This isn't true. And supply chain wise just look at the xz backdoor. A random person was able to compromise the supply chain of many Linux distros. Security also is not just supply chain integrity.
>Windows is designed to be able to protect the will of proprietary software publishers against the will of users
I'm not sure what you mean by this. Just because Micrsoft cares about developers, it doesn't mean they don't care about users.
>that it's a violation of freedoms 0 and 1
It's not. Freedom 0 and 1 does not give you the freedom to cheat against other players without being banned. You can be free to modify the game client, but you aren't entitled to play with others using it.
For a multiplayer game, I'd argue that playing with others (even if you're restricted to private servers, not that most games support that anymore..) is running the software. Being able to use a piece of software for its intended purpose is more relevant than a literal reading "you are allowed to exec the binary and nothing more"
It's very obviously true. Linux culture is installing software from trusted repositories. Windows culture is downloading random .exe or .msi from websites and then immediately running them with full permissions.
That's why Windows has a lot of malware and Linux doesn't. It's trivial really to smuggle malware into closed-source applications that are distributed like the wild west.. If I google a popular Windows program right now, I'm going to get a lot of download websites that supply me a sketchy exe.
Some of the malware differences is because of popularity, sure. But ultimately it's 10x easier for me to add a virus to photoshop and upload that exe to download.com as opposed to smuggling malware in an open-source software in the Debian repository.
> I'm not sure what you mean by this.
It means that when companies want capabilities X Y Z which limit user actions on their own computers, Microsoft will cave. They do it all the time. Microsoft cares about making companies happy and they don't care too much about keeping power users happy.
> It's not.
It is. You're constructing a strawman. You're saying that freedoms 0 and 1 don't allow you to cheat freely. Okay, you're correct - nobody has ever said that.
What we're saying is that building kernel-level APIs to hook in anti-cheat or other anti-user software is antithetical to freedoms 0 and 1. Which it is.
I was talking more about the supply chain of the operating system itself, but lets not forget Linux has a culture of people running random commands off the internet which is also an easy vector to get people to install malware. Also I think you are overconfident in how much vetting repositories like npm do. I'm sure Linux people download random stuff off of github too like appimages.
>it's 10x easier for me to add a virus to photoshop and upload that exe to download.com
You can do the same thing but with a Linux binary of "photoshop."
>That's why Windows has a lot of malware and Linux doesn't.
This is due to more consumers using Windows than Linux.
>You're constructing a strawman.
I'm trying to assume what you mean due to this being asynchronous communication since the claim of attestation being related to freedom 0 and 1 is not true. One is about proving information to another party and the other is about having freedom of what you are running on your computer.
>What we're saying is that building kernel-level APIs to hook in anti-cheat or other anti-user software is antithetical to freedoms 0 and 1.
In this case being able to prove with relatively high confidence that no one in a game is cheating is a pro-user feature.
Being able to attest to the system state does not limit freedom 0. Anyone is still free to run any system they want, they just can't attest to their system being trusted if they are not running something trusted. Attestation doesn't make software any harder to modify than before, freedom 1, it only prevents you from attesting that you are using unmodified software when you aren't. Linux distros are not arms of the free software foundation so I don't think trying to argue about what they think is free or not is necessarily relevant to something like this being created.
It's really not and the culture is not that big.
In Windows, ALL software is installed through suspicious means. In Linux world, MOST software is not. That's the difference.
If some dumbass wants to curl a random URL into a shell that's their problem. That's a very rare occurrence.
> You can do the same thing but with a Linux binary of "photoshop."
Yes, but it seems to me you are choosing to be dense on purpose and it's irritating me.
Please read what I am actually saying. I'm not saying it's impossible to make malware for Linux systems. I'm saying the CULTURE of Linux users is not to download random executables. So if I do that, it wouldn't be very effective. If I upload a random ELF executable to download.com, close to nobody is going to download it. On Windows, this is not the case.
> This is due to more consumers using Windows than Linux.
Again, I've already addressed this. It seems you cut off the quote too early.
This is PART of the reason, but we have to acknowledge how much easier it is to actually distribute malware on Windows.
The "popularity" argument is also just a bad argument. Linux is absolutely not unpopular - almost all the servers worldwide run some Linux distro. Those servers, lots of them, contain valuable data. They are absolutely a target for malware authors. There's probably more servers running Debian alone than Windows Server and it's not even close. Even still, there's a lot more malware that runs on Windows Server than Debian.
> Linux Distros...
There seems to be a fundamental misunderstanding here.
What you are proposing is a change to the Linux kernel which allows it to not be modified in some way. That's not something that is a distribution concern - that's a kernel API concern. Which will never be implemented in the kernel for the reasons already specified.
>What you are proposing is a change to the Linux kernel which allows it to not be modified in some way.
Linux already supports attestation and it doesn't prevent the kernel from being modified.
>That's not something that is a distribution concern
It is because distros like Android already support such an API to apps.
>Which will never be implemented in the kernel for the reasons already specified.
Again it already exists in the kernel.
As for `curl ... | bash` that's a developer only thing. No user space normal applications are installed that way. I've never seen it.
Is this method good? No. Is it used exclusively by power users who presumably know what they're installing and from where? Yes.
The difference here is ALL software on Windows is installed this way. There's basically no exceptions. And don't even try bringing up the Windows store.
The xz backdoor was successfully caught before it landed in mainstream release branches, because it's free software.
But broadening the scope a bit, the norms of using package managers as opposed to the norm on Windows of "download this .exe" is a much stronger security posture overall.
I am aware the Windows Store exists, it's not widely used enough to make exes a marginal distribution pathway. I am aware curl | bash exists, it's more common than it should be, but even in those cases the source is visible and auditable, and that's very uncommon for non-technical users to ever do (unlike downloading random exes).
> Freedom 0 and 1 does not give you the freedom to cheat against other players without being banned.
That's a strawman, I never claimed you should have the right to cheat against other players.
> You can be free to modify the game client, but you aren't entitled to play with others using it.
And that's the issue, Windows has functionality to impede your ability to run the software as you see fit and modify it to your needs. Perhaps you want to run your own server, with different moderation policies.
What? It literally got included with several distros. It wasn't caught before it shipped to end users. Just because it got caught before slower to update distros got it, that doesn't mean it is okay. It reveals how low the barrier is for an anonymous person to get code into the OS.
>I never claimed you should have the right to cheat against other players.
Attestation doesn't take away your ability to modify and run software which means that you still have freedom 0 and 1. It just means that you can not prove to a remote server that you bare running unmodified software. To me you were implying that the server being able to kick people who modified the client to cheat was violating their freedom.
>Perhaps you want to run your own server, with different moderation policies.
Nothing would stop you from running your own server like that.
The issue is that Windows is designed to be able to protect the will of proprietary software publishers against the will of users that want to assert control over the software running on their computer. It's very similar to the story with DRM.
Linux desktop OSes will never put in place the measures to make a Vanguard-like system work, because it's just unethical for a bunch of reasons, the most basic of which being that it's a violation of freedoms 0 and 1.