Post AFoBayr4ElTCR5UIXw by avalos@mstdn.social
(DIR) Post #AFmUteU7hrEtZfS83M by avalos@mstdn.social
2022-01-24T23:56:37Z
1 likes, 4 repeats
According to what I read today, systemd is the best thing that ever happened to Linux and GNU/Linux: it helps ensure interoperability between distros so the Linux ecosystem is unified.
Let's just make one thing clear: systemd is not an init system, but rather a set of components to build a Linux-based operating system on top of. It only happens to contain an init system. systemd is the intermediate layer that sits between Linux and the userspace.
People claiming that systemd is an instrument for Red Hat and IBM to impose their evil agenda on the free software ecosystem are deluded. You're free to hate on everyone, but I personally believe Poettering is not doing anything bad or evil.
I love systemd. Change my mind.
Note: don't get me wrong, I don't hate other init systems, in fact, I'm glad they exist for those who dislike systemd.
http://0pointer.de/blog/projects/the-biggest-myths.html
(DIR) Post #AFmViMBNVuM3ZyrYKe by be@fosstodon.org
2022-01-25T00:05:29Z
1 likes, 0 repeats
@avalos yeah I don't miss the days of having to learn different commands to start/stop/enable/disable services on every distro
(DIR) Post #AFmVjuqq6MYrON01Hk by alcinnz@floss.social
2022-01-25T00:06:03Z
0 likes, 0 repeats
@avalos Hear, hear! This is my stance.
Let me add it's disingenuous to claim systemd is a big complex beast & GNU CoreUtils isn't. And no, systemd init doesn't depend on udevd. It does depend on libudev, but despite the name it's more appropriate to think of libudev as part of the Linux project than UDev.
(DIR) Post #AFmW1XXTVzVsIpLULg by ariel@m.costas.dev
2022-01-25T00:09:13Z
0 likes, 0 repeats
@avalos systemd creates dependency onto it because it's one huge messy package. Some programs won't work well without systemd, which puts you in a weak position against IBM, who is behind it. I could elaborate more, but I'd rather link to https://nosystemd.org/
Systemd is a bloated mess that forces everyone into its ecosystem and then they can't escape, same that happens with the GNU Coreutils not being compliant with POSIX
(DIR) Post #AFmgguOORxhab1Sjc8 by avalos@mstdn.social
2022-01-25T02:08:45Z
0 likes, 0 repeats
@ariel Everything creates dependency onto everything, systemd is the rule rather than the exception.
systemd is not one huge messy package, as its functionality is divided in several packages that make one thing each.
IBM is not the only one behind systemd. The project is a collaboration between many distros and corporations, so we can rest assured systemd is on the interest of the community. Even if not, it is 100% free software that is well documented, well written and stable, so we can fork it and continue its development independently.
systemd in fact does the opposite of locking you into something: it makes it possible for everyone to easily switch between Linux distributions, and ensures software that relies on core functionality can work reliably across distributions.
(DIR) Post #AFmgu9v424ewW63v1M by avalos@mstdn.social
2022-01-25T02:11:10Z
0 likes, 0 repeats
@ariel Besides, Linux the kernel itself is very bloated and a monolith, so you require a bloated layer of utilities to expose all its features in a friendly, consistent and interoperable way. I do agree with the fact that locking things to Linux is not great, though.
(DIR) Post #AFmhOrevyP52rR9vDk by avalos@mstdn.social
2022-01-25T02:16:42Z
0 likes, 0 repeats
@juliana Agreed. Linux lock-in isn't great, but well, Linux has a lot of non-standard features that don't exist in other *nixes, and it's great to be able to use them easily. Still, the BSD port sounds great and it will help things a lot.
(DIR) Post #AFmhZuvc9wREBXEPp2 by avalos@mstdn.social
2022-01-25T02:18:42Z
0 likes, 0 repeats
@alcinnz Linux itself is a big complex beast, as far as I know.
(DIR) Post #AFmhb3rqPQbqCP0uIq by avalos@mstdn.social
2022-01-25T02:18:56Z
0 likes, 0 repeats
@alcinnz Linux itself is a big complex beast, as far as I know.
(DIR) Post #AFmhjZhTwI35FAE5SK by alcinnz@floss.social
2022-01-25T02:20:26Z
0 likes, 0 repeats
@avalos Yeah, don't know how we avoid that.
To me throwing out perfectly good hardware is a worse sin than Linux's complexity...
(DIR) Post #AFmrn0TRqol8gtwASm by avalos@mstdn.social
2022-01-25T04:13:07Z
0 likes, 0 repeats
@ariel Another point I just thought about, is that even if it traps us into its «ecosystem», it's an open ecosystem/platform by design, with no imposed limitations or terms of service. You make it sound as if it was like Apple's, when in reality it doesn't compare at all. systemd is as open as an ecosystem can be for it to still be considered a platform.
systemd doesn't push any anti-features or malware onto you, and it doesn't benefit one distro or corporation more than the others: it's perfectly vendor neutral (except for the Linux specific code that makes most of it). And even if it's not, you're free to patch it because it's free-as-in-freedom™ software.
systemd doesn't spy on you, it doesn't give IBM superpowers over every GNU/Linux computer; it actually gives its users more control over their computers because it makes system administration easier by exposing kernel features as pretty config files and CLI tools.
(DIR) Post #AFnV2PhUEptfU9qCzQ by ariel@m.costas.dev
2022-01-25T11:32:53Z
0 likes, 0 repeats
@avalos the same you could say about the web: it's an open ecosystem, although implementing all of it is so complex you're practically in a duopoly between Google and Mozilla (or monopoly, considering Google pays Mozilla for existing)
It doesn't spy on you but creates dependency on it, because you replace systemd with (say) Runit and you'll have a bad time with many programs
(DIR) Post #AFnVMkrhG4KOuzJfTU by ariel@m.costas.dev
2022-01-25T11:36:34Z
0 likes, 0 repeats
@avalos Linux the kernel is absolute garbage, compared to (say) OpenBSD, but it's the popular guy among the Unix-like systems.
The same shit happens with Linux that with systemd: programs are usually Windows/macOS compatible, sometimes also Linux (actually GNU/Linux, not POSIX-compliant linux). So Linux is another trap like systemd, because it's open but huge in LoC. Good luck replacing Linux with *BSD, same with Soystemd with OpenRC, Runit or any other
(DIR) Post #AFo7DQG4IkDYeuh1SC by avalos@mstdn.social
2022-01-25T18:40:41Z
0 likes, 0 repeats
@ariel It is very difficult to create software that leverages Linux specific functionality, and also make it run in other operating systems. Linux might be a trap, but then what happens when you start using pledge(2) and unveil(2) in OpenBSD? Or jails in FreeBSD? Your programs won't run anywhere else. It's the same shit, everything will lock you in in the end.
And fyi, Hyperbola is switching to BSD quite successfully, Debian has supported the FreeBSD kernel for ages, Parabola supports OpenRC and Runit besides systemd, and maintains a nonsystemd repo. Artix, the distro you use, replaces systemd successfully. I could go on and the list is immense.
(DIR) Post #AFo8zA2A1fuWC6VzPM by avalos@mstdn.social
2022-01-25T19:00:31Z
0 likes, 0 repeats
@ariel But how do we make things usable while avoiding so much complexity? (*ping* @alcinnz) In the case of systemd, I'd argue it is necessary complexity. It isn't even that bad, a million lines of code are nothing compared to browsers, but that unit of measurement is meaningless anyway.
(DIR) Post #AFo9oy4LkuAy92F5l2 by alcinnz@floss.social
2022-01-25T19:09:52Z
0 likes, 0 repeats
@ariel I wouldn't say the dependency on systemd is that bad, though I will agree with you to the extent anyone (e.g. GNOME) is hard-depending on systemd! There are forks of the different daemons in its suite. And there are (incompatible) alternatives.
Agreeing with @avalos my impression reading systemd is that it's not a question of how much complexity there is (systemd is minimal), it's a question of how we organize it.
(DIR) Post #AFoAYdrrCEuKoOB6Su by ariel@m.costas.dev
2022-01-25T19:18:07Z
0 likes, 0 repeats
@avalos some programs still won't work without soystemd, or without the Linux kernel or the GNU coreutils. Any bash shell script won't run on a standard POSIX shell, but any POSIX-compliant shell script will be usable anywhere.
Programs should do one thing and do it well. Systemd is an init system, a boot manager, DNS resolver, syslog, policykit and more, with many programs depending on those instead of doing it the standard way
(DIR) Post #AFoBayr4ElTCR5UIXw by avalos@mstdn.social
2022-01-25T19:29:46Z
0 likes, 0 repeats
@ariel The UNIX philosophy of programs doing only one thing and doing it well is deprecated and useless, grow over it.
Even then, as I said, systemd is divided into several programs that do one thing each (i.e. systemd-*). And as I also said, systemd is NOT an init system, but rather a set of components to build a Linux-based OS on top of, that happens to contain an init system.
systemd complies with the UNIX philosophy.
(DIR) Post #AFoBnVNr7amcnUnROC by alcinnz@floss.social
2022-01-25T19:25:15Z
0 likes, 1 repeats
@ariel @avalos Put it this way: Creating an operating system that actually runs & outputs graphics is a truly MASSIVE undertaking. No individual can tackle it alone.
But we each tackle the subcomponents which interest us, and it (with the help of interested sysadmins/librarians) congeals into a loosely-compatible alternative to Unix.
This is how I advocate we create an alternative to the Modern Web!
(DIR) Post #AFoCUsrFil3S3MEO2K by avalos@mstdn.social
2022-01-25T19:39:52Z
0 likes, 0 repeats
@ariel Besides, what is the actual standard and universal way of doing all of those things? Are the boot manager, the DNS resolver, the syslog, policykit and other things, standardized in POSIX?
If not, then systemd serves as a de-facto standard for something that used to not be standardized at all.
(DIR) Post #AFoCocygTMHKar7bYO by werwolf@fosstodon.org
2022-01-25T19:43:25Z
1 likes, 0 repeats
@avalos @ariel @alcinnz it isn't necessary complexity. Have you ever used any of the *BSDs? rc is a simple, elegant solution to the service management and init problem.
As you say, systemd does more than that, but everything that systemd does can be done by simpler, separated programs. And no, this doesn't add usability concerns. FreeBSD is as easy to use as most GNU/Linux distros.
(DIR) Post #AFoD4VinDdpwioGK2K by avalos@mstdn.social
2022-01-25T19:46:19Z
0 likes, 0 repeats
@werwolf @ariel @alcinnz Everything systemd does is actually done by simpler, separated programs. systemd is not a monolith.
(DIR) Post #AFoD6OLnavxmRNP6wK by bonifartius@qoto.org
2022-01-25T19:46:37Z
0 likes, 1 repeats
@avalos but why do we need different distributions anymore if everything is _unified_? package managers would be the sole difference, aside from musl/gnu gcc/clang. it's the corporate wet dream of course, don't like some software or who builds the software? just break some systemd stuff it relies on or invent another incompatible replacement everyone uses then.
systemd isn't even _good_: systemd-resolved is the worst possible solution one can come up with. the init stuff is again a solution waiting for a problem, no sane distribution maintainer would just copy in service files. journald is syslog reinvented, and not better. no, searching binary logs is not an improvement. i don't know if journald even supports networked logging.
putting on the tinfoil hat, i would even venture the thought that the "kde will have ads now" is a psyop because they never fully bought into poetterux.
(DIR) Post #AFoDKDqFSmXBtzF1sm by werwolf@fosstodon.org
2022-01-25T19:49:08Z
0 likes, 0 repeats
@avalos @ariel @alcinnz it isn't, but the ecosystem created upon it will be systemd specific and break if you use an alternative.
(DIR) Post #AFoDdusFh6dMrmZN1U by avalos@mstdn.social
2022-01-25T19:52:43Z
0 likes, 0 repeats
@werwolf @ariel @alcinnz systemd is not to blame then, but rather the fragile ecosystem that chose to depend on it to begin with.
(DIR) Post #AFoDfm5LLGR8BgZwtU by avalos@mstdn.social
2022-01-25T19:53:03Z
0 likes, 0 repeats
@werwolf @ariel @alcinnz systemd is not to blame then, but rather the fragile ecosystem that chose to depend on it exclusively to begin with.
(DIR) Post #AFoDgY2V38gOulcM7s by alcinnz@floss.social
2022-01-25T19:53:11Z
0 likes, 0 repeats
@avalos @werwolf @ariel Seconded: Despite popular misinformation, systemd is not a monolith!
Sure there's confusing terminology around its udev component.
And again: While we are defending systemd we do not encourage projects to hard-depend on it. Let your programs run on BSD!
(DIR) Post #AFoDne2j7uIxYt6kZE by avalos@mstdn.social
2022-01-25T19:54:28Z
0 likes, 0 repeats
@alcinnz @werwolf @ariel Agree with the not hard-depend on it (FTR).
(DIR) Post #AFoGM2A2AB1Q7G3FJY by avalos@mstdn.social
2022-01-25T20:23:06Z
0 likes, 0 repeats
@k3vk4 @ariel @alcinnz Take my upvote!
(DIR) Post #AFoHSPmvKXrz5Pqex6 by fcktheworld587@social.linux.pizza
2022-01-25T20:35:27Z
0 likes, 0 repeats
@avalos Personally - I love using systemd. I've only been using Linux for a few years, and systemd made that journey _very_ easy.That said; I'm very glad that there are alternative systems being developed. For political reasons. In any instance, overcentralization of political power is _not_ a good thing. Viable alternatives are a necessity.
(DIR) Post #AFoHsa2bpgBGPlf5ai by avalos@mstdn.social
2022-01-25T20:40:11Z
0 likes, 0 repeats
@fcktheworld587 What I fail to understand is, how much political power does systemd give to its developers? As far as I know, its development is more or less decentralized and community driven. And there are no politics baked into systemd, and it is well-documented free software.
(DIR) Post #AFoIFltnuXZVqsbMVk by swansinflight@mastodon.nz
2022-01-25T20:40:49Z
0 likes, 0 repeats
@k3vk4 @avalos @ariel @alcinnz void (which uses runit) is the fastest booting distro I’ve ever used.
(DIR) Post #AFoIFmPM1EoDQjMYgi by avalos@mstdn.social
2022-01-25T20:44:20Z
0 likes, 0 repeats
@swansinflight @k3vk4 @ariel @alcinnz It boots fast because there's nothing to boot as it's void. *ba dum tss*
(DIR) Post #AFoIKzWGhLGDXi58oC by swansinflight@mastodon.nz
2022-01-25T20:45:17Z
0 likes, 0 repeats
@avalos 😆
(DIR) Post #AFoIhI6YHNRbYRgdEW by specter@eattherich.club
2022-01-25T20:49:20Z
0 likes, 0 repeats
@rgegriff @avalos I have never grokked or heard very clearly why "systemd is bad" and the more I've gotten familiar with it the more I too love it. I also don't know any other init system nor precisely what you mean by the distinctions but so far that's been fine
(DIR) Post #AFoJMDajxo27QkK40m by etam@im-in.space
2022-01-25T20:56:43Z
0 likes, 0 repeats
@avalos I think that's a very popular opinion. Just people hating it are more vocal about it. As a sysadmin I love systemd and when I show its features to colleagues at work they love it too. I just don't spend time arguing with people on the internet who hate it for whatever reason.
(DIR) Post #AFoJQp8cJDTP2LMdsm by evilroda@wandering.shop
2022-01-25T20:57:01Z
0 likes, 0 repeats
@werwolf @avalos @ariel @alcinnz "FreeBSD is as easy to use as most GNU/Linux distros" No it fucking isn't, if Linux was on the same level as FreeBSD, I'd still be stuck on Windows.
(DIR) Post #AFoJvaiLzAAJHPkbqK by werwolf@fosstodon.org
2022-01-25T21:03:07Z
0 likes, 0 repeats
@evilroda @avalos @ariel @alcinnz well I was talking about the underlying system. Obviously, the default installation doesn't provide you with a graphical environment.
But you have GhostBSD which is FreeBSD, it just provides an out of the box desktop ready installation. The same happens with Manjaro and Arch.
(DIR) Post #AFoK7rmaLsitguaEam by alcinnz@floss.social
2022-01-25T21:05:15Z
0 likes, 0 repeats
@werwolf @evilroda @avalos @ariel I'd agree to say the kernel (BSD vs Linux) *shouldn't* make a difference to the usability of the desktop environment...Beyond whether it actually runs on your computer...
(DIR) Post #AFoKUzQA7QqQ2d7ZjM by alcinnz@floss.social
2022-01-25T02:43:57Z
1 likes, 1 repeats
@juliana @avalos Agreed! I may not have a problem with systemd, but I do have a problem with hard-depending on it!
(DIR) Post #AFoPnxqGiGfoPwCQ64 by bonifartius@qoto.org
2022-01-25T22:08:59Z
0 likes, 0 repeats
@avalos @ariel
> The UNIX philosophy of programs doing only one thing and doing it well is deprecated and useless, grow over it.
one thing and one thing well AND being composable. which systemd isn't. its interfaces are so complicated that it's hard to switch out parts. the parts don't do one thing well, they all do too much. systemd is a defacto monolithic blob.
(DIR) Post #AFodSbiRBKEl4SFMbg by ariel@m.costas.dev
2022-01-26T00:37:07Z
0 likes, 0 repeats
@werwolf never heard of GhostBSD before, want to give it a try soon. Thanks!
(DIR) Post #AFomq2rlIoNfWYrKUq by notafurry@hulvr.com
2022-01-26T02:27:03Z
0 likes, 0 repeats
@avalos this assumes making all systems the same and / or interoperable is a positive thing.
I don't think it is, and I really doubt anyone could provide a strong argument for it - but so many people assume it.
Approachable or entirely consistent distros should exist, sure - but there's no reason why *all* Linux systems must be. I'm fine that systemd exists; but when it becomes an evangelical position, as it has, then it's an issue.
(DIR) Post #AForNlB9y7tAKaGRcW by fcktheworld587@social.linux.pizza
2022-01-26T03:17:58Z
0 likes, 0 repeats
@avalos It's my understanding that it's mainly a question of who's paying who
(DIR) Post #AFp13l03vKbJWfAqye by avalos@mstdn.social
2022-01-26T05:06:26Z
0 likes, 0 repeats
@fcktheworld587 But, how exactly does that money reflect on systemd itself? As far as I know, systemd tries to be neutral and benefit all distros equally.
(DIR) Post #AFq2W4JbzuOSeTLGVM by mig@mastodon.1984.cz
2022-01-26T16:57:27Z
0 likes, 0 repeats
@avalos the problem is not systemd's user interface - which is great - but its internal design.. I always ask myself why Poettering repeated the same mistakes, which have already been solved by other init systems.. why? because he dislikes unix, perhaps because he didn't understand its principles.. it's a question of time when a bug found in the main process shuts down many systems at once...
(DIR) Post #AFqFK8FyogHUnyHWxU by avalos@mstdn.social
2022-01-26T19:20:58Z
0 likes, 0 repeats
@notafurry What makes you think interoperability and unification are bad? The lack of diversity?
(DIR) Post #AFqGAcy7sJ417BxjXM by avalos@mstdn.social
2022-01-26T19:30:27Z
0 likes, 0 repeats
@mig If what you're mad about is the holy UNIX philosophy being disrespected, then know systemd is not a monolith, it is divided into several binaries, some of which can even work outside of systemd.
(DIR) Post #AFqGkSyIWPTUXB8FIO by colinsmatt11@gleasonator.com
2022-01-26T01:42:46.587937Z
0 likes, 0 repeats
GNU coreutils are POSIX compliant, but they add extra features. If you want to keep it POSIX only either use POSIX only features or enable the POSIX flag in the environment to disable all GNU extensions.
(DIR) Post #AFqGkTPasvJDtpu2qG by ariel@m.costas.dev
2022-01-26T11:06:45Z
0 likes, 0 repeats
@colinsmatt11 @avalos you can't enable any POSIX flag in the environment to disable GNU extensions.
GNU doesn't comply with POSIX, just see commands such as cat:
POSIX cat only allows one option: -u
GNU cat allows a hell ton of options but NOT -u as POSIX specifies
POSIX cat: https://www.man7.org/linux/man-pages/man1/cat.1p.html
GNU cat: https://www.man7.org/linux/man-pages/man1/cat.1.html
(DIR) Post #AFqGkTrFE7QXHaq7wO by avalos@mstdn.social
2022-01-26T19:36:54Z
0 likes, 0 repeats
@ariel POSIX shell compatibility is useless the moment you start actually using your distro in a useful way.
(DIR) Post #AFqHus9Vr2jNTtu5VQ by mig@mastodon.1984.cz
2022-01-26T19:50:00Z
0 likes, 0 repeats
@avalos i know, internally systemd is similar to "postfix", which also consists of many binaries.. the problem is mostly in the main systemd process which does too much.. IMHO daemontools & supervise (or later variants) have a better design.. I like its simplicity.. actually it could be adopted by systemd - and I hope one day someone will do it..
(DIR) Post #AFqNO2ko1720Wv4n3I by ariel@m.costas.dev
2022-01-26T20:51:17Z
0 likes, 0 repeats
@avalos POSIX compatibility means you can write a script on a GNU+Linux machine and use it there, on Alpine Linux, *BSD and any Unix-like system.
Writing a script using the GNU extensions means you're locked into GNU, and although it's free/libre, you're still locked in.
(DIR) Post #AFqVxZioEbicXwb1k0 by ParadeGrotesque@mastodon.sdf.org
2022-01-26T22:27:22Z
0 likes, 0 repeats
@k3vk4 I am old enough to remember a time when Linux and the BSDs were more or less equal when it came to hardware: they sucked. Linux maybe a tiny bit less, but not by much.
OpenBSD is almost as good as Linux if the hardware is supported. And once installed, it is a lot easier than 90% of Linux distros, because it is stable and predictable.
@jollyrogue @avalos @ariel @alcinnz
(DIR) Post #AFqX28YujyzjiMhtmy by avalos@mstdn.social
2022-01-26T22:39:24Z
0 likes, 0 repeats
@ariel Not necessarily. A LOT of system functionality is not covered by POSIX, which means your pretty POSIX script won't run in other systems if you are using part of the non-standardized functionality, which is very likely. In most cases, you will need to port your script to other platforms anyway, which is easy as fuck.
Also, when you use POSIX, you get locked into POSIX. How about non-POSIX operating systems?
(DIR) Post #AFqdDhVzj5uh1tErMu by ariel@m.costas.dev
2022-01-26T23:48:42Z
0 likes, 0 repeats
@avalos that's why I say to use the standard POSIX functionality and not all of the added GNU bs.
POSIX is a standard with many implementations, and implementable by a human (unlike, say, web browsers). GNU is one single implementation not following the standard, so if you use GNU things, you're either locked into GNU or any copy of GNU, and can't easily switch to (say) a BSD
(DIR) Post #AFqeRPQzqX0Yxh09Gi by avalos@mstdn.social
2022-01-27T00:02:24Z
0 likes, 0 repeats
@ariel My point is, POSIX is limited in scope, so you'll always end up using stuff not covered by it (not talking about GNU), or else you can't do pretty much anything useful.
Example: package management, system service management, advanced networking, firewall, etc, etc, etc. POSIX only defines the basic building blocks for basic OS interoperability, but it doesn't go beyond that.
(DIR) Post #AFqg95MFx2IfOLAsWe by avalos@mstdn.social
2022-01-27T00:21:31Z
0 likes, 0 repeats
@ariel https://emacsconf.org/2021/talks/unix/
(DIR) Post #AFqnZ7h0aoAnqCFBia by SciencePhysicist@fosstodon.org
2022-01-27T00:00:36Z
0 likes, 1 repeats
@avalos https://www.youtube.com/watch?v=o_AIw9bGogo
(DIR) Post #AFrNxJj76CTwSn43lY by avalos@mstdn.social
2022-01-27T08:32:24Z
0 likes, 0 repeats
@SciencePhysicist Thanks, I really loved that video. Turns out most of what I've been arguing so far based on the exactly two articles I read is true!
1. systemd is a layer (the “system” layer) that sits between the kernel and the userspace. ✔️
2. systemd is NOT a monolith. ✔️
3. UNIX is dead, and it's a good thing. ✔️
4. Contempt culture, hate and fear everywhere. ✔️
5. Etc.
Seriously, watch that video. He explains it in a very entertaining and relaxed way.
(DIR) Post #AFrO1aP52KupLOjIpc by tejr@mastodon.sdf.org
2022-01-27T08:33:10Z
0 likes, 0 repeats
@specter @rgegriff @avalos I made a presentation to my LUG about this. I don’t love systemd, but I don’t hate it, either. https://sanctum.geek.nz/presentations/systemd-heresy-and-hearsay.pdf
(DIR) Post #AFrObiwAmmM6EhRMP2 by SciencePhysicist@fosstodon.org
2022-01-27T08:39:42Z
0 likes, 0 repeats
@avalos I've changed a few minds of people who irrationally decided they didn't like systemd with it. It's great because you think with the title he's going to bag it.
I love the bit about logind and also the fact that Benno is also a pretty big FreeBSD contributor. He knows his stuff
(DIR) Post #AFrS3uzBslVrZizHpg by klaatu@mastodon.xyz
2022-01-27T09:17:11Z
0 likes, 0 repeats
@avalos I agree. I think systemd is really neat, and has done amazing things for Linux. I wouldn't want alternatives to go away, but I don't believe anyone is proposing that. I run Slackware at home but RHEL at work (as I have for the past decade+) and I enjoy both for different reasons.
(DIR) Post #AFs8hZeun6xv5Z5ziy by lanodan@queer.hacktivis.me
2022-01-27T17:16:06.583033Z
0 likes, 0 repeats
@k3vk4 @jollyrogue @avalos @ariel @alcinnz
> OpenSolaris
Funny you mention this one because back in its era (it's been dead since 2010~2012), it was a pretty great system, it had a desktop that you could compare with Ubuntu 10.04 and in terms of hardware support and software it was quite comparable to Linux or the BSDs.
What made Linux seriously rise from the pack are things like Steam, desura, … suddenly providing commercial Linux games, a thing you didn't really have since Yoki Games.
And the fall of Sun probably made the desktop environments shift to a very RedHat Linux mindset.
(DIR) Post #AFsOi7jxfxny3ajxCq by Seirdy@pleroma.envs.net
2022-01-27T20:15:33.623715Z
0 likes, 0 repeats
@specter @rgegriff @avalos TLDR: I love what unit files try to do. I have huge issues with Systemd’s underlying insecure architecture, which I find problematic because Systemd can be hard to avoid.
The traditional fossbro talking points against Systemd (“bloatware, red hat bad”) are dumb. Those aren’t the right reasons to dislike Systemd. Systemd is like that iceberg meme: On the surface is a beautiful approach to configuring services and their permissions. But below the surface, its architecture is something else.
Systemd has a very insecure design. Systemd has privileged processes share tons of functionality, from text-processing to receiving untrusted messages from other programs (!!), without much privilege separation.
It’s designed under the assumption that it is secure and bug-free, and doesn’t employ significant safeguards against itself. PID 1 still sets a umask of 0 right in the main() function (!!!). CVE-2016-10156 could have been prevented.
Basically, I like the experience of using Systemd, but its design is a bit of a security nightmare. It needs some major privilege separation, but the devs will never do that.
All of this wouldn’t be an issue if it were easy to just switch init systems, but Systemd is uniquely difficult to replace. resolved encourages programs to use the “org.freedesktop.resolve1” API, for instance, which other DNS implementations don’t use. Plenty of other Systemd-isms have proliferated throughout the Linux ecosystem, which means that everyone else can choose between re-implementing all of Systemd’s APIs (nearly impossible without way more resources) or using Systemd and trying to work around its security issues.
I also much prefer the sandboxing employed by bubblewrap and minijail to what’s available in Systemd unit files. Systemd’s sandboxing is incredibly coarse: something as simple as mounting a ramfs would require loosening up a ton of Systemd sandboxing.
I’m keeping an eye on s6; it seems to borrow a bit from Systemd’s approach to configuring services. Combined with something like bubblewrap or minijail for sandboxing, strict SELinux policies, a package manager using something like ostree+dm-verity+fs-verity with an immutable root, and verified boot: it could be the basis of a distro with actually decent security.
Andrew Ayer wrote some great posts on Systemd that enumerate actual issues instead of just mentioning the typical fossbro “bloatware, red hat bad, etc” talking points: one, two, three.
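The unit-file sandboxing the post above contrasts with bubblewrap and minijail, shown as an added example (not code from the post or from the systemd project): the same hypothetical service once without any confinement and once with the per-unit directives that map to kernel mechanisms, plus a note on why the post's ramfs case undoes most of it. The service name, binary path and listen address are constructed for the example.

```ini
# ---- File 1 (constructed): /etc/systemd/system/example-api.service, unconfined ----
# Runs as root, keeps every capability, sees the whole filesystem, inherits the
# umask of PID 1 and may use any socket family and any syscall.
[Unit]
Description=Example API (unconfined)

[Service]
ExecStart=/usr/local/bin/example-api --listen 127.0.0.1:8080
Restart=on-failure

[Install]
WantedBy=multi-user.target

# ---- File 2 (constructed): the same service with unit-file confinement ----
# Every directive below is applied by systemd before exec(), so the binary itself
# is unchanged; each one corresponds to a kernel feature (user/mount namespaces,
# capabilities, seccomp, prctl) that the service manager sets up on its behalf.
[Unit]
Description=Example API (hardened)

[Service]
ExecStart=/usr/local/bin/example-api --listen 127.0.0.1:8080
Restart=on-failure

# Identity: an unprivileged UID allocated when the unit starts and released when it stops.
DynamicUser=yes
# The only writable persistent location, /var/lib/example-api, owned by that UID.
StateDirectory=example-api
# Explicit file-creation mask, independent of whatever mask PID 1 runs with.
UMask=0077

# Filesystem view: whole tree read-only (except /dev, /proc, /sys and StateDirectory),
# no /home or /root, private /tmp and a minimal /dev, kernel interfaces read-only,
# other processes hidden in /proc.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid

# Privileges: empty bounding set drops every capability; NoNewPrivileges and
# RestrictSUIDSGID stop the process from regaining any via setuid/fscaps binaries.
CapabilityBoundingSet=
NoNewPrivileges=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictRealtime=yes
# Forbids writable+executable memory; remove this if the service uses a JIT.
MemoryDenyWriteExecute=yes

# Network: only IPv4/IPv6 sockets (no AF_UNIX, AF_NETLINK, AF_PACKET, ...).
RestrictAddressFamilies=AF_INET AF_INET6

# Syscalls (seccomp): native ABI only, the @system-service allow-list, and an explicit
# deny of groups a plain network daemon never needs.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount

# The coarseness the post describes: mount(2) needs CAP_SYS_ADMIN, so letting this
# service mount a ramfs means putting CAP_SYS_ADMIN back into CapabilityBoundingSet
# (and AmbientCapabilities) and dropping @mount from the deny list above. Because
# CAP_SYS_ADMIN is close to root-equivalent, that single need reopens most of what
# the rest of this section closed.

[Install]
WantedBy=multi-user.target
```

On a host with systemd, `systemd-analyze security example-api.service` scores each of these directives and shows which of them the first file leaves unset.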
(DIR) Post #AFsPDE8Px2x2rl0i00 by Seirdy@pleroma.envs.net
2022-01-27T20:21:11.094245Z
0 likes, 0 repeats
@jollyrogue @k3vk4 @avalos @ariel @alcinnz I can't recommend FreeBSD for desktop use, but I can recommend a derivative: HardenedBSD. FreeBSD is severely behind on exploit mitigations while HardenedBSD is actually *ahead* of most other *Nix distros.Their main weakness is their malloc implementation (jemalloc).
(DIR) Post #AFsQZKEO49nI69u6Bk by avalos@mstdn.social
2022-01-27T20:36:23Z
0 likes, 0 repeats
@Seirdy @jollyrogue @alcinnz @k3vk4 @ariel Tbh, people's choice on operating systems and distributions is subject to their threat model. 99.99% of people (including Netflix) don't care about the jemalloc() implementation or a handful of unlikely exploited security issues. FreeBSD is reasonably secure for them, and they aren't willing to make tradeoffs or switch to an obscure project.
(DIR) Post #AFsQiHBkkOSTGhwKdU by Seirdy@pleroma.envs.net
2022-01-27T20:38:00.590063Z
0 likes, 0 repeats
@avalos @jollyrogue @alcinnz @k3vk4 @ariel Netflix does not use FreeBSD as a desktop OS.
(DIR) Post #AFsR717tbSqggxvub2 by avalos@mstdn.social
2022-01-27T20:42:29Z
0 likes, 0 repeats
@Seirdy @jollyrogue @alcinnz @k3vk4 @ariel Netflix uses FreeBSD as a server OS, which is worse. Servers are orders of magnitude more likely to be exploited due to being publicly accessible via Internet. And running critical infrastructure means suddenly every single bit of stability, performance and security matters.
(DIR) Post #AFsRWMmeDduJ6I58j2 by Seirdy@pleroma.envs.net
2022-01-27T20:47:03.782015Z
0 likes, 0 repeats
@avalos @jollyrogue @alcinnz @k3vk4 @ariel The desktop, mobile, and server models of operating systems are radically different.
On the server, different daemons run as different isolated users. On mobile, different programs cannot access each others' private storage.
But on your desktop? All a user's programs get full access to a user's data and capabilities by default. Windows and macOS have since bolted on some attempts at sandboxing, and Qubes does its own thing with Xen hypervisors. The desktop model requires far more modern exploit mitigations since everything runs in the same space.
(DIR) Post #AFsRv4VxHSqHgA3ROy by Seirdy@pleroma.envs.net
2022-01-27T20:51:31.840269Z
0 likes, 0 repeats
@avalos @alcinnz @ariel @jollyrogue @k3vk4 On the FLOSS side of things, the most usable approach we have is Flatpak (Linux-only), which has its own host of issues in its permissive sandboxing implementation.
FreeBSD offers jails, which is a step up. OpenBSD has a(n easily bypassable) W^X implementation and full ASLR, which is yet another step in the right direction. HardenedBSD has a full MAC system, proper ASLR, and I believe it has a legitimate W^X policy too (I'll have to check). This puts it ahead of Linux, at least until support gets merged in the coming years
(DIR) Post #AFsStYk81KMco3Wi7k by Seirdy@pleroma.envs.net
2022-01-27T21:02:27.745316Z
0 likes, 0 repeats
@avalos @jollyrogue @alcinnz @k3vk4 @ariel Finally, Netflix only uses FreeBSD for its CDN, and it uses it for performance reasons AFAICT. It was behind the fbsd kTLS implementation. These servers are used for the specific purpose of content delivery; elsewhere, they use Linux IIRC.
(DIR) Post #AFsThHbC2I56783biy by avalos@mstdn.social
2022-01-27T21:11:26Z
0 likes, 0 repeats
@Seirdy @jollyrogue @alcinnz @k3vk4 @ariel Then again, threat models. There is less risk of security issues and viruses when you install software from the official repositories, rather than from some random website. Most of the risk actually comes from browsers, all of which are sandboxed environments by default anyway.
(DIR) Post #AFsUWULiOFEIQYEZto by alcinnz@floss.social
2022-01-27T21:20:41Z
0 likes, 0 repeats
@avalos @Seirdy @jollyrogue @k3vk4 @ariel You know, I trust software I can audit, and probably have already. Sandboxing is a good measure in case I missed something, but I don't trust it to prevent the attacks I care about.
On the flipside locking things down too much, like on phones, can make it harder for apps to work together, and easier for data to get lost.
(DIR) Post #AFsVJk4yh8TVP1tKoS by Seirdy@pleroma.envs.net
2022-01-27T21:29:35.776099Z
0 likes, 0 repeats
@avalos @jollyrogue @alcinnz @k3vk4 @ariel Okay, multiple issues here.

1. Browsers depend on OS features for sandboxing. If an OS doesn't support something, a browser can't offer it. Windows, for instance, supports features such as ACG, CFG, and Hyper-V which browsers make use of. Another example: distros that haven't yet switched to Wayland also offer no GUI isolation, but browser sandboxes don't magically fix that: your browser won't give you GUI isolation that your OS lacks unless it does something like Qubes' nested sessions using Xen.

2. Browser sandboxes are not foolproof. Firefox and WebKit2GTK sandboxes are a hot mess: Firefox only just introduced an early attempt at site isolation (Fission) and managed to sandbox a spellcheck and graphics library through wasm transpilation (hunspell); its multi-process architecture is still radically behind and its own JITSploitation mitigation is trivially bypassable (like OpenBSD, it implements W^X but not W!->X). It's been the low-hanging fruit of Pwn2Own for at least a decade. Chromium is way ahead on this front, but even it isn't foolproof; check your local CVE database.

3. Users still have to run software that is certainly full of bugs, plenty of which are exploitable. Official repositories are no panacea (sometimes they introduce new ones: cf. Debian and OpenSSL. Other times they completely nerf a package's toolchain hardening: cf. most Chromium packages, esp. Fedora's).

4. The biggest issue: one of the main purposes of a desktop OS, regardless of its source model or the repository endpoints a user chooses, is to handle untrusted content. I elaborated on this here: https://pleroma.envs.net/notice/AFY9Idt5XDDAKAYxGa
(DIR) Post #AFsVthj6v40gWyoMKW by Seirdy@pleroma.envs.net
2022-01-27T21:36:06.216644Z
0 likes, 0 repeats
@alcinnz @avalos @jollyrogue @k3vk4 @ariel Sandboxing isn't a tool to lock things down from the user, unless you've only been exposed to the way iOS implements it. Sandboxing is a way that users can control how programs behave at run-time in a way that's easier and more bulletproof than patching source code.

Toolchain hardening measures (assuming your distro packages don't nerf them, cf. CFI-enabled programs like Chromium or maybe Firefox by the year 2030) don't let users control this at run-time; they control programming errors.

Most importantly, proper audits don't actually depend on source code: they utilize binary analysis and black-box testing approaches like runtime analysis (e.g. strace) and fuzzing. If you don't believe me, check a CVE db for open-source libs like libcurl and openssl; fuzzers spot errors that programmers don't. In fact, the most recent Linux CVEs were spotted using black-box approaches (one of Google's fuzzers). The human eye is *terrible* at noticing subtle vulns in code.

I elaborated more on this in this thread: https://pleroma.envs.net/notice/AFY9Idt5XDDAKAYxGa

Finally, sandboxing doesn't stop you from auditing programs. If anything, it makes it easier to monitor how programs react to different runtime environments.
(DIR) Post #AFsWziVn0s1Qeq0lX6 by alcinnz@floss.social
2022-01-27T21:44:09Z
0 likes, 0 repeats
@Seirdy @jollyrogue @k3vk4 @ariel @avalos Fair enough!

I'd still appreciate such an OCap language to help guide auditing efforts, but I can acknowledge that's more about addressing malfeatures (which I have zero faith in sandboxing to block) than security vulnerabilities (which I don't trust myself to catch). I like Haskell for this, but it's a poor language to write an OS in.
(DIR) Post #AFsWzj4WvhoMOaGVgO by Seirdy@pleroma.envs.net
2022-01-27T21:48:23.746653Z
0 likes, 0 repeats
@alcinnz @jollyrogue @k3vk4 @ariel @avalos Sandboxing is a partial solution for malfeatures. If you block filesystem access, block/filter networking, etc. you can accomplish quite a bit. Binary analysis and run-time monitoring (e.g. using strace) can also tell you exactly what a program is doing, though it becomes difficult if a program employs binary obfuscation.These are partial solutions, and being able to patch a program to alter its functionality is where FOSS becomes critical.
(DIR) Post #AFsYy4HvHIOlWbro7U by alcinnz@floss.social
2022-01-27T21:54:59Z
0 likes, 0 repeats
@Seirdy @jollyrogue @k3vk4 @ariel @avalos Yeah, and what I'm advocating for to make auditing open source easier can be viewed as "taking sandboxing to the extreme"! Sandbox every single function!

That extreme would probably be entirely compile-time, with coarser-grained runtime sandboxes for hardening against vulnerabilities.

Yes, I am thinking about iOS sandboxing when I object; glad for the clarification.

1/2
(DIR) Post #AFsYy4pbG5KxD3chc0 by Seirdy@pleroma.envs.net
2022-01-27T22:10:29.566039Z
1 likes, 0 repeats
@alcinnz @jollyrogue @k3vk4 @ariel @avalos One of an infinite number of examples of how sandboxing is a net benefit to user freedom: I have two shell scripts that run a matrix client (gomuks), sandboxed by bubblewrap. Each script mounts a different profile+cache directory from the host to the sandbox. This means I can have two instances of the client open with two different accounts, without going through the trouble of implementing support for switching user accounts.

Sandboxing literally gave me more control over how a piece of FLOSS behaved, and I didn't even have to know what language it was written in.

Another example: there's a decent chance that the "file" command on your system uses sandboxing. It is typically built to link against libseccomp to filter the syscalls it's allowed to run. This is because the "file" command exists only to parse arbitrary untrusted content.

But people don't think of this when they think of sandboxing. They think of how they can't run nginx on an iPhone easily.
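The two-profile bubblewrap setup described in the post above, as an added example (this is not the poster's actual script, nor anything shipped by gomuks or bubblewrap). The only thing that differs between two running instances is which host directory gets bind-mounted as the client's config and cache directory, so two accounts run side by side without the client supporting account switching. Assumptions, all hypothetical: the client binary is /usr/bin/gomuks, it reads its state from $XDG_CONFIG_HOME/gomuks and $XDG_CACHE_HOME/gomuks, and per-profile state lives under $GOMUKS_PROFILES (default ~/.local/share/gomuks-profiles/<profile>/).

```shell
#!/bin/sh
# Added example: one sandboxed gomuks instance per profile, via bubblewrap (bwrap).
# Assumed (hypothetical) paths: /usr/bin/gomuks, XDG config/cache dirs, and a
# per-profile directory tree under $GOMUKS_PROFILES.

# Print the bwrap argument list for PROFILE, one argument per line.
# The sandbox root is an empty tmpfs; only what is listed below exists inside it.
gomuks_bwrap_args() {
    profile=$1
    base="${GOMUKS_PROFILES:-$HOME/.local/share/gomuks-profiles}/$profile"
    cat <<EOF
--ro-bind /usr /usr
--symlink usr/lib /lib
--symlink usr/lib64 /lib64
--symlink usr/bin /bin
--ro-bind /etc/resolv.conf /etc/resolv.conf
--ro-bind /etc/ssl /etc/ssl
--proc /proc
--dev /dev
--tmpfs /tmp
--dir /home/user
--bind $base/config /home/user/.config/gomuks
--bind $base/cache /home/user/.cache/gomuks
--setenv HOME /home/user
--setenv XDG_CONFIG_HOME /home/user/.config
--setenv XDG_CACHE_HOME /home/user/.cache
--unshare-all
--share-net
--new-session
--die-with-parent
EOF
}
# --unshare-all drops every namespace (pid, ipc, uts, user, net...); --share-net
# re-enables networking only, since a chat client is useless without it.
# --new-session blocks the TIOCSTI terminal-injection escape; --die-with-parent
# kills the client if the wrapper dies, so no orphaned sandbox lingers.

# Create the profile's host directories, then replace this shell with the sandboxed
# client. The argument list is word-split, so refuse paths containing whitespace.
run_gomuks() {
    profile=$1
    base="${GOMUKS_PROFILES:-$HOME/.local/share/gomuks-profiles}/$profile"
    case $base in
        *[[:space:]]*) echo "profile path must not contain whitespace: $base" >&2; return 1 ;;
    esac
    mkdir -p "$base/config" "$base/cache"
    # shellcheck disable=SC2046
    exec bwrap $(gomuks_bwrap_args "$profile") -- /usr/bin/gomuks
}

# Usage: ./gomuks-sandbox.sh alice   (and in another terminal: ./gomuks-sandbox.sh bob)
if [ "$#" -eq 1 ]; then
    run_gomuks "$1"
fi
```

Each profile gets an identical sandbox except for the two `--bind` lines, which is the whole trick. To see what the client can actually reach, run `bwrap ... -- /bin/sh` with the same argument list and look around from inside; anything not bind-mounted simply does not exist there.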
(DIR) Post #AFsYy6DO77xXV7lDKS by alcinnz@floss.social
2022-01-27T22:02:21Z
0 likes, 0 repeats
@Seirdy @jollyrogue @k3vk4 @ariel @avalos Yes, I wish webapps weren't so heavily used. That we could stick more to the package repos. But no, that's not today's reality, much as I'm working towards it.

On the flipside: yes, I would like to see our file viewers/editors be more hardened. I don't like seeing how little trust modern browsers seem to have in them. As long as it's not iOS extreme!

2/2
(DIR) Post #AFst0XkefNNizO8ZYO by lxo@gnusocial.net
2022-01-28T01:25:22Z
1 likes, 0 repeats
lock-in doesn't sound right when you can build and use the software on any system you like. it sounds like "you're sentenced to enjoy life in happiness and freedom if you wish"
(DIR) Post #AFtJhHPhsqBVZvNUWG by Seirdy@pleroma.envs.net
2022-01-28T06:54:05.432584Z
0 likes, 0 repeats
@k3vk4 @jollyrogue @alcinnz @ariel @avalos SELinux is far more capable than AppArmor, though. While it's hard to write policies by hand, SELinux offers tools to help automate the process (e.g. audit2allow).bubblewrap and minijail are much easier, though.
(DIR) Post #AFuKkoqaKTAvFfA4Dg by Seirdy@pleroma.envs.net
2022-01-28T18:40:39.068497Z
0 likes, 0 repeats
@k3vk4 @alcinnz @ariel @avalos Pretty much every distro that uses Mandatory Access Controls (MAC), e.g. SELinux/AppArmor (and to a lesser extent, even Windows and macOS) has incredibly lax policies because userspace simply isn't designed for secure communication between programs. That's why Android had to re-implement everything when figuring out how to get programs to securely talk to each other before writing good SELinux policies.

The best effort I know of when it comes to stricter MAC for the Linux desktop is noatsecure's WIP Fedora-based hardhat project:
- https://github.com/noatsecure/hardhat
- https://github.com/noatsecure/hardhat-selinux
- https://github.com/noatsecure/hardhat-selinux-templates
- https://github.com/noatsecure/hardhat-configuration

@jollyrogue: noatsecure also put together a great tutorial on getting started with writing SELinux policies in a semi-automated manner: https://github.com/noatsecure/tutorial-selinux

Ultimately I think that the people in the best positions to write sandboxing/MAC policies for their software are the developers of the software themselves; these policies can then be refined by package maintainers. Developers already do the runtime analysis I've been talking a ton about when they run programs with sanitizers, and they often include sandboxed systemd units (what I've said about systemd having the right goals despite having poor architecture still stands). Tailoring/tightening sandboxing policies to a specific distro's quirks is an area where package maintainers can actually be a huge help: for instance, they know exactly which libraries a program will link against and can figure out exactly which syscalls to allow.
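What a developer-shipped "sandboxed systemd unit" looks like in practice, as an added example (not from the post above, not from the hardhat project, and not from any real package). The service name and binary are hypothetical; the directives are standard systemd ones. The last two lines are where a package maintainer's knowledge of the distro build comes in: the syscall filter can only be tightened once you know which libraries the binary actually links against.

```ini
# /etc/systemd/system/example-daemon.service  (hypothetical service)
[Unit]
Description=Example network daemon, sandboxed

[Service]
ExecStart=/usr/bin/example-daemon
# Run as a transient, unprivileged user with no persistent identity on the host.
DynamicUser=yes
# Filesystem: read-only everything, no home dirs, private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Kernel surface: no sysctl/module/cgroup writes, no clock or hostname changes.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Privilege: no setuid escalation, no capabilities at all, no new namespaces.
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
# No writable+executable memory (JIT-less daemons can afford this).
MemoryDenyWriteExecute=yes
# Network: only the socket families the daemon needs.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Syscalls: native ABI only, the generic service allow-list, minus privileged ones.
# Narrowing this further is the distro-specific work the post talks about.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
```

To check the result, `systemd-analyze security example-daemon.service` scores every directive and lists what is still exposed; run it on the unit before and after adding the filters, and run the daemon under strace for a while to confirm nothing it needs was cut. A filter that kills the daemon on a rarely used code path is the failure mode to watch for, so exercise error handling and not just the happy path.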
(DIR) Post #AG3hh2rTUfKiVAOnPk by alcinnz@floss.social
2022-01-27T22:14:00Z
1 likes, 0 repeats
@Seirdy @jollyrogue @k3vk4 @ariel @avalos Yeah, I think we're more in agreement than we first thought...I NEED to learn these tools better, I need to learn how to harden my own software against parsing untrusted data.
(DIR) Post #AGSc5EvURNppQr5K2C by dhfir@expired.mentality.rip
2022-02-14T07:35:02.306432Z
1 likes, 0 repeats
@avalos @ariel @alcinnz necessary complexity?

half this shit is just new ways of doing shit that was already possible! all that achieves is invalidating old docs if your distro does things the systemd way.

beyond that, one of the first complaints anyone made about systemd was that its sheer colossal size makes it basically impossible to audit for security flaws (it has not been audited for security flaws).
(DIR) Post #AGScwjiOhPGWGnTCds by dhfir@expired.mentality.rip
2022-02-14T07:44:41.896536Z
0 likes, 0 repeats
@k3vk4 @avalos @ariel @alcinnz "takes several minutes to boot the machine"

I use Alpine, which uses OpenRC, and my machine sure as hell doesn't take multiple minutes to boot.

beyond that, while I'll admit it generally does not matter, I left Manjaro in part because said services were fucking with my ability to use my machine. would most users know or care that chsh stopped working yesterday cuz the distro uses sysd for that now? no. but goddamnit, it mattered to me. so now I use Alpine.
(DIR) Post #AGSuYsOSa0CHPVutzE by alcinnz@floss.social
2022-02-14T07:40:55Z
0 likes, 0 repeats
@dhfir @ariel @avalos Yes, systemd isn't making anything new possible, it's just shuffling existing complexity around. I'll leave it to your judgement whether that was necessary.

As for systemd's supposed colossal size: from auditing it myself I can tell you that's misinformation. There are a few (early-boot) daemons in the same repository, but they're all very decoupled.
(DIR) Post #AGSuYsycPZ7XDepmLY by dhfir@expired.mentality.rip
2022-02-14T11:02:03.740402Z
0 likes, 0 repeats
@alcinnz @ariel @avalos so cancel the security complaints but +1 on unnecessary complexity.
(DIR) Post #AGTLD8gs0MykLWO4v2 by avalos@mstdn.social
2022-02-14T16:00:40Z
0 likes, 0 repeats
@dhfir @alcinnz @ariel Don't be so dramatic.
(DIR) Post #AGTLcV3E0Quow4w80m by dhfir@expired.mentality.rip
2022-02-14T16:05:15.832492Z
0 likes, 0 repeats
@avalos @alcinnz @ariel someone with greater experience than me corrected me, and I accepted it.as far as conversations go, I'd say I'm being reasonable.
(DIR) Post #AGTLnWPrGrqYM3mLc8 by avalos@mstdn.social
2022-02-14T16:07:15Z
0 likes, 0 repeats
@dhfir @alcinnz @ariel Sorry, I thought you were being sarcastic.