DistroWatch Weekly

Reader Comments
1 • jails (by nolinuxguru on 2016-12-19 10:24:51 GMT from United Kingdom)
I have been using Firejail for a while to isolate Firefox, Icedove [email]. I use the supplied profiles for these applications, but customise them to further restrict the ways programs such as Firefox can propagate any malware. I like the way that I can compile the Firejail program from source [it does not have the usual rats-nest of dependencies, and is small enough that even I can understand how it works].
2 • Bodhi Linux (by aguador on 2016-12-19 10:52:30 GMT from Spain)
Enlightenment is my DE of choice, but I have never quite managed to relate to Bodhi, in part because of its Ubuntu base, but more because of Midori and the AppCenter. Midori, while light on resources, in my experience has always seemed slow as well as limited. Firefox is an option, but (at least in the past) does not come enabled to use the AppCenter. So, one reverts to Synaptic, a great option for most, but more complicated for newbies who might be better served by a more traditional software center approach.
Jeff has made good contributions to Enlightenment, including ePad which has to be the absolute lightest notepad application around given its use of EFL and arguably better than Ecrire in some ways. I understand that E is undergoing constant development -- and improvement, so forking it due to momentary frustrations was a shame. Still, Bodhi seems to have found a niche and I wish the project well.
3 • Brisk Mate Menu (by aguador on 2016-12-19 11:01:23 GMT from Spain)
Mate was my first DE and I am amazed at the progress it has made. A recent test drive of a live version of Ubuntu Mate was a surprisingly pleasant experience with good configuration options. The things that set it apart from Linux Mint are the application menu and interface options. Mint Menu is good conceptually, but a bit wanting aesthetically. A faster, more aesthetic (Budgie- or Cinnamon-like) menu is sure to be welcomed by regular users.
4 • Brisk Mate Menu (by sydneyj on 2016-12-19 11:56:38 GMT from United States)
I very much agree with @3 aguador regarding Brisk menu for Mate. I use Arch/Mate now, with the MintMenu. The menu is quite good, but a bit buggy (a couple of irretrievably broken links), presumably due to GTK2/3 issues. I would be happy to see the Cinnamon menu ported to Mate, since it doesn't require an extra click to get to Favorites, and the menu can grow in size as items are added. A hybrid Cinnamon/Budgie menu might be just the ticket, as well.
5 • Mate Menu (by Pikolo on 2016-12-19 12:19:00 GMT from United Kingdom)
Rewriting a menu in C sounds like a very anti-trend move to me. Isn't Gnome moving from C to Rust? Isn't C famous for buffer overflows? I've seen dozens of articles on "why we should limit the use of C" just this month. A truly bizarre development.
I'm surprised there are so many Qubes users on DW. Joanna Rutkowska has shown a graph, on which there are <7k users, and already 16 of them voted. Though their % will probably drop over time. All in all, 60% of Linux users using process isolation is impressive.
6 • <3 bodhi (by meanpt on 2016-12-19 12:42:25 GMT from Portugal)
... been with bodhi since ... rats, I'm getting older. Since then I only miss one thing: the original ram's 76 MB landing DE which I proudly showed off to the wd$sy friends.
7 • New menu in C (by Jesse on 2016-12-19 13:01:38 GMT from Canada)
@5: >> "Rewriting a menu in C sounds like a very anti-trend move to me. Isn't Gnome moving from C to Rust? Isn't C famous for buffer overflows? I've seen dozens of articles on "why we should limit the use of C" just this month. A truly bizarre development."
In this case it makes a lot of sense. C is still one of the main languages to use when performance is a primary focus. And, in this case, the risk of buffer overflows or similar memory corruption errors is not really a concern. Remember, the application menu is run as the user who is logged in and sitting physically at the computer. If the user manages to somehow exploit a flaw in the code, all they end up with is the ability to run code at the computer where they are already sitting, running whatever code they want. In this instance, C gives a boost in performance with no practical downside.
8 • @ Joshua (by geert on 2016-12-19 13:06:56 GMT from Netherlands)
>For users with older computers, some of the modern Linux distributions can be too resource intensive. Bodhi Linux 4.0.0 is a lightweight distribution designed for those users. The minimum system requirements are a 500MHz processor, 128MB of RAM, and 4GB of disk space. The recommended requirements are a 1.0GHz processor, 512MB of RAM, and 10GB of disk space.<
Of course, only if you just boot the computer and don't do anything. All processes have to work in RAM, and the more apps you have open, the more RAM you need. And, remember 32 bit is "legacy" now.
9 • Bodhi Clock (by Thomas on 2016-12-19 13:20:50 GMT from France)
The clock widget in Bodhi mimics clocks made with Nixie Tubes or similar technology.
10 • Re: #2 / Midori (by Jeff Hoogland on 2016-12-19 13:34:03 GMT from United States)
Always amusing that we ship as few applications as possible and yet people still find a reason to dislike them. We know midori is feature light. It is also only 5~ MB to install so it isn't wasting much space like Firefox or Chrome would (because there are plenty of people who hate each of those). We expect and often encourage people to install their full browser of choice.
For reference the latest version of Bodhi has a dedicated "app center" menu launcher that opens a midori browser to just the appcenter URL. Pretty easy for a novice end user to always use that to grab software even if they use something else as a primary web browser.
Also - APTURL (the protocol the AppCenter uses to make the browser call the package manager) works with Chrome and Firefox if you configure them properly.
11 • Greetings (by Thom on 2016-12-19 13:55:41 GMT from Sweden)
A thank you to the team behind DW for another year of dedication and philanthropy. Best wishes for the season and the new year.
12 • Bodhi (by jaws222 on 2016-12-19 15:17:44 GMT from United States)
I've always appreciated the fact that Bodhi was extremely lightweight. As far as the browser I usually go to the app center and install Chromium cause I like it and usually install whatever else I want or think I may need. I've never understood why people complain either Jeff.
13 • Firejail (by a on 2016-12-19 15:56:28 GMT from France)
I tried using firejail but it makes programs crash/exit without any message as to what the problem is.
14 • Firejail (by Jesse on 2016-12-19 16:08:08 GMT from Canada)
@13: If your application is crashing, it is probably because no one has created a Firejail profile for it yet. I ran into this with the Qupzilla browser and submitted a new profile for it to the project for future releases. You can request new application profiles here: https://github.com/netblue30/firejail/issues/825
15 • service isolation with systemd (by Scott Dowdle on 2016-12-19 17:18:03 GMT from United States)
Just wanted to mention that systemd has a number of security related features so you may separate services with isolated filesystems, /tmp, network name spaces, etc.
16 • Bodhi (by Gibson on 2016-12-19 17:35:32 GMT from United States)
I really appreciate that Bodhi offers install images without preinstalled software. Whenever I install a new distro the first thing I normally do is purge a bunch of default applications that I won't use and install my own choices. Bodhi's super lightweight text editor and web browser (which also serves as a software center) are just enough to get going without getting in the way of my own choices. I actually really like their choice to use the web browser as a basic software center. It keeps with the pattern of minimalism and simplicity. I played with Bodhi for a while shortly after being introduced to Linux and as a total amateur I never had a problem with their approach to software installation. In fact their minimal selection of apps made it easier to find what I was looking for. Now that I've been around for a while the midori interface might not meet my needs, but at this point I just use apt-get.
17 • firejail crashes (by nolinuxguru on 2016-12-19 17:57:20 GMT from United Kingdom)
@13 If you haven't reported this elsewhere, it would help if you said which programs crashed [bit quiet this week].
18 • OpinionPoll-Process isolation (by CucumberLinux on 2016-12-19 18:07:39 GMT from Germany)
Nothing too technical, just my uneducated observation, if I may. Thank you. I somewhat did write this in a hurry, but you will understand what I point out;
ISOLATING AND QUBES OS DATING Currently I am not using any software in order to isolate processes from the rest of the operating system from my GNU-Linux or LinuxDistributions, call it what you want. Generally we feel what I am talking about. Because this process is somehow new to me. However I have tried like 1 Year ago to install on quad core 16 Gb Ram PC (Boot Mode -Legacy), the QubesOS Distribution, with zero success. The Anaconda installer from Fedora, was a pain to work with (freezing itself or just not detecting hardware). Ever since I never bothered with it. But I find the QubesOS as a very interesting Project in itself. Perhaps not that interesting for people with low specs Hardware.
FRESH INSTALL OF DISTRIBUTION If something happens I have no problem with fresh installs. (Backing up the Data is priority all the time) At the same time I am refreshing my knowledge, by doing fresh Installs of the Distribution. This way I do not forget, the basics, because I am not that clever. Speaking here just for my tiny private needs.
FIREJAIL AND VIRTUALBOX AND MY DATING WITH LINUX Firejail is something I am going to look at, when I get more time and my butt stops hurting from too much sitting in front of the PC, solving GNU-Linux like Sumerian stone Tablets puzzles, like why this stopped working.?. Because our Linux still is a pain to work with, when done some regular updates and they mess up previously made configurations! Or you want to install for Libreoffice the hunspell, but by doing so it removes the Thunderbird.. How can you not feel like the need to throw something against the Wall, when you see this happen over and over again? And yea after, my Eyes recover from the LED monitor constantly bombarding my pretty eyes and my Pineal gland with its fantastic bright energy saving light..(Wait I need to grasp for Air) Now, back to the subject; Wish this Firejail would be already installed on the ISO. And after installation of the Distro to be asked, if I feel like to configure the Firejail, or maybe just maybe later. Now about Virtual boxing everything up; Virtualbox is the easiest, but at the same time I use it only for testing never leave it on for long time, due to the fact that it is like having 2 Distributions pounding at the same time on 1 hardware. PC in my opinion is more vulnerable on top of it if access to the Net is given using same IP and Internet for 2 or more Distributions on one Hardware running long time..
BODHI LINUX I am not using Bodhi Linux 4.0.0, but I have enjoyed the insight look in it from DistroW. Thank you for the detailed and precise as always tutorial of B.Linux. Apologies for my Grammar and Greetings to you all Linux users.
19 • Enlightened Bodhi (by Kragle von Schnitzelbank on 2016-12-19 23:41:58 GMT from United States)
I commend Mr. Hoogland for the virtuosity in forking a DE constantly being re-invented with apparent disregard for those who would build on it. This illustrates just one of the many great strengths in Freed software. . I vaguely remember an Enlightenment GUI for parted that I perceived as better than the popular GTK GUI, but can't easily find it any more. ¿case in point?
20 • security overly locked down (by security sense on 2016-12-20 01:16:44 GMT from Netherlands)
Over time, security distros tend to become increasingly locked down internally and harder to use, like Qubes and Tails have become. i believe this is due to poor thought-out design, and just piling security feature upon security feature. after all, if the user can't easily use the OS what's the point? instead, it's quick nowadays to install linuxen to USB drives. so best form of isolation is to install linux on one USB, secure it from leaks and intrusions, and use it for work and don't connect it to any network. then make another linux USB and use that for network stuff. job done - and without any user restrictions.
@18 "I am refreshing my knowledge, by doing fresh Installs of the Distribution. This way I do not forget, the basics, because I am not that clever." fresh installs are good security too. who said u were dum? people are intelligent in different ways. celebrate your brain - you've only got one!
21 • @20 security lockdown (by nolinuxguru on 2016-12-20 09:15:55 GMT from United Kingdom)
@20 most usb drives are writable, so your proposed solution does not seem to provide any added security. The greatest attack method these days is through the web browser and sites that carry malware: something like Firejail can reduce any damage to the files left writable [config, bookmarks etc].
There is much that can be done to secure your computer without the recourse to the likes of Qubes: good iptables firewall script [or just use ufw], tcpdump to see what gets through the firewall and Firejail to isolate web browsers etc. No actual programming is needed, but care is needed to pick out the bits of tcpdump output that should cause concern.
Someone who can package these simple methods for everyday users would do us all a big favour.
22 • Cappsule (by Al CiD on 2016-12-20 10:03:17 GMT from Portugal)
Perhaps the reason why it didn't work as expected in VirtualBox
"Cappsule uses hardware virtualization to launch applications into lightweight VMs..."
23 • Stuff (by Andy Mender on 2016-12-20 11:34:19 GMT from Austria)
@7, That's not really how it works. It doesn't matter if a script is run by the user only as long as system libraries are involved (for instance, gtk for the GUI). Any overflow can potentially lead to privilege escalation. C as a programming language is not specifically prone to overflows, but rather it requires extra care to avoid them. The more complex and intertwined the software is, the more difficult it is to avoid said overflows. Rust attempts to address this via more stringent code testing during compile time, though it will take time before it's considered reliable enough to be commonly used instead of C.
@10, Jeff, what about the webkit-gtk engine? Surely it's not a mere ~5 mb. I personally love projects like surf, midori or qupzilla, but in my hands both qupzilla and midori segfault way too often. In addition, on non-Ubuntu distributions Midori would often fail to play Youtube videos via HTML5. I use Firefox simply because it's tried and tested, though it's a different weight class altogether, I agree.
24 • C and Cappsule (by Jesse on 2016-12-20 13:46:59 GMT from Canada)
@23: >> "It doesn't matter if a script is run by the user only as long as system libraries are involved (for instance, gtk for the GUI). Any overflow can potentially lead to privilege escalation."
For a privilege escalation to happen, the code would need to either be run as another user or exploit a bug in another part of the system. (Attacking GTK doesn't help the attacker since its code will run as the same user as the menu, not as root.) Having a buffer overflow in the application menu wouldn't result in a problem in itself. If there is a flaw in a library or system call the application menu uses, then the user (who has physical access to the system, remember) can run any code they like to exploit that component. Exploiting the application menu makes no sense in this scenario since the user can link any code they want to the libraries on the system.
Your argument is basically that the user could exploit a potential flaw in the application menu to try to get at another component on the system, when the user running the application menu (and any un-isolated program they run) can already access that other component of the system directly without exploiting the menu. Attacking the menu just adds an extra, unrequired step to the process.
@22: >> "Perhaps the reason why it didn't work as expected in VirtualBox..."
The Cappsule project provides VirtualBox appliances for people to run and test their software. Any computer with hardware virtualization capacity should have no problem meeting the requirements. My computers all have hardware virtualization so that's not the issue.
25 • RE: 24 (by Andy Mender on 2016-12-20 15:06:10 GMT from Austria)
@24, Jesse, thank you for the clarification. It makes more sense to me now. I think my assumption was too far reaching.
26 • Opinion poll > Selection Principals (by Yuri on 2016-12-21 16:00:44 GMT from Russian Federation)
Hi, Jesse.
Why do you not include (widely used) technology like SELinux and AppArmor in your list?
27 • Opinion Poll (by Jesse on 2016-12-21 16:05:52 GMT from Canada)
@26: Because SELinux and AppArmor are not designed to isolate processes so much as use permissions to block them from doing bad things. They're different use cases.
28 • Opinion Poll - Process Isolation (by M0E-lnx on 2016-12-21 21:39:14 GMT from United States)
Docker is a great option for services, and with a few tricks even apps in general. I'm not sure if that was included in the 'Linux containers' option, but it would have been nice to see that option listed.
29 • Follow-up to @15 - systemd security features (by Scott Dowdle on 2016-12-21 22:46:35 GMT from United States)
LWN published a premium article today on security features in systemd. It will become freely available to non-subscribers Thursday, Dec 29. Here is the URL that will work for LWN subscribers and everyone else once freely available:
Using systemd for more secure services in Fedora https://lwn.net/Articles/709755/
Intro paragraph: "The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability. "
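The RestrictAddressFamilies directive named in comment 29, together with the /tmp and filesystem isolation mentioned in comment 15, as an added example that is not part of any reader's comment or of systemd itself: a small Python audit that reports whether a unit's [Service] section still lets the service open AF_PACKET sockets and whether PrivateTmp and ProtectSystem are enabled. The two unit texts and the `exampled` daemon are constructed; the parser is simplified (no line continuations or drop-in files), and the merge logic follows the allow-list/deny-list behaviour described in systemd.exec(5).

```python
"""Audit systemd unit text for sandboxing directives (added example)."""

TRUE_VALUES = {"yes", "true", "on", "1"}

# Which values count as "hardened" is this example's assumption.
WANTED = {
    "PrivateTmp": TRUE_VALUES,
    "ProtectSystem": TRUE_VALUES | {"full", "strict"},
}

# Constructed sample units; /usr/local/bin/exampled is a hypothetical daemon.
WEAK_UNIT = """\
[Unit]
Description=Example daemon without sandboxing

[Service]
ExecStart=/usr/local/bin/exampled
"""

HARDENED_UNIT = """\
[Unit]
Description=Example daemon with sandboxing

[Service]
ExecStart=/usr/local/bin/exampled
PrivateTmp=yes
ProtectSystem=full
# Allow-list: only these socket families may be created, so AF_PACKET is out.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
"""


def service_settings(unit_text):
    """Return the (key, value) pairs of the [Service] section, in file order."""
    section, settings = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.append((key.strip(), value.strip()))
    return settings


def family_allowed(settings, family="AF_PACKET"):
    """True if the merged RestrictAddressFamilies= lines still permit `family`."""
    families, allow_list = None, False      # None means "no restriction set"
    for key, value in settings:
        if key != "RestrictAddressFamilies":
            continue
        if not value:                       # empty assignment resets the list
            families, allow_list = None, False
            continue
        invert = value.startswith("~")      # "~" prefix marks a deny-list
        if families is None:                # first assignment fixes the mode
            families, allow_list = set(), not invert
        for name in value.lstrip("~").split():
            if (not invert) == allow_list:
                families.add(name)
            else:
                families.discard(name)
    if families is None:
        return True
    return (family in families) if allow_list else (family not in families)


def audit(unit_text):
    """Return a list of findings; an empty list means every check passed."""
    settings = service_settings(unit_text)
    last = {key: value.lower() for key, value in settings}  # last value wins
    findings = []
    if family_allowed(settings, "AF_PACKET"):
        findings.append("AF_PACKET sockets are not restricted")
    for key, good in WANTED.items():
        if last.get(key, "") not in good:
            findings.append(f"{key} is not enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit(text) or "no findings")
```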
30 • Bodhi (by slick on 2016-12-22 01:06:40 GMT from United States)
For one have always liked and appreciated Bodhi and especially the e17 Enlightenment experience. Would hope Jeff would consider it being a Debian only distribution.
Don't have Bodhi on my machine only because it's an Ubuntu distribution and to me is just not something desirable. However it is easy enough to install e17 and configure a nice e17 on Devuan without all the bloat.
Have noticed that many distributions have dropped their connection with Ubuntu and they have experienced a jump in popularity. Those that went back to Ubuntu like WattOs experienced a drop and myself one of them.
Appreciate greatly a small but fast distribution without systemd, Devuan on my desktop runs about 185mb of memory on login, how many distributions can do that?
Star is my distribution of choice and can be found on Sourceforge, complemented with many Window manager choices and Xfce DE for a wide choice of flavours! A few applications to have the distro functional and completely non-bloated, very nice!
31 • MX Linux 16 (by PhantomTramp on 2016-12-22 15:29:07 GMT from United States)
Anti and crew seem to always bless us with a holiday season gift. This one looks very cool. Downloading now...
The Tramp
32 • Bodhi (by More Gee on 2016-12-22 17:40:45 GMT from United States)
It has been awhile since I used Bodhi and really liked the wooden desktop environment without the tube clock. It did not have the radio button issues but I do remember them being a problem on the default. I also remember using Opera instead of Midori and it was a much more enjoyable internet experience and the mini version at that time would still keep ram usage under 128mb. I was thinking of making a VM of this for my 2gb RAM machines.
33 • Bodhi (by Simon Wainscott-Plaistowe on 2016-12-23 02:05:47 GMT from New Zealand)
The new Bodhi release looks impressive. In the past I've found Bodhi's enlightenment desktop a bit non-intuitive so I've been using Peppermint to refurbish old computers. Now I think it's time to give the Moksha desktop a try.
34 • Ultimate security (by Dave Postles on 2016-12-23 09:09:12 GMT from United Kingdom)
Tongue in cheek for Christmas: no HD, just run from DVD - slow but sure.
35 • Process isolation & Bodhi (by Greg Zeng on 2016-12-25 05:44:23 GMT from Australia)
Missing isolating types include the Linux container being on a USB-flash-stick, removable drive, or unique partition. My "unique" partition can be started by any of three partition-handlers (Grub-customizer, BIOS & UEFI).
Listing the DW isolation stuff in popularity order:
1. None: 510 (42%)
2. Virtual machine: 385 (31%)
3. Firejail: 136 (11%)
4. FreeBSD jail: 66 (5%)
5. Linux container: 60 (5%)
6. Other: 32 (3%)
7. Qubes OS: 34 (3%)
8. Other: 32 (3%)
9. Cappsule: 5 (0%)
The 5th & 8th favored option is interesting. Bodhi on a very small computer (Raspberry Pi?) as a Linux Container, or Virtualized machine between the main system and the rest of the network?
"Bodhi Linux 4.0.0 is based on Ubuntu 16.04 LTS, so there were no real surprises when it came to installing." is the first sentence of the independent reviewer in this issue of DW. This Ubuntu installation process also applies to the other 58 Ubuntu-based distributions http://distrowatch.com/search.php?basedon=Ubuntu
All of these can easily have their Linux kernels upgraded & downgraded to any already-compiled Linux kernel of any date, of any degree of readiness (alpha, beta, etc). http://kernel.ubuntu.com/~kernel-ppa/mainline/
Besides Bodhi, there are other micro-Linux's also based on Ubuntu: Web OS and Peppermint. All three can be extremely easily upsized into fully fledged Desktops, with all the needed applications, utilities, ear-candy and eye-candy.
It would be very interesting to compare the micro-Linux's with each other. They all show the inadequacies of the other Ubuntu-based distributions: crazy mixes of ethnic languages braille and usually, games. All show the poor selection of "gkrel" and none have DDCOPY (only PCLOS has these two properly available). Mint, another Ubuntu-derivative, persists with their poor flash-stick format & writing programs. All of these, including PCLOS, do not use Synaptic Package Manager at all well.
36 • Process isolation and other pets (by OpenBSD n00b on 2016-12-25 15:09:15 GMT from Brazil)
Firejail, Cappsule, or any other "sandboxing" tool, may be interesting to implement the concept of "security by isolation". But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD (which emphasizes correctness, proactive security, integrated cryptography, and standardization :).
So I have a recipe for building the perfect OS to surf the Tor network with the ultimate anonymity:
1. Take the latest snapshot of OpenBSD (better yet, the always up-to-date FuguIta respin, which has a decent and also lightning fast graphical interface).
2. Configure the native firewall to run immediately after boot-up and make the host system as stealthed as possible.
3. Install the VirtualBox package, then set it up to run Whonix Linux (both the two VM images: Gateway and Workstation).
4. Release the final result as an installable OpenBSD/FuguIta LiveDVD.
You can now call it "the Tails killer".
37 • "Secure OS" (by M.Z. on 2016-12-25 18:43:35 GMT from United States)
@36 "...But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD"
That seems to me to be more than a little disingenuous. In fact the only thing that convinced me you even halfway knew what you were talking about was that you hedged your bets by using the term '_Almost_ invulnerable...' to describe your OS of choice. Now I'm by no means an expert, but I do think about & research these things to some extent & I'd venture to guess that OpenBSD is likely among the most secure OSs around; however, there is no such thing as a secure OS let alone an invulnerable one. There have been deeply insecure OSs like versions of Windows that basically ran everything as 'Administrator'/root through the 1990s, but that hasn't been an issue on Unix like systems such as Linux and the BSDs for much if any of the time they have been around because of rules set up a long time ago on Unix.
At any rate most Unix like systems are reasonably secure by default when properly administered by folks that don't trust so called Nigerian princes, install random stuff from parts unknown, or forget to run updates. That being said no system is truly secure and there is always some funny vid that must be downloaded & viewed with special software that some are naive enough to believe is a real thing rather than malware. Of course there are also some people who type in root passwords at the drop of a hat or simply make mistakes about communicating what is legitimate and what is not to be trusted. I think that last thing happened in a rather famous hacking incident just in the past few months, someone neither put big bold text saying 'DO NOT TRUST', nor put the letters 'il' in front of illegitimate & there was massive fallout political & otherwise.
I firmly believe that security is all relative & it depends both on secure system design, as well as secure user habits & best practices. The truth is that all links in that chain are vulnerable to some extent even in places that use OSs as secure as OpenBSD. If there were a big enough target it would likely be hacked eventually regardless of which OS it used because everyone from the coders to the end users makes some mistakes. Personally I run Linux systems behind a pfSense/BSD firewall computer & I run some kind of security tool on every system be it firejail, MSEC, SELinux, or snort. Given all the problems I've had using BSD on my hardware I don't have the patience to try & get it working, but I'd still say I'm relatively secure for a self taught non expert. I'm sure I'm doing some things wrong, but it's all relative & I'm very solid for a tiny home network, and that's due in part to all the different tools that I run.
38 • OpenBSD and isolation (by Ben on 2016-12-25 22:52:33 GMT from Canada)
@36: >> "Firejail, Cappsule, or any other "sandboxing" tool, may be interesting to implement the concept of "security by isolation". But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD (which emphasizes correctness, proactive security, integrated cryptography, and standardization"
Assuming you were not joking, I see a pretty big flaw in that reasoning. OpenBSD only practises active security, code audits and correctness on the base OS, not OpenBSD's ports/packages. Running Firefox (for example) on OpenBSD is not any more secure, really, than running Firefox on Debian. It's not any harder to compromise your web browser on OpenBSD than it is on, say, Fedora. The same applies to almost every desktop application or service you plan on running on OpenBSD that is not in the default installation.
So the key question then becomes; What happens after your attacker takes over your web browser? If it's sandboxed with Firejail or SELinux, then the attacker is pretty much stuck. They can read a bunch of files, but they should otherwise be unable to harm your OS or user's files. Without isolation (as on OpenBSD) then the attacker, having taken over your browser, has access to do whatever they like on your account. At that point, having a secure base OS does not do you a lot of good because the attacker has (unrestricted) access to run their code under your account.
I greatly respect the work OpenBSD devs do on their operating system and I'd like to see more Linux distros do the same. But the security of correctness OpenBSD offers doesn't help you much if the software that is being attacked is installed from their ports collection.
39 • @34 • Ultimate security (by Marco on 2016-12-27 16:10:04 GMT from United States)
@34 Ultimate security: no HD, just run from DVD - slow but sure.
I know you were joking, but my father used to attract all sorts of malware on his Windows computer. I never converted him to Linux, but I did persuade him to only do his on-line banking off a live Linux DVD image.
40 • OpenBSD/Linux security (by Jordan on 2016-12-27 16:10:44 GMT from United States)
Has anyone posting here ever had their computer taken over and had code run via the browser, etc?
I've seen various virus and malware in the news, but never have I seen or heard of a non-Windows computer being hijacked, with the notable exception of for testing purposes by the owner or commissioned tester of the machine.
But I've only been with Linux since 1996.
41 • System security (by Jesse on 2016-12-27 16:47:04 GMT from Canada)
>> "Has anyone posting here ever had their computer taken over and had code run via the browser, etc? "
@40: While I have not had my machine compromised this way, I have been called in to clean up a few. Generally, I am interested in fixing things rather than figuring out exactly what went wrong, but I suspect the Linux boxes I have cleaned up were originally compromised through network services like OpenSSH.
If you're interested strictly in browser compromises, you might want to check out the pwn to own competition as the systems tested are often taken down using browser exploits: https://en.wikipedia.org/wiki/Pwn2Own
>> "I've seen various virus and malware in the news, but never have I seen or heard of a non-Windows computer being hijacked"
Do you mean by people you know personally? There are often reports of macOS or Linux exploits being used in the wild. Particularly against Linux servers.
42 • Linux hacking (by speaking from experience on 2016-12-27 23:59:14 GMT from United States)
@40 "Has anyone ever had their computer taken over"
Against Windows hackers can use malware that ppl download from the web. But against other OSs where malware is not so prevalent - like Linux - hackers can exploit wireless hardware and software insecurities to capture your login password. One key insecurity is that your wireless is always "on" unless both hardware and software switches are turned off. Attacks can include wireless sniffing, MAC address scanning, port scanning, fake ap's, etc. If they can't get at your computer directly, they can always hack nearby devices - like routers, mobile phones, CCTV cameras, etc - and then target your computer from them. When they get your login password they can then hack your wifi or bluetooth, login, and copy whatever data they want.
Ironically, Linux security distros - like Qubes and TAILS - focus on malware protection mainly coming from the Internet, because they want to promote their OS's as Windows alternatives. But malware is old school, and wireless sniffing and hacking - usually before you even connect to the Internet - is new school (just look at all the wireless exploit tools available). So don't expect any Linux security distro to protect you against persistent hackers.
43 • Attacks on Unix (by M.Z. on 2016-12-28 00:44:17 GMT from United States)
@40 In addition to server systems being commonly targeted (mostly through unpatched software), there have been many attacks on another Unix-like desktop system, namely Mac OS X. If you know a bit about the Unix family tree you may know that modern Mac systems are basically a modified version of BSD. I don't think the infections have reached the same proportions on Mac as they have on Windows, but there have been compromises that have affected many thousands of machines. This sort of thing is far more rare on Linux and BSD proper, but I've heard of Linux machines being hit, so it can happen. That's why I think tools like firejail and SELinux are so valuable, they provide different ways to defend against and limit the damage of a serious compromise and create multiple potential barriers to attack. Of course that's just what I recall from reading up on that sort of thing on occasion, I've gotten an occasional paranoid feeling but never seen any real damage or serious problems since I've been using Linux.
44 • @40 Has a web browser ever hijacked my computer and run code (by imnotrich on 2016-12-28 06:50:08 GMT from Mexico)
Yes, sort of. Google Chrome, and more recently Firefox, offer a browser sync feature that syncs history, bookmarks, home page and other stuff across multiple computers. With Chrome, if you have a gmail account, sync is forced on you. With FF you have to opt in. Anyway, not so long ago, running Chrome on my W7 laptop, a website was able to change my home page to a windows .exe file, but that fact was hidden from me: in the address field I still saw www.google.com. A day or two later I booted up the Linux partition of my W10/Linux desktop and noticed Chrome trying to connect to a Windows .exe file as my home page. Thanks to this helpful "sync" feature I was able to intercept the attack before it did any damage, but it won't be long before evil bad people figure out how to successfully exploit this sync feature from one platform to another.
45 • Attacks on Linux (by Jordan on 2016-12-28 14:36:51 GMT from United States)
Thanks for the responses to my query. I understand the server hacks, as unix based servers are more common out there. But I'm wondering if *users* at their desktop machines/laptops, on a Linux distro, have ever seen their systems compromised, personally. Their own computer. I've never seen it in twenty years of using distros with all manner of browsers and open ports, etc.
46 • @45 (by Ricardo on 2016-12-28 20:30:44 GMT from France)
As a home user, there are quite few chances you'll see an attack on your computer in your life.
On a server, it's another story.
47 • @45 (by Ricardo on 2016-12-28 20:40:34 GMT from France)
I talked about Linux of course, not Windows.
48 • Best Linux Desktop 2016, thoroughly reviewed. (by Greg Zeng on 2016-12-29 05:25:24 GMT from Australia)
https://www.youtube.com/watch?v=1iR6cx0_Zgs&t=323s "Best Linux Desktop 2016", quidsup 7':12".
"Published on Dec 27, 2016 Looking back at my Top 3 Favourite Linux Distributions that I reviewed in 2016, which includes a selection for new and advanced users." (from 21 reviewed)
He summarizes many detailed examinations in the last few weeks of full testing, with clear, detailed on-screen examples of his reasons. Generally myself and most others agree with his choices and biases. Of course the emotional fan boys give their own narrow opinions in the following comments to his videos.
1) KDE NEON (Kubuntu based) 4'28" 2) UBUNTU MATE (Ubuntu-based) 1'59" 3) LINUX LITE (Xubuntu 16.04 based), 0'15"
I gave further opinions of my own, on his YouTube page.
49 • Kodachi or TAILS? (by Dave Postles on 2016-12-30 11:44:25 GMT from United Kingdom)
Would appreciate comments on the relative merits.
50 • Re: Kodachi_or_TAILS? (by k on 2016-12-31 07:13:14 GMT from Finland)
@49 by Dave Postles
"Relative merits"?
Not having used or being familiar with Kodachi, I right away tried to compare package lists -- just see if it is worth downloading, verifying ISO and testing Kodachi --, as there are certain packages needed.
But, starting from TAILS page of Distrowatch, and trying the "compare packages" tool, Kodachi does not appear in the pull down menu.
Best wishes to all for 2017, and beyond.
51 • Re: Kodachi_or_TAILS? (by k on 2016-12-31 07:39:07 GMT from United States)
Again @49 by Dave Postles
Starting from Linux Kodachi page of DW, one can use DW's "compare packages" tool to compare full package lists of Kodachi and Tails.
The old Tails USB with persistence has worked really well for several years now, and even on 32-bit UEFI with 64-bit processor, using hosts' hard disk(s) for more capacious long-term storage, but welcome some experiential knowledge from others.
52 • Kodachi packages (by Jesse on 2016-12-31 13:34:01 GMT from Canada)
>> "But, starting from TAILS page of Distrowatch, and trying the "compare packages" tool, Kodachi does not appear in the pull down menu."
@50: Yes, Kodachi is listed, but it is listed under its proper name, Linux Kodachi. https://distrowatch.com/dwres.php?firstlist=tails&firstversions=0&resource=compare-packages&secondlist=kodachi
53 • Linux Mint 18.1 (by Landor on 2016-12-31 19:24:33 GMT from Canada)
Quite some time ago I was forced to install a "simplistic" distribution for someone; I chose Linux Mint 13 Mate Edition. Recently due to an update their wifi went for a dump. Instead of fixing the problem as 13 is closing in on its end of life, I did the upgrade to 17.3 and here I am typing it on this. I don't follow Linux as keenly as I once did, Gentoo works on what I use and that's enough to know for me. A look here showed me though that not only is 18 released, but now 18.1. Interesting that there is no upgrade to this release. Yet anyway.
@5 Good to see an old face/name kicking around. :) Happy New Year
Enjoy your distribution testing everyone. I for one am glad to see DW and DWW still going strong!
Keep your stick on the ice...
Landor
54 • 53 • Linux Mint 18.1... old timers ... Eventually. (by Greg Zeng on 2017-01-01 02:55:36 GMT from Australia)
"... forced to install a "simplistic" distribution for someone ... their wifi went for a dump"
Another old timer myself, so busy that I never published my works properly, anywhere. On updating any Linux operating system:
All Ubuntu-based operating systems (including Mint 18.1) eventually become "old" and "stale". In Linux, the easiest, simplest cure is just upgrading the Linux kernel. No need to change anything else. This then prevents malware created by past errors, bad hardware, updated hardware (poor drivers for new wifi, in this specific case), etc.
Ubuntu-based distros are days ahead of the other "leading" Linux distributions: Arch, and Arch-based. We have the advantage of pre-compiled, ready-to-install files, for a quick, immediate upgrade into the new kernel.
Using grub-customizer, we can then have an easy menu choice into any Linux kernel, at boot-time. These kernels could be old, the latest stable kernel, or any of the proposed Linux kernels. This has been frequently mentioned by myself here in DW and elsewhere on the internet. Unfortunately DW makes it extremely difficult to url the DW mentions that I have made on this easy solution to aging, atm.
55 • @54 (by Ricardo on 2017-01-01 14:42:11 GMT from France)
> "Ubuntu-based distros are days ahead of the other "leading" Linux distributions"
I hope you're joking because this is quite false... If not, you must have some problems, or you are just a hard Ubuntu fanboy, with all the exaggerations, nonsense etc. corresponding to this unhappy "state"...
Number of Comments: 55