As long as some platform is capable and powerful for many things, there will be malware. The reason why most (consumer-facing at least) malware isn't targeting Linux is because its desktop market share is like 3%. It's way better to target Windows on desktop since you can reach way more users that way.

The only other alternative is turning your computer into a glorified phone (a.k.a. a locked-down media consumption device) where everything is nicely sandboxed and nothing has any kind of permission to do "bad" things. (Except tracking. Because guess what, the company who makes the OS also sells ads.)

Popularity was the canned cope for why Windows 95 through XP were riddled with so much malware. But then Microsoft started taking security more seriously with Vista and onwards. The situation didn't turn into sunshine and roses, but it did improve dramatically. It turns out that popularity wasn't the problem, the problem was the insecure nature of the software. There is of course still a lot of room for improvement.

As opposed to the Linux security best practices of curl | bash? I have no choice but to set up my computer to run untrusted code, on a CPU which itself might be spying on me -- I don't feel like my environment is inherently more secure than Windows at all. Just less popular.

> As opposed to the Linux security best practices of curl | bash?

Just because some people like to ask you to install their software that way doesn't make it "Linux security best practices" and it doesn't mean you need to follow those directions.

You can review whatever you're running, and you should if you want to install that way and feel it's insecure. At a minimum you can download the script to an actual file you keep around for a while and run it, so if something weird does seem to be happening you can at least see what the script was attempting.

Or, just refuse to install software that way. There's almost always a different way, and that's just provided for convenience. If people are opting for the unsafe method because it's convenient, I don't think that says as much about the OS as it does the people using it.

I don't disagree with what you're saying, but:

> You can review whatever you're running

How realistic is this for regular users? And even power users, in some cases. Let's say you download the install script. It's either hundreds of lines or it in turn downloads and runs some blob. Are you comfortable asserting your review is enough?

Is this truly so different to clicking on some random Windows installer?

If the same kind of Windows non-power users start running Linux and it becomes a really widespread desktop OS, would the situation be particularly different?

Regular users on Linux shouldn't be downloading software through their web browser at all; that's a Windowsism. Regular users on Linux should be using their package manager to install new software. Say what you want about Debian's volunteers, but they're a hell of a lot more trustworthy than the average Windows software download website.

> Regular users on Linux shouldn't be downloading software through their web browser at all; that's a Windowsism.

I strongly disagree. "Only download from here; if it doesn't have what you want, tough luck".

Also, this seems like an argument in favor of a walled garden. If so, I suppose that would fix Windows.

> "Only download from here; if it doesn't have what you want, tough luck".

It's not that doing otherwise is prohibited. It's that doing otherwise should get your hackles up.

Which is why it isn't this:

> this seems like an argument in favor of a walled garden.

There are no walls. It's just a garden. But you have to understand that if you leave the garden, you're on your own.

For software developers and IT professionals, that's fine. They have a professional knowledge of the reputation of the source or know how to read the code, or how to set up a virtual machine if they want to try it but don't trust it. And if an ordinary user who is rightly wary of doing that still wants to get the latest AI thing from github, they call up their friend the software developer or their company's IT department or pay a computer repair shop they trust to set it up for them.

But that should be rare, because anything which is both popular and safe should promptly get added to the package manager.

Agreed, not a "walled" garden but a garden. Essentially an app store.

So essentially if Windows had this, problem fixed?

Or put another way, if most users came to Linux and started downloading crap from everywhere, there would be incentive for malware authors to write it for Linux, bringing it to the current situation with Windows?

> So essentially if Windows had this, problem fixed?

The problem is that the nature of Windows isn't to have this. Linux package managers are run by the community. They basically include anything popular that meets the licensing requirements to allow them to redistribute it. Windows instead has a "store" that wants to extract a vig, but because most of the software people use on Windows is commercial, the vendors then avoid the store to avoid the vig and the default is to install things from random websites.

And even if they fixed that, people are used to doing it the other way, vendors have already spent the time to set up alternate distribution infrastructure and they don't trust Microsoft not to reverse course once a critical mass of things are using their system and they can increase the friction to installing things from outside of it and then turn the screws on anything inside it.

To make it work there you would need the distribution system to be run by multiple independent third parties so they'd have to compete with each other to keep distribution margins low. There probably is a market for a third party "store" for Windows that pays the 3% to the credit cards and then distributes the apps via P2P so they can charge no more than 5% to app developers, which the app developers might then actually use because they don't have to build their own system for payments and updates. But the stores want to charge 30% and then the developers don't want to use the stores.

> The problem is that the nature of Windows isn't to have this.

Interestingly, they're getting a version of it. The winget command line package manager that Windows ships with now has two sources, the MS store and the winget community repo. The community repo is something anyone can submit to and it goes through some vetting process[1].

  PS C:\> winget search perl
  Name             Id                            Version                Match          Source
  --------------------------------------------------------------------------------------------
  Perl Formatter   9MSQVFZPRG3Z                  Unknown                               msstore
  Strawberry Perl  StrawberryPerl.StrawberryPerl 5.32.1001              Tag: perl      winget
  MAMP & MAMP PRO  MAMP.MAMP                     4.2.0                  Tag: perl      winget
  EditPlus         ES-Computing.EditPlus         5.6                    Tag: perl      winget
  XAMPP 8.1        ApacheFriends.Xampp.8.1       8.1.12-0               Tag: perl      winget
  XAMPP 8.2        ApacheFriends.Xampp.8.2       8.2.4                  Tag: perl      winget
  Sharperlight 5.4 PhilightPtyLtd.Sharperlight   5.4.60                                winget
  Wtils            Perlt.Wtils                   v1.0                                  winget
  Paperlib         FutureScholars.Paperlib       2.2.3                                 winget
  Teambition       Alibaba.Teambition            2.0.3                  Tag: paperless winget
  DingTalk         Alibaba.DingTalk              7.0.30-Release.6019103 Tag: paperless winget

It's not quite the same though, as there are different considerations when using a repository of things a unified group has decided should be included and built (or slightly modified existing) packages for and a repo where anyone can submit a package that will go through some level of vetting. In the end I still believe most of this discussion is really about individuals and how much trust they apply towards different groups and sources, and is not really about Linux or Windows in particular as much.

1: https://github.com/microsoft/winget-pkgs