DistroWatch Weekly
Reader Comments
1 • Sign ISO Not Just Checksum (by Arch Watcher 402563 on 2016-03-14 00:47:32 GMT from North America)
Did the pirate Mint checksum match legit Mint? It's easy to do with junk pad bytes. Someone tell me I'm all wet, but an attacker need not change any original checksum file, just match the value. So the signature on the checksum file is don't-care. What needs signing is the full ISO file. Anything modified in the ISO will produce a bad signature.
2 • Checksums (by Jesse on 2016-03-14 01:16:03 GMT from North America)
@1: The fake Mint ISO did not match its checksums.
You can't make a file match a desired checksum simply by padding it with extra data, at least not within sane size restrictions. In trial runs researchers found they could match the checksums of two different files if they controlled (and could pad) _both_ files. But they could not do it if they controlled just one file and did not control the checksum.
In other words, signing either the checksum file or the ISO will work for all practical cases. An attacker cannot simply change and pad the ISO and still have a valid checksum.
3 • System76 (by SkinnyJ on 2016-03-14 01:35:54 GMT from North America)
Concerning the poll, I purchased a laptop from System76 two weeks ago. System76 computers come with Ubuntu installed. The laptop feels really solid, the screen is great. My only complaints are the location of the touchpad, the touchpad could be smaller and the buttons on the touchpad are a bit flimsy. But, all the hardware (802.11ac wireless card, camera, video) work right away. A little expensive, but since I want to run Linux and not worry about the hardware not being supported, it was the way to go. https://system76.com/
4 • Zareason (by GeorgeB on 2016-03-14 01:41:31 GMT from North America)
Bought a Zareason Zini i3 with 8 GB ram and Ubuntu 14.04. Works well and boots faster than my other linux boxes with Ubuntu.
5 • Poll question... (by Tom Joad on 2016-03-14 02:06:12 GMT from North America)
Good question!
I build my towers myself. Well, I do a bare bones that I like and then fill up the box. That is pretty easy to make it Linux friendly. I get exactly what I want how I want.
Laptops are way, way trickier. First I have to know what is in them and I mean exactly. I used to have to look out for those pesky Broadcom network adapters. Those are not the issue they have been in the past but still, for me, no thanks. I stay away from ATI too, or AMD now, video cards.
The two new Sonys I bought had windows installed and the conversion was painless for the most part. The first one has an Nvidia card but Ubuntu had a star crossed driver for it at the time. That took some deep research to fix. Come to find out Nvidia had the correct driver buried somewhere deep in their web site. I got it figured out long before Ubuntu did. Oh, they knew it was an issue but were in no hurry to correct it. I think it was 11.04. A whole lot of folks suffered dearly with that SNAFU.
Lastly I bought a System 76 laptop several, several years ago. That is still running fine though it is getting long in the tooth as they say. My son has it.
Yeah, I voted all or some of the above.
6 • Elaboration on Debian's switch (by D_CR on 2016-03-14 02:23:41 GMT from North America)
Any elaboration on why they went the IceWeasel route to begin with and what has changed to induce them to switch back to stock Firefox?
7 • Assembled from parts. (by Roy on 2016-03-14 02:36:33 GMT from North America)
I built this one from ordered parts and parts given to me. Some people know I like tinkering with computers and give me their old ones. Some part on it went bad or it just isn't the baddest thing out there so they just get rid of the whole computer. Case in point was a 2005 Dell XPS 710 desktop. It had a 1000 watt power supply and a 1 TB hard drive. I thanked the guy for the boat anchor. LOL The hard drive is still running great on my new computer.
8 • Poll (by slick on 2016-03-14 02:51:46 GMT from North America)
Build my own PC from parts, and prefer an AMD build.
Aware there are some vendors now selling personal computers with Linux pre-installed. Believe that is a good decision and choice is paramount with Linux, regardless of what Linux distribution is installed.
Choice is a step in the right direction. For everyone!
9 • gpg keys (by mroot on 2016-03-14 02:52:59 GMT from North America)
I don't think the problem is education. I think the problem is technical users expect non-technical users to be able to easily verify an iso using a process similar to the one detailed in the article and they can't. You may say that they need to do this but in many cases they don't have the ability. As a casual user I can do it but I struggle to get it done and I can use the command line, edit text config files, and am willing to do it even though I won't remember how to do it next time in 2 years when it is needed again. Now someone I am sure will comment on here that using a gpg key to check an iso is easy and it is for them because they have the right technical background. But that same person would be miffed if you pointed out that they can't change the struts on their car, replace the drain in their sink or run a transesterification. The real answer to using gpg keys is to have an easy GUI application that does all steps detailed in the article. After all we have GUI applications to manage packages, why can't we have something similar for gpg keys?
10 • System76 and/or prebuilt.. (by Brad on 2016-03-14 03:18:41 GMT from North America)
I'd love a system76 system!! And like someone previously said, it's great they are built around Linux,specifically Ubuntu.. but I would buy one and throw a lightning fast install of Arch on it! Or if I were to build my own, I'd go with AMD/Nvidia (more bang for the buck$) and Nvidia drivers for linux are smoother in my experience.. that's my .02 and YMMV
11 • Firefox (by slick on 2016-03-14 03:19:46 GMT from North America)
@#6 D_CR: Found the wiki with an explanation to one of your questions, very curious myself.
https://en.wikipedia.org/wiki/Mozilla_software_rebranded_by_Debian
Hope that helps!
12 • Zareason laptop & old windows machines (by M.Z. on 2016-03-14 03:27:16 GMT from North America)
Depending on how you count I did a few different things from the poll. My current laptop is a Zareason Strata that came with an old version of Mint Cinnamon pre-installed on the SSD. I set up a /data partition on the spinning HDD so I could have a shared location for files on all my distros & put Mint KDE & Mint Debian on the SSD & later replaced Mint Cinnamon with Mageia (more interesting than 2 versions of Mint with Cinnamon). My old desktop came with Vista & now I only use PCLinuxOS on it, while my 2 other machines were free/second hand.
I don't think there is too much need to pre-install Linux on big desktops, but I think it's worth it to get a laptop that comes with a good distro on it just to be extra sure everything works. Of course if you have the money it could save time & hassle to get something with your preferred distro installed, but I don't think I would. Either way I'm glad Zareason gives a good choice of distros.
http://zareason.com/shop/Laptops/
13 • ReactOS Review (by Pauli on 2016-03-14 03:34:33 GMT from North America)
So, let me see if I have this straight.... The rocket scientists who have been working on the ReactOS project, starting in 1996... YES 1996.... have worked on this piece of crap for 20 YEARS and come up with: a cold-room, reversed engineered BLUE SCREEN OF DEATH, major lockups, malfunctions requiring reboot and failure of Windows programs to function to any degree of competence/usefulness.
Riiiigghhtt....
OK, let me give you ReactOS guys a tip: YOU ALL NEED TO DROP THIS PROJECT LIKE THE DEAD-IN-THE-WATER PIECE OF S#!* IT IS AND YOU ALL NEED TO GO BACK TO C, C++ CODING 101!!!!!!!!!!!!!!!!!! Everybody associated with the ReactOS project should be EMBARRASSED about this BAD open-source version of a relic OS that you have created!
Clowns! LOL!!!!!!!!!!!!
14 • @1 padding checksums (by Pearson on 2016-03-14 04:25:59 GMT from North America)
You may be confused by the terminology. The sha256sum is not, technically, a checksum (where a checksum is merely adding bytes, ignoring overflow). The sha256 is more like (maybe exactly - it's been a while) a CRC calculation, using polynomials instead of simple arithmetic. The CRC approach is designed to make it very difficult to fake.
15 • ReactOS (by linuxista on 2016-03-14 06:13:47 GMT from North America)
@13 Why so harsh? If it's free software and they're having fun and learning, no harm done. It seems with the advent of virtual machines that the need for ReactOS, unless it were truly amazing, seems hard to defend. And it doesn't sound like it's anywhere near amazing, let alone functional, just something to play around with. I would say the fault, if any, doesn't lie with ReactOS as a hobby project, but Jesse not letting go of his hopes for the project and wasting his time reviewing it.
16 • not fault (by sam on 2016-03-14 06:37:41 GMT from North America)
In recent poll I ticked that I'd like to see "other, specialty" distros reviewed. ReactOS fits in "other" category. I say thank you for reviewing it, thereby sparing me from the disappointment I would have met in trying to use it in its current state.
17 • Verifying signatures (by g1 on 2016-03-14 07:18:54 GMT from Europe)
Using a public keyserver to fetch the public key needed to verify a file is equivalent to ask the signer of a check if the signature is genuine.
Nothing prevents you to generate a key, with a fake "distro X release manager" identity, and upload to a key server.
Public keys must be distributed via HTTPS from distro X web infrastructure, preferably a *different*, locked-down site from the one holding images.
18 • Poll (by Sondar on 2016-03-14 08:00:20 GMT from Europe)
Would be interesting to have a regional breakdown of answers to this week's poll. Is that possible? It used to be the case that most Brits built their own machines, the Americans and Euro-mainlanders nearly always bought built machines, with a mix of approaches in Australasia. But the worm has turned. Brits have suffered serious decline in education and motivation preferring to hug their mobiles, N Americans seem to have got the message that assembly only requires a screwdriver and the OS comes gratis! Psychology and self-confidence might be in the mix? We live in interesting times.
19 • reactos (by peer on 2016-03-14 08:59:46 GMT from Europe)
I do not want WINE on my pc to run windows applications. At the moment I have windows installed in Virtualbox. I use Garmin Mapsource for my (older) navigation system. It runs under windows and with some effort it could also run in WINE (but I never tried). For me Reactos could be a serious alternative for windows if I could run Mapsource in it. So I downloaded reactos and tried to install it in Virtualbox. It worked but the hardware wizard could not find two drivers just like the experience of Jesse. I tried to install the guest additions in Virtualbox. After rebooting I only got a black screen. After a fresh reinstall I tried to install Garmin Mapsource from an original cd. This also seemed to work but when I was asked to enter the unlock code the screen froze. Then I stopped with my short tryout. Probably it is possible to repair these problems but I have too little knowledge of reactos.
20 • @commenter #13 (by Peter Faasse on 2016-03-14 09:08:38 GMT from Europe)
To more or less paraphrase the needless rebuke..
When attempting to faithfully re-create the windows experience, we have -so far- managed to achieve:
- failure to install, check
- BSOD, check
- hard lockups at odd moments, check
- force users to hard-reset at odd moments, check
- incompatible and non-functional applications, check
- multitasking: crash and boot at the same time, check
+ add to this list as appropriate
Riiigghhttt...
Goals as of yet unachieved:
- virus infections (??)
- pulled-out hair caused by non-activations. Where *is* that 6 x 5 ASCII/HEX-code input field... Now that should not be hard to implement... ReactOS Genuine Advantage, anyone (??).
- frustrations caused by logical inconsistencies -for instance-:
  + 'keyboard failure: press F10 to continue' (that one is ooold..)
  + 'USB keyboard/mouse driver failed to load, can we attempt to reload them from the internet?', with a nice GUI 'OK/NO' button, but no functioning mouse/keyboard: Work in progress..
Reporting: we're well on our way to faithfully re-create the genuine windows experience / look & feel.
Other than that: agree with #15: Some folk are having fun building a 'Windows-From-Scratch'. They're not doing any harm that I can see. If their hobby makes any sense is not for me to judge.
@Jesse: Thanks for the review/warning... I'll not yet replace grandma's unsupported WinXP with this monstrosity.
Which brings me to another niche that ReactOS could -if/when actually usable- fill: There are those who have -sometimes at great trouble/investment- learned to more or less operate 'the old' windows. ReactOS could provide a safe haven against the sadistic streak @MS, and provide a place where the time/effort invested into learning how to operate MS-ish contraptions is not routinely nullified.
OT: I remember a www-post from a few years back when someone attempted (and failed..) to run Windows viruses on Wine... That is one test I'd enjoy seeing re-run on this ReactOS :-)
21 • Survey... (by Somewhat Reticent on 2016-03-14 09:19:53 GMT from North America)
When shopping for new hardware, my top priority is DIY support. One too many burns from monopolistic behavior, and real-world experience with support issues. My second priority is Freed software support. It's liberating, and avoids early obsolescence. Think Linux, ThinkPenguin.
I support what supports me.
Isn't ReactOS an academic project, whose main purpose is giving students experience in system development? (I don't recall any rocketry involvement. How's the Hurd coming along?) Perhaps a vulnerable/unsafe system should be confined to VM/jail?
22 • Educated users and Poll (by Stan on 2016-03-14 09:27:47 GMT from Europe)
I totally agree with Jesse about the lack of user education, one thing that was not mentioned in any of the news was that even the compromised ISO did NOT pass the built-in checksum option in the ISO boot menu.
Yes you read it right, the compromised ISO has a big flaw that any educated user will spot it right away.
Regarding the poll, it is a great insight so Distrowatch readers not only follow up on Linux but we also tend to build our own machines from the ground up. :)
23 • gpg keys (by Rufovillosum on 2016-03-14 10:07:13 GMT from North America)
I totally agree with #9. Moreover, those newbies we're always hoping to entice away from Windows will have neither the knowledge nor the software to do this extensive checking -- not a good introduction to linux.
24 • @18 Poll and DIY (by Antony on 2016-03-14 10:28:58 GMT from Europe)
I am from England. I have only bought one pre-built computer (apart from 80's Home Computers). That was a Pentium 100 machine. Since (and even prior to) the P100, I have built my own.
I will always prefer to build/upgrade computers for myself.
25 • Done Building Hardware (by joncr on 2016-03-14 10:32:32 GMT from North America)
I've never bought a pre-installed Linux system. I've built several and bought several with Windows pre-installs that were moved to Linux first thing.
For my purposes, though, I don't see the need of building any more boxes, or buying some beige or black box. Nothing I do, or expect to do, pushes the performance envelope. So, the next move is going to be to some small thing like an Intel NUC.
26 • @24 - Still education is missing (by Stan on 2016-03-14 10:36:14 GMT from Europe)
The point from #9 is to make it easier...
Unless the distribution maintainers, somehow, make the ISO verification a mandatory step, the user education will be always needed.
It does not matter how easy you make the ISO verification, what matters is the user must know that verifying the ISO is a crucial step for them to maintain good security.
They don't learn about ISO verification because they usually purchase proprietary OS that most of the time are pre-installed and such verification steps are non-existent from the platform that they are coming from.
The "problem" comes from how FOSS is distributed, there isn't a central of authority where everyone just go there and download the bits, thus is important to new users to know how this new ecosystem works, why they should verify and how can they verify (and of course make it easier for them).
This is like the chicken & egg discussion. :)
27 • computer (by greg on 2016-03-14 11:05:01 GMT from Europe)
desktops I prefer to assemble myself. although lately I do not have time to fight the components, so the next one will likely be preassembled with some OS installed (more than likely windows - depends where they are going...). laptops - we got a SUSE Linux preloaded HP laptop. the plan was to replace SUSE with OpenSUSE which didn't work so well (many hardware things didn't work as they should). we ended up putting Kubuntu on it. at the time it was done to save some money on the OS. We will see what will happen next with this Linux install (AMD drivers will now lose support). If hardware support becomes an issue we might have to move to Windows. although Linux needs less maintenance and there is a reduced threat from viruses.
28 • ReactOS and life (by Andy Mender on 2016-03-14 11:23:02 GMT from Europe)
I'm not sure why the accumulated hate towards ReactOS. It's an open-source project and no one is forcing anyone to actually use it. For sure it's not ready to become a Windows alternative anytime soon, but it shows that combining sane GNU/Linux solutions (package management, etc.) and a Windows NT core makes sense to some extent. If it were to be safer than Windows, yet still let me play my old games that hate WINE, I would be all for it!
In terms of GNU/Linux pre-installed, I normally buy older laptops with solid components like Thinkpads or Dells (Latitude series, for instance) without an operating system, but I enjoy building rigs from scratch the most. AMD or Intel for both CPU and GPU, though since I don't game so much anymore, iGPU is fully sufficient ;).
29 • gpg keys (by frodopogo on 2016-03-14 11:24:04 GMT from North America)
@9 (mroot) From my point of view, you've got it exactly right. Only I'm frustrated because I'm not exactly a noob. My sister whose laptop I'd like to install Linux Mint Cinnamon 17.3 on, says she thinks I'm a real computer geek. ;= )
But I don't read "do" Terminal, at least not more than one command at a time, and while I'm thankful for Jesse's VERY timely attempt at explanation, that article was WAY over my head. I think I'll just use my 17.1 disk and upgrade it.
In the olden daze when I had an XP partition, I had downloaded a small Windows add-on to check ISO checksums. And I do believe Mint 9 Isadora had an md5 tester built into the file manager menu.
30 • ReactOS, poll. (by Jeffrey Rollin on 2016-03-14 12:32:00 GMT from Europe)
Firstly, re: ReactOS. It's disappointing that ReactOS (and Haiku, whilst we're on the subject) have not been able to make as much progress as we (that is, alternative OS fans) hoped they would; however, there are (at least) two reasons why they haven't been able to get as far as Linux. Firstly, unlike Linux, they're trying to recreate closed, proprietary, often undocumented or poorly-documented targets, which in the case of Windows (and hardware) is a moving target, whereas the UNIX API is well-known and standardised. (Even Linux has extensions, but in that case the extensions are still developed out in the open). Secondly, everybody (including Microsoft!) who is involved in professional OS development (and still many hobbyists besides) is improving Linux, whereas ReactOS and Haiku seem to lack critical mass. From experience with recent versions of the BSD's, it seems like compared to where they were in the early 2000s, they are falling behind, too, at least on the desktop side. ReactOS and Haiku deserve credit for getting this far.
With regards to the poll, the last machine I bought was a Lenovo ThinkPad with Windows 8.1 preinstalled. I'm in the UK, and at the time, Entroware were not getting very good reviews. However, since then, they seem to have improved considerably, to the point where they could become the British System76. If they release a 17" laptop (and it's good), I'll definitely consider them next time.
31 • @20 Comment by Peter Faasse (by Ned on 2016-03-14 12:38:54 GMT from Europe)
Great Answer - keep on having fun with your project!
32 • ReactOS, poll (by Paraquat on 2016-03-14 12:45:09 GMT from Asia)
There was a time when I had a bunch of Windows apps and really wanted ReactOS. But it was never ready when I needed it, and from this week's review, is still not usable. By now, I've found substitute programs for all my needs, so the ability to run Windows' apps is no longer terribly interesting to me. I actually don't even have any Windows apps.
Too bad - ReactOS was a good idea back in the 1990s. But now Windows is no longer the dominant operating system anyway - Android actually boasts more users. At one time you had all kinds of websites claiming "best viewed by Microsoft Windows" but that is fast becoming ancient history. Windows may still dominate desktop systems, but a whole new generation is growing up without needing Microsoft for anything. To which I can only say, "good riddance."
Poll - my desktop system came with FreeDOS installed. Quite a few computer manufacturers do that on their cheapest models, just so you can see that the machine will boot OK. No one actually expects you to stick with using FreeDOS, and it's assumed you'll be installing Linux, the BSDs, possibly even Android-86. I prefer not having Windows pre-installed even if it's supposedly "free," because the machine might have "secure boot" enabled, which locks you into Windows unless you can disable it or find a workaround. As I see it, secure boot was Microsoft's last desperate attempt to hold off the competition, but hoping to pass this off as "protecting" us.
33 • pre installed (by Bonky on 2016-03-14 13:01:30 GMT from North America)
I travel a lot and have seen pre installed Linux machines for sale in 3rd world countries more than in anywhere else though still not a lot... What I did find out was that most "repair" shops have no one conversant with Linux.. some know the name most quote "Ubuntu"...but mentioning Debian Gentoo Arch etc just draws blank gazes .... many of these type of places it's easier to install and run a pirated windows 7..or even XP or Vista (not joking) even bigger businesses have been seen running them and probably Govt offices... though I recently spotted Open Suse ( maybe just wallpaper) on a large building supply company's computers. I digress....what I'm getting at is that having a pre installed linux may sound good as it may be cheaper..and attractive for that ..if someone messes it up that isn't linux conversant..they will have issues getting it sorted and will soon re install a trusty XP !!!
I followed ReactOS for a while many years ago when I needed a lot more Windows programs it seems my needs have diminished greatly in 15 + yrs !!!!! I don't see me needing to keep checking and trying it any more probably due to Wine not working for most of the things either..I hope they eventually succeed..though windows will have changed a lot before they finish I fear and won't be compatible for much..
34 • Verifying signatures (by Jesse on 2016-03-14 13:59:16 GMT from North America)
@17: "Using a public keyserver to fetch the public key needed to verify a file is equivalent to ask the signer of a check if the signature is genuine. Nothing prevents you to generate a key, with a fake "distro X release manager" identity, and upload to a key server."
That is not accurate. Public keys are typically signed by people who know or who work with the person who published the key. This creates a web of trust and most developers will have their key signed by multiple other developers. For example, if I check the Linux Mint key from the example in my article, I can see Clem's key is nearly seven years old and has been signed by Tobias Loose and Corey Sheldon of the Fedora Project, among others.
An attacker would not only need to create a false key, but would also have to make sure it was old enough and had been signed by enough developers to create a fake paper trail of trust. The attacker would then need to get the key up on multiple key servers, sign their fake checksum file, break into the project's web server and put the fake files in place without anyone noticing what they were doing.
35 • Buying computer with Linux pre-installed (by Tim on 2016-03-14 14:00:15 GMT from North America)
I bought my last computer in 2011. I ordered it from a custom system builder (one of the big ones, but I will not name them). One of the options was "No OS installed". I selected that, but it came with Windows7 installed, anyway. :(
To make matters worse, when I was trying to install Linux, I had some hardware issues and questions. When I contacted the PC builder's tech support, I was informed that they only supported systems with Windows.
So, to say the least, I will never order anything from that company, again. The reason I chose them in the first place was their very wide selection of components, which allowed me to specify my dream hardware for my system.
36 • @34 - PKI "Web Of Trust" (by Pearson on 2016-03-14 14:14:03 GMT from North America)
Thanks for the additional info, Jesse. Those steps are a bit ... cumbersome for some of the average user. Being time consuming, it is very easy (and tempting!) to skip them if you're in a hurry.
It would be nice if there were a trusted host or app that could do those in one step -- point to a download URL, choose the .iso, sha, and key and let it do all the work for you. To save time, the sha could be verified before even downloading the iso. It could even determine the "trustworthiness" of the key using methods you described -- age, number of signatures, authority of the signatures, etc.
37 • Checksums etc (by albinard on 2016-03-14 15:08:02 GMT from North America)
If you want to do the Full Jesse check, it would be wise to do the sha256sum check first, because it's quick and easy. In the real world, it is more likely that a download is corrupted than that someone has created a fake ISO.
38 • @34 verifying signatures (by g1 on 2016-03-14 16:08:26 GMT from Europe)
I was trying to point out that in the sentence "It looks like this key belongs to Clement Lefebvre of the Linux Mint team." the words "looks like" should probably be emphasized, because a name seen in the label of a key fetched from a keyserver has no or very little value to determine identity. Users who don't happen to know some trusted keys to bootstrap the chain of trust have no way to verify identities. Which is exactly what HTTPS was invented and is routinely used for (however flawed is the current certificate infrastructure).
"For example, if I check the Linux Mint key from the example in my article, I can see Clem's key is nearly seven years old and has been signed by Tobias Loose and Corey Sheldon of the Fedora Project, among others."
A tamperer might create (in a matter of minutes) different keys, with various dates, and names Jesse Smith, Clement Lefebvre, Mark Shuttleworth, Linus Torvalds, Bill Gates, Jeff Bezos, Barack Obama, cross sign them, and upload all of them to a keyserver, and then...
39 • Verifying signatures (by Jesse on 2016-03-14 16:41:12 GMT from North America)
@38: This is why webs of trust and proper use of keys are important. If people are properly using, collecting and verifying keys your suggested attack does not work because the attacker's keys will not match the known keys of those individuals.
If someone else makes up a fake key with my name/e-mail address, everyone I communicate with knows the attacker's key is fake because they already have my real key. Therefore any key signed with the fake Jesse's key is suspect.
Were someone to upload a fake Linus Torvalds or Clem Lefebvre key it would become clear quickly because those keys (and the fake accounts that signed them) would not match the known keys already in circulation.
40 • GPG, ReactOS (by Justin on 2016-03-14 16:51:32 GMT from North America)
@17, 34, 38: I agree that at some point, you just have to trust (like Aristotle said, at some point, you have to accept something as fact in order to build a logical argument; you can't doubt everything and expect to make any progress). Part of the point seems to be, the more steps involved, the harder it should be to copy. It can't ever be truly impossible because the legitimate users need to be able to do this work.
I also agree with the point that the primer probably should have pointed out you can go to the MIT website, search for, and click on the key. I didn't know that until the comments implied it (btw, you can do it over HTTPS). Perhaps it's coincidence, but a new Corey Sheldon key appeared today (3/14/16) and signed the Linux Mint key. I have other thoughts, but I'd rather not educate potential attackers. We also probably do need a GUI tool or some way of linking these together. The counter argument is, if you're going to do an install, that probably isn't very often, so you might be expected to go through these steps if you are concerned about such things. The problem is people who are so concerned are not the likely targets anyway as others have pointed out.
Finally, @Jesse, thanks so much for the ReactOS review! I appreciate your thoroughness. I've been following this project for 10 years, always hoping. It might have been worth mentioning in the review that this is alpha software (yes, everyone, ALPHA, which means stuff probably doesn't work because it's not all there yet).
The project deserves much more credit than it's getting in the comments. Perhaps people don't realize that Minix and Linux are open-source clones of UNIX. Our shared ecosystem came from people doing exactly what ReactOS is doing. Stuff just takes time, especially if you don't have a lot of developers or documentation. Look how long FreeDOS took! People also forget that mid-project they switched to being NT-based. There have been a few restarts in their history, so it's unfair to say after 20 years they have nothing. Besides, they owe us nothing. I think several haters were disappointed and hurt when ReactOS failed to deliver its promise in their personal timeframes.
41 • Fake LM Keys (by Jake on 2016-03-14 16:54:53 GMT from North America)
FYI, people are already trying fake keys. This one just appeared: pub 1024R/4434C4D1 2016-03-14 ClemL <root@linuxmint.com>
Is there a way for these to be taken down?
42 • Checksum (by DC on 2016-03-14 17:06:49 GMT from North America)
Why couldn't hackers just upload a checksum that matched the fake iso, if website was already compromised?
43 • ReactOS is exactly like Windows 95 (by Poet Nohit on 2016-03-14 17:24:06 GMT from North America)
Seems like it faithfully recreates the experience of running Windows to me. Any time I tried to run Windows (anything other than XP sp3) on a box that wasn't already preloaded, it would inevitably blue screen all the damn time.
44 • @42 Checksum (by Pearson on 2016-03-14 17:33:51 GMT from North America)
Your concern is valid. Much of Jesse's howto describes how to verify that the checksum is valid, based on the digital signature of the checksum file. The purpose of the digital signature is to be "cryptographically secure", meaning that the signature is a fingerprint of *that* file with *that* private key. In this case, *that* file is the file containing the sha256 "checksum" of the iso image. If someone uploads a new checksum file, the signature will no longer validate, which makes the entire thing questionable and/or suspicious.
45 • gpg --keyserver pgp.mit.edu --recv-keys (by Pearson on 2016-03-14 17:38:15 GMT from North America)
My question is about this step of Jesse's process. What kind of vetting is done to ensure that the keys on pgp.mit.edu aren't attempts to deceive? How can I know that the results are good? I hesitate to rely on "it's a few years old" and "the name looks official", especially since I don't recognize many of the names. I'm pretty geeky, and I barely recognize Clement's full name since he's usually just "Clem".
46 • ReactOS is ALPHA (by JB on 2016-03-14 18:03:18 GMT from North America)
@40 - thank you for mentioning what I thought would have been fairly obvious (if anyone had bothered to check) - ReactOS is in ALPHA stage!
Quite frankly, I fail to see the usefulness of reviewing something in ALPHA stage, at least reviewing it in the same manner as something that is a finished product, and then failing to mention that it is in ALPHA stage. Are BETA versions of Ubuntu ever reviewed here?
It is also worth noting that, a few years back, the project was the victim of some malicious behavior by a disgruntled volunteer, who alleged (later proven untrue, but at the cost of great time and expense) that they had based some of their work on actual Windows code. This could explain in part why the progress is so slow. Of course, someone has already mentioned that the project is trying to duplicate something that isn't exactly free and available in the wild.
Finally, the comments by Pauli @13 were very unhelpful, to say the least!
47 • Poll (by a on 2016-03-14 18:19:36 GMT from Europe)
I build my desktop systems. I enjoy it and it lets me pick exactly what I need and make very quiet computers.
For laptops, of course they cannot be self-built easily so the two I’ve had had Windows preinstalled (one new, one second hand, so I paid for only one Windows licence! :p). But nowadays it’s easier to find OS-free or even Linux laptops so if I had to buy a new one I’d look at that. Even if they are more expensive than the ones with Windows preinstalled, for some strange reason…
48 • @45 PKI (by g1 on 2016-03-14 18:38:27 GMT from Europe)
No vetting, except for the checks that you perform yourself based on signatures by other people and (more often than not) intuition. Can you guess the right key at http://pgp.mit.edu/pks/lookup?search=linus+torvalds&op=index ?
Names can be faked. Key creation dates can be faked. And it's alright: keyservers are for key distribution, not authentication.
You don't automatically trust a piece of information just because you "found it on the internet". You don't automatically trust a public key just because you received it from a keyserver.
IMHO, having all distros publish their software signing keys via HTTPS on a separate, secure and widely publicized site (perhaps mirrored on https://distrowatch.com :-), or across distros) would be a good step towards resolving the chicken-and-egg problem that the web of trust is for users.
49 • Microsoft (by gekxxx on 2016-03-14 19:08:04 GMT from Europe)
Seeing Microsoft as "the enemy" seems a discussion of 20 yrs ago. I do not use Linux coz Microsoft is the enemy. I use currently Linux Mint as I find Linux Mint a better OS than Windows 10.
50 • 28 • ReactOS (by Kragle von Schnitzelbank on 2016-03-14 19:40:55 GMT from North America)
"accumulated hate" reveals a normal reaction to repeatedly promising to service a passionate desire, like the one people have for an alternative to a robust but aggravating fairly-monopolized market. A typically amoral sociopathic corporation (only people and angels can be evil, but that's another topic) fostered the growth of a robust partly-free market which many people found valuable, and many of these people would love more competition in that market, especially as the current monopoly locks it down ever tighter (though not as tightly as Android was from the start). If ReactOS had never been advertised with marketing hype implying it would satisfy that desire, there would be no accumulated reaction to repeated frustration. Vast market opportunity, motivated community, powerful corporate monopoly - I'd anticipate effective devious sabotage, like a project in perpetual alpha stage advertising ... .
51 • My wife paid the windows tax. (by Arkanabar on 2016-03-14 22:00:02 GMT from North America)
Alas, my computers are Dells my wife bought with Win7 preinstalled. I will not upgrade to any later versions. It is to be hoped that the healthcare field will start investing in software certification (e.g. Meaningful Use) for FLOSS EMRs and practice management software by the time Win7 no longer gets security updates. In the meantime, I have PCLOS on my desktop and lappy. I'll probably add Matebunty 16.04 to the desktop when it comes out.
Most of our mid-towers we construct ourselves. Mine (a Dell) is the exception. When I get one of theirs, I generally wipe and install some suitable Linux distro.
@13: The whole point of FLOSS is that people can do what they like. ReactOS may be an entirely quixotic quest to provide a Better Windows XP, but I'm more than willing to let them do it.
52 • Signing Games (by Arch Watcher 402563 on 2016-03-14 22:27:34 GMT from North America)
@2 Jesse - So the Mint attack was just MITM I guess, or a plain old web hack.
@2 Jesse, @14 Pearson - A checksum is traditionally a single byte or word in a network communication packet. What we're calling a checksum is really a hash value.
The security of a hash comes out of length and collision metrics. Hash breaches hit the news all the time. http://arstechnica.com/security/2016/01/fatally-weak-md5-function-torpedoes-crypto-protections-in-https-and-ipsec/ https://en.wikipedia.org/wiki/Collision_attack
@37 albinard - Agreed; I view hashes as a way to verify download integrity, not file authorship.
A MITM or hack attack can show arbitrary hashes or duplicate OEM hashes. What a MITM attack CANNOT do is sign the ISO file properly, even its own pirate ISO. It's more secure and no extra work to sign the actual ISO.
As noted by others, the real problem is that victims don't even check sigs at all, because the task is technical. On that subject:
@9 mroot, @23 Rufovillosum, @29 frodopogo - Browser devs ought to compile GnuPG into their browsers for webmail and ISO validation and other purposes. Most folks fetch ISOs via web browser.
@17 g1, @26 Stan - Browser-based GnuPG could easily handle key distribution security. As well as the JavaScript code download security problem, btw. I have no idea why dimwits at IE, Mozilla, Chrome, Konqueror, Midori, Opera, Palemoon, and Safari aren't doing it. How hard can it be to drop GnuPG source into a browser source tree with a thin JavaScript API, or even just a braindead, single-purpose, "verify download with signature" dialog?
@48 g1 (again) - It's an excellent idea for Distrowatch to host keys and/or fingerprints under its own https certificate security.
Also, I advocate distros package keys from other distros, FOSS projects, Linux Foundation, EFF, etc. In the Arch Linux User Repo (AUR) it's common for a package to fail over missing keys. Arch has no mechanism to handle this failure but manual keyfetch in GnuPG (or pacman-keys). Package managers (pacman etc.) need more smarts on keys. Distros should package them officially, too. Then you have a simple package dependency, easily encoded. That moves the trust/verify problems to the distro maintainers, who know what they are doing, unlike Grandma and Bubba.
53 • @ 37 Checksum (by JZ on 2016-03-14 23:23:06 GMT from Europe)
I fully agree and would like to add that according to recent security findings, md5sum is not really safe, as it can be relatively easily forged by someone with average computer skills and hardware. Same is basically true for sha1sum. The safer option is sha256sum and sha512sum. To forge those, one has to be a rather resourceful institution.
AN EASY GUIDE:
1. Open your file manager in the folder where your downloaded file is
2. Right click and choose "Open terminal here"
3. Type: sha256sum nameofyourfile
4. Compare the numbers in terminal with those on the download website
54 • Debian, Iceweasel and Firefox. (by Kubelik on 2016-03-15 00:39:00 GMT from Europe)
@6 and 11. Some extra links:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354622
https://www.debian.org/social_contract#guidelines
http://lwn.net/Articles/118268/
http://www.heise.de/open/artikel/Debian-vs-Mozilla-oder-Namen-sind-Schall-und-Rauch-221989.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815006
https://twitter.com/sylvestreledru
https://glandium.org/blog/?p=3622
https://lwn.net/Articles/676799/
http://www.heise.de/open/meldung/Debian-gibt-Webbrowser-Iceweasel-auf-und-setzt-wieder-auf-Firefox-3132680.html
55 • Pre-Installed Linux (by Michael on 2016-03-15 01:05:33 GMT from Oceania)
In Australia, impossible to buy a bare bones laptop. There are companies that will remove Windows and install Linux for you but it adds to the cost. I believe in France the seller must remove/disable Windows if requested and reduce the price by the Windows cost. For now I stick to self built desktop.
56 • survey (by tux on 2016-03-15 01:52:45 GMT from Europe)
It used to be a pleasure to build our own boxes, say 5-10 years ago. There were plenty of specialized sites in the net, with news, reviews, comparisons, benchmarking, how to's.... Most are discontinued, the survivors are more busy today on reviewing brain less smart phones than proper PC components, peripherals. That's too sad and reducer!
57 • Verifying ISO Images (by kenneth on 2016-03-15 04:33:09 GMT from North America)
I'm not exactly familiar with all that was compromised (Mint), but if the attacker gained control of the server, uploaded their ISO--would they not also upload their own md5, sha sums? If the server was compromised https is not going to save an end user either...
Hopefully they have straightened up and gotten some help beefing up security.
58 • ReactOS_test_and_review_by_DWW_Jesse (by k on 2016-03-15 07:12:30 GMT from North America)
Cannot thank enough for such a full and fair test and review, on laptop and desktop no less. Really happy to have this information technology expert resource and forum for users' comments and feedback.
59 • Pre installed linux (by Platypus on 2016-03-15 08:04:26 GMT from Oceania)
Haven't bought one because I don't know where to get one in Australia.
60 • difficulty getting started with ReactOS on modern computer (by Thomas Mueller on 2016-03-15 08:18:12 GMT from North America)
I've looked into ReactOS and am even on their emailing lists, but hard drive partitioned with GPT leaves me nowhere to install ReactOS considering inability to boot from USB. I might be able to cross-compile ReactOS, or I could try and hope, but having to burn a CD for every update is wasteful, and from what I read, I can not install ReactOS directly from the cross-build framework. If I really wanted, I suppose I could buy a cheap old hard drive just for ReactOS (FreeDOS too?) and even add a (Linux) ext2fs partition, which ReactOS can now read and write according to my latest reading; use that partition just for ReactOS to rebuild and update itself, but then I would want to install directly without burning a CD every time. But I guess there's more than enough to keep me busy between Linux, FreeBSD, NetBSD and Haiku.
61 • Poll (by Marco on 2016-03-15 15:25:37 GMT from North America)
In the USA anyway, the Windows tax is generally negative on consumer-grade laptops, so I buy them with Windows pre-installed.
62 • Checksum lazyness vs good old hover (by far2fish on 2016-03-15 18:52:29 GMT from Europe)
Frankly I am too lazy to test checksums, and if I do I never go beyond checking the checksum of the ISO vs the published checksum info. I would never take the extra step to validate against the public key signature.
However one important step that I always do when downloading something, is to let the mouse hover over the link for a bit so I am absolutely sure WHERE I download something wrong. Would the link point to another domain or an IP address I would think twice before clicking the link. Perhaps run the domain or IP through whois first.
63 • Negative Windows tax (by dbrion on 2016-03-15 19:34:35 GMT from Europe)
Ordissimo (a pre configured PC with Debian: has success in France) is more expensive than its Windows same set of hardware. I once bought a preconfigured "net" "book", a MSI wind and was very unsatisfied (recompiled everything); I am afraid it was not a commercial success (people do not dare to have anything they need recompiled)... and, except for RPis -they are not PCs-, one cannot find preconfigured linux desktop "gears"
64 • @26 (by NoBubbaEffect on 2016-03-15 19:46:27 GMT from North America)
I agree. The section that has the downloads for the ISOs, should have in big bold letters, that verifying the ISO for safety and security is strongly suggested. Then list in easy to understand steps how to verify and if failure occurs destroy ISO and post response to the issue.
Thanks for the checksum info and the good review, Jesse.
65 • why bother with preconfigured systems? (by dave on 2016-03-15 23:39:22 GMT from North America)
The best thing about linux is that you get the best experience by configuring your system yourself. Paying some idiot to do it their way instead of your way seems like a backwards idea.. especially when it always ends up costing more than a computer with windows pre-installed.
And I haven't encountered hardware incompatibilities with Linux since using old P4 systems. It's a thing of the past. I don't know where you guys are digging up all these machines that are missing drivers and what not.
Oh and rule #1 of not being a computer shyster is that if you can't make enough money off the components, you're doing it wrong. Installing the average distro takes like no time at all, compared with the building process. If you're charging extra for installing the OS after all that, you're a rip-off artist.
You want me to install linux on your existing computer? Fine. Small labor fee for the time unless I feel like doing it for free, which I often will. You want to buy a computer with linux preinstalled? Most if not all of the profit should come from the components. Charging for both is pushing it, big time.
The la-dee-da 'boutique' computer hustlers who typically pull this crap make me sick. Besides, it's not like using Linux is such a great blow against the power structure. Linux is just as much a part of the problem as Windows and OSX.
It's just so ridiculous the way so many of you act like you're somehow sticking it to The Man by using Linux. What a joke.
66 • @65 - why bother? (by Hoos on 2016-03-16 04:20:11 GMT from Asia)
As a matter of principle, would you not prefer if possible to get an OS-less system if you don't use Windows at all? In such an instance, why would you want to add to Microsoft's and the OEM's statistics as another Windows purchaser? That just helps paint an inaccurate picture. Note that I'm not talking about those who need Windows on their computer.
Unfortunately it is not so easy to get an OS-less laptop where I am. In those situations, if one is willing to put one's money where one's mouth is, perhaps it is better to get a laptop with pre-installed Linux than get a Windows one which you're going to wipe anyway. Perhaps it's a little more expensive without MS's economies of scale and the discounts they can offer OEM, but some might think it's worth it for a good cause.
67 • @13 (by Keith on 2016-03-16 13:02:28 GMT from Asia)
Pauli
Looks to me like they've done a good job of perfectly emulating that other OS. BSOD, Out Of Memory for no reason, doesn't run apps as expected. How much closer could it be to the real thing?
:D
68 • @9 reaction to verifying iso checksum (by hwms on 2016-03-16 13:29:32 GMT from North America)
Your comments were spot on for myself. At my age and limited computer expertise, I have trouble remembering how to get my deductible transactions out of Gnucash once a year. I also have trouble remembering any command line beyond the very simplest ones. Man pages are nearly useless to the average home computer user.
69 • Computer with Linux pre-installed (by Pablo saborio on 2016-03-16 15:34:44 GMT from North America)
I recently bought a System76 Laptop with Ubuntu pre-installed. Service and performance are really good.
70 • ReactOS review (by Randy Thompson on 2016-03-16 16:14:26 GMT from North America)
React is still an alpha release. Nowhere in your review did you mention this. I remember playing with React before it had half of the things it does in the 0.4.0 release, wireless capability for instance. Before people get the wrong idea, it is not meant for production consumption quite yet.
71 • Buying a computer (by Scatershot on 2016-03-16 16:19:45 GMT from North America)
It's hard to buy a computer with Linux preinstalled especially if you buy them from a big box store. Some stores only offer Windows systems and then charge you to remove Windows! I looked at systems being sold that have Linux preinstalled and they just didn't fit my needs. So I mostly buy older used systems on Craig's List and tweak them to what I need then keep them running for 6+ years saving money. A big reason I use Linux is the ability to keep older systems running longer which helps keeps them out of the landfill. Just my two cents...
72 • ReactOS status (by Jesse on 2016-03-16 16:23:02 GMT from North America)
Several people have pointed out that ReactOS is shipped under an Alpha label. Which is true. But at this point I really have to question whether that is worth mentioning. The ReactOS project is around 20 years old at this point. By now I think we need to acknowledge the alpha label does not mean the same thing with regards to ReactOS as it does to most Linux distributions. This 0.4.0 version is not an early test release, this is the cumulation of 20 years of work. ReactOS will probably never drop the Alpha label, which makes it somewhat meaningless. If every release is an alpha release, then the label loses its meaning.
73 • Re: Buying a computer (by Andy Mender on 2016-03-16 17:51:13 GMT from Europe)
@71,
I think it's an important 2 cents. When I recently looked through business-oriented desktops (standard 4 GB RAM, Intel iGPU, etc.), I noticed my old 6-7-year-old PC has the same parameters as the current 2-core Pentium PCs. Naturally, power-consumption and heat emission is higher, but thanks to GNU/Linux, my computing experience is great ;).
I think the role of GNU/Linux in keeping computers running should not be underestimated!
74 • Thanks slick (#11) (by Dr. David Johnson on 2016-03-17 01:19:24 GMT from North America)
Just wanted to thank slick for the link in post #11. Good to keep learning about Linux, especially Debian (my fav). Y'all keep learning, and using cool free software. Thanks to distrowatch for good resources.
75 • Debian Distros (by slick on 2016-03-17 08:35:05 GMT from North America)
@74 Dr. David Johnson: Debian is a great choice, Linux as whole is a learning experience that is quite rewarding.
DW is a great place for many resources, use it often.
I listed a couple of Debian distros on Sourceforge you may like to try, lightweight and quite fast.
Star - Debian and Devuan fork
ZephyrLinux - Debian and Devuan fork
VSIDO - Debian sid (unstable)
76 • PC Linux OS 2016.03 (by Bobbie Sellers on 2016-03-17 14:51:07 GMT from North America)
Reading the other day and spotted this in your "Development, unannounced and minor bug-fix releases" note, in the current issue. Downloaded 3 versions and checked them out, maybe a little rough yet but I got PCLOS64-KDE-2016.03 installed to my notebook and once I got the kinks straightened out it boots up fine from my Mageia 5 Grub2. The UEFI support works fine. Mate Deluxe version looks fine but could not get to a desktop with the Full Monty version.
PCLOS was the first fork of Mandriva which I used. Just a draktools addict I guess.
bliss
77 • ReactOS "alpha" (by Jordan on 2016-03-17 21:57:35 GMT from North America)
@72. Yeah it's called "the ReactOS project" at their website. An ongoing project.
I have no fascination for that project, but I do find it interesting that many aspects of that one in particular are similar to most other linux distros. We could call Debian a "project," in that sense. Slackware, Arch as well. They're not alphas or betas at certain points in their development, but they are ongoing projects.
78 • Review too harsh React OS (by Steven Shannon on 2016-03-17 22:02:52 GMT from North America)
React OS is in an ALPHA state, and thus is not fair to come to the conclusion that the system is not suitable for most situations. That is what Alpha means. It's not even in Beta state yet. How can one come to the conclusion that a piece of software is not suitable for in most situations? Of course it isn't. The react Web page says as much. When one reviews a piece of software it should be done in context of its current state of development, and its current state of development must be stated in the review.
I am not saying that your review is not spot on, because I have run into the same issues on my own test install, but rather than tell people that the software isn't suitable in most situations, you need let them know why. Because you are testing something that is in an alpha state.
79 • Alpha status (by Jesse on 2016-03-18 00:00:03 GMT from North America)
@78: "rather than tell people that the software isn't suitable in most situations, you need let them know why."
I did explain why, and it's not because ReactOS carries the alpha label, it's because many of its features do not work yet. There are plenty of projects out there that are designated "alpha" that work just fine. Others are labeled "stable" and do not work. In the end, the label does not define behaviour.
80 • @78 Alpha state? (by Spacex on 2016-03-18 00:09:16 GMT from Europe)
Alpha state can not be used about a release, unless it sometimes is in a different state. But my major issue is that there is no need for the project at all, as there is no need to use Windows apps in Linux anymore.
Besides Gaming of course. But GB comes cheap these days. Anyone can afford a partition for Windows, so that they get to play their favorite Windows games. Nothing wrong with a good old-fashioned dual-boot, or even multi-boot :P
81 • Tails_Firefox_addon_to_automatically_verify_ISO (by k on 2016-03-18 10:23:23 GMT from Europe)
@ comment 9 • gpg keys by mroot
Firstly, quite agree with your honest and accurate appraisal of users' limited technical abilities and inclination.
Regarding your most salient question "why can't we have something similar for gpg keys?"
I used Tails excellent -- as usual -- tools and instructions to download and install Tails 2.0 over 1.82, and as described at https://tails.boum.org/news/version_2.0/index.en.html#index3h1 : "can now verify the ISO image automatically from Firefox using a special add-on" However, the developers included "If you are knowledgeable about OpenPGP, you can do additional verification using the OpenPGP signature." :)
Anyway, the automatic "worked" exactly as described, all persistent data intact, so I was "satisfied", despite not knowing enough about technicals of web of trust, keyrings and keys for ISO verification. So Jesse's tips and tricks in this DWW very helpful, much thanks.
82 • Alpha status (by Antony on 2016-03-18 11:29:53 GMT from Europe)
@79 Jesse said: "There are plenty of projects out there that are designated "alpha" that work just fine. Others are labeled "stable" and do not work. In the end, the label does not define behaviour."
Very well put. 'Nuff said, I reckon.
83 • PGP keys (by concerned on 2016-03-18 16:49:47 GMT from North America)
I have to agree with g1 @17 and similar comments. The web of trust is a great mechanism, -but- I have personally found it difficult (read: impossible) to get inserted into it via key signing or otherwise. Therefore, I have no starting point of trust on which to build my local trust database. Thus I eventually just have to assume that the keys I find either through websites or keyservers really belong to the people they say they do, even if I can't cryptographically "trust" the keys. I do not find it comforting that a key is "old enough" or "says" it belongs to anyone in particular. Perhaps, I'm too paranoid... ;)
That said, I always check both checksums and signatures before installing an OS or software I download outside of my distro's package manager... I at least make an effort to locate key fingerprints on the OS or package's website and check it against the fingerprint from the signature and keyservers. And then I cross my fingers that everyone's being honest with their keys.
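The check that comments 44, 53 and 83 describe, done in the order that matters: signature on the checksum file, signer fingerprint compared with one obtained out of band, then the ISO's hash. This is an added example, not part of any reader's comment or of Jesse's article; the function names are made up here, and the file names and expected fingerprint are whatever the user supplies.

```shell
#!/bin/sh
# Added example. Assumes gpg, awk and sha256sum are installed and that the
# signing key has already been imported into the local keyring.

# Upper-case a fingerprint and strip spaces, so "abcd 1234" == "ABCD1234".
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin and print the signer's primary-key
# fingerprint. VALIDSIG is emitted only for a cryptographically valid
# signature, but it also appears when the key or signature has expired or
# the key is revoked, so those statuses are rejected explicitly.
# Simplification: assumes the file carries a single signature.
signer_fingerprint() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "VALIDSIG" { fpr = ($12 != "") ? $12 : $3 }
         $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
         END { if (fpr == "" || bad) exit 1; print fpr }'
}

# Verify a detached signature and require that it was made by the key whose
# fingerprint the user obtained out of band (for example from the project's
# HTTPS site), not merely by some key that carries a plausible name.
# Usage: signed_by SIGFILE DATAFILE EXPECTED_FPR
signed_by() {
    expected=$(normalise_fpr "$3")
    actual=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
             | signer_fingerprint) || return 1
    [ "$(normalise_fpr "$actual")" = "$expected" ]
}

# Succeed only if FILE's SHA-256 equals the entry for its name in SUMS
# (sha256sum format: "<hex>  <name>" or "<hex> *<name>").
# File names containing spaces are not handled.
# Usage: hash_matches SUMS FILE
hash_matches() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 1          # no entry for this file: fail closed
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Full check. The signature comes first: a hash file that anyone with write
# access to the server could have replaced proves nothing on its own.
# Usage: verify_iso ISO SUMS SIG EXPECTED_FPR
verify_iso() {
    signed_by "$3" "$2" "$4" || { echo "signature check failed" >&2; return 1; }
    hash_matches "$2" "$1"   || { echo "hash mismatch" >&2; return 1; }
    echo "OK: $1"
}

# Run as a script only when all four arguments are given.
if [ "$#" -eq 4 ]; then verify_iso "$@"; fi
```

A key fetched from a keyserver under the right name but with a different fingerprint fails `signed_by`, which is the case comments 41 and 48 warn about.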
84 • linux os on pc`s (by greg on 2016-03-18 19:29:11 GMT from North America)
i build my own pc [ right now running oil submerger /with xubuntu ] i have build a pc installed mint and sent to an old army friend ,him and wife love it . sent one to mother in law with xubuntu installed . all the kids that come over think it is windows os of some type .
85 • Browser Baked Web of Trust (by Arch Watcher 402563 on 2016-03-18 21:31:24 GMT from North America)
@83 concerned - See my comments on GnuPG baked into web browsers above. What good is all this FOSS if devs don't use it? I'll elaborate.
Right now you trust SSL certs shipping in your web browser. Those form a web of trust up to root CAs. A browser dev can compile GnuPG into the app and do the same thing with OpenPGP keys: form a web of trust that YOU trust.
Most people get their browsers with the OS. And you trust whatever method you put it on your PC when you visit https sites. A malware browser is possible but quickly attacked by the many eyeballs involved. Compiling GnuPG into the browser makes it impossible to replace/subvert as an "extension" or "plugin." It also makes it fast.
So we could have the same deal for OpenPGP keys as SSL certs in almost no time if the browser devs would just do it.
86 • How low can you go? (by Ben Myers on 2016-03-18 22:17:51 GMT from North America)
I had good reason to test a relic from the past, an Intel SE440BX-2 motherboard with Slot 1 550MHz Pentium III processor, 512MB memory and an IDE hard drive. Somebody needed this ancient hardware for a custom system with an ISA bus widget on it.
I chose Mint 17.3 x86 with the MATE desktop, because I am pretty familiar with Mint, and I knew that MATE was pretty lightweight and would run OK with the 128MB AGP graphics card I exhumed, made just for Pentium III AGP slots.
The good news is that Mint installed on an old IDE drive and ran flawlessly. The bad news is that the system tried my patience because it ran so S-L-O-O-O-W-L-Y. I do not think it was Mint per se. Most any modern Linux kernel combined with a lightweight desktop will run about the same. Maybe XFCE would have been better? 550MHz is just too slow, 512MB is not much, and old 5400 rpm IDE drives crawl along these days. Maybe there is another full-featured distro that would run better, but I am through with my testing and I can now set up the system for its intended special purpose.
87 • @86 - better low-end distros (by Uncle Slacky on 2016-03-18 23:28:57 GMT from Europe)
I'd suggest Puppy, Slitaz, antiX or MX-15 (in decreasing order of speed) for such a system, personally. You'd find any of them MUCH faster than any Mint variant.
88 • @87 - If I was seriously considering using a 550MHz P3... (by Ben Myers on 2016-03-19 00:46:32 GMT from North America)
If I was seriously considering using a 550MHz P3 myself, I would surely look at low-end distros which were somewhat full featured. But this was only to test (somewhat quickly) all the hardware and to identify some limits of the hardware. Somebody else actually will buy this system to use for his own somewhat obsolete purpose, not with Mint.
Also, were I to use this system, I would add more memory and maybe one of these old kludge boards that allow a faster Socket 370 CPU to run in a Slot 1 motherboard.
Still, isn't it good to know that even mainstream Mint will install and run in an old antique?
89 • @65 Linux Hardware Support (by imnotrich on 2016-03-19 05:09:33 GMT from North America)
You wrote, "And I haven't encountered hardware incompatibilities with Linux since using old P4 systems. It's a thing of the past. I don't know where you guys are digging up all these machines that are missing drivers and what not."
Excuse me but on what planet? Hardware incompatibilities, missing drivers, open source drivers that don't work properly and related issues still plague Linux to this day.
Ok, so I don't expect some high end brand new bleeding edge piece of hardware that came out three weeks ago to be fully supported, but video cards have been around for a while. Same for sound cards, wired and wireless networking, printing stuff that most folks would consider basic functionality.
In fact some distros like Debian deliberately gut the OS's hardware capabilities and every release is full of bugs forcing users to spend weeks or months searching web forums and other resources for solutions or a work around or two. Or three.
When I was a Linux hobbyist I loved Debian because nothing worthwhile is easy, but now that I'm using my Linux desktop for work and play it has to function like a normal computer from the moment I turn it on, and until I shut it off that night. I don't have the time and energy to fight my computer.
Switched to Mint two years ago and it has some bugs too but hardware support is phenomenal. Still, some machines I still have to fight the hardware. And we're not talking about older PC's, I find most of the older machines are well supported even by those mini distros like Puppy. Why is it that Puppy can do things better than Debian? Weird.
90 • @89 Say What? (by mildlyinsane on 2016-03-19 22:58:01 GMT from North America)
//In fact some distros like Debian deliberately gut the OS's hardware capabilities\\
I would like someone to splain this if they may?
91 • preloaded computer (by jangkrik on 2016-03-19 23:34:59 GMT from Asia)
glad to see more people build their own pcs rather than buying ones that're preloaded with manufacturers crap
92 • 90 • 89 Hardware coverage (by FOSSilizing Dinosaur on 2016-03-20 01:06:18 GMT from North America)
"Main" distros often "deprecate" "obsolete" hardware accommodation, usually using "too much testing required" as a primary excuse and "saving ISO/server space" as a secondary excuse. And then there's code contributions from hardware vendors motivated to sell new products. ImNotRich@89 also may be thinking of a period after agents of Microsoft visited DebIan's founder, which resulted in about a decade of driver-compatibility setback. … Distros whose goals include accommodating "older" hardware work on considerably more variations with substantially less extra fiddling. One exemplar thereof would be PCLinuxOS in its prime, As.Far.As.I.Recall.
• There are tools for determining what hardware is in a particular computer. It would be nice to see accurate driver recommendations.
• Some efforts appear to be beginning to build databases of what hardware works to what degree with Linux (and BSD etc?); usually too little too late, but useful when checking used parts.
• For new parts, I prefer starting with vendors who support Freed Open-Source Software. If they provide DIY support, I support them - it's worthwhile in the long run.
93 • linux OS (by Ellis Essig on 2016-03-20 13:24:42 GMT from North America)
MintBox from Compulab. Works well.
Number of Comments: 93