Sapozhnik posted: it's always the fruit company employees itt lol

oh go gently caress yourself, just what does my employer have to do with this? I've been dealing with UNIX variants for literally decades now

# ? Nov 30, 2021 07:50
# ? Apr 24, 2024 02:44 |
Sapozhnik posted: When the system works right then it works very well, a maintainer is an invaluable advocate for the user's interests. I'm paraphrasing that Maintainers Matter article at this point but adware and spyware simply does not exist in mainstream Linux desktop environments as a direct consequence of the existence of maintainers, not just because the whole stack is free software or open source or whatever; that's necessary, but not sufficient.

gonna need a citation or argument on that one, i am not at all convinced there's a causal link

i've been a mac user since the 1990s. there was a long time when mac users in online my-computer-is-better-than-yours fights were hanging their hats on "oho winturds, macs basically don't have malware" but it was really because nobody fuckin' bothered, there weren't enough macs. desktop linux works the same way

quote: Also the main reason why distro-packaged software tends to have maintenance problems is because there are problems in the upstream software itself. Perhaps it embeds outdated forks of third-party software libraries. Perhaps it uses a screwy build system. Perhaps it pulls in a hundred tiny lovely libraries via some cesspit like npm that came from god knows where. It is no coincidence that these traits are commonly found inside commercial software, because commercial software does not consider these traits to be defects. "Move fast and break stuff" is the order of the day, and first mover advantage is everything. Clean up enough bugs to keep pulling in money from users later, but if you don't make it to market before your competitor does then there won't be a later. Security holes? No company has ever gone bankrupt from security holes.

lmao, linux package maintainers were responsible for creating one of the most hellfucked security flaws i ever read about. trying to point blame for the problems this system creates back at upstream is p. hosed, too, given that few of them even exist on other platforms.

do i care if a mac app has a fucky build system or embeds a forked library? nope, i just use it.

also, protecting user accounts from each other isn't enough. today you have to protect the user's data from programs the user installed. relying on amateur review of distro packages is not enough; even if you assume perfect reviewers no distro ever has everything and the system's straining with the quantity of software already out there. if linux is ever to scale out of its current limited userbase it's going to have to adapt to people running fart apps they downloaded from butt.net. (news flash: lots of linux users already do that and you're just being saved by obscurity)

this is why things like flatpak not only attempt to move beyond the bad package manager model but also introduce sandboxing. if you want a good future for linux start looking at efforts like that and constructively critique them because the distro/package model ain't getting it done.

quote: Use a judiciously-chosen set of reputable dependencies, use a standard build system, make regular time-based releases, follow platform conventions. Do that and distributors will not get in your way. And yes this is a rather idealistic attitude

i would call it positively panglossian, not merely idealistic

# ? Nov 30, 2021 08:03
BobHoward posted: also, protecting user accounts from each other isn't enough. today you have to protect the user's data from programs the user installed. relying on amateur review of distro packages is not enough; even if you assume perfect reviewers no distro ever has everything and the system's straining with the quantity of software already out there. if linux is ever to scale out of its current limited userbase it's going to have to adapt to people running fart apps they downloaded from butt.net. (news flash: lots of linux users already do that and you're just being saved by obscurity)

quoting this, hard

shower thought: if i'm on windows and i want to try running a very trustworthy strip_poker.exe because I want to see pixelated titties, i can use Sandboxie and it's easy as pie, then that arbitrary executable can't steal my ssh keys or my family pictures

googling tells me the linux equivalent is firejail, and it looks pretty straightforward, just `firejail strip_poker.sh`. does it actually work well? would it make sense to have a distro that runs all untrusted executables and shell scripts under firejail by default, unless you invoke a specific sudo-like command ('unjail' or whatever)?

e: for the purpose of this discussion let's ignore exactly what 'untrusted' means, assume it can be configured to your liking during setup. but it always definitely includes poo poo you manually downloaded from the internet, whether by right clicking in firefox or via curl | bash

NihilCredo fucked around with this message at 12:35 on Nov 30, 2021

# ? Nov 30, 2021 12:31
firejail kind of beside the point i think, obviously all the technology necessary to sandbox and otherwise limit stuff is there on linux, but expecting users to deal with it is as you touch upon kind of nonsense. the point of flatpak is to make it possible to actually ship software on linux without having to care about a billion details, without pushing all the concerns onto the users.

Cybernetic Vermin fucked around with this message at 13:02 on Nov 30, 2021

# ? Nov 30, 2021 12:57
i like debian but i forgot about this, lol: https://wiki.debian.org/Chromium

quote: As of 2021-10-14 19:19:07, Debian's Chromium package in buster, bullseye and bookworm repository remains vulnerable to numerous CVEs as outlined in the Chromium Security Tracker. Consider using an alternative browser like Firefox, Brave or ungoogled-chromium.

https://security-tracker.debian.org/tracker/source-package/chromium

for me, it entirely nullifies the idea that debian is more secure because of its package review/release/maintenance process (which is something i have occasionally bought into). that's okay, i'll still keep using that garbage.

ps: why on earth don't they just remove it? why keep it up there?

mawarannahr fucked around with this message at 13:28 on Nov 30, 2021

# ? Nov 30, 2021 13:17
Cybernetic Vermin posted: firejail kind of beside the point i think, obviously all the technology necessary to sandbox and otherwise limit stuff is there on linux, but expecting users to deal with it is as you touch upon kind of nonsense.

i think we're in agreement, because i think that right now it's not even usable for 'power users', let alone regular users

for comparison, i use ublock origin in advanced mode and with 3rd party requests blocked by default, so 90% of websites are broken by default for me until i whitelist the CDNs that are actually serving content instead of ads. ditto for android apps, no permissions by default and trackercontrol as a firewall so i need to whitelist them to let them phone home

it's a bit much for regular users who want their adware-infested recipe sites and malware-full candy crush clones to Just Work®. but if you're ok with taking responsibility over what's happening in your browser / phone, it's quite usable, because surgically unblocking stuff takes like two clicks

i would like the same thing for desktop apps. i want to cheerfully download fart apps from xxxgoku79xxx's profile and they just run in their neat little sandbox without disk or network access by default, instead of needing to launch firejail from the cli. if they want to phone home or browse my ~, i want to click on a little icon to let them do it if i actually trust them, instead of having to create a firejail .profile file with a text editor, or having to open firewall-config and manually create a whitelist rule

quote: the point of flatpak is to make it possible to actually ship software on linux without having to care about a billion details, without pushing all the concerns onto the users.

flatpak, much like docker, is about dependency management first and security a distant second (and there's nothing wrong with that). i'm talking about security

# ? Nov 30, 2021 14:58
NihilCredo posted: i would like the same thing for desktop apps. i want to cheerfully download fart apps from xxxgoku79xxx's profile and they just run in their neat little sandbox without disk or network access by default, instead of needing to launch firejail from the cli. if they want to phone home or browse my ~, i want to click on a little icon to let them do it if i actually trust them, instead of having to create a firejail .profile file with a text editor, or having to open firewall-config and manually create a whitelist rule

you just described macos sandboxing! except that macos allows outbound connections because not allowing that would be insanely bad UX. inbound requires permission, reading from random directories requires permission

# ? Nov 30, 2021 16:03
Optimus_Rhyme posted: Apt for life.

thats because the teams app is an electron piece of poo poo that installs to your user profile instead of a real app

# ? Nov 30, 2021 16:09
Shaggar posted: thats because the teams app is an electron piece of poo poo that installs to your user profile instead of a real app

doesn't this apply to vscode too.

# ? Nov 30, 2021 16:53
yes

# ? Nov 30, 2021 17:22
Nomnom Cookie posted: you just described macos sandboxing! except that macos allows outbound connections because not allowing that would be insanely bad UX

by default, sure. i would still want something like this though:

"Spotify wants to connect to spotify-cdn.com [ ignore / >allow< ]"
"Spotify wants to connect to amazonaws.com [ ignore / >allow< ]"
"Spotify wants to connect to facebook.com [ >ignore< / allow ]"
"legit-calculator wants to connect to wikipedia.org [ ignore / >allow< ]"
"legit-calculator wants to connect to ebfyiqwbvoiy.7xz [ >ignore< / allow ]"

# ? Nov 30, 2021 18:10
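The per-application "wants to connect to X [ ignore / allow ]" model in the post above is what application firewalls such as Little Snitch and opensnitch implement. The following is an added example, not code from the thread or from either of those tools: a small egress policy engine in Python that matches rules by application name and domain suffix, answers ASK when nothing matches (the point at which a real tool would pop a dialog), and turns the user's answer into a remembered rule. The application names, hosts and the rule set in `sample_policy()` are constructed to mirror the prompts in the post.

```python
"""Per-application outbound connection policy, opensnitch / Little Snitch
style. Added example; the apps, hosts and rules below are constructed."""

from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"  # no rule matched: the user has to be prompted


@dataclass
class Rule:
    app: str        # executable name, or "*" for every application
    host: str       # exact host, or a parent domain matched as a suffix
    verdict: Verdict


def host_matches(rule_host: str, host: str) -> bool:
    """'example.com' covers 'example.com' and 'cdn.example.com', but not
    'notexample.com': the suffix has to start at a label boundary."""
    host = host.rstrip(".").lower()
    rule_host = rule_host.rstrip(".").lower()
    return host == rule_host or host.endswith("." + rule_host)


@dataclass
class EgressPolicy:
    rules: list = field(default_factory=list)

    def decide(self, app: str, host: str) -> Verdict:
        """Verdict for one connection attempt.

        When several rules match, the longest (most specific) host wins,
        then an app-specific rule beats a "*" rule, and DENY beats ALLOW on
        a complete tie. No matching rule at all means ASK."""
        best, best_key = None, None
        for rule in self.rules:
            if rule.app not in ("*", app) or not host_matches(rule.host, host):
                continue
            key = (len(rule.host), rule.app != "*", rule.verdict is Verdict.DENY)
            if best_key is None or key > best_key:
                best, best_key = rule, key
        return best.verdict if best is not None else Verdict.ASK

    def answer_prompt(self, app: str, host: str, allow: bool,
                      remember: bool = True) -> Verdict:
        """Record the user's answer to a prompt. With remember=True the
        answer becomes a rule, so the same app/host is never asked again."""
        verdict = Verdict.ALLOW if allow else Verdict.DENY
        if remember:
            self.rules.append(Rule(app, host, verdict))
        return verdict


def sample_policy() -> EgressPolicy:
    """Constructed rule set mirroring the prompts in the post."""
    return EgressPolicy([
        Rule("*", "facebook.com", Verdict.DENY),  # tracker domain, every app
        Rule("spotify", "spotify-cdn.com", Verdict.ALLOW),
        Rule("spotify", "amazonaws.com", Verdict.ALLOW),
        Rule("legit-calculator", "wikipedia.org", Verdict.ALLOW),
    ])


if __name__ == "__main__":
    policy = sample_policy()
    attempts = [("spotify", "cdn1.spotify-cdn.com"),
                ("spotify", "graph.facebook.com"),
                ("legit-calculator", "en.wikipedia.org"),
                ("legit-calculator", "ebfyiqwbvoiy.7xz")]
    for app, host in attempts:
        verdict = policy.decide(app, host)
        if verdict is Verdict.ASK:
            # a real tool shows a dialog here; this demo denies and remembers
            verdict = policy.answer_prompt(app, host, allow=False)
            print(f"{app} wants to connect to {host} [ >ignore< / allow ]")
        else:
            print(f"{app} -> {host}: {verdict.value}")
```

The precedence order matters more than it looks: a wildcard deny on `facebook.com` should not silently override a deliberate, app-specific allow for one host under it, and an unknown domain from an untrusted app must land on ASK rather than fall through to allow, which is the default-deny posture the post is asking for.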
you can do that with Little Snitch but yes it should be built in

linux of course gets the good stuff for free https://github.com/evilsocket/opensnitch

# ? Nov 30, 2021 18:13
Perplx posted: you can do that with Little Snitch but yes it should be built in

holy poo poo this is pretty much exactly what i wanted, thanks. i'll be installing it asap

# ? Nov 30, 2021 18:20
Yesterday our company was about to switch from NetExtender to AnyConnect for the Linux users, but quickly learned (from me) that:

- Docker doesn't have access to the VPN with AnyConnect, as AnyConnect reconnects every time a container is started.
- OpenConnect doesn't work because of course SSO support isn't baked in yet.

# ? Nov 30, 2021 18:50
NihilCredo posted: flatpak, much like docker, is about dependency management first and security a distant second (and there's nothing wrong with that). i'm talking about security

docker is a user interface around cgroups

# ? Nov 30, 2021 19:25
DoomTrainPhD posted: Yesterday our company was about to switch from NetExtender to AnyConnect for the Linux users, but quickly learned (from me) that:

lmao your poo poo is so hosed. no offense. dockers that need VPN access lmao

# ? Nov 30, 2021 19:29
Progressive JPEG posted: docker is a user interface around cgroups

cgroups v2 now!

# ? Nov 30, 2021 19:29
Nomnom Cookie posted: lmao your poo poo is so hosed. no offense. dockers that need VPN access lmao

Yes, for containers used for development, yanking files from a file share behind the VPN is pretty standard. Also:

- Accessing the sonarqube server
- Uploading artifacts
- Deploying updates

Lmao your poo poo is so hosed if you don't have the "D" part of CI/CD.

FlapYoJacks fucked around with this message at 19:33 on Nov 30, 2021

# ? Nov 30, 2021 19:30
Progressive JPEG posted: docker is a user interface around cgroups

youre talking about what it is, op was talking about what it enables

DoomTrainPhD posted: Yes, for containers used for development, yanking files from a file share behind the VPN is pretty standard.

this may be true but it doesn't make me wrong

Perplx posted: you can do that with Little Snitch but yes it should be built in

this is pretty neat

is there a linux version of the rest of macos sandboxing or is flatpak the state of the art (cue that annoying "just make an selinux module" post)

# ? Nov 30, 2021 19:34
DoomTrainPhD posted: Yes, for containers used for development, yanking files from a file share behind the VPN is pretty standard.

you think i want devs to do poo poo-all from their laptops? at my job we have infrastructure, not a bunch of people who can't tell a reproducible build from a manually modified docker image pushing whatever from their laptop to production

# ? Nov 30, 2021 19:36
Nomnom Cookie posted: you think i want devs to do poo poo-all from their laptops? at my job we have infrastructure, not a bunch of people who can't tell a reproducible build from a manually modified docker image pushing whatever from their laptop to production

Well our containers are used for building/maintaining an embedded Linux project, so perhaps my use case is slightly different.

# ? Nov 30, 2021 19:39
no, it's not. no matter what you're building for the love of god do not have a workflow where artifacts get built on a random loving developer laptop and deployed directly. come on

# ? Nov 30, 2021 20:01
DoomTrainPhD posted: cgroups v2 now!

# ? Nov 30, 2021 20:02
Phobeste posted: no, it's not. no matter what you're building for the love of god do not have a workflow where artifacts get built on a random loving developer laptop and deployed directly. come on

if it's good enough for them, why is it not good enough for you?

# ? Nov 30, 2021 20:02
Phobeste posted: no, it's not. no matter what you're building for the love of god do not have a workflow where artifacts get built on a random loving developer laptop and deployed directly. come on

What the gently caress are you talking about? Deployment happens in a pipeline, no random loving developer laptop gets to deploy anything, nor did I even insinuate such a thing. However, when building the container (even for development), there are several files that live on the VPN that are required. How is this a hard concept to grasp? What short-circuited in your head that made you jump to that conclusion?

# ? Nov 30, 2021 20:09
LOL.

"We use the docker container for development"

"OH, SO YOU LET ANY RANDOM ENGINEER DEPLOY FROM A LAPTOP???"

# ? Nov 30, 2021 20:10
the important thing to remember is that if it is not working properly out of the box it means that your use-case is bad, criminally negligent really. your linux is just enforcing best practices by refusing to function.

# ? Nov 30, 2021 20:13
when you use a docker, you are ...docking

# ? Nov 30, 2021 20:13
Nomnom Cookie posted: Linux: this may be true but it doesn't make me wrong

# ? Nov 30, 2021 20:18
Phobeste posted: no, it's not. no matter what you're building for the love of god do not have a workflow where artifacts get built on a random loving developer laptop and deployed directly. come on

docker is linux cancer, but let's talk more about the embedded linux use-case

1. There's a project (embedded Linux image) that needs a ton of finicky tool dependencies to build.
2. A full build probably takes 10-20 minutes minimum, and maxes out all CPU cores
3. Developers want to run builds locally, because it's faster and easier than waiting for CI. Probably some of them also install test-builds onto lab hardware.
4. You want your developer test-builds to turn out the same as your CI server, which runs the actual production builds

I get why somebody would do a docker for this, although I'd encourage "don't do a docker" instead

CI is the right tool for building prod images. It's also expensive and slow for building every single busted-rear end commit that some developer makes in a private branch. Not every company has infinite money to waste on cloud spend.

Poopernickel fucked around with this message at 20:32 on Nov 30, 2021

# ? Nov 30, 2021 20:23
DoomTrainPhD posted: What the gently caress are you talking about? Deployment happens in a pipeline, no random loving developer laptop gets to deploy anything, nor did I even insinuate such a thing. However, when building the container (even for development), there are several files that live on the VPN that are required.

you were the one talking about the D in CI/CD. what do you think that stands for?

# ? Nov 30, 2021 20:46
CI/CD is generally done by a pipeline. Why would you think I was talking about anything else?

# ? Nov 30, 2021 21:15
How the hell did y'all go from

quote: Yes, for containers used for development

Straight into arguing that he said he's deploying to prod straight from a development machine lmbo

# ? Nov 30, 2021 21:16
Lol if you're in charge of company infrastructure and this is your level of reading comprehension

# ? Nov 30, 2021 21:25
Poopernickel posted: docker is linux cancer, but let's talk more about the embedded linux use-case

This is essentially what's going on yes. It's much easier to onboard a new engineer when the instructions are:

- Get docker, docker-compose, and vpn access running on your machine.
- run "docker-compose build && docker-compose up -d" and now you can build the images.

# ? Nov 30, 2021 21:27
Poopernickel posted: docker is linux cancer, but let's talk more about the embedded linux use-case

yeah, that's what i do, but this series of posts:

Nomnom Cookie posted: you think i want devs to do poo poo-all from their laptops? at my job we have infrastructure, not a bunch of people who can't tell a reproducible build from a manually modified docker image pushing whatever from their laptop to production

DoomTrainPhD posted: Well our containers are used for building/maintaining an embedded Linux project, so perhaps my use case is slightly different.

is what created the confusion. big scary.

any doomtrain that's weird that the vpn is somehow that broken lol. can't even bind the container to the vpn adapter?

# ? Nov 30, 2021 21:29
Phobeste posted: is what created the confusion. big scary.

If I did bind the container to the vpn adapter it would break the CI/CD pipeline because that's behind the VPN and thus wouldn't have the adapter.

Edit* I do have IT finally looking at pritunl for a VPN. It only took a year for someone to listen. The magic words were "yubikey support."

# ? Nov 30, 2021 21:31
DoomTrainPhD posted: If I did bind the container to the vpn adapter it would break the CI/CD pipeline because that's behind the VPN and thus wouldn't have the adapter.

Yubikey support sounds pretty cool. More user friendly and possibly just as secure as certificates. Maybe even more secure, since certificates can still be vulnerable to malware swiping them, necessitating frequent changeovers to be safe.

Getting vpn working for developer machines is always a headache but it's satisfying to find a solution that simply works.

# ? Nov 30, 2021 21:54
sb hermit posted: Yubikey support sounds pretty cool. More user friendly and possibly just as secure as certificates. Maybe even more secure, since certificates can still be vulnerable to malware swiping them, necessitating frequent changeovers to be safe.

Pritunl is cool and good.

- It supports OpenVPN and Wireguard
- Supports SSO with yubikey, okta, onelogin, azure, active directory, google, and even slack.
- Has a client for MacOS, Windows, and Linux (although the client is just a very nice wrapper around .ovpn/wireguard files)
- Integrates with AWS, Azure, GCP, Ubiquiti
- Has support to auto-renew the ssl cert using letsencrypt.

I highly recommend using it if possible.

# ? Nov 30, 2021 21:59
just use SSH and tunnel everything

boom, problem solved

you're welcome

# ? Nov 30, 2021 22:05