There is NO such mechanism (discriminated updates by user), to my knowledge, in:
- Linux (apt, pacman, rpm...),
- Android
And I would add Windows and iOS/macOS but I'm not at all an expert so I leave others to confirm that their "app stores" don't do such exotic prowesses.
You can artificially insert a malicious script in a package that would scan your system, deduce your identity, and install something based on that, but in this case that means that it is just malware in the first place. And that would mean that the app to be installed contains a "mutable" component of data that is not defined by the contents of the package but rather written upon post-install actions, so it is also dubious to formally include that in the "app from that package" definition. In any case, such behavior would get your package banned from any app store or Linux distribution.
Yes, the US government and US courts (including the secret court FISC) have tools to compel Google, Apple and other vendors to install malware on users' devices. This is exactly the point.
Would you mind showing me some evidence that software update systems are able to push to you e.g. a different Android update based on your device ID or specific IP? (not just country geolocation) (PS: your link is about deploying malware through other routes, not by normal software updates)
Because all the other means I can think of are just basic malwarfare.
As you need to rely on a vendor/distributor to get updates, then of course they are able to push you malware, there is absolutely no going around this first ring of trust.
Conclusion: there is no point in accusing Proton of anything... they are just being software providers (FOSS by the way!!!).