Added to the list! I honestly thought you wrote down lynx again, but I reread it for the 3rd time and realized it's not the same program LOL. Name schemes,
Personally, I don’t see how a TPM module is more useful than full disk encryption with a password you enter on boot.
I struggle to see how it makes automatic login safer given it does nothing to protect against the really common threat of someone physically stealing your laptop or desktop.
I don’t trust any encryption or authentication system that I don’t have access to the keys for. Microsoft has also kinda made me feel it’s more for vendor lock in, like they did with secure boot.
Still, I’m probably being unreasonably pessimistic about it though - be interested to see any practical use cases of it.
In theory, the TPM can be used to verify that the bootloader, kernel and initramfs haven’t been tampered with, which is very very useful as FDE (in the running machine) is only good if that remains true.
I’ve heard that before, but there are two main problems that stick out to me:
A lot of the marketing for TPM (at least when I was setting up bitlocker on Windows) suggests that it’s used to support decrypting drives without a password on boot. But that doesn’t seem to offer any protection from the devices being stolen. The bootloader may be safe but it’s not actually verifying that I’m the one booting the device.
I can’t think of a situation where someone would be able to actually modify the bootloader without also having full access to the files and secrets. Especially in a single-boot environment where every time the system is running, the device is decrypted.
I’m not saying that it’s all just a scam or anything like that, but it really feels like I’m missing something important and obvious.
The bootloader is stored unencrypted on your disk. Therefore it is trivial to modify, the other person just needs to power down your PC, take the hard drive out, mount it on their own PC and modify stuff. This is the Evil Maid attack the other person talked about.
I can’t see that being a reasonable approach for them to take, tbh. One option with TPM is that your system logs in automatically to the desktop, in which case they can just turn it on and use it normally. The other is that it requires a password at some point during startup, to which they could just use a (hardware) keylogger.
It only at most auto logs you into the display manager or more generally into login. Then you still need to get root access to modify anything from there. Login would still be based on user password/key/whatever.
Pretty easy to set up, can be taken out so it isn’t modified at run time unless you want, plus it isn’t stolen with the computer itself.
I see only drawbacks with a TPM for a computer system like that. In embedded credentials, mobile applications, cold credential storage, etc… it works very well, but it doesn’t solve any problem that someone tech savvy doesn’t have a better solution for, in my opinion.
If you are a big enough target for an evil maid attack, you are either good enough to circumvent it better than an embedded TPM, or you are rich enough to hire someone who is.
If the device is stolen, your disk is still encrypted at all times. If you believe your OS’s login system is reasonably secure, then the attacker should have no way to access your data: they cannot access the data from software because it is blocked by the login screen, they cannot access the data from hardware because it is protected by FDE.
One of the misconceptions I had before is that I assumed that the disk will be decrypted when you enter the LUKS password. This is not true, the password is loaded into the ram, and only decrypts necessary parts to RAM. All the data on the disk is never decrypted, even when you are working in your OS.
they cannot access the data from software because it is blocked by login screen
The system may still be vulnerable to over the network exploits. So for example, if the system is running sshd, and a couple of months from now a root exploit is found (à la heartbleed), the attacker may get inside.
It’s somewhat of a long shot, but it’s still a much larger attack surface than butting your head against a LUKS encrypted drive that’s at rest.
they cannot access the data from hardware because it is protected by FDE.
RAM is not protected by FDE. There are (obviously non-trivial) ways to dump the RAM of a running system (Cold Boot attacks, and other forensic tools exist). So if the attacker is dedicated enough, there are ways.
One of the misconceptions I had before is that I assumed that the disk will be decrypted when you enter the LUKS password. This is not true, the password is loaded into the ram, and only decrypts necessary parts to RAM. All the data on the disk is never decrypted, even when you are working in your OS.
Hah! That would be impractical :) Imagine having to decrypt your entire 32TB drive array every time you booted your computer.
While I don’t use TPM myself (I dislike being tied to a specific hardware) the way it protects you is:
Disk is protected through encryption, so you can’t remove and inject anything/hack the password.
If boot is protected/signed/authorized only, a random person can’t load an external OS and modify the disk either.
All this together would say, even if someone acquires your computer, they can’t do anything to it without an account with access, or an exploit that works before a user logs in.
In a way, the attack surface can be bigger than if you simply encrypted your disk with a key and password protect that key.
The key is only released into RAM, so unless the thief can read content from RAM they cannot easily decrypt your disk. And most common thieves probably do not have that ability.
That being said, you do need a login password to prevent the thief straight up booting into your OS and copy everything using the file manager…
One of the advantages of using TPM with FDE is that you can use a much longer random password. If I don’t use TPM I am forced to use a password I can remember, which is likely the same password I use somewhere else. This means if someone close to me stole my laptop, they will have a reasonable chance of guessing my password.
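The behaviour the thread is arguing about (measured bootloader/kernel/initramfs, disk key released by the chip only when those measurements match, sealed blob useless on other hardware) as a toy model. This is an added example, not code from the thread; the ToyTPM class, the PCR numbers, the HMAC/XOR wrapping and the sample boot artifacts are this example's simplifications of a real TPM 2.0, not its actual API.

```python
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyTPM:
    """Stand-in for the chip: PCRs that reset on power-on and a storage
    root key (srk) that never leaves the object. Constructed for this example."""

    def __init__(self):
        self.srk = os.urandom(32)
        self.reset()

    def reset(self):
        # Power cycle: every PCR goes back to zero, the srk survives.
        self.pcrs = {i: bytes(32) for i in range(24)}

    def extend(self, index, measurement):
        # PCR = H(PCR || measurement): one-way and order-dependent, cannot be unwound.
        self.pcrs[index] = sha256(self.pcrs[index] + measurement)

    def _policy(self, indices):
        return sha256(b"".join(self.pcrs[i] for i in indices))

    def seal(self, secret, indices):
        # Wrap the secret under a key derived from the srk and the current PCR state.
        policy = self._policy(indices)
        wrap = hmac.new(self.srk, b"wrap" + policy, "sha256").digest()
        return {"indices": indices, "policy": policy,
                "ct": bytes(a ^ b for a, b in zip(secret, wrap))}

    def unseal(self, blob):
        # Refuse unless the PCRs are exactly what they were at seal time.
        if not hmac.compare_digest(blob["policy"], self._policy(blob["indices"])):
            return None                       # key never reaches RAM
        wrap = hmac.new(self.srk, b"wrap" + blob["policy"], "sha256").digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], wrap))


BOOT_PCRS = (4, 8, 9)  # bootloader, kernel, initramfs (numbering chosen for this example)


def measured_boot(tpm, bootloader, kernel, initramfs):
    # Each stage hashes the next one into a PCR before running it.
    tpm.extend(4, sha256(bootloader))
    tpm.extend(8, sha256(kernel))
    tpm.extend(9, sha256(initramfs))


def demo():
    # Constructed stand-ins for the unencrypted /boot artifacts and the LUKS key.
    bootloader, kernel, initramfs = b"grub-v1", b"vmlinuz-6.x", b"initramfs.img"
    disk_key = os.urandom(32)
    tpm = ToyTPM()
    measured_boot(tpm, bootloader, kernel, initramfs)
    blob = tpm.seal(disk_key, BOOT_PCRS)      # the blob itself sits on the plain disk
    results = {}
    # 1. Owner reboots the untouched machine: key released, no passphrase typed.
    tpm.reset()
    measured_boot(tpm, bootloader, kernel, initramfs)
    results["untouched_boot"] = tpm.unseal(blob) == disk_key
    # 2. Evil maid rewrote the bootloader: the measurement differs, so no key.
    tpm.reset()
    measured_boot(tpm, b"grub-v1-modified", kernel, initramfs)
    results["modified_bootloader"] = tpm.unseal(blob) is None
    # 3. Disk moved to another machine: same measurements, different srk, garbage out.
    other = ToyTPM()
    measured_boot(other, bootloader, kernel, initramfs)
    results["other_machine"] = other.unseal(blob) != disk_key
    return results
```

Case 3 is why the "tied to specific hardware" complaint above is also the protection: a blob sealed on one chip is worthless anywhere else.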
Outside of Microsoft and Windows, what’s the application for it? Does Linux or UNIX have much use for TPM? Pardon, my ignorance, but I bet this is a good place to ask!
Every couple of years I think to myself “You know, I can’t actually remember why I don’t like Ubuntu. It must have just been some weird one-off thing that soured me on it last time. Besides, I’ve got N more years of Linux experience under my belt, so I know how to avoid sticky situations with apt, and they’ve had N more years to make their OS more user friendly! I pride myself on not holding grudges, and if this distro still gets recommended to newbies, how bad can it possibly be, especially for someone with my level of expertise?”
Try Ubuntu Mate, it’s actually ok. I’m also not the biggest fan of snaps. I try and get .debs or apt get, where I can. AppImages seem a little odd to me, but Flatpak seems alright.
Would you mind explaining why? I have yet to try it, but the concept seems nice: predisposing a set of tools useful for linux gamers/creators for those who are not technical
While it has a bunch of patches that can boost gaming performance and such, its stability takes a hit in some areas. It’s also not quite as user friendly as other options. It can be better for those looking for a fedora base if that’s what they prefer, tho.
It’s also extremely opinionated & while it’s a great fit for those who have a matching use case, for general uses it’s a bit too opinionated.
It’s neither the worst, nor the best. It just highly depends on use case.
I’ve watched a few comparison videos, and the performance gains are negligible when compared to other common distros, so that’s definitely not the point in installing it.
The good part about nobara is the set of tools that come preinstalled and the welcome program which lets you update the system, the drivers and the codecs.
Nothing you couldn’t replicate in a few minutes on another distro of course
Admittedly, it’s been a few years and I’m coming due, but let’s see what I can remember…
apt will brick itself if it gets interrupted mid transaction with no clear recourse apart from a total reinstall, so try not to get greedy and Ctrl+C if it looks like dpkg is hung
trying to install any software that isn’t already packaged explicitly for Ubuntu is a nightmare because there is no equivalent of the AUR for people to push build steps to and you’re quite often left guessing what dependencies you need to install to get something to compile
snapcraft, need I say more? Firefox takes several minutes to start up, we don’t talk about disk usage, installing a package with apt will sometimes install the snap version anyway requiring a Windows-registry-edit-esque hack to disable, and the last time I checked in, the loop devices it creates didn’t even get hidden in the file manager.
I’ve also definitely encountered my fair share of bugs and broken packages which are always fun to fix
What do you recommend for ubuntu alternative? I want to leave for something else, but I also want all my programs to install and work fine. If an app supports ubuntu, would it support debian as well?
You can start by trying Linux Mint, it’s based directly on Ubuntu but with most problematic bits of Ubuntu removed. Mint comes in several sub-flavors that mostly change the way your desktop looks and acts, start with the Cinnamon edition as it’s the safest bet.
apt will brick itself if it gets interrupted mid transaction with no clear recourse apart from a total reinstall, so try not to get greedy and Ctrl+C if it looks like dpkg is hung
You can dpkg -r the package you tried to install, then apt won’t complain about missing dependency packages for your app as it won’t be marked to be installed
trying to install any software that isn’t already packaged explicitly for Ubuntu is a nightmare because there is no equivalent of the AUR for people to push build steps to and you’re quite often left guessing what dependencies you need to install to get something to compile
There isn’t a big global community repo per se like aur but anyone can host their own repos with PPAs, you just need to add them to your lists
Most apt quirks are there with Debian too, not just an Ubuntu thing. The rest of the things you mentioned are fair.
trying to install any software that isn’t already packaged explicitly for Ubuntu is a nightmare because there is no equivalent of the AUR for people to push build steps to and you’re quite often left guessing what dependencies you need to install to get something to compile
In fairness it does have the PPA system which predates the AUR and does a good job of providing third party and semi-third party software.
But you’re right that Ubuntu has sold out on building snaps for software instead of ppas.
The PPAs weren’t that useful. I mean they worked fine for the purpose, but if you used too many of them you’d eventually get your system into a dependency hell. That meant packages were stuck without updates and also blocking others from updating.
The other thing was that even if you kept clear of PPAs it was anybody’s guess if you could upgrade to the next release. Sometimes it worked, sometimes it didn’t and you’d have to reinstall from scratch.
Put together it meant after a while you didn’t bother upgrading period, or upgraded only major releases but by reinstalling from scratch every single time (and preserving /home). It was a chore and I resented it and kept putting it off.
That Ubuntu would install the snap version of certain apps when I installed them directly in the terminal was the main reason I left Ubuntu after a few years. So annoying!
Honestly, if you’re not using nix to deploy systems or need it to create reproducible environments across systems, then NixOS is a bit overkill.
I want to use NixOS for servers and embedded systems as well, so I run it on my laptop. But the user experience gives Gentoo a run for its money for being the most finicky bastard in the distro world. They would both contend if there was a Razzy award for usability.
I tried it out, and it was so cumbersome to install packages that I gave up. I understand its application in servers, but for home computers it’s a pain in the ass
Gnome is amazing, without it I probably wouldn’t bother with Linux. Honestly nothing comes close UX-wise for me. I don’t want yet another Windows clone.
Minimising is a misuse of the gnome workflow, ideally you’d move a window to another desktop. Better than hiding it in some dock IMO.
Maximising I literally never used the button for anyway. I double clicked the title bar, dragged the program to the top, or pressed Super+Up. Aiming for a relatively small button just feels worse than all of those. It’s literally a pointless button and I feel like the only reason anybody has it is just because they’re used to seeing it/having a Windows UX.
It’s fine that you want your UX to work like Microsoft’s, but that doesn’t mean others are bad.
E: people get really upset when you point out that their Windows clones are windows clones lol. It’s not an insult.
They must have swapped roles at some point, Elementary lets you minimize windows the last time I checked (use toolbar or gesture), and GNOME doesn’t 😂
I honestly don’t mind lack of visual customization as long as the design language makes sense, is clear, is consistent, and applies to all the system apps and default utilities. In the case of Elementary and GNOME this is OK IMO because they are ridiculously consistent, and share some similarities
No you don’t understand bro. DNS is a useless service that serves no purpose other than increasing attack surface for hackers. Who needs dns when you can just type ip address?
It scares me. What if the chip dies? How am I gonna be able to get my stuff? I don’t fully understand how it works, but where is the encryption saved? On the chip itself or somewhere else?
“Not exactly Linux”, but FreeBSD. Gave it a couple tries but gave up when I realized its minimalism is a placebo at best and its “super security features” can (also) be achieved on any other standard Linux distribution.
Debian world - apt sucks. For something with a sole purpose of resolving a dependency tree, it’s surprisingly bad at that.
Redhat world - everything is soooo old. I can see why business people like it, but I rarely, if ever, agree with business people.
Opensuse world - I’ve only tried it once, probably 15 years ago. Didn’t really know my way around computers all that much at the time, but it didn’t click and I’ve left it. Later on I found out about their selling out to Microsoft and never bothered touching it again.
Arch - it was my daily for a year or two. Big fan. It still runs my email. At some point the size of packages started to annoy me, though. Still has the best wiki. I’ve never really bothered with the spinoffs, as the model of Arch makes them useless and more problematic to deal with.
I’ve got the Gentoo bug now. For the first time I genuinely feel ~/. A lean, mean system of machines :)
Later on I found out about their selling out to Microsoft and never bothered touching it again.
Ah yes, when Microsoft looked for a contractor to develop FOSS implementations of some Windows technologies to meet demands by the EU and Mark Shuttleworth made a big fuss of it until making deals with Microsoft himself…
What about that time Suse supported Microsoft’s claim that Linux infringes on their patents? Ms got enough grounds to sue everyone even marginally related to Linux for over a decade, Suse got a contract to sell licences that prevent Ms from suing companies for using Linux.
The wider company, that included Novell at that time, entered some cross patent licensing deal. It happens all the time. Didn’t kill Linux as we can comfortably say these days.
With enough sophistry anything can seem insignificant. The Linux we use today has developed within the constraints of Microsoft threatening to sue anyone and everyone. The only reason they could do that was due to suse, as the longest running commercial distro, publicly saying that Linux infringes on those patents.
I need to try Gentoo again. The installer used to be absolute garbage and required a ton of work to get a usable system if you deviated too far from a normal computer setup.
There is no installer as such. You copy an archive, extract it and rebuild @world. Anything beyond that is up to you. I’m sticking to openrc - haven’t had any issues since libxcrypt news item. Can’t even recall what it was.
Mind elaborating a little bit more about the Manjaro problem? I have been running it for a couple of years without any issue but I keep hearing this… now I am afraid :)
I hope it works for you forever. I am not going to get in an argument with the other Manjaro users here that will come to argue with you.
Just keep in mind that most of the people warning you away from Manjaro have a story that basically sums up as “I used to love Manjaro until, one day, it totally broke on me. Now I won’t touch it.” Sadly, this includes me. Will you join us one day? I hope not.
People who do stuff they shouldn’t, like using non-recommended kernel or driver versions or replacing critical system components from AUR, then blame it on the distro when stuff breaks.
People who don’t understand how AUR works and think that Manjaro holding back binary packages for a couple of weeks has any effect on AUR (which is built from source…)
People who can’t get over the times when they didn’t renew their certs or when they accidentally DDoS’ed the AUR. It doesn’t matter if the distro is good or not. Those instances of carelessness should be held against it forever.
People who can’t stand the fact it’s a commercial distro.
People who can’t stand the thought of any Arch-based distro that dares to do anything different from Arch (other than make the install easier, that one seems to be acceptable for some reason; but there are more extreme people who dislike that too).
I am trying to think of how to respond to this without being a jerk.
Let me skip to the end. Until very recently, I thought of Manjaro users as innocents that just did not understand the risk. Like islanders living next to a volcano that had never erupted in their lifetime.
I still view most Manjaro users that way. Manjaro defenders though I now think of as dog owners whose animals have bitten multiple times. When told, the owner insists that “my dog would never do that” or “if it did, you must have done something wrong”. I am done arguing with those people. All I can do is warn others that this dog has bitten several of us and you may not want to enter that yard. If you do, who knows, the dog may be friendly. Or not. Again, all I can tell you is that many of us have scars. Use that information as you will.
Most “Manjaro detractors” I have encountered have years of experience with both Manjaro and other Arch distros. Their tales come from experience. When they share their cautionary tales, there are often Manjaro defenders whose best defence is just to deny that what the “detractors” are saying (about their own experience) is real.
My core question for the defenders would be, if it is our fault, why do we only encounter the problems on Manjaro?
Let’s go through the bullets above one by one:
I never did that on Manjaro. I probably do it more on EOS. Why only problems on Manjaro?
why does my lack of knowledge of how the AUR works only break things on Manjaro?
this bullet is the best. It admits that Manjaro has repeatedly broken things but we should not hold it against it. Literally this is saying that “Manjaro breaks things” is wrong because, while it does, we should just get over it. Hilarious.
how does attacking the “detractors” address the claim that Manjaro breaks things?
how does attacking the “detractors” address the claim that Manjaro breaks things?
I got in a lengthy back and forth with a Manjaro fan the other day where I repeatedly related the ways that Manjaro used to break on me and how that does not happen for me on vanilla Arch or EndeavourOS. They just kept coming back telling me that it could not have happened and, if I thought it could, that I did not understand how the AUR works. It was insane. Basically, this guy could not follow what I was saying to him. His response to his inability to understand the scenario that I was describing was to insult my intelligence and expertise.
Look loser. I don’t care if you believe me that your dog bites. I will continue to warn people and they can decide if they want to risk it or not.
Isn’t it funny how none of the people who claim that Manjaro “just broke” on them can recall what the problem was? They can’t point at a bug report. It’s nothing they did, naturally (they’re “experienced” users, after all). It just broke.
Meanwhile, it never broke for me or others, in years of use, with dozens of AUR packages installed. So yeah. I think I’ll stick to concrete evidence like a rational person, thanks.
A few years ago I wanted to get away from Ubuntu on my desktop PC so I sat down and considered about a dozen of the most recommended Linux distros install images.
My requirements were:
Image should be live so I could test it without installing.
Should work out of the box with everything I could think to throw at it: wifi, Bluetooth devices including controllers, network shares, play music/video out of the box, printing, audio devices on USB etc.
Easy to install and maintain. No need for brain-dead install or zero maintenance, I’m a seasoned Linux user and anyway I don’t want to be absurd, but I also don’t want to spend my spare time debugging or maintaining the desktop system. I have a server for that.
Recent packages and frequent updates, but stable.
Usable for everyday use, work (mostly Citrix and other forms of remote desktop) and of course gaming.
Rolling release.
Guess which distro ticked absolutely every single box.
Suit yourself. I’m telling you that you’re sleeping on one of the most user-friendly, up to date, gaming-ready, stable and generally hassle free distros out there, and it’s coming from someone who actually tried all the popular ones.
In exchange you just have to stick to a LTS kernel and not replace critical system components from AUR. Which I think you’ll agree are reasonable conditions for all Arch distros, heck, all distros.
Gentoo all the way for 20 years, on all kinds of devices, going strong and never looked back.
Ubuntu, I hate you. A messy complex windows-esque caricature in the Linux world, where “somebody else” knows better than me and shoves it down my gully.
So there you go, my best and worst distros choice.
Been using Debian for home and work and on hundreds of servers for 2 decades and it has been near flawless. Any issues I have had have always been my own fault.
While debian is the least offensive, I did explicitly say world. Add your buntus, mints, whathaveyou into the mix and shit hits the fan very quickly. Yes, real world runs that bollocks in prod. No, I do not agree with it.
I set mpv as the root window which worked well. I stopped using it a while back, but if you are interested, I could dig up the simple script for you (literally one or two lines iirc).
Sure. If you are using an nvidia optimus laptop, you should also add __NV_PRIME_RENDER_OFFLOAD=1 __GLX_VENDOR_LIBRARY_NAME=nvidia at the start of the last line when running in hybrid mode to run mpv on the dgpu. You should have a file at ~/.wallpaperrc that contains wallpaper_playlist: /path/to/mpv/playlist. You may want to add this script to your startup sequence via your wm/de.
linux