Even if the original issue had anything to do with ISOs, he's way overestimating the level of protection on many install ISOs, in my experience—they're just disk images, and presumably all the files read off them are passing through Ventoy itself. Even if you find one that performs some kind of verification, easy enough to change a jump instruction to a no-op somewhere in the machine code guts of a file as it passes through Ventoy, and prevent the verification from executing. (The difficult part is figuring out which instruction to change, but people have done it before.)
- Posts
- 0
- Comments
- 190
- Joined
- 2 yr. ago
- Posts
- 0
- Comments
- 190
- Joined
- 2 yr. ago
It can’t inject anything into the ISO files at rest without bricking then, and I don’t know if an OS that doesn’t verify it’s own image before booting.
As far as I can tell, this is not talking about ISOs installed using Ventoy, but precompiled blobs of things like Busybox that are included in the Ventoy install package. It's an important distinction. The developer could bundle a tampered blob, include in the documentation the checksum that matches that blob, and then if someone checks with the upstream project and calls them out, say something along the lines of, "Oh, they must have withdrawn that release," and replace it with an untampered blob. If they don't fight to preserve the tampered blob, they might even get away with it.
Configuring captive portal wifi without network manager or any aids beyond what's provided by wpa-supplicant. Eventually I gave up, since it wasn't really that important.
Adjusting freetype so that it works more-or-less the way I want it to, because the maintainers hate anyone who disagrees with their current hinting algorithm and make the setting as opaque as possible. I would prefer it if they allowed me to have hinting on some fonts and exclude only the ones that were designed to be pixel-aligned, but unless something's changed recently, that option isn't even offered.
Gentoo is its own thing. You can bump packages yourself a lot of the time with a few commands. Or have the package manager install directly from upstream source control, if that's your bag. Or you can hold on to older package versions for periods ranging from months to years, by stashing ebuilds in a local repository. At the same time, portage has reached the point where it bends over backwards to keep you from breaking stuff by accident. If you've done your setup right and use primarily stable keywords, breaking changes are very rare. And you're free to install things outside the protection of the package manager, or package things yourself if you don't mind working with bash scripting.
The tradeoff for all of this is that you have to spend a fair amount of time setting up and configuring stuff, and a fair amount of time compiling software if you want a USE flag combination other than what's on the binhost. It also helps to spend time learning the ins and outs of the portage/ebuild ecosystem if you're going to do anything unusual.
As for the proprietary nvidia drivers specifically, Gentoo currently has versions 390.157, 470.256.02, 525.147.05, 535.183.01, and four different 550+ available, which should cover most hardware of the past several years.
If you want to see whether certain software has been packaged without installing Gentoo, the best place to check is gpo.zugaina.org. The search function isn't all that bright, but it's the only site I know of that indexes all the official overlays and the Gentoo bugzilla along with the main repository.
I don't know how Debian's solution works, so I couldn't say for certain. Gentoo usually installs the different package versions to their own directories, and there are methods for selecting a "system python" (or lua, etc) which is the target of the
/usr/bin/pythonsymlink. Other versions have to be called with qualifiers (for instance,python3.10). Python libraries installed through the package manager may install to one or several versions depending on the content of a couple of environment variables, and applications that need python can request a specific version if they need to, or accept the system python if they don't care. (Note that python2 is no longer eligible to be the system python—you need at least one python3, although 2.7.18 remains in the package repository and can be installed as well if you really need it.)Of course, if you're not a programmer, you can leave the defaults for everything alone, and most of the time it should Just Work.
One problem with distro packages is that you can only install one version.
This isn't technically true for all distros—Gentoo has a mechanism that will allow multiple package versions to be installed in parallel. I have multiple distro-packaged Python and Lua interpreter versions on my system, for instance. But it does require some extra work by the packager, so it isn't done universally for all packages.
It used to be much, much more difficult than it is today, but your experiences will still vary according to what type of printer you have. The problem is drivers. There are still printers out there that have no working Linux driver (mostly old, non-Postscript-supporting, with no Mac drivers either). Some will work with a generic driver, but some features aren't available. The more annoying case is the one where the manufacturer put out a driver once, many years ago, it doesn't work properly with modern versions of CUPS, and they can't be arsed to revise it.
But most printers these days will do basic one-sided 100%-size prints out of the box, and that's all many people need.
Some level of self-discharge happens over time with even a disconnected battery, but that does seem greater than expected. I'd suspect hardware issues, to be honest. Batteries are fickle little creatures that deteriorate over time no matter what you do. Maybe it's misreporting the amount of charge left to the OS.
One thing people reading this should remember is that you cannot guarantee all packages on a Gentoo system will be updated simultaneously. It just can't be done. Because several of the arches affected by this are old, slow, and less-used (32-bit PowerPC, anyone?), it's also impossible to test all combinations of USE flags for all arches in advance, so sooner or later someone will have something break in mid-compile. For this change, that could result in an unbootable system, or a badly broken one that can't continue the upgrade because, for example, Python is broken and so portage can't run.
The situation really is much more complicated than it would be on a binary distro whose package updates are atomic. Not intractable, but complicated.
That being said, even a completely borked update would not make the system unrecoverable—you boot from live media, copy a known-good toolchain from the install media for that architecture over the borked install, chroot in, and try again (possibly with USE flag tweaks) until you can get at least
emerge --emptytree systemor similar to run to completion. It's a major, major pain in the ass, though, and I can understand why the developers want to reduce the number of systems that have to be handled in that way to as few as possible.So, Poettering wants to make life difficult for everyone using something other than his precious again by transitioning from the normal standard for IPC to something hardly anyone has ever heard of or uses that's based on JSON? Seriously? 🤢
Yup, called it: non-mandatory piece of software. Plus you have to have been dumb enough to deliberately forward the port at your router for the general-case attack, and you have to print something (which I do maybe twice a month) for any command injection to take place.
This does need to be patched, since there is some risk if you have CUPS running and another device on your LAN has already been compromised, but it's definitely not the earthshattering kaboom the discoverer misrepresented it as.
I can't think of anything except the kernel that is genuinely obligatory on all Linux systems, including embedded. Not glibc (musl). Not udev (mdev). Not systemd (OpenRC/runit/etc). My guess is that this is another exploit of something the reporter hasn't realized isn't mandatory because they're not familiar with non-mainstream distros. I suppose it could be a kernel issue that Android has specifically patched, but if that's it it'll be fixed in short order.
In other words, not exactly holding my breath.
To be exact, OpenRC was developed to be run on top of sysV init, and still can be. (Many distros had their own "on top of sysV" things, but most of them stopped being maintained as systemd became common. OpenRC started its life as Gentoo's "on top of sysV", but was then cleaned up and made distro-agnostic.)
s6 is apparently a daemontools-like process supervisor that can be run as an init or in company with some other init.
Gentoo's comparison of init systems lists Artix as the preferred service file supplier for s6 (although that may be outdated), so I expect it is or was used extensively by that distro.
Or, if you can't find any of those other settings, try decreasing the font size by 1 pt or 1-2 px (not sure what unit KDE6 uses for font sizes) and see if that works better with the new font's letter widths and kerning.
Nor does Forth (which used to be a common choice for "first thing to bootstrap on this new chip architecture we have no real OS for yet"). Alas, they're just not popular languages these days.
Actually, I don't think you could break a system in quite this way in Gentoo these days. Portage generally doesn't remove packages during upgrades (certainly not unrelated ones that would break the depgraph!). It would have exited with (in this case) a message about version conflicts before changing any packages and left it for the user to sort out. Modern versions of portage do a pretty good job of keeping you from shooting yourself in the foot by accident, while leaving you with a lot of leeway for doing so on purpose.
Assume anything you can buy has a shelf life and set a yearly reminder on your calendar to copy forward stuff more than five or so years old, if those files are of significant value to you. Or for the documents, print them out—paper has better longevity than any consumer-available electronic storage.
That being said, quality optical discs are probably the best option in terms of price to longevity ratio for the average person right now. Just keep in mind that they are not guaranteed to last forever and do need to be recopied from time to time.
(I have yet to have a DVD fail on me, but I keep them in hard plastic jewel cases in climate-controlled conditions, and I've probably just been lucky.)
I prefer Claws Mail. It does what I need it to.
- JumpDeleted
Permanently Deleted
It was a legitimate but extremely rare concern with some early printers, yes (Wikipedia points out a particular early laser model from Xerox, plus an experimental machine from 1959, as printers that have legit caught on fire, but also points out that there is no known report of one of the old industrial-sized line or drum printers ever catching fire from friction despite it being a hypothesized failure mode). Thing is, those printers were, I believe, all obsolete by the time the Linux kernel was written. So the "on fire" error message is not likely to have been congruent with reality for any machine actually running Linux.
The GPU doesn't care about the CPU, or vice-versa. AMD is probably better value for money right now if you're intending to replace both CPU and mobo, but Intel will work.
The reason you don't see AMD CPU + nVidia GPU in premade machines these days has to do with corporate contracts, not interoperability. Before AMD bought out ATI, it wasn't an uncommon combination.