Posts: 2 · Comments: 109 · Joined: 2 yr. ago

  • The reason is simple: in order to be a signed piece of secure boot software, the kernel needs to do everything possible to prevent unsigned code from running at the kernel's privilege level, or risk its signing key getting revoked by Microsoft.

    I assume your kernel is from Fedora and is signed. If your kernel, once loaded, allowed the loading of unsigned kernel modules, then any attacker could use it as part of an exploit that allows them to break secure boot. They would simply include a copy of the Fedora kernel, and then write a custom kernel module which takes control of the machine and continues their attack. The resulting exploit could be used on any system to bypass and defeat secure boot. In essence, secure boot is only as secure as the weakest signed implementation out there.

    So, Linux distributors need to demonstrate to Microsoft that they don't allow unsigned kernel code execution. Linux contains a feature called lockdown, which implements this idea. In order to be effective, lockdown must be automatically enabled by the kernel if secure boot is enabled. Interestingly, Linus flat out refuses to include the code to do that; I guess he disagrees with it. So a little-discussed reality of secure boot is that all Linux kernels which are signed have this extra patch included in order to enable lockdown during secure boot.

    And that is why you can't load an unsigned module when secure boot is enabled.
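A way to confirm this on a running system, as an added example that is not part of the comment above: the kernel exposes the active lockdown mode in `/sys/kernel/security/lockdown` (the bracketed word is the current mode), and a signed module ends with a fixed trailer string. The function names here are hypothetical helpers.

```shell
#!/bin/sh
# Added example: report kernel lockdown state and whether module files
# carry an appended signature. Helper names are illustrative only.

# Extract the active mode from lockdown file content such as
# "none [integrity] confidentiality" (the active mode is in brackets).
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# In "integrity" or "confidentiality" mode, lockdown rejects unsigned modules.
unsigned_modules_blocked() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# A signed, uncompressed .ko ends with this 28-byte trailer (27 characters
# plus newline). This detects presence only; it does not verify the
# signature against the kernel's trusted keys. Compressed modules
# (.ko.xz, .ko.zst) must be decompressed first.
has_appended_signature() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "~Module signature appended~" ]
}

LOCKDOWN_FILE=/sys/kernel/security/lockdown
if [ -r "$LOCKDOWN_FILE" ]; then
    state=$(cat "$LOCKDOWN_FILE")
    if unsigned_modules_blocked "$state"; then
        echo "lockdown=$(lockdown_mode "$state"): unsigned modules will be rejected"
    else
        echo "lockdown=$(lockdown_mode "$state"): unsigned modules are not blocked by lockdown"
    fi
fi

# Usage: ./check.sh /path/to/module.ko ...
for f in "$@"; do
    if has_appended_signature "$f"; then
        echo "$f: signature trailer present"
    else
        echo "$f: no signature trailer"
    fi
done
```

A module that shows a trailer can still be refused if its signing key is not one the kernel trusts.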

  • I use two monitors, and also KDE's virtual desktops for work. A killer feature for me is that KDE has a window manager option to "pin" specific windows so that they are present on every desktop. This means I can have my terminal and slack client split across one screen and pinned, and then the other screen can contain my "main focus" on each of the virtual desktops - browser, editor, or email. I always can see the chat/terminal but can easily swap the desktop to get to a different focus.

    I know that I could just have everything on one desktop and use the alt-tab to change that main window. But the alt tab is slow and non-deterministic. I may have to cycle between five things before I get to the browser, for example. With virtual desktops, I know where each focus is geometrically, and I can always swap over quickly with my key shortcuts.

  • I actually loved Fontaine, but he was the exception for me, otherwise I totally agree with the sentiment. TNG and Voyager really overused them spectacularly, at least for me. At least Enterprise had the sense to take place before holodecks were invented (by the federation at least...)

  • I just started SNW (like I said, release order ish, I was trying to save best for last). It's such a breath of fresh air! It's quite funny that they kept the "previously on" narration, but at least so far, it's mainly just doing character intros and not explaining the entirety of the season leading up to that point 😂

    Fully agreed on Lower Decks!

  • Yeah, having watched in release order (ish) and just recently finished Discovery & Picard, I feel this sentiment in my bones! For sure, I don't want the actors and writers to have to be worked to the bone churning out 26-episode seasons each year.

    But it's also really frustrating how they insist that every 10-episode season, their characters must save the entire galaxy. There's no actual space to get to know the characters who aren't the main ones.

    The Dominion war brewed for 3 seasons and then played out over 2 more. I think. That's a time scale that allows for amazing character development.

  • > If you can’t remember or don’t know the syntax well you can still understand a systemd timer, but that is much harder for the crontab.

    I will agree that it is easier to read a timer than a Cron entry, especially if you've seen neither of them before.

    > Granted, crontab uses fewer characters, but if you only set up either once in a blue moon you’ll need the docs to write either for a long time.

    This is where I disagree. I very rarely set up a Cron job, but when I do, I don't need to look anywhere for docs. I run `crontab -e` and the first line of the editor contains a comment which annotates each column of the Cron entry (minute, hour, dom, mon, dow). All that's left is to put in the matching expressions, and paste my command.

    Compare that to creating a new timer, where I need to Google a template .service and .timer file, and then figure out what to put in what fields from the docs. That's probably available in the manual pages, but I don't know which one. It's just not worth it unless I need the extra power from systemd.

    This is from somebody who has several systemd timers and also a few Cron jobs. I'm not a hater, just a person choosing the best and easiest choice for the job.

  • Cron may be old but I don't think it's "legacy" or invalid. There's plenty of perfectly good, modern implementations. The interface is well established, and it's quite simple to schedule something and check it. What's more, Cron works on new Linux systems, older non-systemd ones, and BSD and others. If all you need is a command run on a schedule, then Cron is a great tool for the job.

    Systemd services and timers require you to read quite a bit more documentation to understand what you're doing. But of course you get more power and flexibility as a result.

  • The answer is to use a car. Ideally the smallest and most efficient one that fits your common use cases.

    Fuck Cars is not anti-rural but it's more applicable in urban and suburban places, where your essentials are within a few miles and there are viable alternatives. There are areas where cars can't be avoided, and nobody is suggesting you never leave your house.