this post was submitted on 24 Mar 2024
390 points (96.0% liked)
Privacy
32120 readers
970 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Fdroid is the obvious answer me thinks. Anyway love you guys/gals at videolan still haven't come across a piece of software that destroys every other in its field in every aspect.
Have people actually checked the versions there before making the suggestion?
F-Droid: Version 3.5.4 (13050408) suggested Added on Feb 23, 2023
Google Play: Updated on Aug 27, 2023
https://f-droid.org/en/packages/org.videolan.vlc/
https://play.google.com/store/apps/details?id=org.videolan.vlc
The problem seems to be squarely with VLC themselves.
I dont think that works for windows?
On Windows you should be downloading from the website.
Or winget if they provide it.
Doesnt winget use the same store?
Or use scoop or something similar. Or better yet don't use Windows
Thats not secure. Isn't the pount of the Windows Store that packages are signed by developers and verified when downloaded?
No, the point of the windows store is that Microsoft gets more control over your machine.
Code downloaded from websites can still be (and is) signed; when it’s not you get that box where you have to click “Run Anyway”
You can pay a one time fee if $25 to get Microsoft to sign your app on the Microsoft store, or you can pay $400+ per year to buy your own certificate. So Microsoft Store is sadly the cheap way to release apps on Windows. (Without users getting scary warnings from Windows and AV about installing unsigned aoftware)
The certs are sold by certificate authority companies, and Microsoft doesn't get a share of that, though I'm not sure.
Yeah, software being signed says nothing about it not being malicious or insecure, but it does prove the author is what it says, and if it is malicious then the responsible party is clearly visible.
For non-commercial hobby/open-source software the certificate price is prohibitive, so the only 2 options are Microsoft Store or accepting that users will see the scary warnings, and of course complain to the developer about it.
The assumption is that legitimate companies who sell software will sign it and that signature proves it came from that company who you trust because of their publicly known legitimacy. It's a bit of circular reasoning. But it does round back towards that legitimacy - if it is found that they violate your trust, they lose public trust and thus lose sales.
Luckily new OSes (cough NOT WINDOWS) are able to sandbox applications and prevent them from accessing resources without declaring the need to access it.
And as for the signing certificate, I think the MS Store will allow any signed app. They just offer the cheaper signing service.
You don't have to use the visual studio to package in MSIX
Come on man, every single software developer in existence uses package managers. It should not be complicated to understand the point of the store.
Pretty sure they're signed by Microsoft instead? At least that's what other app stores do.
It's all a game of shifting the point of trust around. Personally, I'd trust most small time developers more than the likes of Microsoft and Google, however I'd trust Fdroid more than unknown developers (but still go direct to the developers I do trust).
The good ones are signed by the devs, otherwise there's a risk of malicious modifications at upload or on the publishing infrastructure. This is how Maven works. All packages MUST be signed with PGP by the devs.
Apt isn't signed by the devs but its signed by the package maintainers, whose job it is to verify the packages that they prepare (devs can't upload software in Debian)
You can try chocolatey store then. Community maintained.
And also no.security. what's the point?
How about winget or the other commandline package managers? winget does have VLC according to winget-pkgs. This is the kind of "stores" we need, ones that emulate Linux repositories instead of locked down smartphone garbage.
Is singer secure tho? Iirc chocolaty isnt
Asking if something is secure on an insecure OS. Seriously, both the program and the repositories are on github:
https://github.com/microsoft/winget-cli
https://github.com/microsoft/winget-pkgs
So you be the judge.
Unfortunately even FlatPak is insecure, so OS doesn't really matter
Maybe don't check all the permission boxes in flatseal and you might find it's more secure than you think.
It's all about default permissions
Winrar?
7zip.
PeaZip is something you should check out too
What does 7zip do better?
Not show annoying popups about licenses?
7z is better than rar and its algorithm is fully open source
Check out PeaZip
Oh shit I did not know that. Switching now, thanks
Encryption?
I tried it and went back so winrar.