Skip Navigation
InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)FE
federico3 @ federico3 @lemmy.ml
Posts
1
Comments
32
Joined
5 yr. ago

Any advice for a long-time Linux user, first-time Linux desktop user?

  • You can use firejail or other sandoxes with any application packaged in any distribution.

    • Why does nobody maintain PPAs anymore?

  • I am well aware of it. It is an example of the traditional distribution workflow preventing a backdoor from landing into Debian Stable and other security-focused distributions. Of course the backdoor could have been spotted sooner, but also much later, given its sophistication.

    In the specific case of xz, "Jia Tan" had to spend years of efforts in gaining trust and then to very carefully conceal the backdoor (and still failed to reach Debian Stable and other distributions). Why so much effort? Because many simpler backdoors or vulnerabilities have been spotted sooner. Also many less popular FOSS projects from unknown or untrusted upstream authors are simply not packaged.

    Contrast that with distributing large "blobs", be it containers from docker hub or flatpak, snap etc, or statically linked binaries or pulling dependencies straight from upstream repositories (e.g. npm install): any vulnerability or backdoor can reach end users quickly and potentially stay unnoticed for years, as it happened many times.

    There has been various various reports and papers published around the topic, for example https://www.securityweek.com/analysis-4-million-docker-images-shows-half-have-critical-vulnerabilities/

    They have to watch hundreds to thousands of packages so having them do security checks for each package is simply not feasible.

    That is what we do and yes, it takes effort, but it is still working better than the alternatives. Making attacks difficult and time consuming is good security.

    If there is anything to learn from the xz attack is that both package maintainers and end users should be less lenient in accepting blobs of any kind.

    • Why does nobody maintain PPAs anymore?

  • They do now have a verified tick in Flathub to show if a Flatpak is official

    Jia Tan liked your comment

    Without the traditional distribution workflow what prevents flatpaks to be full of security issues? Unfortunately sandboxing cannot protect the data you put in the application.

    • What open-source software would you like more people to know about?

  • Thanks!

    • Taking your ideas for my next linux app

  • A speech-to-text / dictation system geared towards writing documentation.

    • Taking your ideas for my next linux app

  • I would love a text based ActivityPub client focused on meaningful discussions: threaded view, ability to follow threads or branches, highlight posts based on keywords.

    • What open-source software would you like more people to know about?

  • How does it compare with Paperwork? https://www.openpaper.work/en/

    • Ferrari's first electric car will literally roar, CEO promises

  • alerting people to their presence

    Is many legal systems the driver is responsible for not running people over.

    • Are hardware security keys worth it? If so, which to pick?

  • You are better off with an encrypted password store and a 2FA on a phone. You can back up both, easily, and they are both protected with fingerprints and/or global passwords.

    • Forgejo or Radicle - Which do you prefer?

  • Radicle has plenty of red flags, see https://lemmy.ml/comment/8982169

    • 'Facial recognition' error message on vending machine sparks concern at University of Waterloo

  • People panic about face scan while the ongoing massive privacy breaches exist around online services and electronic devices. The amount of personal data that people pour into smartphones is enormous compared to using that vending machine. We need more GDPR.

    • Reddit: 'We Are in the Early Stages of Monetizing Our User Base'

  • I would come along a question that I was well educated on, and the top voted responses were all very clearly wrong, but sounded correct to someone who didn’t know better.

    This can be said to https://news.ycombinator.com/ as well. I wonder how much of this is due to sock puppets and bots.

    • Reddit: 'We Are in the Early Stages of Monetizing Our User Base'

  • This tends to give more influence to people who spend more time on it and write more. And they are less likely to be subject matter experts.

    • Reddit: 'We Are in the Early Stages of Monetizing Our User Base'

  • Honest question: deleted comments might be just hidden and still up for sale, do people know if GDPR can come to the rescue here?

    • What can you get to within a 15-minute walk of your house?

  • What can you get to within a 15-minute walk of your house?

    Shot.

    Just kidding, I live in Europe. :) All the things in the list except the arena.

    • Enshittification of GitHub?

  • Github is designed to centralize git (as the word "hub" suggests). You can still migrate away code, issues and wikis, but contributors, followers, wiki editors, issue subscribers, visibility in general and github stars are locked in. Discoverability matters to projects trying to attract contributors.

    • Could we add alternativeto.net to the sidebar?

  • Count me in! (Or shall I say: you have my sword?)

    • I'm looking for a privacy respecting vacuum robot

  • Because Valetudo is not a custom firmware, it cannot change anything about how the robot operates.

    Source: https://valetudo.cloud/pages/general/newcomer-guide.html

    • My internal fight over what device to buy

  • Hopefully like https://mobian-project.org/

    • Collecting feedbacks about fediverse experience

  • I did the survey but please would you mind identifying yourself and linking to the research paper when it's ready?

    • Libre Software @lemmy.ml
    federico3 @lemmy.ml