They probably fear that the failed Windows mobile lineup tainted the brand name for the product’s target demographic.
Sometimes I call the numbers on missing dog posters and just bark into the phone. I learn from the mistakes of those who take my advice.
OMG is it bad. We used a couple WD drives for a surveillance camera array and they didn’t last a year. Two drives failed 9 months apart. Ended up going on Backblaze and picking what looked best for our XFS RAID 10 having learned that lesson the hard way.
This 1000%. Since basically high school I’ve been on Ubuntu for the machines I need to work, because at the end of the day it usually does. Some of the people I meet see that I use a Chromebook with the containers enabled and have similar reactions. “How can you use that, it’s not even real Linux?”, as if it isn’t literally a Linux kernel. The Steam Deck is popular because you don’t need to know Linux to use it, and Ubuntu is popular because you don’t need to know a lot of Linux to use it.
I have a lot of love for openSUSE. Back in my teenage years, I used it and Ubuntu a lot. zypper is the best package manager, and YaST made configuration easier since I didn’t know config files yet.
Japan too. The U.S. Congress threatened Japan with a trade war if they didn’t shutter their TRON project to create a domestic Unix. Nowadays it’s almost entirely Windows, and Japan has stagnated in terms of technology. They might have another chance at it with the world searching for an alternative to Taiwan for semiconductors and the potential legal status of AI training in Japan.
I don’t care whose indexes they use so long as the results are good. The problem isn’t the index, it’s how the contents get prioritized and presented. Kagi happens to do so well for me.
He offered to start a conversation about the blog post and give his perspective. The only thing I see here is the author refusing to stand on their post.
A company made me an offer last year when I was looking for startups, but they required me to move to Austin. Austin is a nice place, but it’s unfortunately surrounded by Texas. Fast forward to today and they are moving out of Texas because it’s too expensive and they are having trouble retaining talent. The incentives the city has been offering to foster their own Silicon Valley are stalling because it’s not much cheaper and the state legislature is a Barnum circus of inhumanity.
Honestly it isn’t. Support for anything front-end related is way more sparse compared to Linux.
Man I wish FreeBSD hadn’t fallen by the wayside. It’s really cohesive and feels put together in a way no Linux distro ever has.
Haha Mint was my first distro! I wiped Windows 7 and installed Mint, then quickly learned that a tarball is in fact more work than an exe. Good times and a great learning experience! Back then it was the only thing not slow, ugly, or wildly unfamiliar.
I admire your gusto! I think it’s doable, and you can definitely pull it off if you want to. To replace MD5 and implement signatures you need to do the following, as a high level overview:
1. Extend dpkg to know what SHA2 is, and reliably detect it. (maybe measure hash length or specifying a new version using the control file?)
2. dpkg must also know what a signature is. More on that below.
3. Providing automatic/mandatory signing will require code to handle PKI as well as a place to store the signing information. I would do it by signing the two archives found within Deb packages, then placing information about the signing in the top-level of the package. Existing tools need to be able to ignore or handle whatever you implement as a rule of thumb.
Note that this is just my approach and maybe you can do better.
I also recommend looking into https://lists.debian.org/debian-dpkg/2001/03/msg00024.html. This is the thread I mentioned earlier, in which package signatures were discussed and ultimately turned down. Maybe the easiest approach is to re-implement what the contributor was trying to do back then, but with modern code and standards? If you want more resources, including my presentation on the topic to HackCFL and CitrusSec, let me know. I am here for whatever technical assistance or industry contacts I can provide. The white paper might be done in a month, minus peer review. I’m very busy and so is he. Good luck in any case!
To save you some effort, they do not consider it a priority to fix. Someone attempted to merge code that would make package signatures the default, but it was removed because it “was a waste of cpu cycles” when “md5 and the https was just as good”. I’m not kidding, you can find the whole conversation in the Debian mailing archives. So instead I’m going to make it known how dumb it is, and encourage people to use something else.
In theory (whitepaper is still being written), if you MITM the connection to the APT mirror it’s using you can also carry out the attack over the network by injecting it into the package on the fly. Cert pinning might be a blocker, but local (LAN) package mirrors might still be valid attack targets. Enterprises often use MITM certs for things like DLP and packet inspection we might be able to leverage at least.
The use of MD5 becomes a bigger issue when paired with the lack of package signatures. You can inject code into a package and find a colliding digest absurdly fast. A friend from ThreatLocker and I created a Metasploit module to use Deb packages for local privesc based on the concept. If it touches the filesystem outside of the APT cache it becomes a vector.
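The design sketched in the earlier comment (hash the archives inside a .deb with SHA-256, sign the digests, and store the signing information at the top level of the package) and the injection scenario described in the comments above, as an added example that is not the commenter’s code, the Metasploit module, or anything from dpkg. It assumes a .deb is a plain ar(1) archive whose members are `debian-binary`, `control.tar.*` and `data.tar.*`, that a member named with a leading underscore (here the hypothetical `_signature`) is tolerated by existing tooling as deb(5) describes for reserved names, and it uses Ed25519 from the Go standard library in place of a real PKI. The sample package and its tar payloads are constructed placeholder bytes, not real tarballs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// A .deb is an ar archive: "!<arch>\n" then 60-byte member headers laid out as
// name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"; data is padded to an even offset.
// Members whose names start with "_" are reserved per deb(5) (assumption: tooling ignores them).
const arMagic = "!<arch>\n"
const sigMember = "_signature" // hypothetical name for the added signature member

type arMember struct {
	Name string
	Data []byte
}

// parseAr walks the ar members, accepting both GNU "name/" and BSD "name " headers.
func parseAr(b []byte) ([]arMember, error) {
	if !bytes.HasPrefix(b, []byte(arMagic)) {
		return nil, errors.New("not an ar archive")
	}
	var members []arMember
	for off := len(arMagic); off < len(b); {
		if off+60 > len(b) || string(b[off+58:off+60]) != "`\n" {
			return nil, errors.New("truncated or malformed member header")
		}
		name := strings.TrimRight(string(b[off:off+16]), " /")
		size, err := strconv.Atoi(strings.TrimSpace(string(b[off+48 : off+58])))
		if err != nil || size < 0 || off+60+size > len(b) {
			return nil, errors.New("bad member size")
		}
		members = append(members, arMember{name, b[off+60 : off+60+size]})
		off += 60 + size + size%2
	}
	return members, nil
}

// buildAr serialises members back into an ar archive with GNU-style "name/" headers.
func buildAr(members []arMember) []byte {
	var buf bytes.Buffer
	buf.WriteString(arMagic)
	for _, m := range members {
		fmt.Fprintf(&buf, "%-16s%-12d%-6d%-6d%-8s%-10d`\n", m.Name+"/", 0, 0, 0, "100644", len(m.Data))
		buf.Write(m.Data)
		if len(m.Data)%2 == 1 {
			buf.WriteByte('\n') // even-offset padding byte
		}
	}
	return buf.Bytes()
}

// manifest hashes the three content-carrying members with SHA-256 in a fixed order,
// so the signature covers the control and data archives, not just the outer file.
func manifest(members []arMember) (string, error) {
	var sb strings.Builder
	for _, want := range []string{"debian-binary", "control.tar", "data.tar"} {
		found := false
		for _, m := range members {
			if m.Name == want || strings.HasPrefix(m.Name, want+".") {
				sum := sha256.Sum256(m.Data)
				fmt.Fprintf(&sb, "SHA256 %s %s\n", hex.EncodeToString(sum[:]), m.Name)
				found = true
			}
		}
		if !found {
			return "", fmt.Errorf("package has no %s member", want)
		}
	}
	return sb.String(), nil
}

// signPackage appends a "_signature" member holding the manifest and an Ed25519
// signature over it; the original members are left byte-for-byte untouched.
func signPackage(deb []byte, priv ed25519.PrivateKey) ([]byte, error) {
	members, err := parseAr(deb)
	if err != nil {
		return nil, err
	}
	man, err := manifest(members)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, []byte(man))
	body := man + "Signature ed25519 " + hex.EncodeToString(sig) + "\n"
	return buildAr(append(members, arMember{sigMember, []byte(body)})), nil
}

// verifyPackage checks the signature first, then recomputes the manifest from the
// members actually present and requires it to match the signed one exactly.
func verifyPackage(deb []byte, pub ed25519.PublicKey) error {
	members, err := parseAr(deb)
	if err != nil {
		return err
	}
	var sigBody string
	var rest []arMember
	for _, m := range members {
		if m.Name == sigMember {
			sigBody = string(m.Data)
		} else {
			rest = append(rest, m)
		}
	}
	const tag = "Signature ed25519 "
	i := strings.LastIndex(sigBody, tag)
	if sigBody == "" || i < 0 {
		return errors.New("package is unsigned or signature member is malformed")
	}
	sig, err := hex.DecodeString(strings.TrimSpace(sigBody[i+len(tag):]))
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, []byte(sigBody[:i]), sig) {
		return errors.New("signature does not verify")
	}
	man, err := manifest(rest)
	if err != nil {
		return err
	}
	if man != sigBody[:i] {
		return errors.New("package contents do not match signed manifest")
	}
	return nil
}

// sampleDeb builds a constructed minimal package; the tar payloads are placeholder bytes.
func sampleDeb() []byte {
	return buildAr([]arMember{
		{"debian-binary", []byte("2.0\n")},
		{"control.tar.gz", []byte("constructed control archive")},
		{"data.tar.xz", []byte("constructed data archive")},
	})
}

// tamperDataTar simulates injecting code into the package by swapping data.tar in place.
func tamperDataTar(deb []byte) ([]byte, error) {
	members, err := parseAr(deb)
	if err != nil {
		return nil, err
	}
	for i := range members {
		if strings.HasPrefix(members[i].Name, "data.tar") {
			members[i].Data = []byte("constructed data archive with an injected payload")
		}
	}
	return buildAr(members), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed, _ := signPackage(sampleDeb(), priv)
	fmt.Println("signed package:", verifyPackage(signed, pub))
	tampered, _ := tamperDataTar(signed)
	fmt.Println("tampered package:", verifyPackage(tampered, pub))
}
```

The point of hashing the inner archives rather than the whole file is that the signature member itself can be appended or stripped without touching what is signed, which is what lets older tooling ignore it; the verifier must still refuse an unsigned package outright, otherwise stripping `_signature` becomes the trivial bypass.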
Did they ever make good on this plan?
RPM must accept SHA-1 hashes and DSA keys for Fedora 38, ideally with a deprecation warning that it will be disabled in F39.
And MD5 for package integrity checking, and not using per-package PKI signatures.
DDG has had cost issues with some of the more complex queries. Exclusions (-) for example are very expensive, as Bing recently raised their prices. I think this is why search has gotten worse with DDG recently.