>Traditionally on most linuxes (and bsds) you obtain trusted executables from a known good source (your distribution), whilst files from other sources are never run at all.
On the other hand, the vast majority of people installing applications by piping curl output to Bash are also on linuxes and bsds
Is this worst-case scenario for linux users any worse than the average-case of windows users downloading an .exe from a vendor's website and running it?
If you do not already have a pubkey for which the code can be signed, then there is no chain of trust to verify in the first place. What signature would you check the code against in such a scenario? One you download from the vendor's same website?
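The point above is that a signature or digest fetched from the same page as the download only proves self-consistency; the reference value has to be pinned from somewhere else first. As an added example that is not part of the thread, the following POSIX shell functions download an installer to a file rather than piping it into a shell, compare it against a SHA-256 digest the caller obtained out of band, and run it only on a match. It assumes `sha256sum`, `mktemp` and `curl` are available; the URL and digest are parameters the caller supplies.

```shell
# Added example (not from the thread): verify a downloaded file against a
# digest pinned from an out-of-band source before executing it.
# Assumes GNU coreutils (sha256sum, mktemp) and curl.

# verify_file FILE EXPECTED_SHA256
# Returns 0 if the file's SHA-256 digest equals EXPECTED_SHA256, 1 otherwise.
verify_file() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads to a temp file so the bytes that are checked are exactly the
# bytes that run; a curl | sh pipeline offers no such guarantee, and a
# truncated or altered stream would simply be executed as it arrives.
fetch_verify_run() {
    url="$1"
    expected="$2"
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_file "$tmp" "$expected"; then
        sh "$tmp"
        rc=$?
    else
        echo "digest mismatch for $url; refusing to run" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Usage is `fetch_verify_run https://example.invalid/install.sh <pinned-digest>`, where the digest came from a release announcement, a package metadata file, or a colleague's copy, not from the page hosting the script. A detached GPG signature checked against a key whose fingerprint was pinned the same way gives the same property with a rotatable secret; the digest version is shown because it has no key-management step.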
>Is this worst-case scenario for linux users any worse than the average-case of windows users downloading an .exe from a vendor's website and running it?
Well in my case, I screw around a lot on my computer. So I end up copying and pasting a few lines of bash code that download god-knows-what because I accidentally deleted the entire /etc/ directory and the howto guide that was the 3rd result on Google says "run this it will totally work".
So at least for me, yes, it's often worse than installing an .exe from a vendor's website.
But I didn't mean to say Linux installs don't tend to be safer than Windows, just that it's not as rosy as the original comment made it seem like.
> "Is this worst-case scenario for linux users any worse than the average-case of windows users downloading an .exe from a vendor's website and running it?"
Uh, yes? The naïve Windows user has Windows Defender scanning downloads to offer at least some token protection against known threats.
That's always the problem with using the word "Never". That should have been "Almost Never" or "Rarely" (which is true for me at least), and I didn't catch it when I proof-read my comment. Sorry about that.
And yes: while traditionally people might install just from their distribution, times have changed a bit and people now do install from pip, cargo, npm, etc; but these are _somewhat_ trusted repositories still (rightly or wrongly).
Some people sometimes use curl as well. Due to the nature and low volume, this still doesn't give literal viruses much leeway. This is because it's not a target-rich environment (only a few executables), it's not guaranteed to happen on many computers, and most importantly, people tend to only curl in one direction. When you curl, you're mostly going to end up downloading executables from some central location. Typically these executables don't subsequently get copied to (m)any other computers or back to the server. So a literal virus doesn't get a lot of traction to replicate the way a virus wants to.
If you do manage to curl some malware, what you'd get is probably going to be something that's properly called a Trojan. Trojans are definitely a thing.
Just because you're on Linux doesn't mean you're magically completely invulnerable to all kinds of malware, you still need to act with care.
On the upside many distributions are more or less designed to keep you safe by default, and won't suddenly do something crazy to get you into trouble. On the downside the human operators are not always similarly inclined. ;-)