Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.
It really bothers me, is that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.
Agreed. I am more speaking of ‘in general’, for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other ‘cheap’ attacks like dependency confusion, typo squatting etc.
Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.
When upgrading to the beta, does it become the stable release once that’s out via regular dnf package upgrades? Or are you then on some kind of beta channel that you have to switch back from?
You’ll want to use the terminal and run “sudo dnf upgrade”. If there’s any issues after that, just run “sudo dnf distro-sync” to ensure everything’s using the final release repo’s. The sync command is strongly recommended but not always necessary.
Hopefully DNF5 gets in for F41, especially since it was supposed to get in as the default for the current release, F39. If anyone’s curious, here’s the vote for deferring: pagure.io/fesco/issue/3039
And the reasoning given by the DNF5 team for targeting F41 instead of F40: …fedoraproject.org/…/EYE2JY537OM7GFW46EK7YIBLHJ52… (though fesco also wanted to keep it in F41 to not disturb the mass branching from F40 to RHEL 10)
It has been a while since I used fedora. I believe the last time was fedora 31 and heard murmurings of a dnf rewritten in c++ to be faster. Glad they actually pulled it off.
Fedora may receive backing from RH, but it’s still community-ran. Similar to how Linux itself is backed by the likes of Google/Meta/Huawei/etc but is isn’t ran by them.
And they didn’t close-source RHEL. I don’t like the license changes they made either, but calling it closed source is inaccurate.
If you’re a customer of theirs, you can see the source code. The license customers agree to is certainly a restriction, but it’s not all of a sudden closed/proprietary software.
And finally, despite that recent move, RH remains probably the biggest contributor to desktop Linux. If you want to avoid their work… good luck. It’s literally everywhere.
I’m saying their source code is available to its users for auditing, changing, redistributing without risk of being sued for intellectual property violations.
That’s fine as far as the GPL goes. It doesn’t have to be public to non-users.
You’re basically saying that something isn’t wet, it just has water on it.
I’m saying their source code is available to its users for auditing, changing, redistributing without risk of being sued for intellectual property violations.
We’re saying the same thing, you just refuse to attach “closed source” to its definition. So answer me this: can anyone freely use it? Can only licensees use it? If the answers are no and yes respectively, that’s closed source.
I’m saying nothing of the sort.
You absolutely are. You’re using the word’s definition (source code available only to licensees), but won’t say the actual word (closed source).
No, we aren’t saying the same thing, because you’re talking nonsense and I am not.
Closed source means computer programs whose source code is not published except to licensees
Nowhere in your link does it actually say that. And amusingly, by that definition, software where the source code isn’t provided to licensees isn’t closed source. What? So software where the code is a total black box that nobody other than the programmer knows isn’t closed source in your mind?
But here’s something it does say:
Proprietary software is software that grants its creator, publisher, or other rightsholder or rightsholder partner a legal monopoly by modern copyright and intellectual property law to exclude the recipient from freely sharing the software or modifying it
Let’s go through the two listed criteria, shall we?
Legal monopoly to exclude the user from sharing the software: RHEL doesn’t have this. They can’t sue anybody for sharing the code.
Legal monopoly to exclude the user from modifying the code: RHEL doesn’t have this. RHEL users are free to modify the code as they wish.
Saying “if you clone and republish RHEL, taking advantage of our work to undercut us with minimal effort, we reserve the right to not have you as a continued customer” is perhaps against the spirit of many open source licences, on that I agree, but it’s a far cry from being closed source. RHEL isn’t like MacOS or Windows.
It’s hard for me to take you seriously when it does and I literally copy/pasted from the link. Even if you don’t read the whole page, you can’t even do a CTRL+F correctly.
It literally doesn’t. Please stop lying. Everybody can see you lying. It just makes you look like even more of an idiot. You don’t want to look like even more of a idiot, do you?
I’ve used your own source to dismiss your argument.
But here’s another, just to drive the point home even more:
Calling me a liar (when it’s easily provable I’m not, I even included a screenshot for you) devolving to insults, calling me a kiddie and an idiot? If you can’t even formulate an argument without insults and you fail twice to read a link, yep, we’re done. Enjoy your day/night.
Jorge Castro has been the head of this project and I am excited by his vision. Bluefin aims to be the immutable desktop distro with the most sane defaults that also supports Nvidia.
It’s a mascot for brand recognition purposes, just like Tux the penguin. I don’t quite understand what the problem is. I feel like if I were to call anything about it weird, it would be the use of a derpy, chonky dinosaur rather than the gender of said derpasaurus.
if I were to call anything about it weird, it would be the use of a derpy, chonky dinosaur
Bluefin is a Deinonychus antirrhopus, a theropod dinosaur whose name means “terrible claw”. Discovered in the 1960s, she revolutionized our understanding of dinosaurs. Before Deinonychus, dinosaurs were often seen as slow, dim-witted creatures. However, she shattered these misconceptions, offering insight into the dynamic world of hot-blooded, rapidly evolving animals that were masters of their domain. We aim for our desktop to embody a similar nimbleness. Power and adaptability.
I like them a lot, switched to Kinoite⏩uBlue: (Kinoite-main, -nokmods (until that got silently dropped), -main again; 37-39)⏩Secureblue kinoite-laptop-userns
The biggest Problem is that Fedoras Images are not usable.
Filemanager movie thumbnails dont work
Flatpak browsers are not feature-complete and probably not secure (because they can’t create usernamespace-isolated processes for tabs)
they have no NVIDIA support
powerusers will miss ffmpeg
The idea of immutable images is, to have a base that most people dont need to change. You can, but the moment you add NVIDIA proprietary drivers or full ffmpeg, you are in unprotected territory again.
So I like the Distros for their reproducible bugs and future possibility to be a very secure base (you could just verify the hash of the root system to check for viruses). But they cannot be produced in the US.
Fedora is nice but just like with rpmfusion, ublue is the key part that makes it work. And on immutable images this cannot just be added in a welcome dialog, as you need massive overrides by default.
I can’t find an open issue regarding security with flatpaks on librewolf codeberg.org/librewolf/issues/issues it would be nice if you could open one such that it may get adressed.
Just install ffmpeg in a distrobox or layer it if you desire
Filemanager thumbnails - I usually don’t use big icons (or thumbnails) hence, I don’t remember it too well but that should depend on the file manager, right? And aren’t there tools for thumbnail creation in case they are missing? (I remember something from my time when I used arch)
You cant layer ffmpeg, you need to override-remove everything libav and then install everything new from rpmfusion. I did that, its a mess.
If you just want video playback thats just libavcodec-freeworld, thats why I specifically mentioned ffmpeg.
I am not a fan of Distrobox for small tools. For sure possible but unnecessary and the workflow is a pain. And trust me, I use it daily and even ran libvirt in a rootful one, virt-manager in a rootless one, connected over ssh.
Chromium uses namespaces. Nowadays unprivileged user namespaces, but the legacy suid namespaces are still integrated.
If you want to run Chromium (and I think all Electron apps too) as Flatpak, you replace those namespaces with zypak, which instead isolates processes using flatpak and its seccomp filters.
These are the seccomp filters for every app though, so they are probably way too unrestricted. Also it has a small performance hit.
That is the reason why no Chromium Browser Flatpak is official.
Now the thing with Firefox is, I have no idea what isolation they use. Everyone says its less secure. And they adopted Flatpak as if it was nothing, without any comment on that topic.
The issue is that Flatpak uses a single seccomp filter for bubblewrap, that is used by every app. But browsers would need a different one, with just the added permission to create user namespaces.
Currently this is not even possible when using a seperate repo. Really, no idea. Bubblejail is an alternative with custom seccomp filters and usernamespace permission. But it is very different, uses system packages and is very alpha.
fedoramagazine.org
Hot