Post AL7W5h7SE7ipcCDM5Q by futureisfoss@fosstodon.org
Post #AL7RAzQN63Yg43lhho by thebiologist1117@mk.nixnet.social
2022-07-03T15:43:50.190Z
0 likes, 1 repeats
@404zzz@stereophonic.space The GTK theme does look pretty cool though.
Post #AL7RET1LVxsqizilge by 404zzz@stereophonic.space
2022-07-03T15:45:01.050069Z
0 likes, 0 repeats
Yes it is! It looks like you installed Manjaro? 🤔
Post #AL7RHCiQaplJ1YB3nk by thebiologist1117@mk.nixnet.social
2022-07-03T15:45:17.235Z
1 likes, 0 repeats
@404zzz@stereophonic.space Yep, Manjaro!
Post #AL7RQztl6OUiAT9BEe by inference@plr.inferencium.net
2022-07-03T15:47:15.313102Z
0 likes, 0 repeats
@thebiologist1117 @404zzz Manjaro...Oh... Oh no...
Post #AL7Rqbvmpng7McJDrk by 404zzz@stereophonic.space
2022-07-03T15:51:52.930051Z
1 likes, 0 repeats
Do you like that big dock on the desktop? I personally don't. I use the default GNOME style. It's more "distraction" free.
Post #AL7S13KdoUznF3uhvs by thebiologist1117@mk.nixnet.social
2022-07-03T15:53:35.143Z
1 likes, 0 repeats
@404zzz@stereophonic.space I do prefer it without the dock...
Post #AL7S4kqoT3nX59j8N6 by 404zzz@stereophonic.space
2022-07-03T15:54:27.382964Z
0 likes, 0 repeats
I see :blobhighfive:
Post #AL7SDWNtcfu0p0NipE by thebiologist1117@mk.nixnet.social
2022-07-03T15:50:52.040Z
0 likes, 0 repeats
@inference@plr.inferencium.net @404zzz@stereophonic.space Is Manjaro bad?
Post #AL7SDWz7OHg0gRnRqK by inference@plr.inferencium.net
2022-07-03T15:56:01.854373Z
2 likes, 0 repeats
@thebiologist1117 @404zzz They use a script to scan your system for what you have installed (WM/DE etc.) for "updates", despite your package manager doing that for you.
They have allowed their TLS certificates to expire multiple times (at least 2) and told their users to change their clocks back to bypass the security issue (which also bypasses security for every other website on the planet and makes TLS useless).
They have unintentionally DDoSed Arch Linux's servers because they were too incompetent to do package management properly.
Post #AL7T9Nmjkk6awmai2q by srestegosaurio@plr.inferencium.net
2022-07-03T15:55:58.311752Z
1 likes, 0 repeats
@404zzz @thebiologist1117 The wallpaper. xD
Post #AL7TJw1DKQHU14OVPM by 404zzz@stereophonic.space
2022-07-03T16:08:24.248388Z
0 likes, 0 repeats
Cute, isn't it?
Post #AL7W5d2hNrXcyHxV7Q by futureisfoss@fosstodon.org
2022-07-03T16:38:41Z
1 likes, 0 repeats
@inference @404zzz @thebiologist1117 Can you tell me a bit more about the update thing? I'm thinking it's probably some kinda usability feature since they also support Flatpaks and the AUR in their package manager. But I've never heard about this before, weird.
And the TLS thing, I don't know how easy it is to renew the certificates, but considering they have a big team working behind this distro, maybe they could've handled the situation better. But this still wouldn't make them evil/bad IMO.
Post #AL7W5h7SE7ipcCDM5Q by futureisfoss@fosstodon.org
2022-07-03T16:32:03Z
1 likes, 0 repeats
@thebiologist1117 @404zzz I just have to say that Misskey looks absolutely stunning!
Post #AL7XJVkzMu0INqrIES by inference@plr.inferencium.net
2022-07-03T16:53:07.764317Z
1 likes, 0 repeats
@futureisfoss @404zzz @thebiologist1117 The update thing is a script you can find in their Git repositories. It scans your system to find out what software you have so it can "update" it, even though your package manager already does this without a scanner script. Seems like spyware to me.
TLS certificates can be renewed automatically, and take even just seconds manually. There is zero reason why any professional organisation would allow TLS certs to expire. None.
Telling people to roll clocks back *is* the definition of an evil security sin. Not only is it incompetent, it is downright dangerous and malicious. TLS encryption relies on date and time being correct. Changing this to make expired certificates unexpired is putting the user at extreme risk and is worse than using unencrypted HTTP.
Post #AL8LydRsfdlFoviwWe by pete@fedi.pimoore.ca
2022-07-03T18:55:34Z
2 likes, 0 repeats
@inference @404zzz @thebiologist1117 @futureisfoss Wow, that's beyond bad. I remember hearing about this back in the day but didn't know the whole story behind it.
If I were going to use Linux now, it would hands down be Fedora.
Post #AL8Lye7iA7DnufILj6 by futureisfoss@fosstodon.org
2022-07-03T19:13:26Z
1 likes, 0 repeats
@pete I don't think it's as bad as it seems. The scanner script is probably a usability/functionality thing; I don't think Manjaro is trying to spy on people, lol. The TLS one, I understand why some people have a problem with that. They probably fucked up something on their servers, I don't know what, but it should be bad enough to ask people to change their clocks - but only temporarily, and the security risks are those of expired TLS, which is kinda rare these days 🤔
@inference @404zzz @thebiologist1117
Post #AL8LzWXRqdtWg7kfL6 by mondstern@mastodon.technology
2022-07-03T16:01:45Z
0 likes, 0 repeats
@thebiologist1117 @404zzz Misskey?
Post #AL8LzX6BlTgSPs0PUO by mondstern@mastodon.technology
2022-07-03T16:08:02Z
0 likes, 0 repeats
@thebiologist1117 @404zzz Do you share your theme as well?
Post #AL8LzYtV5cirz65IzQ by thebiologist1117@mk.nixnet.social
2022-07-03T18:16:07.176Z
1 likes, 0 repeats
@mondstern@mastodon.technology @404zzz@stereophonic.space It came with the version of Brave from Manjaro's package manager. And yes, I'm using Misskey.
Post #AL8M0DIirGfJIuC0rA by futureisfoss@fosstodon.org
2022-07-03T17:59:45Z
1 likes, 0 repeats
@inference @404zzz @thebiologist1117
> Seems like spyware to me
Unless it doesn't send this data back to them, it doesn't seem like spyware to me. Though I wonder if it would break any functionality if we removed this script 🤔 We actually have a little fork of Manjaro called Tromjaro, but I wouldn't wanna test removing such things and risk breaking functionality, haha 😄. We're just a small group of people (too small to even call a group), not a big team like Manjaro :blobcatgiggle:
Post #AL8XYeFMHPy0DTF212 by inference@plr.inferencium.net
2022-07-04T04:30:34.291846Z
0 likes, 0 repeats
@futureisfoss @pete @404zzz @thebiologist1117
> change their clocks - but only temporarily, and the security risks are of expired TLS which is kinda rare these days
No, this is feeding the ridiculously bad and naive security practices seen here. I'm not trying to infer that you're stupid here, but you clearly don't understand the risks of TLS certificates and bypassing clocks, and how time sensitivity plays an enormous role in security as a whole.
This should never have happened. No excuses. None. This is careless, reckless behaviour, which could get every one of their users middlemanned and backdoored in seconds.
Post #AL8elL1nkG0U3QtlPk by AmpBenzScientist@qoto.org
2022-07-04T05:40:24Z
0 likes, 0 repeats
@inference @404zzz @thebiologist1117 The performance is good but it quickly becomes clear that it is a sketchy descendant of Arch Linux with some of the best wallpapers. Performance grows worse as new sketchy applications are installed.
The wallpapers are pretty cool but the system as a whole makes me want to move back to an FSF Approved Distro. God forbid if you want to use it for development. It's a distribution that demonstrates that apt might not be perfect but it is better than pacman.
The strong suit of the distribution is the wallpapers and some of the drivers. It will break on update just like Arch. Security is sketchy and perhaps the worst I've seen. There are many issues but I don't want to ramble on.
Post #AL8elLenPHCO0N8uC8 by inference@plr.inferencium.net
2022-07-04T05:51:18.161488Z
0 likes, 0 repeats
@AmpBenzScientist @404zzz @thebiologist1117 The security issues alone make me wish it didn't exist. Most of its users will think it's safe because it's Linux, which simply isn't true.
Manjaro users are in danger thanks to the incompetency of Manjaro devs/maintainers. Simple as that.
It's so bad, it should be illegal.
Post #AL8hZU6kScLubPFfcm by dushman@shitposter.club
2022-07-04T06:22:48.959729Z
0 likes, 0 repeats
@AmpBenzScientist @inference @404zzz @thebiologist1117
> an FSF Approved Distro
Which one? There are like only 6 now iirc.
Post #AL8hc3juxB9vgvnhFg by dushman@shitposter.club
2022-07-04T06:23:16.823149Z
0 likes, 0 repeats
@AmpBenzScientist @404zzz @inference @thebiologist1117 Wait no just checked, 8 as far as the desktop ones go.
Post #AL8hnNu8K0RlPtyldY by inference@plr.inferencium.net
2022-07-04T06:25:17.552692Z
0 likes, 0 repeats
@dushman @thebiologist1117 @AmpBenzScientist @404zzz And don't they all use linux-libre without microcode?
Eww...
Post #AL8hqArzEyWVrLIzoG by AmpBenzScientist@qoto.org
2022-07-04T06:09:20Z
0 likes, 0 repeats
@inference @404zzz @thebiologist1117 Arch isn't much better. A common theme is that resources are being taken up on horrible ideas like snap and Flatpak.
Post #AL8hqBNtKM2nSIETXU by inference@plr.inferencium.net
2022-07-04T06:25:48.917630Z
0 likes, 0 repeats
@AmpBenzScientist @404zzz @thebiologist1117 At least Arch Linux doesn't tell users to bypass their own security and backdoor themselves.
Post #AL8im46yWe29h8v8wy by AmpBenzScientist@qoto.org
2022-07-04T06:31:12Z
1 likes, 0 repeats
@inference @404zzz @dushman @thebiologist1117 That's correct. Not many people would realize that, nor what Linux-libre is.
I don't trust the microcode anyway. Perhaps it's safer to use it, but if it was designed correctly, we wouldn't have to talk about bandages.
Post #AL8im4bShIQ7DhBUTA by inference@plr.inferencium.net
2022-07-04T06:36:14.885045Z
1 likes, 0 repeats
@AmpBenzScientist @404zzz @dushman @thebiologist1117 Microcode is running in proprietary x86 and ARM CPUs whether installed or not. All you're doing by not installing it is not updating it. It's still built into mask ROM on the CPU die itself.
If there's a backdoor, it's unavoidable, but you're at least protecting yourself against typical security issues against normal people, such as Spectre and Meltdown.
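A check that goes with the point above, added here as an example and not code from anyone in the thread: on Linux the kernel reports the loaded microcode revision per CPU in /proc/cpuinfo and the Spectre/Meltdown-class mitigation status under /sys/devices/system/cpu/vulnerabilities, and this script parses both, flagging CPUs that disagree on revision and mitigations the kernel says are unmitigated for lack of microcode. The embedded sample inputs are constructed (x86 layout assumed), so it runs offline; `audit_live_system()` reads the real files.

```python
from pathlib import Path

# Constructed sample of /proc/cpuinfo: two logical CPUs, one reporting an
# older microcode revision than the other.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed)
microcode\t: 0xf0
processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed)
microcode\t: 0xea
"""

# Constructed sample of /sys/devices/system/cpu/vulnerabilities/* contents.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; STIBP: conditional",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}


def microcode_revisions(cpuinfo_text):
    """Map each logical CPU index to the microcode revision the kernel reports."""
    revisions, cpu = {}, None
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "processor":
            cpu = int(value)
        elif key == "microcode" and cpu is not None:
            revisions[cpu] = int(value, 16)  # kernel prints it as 0x... hex
    return revisions


def inconsistent_revisions(revisions):
    """True when CPUs disagree on revision, e.g. an update that only partly applied."""
    return len(set(revisions.values())) > 1


def mitigations_missing_microcode(vulns):
    """Names of issues the kernel reports as unmitigated because microcode is absent."""
    return sorted(name for name, status in vulns.items()
                  if status.startswith("Vulnerable") and "no microcode" in status)


def audit_live_system():
    """Run the same checks against the real kernel interfaces (Linux only)."""
    revs = microcode_revisions(Path("/proc/cpuinfo").read_text())
    vdir = Path("/sys/devices/system/cpu/vulnerabilities")
    vulns = {p.name: p.read_text().strip() for p in vdir.iterdir()} if vdir.is_dir() else {}
    return {"revisions": revs, "inconsistent": inconsistent_revisions(revs),
            "missing_microcode": mitigations_missing_microcode(vulns)}


if __name__ == "__main__":
    print(audit_live_system())
```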
Post #AL8nGx0nN66GTA0rPU by AmpBenzScientist@qoto.org
2022-07-04T07:02:40Z
0 likes, 0 repeats
@inference @404zzz @dushman @thebiologist1117 I'm aware of the microcode that goes back to the 70s. I suspect that the patches aren't worth using and that the system can't be trusted even if fully patched. It's a flawed design and perhaps worth the risk in some uses to not patch the microcode.
I could very well be wrong, but I'm not suggesting that it's the best decision. Imagine screwing up so badly that most of the computers in the world are vulnerable and continuing to sell processors.
Post #AL8nGxYpKZK2Ahw2SG by inference@plr.inferencium.net
2022-07-04T07:26:39.249239Z
0 likes, 0 repeats
@AmpBenzScientist @404zzz @dushman @thebiologist1117 That's literally what security is. Nothing is 100% secure. Even the best systems, whether software such as Qubes OS or OpenBSD, or hardware such as HSMs and hardware encrypted drives. There are always flaws, and patches are essential to fixing issues which were not known.
Microcode updates are the same as any other security patch and should be treated the same way.
Post #AL8nMGc3vGOci0ylfs by inference@plr.inferencium.net
2022-07-04T07:27:38.395452Z
1 likes, 0 repeats
@AmpBenzScientist @404zzz @dushman @thebiologist1117 That's literally what security is. Nothing is 100% secure. Even the best systems, whether software such as Qubes OS or OpenBSD, or hardware such as HSMs and hardware encrypted drives. There are always flaws, and patches are essential to fixing issues which were not known.
Microcode updates are the same as any other security patch and should be treated the same way.
Post #AL8oEgqwZx4VjDtIIa by dushman@shitposter.club
2022-07-04T07:37:29.242467Z
1 likes, 1 repeats
@inference @thebiologist1117 @AmpBenzScientist @404zzz True. You might as well keep it up to date to avoid bugs and vulnerabilities.
Post #AL8pUj9JuOQTRDhHcm by dushman@shitposter.club
2022-07-04T07:51:35.682270Z
3 likes, 1 repeats
@AmpBenzScientist @inference @404zzz @thebiologist1117 It's physically impossible to design literally perfect hardware or software. Something being flawed from the get go doesn't mean you should just avoid fixes or mitigations.
Post #AL8ptBvyXU7tf87Xw8 by futureisfoss@fosstodon.org
2022-07-04T07:47:31Z
0 likes, 0 repeats
@inference @404zzz @pete @thebiologist1117 I don't know that much about TLS, so maybe you're right, it's a bigger threat than I assumed. When Manjaro asked users to change their clocks, it was only a temporary thing, right? Because it'd be a 100 times worse if it was permanent.
Post #AL8ptCNGtzxd1mtLU0 by inference@plr.inferencium.net
2022-07-04T07:55:58.124075Z
0 likes, 0 repeats
@futureisfoss @404zzz @pete @thebiologist1117 Whether temporary or not is completely irrelevant. Changing date or time to an incorrect value, whether intentionally or unintentionally, is a major security risk and can (and will) cause issues with everything from verifying that the owner of the TLS certificate (and thus domain) is authentic and still owns that domain, to sudo and doas, as well as login times and account lockouts on local systems using time-based lockouts.
Maliciously and/or incompetently telling users to roll back clocks is *literally* breaking 80+% of the security on their system, even offline. They should have renewed their cert, or taken their website offline if that wasn't possible for some reason. What they did (multiple times!) was put their users in extreme danger. Even passwords are effectively useless in some situations where time is used as a base.
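The clock-rollback problem the thread is arguing about, as an added example (not code from the thread or from Manjaro): a validity check that trusts the system clock accepts an expired certificate as soon as the clock is set back into its old window, while a client that refuses any clock earlier than its own build timestamp (an assumed sanity floor, the kind of check some browsers and update clients apply) refuses to answer rather than returning a false "valid". All dates and the build time are constructed.

```python
from datetime import datetime, timezone

# Constructed validity window of a certificate that expired on 2022-06-30
# (placeholder dates, not any real Manjaro certificate).
NOT_BEFORE = datetime(2021, 7, 1, 0, 0, 0, tzinfo=timezone.utc)
NOT_AFTER = datetime(2022, 6, 30, 23, 59, 59, tzinfo=timezone.utc)

# Lowest "now" the client is willing to believe: the timestamp of its own
# build/installation (assumed value, constructed for this demo).
BUILD_TIME = datetime(2022, 7, 1, 0, 0, 0, tzinfo=timezone.utc)


def naive_is_valid(now, not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """Validity-window check that trusts the system clock unconditionally."""
    return not_before <= now <= not_after


def checked_is_valid(now, build_time=BUILD_TIME,
                     not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """Same window check, but refuse to evaluate against a clock that predates
    the software doing the evaluation: such a clock has clearly been rolled
    back, so any 'valid' answer derived from it would be meaningless."""
    if now < build_time:
        raise ValueError(
            f"clock {now.isoformat()} predates build time "
            f"{build_time.isoformat()}; refusing to evaluate certificate")
    return naive_is_valid(now, not_before, not_after)


def compare(now):
    """Run both checks for one clock reading and report what each says."""
    try:
        checked = checked_is_valid(now)
    except ValueError:
        checked = "refused (clock rolled back)"
    return {"naive": naive_is_valid(now), "checked": checked}


def demo():
    """The thread's scenario: the real time is after expiry, and users are
    told to set the clock to a date inside the certificate's old window."""
    real_now = datetime(2022, 7, 3, 16, 0, 0, tzinfo=timezone.utc)
    rolled_back = datetime(2022, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    return {"real_clock": compare(real_now), "rolled_back": compare(rolled_back)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Note that with the clock rolled back, the naive check would accept not just this one certificate but any certificate that was valid on the chosen date, which is why the risk is not limited to the one site whose certificate expired.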
Post #AL8rMvTyN1R9HQlUyu by AmpBenzScientist@qoto.org
2022-07-04T08:10:29Z
0 likes, 0 repeats
@inference @404zzz @dushman @thebiologist1117 I agree but some people like to explore. A flawed Lenovo Thinkpad UEFI allowed researchers to document what AMD's PSP was capable of.
Post #AL8rMvt8rRZOXUXbDE by inference@plr.inferencium.net
2022-07-04T08:12:33.036512Z
0 likes, 0 repeats
@AmpBenzScientist @404zzz @dushman @thebiologist1117
> A flawed Lenovo Thinkpad UEFI allowed researchers to document what AMD's PSP was capable of.
This just effectively reverse engineered what it does. Nothing special about it. It's well known that both AMD PSP and Intel ME control the x86 cores from a low-level system management interface and won't even unlock to start the cores if they are broken or the signature doesn't verify. It's irrelevant to microcode. Whether you install it or not, you simply can't escape PSP or ME; the only way is to not use x86 or ARM. Even ARM has TrustZone (which is what PSP is based on).
Post #AL8sfl2zUZteN8gilU by futureisfoss@fosstodon.org
2022-07-04T08:21:09Z
0 likes, 0 repeats
@inference @404zzz @pete @thebiologist1117 I understand what you're saying, but I wouldn't say whether temporary or not is completely irrelevant. Every time a software vulnerability is found and an update is released to fix it, we tell everyone to quickly update to the latest version, why is that? Because the longer they wait before updating, the more time they're vulnerable, and that increases their chance of being exploited. So a permanent vulnerability is 100 times worse than a temporary one.
Post #AL8sflfz9b5YK4vrXs by inference@plr.inferencium.net
2022-07-04T08:27:09.247343Z
0 likes, 0 repeats
@futureisfoss @404zzz @pete @thebiologist1117 You're completely missing the point and wandering further from the real issue here.
They are *creating* a security issue, not fixing one.
Real security is renewing your TLS certificates. Security vulnerabilities are created by setting incorrect clocks.
I cannot state this any simpler. Manjaro have no defense for what they did, and you should not be defending them.
Post #AL8sfmtqbXls7MQRn6 by futureisfoss@fosstodon.org
2022-07-04T08:27:10Z
0 likes, 0 repeats
@inference @404zzz @pete @thebiologist1117 I'm not trying to defend manjaro here, I know they fucked up and I agree what they did was wrong. You have every right to call them incompetent for that. But I wouldn't say they're malicious or evil though.
Post #AL8sqAIuRWsTbI62cq by inference@plr.inferencium.net
2022-07-04T08:29:02.994260Z
0 likes, 0 repeats
@futureisfoss @404zzz @pete @thebiologist1117 Perhaps not malicious, but certainly incompetent.
If you ask me, incompetence is worse, because they think what they're doing is right when it's not. At least malice knows what it's doing.
Post #AL8y4x1oaFFyXbyECG by AmpBenzScientist@qoto.org
2022-07-04T09:18:40Z
1 likes, 0 repeats
@inference @404zzz @dushman @thebiologist1117 RISC-V is even getting something that should do the same thing.
The researchers found that the firmware loaded from UEFI, and it turns out that AMD wasn't fully honest about PSP.
There's a rumor that Intel, AMD and ARM were included in SIGINT for the NSA.
Post #AL98odkVau6jbuIgqm by futureisfoss@fosstodon.org
2022-07-04T08:41:54Z
0 likes, 0 repeats
@inference @404zzz @pete @thebiologist1117
> If you ask me, incompetence is worse, because they think what they're doing is right when it's not. At least malice knows what it's doing.
In my personal opinion I think malice is worse. I have worked on some projects and I know mistakes happen sometimes, we're all humans. But when we realize our mistake we should accept it and try to correct it; this is the important thing for me.