Installers are evil and here's why
There’s one aspect that’s always really annoyed me about Windows. Except this time, all major operating systems can be affected. Installers are one of the biggest cryptographic and social engineering security holes out there…
Okay, now what?
If you already saw my comments over on reddit and stuff, you may have figured out that I’m a proud Arch Linux User™ btw (there, I said it), with a little twist.
My particular install calls itself “Arch Linux Atomic”, and for good reason. Taking inspiration from the likes of Fedora Silverblue, I am trying to build an Arch system where most system directories (namely
/etc) remain read-only.
Wouldn’t that be a hassle? Doesn’t it break
There’s the thing. To me, Arch Atomic is a little experiment on trying to distinguish user-installed programs from the system state. The logic is that as long as the system state works, nothing can possibly break from user-side tinkering, and ideally the user won’t feel handcuffed by their OS.
The key to achieving this is to have the system precisely control the way software is installed. To pretty much no one’s surprise, that means that I try to rely as much as possible on package managers. Because I can tell the package manager how to install things on my particular system, and retain compatibility with official Arch Linux repos.
Signing is cool
Let me guess, you’re hating on installers because you prefer package managers? I knew it, you’re a Linux shill!
Woah, hold that thought. There’s one other thing that’s really nice about package managers, and that pretty much no one cares about except when it breaks. That neat little thing is cryptographic signing. The ability to ensure, within reasonable doubt, that the random program you’re downloading is in fact trustworthy.
As they say, “prevention is better than cure”. When a package manager sees a signing discrepancy, it outright blocks you from installing the program. That’s the best kind of safety feature – it gets out of the way and is simple to understand, yet very hard to break without direct machine access (but that’s another problem entirely).
Programs downloaded from a random place can only be trusted if the entire operating system implements that signing feature. For example, macOS does, and obviously are milking developers for it.
Still, it works.
Windows kinda does too, but only when UAC is involved, and it’s not remotely enforceable, and if you think end users are going to tell the difference between a yellow and red UAC box, you’re delusional.
Don’t trust strangers
Yeah, but as you said, macOS installers are signed, so we’re all good, right?
Say a malicious third-party somehow got through the signing and authoring process. Let’s review what they can, and cannot do:
- Installer: An installer (especially the system-wide kind) is like a black box. It does some voodoo with elevated access, on the basis that you trust it to install a program. It can choose not to and there’s nothing you can do about it.
- Package manager: Package management is simple. Read through some info, move files to where they should be, update software index, done. We know what’s going on, and at no point is the program needlessly elevated. Or run, for that matter. Package managers treat applications as inert data, meaning they cannot take advantage of elevated privileges.
The real strength of a package manager is that it makes privilege escalation requests unusual.
On Windows, for example, everything shows a boring, identical UAC dialog box. Annoying, get out of the way, done. Now your system’s broken.
On macOS, the permission dialog is not only more unusual, it’s also more detailed. It’s worth taking a good look at, because you don’t see it everyday, and instead of abstract concepts like administrator access, it gives you a down-to-earth explanation of what the app is asking for.
On the usual Linux system, there’s
root and there’s plebs. No in-between. Virtually no app will ask you for root access, save from the package manager and the occasional system utility. That makes it look like a dangerous red button, rather than a boring formality. When you see
sudo, you think twice (hopefully).
An installer is a random program that runs as Administrator and you trust will install something. Nothing is enforcing it to follow conventions (leading to bit rot) or do what it says at all (leading to viruses).
You could enforce signing. Signing in a curated app store is kind of a given. Signing on every single program on the system is frowned upon at best.
Your best weapon is to educate users. Eliminating installers removes a reason to accept administrator access prompts, making users more thoughtful about it.