My week with Linux: I'm dumping Windows for Ubuntu to see how it goes
trevor (he/they) @trevor@lemmy.blahaj.zone | Posts 0 | Comments 450 | Joined 2 yr. ago
My ex long-term partner of 10 years went through a couple large spans of time where they couldn't find work, and so ended up being stay-at-home. This wasn't a huge problem for me because my income was enough to support the both of us pretty comfortably, but I knew they didn't feel great about not finding work :/
We had a pretty serious disagreement at some point in their long period without work, and the night after that happened, I considered the possibility that they might feel like they're being coerced into staying because they don't have a way to leave without being made poor if they did.
We already had a shared checking and savings account, but I knew they probably wouldn't feel comfortable pulling from that if they wanted to leave (even though they would be right to take some of it; it's theirs too), so I set aside a few thousand dollars and sent that to a checking account that only they have access to. I told them that if they ever feel like they were staying for financial reasons that they can use that as a safety net to help with becoming financially independent. I wanted them to have something that only they have access to or knowledge of so they could leave on their own terms if they ever needed to. It's not perfect, but it would have covered rent and cost-of-living for them for a few months if it ever came to that.
That probably has the potential for the other person to take advantage of, but we were together for a long time before and after that, and when we did end things, it was mostly amicable, and I don't regret setting up a no-questions-asked way of getting out in the least bit.
Not really. IMO, the determining factor for this is how "sticky" a given service is.
Leta is a public search engine that you don't have to pay for their VPN to use, and switching search engines is quite trivial, making this a very easy switch in the event that either service is unsatisfactory.
That said, I have no idea why anyone would want Google search results in 2025 because their search engine is terrible, but more power to anyone that does.
Actually yeah. You're right. Even better 😌
A lot of incorrect assumptions in this article. If you don't like the idea of a key exchange over passwords, I hope you use password auth when you SSH into things 😁
The word passwordless is nonsense. In most cases, most passkey implementations, you need a PIN to unlock your private key to authenticate. PIN = password, except it's numbers only. Nonsense. Passkeys simply obfuscate the problem and move it somewhere else, most often into a PROPRIETARY key management tool. For example, Microsoft wants you to use THEIR authenticator app. Not just any app that adheres to the standard. Nope. This effectively means super-vendor-lock-in. Absolute nonsense.
You can argue that the term "passwordless" is nonsense, but there is literally nothing about the spec that prevents you from using passkeys as they were designed: with hardware keys that support the open FIDO2 authentication protocol. Yes, you still need a second factor to verify the authentication attempt (via a PIN), but unless you're mailing that key to hackers, the private key generated by your SoloKey, NitroKey, or another open source hardware key, is more secure than any password ever will be.
Passkeys usually require a phone - this is a single point of failure, and one that gives the big companies extra control over you. Phone, number, SIM, and so forth. A beautiful bevy of data. The whole idea of actually having to use your phone as an identity vector is horrible.
Phones support storing passkeys. Phones also support storing passwords. In no way does this mean you must use them for this. You can either use hardware keys, or you can use your favorite open source password manager to store passkeys where you should already be storing your passwords anyway.
You need "biometrics" to supposedly prove you're you to unlock your private key. Biometrics are a form of password, except you can't replace it, and it also gives yet more of your personal data to the big companies. More nonsense.
This is literally a direct contradiction of what the author said in their first bullet point. Use a PIN if you don't like using biometric auth.
The implementation of passkeys is fragmented, vendor-specific, and complicated. Only diehards who love technology can use this. The same kind of people who were "all in" when IoT/cloud crap came out, and now they see their smart homes slowly go offline as big vendors almost arbitrarily cut support for old gadgets and effectively kill products. Because cloud.
Most of this is actually a fair critique. The FIDO Alliance is still working on the spec, and I think they should require any implementation of passkeys to follow the spec to a tee without adding any kind of nonstandard bullshit to their authentication.
However, most advancements in tech begin with only appealing to enthusiasts and later become adopted by wider audiences. It doesn't make them bad that they aren't immediately popular with everyone.
Passkeys only solve one use case - phishing where the user inputs their password and MFA into a fake site.
I'm glad the author can at least recognize that there's at least one thing that passkeys solve that passwords can't. But it's not the only thing. When you enter a password on a site, you're hoping like hell that the service you're using hashes it and hashes it properly. When you authenticate with passkeys, you're sending the site a public key. This key will have way more entropy than any password will, so anyone trying to crack a hashed public key is in for a long, miserable time (obviously not impossible though). But even if they wasted their time doing that, it's a public key. Who cares?
Any service you use passkeys with instead of passwords won't put you in another leaked password database. The public key just needs to be invalidated and you can move on with your life.
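The two properties argued for in the comment above (the site stores only a public key, and a fake site cannot reuse what the user signs), shown as an added example that is not part of the original comment. It is a simplified model of a WebAuthn-style challenge-response in Node.js, not the full protocol; the function names and the origins `https://example.com` and `https://examp1e.com` are constructed for illustration.

```javascript
// Added example: simplified passkey-style login. All names here are hypothetical.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

const RP_ORIGIN = 'https://example.com'; // constructed relying-party origin

// Registration: the private key stays with the authenticator,
// the server record holds only the public key.
function register() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Authenticator side: sign the challenge together with the origin the browser reports.
function authenticate(authenticator, challenge, originSeenByBrowser) {
  const clientData = JSON.stringify({
    challenge: challenge.toString('base64url'),
    origin: originSeenByBrowser,
  });
  const signature = sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Server side: check origin, challenge freshness, then the signature.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  let parsed;
  try { parsed = JSON.parse(assertion.clientData); } catch { return false; }
  if (parsed.origin !== RP_ORIGIN) return false;
  if (parsed.challenge !== expectedChallenge.toString('base64url')) return false;
  return verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
}

function demo() {
  const { authenticator, serverRecord } = register();
  const challenge = randomBytes(32);
  const good = authenticate(authenticator, challenge, RP_ORIGIN);
  // A look-alike site relays the real challenge, but the browser reports its own origin.
  const phished = authenticate(authenticator, challenge, 'https://examp1e.com');
  // Holding only the leaked server record gives no private key; any other key fails.
  const forged = authenticate(register().authenticator, challenge, RP_ORIGIN);
  return {
    legitimate: verifyAssertion(serverRecord, challenge, good),
    phished: verifyAssertion(serverRecord, challenge, phished),
    forgedFromLeak: verifyAssertion(serverRecord, challenge, forged),
    replayed: verifyAssertion(serverRecord, randomBytes(32), good), // old assertion, new challenge
  };
}
```

Only the first case verifies; the phished, forged and replayed assertions are all rejected by the server-side checks.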
What is the opposite of thoughts and prayers? Apathy and ill will?
Thoughts and prayers. It has the exact same effect as apathy and ill will.
The same could be said about iOS and Android. We just gotta help people when we can.
The same could be said about Windows. It's a bad idea for people to use Windows without installing it themselves because they are dependent on MS and the OEM that installed it for them.
Better that they'd be dependent on someone that cares about them than soulless corps that just want to exploit them.
My issue with snaps is also the power that Canonical has to fuck you over one day, because of the centralization that you mentioned, but also that their shitty fucking packaging format sucks ass and breaks everything but the most basic of apps. I've wasted hours trying to help people with their broken applications that were hijacked when they typed apt install whatever and "whatever" was actually a fucking broken snap package.
Flatpaks and AppImages actually do the fucking things they're supposed to. Snaps don't, and Canonical is pulling a Microsoft by hijacking your package manager.
Also, Snap sandboxing only works with AppArmor, so if you were hoping that all the breakage was worthwhile because you get sandboxing, you don't if you're on anything but a handful of distros 🙂
The new indirect GPU driver is AMAZING. I've previously suffered through getting GPU passthrough on one of my systems before, but I no longer need to because Linux flawlessly plays every game that I could ever want.
But I never liked that the VMs that I used for more general purpose stuff had choppy display performance. The indirect GPU driver sounds like it's as easy as installing the driver in the VM and you'll get much smoother graphical performance without the headache of configuring GPU passthrough, which is awesome! I'd love to see that functionality baked into stuff like Virt Manager and GNOME Boxes.
Fuck that. The Linux gate is wide open! Anyone that wants to use Linux, come on in!
And for your own sake: use anything but Ubuntu and their buggy Snaps.
Sure, but that way of thinking seems to treat trying to avoid supporting bigots as some sort of "purity cult" game, and it's not. Just because there's no ethical consumption under capitalism, that doesn't excuse people to make highly unethical purchases.
Of course you can't perfectly avoid any bigoted shitheads from having worked on something you buy, but you wouldn't buy a game where the majority of the royalties go to David Duke, would you?
Some people are just doing the best they can to not support bigoted assholes, and when it comes to gaming, a market that exists purely for entertainment, and one that has millions of other options, that's rather easy and practical to do.
Thanks! That first link is an excellent resource for a security tool I'm working on. Specifically, gVisor, which I hadn't heard of, but looks like an excellent way to harden containers.
I may rebase to secureblue from Bluefin at some point to give it a try.
Do those one-off bigots that perhaps lent some labor to said games get royalties for the IP? If not, then this comparison is not even close to valid with a billionaire bigot raking in more wealth based on an IP they poisoned.
I'm asking this because I haven't tried secureblue: in what ways is Linux behind in security, and what does secureblue do to mitigate that?
And do any of those mitigations negatively impact usability?
Yeah. This is useless.
The problem with replacing GitHub with something that isn't owned by genocidal Microsoft is that GitHub provides a fuckload of free compute via their runners. If you migrate away from that to another smaller service, suddenly you've got to pay for your automated builds (or lose them).
I fear that many FOSS projects simply wouldn't be popular if they had to be built manually from source by end users.
Firefox's version of MV3 explicitly supports the things that uBlock Origin needs to do. It's not the same as Google's malicious MV3 that was targeted at destroying adblockers.
It would be annoying if they removed MV2, but it wouldn't break things like it did for Chromium.
Yup. It's a moral baseline that, sadly, most people trip and fall over.
I beg of you: try something that isn't going to shove a broken packaging format like Snaps down your throat.
Try Pop!_OS or Linux Mint if you want something like Ubuntu, only not broken.
If my first experience with Linux involved wasting time trying to figure out why the applications I installed appeared to freeze because they take 30-60 seconds to open after installation or updates, randomly didn't work because of dogshit sandboxing, etc., I probably would have turned away.