Pantherina

joined 3 years ago
[–] Pantherina@feddit.de 1 points 1 year ago

Edit: EndlessOS is the immutable Debian distro, not ElementaryOS.

[–] Pantherina@feddit.de 1 points 1 year ago

No, KDE settings are all done in the homedir, there is nothing snapshotted here

https://bugs.kde.org/show_bug.cgi?id=240862

[–] Pantherina@feddit.de 18 points 1 year ago (6 children)

They didn't use Pipewire before??

[–] Pantherina@feddit.de 1 points 1 year ago (4 children)

Your distro should absolutely include that. And make sure to actually close all ports that are not needed, which is more work but the GUIs allow that easily.

[–] Pantherina@feddit.de 4 points 1 year ago* (last edited 1 year ago) (2 children)

Cannabinoids and terpenes are fat-soluble. However, the most effective approach is not to use fat but a solvent such as isopropanol. It is not drinkable, but it is not denatured like ethanol (alcohol) and is therefore 99.999% pure and cheap.

So: chop it up, leave it in propanol for a few days, pour it off through a coffee filter into an oil of your choice, and then let the propanol evaporate from the mixture while stirring, at up to 100°C.

You can then repeat the whole thing once more, and you will certainly have extracted most of it.

[–] Pantherina@feddit.de 2 points 1 year ago

Yes, the data was lost on Windows, but I prefer Linux a lot as all good tools seem to be Linux-only anyways haha. But will remember Recuva as a last option.

Also no, the disk is not booted anymore.

[–] Pantherina@feddit.de 1 points 1 year ago

Oh nice, it's from their repo, not F-Droid

[–] Pantherina@feddit.de 2 points 1 year ago

You forgot crack, the stoners have to switch to something else now because now everyone can always smoke weed for free in kindergartens and doesn't feel anything anymore!

[–] Pantherina@feddit.de 2 points 1 year ago (2 children)

It's a vaporizer pipe ;D point 6

Light bulbs sometimes contain mercury or something like that, to convert any UV light into visible light.

50
submitted 2 years ago* (last edited 2 years ago) by Pantherina@feddit.de to c/linux@lemmy.ml
 

As part of the effort of making a "Chromebook-like" secure, autoupdating, cloud-native, "unbreakable" (but still free and privacy-friendly) Distro, I would like some of your recommendations on especially secure software, that could replace common ones like File managers, Archive Managers, PDF reader, Image viewer etc.

I am thinking of Loupe, GNOME's new image viewer written in Rust, that opens SVGs in a sandbox to avoid issues here.

Memory safety, reasonable simplicity, updated code, these should be requirements.

Any other recommendations? Thanks guys!

Btw Flatpaks are working now! Come and test Secureblue!

22
submitted 2 years ago* (last edited 2 years ago) by Pantherina@feddit.de to c/linux@lemmy.ml
 

I don't know if this is pretty common? I reported a bug about this an eternity ago on Fedora, but it is still happening.

I am also not sure what project is responsible, mesa?

Whenever I sleep my Fedora KDE Laptop, close the lid, open it and it turns on but no input works.

Sometimes my entire screen is corrupted too, like this and often only a hard shutdown fixes it, sometimes it reacts by itself.

Do you know something similar? Where should I report it and how can I circumvent this by now, disable S3 sleep?

15
submitted 2 years ago* (last edited 2 years ago) by Pantherina@feddit.de to c/science@beehaw.org
 

I am in Germany, so moin, folks.

I plan to give only the DOIs in my bachelor's thesis, which works so nicely in the wonderful Sci-Hub search.

My university's program is pure garbage. Instead of simply proxying everything with my authentication, you get sent back and forth with referrers to JavaScript-infested journal websites where you are supposed to buy articles for 50€. Hardened browsers, NoScript or uBlock already stop working there.

Sci-Hub is so much better? I use a special SearX setting that I added with the Firefox add-on "Add custom search" and set as the default.

That makes it super easy to find articles, and with the add-on "SciHub X Now!" I get the PDF with one click, plus a citation with DOI.

It is sooo pleasant to use, and besides, I would like to push Sci-Hub for political reasons.

But now the question: is that illegal? I am not calling for crimes with it, but I am indirectly claiming to have used it.

Just dare to do it?

 

I always see new GTK apps pop up on Flathub. I don't really care and think GTK looks fancy, although CSD suck a bit and they waste space and often functionality.

But they work, are solid, and do what they should.

Qt on the other hand may seem more like a complex job to code with. I don't actually think so, but I heard especially writing Rust with GTK is way better than with Qt.

I like KDE a lot, and even though I am excited for Cosmic I think Qt is the better toolkit for many things and a lot of time. But Dolphin seems to suffer from memory safety issues all the time, as well as other projects.

Do you have experience in rust, using GTK or Qt? How do they compare?

 

I have horrible ADHD and need such a thing.

Many tasks have a countdown, and I would like to:

  • on Android have a widget on the homescreen displaying the task and a countdown
  • sync it with DavX5 to my mail provider and then to Thunderbird
  • easy interface, modern etc

Do you know the best app for that? Don't really want to try every app again, even though I did that (Simple Calendar is the best calendar!)

I am posting this here because the community is damn huge.


I tried ProgressBars and it is okay, but widget placement requires a new event (no no existing, weird workflow) and it doesn't support CalDAV

336
submitted 2 years ago* (last edited 2 years ago) by Pantherina@feddit.de to c/linux@lemmy.ml
 

You can easily add them by following the instructions on their site.

On immutable fedora it can be done via

curl -o - https://repository.mullvad.net/rpm/stable/mullvad.repo | sudo tee /etc/yum.repos.d/mullvad.repo

rpm-ostree uninstall mullvad-vpn --install mullvad-vpn

# after reboot, if not working
sudo systemctl start mullvad-daemon
 

Thanks to the packaging efforts of the members of the KDE SIG (especially Alessandro Astone, Justin Zobel and Steve Cossette), we now have enough updated packages in Fedora to create Fedora Kinoite nightly images with KDE Plasma 6.

You can try it in a VM or even on your normal install, pin your current version first to have a backup

 

I have used Linux for quite a while and would like to gather some security advice, well known and lesser known.

Well known

Don't install random apps from the internet

This is the (old) Windows way and the result of an OS not caring about its software. Often bundled with also outsourced antivirus, or scanning all files you download.

So use official repos nearly exclusively. If there is an app not in your distro's repos, try Distrobox, create a Container of any image and install it there. You can display the images available by pressing tab after -i.

distrobox-create NAME -i IMAGE-NAME

This also goes for

  • Ubuntu PPAs
  • Arch AUR
  • Opensuse Build service repos
  • Fedora COPR
  • Random external repos

Some repos are more or less controlled, so be careful!

Some "external ones" are trusted, like:

  • Fedora/Derivatives: rpmfusion
  • Flathub
  • Steam Fedora Repo
  • Google Chrome Fedora Repo (don't use Chrome lol)
  • Open-h264 from Cisco
  • ...

Not all Flathub repos are controlled, but here is a list

Update, update, update

It's best to enable automatic updates. If you have a slim system and install your apps as Flatpak apps (best if they are verified, look at flathub.org or directly add the verified repo), updates should never break something.

Wayland

X11 is an outdated security disaster with design flaws so big that nobody cared to fix it. Instead, Wayland was created with way tighter (and more modern) restrictions, requiring Portals for apps to do stuff like

  • using your Camera
  • using your Microphone
  • viewing your screen or specific app Windows
  • simulating input devices
  • watching for keypresses

Only KDE and GNOME have full Wayland support for now, along with some Window Managers and RaspberryPi OS. This means

  • XFCE
  • LXQt, LXDE
  • Budgie
  • Mate
  • Cinnamon
  • ...

Should be avoided until at least a year when they have full Wayland support. Wayland is not a new protocol at all, but requires Desktops to do more work. It can be expected (and hoped) that at least some efforts combine, Desktops use existing Compositors etc.

Wayland is backwards compatible (X11-only apps run through xwayland, and you can also force apps to use Xwayland if they otherwise lose features).

All apps work on Wayland that don't do weird stuff that uses insecure methods. Unfortunately this includes screen readers and lots of Remote Desktop Software, as well as Screen recording. But things will evolve, and there are Apps that only support Wayland.

Less known

Avoid stable Distributions

Stable Distros don't get regular updates of every package that... gets an update, but they get backported security fixes.

Correct me if I am wrong, but not all security related bugs get a CVE (Common Vulnerabilities and Exposures) and thus don't get backported.

Stable Distributions are used everywhere on the internet though, so this could be debatable.

Use an "immutable" distro

Immutability is implemented in various ways, there is no standard at all

  • Android, ChromeOS
  • Fedora Atomic (Silverblue, Kinoite, ...)
  • openSUSE microOS (now Kalpa, Aeon)
  • VanillaOS
  • SteamOS

They are all different from each other, with ChromeOS and Android being fully immutable, allowing no deviations from the OS at all, SteamOS being similar but allowing to run Flatpak apps natively.

VanillaOS and openSUSE microOS use a different form of "regular package management but atomic", so the change does not apply to the running system but to a clone of it, being applied on reboot.

Fedora Atomic goes the "Cloud way" with an image-based system that can be downloaded, swapped out but also modified. They use OSTree for keeping track of every single package on your system and also changes, a simple rpm-ostree reset will reset your base system. It is the most secure of the customizable ones to my knowledge.

Immutable Operating systems make sure that every update works, so they can easily be done automatically and on a running system.

Also, changes to the core system through malware are not possible, at least not directly.

secure directories and dotfiles

An exception here is, if a malware would simply create a bash alias to anything. So a sudo password can easily be grabbed, or a second command executed whenever you do something with sudo.

https://madaidans-insecurities.github.io/linux.html#examples

So this means that your shell configs should only be writable by sudo, all others can only read! The same for ~/.gnupg or ~/.ssh, maybe even only readable by sudo depending on your use case.

sudo chmod 755 ~/.bashrc && sudo chown root ~/.bashrc
sudo chmod -R 700 ~/.ssh && sudo chown -R root ~/.ssh
sudo chmod -R 700 ~/.gnupg && sudo chown -R root ~/.gnupg
sudo chmod 755 ~/.zshrc && sudo chown root ~/.zshrc
sudo chmod -R 755 ~/.config/fish/ && sudo chown -R root ~/.config/fish/
sudo chmod -R 755 ~/.config/autostart && sudo chown root -R ~/.config/autostart
#sudo chmod -R 755 ~/.local/share/applications && sudo chown -R root ~/.local/share/applications

(7: read write execute, 5: read execute, "-R": recursively)

This may still be incomplete, and the security is pretty flawed as long as random software can write to these directories at all, and as long as everything important is stored there.

Please report if any setting breaks something. Making the local applications directory read-only for everyone but root might be good, but will break for example KDE's GUI editor. But they put apps in ~/.local/share/applications/ons anyways for some reason.

SELinux or AppArmor

I don't know what is better, but I feel secure on Fedora with SELinux on enforcing. If any tools require you to disable it, they are poorly written.

Sandboxing

I am not nearly technical enough to explain details, but firejail is said to have many design flaws, a reason why bubblejail (using bubblewrap, which is used in Flatpak) should be preferred.

It is in early stages though.

Browser sandboxes are also not easy, Firefox Flatpak vs. Firefox native for example. Flatpaks need to replace the internal sandbox with bubblewrap. The same goes for Chromium and electron apps, and especially Chromium as a native app is said to be very secure.

For regular and especially privacy concerns, Flatpak with mostly manually hardened permissions is the best way. KDE has the permissions graphically integrated, otherwise Flatseal is nice.

Flatpak apps are always weakly isolated to make sure nothing breaks. In the future with portals for every (i.e. dynamic permissions) static permissions should be gone.

Firmware updates & Coreboot

While you may use the linux-libre Kernel and live full stallman, what Firmware does your PC use?

In most cases, especially for "Laptops with good Linux compatibility" that may be older Laptops, decommissioned Company devices, older Thinkpads... and they all probably don't get Firmware updates anymore!

My Thinkpad T495 has an outdated, bloated Lenovo Firmware. Firmware can read RAM, connect to the Internet and do anything. You cannot monitor that from the OS, you need a MITM proxy using another device.

And also, proprietary Firmware is everywhere. Only a few people develop it, but it is there!

  • Novacustom for EU people, they partner with 3mdeb to support and ship Dasharo, a secure Coreboot Distro similar to Heads
  • System76 for US People
  • Starlabs also ships coreboot
  • 3mdeb sells PCs with Coreboot

Lots of Coreboot Distros only support old Hardware like Thinkpads up to T430. Nitrokey is a good vendor here, but keep in mind that these machines are now 11 years old. I still have one and it works great! But not for complex stuff like multiple VMs.

Secureboot

Also important to verify that your OS was not tampered with. Many Distros support it, even though they may not have an agreement with Microsoft so work out of the box, but they generate their own keys after installation.

Firmware like Dasharo or heads with integrity checks is better than Secureboot alone.


What other tips do you know?
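
The ownership idea from the "secure directories and dotfiles" section, turned into a read-only audit (an added example, not part of the original post): it reports which of the listed startup files, or the directories holding them, can still be changed by anyone other than a trusted uid, and greps shell configs for a redefined sudo. The function names, the trusted-uid parameter and the use of GNU stat are assumptions of this example.

```sh
#!/bin/sh
# Added example: read-only audit of the startup files listed in the post.
# Assumes GNU stat (Linux). Function names and TRUSTED_UID are this example's own.

# Paths relative to the home directory, from the post's chmod/chown commands.
STARTUP_PATHS=".bashrc .zshrc .config/fish .config/autostart .ssh .gnupg"

# can_modify PATH TRUSTED_UID
# Succeeds if someone other than TRUSTED_UID can change PATH: it is owned by
# another uid, or its mode has the group (020) or world (002) write bit set.
can_modify() {
    cm_owner=$(stat -c '%u' -- "$1") || return 1
    cm_mode=$(stat -c '%a' -- "$1") || return 1
    [ "$cm_owner" = "$2" ] || return 0
    [ $(( 0$cm_mode & 022 )) -ne 0 ]
}

# audit_startup_files HOME_DIR TRUSTED_UID
# Prints "FILE <path>" when the entry itself can be modified, and
# "PARENT <path>" when its directory can: write access to a directory allows
# renaming an entry away and creating a replacement, even if it is root-owned.
audit_startup_files() {
    for as_rel in $STARTUP_PATHS; do
        as_path="$1/$as_rel"
        [ -e "$as_path" ] || continue
        if can_modify "$as_path" "$2"; then echo "FILE $as_path"; fi
        if can_modify "$(dirname -- "$as_path")" "$2"; then echo "PARENT $as_path"; fi
    done
}

# find_sudo_overrides FILE...
# Prints file:line:text for lines that alias or redefine sudo, the trick the
# post describes for capturing a sudo password. Exit status 1 means no hits.
find_sudo_overrides() {
    grep -nHE '^[[:space:]]*(alias[[:space:]]+sudo=|function[[:space:]]+sudo([[:space:]({]|$)|sudo[[:space:]]*\(\))' -- "$@"
}

# Usage: audit_startup_files "$HOME" 0; find_sudo_overrides ~/.bashrc ~/.zshrc
```

A "PARENT" line for a root-owned ~/.bashrc is the case the post hints at with "as long as random software can write to these directories at all".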

 

I use KDE. Some use GNOME. Most other options are probably to be left out as X11 is unsafe.

Cosmic is not nearly finished, but will probably be a bit safer, as it's in Rust, even though not tested.

Then there are window managers like Sway, Hyprland, waymonad, wayfire, etc.

RaspberryPi also has their own Wayland Desktop.

Is every Wayland Desktop / WM equally safe, what are other variables here like language, features, control over permissions, etc?

 

Basically

  • Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though
  • The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)
  • the root password can be extracted veeery easily, especially when entering it through a terminal. Windows "okay" button might actually be more secure!
  • X11 is insecure, okay we know that
  • the kernel is very bloated and everything in there has all the permissions, which is not needed
  • Kernel bugs are often not fixed quickly or at all
  • Stable Distros are insecure if only CVE bugs are backported, as many security bugs don't get a CVE

I am currently experimenting with the hardened Kernel and hardened_malloc, I have used GrapheneOS for over a year.

On Linux it's a bit more difficult though, as Flatpak and Distrobox don't work anymore.

This would mean user namespaces need to be enabled again, which I can't seem to make work with

sudo sysctl -w kernel.unprivileged_users_clone=1

But the file doesn't exist and creating it doesn't work, probably needs to be a karg or something?

I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):

https://github.com/qoijjj/hardened-images

The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.

Maybe nix is a solution? Would this be a good idea?

Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. Here is a spec file from rusty-snake.

What do you know about this?

 

Stolen from linuxmemes at deltachat

1196
submitted 2 years ago* (last edited 2 years ago) by Pantherina@feddit.de to c/linux@lemmy.ml
 

stolen from linux memes at Deltachat
