DistroWatch Weekly |
DistroWatch Weekly, Issue 652, 14 March 2016 |
Welcome to this year's 11th issue of DistroWatch Weekly!
Open source software development, particularly in the Linux community, tends to feature many individual developers working on various projects without any central design or authority to direct effort. This development model gives us a great deal of variety, but it can also cause some problems when new technologies and older designs are brought together. This week in our News section we look at examples of distributions moving forward while continuing to use older technologies. We start with Fedora, a cutting edge distribution that is trying to replace the aging X display software with Wayland. We also look at Ubuntu's struggle to drop legacy versions of the Python programming language. Plus we talk about Debian replacing Iceweasel with Firefox and feature a status report from the strictly libre Trisquel GNU/Linux distribution. Our Feature Story this week looks at ReactOS, an open source implementation of Windows. In our Tips and Tricks column we discuss how to verify that an installation ISO image has not been compromised using checksums and signatures. Then we share the torrents we are seeding and provide a list of the distributions released last week. In our Opinion Poll we ask whether our readers buy computers with Linux pre-installed. We wish you all a wonderful week and happy reading!
|
Feature Story (by Jesse Smith) |
ReactOS 0.4.0
Many people in the open source community see Microsoft's Windows operating system as an enemy, or at least an unwelcome competitor. Still, the fact remains many people find being able to run Windows applications useful, sometimes even necessary for one reason or another.
ReactOS is an open source operating system which seeks to re-implement the design and technology of Microsoft Windows. Written from scratch, without using any code from Windows, ReactOS uses its own implementation of the NT kernel and cooperates with the WINE project to offer compatibility with Windows software, file systems and device drivers. The latest release, version 0.4.0, includes the following features:
- ext2 read/write and NTFS read support
- New explorer shell and theme support
- SerialATA support
- Sound support
- USB support
- VirtualBox and VirtualPC support
- Wireless networking
There are two editions of ReactOS we can download: a live CD and an installation disc. The installation disc is 94MB in size while the live disc is a mere 66MB. These files are compressed to provide faster downloads and, once decompressed, the ISO images take up 113MB and 198MB of space, respectively.

ReactOS 0.4.0 -- The application menu and file manager
I downloaded both editions of ReactOS and tried to use both. At first I attempted to write the images to a USB drive as USB support was mentioned in the project's release notes. However, I was unable to get either of my test computers to boot from the USB thumb drives and I burned copies of the ISO files to CDs. When trying to boot the operating system on my laptop computer, ReactOS immediately displayed an error message saying the operating system was "out of memory". When attempting to boot the operating system on my desktop machine, the operating system started to load, but after about 15 seconds displayed the classic Blue Screen Of Death, reporting the system could not continue to run and had shut down to avoid damaging the computer's hardware.
Not yet deterred, I tried booting both discs in a VirtualBox virtual machine. The live disc booted to a Windows-like desktop. The background was soft blue. Icons for accessing the file system were displayed in the upper-left corner. The operating system's application menu, task switcher and system tray were displayed along the bottom of the screen. The interface closely resembles a Windows 98 or Windows 2000 desktop system.
While playing with the live disc can give us a feel for what ReactOS looks like, if we want to really explore the operating system we will want to install it. I rebooted my virtual machine with the ReactOS installation disc mounted. The disc boots directly into the project's text-based installer which looks and acts a good deal like the Windows installer from the XP era. We are asked to select our keyboard's layout from a list and then warned ReactOS supports installing on partitions formatted with the FAT file system exclusively. We are then asked to select our screen's resolution from a list. Next, we are shown a list of partitions on our disk and given the chance to delete the existing partitions or add new ones. We are then asked which partition should play host to ReactOS. The last question the installer asks us is if it should install a boot loader, either on our hard drive or on a floppy disk. With our answers given, the ReactOS installer then copies its files to our drive and reboots.
When the system starts up for the first time, it loads a graphical environment and a configuration wizard walks us through the remaining steps of setting up the operating system. We are shown licensing information for ReactOS and then given the chance to change our keyboard and language settings. We are asked to provide our name and then set a hostname and administrator password for our system. The final screen gives us the chance to change the system clock and set our time zone. The system then reboots again and, when ReactOS starts, it brings us straight to the desktop environment, logged in as the administrator.
Whenever I started ReactOS, the system always logged me in automatically, even after I had created additional user accounts. If I logged out of the administrator account I would be presented with a graphical login screen. I tried to sign in as other users I had set up on the system, including a regular user account and a guest account. Attempting to sign into any account, even the administrator's account, would simply return me to the login screen again. This meant that if I logged out of the administrator account I would need to reboot the system in order to get signed in again.
Each time I logged into the ReactOS system, a hardware wizard would appear and offer to try to find device drivers for two pieces of virtual hardware. The wizard was unable to find drivers for either of the devices (identified as System Device and Audio Device). The hardware wizard appeared every time I logged in, even after I checked the box telling the system not to show the window again. Also on the topic of hardware, according to the ReactOS task manager, the operating system used about 100MB of RAM when sitting at the desktop. I was a little sceptical of this reading as the task manager incorrectly detected the amount of total RAM available. This memory detection error appears to be a problem with the task manager itself rather than ReactOS in general as the system information panel (found in the My Computer->Properties menu) displayed the correct amount of available RAM.

ReactOS 0.4.0 -- Managing services and device drivers
ReactOS has an interface that looks and feels very much like earlier versions of Microsoft Windows. The file manager, control centre and application menu all have a very familiar appearance. I spent a lot of my time exploring the settings panel and had mixed results. As I mentioned before, I was able to create user accounts and set passwords for them, but I was unable to log into the accounts. There is a module for dealing with printers, but ReactOS was unable to detect printers on my network and I could not find a way to add printers to the system. Changing the desktop's appearance worked well enough and the networking configuration settings worked for me. Unlike earlier versions of Windows, ReactOS has a software manager and I had some good and some bad experiences with managing packages, which I will cover later.
ReactOS ships with some familiar applications, including a text editor, image editor and calculator. There are a few small games, including Mine Sweeper and Solitaire. These programs work, but tend to be limited in their functionality. For instance, the image editor is only able to work with bitmap (BMP) image files and cannot save images in other formats. Transferring files posed a problem early on too as ReactOS does not ship with an OpenSSH client. There is an FTP command line client available in the default installation, but upon connecting to a remote FTP server using the default client, the entire ReactOS system locked up, forcing a hard reboot.

ReactOS 0.4.0 -- The control centre and networking settings
While older versions of Windows had a configuration module which would facilitate removing applications, they did not feature a software manager in the same way most Linux distributions do. ReactOS has taken the initiative of adding a package manager, called Applications Manager. This program displays a list of software categories down the left side of the window and a list of items in the selected category on the right. When we highlight an application with our mouse, a brief description of the software, its size, license and website are displayed at the bottom of the screen. There are 172 available applications in total, most of them popular open source programs such as LibreOffice, the GNU Image Manipulation Program (GIMP), VLC and GnuCash.
Since one of the main advantages of running ReactOS appears to be the ability to run applications developed for Windows, I decided to try installing a handful of the programs listed in Applications Manager, along with a few programs I installed from the Web that were not listed. The GIMP software installed, but upon starting up GIMP displays dozens of error messages and then locks up. I tried to terminate the GIMP process using ReactOS's task manager, which caused the task manager to also lock up. A reboot was required to resolve the situation. Firefox was available in the software manager and worked as expected. I was able to browse web pages and play HTML 5 videos, though videos played without sound. I tried to install Flash, but the Adobe Flash installer failed to connect to Adobe's servers. I'm not sure if this is a compatibility issue with ReactOS or a glitch on Adobe's side of things.

ReactOS 0.4.0 -- Installing software with Applications Manager
Filezilla was not available in the software manager and, while I was able to install the software from Filezilla's website, the application would not launch. The Putty implementations of secure shell and secure FTP are in the software manager and worked perfectly. Both LibreOffice and OpenOffice are listed in the software manager; the former refused to download due to a broken URL, but OpenOffice did install. However, OpenOffice would not launch due to a missing file. Steam was listed in Applications Manager, but would not download and the error message given seems to suggest an incorrect checksum was the problem. In short, less than half the programs I tried worked and installing software from outside sources tended not to deliver the desired experience.
Conclusions
The ReactOS project appears to be trying to recreate the experience of Windows 95 through to Windows 2000 as faithfully as possible and, from a look and feel perspective, the developers have done an amazing job. However, from a practical point of view ReactOS rarely delivered the functionality I would expect from its closed source cousin. The system refused to run on either of my test machines and, though it would install in VirtualBox, I regularly ran into system crashes, sound didn't work and most of the Windows applications I tried to run failed in some way. I have had better luck running Windows software with WINE on Linux boxes than I did with ReactOS.
In the end, while I admire the ReactOS team's attention to detail in recreating the Windows interface, I do not think running ReactOS is practical for most situations. WINE will run most Windows software passably well and there are lots of good open source alternatives to most closed source applications. Running an old copy of Windows in a virtual machine would probably offer a better experience in most circumstances. The one area where I think ReactOS would shine would be if a person needed to run a Windows clone on hardware that also required Windows specific drivers. ReactOS reports itself to be compatible with drivers written for Microsoft's operating system and I think that may prove to be the project's strong point. Some old systems are very particular when it comes to applications and drivers and I think ReactOS might fill in nicely in those situations.
* * * * *
Hardware used in this review
My physical test equipment for this review consisted of a de-branded HP laptop and a desktop HP Pavilion p6 Series with the following specifications, respectively:
- Processor: Intel i3 2.5GHz CPU
- Display: Intel integrated video
- Storage: Western Digital 700GB hard drive
- Memory: 6GB of RAM
- Wired network device: Realtek RTL8101E/RTL8102E PCI Express Fast
- Wireless network device: Realtek RTL8188EE Wireless network card
- Processor: Dual-core 2.8GHz AMD A4-3420 APU
- Storage: 500GB Hitachi hard drive
- Memory: 6GB of RAM
- Networking: Realtek RTL8111 wired network card
- Display: AMD Radeon HD 6410D video card
|
Miscellaneous News (by Jesse Smith) |
Wayland coming to Fedora in stages, Ubuntu seeks to remove Python 2 from installation media, Debian switches back to Firefox and Trisquel's status
The Fedora distribution has been a leader when it comes to adopting the Wayland display technology which is intended to be a modern replacement for the aging X display software. For a while it looked as though Fedora 24 would ship with Wayland as the default display technology, but the Fedora developers have decided, for now, to keep using X as the default technology and use Wayland as a session option. A blog post on the GNOME website talks about work that has gone into GNOME Shell running on Wayland and the desktop features we can expect to see in Fedora 24.
"The Fedora Workstation working group decided this week that we're not quite there yet for making the Wayland session the default in Fedora 24. That is a bit of a disappointment for me, since we have worked very hard this cycle to close the gaps; you can see the progress we've made here: primary selection, kinetic scrolling, drag-and-drop, start-up notification, pointer confinement have all landed this cycle. Not to mention countless smaller bug fixes and robustness improvements. But gaps are gaps, so we will take one more cycle to address them."
* * * * *
Fedora is not the only distribution trying to shake off older technologies. The Ubuntu team is currently trying to remove older versions of the Python interpretive language from their Desktop edition. Major versions of the Python language, specifically versions 2 and 3, are similar, but not compatible with each other. This means software originally developed with Python 2 needs to be altered to work with Python 3. The result is that most distributions need to ship both versions of Python in order to support all the software that has been developed using the language. Barry Warsaw reported earlier this month that Ubuntu is very close to removing all dependencies on Python 2 from its Desktop edition: "A long standing goal for Ubuntu has been the demotion of Python 2 off of the default installation images. This is something many folks have been working on for quite a few cycles, and it's finally within our reach for Desktop (Server and Touch already have no Python 2 on them). Of course this is within the context of a much longer term, cross distro effort to port the entire world to Python 3. We have one last thing holding Python 2 on the Desktop image, and it's a problematic one: system-config-printer. Actually s-c-p is already itself ported to Python 3, but it transitively depends on Python 2 through the chain of python3-smbc -> libsmbclient -> samba-libs -> libpython2.7. So the real problem is fully porting Samba to Python 3. Ubuntu is not the only distro converging on this bottleneck. Clearly, we won't have untangled the Samba stack in time for 16.04." Some alternative plans for reducing dependency on Python 2 are mentioned in Warsaw's e-mail.
* * * * *
Last month we reported that Debian developers were considering dropping their modified edition of Firefox, named Iceweasel, in order to resume packaging Mozilla's Firefox complete with the "Firefox" name and branding. Last week the Debian project moved forward with this plan, packaging the Firefox web browser in place of Iceweasel. People who currently use the re-branded Iceweasel browser will automatically receive the new Firefox package as an update. "This took longer than it should have, but a page is now officially turned. I uploaded Firefox and Firefox ESR to Debian Unstable. They will have to go through the Debian NEW queue because they are new source packages, so won't be immediately available, but they should arrive soon enough. People using Iceweasel from Debian Unstable will be upgraded to Firefox ESR."
* * * * *
Trisquel GNU/Linux is a distribution that is built from Ubuntu packages with all of the non-free components removed. This results in an entirely free (as in liberty) operating system. Last week the Trisquel project released a status report which talks about the project's improved build system, upcoming plans for Trisquel 8 and the project's finances: "This year will bring us Trisquel 8, codename "Flidas". We have already started the development, aiming to produce the first testing images in a couple of months followed by a final release not long after the upstream distro (Ubuntu 16.04) is released in April. Editions will continue to include a main GTK-based desktop, a lighter environment and a Sugar-based image, but we hope to extend that list with new additions." The rest of the report contains further details.
|
Tips and Tricks (by Jesse Smith) |
Verifying ISO images
In the wake of the attack against the Linux Mint website last month there have been many concerns raised that distributions are not doing enough to protect their users from downloading compromised ISO files. People have written to us and asked why there are not more checks in place against people installing corrupted ISO images. We have received e-mails asking us to set up a database of checksums so people can verify the one their distribution's website provides is correct. Others have asked us to put a big banner on our website to warn people when a project's download servers are compromised.
While we have received a number of interesting technical suggestions for checking the legitimacy of ISO images (with varying degrees of practicality), the reason we are not implementing most of them is the problem the Linux community faces with regard to corrupted ISO files is not technical, but (I believe) educational.
The truth is, Linux Mint, like most of the major open source operating systems, not only provides checksums (digital fingerprints) for their ISO files, the project also digitally signs the checksums. This means, in short, that if an attacker replaces a good ISO image with a corrupted one, the bad ISO's checksum will not be correct. And, if the attacker is smart enough to replace the distribution's checksum too, then the checksum's signature will not be valid. Put another way, there is a chain of trust. We know the ISO file is correct because the checksum is correct. And we know the checksum is correct because it was digitally signed by the development team. If the signature is bad, then the chain of trust collapses and the ISO cannot be considered safe to install.
All of this probably sounds a little abstract, so why don't we look at an example? Let's use Linux Mint's latest release, version 17.3, and walk through how to confirm the ISO image available for download is legitimate. If we look at one of the Linux Mint download mirrors we will find a collection of ISO images; a file called sha256sum.txt which contains checksums (digital fingerprints) of the ISO files; and a signature file, sha256sum.txt.gpg. Let us assume, in this example, we are downloading the linuxmint-17.3-cinnamon-64bit.iso file, which we plan to install. While the ISO file is downloading, we will also download the sha256sum.txt and sha256sum.txt.gpg files.
The first thing we should do is attempt to verify the checksum file, sha256sum.txt, is valid. That means it has been signed by a developer working for Linux Mint. We can do this with the gpg command line program. Running the following command will attempt to verify the checksum file is correct:
gpg --verify sha256sum.txt.gpg sha256sum.txt
In this case, I get back the information:
gpg: Signature made Wed 06 Jan 2016 12:06:20 PM AST using DSA key ID 0FF405B2
gpg: Can't check signature: public key not found
We know when the file was signed and with which key (0FF405B2), but we do not know whose key that is. We need to download and verify the key. We can do this by asking a special server, called a key server. A key server holds a collection of keys and information on those keys. Here we check out information on the key 0FF405B2. I use the pgp.mit.edu server, which is a popular one for holding digital keys:
gpg --keyserver pgp.mit.edu --recv-keys 0FF405B2
Here is the information I get about the requested key:
gpg: requesting key 0FF405B2 from hkp server pgp.mit.edu
gpg: key 0FF405B2: public key "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>" imported
It looks like this key belongs to Clement Lefebvre of the Linux Mint team. That is a good sign. Now we try to verify the checksum file again:
gpg --verify sha256sum.txt.gpg sha256sum.txt
Since we have data on the digital key now, gpg gives us the following information:
gpg: Signature made Wed 06 Jan 2016 12:06:20 PM AST using DSA key ID 0FF405B2
gpg: Good signature from "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>"
Now we know when the checksum was signed and by whom. The information looks correct so we know we can use the checksum file to verify our ISO download. We can do this with the following command:
sha256sum -c sha256sum.txt
Assuming the ISO image is correct, we will see several lines, one of which should read:
linuxmint-17.3-cinnamon-64bit.iso: OK
If the above line does not appear in the output from the sha256sum command then the ISO file cannot be trusted. Either it was corrupted during the download and should be deleted or the file has been replaced on the server and should not be trusted. Whatever the cause, a bad ISO file will result in sha256sum displaying a warning:
sha256sum: WARNING: 1 computed checksum did NOT match
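The walkthrough above as a script, added here as an example and not taken from the article or from Linux Mint. It goes one step beyond the steps shown: a key server returns whatever key was uploaded under an ID and the name on a key is chosen by whoever created it, so the script compares the signer's full 40-digit fingerprint, which you supply after obtaining it from the project over a separate channel, rather than relying on the eight-digit key ID. The function names and the script name verify-iso.sh are made up for this example, and the signing key is assumed to be in your keyring already.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies a downloaded ISO in
# two steps: (1) the checksum list is signed by a key whose FULL fingerprint
# matches one pinned in advance, (2) the ISO's SHA-256 matches the entry for
# it in that signed list.

# signed_by EXPECTED_FPR   (reads `gpg --status-fd` output on stdin)
# Succeeds only if gpg reported GOODSIG and the VALIDSIG line carries the
# pinned fingerprint. A bad signature produces BADSIG, and an expired or
# revoked key produces EXPKEYSIG/REVKEYSIG, so none of those pass.
signed_by() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#expected}" -eq 40 ] || return 1      # refuse short key IDs
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Field 12 is the primary key fingerprint; field 3 is the signing
        # (sub)key fingerprint, used when field 12 is absent.
        $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
        END              { exit !(good && fpr == want) }'
}

# iso_matches_list SUMS_FILE ISO_PATH
# Looks up the ISO's file name in the checksum list and compares the listed
# hash with the hash of the local file. Only this one entry is checked, so
# other images named in the list do not need to be present.
iso_matches_list() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }          # "*name" marks binary mode
        f == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 1                 # file not listed at all
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# verify_iso EXPECTED_FPR SUMS_FILE SIG_FILE ISO_PATH
verify_iso() {
    if ! gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | signed_by "$1"; then
        echo "checksum list is NOT signed by the pinned key" >&2
        return 1
    fi
    if ! iso_matches_list "$2" "$4"; then
        echo "ISO does NOT match the signed checksum list" >&2
        return 1
    fi
    echo "$(basename "$4"): signature and checksum OK"
}

# Usage (FINGERPRINT is a placeholder for the value the project publishes):
#   sh verify-iso.sh FINGERPRINT sha256sum.txt sha256sum.txt.gpg \
#       linuxmint-17.3-cinnamon-64bit.iso
if [ "$#" -eq 4 ]; then
    verify_iso "$@"
fi
```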
Hopefully more projects will start signing their checksum files and those that already do will make it easier to find their signatures. Often times it is necessary to browse project mirrors to find checksum files and their signatures and the attack on Linux Mint's servers has demonstrated this information needs to be easier to find. The Peppermint OS team has a fine example on their website of how this can be done. Clicking on one of the project's download buttons brings up a page with links to the ISO, its checksum and step-by-step instructions explaining how to verify the downloaded ISO has not been corrupted. I believe the Peppermint OS team deserves some credit for being community leaders in educating their users and keeping them safe.
We will also be helping to keep our readers safe. In our front page release announcements we will provide links to signature files as well as checksums, when they are available.
|
Torrent Corner |
Weekly Torrents
Bittorrent is a great way to transfer large files, particularly open source operating system images, from one place to another. Most bittorrent clients recover from dropped connections automatically, check the integrity of files and can re-download corrupted bits of data without starting a download over from scratch. These characteristics make bittorrent well suited for distributing open source operating systems, particularly to regions where Internet connections are slow or unstable.
Many Linux and BSD projects offer bittorrent as a download option, partly for the reasons listed above and partly because bittorrent's peer-to-peer nature takes some of the strain off the project's servers. However, some projects do not offer bittorrent as a download option. There can be several reasons for excluding bittorrent as an option. Some projects do not have enough time or volunteers, some may be restricted by their web host provider's terms of service. Whatever the reason, the lack of a bittorrent option puts more strain on a distribution's bandwidth and may prevent some people from downloading their preferred open source operating system.
With this in mind, DistroWatch plans to give back to the open source community by hosting and seeding bittorrent files. For now, we are hosting a small number of distribution torrents, listed below. The list of torrents offered will be updated each week and we invite readers to e-mail us with suggestions as to which distributions we should be hosting. When you message us, please place the word "Torrent" in the subject line and make sure to include a link to the ISO file you want us to seed. To help us maintain and grow this free service, please consider making a donation.
The table below provides a list of torrents we currently host. If you do not currently have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.
Archives of our previously seeded torrents may be found here. All torrents we make available here are also listed on the very useful Linux Tracker website. Thanks to Linux Tracker we are able to share the following torrent statistics.
Torrent Corner statistics:
- Total torrents seeded: 172
- Total data uploaded: 31.5TB
|
Released Last Week |
Tails 2.2
The developers of The Amnesic Incognito Live System (Tails), a Debian-based live disc for anonymous communication and on-line web browsing, have released a minor update to their distribution. The new release, Tails 2.2, features support for viewing DRM-protected DVDs, automatically saves the KeePassX database after each update and includes an update to the Tor Browser. "This release fixes many security issues and users should upgrade as soon as possible. New features: Add support for viewing DVDs with DRM protection. Upgrades and changes: Replace Vidalia, which has been unmaintained for years with a system status icon indicating whether Tails is connected to Tor or not, Onion Circuits to display a list of the current Tor circuits and connections. Automatically save the database of KeePassX after every change to prevent data loss when shutting down...." Additional details can be found in the project's release notes.
Linux From Scratch 7.9
Bruce Dubbs has announced the release of Linux From Scratch (LFS) 7.9, a book of step-by-step instructions on how to build a base Linux system from scratch. Beyond Linux From Scratch (BLFS) 7.9, a separate book that extends the base system with additional software packages for desktops and servers, is also out: "The Linux From Scratch community is pleased to announce the release of LFS version 7.9 and BLFS version 7.9. This release is a major update to both LFS and BLFS. The LFS release includes updates to glibc 2.23, Binutils 2.26 and GCC 5.3.0. In total, 25 packages were updated and changes to text have been made throughout the book. The BLFS variant includes approximately 800 packages beyond the base Linux From Scratch 7.9 book. This release has 597 updates from the previous version including numerous text and formatting changes. A major change to BLFS includes the addition of the KDE Plasma 5 desktop." Read the rest of the release announcement for more information.
Qubes OS 3.1
Joanna Rutkowska has announced the launch of Qubes OS 3.1, a new stable release of the Qubes operating system which enforces strong isolation between tasks. Version 3.1 of the security-oriented project features a new management system that centrally controls Qubes configuration: "The major new architectural feature of this release has been the introduction of Qubes Management infrastructure, which is based on popular Salt management software. In Qubes 3.1 this management stack makes it possible to conveniently control system-wide Qubes configuration using centralized, declarative statements. Declarative is a key word here: it makes creating advanced configurations significantly simpler (the user or administrator needs only to specify what they want to get, rather than how they want to get it). This has already allowed us to improve our installation wizard (firstboot) so that it now offers the user ability to easily select various options to pre-create some useful configurations, such as e.g. Whonix or USB-hosting VMs." The new release of Qubes OS also supports booting on machines with UEFI and introduces additional hardware support for a range of video cards. The release announcement and release notes have additional details.

Qubes OS 3.1 -- Exploring the application menu
ClearOS 7.2.0
Devin Johnson has announced the release of ClearOS 7.2.0, the latest stable version of the project's CentOS-based distributions designed for servers: "ClearOS 7.2.0 final for all editions has arrived. ClearOS 7 is available in three editions - Community, Home and Business. All editions can be installed from the same ISO image, but each edition provides access to different repositories with a mix of applications, support and services to meet different environment needs. This release is the second in the ClearOS 7 series and provides primarily maintenance and bug fixes. ClearOS 7.2.0 introduces: support for LVM caching; improved VM support." The brief release announcement links to a more detailed changelog which provides a comprehensive list of changes and updates since the release of ClearOS 7.1.0 in November 2015: "Dashboard unusable in FF - resolved; prevent Zarafa from being installed when Samba directory used - resolved; Suva daemon is not reloadable - resolved...."
|
Opinion Poll |
Do you buy computers with Linux pre-installed?
In the past it was often difficult to find companies which sold computers with Linux pre-installed on their hard drives. Over time, the situation has gradually improved with more and more companies selling computers with Linux already installed.
This week we would like to know if you buy your computer(s) with Linux pre-installed or if you purchase computers with another operating system in place and install Linux later? If you have purchased computers with Linux (or BSD) already installed on the drive, please let us know where you bought your computer in the comments.
You can see the results of our previous poll on reviewing Ubuntu community editions here. All previous poll results can be found in our poll archives.
|
Do you buy computers with Linux pre-installed?
I buy computers with Linux/BSD pre-installed: | 183 (7%) |
I buy computers with blank hard drives: | 401 (15%) |
I buy computers with another OS pre-installed: | 565 (21%) |
I assemble my own computers from parts: | 961 (35%) |
Some or all of the above: | 570 (21%) |
None of the above: | 52 (2%) |
|
|
DistroWatch.com News |
Distributions added to waiting list
- Minux. Minux is a lightweight/minimalist Linux distribution based on Tiny Core Linux. Minux is loaded with FLTK and GTK based applications.
* * * * *
DistroWatch database summary
* * * * *
This concludes this week's issue of DistroWatch Weekly. The next instalment will be published on Monday, 21 March 2016. To contact the authors please send e-mail to:
- Jesse Smith (feedback, questions and suggestions: distribution reviews/submissions, questions and answers, tips and tricks)
- Ladislav Bodnar (feedback, questions, donations, comments)
Reader Comments |
1 • Sign ISO Not Just Checksum (by Arch Watcher 402563 on 2016-03-14 00:47:32 GMT from North America)
Did the pirate Mint checksum match legit Mint? It's easy to do with junk pad bytes. Someone tell me I'm all wet, but an attacker need not change any original checksum file, just match the value. So the signature on the checksum file is don't-care. What needs signing is the full ISO file. Anything modified in the ISO will produce a bad signature.
2 • Checksums (by Jesse on 2016-03-14 01:16:03 GMT from North America)
@1: The fake Mint ISO did not match its checksums.
You can't make a file match a desired checksum simply by padding it with extra data, at least not within sane size restrictions. In trial runs researchers found they could match the checksums of two different files if they controlled (and could pad) _both_ files. But they could not do it if they controlled just one file and did not control the checksum.
In other words, signing either the checksum file or the ISO will work for all practical cases. An attacker cannot simply change and pad the ISO and still have a valid checksum.
3 • System76 (by SkinnyJ on 2016-03-14 01:35:54 GMT from North America)
Concerning the poll, I purchased a laptop from System76 two weeks ago. System76 computers come with Ubuntu installed. The laptop feels really solid, the screen is great. My only complaints are the location of the touchpad, the touchpad could be smaller and the buttons on the touchpad are a bit flimsy. But, all the hardware (802.11ac wireless card, camera, video) work right away. A little expensive, but since I want to run Linux and not worry about the hardware not being supported, it was the way to go. https://system76.com/
4 • Zareason (by GeorgeB on 2016-03-14 01:41:31 GMT from North America)
Bought a Zareason Zini i3 with 8 GB ram and Ubuntu 14.04. Works well and boots faster than my other linux boxes with Ubuntu.
5 • Poll question... (by Tom Joad on 2016-03-14 02:06:12 GMT from North America)
Good question!
I build my towers myself. Well, I do a bare bones that I like and then fill up the box. That is pretty easy to make it Linux friendly. I get exactly what I want how I want.
Laptops are way, way trickier. First I have to know what is in them and I mean exactly. I used to have to look out for those pesky Broadcom network adapters. Those are not the issue they have been in the past but still, for me, no thanks. I stay away from ATI too, or AMD now, video cards.
The two new Sonys I bought had windows installed and the conversion was painless for the most part. The first one has an Nvidia card but Ubuntu had a star crossed driver for it at the time. That took some deep research to fix. Come to find out Nvidia had the correct driver buried somewhere deep in their web site. I got it figured out long before Ubuntu did. Oh, they knew it was an issue but were in no hurry to correct it. I think it was 11.04. A whole lot of folks suffered dearly with that SNAFU.
Lastly I bought a System 76 laptop several, several years ago. That is still running fine though it is getting long in the tooth as they say. My son has it.
Yeah, I voted all or some of the above.
6 • Elaboration on Debian's switch (by D_CR on 2016-03-14 02:23:41 GMT from North America)
Any elaboration on why they went the IceWeasel route to begin with and what has changed to induce them to switch back to stock Firefox?
7 • Assembled from parts. (by Roy on 2016-03-14 02:36:33 GMT from North America)
I built this one from ordered parts and parts given to me. Some people know I like tinkering with computers and give me their old ones. Some part on it went bad or it just isn't the baddest thing out there so they just get rid of the whole computer. Case in point was a 2005 Dell XPS 710 desktop. It had a 1000 watt power supply and a 1 TB hard drive. I thanked the guy for the boat anchor. LOL The hard drive is still running great on my new computer.
8 • Poll (by slick on 2016-03-14 02:51:46 GMT from North America)
Build my own PC from parts, and prefer an AMD build.
Aware there are some vendors now selling personal computers with Linux pre-installed. Believe that is a good decision and choice is paramount with Linux, regardless of what Linux distribution is installed.
Choice is a step in the right direction. For everyone!
9 • gpg keys (by mroot on 2016-03-14 02:52:59 GMT from North America)
I don't think the problem is education. I think the problem is technical users expect non-technical users to be able to easily verify an iso using a process similar to the one detailed in the article and they can't. You may say that they need to do this but in many cases they don't have the ability. As a casual user I can do it but I struggle to get it done and I can use the command line, edit text config files, and am willing to do it even though I won't remember how to do it next time in 2 years when it is needed again. Now someone I am sure will comment on here that using a gpg key to check an iso is easy and it is for them because they have the right technical background. But that same person would be miffed if you pointed out that they can't change the struts on their car, replace the drain in their sink or run a transesterification. The real answer to using gpg keys is to have an easy GUI application that does all steps detailed in the article. After all we have GUI applications to manage packages, why can't we have something similar for gpg keys?
10 • System76 and/or prebuilt.. (by Brad on 2016-03-14 03:18:41 GMT from North America)
I'd love a system76 system!! And like someone previously said, it's great they are built around Linux,specifically Ubuntu.. but I would buy one and throw a lightning fast install of Arch on it! Or if I were to build my own, I'd go with AMD/Nvidia (more bang for the buck$) and Nvidia drivers for linux are smoother in my experience.. that's my .02 and YMMV
11 • Firefox (by slick on 2016-03-14 03:19:46 GMT from North America)
@#6 D_CR: Found the wiki with an explanation to one of your questions, very curious myself.
https://en.wikipedia.org/wiki/Mozilla_software_rebranded_by_Debian
Hope that helps!
12 • Zareason laptop & old windows machines (by M.Z. on 2016-03-14 03:27:16 GMT from North America)
Depending on how you count I did a few different things from the poll. My current laptop is a Zareason Strata that came with an old version of Mint Cinnamon pre-installed on the SSD. I set up a /data partition on the spinning HDD so I could have a shared location for files on all my distros & put Mint KDE & Mint Debian on the SSD & later replaced Mint Cinnamon with Mageia (more interesting than 2 versions of Mint with Cinnamon). My old desktop came with Vista & now I only use PCLinuxOS on it, while my 2 other machines were free/second hand.
I don't think there is too much need to pre-install Linux on big desktops, but I think it's worth it to get a laptop that comes with a good distro on it just to be extra sure everything works. Of course if you have the money it could save time & hassle to get something with your preferred distro installed, but I don't think I would. Either way I'm glad Zareason gives a good choice of distros.
http://zareason.com/shop/Laptops/
13 • ReactOS Review (by Pauli on 2016-03-14 03:34:33 GMT from North America)
So, let me see if I have this straight.... The rocket scientists who have been working on the ReactOS project, starting in 1996... YES 1996.... have worked on this piece of crap for 20 YEARS and come up with: a cold-room, reversed engineered BLUE SCREEN OF DEATH, major lockups, malfunctions requiring reboot and failure of Windows programs to function to any degree of competence/usefulness.
Riiiigghhtt....
OK, let me give you ReactOS guys a tip: YOU ALL NEED TO DROP THIS PROJECT LIKE THE DEAD-IN-THE-WATER PIECE OF S#!* IT IS AND YOU ALL NEED TO GO BACK TO C, C++ CODING 101!!!!!!!!!!!!!!!!!! Everybody associated with the ReactOS project should be EMBARRASSED about this BAD open-source version of a relic OS that you have created!
Clowns! LOL!!!!!!!!!!!!
14 • @1 padding checksums (by Pearson on 2016-03-14 04:25:59 GMT from North America)
You may be confused by the terminology. The sha256sum is not, technically, a checksum (where a checksum is merely adding bytes, ignoring overflow). The sha256 is more like (maybe exactly - it's been a while) a CRC calculation, using polynomials instead of simple arithmetic. The CRC approach is designed to make it very difficult to fake.
15 • ReactOS (by linuxista on 2016-03-14 06:13:47 GMT from North America)
@13 Why so harsh? If it's free software and they're having fun and learning, no harm done. It seems with the advent of virtual machines that the need for ReactOS, unless it were truly amazing, seems hard to defend. And it doesn't sound like it's anywhere near amazing, let alone functional, just something to play around with. I would say the fault, if any, doesn't lie with ReactOS as a hobby project, but Jesse not letting go of his hopes for the project and wasting his time reviewing it.
16 • not fault (by sam on 2016-03-14 06:37:41 GMT from North America)
In recent poll I ticked that I'd like to see "other, specialty" distros reviewed. ReactOS fits in "other" category. I say thank you for reviewing it, thereby sparing me from the disappointment I would have met in trying to use it in its current state.
17 • Verifying signatures (by g1 on 2016-03-14 07:18:54 GMT from Europe)
Using a public keyserver to fetch the public key needed to verify a file is equivalent to ask the signer of a check if the signature is genuine.
Nothing prevents you to generate a key, with a fake "distro X release manager" identity, and upload to a key server.
Public keys must be distributed via HTTPS from distro X web infrastructure, preferably a *different*, locked-down site from the one holding images.
18 • Poll (by Sondar on 2016-03-14 08:00:20 GMT from Europe)
Would be interesting to have a regional breakdown of answers to this week's poll. Is that possible? It used to be the case that most Brits built their own machines, the Americans and Euro-mainlanders nearly always bought built machines, with a mix of approaches in Australasia. But the worm has turned. Brits have suffered serious decline in education and motivation preferring to hug their mobiles, N Americans seem to have got the message that assembly only requires a screwdriver and the OS comes gratis! Psychology and self-confidence might be in the mix? We live in interesting times.
19 • reactos (by peer on 2016-03-14 08:59:46 GMT from Europe)
I do not want WINE on my pc to run windows applications. At the moment I have windows installed in Virtualbox. I use Garmin Mapsource for my (older) navigation system. It runs under windows and with some effort it could also run in WINE (but I never tried). For me Reactos could be a serious alternative for windows if I could run Mapsource in it. So I downloaded reactos and tried to install it in Virtualbox. It worked but the hardware wizard could not find two drivers just like the experience of Jesse. I tried to install the guest additions in Virtualbox. After rebooting I only got a black screen. After a fresh reinstall I tried to install Garmin Mapsource from an original CD. This also seemed to work but when I was asked to enter the unlock code the screen froze. Then I stopped with my short tryout. Probably it is possible to repair these problems but I have too little knowledge of reactos.
20 • @commenter #13 (by Peter Faasse on 2016-03-14 09:08:38 GMT from Europe)
To more or less paraphrase the needless rebuke..
When attempting to faithfully re-create the windows experience, we have -so far- managed to achieve:
- failure to install, check
- BSOD, check
- hard lockups at odd moments, check
- force users to hard-reset at odd moments, check
- incompatible and non-functional applications, check
- multitasking: crash and boot at the same time, check
+ add to this list as appropriate
Riiigghhttt...
Goals as of yet unachieved:
- virus infections (??)
- pulled-out hair caused by non-activations. Where *is* that 6 x 5 ASCII/HEX-code input field... Now that should not be hard to implement... ReactOS Genuine Advantage, anyone (??).
- frustrations caused by logical inconsistencies -for instance-:
  + 'keyboard failure: press F10 to continue' (that one is ooold..)
  + 'USB keyboard/mouse driver failed to load, can we attempt to reload them from the internet?', with a nice GUI 'OK/NO' button, but no functioning mouse/keyboard: Work in progress..
Reporting: we're well on our way to faithfully re-create the genuine windows experience / look & feel.
Other than that: agree with #15: Some folk are having fun building a 'Windows-From-Scratch'. They're not doing any harm that I can see. If their hobby makes any sense is not for me to judge.
@Jesse: Thanks for the review/warning... I'll not yet replace grandma's unsupported WinXP with this monstrosity.
Which brings me to another niche that ReactOS could -if/when actually usable- fill: There are those who have -sometimes at great trouble/investment- learned to more or less operate 'the old' windows. ReactOS could provide a safe haven against the sadistic streak @MS, and provide a place where the time/effort invested into learning how to operate MS-ish contraptions is not routinely nullified.
OT: I remember a www-post from a few years back when someone attempted (and failed..) to run Windows viruses on Wine... That is one test I'd enjoy seeing re-run on this ReactOS :-)
21 • Survey... (by Somewhat Reticent on 2016-03-14 09:19:53 GMT from North America)
When shopping for new hardware, my top priority is DIY support. One too many burns from monopolistic behavior, and real-world experience with support issues. My second priority is Freed software support. It's liberating, and avoids early obsolescence. Think Linux, ThinkPenguin.
I support what supports me.
Isn't ReactOS an academic project, whose main purpose is giving students experience in system development? (I don't recall any rocketry involvement. How's the Hurd coming along?) Perhaps a vulnerable/unsafe system should be confined to VM/jail?
22 • Educated users and Poll (by Stan on 2016-03-14 09:27:47 GMT from Europe)
I totally agree with Jesse about the lack of user education, one thing that was not mentioned in any of the news was that even the compromised ISO did NOT pass the built-in checksum option in the ISO boot menu.
Yes you read it right, the compromised ISO has a big flaw that any educated user will spot it right away.
Regarding the poll, it is a great insight so Distrowatch readers not only follow up on Linux but we also tend to build our own machines from the ground up. :)
23 • gpg keys (by Rufovillosum on 2016-03-14 10:07:13 GMT from North America)
I totally agree with #9. Moreover, those newbies we're always hoping to entice away from Windows will have neither the knowledge nor the software to do this extensive checking -- not a good introduction to linux.
24 • @18 Poll and DIY (by Antony on 2016-03-14 10:28:58 GMT from Europe)
I am from England. I have only bought one pre-built computer (apart from 80's Home Computers). That was a Pentium 100 machine. Since (and even prior to) the P100, I have built my own.
I will always prefer to build/upgrade computers for myself.
25 • Done Building Hardware (by joncr on 2016-03-14 10:32:32 GMT from North America)
I've never bought a pre-installed Linux system. I've built several and bought several with Windows pre-installs that were moved to Linux first thing.
For my purposes, though, I don't see the need of building any more boxes, or buying some beige or black box. Nothing I do, or expect to do, pushes the performance envelope. So, the next move is going to be to some small thing like an Intel NUC.
26 • @24 - Still education is missing (by Stan on 2016-03-14 10:36:14 GMT from Europe)
The point from #9 is to make it easier...
Unless the distribution maintainers, somehow, make the ISO verification a mandatory step, the user education will be always needed.
It does not matter how easy you make the ISO verification, what matters is the user must know that verifying the ISO is a crucial step for them to maintain good security.
They don't learn about ISO verification because they usually purchase proprietary OS that most of the time are pre-installed and such verification steps are non-existent from the platform that they are coming from.
The "problem" comes from how FOSS is distributed, there isn't a central authority where everyone just goes and downloads the bits, thus it is important for new users to know how this new ecosystem works, why they should verify and how they can verify (and of course make it easier for them).
This is like the chicken & egg discussion. :)
27 • computer (by greg on 2016-03-14 11:05:01 GMT from Europe)
Desktops I prefer to assemble myself. Although lately I do not have time to fight the components, so the next one will likely be preassembled with some OS installed (more than likely Windows - depends where they are going...). Laptops - we got a SUSE Linux preloaded HP laptop. The plan was to replace SUSE with OpenSUSE which didn't work so well (many hardware things didn't work as they should). We ended up putting Kubuntu on it. At the time it was done to save some money on the OS. We will see what will happen next with this Linux install (AMD drivers will now lose support). If hardware support becomes an issue we might have to move to Windows. Although Linux needs less maintenance and there is a reduced threat from viruses.
28 • ReactOS and life (by Andy Mender on 2016-03-14 11:23:02 GMT from Europe)
I'm not sure why the accumulated hate towards ReactOS. It's an open-source project and no one is forcing anyone to actually use it. For sure it's not ready to become a Windows alternative anytime soon, but it shows that combining sane GNU/Linux solutions (package management, etc.) and a Windows NT core makes sense to some extent. If it were to be safer than Windows, yet still let me play my old games that hate WINE, I would be all for it!
In terms of GNU/Linux pre-installed, I normally buy older laptops with solid components like Thinkpads or Dells (Latitude series, for instance) without an operating system, but I enjoy building rigs from scratch the most. AMD or Intel for both CPU and GPU, though since I don't game so much anymore, iGPU is fully sufficient ;).
29 • gpg keys (by frodopogo on 2016-03-14 11:24:04 GMT from North America)
@9 (mroot) From my point of view, you've got it exactly right. Only I'm frustrated because I'm not exactly a noob. My sister whose laptop I'd like to install Linux Mint Cinnamon 17.3 on, says she thinks I'm a real computer geek. ;= )
But I don't read "do" Terminal, at least not more than one command at a time, and while I'm thankful for Jesse's VERY timely attempt at explanation, that article was WAY over my head. I think I'll just use my 17,1 disk and upgrade it.
In the olden daze when I had an XP partition, I had downloaded a small Windows add-on to check ISO checksums. And I do believe Mint 9 Isadora had an md5 tester built into the file manager menu.
30 • ReactOS, poll. (by Jeffrey Rollin on 2016-03-14 12:32:00 GMT from Europe)
Firstly, re: ReactOS. It's disappointing that ReactOS (and Haiku, whilst we're on the subject) have not been able to make as much progress as we (that is, alternative OS fans) hoped they would; however, there are (at least) two reasons why they haven't been able to get as far as Linux. Firstly, unlike Linux, they're trying to recreate closed, proprietary, often undocumented or poorly-documented targets, which in the case of Windows (and hardware) is a moving target, whereas the UNIX API is well-known and standardised. (Even Linux has extensions, but in that case the extensions are still developed out in the open). Secondly, everybody (including Microsoft!) who is involved in professional OS development (and still many hobbyists besides) is improving Linux, whereas ReactOS and Haiku seem to lack critical mass. From experience with recent versions of the BSD's, it seems like compared to where they were in the early 2000s, they are falling behind, too, at least on the desktop side. ReactOS and Haiku deserve credit for getting this far.
With regards to the poll, the last machine I bought was a Lenovo ThinkPad with Windows 8.1 preinstalled. I'm in the UK, and at the time, Entroware were not getting very good reviews. However, since then, they seem to have improved considerably, to the point where they could become the British System76. If they release a 17" laptop (and it's good), I'll definitely consider them next time.
31 • @20 Comment by Peter Faasse (by Ned on 2016-03-14 12:38:54 GMT from Europe)
Great Answer - keep on having fun with your project!
32 • ReactOS, poll (by Paraquat on 2016-03-14 12:45:09 GMT from Asia)
There was a time when I had a bunch of Windows apps and really wanted ReactOS. But it was never ready when I needed it, and from this week's review, is still not usable. By now, I've found substitute programs for all my needs, so the ability to run Windows' apps is no longer terribly interesting to me. I actually don't even have any Windows apps.
Too bad - ReactOS was a good idea back in the 1990s. But now Windows is no longer the dominant operating system anyway - Android actually boasts more users. At one time you had all kinds of websites claiming "best viewed by Microsoft Windows" but that is fast becoming ancient history. Windows may still dominate desktop systems, but a whole new generation is growing up without needing Microsoft for anything. To which I can only say, "good riddance."
Poll - my desktop system came with FreeDOS installed. Quite a few computer manufacturers do that on their cheapest models, just so you can see that the machine will boot OK. No one actually expects you to stick with using FreeDOS, and it's assumed you'll be installing Linux, the BSDs, possibly even Android-86. I prefer not having Windows pre-installed even if it's supposedly "free," because the machine might have "secure boot" enabled, which locks you into Windows unless you can disable it or find a workaround. As I see it, secure boot was Microsoft's last desperate attempt to hold off the competition, but hoping to pass this off as "protecting" us.
33 • pre installed (by Bonky on 2016-03-14 13:01:30 GMT from North America)
I travel a lot and have seen pre installed Linux machines for sale in 3rd world countries more than in anywhere else though still not a lot... What I did find out was that most "repair" shops have no one conversant with Linux.. some know the name most quote "Ubuntu"...but mentioning Debian Gentoo Arch etc just draws blank gazes .... many of these type of places it's easier to install and run a pirated windows 7..or even XP or Vista (not joking) even bigger businesses have been seen running them and probably Govt offices... though I recently spotted Open Suse ( maybe just wallpaper) on a large building supply company's computers. I digress....what I'm getting at is that having a pre installed linux may sound good as it may be cheaper..and attractive for that ..if someone messes it up that isn't linux conversant..they will have issues getting it sorted and will soon re install a trusty XP !!!
I followed ReactOS for a while many years ago when I needed a lot more Windows programs it seems my needs have diminished greatly in 15 + yrs !!!!! I don't see me needing to keep checking and trying it any more probably due to Wine not working for most of the things either..I hope they eventually succeed..though windows will have changed a lot before they finish I fear and won't be compatible for much..
34 • Verifying signatures (by Jesse on 2016-03-14 13:59:16 GMT from North America)
@17: "Using a public keyserver to fetch the public key needed to verify a file is equivalent to ask the signer of a check if the signature is genuine. Nothing prevents you to generate a key, with a fake "distro X release manager" identity, and upload to a key server."
That is not accurate. Public keys are typically signed by people who know or who work with the person who published the key. This creates a web of trust and most developers will have their key signed by multiple other developers. For example, if I check the Linux Mint key from the example in my article, I can see Clem's key is nearly seven years old and has been signed by Tobias Loose and Corey Sheldon of the Fedora Project, among others.
An attacker would not only need to create a false key, but would also have to make sure it was old enough and had been signed by enough developers to create a fake paper trail of trust. The attacker would then need to get the key up on multiple key servers, sign their fake checksum file, break into the project's web server and put the fake files in place without anyone noticing what they were doing.
35 • Buying computer with Linux pre-installed (by Tim on 2016-03-14 14:00:15 GMT from North America)
I bought my last computer in 2011. I ordered it from a custom system builder (one of the big ones, but I will not name them). One of the options was "No OS installed". I selected that, but it came with Windows7 installed, anyway. :(
To make matters worse, when I was trying to install Linux, I had some hardware issues and questions. When I contacted the PC builder's tech support, I was informed that they only supported systems with Windows.
So, to say the least, I will never order anything from that company, again. The reason I chose them in the first place was their very wide selection of components, which allowed me to specify my dream hardware for my system.
36 • @34 - PKI "Web Of Trust" (by Pearson on 2016-03-14 14:14:03 GMT from North America)
Thanks for the additional info, Jesse. Those steps are a bit ... cumbersome for some of the average user. Being time consuming, it is very easy (and tempting!) to skip them if you're in a hurry.
It would be nice if there were a trusted host or app that could do those in one step -- point to a download URL, choose the .iso, sha, and key and let it do all the work for you. To save time, the sha could be verified before even downloading the iso. It could even determine the "trustworthiness" of the key using methods you described -- age, number of signatures, authority of the signatures, etc.
37 • Checksums etc (by albinard on 2016-03-14 15:08:02 GMT from North America)
If you want to do the Full Jesse check, it would be wise to do the sha256sum check first, because it's quick and easy. In the real world, it is more likely that a download is corrupted than that someone has created a fake ISO.
38 • @34 verifying signatures (by g1 on 2016-03-14 16:08:26 GMT from Europe)
I was trying to point out that in the sentence "It looks like this key belongs to Clement Lefebvre of the Linux Mint team." the words "looks like" should probably be emphasized, because a name seen in the label of a key fetched from a keyserver has no or very little value to determine identity. Users who don't happen to know some trusted keys to bootstrap the chain of trust have no way to verify identities. Which is exactly what HTTPS was invented and is routinely used for (however flawed is the current certificate infrastructure).
"For example, if I check the Linux Mint key from the example in my article, I can see Clem's key is nearly seven years old and has been signed by Tobias Loose and Corey Sheldon of the Fedora Project, among others."
A tamperer might create (in a matter of minutes) different keys, with various dates, and names Jesse Smith, Clement Lefebvre, Mark Shuttleworth, Linus Torvalds, Bill Gates, Jeff Bezos, Barack Obama, cross sign them, and upload all of them to a keyserver, and then...
39 • Verifying signatures (by Jesse on 2016-03-14 16:41:12 GMT from North America)
@38: This is why webs of trust and proper use of keys are important. If people are properly using, collecting and verifying keys your suggested attack does not work because the attacker's keys will not match the known keys of those individuals.
If someone else makes up a fake key with my name/e-mail address, everyone I communicate with knows the attacker's key is fake because they already have my real key. Therefore any key signed with the fake Jesse's key is suspect.
Were someone to upload a fake Linus Torvalds or Clem Lefebvre key it would become clear quickly because those keys (and the fake accounts that signed them) would not match the known keys already in circulation.
40 • GPG, ReactOS (by Justin on 2016-03-14 16:51:32 GMT from North America)
@17, 34, 38: I agree that at some point, you just have to trust (like Aristotle said, at some point, you have to accept something as fact in order to build a logical argument; you can't doubt everything and expect to make any progress). Part of the point seems to be, the more steps involved, the harder it should be to copy. It can't ever be truly impossible because the legitimate users need to be able to do this work.
I also agree with the point that the primer probably should have pointed out you can go to the MIT website, search for, and click on the key. I didn't know that until the comments implied it (btw, you can do it over HTTPS). Perhaps it's coincidence, but a new Corey Sheldon key appeared today (3/14/16) and signed the Linux Mint key. I have other thoughts, but I'd rather not educate potential attackers. We also probably do need a GUI tool or some way of linking these together. The counter argument is, if you're going to do an install, that probably isn't very often, so you might be expected to go through these steps if you are concerned about such things. The problem is people who are so concerned are not the likely targets anyway as others have pointed out.
Finally, @Jesse, thanks so much for the ReactOS review! I appreciate your thoroughness. I've been following this project for 10 years, always hoping. It might have been worth mentioning in the review that this is alpha software (yes, everyone, ALPHA, which means stuff probably doesn't work because it's not all there yet).
The project deserves much more credit than it's getting in the comments. Perhaps people don't realize that Minix and Linux are open-source clones of UNIX. Our shared ecosystem came from people doing exactly what ReactOS is doing. Stuff just takes time, especially if you don't have a lot of developers or documentation. Look how long FreeDOS took! People also forget that mid-project they switched to being NT-based. There have been a few restarts in their history, so it's unfair to say after 20 years they have nothing. Besides, they owe us nothing. I think several haters were disappointed and hurt when ReactOS failed to deliver its promise in their personal timeframes.
41 • Fake LM Keys (by Jake on 2016-03-14 16:54:53 GMT from North America)
FYI, people are already trying fake keys. This one just appeared: pub 1024R/4434C4D1 2016-03-14 ClemL <root@linuxmint.com>
Is there a way for these to be taken down?
42 • Checksum (by DC on 2016-03-14 17:06:49 GMT from North America)
Why couldn't hackers just upload a checksum that matched the fake iso, if website was already compromised?
43 • ReactOS is exactly like Windows 95 (by Poet Nohit on 2016-03-14 17:24:06 GMT from North America)
Seems like it faithfully recreates the experience of running Windows to me. Any time I tried to run Windows (anything other than XP sp3) on a box that wasn't already preloaded, it would inevitably blue screen all the damn time.
44 • @42 Checksum (by Pearson on 2016-03-14 17:33:51 GMT from North America)
Your concern is valid. Much of Jesse's howto describes how to verify that the checksum is valid, based on the digital signature of the checksum file. The purpose of the digital signature is to be "cryptographically secure", meaning that the signature is a fingerprint of *that* file with *that* private key. In this case, *that* file is the file containing the sha256 "checksum" of the iso image. If someone uploads a new checksum file, the signature will no longer validate, which makes the entire thing questionable and/or suspicious.
45 • gpg --keyserver pgp.mit.edu --recv-keys (by Pearson on 2016-03-14 17:38:15 GMT from North America)
My question is about this step of Jesse's process. What kind of vetting is done to ensure that the keys on pgp.mit.edu aren't attempts to deceive? How can I know that the results are good? I hesitate to rely on "it's a few years old" and "the name looks official", especially since I don't recognize many of the names. I'm pretty geeky, and I barely recognize Clement's full name since he's usually just "Clem".
46 • ReactOS is ALPHA (by JB on 2016-03-14 18:03:18 GMT from North America)
@40 - thank you for mentioning what I thought would have been fairly obvious (if anyone had bothered to check) - ReactOS is in ALPHA stage!
Quite frankly, I fail to see the usefulness of reviewing something in ALPHA stage, at least reviewing it in the same manner as something that is a finished product, and then failing to mention that it is in ALPHA stage. Are BETA versions of Ubuntu ever reviewed here?
It is also worth noting that, a few years back, the project was the victim of some malicious behavior by a disgruntled volunteer, who alleged (later proven untrue, but at the cost of great time and expense) that they had based some of their work on actual Windows code. This could explain in part why the progress is so slow. Of course, someone has already mentioned that the project is trying to duplicate something that isn't exactly free and available in the wild.
Finally, the comments by Pauli @13 were very unhelpful, to say the least!
47 • Poll (by a on 2016-03-14 18:19:36 GMT from Europe)
I build my desktop systems. I enjoy it and it lets me pick exactly what I need and make very quiet computers.
For laptops, of course they cannot be self-built easily so the two I’ve had had Windows preinstalled (one new, one second hand, so I paid for only one Windows licence! :p). But nowadays it’s easier to find OS-free or even Linux laptops so if I had to buy a new one I’d look at that. Even if they are more expensive than the ones with Windows preinstalled, for some strange reason…
48 • @45 PKI (by g1 on 2016-03-14 18:38:27 GMT from Europe)
No vetting, except for the checks that you perform yourself based on signatures by other people and (more often than not) intuition. Can you guess the right key at http://pgp.mit.edu/pks/lookup?search=linus+torvalds&op=index ?
Names can be faked. Key creation dates can be faked. And it's alright: keyservers are for key distribution, not authentication.
You don't automatically trust a piece of information just because you "found it on the internet". You don't automatically trust a public key just because you received it from a keyserver.
IMHO, having all distros publish their software signing keys via HTTPS on a separate, secure and widely publicized site (perhaps mirrored on https://distrowatch.com :-), or across distros) would be a good step towards resolving the chicken-and-egg problem that the web of trust is for users.
49 • Microsoft (by gekxxx on 2016-03-14 19:08:04 GMT from Europe)
Seeing Microsoft as "the enemy" seems a discussion of 20 yrs ago. I do not use Linux coz Microsoft is the enemy. I use currently Linux Mint as I find Linux Mint a better OS than Windows 10.
50 • 28 • ReactOS (by Kragle von Schnitzelbank on 2016-03-14 19:40:55 GMT from North America)
"accumulated hate" reveals a normal reaction to repeatedly promising to service a passionate desire, like the one people have for an alternative to a robust but aggravating fairly-monopolized market. A typically amoral sociopathic corporation (only people and angels can be evil, but that's another topic) fostered the growth of a robust partly-free market which many people found valuable, and many of these people would love more competition in that market, especially as the current monopoly locks it down ever tighter (though not as tightly as Android was from the start). If ReactOS had never been advertised with marketing hype implying it would satisfy that desire, there would be no accumulated reaction to repeated frustration. Vast market opportunity, motivated community, powerful corporate monopoly - I'd anticipate effective devious sabotage, like a project in perpetual alpha stage advertising ... .
51 • My wife paid the windows tax. (by Arkanabar on 2016-03-14 22:00:02 GMT from North America)
Alas, my computers are Dells my wife bought with Win7 preinstalled. I will not upgrade to any later versions. It is to be hoped that the healthcare field will start investing in software certification (e.g. Meaningful Use) for FLOSS EMRs and practice management software by the time Win7 no longer gets security updates. In the meantime, I have PCLOS on my desktop and lappy. I'll probably add Matebunty 16.04 to the desktop when it comes out.
Most of our mid-towers we construct ourselves. Mine (a Dell) is the exception. When I get one of theirs, I generally wipe and install some suitable Linux distro.
@13: The whole point of FLOSS is that people can do what they like. ReactOS may be an entirely quixotic quest to provide a Better Windows XP, but I'm more than willing to let them do it.
52 • Signing Games (by Arch Watcher 402563 on 2016-03-14 22:27:34 GMT from North America)
@2 Jesse - So the Mint attack was just MITM I guess, or a plain old web hack.
@2 Jesse, @14 Pearson - A checksum is traditionally a single byte or word in a network communication packet. What we're calling a checksum is really a hash value.
The security of a hash comes out of length and collision metrics. Hash breaches hit the news all the time. http://arstechnica.com/security/2016/01/fatally-weak-md5-function-torpedoes-crypto-protections-in-https-and-ipsec/ https://en.wikipedia.org/wiki/Collision_attack
@37 albinard - Agreed; I view hashes as a way to verify download integrity, not file authorship.
A MITM or hack attack can show arbitrary hashes or duplicate OEM hashes. What a MITM attack CANNOT do is sign the ISO file properly, even its own pirate ISO. It's more secure and no extra work to sign the actual ISO.
As noted by others, the real problem is that victims don't even check sigs at all, because the task is technical. On that subject:
@9 mroot, @23 Rufovillosum, @29 frodopogo - Browser devs ought to compile GnuPG into their browsers for webmail and ISO validation and other purposes. Most folks fetch ISOs via web browser.
@17 g1, @26 Stan - Browser-based GnuPG could easily handle key distribution security. As well as the JavaScript code download security problem, btw. I have no idea why dimwits at IE, Mozilla, Chrome, Konqueror, Midori, Opera, Palemoon, and Safari aren't doing it. How hard can it be to drop GnuPG source into a browser source tree with a thin JavaScript API, or even just a braindead, single-purpose, "verify download with signature" dialog?
@48 g1 (again) - It's an excellent idea for Distrowatch to host keys and/or fingerprints under its own https certificate security.
Also, I advocate distros package keys from other distros, FOSS projects, Linux Foundation, EFF, etc. In the Arch Linux User Repo (AUR) it's common for a package to fail over missing keys. Arch has no mechanism to handle this failure but manual keyfetch in GnuPG (or pacman-keys). Package managers (pacman etc.) need more smarts on keys. Distros should package them officially, too. Then you have a simple package dependency, easily encoded. That moves the trust/verify problems to the distro maintainers, who know what they are doing, unlike Grandma and Bubba.
53 • @ 37 Checksum (by JZ on 2016-03-14 23:23:06 GMT from Europe)
I fully agree and would like to add that according to recent security findings, md5sum is not really safe, as it can be relatively easily forged by someone with average computer skills and hardware. Same is basically true for sha1sum. The safer option is sha256sum and sha512sum. To forge those, one has to be a rather resourceful institution.
AN EASY GUIDE:
1. Open your file manager in the folder where your downloaded file is
2. Right click and choose "Open terminal here"
3. Type: sha256sum nameofyourfile
4. Compare the numbers in terminal with those on the download website
54 • Debian, Iceweasel and Firefox. (by Kubelik on 2016-03-15 00:39:00 GMT from Europe)
@6 and 11. Some extra links:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354622
https://www.debian.org/social_contract#guidelines
http://lwn.net/Articles/118268/
http://www.heise.de/open/artikel/Debian-vs-Mozilla-oder-Namen-sind-Schall-und-Rauch-221989.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815006
https://twitter.com/sylvestreledru
https://glandium.org/blog/?p=3622
https://lwn.net/Articles/676799/
http://www.heise.de/open/meldung/Debian-gibt-Webbrowser-Iceweasel-auf-und-setzt-wieder-auf-Firefox-3132680.html
55 • Pre-Installed Linux (by Michael on 2016-03-15 01:05:33 GMT from Oceania)
In Australia, impossible to buy a bare bones laptop. There are companies that will remove Windows and install Linux for you but it adds to the cost. I believe in France the seller must remove/disable Windows if requested and reduce the price by the Windows cost. For now I stick to self built desktop.
56 • survey (by tux on 2016-03-15 01:52:45 GMT from Europe)
It used to be a pleasure to build our own boxes, say 5-10 years ago. There were plenty of specialized sites in the net, with news, reviews, comparisons, benchmarking, how to's.... Most are discontinued, the survivors are more busy today on reviewing brain less smart phones than proper PC components, peripherals. That's too sad and reducer!
57 • Verifying ISO Images (by kenneth on 2016-03-15 04:33:09 GMT from North America)
I'm not exactly familiar with all that was compromised (Mint), but if the attacker gained control of the server, uploaded their ISO--would they not also upload their own md5, sha sums? If the server was compromised https is not going to save an end user either...
Hopefully they have straightened up and gotten some help beefing up security.
58 • ReactOS_test_and_review_by_DWW_Jesse (by k on 2016-03-15 07:12:30 GMT from North America)
Cannot thank enough for such a full and fair test and review, on laptop and desktop no less. Really happy to have this information technology expert resource and forum for users' comments and feedback.
59 • Pre installed linux (by Platypus on 2016-03-15 08:04:26 GMT from Oceania)
Haven't bought one because I don't know where to get one in Australia.
60 • difficulty getting started with ReactOS on modern computer (by Thomas Mueller on 2016-03-15 08:18:12 GMT from North America)
I've looked into ReactOS and am even on their emailing lists, but hard drive partitioned with GPT leaves me nowhere to install ReactOS considering inability to boot from USB. I might be able to cross-compile ReactOS, or I could try and hope, but having to burn a CD for every update is wasteful, and from what I read, I can not install ReactOS directly from the cross-build framework. If I really wanted, I suppose I could buy a cheap old hard drive just for ReactOS (FreeDOS too?) and even add a (Linux) ext2fs partition, which ReactOS can now read and write according to my latest reading; use that partition just for ReactOS to rebuild and update itself, but then I would want to install directly without burning a CD every time. But I guess there's more than enough to keep me busy between Linux, FreeBSD, NetBSD and Haiku.
61 • Poll (by Marco on 2016-03-15 15:25:37 GMT from North America)
In the USA anyway, the Windows tax is generally negative on consumer-grade laptops, so I buy them with Windows pre-installed.
62 • Checksum laziness vs good old hover (by far2fish on 2016-03-15 18:52:29 GMT from Europe)
Frankly I am too lazy to test checksums, and if I do I never go beyond checking the checksum of the ISO vs the published checksum info. I would never take the extra step to validate against the public key signature.
However one important step that I always do when downloading something, is to let the mouse hover over the link for a bit so I am absolutely sure WHERE I download something wrong. Would the link point to another domain or an IP address I would think twice before clicking the link. Perhaps run the domain or IP through whois first.
63 • Negative Windows tax (by dbrion on 2016-03-15 19:34:35 GMT from Europe)
Ordissimo (a pre configured PC with Debian: has success in France) is more expensive than its Windows same set of hardware. I once bought a preconfigured "net" "book", a MSI wind and was very unsatisfied (recompiled everything); I am afraid it was not a commercial success (people do not dare to have anything they need recompiled)... and, except for RPis -they are not PCs-, one cannot find preconfigured linux desktop "gears"
64 • @26 (by NoBubbaEffect on 2016-03-15 19:46:27 GMT from North America)
I agree. The section that has the downloads for the ISOs, should have in big bold letters, that verifying the ISO for safety and security is strongly suggested. Then list in easy to understand steps how to verify and if failure occurs destroy ISO and post response to the issue.
Thanks for the checksum info and the good review, Jesse.
65 • why bother with preconfigured systems? (by dave on 2016-03-15 23:39:22 GMT from North America)
The best thing about linux is that you get the best experience by configuring your system yourself. Paying some idiot to do it their way instead of your way seems like a backwards idea.. especially when it always ends up costing more than a computer with windows pre-installed.
And I haven't encountered hardware incompatibilities with Linux since using old P4 systems. It's a thing of the past. I don't know where you guys are digging up all these machines that are missing drivers and what not.
Oh and rule #1 of not being a computer shyster is that if you can't make enough money off the components, you're doing it wrong. Installing the average distro takes like no time at all, compared with the building process. If you're charging extra for installing the OS after all that, you're a rip-off artist.
You want me to install linux on your existing computer? Fine. Small labor fee for the time unless I feel like doing it for free, which I often will. You want to buy a computer with linux preinstalled? Most if not all of the profit should come from the components. Charging for both is pushing it, big time.
The la-dee-da 'boutique' computer hustlers who typically pull this crap make me sick. Besides, it's not like using Linux is such a great blow against the power structure. Linux is just as much a part of the problem as Windows and OSX.
It's just so ridiculous the way so many of you act like you're somehow sticking it to The Man by using Linux. What a joke.
66 • @65 - why bother? (by Hoos on 2016-03-16 04:20:11 GMT from Asia)
As a matter of principle, would you not prefer if possible to get an OS-less system if you don't use Windows at all? In such an instance, why would you want to add to Microsoft's and the OEM's statistics as another Windows purchaser? That just helps paint an inaccurate picture. Note that I'm not talking about those who need Windows on their computer.
Unfortunately it is not so easy to get an OS-less laptop where I am. In those situations, if one is willing to put one's money where one's mouth is, perhaps it is better to get a laptop with pre-installed Linux than get a Windows one which you're going to wipe anyway. Perhaps it's a little more expensive without MS's economies of scale and the discounts they can offer OEM, but some might think it's worth it for a good cause.
67 • @13 (by Keith on 2016-03-16 13:02:28 GMT from Asia)
Pauli
Looks to me like they've done a good job of perfectly emulating that other OS. BSOD, Out Of Memory for no reason, doesn't run apps as expected. How much closer could it be to the real thing?
:D
68 • @9 reaction to verifying iso checksum (by hwms on 2016-03-16 13:29:32 GMT from North America)
Your comments were spot on for myself. At my age and limited computer expertise, I have trouble remembering how to get my deductible transactions out of Gnucash once a year. I also have trouble remembering any command line beyond the very simplest ones. Man pages are nearly useless to the average home computer user.
69 • Computer with Linux pre-installed (by Pablo saborio on 2016-03-16 15:34:44 GMT from North America)
I recently bought a System /6 Laptop with Ubuntu pre-installed. Service and performance are really good.
70 • ReactOS review (by Randy Thompson on 2016-03-16 16:14:26 GMT from North America)
React is still an alpha release. Nowhere in your review did you mention this. I remember playing with React before it had half of the things it does in the 0.4.0 release, wireless capability for instance. Before people get the wrong idea, it is not meant for production consumption quite yet.
71 • Buying a computer (by Scatershot on 2016-03-16 16:19:45 GMT from North America)
It's hard to buy a computer with Linux preinstalled especially if you buy them from a big box store. Some stores only offer Windows systems and then charge you to remove Windows! I looked at systems being sold that have Linux preinstalled and they just didn't fit my needs. So I mostly buy older used systems on Craig's List and tweak them to what I need then keep them running for 6+ years saving money. A big reason I use Linux is the ability to keep older systems running longer which helps keep them out of the landfill. Just my two cents...
72 • ReactOS status (by Jesse on 2016-03-16 16:23:02 GMT from North America)
Several people have pointed out that ReactOS is shipped under an Alpha label. Which is true. But at this point I really have to question whether that is worth mentioning. The ReactOS project is around 20 years old at this point. By now I think we need to acknowledge the alpha label does not mean the same thing with regards to ReactOS as it does to most Linux distributions. This 0.4.0 version is not an early test release, this is the cumulation of 20 years of work. ReactOS will probably never drop the Alpha label, which makes it somewhat meaningless. If every release is an alpha release, then the label loses its meaning.
73 • Re: Buying a computer (by Andy Mender on 2016-03-16 17:51:13 GMT from Europe)
@71,
I think it's an important 2 cents. When I recently looked through business-oriented desktops (standard 4 GB RAM, Intel iGPU, etc.), I noticed my old 6-7-year-old PC has the same parameters as the current 2-core Pentium PCs. Naturally, power-consumption and heat emission is higher, but thanks to GNU/Linux, my computing experience is great ;).
I think the role of GNU/Linux in keeping computers running should not be underestimated!
74 • Thanks slick (#11) (by Dr. David Johnson on 2016-03-17 01:19:24 GMT from North America)
Just wanted to thank slick for the link in post #11. Good to keep learning about Linux, especially Debian (my fav). Y'all keep learning, and using cool free software. Thanks to distrowatch for good resources.
75 • Debian Distros (by slick on 2016-03-17 08:35:05 GMT from North America)
@74 Dr. David Johnson: Debian is a great choice, Linux as a whole is a learning experience that is quite rewarding.
DW is a great place for many resources, use it often.
I listed a couple of Debian distros on Sourceforge you may like to try, lightweight and quite fast.
Star - Debian and Devuan fork
ZephyrLinux - Debian and Devuan fork
VSIDO - Debian sid (unstable)
76 • PC Linux OS 2016.03 (by Bobbie Sellers on 2016-03-17 14:51:07 GMT from North America)
Reading the other day and spotted this in your "Development, unannounced and minor bug-fix releases" note, in the current issue. Downloaded 3 versions and checked them out, maybe a little rough yet but I got PCLOS64-KDE-2016.03 installed to my notebook and once I got the kinks straightened out it boots up fine from my Mageia 5 Grub2. The UEFI support works fine. Mate Deluxe version looks fine but could not get to a desktop with the Full Monty version.
PCLOS was the first fork of Mandriva which I used. Just a draktools addict I guess.
bliss
77 • ReactOS "alpha" (by Jordan on 2016-03-17 21:57:35 GMT from North America)
@72. Yeah it's called "the ReactOS project" at their website. An ongoing project.
I have no fascination for that project, but I do find it interesting that many aspects of that one in particular are similar to most other linux distros. We could call Debian a "project," in that sense. Slackware, Arch as well. They're not alphas or betas at certain points in their development, but they are ongoing projects.
78 • Review too harsh React OS (by Steven Shannon on 2016-03-17 22:02:52 GMT from North America)
React OS is in an ALPHA state, and thus is not fair to come to the conclusion that the system is not suitable for most situations. That is what Alpha means. It's not even in Beta state yet. How can one come to the conclusion that a piece of software is not suitable for in most situations? Of course it isn't. The react Web page says as much. When one reviews a piece of software it should be done in context of its current state of development, and its current state of development must be stated in the review.
I am not saying that your review is not spot on, because I have run into the same issues on my own test install, but rather than tell people that the software isn't suitable in most situations, you need let them know why. Because you are testing something that is in an alpha state.
79 • Alpha status (by Jesse on 2016-03-18 00:00:03 GMT from North America)
@78: "rather than tell people that the software isn't suitable in most situations, you need let them know why."
I did explain why, and it's not because ReactOS carries the alpha label, it's because many of its features do not work yet. There are plenty of projects out there that are designated "alpha" that work just fine. Others are labeled "stable" and do not work. In the end, the label does not define behaviour.
80 • @78 Alpha state? (by Spacex on 2016-03-18 00:09:16 GMT from Europe)
Alpha state can not be used about a release, unless it sometimes are in a different state. But my major issue is that there is no need for the project at all, as there is no need to use Windows apps in Linux anymore.
Besides Gaming of course. But GB comes cheap these days. Anyone can afford a partition for Windows, so that they get to play their favorite Windows games. Nothing wrong with a good old-fashioned dual-boot, or even multi-boot :P
81 • Tails_Firefox_addon_to_automatically_verify_ISO (by k on 2016-03-18 10:23:23 GMT from Europe)
@ comment 9 • gpg keys by mroot
Firstly, quite agree with your honest and accurate appraisal of users' limited technical abilities and inclination.
Regarding your most salient question "why can't we have something similar for gpg keys?"
I used Tails excellent -- as usual -- tools and instructions to download and install Tails 2.0 over 1.82, and as described at https://tails.boum.org/news/version_2.0/index.en.html#index3h1 : "can now verify the ISO image automatically from Firefox using a special add-on" However, the developers included "If you are knowledgeable about OpenPGP, you can do additional verification using the OpenPGP signature." :)
Anyway, the automatic "worked" exactly as described, all persistent data intact, so I was "satisfied", despite not knowing enough about technicals of web of trust, keyrings and keys for ISO verification. So Jesse's tips and tricks in this DWW very helpful, much thanks.
82 • Alpha status (by Antony on 2016-03-18 11:29:53 GMT from Europe)
@79 Jesse said: "There are plenty of projects out there that are designated "alpha" that work just fine. Others are labeled "stable" and do not work. In the end, the label does not define behaviour."
Very well put. 'Nuff said, I reckon.
83 • PGP keys (by concerned on 2016-03-18 16:49:47 GMT from North America)
I have to agree with g1 @17 and similar comments. The web of trust is a great mechanism, -but- I have personally found it difficult (read: impossible) to get inserted into it via key signing or otherwise. Therefore, I have no starting point of trust on which to build my local trust database. Thus I eventually just have to assume that the keys I find either through websites or keyservers really belong to the people they say they do, even if I can't cryptographically "trust" the keys. I do not find it comforting that a key is "old enough" or "says" it belongs to anyone in particular. Perhaps, I'm too paranoid... ;)
That said, I always check both checksums and signatures before installing an OS or software I download outside of my distro's package manager... I at least make an effort to locate key fingerprints on the OS or package's website and check it against the fingerprint from the signature and keyservers. And then I cross my fingers that everyone's being honest with their keys.
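The two-step check described in comments 44 and 83 (signature on the checksum list first, then the ISO's hash against that list), as an added example that is not part of any comment or of the newsletter. The function names, file names and the pinned fingerprint argument are assumptions; the fingerprint is expected to come from a channel other than the download server.

```shell
#!/bin/sh
# Added example. All file names and contents below are constructed.

# Return 0 if ISO's SHA-256 matches its entry in a sha256sum-style list
# ("<hex>  <name>" or "<hex> *<name>"); 2 if the ISO is not listed at all.
# Assumes file names without spaces.
check_iso_hash() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Return 0 only if SIG is a good signature over SUMS made by the key whose
# fingerprint the caller pinned. A key that merely carries the right name,
# fetched from a keyserver, does not pass unless its fingerprint matches.
check_sums_signature() {
    sums=$1
    sig=$2
    pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    # VALIDSIG status line: field 3 is the signing key fingerprint,
    # the last field is the primary key fingerprint.
    printf '%s\n' "$status" |
        awk -v p="$pinned" '$2 == "VALIDSIG" && ($3 == p || $NF == p) { ok = 1 } END { exit !ok }'
}

# usage: verify_download ISO SUMS SIG PINNED_FINGERPRINT
verify_download() {
    check_sums_signature "$2" "$3" "$4" ||
        { echo "signature on $2 is not from the pinned key" >&2; return 1; }
    check_iso_hash "$2" "$1" ||
        { echo "hash mismatch or missing entry for $1" >&2; return 1; }
}

# Constructed demo of the gap raised in comments 42 and 57: whoever can
# replace the ISO on the server can regenerate the list too, so the hash
# check alone passes again. Prints the two exit codes, "1 0".
demo_swapped_list() {
    d=$(mktemp -d) || return 1
    printf 'genuine image\n' > "$d/distro.iso"
    (cd "$d" && sha256sum distro.iso > sha256sum.txt)
    printf 'tampered image\n' > "$d/distro.iso"        # ISO replaced
    check_iso_hash "$d/sha256sum.txt" "$d/distro.iso" && stale=0 || stale=$?
    (cd "$d" && sha256sum distro.iso > sha256sum.txt)  # list replaced as well
    check_iso_hash "$d/sha256sum.txt" "$d/distro.iso" && regenerated=0 || regenerated=$?
    rm -rf "$d"
    echo "$stale $regenerated"
}

# Example call (placeholder fingerprint, to be replaced with the published one):
# verify_download distro.iso sha256sum.txt sha256sum.txt.gpg "<PINNED-FINGERPRINT>"
```

Only the signature step, tied to a fingerprint obtained elsewhere, catches the second case in `demo_swapped_list`.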
84 • linux os on pc`s (by greg on 2016-03-18 19:29:11 GMT from North America)
i build my own pc [ right now running oil submerger /with xubuntu ] i have build a pc installed mint and sent to an old army friend ,him and wife love it . sent one to mother in law with xubuntu installed . all the kids that come over think it is windows os of some type .
85 • Browser Baked Web of Trust (by Arch Watcher 402563 on 2016-03-18 21:31:24 GMT from North America)
@83 concerned - See my comments on GnuPG baked into web browsers above. What good is all this FOSS if devs don't use it? I'll elaborate.
Right now you trust SSL certs shipping in your web browser. Those form a web of trust up to root CAs. A browser dev can compile GnuPG into the app and do the same thing with OpenPGP keys: form a web of trust that YOU trust.
Most people get their browsers with the OS. And you trust whatever method you put it on your PC when you visit https sites. A malware browser is possible but quickly attacked by the many eyeballs involved. Compiling GnuPG into the browser makes it impossible to replace/subvert as an "extension" or "plugin." It also makes it fast.
So we could have the same deal for OpenPGP keys as SSL certs in almost no time if the browser devs would just do it.
86 • How low can you go? (by Ben Myers on 2016-03-18 22:17:51 GMT from North America)
I had good reason to test a relic from the past, an Intel SE440BX-2 motherboard with Slot 1 550MHz Pentium III processor, 512MB memory and an IDE hard drive. Somebody needed this ancient hardware for a custom system with an ISA bus widget on it.
I chose Mint 17.3 x86 with the MATE desktop, because I am pretty familiar with Mint, and I knew that MATE was pretty lightweight and would run OK with the 128MB AGP graphics card I exhumed, made just for Pentium III AGP slots.
The good news is that Mint installed on an old IDE drive and ran flawlessly. The bad news is that the system tried my patience because it ran so S-L-O-O-O-W-L-Y. I do not think it was Mint per se. Most any modern Linux kernel combined with a lightweight desktop will run about the same. Maybe XFCE would have been better? 550MHz is just too slow, 512MB is not much, and old 5400 rpm IDE drives crawl along these days. Maybe there is another full-featured distro that would run better, but I am through with my testing and I can now set up the system for its intended special purpose.
87 • @86 - better low-end distros (by Uncle Slacky on 2016-03-18 23:28:57 GMT from Europe)
I'd suggest Puppy, Slitaz, antiX or MX-15 (in decreasing order of speed) for such a system, personally. You'd find any of them MUCH faster than any Mint variant.
88 • @87 - If I was seriously considering using a 550MHz P3... (by Ben Myers on 2016-03-19 00:46:32 GMT from North America)
If I was seriously considering using a 550MHz P3 myself, I would surely look at low-end distros which were somewhat full featured. But this was only to test (somewhat quickly) all the hardware and to identify some limits of the hardware. Somebody else actually will buy this system to use for his own somewhat obsolete purpose, not with Mint.
Also, were I to use this system, I would add more memory and maybe one of these old kludge boards that allow a faster Socket 370 CPU to run in a Slot 1 motherboard.
Still, isn't it good to know that even mainstream Mint will install and run in an old antique?
89 • @65 Linux Hardware Support (by imnotrich on 2016-03-19 05:09:33 GMT from North America)
You wrote, "And I haven't encountered hardware incompatibilities with Linux since using old P4 systems. It's a thing of the past. I don't know where you guys are digging up all these machines that are missing drivers and what not."
Excuse me but on what planet? Hardware incompatibilities, missing drivers, open source drivers that don't work properly and related issues still plague Linux to this day.
Ok, so I don't expect some high end brand new bleeding edge piece of hardware that came out three weeks ago to be fully supported, but video cards have been around for a while. Same for sound cards, wired and wireless networking, printing stuff that most folks would consider basic functionality.
In fact some distros like Debian deliberately gut the OS's hardware capabilities and every release is full of bugs forcing users to spend weeks or months searching web forums and other resources for solutions or a work around or two. Or three.
When I was a Linux hobbyist I loved Debian because nothing worthwhile is easy, but now that I'm using my Linux desktop for work and play it has to function like a normal computer from the moment I turn it on, and until I shut it off that night. I don't have the time and energy to fight my computer.
Switched to Mint two years ago and it has some bugs too but hardware support is phenomenal. Still, some machines I still have to fight the hardware. And we're not talking about older PC's, I find most of the older machines are well supported even by those mini distros like Puppy. Why is it that Puppy can do things better than Debian? Weird.
90 • @89 Say What? (by mildlyinsane on 2016-03-19 22:58:01 GMT from North America)
//In fact some distros like Debian deliberately gut the OS's hardware capabilities\\
I would like someone to splain this if they may?
91 • preloaded computer (by jangkrik on 2016-03-19 23:34:59 GMT from Asia)
glad to see more people build their own pcs rather than buying ones that're preloaded with manufacturers crap
92 • 90 • 89 Hardware coverage (by FOSSilizing Dinosaur on 2016-03-20 01:06:18 GMT from North America)
"Main" distros often "deprecate" "obsolete" hardware accommodation, usually using "too much testing required" as a primary excuse and "saving ISO/server space" as a secondary excuse. And then there's code contributions from hardware vendors motivated to sell new products. ImNotRich@89 also may be thinking of a period after agents of Microsoft visited DebIan's founder, which resulted in about a decade of driver-compatibility setback. … Distros whose goals include accommodating "older" hardware work on considerably more variations with substantially less extra fiddling. One exemplar thereof would be PCLinuxOS in its prime, As.Far.As.I.Recall.
• There are tools for determining what hardware is in a particular computer. It would be nice to see accurate driver recommendations.
• Some efforts appear to be beginning to build databases of what hardware works to what degree with Linux (and BSD etc?); usually too little too late, but useful when checking used parts.
• For new parts, I prefer starting with vendors who support Freed Open-Source Software. If they provide DIY support, I support them - it's worthwhile in the long run.
93 • linux OS (by Ellis Essig on 2016-03-20 13:24:42 GMT from North America)
MintBox from Compulab. Works well.
Number of Comments: 93