DistroWatch Weekly
DistroWatch Weekly, Issue 1028, 17 July 2023
Welcome to this year's 29th issue of DistroWatch Weekly!
We live in an interconnected world. So much of our lives happen on-line these days - whether it's shopping, communicating, consuming entertainment, or learning. With interactions happening increasingly on-line it is useful to be able to share information between devices. We begin this week with a look at KDE Connect, an application which runs on virtually any device to allow multiple computers and smart phones to share files, notifications, photos, and text messages. Read on to learn more about KDE Connect and how to perform basic actions with this software. Do you use KDE Connect or a similar application to link together personal devices? Let us know in this week's Opinion Poll. Last week the Linux community continued to react to Red Hat's announcement that the company would no longer publicly share its source code. Both Oracle and SUSE have responded with plans to assure their customers and offer alternatives to Red Hat Enterprise Linux (RHEL). Meanwhile the AlmaLinux team, which publishes a clone of RHEL, are adjusting their mission goals slightly. We also report on the KaOS team addressing an issue with last month's snapshot of their independent distribution as Slackware Linux turns 30 years old. Then, in our Questions and Answers column, we talk about immutable distributions and how these read-only platforms apply software updates. Plus we are pleased to share the releases and torrents of the past week. We wish you all a wonderful week and happy reading!
Feature Story (by Jesse Smith)
KDE Connect on phones and desktops
KDE Connect is an application which can run on a wide variety of platforms, including Linux desktop distributions, Android mobile devices, Sailfish, Windows, macOS, and iOS. Typically KDE Connect is used to link a mobile device and a desktop machine, allowing them to share information, services, and files. For example, we might install the software on an Android phone and a Linux desktop, providing a bridge between the two devices. However, KDE Connect can also be used to join two or more of virtually any type of device, including linking one laptop to another, linking two phones, or a workstation with a phone.
I was recently asked about the capabilities of KDE Connect. Specifically the person wanted to know if it would be possible to set up a job (crunching numbers or compiling software) running on a workstation and then use KDE Connect to send a notification to a mobile device when the task was completed. This is possible - I'll share an example in a moment - and I also want to share some of the other ways in which KDE Connect can be a helpful tool when used to link two (or more) devices.
Installing and connecting
Installing KDE Connect is typically quite easy. Most Linux distributions include the KDE Connect software in their repositories. Android users can find the app through Google's Play store and F-Droid, iOS users can find it in the App Store, and Windows users can access it through the Microsoft Store. Despite the application's name, KDE Connect is not dependent on the KDE Plasma desktop and can be run from any Linux desktop environment. People who want to avoid KDE dependencies can even install a related tool called GSConnect which is intended to integrate with the GNOME Shell desktop. I will be focusing on using the KDE Connect application (and command line tools) on a desktop Linux distribution and the mobile version of the service on Android for the purposes of this article.
Once the software is installed it will either run quietly in the background automatically, or it can be started by launching the KDE Connect application from the device's application menu. At this point that's usually all the preparation we need to do. However, if your device is running a firewall, it will be necessary to open network ports 1714 through 1764 for both TCP and UDP (device discovery uses UDP broadcasts on the local network, the device-to-device sessions use TCP), and it is worth scoping that rule to your home or office network interface rather than opening the range on every network the machine joins. The KDE documentation has an overview of how to open network ports using a variety of firewall utilities; firewalld, for instance, ships a predefined kdeconnect service for exactly this purpose.
KDE Connect -- Linking to a new mobile device from the desktop
(full image size: 25kB, resolution: 900x500 pixels)
To link any two devices so they may communicate with each other and share information we open the KDE Connect application (on either device). On the desktop version of the application we will see a list of detected devices on our network. We can then select a device and click the button labelled "Pair". On the other device we should see a notification which asks if we'd like to accept a new connection and the name of the device initiating the link. Tapping the Accept button links the two devices. Pairing is the trust decision in KDE Connect: each side stores the other's self-signed TLS certificate and all later traffic between the pair is encrypted with those certificates. Any device on the local network can send a pairing request, so only accept one whose device name you recognise and, ideally, one you initiated yourself.
On the mobile version of KDE Connect, when we open the application we want to visit the menu in the upper-left corner of the app. Then select the entry labelled "Pair new device" and select the name of the remote computer to which we want to link. Again, on the other device, a notification will appear letting us know we can accept an incoming connection.
KDE Connect -- Finding new devices from the mobile app
(full image size: 123kB, resolution: 1440x960 pixels)
From that moment onward, any time both devices are on the same network, they should automatically detect each other and synchronize information between them.
Configuring modules
Once we have linked two (or more) devices together, the next thing we should do is decide which plugins we want to enable. KDE Connect's capabilities are delivered through a series of plugins and we can enable or disable these plugins as a way to determine which features our devices can access. This is important because we may want our devices to be able to share files, but not remotely control our camera, or we might want to be able to send SMS messages from our desktop computer, but not share a clipboard, since anything sensitive we copy (a password taken from a password manager, for example) would travel to every linked device.
KDE Connect -- Enabling plugins through the desktop application
(full image size: 88kB, resolution: 949x664 pixels)
To see which plugins are enabled on your desktop machine, launch the KDE Connect Settings application. Down the left side of the window we find a list of linked devices. Over on the right there is a list of modules. We can check a box next to each module we want to enable. By default, KDE Connect tends to enable most plugins - sharing a clipboard, battery level information, disabling the media player during phone calls, and allowing us to send SMS messages from the desktop.
I think it's worth considering these options carefully. It's certainly useful to be able to remotely control the volume settings on your computer and share notifications across all devices, but if you share your phone with anyone else in your household you might not want to let them blast your speakers or see e-mail notifications from your boss. The same goes for the remote input and run-command plugins, which let a paired phone type on your desktop or launch the commands you have configured on it.
When using the mobile version of KDE Connect, you can determine which plugins are enabled by opening the KDE Connect app. Then select the linked device for which you want to enable plugins. Tap the menu in the upper-right corner and select Plugin Settings. This will bring up the same (or a similar) list of available features which can be toggled on/off.
KDE Connect -- Enabling plugins through the Android app
(full image size: 267kB, resolution: 1440x2960 pixels)
Share files
One of the main reasons I use KDE Connect is its ability to share files between devices. From my Android phone I can select any photo or file I wish, tap the share button, and then select my desktop computer from the list of possible destinations. It's quite a straightforward experience and works just like sending a file over text messaging or Bluetooth.
KDE Connect -- Sharing a file from the desktop application
(full image size: 29kB, resolution: 900x500 pixels)
From my desktop machine there are two approaches I can take to share a file. One is to open the KDE Connect application. I then select my phone from the list of linked devices available and click the Share File option on the right side of the window. Then I can browse for the target file. Alternatively, if I have the KDE Connect icon in my system tray, I can right-click on it, select the name of the device to receive a file, and then pick "Send a file/URL" from the menu that comes up. Then, once again, I can browse to the file I wish to send, or paste a URL into the box to send a link my phone can open.
There is also the option of right-clicking on the KDE Connect icon in the system tray, selecting a target device and choosing "Browse Device". This will open a file manager which can navigate the phone's filesystem. It's a handy way to find, transfer, or delete multiple files on the mobile device.
Sending and receiving text messages
Another key reason I enjoy KDE Connect is that the desktop version includes an SMS messaging client which can operate when linked to a phone. Launching the KDE Connect SMS application displays a list of active message threads on the linked phone. We can then click on a message thread to read its entries and send texts. When new messages come in, we're shown a desktop notification. We can click a button in the notification to reply. This means I can correspond with people through SMS texts without picking up my phone or switching between windows; I just need to click the incoming notification bubble.
KDE Connect -- Responding to text messages from the desktop
(full image size: 36kB, resolution: 800x600 pixels)
Media control
Another handy feature KDE Connect offers is the ability to remotely control a media player running on another device. For example, if I have an audio player or a movie playing on my laptop, a notification will appear on my phone's screen showing the name of the video or track being played. Tapping this notification opens a simple remote control where I can see how far along the track is and my volume level, along with buttons to pause/play and skip the track. This allows us to jump through the track or switch to a different song or video from anywhere the local wireless network reaches.
KDE Connect -- Remotely controlling my desktop's media player from the Android app
(full image size: 110kB, resolution: 1440x2960 pixels)
Sharing clipboards and notifications
The sharing of notifications between devices, when enabled on the plugin page, happens automatically. This allows one device to send any desktop (or home screen) notifications to other linked devices.
For the most part, sharing a clipboard happens the same way from a desktop user's point of view. When we copy text on a desktop machine, it's automatically sent to the clipboard on linked devices. We can then paste text on another laptop or mobile device and it will automatically use the clipboard text sent from the desktop machine.
There is an extra step when data flows in the other direction. When we are using a mobile device we first need to copy text to the clipboard and then open the KDE Connect app. From within the mobile app tap the button labelled "Send clipboard" to transfer data to the linked device.
Send notification of an event
The original question I set out to answer was whether it was possible to monitor a task in progress on a workstation and then send a notification to the user's phone when the task completes. While KDE Connect won't monitor tasks, it can be used to send notifications and we can choose when those notifications are sent.
To do this, we should first find the name of devices linked to our workstation. We can do this using the kdeconnect-cli command line program:
$ kdeconnect-cli --list-devices
- Galaxy S9: 8f420d3562d61339 (paired and reachable)
In the above example we can see there is one device linked to our workstation, a Galaxy S9 phone running Android. Its name is "Galaxy S9" and its unique identifying code is "8f420d3562d61339". We can then send a notification to the remote phone by telling kdeconnect-cli which device to address, either by name (with "--name") or, more reliably since names need not be unique, by ID (with "--device"), and which message to display. Specific messages are sent using the "--ping-msg" parameter.
In the following example we run the make command to compile a program and then run kdeconnect-cli to notify our phone when the compile job is finished. On the command line we specify the message to send along with the name of our device which we found in the previous step. Note that the semicolon runs the second command regardless of whether make succeeded; replace it with "&&" if the message should only be sent on success.
$ make ; kdeconnect-cli --ping-msg "Task complete" --name "Galaxy S9"
This gives us a good degree of flexibility as we can receive a notice from anywhere on the network when any task or scheduled event occurs.
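A small wrapper for the pattern above, added here as an example and not part of KDE Connect or of the article's original commands. It assumes KDECONNECT_DEVICE holds the device ID from --list-devices (the Galaxy S9's 8f420d3562d61339 in the listing above) and uses the same --ping-msg mechanism; the KDECONNECT_CLI variable exists only so the sender can be swapped for a stub. Unlike the one-liner, it reports whether the job succeeded and how long it took, addresses the phone by ID rather than by name, and hands the job's exit status back to the caller:

```shell
#!/bin/sh
# Run a job and push its outcome to a paired phone with kdeconnect-cli.
# Added example; not part of KDE Connect. Assumptions: KDECONNECT_DEVICE holds
# the device ID shown by `kdeconnect-cli --list-devices`, and KDECONNECT_CLI
# names the sender (defaults to kdeconnect-cli; a stub can be substituted).
KDECONNECT_CLI=${KDECONNECT_CLI:-kdeconnect-cli}

# format_message NAME STATUS ELAPSED: the one line that will appear on the phone.
# Keep it free of paths and error text; it may be shown on a lock screen.
format_message() {
    if [ "$2" -eq 0 ]; then
        printf '%s finished OK after %ss' "$1" "$3"
    else
        printf '%s FAILED (exit %s) after %ss' "$1" "$2" "$3"
    fi
}

# run_and_notify COMMAND [ARGS...]: run the command, send one ping describing
# the result, and return the command's own exit status so it can be chained.
run_and_notify() {
    start=$(date +%s)
    status=0
    "$@" || status=$?
    elapsed=$(( $(date +%s) - start ))
    msg=$(format_message "$1" "$status" "$elapsed")
    if [ -z "$KDECONNECT_DEVICE" ]; then
        echo "warning: KDECONNECT_DEVICE not set; result: $msg" >&2
    # Address the phone by ID (-d/--device): device names need not be unique.
    elif ! "$KDECONNECT_CLI" --device "$KDECONNECT_DEVICE" --ping-msg "$msg" >/dev/null 2>&1; then
        echo "warning: could not notify $KDECONNECT_DEVICE; result: $msg" >&2
    fi
    return "$status"
}

# Example: KDECONNECT_DEVICE=8f420d3562d61339 run_and_notify make -j4
```

After sourcing the file, a build is started as KDECONNECT_DEVICE=8f420d3562d61339 run_and_notify make -j4. The message text is built in its own function so it is easy to keep hostnames, paths and compiler errors out of something that will be displayed on a phone screen; a failed delivery (phone off the network) is reported on stderr rather than swallowed.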
Miscellaneous News (by Jesse Smith)
Oracle responds to Red Hat's source code policy change, SUSE plans to fork Red Hat Enterprise Linux, AlmaLinux changes its mission focus, KaOS releases install media fix, Slackware turns 30
For several years Oracle has maintained a clone of Red Hat Enterprise Linux which, in its current form, is called Oracle Linux. When Red Hat eliminated public access to its source code in June many people saw it as a way for the company to cut off Oracle's ability to repackage, customize, and release their own clone of Red Hat's distribution. Oracle has since responded and, in an unusual move for the company, taken a stance of promoting openness and collaboration while offering to do their best to keep Oracle Linux binary compatible with Red Hat Enterprise Linux: "As for Oracle, we will continue pursuing our goal for Linux as transparently and openly as we always have while minimizing fragmentation. We will continue to develop and test our software products on Oracle Linux. Oracle Linux will continue to be RHEL compatible to the extent we can make it so. In the past, Oracle's access to published RHEL source has been important for maintaining that compatibility. From a practical standpoint, we believe Oracle Linux will remain as compatible as it has always been through release 9.2, but after that, there may be a greater chance for a compatibility issue to arise. If an incompatibility does affect a customer or ISV, Oracle will work to remediate the problem." The company has also offered to help independent software vendors, who usually test their products on Red Hat Enterprise Linux clones, maintain their software on Oracle Linux.
* * * * *
In the wake of Red Hat cutting off public access to their Red Hat Enterprise Linux (RHEL) source code, SUSE has announced the company is making a fork of RHEL. "A key priority is to continue to provide choice for customers. SUSE announced today we will build, support and contribute a hard fork of the RHEL codebase to the community. This is what we excel at, and it will give long-term compatibility and choice for customers. The best way to explain this is by the following comparison:
If you are a mobile phone user, you want the ability to switch telco provider while keeping your number, to maximize the value you are consuming.
Equally, as an Enterprise Linux user, you can switch to SUSE while keeping your existing Linux. At SUSE, we are experts at providing enterprise value to users of open source software in a highly competitive way without compromising what is important to customers."
It seems the company's plan is to maintain a fork of RHEL and attempt to keep it as binary compatible as possible to Red Hat's offering. This should allow people running RHEL or its clones to migrate their applications and services seamlessly to SUSE's offering without worrying about future access to source code or support options.
* * * * *
The AlmaLinux team have announced a change in their mission following the announcement Red Hat would no longer be making its source code for Red Hat Enterprise Linux (RHEL) available to the public. The project is still aiming to be compatible with RHEL, but is no longer striving for 1:1 (bug-for-bug) compatibility. "For a typical user, this will mean very little change in your use of AlmaLinux. Red Hat-compatible applications will still be able to run on AlmaLinux OS, and your installs of AlmaLinux will continue to receive timely security updates. The most remarkable potential impact of the change is that we will no longer be held to the line of 'bug-for-bug compatibility' with Red Hat, and that means that we can now accept bug fixes outside of Red Hat's release cycle. While that means some AlmaLinux OS users may encounter bugs that are not in Red Hat, we may also accept patches for bugs that have not yet been accepted upstream, or shipped downstream." The announcement offers additional details.
* * * * *
The KaOS team have identified an issue with the project's 2023.06 install media and quickly released a fix in the form of KaOS 2023.07. The issue affected systems running non-free NVIDIA drivers; other users should be unaffected. "This July release is a quick update from the June release a little over a week ago. A major issue was found on that ISO with the use of non-free NVIDIA, resulting in systems not booting, thus a new ISO is needed right away." Additional information on the 2023.07 media and changes arriving in the KaOS distribution can be found in the project's announcement.
* * * * *
The Slackware Linux project is the world's oldest surviving Linux distribution. Slackware, which is still actively maintained and is well regarded for its unusual level of stability, celebrated its 30th birthday this week: "Hey folks! It's time to acknowledge another one of those milestones... 30 (!) years since I made the post linked below announcing Slackware's first stable release after months of beta testing. Thanks to all of our dedicated contributors, loyal users, and those who have helped us to keep the lights on here. It's really been a remarkable journey that I couldn't have anticipated starting out back in 1993. Cheers!" Happy birthday, Slackware!
* * * * *
These and other news stories can be found on our Headlines page.
Questions and Answers (by Jesse Smith)
Security and immutable distributions
Unable-to-write asks: My understanding is that immutable distributions have a read-only filesystem. If that's the case then doesn't that mean software is left unpatched and vulnerable? Is running an immutable distro a security risk?
DistroWatch answers: You're correct that immutable distributions have a read-only root filesystem. In other words, the core of the system is typically run in read-only mode to make sure it is not modified. The core of the operating system is typically treated as a single, whole piece. This core can be tested, transferred, and installed as one atomic component. This helps with quality assurance because everyone using the same version of the distribution should be running the same software with the same configuration.
An immutable operating system can also improve security since the core system cannot be casually modified. Malware or exploit payloads which try to persist by overwriting system binaries or editing the core system's configuration will fail against the read-only filesystem, and drift from the tested image is easy to spot because every installation of a given version is supposed to be byte-for-byte the same. The protection has limits worth knowing: a read-only mount does nothing against an attack that runs entirely in memory, a process which already has root privileges can usually remount the filesystem read-write, and the writable areas (such as /var and the home directories) remain available for persistence. The stronger immutable designs therefore also verify the image at boot, with signed images or dm-verity for example, so that a tampered copy is refused outright rather than merely inconvenient to produce.
As to the idea an immutable distribution will be unpatched or vulnerable to old exploits, this is happily not the case. The core system is read-only while it is running, but it can still be upgraded. An upgrade is typically achieved by fetching a new copy of the core system, rebooting, and swapping out the old version of the system for the new one we downloaded. This allows us to keep the core system up to date with patches while leaving the main filesystem read-only while the distribution is running.
People who have run most mobile operating systems, such as Android or UBports, will have seen this approach to updating the operating system in action. Typically, once a month, a new version is released with fixes and security patches. The phone downloads the new version, reboots, and applies the new core image over top of the old one. When the phone finishes booting, its root filesystem is once again read-only.
I'd also like to point out that most immutable operating systems only make the core system (the low-level components like the common command line tools, kernel, and essential services) read-only. Desktop applications and other add-ons are almost always installed as portable packages or containers to parts of the filesystem which can be updated without restarting the computer. This means end-user applications can almost always be updated easily through the package manager whenever the user wishes without requiring a reboot.
This approach to updating applications can be seen on projects like UBports using the software centre, Android using the software store, Fedora Silverblue via Flatpak packages, and Ubuntu's Core edition using Snap packages. These are all immutable operating systems that offer a read-only core and still allow the user to both install and upgrade applications at will. This is possible because key parts of the filesystem (typically the user's home directory and /var) are set up to be writable.
The idea is for just the core system, the parts needed to boot and run common tasks on the operating system, to be read-only. To change the core system usually requires a reboot to overwrite the old system image with an update. The user's data and desktop applications are usually stored in an area that can be modified and these applications can be updated as desired without a reboot.
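To make the update mechanism concrete, here is an A/B slot update written in shell. It is added for this answer and is not taken from any distribution's tooling; the directory layout, the sha256 manifest and the "active" pointer file are assumptions of the example (real systems keep the active-slot pointer in bootloader variables or, on OSTree-based distributions, in the deployment list, and check signatures rather than bare hashes). It shows the three properties the answer relies on: the running slot is never written, a new image is verified before it can be selected, and the switch itself is a single atomic rename, so an interrupted update leaves the old system bootable:

```shell
#!/bin/sh
# A/B image update, the pattern behind "read-only root, still patchable".
# Added example for this answer, not code from any distribution. Assumed layout:
# two system-image slots under $ROOT/slots/A and $ROOT/slots/B, and a small
# file $ROOT/active naming the slot the bootloader would start next.

ab_init() {                       # ab_init ROOT: empty slots, slot A active
    mkdir -p "$1/slots/A" "$1/slots/B"
    printf 'A' > "$1/active"
}

ab_active() { cat "$1/active"; }  # ab_active ROOT -> A or B

ab_inactive() {                   # ab_inactive ROOT -> the slot an update may use
    case "$(ab_active "$1")" in
        A) echo B ;;
        *) echo A ;;
    esac
}

# ab_stage ROOT IMAGE_DIR MANIFEST: copy a new image into the inactive slot and
# check every file against a sha256 manifest (a real system would also check a
# signature on the manifest). The active slot is never touched; if the check
# fails the staged copy is discarded and 1 is returned.
ab_stage() {
    root=$1; image=$2; manifest=$3
    target="$root/slots/$(ab_inactive "$root")"
    chmod -R u+w "$target" 2>/dev/null; rm -rf "$target"; mkdir -p "$target"
    cp -R "$image"/. "$target"/
    if ! ( cd "$target" && sha256sum -c "$manifest" ) >/dev/null 2>&1; then
        chmod -R u+w "$target"; rm -rf "$target"; mkdir -p "$target"
        return 1
    fi
    chmod -R a-w "$target"        # the staged image is read-only from now on
}

# ab_activate ROOT: switch to the staged slot with one atomic rename, so a crash
# leaves either the old pointer or the new one, never a half-written file.
# Refuses to select an empty slot. Running it again is the rollback.
ab_activate() {
    root=$1
    slot=$(ab_inactive "$root")
    [ -n "$(ls -A "$root/slots/$slot")" ] || return 1
    printf '%s' "$slot" > "$root/active.tmp" && mv "$root/active.tmp" "$root/active"
}
```

Rollback is the same pointer flip aimed at the previous slot, which is why these systems keep the old image around until the next update has been staged and verified. The reboot the answer mentions is the moment the bootloader reads the new pointer; nothing in the running slot changed before it.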
* * * * *
Additional answers can be found in our Questions and Answers archive.
Released Last Week
Void 20230628
The Void team have announced a new snapshot of their rolling release distribution. Void features an unusual combination of init (runit), package manager (XBPS), and multiple options for C libraries. The project's release announcement reports: "Some highlights of this release: Installing using the network source no longer fails to create the non-root user. The xbps mirror can now be selected in the installer using xmirror. The Xfce live ISO now uses LightDM. GRUB will no longer fail to be installed in some partition layouts/orders. Various improvements to the installer. Xfce live ISOs now use PipeWire for audio, and base ISOs now include ALSA. Live ISOs now include several new boot options, including screenreader-enabled, memtest86+, reboot, shutdown, and EFI firmware setup. The console screenreader espeakup, the braille TTY driver brltty, and the GUI screenreader orca are now included in all live ISOs for x86_64 and i686. To learn more about this, read the documentation in the Void Linux Handbook."
Void 20230628 -- Running the Xfce desktop
(full image size: 815kB, resolution: 1920x1080 pixels)
pfSense 2.7.0
pfSense is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. pfSense 2.7.0 ships with improvements to firewall performance, fixes some UPnP issues related to running multiple gaming systems on the same network, and upgrades OpenVPN. "Captive portal and limiters moved from ipfw to pf: pf is the default packet filter in pfSense software. These changes leverage L2 features previously added to pf and upstreamed to FreeBSD, and improve performance and stability of the captive portal by eliminating the need for packets to traverse both pf and ipfw. UPnP and multiple game systems: A fix has been added to address an issue with UPnP and multiple game systems. This resolves the problems some game systems experienced connecting to the internet when UPnP was enabled and multiple consoles are in use. New gateway state killing options: These options give the user more flexibility in how the firewall decides to kill states automatically during failover events and also adds several new manual ways to selectively remove states. Improved Firewall/NAT rule usability: The Firewall/NAT rule interface has been improved to make it easier to create and manage rules. This includes new buttons to toggle multiple rules and copy rules to other interfaces." These, and other changes, are detailed in the release announcement and in the release notes.
IPFire 2.27 Core 176
IPFire is a Linux distribution that focuses on easy setup, good handling and high level of security and is mostly used on routers and firewalls. The project's latest release focused on bug fixes and minor upgrades, including fixing IPsec certificate generation in some situations. The release announcement shares the highlights: "An edge case related to bug #13138, which caused IPsec root/host certificate generation to fail on the first attempt only, has been fixed. While editing OpenVPN static IP address pools, spaces are now handled correctly again. udev rules for LVM volumes have been fixed, allowing for configured LVM volumes to start properly on boot again. Remove entries for additional mass storage via the web interface of the ExtraHD add-on have been fixed, partially resolving #12863. Filesystem journal features are now always enabled for cloud images, and as soon as a disk with SMART support is detected. misc-progs, the safety net between IPFire's web interface and the core system, have been improved under the hood to allow for better return code enumeration. Stéphane Pautrel has contributed improvements to the French translation of IPFire's web interface."
Linux Mint 21.2
The Linux Mint team have announced the release of Linux Mint 21.2 "Victoria" which is based on Ubuntu 22.04 and offers support through to the year 2027. The new release includes a number of improvements to the login screen, Flatpak packages can now be included as Featured items in the software centre, and the layout of the Pix application has been overhauled. "Slick Greeter, which is in charge of the login screen, was given support for multiple keyboard layouts. The indicator located on the top-right corner of the screen opens a menu which lets you switch between layouts. System layouts defined in /etc/default/keyboard are listed first for easy access. Below that a sub-menu lists all supported layouts. Touchpad support was also improved. Tap-to-click is detected and enabled automatically in the login screen. The layout used for Onboard, the on-screen keyboard is configurable. The keyboard navigation was improved. The arrow keys can be used to edit the password which is being typed. A revealer icon appears when the password is clicked or edited. This revealer can be used to toggle the visibility of the password. Among other small improvements Slick-greeter also received support for Wayland sessions, LXQT/Pademelon badges and a scrollable session list." The release announcements for each edition (Cinnamon, MATE, Xfce) offer additional information.
Linux Mint 21.2 -- Running the Cinnamon desktop
(full image size: 676kB, resolution: 1680x1050 pixels)
* * * * *
Development, unannounced and minor bug-fix releases
Torrent Corner
Weekly Torrents
The table below provides a list of torrents DistroWatch is currently seeding. If you do not have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.
Archives of our previously seeded torrents may be found in our Torrent Archive. We also maintain a Torrents RSS feed for people who wish to have open source torrents delivered to them. To share your own open source torrents of Linux and BSD projects, please visit our Upload Torrents page.
Torrent Corner statistics:
- Total torrents seeded: 2,887
- Total data uploaded: 43.4TB
Upcoming Releases and Announcements
Summary of expected upcoming releases
Opinion Poll (by Jesse Smith)
Linking together multiple devices with KDE Connect
We started this week with a look at KDE Connect, an open source tool for linking together multiple desktop and mobile devices, regardless of which operating system they are running. We'd like to hear whether you run KDE Connect or another utility to link together your various devices. Let us know your favourite solutions for sharing files and other resources in the comments.
You can see the results of our previous poll on filesystem mount flags in last week's edition. All previous poll results can be found in our poll archives.
Linking together multiple devices with KDE Connect
- I use KDE Connect: 294 (25%)
- I use GSConnect (or another KDE Connect-based alternative): 38 (3%)
- I use an unrelated utility to link together devices: 138 (12%)
- I do not link my devices: 638 (54%)
- I do not have multiple computing devices: 65 (6%)
Website News
DistroWatch database summary
* * * * *
This concludes this week's issue of DistroWatch Weekly. The next instalment will be published on Monday, 24 July 2023. Past articles and reviews can be found through our Weekly Archive and Article Search pages. To contact the authors please send e-mail to:
- Jesse Smith (feedback, questions and suggestions: distribution reviews/submissions, questions and answers, tips and tricks)
- Ladislav Bodnar (feedback, questions, donations, comments)
Tip Jar
If you've enjoyed this week's issue of DistroWatch Weekly, please consider sending us a tip. (Tips this week: 0, value: US$0.00)
bc1qxes3k2wq3uqzr074tkwwjmwfe63z70gwzfu4lx lnurl1dp68gurn8ghj7ampd3kx2ar0veekzar0wd5xjtnrdakj7tnhv4kxctttdehhwm30d3h82unvwqhhxarpw3jkc7tzw4ex6cfexyfua2nr 86fA3qPTeQtNb2k1vLwEQaAp3XxkvvvXt69gSG5LGunXXikK9koPWZaRQgfFPBPWhMgXjPjccy9LA9xRFchPWQAnPvxh5Le paypal.me/distrowatchweekly • patreon.com/distrowatch
Reader Comments
1 • Immutable update (by DC on 2023-07-17 00:56:11 GMT from United States)
Rebooting to update an 'immutable' core filesystem sounds like a Windowsy thing to do. Also, updating the immutable filesystem image instead of individual files would be pretty bandwidth intensive I should think.
2 • Slackware (by mnrv-ovrf-year-c on 2023-07-17 00:59:53 GMT from Puerto Rico)
HAPPY 30TH ANNIVERSARY! LONG LIVE THE SLACK! 30 YEARS AND BEYOND!
I have 32-bit v15.0 that I'm rarely going into, and my Slackel installation was performing poorly so I had to set it away for now. I still have Porteus MATE v5 though but want something with more "oomph", not necessarily a rolling release. So I'm a wimp...
I wish I were an intermediate-class developer able to produce useful software. I would use Slackware first of all and nothing else. I'd be one of those guys on that official forum of the distribution. :)
3 • KDEConnect does not connect (by Guido on 2023-07-17 01:05:25 GMT from Philippines)
I use iptables on Manjaro KDE. I try to find my phone, but cannot. Nothing is listed.
The KDE site tells in that case: "sudo iptables -I INPUT -i ...". See the link in the text.
But what is my and where can I find it? Any help?
4 • Security and immutable distributions (by lincoln on 2023-07-17 03:12:27 GMT from Brazil)
@Jesse Smith: "The core of the operating system is typically treated as a single, whole piece. This core can be tested, transferred, and installed as one atomic component. This helps with quality assurance because everyone using the same version of the distribution should be running the same software with the same configuration."
From an attacker's perspective, isn't an immutable distribution preferable? I make an analogy to target shooting: isn't it easier to aim/focus/hit a fixed, immobile, and immutable target than a shapeless (unfixed libraries), moving (smaller, faster updates delivered as soon as available) target like a traditional distribution?
@Jesse Smith: "People who have run most mobile operating systems, such as Android or UBports, will have seen this approach to updating the operating system in action. Typically, once a month, a new version is released with fixes and security patches."
Doesn't this scenario of monthly updates imply that the system is vulnerable for an average of three weeks each month? Considering that, on average, the Linux kernel receives bug fixes weekly (considering the changelog at https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ and semantic versioning at https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/managing_osgi_dependencies/versioning).
I believe that monthly updates for immutable systems should be applied more in the developed world. For example, in Brazil, Android phone manufacturers often release only two or three security updates, or sometimes no security updates at all (the legal warranty mainly covers hardware, and I have never heard of a cell phone manufacturer in Brazil being legally held accountable as a co-responsible party for intrusions due to lack of security updates).
5 • Couldn't use KDEConnect (by Brandon on 2023-07-17 03:33:17 GMT from United States)
I tried KDEConnect a little while ago, but my phone wouldn't show up on the devices list. Oh well, I'll just use my computer the old fashioned way.
6 • Immutable systems (by Bobbie Sellers on 2023-07-17 05:03:28 GMT from United States)
Well, truly immutable systems may have their place, as does Easy OS 5.4, which I have on a 32 GB flash drive that is reconfigured on first boot. It can be plugged into x86 computers if you have access to the BIOS and to the boot list; it runs on the chosen computer and has persistent storage, so that you can do useful work securely. That strikes me as really great, though I am perfectly happy with PCLinuxOS 64.

Other systems that claim an immutable file system but which are subject to updates are just another word for "rolling releases", which I happen to prefer to ISO updates. I used that system on Mandriva as long as it would run on my computer of the time, until 2011, when I could not get it to work nor find competent advice at my then relatively low level of expertise. I am much happier with PCLinuxOS 64, which is of course a rolling release system. Back in the days when Mandriva had failed and I moved to PCLOS 64 it was sort of rough, but a few months later I found that for me system failures of any sort are now quite rare.

The very excellent PCLinuxOS user forum is more like the BBSes I started using with my Amiga 1000 and BBS terminal programs, but even better. The people who stand behind the system are there every day with wise and sound advice, as well as the jokers with their wittiness. Look at my sig file below and you may have an idea why I like it. All my working computers are presently Dell Latitudes. Shortly I will either move to a larger display or more cores.
bliss - Dell E7450- PCLinuxOS 64- Linux 6.4.3- KDE Plasma 5.27.6
7 • Immutable systems (by Robin on 2023-07-17 05:35:02 GMT from United Kingdom)
If you want to see an immutable system done well - take a look at Endless OS.
8 • Immutable OS, on android device (by Hank on 2023-07-17 06:37:52 GMT from France)
People who have run most mobile operating systems, such as Android or UBports will have seen this approach to updating the operating system in action. Typically once a month a new version is released with fixes and security patches. The phone downloads the new version, reboots, and applies the new core image over top of the old one. When you finish booting the phone your root filesystem is read-only.
A phrase is missing, actually two: "If you are lucky." "Not for long, if at all."
My Huawei 9X Pro has never received an update, ever, despite a lot of promises. The hardware is top quality, the OS locked.
In India updates are provided; they are blocked by the OEM for rest-of-world devices.
I loved Huawei device Quality, the service and support is abominable...
9 • Slackware 30 ! (by eb on 2023-07-17 07:10:11 GMT from France)
@2: Off topic, I apologize, but thank you for celebrating this remarkable birthday of Slackware; I have been using it since 2005, and never was disappointed. I can do with it *all* that I want, even recycle my old hardware: I have just transformed a 2006 Mac mini Core Duo into a server that runs fine on the latest release!
10 • @4 • Immutable (by lincoln from Brazil) (by Cubehead on 2023-07-17 08:34:16 GMT from Netherlands)
"From an attacker's perspective, isn't an immutable distribution preferable?"
No. The immutable files are impossible to change during runtime.
"I make an analogy to target shooting: isn't it easier to aim/focus/hit a fixed, immobile, and immutable target than a shapeless (unfixed libraries), moving (smaller, faster updates delivered as soon as available) target like a traditional distribution?"
No. The name "immutable" is misleading if you try to use "common logical reasoning." It is actually a "layered" system. The basic, core system is "immutable," and the applications are in another layer, each in its own container. Most security holes are usually in the applications, and nothing stops Firefox from bringing the updates 221.0.1, 221.0.2, 221.0.3, and 221.0.4 in one day—if necessary. Only the "core" system is replaced in one single step during a reboot.
"Shapless target" is the biggest misconcept since there is an OS, and it makes Linux basically the worst OS ever made and unsuitable for desktop computing. It is conceptually wrong to pull single files (dependencies) from the repository and combine them together into a working system. That misconcept also has another huge issue because installation and uninstallation require different dependencies to be added or removed.
There have been many examples in the past. There were times when removing Xawtv would also uninstall Xorg. Then the user reboots and lands on the prompt. Upon installing Steam, the installer "forgot" to install 32-bit support. One could theoretically still be playing games if only so many of them were not dependent on 32-bit libraries. Recently, someone came to me "crying" because auto-removing Steam left him on the "black screen of death."
"Doesn't this scenario of monthly updates imply that the system is vulnerable for an average of three weeks each month?"
It comes down to what part of the "layered system" is affected. If there is no serious threat to the core system, then updating it once a month (as a general rule) would work fine. If there is a serious vulnerability issue, that schedule can be changed, and an "unplanned emergency update" can be issued—just like Microsoft is doing it too.
It is also important to understand that "immutable" doesn't mean "absolute security," but that it just minimizes the attack surface and improves security and reliability. It doesn't solve all the problems on its own.
That said, if there is some unpatched Xorg vulnerability over the course of 20 years and you build one new immutable Linux image with it every month, the security issue still won't be solved despite updating it every month.
However, there is an important "immutable" advantage. If the core OS gets compromised, one reboot later, and it is clean again—still vulnerable though, but the attacker has to start all over again.
The only drawback is that it needs a little bit more space on your hard drive. I say little, because that's how btrfs and ZFS work, and nothing else should be used in 2023. The feature is called "deduplication", and that's also the reason why most file-size utilities "lie".
Imagine having three images installed, each of them 30 GB in size. Most utilities would show 90 GB used, where in reality, only 35 GB are used--because of deduplicated files.
https://kairos.io/blog/2023/03/22/understanding-immutable-linux-os-benefits-architecture-and-challenges/
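To put numbers on the sizing point above, here is an added example; it is not code from the comment or from any distribution. It builds two constructed "deployment" trees in a temporary directory, the second made of hardlinks to the first, which is how OSTree-based images such as Silverblue or Kinoite share unchanged files between deployments, and compares a naive per-tree sum with a count that charges each inode once (the way `du` given several arguments behaves). Reflink or block-level deduplication on btrfs and ZFS is not visible this way, because deduplicated files keep separate inodes; for those you need the filesystem's own accounting tools. The file names, sizes and function names are my assumptions.

```python
"""Added example (not from the comment or any distribution): why summing
per-deployment sizes overstates disk use when deployments share files by
hardlink, as OSTree-based images do. The trees are constructed in a tempdir."""
import os
import tempfile
from typing import Dict, Iterable, Tuple

FILE_BODY = 4096  # constructed payload size per file, bytes
N_FILES = 4


def per_tree_sum(root: str) -> int:
    """What a naive per-file sum reports: st_size of every file reached,
    so a file hardlinked into several trees is counted once per tree."""
    total = 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            total += os.lstat(os.path.join(dirpath, name)).st_size
    return total


def unique_size(roots: Iterable[str]) -> int:
    """Bytes actually consumed across all roots: each (device, inode) pair is
    charged once. Files deduplicated by reflink or block dedup still have
    distinct inodes and are NOT merged here."""
    seen = set()
    total = 0
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                st = os.lstat(os.path.join(dirpath, name))
                key = (st.st_dev, st.st_ino)
                if key in seen:
                    continue
                seen.add(key)
                total += st.st_size
    return total


def build_hardlinked_deployments(base: str) -> Tuple[str, str]:
    """Construct deployment-a and deployment-b; b's files are hardlinks of a's,
    mimicking two OSTree deployments that share an unchanged /usr/lib."""
    a = os.path.join(base, "deployment-a")
    b = os.path.join(base, "deployment-b")
    os.makedirs(os.path.join(a, "usr", "lib"))
    os.makedirs(os.path.join(b, "usr", "lib"))
    for i in range(N_FILES):
        src = os.path.join(a, "usr", "lib", f"lib{i}.so")
        with open(src, "wb") as fh:
            fh.write(b"\x7fELF" + bytes([i]) * FILE_BODY)  # constructed content
        os.link(src, os.path.join(b, "usr", "lib", f"lib{i}.so"))
    return a, b


def demo_report() -> Dict[str, int]:
    """Build the trees and return naive vs. actual usage figures."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = build_hardlinked_deployments(tmp)
        return {
            "naive_sum": per_tree_sum(a) + per_tree_sum(b),
            "actual": unique_size([a, b]),
            "single": unique_size([a]),
        }


if __name__ == "__main__":
    r = demo_report()
    print(f"naive per-deployment sum: {r['naive_sum']} bytes")
    print(f"actually consumed:        {r['actual']} bytes")
```

On a real OSTree host the same comparison is `du -sh /ostree/deploy/*/deploy/*` (one line per deployment) against a single `du -sh` over all of them.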
11 • clipboard sharing (by Tobias on 2023-07-17 09:53:26 GMT from Czechia)
I wonder how KDE Connect (and other similar solutions) implement clipboard sharing. Namely, do they propagate a deletion of a clipboard item? Because e.g. KeePassXC can be set to delete copied credentials after a set amount of seconds; if KDE Connect does not propagate the deletion, then the phone's clipboard will be full with credential information... Not very privacy-conscious.
12 • KDE Connect and clipboard (by Jesse on 2023-07-17 11:16:34 GMT from Canada)
@11: "I wonder how KDE Connect (and other similar solutions) implement clipboard sharing. Namely, do they propagate a deletion of a clipboard item? Because e.g. KeePassXC can be set to delete copied credentials after a set amount of seconds; if KDE Connect does not propagate the deletion, then the phone's clipboard will be full with credential information... Not very privacy-conscious."
You don't need to worry about this, at least not with KDE Connect. KDE Connect does implement deletion of data when a clipboard item is removed. For example, if you copy a password in KeePass then it is available on KDE Connect linked devices for 12 seconds. However, after that 12 seconds the linked devices can no longer paste the password. It's removed automatically.
KDE Connect links are also encrypted so the clipboard data (along with other information) is not exposed to the network.
13 • KDE connect (by Dr.J on 2023-07-17 11:26:43 GMT from Germany)
I do not use KDE. Never again. The guys kicked themselves out when they switched from version 4 to 5 (later Plasma) back then. So many bugs over such a long time. Not possible at all. Also, every KDE installation is accompanied by a mountain of dependencies; one small program, but 40 additional dependencies. They're nuts. It looks like KDE Connect is just another superfluous tool. File sharing between desktop and phone? You can do that via all sorts of protocols, like FTP, via the browser and so on. Many Android file managers can do that. In Linux you can mount your phone. With other PCs?? Via Samba or NFS etc. So who needs KDE Connect?
14 • Linking devices (by Bob McConnell on 2023-07-17 12:34:30 GMT from United States)
I use something else here as well. I have a dedicated computer running Apache2 with Nextcloud, on Slackware64 15.0. I use F-Droid on the tablets and phones to install DAVx5, Notes, etc. The F-Droid search function makes it simple to find apps that work with Nextcloud (or ownCloud). The only significant issue I have is that when an F-Droid update fails, due to an older kernel or library on the device, it does not leave the previous working version of the app installed. Nor is there any way to revert to an older release. That means that half of my usable tablets will no longer stay in sync, because the vendors no longer exist or update those devices. I particularly miss my two ten inch tablets, an Emerson EM1000B and a Polaroid P10. Even after cataract surgery, I am more comfortable with the larger screens. Also, in about two months, I will have been running almost exclusively on Slackware for 30 years. It replaced my first Linux installation from Soft Landing Systems, a year after they folded their tents. I am also testing Slackware-ARM for my three Raspberry Pis. On a sadder note, Lightlink, the mail server I currently use, will be closing down at the end of August, after 28 years of operation, due to the death of the owner. I am still negotiating for an account on an alternate server.
15 • linked devices (by Otis on 2023-07-17 13:45:46 GMT from United States)
For that portion of my computing world I'm in the iOS/Mac ecosystem; MacBook Pro Max, iPhone 14 Pro Max, Apple Watch Ultra, and iPad Pro. Everything that one sees the rest of them see, from texts and emails to web history and bookmarks, etc.
Linux efforts to do similar things seems like a great direction for distros to explore and implement, but I don't need that for my distros as they serve other purposes for me that don't have much at all to do with inter-device compatibility.
16 • KDE Connect (by Robert on 2023-07-17 15:23:10 GMT from United States)
I used KDE Connect in the past mostly to use my phone as a remote control for my PC. Somewhere along the line that stopped working.
One problem was that the link wasn't stable; devices would disconnect and unpair rather frequently. Might have been network issues on my end, but still, if it isn't working, it's no use.
Secondly, even with the devices paired, that remote control function doesn't work. This I think is down to Wayland's security model inconveniently blocking it.
17 • Immutable OS (by Charlie on 2023-07-17 15:54:50 GMT from Hong Kong)
I have tried different immutable systems (MicroOS, Silverblue & Kinoite) for months.
So far I must say I'm still not enjoying the benefits of an immutable system. I am a CJK user who needs input methods to be utilized, and certainly I would prefer my system to support codecs for playing media. In a traditional system I can simply pull the packages I want; many of them even take effect before I log out and in. But for an immutable OS I'd better do this once and for all, because for every change I make to take effect, I need to reboot my OS. So it's really inconvenient. Also, in my use case I broke GRUB after an update under Kinoite, and I found no way to recover or simply reinstall it from a live system like what I usually did. I guess MicroOS would be better in this situation because they can boot into a read-only snapshot, but it seems it's not the case for Fedora.
But I understand what a properly set-up immutable OS would bring.
Yesterday was my first time to taste the good side of an immutable OS. I found the system update is more swift with rpm-ostree than dnf, especially the speed of post-installation.
18 • cp * /please/be/the/right/mount/ (by Cheker on 2023-07-17 17:57:06 GMT from Portugal)
I am a firm believer in cables and pen drives but lately I've found myself using Warpinator pretty much everywhere.
The ire that IBM/RHEL have invoked has been fun to witness.
19 • Slackware (by Semiarticulate on 2023-07-17 18:08:33 GMT from United States)
Happy 30th Slackware! I installed that mountain of floppies all those years ago, and I still run it on one desktop and on my favorite laptop. My gratitude and thanks to the development team for the years of hard work and dedication. Slack on!
20 • immutability (by GrumpyGranpa on 2023-07-18 00:34:14 GMT from Australia)
I love the development work regarding immutable Linux distros. In a short time we now have MicroOS from openSUSE, Fedora has Silverblue with every desktop available, not just GNOME, Vanilla OS which is rebasing to Debian, BlendOS, Endless and a few others.
That is a lot of choice in a very short period of time.
The desktop user who wants an immutable OS is looking for security and stability. From the choices available, and the approach taken, some are better than others. They are not the same.
I am also interested in testing this and would like to make it my daily driver, but I am looking for strong development and long term support, so Fedora with its short cycle releases doesn't work for me, nor their decision for telemetry. The others are small projects with a small dev team, so MicroOS is probably the way to go for me.
Primarily, with malware becoming increasingly common in Linux, an immutable system makes sense to me for the maximum protection and security.
21 • KDE Connect (by Jack on 2023-07-18 10:52:59 GMT from Australia)
On my Debian (testing) desktop, files sent from my phone end up in the user's Download directory.
22 • Defense of KDE (by Bobbie Sellers on 2023-07-18 20:09:17 GMT from United States)
Yes there are a lot of dependencies but on PCLinuxOS 64, Synaptic finds them reliably.
I don't like the changes from Plasma 4 to Plasma 5, but KDE Plasma 5 remains the most adaptable of desktop environments. Even KDE 3.xx showed the same characteristics when I started using it in 2006, and I was able to essentially give myself an environment similar to my AmigaOS 3.9. Plus in Mandriva 2006 there were plenty of tools to help me explore the filesystem, especially Midnight Commander and Dolphin, as there were in AmigaOS after I paid for SID 2. Those tools are present today in PCLinuxOS 64, so despite KDE's Plasma version changes the useful tools remain.
bliss - Dell E7450- PCLinuxOS 64- Linux 6.4.3- KDE Plasma 5.27.6
23 • File sharing (by Martin on 2023-07-19 00:29:17 GMT from Czechia)
I share files using an FTP server on my phone.
24 • @10 • Immutable (by Cubehead from Netherlands) (by lincoln on 2023-07-19 22:08:55 GMT from Brazil)
You may be right, Cubehead, but let me raise some points.
"No. The immutable files are impossible to change during runtime."
Data/instructions from immutable files can indeed be altered when they are in RAM. In fact, even in secondary memory if the attack compromises the kernel and hardware privilege system.
"No. The name "immutable" is misleading if you try to use "common logical reasoning.""
Logical reasoning can still be used in an immutable universe/scope/domain/group. What basis claims it as misleading?
"It is actually a "layered" system. The basic, core system is "immutable," and the applications are in another layer, each in its own container. Most security holes are usually in the applications."
Layers or containers are also code, meaning they are subject to security holes as well. Some relevant quotes:
"Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker." –Dan Walsh (Mr. SELinux)
"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes can then turn around and suddenly write virtualization layers without security holes." Theo de Raadt, OpenBSD project lead
"It is also important to understand that "immutable" doesn't mean "absolute security," but that it just minimizes the attack surface and improves security and reliability."
Minimizing the attack surface? By adding layers and containers? Or just by introducing a standardized and fixed attack vector/hole?
"It comes down to what part of the "layered system" is affected. If there is no serious threat to the core system, then updating it once a month (as a general rule) would work fine. If there is a serious vulnerability issue, that schedule can be changed, and an "unplanned emergency update" can be issued"
In the core immutable Android system, just in this month of July, numerous vulnerabilities were found https://source.android.com/docs/security/bulletin/2023-07-01. Now, tell me how many Android users received an "unplanned emergency update"? By 2020, over a billion vulnerable devices were already reported due to lack of security updates, and that number keeps increasing https://www.bbc.com/news/technology-51751950.
"However, there is an important "immutable" advantage. If the core OS gets compromised, one reboot later, and it is clean again—still vulnerable though, but the attacker has to start all over again."
Eureka, the solution to vulnerability for Android or immutable systems in general is to keep rebooting the system every few hours or milliseconds?
""Shapeless target" is the biggest misconception since there is an OS, and it makes Linux basically the worst OS ever made and unsuitable for desktop computing. It is conceptually wrong to pull single files (dependencies) from the repository and combine them into a working system."
Incredible, immutable systems don't gather simple compiled source code files from a repository to create a working system.
25 • @24 (by GrumpyGranpa on 2023-07-20 00:42:15 GMT from Australia)
So to clarify your position, you are stating that any immutable system is not any more secure than a normal system because 1) the OS runs in RAM and 2) dockers/containers may have vulnerabilities that permit exploitation to gain root (I assume).
Your conclusion therefore is that immutable systems are nothing more than a gimmick to lull users into a false sense of security.
What then, in your opinion would be a more secure system than a standard updated installed os?
26 • Slackware (by Werewolfc on 2023-07-20 05:58:05 GMT from Romania)
Happy birthday Slackware! Was my first distro that I've used .... long time ago! Then I quit Linux all together and when I got back on the wagon I joined the Arch Linux band.
27 • @25 (by lincoln on 2023-07-20 07:19:18 GMT from Brazil)
"Your conclusion therefore is that immutable systems are nothing more than a gimmick to lull users into a false sense of security."
Exactly.
"What then, in your opinion would be a more secure system than a standard updated installed os?"
An operating system whose implementation has been completely proven and formally verified (mathematically) as secure. This means the system never performs an unsafe operation. Its proofs validate the following propositions:
"P1: There shall be no unauthorized alteration of information. P2: There shall be no unauthorized acquisition of information. P3: There shall be no unauthorized denial of service. P4: There shall be no unauthorized leakage of information."
https://apps.dtic.mil/sti/tr/pdf/ADA088601.pdf
An example of such an approach would be the microkernel seL4. https://sel4.systems/ Thus, we can even read sentences like: "Theorem shows that subsystems can neither exceed their authority over physical memory nor their authority over communication channels to other subsystems." https://www.trustworthy.systems/publications/nicta_full_text/1474.pdf
Other interesting articles:
https://www.cse.unsw.edu.au/~kleing/papers/sosp09.pdf
https://www.trustworthy.systems/publications/nicta_full_text/6464.pdf
https://dl.acm.org/doi/pdf/10.1145/2517349.2522720
https://sel4.systems/About/seL4-whitepaper.pdf
https://www.usenix.org/legacy/events/hotos11/tech/final_files/Klein.pdf
28 • @24 RAM (by lincoln from Brazil) (by Cubehead on 2023-07-20 10:47:01 GMT from Netherlands)
In the old days, there were fixed addresses in RAM. Hackers learned them. Then address randomization was implemented. Hackers soon learned how to predict or even change it.
If one thinks of Rowhammer and RAMBleed, an attacker could theoretically steal confidential data from RAM. But is that practicable?
What data and how much? Only the data that temporarily resides in RAM. It ain't your private data—your documents, music, or videos—they don't reside in RAM.
Even if there were a way for the attacker to force your 2 TB of data to load in the processor cache piece by piece, memory would have to be allocated in a predictable manner (see “Foreshadow”), and the reading memory rate is around 3–4 bits/sec.
Let's suppose that we have 16 MB of cached data; transferring them at a speed of 3 Kbps (note 'kilo') would take 12 hours, 25 minutes, and 39 seconds at 375 B/sec. How long does it take with a speed of 3 bps instead of 3 Kbps and with 2 TB instead of 16 MB of data? So, your private data won't be stolen through RAMBleed. If you are not using faulty memory but memory with targeted row refresh (TRR) enabled, the attack won't work at all.
That means, RAM attacks will stay reduced on functions such as obtaining root privileges, compromising Linux virtual machines on cloud servers, evading sandboxes, and remotely attacking Android devices to name a few.
All in all, this isn’t a real threat and is safe to ignore.
https://www.hackread.com/rambleed-attack-steals-data-from-computer-memory/ https://downloadtimecalculator.com/
29 • @27 "Immutable Linux" vs. "microkernel" (by lincoln from Brazil) (by Cubehead on 2023-07-20 11:04:28 GMT from Netherlands)
“An operating system whose implementation has been completely proven and formally verified (mathematically) as secure. This means the system never performs an unsafe operation. Its proofs validate the following propositions:
P1: There shall be no unauthorized alteration of information. P2: There shall be no unauthorized acquisition of information. P3: There shall be no unauthorized denial of service. P4: There shall be no unauthorized leakage of information.
An example of such an approach would be the microkernel seL4. https://sel4.systems/”
This all sounds nice and well, but in the end:
1. The kernel doesn't surf the web or (insert anything people do with their computers). 2. It's just a collection of VMs—see Theo de Raadt quote @24. 3. Who mathematically verifies system implementation? 4. Hackers don't use anything "unauthorized." 5. seL4 could be packed as "immutable."
Also note that the microkernel and immutable OS have absolutely nothing to do with each other, and the microkernel is not a guarantee for security per se.
Your seL4 is basically just the old AmigaOS, Mach, QNX, or Minix, or partially macOS or Windows NT. All of them can be packed as mutable or immutable OSes. ;)
In other words, you proved that you completely misunderstood what an "immutable" OS is about.
It isn't necessary that we discuss the advantages or disadvantages of a microkernel vs. a monolithic kernel, as that is completely irrelevant for an "immutable" OS.
https://stackoverflow.com/questions/4537850/what-is-difference-between-monolithic-and-micro-kernel
The main point of "immutable Linux" is that even if the attacker did somehow gain unauthorized access, it wouldn't be able to change any core component of your system as the system files, once set to "immutable," can't be changed by absolutely anybody—not even the one who set up the "immutable" state.
The applications will, of course, still be at risk—there is no way around it—but the attack surface is greatly minimized if they are containerized (Flatpak, Snap) and have only limited access to private data and are well isolated from each other.
In other words, for the end user, the "magic" is in: if KeePass can't integrate with Firefox because they are Snaps or Flatpaks, the attacker can't steal all of the KeePass information through the Firefox security issue but can get only one single password that is currently typed in, and on reboot, everything will be clean again.
30 • @24 Android (by lincoln from Brazil) (by Cubehead on 2023-07-20 11:09:20 GMT from Netherlands)
"In the core immutable Android system, just in this month of July, numerous vulnerabilities were found https://source.android.com/docs/security/bulletin/2023-07-01. Now, tell me how many Android users received an "unplanned emergency update"? By 2020, over a billion vulnerable devices were already reported due to lack of security updates, and that number keeps increasing https://www.bbc.com/news/technology-51751950."
Did you mix up "well-thought-out concept" with "proper everyday usage of the well-thought-out concept"?
31 • KDE Connect (by txm0523 on 2023-07-21 01:13:58 GMT from United States)
Does anyone know what the security risks are by connecting a mobile to your Linux PC and syncing it with KDE Connect ? I only connect my Android phone to transfer photos from mobile device to a specific folder on my PC, then I run ClamAV on that folder. With all the malicious files that are placed on mobile apps, is there a remote possibility you can infect your Linux PC ? Thanks
32 • "Immutable Linux" vs. "microkernel" (by Cubehead from Netherlands) (by lincoln on 2023-07-21 02:04:42 GMT from Brazil)
I am not debating "immutable vs microkernel".
My point is to state that immutability does not guarantee safety. What guarantees safety are formal demonstrations (mathematically) of the operating system and hardware implementation. Ideally, it should also contain the compiler implementation, the assembly code and the boot code.
"All in all, this isn’t a real threat and is safe to ignore."
In fact, it is not a threat to read/modify data and instructions in your RAM (including in privileged mode), being able to execute any code over time.
"1. The kernel doesn't surf the web or (insert anything people do with their computers). 2. It's just a collection of VMs—see Theo de Raadt quote @24. 3. Who mathematically verifies system implementation?"
Did you actually read the references? If you can prove that the OS has no security holes, you can use abstractions like subsystems or vms without compromising your hardware (processor/memory) and privileged environment. I only cited seL4 as an example of an OS kernel used in billions of devices worldwide, including safety-critical systems from Boeing and DARPA.
"Your seL4 is basically just the old AmigaOS, Mach QNX, or Minix, or partially macOS or Windows NT."
You must be joking.
"In 2009, seL4 became the world’s first OS kernel with a machine-checked functional correctness proof at the source-code level. This proof was 200,000 lines of proof script at the time, one of the largest ever (we think it was the second largest then). It showed that a functionally correct OS kernel is possible, something that until then had been considered infeasible"
"We then extended the verification down to the binary and up to security-enforcement properties"
Field testing:
"A great example is the work our HACMS project partners did on cyber-retrofitting the Boeing ULB autonomous helicopter. The original system ran on Linux, and in a first step, the team put seL4 underneath. The next step broke out two components: The particularly untrusted camera software was moved to a second VM, also running Linux, with the two Linux VMs communicating via CAmkES channels. At the same time, the network stack was pulled out of the VM and converted to a native CAmkES component, also communicating with the main VM. The final step pulled all other critical modules, as well as the (untrusted) GPS software, into separate CAmkES components, removing the original main VM. The final system consisted of a number of CAmkES components running seL4-native code, and a single VM running just Linux and the camera software. The upshot was that while the initial system was readily hacked by the professional penetration testers hired by DARPA, the end state was highly resilient. The attackers could compromise the Linux system and do whatever they wanted with it, but were unable to break out and compromise any of the rest of the system. The team was confident enough to demonstrate an attack in-flight."
33 • @32 (by GrumpyGranpa on 2023-07-21 05:23:50 GMT from Australia)
I understand what you're saying as well as the other people, well maybe not the part about seL4 being an Amiga box, but the other points yes.
This is essentially the famous "compiler issue", which could be compromised with a backdoor and, as it is the building block, could insert the backdoor into all other programs during compilation, compromising the entire system regardless of what security measures are used.
What about using an additional layer on immutable OSes such as hashes for key files or directories, which are checked on boot to verify integrity?
I wonder though, as Edward Snowden is satisfied with using Qubes or Tails, should we also not be satisfied with security in its current form, or should we live like Ted in the woods using old hardware and compiling everything ourselves from scratch?
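The boot-time hash check asked about above, as an added example that is not part of the comment or of any distribution: build a SHA-256 manifest of a tree from a known-good state, then verify the live tree against it and report modified, missing and unexpected files. The `etc` tree, its file contents and the function names are constructed for the demo. The check is only as trustworthy as the place the manifest lives: an intruder with root who can rewrite the files can also rewrite a manifest stored beside them, so in practice the manifest is signed or kept on read-only media, the role that dm-verity or a signed OSTree commit plays on real immutable images.

```python
"""Added example (not from the comment or any distribution): a SHA-256
manifest of a directory tree, built from a known-good state and verified
later, as a boot-time integrity check of key files could do."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its digest.
    Symlinks are skipped; what they point at is covered by its own entry."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with the manifest. An unexpected file matters as
    much as a modified one: a dropped-in ld.so.preload is a classic persistence
    trick that a modified-only check would miss."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Construct a small etc tree, snapshot it, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "etc")
        os.makedirs(os.path.join(root, "ssh"))
        # constructed sample files
        files = {
            "ssh/sshd_config": b"PermitRootLogin no\n",
            "passwd": b"root:x:0:0::/root:/bin/sh\n",
            "hostname": b"host\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root)
        # What you would store, signed, somewhere the checked tree cannot alter.
        stored = json.dumps(manifest, sort_keys=True)
        assert verify(root, manifest) == {"modified": [], "missing": [], "unexpected": []}

        # Tamper: change a setting, delete a file, drop in a preload hook.
        with open(os.path.join(root, "ssh", "sshd_config"), "ab") as fh:
            fh.write(b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "hostname"))
        with open(os.path.join(root, "ld.so.preload"), "wb") as fh:
            fh.write(b"/tmp/x.so\n")
        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real deployment would also record mode, owner and xattrs (SUID bits and capabilities are as interesting to an intruder as content), which is roughly what IMA/EVM does in the kernel.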
34 • @32 (by Cubehead on 2023-07-21 10:29:20 GMT from Netherlands)
Trying to build a secure system on a kernel that is not secure is a hopeless effort; we know that, but that is also not the main goal behind the immutable Linux concept. What we need is reasonable and affordable security with improved reliability and versatile usability for everybody and for everyday computing.

Your HACMS example is the wrong example to use as an argument against the immutable Linux concept. It is a military project where a bunch of specialists ensured that a bunch of VMs were running well isolated from each other, built upon a trusted platform, and where some monitoring thread rebooted the system to ensure integrity...

"... we are working on proving that these mechanisms are effective on SUITABLE hardware ... we have not yet solved the problem of verifying seL4 for multicore platforms ..."

Verified platforms and configurations might work for some use cases, but what might work for medical devices, space flight, or a military project wouldn't necessarily help Joe Average, at least not in its present state.

"Verification of the multicore kernel is in progress (but presently as an unfunded background activity). The multicore kernel uses a big-lock approach, which makes sense for tightly-coupled cores that share an L2 cache. It is not meant to scale to many cores ... is presently not supported, though."

An OS kernel with a machine-checked functional correctness proof alone does not guarantee system safety. Is the entire system secure if one uses the seL4 kernel? There would still be a userland built atop it, with the applications running in it, and that's also where the drivers would be, which still means that any exploit in the driver code or the application would result in total system compromise.

Immutability does not guarantee safety, and nobody ever claimed that. It is an additional layer that adds to security and reliability.
Proven-no-security-holes-OS can also be mutable or immutable, and immutability would further add to its security and reliability. Immutability is just a state something is in. Immutability says nothing about the quality of the code itself. The idea behind "immutable Linux" is to improve security and reliability through layering, isolation, and simple rollover if things go wrong.
https://docs.sel4.systems/Hardware/ https://docs.sel4.systems/projects/sel4/frequently-asked-questions.html https://microkerneldude.org/2021/05/31/trustworthy-systems-research-is-done-are-you-kidding-csiro/
35 • Congrats (by garcia on 2023-07-21 20:47:36 GMT from Puerto Rico)
... to both Mr. Lincoln from Brazil and Mr. Cubehead from the Netherlands for an amicable "mano a mano" on exposing the pros and cons of immutable systems and allowing readers like me to learn a lot in the process.