
These app stores are a terrible software distribution model. Every day we hear about another reason they harm users far more than community maintained repositories and only protect the interests of the OS vendor.


App stores are no more terrible than the previous software distribution model where you Google the name of the software you want to install, find some site that "mirrors" the download, realize they've repackaged the original app with extra ads and toolbars, keep searching, find the official download link, scroll past all the misleading ads containing download buttons, download the package, and then hope the download runs on your machine.

Anybody complaining about app stores has forgotten how bad the alternatives are. And community-maintained repositories aren't a solution, that's just the app store model but on a smaller scale so it's less of a target for bad actors. If Ubuntu's universe repo had to suffer the same amount of abuse as the Play Store does, it would crumble in a day.


> And community-maintained repositories aren't a solution, that's just the app store model but on a smaller scale so it's less of a target for bad actors. If Ubuntu's universe repo had to suffer the same amount of abuse as the Play Store does, it would crumble in a day.

I disagree strongly.

Most community supported Linux distributions have fairly arduous processes by which members of the community become trusted users / MOTUs / etc. It is not simply a matter of deciding to upload something, creating an account, and clicking a button. To deliberately upload a malicious package into Universe (or similar repos in other distributions), you would have to methodically worm your way into a community over time, participating on IRC, helping contribute innocuous changes to other packages, training new users, and so on. You'd then have to apply for the ability to upload, having demonstrated both skill and the ability to work with other members of the community, as well as the need for permission to upload a specific package. This process would take months or years.

And then, you'd have to keep any changes you made pretty cleverly hidden. Anything obviously phoning home or popping up full screen ads would instantly blow your cover, wasting the whole effort you put into it. It's simply not worth it. And that's before you realize how extensively open source the build pipelines for most distributions tend to be. (I can - and have - examined the actual build process used by multiple Arch Linux packages.)

This is completely incomparable to the process for uploading to Google Play. At best you're going to have to pass some automated checks. But it's an ecosystem built around closed-source (so no peer review) software, quasi-anonymous developers, and software funded by advertising. It's infinitely easier to sneak something into an app store, get a bunch of users, and get away with it (temporarily) than it is to put malware in the repositories of a modern Linux distribution.


> you would have to methodically worm your way into a community over time, participating on IRC, helping contribute innocuous changes to other packages, training new users, and so on. You'd then have to apply for the ability to upload, having demonstrated both skill and the ability to work with other members of the community, as well as the need for permission to upload a specific package. This process would take months or years.

Sure. Or you find somebody who's already done that and pay them some money.


And then, even if they're tempted by the large amount of money, they probably get caught pretty quickly and get banned. Again, even if you can use another person's account to reputation launder, it's still a very transparent platform that's hard to pull stuff like this on.

The usual process for this with mobile apps is not to pay someone a lot of money to ship malware, but rather to buy the person's account, app, and the source code outright. This has the advantage of not having to be explicit about what you're up to, gives the original developer plausible deniability, and gives you way more control. Plus it makes reputation laundering way easier and since the app is still closed source you can make any changes you want without anyone being the wiser.

All of this is completely different from how community supported repositories are run.


Would you call it the "previous" software distribution model? I still Google software for Mac and Windows, but I can't remember the last time I had to use a dodgy mirror site. Storage and bandwidth are cheap and plentiful now, most everything has an official source.


I call it "previous" because Windows and Mac both have actual app stores now, even if many developers shun the app stores and still encourage people to find their software by searching for it on Google.


It really is pathetic. Looks more mafia-like every day - they grab control of a choke point, ensuring they get their vig, but otherwise show no interest in providing real security.

It is just 'protection'.


What you describe is actually worse than the mafia. They would offer protection to some extent against third-party rip-off.


Yeah, people from areas that used to be run by the mob often say they ran things better than the government did. Mobs require some form of community support to operate from what I understand.

The "real" government is really just another mob anyway. Pay your [protection money/taxes] or get your shop [busted up/shut down] and have other bad things happen to you.

