• 0 Posts
  • 9 Comments
Joined 1 year ago
cake
Cake day: June 10th, 2023

help-circle

  • I agree because it is exactly what my claim is. It would still be foolish to say that open source software is by design more secure than proprietary. I know that this is not what you said and you most likely also don’t mean that, but there are enough people who think that way because they read everywhere that OSS=secure software.

    Your example with xz however does not really hold imo. The xz bug was not found because xz is open source but because someone realized, that their ssh session build up took longer than usual and they then used valgrind to check for issues and not because they looked in the source code. It wasn’t even really an easy to spot backdoor because it was a malicious compressed file that changed the build process while running the tests and injecting the actual backdoor in the compiled file. Therfore this would have been found with proprietary software with the same likelyhood.

    And regarding my analogy: I also like it more when things are recyclable, that is also why I like open source software more and have more trust in it. But now that I think about it, that wasn’t the best analogy I could’ve chosen but it was the first thing that came to my mind.


  • Could we please stop associating open source with security? Don’t get me wrong, I love open source software and it is easier to trust open source software than proprietary, because it is highly unlikely, that they hide stuff like trackers in there. It is also most of the time highly configurable and sometimes even hackable and as a software developer you are able to look into the mechanisms behind the APIs which is sometimes really helpful.

    But events like the lzma incident last year and predictable openssl RNG in Debian some time ago (https://lists.debian.org/debian-security-announce/2008/msg00152.html) should tell us, that open source doesn’t mean secure software. And the argument, that there are many people looking at the code is not really true. E.g. many maintainers of the linux kernel only look at specific parts/drivers in it and maybe into some other things they need for that. There are probably only a few people if any (apart from governments), that have read, understood and analyzed the linux kernel in its entirety with all the (open source) drivers built into it and all the possible combinations of configurations. And I don’t want to know how many have done all that for less popular projects. And even if that is done at some point for an upstream project, you would have to check the patches from your distro and if there are any do it all for yourself again. And when the next release arrives you would have to do all that in its entirety again (although with some head start) if a new version arrives (that has, say, at least a thousand lines of code changed, removed or added). And now think about how many big releases come with some software per year. And don’t forget to also include all the dependencies you have to check including the compiler and standard library of the language(s) used.

    Of course it is easier to do all that for OSS as an outside party because you don’t have to decompile it, but it is still increadibly hard. And only to be easier to analyze for security risks doesn’t mean to be more secure just like packaging being recyclable doesn’t mean that it will be recycled.


  • Yeah, it really is more like google play store or shopping websites and similiar apps/websites (although there are some that have a better design I guess). I’m not really a fan of it either, but I guess people being used to those (which is probably the majority of the userbase of flatpak) feel more comfortable with it.

    My guess with the difference between “trending” and “popular” is that the former means lots of recent downloads and the latter a lot of downloads in a longer timespan (e.g. a year or so)




  • Those not using it are playing with their computers.

    What is your definition of playing? I use it to code, access my server for some self-hosted services, do office stuff and sure, also for gaming and watching videos. Am I disallowed to wanting to develop at ease with a minimal setup compared to windows and avoid shit like forced cloud stuff because I am gaming on this os? Isn’t it my choice and compliant to free and open source software to have the freedom to use the OS one has the best experience with?

    About the gaming stuff: As I have said, I am just currently converting to wayland, so I don’t know of issues because I haven’t tried linux native games extensively. Wine doesn’t have working wayland support but is still (in my short experience) working with xwayland. Linux native games I will try soon are Cassette Beasts, Stardew Valley and maybe Cross Code at some time, all actually native games.


  • Why do you think waypipe should be the most important thing? Sure remote graphical sessions are neat but there are only a few people who really need it or not? At least I do not see how this is really that beneficial on linux compared to just basic shell stuff that most people are using when doing something remotely. Maybe it is something that the big businesses are using but then there will probably be a discussion to really add it to the protocol directly (if that is even actually needed, waypipe is a software stack that works (with limitations) with the current protocol; wayvnc for wlroots-based compositors seems to work fine and gnome and weston also implement some kind of RDP)

    Also, what do you mean “it is made for gamers who can’t be bothered to stand up for linux native games”? Are there actually that many issues with xwayland for native games until Wayland support is added, just like using the pulseaudio server for pipewire until pipewire is completely supported? I am currently slowly transitioning to wayland so I don’t know if there are actually any so please tell me if it is the case or if I am missing something.