Slashdot Mirror


User: bogado

bogado's activity in the archive.

Stories
0
Comments
1,017

Comments · 1,017

  1. Re:Similar problem when Mandrake forked on Is Ubuntu a Compatibility Nightmare for Debian? · · Score: 1

    How can you be sure that what you get from inkscape.org is what the developers of inkscape intended? How can you be sure that the site wasn't cracked? How can you be sure that there isn't an evil transparent proxy between you and the goods you want? Or how can I be sure that my DNS source isn't poisoned? What if you need to get your app from a mirror, how do you know if the mirror is 100% trustable?

    The answer is with a signed package that is handled with a trusted binary in your computer, there is no need to worry. Signed packages mean I only need to trust the signer.

    I never said I don't trust the developers of the program, that is implied, I don't trust the internet.

  2. Re:Similar problem when Mandrake forked on Is Ubuntu a Compatibility Nightmare for Debian? · · Score: 1

    No, I am not saying that I should only trust the designated distro. I do use packages from freshrpms, Dag Wieers and others on my computer; I have chosen to trust them because of their reputations (and they never let me down). What I want is to be able to verify that a package is from who they say they are before running or copying any files from them to my system.

    When I install an RPM (I believe deb is the same) I run a trusted binary in my computer, that will check the signature on the untrusted file I have downloaded. This check is made with public keys I have already authorised (this means I already said to my system that I trust this packager). Only after this check is made is the RPM installed (this can mean running stuff). The .package system simply does not offer me this kind of security.

    There is another point: Freshrpms, dag and other third party repositories make the packages for my desired distro and (I suppose) test them. No automatic packaging system will be able to do this; as I stated, I have already seen packages fail that were installed from source. This is true simply because a certain library version can be binary compatible and still have a bug that the developer is not expecting to be there.

    There are other things that I don't like about autopackage; this talk that RPMs (or debs for that matter) are only good for the core distro is plain wrong (in my opinion). RPM (or deb) is good enough to hold every piece of software I have installed, and having more than one software database in your computer is a problem waiting to happen. There is no way to be sure that one package manager is not stepping on the other's toes. A better solution would be a meta-packager that would simply create an RPM (or deb) for my current distro using the same data provided by the developer.

    By the way I am the real Victor. :-D

  3. Re:Similar problem when Mandrake forked on Is Ubuntu a Compatibility Nightmare for Debian? · · Score: 1
    Running a package from an "untrusted source" really isn't an issue, because presumably you're about to run the program anyway.


    It is an issue; a signed package has the warranty that this is what my packager meant for me to get, so if I trust my packager I can trust this package. The problem of running a package I downloaded from a random link on the net is that it could have been tampered with; I could easily get a .package, add a few lines to the script and own me a (few) linux(es) box(es).

    The problem with your proposal is that often there won't be a package for the users distro, or there will be but it's out of date. This would lead to you being able to install an app by clicking the link on your desktop machine, but not your laptop (because laptop is running an older version of the distro, or a different distro). It's addressing the usability aspects without dealing with the underlying issues. And a deeper usability issue is unpredictability.


    I believe that usability is a must, don't get me wrong, but I do put security in front of it. I want to be reasonably sure that what I install in my computer will work correctly. If I have an outdated distro in my computer/laptop the latest version of the application may not even run correctly, since the code was not tested with the library versions I have installed. So this means that even if I download the sources, compile and install, I could run into problems. Packagers do pass through all these hops while installing and sometimes make patches to the apps so they can run. Installing a package that was crafted for my system is always predictable in that it will work effortlessly; other generic installations and compiles have at best a good chance that they will work.

    In other words, if a user has an outdated distro he may not be able to install the latest package, or you could simply (not that simple really) update all the libraries needed (which is what .package does); this will be a pain for the user, who will have to wait a few hours to get the package working, and could lead to conflicts. This is even true for windows; I don't think you can install the latest photoshop or game on a win95 machine.

    In a usability way of thinking it is better to warn the user that his distro is outdated and advise him that updating the distro is a better solution. Well, at least this is what I believe.

  4. Re:Similar problem when Mandrake forked on Is Ubuntu a Compatibility Nightmare for Debian? · · Score: 1

    Simplicity for the sake of security? Most packages that come from your distro or a trusted repository are known to be secure and can be installed without worries. Sure, the process is complicated and could be simplified in many ways, but those simplifications should not get in the way of security.

    No part of a package should be run before the package origin is verified from a trusted source. This is the first thing you do with a .package according to the description.

    I am not familiar with macOSX, but in windows it is quite easy to install stuff without the user even knowing it has installed something. Sure, this is due to bugs in the windows code, but all of this was due to poorly thought-out installation procedures that did not take security into account.

    In my opinion the packaging systems are quite ok. What we need is an easier way to make the user install native packages from the program site. A way to make a click on a button start the UI for your apt/yum/etc, instructing it to search and attempt to install this package. The package system will know how to install it in a way that will work best with your distro.

    All you need most of the time is a simple xml that will say for fedora use freshrpms, for debian use the sarge package, for ubuntu use I don't know what. The package can contain information on how to proceed in the case there is no native package, this fallback procedure could even be a .package that would be run, but in this way this "pre-install" process could inform the user about the danger he is running or even checking details like a SHA1 or signature before running the .package file.

  5. Re:Paradise Engineering ... on Sony Patents Matrix-Like Game Technology · · Score: 1

    So I call for prior art in the matrix series and a few dozen movies, books and comics that explored this line of thought before. If they can patent imaginary inventions, why can't there be imaginary prior art?

  6. Re:A Word of Warning on Slashback: Electioneering, Blimps, Shuffling · · Score: 1

    Tell me exactly what is better? What is better for one person may be worse to another and vice-versa. There is no universal standard for better, well, at least on subjective stuff like UI design. That's why closed source does usability tests (similar to those made by SUN to create the gnome HID).

  7. Re:Swinging on Google Experiments with Video Blogging · · Score: 1

    So you'll see two porn stars swinging and think you're looking at two trees? Where is the advantage?

  8. Re:NYT article. on Followup on MS and Brazil in NY Times · · Score: 1
    They often complain about their favourite programmes not being available under Linux. The poor Brazilians in question do not yet have such a collection of favourite programmes.


    You forget that many of these poor people live very near to rich and middle class people. Many of them have seen computers and used them in some friend's home. It seems to me very probable that those people will feel bad that these computers are not capable of running "that game" he saw on his richer friend's computer.

  9. Re:SUE THEM ALL! on Texas Attorney General Sues Vonage over 911 · · Score: 0

    Wow!! I am sure taking my hat to this one, this is the best post I read about americans and their lawcracy (or perhaps courtcracy). There is no individual responsibility; if something bad happens to you then it must be someone else's fault.

    I do not live in the US, but what I hear from you people is X is suing Y for ABC and Y is suing back for damages in 123. I am sure that this is an exaggerated view, that the media only shows the most absurd and exaggerated cases, but it is still a lot.

  10. Re:Style over function? on Symantec: Mac OS X Becoming a Malware Target · · Score: 1

    Yes, OE and IE are the main point of entry for those pesky malware. But there is another problem with windows: its success. An infected machine can search the net for windows machines and it will find one very quickly; finding one unpatched could take some more time but it is somewhat easy.

    In an ideal world there would be independent versions of windows and a healthy mix of macs, linux, MS-Windows and others. This would slow down the advance of many viruses.

  11. Re:Style over function? on Symantec: Mac OS X Becoming a Malware Target · · Score: 1

    But when every application under the sun expects you to be "THE" administrator, all your flexible security goes down the toilet. That is the problem with windows (security wise and it is my opinion).

    Also most of the unixes out there, including linux, do support ACLs and more flexible security than the standard unix file modes. The default security is based on file modes simply for simplicity; remember that a simple and easily understandable security is more secure than a complex and full of details one. Just think on where it is easier to forget that little detail...

  12. Re:Fibre Optics? on Sunlight in a Tube · · Score: 1

    But do large caliber fiber optics exist? It wouldn't help much to have a tiny dot of light coming out of your window.

  13. Re:Definition, please. on Software Patents In The European Union Continued... · · Score: 1
    No patent office would patent a new dimension of bolt threads so that a company can then make devices that require their own fasteners.


    But they probably would patent a "device made with the exact dimension to fit a bolt that can be used to fasten or loosen the named bolt".

  14. Re:objectionable material definition on Aus. Gov't Considers Fines for Online Suicide Info · · Score: 1

    But talking and posting about something is not the same as doing it. Following the same line of thought you could object to 80% of the film industry, since they "post" methods for committing crimes, many of them murders (that in my opinion is worse than attempted suicide).

    I don't agree with censorship; talking about suicide is not incentive. Someone who decides to do it will do it, no matter if he can find or not information on the net.

    It's not like you're browsing and you find some pointers on how to jump out of your window, and you go "wow, nice idea, I never thought of that before, maybe I should try".

    Warning: Jumping out of your window may hurt you and others, and could cause some material damage. Consult your lawyer before attempting such a feat.

  15. Re:Fines ? on Aus. Gov't Considers Fines for Online Suicide Info · · Score: 1

    All the people that succeed in this were not available for comments.

  16. Re:Original paper author has moved on on The Story Behind Cell Phone Radiation Research · · Score: 1

    Just a small question, are you sure that all of those affirmations are true? Well, I heard, not from a trusty source I admit, that brain cancer is getting more and more common and that some of them would be configured in a shape similar to a cell phone.

    Sure this has the smell of "urban legend" all over it, but I am not going to accept this or your information without a carefully made research.

  17. Re:Journalists' Sources, are, of course, Protected on Judge Finds For Apple in ThinkSecret Case · · Score: 1

    Fear of a million dollar suit, that will probably ruin the rest of your life, isn't a good reason?

    Fear of losing your job isn't enough?

    I think that this whole thing is blown out of proportion. This protect the trade secret for the sake of the secret is bullshit. Apple is the main beneficiary of those leaks. The community that loves apple products wants to be able to know beforehand, and the feeling of knowing by "someone inside" is precious. This aura creates an expectation around the product, and if it does not, this could mean that the product will be a bomb (maybe they should redesign it before it hits the street?).

  18. Re:This is not about journalism or blogging on Judge Finds For Apple in ThinkSecret Case · · Score: 1

    Dangers to the public are most certainly trade secrets; Philip Morris most certainly didn't want anyone to discover that cigarettes caused cancer. Of course not all trade secrets are about dangers to the public, but where to draw the line? What if apple is hiding that those minis actually have some flaw that makes them slower in some situations?

    And in fact these "leaks" do benefit apple, they create an aura of expectation around the product. It is marketing; I believe that they couldn't create this mystery if they wanted.

    And why would they lose? Rival companies would very well know about those secrets anyway; they would simply keep quiet about this knowledge and they will most certainly not say anything about their informers. The whole point of the patents is that you no longer need trade secrets.

  19. Re:Journalists' Sources, are, of course, Protected on Judge Finds For Apple in ThinkSecret Case · · Score: 1

    But this is a question of trust; an anonymous source is not always trusted. But a high rank journalist, that does have a name, is less likely to trust a john-doe with some important matter. It is the same as me (someone few people know virtually, much less in person) sending a patch with a root kit to red hat and expecting them to publish it.

    I believe that anonymous whistle blowers are important. And I certainly believe that apple is shooting their own feet. These rumors and leaked pictures are free publicity and/or free market research for them. They should know how to use these events to their advantage.

  20. Re:This is not about journalism or blogging on Judge Finds For Apple in ThinkSecret Case · · Score: 1

    If a blog or a journalist has to tell who their sources are, then there will be no more sources for government frauds, because as soon as you are pointed out by the paper you'll be tagged as an "anti-America terrorist, all around bad guy", sent to Guantanamo, tortured and all of this without a trial (I'm not sure if this applies only to foreigners or if it works with pure-Americans also). This means no more watergates.

    Also you will not be able to blow the whistle on classified information, like for instance that cigarettes cause cancer, since you have an NDA signed and have no hope to maintain your anonymity. As soon as the paper gets their news, you will be sued for millions and probably lose.

    If this is passed it will be yet another dent in the so called "american freedom".

  21. Re:But you CAN transfer film to DVD at home on Old Film to DVD Transfers Examined · · Score: 1

    In animation you use a plain black frame to create a sensation of shock, like when a character takes a blow. This may not be visibly noticeable, but your brain gets the idea just fine.

    I would bet that a flickering dark frame every 2 or 3 frames would be quite noticeable. But it could also give a feeling that the movie is in fact being projected by an old (15 fps) projector (perhaps not entirely undesirable).

  22. Re:How much power is "reasonable"? on AMD Demos Dual-Core Athlon 64 · · Score: 1

    A research paper at last year's ASPLOS suggested that a good way to work this problem is to have a program run on one core until it gets too hot, then move execution to the next core, and repeat. This way you always have one core doing work, and the others are cooling off. We may end up having to do this.


    Or instead you override this cooling feature, making all cores run at once, and immerse them in cooled oil, or dismantle an air conditioning unit to cool the chip, or some other crazy cooling system. The added bonus: you gain an instant /. history, or who knows, maybe two or three?

  23. Re:What about Europe? on Microsoft's 'IsNot' Patent Continued... · · Score: 1

    Well, as I said, I remember reading that he was surprised and ashamed when he knew that his name was cited as this patent inventor. So I guess it was a little too late for asking that.

  24. Re:What about Europe? on Microsoft's 'IsNot' Patent Continued... · · Score: 1

    What I read, or at least what I understood, is that he believes that in these days of patenting the use of a capital letter to start a sentence to help clarify the beginning of it, enterprises like microsoft must have a patent portfolio for defensive use. But he does not agree with all the moves his employer makes; he even states that he didn't even know about the 'isnot' patent he "created" or "invented".

    I don't think he is excusing himself, he is just stating his opinion. He has as much power to influence MS decisions as me or you. Maybe even less, since he may risk his job by criticising his employers.

  25. Re:What about Europe? on Microsoft's 'IsNot' Patent Continued... · · Score: 1
    What am I missing?


    You missed the first few lines in his post where he says that this was his opinion and not an MS opinion.