NekkoDroid

@NekkoDroid@programming.dev

NekkoDroid

I don’t think home directory files should be handled by something named tmpfiles.

The only reason it’s still called tmpfiles is because of backwards compatibility.

NekkoDroid

I dunno, I don’t have a camera feed into your life. But considering that is the first thing you respond to a clarification it most certainly wouldn’t surprise me if you did.

NekkoDroid

There were talks a few years ago about changing sd-tmpfiles’ name but it was decided not worth it due to the churn and bikeshedding it would cause.

sd-tmpfiles is generally used to create, modify (e.g. permissions) and remove directories on the system. The home.conf is intended for systems that only ship /usr/ (e.g. containers) to create /home/ and /srv/ as a separate subvolume on btrfs.

NekkoDroid

This is a proposal by people funded by companies that would provide the services for this (balkaninsight.com/…/who-benefits-inside-the-eus-f… ).

A lot of actual politicians oppose this: tbbacherle.eu/2024/06/18/open-letter/

NekkoDroid

which definitely seems out of scope.

Doesn’t seem out of scope for a system and service management suite. Like, the time period where systemd was “just an init” was relatively brief (like half a year).

NekkoDroid

The BSOD really isn’t something to be mad at, it actually in theory is good but there is only so much you can do when a kernel panics. What you should be mad at is shitty drivers causing BSODs

NekkoDroid

(I think that’s their goal, either ads or no watch)

NekkoDroid (edited)

They should test this much more often and frequently. Unlike Gnome, KDE do actually care about their users, not just about themselves.

It’s not like GNOME is the only outlier here (for the specific icon problem sure), someone on the linux subreddit also posted this screenshot imgur.com/a/1ELtsJb. It seems to really just be that KDE apps kinda struggle outside of KDE. And most of the GNOME devs do care about the users as well, just they also care that their apps look as intended.

NekkoDroid

It’s been a thing I personally have been wondering why this is how it is for a while. Personally I like most of the GNOME stuff, but this decision has always stood out as odd.

But then again I almost always use ctrl+w or alt-f4 to close apps, so I am mostly unaffected.

NekkoDroid

Sometimes (almost always) I wish that the refunded money wouldn’t come out of Steam’s/Valve’s pocket…

NekkoDroid

Fun fact: open source has a definition: opensource.org/osd

I don’t know much about Grayjay, but how you are describing it, it at best is “source open”

NekkoDroid

doas is relatively simple (a few hundred LOC), especially compared to sudo. The main benefit of run0 over doas is that it isn’t a SUID binary, they are similarly complex.

NekkoDroid

Lossless is pointless

I wouldn’t say it’s pointless, but it really doesn’t help much considering the quality of your average headset/earpieces.

NekkoDroid

But the funny thing is that even with a larger user base, Spotify has NEVER posted a profit

I honestly doubt if you’d isolate Apple Music it’d be any different for them.

NekkoDroid

bless the drive with a boot loader that doesn’t suck, like Grub

Ah yes, I need a whole separate OS just to boot my actual OS…

I would in no world call GRUB a bootloader that doesn’t suck.

NekkoDroid

It’s incredibly easy to fuck your partitions to hell and back, especially through Windows.

Fun fact: Windows won’t allow you to delete any EFI partition (that is the only one I know of/tried) unless it’s through diskpart with a specific override/force option.

But then again, I somehow nuked my recovery partition by accident at some point as well.

NekkoDroid (edited)

The thing with this is: it’s just a symlink to the systemd-run binary, which talks to PID1 to spawn new processes (in separate cgroups IIRC). It’s one of the most fundamental parts of systemd. Even the Debian systemd package includes systemd-run.

I guess the other question is if some tools the distro provides might switch to supporting it by default. For example on Arch there is makepkg that should never be executed as root, but does internally call some things with elevated privileges (mostly pacman to install and remove packages). Currently it checks for sudo and if not falls back to su, but maybe it might be worth considering changing su for run0 if it’s guaranteed to be there.

NekkoDroid

homed isn’t exactly a home directory replacement, more of an extension. You can mix and match homed and normal home directories like you want (on a per-user basis at least, not within a single user). It does have some nice things, such as user-password based encryption of the home directory, so the password is required to unlock it (no admin access) or automatically using subvolumes on btrfs.

NekkoDroid

One way to notice a person has “systemd derangement syndrome” is by looking at how they write systemd: if they write it SystemD they are already in late stages of SDS and it isn’t curable anymore.

NekkoDroid

It does its authorization with polkit (which IIRC defaults to allow all wheel group members) and giving users that shouldn’t be allowed root access, root access, is not something you ever want. This is usually referred to as unauthorized privilege escalation. Also, it isn’t like sudo doesn’t need configuration.

NekkoDroid

This isn’t exactly a “new” attack surface, so removing the attack surface that sudo (and alternatives) is, is probably a net positive.

NekkoDroid

I think what they meant is that there are people that think: “Wayland is too fragmented, there should be 1 ‘Wayland Compositor’ and the rest should be window managers”

NekkoDroid

I guess my interpretation was too charitable.

Nothing in the protocol prevents you from splitting the server from the window manager, just everyone implementing the Wayland server protocol didn’t see any benefit in splitting it out.

NekkoDroid
  1. The attack surface is there either way, this is just functionality repackaged that existed already before (systemd-run, which is calling into PID1)
  2. All compression libraries (actually most libraries at this point) are dlopened on demand (which was planned even before the attack, which is speculated that the attack was accelerated in timeline because he was on a timer before the change was released)

NekkoDroid

I don’t know, unless I personally allow the admin to have that kinda access to my files I wouldn’t really want it. And for that case you can enroll recovery keys (which would need to be manually stored, but still) or a FIDO token or whatever other supported mechanism there is, it’s LUKS2-backed encryption after all. Then there is also the possibility to just not encrypt the home directory at all.

NekkoDroid

I don’t understand how this is any improvement over pkexec

That has the same problem as sudo: the SUID bit is set for it.

The fact that run0 uses polkit is more of a byproduct that this kinda authentication is already done with polkit all over the place in systemd. You can have individual subcommands accessible to different users (for example everyone can systemctl status, but systemctl reboot needs to be in the wheel group) which is why it’s generally used within systemd already. And it wouldn’t surprise me if again you can do it with this as well, limiting what commands can unconditionally run, need prompt or are completely blocked.

NekkoDroid

Sure, the other option is having it tied to an email, which is reliant on your single vendor and is also an easier way to create an army of spam bots. Phone numbers at least are transferable between carriers.

NekkoDroid

You should see the comments on the Phoronix forums…

NekkoDroid
  1. SUSE is a company founded in Germany (now in Luxembourg)
  2. www.sovereigntechfund.de
  3. Not having a government directly develop a “blessed OS” is probably for the better

NekkoDroid

Overwatch

Don’t worry, the person behind Overwatch 2 left in 2021 and is still held in high regard by a lot of people :)

NekkoDroid

He is the one that still wanted to make Project Titan work. Overwatch was the crawl, PvE was supposed to be the walk and then they’d have the run with the MMORPG.

twitter.com/jasonschreier/…/1771227101112205572

NekkoDroid

Got myself an iFixit Mako a while ago, really nice even if I mostly just use the Phillips head ones.

NekkoDroid

The actual reason is to hide the fact they’re probably not gonna have much if any pve content soonish

They literally outright said multiple times that PvE content is mostly shelved and to not expect anything. This isn’t some sort of secret they are keeping.

NekkoDroid

they probably made more money from OW1 lootboxes, overall

I really doubt it considering how many boxes you got thrown after you, with coins for dups with which you can just buy skins. Was a great system for the player, but probably terrible monetarily.

NekkoDroid

I genuinely hate NV as a company and their proprietary software, but I can say that the software they provide is decent/good. Like… good cards and software, terrible company and philosophy/moral.

NekkoDroid

I don’t really bother with AV on my Linux system. What I do is just use trusted software from my repos and run containerized applications.

What I am currently working on is using secure boot with a Unified Kernel Image (already doing that) that boots into a read-only /usr/ partition with verity + signature (one UKI only loads a certain partition with a specific signature, or nothing at all). Any other things I need I create a systemd sysext that gets overlaid on top of /usr/ (also read-only) or they get installed as flatpak. For development I would just be using nspawn containers and podman/OCI containers for services that are outside of the other scopes.

This is all based on 0pointer.net/…/fitting-everything-together.html which is a nice write down of what I am doing/following.

That already covers a lot of different attack vectors by just not having my system be modifiable outside of my control or apps just being containerized.

NekkoDroid

The thing with Wayland and X11 is: this couldn’t really be done because of how fundamentally broken incompatible X11 is (and there is XWayland for most clients that mostly works)

NekkoDroid

Arch: Move more of the things shipped by the distro to /usr/, too many things are still in /etc/, /var/ and /srv/. Generally this isn’t a problem, but when you want to make an A/B updated image where only /usr/ is shipped it is a bit annoying. Also, bash has no way to have a “distro” version of /etc/profile.

Another benefit is: no .pacnew files in /etc/ (or anywhere else) since those would all be managed by the system maintainer and aren’t touched by the package manager

NekkoDroid

Those benchmarks under “Upstream” do not include esync/fsync from my understanding.

NekkoDroid

I have NekkoDesktop, NekkoLaptop, NekkoLaptopJr (new laptop) and NekkoServer :) (Phones are just Nekko <Release> with release being S9 and S21 for Samsung or G6 for LG)

NekkoDroid (edited)

The thing with AppImages is: it requires FUSE2 which doesn’t really get packaged/included by default anymore in a lot of places and the recommendation is “build on the most old and crusty distro you want to support” which just sounds like a nightmare in multiple ways :)

And with snaps the sandboxing only really works on Ubuntu and nowhere else last time I looked into it (then there is also the entire problem if you want to host your own repository/“storefront”).

So really the only universal sandboxing method that effectively makes sense is Flatpak.

NekkoDroid

Wouldn’t that need them to get the fu.ck domain itself? I have a feeling that is already used by someone else, but there currently isn’t any website at that domain (doesn’t mean it isn’t used).

NekkoDroid

I would have guessed that Ubuntu would install it by default since it’s a very common way to get stuff from the internet (when in the terminal), but apparently not (the other option is wget which is most likely installed, but that uses a different way to get the stuff).

You should be able to install curl with sudo apt install curl

NekkoDroid

IMO my favorite launcher to use out of all is probably Battle.net, even over Steam. This is probably mostly because Steam is terribly unresponsive and its startup is still kinda ass (I just tested the start and noticed its 3 fucking loading screens: Verifying installation, Logging in and finally loading the page. All as separate windows).
