DistroWatch Weekly |
DistroWatch Weekly, Issue 1065, 8 April 2024 |
Welcome to this year's 15th issue of DistroWatch Weekly!
Last week we discussed an exploit which was found in the xz compression software. While the compromise was discovered and worked around before it was packaged in most distributions, the fact a popular project like xz was hijacked at all was concerning. This week, in our Questions and Answers column, we talk about the xz exploit and the ripple effects from it. One distribution indirectly affected by the xz attack was Ubuntu. The distribution's next beta release is being delayed a week to give the developers time to make sure all traces of the malicious xz code are purged from the project's testing branch. Did the xz exploit make it into your distribution? Let us know in the Opinion Poll below. Also in our News section, we wish HardenedBSD a happy tenth anniversary and report on Linux Mint shipping a hardware enablement kernel by default. Plus there has been some discussion about which major desktop Fedora should use as the default in its Workstation edition and we cover this below. We then talk about AlmaLinux OS patching a flaw ahead of Red Hat's upstream distribution while Calculate makes changes to its release model. First though we discuss a young project which produces a system administration utility. The distribution is called Dr.Parted Live and it can be used to manage partitions, rescue data, and backup disks. Read on to hear Jesse Smith's first impressions of this live disc. This week we are also pleased to bring you details on recent releases and list the torrents we are seeding. We wish you all a fantastic week and happy reading!
Feature Story (By Jesse Smith) |
Dr.Parted Live 24.03
Before the tidal wave of new mainstream releases descends upon us this April, I want to take a moment to talk about a small project which provides live media for performing administrative tasks and data rescue. Specifically, I'm talking about a young project called Dr.Parted Live.
Dr.Parted Live is a bootable GNU/Linux distribution based on Debian Testing. Live CD/USB featuring a lightweight Openbox window manager and useful applications for data backup, restore and recovery.
The Dr.Parted distribution is available in a single edition for x86_64 computers with an ISO which is 758MB in size. Booting from this ISO provides us with a graphical interface powered by Openbox and featuring a few components from the LXDE project.
The ISO, while not particularly large, does include a lot of utilities for data rescue, partition management, and file transfers. These include, in no particular order:
- GParted for disk partition management and creation.
- Apart GTK and Clonezilla for partition cloning.
- GSmartControl for working with SMART information from disks.
- ddrescue, Testdisk, and Photorec for deleted file recovery.
- Rclone for managing files located in cloud storage.
- wipe and shred for secure file deletion.
- cfdisk, fdisk, and gdisk for managing partition tables.
- cURL and wget for fetching remote files.
- Xarchiver for creating, extracting, and editing archives.
- Grsync for transferring files between directories and computers.
- growpart for resizing a partition.
- USBImager for writing image files to a thumb drive.
- Netsurf for web browsing.
- PCManFM for managing local files.
- Text editors.
First impressions
Booting from the live media launches Openbox automatically. A thin panel is placed across the bottom of the screen. This panel holds a virtual desktop switcher, clock, and networking widget. Otherwise the interface is mostly bare. Though, depending on the environment I used, a Conky status panel was sometimes displayed on the desktop. This panel includes both some status information and a list of keyboard shortcuts for launching commonly used applications.
Dr.Parted Live 24.03 -- Exploring the application menu
The Openbox environment is light, fast, and responsive. It displays no pop-ups, no first-run wizard, and (apart from Conky) offers a very clean, empty workspace. We can right-click on an empty part of the background to bring up an applications and settings menu.
Hardware
I tested Dr.Parted in a VirtualBox environment and on a laptop from which I pretended to rescue files. The distribution ran well in the virtual machine and everything worked as expected. The Openbox interface worked well and I had no problems. I did note that the Conky panel did not launch when I ran the distribution in VirtualBox.
When I moved over to the laptop, Dr.Parted threw a different quirk at me. The Conky panel was displayed, and networking and audio worked. However, my system interpreted right-clicks as left-clicks on my laptop. My keyboard worked normally, as did mouse movement and left-clicking. However, any time I clicked my laptop's right mouse button it acted as a left-click on the screen. This is a notable problem because we need to right-click to open the application menu and adjust settings. As far as I can tell, there is no keyboard shortcut for opening the menu.
Dr.Parted Live 24.03 -- Adjusting Openbox settings
Luckily, there are keyboard shortcuts for opening the terminal, opening a run dialog, and launching a file manager. These shortcut combinations are helpfully displayed on the Conky panel. This meant I could still use Dr.Parted on my laptop, but the process was a bit awkward and required a good deal more work from the terminal compared to when I was running the distribution in VirtualBox. Oddly enough, right-clicks did work as expected inside the virtual machine.
Dr.Parted Live was able to boot in both UEFI and Legacy BIOS modes and consumed about 380MB of RAM when running an Openbox session.
Quick install options
Dr.Parted is based on Debian's Testing branch and can use Debian's command line tools, such as APT, to fetch additional software. To further make installing popular software straightforward, the distribution includes "quick install" options in its application menu. When we browse the application menu, one category, called Install Apps, lists additional software with entries including items such as Firefox, Chromium, and FileZilla. Clicking one of the launchers opens a terminal window and downloads the selected software, assuming we have a working Internet connection.
The newly fetched download doesn't show up in the application menu, but it is accessible from the command line. I tested a few of these quick install options and they worked for me. However, I did note that Firefox refuses to launch. This is because Dr.Parted automatically signs us in as the root user and Firefox will terminate itself to avoid running as root. It feels odd to have a launcher to install software that is designed not to run in the live environment, but the other programs worked as expected.
Dr.Parted Live 24.03 -- Trying to launch Firefox
I do wish to acknowledge that there is a regular, non-root, user account on the system. This extra account, appropriately called "user", can be accessed using the su command. From the "user" account we can then launch tools, like Firefox, which reject being run by root.
The default tools
The included utilities all worked as expected. Most of them are fairly standard items for a system recovery disc. Tools like TestDisk, Photorec, and Grsync are fairly common and work well for recovering deleted files. I was pleasantly surprised to find a desktop utility for checking SMART data as that is something I rarely see offered with these sorts of live environments.
The distribution offers a good range of software for copying, recovering, and manipulating partitions, files, and filesystems. I think it would be quite handy to have, especially for people who do system administration work.
Dr.Parted Live 24.03 -- Tools for copying files between computers
Conclusions
There are a few rough patches in this young distribution. The inconsistent environment (the Conky panel comes to mind) when moving between my laptop and VirtualBox was one example. The inability to right-click was a bit of a hurdle, and not being able to launch Firefox from the default account was inconvenient. However, these little bumps in the road were not really significant.
On the whole, I think Dr.Parted Live provides a lot of useful tools for dealing with disks, filesystems, and files. Also, and just as importantly, while there are several useful tools included in the distribution, there isn't a lot of overlap or additional tools we might not find useful. Some live system admin distributions get cluttered, trying to fill every possible use case and they end up being harder to navigate due to all the extra items filling the application menu. Dr.Parted Live is more focused. It provides enough functionality to be useful, more than some single-purpose distributions (such as Clonezilla Live or GParted Live), while still remaining tuned into just doing one specific set of tasks well and I appreciate this.
* * * * *
Hardware used in this review
My physical test equipment for this review was an HP DY2048CA laptop with the following specifications:
- Processor: 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz
- Display: Intel integrated video
- Storage: Western Digital 512GB solid state drive
- Memory: 8GB of RAM
- Wireless network device: Intel Wi-Fi 6 AX201 + BT Wireless network card
* * * * *
Visitor supplied rating
Dr. Parted Live has a visitor supplied average rating of: 9.7/10 from 7 review(s).
Have you used Dr. Parted Live? You can leave your own review of the project on our ratings page.
|
Miscellaneous News (by Jesse Smith) |
HardenedBSD celebrates its ten year anniversary, Linux Mint to ship HWE kernel by default, Fedora considers making Plasma the desktop for Workstation edition, Ubuntu delays 24.04 beta, AlmaLinux patches kernel flaw ahead of Red Hat, Calculate changes release model
The HardenedBSD project, a security-oriented fork of FreeBSD, celebrates its tenth anniversary this week and does so as the team rewrites a core component: "In src, the hbsdcontrol utility, and the library implementing the core logic (libhbsdcontrol) were rewritten from the ground up. While the implementation is now feature complete, there is still a bit of work to be done. Chiefly, rewriting the manual pages. After the documentation is updated, I plan to also integrate libucl support, to support JSON output and perhaps also support applying rules specified by a configuration file." Additional information on what is happening in the HardenedBSD project can be found in the project's March newsletter.
* * * * *
The Linux Mint team is planning to ship version 22 of their distribution with Ubuntu's hardware enablement kernel as the default kernel rather than an older, long-term support version of Linux. "To prioritize stability our 21.x releases shipped with Ubuntu LTS kernels (5.15). EDGE ISOs were made available, with HWE kernels, to bring support for new hardware. Ubuntu 22.04.x releases used HWE kernels, and version 24.04 is set to use kernel 6.8. During the last two years we didn't observe significant differences in terms of stability between LTS and HWE series. Both were pretty stable. A growing number of users with new laptops/chipsets relied on EDGE images to be able to install Linux Mint though. Linux Mint 22 will follow Ubuntu going forward and ship with new kernel series release after release." The project's March newsletter also mentioned PipeWire will be the default sound server in Linux Mint 22.
* * * * *
The Fedora project is currently considering a change for future versions of the distribution which would switch the default Workstation edition's desktop from GNOME to KDE Plasma. GNOME has always been the primary desktop for the Fedora distribution, but the change proposal outlines several areas where KDE's Plasma desktop would offer a better experience. Some of the features the proposal highlights are Plasma's system tray, Wayland support, and a reduced learning curve for new Linux users: "Plasma provides a more traditional user experience that could be viewed as being more approachable to everyday computing users, serving as a smoother 'on-ramp' to using Linux-based operating systems. Alongside its wide breadth of personalization capabilities, it provides an out-of-the-box desktop experience that is more predictable than some of its counterparts. As an example, Plasma provides a system tray for applications supporting StatusNotifierItem (e.g. Flameshot, OBS Studio, VPN clients), which is not functionality supported by default in GNOME Shell and requires an extension which may break between releases." The proposal is being discussed and whether it will be adopted has not been confirmed.
* * * * *
Following the news the xz package had been compromised, Canonical decided to rebuild its software repositories for the upcoming launch of Ubuntu 24.04. This will result in the 24.04 beta release being delayed a week, to April 11th, while the final release is still scheduled for April 25th. "Canonical made the decision to remove and rebuild all binary packages that had been built for Noble Numbat after the CVE-2024-3094 code was committed to xz-utils (February 26th), on newly provisioned build environments. This provides us with confidence that no binary in our builds could have been affected by this emerging threat. As a result of this, the Beta release for Ubuntu 24.04 LTS (Noble Numbat) has been pushed to April 11, 2024 (previously April 4, 2024)."
* * * * *
AlmaLinux OS is an open-source, community-driven project that is built from the source code of Red Hat Enterprise Linux (RHEL). While AlmaLinux OS originally started out as an exact "bug for bug" clone of RHEL, once Red Hat put restrictions in place to make creating clones of its Enterprise Linux distributions more difficult, AlmaLinux changed course slightly. AlmaLinux now strives to create a binary compatible clone of RHEL, but it also introduces its own bug fixes and improvements. In a first for the project, AlmaLinux has patched a vulnerability ahead of Red Hat. FOSS Force reports: "AlmaLinux, a three year old Linux distribution that started life as a clone of Red Hat Enterprise Linux, on Tuesday announced that it had created a patch to fix CVE-2024-1086, a security vulnerability that Red Hat evidently doesn't think is important enough to patch in RHEL right away."
* * * * *
The developers of Calculate Linux, a user-friendly distribution based on Gentoo Linux, have decided to abandon the traditional release model and have started to treat its nightly builds as standard releases: "Calculate Linux is going release-free with its editions. Nightly builds will officially become the main releases, similar to Gentoo or Arch Linux. These nightly builds have, indeed, already been moved to the release folder. There are several advantages to this approach. Namely, the time we spent on prepping and promoting new releases can be dedicated to further improvements. And of course, you will always get the latest and greatest system updates. In fact, even before this change, you could use cl-update to, well, get a nightly build. Now, getting fresh images will be a breeze." The first of these new nightly releases has been published already; it can be found in the 20240401 folder on the project's main download server and its mirrors. The distribution continues to provide pre-built ISO images with KDE Plasma (CLD), Cinnamon (CLDC), LXQt (CLDL), Xfce (CLDX) and Xfce Scientific (CLDXS), as well as specialist images known as Container Manager, Directory Server, Calculate Linux Scratch and Scratch Server. See this forum post for further information.
* * * * *
These and other news stories can be found on our Headlines page.
|
Questions and Answers (by Jesse Smith) |
Follow-up questions after the xz exploit
Last week we reported on an exploit in the xz compression software. While this issue was caught early and was not widespread, its seriousness caused a lot of people to take notice and raise questions. We address some of those questions below.
Auditing-the-source asks: Are there any distributions which are audited entirely? Like every line of code checked?
DistroWatch answers: I don't think any Linux distribution has been fully audited line-by-line, at least not on an ongoing basis. There are some distributions which are checked fairly thoroughly, such as Red Hat Enterprise Linux and SUSE Linux Enterprise as part of their certification programs. And there are some totally libre (free software) distributions, such as Trisquel GNU/Linux, which contain no non-free parts, which allows them to be audited entirely. Over in BSD land the OpenBSD code has probably received more careful attention than most open source projects. However, a full featured distribution contains hundreds of millions of lines of code, so auditing one manually line-by-line on an ongoing basis isn't realistic.
With that said, many key open source projects do engage in peer review when new code is submitted. Many package maintainers check to see what new code is coming into new versions of software. It's common for code entering into major projects, such as the Linux kernel, to be combed over by multiple people to look for issues - bugs, exploits, or regressions. So the whole code base might not receive regular review, but changes entering into the ecosystem are usually checked.
* * * * *
Worried-about-more-backdoors asks: I'm getting paranoid about what other backdoors might be in key Linux packages. What are the chances there are other problems like the xz issue?
DistroWatch answers: Something to keep in mind is the xz exploit took years of work to slowly move into place. It required a lot of coordination for a new developer to take over an existing project, for the author to slowly insert lines of code which might be vulnerable in the future, and then for an exploit to be introduced. After those multiple years of slow work, the exploit was discovered and patched within two months, before the compromised version of xz made it into any fixed-release distributions and before it landed in some rolling release distributions. Very few users ever installed the exploit and those were people who were right on the cutting-edge (Arch Linux users, people testing out Debian Unstable, and Fedora Rawhide users). Almost no one outside of beta testers and people who update constantly on rolling releases was in danger of installing the exploit.
Since years of work went into crafting the exploit and manipulating the upstream project and it was caught quickly before most distributions even packaged the malicious version, I'd say it's unlikely there are other (successful) attempts to create backdoors working in the wild.
* * * * *
Checking-for-viruses asks: Will Linux distros start shipping with anti-virus to prevent issues like the xz backdoor?
DistroWatch answers: Probably not, for a few reasons. First, the testing and auditing process caught the backdoor quickly. The open source auditing process worked as expected so having another check might not be considered necessary.
Second, anti-virus tends to be unreliable (false positives, missing real issues) and takes up a lot of resources.
Third, anti-virus needs to have an idea of what to look for. In other words it needs to be trained to detect and flush out issues (either known or suspicious). An anti-virus program would need to know to look for the xz exploit, or something like it. To do that the anti-virus needs to be kept up to date. This means there is very little benefit to running anti-virus on distributions where the user is just installing software from their distribution's repository.
Put another way, if the Linux community knows about an exploit and can teach anti-virus to detect and remove it, then the Linux community also knows to remove the malicious package from repositories and replace it with a good version. But if we don't know about a malicious package and its behaviour then we also don't know the signatures to feed the anti-virus software.
Anti-virus scanners can be helpful in some situations, but they don't offer much added protection when users are pulling from vetted repositories. They mostly benefit users who are downloading programs from untrusted, third-party sources.
* * * * *
On-the-lookout asks: How could an exploit like xz get by all the checks, isn't open source supposed to protect us against stuff like this?
DistroWatch answers: The reason we are talking about the xz exploit is because the checks did work. Someone noticed a problem with xz, investigated, and (thanks to the open source nature of all the software involved) was able to identify the problem. Within days, all the major distributions were aware of the issue and had either avoided packaging the exploited version of xz, or replaced it in their repositories.
An exploit which took over a year to create was discovered and countered before it made it into any major distribution releases, before it arrived in any fixed-release distributions, and before it was installed on any distributions where the exploit was likely to work. (The xz exploit required the distribution to be running xz version 5.6 or newer, an OpenSSH server, and systemd.) Very few people, outside of openSUSE Tumbleweed users running the OpenSSH service, would be affected.
To put it simply, the open source nature of the components involved, along with the testing processes in place, worked. The xz exploit had almost no impact in the Linux community, despite the months of work which went into compromising the xz project and introducing the exploit. This is not a case of open source practises failing, it's a shining example of open source testing and auditing working very well. Not perfectly, perhaps, but very well. Chances are, unless you're a beta tester, your computer never had the xz exploit installed on it, so you were protected.
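For readers who want to check a machine against the three conditions listed in this answer, here is an added example (not from DistroWatch or the xz project): a shell triage script using the 5.6.0 and 5.6.1 version numbers named in this issue. The function names and verdict strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage a host against the conditions described above
# (compromised xz release + OpenSSH server + systemd).

# Extract the version from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the line
# does not have the expected shape.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 when the version is one of the two compromised releases
# named in this issue (5.6.0 and 5.6.1), 1 otherwise.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Combine the three conditions into one verdict (hypothetical labels):
#   $1 = xz version, $2 = sshd present (yes/no), $3 = systemd is init (yes/no)
#   not-affected      the installed xz is not a compromised release
#   affected-package  compromised xz is installed, other conditions not met;
#                     the package should still be replaced
#   exposed           all three conditions are met
assess() {
    is_affected_version "$1" || { echo "not-affected"; return 0; }
    if [ "$2" = "yes" ] && [ "$3" = "yes" ]; then
        echo "exposed"
    else
        echo "affected-package"
    fi
}

# Gather the three facts from the running system and print the verdict.
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed: not-affected"
        return 0
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")

    sshd=no
    if command -v sshd >/dev/null 2>&1 || [ -x /usr/sbin/sshd ]; then
        sshd=yes
    fi

    # /run/systemd/system exists only when systemd is the running init.
    systemd=no
    if [ -d /run/systemd/system ]; then
        systemd=yes
    fi

    echo "xz=${ver:-unknown} sshd=$sshd systemd=$systemd: $(assess "$ver" "$sshd" "$systemd")"
}

# Probe this machine only when asked: sh xz-triage.sh --live
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

A verdict of affected-package still means the distribution's replacement xz package should be installed, even if no SSH server is running.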
* * * * *
Additional answers can be found in our Questions and Answers archive.
|
Released Last Week |
ROSA 12.5
ROSA is a Russian Linux distribution which originally forked from the Mandriva family of distributions. The project's latest release, ROSA 12.5, provides two full-featured desktops (KDE Plasma and GNOME) along with two lightweight editions (LXQt and Xfce). "ROSA Fresh 12.5 offers a wide selection of installation images, allowing users to choose the optimal OS for their tasks. The updated version of the operating system includes five user environment options for three processor architectures (x64, i686, aarch64). Each version of the system contains a set of programs and components updated to the latest versions in the original ROSA design. You can choose from two fully functional graphical environments - KDE and GNOME, and two light systems with graphical interfaces - LXQt and Xfce; an option with a console, text interface for experienced users is also available - ROSA Fresh Server. The updated 6.6 kernel with long-term security support ensures optimal compatibility with the latest devices, and Mesa 23.3 graphics libraries, thanks to Steam support, open the door to the world of games and 3D graphics. Added expanded support for printers and scanners using ipp-usb and sane-airscan technologies, which makes it easier to use such peripheral devices." Additional information can be found in the project's release announcement.
ROSA 12.5 -- Running the KDE Plasma desktop
OpenBSD 7.5
Theo de Raadt has announced the release of OpenBSD 7.5, the latest stable version of the free, multi-platform 4.4BSD-based UNIX-like operating system, in active development since 1996: "We are pleased to announce the official release of OpenBSD 7.5. This is our 56th release. We remain proud of OpenBSD's record of more than twenty years with only two remote holes in the default install. As in our previous releases, 7.5 provides significant improvements, including new features, in nearly all areas of the system: added bt(5) and btrace(8) support for binary modulo operator; added a TIMEOUT_MPSAFE flag to timeout(9); added IBM encoded version of the "Spleen 8x16" font, usable as console font; cleanup and machine-independent refactoring of three context switch paths outside of mi_switch(): when a process forks and the new proc needs to be scheduled by proc_trampoline, cpu_hatch: when booting APs, and sched_exit: when a proc exits; made vscsi(4) 'vscsi_filtops' mpsafe and extended the 'sc_state_mtx' mutex(9) to protect 'sc_klist' knotes list; made out-of-swap checking more robust, preventing potential deadlocks...." Read the detailed release announcement for a complete list of changes.
Peropesis 2.5
Peropesis (personal operating system) is a small-scale, minimalist, command-line-based Linux operating system. The project's latest release, Peropesis 2.5, introduces several new tools: "Peropesis 2.5 is released. In the new edition part of the old software was updated and several new software packages were installed. Among the newly installed software are several build automation tools and one of the most popular file managers, Midnight commander, which is accessible by typing the mc command at the command line. New software was installed: 1. cmake 3.29.0. CMake is an open source software designed to build, test, and package software. 2. meson 1.3.2. Meson - an open source, high productivity build system. 3. ninja 1.11.1. Ninja is a small build system with a focus on speed. 4. packaging 0.24. This Python library provides utilities that implement the interoperability specifications which have clearly one correct behaviour or benefit greatly from having a single shared implementation." Additional information is available in the project's release announcement.
AV Linux MXE-23.2
Glen MacArthur has announced the release of AV Linux MXE-23.2, a bug-fix update of the project's earlier release. AVLinux is based on Debian 12 and MX Linux, it is designed primarily for content creators, and it uses Enlightenment as the default desktop user interface. "This is an ISO image update to AV Linux MX edition that addresses a few annoying and potentially show-stopping bugs that appeared in the first release of AVL-MXe 23.1. Obviously the jump to a new Debian platform ('Bookworm'), a completely new desktop environment (Enlightenment) and a whole new way of handling system audio(PipeWire) was bound to scare a few new bugs out of the woodwork and boy did it ever. Hopefully this ISO will help people get off to a better start with these various new features. Don't fade backlight is now set by default which should fix Enlightenment setting the backlight to 0 which was making the lightDM login screen invisible after installing AVL-MXe to hard disk and booting it with its default of SysVInit (systemd boot recommended). A shortcut to change the keyboard layout for Enlightenment to use is now easily found on the main panel." Read the rest of the release announcement for further information and screenshots.
AV Linux MXE-23.2 -- Running the Enlightenment desktop
Archcraft 2024.04.06
Aditya Shakya has announced the release of a new version of Archcraft, a lightweight, Arch-based Linux distribution with highly customised Openbox and bspwm window managers and a selection of lightweight applications. The new version, labeled as 2024.04.06, brings updated packages and window manager configurations, as well as various improvements and bug fixes: "April 2024 ISO image of Archcraft is now available to download. Changelogs: updated ISO profile; latest base with new packages; update all Archcraft and AUR packages; update all window manager configurations; added latest version of Calamares installer and its configuration (fixed autologin issue); added a new GRUB package (fixed issue with installation on XFS filesystem); added GRUB hooks package (to install GRUB on every update); added archcraft-arandr (GUI) package to manage screen layouts (save and restore them); fixed Qt theming issue, added configurations for Qt 6; improved Thunar action functionalities - open terminal according to session, open as root according to session, permanently sets the wallpaper in supported sessions; small improvements and bugs fixed. Run 'sudo pacman -Syyu' to update your existing installation." Continue to the release announcement for further details.
|
Torrent Corner |
Weekly Torrents
The table below provides a list of torrents DistroWatch is currently seeding. If you do not have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.
Archives of our previously seeded torrents may be found in our Torrent Archive. We also maintain a Torrents RSS feed for people who wish to have open source torrents delivered to them. To share your own open source torrents of Linux and BSD projects, please visit our Upload Torrents page.
Torrent Corner statistics:
- Total torrents seeded: 2,983
- Total data uploaded: 44.2TB
|
Opinion Poll (by Jesse Smith) |
Did the xz/lzma exploit get packaged by your distribution?
Last week we reported on an exploit which was found in the xz project which affected the lzma compression software. The exploit could be triggered when people logged into a secure shell on distributions running systemd. The exploit did not get widely adopted, with a developer catching the compromised 5.6 version when it was still winding its way through testing repositories.
Still, some fast-moving distributions did package and share the vulnerable 5.6 and 5.6.1 versions of the xz package. We'd like to hear if the exploit made it into your distribution's repositories or if your distribution was holding back enough to avoid the exploited package.
You can see the results of our previous poll on running GNU's Hurd kernel in our previous edition. All previous poll results can be found in our poll archives.
Did your distro package xz 5.6?
- Yes - and I installed it: 230 (16%)
- Yes - but I did not install it: 84 (6%)
- No: 750 (51%)
- I do not know: 364 (25%)
- I am not running a Linux distro: 35 (2%)
Website News |
Weekend connection issues
Some of our gentle readers may have noticed connecting to the DistroWatch website on Thursday and Friday of this week was slow, or maybe the connection was dropped, resulting in an error in the browser. We apologize for the inconvenience and the interruptions of service.
What happened was we experienced a denial of service (DoS) attack which flooded our server with a lot of requests, at times maxing out our bandwidth and service capacity. The attack was crude - a simple attempt to slow down the server or spike a distribution's ranking, not an attempt to break in or do anything particularly malicious. We were able to simply let the firewall whittle away at the flood of traffic that was hammering us until things gradually returned to normal.
With that said, no doubt some people were having trouble getting through during the past few days. We're sorry about that and appreciate your patience.
One positive from this experience was seeing our server in action. DistroWatch has a limited budget and our server is approximately on par with a single low-to-medium spec workstation. Nonetheless, the server, which runs FreeBSD, didn't blink an eye at the traffic from thousands of aggressive clients. Even early on, when the server's load average topped 400, FreeBSD continued to perform its normal housekeeping tasks, provided status updates, and kept its packages up to date. It was impressive to see how much FreeBSD simply didn't care about being hammered with network traffic while it continued to perform local tasks. Kudos to the FreeBSD team!
* * * * *
This concludes this week's issue of DistroWatch Weekly. The next instalment will be published on Monday, 15 April 2024. Past articles and reviews can be found through our Weekly Archive and Article Search pages. To contact the authors please send e-mail to:
- Jesse Smith (feedback, questions and suggestions: distribution reviews/submissions, questions and answers, tips and tricks)
- Ladislav Bodnar (feedback, questions, donations, comments)
Tip Jar |
If you've enjoyed this week's issue of DistroWatch Weekly, please consider sending us a tip. (Tips this week: 1, value: US$14) |
paypal.me/distrowatchweekly • patreon.com/distrowatch
Reader Comments |
1 • Good job! FreeBSD! (by April on 2024-04-08 01:22:17 GMT from Japan)
Thank you for sharing the true story of the work FreeBSD did during the DoS attack.
2 • Did your distro package xz 5.6 (by John on 2024-04-08 01:26:06 GMT from Canada)
For my distro answering this is not a simple yes/no.
For the release version the answer is no; for the version in development it is yes.
But the distro does not use systemd, nor does it normally apply patches to upstream software. So 5.6.x would not have affected the distro.
FWIW my home distro is Slackware.
3 • xz in Fedora (by David on 2024-04-08 01:36:44 GMT from United States)
I answered "I don't know" because it is not clear in Fedora Magazine's article whether it is safe to use the nightly builds OR the Beta of version 40. Yes, the infected xz was there at some point (March 29?), but there is no clarity on whether it remains, or it has been removed, or whether there is a nightly build that has taken care of the issue. I don't know what to do except to keep using Fedora 39 until release.
4 • xz-utils 5.2.5 on Trisquel (by Andy Prough on 2024-04-08 01:46:33 GMT from Switzerland)
I use the fully libre software distro Trisquel, and we have xz-utils version 5.2.5 right now, so we were not even close to having this problem.
The latest Trisquel 11 is based on Ubuntu 20.04 LTS, so these kinds of core packages like xz-utils tend to be less new and more stable and better tested. However, we do get the latest libre-tized version of Firefox (called 'Abrowser' which is based on the ESR browser IceCat), and in our backports we get some of the most recent versions of productivity software such as LibreOffice. So it's a win-win-win for us Trisquel users - stable and safe distro without any black-box proprietary software and with recent productivity programs where they are useful.
5 • XZ (by David on 2024-04-08 01:49:45 GMT from United States)
"DistroWatch answers: The reason we are talking about the xz exploit is because the checks did work. Someone noticed a problem with xz, investigated, and (thanks to the open source nature of all the software involved) was able to identify the problem."
--Someone noticed a problem with openssh being slow, not xz. If openssh had not been slowed down then no one would have noticed anything.
6 • Small World (by Vinfall on 2024-04-08 02:13:40 GMT from Hong Kong)
I just literally set up Rocky Linux last week among all those CentOS/RHEL derived distros. Given that Rocky really rocks and offers a solid experience (pun intended), I did not take the time to try AlmaLinux, maybe someday when it breaks but I don't expect that happening anytime soon.
Regarding xz-utils, luckily I use Void Linux musl-libc (which uses runit by default), so I was not affected, even though void-packages did offer 5.6.0 for a short time before the downgrade happened at https://github.com/void-linux/void-packages/commit/91928c86a196ab08f5dc8acb841fe56efdb6cc81.
Although Linux/BSD has an insane amount of distros, it's still a small world to notice something I'm interested in now and then via DW Weekly.
7 • Strange Rankings (by Aqua Fyre on 2024-04-08 03:12:11 GMT from Australia)
I like to watch the various Operating systems moving up or down in terms of their popularity. It's mostly a case of a few up or down uploads per week --- but that's not been the case between Mint & MX. It's been mostly within a range of less than 150 between them. All of a sudden - Linux plummeted more than 300 - so that the gap is now well over 450. By anyone's analysis - that is a massive drop with no apparent explanation. Perhaps someone can explain how this comes about.
8 • Fedora Switching Desktops to KDE (by InvisinleInk on 2024-04-08 04:14:39 GMT from United States)
Fedora announcing a potential switch to KDE reads like an April Fools prank. No way that happens because of their long-running investments in GNOME desktop development. Nevertheless, I’d welcome it.
9 • Fedora moving to KDE (by Microlinux on 2024-04-08 05:07:49 GMT from France)
That's excellent news. Hope they adopt it.
10 • Weekend connection issues (by Terry on 2024-04-08 05:28:21 GMT from United States)
The disruption that occurred you say is: denial of service (DoS) attack
Was this the same problem as a little while back, say a month or so ago, when it was disrupted then as well for about the same length of time or days?
Very strange. Seems coincidental. Your comments please.
11 • Weekend connection issues (by Terry on 2024-04-08 05:39:12 GMT from United States)
#11 - So the question is: Can this be prevented from happening again? Very strange! 2 downtimes a couple of months apart!
12 • Dr.Parted Live (by David on 2024-04-08 06:33:16 GMT from Serbia)
@Jesse Super+M is a shortcut for Menu. Firefox can be started with Super+R and the firefox-esr command. Also, in PCManFM under Places there is an Apps item.
13 • XZ (by ThomasAnderson on 2024-04-08 08:09:53 GMT from Australia)
>DistroWatch answers: The reason we are talking about the xz exploit is because the checks did work
Did it though? I'm not so sure about your answer. It slipped through all the cracks, checks and balances and got into distros ... and was only discovered by accident by developer Andres Freund after investigating a performance regression in Debian Sid. Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind, a memory debugging tool.
So the checks did not work as you say. It was discovered accidentally and then, yes, checks happened, investigations happened and alerts were issued.
If it were not for Freund, nobody would be the wiser.
>Did the xz/lzma exploit get packaged by your distribution?
Yes, in Devuan Daedalus. But as soon as I became aware of the issue I uninstalled the package/s.
For me personally, this attack has opened my eyes to alternative OS's, not just systemd-free linux distros, but different OS's. I just tried the latest beta4 of HaikuOS and was pleasantly surprised by how good it is, especially as my laptop is on the supported hardware list. But, the only issue I found was unusually high cpu usage (spikes) when running their own web browser. I didn't try yet with an alternative browser like Falkon, which is now available.
I want to turn to BSD, but I had a weird issue with NomadBSD where the panels and logout just stopped working. GhostBSD has no encryption. Now I will have to try MidnightBSD and if that doesn't work, FreeBSD and manually install a desktop like Mate.
I wish, FreeBSD came with an updated installer whereby you can install xorg and a desktop of your choice, or not. It would be so much more user friendly.
14 • @14 Devuan Daedalus and the xz exploit (by DaveT on 2024-04-08 09:06:54 GMT from United Kingdom)
I run Devuan Daedalus. It has no problems with the xz exploit because it needs systemd which Devuan does not have! Also, the version of xz and in particular the compromised liblzma5 file has to be 5.6 or higher. Devuan Daedalus installs 5.4.1-0.2 which is clean. So feel free to re-install.
As for BSDs: NetBSD is fun, I run OpenBSD which is nicely secure - and sometimes almost irritatingly so! Whichever BSD you decide on, they all have a definite learning curve. Linux is "inspired by UNIX". The BSDs still are UNIX! (adding UNIX-ish to avoid tedious discussions about the innards of BSDs)
15 • xz (by Ludditus on 2024-04-08 09:19:54 GMT from Romania)
"First, the testing and auditing process caught the backdoor quickly. The open source auditing process worked as expected." TOTALLY FALSE! The xz backdoor was identified BY PURE CHANCE, NOT AS PART OF A REVIEW PROCESS!
Something ELSE was slower, and someone was curious enough to investigate why this happened.
Why am I even reading DW? You seem to be living in a parallel Universe.
16 • xz experience (by Morton on 2024-04-08 09:38:44 GMT from Belgium)
I had the vulnerable library for several weeks on some snapshot of openSUSE Tumbleweed, but was not vulnerable due to the sshd service being inactive -- the Tumbleweed installer provides an option to deactivate SSH during installation. Here is an excerpt from the log:
2024-02-02 14:04:30|install|xz|5.4.6-1.1
2024-02-05 10:36:18|install|xz|5.4.6-1.2
2024-03-08 23:10:55|install|xz|5.6.0-1.1
2024-03-22 10:10:13|install|xz|5.6.1-1.1
2024-03-29 10:19:38|install|xz|5.6.1.revertto5.4-3.1
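An added example, not part of comment 16 or of DistroWatch's own text: given package-history lines in the timestamp|action|package|version layout quoted in comment 16, this Python script works out how long a backdoored xz build (5.6.0 or 5.6.1) was installed. The four-field layout, the version-release split on the last hyphen, and all function names are assumptions made for this example; the noise lines in the sample are constructed.

```python
"""Added example: exposure window for backdoored xz builds from a package log."""
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# Upstream xz releases named on this page as carrying the backdoor.
BACKDOORED = {"5.6.0", "5.6.1"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# The five xz entries are the ones quoted in comment 16; the comment line,
# the openssh entry and the malformed line are constructed noise.
SAMPLE_LOG = """\
# constructed comment line
2024-02-02 14:04:30|install|xz|5.4.6-1.1
2024-02-05 10:36:18|install|xz|5.4.6-1.2
2024-03-08 23:10:55|install|xz|5.6.0-1.1
2024-03-08 23:11:02|install|openssh|0.0-constructed
not a log line
2024-03-22 10:10:13|install|xz|5.6.1-1.1
2024-03-29 10:19:38|install|xz|5.6.1.revertto5.4-3.1
"""


class Window(NamedTuple):
    start: datetime
    end: Optional[datetime]        # None: a backdoored build is still installed
    versions: Tuple[str, ...]      # package versions installed during the window


def upstream_version(pkg_version: str) -> str:
    """Drop the packaging release suffix: '5.6.0-1.1' -> '5.6.0' (assumed layout)."""
    return pkg_version.rsplit("-", 1)[0]


def is_backdoored(pkg_version: str) -> bool:
    # Exact match on the upstream part. A prefix test such as
    # startswith("5.6.") would wrongly flag '5.6.1.revertto5.4-3.1',
    # the reverted build shown in the log above.
    return upstream_version(pkg_version) in BACKDOORED


def parse_history(text: str, package: str = "xz") -> List[Tuple[datetime, str, str]]:
    """Return (time, action, version) events for one package, oldest first."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 4:
            continue                      # malformed or unrelated line
        stamp, action, name, version = fields[:4]
        if name != package or action not in ("install", "remove"):
            continue
        try:
            when = datetime.strptime(stamp, TS_FORMAT)
        except ValueError:
            continue                      # unparseable timestamp
        events.append((when, action, version))
    events.sort(key=lambda event: event[0])
    return events


def exposure_windows(events: List[Tuple[datetime, str, str]]) -> List[Window]:
    """Merge consecutive backdoored installs into windows of exposure."""
    windows: List[Window] = []
    start: Optional[datetime] = None
    versions: List[str] = []
    for when, action, version in events:
        if action == "install" and is_backdoored(version):
            if start is None:
                start, versions = when, []
            versions.append(version)
        elif start is not None:
            # A clean install or a removal closes the open window.
            windows.append(Window(start, when, tuple(versions)))
            start = None
    if start is not None:
        windows.append(Window(start, None, tuple(versions)))
    return windows


def report(text: str, package: str = "xz") -> List[str]:
    lines = []
    for w in exposure_windows(parse_history(text, package)):
        end = w.end.strftime(TS_FORMAT) if w.end else "still installed"
        lines.append(f"{package} {', '.join(w.versions)}: "
                     f"{w.start.strftime(TS_FORMAT)} -> {end}")
    return lines or [f"no backdoored {package} build in this log"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The window only says when the package was on disk; whether the host was reachable through it still depends on the other conditions discussed in the comments, such as a running sshd.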
17 • RE: Fedora moving to KDE (by Ludditus on 2024-04-08 09:39:09 GMT from Romania)
@Microlinux: Sorry, Niki, but Fedora won't adopt KDE. The discussion didn't go that well, and Matthew Miller, the current Fedora Project Leader, has eventually closed the thread. Nothing will change in Fedora regarding KDE.
18 • Dr. Parted (by James on 2024-04-08 10:16:49 GMT from United States)
Does anyone know if Dr. Parted is just another clone of Parted Magic or if it is actually something different?
19 • xz (by Daustin on 2024-04-08 10:17:06 GMT from United States)
The xz exploit illustrates why major Linux distros should not make systemd the only init option available for their software. Not only does that limit the choices of users, it also gives hackers a broad target to attack.
20 • DoS (by Jesse on 2024-04-08 10:34:40 GMT from Canada)
@10, @11 We didn't experience any down time a few months ago. In fact, apart from the DoS issue this past weekend we haven't had any disruptions to service in ages. I think the last time was a few years ago when we had some IPv6 issues when migrating to our new/current server.
21 • fedora kde (by RiversofJustice on 2024-04-08 10:59:16 GMT from Croatia)
this fedora kde thing looks too good to be true. honestly I don't think they are capable of making such a good decision. there is too much nerd fanaticism which prevents them from rational thinking
22 • Fedora KDE (by kc1di on 2024-04-08 12:10:58 GMT from United States)
I too hope they adopt KDE, but I have a hard time thinking that they would. Gnome is in their culture. Even if KDE would make a better choice.
PCLinuxOS is not affected by this :)
23 • PHR (by Jesse on 2024-04-08 12:14:33 GMT from Canada)
@7: "I like to watch the various Operating systems moving up or down in terms of their popularity. It's mostly a case of a few up or down uploads per week --- but that's not been the case between Mint & MX. It's been mostly within a range of less than 150 between them. All of a sudden - Linux plummeted more than 300 - so that the gap is now well over 450. By anyone's analysis - that is a massive drop with no apparent explanation. Perhaps someone can explain how this comes about."
We don't measure install base, downloads, or popularity. We measure page hits. The number you see in the PHR tables is the average number of visits a distro's information page gets in a span of time (by default six months). You can see more details on this on our Page Hit Ranking page: https://distrowatch.com/dwres.php?resource=popularity
As for an explanation of why a project's rank would jump or drop, there are dozens of possibilities. Typically it's a new release that bumps up a project's PHR score, but it can be lots of other things. A project being in the news a lot, a bunch of YouTube reviews, one of the developers says something which catches attention, a project asks people to post reviews on various IT sites, etc.
On the flip side, six months after a bump in hits, those high scoring days are no longer part of the average and the average drops again.
24 • 503 error (by 503 error on 2024-04-08 12:16:57 GMT from Singapore)
I have had a 503 error at least twice (can't recall the actual number of times) in the past year.
25 • xz (by Jesse on 2024-04-08 12:19:56 GMT from Canada)
@15: "The xz backdoor was identified BY PURE CHANCE, NOT AS PART OF A REVIEW PROCESS! Something ELSE was slower, and someone was curious enough to investigate why this happened."
I think, at best, you're splitting hairs here. I sort of get what you mean. The developer who found the xz exploit was not looking specifically at xz as part of a formal code review process. That's true enough. But, I guess, my response to that is: so what?
The faulty xz package was found by a beta tester in Debian's development/Sid branch when it misbehaved and caused a problem (a slow down in this case). That's exactly what development branches are for, testing builds, looking for obvious problems, sorting out bad behaviour.
While the issue with xz manifested itself indirectly, the open source nature of each of the components and the way most Linux distributions set up testing branches before software hits production caused the flaw to become apparent to a beta tester and they tracked down the issue. This is why the systems we have are in place, this is proof they work.
Security is about layers, not one perfect solution. This is why some issues are found by users noticing issues, some are found in the build process, some are found by fuzzing attacks, some are found by code review. The point is, these layers caught the problem before the xz exploit made it to any stable releases. The process is working.
26 • Uninstalling SSH? Protective? (by eee shepherd on 2024-04-08 12:34:37 GMT from United Kingdom)
Started out uninstalling SSH along with 1000 other packages not needed on an eee pc with 3.23GiB ssd. Never needed it now always uninstall it.
Does not having SSH make one immune to this attack, or could a dastardly attack get around this one simple trick?
27 • xz exploit (by Jesse on 2024-04-08 12:52:18 GMT from Canada)
@26: "Does not having SSH make one immune to this attack, or could a dastardly attack get around this one simple trick?"
Yes, not having OpenSSH installed means the attacker can't trigger the exploit. Also not having systemd installed would protect you too. Or not having the latest version of xz would work too. The exploit really needs all three to line up together for the issue to work.
28 • Fedora and KDE (by Arvo on 2024-04-08 13:18:44 GMT from Italy)
Fedora will stick to GNOME, but Fedora KDE Spin is already much better than Workstation.
29 • Strange Rankings (by Aqua Fyre on 2024-04-08 14:38:30 GMT from Australia)
@23 - PHR -- Jesse - Thank you so much for explaining how these things come about. Your explanation throws a great deal of light on the matter. I appreciate your reply. Cheers
30 • xz exploit (by David on 2024-04-08 17:40:54 GMT from United Kingdom)
I got xz 5.6 in PCLinuxOS, but we are safe from the backdoor since we don't use systemd.
31 • Vulnerable xz (by Robert on 2024-04-08 20:38:48 GMT from United States)
Voted No. I run Arch, and they did have the package version installed, but as I understand openssh had to be patched to link against xz. Which Arch didn't do, thus there was no exploit installed.
But then the actual poll heading just says "was X version in the repos" in which case yes, it was in the repos but I didn't install it because I'm super lazy about updating. Once a month if I remember.
32 • XZ exploit could easily have passed unnoticed (by Martins on 2024-04-08 20:42:47 GMT from Portugal)
"The open source auditing process worked as expected", I don't think so, it was mere chance that a very attentive Microsoft engineer noticed the updated XZ package took a second (or a fraction of a second as he put it) to complete, that led him to investigate the cause. It could easily have passed unnoticed.
33 • xz and Void Linux (by picamanic on 2024-04-08 21:00:59 GMT from United Kingdom)
Void Linux does not use systemd yet I noticed that the xz package was revised back to 5.4.6_2 , without comment. Just playing safe, I guess.
34 • @28 Fedora and KDE (by Jan on 2024-04-08 22:21:57 GMT from The Netherlands)
@28 "Fedora will stick to GNOME, but Fedora KDE Spin is already much better than Workstation"
However with my oldish CPU I experienced Fedora KDE is a little "laggier" at using Firefox. I have the hope that with KDE6, FF functions without the lag-irritation.
Fedora Gnome behaves almost good, but has an irritating UI, which needs adaptions to get it to my preferences. (PS: And I want the icons of my programs to show on my display, I am not interested a "clean" fancy display-background).
And Fedora has a very frequent (irritating) update frequency (however openSUSE TW also has this).
@13 FreeBSD delivered with a standard DE (Gnome or KDE) I second that.
35 • XZ and Fedora KDE (by Pat on 2024-04-09 00:14:09 GMT from Canada)
I think the takeaway point here is that Linux is not immune to unscrupulous attack. I really hope the perpetrators were identified and criminally charged. The point is well made that with millions of lines of code, analyzing every line isn't going to happen by volunteers working in their spare time. It also goes to show that there are some very bright intuitive people helping to build Linux / BSD etc. This also highlights the risks of massive all encompassing, complex, and proprietary init systems and software. With say 90% of distros running that to start their systems, what better target to slip in some malware? I personally can't point to any identifiable problem I've had with systemD but it is that reaching its tentacles into everything that makes me very nervous. That is very microsoft! Everything tied together so that it can not be untangled. That creates easy targets. The bigger Linux gets, the more vigilance is needed. As for Fedora taking on KDE. Why? KDE-4 was the last real KDE. Plasma 5 was and is windows 10 for Linux. Same applies to Plasma 6. I'm sorry, but most Linux users are Linux users because they had enough of that wretched, insidious microsoft malware. Look at the documents on KDE's website. They work closely with microsoft! They are even working on a version of Plasma to run on windows. I and I suspect many Linux users don't want to get up in the morning or get to their office and log into something that looks and acts like microsoft windows. That's done! I have never understood that fetish in the Linux community to imitate ms windows. On the other side, you can't have Gnome without systemD. Fortunately, in this great Linux community we still have CHOICE! We can choose as light and minimalist as we desire, or as bloated, customized, and "eye candy" as we choose. We can still find a computing anchor point that suits us. I hope this level of freedom continues!
36 • systemd (by systemd on 2024-04-09 03:11:15 GMT from Singapore)
@35 "I hope this level of freedom continues!" This freedom is slowly and surely eroding away after the major distros switched to systemd. No major distros have a choice of an alternative init anymore!
37 • Freebsd desktop (by Freebsd on 2024-04-09 03:22:50 GMT from Australia)
@34 and @13 there is a script you can download after installing FreeBSD that will install a desktop for you, can't remember the name of it but I'm sure other users will be able to help. From memory it offers quite a few. Also plenty of easy to follow guides out there, Vermaden is particularly good while Trihexagonal (who comments here from time to time) used to have a great guide for Fluxbox WM.
38 • systemd (by ThomasAnderson on 2024-04-09 04:40:47 GMT from Australia)
How is it that people think systemd dependency in distros is freedom?
systemd-udevd, systemd-logind, systemd-homed, systemd-resolved, systemd-networkd, systemd-tmpfiles, systemd-localed, systemd-machined, systemd-nspawn, etc, libraries (libsystemd, libudev), a PAM module (pam_systemd.so) and a UEFI boot manager (systemd-boot), among other components. If any package needs any of these components, even if it is just one, it would pull sys-apps/systemd as a dependency.
So much freedom. Thanks systemd.
39 • systemd-kitchen-sink (by systemd-kitchen-sink on 2024-04-09 05:08:57 GMT from Singapore)
systemd-kitchen-sink is coming soon!
40 • testing and xz (by Appalachian on 2024-04-09 10:45:50 GMT from United States)
I'm going to have to side with @25 over @15 on this whole xz testing business. I've tested hardware and software professionally for many years. In my experience, particularly when testing software, bugs are found by accident. You set out to test one thing, that thing has some interaction with another module, and a bug caused by that other module shows up and affects the thing you wanted to test. Rigid, well defined tests are fine for verifying features, or making sure that a discovered bug has been squashed, or even for regression testing. But for finding new bugs there is no substitute for using the code and seeing what weirdness shows up.
41 • Conky on Virtual Machine ( Dr.Parted Live 24.03 Review by Jesse Smith) (by SAMO on 2024-04-09 11:16:36 GMT from Sweden)
Thank you for the review. I will try Dr.Parted Live.
Jesse wrote: "... I did note that the Conky panel did not launch when I ran the distribution in VirtualBox...."
I have been playing with Conky on different Linux distros and also on VirtualBox. The reason Conky doesn't show on a VM is due to the problem with nr of CPUs configured in .conkyrc or conky.config. I change my ~/.conkyrc and adjust the nr of CPUs (to the nr of CPUs I have configured in the VM) as well as the name of the wired lan network etc.
I ran conky from terminal to see what the problem is when conky status does not show on desktop. Then I correct the configuration in my ~/.conkyrc.
Best Regards /Samo
42 • @7 • Strange Rankings (by James on 2024-04-09 11:31:45 GMT from United States)
Remember rankings are just downloads. They will reduce when a new release is near, and ramp up after the new release. Less downloads could also mean more people are happy with the OS they are using and not Distro hopping. Not every download is someone coming from another OS so does not necessarily reflect the popularity of Linux or of any one OS. Take Ubuntu, I am guessing adding 10 years of support will likely reduce downloads.
43 • xz (by Gerald on 2024-04-09 11:36:59 GMT from Austria)
@25 "Security is about layers, not one perfect solution. This is why some issues are found by users noticing issues, some are found in the build process, some are found by fuzzing attacks, some are found by code review. The point is, these layers caught the problem before the xz exploit made it to any stable releases. The process is working."
Does this mean that LTS distributions are tested longer and are now more secure than rolling release distributions? Projects with more developers are better tested? Would an immutable distribution prevent code from being downloaded and stored through a backdoor? The code would not be stored permanently.
44 • Freebsd desktop (by Jan on 2024-04-09 11:42:17 GMT from The Netherlands)
@37 Thanks for the suggestion.
I found this: https://forums.freebsd.org/threads/desktop-environments-installation-script.93020/
Very interesting.
45 • Rankings (by Otis on 2024-04-09 12:41:37 GMT from United States)
@42 "Remember rankings are just downloads."
No they are not downloads, as explained by Jesse and as explained in the Page Hit Rankings link at the top of DW. Those first two words, "Page Hit" seem to be lost on some users.
46 • Rankings (by Jesse on 2024-04-09 12:44:27 GMT from Canada)
@42: "Remember rankings are just downloads. They will reduce when a new release is near, and ramp up after the new release. "
As I said above, the page hit rankings do _not_ measure popularity or number of downloads. It only measures visits to a distribution's information page.
@43: "Does this mean that LTS distributions are tested longer and are now more secure than rolling release distributions?"
Yes, almost always yes.
"Projects with more developers are better tested?"
Yes, definitely. More eyes on the code almost always leads to catching more bugs sooner and more testing.
"Would an immutable distribution prevent code from being downloaded and stored through a backdoor?"
No. You can still install new packages on an immutable distribution.
"The code would not be stored permanently."
It is, just not in the core of the filesystem. It's stored as a layer on top or in a user's home directory.
47 • Great writeups on xz & DW server! (by Luke on 2024-04-09 14:07:51 GMT from United States)
Great writeups on the xz shenanigans, Jesse! I don't do any distro hopping or bleeding edge stuff these days -- I've been happily chugging along using the latest Ubuntu LTS releases for many years at home -- so like most people I wasn't affected. And that was a very interesting tidbit on the DW server. It's stories like these that keep me coming back week after week despite not really paying much attention to distro releases. Thanks for all your hard work!
48 • about distros security (by frik on 2024-04-09 14:52:54 GMT from Moldova)
OpenSUSE security team has a nice article about their thorough audit of KDE 6, and how they patch upstream into their distro
https://security.opensuse.org/2024/04/02/kde6-dbus-polkit.html
It is a lengthy but very interesting article.
Also Ubuntu has a very nice security podcast. https://ubuntusecuritypodcast.org/
So yes, paid distros do a very good job, 'cause customers pay for that, but through their work (RHEL, SUSE, Ubuntu, Linux Foundation) everyone else benefits too.
49 • Great American Eclipse 2024 (by Physics Fan on 2024-04-10 09:06:32 GMT from Germany)
April 8, 2024 had millions watching a total solar eclipse. DW site search for eclipse or astronomy only had a couple hits. Could you review what if any distros are good for astronomy, eclipse watching, related radio observations, etc?
50 • @ 48 (by kc1di on 2024-04-10 10:41:21 GMT from United States)
Thanks for the links. Appreciated.
51 • xz (and bug testing) (by dragonmouth on 2024-04-10 12:25:13 GMT from United States)
No matter how much testing of software the developers and Q&A people do, new bugs and exploits WILL be found once the software is released to the users. For two reasons - 1) There are many, many more users than there are developers/testers (monkeys, typewriters, Shakespeare), 2) there will always be users who (ab)use the software in a way unforeseen/unintended by the developers.
52 • @systemd: (by dragonmouth on 2024-04-10 12:38:48 GMT from United States)
"No major distros have a choice of an alternative init anymore! " Devuan, Artix, PCLinuxOS, just off the top of my head, are "systemd-free". Also MX Linux, if you overlook the systemd-stub.
There has been a determined and concerted effort on the part of "major distro" developers to make Linux look, feel and work like Windows. Systemd is a big part of that effort - "one init to control them (programs) all!"
53 • inits (by Otis on 2024-04-10 13:38:09 GMT from United States)
@52 There are many init choices, but systemd seems to be the only one being adopted on a rather mass scale by distro devs world wide. Many users, such as myself, don't like that, but most of us confess to having and using at least one distro with that init. My linux usage is split almost evenly between MX Linux and Nobara Linux.
Speaking of confessions, a great number of linux users also sport Windows (10 or 11) on their machines, either as a multi-boot or stand alone and probably OEM.
That's just the computing world.. along with MAC.
54 • @systemd (by Jan on 2024-04-10 15:20:38 GMT from The Netherlands)
If more and most applications are made for Linux with systemd, do the distros which are systemd-free have to spend additional effort to make those applications work?
If yes, how do relatively small systemd-free distros like PCLinuxOS and AntiX (and with a small management-team), manage to keep thousands of applications working?
55 • systemd dependency (by JeffC on 2024-04-10 17:46:03 GMT from United States)
@54 Many of the applications are built upstream without any dependency on systemd because they are built to also work on the various BSDs and other OSes which have no systemd.
56 • systemd (by Jesse on 2024-04-10 21:28:54 GMT from Canada)
@54: "do the distros which are systemd-free, have to spend additional effort to make those applications to work?"
Yes, a little. A lot of services ship with systemd units now instead of init scripts. Some login functionality is often adjusted in non-systemd distros. Some projects need to build in shims to make it look like they are running systemd to make applications work.
It is not a huge deal, but it does keep getting harder to be a non-systemd entity in the open source community.
57 • systemd (by systemd on 2024-04-10 22:01:31 GMT from Singapore)
@52 What I meant by major distros are those "parent" distribution like Debian, Ubuntu, Red hat etc.
I started with Slackware and have used SalixOS, Ubuntu, Mint, antiX before switching to MX linux.
Have tried but not keen on PCLinuxOS due to its small development team which might just disappear overnight.
Looking to try FreeBSD next.
58 • Parent distro (by Jesse on 2024-04-11 10:12:50 GMT from Canada)
@57: One parent/independent distro that uses runit instead of systemd is Void. It tends to get overlooked, but it is remarkably fast, light, and cleanly designed.
59 • Parent distro (by systemd on 2024-04-11 12:49:10 GMT from Singapore)
@58 Thanks, Jesse. Have heard of Void but didn't try before. Might give it a try and see if I like it.
60 • Fedora GNOME vs KDE (by David on 2024-04-11 14:53:24 GMT from United States)
What I gather from reading some -- not all -- of the Fedora internal discussion, a consideration is to restore KDE from the "Spins" category to an equal status with GNOME, thereby removing the zero-sum aspect of the desktop competition that at times resembles disparagement. Because KDE was the Fedora default desktop until around 10 years ago, I personally have been puzzled by the position of KDE as a "Spin," which I view as a category that means "lesser alternative" than "Server," "IoT," "Cloud," or "CoreOS." Also, as I recall from my early days with Linux in the late 1990s Fedora KDE and GNOME were on equal footing, simply a choice that made neither superior.
61 • xz exploit and systemd (by anticapitalista on 2024-04-11 17:11:29 GMT from Greece)
From what I understand, the 'trigger' is not systemd as such, but sd_notify. sd_notify is used by elogind so any 'systemd-free' distros that use elogind will be affected.
62 • re: xz exploit (by Andrew on 2024-04-12 01:48:35 GMT from United States)
Methinks there should be one more poll option: a "Yes, BUT.." option for those distros that the exploit would have been impotent on (i.e., distributions that do not use the debian package manager or rpm, and ***SYSTEMS THAT DO NOT USE SYSTEMD***) :P. My answer to the poll would have to be "Yes", although my system would not have been targeted by it.
It was the strangest thing though! Literally the DAY before the exploit was announced, I had discovered that I had two different versions of that very library installed: one version in /usr/lib and another in /usr/lib64, (one of them was the malware-injected version and the other was not), which caused a runtime error. So when the very next day I hear about the exploit, my first thought was that had something to do with it..but nah, just coincidence.
63 • Fedora/KDE (by Andrew on 2024-04-12 02:10:12 GMT from United States)
I have to say, I'm slightly puzzled over what all the fuss is for re: whether Fedora makes KDE or GNOME the "default" desktop...is not Fedora with a KDE desktop just as readily available to install as one with a GNOME desktop? And as Fedora is not the MOST beginner-friendly distro there is, I would think most folks installing it would likely already have a preference between the two...but maybe not?
FWIW, when I ran Fedora on my laptop, several years ago, for a few months or so, KDE was the desktop I picked to be installed with it, and it was a VERY nicely polished, clean & smooth running KDE installation..I would recommend to anyone installing fedora to go with KDE as the desktop.
64 • Re: #61, sd-notify (by Andrew on 2024-04-12 02:29:33 GMT from United States)
I can confirm that at least Gentoo, which does have elogind, but by default installs with SysVInit with OpenRC as its init system, does NOT appear to have anything called "sd-notify"
65 • Fedora and KDE (by Otis on 2024-04-12 11:02:44 GMT from United States)
@63 That would be Nobara, all that with KDE and more. Amazing distro (if you can live with systemd).
66 • fedora kde (by peer on 2024-04-12 12:46:38 GMT from The Netherlands)
I tried the fedora kde spin last week. It looks very nice and polished indeed. There was one problem. There was a 'system update'. When I installed the update I had to restart the pc and then the update was applied before I could login. The update had more than 900 packages in it. The update took a long time. All this time I could not use my pc. Is this normal behaviour??
67 • xz (by Jerdle on 2024-04-12 15:02:22 GMT from United Kingdom)
Yes, but it didn't affect my system. I use Arch (btw), and it had 5.6.0 and 5.6.1 packaged for it, but ssh doesn't have the systemd patch.
Right now, the current version is in theory safe, but I don't fully trust it, because it's still 5.6.1, albeit built from git rather than the tarball.
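A way to run the checks raised in comments 62 and 67, as an added example that is not part of any commenter's post or of DistroWatch's text: it lists every liblzma copy in the library directories, flags the 5.6.0 and 5.6.1 version strings mentioned above, and tests `ldd` output for a liblzma dependency. The function names and the directory list are assumptions.

```shell
#!/bin/sh
# Added example (constructed for this page): inventory liblzma copies by file name.

# Print the version embedded in a name such as liblzma.so.5.6.1; fail otherwise.
lzma_version_of() {
    base=${1##*/}
    case "$base" in
        liblzma.so.[0-9]*.[0-9]*.[0-9]*) printf '%s\n' "${base#liblzma.so.}" ;;
        *) return 1 ;;
    esac
}

# Succeed for the two releases named in comment 67.
is_flagged_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "path<TAB>version<TAB>verdict" for each real liblzma file in the given
# directories. Symlinked directories (merged /usr) and symlinked sonames are
# skipped so each file is reported once.
scan_liblzma() {
    for dir in "$@"; do
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        for f in "$dir"/liblzma.so.*; do
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            ver=$(lzma_version_of "$f") || continue
            if is_flagged_version "$ver"; then verdict=FLAGGED; else verdict=ok; fi
            printf '%s\t%s\t%s\n' "$f" "$ver" "$verdict"
        done
    done
}

# Count distinct versions found; more than one is the mixed install from comment 62.
distinct_versions() {
    scan_liblzma "$@" | awk -F'\t' '{print $2}' | sort -u | wc -l | tr -d ' '
}

# Read `ldd` output on stdin and succeed if the binary loads liblzma.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# Directories are assumptions; adjust for the distribution's layout.
scan_liblzma /usr/lib /usr/lib64 /lib /lib64 /usr/lib/x86_64-linux-gnu
```

Piping `ldd "$(command -v sshd)"` into `links_liblzma` shows whether the local sshd loads liblzma at all. A FLAGGED verdict is only a version-string match: as comment 67 notes, a package can still read 5.6.1 after being rebuilt from git rather than the tarball.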
68 • fedora kde (by Arvo on 2024-04-12 15:18:27 GMT from Italy)
@66 Better to install using "Fedora Everything" (net installer): it allows you to choose any desktop.
Number of Comments: 68