Ask / Submit

How can I trust apps from openrepos? [answered]

asked 2016-09-25 09:02:16 +0300

bhavasagar gravatar image

updated 2016-09-25 09:28:22 +0300

coderus gravatar image

Very simple question, how to trust apps from open repos and conclude that they aren't malware or spyware.

edit retag flag offensive reopen delete

The question has been closed for the following reason "the question is answered, an answer was accepted" by pawel
close date 2016-09-30 13:56:41.387379



how do you trust apps downloaded from internet? by users feedback/rating and app source code.

coderus ( 2016-09-25 09:29:23 +0300 )edit

Is the question bad enough to deserve a down-vote for some people? Come on... Be somewhat nicer, especially to newcomers. BTW, welcome @bhavasagar!

luen ( 2016-09-25 10:05:25 +0300 )edit

Its a fair question. Unfortunately, there is no simple reply. For paranoid - you cannot trust. Its easy to upload any rpm which would do whatever is specified there. Compared to other sources (Harbor), there are no checks that I know of. However, for paranoid, I don't think that the checks in Harbor and, as we have all heard in other OS stores, are 100% trustworthy either.

In sum, as @coderus stated, look for users feedback, check if its open-source. If it is open-source and you would like to at least have a source code for the version that you install, compile it yourself. This would allow you to check the source if something happens. Fortunately, so far, I haven't heard about any malware distributed via openrepos for SFOS, but maybe I just wasn't around long enough or didn't pay attention. [and welcome!]

rinigus ( 2016-09-25 10:55:01 +0300 )edit

No way to trust, ever.

That is why for all patches I read the QML through, and all the binaries I compile myself.

here is no other way.

juiceme ( 2016-09-25 13:31:07 +0300 )edit

Thanks @luen

bhavasagar ( 2016-09-26 09:38:05 +0300 )edit

3 Answers

Sort by » oldest newest most voted

answered 2016-09-25 09:41:17 +0300

tvicol gravatar image

updated 2016-09-25 09:42:32 +0300

Simple response, by looking at the source code, which is available for almost all openrepos published apps. Can you do the same with your Windoze OS ? Or you trust only closed source "NSA certified" apps ?

edit flag offensive delete publish link more



And of course self-compiling from the said sources, not using the prebuilt binaries.

juiceme ( 2016-09-25 13:32:00 +0300 )edit

Yes, as @juiceme said, the only way to be really sure is to compile from the given sources yourself, because the source and the actual binary could still be different. Of course this is highly unlikely, but it's something you should keep in mind.

nthn ( 2016-09-25 14:04:08 +0300 )edit

Openrepos is particularly bad for this though, anyone can sign-up and upload anything they like, they can create sockpuppet accounts to give it fake feedback and rating.

Looking at the source isnt really enough, compiling it yourself or at minimum taking a build off Mer OBS is the only way to really know that your binaries have been built from the given source.

r0kk3rz ( 2016-09-25 17:22:20 +0300 )edit

Whole internet is bad, openrepos is good.

coderus ( 2016-09-25 18:46:45 +0300 )edit

@cocderus openrepos is good, but still, it is not safe. How could it be??

juiceme ( 2016-09-25 22:40:08 +0300 )edit

answered 2016-09-26 08:44:01 +0300

tortoisedoc gravatar image

jolla rpm validator is available on github; it might be a start for a safety validation step.

edit flag offensive delete publish link more



Thanks for such a quick reply.

bhavasagar ( 2016-09-26 09:34:59 +0300 )edit

Even tho I personally do not believe it's the only verification they perform in harbour. Perhaps Jolla could share more about the process, and it could be implemented to a certain extent in openrepos. But not my call :).

tortoisedoc ( 2016-09-26 09:37:43 +0300 )edit

answered 2016-09-25 21:08:53 +0300

247 gravatar image

can i can trust openrepos because we are at jolla and we almost know everyone each other?of course some patch can conflict with another and cause trouble but since an app is published by a sailfish devs there shouldnlt be any problem with it... :)

edit flag offensive delete publish link more



Unfortunately it does not work like that, You cannot trust me or anyone else if you really want to be sure.

Even as SFOS users and developers are a small community, still there has been kind of malevolent software even in the official Jolla Harbour, think about that for a while...

juiceme ( 2016-09-25 22:39:11 +0300 )edit

Question tools



Asked: 2016-09-25 09:02:16 +0300

Seen: 968 times

Last updated: Sep 26 '16