144 points

Rustdesk looks good on the outside, but if you look inside, it has a really bad codebase and has done some sketchy stuff in the past.

Last year, it installed custom root certificates as trusted on Windows, which is a huge security risk: https://github.com/rustdesk/rustdesk/discussions/6444

On Linux systems, it forced its own autostart with no option to disable this behavior: https://github.com/rustdesk/rustdesk/issues/4863

In the past, when it didn’t have Wayland support yet, it edited your GDM config and just disabled Wayland: https://github.com/rustdesk/rustdesk/blob/1.1.9/src/platform/linux.rs#L411-L422

Furthermore, the code quality is really bad. 90% of the Linux platform-dependent code is just executing shell commands and parsing their output, while the same could be achieved in a safe way with proper Rust builtins: https://github.com/rustdesk/rustdesk/blob/master/src/platform/linux.rs

While I agree that Rustdesk works pretty flawlessly, the codebase and the behavior of the developers made me distrust the software and I don’t recommend using it.
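A read-only check for the GDM change mentioned in the comment above, written against the Rust standard library rather than by running shell commands and parsing their output. This is an added example, not RustDesk code; it assumes the change shows up as GDM's `WaylandEnable` key in the `[daemon]` section of `custom.conf`, and the function names and sample files are constructed for illustration.

```rust
use std::fs;

// Constructed samples in GDM custom.conf layout (not copied from a real host).
const STOCK: &str = "[daemon]\n#WaylandEnable=false\n\n[security]\n";
const MODIFIED: &str = "[daemon]\nWaylandEnable=false\n\n[security]\n";

/// Some(true): `[daemon]` forces Xorg (WaylandEnable=false); Some(false): it is
/// explicitly enabled; None: the key is absent or only present as a comment.
fn wayland_disabled(conf: &str) -> Option<bool> {
    let mut in_daemon = false;
    let mut result = None;
    for raw in conf.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue; // the stock file ships the key commented out
        }
        if let Some(name) = line.strip_prefix('[').and_then(|l| l.strip_suffix(']')) {
            in_daemon = name.trim() == "daemon";
            continue;
        }
        if !in_daemon {
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            if key.trim() == "WaylandEnable" {
                result = match value.trim() {
                    "false" | "0" => Some(true),
                    "true" | "1" => Some(false),
                    _ => result, // unrecognised value: keep the previous finding
                };
            }
        }
    }
    result
}

/// Reads the two usual GDM locations directly; missing files are skipped.
fn check_system() -> Vec<(String, Option<bool>)> {
    let paths = ["/etc/gdm3/custom.conf", "/etc/gdm/custom.conf"];
    paths.iter()
        .filter_map(|p| fs::read_to_string(p).ok().map(|c| (p.to_string(), wayland_disabled(&c))))
        .collect()
}

fn main() {
    println!("stock: {:?}, modified: {:?}", wayland_disabled(STOCK), wayland_disabled(MODIFIED));
    for (path, state) in check_system() {
        println!("{}: Xorg forced = {:?}", path, state);
    }
}
```
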

42 points
*

@petsoi@discuss.tchncs.de you might want to add that warning to the post.

They also tried to submit the app to Flathub, but had way too broad permissions with no explanation why. “Users expect filesystem access” etc. In the end it was rejected and they publish a .flatpak file themselves.

https://github.com/flathub/flathub/pull/5233

The other points are far worse though.

9 points

Rustdesk controversy

The whole discussion on that pull request is extremely sketchy, IMO.

40 points
*

To add on:

  • There is no transparency about who is behind it. It is just a GitHub account called “Rustdesk.” It could be a real company in Singapore or it could be some guy in China as people have speculated.

  • The Rustdesk software needs way more permissions than necessary. This became evident with the Flatpak, as they did sandbox escapes, which prevented them from being on Flathub.

  • The Rustdesk distribution is entirely centralized: a release server run by Rustdesk. They could easily push out malware to lots of devices.

  • They have done some sketchy things in the past. One of the things they did was quietly switch Linux desktops back to X11.

  • The Rustdesk system is not terribly resistant to brute forcing. The weak password means that someone could try every combination.

  • Rustdesk docker deployment docker compose exposes all ports on the host. This is minor but it could lead to a sandbox escape.

  • Rustdesk servers keep getting hosted in countries that have freedom problems such as China and Russia.

16 points

Wow, I’m wondering how anyone would trust this software. It literally exposes your desktop. To me that requires top-tier trust level, i.e. nothing sketchy at all.

8 points

We need an alternative

7 points
*

could be some guy in China

I don’t see how that’s a problem. It’s not like it’s by a Chinese-run company or like the Chinese government is spying on you; in the case you described it’d just be a rando with a hobby/vision.

The fact that it keeps getting hosted in countries that have freedom problems, such as China and Russia, does concern me, though.

2 points

The problem is that China makes developing privacy and freedom friendly tech illegal. You won’t find many Tor devs in China

15 points

Wow that’s so sketchy.

14 points

Okayyyy… that’s not great. I just read one of the threads and that’s scary.

The person(s?) maintaining this seems to be VERY BAD at communicating. They did fix the auto start problem but did not at all discuss this from what I see. That’s not great.

10 points

Really sad about this, because Rust Desk has been the absolute best remote access tool I’ve ever used in the IT world, and that includes many different professional tools like Ninja & TeamViewer.

It’s so clean, easy to install and run, fast and low latency, handles multi-monitors great, runs on mobile, Linux, Windows, etc.

Such a shame that it is mired in controversy.

3 points
*

Wth is that, that is the most anti-idiomatic code I have ever seen

https://github.com/rustdesk/rustdesk/blob/master/src%2Fplatform%2Flinux.rs#L176

pub fn get_cursor() -> ResultType<Option<u64>> {
    let mut res = None;
    DISPLAY.with(|conn| {
        if let Ok(d) = conn.try_borrow_mut() {
            if !d.is_null() {
                unsafe {
                    let img = XFixesGetCursorImage(*d);
                    if !img.is_null() {
                        res = Some((*img).cursor_serial as u64);
                        XFree(img as _);
                    }
                }
            }
        }
    });
    Ok(res)
}

I’m not an expert but this seems wrong.

2 points

Yep, I’m not a Rust expert either, but this is pretty cursed. The comments on this post have some more examples of bad rustdesk code: https://lobste.rs/s/njfvjb/rustdesk_with_tailscale_on_arch_linux

98 points

DO NOT USE THIS

This is a massive security risk and they have had so much controversy. They also routinely delete GitHub issues and discussions that question them. To top it off they are likely Chinese-run.

11 points

Is there a good, free, cross platform alternative?

14 points

Tailscale and Sunshine/Moonlight would work

6 points

Maybe meshcentral?

It depends on what you are trying to do. You also could do something like Tailscale + TightVNC

2 points

Meshcentral is discontinued because it was based on Intel ME (the official program completely sucks), and when the dev was fired by Intel, he obviously lost any interest in the thing. All downloads were even removed; only the source is available.

4 points
*

HopToDesk. https://hoptodesk.com

It’s a fork of RustDesk.

12 points

Actually they seem kind of sketchy too. https://github.com/rustdesk/rustdesk/discussions/2778

8 points

Rustdesk but even more sketchy

2 points

How do they improve on security and privacy?

3 points

I personally use NoMachine, and Tailscale for VPN access. Genuinely no complaints, it kinda “just works”.

1 point

I use DWService. Now everyone go ahead and tell me why I’m stupid.

-8 points

depends on your definition of good, and free

4 points

This comment is helpful

11 points

Source:

2 points

What?

Rust doesn’t solve all security issues in a codebase?

People should take note of that; I surely did…

1 point

I had the impression that it has a Russian connection, but anyways, it’s good to be on the lookout for such things

-27 points

China is good though? At least that ensures they aren’t a CIA operation.

12 points

China bans encryption and doesn’t allow you to use anything to thwart surveillance. I can’t say I want that in a remote access tool.

4 points
*

China bans encryption

Most confidently wrong statement I have read all year.

10 points

Not really. At this point, you’re having to pick between two surveillance states.

3 points

Or neither, when choosing open source tools worth their salt. In more and more fields such tools appear, fortunately.

2 points

In my book they are more of a risk than the USA. The USA already has political influence; for China to do it they need to use more extreme methods, like infiltrating your computer and using it, and perhaps you, as their tools.

28 points

Itsfoss is blogspam and often has many mistakes and wrong info. People should really stop posting links from them.

7 points

Itsfoss is indeed written by ChatGPT I think

2 points

It’s older than ChatGPT, but maybe this is true for their newer articles.

I also feel HowToGeek used to be great, now it’s just affiliations and misinformation. Shame.

26 points

Wasn’t there some controversy about this that it wasn’t entirely open-source?

11 points

they have a pro server with more features that’s closed source and paid

3 points

But why do you need a server for such a program? Can’t it be P2P or with the server stuff running on the client machine?

11 points

The server is used for hole punching, to open up a P2P connection through NATs and firewalls. If it doesn’t work the server also relays the traffic between the clients.

Getting an end to end connection through today’s internet is unfortunately not easy for an average user.

5 points
*

Theoretically, without the server, every time you want to connect to a peer you would have to figure out what their public IP address is, which can change. The server acts as a middleman between the peers so you don’t have to do this manually; all peers only need to know the server’s IP address to connect to each other. The server is really only used for this initial linking up of peers, afterwards the connection is P2P (if possible, they fall back to a relay server if P2P fails).
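The rendezvous step described in the two replies above, reduced to a loopback sketch that also shows what the middleman necessarily learns: which IDs were paired and the address each connected from. This is an added example, not RustDesk's protocol or code; the message format, the peer IDs `alice` and `bob`, and all function names are made up for illustration, there is no NAT on loopback, and the relay fallback is not shown.

```rust
use std::net::{SocketAddr, UdpSocket};
use std::{thread, time::Duration};

// Rendezvous server: records each peer's observed source address, then introduces them.
fn rendezvous(sock: UdpSocket) -> Vec<(String, SocketAddr)> {
    let mut seen: Vec<(String, SocketAddr)> = Vec::new();
    let mut buf = [0u8; 64];
    while seen.len() < 2 {
        let (n, from) = sock.recv_from(&mut buf).expect("recv");
        seen.push((String::from_utf8_lossy(&buf[..n]).into_owned(), from));
    }
    sock.send_to(seen[1].1.to_string().as_bytes(), seen[0].1).expect("send");
    sock.send_to(seen[0].1.to_string().as_bytes(), seen[1].1).expect("send");
    seen // everything the server learned: which IDs paired up, and from where
}

// Peer: registers, is told the other address, sends to it directly, returns what arrived.
fn peer(id: &str, server: SocketAddr) -> (SocketAddr, String) {
    let sock = UdpSocket::bind("127.0.0.1:0").expect("bind");
    sock.set_read_timeout(Some(Duration::from_secs(2))).expect("timeout");
    sock.send_to(id.as_bytes(), server).expect("register");
    let (mut introduced, mut direct) = (false, None);
    let mut buf = [0u8; 64];
    while !introduced || direct.is_none() {
        let (n, from) = sock.recv_from(&mut buf).expect("recv");
        let text = String::from_utf8_lossy(&buf[..n]).into_owned();
        if from == server {
            let other: SocketAddr = text.parse().expect("addr");
            // Behind a real NAT this outbound packet is what opens the mapping.
            sock.send_to(format!("hello from {}", id).as_bytes(), other).expect("direct");
            introduced = true;
        } else {
            direct = Some((from, text)); // a source address alone authenticates nothing
        }
    }
    direct.unwrap()
}

fn run_demo() -> (Vec<(String, SocketAddr)>, (SocketAddr, String), (SocketAddr, String)) {
    let server = UdpSocket::bind("127.0.0.1:0").expect("bind");
    let addr = server.local_addr().expect("addr");
    let s = thread::spawn(move || rendezvous(server));
    let a = thread::spawn(move || peer("alice", addr));
    let b = thread::spawn(move || peer("bob", addr));
    (s.join().unwrap(), a.join().unwrap(), b.join().unwrap())
}

fn main() {
    println!("{:?}", run_demo());
}
```
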

1 point

Binary blobs I thought

19 points

I self-host my own rustdesk server and it’s awesome. It just works flawlessly.
