You lost your ballpoint pen, Slack? Why's your Linux version unsigned?

Slack is distributing versions of its chatroom app for Linux machines that are not digitally signed, contrary to industry best practice. The absence of a digital signature creates a means for miscreants to sling around doctored versions of the software that users wouldn't easily be able to distinguish from the real thing. El …

  1. Doctor Syntax Silver badge

    ""Slack takes security very seriously."

    Why do you journalists let them (PR people in general) get away with this when the circumstances say otherwise? Follow it up with "Then how do you account for...?". Make the bar stewards work for their money.

    1. Teknogrot

      I think that John is trusting readers of El Reg to draw the logical conclusion from the statement based on our collective time exposed to PR bullshit.

      1. Doctor Syntax Silver badge

        "I think that John is trusting readers of El Reg to draw the logical conclusion from the statement"

        Sure we can. But that doesn't stop PR spouting the same self-serving crap every single time. I suspect they're simply saying it to get the statement on record to use in defence in any future court case. If they actually gave such a statement in court they'd be seriously challenged on cross-examination.

        They really need to be challenged in the media as well. Tell them they're not being believed. Tell them their statement isn't going to be used at all unless they enlarge on how the events contradict the statement. Tell them that instead there'll be something like "We asked X for a statement but their response was so anodyne and bore so little relationship to events that we won't trouble you with having to read it because you won't believe it anyway."

        1. Anonymous Coward

          >But that doesn't stop PR spouting the same self-serving crap every single time.

          Isn't that their job?

          1. Doctor Syntax Silver badge

            "Isn't that their job?"

            As long as they're allowed to get away with it, yes. But they shouldn't be allowed to get away with it.

    2. Anonymous Coward

      ""Slack takes security very seriously."

      Dead on! This game has been going on too long. GDPR must impose fines for companies who pull this bullshit! The last decade has seen corporations hiring more PR heads while firing Tech staff. Face it Slack, you're just another Equifux / Avast waiting to happen!

      The cybercrims have won this round. Let's hope the next decade goes better. It's not rocket science. Start by hiring talented tech pros and paying them accordingly. Don't like that, cos you see tech guys as plumbers? Then watch your bonuses get flushed away!

      1. Dave559 Bronze badge

        Plumbers

        I think you are very unfairly disparaging plumbers: both plumbing and IT are jobs that require a good degree of technical knowledge and skills, and if either aren't treated with the relevant respect and importance, they don't work properly and the business gets covered in shit…

        (And sometimes techies have to use the equivalent of a drain unblocker, too…)

    3. mdava

      I agree, but perhaps it would be simpler to implement a this-is-bullshit font.

      1. Doctor Syntax Silver badge

        "perhaps it would be simpler to implement a this-is-bullshit font."

        No. The PR folk would just tell their masters that the text had been accepted with no further comment or request for clarification; job done.

      2. Anonymous Coward

        Re: perhaps it would be simpler to implement a this-is-bullshit font

        HTML6 should definitely have a <bs> tag.

        1. Ken Hagan Gold badge
          Unhappy

          Re: perhaps it would be simpler to implement a this-is-bullshit font

          HTML5 has <body>. That's almost the same thing.

          If you want finer-grain control, here are some other suggestions:

          <span class="bs">

          <span class="porn">

          <span class="terrrist">

          <span class="troll">

          1. Destroy All Monsters Silver badge

            Re: perhaps it would be simpler to implement a this-is-bullshit font

            Instead of slapping Nazis, slap PR bods.

            There are far more of them and it's a rewarding activity.

      3. GrumpenKraut Silver badge

        > ...a this-is-bullshit font.

        Comic Sans?

        1. AndyS

          > Comic Sans?

          This has my vote.

          Reg, pretty please, can you implement the use of Comic Sans when quoting any obviously-bullshit canned statement in the future?

    4. ThaumaTechnician

      That, and they need to ask questions like "the last six times you spoke to us, it turned out that what you said was untrue. Why should we believe you this time?"

    5. Psy-Q

      The multinational hotel chain I recently went to that wanted my credit card details sent in plain text said the same thing when I told them that this is bad security practice and surely a breach of PCI DSS. I think it's something that is taught to spokesdrones to always say as the very first thing when security is being questioned.

  2. Mark 110 Silver badge

    PR blurb

    "Slack takes security very seriously"

    Yes, so seriously we have done nothing about it even though it's been on the roadmap for ages, and so seriously we didn't just implement the security from the start . . .

  3. alain williams Silver badge

    It isn't that hard to do

    Even I do it for the tiny repo that I have created - mainly for my own convenience.

    Words are always cheaper than actions; so do they have a blame-someone-else script already written if/when it is hacked again? I notice that it was hacked in February 2015.

    1. Anonymous Coward

      Re: It isn't that hard to do

      No, it is not hard, therefore taking it "seriously" and it's on a "roadmap" suggest that the BS sniffometer is in the red zone with flashing light and klaxon on this one.

    2. Doctor Syntax Silver badge

      Re: It isn't that hard to do

      Slack by name, slack by nature.

  4. Adam 1 Silver badge

    it's ok

    I've scanned the download with CCleaner and it checks out safe.

    1. Cynical Observer
      Pirate

      Re: it's ok

      How could you miss adding the icon - for a product from a company called AVAST

      LMFTFY--------------------->

  5. Christoph Silver badge

    "It's been on our roadmap for quite some time and is coming very soon."

    We're just waiting for the horse to bolt first.

    1. Baldrickk Silver badge

      "It's been on our roadmap for quite some time and is coming very soon."

      Sounds like "a dev wants to do this, and wrote it in, but management is making him work on 'value added' features"

  6. druck
    FAIL

    How long?

    Red Hat have been signing their RPMs since 1999, which should have been just about long enough for Slack to realise this is a good idea.

  7. RyokuMas Silver badge
    Trollface

    To quote...

    ... (or at least paraphrase) a lot of the commentards' response to anything when Windows Phone was still a thing:

    "Why worry? It's only 3% of the market!"

    1. hplasm Silver badge
      Windows

      Re: To quote...

      As you are fond of saying-

      "yaaaaaaawnnnn"

      You need new material.

  8. chivo243 Silver badge
    Facepalm

    "It's been on our roadmap for quite some time and is coming very soon." Yes, the road map with the ciggy burn, coffee stain, and a doodle that looks like Professor Farnsworth as a cowboy...

  9. Anonymous South African Coward Silver badge

    Obligatory Dr Evil meme : https://imgflip.com/i/1w93mq

  10. kain preacher Silver badge

    "Slack takes security very seriously."

    Is that the same as a hooker saying "I take my health seriously, so you don't need a condom"?

  11. Jonathan 27 Bronze badge

    This is partly the fault of yum's maintainers. There should be a blatantly obvious warning and acceptance prompt if you try to install an unsigned package. That would force companies to do it to prevent complaints from users.

    1. Bucky 2

      I was under the impression that yum would refuse to install unless you added --nogpgcheck to the command line.

      That said, exactly how much time on "the roadmap" does it take to change:

      rpmbuild -ba slack.spec

      to

      rpmbuild -ba --sign slack.spec

      1. Ken Hagan Gold badge

        Re: rpmbuild -ba --sign slack.spec

        Really? Is that it?

        I've come to expect some pretty slap-dash, corner-cutting gobshite from web-based startups, but if it is that easy to sort out then their failure to do it right in the first place is hideously embarrassing incompetence and their subsequent failure to fix it in August is wilful negligence.

    2. Maventi

      >This is partly the fault of yum's maintainers. There should be a blatantly obvious warning and acceptance prompt if you try to install an unsigned package. That would force companies to do it to prevent complaints from users.

      There is. By default yum will scream at you if you try to install unsigned packages; you have to explicitly configure yum to ignore signatures. Given that even the most lowly back-alley free projects can quite happily manage signing (as someone who has built plenty of RPMs myself I assure you it's utterly trivial!) I'm completely astonished by Slack.

      Gotta live up to their name I guess.
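The two comments above (Bucky 2's "yum would refuse to install unless you added --nogpgcheck" and Maventi's "you have to explicitly configure yum to ignore signatures") are the practical point: an unsigned package only becomes a problem when the client side lets it through. The script below is an added example, not code from the article, the commenters, or Slack. It parses the one-line-per-package output of `rpm -K` (`rpm --checksig`) to tell signed packages from unsigned and failed ones, handling both the older token format (`rsa sha1 (md5) pgp md5 OK`, rpm 4.11 on RHEL/CentOS 7) and the newer `digests signatures OK` format (rpm 4.14 and later), and it audits a yum/dnf-style config for the settings that disable checking. The sample `rpm -K` lines, package names, key ID and repo file are constructed for the example. One caveat from yum.conf(5) worth knowing: `gpgcheck` governs packages from repositories, while a local `.rpm` file passed on the command line is governed by `localpkg_gpgcheck`, which defaults to 0, so `yum install ./package.rpm` of an unsigned file goes through silently unless that option is set. (Also, `rpmbuild --sign` was removed in rpm 4.14; the equivalent today is `rpmsign --addsign`, with `%_gpg_name` set in `~/.rpmmacros`.)

```python
"""Audit RPM signature status and yum/dnf signature-check settings.

Added example, not from the article or the comments. Sample inputs are
constructed; formats follow rpm(8) `-K` output and yum.conf(5).
"""
import configparser
import re

# Old-style `rpm -K` output names the signature algorithm and "pgp"/"gpg"
# only when the package header actually carries an OpenPGP signature.
_SIG_TOKENS = {"pgp", "gpg", "rsa", "dsa"}

# Keys whose value 0 switches a signature check off (yum.conf(5)).
# gpgcheck: repo packages; localpkg_gpgcheck: local .rpm files (default 0);
# repo_gpgcheck: repository metadata.
_CHECK_KEYS = ("gpgcheck", "localpkg_gpgcheck", "repo_gpgcheck")


def classify_checksig(line: str) -> dict:
    """Classify one `rpm -K` line as signed, unsigned, bad or unknown."""
    if ":" not in line:
        return {"package": line.strip(), "status": "unknown", "detail": "unparsable"}
    pkg, _, rest = line.partition(":")
    pkg, rest = pkg.strip(), rest.strip()
    lower = rest.lower()

    # Bad digest, bad signature, or signature from a key we don't have.
    if "not ok" in lower:
        m = re.search(r"\((MISSING KEYS:.*)\)\s*$", rest, flags=re.I)
        return {"package": pkg, "status": "bad", "detail": m.group(1) if m else rest}

    # rpm >= 4.14: "digests signatures OK" (signed) vs "digests OK" (unsigned).
    if lower.startswith("digests"):
        signed = "signatures" in lower
    else:
        # rpm 4.11: "rsa sha1 (md5) pgp md5 OK" vs "sha1 md5 OK".
        tokens = {t.strip("()").lower() for t in rest.split()}
        signed = bool(tokens & _SIG_TOKENS)
    return {"package": pkg, "status": "signed" if signed else "unsigned", "detail": rest}


def audit_yum_config(text: str) -> list:
    """Return "section.key=value" strings for settings that let unsigned
    packages through; also flags localpkg_gpgcheck left at its 0 default."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key in _CHECK_KEYS:
            val = cfg.get(section, key, fallback=None)
            if val is not None and val.strip().lower() in ("0", "false", "no"):
                findings.append(f"{section}.{key}={val.strip()}")
    if cfg.has_section("main") and not cfg.has_option("main", "localpkg_gpgcheck"):
        findings.append("main.localpkg_gpgcheck=<unset, defaults to 0>")
    return findings


# Constructed sample `rpm -K` output covering both output formats.
SAMPLE_RPM_K = """\
example-unsigned-1.0-1.x86_64.rpm: digests OK
signed-tool-1.0-1.el8.x86_64.rpm: digests signatures OK
untrusted-2.0-1.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)
legacy-unsigned-1.0-1.el7.noarch.rpm: sha1 md5 OK
"""

# Constructed yum.conf-style config with one repo that disables checking.
SAMPLE_YUM_CONF = """\
[main]
gpgcheck=1
installonly_limit=3

[vendor-repo]
name=Vendor repo (constructed sample)
baseurl=file:///tmp/repo
gpgcheck=0
"""


def report(rpm_k_output: str, yum_conf: str) -> dict:
    """Summarise both checks: the packages a doctored download would
    slip through as, plus the config that would let it."""
    pkgs = [classify_checksig(l) for l in rpm_k_output.splitlines() if l.strip()]
    return {
        "unsigned": [p["package"] for p in pkgs if p["status"] == "unsigned"],
        "bad": [p["package"] for p in pkgs if p["status"] == "bad"],
        "weak_config": audit_yum_config(yum_conf),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_RPM_K, SAMPLE_YUM_CONF), indent=2))
```

To use it against real data, feed `rpm -K /path/to/*.rpm` output and the contents of `/etc/yum.conf` (or `/etc/dnf/dnf.conf`) and `/etc/yum.repos.d/*.repo` to `report()`; anything in `unsigned` or `bad` is a package whose origin the package manager cannot vouch for, and anything in `weak_config` is a setting that would install it without complaint.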

  12. EVMonster
    Linux

    Linux

    Why don't you all upgrade your naff Linux to Windows 10?

    Your comments are appreciated ... the down vote button is on the right.

    1. Sierpinski

      Re: Linux

      "Why dont you all upgrade your naff Linux to Windows 10?"

      The sheer number of default settings that have been automatically adjusted away from "best practices" by automatically pushed updates is sufficient.

  13. x 7 Silver badge

    So who actually uses Slack anyway?

    It's a hobbyist distribution, no-one uses it in real life

    1. AZump

      Someone didn't read the article!

      Because if they did, they wouldn't have made a fool of themselves with such a moronic post. Since it was a bit TLDR for this person, let me explain to them.

      Application, NOT Operating System.

      BTW, *raises hand* Slackware 100% since 1997.

  14. J J Carter Silver badge
    Windows

    End of an era

    Can't risk this, so have migrated Nan from Slack to MSFT Teams and she's delighted.


Biting the hand that feeds IT © 1998–2019