Posts by alwayscurious@infosec.exchange
 (DIR) Post #AYZT8xx3hRvu1jdwo4 by alwayscurious@infosec.exchange
       2023-08-10T00:32:26Z
       
       0 likes, 0 repeats
       
       @mjg59 from a device maker’s perspective, is this attack possible to block?
       
 (DIR) Post #AYhM7JZ3ECTa42MJDU by alwayscurious@infosec.exchange
       2023-08-13T19:53:08Z
       
       0 likes, 0 repeats
       
       @mjg59 thoughts on speculative taint tracking?  Or just refusing to speculatively access anything that is not already in L1 cache and the L1 TLB?
       
 (DIR) Post #AYq90bhKZ3JgR6SUl6 by alwayscurious@infosec.exchange
       2023-08-18T01:38:40Z
       
       0 likes, 0 repeats
       
       @mjg59 @daniel in what ways?
       
 (DIR) Post #AZ8aeKVG6l22IaFxjc by alwayscurious@infosec.exchange
       2023-08-26T23:12:51Z
       
       0 likes, 0 repeats
       
       @mjg59 which one?
       
 (DIR) Post #AZSEJgpH4Czdsx85Ka by alwayscurious@infosec.exchange
       2023-09-03T22:09:30Z
       
       0 likes, 0 repeats
       
       @gregkh Are you saying that people who cannot reboot every week should not use Linux? That’s a valid position to have, but if it is accurate, it needs to be much more widely known so that embedded systems vendors know not to use Linux for their uptime-critical products.
       
 (DIR) Post #Aa0WKlwliax0w4NJC4 by alwayscurious@infosec.exchange
       2023-09-21T23:38:16Z
       
       0 likes, 0 repeats
       
       @mjg59 why unfortunate?
       
 (DIR) Post #AaAZIHMahNtIwkYTfE by alwayscurious@infosec.exchange
       2023-09-26T19:58:43Z
       
       0 likes, 0 repeats
       
       @mjg59 UGA?
       
 (DIR) Post #AaAaCVeWl5YhTrl1bE by alwayscurious@infosec.exchange
       2023-09-26T20:07:33Z
       
       0 likes, 0 repeats
       
       @mjg59 why do you even care about it?
       
 (DIR) Post #AaAc25hWaiBo0PJqwi by alwayscurious@infosec.exchange
       2023-09-26T20:29:36Z
       
       0 likes, 0 repeats
       
       @mjg59 did anyone implement the standard, or is it useless?
       
 (DIR) Post #AaBUwZXAFskwGvr2lk by alwayscurious@infosec.exchange
       2023-09-26T19:26:02Z
       
       0 likes, 0 repeats
       
       The era of “get everything from your distro repository” is over, at least for desktop applications. Upstreams aren’t willing to wait on downstream distributions to ship the dependencies of their software.  Why should they?  Nowadays, they can just ship a flatpak on their own authority, include whatever dependencies they want in it, and do their QA on the same binary that end users will use, running in the same environment that end users will run it in.

       Is this a good thing?  For upstreams, it is.  For end users, it is good if (and only if) the upstream uses secure dependencies and keeps them up to date.  For sysadmins who need to know every single piece of software installed on their system, it is a bad thing.

       However, such sysadmins generally work for companies that can (and should!) pay for commercial support contracts.  That avoids expecting volunteers to do compliance work for free.  In fact, it could be a useful revenue source for upstream projects!
       
 (DIR) Post #AaBUwaA9utwqDs6BY8 by alwayscurious@infosec.exchange
       2023-09-26T20:06:23Z
       
       0 likes, 0 repeats
       
       This isn’t a case of flatpak = good and distro package = bad.  Rather, it is an indication that the huge amount of QA work needed for complex desktop applications is difficult to automate, and that debugging problems one cannot reproduce locally is nearly impossible.
       
 (DIR) Post #AaCWYQaCHH5ocwqck4 by alwayscurious@infosec.exchange
       2023-09-27T16:52:28Z
       
       0 likes, 0 repeats
       
       @tyil Who is going to pay for all of that extra work?  Upstream developers can spend their own time, working around downstream limitations, dealing with bug reports that should have gone to downstream package maintainers, etc.  Or they can just ship a flatpak and say that everything else isn’t supported.

       This is not a technical problem.  Whether a flatpak or a distribution package is technically better is irrelevant.  What is relevant is that many of these projects are developed by volunteers, and these volunteers choose Flatpak and Flathub because it is what works best for them.  And they are the only ones who have a say in these decisions.
       
 (DIR) Post #AaDVI1wwBqHync3t20 by alwayscurious@infosec.exchange
       2023-09-28T05:59:38Z
       
       0 likes, 0 repeats
       
       @tyil Insulting upstream developers is neither constructive nor acceptable.
       
 (DIR) Post #AaFepublHPifmNJ7mi by alwayscurious@infosec.exchange
       2023-09-28T20:41:40Z
       
       0 likes, 0 repeats
       
       @tyil I still think you are missing the point here.

       Suppose maintainer A maintains desktop application Z.  Z depends on a recent version of library L.  However, Debian stable and the most recent Ubuntu LTS only ship an old version of L, causing Z to break.

       A’s options are:

       1. Do not support Debian stable or Ubuntu LTS, and lose out on a large number of users.
       2. Change Z to support the old version of L as well.  When this is possible at all, it is likely to be very uninteresting and tedious work.
       3. Try to get a new version of L included via backports.  This is a bunch of extra work for A, and might well cause problems for A’s users because other programs or even parts of the system might require the old version of L (and be incompatible with the new one).
       4. Bundle L and support everyone, without any workarounds needed.

       In this situation, many maintainers will pick option 4 every single time, unless someone is paying them to pick one of the others.  It’s the only solution that allows many people to use their product and does not require them to perform a lot of unpaid, uninteresting labor.

       This is not a result of “ridiculously low standards” or “a massive ego problem”.  It is a result of the extreme difficulty of supporting many different Linux distributions without bundling dependencies.

       To be clear, Nix and Guix provide every single one of Flatpak’s advantages except for sandboxing, and provide much better visibility into what one has installed.  However, neither Nix nor Guix is accessible to the average user, whereas Flatpak is thanks to various GUIs.  Most distributions don’t have Nix or Guix packaged, whereas Flatpak is packaged by a huge number of Linux distros.
       
 (DIR) Post #AcERayxbJCC7lIxpw0 by alwayscurious@infosec.exchange
       2023-11-27T12:37:36Z
       
       0 likes, 0 repeats
       
       @tante Only if you care about privacy more than security.  Otherwise use an up to date Chromium package or even Google Chrome.
       
 (DIR) Post #AcrH4nJRfH7q5BBoX2 by alwayscurious@infosec.exchange
       2023-12-16T06:12:02Z
       
       0 likes, 0 repeats
       
       @mjg59 @drsbaitso @lilstevie ASN.1 can be parsed safely in C but doing so is a total nightmare.
       
 (DIR) Post #Av7awpTlyAewnG9h0y by alwayscurious@infosec.exchange
       2025-06-11T15:45:19Z
       
       0 likes, 0 repeats
       
       @libreoffice @Endof10 Please note that that old computer is likely vulnerable to CPU vulnerabilities that can be exploited by untrusted code, such as web sites.
       
 (DIR) Post #Av93o7mPeO7um52G48 by alwayscurious@infosec.exchange
       2025-06-15T05:47:30Z
       
       0 likes, 0 repeats
       
       @pastelfluffyfox @mutualaid @edendestroyer @MutualAidVisibility do you have a plan for getting out of the hotel into an apartment?
       
 (DIR) Post #Avz3VBpAcJjhAqOILY by alwayscurious@infosec.exchange
       2025-07-10T07:22:02Z
       
       0 likes, 0 repeats
       
       @whitequark I believe there are military HSMs that detonate explosives if tampered with.
       
 (DIR) Post #Avzq7Uql7kzYz7Swk4 by alwayscurious@infosec.exchange
       2025-07-10T16:53:50Z
       
       0 likes, 0 repeats
       
       @futurebird @CatDragon @arclight @Okanogen@mastodon.social @FeralRobots Is that because they need to keep their phones for emergency communication and they can have them on them without using them?