefully your OS and good security practices will help mitigate it.
The mode of software distribution is also very different. Traditionally, the Linux world emphasizes building software from source, at least when trusted binaries provided by distributions arenât available. On the other hand, Android is âdumbed-downâ system for appliances used to run primarily proprietary software, a lot of which is malware that mistreats the user in some way or another. Android may provide some coarse app-level permissions, but it does not really put the user in charge. In fact, normally owners donât even have root access. Only some fairly exotic FOSS Android variants depart significantly from this model.
From my memory, stable release distros in general (including Fedora) were not impacted by the XZ backdoor, it only affected rolling releases. Debian releases major updates much slower than Fedora which gives them more time to test but that can also further delay security updates. You could argue thereâs give and take but the current recommendations prioritize update speed.
There are other reasons to avoid bleeding edge rolling release distros. For example, Fedora is recommended to beginners partly due to being more stable while still pushing releases much faster than Debian. openSUSE Slowroll might become another middleground option for those who want a slowly ârollingâ release cycle which sits in-between openSUSE Tumbleweed and Fedora.
Wonât get into the technical weeds but yes I do agree.
Yet, all of the current JS ecosystem relies on a single flag to protect itself against big issues + elevation of privilege is a thing that can happen quite quickly given recurring security news. So yes, it definitely happens quite more often than theory will make it appear.
Same, in theory yes. In practice, prompt injection + extensions + a lot of other abstractions just bypass those safeguards easily.
Haha yes, I rather have an updated windows 11 with issue 123 than unaffected windows XP by that same issue.
