Yet another, “well, yeah, technically it has security ramifications, but I’m not admin’ing any multiuser machines, so I’m not losing any sleep over it” bug.
Yet another, “well, yeah, technically it has security ramifications, but I’m not admin’ing any multiuser machines, so I’m not losing any sleep over it” bug.
I have at least four libraries, then, it seems. (My ex-librarian mother estimated ~3000 twenty years ago based on board-feet of occupied shelving, and I’ve only acquired more since.)
Gentoo supports either configuration, as it does with a lot of things. My systems were installed with split /usr and I have no intention of changing that, because the merge adds no value for me.
Um, if your primary use is typing accented letters, why don’t you just set a compose key? The character sequences you need to type are much more intuitive, and you don’t get this type of problem.
In my case, I have scroll lock (the most useless key on the keyboard) set as a compose key. To get “é”, I type scroll lock, then e, then '.
You can set a compose key using setxkbmap, for instance setxkbmap -option compose:sclk
. (If scroll lock isn’t to your liking, there are a number of other modifier keys that can be used instead—list here, starting around line 810.) You can also specify it permanently using X configuration files, although I don’t know the exact method.
The GPU doesn’t care about the CPU, or vice-versa. AMD is probably better value for money right now if you’re intending to replace both CPU and mobo, but Intel will work.
The reason you don’t see AMD CPU + nVidia GPU in premade machines these days has to do with corporate contracts, not interoperability. Before AMD bought out ATI, it wasn’t an uncommon combination.
Even if the original issue had anything to do with ISOs, he’s way overestimating the level of protection on many install ISOs, in my experience—they’re just disk images, and presumably all the files read off them are passing through Ventoy itself. Even if you find one that performs some kind of verification, easy enough to change a jump instruction to a no-op somewhere in the machine code guts of a file as it passes through Ventoy, and prevent the verification from executing. (The difficult part is figuring out which instruction to change, but people have done it before.)
It can’t inject anything into the ISO files at rest without bricking then, and I don’t know if an OS that doesn’t verify it’s own image before booting.
As far as I can tell, this is not talking about ISOs installed using Ventoy, but precompiled blobs of things like Busybox that are included in the Ventoy install package. It’s an important distinction. The developer could bundle a tampered blob, include in the documentation the checksum that matches that blob, and then if someone checks with the upstream project and calls them out, say something along the lines of, “Oh, they must have withdrawn that release,” and replace it with an untampered blob. If they don’t fight to preserve the tampered blob, they might even get away with it.
-o PubkeyAuthentication=no
should only work if the server is configured to allow password auth at all. I believe the advice these days is to disable password auth completely for security.
Configuring captive portal wifi without network manager or any aids beyond what’s provided by wpa-supplicant. Eventually I gave up, since it wasn’t really that important.
Adjusting freetype so that it works more-or-less the way I want it to, because the maintainers hate anyone who disagrees with their current hinting algorithm and make the setting as opaque as possible. I would prefer it if they allowed me to have hinting on some fonts and exclude only the ones that were designed to be pixel-aligned, but unless something’s changed recently, that option isn’t even offered.
Gentoo is its own thing. You can bump packages yourself a lot of the time with a few commands. Or have the package manager install directly from upstream source control, if that’s your bag. Or you can hold on to older package versions for periods ranging from months to years, by stashing ebuilds in a local repository. At the same time, portage has reached the point where it bends over backwards to keep you from breaking stuff by accident. If you’ve done your setup right and use primarily stable keywords, breaking changes are very rare. And you’re free to install things outside the protection of the package manager, or package things yourself if you don’t mind working with bash scripting.
The tradeoff for all of this is that you have to spend a fair amount of time setting up and configuring stuff, and a fair amount of time compiling software if you want a USE flag combination other than what’s on the binhost. It also helps to spend time learning the ins and outs of the portage/ebuild ecosystem if you’re going to do anything unusual.
As for the proprietary nvidia drivers specifically, Gentoo currently has versions 390.157, 470.256.02, 525.147.05, 535.183.01, and four different 550+ available, which should cover most hardware of the past several years.
If you want to see whether certain software has been packaged without installing Gentoo, the best place to check is gpo.zugaina.org. The search function isn’t all that bright, but it’s the only site I know of that indexes all the official overlays and the Gentoo bugzilla along with the main repository.
I don’t know how Debian’s solution works, so I couldn’t say for certain. Gentoo usually installs the different package versions to their own directories, and there are methods for selecting a “system python” (or lua, etc) which is the target of the /usr/bin/python
symlink. Other versions have to be called with qualifiers (for instance, python3.10
). Python libraries installed through the package manager may install to one or several versions depending on the content of a couple of environment variables, and applications that need python can request a specific version if they need to, or accept the system python if they don’t care. (Note that python2 is no longer eligible to be the system python—you need at least one python3, although 2.7.18 remains in the package repository and can be installed as well if you really need it.)
Of course, if you’re not a programmer, you can leave the defaults for everything alone, and most of the time it should Just Work.
One problem with distro packages is that you can only install one version.
This isn’t technically true for all distros—Gentoo has a mechanism that will allow multiple package versions to be installed in parallel. I have multiple distro-packaged Python and Lua interpreter versions on my system, for instance. But it does require some extra work by the packager, so it isn’t done universally for all packages.
It used to be much, much more difficult than it is today, but your experiences will still vary according to what type of printer you have. The problem is drivers. There are still printers out there that have no working Linux driver (mostly old, non-Postscript-supporting, with no Mac drivers either). Some will work with a generic driver, but some features aren’t available. The more annoying case is the one where the manufacturer put out a driver once, many years ago, it doesn’t work properly with modern versions of CUPS, and they can’t be arsed to revise it.
But most printers these days will do basic one-sided 100%-size prints out of the box, and that’s all many people need.
Some level of self-discharge happens over time with even a disconnected battery, but that does seem greater than expected. I’d suspect hardware issues, to be honest. Batteries are fickle little creatures that deteriorate over time no matter what you do. Maybe it’s misreporting the amount of charge left to the OS.
One thing people reading this should remember is that you cannot guarantee all packages on a Gentoo system will be updated simultaneously. It just can’t be done. Because several of the arches affected by this are old, slow, and less-used (32-bit PowerPC, anyone?), it’s also impossible to test all combinations of USE flags for all arches in advance, so sooner or later someone will have something break in mid-compile. For this change, that could result in an unbootable system, or a badly broken one that can’t continue the upgrade because, for example, Python is broken and so portage can’t run.
The situation really is much more complicated than it would be on a binary distro whose package updates are atomic. Not intractable, but complicated.
That being said, even a completely borked update would not make the system unrecoverable—you boot from live media, copy a known-good toolchain from the install media for that architecture over the borked install, chroot in, and try again (possibly with USE flag tweaks) until you can get at least emerge --emptytree system
or similar to run to completion. It’s a major, major pain in the ass, though, and I can understand why the developers want to reduce the number of systems that have to be handled in that way to as few as possible.
So, Poettering wants to make life difficult for everyone using something other than his precious again by transitioning from the normal standard for IPC to something hardly anyone has ever heard of or uses that’s based on JSON? Seriously? 🤢
Yup, called it: non-mandatory piece of software. Plus you have to have been dumb enough to deliberately forward the port at your router for the general-case attack, and you have to print something (which I do maybe twice a month) for any command injection to take place.
This does need to be patched, since there is some risk if you have CUPS running and another device on your LAN has already been compromised, but it’s definitely not the earthshattering kaboom the discoverer misrepresented it as.
I can’t think of anything except the kernel that is genuinely obligatory on all Linux systems, including embedded. Not glibc (musl). Not udev (mdev). Not systemd (OpenRC/runit/etc). My guess is that this is another exploit of something the reporter hasn’t realized isn’t mandatory because they’re not familiar with non-mainstream distros. I suppose it could be a kernel issue that Android has specifically patched, but if that’s it it’ll be fixed in short order.
In other words, not exactly holding my breath.
To be exact, OpenRC was developed to be run on top of sysV init, and still can be. (Many distros had their own “on top of sysV” things, but most of them stopped being maintained as systemd became common. OpenRC started its life as Gentoo’s “on top of sysV”, but was then cleaned up and made distro-agnostic.)
s6 is apparently a daemontools-like process supervisor that can be run as an init or in company with some other init.
Gentoo’s comparison of init systems lists Artix as the preferred service file supplier for s6 (although that may be outdated), so I expect it is or was used extensively by that distro.
TDE. Functional, stays out of my way, but still reasonably full-featured. The development team is dedicated to adding useful features while keeping the original look and feel, so I don’t have to go hunting for settings that have inexplicably moved or changed defaults every time I update. It doesn’t support Wayland, but I’m Wayland-neutral (that is, I have nothing against it, but I have nothing against X either).