Just create more RAM out of thin air with zram. I’ve got 60 GB now. 30-something of actual RAM (some of my 32 GB gets allocated to the APU) and the same amount as zram. I can run 2 Chrome instances now!
The problem I have with this meme post is that it gives a false sense of security, when it should not.
Open or closed source, human beings have to be very diligent and truly spend the time reviewing others code, even when their project leads are pressuring them to work faster and cut corners.
This situation was a textbook example of how this does not always happen. Granted, duplicity was involved, but still.
In many ways, distributed open source software gives more social attack surfaces, because the system itself is designed to be distributed where a lot of people each handle a different responsibility. Almost every open source license includes an explicit disclaimer of a warranty, with some language that says something like this:
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
Well, bring together enough dependencies, and you’ll see that certain widely distributed software packages depend on the trust of dozens, if not hundreds, of independent maintainers.
This particular xz vulnerability seems to have affected systemd and sshd, using what was a socially engineered attack on a weak point in the entire dependency chain. And this particular type of social engineering (maintainer burnout, looking for a volunteer to take over) seems to fit more directly into open source culture than closed source/corporate development culture.
In the closed source world, there might be fewer places to probe for a weak link (socially or technically), which makes certain types of attacks more difficult. In other words, it might truly be the case that closed source software is less vulnerable to certain types of attacks, even if detection/audit/mitigation of those types of attacks is harder for closed source.
It’s a tradeoff, not a free lunch. I still generally trust open source stuff more, but let’s not pretend it’s literally better in every way.
It’s a tradeoff, not a free lunch. I still generally trust open source stuff more, but let’s not pretend it’s literally better in every way.
Totally agree.
All the pushback I’m getting is from people who seem to be worried about open source somehow losing a positive talking point when comparing it to closed source systems, which is not my intention (the loss of the talking point). (I personally use Fedora/KDE.)
But sticking our heads in the sand doesn’t help things; when issues arise, we should acknowledge them and correct them.
using what was a socially engineered attack on a weak point in the entire dependency chain.
An example of what you may be speaking about, indirectly. We can only hope that maintainers do due diligence, but it is volunteer work.
In the broader context of that thread, I’m inclined to agree with you: the circumstances by which this particular vulnerability was discovered show that it took a decent amount of luck to catch it, and one can easily imagine a set of circumstances where this vulnerability would’ve slipped by the formal review processes that are applied to updates in these types of packages. And while it would be nice if the billion-dollar companies that rely on certain packages would provide financial support for the open source projects they use, the question remains how we should handle it when those corporations don’t. Do we front it ourselves, or just live with the knowledge that our security posture isn’t optimized for safety, because nobody will pay for that improvement?
There are two big problems with the point that you’re trying to make:
There are many open source projects being run by organizations with as much (often stronger) governance over commit access as a private corporation would have over its closed source code base. The most widely used projects tend to fall under this category, like Linux, React, Angular, Go, JavaScript, and innumerable others. Governance models for a project are a very reasonable thing to consider when deciding whether to use a dependency for your application or library. There’s a fair argument to be made that the governance model of this xz project should have been flagged sooner, and hopefully this incident will help stir broader awareness for that. But unlike a closed source code base, you can actually know the governance model and commit access model of open source software. When it comes to closed source software you don’t know anything about the company’s hiring practices, background checks, what access they might provide to outsourced agents from other countries who may be compromised, etc.
You’re assuming that 100% of the source code used in a closed source project was developed by that company and according to the company’s governance model, which you assume is a good one. In reality BSD/MIT licensed (and illegally GPL licensed) open source software is being shoved into closed source code bases all the time. The difference with closed source software is that you have no way of knowing that this is the case. For all you know some intern already shoved a compromised xz into some closed source software that you’re using, and since that intern is gone now it will be years before anyone in the company notices that their software has a well known backdoor sitting in it.
None of what I’m saying is unique to the mechanics of open source. It’s just that the open source ecosystem as it currently exists today has different attack surfaces than a closed source ecosystem.
Governance models for a project are a very reasonable thing to consider when deciding whether to use a dependency for your application or library.
At a certain point, though, that’s outsourced to trust whoever someone else trusts. When I trust a specific distro (because I’m certainly not rolling my own distro), I’m trusting how they maintain their repos, as well as which packages they include by default. Then, each of those packages has dependencies, which in turn have dependencies. The nature of this kind of trust is that we select people one or two levels deep, and assume that they have vetted the dependencies another one or two levels, all the way down. XZ did something malicious with systemd, which opened a vulnerability in sshd, as compiled for certain distros.
You’re assuming that 100% of the source code used in a closed source project was developed by that company and according to the company’s governance model, which you assume is a good one.
Not at all. I’m very aware that some prior hacks by very sophisticated, probably state sponsored attackers have abused the chain of trust in proprietary software dependencies. Stuxnet relied on stolen private keys trusted by Windows for signing hardware drivers. The Solarwinds hack relied on compromising plugins trusted by Microsoft 365.
But my broader point is that there are simply more independent actors in the open source ecosystem. If a vulnerability takes the form of the weakest link, where compromising any one of the many independent links is enough to gain access, that broadly distributed ecosystem is more vulnerable. If a vulnerability requires chaining different things together so that multiple parts of the ecosystem are compromised, then distributing decision-making makes the ecosystem more robust. That’s the tradeoff I’m describing, and making things spread too thin introduces the type of vulnerability that I’m describing.
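The "dependencies of dependencies" trust chain described above can be made concrete. The following is an added example, not code from anyone in this thread: it walks a constructed package graph (package names loosely follow the sshd/systemd/xz chain mentioned here, but the maintainer names and the exact edges are invented) and reports which maintainers a top-level package ends up trusting transitively, and which of them sit beyond the one or two levels a person would plausibly vet by hand.

```python
"""Transitive trust in a dependency graph (added illustration, not from the thread).

Each package maps to (maintainer, [direct dependencies]). The graph below is
constructed for this example: the package names echo the sshd -> libsystemd ->
liblzma chain discussed above, the maintainers and remaining edges are invented.
"""
from collections import deque

SAMPLE_GRAPH = {
    "sshd":       ("maint-A", ["libsystemd", "libcrypto"]),
    "libsystemd": ("maint-B", ["liblzma", "libcap"]),
    "liblzma":    ("maint-C", []),
    "libcap":     ("maint-D", []),
    "libcrypto":  ("maint-E", ["libz"]),
    "libz":       ("maint-F", []),
}


def transitive_trust(graph, root):
    """Breadth-first walk from `root`.

    Returns (depth_by_package, maintainers): the depth at which each package
    first appears below the root, and the set of distinct maintainers behind
    the whole closure. The visited set makes the walk safe on cyclic graphs.
    """
    depth = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        _, deps = graph.get(pkg, (None, []))   # unknown packages are leaves
        for dep in deps:
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    maintainers = {graph[p][0] for p in depth if p in graph}
    return depth, maintainers


def trusted_beyond_depth(graph, root, levels):
    """Maintainers reached only deeper than `levels` hops from the root.

    This is the set a reviewer who vets `levels` layers of dependencies by hand
    is implicitly trusting without ever looking at them.
    """
    depth, _ = transitive_trust(graph, root)
    return {graph[p][0] for p, d in depth.items() if d > levels and p in graph}


def single_points_of_trust(graph, root):
    """Transitive dependencies whose maintainer appears nowhere else in the closure.

    Each such package is trusted on the word of exactly one person or team;
    in the thread's terms, a candidate weakest link.
    """
    depth, _ = transitive_trust(graph, root)
    counts = {}
    for p in depth:
        if p in graph:
            counts[graph[p][0]] = counts.get(graph[p][0], 0) + 1
    return sorted(p for p in depth if p in graph and p != root
                  and counts[graph[p][0]] == 1)


if __name__ == "__main__":
    depth, maintainers = transitive_trust(SAMPLE_GRAPH, "sshd")
    for pkg, d in sorted(depth.items(), key=lambda kv: kv[1]):
        print(f"{'  ' * d}{pkg} (maintained by {SAMPLE_GRAPH[pkg][0]})")
    print("distinct maintainers trusted:", len(maintainers))
    print("trusted beyond 1 level:", sorted(trusted_beyond_depth(SAMPLE_GRAPH, "sshd", 1)))
    print("single points of trust:", single_points_of_trust(SAMPLE_GRAPH, "sshd"))
```

On the sample graph, vetting one level down (sshd's two direct dependencies) still leaves three maintainers trusted sight unseen; every leaf here is a single point of trust, which is the situation the liblzma/xz takeover exploited. On a real system the same walk can be driven from the package manager's dependency output and the distro's maintainer metadata.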
PS. “But what about GIMP, or Krita, or Inkscape, or OpenOffice, or using rsync for cloud storage, or <YOUR_FAVORITE_TOOL>?” you may ask. Trust me, I tried it all. Every last presentation, raster/vector graphics software out there. Regardless of how much I hate Adobe, their software is top tier, and until GIMP becomes the Blender of graphic design, I can’t really rely on it for most of my purposes :(
The “Trust me, I tried it all.” and mentioning OpenOffice in one paragraph doesn’t feel quite right. OpenOffice is obsolete. Instead there is ONLYOFFICE and LibreOffice as open source choices for Linux users, available as Flatpak, Snap and probably AppImage.
Nobody should use OpenOffice. It is just an ancient version of LibreOffice at this point.
The name OpenOffice is much better. Many people every year probably get pulled into OpenOffice without realizing what it is. I hate that Apache is just sitting on that code and pretending it is still active.
Some people say that OnlyOffice has the best Microsoft Office interoperability. If LibreOffice is not good enough, maybe give OnlyOffice a try.
Okay. Your Arch Linux review ends with naming your favorite options, which include Proton, Microsoft and Adobe. As you don’t seem to mind using closed source software, did you have a look at WPS Office (some Linux distributions include this), SoftMaker Office (available for Linux and Android), or Zoho Office?
As for The GIMP (people have complained about its project name, but the developers refused any changes): from what I read, Krita and Inkscape seem more promising. Krita has David Revoy as open source advocate, vocal on Mastodon: www.davidrevoy.com
I used WPS; it was worse than Libre in usability, plus quite bloated with all sorts of stuff (luckily, I don’t have to pay for the Office, and will never actually do that willingly). Haven’t used the other two, however, will have a look, thanks!
Both GIMP and Krita are very nice and decent, just not powerful enough for many things I need Photoshop for. Inkscape is actually much closer to Illustrator (not as powerful, but still), so that might be the only one with the “getting used to it” issue.
Actually, one other thing I should have mentioned is that I also transitioned from using Premiere Pro to Kdenlive (and sometimes even Blender for very light video editing). Kdenlive is an amazing success story for KDE; hope that happens to Krita as well.
PS. The name GIMP sounds amazing! Love it, they should never change it )
Hi, not the Original Commenter but an occasional user of Orion.
It is WebKit based but has full compatibility for all Firefox and Chrome extensions. Plus in my experience it’s really fast at loading stuff - noticeably so.
It’s being developed by the people behind the Kagi search engine, which is also really good.
On an iPhone specifically it means there’s no real difference between them beyond mostly the cosmetic. It’s not just that it’s WebKit, it’s that it’s WebKit that’s also behind Apple’s walled garden.
Firefox that doesn’t render with gecko isn’t really Firefox, is it? I mean I get that Mozilla endorses the app, but it’s not the same Firefox as it would be almost anywhere else.
I agree. The recent EU ruling has at least fixed that problem for EU citizens while the rest of the world catches up.
We were however discussing browsers in the context of desktops in the original thread. On macOS, other engines are allowed.
Your issue is with Apple’s draconian policy on iOS, not WebKit.
Further, two F1 cars using the same engine can perform vastly differently depending on how they’re tuned and how the car is built. While I do concur that it is criminal to not let us strap a jet engine to the F1 car, that doesn’t mean there aren’t differences between the currently legal cars beyond the coat of paint.
In the old days laptops were rare and accessible only to a select few. The others in the background were just admiring the flawless handiwork the Arch user is displaying with the command line.
Pockets? I’ve asked my family to have my organs removed and have my body filled with cherry bombs, as well as install more cherry bombs in my limbs and joints before having my remains cremated standing upright on a stage to be viewed by all my friends and acquaintances. As my body burns and the firecrackers go off, my limbs will flail around in a comically random way before the entire body just explodes.
Unrelated - I love that picture. I want it as a wallpaper but it’s way too square. Do you have some source where I could get a higher definition, wider and/or taller version?
Unfortunately, it’s a product of the imagination of an overpowered progenitor of our future overlords, otherwise known as GPT-4. And apparently, it still does not want to produce 16x10 images (that is, unless you give it a sacrifice in the form of monthly subscriptions). But feel free to use the image for whatever purposes )
As far as I know, you can use ChatGPT without a subscription, but still paid. I found nano-gpt.com/get-started the other day where you pay with cryptocurrency per request, I guess someone behind the scenes is paying the subscription and is offering this as a service. The model behind can be chosen. So in case you have some lying around, you can just use that, or if there’s more interest from others, give me the prompt and I’ll pay for it, still have Nano around.
I just switched to Linux for the first time last year, and I’ve been using EndeavourOS, which I’ve been told is like Arch with training wheels, and my experience has been fantastic. In case anyone wants a slightly easier way to peek at Arch.
Honestly EndeavourOS is Arch once it is installed. As I have said before, EOS is more of an alternative installer with sensible defaults. 99.9% of the packages installed will be from the Arch repos or the AUR. Even the kernel is vanilla Arch.
I can install Arch. If I am bringing up a new system, I almost always reach for EOS instead. EOS has switched to KDE as the default DE. I still prefer XFCE myself.
Huh? No, Manjaro breaks if you use the AUR with it, at least any time I tried, lol. Manjaro has drifted far from Arch since its start of existence. What you are talking about sounds more like EOS.
I don’t use Arch at all but isn’t EOS using Calamares? You click a few times, selecting language, timezone and click install, then go make a coffee while it installs. Difficult to be way faster than that. You can save maybe 30sec by not having any options.
Archinstall is a CLI tool where you choose the same stuff as in Calamares. So you have the same choices but it boots faster (because no GUI) and choosing the options is faster as well in the CLI, if you already know what you want.
The archinstall script is ready to use on the Arch ISO; you just need internet and to type “sudo archinstall”.
Instead of the fancy EOS GUI installer you can just use the archinstall Python script by typing sudo archinstall in the tty console of the booted Arch ISO. I see no difference in the results 😇
Honestly, I like the idea of Arch being completely bare bones. You can then keep track of everything you install afterwards, and that helps a lot when later you try to troubleshoot any issues, since you know exactly what’s installed, what’s modified, and what’s running in the background.
The winget package manager should already be installed on updated systems, but if not, you can install it from the Microsoft Store app. It is listed as ‘App Installer’ and is authored by Microsoft.
Oh whoops, I should close some windows, because I currently have 623 open tabs in Firefox across 107 windows. It’s working fine, even with all my plugins running. Firefox is good at unloading dormant tabs.
They’re probably talking about their experience on their hardware, we don’t know what machine or what version of Firefox they’re talking about. (It’s possible it’s a really old version and not really relevant now or it’s possible their experience is valid for their hardware)
Well, I HATE having many tabs open. Just bookmark them for later. So far, FF is friendlier with how I go, whereas the last times I tried Chrome, it often allocated RAM at launch for a thousand tabs that will never exist (hyperbole, but you get it).