

I’m not American, but CVEs absolutely form the cornerstone of IT security, and are the trusted keystone of industry security globally.
Canonical is UK based, so scrub that.
But Redhat, Rocky, Alma are all owned by US legal entities and can absolutely be legally forced to do as you describe.
Technically blocked is something else, mind. We’re clever, resourceful and motivated people and US laws wouldn’t directly affect us.
However - you’re thinking small. US influence of IT is massive. Routers, servers, hardware of all levels. The most enterprise level software is US led. All of these things can be restricted, or tariffed heavily, or sanctioned entirely. If the US wants to hurt the rest of the world, it just has to tell Broadcom to turn off vmware outside of America. Ditto Cisco, Ditto Dell, Ditto… etc etc. Sure, it would be illegal, but does the American government care about that?
Anyone telling you that “Y won’t happen because it’s unthinkable” clearly hasn’t been paying attention this year.
Good news. Tourism is far more important to Iceland than the few people who were still eating whalemeat, and they’re smart enough to realise how many people were turned away because of it.
subordinate to the U.S. because 'murica.
Not quite - he wants them to be subordinate to him.
In olden days, Kings would force fealty by forcing others to “kiss the ring”. That’s exactly what he tries to do - and what was behind the ridiculous display with his guest, President Zelensky.
We’ve seen him hide behind his title again and again when people challenge him “You don’t speak to the president like that!” Yet any small successes are entirely his doing. Shameful, if the man had any shame whatsoever.
“I know you are, but what about the critic?”
Of course it is.
His interfering with European politics is despised over here - promoting far-right groups in Germany, France and the UK deliberately to destabilise our countries. The man is genuinely dangerous to all democracies, not just the US.
Debian stable is as hassle-free as you’ll get.
It sounds like your issue is more with having to migrate to a new laptop. Firstly - buy laptops that are more linux compatible and you’ll have fewer niggles like with sound, suspend and drivers.
Secondly - use “dpkg --get-selections” and “--set-selections” to transfer your list of installed software across to your new laptop. Combined with transferring your /home directory, user migration can be speeded up.
I think you make a good point, but it’s one that affects any anti-malicious protection. How do you know that the anti-virus warning you get on Windows is legitimate and not a false alert? Or that the Apparmor block wasn’t a misfire? Selinux is no better nor worse in principle than those.
In all cases, you need to stop and figure out what’s actually going on. That’s one benefit of all these things - they make you pause and, hopefully, think, when something is outside the norm.
And yep, they can be bypassed and they need to be able to be bypassed. If someone is lazy or not knowledgeable enough to make the right decision, or even just in a hurry, then they are at risk. No automated system can protect entirely against that.
Permissive mode, and yes, you absolutely can. That shows warnings but doesn’t actively block. But you still benefit from running setroubleshoot to actually figure out what and why it’s blocked something, and how to mitigate that.
Permissive is also good in that you can get a bunch of blocks reported at once, instead of having to step through one at a time, which can be useful.
I have a saying, “If it’s not DNS, then it’s Selinux”. It blocks stuff so frequently it’s a major time sink for us.
It is overly complex and difficult to understand, especially if you’re developing and deploying software that does not have correct pre-rolled policies. A regular job for me is to help developers solve this - which generally means running their service, seeing what Selinux blocks on, and then applying a fix. Repeat 2-8 times until every way Selinux is trying to access a file is explicitly allowed. And sometimes, even software that comes via official repos has buggy selinux policies that break things.
Fortunately, there are tools to help you. Install setroubleshoot and when something doesn’t work, “grep seal /var/log/messages” and if it’s selinux causing the problem, you’ll find instructions showing you what went wrong and how to create an exception. I absolutely consider this tool essential when using any system with selinux enabled.
Already done, along with a bunch of other stuff including cloudflare WAF and rate limiting rules.
I am still annoyed that it took me over a day of my life to finally (so far) restrict these things. And several other days to offload the problem to Cloudflare pages for sites that I previously self hosted but my rural link couldn’t support.
this advice is just for “unintentional” DDoS attacks, not intentionally malicious ones.
And I don’t think these high volume AI scrapes are unintentional DDOS attacks. I consider them entirely intentional. Not deliberately malicious, but negligent to the point of criminality. (Especially in requesting the same pages again so frequently, and all of them ignoring robots.txt)
“Avoid US based software and services”
TLDR; you can’t. At least not if you’re running any kind of business.
I did a quick audit at work a few weeks ago. Over 90% of our stack is US based. Windows, office, 365, vmware, even our linux distros. And that’s without even thinking about supply chain. And most of the hardware we use and has support licences.
Surprised at the level of negativity here. Having had my sites repeatedly DDOSed offline by Claudebot and others scraping the same damned thing over and over again, thousands of times a second, I welcome any measures to help.
Fuck this project, but… their source code can be free and open source even if they distribute binaries which aren’t.
An example of how this didn’t work for one project. (From memory, and it was a long time ago - 2005/2008 ish)
Xchat was once the best IRC client for Windows (after Mirc). It was free software, but the developer started charging for the Windows builds of it. Linux binaries were still free, but he claimed that it was time consuming to build on Windows and etc etc (A bit rich considering it was mostly his code - and there were suspicions he made it deliberately so)
Some people were pretty pissed off about this, especially as it used some other code that was foss and it was felt against the spirit.
Anyway, it was cloned into Hexchat which is fully free on all platforms and apparently not so difficult to build binaries after all.
15 years later to today, Hexchat is thriving and Xchat has been completely dead for 15 years.
Fair point about systemd, or any of the other core components - I don’t know.
But I don’t think we’d be fucked - we’re ingenious and motivated and have a proven record of adapting and innovating to solve problems that stop us playing with our toys.
We’re an ingenious and motivated bunch (See all the Redhat attempts to stop clones, and lots of other examples), so yes, I think we’d absolutely work around the problem if it was to happen.
Point? I was replying about Mint and Ubuntu - what has Fedora got to do with them?
Well, all the distros being discussed are open source - it’s kind of a requirement when making a linux distro because the licences require it and you wouldn’t be able to make it closed source. (Unless there’s a huge shift in the law)
And being open source doesn’t necessarily prevent it falling under sanctions legislation. I have seen a linux distro being legally required to “take reasonable steps” to geo-block Russian access to its repos, and I’ve personally read disclaimers when installing linux that “This software is not allowed to be used in Russia”. (That distro is ‘owned’ by an organisation that was controlled by a single person, so it’s probably not comparable to Debian) We’re all technical people so we can all probably think of half a dozen ways around that, but it was still ordered by the US Government (even before the current government)
And you may be right in that it would be exempt. Debian isn’t owned by anyone, but its trademark is (Software in the Public Interest), and it feels possible that those who help distribute foss (by mirroring repos for example) may be restricted if they fall under US jurisdiction. I don’t know for certain - and unless someone here is a qualified lawyer specialising in software licences as well as how software rooted in the US relates to sanctions - we’re all probably guessing.
Three months ago any of this would have felt ridiculous - who would want to stop free software? But now? In this era of the ridiculous? I certainly feel unsure about predicting anything.
Absolutely.
These services are also used by many governments around the world and considered critical infrastructure.
Terrifying, right?