xtal
Jan 9, 2011

by Fluffdaddy
https://github.com/systemd/systemd/issues/12499

Just saw this making the rounds again and it looks like it's still accurate, did they end up changing something or has systemd been spyware for this long?


Mr. Crow
May 22, 2008

Snap City mayor for life
I mean he has a point and asks for high quality open source alternatives, sounds like you're finding reasons to get upset at Poettering to me :shrug:


Is there a good tool for keeping track of which packages you install for building a source project other than a text file? On Fedora for what it's worth

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
Pöttering is a loving dipshit, non-shocker.

You fall back to whatever DHCP tells you or you break noisily.
You fall back to whatever NTP DHCP tells you or you complain in syslog.

Making insane defaults that downstream has to be aware of is bad.

xzzy
Mar 5, 2009

I don't have any real issue with using google's services, but I really don't want my servers to silently use a workaround when I hosed up the config so badly I don't point to a valid DNS server. Log that poo poo and make me be a good admin.

Mr. Crow
May 22, 2008

Snap City mayor for life
If you can't or choose not to configure DNS or NTP then you're already a bad admin. The list of programs choosing functionality over security is probably as long as there are lines of code in the kernel. SSH has had terrible defaults since forever and yet nobody is up in arms over that.

Let's not get into yet another Poettering/Systemd :argh: debate. We get it, you liked SysV init.

BlankSystemDaemon
Mar 13, 2009



Devops^wBadmins are a dime a dozen.

xtal
Jan 9, 2011

by Fluffdaddy
A decade ago: You guys are overreacting, it's not like they're going to add spyware to systemd or anything

Today: First of all "spyware" is a slur

Eta ok I'll go back to yospos.

BlankSystemDaemon
Mar 13, 2009



YOSPOS: Where BSD is notorious.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe
"these new things suck, i should be able to configure my system goddammit"

"wait you WANT me to configure my system how dare you"

every distro already uses different NTP/DHCP defaults, and it already warns you at build time if you don't configure these

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

xtal posted:

A decade ago: You guys are overreacting, it's not like they're going to add spyware to systemd or anything

Today: First of all "spyware" is a slur

Eta ok I'll go back to yospos.

but they didn't add spyware to systemd

xtal
Jan 9, 2011

by Fluffdaddy

"It's not spyware, it just defaults to sending your data to an advertising company!"

xtal fucked around with this message at 22:23 on Jul 2, 2020

BlankSystemDaemon
Mar 13, 2009



Suspicious Dish posted:

but they didnt add spyware to systemd
the joke is that it already is

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

xtal posted:

"It's not spyware, it just defaults to sending your data to an advertising company!"

wait until you learn about kubernetes!!!

xtal
Jan 9, 2011

by Fluffdaddy
Don't use that either!

On topic, what should I set as my IO scheduler for a RAID 1 ZFS pool? Could changing it cause data corruption?

Mr. Crow
May 22, 2008

Snap City mayor for life
I usually use deadline on systems with heavy I/O but I'm no expert and don't remember how I came to that conclusion. It's me, I'm the badmin.

BlankSystemDaemon
Mar 13, 2009



There's some explanation about it in the source code.
It seems to me to indicate that if you're using whole-disk pools attached via IDE, SATA, or something else which has only a single queue you should use noop, whereas if you're using NVMe disks or have disks with partitions, you should use none.
There's no mention of deadline, so I would probably avoid that, unless someone had a very good reason backed by code or empirical data.

BlankSystemDaemon fucked around with this message at 00:17 on Jul 3, 2020

hifi
Jul 25, 2012

I'd rather use google's dns than my isp's

xtal
Jan 9, 2011

by Fluffdaddy

hifi posted:

I'd rather use google's dns than my isp's

Good news, you can configure that. The opt-out behavior is an important distinction of spyware, like the spyware in Chrome, Firefox, Homebrew, and more. If it makes personally identifiable connections that you didn't ask for, it is spyware. If you want analytics or improved UX at the expense of privacy, it must be opt-in to not be spyware.

This has been the definition since we first built software. It is a recent phenomenon that people say "it's not spyware, it's just software that spies on you for analytics" or "it's not spyware, it's just software that spies on you for sysadmin convenience."

Now we have stretched the goalposts so far that we have ended up with browsers, package managers and init systems all packaging spyware that we refer to as other terms, like a rose by another name. This is what people warned me about on download.com 20 years ago.

xtal fucked around with this message at 03:30 on Jul 3, 2020
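The opt-out referred to above, on a systemd box, lives in resolved.conf and timesyncd.conf. The following audit is an added example (not from the linked issue or any poster) that reads constructed samples of both files and reports whether the compiled-in fallback still applies or has been explicitly disabled; it assumes the upstream key names `FallbackDNS=` (section `[Resolve]`) and `FallbackNTP=` (section `[Time]`).

```python
import configparser

# Constructed samples. Leaving the key commented out (the shipped default)
# means the compiled-in fallback list is used whenever no DNS/NTP server is
# known; assigning the empty string clears that list, so a broken config
# fails loudly instead of quietly using an upstream-chosen third party.
DEFAULT_RESOLVED = """\
[Resolve]
#DNS=
#FallbackDNS=
"""
HARDENED_RESOLVED = """\
[Resolve]
DNS=192.0.2.53
FallbackDNS=
"""
DEFAULT_TIMESYNCD = """\
[Time]
#NTP=
#FallbackNTP=
"""
HARDENED_TIMESYNCD = """\
[Time]
NTP=ntp.home.example
FallbackNTP=
"""


def fallback_setting(text, section, key):
    """None when the key is absent (compiled-in default applies),
    "" when explicitly cleared, otherwise the configured value."""
    # strict=False: systemd allows a key to be repeated; last one wins here.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(text)
    if not cp.has_option(section, key):
        return None
    return cp.get(section, key).strip()


def audit(resolved_conf, timesyncd_conf):
    """One finding per file, in the order resolved.conf, timesyncd.conf."""
    findings = []
    for name, text, section, key in (
        ("resolved.conf", resolved_conf, "Resolve", "FallbackDNS"),
        ("timesyncd.conf", timesyncd_conf, "Time", "FallbackNTP"),
    ):
        value = fallback_setting(text, section, key)
        if value is None:
            findings.append(f"{name}: {key} unset, compiled-in fallback applies")
        elif value == "":
            findings.append(f"{name}: {key} cleared, fallback disabled")
        else:
            findings.append(f"{name}: {key} overridden to {value!r}")
    return findings
```

Run it against the real files from /etc/systemd/ and any drop-ins under resolved.conf.d/ and timesyncd.conf.d/ to see which state a host is actually in.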

hifi
Jul 25, 2012

With your definition of spyware you should probably be writing your posts on a chalkboard and erasing them at the end of the day instead of doing anything online or with electricity.

BlankSystemDaemon
Mar 13, 2009



Electricity is overrated. What's it ever done for us, anyway?

Blue Footed Booby
Oct 4, 2006

got those happy feet

xtal posted:

....

This has been the definition since we first built software. ...

According to who?

xtal
Jan 9, 2011

by Fluffdaddy
According to literally the first google search

quote:

spyware, noun, spy·ware | \ ˈspī-ˌwer

Definition of spyware

software that is installed in a computer without the user's knowledge and transmits information about the user's computer activities over the Internet

xtal fucked around with this message at 15:50 on Jul 3, 2020

other people
Jun 27, 2004
Associate Christ

xtal posted:

According to literally the first google search

oh so you trust google when it helps your argument.

xtal
Jan 9, 2011

by Fluffdaddy
Now it's you who has to go back to YOSPOS

xzzy
Mar 5, 2009

Cite a source!

No, not THAT source! It's gotta be one that agrees with me.

taqueso
Mar 8, 2004


:911:
:wookie: :thermidor: :wookie:
:dehumanize:

:pirate::hf::tinfoil:

D. Ebdrup posted:

Electricity is overrated. What's it ever done for us, anyway?

Beyond that, electricity is the cause of many deaths

Mr. Crow
May 22, 2008

Snap City mayor for life

other people posted:

oh so you trust google when it helps your argument.

:xd:

He does have a point though and it's pretty stupid to argue against it and then use it in your argument.

"Amazon is terrible and a monopoly and treats their employees like poo poo!"

Also me: "hey check out this great deal on Amazon for WD Reds"


Also Google is spyware only in the loosest and most generous definition of the term. You can have them delete any and all information on you pretty easily and you're not being forced to use any of their services against your will.

If you suggest ad services are spyware I'll direct you to literally every other ad company on the planet for the past 100 years and then to ad block.

BlankSystemDaemon
Mar 13, 2009



You can attempt to delete it, but a proper backup system isn't worth poo poo if any action taken by users can remove data permanently.
It's always been the major flaw of GDPR, too.

Computer viking
May 30, 2011
Now with less breakage.

I don't remember the exact wording, but IIRC the GDPR has some exceptions for backups and logs that boil down to "if it's too impractical to completely delete, then ok sure, just don't keep it longer than actually necessary and for god's sake don't look at it".

Which is honestly a reasonable solution, and probably the only realistic one.

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
That's also why the GDPR starts with advice to map what data you actually really need to keep and to collect only that. Can't lose data you don't collect in the first place. You should also know who needs access to what and restrict access to the minimum. I don't remember if backups are specifically called out, but most of the GDPR doesn't enshrine specific technologies in law anyway. Nobody is going to come at you if a tape backup containing data a user wanted you to delete sits in a safe somewhere, though you should know of its existence and have its life cycle mapped out.

Exfiltrating people's browsing habits to an unaccountable third party without their informed consent is a pretty glaring GDPR violation though.

Computer viking
May 30, 2011
Now with less breakage.

Looking at it further, it seems there is no specific carveout for backups, but it has been confirmed by the relevant French agency that it can be ok. The legal argument seems to be that "having untouched and safe backups" is a legitimate business reason to keep the data even after a deletion request. It's obviously not a good enough reason to actually use it again, so you'll have to delete it again if you ever restore from those backups. (GDPR compliant "delete these upon restore" registry implementation left as an exercise).

Oh, and you have to explain this in clear language to the person making the request.

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE
Google never deletes anything, but the backups are all encrypted with per-user encryption keys, so they can delete the key and the backup is just so much random noise. That seems like a good approach.

taqueso
Mar 8, 2004


:911:
:wookie: :thermidor: :wookie:
:dehumanize:

:pirate::hf::tinfoil:
how do they back up those encryption keys though

NihilCredo
Jun 6, 2011

iram omni possibili modo preme:
plus una illa te diffamabit, quam multæ virtutes commendabunt

Paul MaudDib posted:

Google never deletes anything, but the backups are all encrypted with per-user encryption keys, so they can delete the key and the backup is just so much random noise. That seems like a good approach.

I mean, if you have per-user backups the whole problem doesn't apply in the first place, since you could just delete them along with the data even if they weren't encrypted.

It's a problem for multi-tenant companies that don't have per-user backup.
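The per-user-key approach from Paul MaudDib's post, carried into the multi-tenant case NihilCredo raises: one shared backup blob, one key per tenant, and erasure by deleting the key (crypto-shredding). This is an added example, not anything Google or any poster published; the cipher is a standard-library stand-in (HMAC-SHA256 keystream plus HMAC tag) for a real AEAD such as AES-GCM, because the point is the key-deletion pattern, not the cipher.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    # CTR-style keystream from HMAC-SHA256; stand-in for a real AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class TenantStore:
    """Multi-tenant store: backups hold only ciphertext, keys live elsewhere."""

    def __init__(self):
        self.keys = {}     # tenant -> key; never written into data backups
        self.records = {}  # tenant -> ciphertext; this is what gets backed up

    def put(self, tenant, data):
        key = self.keys.setdefault(tenant, secrets.token_bytes(32))
        self.records[tenant] = encrypt(key, data)

    def backup(self):
        # A backup taken now stays inert: without keys it is random noise.
        return dict(self.records)

    def erase_tenant(self, tenant):
        # Crypto-shredding: dropping the key kills the live copy and every
        # backup ever taken, with no need to touch the tapes in the safe.
        del self.keys[tenant]
        self.records.pop(tenant, None)

    def restore(self, backup):
        # Restoring an old backup only revives tenants whose key still exists,
        # which is the "delete these upon restore" registry done for free.
        return {t: decrypt(self.keys[t], blob) for t, blob in backup.items() if t in self.keys}
```

The key store itself still needs its own backup and access control, which is the question asked earlier in the thread; this example only shows why that is the only copy you then have to worry about.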

BlankSystemDaemon
Mar 13, 2009



very carefully

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!
What would be the recommended approach for having a single login to all Linux boxes on your LAN?

Like, I have a few various Linux bare-metal machines (tiny HTPC attached to TV in bedroom, a couple of ThinkPads running Linux, a couple of Linux servers running various VMs).

These are all on the same internal LAN and I have the same primary UID (1000) on just about everything, with the same password. So I come home, boot up my ThinkPad, log into it with my UID 1000 account, turn the TV on and log into my HTPC using the same creds for the same UID and password on the TV box, then I might log into one of my VMs (either with SSH or a VNC session or whatever. Same primary (UID 1000) account and password).

You get the idea: guy has a bunch of machines in the home, all with the same account and password and when he gets home he ends up using the same login multiple times when messing around on his LAN.

What I would like to do, is to come home and log into my ThinkPad (or HTPC or whatever) and my LAN then unlocks all of my machines so I'm not constantly typing the same username and password multiple times. I'm just granted access to everything because I've already authenticated myself to everything on my LAN, just by using one device.

Obviously, there'd be some kind of automatic timeout (similar to when you've used sudo and your terminal leaves sudo unlocked for 5 minutes). So, let's say I specify a lockout time of 10 minutes or something. This 10 minute lockout period would begin counting from the last time I was active on my home network, so I could effectively come home and type my username and password once and be logged into all my machines all night if I continued to be active on my network (unless I went for a particularly long poo poo or something and then had to quickly auth again).

I leave the house and then realise I'd left myself logged into something, but I know that within the next 10 minutes everything will have locked back up again, so if anyone were to intrude after 10 minutes they would have to auth with my LAN again.

What I've just described is probably something that's already handled by LDAP or Kerberos or something. I could see it actually encouraging me to use a more complicated password, though. Because I know that I would change my default password for everything to something more complicated if I knew I wasn't going to be typing the same password every 5 minutes.

Can I set up some kind of authentication server to do things as I've described? I do have a couple of Windows machines but these aren't used as much. If Kerberos or some kind of AD/LDAP setup would be appropriate in this situation then I'd expect this to work with the Windows machines, too.

BlankSystemDaemon
Mar 13, 2009



FreeBSD is already getting support for doing NFS over TLS, so if you go with kerberos, there's an RFC being worked on, which uses TLS on NFS, which should let you get hardware accelerated AES encrypted+MAC integrity secured NFS sharing over LAN and WAN.
I assume Linux is getting it too, but the ZFS tree that Linux uses doesn't yet support NFSv4 ACLs, so you'll be limited to NFSv3 unless you use FreeBSD, or until the NFSv4 code from FreeBSD's implementation gets merged.

RFC2324
Jun 7, 2012

http 418

apropos man posted:

What would be the recommended approach for having a single login to all Linux boxes on your LAN?

Like, I have a few various Linux bare-metal machines (tiny HTPC attached to TV in bedroom, a couple of ThinkPads running Linux, a couple of Linux servers running various VMs).

These are all on the same internal LAN and I have the same primary UID (1000) on just about everything, with the same password. So I come home, boot up my ThinkPad, log into it with my UID 1000 account, turn the TV on and log into my HTPC using the same creds for the same UID and password on the TV box, then I might log into one of my VMs (either with SSH or a VNC session or whatever. Same primary (UID 1000) account and password).

You get the idea: guy has a bunch of machines in the home, all with the same account and password and when he gets home he ends up using the same login multiple times when messing around on his LAN.

What I would like to do, is to come home and log into my ThinkPad (or HTPC or whatever) and my LAN then unlocks all of my machines so I'm not constantly typing the same username and password multiple times. I'm just granted access to everything because I've already authenticated myself to everything on my LAN, just by using one device.

Obviously, there'd be some kind of automatic timeout (similar to when you've used sudo and your terminal leaves sudo unlocked for 5 minutes). So, let's say I specify a lockout time of 10 minutes or something. This 10 minute lockout period would begin counting from the last time I was active on my home network, so I could effectively come home and type my username and password once and be logged into all my machines all night if I continued to be active on my network (unless I went for a particularly long poo poo or something and then had to quickly auth again).

I leave the house and then realise I'd left myself logged into something, but I know that within the next 10 minutes everything will have locked back up again, so if anyone were to intrude after 10 minutes they would have to auth with my LAN again.

What I've just described is probably something that's already handled by LDAP or Kerberos or something. I could see it actually encouraging me to use a more complicated password, though. Because I know that I would change my default password for everything to something more complicated if I knew I wasn't going to be typing the same password every 5 minutes.

Can I set up some kind of authentication server to do things as I've described? I do have a couple of Windows machines but these aren't used as much. If Kerberos or some kind of AD/LDAP setup would be appropriate in this situation then I'd expect this to work with the Windows machines, too.

Afaik there is no way to push an authentication from one machine to another, and that is inherently an insane giant security risk.

BlankSystemDaemon
Mar 13, 2009



You could probably do it with MAC?


Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:

Look into FreeIPA. Microsoft uses a similar mix of LDAP+Kerberos for Active Directory, while FreeIPA is a RHEL thing with more of a focus on Linux.

If you do more Kerberos you can ignore UID/GID matching because it doesn't matter anymore, you're sending your user@REALM string over the wire.

Lockouts are handled a bit differently though. You request a master key (ticket granting ticket) from the central kdc (key distribution center) when you log in and use this key to create short-lived tickets for each service you access. You can set up your screen locker to destroy the keys, though realistically that's not really necessary.

Kerberised NFS is pretty nifty. You can finally export everything for the whole subnet and use standard UNIX permissions to restrict user accounts. Users that mount the share have to present a service ticket so the server knows exactly who that user is. NFS4 doesn't use UID/GID over the wire so you can't pretend to be someone else.

e: it's pretty finicky to set up and debug though, YMMV
