• 1 Post
  • 54 Comments
Joined 1 year ago
Cake day: August 4th, 2023


  • They don’t even have to be signed…

    Yeah. My understanding is that Microsoft has signed several tools made by other companies that boot as UEFI PE executables and aren’t supposed to allow loading arbitrary (including unsigned and malicious) UEFI PE binaries, but due to security vulnerabilities in the tool, they’ll load any old UEFI PE binary you give them.

    The payload/malicious UEFI PE binaries don’t have to be signed. But the third-party tools that contain the vulnerabilities have to be signed by a signer your UEFI firmware trusts. (And the tools are signed by Microsoft, which your UEFI firmware almost definitely trusts, unless you’ve already applied a fix).

    (And I don’t know exactly what sort of tools they are. Maybe they’re like UEFI Shell software or something? Not sure. Not sure it matters that much for purposes of understanding the impact or remediation strategy for this vulnerability.)

    The fix, I’d imagine is:

    • Everyone should untrust the certificates used to sign those vulnerable tools. (And by “untrust”, I really mean they need to apply the revocations.)
    • Microsoft needs to issue new certificates to replace the ones with which they signed the vulnerable tools.
    • The companies who made those tools need to release new, fixed, not-vulnerable versions of the same tools.
    • …and get Microsoft to sign those new versions with the replacement keys.
    • And users need to migrate from the vulnerable versions to the new versions of the tools in question.

    Now, I’m not 100% sure if there needs to be yet another step in there where individual users explicitly install/trust the replacement certs. Those replacement certs are signed by Microsoft’s root certificate, right? As long as all the certificates in the chain from the root certificate down to the signature are included with the UEFI PE binary, the firmware should be able to verify the new binary? Or maybe having chains of certs is not how UEFI PE binaries work. Not sure.

    Here is an example of something similar that disables Windows Platform Binary Table…(I’m not advocating that anybody actually use this).

    Yuck. Thanks for letting me know of that. I’m still firmly in the “learning” phase when it comes to this UEFI stuff. It’s good to be aware of this.
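
Added example (not part of the comment above, and not code from any project it mentions): on Linux, the revocations the comment refers to are stored in the UEFI `dbx` variable, a sequence of `EFI_SIGNATURE_LIST` structures that can hold per-image SHA-256 hashes as well as X.509 certificates. This Python code parses that layout and checks a hash against it; the function names, owner GUID and sample data are constructed for illustration.

```python
import hashlib
import struct
import uuid

# GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs path of the Secure Boot forbidden-signature database on Linux.
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def load_efivar(path=DBX_PATH):
    """Read a variable from efivarfs, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in the variable."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body, end = off + HEADER.size + hdr_size, off + list_size
        if sig_size <= 16 or body > end or end > len(blob) or (end - body) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield uuid.UUID(bytes_le=raw_type), owner, blob[pos + 16:pos + sig_size]
        off = end


def summarize(blob):
    """Split entries into revoked image hashes, revoked certificates, and others."""
    hashes, certs, other = set(), [], 0
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32:
            hashes.add(data.hex())
        elif sig_type == EFI_CERT_X509_GUID:
            certs.append(data)  # DER-encoded certificate
        else:
            other += 1
    return hashes, certs, other


def is_hash_revoked(blob, authenticode_sha256_hex):
    """True if the image hash is listed. dbx hashes are Authenticode PE hashes,
    not the SHA-256 of the whole file, so compute the input accordingly."""
    return authenticode_sha256_hex.lower() in summarize(blob)[0]


def build_list(sig_type, owner, entries):
    """Encode one EFI_SIGNATURE_LIST (used here only to construct sample data)."""
    sig_size = 16 + len(entries[0])
    head = HEADER.pack(sig_type.bytes_le, HEADER.size + sig_size * len(entries), 0, sig_size)
    return head + b"".join(owner.bytes_le + e for e in entries)


# Constructed sample: placeholder owner GUID, two made-up digests, one fake "certificate".
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_DIGESTS = [hashlib.sha256(b"constructed image %d" % i).digest() for i in (1, 2)]
SAMPLE_DBX = (build_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_DIGESTS)
              + build_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82 constructed DER"]))

if __name__ == "__main__":
    try:
        blob = load_efivar()          # real firmware data, if readable
    except OSError:
        blob = SAMPLE_DBX             # fall back to the constructed sample
    hashes, certs, other = summarize(blob)
    print("revoked hashes: %d, revoked certs: %d, other entries: %d"
          % (len(hashes), len(certs), other))
```

Running it before and after a firmware or OS revocation update shows whether new hash or certificate entries actually landed in `dbx`.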






  • I… doubt it?

    I took the liberty of looking in the developer tools as it failed, and there was a 500 response. The connection to Hulu’s servers was all over HTTPS and I didn’t get any certificate warning, so unless my ISP managed to get Hulu’s private key or got with a corrupt registrar willing to issue a valid replacement certificate, no ISP should be able to change response codes on a man-in-the-middle basis or a redirecting-traffic-to-a-hostile-server basis.

    And given how many people have reported issues, I doubt it’s specific to any particular ISPs.

    Net neutrality being dead is a huge bummer, but I don’t think this can be blamed on that.



  • Does it really do any good for the drive to be encrypted if it doesn’t require a password (or Yubikey or retinal scan or other authentication factor) on boot? If you’re just going to put the plaintext key/password on the same drive but in a partition that’s not encrypted, there’s no point encrypting the drive, right?

    So maybe “it asks for a password on boot” is more of a “works as intended” thing?

    How will I access the encrypted devices after installation? (System Startup) During system startup you will be presented with a passphrase prompt. …

    The quote above is from Fedora documentation here

    This is your root FS that’s encrypted that we’re talking about, correct?

    If you really want an encrypted root but no password on boot and the plaintext decryption password/key on the same drive, there are ways to do it. (It would probably require customizing the initramfs somehow. But it’s Linux, and Linux certainly isn’t going to prevent you from doing such things. Just try to dissuade you.)

    If we’re not talking about a root filesystem, that would likely change some things. If it’s Luks, I’m pretty sure it wouldn’t matter particularly where on your filesystem the key was so long as your /etc/crypttab refers to it. I’d say that sort of setup would probably only provide additional security if the encrypted drive is an external drive that you might worry could be stolen or physically accessed when the attacker doesn’t have physical access to your root filesystem.

    Also, if you shared what encryption scheme was in use (Luks, Anaconda, etc), that would probably help as well.

    Edit: Ah. Ok. You gave more info while I was typing the above response. What you want is unlocking via ssh. For sure.



  • TootSweet@lemmy.world to Open Source@lemmy.ml: If we had libre AI

    The GPL family of licenses was designed to cover code specifically. AI engines are code and are covered in most jurisdictions by copyright. (Disclaimer: I know a lot less about international intellectual property law than about U.S. intellectual property law. But I’m pretty confident what I’ll say here is at least true of the U.S…) But you don’t really have a functional generative AI system without weights. And it’s not clear that weights are covered by any particular branch of intellectual property in any particular jurisdiction. (And if they are, it’s not clear that the legal entity who trained the engine owns those rights on those weights rather than the rights holders who hold rights to the materials being used as training data.) It’s the weights that would make for any biases or purposefully nefarious output. Nothing that isn’t covered by intellectual property can meaningfully be said to be “licensed”, really. Under the AGPLv3 or any other license. To speak of something not covered by any intellectual (or non-intellectual, I suppose) property as “licensed” is just kind of nonsensical.

    Like, since Einstein’s General Relativity isn’t covered by any intellectual property, it’s not possible for General Relativity to be “licensed”. Similarly, unless some law is passed making LLM weights covered by, say, copyright law, one can’t speak of those weights being “licensed”.

    By the way, there are several high-profile cases of companies like Meta releasing LLMs that you can run locally and calling them “Open Source” when there’s nothing “Open Source” about them. As in, they don’t distribute the source code of LLaMa at all. That’s exactly the opposite of “Open Source” and the weights aren’t code and can’t really be said to be “Open Source”. More info here.

    Now, all that said, I don’t think there’s actually any inherent benefit to LLMs, AGPLv3 or otherwise, so I don’t have any interest even in AGPLv3 engines. But I’m all for more software being licensed AGPLv3. I just don’t think AGPLv3 is a concept that applies to any portion of LLMs aside from the engine.


  • Great question!

    So, first off, if I knew what app(s) specifically you have in mind, that’d help me answer better, but in general:

    • First off, I’ll say it’s mostly less that they support pacman than that Arch supports them. There may be some exceptions, but it’s usually Arch developers building the pacman packages rather than the author of the software in question. Even when it’s a proprietary application, it’s usually bundled into a pacman package (or at least a PKGBUILD for it lives on AUR, but we’ll get to that) by one of the Arch developers or other volunteers.
    • Your first option for software that isn’t in the official Arch repositories is AUR. It’s for packages that aren’t as officially supported as those in the official Arch repositories. Anything in AUR, you’ll have to build the package itself (which usually involves compiling, unless it builds the package from an already-compiled binary), but the process is usually pretty straightforward. (Download and unzip the tarball from AUR somewhere, cd into the directory, and then makepkg -sf && sudo pacman -U <something>.tar.xz. You can also get some helper scripts that do some of those steps for you for convenience. Definitely worth having the experience of doing it manually a few times first, though, I’d say.) Even if the only way to get the software in question from the publisher is in .deb form, you may still find a package on AUR that will unpackage the .deb and package the result up into an Arch package.
    • You can run the software in an isolated way. There are snap packages and flatpaks, but… well, there are good reasons why they get a bad rap. Lol. Another option is to build an Ubuntu chroot in which to install the package in there. The cleanest and most straightforward option for running software isolated like this is probably Docker. (Running graphical apps in Docker can definitely be done, though it is a little tricky.)
    • You can grab the software in question and install it manually somewhere in your home directory. Somewhere like $HOME/install/<softwarename>. This can work even if the software is only available as a .deb file. You can just extract the .deb without installing it with the command ar x <blah>.deb and a tar -xf data.tar.gz and then put the files from within that .deb file where you want them.
    • There are some other options that I’ve never tried (and only learned of just now by googling) that… aren’t recommended. Here’s a link for reference, but to somewhat explain the problems that those approaches there can cause, when you install a package from any particular package manager, the package manager installs dependencies. (Typically those dependencies are shared libraries. Think ".dll"s.) And those dependencies live in specific places. But if, say, you had pacman and apt-get installed on the same system and install the same dependency (including if that dependency is installed automatically as part of installing something else) via both package managers, it’s likely to get one version of the dependency from one package manager and another from the other. Either one package manager is going to error out (“these files already exist in the filesystem, I think something’s wrong that a human should fix”) or overwrite files potentially breaking things. (Now, all that said, I know that pacman is actually in the official Ubuntu repositories and can be installed on Ubuntu alongside apt-get. I have to admit I don’t know if and if so how it goes about avoiding problems if both are installed. Maybe it’s not a good idea to install pacman on Ubuntu for the same reason. Who knows!)
    • So, there is also the option to write your own PKGBUILD. (A “PKGBUILD” is a script that tells your Arch system how to build a Pacman package. They’re what you download from AUR when you want to build/install something from AUR. A couple of reference links.) It does require doing a little Bash programming, but it’s not as hard as it sounds. (And it’s easier than building Ubuntu packages.) I’ll talk about what to do if you truly can’t get the package in question anyhow except in .deb form. But first, if you can get the source code, you can typically grab a PKGBUILD from the official Arch repositories or from AUR that installs something “similar” to what you’re wanting to install and modify it. (Like, for a simple example, if you’re trying to install something written in C, you can look for a PKGBUILD for something written in C that would probably have similar dependencies.) If you can’t get the source code but can get a compiled distribution of the software in question, you can still write a PKGBUILD, and you’ll probably be able to find some PKGBUILDs to start from that would be pretty similar to what you need.
    • If you truly can’t get the software in question except in .deb form and you want to write a PKGBUILD for it, that can be done. It just involves writing a PKGBUILD that extracts the files from the .deb file and then packages them back up into an Arch package. I’ve done this before and I have a funny personal story about that. More info here in an answer to another question in this same Lemmy community.

    Just in case it’s useful to you, I’ll share the PKGBUILD I wrote for converting the Ubuntu kernel into an Arch package. It demonstrates how you’d go about extracting files from a .deb file in order to build them into an Arch package.

    pkgname='linux-ubuntu'
    pkgdesc='The Ubuntu kernel, modules, and headers'
    pkgver='5.15.0'
    _pkgver="$(cut '-d.' -f 1,2 <<< "${pkgver}")"
    _firmware_ver='1.187.29'
    _suffix_ver='20.04.2'
    pkgrel='25'
    arch=('x86_64')
    options=('!strip')
    url='http://ubuntu.com/'
    source=(
        'http://archive.ubuntu.com/ubuntu/pool/main/l/linux-firmware/linux-firmware_'"${_firmware_ver}"'_all.deb'
        'http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-'"${_pkgver}"'/linux-headers-'"${pkgver}"'-'"${pkgrel}"'-generic_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_amd64.deb'
        'http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-'"${_pkgver}"'/linux-hwe-'"${_pkgver}"'-headers-'"${pkgver}"'-'"${pkgrel}"'_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_all.deb'
        'http://archive.ubuntu.com/ubuntu/pool/main/l/linux-signed-hwe-'"${_pkgver}"'/linux-image-'"${pkgver}"'-'"${pkgrel}"'-generic_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_amd64.deb'
        'http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-'"${_pkgver}"'/linux-modules-'"${pkgver}"'-'"${pkgrel}"'-generic_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_amd64.deb'
        'http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-'"${_pkgver}"'/linux-modules-extra-'"${pkgver}"'-'"${pkgrel}"'-generic_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_amd64.deb'
        'linux.preset'
    )
    noextract=(
        'linux-firmware_'"${_firmware_ver}"'_all.deb'
        'linux-headers-'"${pkgver}"'-'"${pkgrel}"'-generic_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_amd64.deb'
        'linux-hwe-'"${_pkgver}"'-headers-'"${pkgver}"'-'"${pkgrel}"'_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_all.deb'
        'linux-image-'"${pkgver}"'-'"${pkgrel}"'-generic_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_amd64.deb'
        'linux-modules-'"${pkgver}"'-'"${pkgrel}"'-generic_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_amd64.deb'
        'linux-modules-extra-'"${pkgver}"'-'"${pkgrel}"'-generic_'"${pkgver}"'-'"${pkgrel}"'.'"${pkgrel}"'~'"${_suffix_ver}"'_amd64.deb'
    )
    sha256sums=(
        '22697f12ade7e6d6a2dd9ac956f594a3f5e2697ada3a29916fee465cc83a34a1'
        '595794e8ad28ed130af60e6ec8699313e1935ae70f7530a00b06dff67fb4d40e'
        '22dbdc1895f91d3ad9d4c5b153352f1cc8359291dba6ea1a0e683cc6871b0f58'
        '5705cefab39dd5512bcc515918d09153715c7bb365d6bc29cc9b0580e5723eef'
        '3d207388812e957447162c067fb637b4d06eccb4f303b801e8402046a7d3cf48'
        '2f1214dbb04cb47ce8d096bff969fca9c78c26ec21a395c12922eca43cc18e26'
        '75d7d4b94156b3ba705a72ebbb91e84c8d519acf1faec852a74ade2accc7b0ea'
    )
    
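    package() {
        # Unpack each .deb (an ar archive) and extract its data.tar.xz payload into ${pkgdir}.
        for f in "${noextract[@]}" ; do
            ar x "${f}"
            tar -xf "data.tar.xz" -C "${pkgdir}"
        done
        # Drop the extracted /usr/share and /usr/lib trees, then move /lib under /usr,
        # where Arch keeps it.
        rm -r "${pkgdir}"'/usr/share'
        rm -r "${pkgdir}"'/usr/lib'
        mv "${pkgdir}"'/lib' "${pkgdir}"'/usr'
        # Install the mkinitcpio preset that sits next to this PKGBUILD.
        install -Dm644 'linux.preset' "${pkgdir}"'/etc/mkinitcpio.d/linux.preset'
    }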
    

    (I omitted the linux.preset file. It’s just in the same directory with the PKGBUILD and it gets bundled into the Arch package. But it’s not really important for what you’re doing unless you’re trying to install a different kernel than the official Arch kernel on an Arch system.)

    The part that extracts the files from the .deb packages is the ar x command and the tar -xf command. The package() function there is what decides exactly what files will be in the Arch package and where. And makepkg builds the package archive after running package().

    That covers all the options for installing software not in the Arch repos that I can think of.


  • Yes I am op.

    Ha! That’s what I get for posting on Lemmy at 2:00 am. Lol.

    So I guess I should just skip anything with a desktop environment like manjaro and just figure out how to install bare arch?

    You can certainly start with a bare Arch install and install on top of that a graphical environment. (Without a graphical environment, you wouldn’t be able to run a full-featured browser like Firefox or Chromium or whatever, for instance. I’d think if you intend to use this system as your daily driver – and I’d recommend you do for learning’s sake – you’ll probably want a graphical environment.) But, yeah. I’d say Arch isn’t that unapproachable to install without going the Manjaro route or the “archinstaller” route.

    With Arch, everything’s just packages. The difference between non-graphical Arch and graphical Arch is just that non-graphical Arch doesn’t have any graphical system packages installed.

    Now, I keep talking about “graphical systems”. There are two ways to go with that. There is X11 which is mature but a bit dated. And there’s Wayland which is the new hotness but support for it is still a bit lacking, so some features like screen grab may not be supported by all programs and some programs won’t work as straightforwardly on Wayland. (Basically, any time a program grabs an image or video of any portion of the screen of your graphical environment, that uses the “screen grab” API. Wayland does that differently than X11, so a lot of programs aren’t updated to use Wayland’s way yet.)

    I guess I’d probably lean toward recommending X11 at this point. I personally use a Wayland compositor (Sway, specifically), but I don’t think running Wayland is going to teach you much that X11 won’t, and running Wayland at this point is likely to introduce frustrating wrinkles. If after you have your Linux “sea legs” you want to try switching, that’s always an option as well.

    As for minimal X11 environments, first off, I’d say avoid things that describe themselves as “desktop environments”. They’re likely to hide details from you. Prefer “window managers.” Tiling window managers tend to be more minimal, but if you want to go with a more draggy-droppy, mouse-driven window manager that feels more like what you’re probably used to (but also doesn’t hide details), I’d recommend IceWM.

    And, finally, as far as a “bare Arch install”, the place to start is the install guide on the Arch Wiki. It goes step-by-step on how to do things. And take the time to understand the commands you’re running as you’re running them. There are a lot of links in the install guide to more in-depth articles. For instance, the “partitioning” section links to an article called “partitions” that goes in depth on what a “partition” even is.

    There’s a lot to learn, but it also pays off. Both in terms of just having the power to do the stuff you want with your own systems and in terms of benefits to your career. And it’s just plain fun!



  • Is bash ultimately better than dolphin or another file manager?

    1. Yes. (Disclaimer, some statements contain opinion.)

    2. OP was specifically asking how to learn more about Linux. And it’s nearly unquestionable that OP is going to learn more about how Linux works if they use the lower-level tools rather than take-you-by-the-hand point-and-click-adventure programs your grandmother could probably figure out.

    I always thought that it just seemed slow having to read things out with no icons and having to type the filename instead of double clicking.

    So, again, this is just me spouting my own preferences here, but I don’t often touch the mouse. Moving my hand from keyboard to mouse takes time. I can use a keyboard shortcut to open a terminal, cd into the proper directory (using tab complete and set -o vi to make things quicker still), and start dealing with files much quicker than I could navigate a menu to get to, say, Dolphin, wait for it to load (if you use a minimal terminal, it should load basically instantaneously), and then start navigating.

    And I have been avoiding installing applications through terminal because I can’t find how to properly uninstall them including all data (the fedora software center does this really easily)

    Not sure I can help you there. I’ve never used Fedora. I used CentOS once for a short time, but it was a long time ago and I basically don’t remember it at all.

    I have also had some trouble going further back than my user folder in the terminal. I still haven’t figured out how to do that.

    Like, to the parent directory of your home directory? cd .. should always go to the parent directory of your current working directory. (/ is its own parent, I believe, so you can’t go any further up the chain than that.)

    Lastly what are some “user friendly by virtue of having few moving parts” distros that you recommend?

    Gentoo and Arch. I’ve never used Void, but it sounds to me like Void is very minimal (has few moving parts) while also being much less of a learning curve than Gentoo and Arch.

    When I say “few moving parts”, I mean, roughly speaking, fewer lines of source code. KDE (just for instance) is a huge beast. It tries to accomplish user friendliness by adding layers upon layers of abstraction, in the process obscuring what’s really going on at lower levels from the user. It… doesn’t really work. What it gains you in reduced learning curve becomes an obstacle the moment something goes wrong or you want to peek under the hood. Ubuntu (just as another example) installs tons of stuff to try to shield you from the nitty gritty details. But again, that causes more problems than it solves unless you’re dead set against ever looking under the hood for any reason.

    The term “user friendly” tends to mean “my grandmother can use it without having to learn anything in the process.” In the comment about “user friendly by virtue of having few moving parts”, I didn’t mean “user friendly” in the same sense. I don’t think “user friendly” in the more common sense is mutually exclusive with “fewer moving parts.” At least not in theory. But in practice, that does seem to be the trend.


  • More than anything, what leveled up my Linux knowledge was switching to Gentoo back while I was in college.

    Before that, I used SuSE, and I switched specifically because I felt like I wasn’t learning anything really about Linux just by using point-and-click tools like YAST.

    I’ve used Arch for the last… 7-ish years? (Though now I’m basically in the process of switching back to Gentoo. In terms of learning Linux, Arch is… close to as good as Gentoo for that purpose. Not quite as good, but pretty close.)

    As for the best approach for learning, though, you know how they say the best way to learn a language is “immersion”? As in, to move to where they speak the language. In the same way, if what you’re going for is to learn, just take a dive. Install Arch over top of your current OS and don’t look back. Just commit to it.

    Also, use the most minimal stuff you can. Skip KDE and use dwm. Skip the login manager and start your GUI from the command line. Don’t install a file manager and instead use Bash directly. (It’s more than capable.) Don’t install anything you can do instead with a Bash one-liner or a small Bash script. If after you’ve gotten pretty used to minimal stuff you still want something that the heavier alternatives offer, you can of course switch, but if your aim is to learn, avoid using the kind of stuff that tries to be “user friendly” by hiding all the internal implementation details from you. (Instead use the stuff that is user friendly by virtue of having so few moving parts that understanding how it works under-the-hood is trivial.)

    And, don’t settle for “it’s fucked beyond repair.” If it’s fucked, google your ass off. If that doesn’t work, ask on the official Arch forums or here or wherever. (Don’t worry, they don’t bite.)


  • Remember the “Jitterbug” mobile phone made specifically for older users?

    Image of a Jitterbug flip phone.

    Kind of in the spirit of that.

    Don’t hide things in a “start menu” or anything like that. No task bar. Just put a small number of big icons on the “desktop”. Open all applications in fullscreen. Don’t allow two applications to run at the same time. Optimally, the browser wouldn’t be as general-purpose as Firefox or Chromium or whatever. No address bar. Just links to a few bookmarked sites. In fact, no home page on the browser would be good. Just make the websites they have available to go to more icons on the GUI’s main desktop. Don’t make them right-click for anything, only left-click. But make it easy for people’s family to get at the guts, including remotely, to customize the experience for the intended user.





  • Too little too late. The damage is already done.

    And even on that page, they’re still being assholes about Open Source (“Our use of the term ‘open source’ thus far has been not out of carelessness, but out of disdain for OSI approved licenses which nevertheless allow developers to be exploited by large corporate interests.”) while pretending what they’ve done with the FUTO license is some boon to consumer rights (“Fundamentally, our goals are to build great products that don’t abuse people, beat the tech oligopoly, and elevate the rights of programmers developing software that has source code open to public scrutiny and tinkering.”). And they’re still not dropping the effort to dilute the term “Open Source” (“The OSI, an organization with confidential charter members and large corporate sponsors, does not have any legal right to say what is and is not ‘open source’. It is arrogant of them to lay claim to the definition.”).

    Also, just as an aside, as the page that the words “legal right” in that last quote link to says, the OSI attempted to trademark “Open Source.” I’m not sure why FUTO seems to think the same reasons why the “Open Source” trademark was rejected won’t apply just as much to the term “Source First” (but they do seem to think that: “we will be making our own term and trademarking it.”)