Personally I'd never put one of these on the open Internet and expect to be secure.
That said, I do have a Linksys packet filtering router that I use behind an OpenBSD packet filtering bridge.
It makes more sense to have my servers sitting behind the bridge, and my desktops behind the router. I think Zwicky et al. in Building Internet Firewalls call this a "screened subnet."
Having the packet filtering bridge operating on the outside edge of your network means that the number of people who have access to the machine has been dramatically decreased; since it exists on the link layer, the only machine that has access to it is on the other side of the wire plugged into it. For all intents and purposes (a cracker may have) the machine is invisible.
Yep, you used to see that happening all the time, didn't you... Them were the heady days, weren't they; people were switching in droves from Windows to Linux in 1998 because it was easier.
Although it's a third-party item, Launchbar has to be one of the most innovative, helpful pieces of software that I've purchased in a long, long time. It uses the inherent benefits of OS X, and adds to them.
LaunchBar for Mac OS X uses a powerful, fault-tolerant abbreviation search algorithm and a sophisticated rating system to deliver fast, accurate search results from abbreviations typed on the fly. Intuitive and adaptive, LaunchBar allows a user to enter a range of abbreviations for any term. It analyzes the user's behavior and adapts rating criteria dynamically, so search results become more accurate as LaunchBar "learns" how to serve the user.
Heh, so much for "Preview."
That should read that I'm not trying to declare myself some kind of authority regarding UNIX in general...
I guess I should have known better... Don't bite and the troll goes away.
My apologies, as my awkward remark regarding Mac OS sounded as if I was also propagating the stereotype of Mac OS users.
My intent was never to declare myself to be more than I am: a guy who has a history using Linux and BSD predating OS X, and continues to use them on a daily basis (you know, use the right tool for the job).
I'm trying to declare myself some kind of authority regarding UNIX in general, nor am I trying to compare my expertise against anyone else's, but rather I was openly declaring my history as an example of a Mac user who has some history with other OS's.
My big mistake was to follow the troll into the "Mac users" trap. Instead of differentiating between the Mac OS and the Mac user, I glibly followed the moron into the idea that there is some kind of typical Mac user. I should have been more careful about this distinction. I was foolish to believe that my response would elicit anything other than more childish attacks against me; it required a sincerity of the respondent.
Thanks for being a good auditor.
Translation:
Was too stupid to make a decent troll.
Switched to Anonymous Coward.
Come on, if you're going to waste my time with trolls, at least use that crap between your ears and think of one that actually has some merit as a troll.
I'll bite anyway.
Been using Linux since 1998.
Been using BSD since 1999.
Been using Mac OS X since 2001.
Now who doesn't get it?
Maybe you need to realize that the Mac stereotypes no longer hold true.
It's not that I don't get that the x86 is a dinosaur architecture, and there needs to be an exit strategy, but it seems to me that the days of shade-tree computer building with expensive proprietary OS's are about over. If you are looking to support Linux on PPC, then hats off to you; Linux provides a quality software analog to the best-of-breed computer componentry out there. But trying to graft OS X onto Pegasos is the exact wrong way to go; no one wins.
Apple loses money spent on unsupported hardware. Linux loses the time that would otherwise be invested making Linux run better on PPC, and the buyer loses the support, service and integration that Apple and Linux provide.
I guess maybe it's that some people are somehow angry with Apple for not providing the kind of craphouse of componentry that the x86 world has been for the last seven years.
And I guess when you approach a computer as a bundle of hardware components, then all it's ever going to be is a bundle of hardware that does stuff. When you look at a computer as the amalgamation of hardware, software, support and service, then you start seeing exactly what I don't get.
Apple provides the support, service and integration on Apple hardware. Linux provides support, service and integration on supported hardware. No one provides support, service or integration with OS X on Pegasos. Even those that would try could not publicly support it for fear of legal reprisal.
As more people change their idea of what a computer is--from a bunch of hardware that does stuff, to a sum total of hardware, software support, service and their integration--need for cheap off-the-wall components will die out. Microsoft is going to be at the front of this push, making systems like the X-Box for office workers everywhere.
This may be true to some degree, but I think you've overstated it quite a bit.
But then, maybe you were being facetious and I'm too dense to see it (but since this has been modded "+5 Insightful," not "+5 Funny" I don't think I'm alone).
Anyway, there's lots of different kinds of geeks around, let me tell you about one:
He's had his Amateur Extra Ham license for well over 20 years now.
He's been hobby programming for a good fifteen years.
He's been working with Novell Networks for about ten years; he's Novell certified to do so.
And I just built him his _first_ Linux box. This is someone who hasn't touched a *nix system for well over ten years. Although he's a very smart guy, he's still trying hard to understand the Linux zeitgeist. Consequently I'm providing support via SSH and VNC on a pretty regular basis.
So, although I don't disagree--the correlation between Ham hobbyists and computer geeks is definitely not spurious--I do think that you can't just take for granted that someone who knows Ham knows Linux, or would be interested in Linux just to geek-out on.
Linux is already a cornerstone in this community because of the kind of people you're talking about. I think Linux is growing in this community faster than it is for your average "Joe 56k" Home PC user, but I think in great part it's because of the applications that are available. The excellent development tools and open platform are definitely pluses, but the big draw seems to be the number of Ham applications that are already available.
Excellent information, thank you very much.
One of those golden moments of Slashdot.
Ah, I guess I'll cheese out and reply to my own comment.
Just for the sake of clarity--because dropping incoming ICMP just makes sense--it should say ALL ICMP traffic gets dropped at the firewall.
My OpenBSD packet filtering bridge silently drops all ICMP coming into the network.
I'm not trying to see whose packet filter is longer, but rather, point out that you can fairly easily cut down on the damage being done by blocking all incoming ICMP traffic at your packet filtering bridge/router.
Sure, traceroute is nice, but things like this mean it's just not worth the ICMP overhead.
took longer than usual to open "Navigator," but it opened just fine. Don't know if you restarted or not -- I haven't yet.
But, I only use Navigator on rare occasions; testing session based problems was the order of the day today.
Here's the writeup from this year's innovators contest:
gadzooks!
Sorry. Too much Chimay last night.
I seem to have missed the part about chowning and chgrouping.
Ah well.
Is that even possible?
I mean, I can see this actually working if you do something like rsync between two servers or sync two directories, one preserving file ownerships a la the UNIX security paradigm, one owned by webserver, using WebDAV security.
The shortcoming here is that you couldn't use groups very easily, but you could work around this without too much difficulty.
WebDAV was never meant to mirror the UNIX user/group paradigm. I think as close as you can get is the Apple .Mac services, but .Mac doesn't try to fit the square peg of UNIX user/groups into the round peg of WebDAV. It utilizes individual users as the entire security paradigm. It's not nearly as sophisticated, but it could work.
I don't know, but when I think about it, forking httpd as arbitrary users seems like a security nightmare.
And that will work...
:-)
just so long as none of your users actually want to write to their files or folders.
WebDAV needs the permissions on files to be at least 660 to www:www, and at least 770 to www:www (assuming you want your users to actually be able to do something other than read files from the server).
um, sorry?
BSD already went through this same thing a decade ago. The litigation that tied up BSD for years was actually one of the reasons that Linux became so popular to begin with.
SCO can't touch BSD because UC Berkeley and AT&T already went to court and settled on this matter.
My argument said nothing against Linux. I said nothing against X. I did speak against useless costumes that are put over the UI in the name of somehow making the computer more usable. My argument was against the idea that Mac OS X was somehow inferior because it doesn't bother with time-wasting, trivial customizations like themes. Did you read the post I was responding to?
My point was, and is, that the OS is a tool. I believe OS X is built around this fundamental paradigm. For years, there's been this funny idea that a computer UI is somehow a reflection of its user. There's this funny idea that making the UI more familiar, more customized for the user somehow makes it more useable. I liken OS X to the shell. It's customizable, but its customizations are for usability, not to make it look neat.
At the other end of the spectrum, you've got Microsoft Bob, Microsoft Plus, and all the useless themes. Hey, don't get me wrong, if that's what you want to do with your computer and that's the kind of thing you have time for--then go for it. I'm not about to tell you that you can't make all your widgets neon green, that you can't make your pointer whatever shape you want. That's your prerogative.
But saying that OS X is somehow inferior because it doesn't allow you to make your pointer into a Mona Lisa, or doesn't allow you to have green Matrix style type flashing down your screen doesn't sit well with me.
Although I may not mince words about the subject, I'm not advocating against the use of Linux. I use Linux every day. I couldn't get by without it.
I think if anyone's insecure about their choice of operating systems, it's not me. I didn't say anything against using Linux. To my mind, there's two fundamentally different ideas being intermingled here. The use of themes and OS vanity customizations, and true time-saving customizations.
The true time-saving customizations are available in the same form that you find them in Linux. You can use shell scripts, ImageMagick, multiple desktops, point-to-focus... pretty much anything you're used to with X. What you can't do is decide whether you want Dinosaur or DaVinci style pointers this week.
My apologies for making you feel like I was somehow attacking you, or your choice of tools. I wasn't.
The irony is, the lack of costume features is part of what makes OS X a much better platform for just getting work done.
A computer is a tool, not a home, it's not a fashion statement. OS X gets this right. Trivial time-wasters like themes--while they may keep you from getting bored--really don't have much practical value. Customization can be a blessing, when you want to shortcut some common tasks, but the fact is, customization is really impractical under most circumstances. And the kind of short-cut customization that you can get out of X is still available in OS X through Applescript and tools like Launchbar.
Control is nice, but control--simply for the sake of having control--is unnecessary, is expensive for business and is a headache for support staff.
Can't say much about the other installs, but I can offer a couple of hints for FreeBSD.
First, I wouldn't use 5. Try installing 4.8; it's a good, stable platform. The installer on 5 has some issues. Personally, I'm not going to be upgrading to 5 anytime soon.
Second, I've used FreeBSD for four years now and I don't bother with CD-ROM installs anymore (why have a CD-ROM in a server anyway?).
Try the FreeBSD floppy install. You never really need an ISO because FreeBSD was made for the Internet. Updates and installation of software can take place over the Internet.
Two floppies and you have a whole OS installed.
It's simple, effective, and quicker than downloading and burning an ISO image. Try it. I've often wondered why more OS's don't use it.
Doesn't seem too sad when you look at the state of the economy, when you take into account that many purchases of Apple Macintosh computers were put off until next quarter because of the upcoming next generation hardware.
It doesn't seem sad at all.
But the existence of the duplicate receipt, kept in a controlled environment means that any claims of fraud could be verified.
Anonymity at the voting booth is, anymore, somewhat outdated; democracy in the US has matured enough that we no longer need to worry about intimidation, but rather manipulation. The system should be adjusted accordingly.
(As the article says, intimidation is a less effective means of scuttling democracy than manipulation.)
I appreciate the good uses that SSH tunnel forwarding can be put to, but extensions to SMTP (RFC 2487), as well as POP3 and IMAP (RFC 2595), allow secure connections without requiring the tunnel.
These extensions are integrated into most mail clients. Installing a server that supports the secure connection isn't hard either.
I always try to keep it simple. When I start having to troubleshoot three different systems in order to find out why my mail isn't being sent or received, I'm making my system too complex (too complex for the likes of me, anyway :-)
Do you understand what astroturfing is?
I don't see anyone feigning some kind of grassroots effort here. The people who post are using their own accounts (which have been around much longer than you probably have), so you know where these people stand.
Mandrakesoft has no need to astroturf. They've been a good community member, and the employees of Mandrakesoft have long been posting to Mandrake related stories on Slashdot.
My point exactly.
Without the applications, a platform is dead.
Pixar can afford to write exactly what they want, and they made the right choice in using Linux. Big companies that can afford to build their own applications know that Linux and Open Source software is a good investment. They can control everything from start to finish. Pixar knows exactly what's on each machine that is a part of the rendering farm. They can afford that.
It's a sad but true fact that most businesses can't afford that. That's why software houses like Adobe, Macromedia and Microsoft are so successful. They build assembly-line applications that can be used by many different kinds of people in many different kinds of projects.
It should stand to reason that the industrial software houses like Adobe, will catch on eventually--so long as Microsoft doesn't try to underhandedly scuttle the process. But it seems to me, the real risk for them is in the myriad of Linux systems that are out there. Testing and support would be a nightmare. Unless the industrial software houses either a) build their own distribution, or b) partner with Linux vendors to ensure compatibility.
I'd love to see Mandrake and RedHat partner with these industrial software houses, contracting out support and helping with porting costs. I mean, if they could make some kind of sweetheart deal with just one, I think there would be others following quite soon.
Don't get me wrong, I've long since hopped off the Microsoft treadmill and enjoy working with Linux and BSD on the server side and OS X and Mandrake Linux to get my work done.
But no matter how much I don't like it, the fact remains, without the applications, Linux won't become a viable solution for the overwhelming majority of businesses which don't have the kind of capital resources or brainshare to make custom-apps work.
These software houses build the kind of mass-market software that Linux needs in order to become competitive on the desktop.
This goes back to what I think is the highest hurdle Linux has yet to leap: application support by industrial software houses like Adobe.
Without applications a platform is dead. It doesn't matter how good it is, how easy it is to use, how intuitive or how much it costs. What matters is having professional grade applications available for your platform. Linux is thriving in the server arena just because the best server-side applications (like Apache) are available.
People don't buy Windows because they like the "look and feel" of it. They buy Windows because it has the applications they need.
No matter how good the Mandrake installer is, no matter how nice and easy KDE is to use, no matter how much support is available, Linux won't win on the desktop until it has the application portfolio that people need.