Domain: debian.org
Stories and comments across the archive that link to debian.org.
Comments · 7,134
-
wpa_supplicant has patches, but not Debian
wpa_supplicant recently got patches for CVE-2019-9494, 9495, 9496, and 9497 through 9499.
They don't apply to the Debian 9 "stretch" package of wpa_supplicant because the fixes "heavily depends on the code added after wpa 2.4 release, so porting it is not practical." The maintainer recommends using a strong password until someone finishes a stretch-backports package.
-
Re:Distribution is copyright
I would argue that mirroring CentOS is not "making, using, or selling" it. Therefore you would not violate a patent by distributing code which describes its implementation. No need to look for patents before distributing, only making, using, or selling.
I'm sceptical about that. FWIW, I did a quick search and found this: Debian Community Distribution Patent Policy FAQ
Can injunctions be issued against FOSS distributions?
Yes. If a FOSS distribution was found to infringe someone's valid patent, a permanent injunction against continued distribution of the infringing program or feature might well occur.
("Distribution" is confusingly used in two senses here, but I think the latter one is relevant.)
I have heard that distributing source code is safer than distributing object code. Is that true?
Yes. Distributing source code is probably safer than distributing binaries, for a few reasons. First, source code, like the patent disclosures themselves, teaches how the invention works, rather than being the invention. ...
So maybe you'd be alright if you were only going to distribute source.
-
Wiki infrastructure
I have been wondering for a long time why the Arch wiki contains so much more (high-quality) content than the Debian wiki, although the developer and user base of Debian should be much higher.
One reason also here could be infrastructure. The Arch wiki
-> https://wiki.archlinux.org/
is a mediawiki instance, which looks much more attractive than Debian's wiki
which is a moinmoin wiki instance. I can understand that the motivation of users and developers is higher if they can create something beautiful.
Are there other reasons for the quality difference?
-
Re:the culture of containers
Oh hey look, another unfixed debian bug.
-
Re:if that
You can search by submitter. For example:
https://bugs.debian.org/cgi-bi...
The op set up his slashdot profile to hide his email address though.
-
Re: email client
If it bothered me I might, but I've been satisfied with their current system for hosting threaded mailing list discussions. I guess he's just wishing there were a different user interface that would be more convenient?
Generally, as long as you have decent References and In-Reply-To headers, threading works fine on most decent mail clients.
Or perhaps mirror it to an NNTP server?
-
Re:Package Tools are the worse
True, and contrary to quite a few other posts here, there is a lot of activity and updating/modernization going on. For example: Debian Continuous Integration which is only a few years old.
I think the disgruntled maintainer should consider running for the Debian Project Leader position which is open right now and advocate for changes he wants.
-
Re: email client
If it bothered me I might, but I've been satisfied with their current system for hosting threaded mailing list discussions. I guess he's just wishing there were a different user interface that would be more convenient?
-
Re:Software pipeline security
> Note that apt for both debian and ubuntu are all signed packages by default as well.
If you have a reference for that, I'd be really interested. Most of what I've read indicates that Debian and Ubuntu packages themselves are not signed, only checksummed (which is why this vulnerability exists to begin with). Only the package metadata is signed.
-
Worse than Chrome OS or Android?
Nothing is more critical than keeping mega corporations from taking your data and spying on you.
Laptop and detachable computers sold in big box stores tend to come with one of three operating systems: Windows (which spies on its users), Chrome OS (which spies on its users), and Android with Google Play (which spies on its users). Though some can be coaxed to run third-party replacement operating systems, they aren't warranted to do so. In fact, many models have severe problems with broken or missing drivers when running anything but Windows (such as the ASUS Transformer Book T100TA, as reviewed by a Debian volunteer). Which is the least of three evils?
Or does Apple deserve a monopoly?
-
Re:Better solution: less Intel
I would like to see more ARM, RISC-V, and MIPS chips out there to loosen this unnaturally bad dependence upon two vendors: AMD and Intel. Both make shitty processors but AMDs are just less so.
The architectures vulnerable to MELTDOWN are Intel Core, some variants of IBM POWER/PowerPC, and... arm64. Now tell us again how wonderful ARM is.
If someone can figure out how to get MIPS to scale up to reasonable clock rates, then maybe it has a future outside of embedded. But nobody has managed it yet. It's left down in low-performance limbo with SuperH. ARM made it out of that hole, but it's the only one of that ilk which has.
-
Re: US govt propaganda
Appears so! Quite a food fight there. I wonder if the bug was ever reopened... Talk about security nightmares...
-
The fuck
Don't tell them about "The Fuck"
https://packages.debian.org/fr...
It is actually a nice tool: if you mistyped a shell command, just type "fuck" and it will attempt to fix it for you.
-
Rename Debian
The name "Debian" is a combination of the first names of Ian Murdock and his wife (Debra). By placing the woman's name before the man's, "Debian" is clearly misandristic (hatred of men, counterpart to misogynistic). The name should be replaced with something neutral which doesn't offend anyone.
-
Re:What a bunch of pansies
But neither of those things actually happened, did they?
There have been two attempts to remove swearing recently, one for the Linux kernel and one for JRE. First was completely rejected despite Linux having recently adopted what was supposed to be the worst possible SJW-infested Code of Conduct imaginable, and the JRE one was mostly rejected except for a few small changes.
In this case the decision was not in any way based on the package name having the word "boob" in it, as you would know if you had bothered to read the actual post on the Debian mailing list. In fact, other packages with "boob" in the name remain because they were not doing the thing that Weboob was doing which got their package removed.
-
Re:Boobs!
It's not in their heads, the project itself went out of its way to get boobs into everything. Look at the official list of apps, half of them work "boob" into the title for no reason by dropping the "we".
It already had to patch out homophobic slurs from the output. Not a comment in the source, the output of the binary.
The principle here is outlined in this post on the Debian mailing list.
This whole discussion reminded me of a campaign by the German project
pinkstinks.de called "Sexy yes, sexism no": https://pinkstinks.de/sexy-ode...
Summary in my words:
It's fine to show a woman in underwear if you try to sell women's
underwear (left picture: "Bra 29 EUR").
It's not ok to show a woman in underwear if you try to sell a chair
(and the scantily clad woman is just decoration / an object to draw
attention to the ad) (right picture: "Chair 199 EUR").
I think that explains the issue of objectification quite well.
-
Re:Git's days are numbered.
and knob.
As an American I'd argue that UK English is a minor dialect that we can safely ignore. Commonwealth English is more prominent and essentially the same as UK English with the most speakers in India, Nigeria, and UK. If we only count those who speak Commonwealth English as a first language then I believe the UK has the most speakers. Jamaica wins as a percentage of Commonwealth English as a first language (beating UK and Ireland).
Thank you for listening to my ridiculous reductionist rhetoric.
-
Links
After digging deeper, I've decided to provide links and no commentary
https://translate.google.com/t...
(although some of it is in English)
http://weboob.org/applications...
https://lists.debian.org/debia...
http://laurent.bachelier.name/...
https://git.weboob.org/weboob/...
https://git.weboob.org/weboob/...
-
What about freedict - Debian's Dictionary DB
Sounds worse than Weboob in my opinion...
-
One thing that would help
Would be for an ethereum client to be available in the debian ecosystem. At least from the debian perspective, ethereum is dependencies piled on top of dependencies, none of whom have been properly vetted, and some of which have recently been shown to be actively malicious.
-
Re: What, 20 years ago? Arguable.
There is no "Debian Linux."
"This operating system that we have created is called Debian."
"Debian systems currently use the Linux kernel or the FreeBSD kernel."
"A large part of the basic tools that fill out the operating system come from the GNU project; hence the names: GNU/Linux, GNU/kFreeBSD, and GNU/Hurd."
-
Re:Why local privilege escalations matter
You still have to get the user to somehow run this script.
Only the user?
Considering that scripts aren't even executables as such to begin with, and the considerably better average computer literacy among Linux users, this doesn't sound like too much of a threat.
Oh honey, I'm on a red team. Linux users are just as easily hacked as any other. Find what repos they use and choose one. Set up an in-line invisible proxy. Nearly every corporate client has one anyway in their security gateway. Inject the script into the install scripts, or the less used running scripts, or the commonly used package maintainer scripts. Pin the new modified package in the proxy cache. Next time the user updates the package our script will install with all the permissions the package had and ready to be executed.
How can you avoid this? Use the almost unheard of SecureApt, know if your employer is MITM your system (probably if you didn't install from bare metal yourself), and use a second channel to verify authenticity. That means being on a different network, going to every single package's website and getting the hash, then calculating the hash and comparing yourself. If you let a script do it, guess what I will find and do?
The trend of otherwise knowledgeable people knowing shit all about their own system's security keeps both my paychecks and stress-level high.
-
martin f krafft has some crazy ideas
I was reading through the discussion on the Debian bug site and Martin has some crazy ideas. He thinks that eventually the default mail router should be gmail and that /etc/resolv.conf will be removed.
-
Re:use www.devuan.org
No apt-gettable bugfix as of this writing.
But it seems Debian doesn't even run systemd-networkd by default (at least my Stretch doesn't).
And I had already disabled IPv6.
-
Re:So similar risk to accidentially typing 'sudo'
OK, it's more nuanced than that. The Xorg server isn't suid, but there is an Xorg.wrap binary that is suid, which provides xstart/xinit functionality from a physical console. So not exploitable remotely, e.g., ssh, but shared public Linux machines are vulnerable. Those would be rare, but admins better move to get them updated. Debian already has fixes except for buster.
-
Re:Privilege escalation unlikely
From the man page "By default Xorg.wrap will only allow executing the real X server from login sessions on a physical console."
My reading is, you are only vulnerable if you hand your computer over to a black hat complete with login details. I don't know about you, but I never do that. Likewise, hosting is not vulnerable because no physical access. School and public library computers are vulnerable. Those would be rare.
BTW, fixed in jessie, stretch and sid, but not yet in buster.
-
Re:Mac Support Cost about $0
I installed debian stable to a bakery's boy's ASUS Eee 1000 netbook
You dodged one there, as the same company's Transformer Book T100TA has serious problems under Debian. Suspend, Bluetooth, backlight brightness, and camera are all broken, and you might need a separate USB network adapter to download nonfree drivers for the WLAN and audio.
-
Re:Do this right away
Debian status of this vulnerability
Looks like fixed in Sid (I'm ok!) but testing and stable are still vulnerable as of right now.
-
Re:Are students being prepared?
Linux just works on modern laptops, including wifi, chipset power management, sound, GPU
With some big exceptions. See experiences installing Debian on an ASUS Transformer Book T100TA. Power management, suspend, hibernate, screen brightness, Bluetooth, and camera are all broken, and WLAN and sound are broken in Debian main because they require nonfree firmware distributed separately. Good luck downloading a WLAN driver with broken WLAN; you'll need to instead buy a supported USB Ethernet adapter.
-
Re:No
The Debian logo is non-free because they used a non-free font.
Did that just blow your mind?
The debian logo is released under the LGPL v3 or CC BY-SA 3.0, the restricted use logo adds the bottle https://www.debian.org/logos/i...
(But you are correct that a commercial font was used in the creation).
-
Re:Are students being prepared?
Which other "ubiquitous and cheaper hardware options" for fully GNU/Linux-compatible laptops are any good, so that a city school system or a community college can compare their prices? Buying a Windows laptop just to wipe it and install GNU/Linux still involves paying the Windows tax. Nor does the maker of a Windows laptop offer a guarantee that accelerated graphics, audio, WLAN, Bluetooth, backlight brightness, and suspend will work under GNU/Linux. See, for example, everything that's broken or missing on ASUS Transformer Book T100TA.
-
Debian + Torproject .onion listing
-
Re:logical conclusion
Why would I want to run Windows, AT ALL, even in a VM, even with a gun to my head, when there's GNU/Linux?
One possibility is that the hardware you have isn't very compatible, such as an ASUS Transformer Book T100TA, and PC makers specializing in GNU/Linux (such as System76) don't offer replacement laptops in your preferred size range. WSL makes Windows into a hardware abstraction layer (HAL) for a GNU system.
Damnit, quit making sense! I was having a good time shitting on Microsoft...
LOL... Okay, that's... a grudgingly admitted point.
-
Re:logical conclusion
Why would I want to run Windows, AT ALL, even in a VM, even with a gun to my head, when there's GNU/Linux?
One possibility is that the hardware you have isn't very compatible, such as an ASUS Transformer Book T100TA, and PC makers specializing in GNU/Linux (such as System76) don't offer replacement laptops in your preferred size range. WSL makes Windows into a hardware abstraction layer (HAL) for a GNU system.
-
Re:Allwinner is garbage
Allwinner is garbage. This is the shit you get in those chinese Raspberry Pi clones.
Uhm, what? They run circles around anything Raspberry Pi can do. Here's for example why rpi open firmware died because Raspberry is utter shit. And just see what the author recommends instead. Allwinner is a cheap-and-cut-corners alternative, but at least it gets shit done. Its support is also mostly nonexistent, but the community managed to write free drivers — including beating the ATF into shape, so it's ready, included in Debian and mostly merged upstream (this one lacks a few patches for Pinebook/etc).
-
Re: Consoles are stupid
How is [console lock-in] different from being locked into windows?
Consider two differences between a PC running Windows and an Xbox One running the Windows 10-derived Xbox One system software:
PC users are not locked into Windows
Most PCs can have a second operating system installed, except for those whose hardware has missing or broken drivers for anything but Windows. (One example is the ASUS Transformer Book T100TA.) The phenomenon of Restricted Boot, where an x86-64 PC's owner cannot disable UEFI Secure Boot or reconfigure its keys, was banned in the Windows 8 era and rejected by the market in the Windows 10 era.
Windows users are not locked into Microsoft Store
Windows users can install other stores (such as GOG, Humble, Steam, or Origin), download stand-alone executable installers, or build applications from source code. Microsoft's attempt to extend the Windows brand to more locked-down devices (those running Windows Phone 7, 8, and 10, Windows RT, and Windows 10 S) largely failed in the market.
In exchange for this lock-in, consoles offer alleged ease of use.
-
Not even close
Half of humanity isn't even on the internet yet. Only a minority of internet users use cryptocurrency, and of the ones that do, many don't use it for very much that's substantial in their lives. We've got at *least* another doubling of value to go.
One way to get to the next billion would be, oh I don't know, a working ethereum client in debian.
-
Re:it is this sort of shenanigans
why i would rather just buy a x86_64 laptop and wipe windows off and put Linux on it
Would you prefer a laptop on which accelerated graphics, audio, network, screen brightness, and suspend work or don't work? Because there are a lot of laptops for which these work in Windows but not GNU/Linux due to missing or broken drivers. See experiences installing Debian on an ASUS Transformer Book T100TA for example.
-
Some hardware incompatibilities remain
Probably hardware differences. Debian's own wiki acknowledges plenty of problems getting Debian GNU/Linux to behave on, say, an ASUS Transformer Book T100TA.
-
Which apps break in ARM?
Debian calls 64-bit ARM "a first-class release architecture in Stretch, with almost all packages built, and the standard installer working on various machines, and quite likely to work on new ones." Among those few applications in Debian's repository that fail on ARM, which are most critical? Or by "application support" are you specifically referring to Wine, Steam, and Steam Wine?
-
Re:And then...
I do hate this defeatist attitude. You use Debian without systemd (I do). You can turn to Devuan or Slackware. In any case, if you characterize yourself as "professional", contribute to one of those options if you want to keep systemd-free Linux distros viable, instead of whining.
That's how it works around here.
-
Re:Thank you, developers!
-
Donation link.
Debian is one of the good guys. In a world where more and more software scrapes your data and monetizes you out the rear, Linux distros like Debian are trying to hold the line of keeping YOU in control of your computing experience, rather than a huge multinational in control.
I'm sure someone will point out they are not perfect, and that is true, but compared to Windows, Android, iOS, and others, Debian does a damned fine job of keeping your computer, your computer.
I donate to them once a quarter, to try to tilt the balance away from user-hostile software, hyper-monetization, and corporate spyware everywhere.
-
Re:Should be open source and run on all Linuxes
You will notice that while SteamOS claims to be open source, actually the critical parts of it like the client, are closed source.
SteamOS is Debian 7 or 8 for x86 and x64. The OS is completely open source.
100% of the OS source code is available here: https://sources.debian.org/
You are confusing the steam client application as being part of the OS, but it is just an application program.
Having a closed source program running on an open source OS does not ultimately make the OS anything else but open source.
There are lots of other closed source applications that run on Debian, steam client isn't the only one.
None of those being installed make Debian any less open source.
Hell, my wifi and nvidia drivers installed on my Debian system aren't open source, but that doesn't change the license of Debian whatsoever.
If you don't like the steam client license, don't install their debian repo and apt-get it, and don't purchase a computer with that setup preloaded. It's that simple.