This is more or less what's happening, yes (on mozilla.debian.net).
But by policy, it shouldn't be possible that a package silently adds itself in the sources.list, and the user should be prompted (with a GUI dialog?) so that he can explicitly choose to trust or not. I'm not trying to impose my choices on you, I just don't want Google to silently impose their view on both you and me. That's a big difference!
Which is what I agree on: there's the lack of a cool GUI to do that. But it shouldn't be restricted to "really popular packages like Chrome, Firefox, etc". That is a very narrow view of the usage of the "universal operating system"! :)
You are repeating yourself, so I'll do the same. In that case, Firefo^w Iceweasel in the Stable repository "just works" (tm) and nobody FORCES you to use the very latest backport, since it's fine for the vast majority of sites. You just have that option if you are a geek, and like to tweak your system. So again, what's the problem here? That you don't have the very latest version of software X by default? Then what would be software that would deserve an update that others wouldn't have, what should be the policy and rules? It doesn't make sense... We set a rule for all packages, and stick to it, then you have backports if you like it, as an option, and you are free to pick up the backports you like.
What I think is missing, by the way, is a very simple GUI so that you could easily pick up a backport for a given software if you would like to do that. But certainly not at all having some apps changing version in what we call "stable" because things don't change... And certainly not do that just with the browser, because you seem to like it this way. You know, there are some companies that have in-house software that do depend on a specific version of the browser (yes, most of the time, because of a very ugly web-based software, but that's not the debate). How would you address both YOU and THEM? Simple: give people a choice to use (or not) backported software. Don't force everyone to do something just because you like it this way!
This average desktop user that you are talking about doesn't care either to have the very latest version of anything, so he is fine with what's in Stable.
In that case do: System -> Administration -> Software source. Yes, we have that in Debian too... As well as the "Software Center" (the exact same one as in Ubuntu, just without the word "Ubuntu" in it, and without the non-free software like Skype and so on, of course...).
Gosh, hell no!!! I do want to do that manually, and I refuse that anyone touches my sources.list. This is my file and it's under my responsibility only. I totally refuse that someone else takes over something as important as my sources.list. You should never allow any package to have the rights to do that. And especially not the guys from Google.
Well, even with releases that are every 6 months, Ubuntu has so many issues. The reason of that is simple: they import stuff from SID without having much look into the bug tracker. I quite know, because I've seen some of the packages I maintain going this way. It's quite incredible and scary to see this happening with security issues too, especially when you know that this is for 75 to 80% of the packages (which are all coming from Debian). So when you are telling me about "regression tested before you allow them in" it just makes me laugh. This is simply not happening even right now already!
Do I have the guarantee with Debian backports? Does it get as much "love" as the main branch? I sincerely doubt it.
Did you realize that we moved from backports.org to backports.debian.org about 9 to 12 months ago (sorry, I can't remember the exact date)? Did you understand that it means that backports are now an official channel, on which you can submit bugs? That also means that now, we consider security issues in backports as well. That's a lot of a difference compared to one year ago.
Turned out it was a PDF with a form and the built in PDF reader (evince, I think) didn't handle that. At least, I could remotely login and install Adobe Reader from the repository. I know Ubuntu has it. Debian might in the non-free section, but I'm not sure.
You didn't install Adobe PDF reader from the Ubuntu repository, because it's simply not there. You can make a search on http://packages.ubuntu.com/ if you don't trust me. What you did, I am guessing, is that you used the "software center" which shows some non-Ubuntu repositories. But anyway, even in Debian, you could have downloaded it directly from Adobe: http://get.adobe.com/reader/
Still, for me, lacking compiz[...]
We do have Compiz, simply it's not there by default because not everyone runs with a fancy 3D card. About the "polished themes", frankly, I agree. The graphics in Debian just sux. We did some kind of competition, and there were not so many contributors, so finally, the space-fun theme won. It's funny, but not exactly very pretty, and this really is crap. Many Debian Developers regret this, but we simply don't have skilled enough people that want to contribute. I wish we had some very good designers... :/ About windows 7, frankly, when I need windows (which isn't often, mostly for my stupid bank here), I use XP, and it is running the win2k theme, because I hate the new ones which are anyway slowing down the system.
As for the language, well, I've setup some Debian system fully in Chinese, and I didn't have any issue doing that. So I don't get what the problem is, really. Even in Ubuntu, I had to spend some time to install the needed fonts which were not there by default, add a correct input method (namely, sunpinyin, because otherwise, it sux).
I've run Ubuntu in few desktops, liked it for a while, after let's say 2008/2009, it started to have issues. During that same time, Debian got better, and especially since Squeeze, where the multimedia system now is rock solid, thanks to the huge effort of the multimedia team. There's still a couple of issues (like it took me a long time to figure out I needed to add snd-seq-virmidi / snd-seq-midi-event / snd-seq-midi-emul in my /etc/modules.conf to be able to use jackd correctly), but that's only when you do advanced things (I don't think lots of people need jackd). All together, I'd advise people to try AGAIN Debian, since it got way better on the desktop since Squeeze. I've also seen the latest LXDE, and frankly, I'm tempted to switch to it, since frankly, Gnome sux (it's incredible to have to wait few seconds when you double click on a folder when I have a multi-gigahertz processor).
It's also in backports.debian.org, which is the backport repository that is official, not the one you mention. In Debian, remember that all of the debian.org URLs are to be considered official, and all the debian.net are just URLs that one Debian Developer decided to create (any DD can create a debian.net subdomain using its PGP key, and for whatever usage he wants). So switch back from the mozilla.debian.net to backports.debian.org, and you won't have issues.
I would also add to this that since Squeeze, backports.debian.org is now officially supported (eg: we do security maintenance for packages there, and the security team is involved), and that more and more, we upload lots of things in there, especially for the desktop (like, X got recently backported thanks to the huge work of Kibi, firefo^w iceweasel, libre office, etc.).
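The debian.org versus debian.net distinction drawn in the comment above can be checked mechanically against a machine's APT sources. The following is an added example, not part of the original thread and not Debian's own tooling: it parses one-line `sources.list` entries, classifies each host, and reports entries that were not present in a previously reviewed copy of the file. The sample file contents, the `apt.vendor.example` host and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# One-line APT source format: type [options] uri suite [components...]
ENTRY_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$"
)

# Constructed sample: the file as the administrator last reviewed it.
BASELINE = """\
# constructed sample, reviewed by the administrator
deb http://ftp.debian.org/debian squeeze main
deb http://security.debian.org/ squeeze/updates main
deb http://backports.debian.org/debian-backports squeeze-backports main
"""

# Constructed sample: the same file after two entries were appended.
CURRENT = BASELINE + """\
deb http://mozilla.debian.net/ squeeze-backports iceweasel-release
deb [arch=amd64] http://apt.vendor.example/deb/ stable main  # third party
"""


def parse_sources(text):
    """Return one dict per non-comment line; unparsable lines get an 'error' key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            entries.append({"line": lineno, "error": raw.strip()})
            continue
        kind, _options, uri, suite, comps = m.groups()
        entries.append({
            "line": lineno,
            "type": kind,
            "uri": uri,
            "host": (urlparse(uri).hostname or "").lower(),
            "suite": suite,
            "components": tuple((comps or "").split()),
        })
    return entries


def classify(host):
    """Map a host to the trust class described in the comment above."""
    def under(domain):
        # Match on a label boundary so "notdebian.org" or
        # "debian.org.attacker.example" never count as debian.org.
        return host == domain or host.endswith("." + domain)

    if under("debian.org"):
        return "official"
    if under("debian.net"):
        return "developer-run"
    return "third-party"


def entry_key(entry):
    return (entry["type"], entry["uri"].rstrip("/"),
            entry["suite"], entry["components"])


def unreviewed(baseline_text, current_text):
    """Entries in the current file that are absent from the reviewed baseline."""
    known = {entry_key(e) for e in parse_sources(baseline_text)
             if "error" not in e}
    return [e for e in parse_sources(current_text)
            if "error" in e or entry_key(e) not in known]


if __name__ == "__main__":
    for e in unreviewed(BASELINE, CURRENT):
        print(f"line {e['line']}: {e['uri']} ({classify(e['host'])})")
```

On a real system the same check would also need to cover the files under `/etc/apt/sources.list.d/`, which is where packages normally drop their own entries.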
Exactly since when Debian allows to have multiple versions of a single package installed on your system? Have you been running RPM based system for too long for saying something like that?
And also, firefo^w iceweasel in Debian stable "just works". It's just simply a bit outdated, but that's fine with the vast majority of sites, and it gets maintained through the normal security process of Debian. So what are you talking about exactly? You have both the choice of running an old and an up-to-date version. The stable version is stable, meaning it's not updated often. If you're not happy with that, use testing/unstable, or use few backports. What do you want more? I think you're just whining with no valid reason here, and that you don't really know/used Debian.
I know one person that has been using Debian Unstable for 10 years without much issues. Most of the time, when you have a problem, you just need to wait few days, do an apt-get update/dist-upgrade, and it fixes by itself. There have been serious issues (like for example the lib64 symlink missing from libc6), but that gets fixed the next day.
SID
I've been thinking of switching completely to Debian, but the amount of work to get that running right as a modern desktop is daunting.
What "daunting" work are you talking about here (despite the browser thing below)?
I can do it, I have done it, but for example, to have a modern browser you either have to manually install it bypassing the package management (bad!) or use backports to get modern compiles of iceweasel. Neither is optimal.
What's so wrong about using backports.debian.org? Is it so hard to add one line to your /etc/apt/sources.list? Why is this sub-optimal?
Oh, maybe you mean ... like SID? (see the rolling release BoF at the last Debconf 11 in Bosnia.)
If you need faster releases, just use Debian unstable.
Reminder: "unstable" doesn't mean "crashes often", it means that it's a moving target.
I know what PGP is. My real-estate agent, doctor, school business office, and parents do not.
So do a good action and teach them. Anyway, if they can't do that, they aren't safe persons which will be able to manipulate encryption the correct way.
Aside from that, PGP is *not* easy to use, especially when you have people who may have Macs or Windows or whatever
In all Macs or Windows or whatever, it is possible to install Thunderbird and Enigmail, which aren't that hard to use.
A fax machine has one standard implementation that is guaranteed to work no matter what
Which standard encryption are you talking about here? I never heard about such thing implemented as a standard on fax machines.
It's even worse than what you are saying. Samsung is the biggest initiator of Xen running on the ARM platform. If I'm not mistaken, they even are the host for the next Xen summit in Seoul in a month or 2. And that, it seems nobody spotted it here at Slashdot, but if the news is correct, does that mean that Samsung is giving-up on Xen, and its ARM port? I hope not! If so, that would be quite a bad move with lots of consequences for the Xen project. Maybe Samsung got tired of investing so much research and development in Xen? It'd really be interesting to know what's going on here.
Yes, you are right, people don't know how to use PGP. But that doesn't invalidate my point that email can be 100% safe if you use the proper tools, and that the technology exists.
My sentence still stands "every person that I meet is able to send me email", they "just" need to learn how to do it. Since I'm a Debian Developer and that I exchange so many email with the community, there's a quite big amount of people I know that actually do use GNUPG. In fact, we very often sign outbound emails, a lot more than we do use PGP encryption, since we need more often authentication than encryption (for example, to publicly voice an opinion or vote).
Just for the record, you wrote: "The last time i tried out PGP (years ago), the sender had to have it installed on their machine.". Well, it's not even that. The sender also needs to fetch the other party's public key, and make sure that this key hasn't been spoofed by a man in the middle. This is the exact reason why you want to put your fingerprint on your business card: people this way can actually check that they are encrypting with your public key, and not the one of the man in the middle. I guess you know that, since you tried PGP, but it's better to make sure everyone understands that we have the same exact authentication issue as with SSL certs.
Last thing, about availability on your mail client. Under Thunderbird, it's few clicks away. You just need the enigmail plugin (which by the way is packaged in Debian, so it's just a single "apt-get install" away). That plugin is extremely easy to use, once you know how PGP works.
Frankly, all together, the issue is only people (non-)knowledge of this system. Because it's safe, and really not hard to use once you have your keyring setup. In a large organization, it would be quite easy to setup by an administrator, if he had his hand on each workstation/laptop. Oh, and of course, it's the responsibility of everyone to keep its private key safe, and that's maybe a bigger issue. In Debian it's even a bigger one since we use these keys to upload packages in the archive, but in a corporate world, the keys wouldn't be used for something else than signing/encrypting message, so it's less of a concern (only the one who got his private key stolen would have the issue to receive emails that could be decrypted, and someone else possibly spoofing his identity).
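The fingerprint check described in the comment above, as an added example that is not part of the original thread: it computes the version 4 OpenPGP fingerprint (RFC 4880, section 12.2) of a key fetched over an untrusted channel and compares it with the fingerprint read off a business card. The key material is a constructed stand-in, not a real RSA key, and the function names are illustrative.

```python
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time,
    algorithm id 1 (RSA), then the MPIs n and e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body itself.
    The user ID (name, e-mail) is not hashed, so two keys carrying the
    same name still have different fingerprints."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def as_printed(fingerprint: str) -> str:
    """Format a fingerprint the way it usually appears on a card."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


def normalise(card_text: str) -> str:
    """Strip spacing and case; insist on the full 160-bit value.
    A short key ID (the last 8 hex digits) is rejected rather than compared."""
    fp = "".join(card_text.split()).upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("expected a full 40-hex-digit v4 fingerprint")
    return fp


def key_matches_card(body: bytes, card_text: str) -> bool:
    """True only if the fetched key hashes to the fingerprint on the card."""
    return hmac.compare_digest(v4_fingerprint(body), normalise(card_text))


def stand_in_modulus(label: bytes) -> int:
    """Constructed 2048-bit odd number used in place of a real RSA modulus."""
    return int.from_bytes(hashlib.sha256(label).digest() * 8, "big") | 1


# Constructed sample data: the owner's key, the card printed from it, and a
# different key that a man in the middle serves under the same name.
GENUINE = rsa_key_body(1300000000, stand_in_modulus(b"owner key"), 65537)
SUBSTITUTED = rsa_key_body(1300000000, stand_in_modulus(b"other key"), 65537)
CARD = as_printed(v4_fingerprint(GENUINE))

if __name__ == "__main__":
    print("card       :", CARD)
    print("genuine    :", key_matches_card(GENUINE, CARD))
    print("substituted:", key_matches_card(SUBSTITUTED, CARD))
```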
Please define "military-grade". I've seen what they used, and I'm not impressed by the half-century old teletypes...
Oh, about "poorly configured PBXs", that reminds me the "joke" from FreeSwitch maintainers, which made a Git version having a default user with password 123456. I found out ... when one of my SIP providers blocked outbound calls after someone called 10 times Somalia!!! And that's not to count how many security holes found on Asterisk (which made us switch to FreeSwitch, to discover it wasn't much better (see above)).
Ever heard of PGP? I have put my PGP fingerprint on my business card, now every person that I meet is able to send me email, encrypted with my public key. That's as easy as it gets, and PGP is 100% safe and more than a decade old. No, you cannot have a man in the middle attack thanks to the fingerprint which you are supposed to manually check. If you add to this a web of trust and signed signatures, then it's a pretty good system.
It's really trivial to listen to a fax and print it, since there is absolutely zero encryption. Don't think that this is reserved for the high profile government organization, phone wires are most of the time quite accessible, and putting a device to listen to it is fairly easy for those who know a bit about them. Absolutely all telecoms employees working on the physical infrastructure will know how to do that.
This is a very bad advice that you are giving here. DKIM isn't an authentication mechanism for your message, it just attests that the server who is sending the mail really is the one he pretends to be. So it's an auth for the server not for the sender, plus it doesn't provide encryption. If you need a real system for encryption and auth, you want to use GNUPG / PGP, and of course ... check the fingerprint of the sender in real life, or trust a web of trust (why do you think that in Debian, we waste so much time to check on each-other GPG fingerprint?).
No people don't setup linux just to run things under WINE that would be rather stupid. They do however use WINE to run proprietary windows apps, such as MS Office (which is usually installed from a CD) and Windows Games (which often have CD based DRM). This is the whole purpose of WINE which is apparently a very popular application with a big following and which I have seen used by a number of users.
No, people don't do that. Linux users use OpenOffice. As for games, we have a different experience, but none of the people I know running Linux are interested by games using WINE (some use PS3 / Wii though... which are a much better platform if you ask me).
I don't need to repeat myself again on the ease and cost of CDs vs. Flash drives, however you would be surprised how easy it is to install an OS these days compared to knowing how to change BIOS settings. FYI I have no problem with this, but I know many users who would.
I don't know how others are getting their USB keys, but for me, I got about a dozen that have been given to me as company gifts (various conferences and all). I never saw anyone giving CDRW as gifts. Even if you didn't have it as a gift, then it's really cheap: it starts at 2 USD for a 2GB!!!
http://item.taobao.com/item.htm?id=12464357480 (and no, I'm not Chinese...)
So yes, continue your rant about CDs being cheaper if you like, but you're being either a fool (considering the price of the reader and the fact that CDs break so fast), or extremely stingy. FYI, 15 Yuan is a bit more than 2 USD.
I guess absolutely everyone using a computer holds at least one USB key anyway. These days, the smallest you will find is 1GB, which is really enough for setting-up an OS (the Debian netinst for example needs less than half of that). The only point with CD, is when you have DRM attached with it, but it's slowly fading away: if you are a company selling software and don't have the option to have your product bought online, you are 10 years in the past and will soon discover that you are losing money fast... even worse if your competitor really is selling online.
At this point I'm beginning to wonder if English is your native language as you don't seem to understand it very well, otherwise you must be trolling.
What a jerk! At this point, I have no doubt that you are an intolerant USA native.