DistroWatch Weekly, Issue 692, 19 December 2016
Welcome to this year's 51st issue of DistroWatch Weekly!
There is a saying that good things come in small packages and one of the smaller and more visually attractive distributions is Bodhi Linux. The Bodhi Linux project released version 4.0.0 earlier this year and Joshua Allen Holm presents his thoughts on the distribution and its custom Moksha desktop environment in this week's Feature Story. Also in this issue, Jesse Smith explores a security package called Cappsule which is designed to protect the operating system from compromised processes. In our News section we discuss a new configuration suite from Calculate Linux, a collaborative effort between Solus and Ubuntu MATE to improve the application menu and the CoreOS distribution's name change. As usual, we report on the distribution releases of the past week and supply a list of torrents we are seeding. In our Opinion Poll we talk about approaches to process isolation and security. This week we added a new search feature which makes it easier to find old reviews and articles from past editions of the Weekly. Plus we are happy to report this month's DistroWatch donation goes to the UBports project to assist in bringing GNU/Linux to a wider range of smart phones. We will be on holiday next Monday, but we will return with a new DistroWatch Weekly on January 2, 2017. We wish you all a wonderful week and happy reading!
Listen to the Podcast edition of this week's DistroWatch Weekly in OGG (26MB) and MP3 (34MB) formats.
Feature Story (by Joshua Allen Holm)
Bodhi Linux 4.0.0 review
For users with older computers, some of the modern Linux distributions can be too resource intensive. Bodhi Linux 4.0.0 is a lightweight distribution designed for those users. The minimum system requirements are a 500MHz processor, 128MB of RAM, and 4GB of disk space. The recommended requirements are a 1.0GHz processor, 512MB of RAM, and 10GB of disk space. Available in both 32-bit and 64-bit versions, as well as a "Legacy" release for really old 32-bit systems, Bodhi Linux 4.0.0 can easily bring new life to older computers.
Bodhi Linux offers a couple of download options beyond the 32-bit/64-bit choice. There is a Standard release and an AppPack version. The Standard release is very bare-bones with only a minimal set of pre-installed options, while the AppPack version comes with a larger number of bundled applications. The ISO for the 64-bit Standard version is 647MB and the 64-bit AppPack version is 1.21GB (about twice the size). For the purposes of this review, I opted for the Standard version, so I could customize my system as I wished. However, I will be mentioning some of the AppPack version's additional software throughout this review.
Installing Bodhi Linux
The live USB I made using the ISO file I downloaded booted quickly, and I was presented with a very nice looking desktop with a helpful quick start guide, which provided a lot of useful information about Bodhi. Honestly, I did not spend much time poking around in the live environment and immediately started the installer. Though from my limited experience using the desktop while the installer ran, the live version is very usable.
Bodhi Linux 4.0.0 -- The Quick Start Guide
Bodhi Linux 4.0.0 is based on Ubuntu 16.04 LTS, so there were no real surprises when it came to installing. The installer is the standard Ubiquity installer with just a few theme changes and Bodhi-specific information screens. The only problem I had was the fact that the custom theme used seems to not have an image for unchecked check boxes and unselected radio buttons. A selected option has a mark, but nothing is displayed in front of non-selected options, making it hard to figure out where to click. Users who have never used Ubiquity before might not even know they are being presented with options they can choose. Overall, it is a minor flaw, but something that should probably be addressed.
The Moksha desktop
Bodhi's desktop environment is called Moksha. The Bodhi website describes this desktop as "a continuation of the Enlightenment 17 desktop," which "consists of the back porting of bug fixes and features from future Enlightenment releases, as well as the removal of half finished/broken things E17 contained."
Bodhi Linux 4.0.0 -- The Moksha desktop
For a lightweight desktop environment, Moksha is beautiful without needing a lot of system resources. On my system, with no extra applications running, the RAM usage was approximately 120MB, give or take a few megabytes either way. Despite low RAM usage, Moksha and the default applications have some wonderful graphical effects. The mouse cursor has a glowing green outline when the mouse or trackpad button is clicked. Terminology, the terminal application, has a glowing blue text cursor and, when doing something that would trigger a boring error beep on most systems, Terminology's window flashes red. This red flash is not a simple, quick color change, it is actually a polished animation. It alerts the user that something went wrong without being overpowering or needlessly distracting.
While I cannot find much wrong with Moksha overall, beyond a general sense of it being a little rough around the edges, I have to say that the graphical effect for the clock in the system tray is super distracting. The current time is displayed in glowing green numbers, which looks really nice, but all the non-current digits are also displayed in light gray. The effect is similar to a digital alarm clock using various lines to create the various numbers by only lighting certain elements, but in the case of Moksha's clock, the numbers are not the LED-style seen on alarm clocks, so you can see nine other digits stacked underneath the currently active digit. I will admit I am nitpicking here, but I found the clock's display to be way too jumbled.
While Moksha is very nice, there are a few minor drawbacks with the default applications. The included text editor, ePad, is one of the most spartan text editors I have ever used. It is functional, but there are very few options to customize it. It is the same way for a lot of the bundled apps in the Standard version. The applications are nice, but basic. They might be enough for some people, but could be very limiting for others. Thankfully, the distribution does provide a nice selection of more robust alternatives through its package manager.
Installing and updating software
Like I noted above, I used the Standard version of the install media, so my system did not have much software installed. It came with the Midori web browser, the Terminology terminal emulator, PCManFM file manager, ePad text editor, ePhoto image viewer, and a handful of system utilities for adjusting various settings and updating software. The AppPack version includes a much longer list of bundled software including key applications like LibreOffice and the VLC media player.
Bodhi Linux 4.0.0 -- The AppCenter software manager
The default method for installing software in the Standard version is the Bodhi AppCenter. This web-based AppCenter contains a rather limited number of packages, but the ones that are included are the big name applications. For web browsers, Chromium and Firefox are available to install and the office category provides lighter applications, like Abiword and Gnumeric, and full office suites, including both Apache OpenOffice and LibreOffice. It is the same for all the other software categories; the big name applications are there, but overall selection of software is very limited. This drawback can easily be bypassed by installing the Synaptic package manager (which comes included by default in the AppPack version) and installing software from a much larger selection of packages, basically anything available in the Ubuntu 16.04 LTS repositories.
Even without resorting to installing Synaptic, I was able to add enough software to my system to make it usable. I had a web browser, e-mail client, terminal, office suite, video player, and a few other utilities. While I could have easily installed from the AppPack install media and had most of these applications included by default, I like that I could start from a minimal desktop and select the packages I wanted.
Bodhi Linux 4.0.0 -- The update manager
System updates are handled using the eepDater utility. This basic utility does exactly what it is supposed to, so there is not much to say about it. Run the updater, select which updates you want to install, and it installs them. For the entire time I used Bodhi Linux 4.0.0, I had zero problems with the updater, which is a testament both to the updater and the Bodhi team's ability to make their extra packages mesh with the Ubuntu base. When dealing with distributions that are a base distro plus extras, sometimes things can get broken or messed up, but I saw none of that when I was using Bodhi.
Bodhi Linux 4.0.0 is an excellent choice for anyone looking for a lightweight Linux distribution for their older computers, or anyone who wants something just a little different. While the Moksha desktop is not perfect and it still has a few minor rough edges, it is a functional, traditional desktop. The only real negative with Bodhi is the small number of applications available through Bodhi's AppCenter, but even that is easily bypassed by installing and using the Synaptic package manager.
* * * * *
Hardware used in this review
My physical test equipment for this review was a Lenovo Ideapad 100-15IBD laptop with the following specifications:
- Processor: 2.2GHz Intel Core i3-5020U CPU
- Storage: Seagate 500GB 5400 RPM hard drive
- Memory: 4GB of RAM
- Networking: Realtek RTL8723BE 802.11n Wireless Network Adapter
- Display: Intel HD Graphics 5500
Miscellaneous News (by Jesse Smith)
Calculate's new Utilities package, Solus and Ubuntu MATE build new application menu, CoreOS becomes Container Linux
The Calculate Linux team has announced their first beta release of Calculate Utilities. The Utilities package features a suite of server configuration tools which will help the administrator perform common tasks. "The first beta of Calculate Utilities 3.5 has been made available. The brand new sys-apps/calculate-utils package now features server configuration tools, even though only basics are supported for the time being, such as database deployment, LDAP server configuration, creating accounts for Unix users, files and configuration backups, etc. We completely rewrote the server utilities. Server templates were moved to the Calculate overlay. Two more USE flags, backup and server, were added to the package, which stand respectively for creating backups and server configuration." Further information on the Utilities suite and its features can be found in the project's blog post.
* * * * *
The Solus and Ubuntu MATE projects are working in collaboration to build a better application menu for the MATE desktop environment. The new menu is called Brisk and is written in C in order to offer better performance. The This Week In Solus newsletter reports: "Brisk Menu will be featured in the ISO snapshot for our Solus MATE Edition and the work done on Brisk Menu will be ported back to Budgie 11. Additionally, we're proud to announce that the Ubuntu MATE project has expressed enthusiasm about Brisk Menu and is helping to fund development of it, so all MATE desktop users can benefit from a fast, modern menu implementation. The Ubuntu MATE project will be integrating Brisk Menu as soon as it can replace the core functionality of MATE Menu, and will see that Brisk Menu is packaged for Debian and made available in the Debian and Ubuntu archives." Ubuntu MATE's lead developer, Martin Wimpress, confirmed the ongoing collaboration in a Google+ post.
* * * * *
The CoreOS distribution is a Linux-based project for servers. The distribution is designed to be streamlined for running containers and provides rolling updates. The project has announced a change in the name of the distribution from CoreOS to Container Linux. "Over the years, CoreOS (the brand) has grown to represent not just a product but the leadership and expertise we provide to our customers and in the open community. So to differentiate our company from this widely used product, we have renamed CoreOS Linux to 'Container Linux by CoreOS' and have given it a new logo as well." Further information can be found in the project's announcement.
* * * * *
These and other news stories can be found on our Headlines page.
Technology Review (by Jesse Smith)
Cappsule - Lightweight virtual machine security
One of our readers sent me a link to Cappsule and recommended I look into it. Cappsule is a product of Quarkslab which strives to improve security by isolating processes. The project's website states:
Cappsule is a new kind of hypervisor developed by Quarkslab (to our knowledge, there's no similar public project). Its goal is to virtualize any software on the fly (e.g. web browser, office suite, media player) into lightweight VMs called cappsules. Attacks are confined inside cappsules and therefore don't have any impact on the host OS. Applications don't need to be repackaged, and their usage remains the same for the end user: it's completely transparent. Moreover, the OS doesn't need to be re-installed nor modified.
At this time, Cappsule is still in development and carries the beta tag. The software can be installed from a Deb package on an existing instance of Ubuntu 16.04. Alternatively, there are VMware and VirtualBox appliances we can download in order to test the Cappsule software before we install it locally.
I decided to try the VirtualBox appliance first. I downloaded the 2.1GB compressed archive, confirmed the appliance's checksum and tried to import it into VirtualBox. Importing the appliance failed due to storage-related errors. I then created a new virtual machine and tried to attach the provided virtual hard disk, which again failed.
Though not off to a great start, I decided to try installing Cappsule directly on an existing copy of Ubuntu 16.04.1. I downloaded the 540kB Deb package and tried to install it. The package was missing a dependency, specifically the xserver-xorg-video-dummy package. I installed this missing item and then installed the Cappsule Deb package.
According to the project's documentation, Cappsule includes a background daemon which we need to start before using Cappsule. After that, we should be able to run commands inside cappsules by prefixing our commands with virt exec. For example, we might run "virt exec firefox" or "virt exec vi". At first, the virt command was not recognized and I found this was due to the program being installed in the /usr/local/cappsule/usr/bin directory which had to be added to my user account's command path. With this done, I tried running virt and got back an error: "Client error: cannot connect to cappsule server."
As it turned out, the server was not running yet. I launched the server (it needs to be run with root or sudo privileges) and tried again. Once more I was told virt could not connect to its server. A little experimenting showed the Cappsule server was terminating immediately upon launch, not running in the background as expected. To work around this, I ran the Cappsule server in debugging mode. The only thing debugging mode offered me was an error which read: "finit_module: File exists", followed by the daemon shutting down.
A trip back to the project's documentation led me to realize Cappsule is available in two flavours, one apparently for desktop applications and another for command line programs or services. Since the Desktop version appears, judging by the documentation, to be trickier to get working smoothly, I removed the Desktop version of the package and installed the Server edition.
Trying to run the Server edition of Cappsule worked (or did not work) exactly the same as the Desktop edition. The daemon would crash and I could get no helpful error messages out of the debugging mode. A side-effect of installing the Server edition was, when I rebooted Ubuntu, my operating system would only boot to a command line interface. I was no longer brought to a graphical login screen at boot time. Even once the Cappsule packages had been removed, Ubuntu still only booted to a text console. I could login, but not launch a graphical environment as Cappsule had changed my X software settings.
At this point, Cappsule does not appear to be a practical tool. I could not import the virtual machine appliance and neither of the two Deb packages provided me with a working copy of the Cappsule daemon. Adding insult to injury, removing Cappsule effectively removed my ability to run graphical software on my installation of Ubuntu. The project has some documentation, but it's still sparse and mostly covers what Cappsule is without diving a great deal into how it works or how to trouble-shoot issues.
For now, people hoping to isolate their processes would probably be better served by Firejail, Qubes OS or a virtual machine.
Released Last Week
Karanbir Singh has announced the release of CentOS 7-1611. The new release is derived from Red Hat Enterprise Linux 7.3 and offers a number of new features, including SHA2 support in OpenLDAP, Bluetooth LE and a technology preview of Btrfs. "Since release 1503 (abrt>= 2.1.11-19.el7.centos.0.1) CentOS-7 can report bugs directly to bugs.centos.org. You can find information about that feature at this page. Various new packages include among others: python-gssapi, python-netifaces, mod_auth_openidc, pidgin and Qt5. Support for the 7th-generation Core i3, i5, and i7 Intel processors and I2C on 6th-generation Core Processors has been added. Various packages have been rebased. Some of those are samba, squid, systemd, krb5, gcc-libraries, binutils, gfs-utils, libreoffice, GIMP, SELinux, firewalld, libreswan, tomcat and open-vm-tools..." Further information can be found in the project's release notes.
OLPC OS 13.2.8
James Cameron has announced the release of OLPC OS 13.2.8, the latest version of a specialist distribution developed under the initiative of the One Laptop Per Child (OLPC) project to provide children in developing countries with low-cost laptops. This release is still based on Fedora 18, but it ships with updated Sugar, the distribution's default desktop user interface: "We're pleased to announce the release of OLPC OS 13.2.8 for XO-1, XO-1.5, XO-1.75 and XO-4. Features: new Sugar 0.110 with completed translations; updated activities Speak 52, Measure 53, Maze 26.1, Implode 17, GetBooks 16.2, Clock 18.1 and Chat 83; add sugar-erase-bundle feature, for use by deployment scripts. Fixes: fix Fedora secondary mirror references so yum can work; remove Sugar Web Account control panel as it does nothing; remove Simple-English-Wikipedia on XO-1.5 to fit into 2 GB limit for some models; add forward and back buttons in help view; display activity instance title in join requests...." Read the release announcement and release notes for further details and installation instructions.
Proxmox 4.4 "Virtual Environment"
Proxmox Virtual Environment (VE) is a Debian-based distribution used for running virtual appliances and containers. The latest release of Proxmox VE, version 4.4, allows for the creation of unprivileged containers through the distribution's graphical interface. The project also has a new dashboard: "Proxmox Server Solutions GmbH today released version 4.4 of its server virtualization platform Proxmox Virtual Environment (VE). In addition to numerous improvements and updates the open source solution Proxmox VE brings a new dashboard for Ceph and cluster. The new Ceph dashboard gives the administrator a comprehensive overview of the Ceph status, the Ceph monitors, the Ceph OSDs, and the current performance and utilization of the Ceph cluster. Together with the existing disk management the new dashboard simplifies the ease-of-use and administration of Ceph storage and paves the way to the complete software-defined data centre." Additional information can be found in the distribution's release announcement.
MX Linux 16
MX Linux is a mid-weight, Debian-based Linux distribution which uses Xfce as the project's default desktop environment. The project has announced the release of MX 16, code name "Metamorphosis". While based on Debian's Stable branch, MX Linux uses the SysV init software rather than the newer systemd init technology. "MX-16 (Metamorphosis) released. The dev team of MX Linux is pleased to announce the release of MX-16 - code named 'Metamorphosis'. Built on the reliable and stable Debian Jessie (8.6) base with extra enhancements from the antiX live system, it also comes with numerous up to date applications provided by the MX Linux packagers. Just like previous versions of MX, this release defaults to SysV init. Available in 32- and 64-bit. Both ISO files weigh in at around 1.2GB in size." The new release is available in 32-bit and 64-bit builds with the 32-bit ISO featuring a kernel that does not require PAE support to boot. Further information can be found in the project's release announcement.
MX Linux 16 -- Running the Xfce desktop
Lucas Villa Real has announced the release of GoboLinux 016, an independently-developed distribution characterised by a custom (and very un-UNIX-like) file system hierarchy. This release of GoboLinux, the first stable version in over 2.5 years, ships with a minimalist desktop based on the Awesome window manager: "We are pleased to present release 016 of GoboLinux, the Linux distribution featuring a re-thought file system structure. GoboLinux was created out of a desire to try new approaches in the Linux distribution design space. GoboLinux 016 continues this journey, with a focus on the exploration of novel ideas aiming to make the system simpler yet functional. The GoboLinux ISO image serves both as an installation disc and a live environment, with a graphical desktop featuring Awesome WM. In fact, due to the modular nature of the GoboLinux file system, every program available in the image can be used directly from the Live environment." Read the detailed release notes for further information.
GoboLinux 016 -- Running the Awesome window manager
Linux Mint 18.1
The Linux Mint team has announced the release of an update to the project's 18.x branch. The new version, Linux Mint 18.1, is available in two editions (Cinnamon and MATE) and is available in 32-bit and 64-bit builds. The new release offers Cinnamon users a new screen saver that displays more information and provides media controls even when the screen is locked. On computers which feature accelerometers, the Cinnamon desktop can now rotate when the device's orientation changes. Both editions offer upgrades to the X-apps programs with the Xplayer media player now offering the ability to blank screens not being used to display video. Also, the update manager can display a list of available kernel versions with recommendations. "The screensaver in Cinnamon 3.2 was redesigned and rewritten from scratch in Python. Not only does it look better, but it's also much faster, more responsive and more customizable than the old one. Background slide shows set in Cinnamon continue to play in the new screensaver. On laptops the battery power is shown, so you can see if you're running low without having to log in. We also thought about music fans. You no longer need to unlock the screen to mute the sound, and if you're throwing a party and using your computer as a jukebox, you can have the media controls right there in the screensaver, so you can let people skip to the next song without giving them access to your session. The screensaver can also show if you missed notifications (not their content, for privacy reasons, but how many)." Additional information can be found in the project's release announcements (Cinnamon, MATE).
The GeckoLinux project is an openSUSE-based, desktop oriented distribution. The project provides eight different editions with live discs for testing purposes. The latest version of the distribution, GeckoLinux 422.161213.0, is based on openSUSE 42.2 Leap and includes many package updates. "Changes to all GeckoLinux Static editions: The base system has been updated to openSUSE Leap 42.2, with updated versions of the Linux kernel (4.4.36), systemd (228), GTK3 (3.20), Qt (5.6.1), and glibc (2.22). Also the GeckoLinux language-installer.sh script for non-English language packs has been updated to be more reliable and easy to use. Also the script created by Mindaugas Baranauskas to ensure that Xorg correctly starts has been significantly improved, and SiS graphics support has also been included. Perhaps the most important change is that the old yast2-live-installer that served us well for past releases is no longer supported by openSUSE and no longer works. Therefore, it has been replaced by the Calamares universal installer framework." Further information can be found in the project's release announcement.
* * * * *
Development, unannounced and minor bug-fix releases
Bittorrent is a great way to transfer large files, particularly open source operating system images, from one place to another. Most bittorrent clients recover from dropped connections automatically, check the integrity of files and can re-download corrupted bits of data without starting a download over from scratch. These characteristics make bittorrent well suited for distributing open source operating systems, particularly to regions where Internet connections are slow or unstable.
Many Linux and BSD projects offer bittorrent as a download option, partly for the reasons listed above and partly because bittorrent's peer-to-peer nature takes some of the strain off the project's servers. However, some projects do not offer bittorrent as a download option. There can be several reasons for excluding bittorrent as an option. Some projects do not have enough time or volunteers, some may be restricted by their web host provider's terms of service. Whatever the reason, the lack of a bittorrent option puts more strain on a distribution's bandwidth and may prevent some people from downloading their preferred open source operating system.
With this in mind, DistroWatch plans to give back to the open source community by hosting and seeding bittorrent files. For now, we are hosting a small number of distribution torrents, listed below. The list of torrents offered will be updated each week and we invite readers to e-mail us with suggestions as to which distributions we should be hosting. When you message us, please place the word "Torrent" in the subject line and make sure to include a link to the ISO file you want us to seed. To help us maintain and grow this free service, please consider making a donation.
The table below provides a list of torrents we currently host. If you do not currently have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.
Archives of our previously seeded torrents may be found here. All torrents we make available here are also listed on the very useful Linux Tracker website. Thanks to Linux Tracker we are able to share the following torrent statistics.
Torrent Corner statistics:
- Total torrents seeded: 264
- Total data uploaded: 49.1TB
Upcoming Releases and Announcements
Summary of expected upcoming releases
Process isolation can improve security, especially when running network services which may be compromised by outside attackers. This week we discussed Cappsule, a technology created to help isolate running processes from each other. In past articles we have talked about other technologies, such as Qubes OS and Firejail, which seek to isolate processes from the rest of the operating system. There are several other ways to sandbox applications, including using Linux containers, virtual machines and FreeBSD jails.
This week we would like to know what, if any, technology you use to keep your applications and services isolated from the rest of the operating system. If you are using one we do not list here, please tell us about it in the comments.
You can see the results of our previous poll on the types of feature stories we publish here. All previous poll results can be found in our poll archives.
- Cappsule: 6 (0%)
- Firejail: 169 (12%)
- FreeBSD jail: 79 (5%)
- Linux container: 79 (5%)
- Qubes OS: 50 (3%)
- Virtual machine: 465 (32%)
- Other: 33 (2%)
- None: 585 (40%)
Search for past articles and mobile fonts
DistroWatch has been around, providing reviews and news, for over 15 years now. Over the past decade and a half we have accumulated well over a thousand reviews, tips and Questions & Answers columns. In order to make finding past articles and guides easier, we have introduced a new search page.
The new Articles Search page helps readers find past articles using key words. There are also filters to assist in finding articles of a specific type, such as a distribution review or Tips & Tricks column. We hope this search page will be useful for people looking for tutorials or a look back at older versions of distributions.
Last month, when we introduced the mobile version of the DistroWatch website, we received lots of constructive feedback. One requested feature was the use of larger font sizes, particularly on the front page. This has been implemented and it should now be possible to read the front page of DistroWatch in portrait mode, even on small smart phone screens, without zooming in.
* * * * *
December 2016 DistroWatch.com donation: UBports
We are pleased to announce the recipient of the December 2016 DistroWatch.com donation is UBports. The project receives US$300.00 in cash.
The UBports project works to port the Ubuntu Touch mobile operating system to additional devices, particularly Android-powered smart phones. "UBports is a team of developers and a meeting place for developers that wish to port Ubuntu Touch to as many devices as possible, this is a place where developers can talk to other developers, learn from each other and help push Ubuntu to more devices as a team, or by yourself but with community support if you wish." At the moment, phones with Ubuntu Touch pre-installed are all out of stock and UBports provides a method by which people can get Ubuntu running on their devices with relatively little effort. We reviewed Ubuntu Touch running on the Meizu Pro 5 earlier this year.
Launched in 2004, this monthly donations programme is a DistroWatch initiative to support free and open-source software projects and operating systems with cash contributions. Readers are welcome to nominate their favourite project for future donations. Those readers who wish to contribute towards these donations, please use our advertising page to make a payment (PayPal, credit cards, Yandex Money and crypto currencies are accepted). Here is the list of the projects that have received a DistroWatch donation since the launch of the programme (figures in US dollars):
Since the launch of the Donations Program in March 2004, DistroWatch has made 146 donations for a total of US$46,381 to various open-source software projects.
- 2004: GnuCash ($250), Quanta Plus ($200), PCLinuxOS ($300), The GIMP ($300), Vidalinux ($200), Fluxbox ($200), K3b ($350), Arch Linux ($300), Kile KDE LaTeX Editor ($100) and UNICEF - Tsunami Relief Operation ($340)
- 2005: Vim ($250), AbiWord ($220), BitTorrent ($300), NDISwrapper ($250), Audacity ($250), Debian GNU/Linux ($420), GNOME ($425), Enlightenment ($250), MPlayer ($400), Amarok ($300), KANOTIX ($250) and Cacti ($375)
- 2006: Gambas ($250), Krusader ($250), FreeBSD Foundation ($450), GParted ($360), Doxygen ($260), LilyPond ($250), Lua ($250), Gentoo Linux ($500), Blender ($500), Puppy Linux ($350), Inkscape ($350), Cape Linux Users Group ($130), Mandriva Linux ($405, a Powerpack competition), Digikam ($408) and Sabayon Linux ($450)
- 2007: GQview ($250), Kaffeine ($250), sidux ($350), CentOS ($400), LyX ($350), VectorLinux ($350), KTorrent ($400), FreeNAS ($350), lighttpd ($400), Damn Small Linux ($350), NimbleX ($450), MEPIS Linux ($300), Zenwalk Linux ($300)
- 2008: VLC ($350), Frugalware Linux ($340), cURL ($300), GSPCA ($400), FileZilla ($400), MythDora ($500), Linux Mint ($400), Parsix GNU/Linux ($300), Miro ($300), GoblinX ($250), Dillo ($150), LXDE ($250)
- 2009: Openbox ($250), Wolvix GNU/Linux ($200), smxi ($200), Python ($300), SliTaz GNU/Linux ($200), LiVES ($300), Osmo ($300), LMMS ($250), KompoZer ($360), OpenSSH ($350), Parted Magic ($350) and Krita ($285)
- 2010: Qimo 4 Kids ($250), Squid ($250), Libre Graphics Meeting ($300), Bacula ($250), FileZilla ($300), GCompris ($352), Xiph.org ($250), Clonezilla ($250), Debian Multimedia ($280), Geany ($300), Mageia ($470), gtkpod ($300)
- 2011: CGSecurity ($300), OpenShot ($300), Imagination ($250), Calibre ($300), RIPLinuX ($300), Midori ($310), vsftpd ($300), OpenShot ($350), Trinity Desktop Environment ($300), LibreCAD ($300), LiVES ($300), Transmission ($250)
- 2012: GnuPG ($350), ImageMagick ($350), GNU ddrescue ($350), Slackware Linux ($500), MATE ($250), LibreCAD ($250), BleachBit ($350), cherrytree ($260), Zim ($335), nginx ($250), LFTP ($250), Remastersys ($300)
- 2013: MariaDB ($300), Linux From Scratch ($350), GhostBSD ($340), DHCP ($300), DOSBox ($250), awesome ($300), DVDStyler ($280), Tor ($350), Tiny Tiny RSS ($350), FreeType ($300), GNU Octave ($300), Linux Voice ($510)
- 2014: QupZilla ($250), Pitivi ($370), MediaGoblin ($350), TrueCrypt ($300), Krita ($340), SME Server ($350), OpenStreetMap ($350), iTALC ($350), KDE ($400), The Document Foundation ($400), Tails ($350)
- 2015: AWStats ($300), Haiku ($300), Xiph.Org ($300), GIMP ($350), Kodi ($300), Devuan ($300), hdparm ($350), HardenedBSD ($400), TestDisk ($450)
- 2016: KeePass ($400), Slackware Live Edition ($406), Devil-Linux ($400), FFmpeg ($300), UBports ($300)
* * * * *
This concludes this week's issue of DistroWatch Weekly. The next instalment will be published on Monday, 2 January 2017. Past articles and reviews can be found through our Article Search page. To contact the authors please send e-mail to:
|Reader Comments
1 • jails (by nolinuxguru on 2016-12-19 10:24:51 GMT from United Kingdom)
I have been using Firejail for a while to isolate Firefox, Icedove [email]. I use the supplied profiles for these applications, but customise them to further restrict the ways programs such as Firefox can propagate any malware. I like the way that I can compile the Firejail program from source [it does not have the usual rats-nest of dependencies, and is small enough that even I can understand how it works].
2 • Bodhi Linux (by aguador on 2016-12-19 10:52:30 GMT from Spain)
Enlightenment is my DE of choice, but I have never quite managed to relate to Bodhi, in part because of its Ubuntu base, but more because of Midori and the AppCenter. Midori, while light on resources, in my experience has always seemed slow as well as limited. Firefox is an option, but (at least in the past) does not come enabled to use the AppCenter. So, one reverts to Synaptic, a great option for most, but more complicated for newbies who might be better served by a more traditional software center approach.
Jeff has made good contributions to Enlightenment, including ePad which has to be the absolute lightest notepad application around given its use of EFL and arguably better than Ecrire in some ways. I understand that E is undergoing constant development -- and improvement, so forking it due to momentary frustrations was a shame. Still, Bodhi seems to have found a niche and I wish the project well.
3 • Brisk Mate Menu (by aguador on 2016-12-19 11:01:23 GMT from Spain)
Mate was my first DE and I am amazed at the progress it has made. A recent test drive of a live version of Ubuntu Mate was a surprisingly pleasant experience with good configuration options. The things that set it apart from Linux Mint are the application menu and interface options. Mint Menu is good conceptually, but a bit wanting aesthetically. A faster, more aesthetic (Budgie- or Cinnamon-like) menu is sure to be welcomed by regular users.
4 • Brisk Mate Menu (by sydneyj on 2016-12-19 11:56:38 GMT from United States)
I very much agree with @3 aguador regarding Brisk menu for Mate. I use Arch/Mate now, with the MintMenu. The menu is quite good, but a bit buggy (a couple of irretrievably broken links), presumably due to GTK2/3 issues. I would be happy to see the Cinnamon menu ported to Mate, since it doesn't require an extra click to get to Favorites, and the menu can grow in size as items are added. A hybrid Cinnamon/Budgie menu might be just the ticket, as well.
5 • Mate Menu (by Pikolo on 2016-12-19 12:19:00 GMT from United Kingdom)
Rewriting a menu in C sounds like a very anti-trend move to me. Isn't Gnome moving from C to Rust? Isn't C famous for buffer overflows? I've seen dozens of articles on "why we should limit the use of C" just this month. A truly bizarre development.
I'm surprised there are so many Qubes users on DW. Joanna Rutkowska has shown a graph, on which there are <7k users, and already 16 of them voted. Though their % will probably drop over time. All in all, 60% of Linux users using process isolation is impressive.
6 • <3 bodhi (by meanpt on 2016-12-19 12:42:25 GMT from Portugal)
... been with bodhi since ... rats, I'm getting older. Since then I only miss one thing: the original ram's 76 MB landing DE which I proudly showed off to the wd$sy friends.
7 • New menu in C (by Jesse on 2016-12-19 13:01:38 GMT from Canada)
@5: >> "Rewriting a menu in C sounds like a very anti-trend move to me. Isn't Gnome moving from C to Rust? Isn't C famous for buffer overflows? I've seen dozens of articles on "why we should limit the use of C" just this month. A truly bizarre development."
In this case it makes a lot of sense. C is still one of the main languages to use when performance is a primary focus. And, in this case, the risk of buffer overflows or similar memory corruption errors is not really a concern. Remember, the application menu is run as the user who is logged in and sitting physically at the computer. If the user manages to somehow exploit a flaw in the code, all they end up with is the ability to run code at the computer where they are already sitting, running whatever code they want. In this instance, C gives a boost in performance with no practical downside.
8 • @ Joshua (by geert on 2016-12-19 13:06:56 GMT from Netherlands)
>For users with older computers, some of the modern Linux distributions can be too resource intensive. Bodhi Linux 4.0.0 is a lightweight distribution designed for those users. The minimum system requirements are a 500MHz processor, 128MB of RAM, and 4GB of disk space. The recommended requirements are a 1.0GHz processor, 512MB of RAM, and 10GB of disk space.<
Of course, if only you just boot the computer and don't do anything. All processes have to work in RAM, and the more apps you have open, the more RAM you need. And, remember 32 bit is "legacy" now.
9 • Bodhi Clock (by Thomas on 2016-12-19 13:20:50 GMT from France)
The clock widget in Bodhi mimics clocks made with Nixie Tubes or similar technology.
10 • Re: #2 / Midori (by Jeff Hoogland on 2016-12-19 13:34:03 GMT from United States)
Always amusing that we ship as few applications as possible and yet people still find a reason to dislike them. We know midori is feature light. It is also only 5~ MB to install so it isn't wasting much space like Firefox or Chrome would (because there are plenty of people who hate each of those). We expect and often encourage people to install their full browser of choice.
For reference the latest version of Bodhi has a dedicated "app center" menu launcher that opens a midori browser to just the appcenter URL. Pretty easy for a novice end user to always use that to grab software even if they use something else as a primary web browser.
Also - APTURL (the protocol the AppCenter uses to make the browser call the package manager) works with Chrome and Firefox if you configure them properly.
11 • Greetings (by Thom on 2016-12-19 13:55:41 GMT from Sweden)
A thank you to the team behind DW for another year of dedication and philanthropy.
Best wishes for the season and the new year.
12 • Bodhi (by jaws222 on 2016-12-19 15:17:44 GMT from United States)
I've always appreciated the fact that Bodhi was extremely lightweight. As far as the browser I usually go to the app center and install Chromium cause I like it and usually install whatever else I want or think I may need. I've never understood why people complain either, Jeff.
13 • Firejail (by a on 2016-12-19 15:56:28 GMT from France)
I tried using firejail but it makes programs crash/exit without any message as to what the problem is.
14 • Firejail (by Jesse on 2016-12-19 16:08:08 GMT from Canada)
@13: If your application is crashing, it is probably because no one has created a Firejail profile for it yet. I ran into this with the Qupzilla browser and submitted a new profile for it to the project for future releases. You can request new application profiles here: https://github.com/netblue30/firejail/issues/825
15 • service isolation with systemd (by Scott Dowdle on 2016-12-19 17:18:03 GMT from United States)
Just wanted to mention that systemd has a number of security related features so you may separate services with isolated filesystems, /tmp, network name spaces, etc.
16 • Bodhi (by Gibson on 2016-12-19 17:35:32 GMT from United States)
I really appreciate that Bodhi offers install images without preinstalled software. Whenever I install a new distro the first thing I normally do is purge a bunch of default applications that I won't use and install my own choices. Bodhi's super lightweight text editor and web browser (which also serves as a software center) are just enough to get going without getting in the way of my own choices.
I actually really like their choice to use the web browser as a basic software center. It keeps with the pattern of minimalism and simplicity. I played with Bodhi for a while shortly after being introduced to Linux and as a total amateur I never had a problem with their approach to software installation. In fact their minimal selection of apps made it easier to find what I was looking for. Now that I've been around for a while the midori interface might not meet my needs, but at this point I just use apt-get.
17 • firejail crashes (by nolinuxguru on 2016-12-19 17:57:20 GMT from United Kingdom)
@13 If you haven't reported this elsewhere, it would help if you said which programs crashed [bit quiet this week].
18 • OpinionPoll-Process isolation (by CucumberLinux on 2016-12-19 18:07:39 GMT from Germany)
Nothing too technical, just my uneducated observation, if I may. Thank you.
I somewhat did write this in a hurry, but you will understand what I point out;
ISOLATING AND QUBES OS DATING
Currently I am not using any software in order to isolate processes from the rest of the operating system from my GNU-Linux or LinuxDistributions, call it what you want. Generally we feel what I am talking about. Because this process is somehow new to me. However I have tried like 1 Year ago to install on quad core 16 Gb Ram PC (Boot Mode -Legacy), the QubesOS Distribution, with zero success. The Anaconda installer from Fedora, was a pain to work with ( freezing itself or just not detecting hardware). Ever since I never bothered with it. But I find the QubesOS as a very interesting Project in itself. Perhaps not that interesting for people with low specs Hardware.
FRESH INSTALL OF DISTRIBUTION
If something happens I have no problem with fresh installs. (Backing up the Data is priority all the time) At the same time I am refreshing my knowledge, by doing fresh Installs of the Distribution.
This way I do not forget, the basics, because I am not that clever. Speaking here just for my tiny private needs.
FIREJAIL AND VIRTUALBOX AND MY DATING WITH LINUX
Firejail is something I am going to look at, when I get more time and my butt stops hurting from too much sitting in front of the PC, solving GNU-Linux like Sumerian stone Tablets puzzles, like why this stopped working.?. Because our Linux still is a pain to work with, when done some regular updates and they mess up previously made configurations! Or you want to install for Libreoffice the hunspell, but by doing so it removes the Thunderbird.. How can you not feel like the need to throw something against the Wall, when you see this happen over and over again?
And yea after, my Eyes recover from the LED monitor constantly bombarding my pretty eyes and my Pineal gland with its fantastic bright energy saving light..(Wait I need to grasp for Air)
Now, back to the subject;
Wish this Firejail would be already installed on the ISO. And after installation of the Distro to be asked, if I feel like to configure the Firejail, or maybe just maybe later.
Now about Virtual boxing everything up;
Virtualbox is the easiest, but at the same time I use it only for testing never leave it on for long time, due to the fact that it is like having 2 Distributions pounding at the same time on 1 hardware. PC in my opinion is more vulnerable on top of it if access to the Net is given using same IP and Internet for 2 or more Distributions on one Hardware running long time..
I am not using Bodhi Linux 4.0.0, but I have enjoyed the insight look in it from DistroW.
Thank you for the detailed and precise as always tutorial of B.Linux.
Apologies for my Grammar and Greetings to you all Linux users.
19 • Enlightened Bodhi (by Kragle von Schnitzelbank on 2016-12-19 23:41:58 GMT from United States)
I commend Mr. Hoogland for the virtuosity in forking a DE constantly being re-invented with apparent disregard for those who would build on it. This illustrates just one of the many great strengths in Freed software.
I vaguely remember an Enlightenment GUI for parted that I perceived as better than the popular GTK GUI, but can't easily find it any more. ¿case in point?
20 • security overly locked down (by security sense on 2016-12-20 01:16:44 GMT from Netherlands)
Over time, security distros tend to become increasingly locked down internally and harder to use, like Qubes and Tails have become. i believe this is due to poor thought-out design, and just piling security feature upon security feature. after all, if the user can't easily use the OS what's the point? instead, it's quick nowadays to install linuxen to USB drives. so best form of isolation is to install linux on one USB, secure it from leaks and intrusions, and use it for work and don't connect it to any network. then make another linux USB and use that for network stuff. job done - and without any user restrictions.
@18 "I am refreshing my knowledge, by doing fresh Installs of the Distribution. This way I do not forget, the basics, because I am not that clever."
fresh installs are good security too. who said u were dum? people are intelligent in different ways. celebrate your brain - you've only got one!
21 • @20 security lockdown (by nolinuxguru on 2016-12-20 09:15:55 GMT from United Kingdom)
@20 most usb drives are writable, so your proposed solution does not seem to provide any added security. The greatest attack method these days is through the web browser and sites that carry malware: something like Firejail can reduce any damage to the files left writable [config, bookmarks etc].
There is much that can be done to secure your computer without the recourse to the likes of Qubes: good iptables firewall script [or just use ufw], tcpdump to see what gets through the firewall and Firejail to isolate web browsers etc. No actual programming is needed, but care is needed to pick out the bits of tcpdump output that should cause concern.
Someone who can package these simple methods for everyday users would do us all a big favour.
22 • Cappsule (by Al CiD on 2016-12-20 10:03:17 GMT from Portugal)
Perhaps the reason why it didn't work as expected in VirtualBox
"Cappsule uses hardware virtualization to launch applications into lightweight VMs..."
23 • Stuff (by Andy Mender on 2016-12-20 11:34:19 GMT from Austria)
That's not really how it works. It doesn't matter if a script is run by the user only as long as system libraries are involved (for instance, gtk for the GUI). Any overflow can potentially lead to privilege escalation. C as a programming language is not specifically prone to overflows, but rather it requires extra care to avoid them. The more complex and intertwined the software is, the more difficult it is to avoid said overflows. Rust attempts to address this via more stringent code testing during compile time, though it will take time before it's considered reliable enough to be commonly used instead of C.
Jeff, what about the webkit-gtk engine? Surely it's not a mere ~5 mb. I personally love projects like surf, midori or qupzilla, but in my hands both qupzilla and midori segfault way too often. In addition, on non-Ubuntu distributions Midori would often fail to play Youtube videos via HTML5. I use Firefox simply because it's tried and tested, though it's a different weight class altogether, I agree.
24 • C and Cappsule (by Jesse on 2016-12-20 13:46:59 GMT from Canada)
@23: >> "It doesn't matter if a script is run by the user only as long as system libraries are involved (for instance, gtk for the GUI). Any overflow can potentially lead to privilege escalation."
For a privilege escalation to happen, the code would need to either be run as another user or exploit a bug in another part of the system. (Attacking GTK doesn't help the attacker since its code will run as the same user as the menu, not as root.) Having a buffer overflow in the application menu wouldn't result in a problem in itself. If there is a flaw in a library or system call the application menu uses, then the user (who has physical access to the system, remember) can run any code they like to exploit that component. Exploiting the application menu makes no sense in this scenario since the user can link any code they want to the libraries on the system.
Your argument is basically that the user could exploit a potential flaw in the application menu to try to get at another component on the system, when the user running the application menu (and any un-isolated program they run) can already access that other component of the system directly without exploiting the menu. Attacking the menu just adds an extra, unrequired step to the process.
@22: >> "Perhaps the reason why it didn't work as expected in VirtualBox..."
The Cappsule project provides VirtualBox appliances for people to run and test their software. Any computer with hardware virtualization capacity should have no problem meeting the requirements. My computers all have hardware virtualization so that's not the issue.
25 • RE: 24 (by Andy Mender on 2016-12-20 15:06:10 GMT from Austria)
Jesse, thank you for the clarification. It makes more sense to me now. I think my assumption was too far reaching.
26 • Opinion poll > Selection Principals (by Yuri on 2016-12-21 16:00:44 GMT from Russian Federation)
Why do you not include (widely used) technology like SELinux and AppArmor in your list?
27 • Opinion Poll (by Jesse on 2016-12-21 16:05:52 GMT from Canada)
@26: Because SELinux and AppArmor are not designed to isolate processes so much as use permissions to block them from doing bad things. They're different use cases.
28 • Opinion Poll - Process Isolation (by M0E-lnx on 2016-12-21 21:39:14 GMT from United States)
Docker is a great option for services, and with a few tricks even apps in general. I'm not sure if that was included in the 'Linux containers' option, but it would have been nice to see that option listed.
29 • Follow-up to @15 - systemd security features (by Scott Dowdle on 2016-12-21 22:46:35 GMT from United States)
LWN published a premium article today on security features in systemd. It will become freely available to non-subscribers Thursday, Dec 29. Here is the URL that will work for LWN subscribers and everyone else once freely available:
Using systemd for more secure services in Fedora
Intro paragraph: "The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability. "
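As an added example (not code from the comment above, from LWN or from the systemd project), this Python check reads a unit file's [Service] section and reports whether the isolation options mentioned in comments 15 and 29 are set, including whether the RestrictAddressFamilies filter still lets the service create AF_PACKET sockets. The sample units, the function names and the merge handling for repeated RestrictAddressFamilies= lines are assumptions made for illustration.

```python
"""Audit a systemd unit's [Service] section for sandboxing directives."""

TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample units (not taken from any real package).
UNSANDBOXED_UNIT = """\
[Unit]
Description=Example daemon without sandboxing

[Service]
ExecStart=/usr/bin/example-daemon
"""

HARDENED_UNIT = """\
[Unit]
Description=Example daemon with sandboxing

[Service]
ExecStart=/usr/bin/example-daemon
PrivateTmp=yes
PrivateNetwork=no
ProtectSystem=full
# Allow-list: only these socket families may be created.
RestrictAddressFamilies=AF_UNIX AF_INET
RestrictAddressFamilies=AF_INET6
"""

DENYLIST_UNIT = """\
[Service]
ExecStart=/usr/bin/example-daemon
PrivateTmp=true
RestrictAddressFamilies=~AF_PACKET AF_NETLINK
"""


def service_settings(unit_text):
    """Return the (key, value) pairs of the [Service] section, in order."""
    settings, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.append((key.strip(), value.strip()))
    return settings


def address_family_filter(settings):
    """Fold all RestrictAddressFamilies= lines into (mode, families).

    mode is None (no filter), "allow" or "deny". Assumed merge rules: an
    empty value resets the filter, the first non-empty line fixes the mode,
    later lines of the same polarity add families and lines of the opposite
    polarity remove them.
    """
    mode, families = None, set()
    for key, value in settings:
        if key != "RestrictAddressFamilies":
            continue
        if value == "":
            mode, families = None, set()
            continue
        inverted = value.startswith("~")
        names = value.lstrip("~").split()
        if mode is None:
            mode = "deny" if inverted else "allow"
        if (mode == "deny") == inverted:
            families.update(names)
        else:
            families.difference_update(names)
    return mode, families


def audit(unit_text):
    """Summarise which isolation features the unit enables."""
    settings = service_settings(unit_text)
    last = {}
    for key, value in settings:
        last[key] = value  # for plain settings the last assignment wins
    mode, families = address_family_filter(settings)
    if mode is None:
        af_packet = True  # no filter at all
    elif mode == "allow":
        af_packet = "AF_PACKET" in families
    else:
        af_packet = "AF_PACKET" not in families
    return {
        "private_tmp": last.get("PrivateTmp", "no").lower() in TRUE_VALUES,
        "private_network": last.get("PrivateNetwork", "no").lower() in TRUE_VALUES,
        "protect_system": last.get("ProtectSystem", "no").lower(),
        "af_packet_allowed": af_packet,
    }


if __name__ == "__main__":
    samples = [("unsandboxed", UNSANDBOXED_UNIT),
               ("hardened", HARDENED_UNIT),
               ("denylist", DENYLIST_UNIT)]
    for name, unit in samples:
        print(name, audit(unit))
```
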
30 • Bodhi (by slick on 2016-12-22 01:06:40 GMT from United States)
For one have always liked and appreciated Bodhi and especially the e17 Enlightenment experience. Would hope Jeff would consider it being a Debian only distribution.
Don't have Bodhi on my machine only because it's an Ubuntu distribution and to me is just not something desirable. However it is easy enough to install e17 and configure a nice e17 on Devuan without all the bloat.
Have noticed that many distributions have dropped their connection with Ubuntu and they have experienced a jump in popularity. Those that went back to Ubuntu like WattOs experienced a drop and myself one of them.
Appreciate greatly a small but fast distribution without systemd, Devuan on my desktop runs about 185mb of memory on login, how many distributions can do that?
Star is my distribution of choice and can be found on Sourceforge, complemented with many Window manager choices and Xfce DE for a wide choice of flavours!
A few applications to have the distro functional and completely non-bloated, very nice!
31 • MX Linux 16 (by PhantomTramp on 2016-12-22 15:29:07 GMT from United States)
Anti and crew seem to always bless us with a holiday season gift. This one looks very cool. Downloading now...
32 • Bodhi (by More Gee on 2016-12-22 17:40:45 GMT from United States)
It has been awhile since I used Bodhi and really liked the wooden desktop environment without the tube clock. It did not have the radio button issues but I do remember them being a problem on the default. I also remember using Opera instead of Midori and it was a much more enjoyable internet experience and the mini version at that time would still keep ram usage under 128mb. I was thinking of making a VM of this for my 2gb RAM machines.
33 • Bodhi (by Simon Wainscott-Plaistowe on 2016-12-23 02:05:47 GMT from New Zealand)
The new Bodhi release looks impressive. In the past I've found Bodhi's enlightenment desktop a bit non-intuitive so I've been using Peppermint to refurbish old computers. Now I think it's time to give the Moksha desktop a try.
34 • Ultimate security (by Dave Postles on 2016-12-23 09:09:12 GMT from United Kingdom)
Tongue in cheek for Christmas: no HD, just run from DVD - slow but sure.
35 • Process isolation & Bodhi (by Greg Zeng on 2016-12-25 05:44:23 GMT from Australia)
Missing isolating types include the Linux container being on a USB-flash-stick, removable drive, or unique partition. My "unique" partition can be started by any of three partition-handlers (Grub-customizer, BIOS & UEFI).
Listing the DW isolation stuff in popularity order:
1. None: 510 (42%)
2. Virtual machine: 385 (31%)
3. Firejail: 136 (11%)
4. FreeBSD jail: 66 (5%)
5. Linux container: 60 (5%)
6. Other: 32 (3%)
7. Qubes OS: 34 (3%)
8. Other: 32 (3%)
9. Cappsule: 5 (0%)
The 5th & 8th favored option is interesting. Bodhi on a very small computer (Raspberry Pi?) as a Linux Container, or Virtualized machine between the main system and the rest of the network?
"Bodhi Linux 4.0.0 is based on Ubuntu 16.04 LTS, so there were no real surprises when it came to installing." is the first sentence of the independent reviewer in this issue of DW. This Ubuntu installation process also applies to the other 58 Ubuntu-based distributions http://distrowatch.com/search.php?basedon=Ubuntu
All of these can easily have their Linux kernels upgraded & downgraded to any already-compiled Linux kernel of any date, of any degree of readiness (alpha, beta, etc). http://kernel.ubuntu.com/~kernel-ppa/mainline/
Besides Bodhi, there are other micro-Linux's also based on Ubuntu: Web OS and Peppermint. All three can be extremely easily upsized into fully fledged Desktops, with all the needed applications, utilities, ear-candy and eye-candy.
It would be very interesting to compare the micro-Linux's with each other. They all show the inadequacies of the other Ubuntu-based distributions: crazy mixes of ethnic languages braille and usually, games. All show the poor selection of "gkrel" and none have DDCOPY (only PCLOS has these two properly available). Mint, another Ubuntu-derivative, persists with their poor flash-stick format & writing programs. All of these, including PCLOS, do not use Synaptic Package Manager at all well.
36 • Process isolation and other pets (by OpenBSD n00b on 2016-12-25 15:09:15 GMT from Brazil)
Firejail, Cappsule, or any other "sandboxing" tool, may be interesting to implement the concept of "security by isolation". But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD (which emphasizes correctness, proactive security, integrated cryptography, and standardization :).
So I have a recipe for building the perfect OS to surf the Tor network with the ultimate anonymity:
1. Take the latest snapshot of OpenBSD (better yet, the always up-to-date FuguIta respin, which has a decent and also lightning fast graphical interface).
2. Configure the native firewall to run immediately after boot-up and make the host system as stealthed as possible.
3. Install the VirtualBox package, then set it up to run Whonix Linux (both the two VM images: Gateway and Workstation).
4. Release the final result as an installable OpenBSD/FuguIta LiveDVD.
You can now call it "the Tails killer".
37 • "Secure OS" (by M.Z. on 2016-12-25 18:43:35 GMT from United States)
"...But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD"
That seems to me to be more than a little disingenuous. In fact the only thing that convinced me you even halfway knew what you were talking about was that you hedged your bets by using the term '_Almost_ invulnerable...' to describe your OS of choice. Now I'm by no means an expert, but I do think about & research these things to some extent & I'd venture to guess that OpenBSD is likely among the most secure OSs around; however, there is no such thing as a secure OS let alone an invulnerable one. There have been deeply insecure OSs like versions of Windows that basically ran everything as 'Administrator'/root through the 1990s, but that hasn't been an issue on Unix like systems such as Linux and the BSDs for much if any of the time they have been around because of rules set up a long time ago on Unix.
At any rate most Unix like systems are reasonably secure by default when properly administered by folks that don't trust so called Nigerian princes, install random stuff from parts unknown, or forget to run updates. That being said no system is truly secure and there is always some funny vid that must be downloaded & viewed with special software that some are naive enough to believe is a real thing rather than malware. Of course there are also some people who type in root passwords at the drop of a hat or simply make mistakes about communicating what is legitimate and what is not to be trusted. I think that last thing happened in a rather famous hacking incident just in the past few months, someone neither put big bold text saying 'DO NOT TRUST', nor put the letters 'il' in front of illegitimate & there was massive fallout political & otherwise.
I firmly believe that security is all relative & it depends both on secure system design, as well as secure user habits & best practices. The truth is that all links in that chain are vulnerable to some extent even in places that use OSs as secure as OpenBSD. If there were a big enough target it would likely be hacked eventually regardless of which OS it used because everyone from the coders to the end users makes some mistakes. Personally I run Linux systems behind a pfSense/BSD firewall computer & I run some kind of security tool on every system be it firejail, MSEC, SELinux, or snort. Given all the problems I've had using BSD on my hardware I don't have the patience to try & get it working, but I'd still say I'm relatively secure for a self taught non expert. I'm sure I'm doing some things wrong, but it's all relative & I'm very solid for a tiny home network, and that's due in part to all the different tools that I run.
38 • OpenBSD and isolation (by Ben on 2016-12-25 22:52:33 GMT from Canada)
@36: >> "Firejail, Cappsule, or any other "sandboxing" tool, may be interesting to implement the concept of "security by isolation". But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD (which emphasizes correctness, proactive security, integrated cryptography, and standardization"
Assuming you were not joking, I see a pretty big flaw in that reasoning. OpenBSD only practises active security, code audits and correctness on the base OS, not OpenBSD's ports/packages. Running Firefox (for example) on OpenBSD is not any more secure, really, than running Firefox on Debian. It's not any harder to compromise your web browser on OpenBSD than it is on, say, Fedora. The same applies to almost every desktop application or service you plan on running on OpenBSD that is not in the default installation.
So the key question then becomes; What happens after your attacker takes over your web browser? If it's sandboxed with Firejail or SELinux, then the attacker is pretty much stuck. They can read a bunch of files, but they should otherwise be unable to harm your OS or user's files. Without isolation (as on OpenBSD) then the attacker, having taken over your browser, has access to do whatever they like on your account. At that point, having a secure base OS does not do you a lot of good because the attacker has (unrestricted) access to run their code under your account.
I greatly respect the work OpenBSD devs do on their operating system and I'd like to see more Linux distros do the same. But the security of correctness OpenBSD offers doesn't help you much if the software that is being attacked is installed from their ports collection.
39 • @34 • Ultimate security (by Marco on 2016-12-27 16:10:04 GMT from United States)
@34 Ultimate security: no HD, just run from DVD - slow but sure.
I know you were joking, but my father used to attract all sorts of malware on his Windows computer. I never converted him to Linux, but I did persuade him to only do his on-line banking off a live Linux DVD image.
40 • OpenBSD/Linux security (by Jordan on 2016-12-27 16:10:44 GMT from United States)
Has anyone posting here ever had their computer taken over and had code run via the browser, etc?
I've seen various virus and malware in the news, but never have I seen or heard of a non-Windows computer being hijacked, with the notable exception of for testing purposes by the owner or commissioned tester of the machine.
But I've only been with Linux since 1996.
41 • System security (by Jesse on 2016-12-27 16:47:04 GMT from Canada)
>> "Has anyone posting here ever had their computer taken over and had code run via the browser, etc? "
@40: While I have not had my machine compromised this way, I have been called in to clean up a few. Generally, I am interested in fixing things rather than figuring out exactly what went wrong, but I suspect the Linux boxes I have cleaned up were originally compromised through network services like OpenSSH.
If you're interested strictly in browser compromises, you might want to check out the pwn to own competition as the systems tested are often taken down using browser exploits: https://en.wikipedia.org/wiki/Pwn2Own
>> "I've seen various virus and malware in the news, but never have I seen or heard of a non-Windows computer being hijacked"
Do you mean by people you know personally? There are often reports of macOS or Linux exploits being used in the wild. Particularly against Linux servers.
42 • Linux hacking (by speaking from experience on 2016-12-27 23:59:14 GMT from United States)
@40 "Has anyone ever had their computer taken over"
Against Windows hackers can use malware that ppl download from the web. But against other OSs where malware is not so prevalent - like Linux - hackers can exploit wireless hardware and software insecurities to capture your login password. One key insecurity is that your wireless is always "on" unless both hardware and software switches are turned off. Attacks can include wireless sniffing, MAC address scanning, port scanning, fake ap's, etc. If they can't get at your computer directly, they can always hack nearby devices - like routers, mobile phones, CCTV cameras, etc - and then target your computer from them. When they get your login password they can then hack your wifi or bluetooth, login, and copy whatever data they want.
Ironically, Linux security distros - like Qubes and TAILS - focus on malware protection mainly coming from the Internet, because they want to promote their OS's as Windows alternatives. But malware is old school, and wireless sniffing and hacking - usually before you even connect to the Internet - is new school (just look at all the wireless exploit tools available). So don't expect any Linux security distro to protect you against persistent hackers.
43 • Attacks on Unix (by M.Z. on 2016-12-28 00:44:17 GMT from United States)
In addition to server systems being commonly targeted (mostly through unpatched software), there have been many attacks on another Unix-like desktop system, namely Mac OS X. If you know a bit about the Unix family tree you may know that modern Mac systems are basically a modified version of BSD. I don't think the infections have reached the same proportions on Mac as they have on Windows, but there have been compromises that have affected many thousands of machines. This sort of thing is far more rare on Linux and BSD proper, but I've heard of Linux machines being hit, so it can happen. That's why I think tools like firejail and SELinux are so valuable, they provide different ways to defend against and limit the damage of a serious compromise and create multiple potential barriers to attack. Of course that's just what I recall from reading up on that sort of thing on occasion, I've gotten an occasional paranoid feeling but never seen any real damage or serious problems since I've been using Linux.
44 • @40 Has a web browser ever hijacked my computer and run code (by imnotrich on 2016-12-28 06:50:08 GMT from Mexico)
Yes, sort of.
Google Chrome, and more recently Firefox offer a browser sync feature that syncs history, bookmarks, home page and other stuff across multiple computers.
With Chrome if you have a gmail account sync is forced on you. With FF you have to opt in.
Anyway, not so long ago running Chrome on my W7 laptop a website was able to change my home page to a Windows .exe file, but that fact was hidden from me: in the address field I still saw www.google.com.
A day or two later I booted up the Linux partition of my W10/Linux desktop and noticed Chrome trying to connect to a Windows .exe file as my home page. Thanks to this helpful "sync" feature I was able to intercept the attack before it did any damage, but it won't be long before evil bad people figure out how to successfully exploit this sync feature from one platform to another.
45 • Attacks on Linux (by Jordan on 2016-12-28 14:36:51 GMT from United States)
Thanks for the responses to my query. I understand the server hacks, as unix based servers are more common out there. But I'm wondering if *users* at their desktop machines/laptops, on a Linux distro, have ever seen their systems compromised, personally. Their own computer. I've never seen it in twenty years of using distros with all manner of browsers and open ports, etc.
46 • @45 (by Ricardo on 2016-12-28 20:30:44 GMT from France)
As a home user, there are quite few chances you'll see an attack on your computer in your life.
On a server, it's another story.
47 • @45 (by Ricardo on 2016-12-28 20:40:34 GMT from France)
I talked about Linux of course, not Windows.
48 • Best Linux Desktop 2016, thoroughly reviewed. (by Greg Zeng on 2016-12-29 05:25:24 GMT from Australia)
"Best Linux Desktop 2016", quidsup 7':12".
"Published on Dec 27, 2016
Looking back at my Top 3 Favourite Linux Distributions that I reviewed in 2016, which includes a selection for new and advanced users." (from 21 reviewed)
He summarizes many detailed examinations in the last few weeks of full testing, with clear, detailed on-screen examples of his reasons. Generally myself and most others agree with his choices and biases. Of course the emotional fan boys give their own narrow opinions in the following comments to his videos.
1) KDE NEON (Kubuntu based) 4'28"
2) UBUNTU MATE (Ubuntu-based) 1'59"
3) LINUX LITE (Xubuntu 16.04 based), 0'15"
I gave further opinions of my own, on his YouTube page.
49 • Kodachi or TAILS? (by Dave Postles on 2016-12-30 11:44:25 GMT from United Kingdom)
Would appreciate comments on the relative merits.
50 • Re: Kodachi_or_TAILS? (by k on 2016-12-31 07:13:14 GMT from Finland)
@49 by Dave Postles
Not having used or being familiar with Kodachi, I right away tried to compare
package lists -- just see if it is worth downloading, verifying ISO and testing
Kodachi --, as there are certain packages needed.
But, starting from TAILS page of Distrowatch, and trying the "compare packages"
tool, Kodachi does not appear in the pull down menu.
Best wishes to all for 2017, and beyond.
51 • Re: Kodachi_or_TAILS? (by k on 2016-12-31 07:39:07 GMT from United States)
Again @49 by Dave Postles
Starting from Linux Kodachi page of DW, one can use DW's "compare packages" tool
to compare full package lists of Kodachi and Tails.
The old Tails USB with persistence has worked really well for several years now, and
even on 32-bit UEFI with 64-bit processor, using hosts' hard disk(s) for more capacious
long-term storage, but welcome some experiential knowledge from others.
52 • Kodachi packages (by Jesse on 2016-12-31 13:34:01 GMT from Canada)
>> "But, starting from TAILS page of Distrowatch, and trying the "compare packages"
tool, Kodachi does not appear in the pull down menu."
@50: Yes, Kodachi is listed, but it is listed under its proper name, Linux Kodachi. https://distrowatch.com/dwres.php?firstlist=tails&firstversions=0&resource=compare-packages&secondlist=kodachi
53 • Linux Mint 18.1 (by Landor on 2016-12-31 19:24:33 GMT from Canada)
Quite some time ago I was forced to install a "simplistic" distribution for someone, I chose Linux Mint 13 Mate Edition. Recently due to an update their wifi went for a dump. Instead of fixing the problem as 13 is closing in on its end of life, I did the upgrade to 17.3 and here I am typing it on this. I don't follow Linux as keenly as I once did, Gentoo works on what I use and that's enough to know for me. A look here showed me though that not only is 18 released, but now 18.1. Interesting that there is no upgrade to this release. Yet anyway.
@5 Good to see an old face/name kicking around. :) Happy New Year
Enjoy your distribution testing everyone. I for one am glad to see DW and DWW still going strong!
Keep your stick on the ice...
54 • 53 • Linux Mint 18.1... old timers ... Eventually. (by Greg Zeng on 2017-01-01 02:55:36 GMT from Australia)
"... forced to install a "simplistic" distribution for someone ... their wifi went for a dump"
Another old timer myself, so busy that I never published my works properly, anywhere. On updating any Linux operating system:
All Ubuntu-based operating systems (including Mint 18.1) eventually become "old" and "stale". In Linux, the easiest, simplest cure is just upgrading the Linux kernel. No need to change anything else. This then prevents malware created by past errors, bad hardware, updated hardware (poor drivers for new wifi, in this specific case), etc.
Ubuntu-based distros are days ahead of the other "leading" Linux distributions: Arch, and Arch-based. We have the advantage of pre-compiled, ready-to-install files, for a quick, immediate upgrade into the new kernel.
Using grub-customizer, we can then have an easy menu choice into any Linux kernel, at boot-time. These kernels could be old, the latest stable kernel, or any of the proposed Linux kernels. This has been frequently mentioned by myself here in DW and elsewhere on the internet. Unfortunately DW makes it extremely difficult to url the DW mentions that I have made on this easy solution to aging, atm.
55 • @54 (by Ricardo on 2017-01-01 14:42:11 GMT from France)
> "Ubuntu-based distros are days ahead of the other "leading" Linux distributions"
I hope you're joking because this is quite false... If not, you must have some problems, or you are just a hard Ubuntu fanboy, with all the exaggerations, nonsense etc. corresponding to this unhappy "state"...
Number of Comments: 55