• 0 Post
  • 141 Comment
Joined 1Y ago
Cake day: Oct 28, 2020


Traditionally all apps run on system libraries.

…and for good reasons: distributions need to provide timely but also well-tested security updates.

It’s already a significant effort to do so when you have only one copy of each library, imagine having a combinatorics explosion of dependencies…


Excellent points. Many “alternatives” to traditional distributions like docker, flatpak and similar harm security and stability in the long term. Users need systems that receive security updates for years without having to break functionality.


The article makes a lot of confusion between centralization vs distribution for technical reasons and issues around centralization of power. These are different topics and they don’t always go together.

Also claiming that in a p2p environment everybody would need to run a server or have technical skill is incorrect.


The way gossip protocols work fits very well on a mixture of intermittent and local-only connectivity between nodes. In addition, WiFi can cover much more than 30m in open space if you have good antennas on one side. Kilometers on a point-to-point link in line-of-sight even in urban areas.

As a side note, there is little reason to implement a mesh that uses only one technology. (e.g. Briar has an open issue to add LoRa)


There is already https://briarproject.org/how-it-works/ for this.

LoRa is too slow for most uses, while a store-and-forward p2p network over wifi and bluetooth could do a lot.


Essentially, it sounds like you want all discussion of this topic to be banned.

Are you referring to me? That’s quite harsh.


No. It depends on the distribution, but both Debian and paid distributions give maximum priority to patching vulnerabilities on stable/LTS releases. In various cases they are faster than the upstream developers.


The article is indeed one-sided and often makes exaggerated claims.

One example: "This is in contrast to a rolling release model, in which users can update as soon as the software is released, thereby acquiring all security fixes up to that point."

This ignores the fact that new releases are the only source of new vulnerabilities.

Plus, new vulnerabilities are still to be reported. A 0-day in the wild is usually worse than a published vulnerability: at least you can learn about the latter and take decisions on how to handle it.


We shouldn’t believe anyone blindly. But this does not mean that random comments on social networks have similar credibility to papers published in Nature by PhDs and tenured professors.

People have finite time and energy to research and focus. Wasting everybody’s time debunking falsehoods or reading unreliable sources or debating wacky theories is anti-intellectualism.


These statements can be profoundly misleading when taken without context.

Security is complex and multi-faceted. It needs to be understood with the proper context:

  • what type of user are we protecting: skilled, unskilled, an entire company? An entire nation?
  • what type of data are we protecting: a database? The user email address, browsing activity, connection metadata?
  • what is the threat model or the attacker: a simple email scam? Surveillance from big companies? Targeted attack from a nation state?

The majority of security breaches are surprisingly low-tech (phishing, guessable passwords…, stalkerware, built-in telemetry).

Without context an article that goes “Linux being secure is a common misconception in the security and privacy realm.” can easily fuel FUD.


There are many thousands of substances being tested as COVID treatments. There are dedicated forums to discuss research.

Trying to stir up conversations about a random substance in random forums creates a false impression of importance and legitimacy. This is an example of misinformation.


Besides being theft of other people’s paid service and illegal, this puts innocent people at risk. Can we please keep this kind of idea out of Lemmy?


Install FreedomBox.

Buy sensors and contribute to https://sensor.community

Buy an SDR and contribute to https://www.adsbexchange.com/faq/


Hurd or not, we need a new kernel. Linux is showing its limits around security and modularity. Writing drivers is difficult, error prone and users need to trust drivers not to introduce vulnerabilities. Vendors often refuse to write drivers or to write them well enough to be accepted into mainline Linux. Also, Linux and Hurd are not under GPLv3.



Is this a marketing spin? The software industry does not need more hype.


TUXEDO Pulse 15. They are not a big faceless corporation and seem to care about users.


I did and it’s misleading. Debian itself is independent.




Anonymous comments would be best, but only if it’s integrated with upvoting/downvoting/flagging to provide personalized ranking of comments.