• 3 Posts
  • 48 Comments
Joined 1 year ago
cake
Cake day: August 10th, 2023

help-circle

  • Stallman doesn’t seem to get that pedophilia is wrong because of the hierarchy of power, and the power imbalances between older/younger people, not because of some inherent wrongness about being attracted to a prepubescent person. This is shown by how he condemns some pedophilia, but is accepting of 12+/past puberty. (I despise this logic, because it would also make gay sex and sodomy wrong, as well).

    I find this deeply ironic, because his primary issue with proprietary software is the way that it gives developers levels of power over users. From his article Why Open Source Misses the Point

    But software can be said to serve its users only if it respects their freedom. What if the software is designed to put chains on its users? Then powerfulness means the chains are more constricting, and reliability that they are harder to remove.

    You would expect someone who is so in tune with the hierarchies that appear with software developers, publishers, and users, to also see those same hierarchies echoed in relationships between people of vastly different ages, but instead, we get this. I’m extremely disappointed.

    These failures to understand hierarchy and power, are exactly why Stallman shouldn’t be in a position of power. Leaders should continually prove that they understand hierarchy and the effects of their actions on those below them. Someone who doesn’t understand how their power could affect another, shouldn’t be a leader.



  • Because forgejo’s ssh isn’t for a normal ssh service, but rather so that users can access git over ssh.

    Now technically, a bastion should work, but it’s not really what people want when they are trying to set up git over ssh. Since git/ssh is a service, rather than an administrative tool, why shouldn’t it be configured within the other tools used for exposes services? (Reverse proxy/caddy).

    And in addition to that, people most probably want git/ssh to be available publicly, which a bastion host doesn’t do.


  • So based on what you’ve said in the comments, I am guessing you are managing all your users with Nixos, in the Nixos config, and want to share these users to other services?

    Yeah, I don’t even know sharing Unix users is possible. EDIT: It seems to be based on comments below.

    But what I do know is possible, is for Unix/Linux to get it’s users from LDAP. Even sudo is able to read from LDAP, and use LDAP groups to authorize users as being able to sudo.

    Setting these up on Nixos is trivial. You can use the users.ldap set of options on Nixos to configure authentication against an external LDAP user. Then, you can configure sudo

    After all of that, you could declaratively configure an LDAP server using Nixos, including setting up users. For example, it looks like you can configure users and groups fro the kanidm ldap server

    Or you could have a config file for the openldap server

    RE: Manage auth at the reverse proxy: If you use Authentik as your LDAP server, it can reverse proxy services and auth users at that step. A common setup I’ve seen is to run another reverse proxy in front of authentik, and then just point that reverse proxy at authentik, and then use authentik to reverse proxy just the services you want behind a login page.



  • Why is SSPL not considered FOSS while other restrictive licenses like AGPL and GPL v3 are?

    So I have an answer for this. Basically all of the entities listed that relicensed their projects to the SSPL, also relicensed their projects using the dual licensing scheme, including one proprietary license. That’s important later.

    The SSPL’s intent is probably that the deployment framework used to open source this software must be open sourced. I like this intent, and I would consider it Free/Libre Software, but it should be noted that another license, the open watcom license, which requires you to open source software if you simply deploy it, is not considered Free Software by the FSF. I don’t really understand this decision. I don’t count “must share source code used” as a restriction on usage cases. It seems that the FSF only cares about user freedom, whoever is using the software, and views being forced to open source code only used privately as a restriction.

    Now, IANAL… but the SSPL’s lettering is problematic. What is part of the deployment system? If I deploy software on Windows, am I forced to open source windows? If I deploy it on a server with intel management engine, am I forced to open source that? Due to the way it is worded, the SSPL is unusable.

    And a dual license, one proprietary and one unusable means only one license — proprietary. There’s actually a possibility that this is intentional, and that the intent of the SSPL was never to be usable, but rather so that these companies could pretend they are still Open Source while going fully proprietary.

    But, for the sake of discussion, let’s assume the SSPL’s intent was benevolent but misguided, and that it’s intent was not to be unusable, but rather to force companies to open source deployment platforms.

    Of course, the OSI went and wrote an article about how the SSPL is not an open source license but that’s all BS. All you need to do is take a look at who sponsors the OSI (Amazon, Google, other big SAAS providers) to realize that the OSI is just protecting their corporate interests, who are terrified of an SSPL license that actually works, so they seek to misrepresent the intent of the SSPL license as too restrictive for Open Source — which is false. Being forced to open source your deployment platform still allows you to use the code in any way you desire — you just have to open source your deployment platform.

    Is there some hypothetical lesser version of SSPL that still captures the essence of it while still being more restrictive than AGPL that would prevent exploitation by SaaS providers?

    AGPL. There’s also Open Watcom, but it’s not considered a Free Software license by the FSF, meaning software written under that wouldn’t be included in any major Linux distros.

    I think in theory you could make an SSPL that works. But SSPL ain’t it.

    Of course, there are problems with designing an SSPL that works, of course. Like, if you make it so that you don’t have to open source proprietary code by other vendors, then what if companies split themselves up and one company makes and “sells” the proprietary programs to another.



  • Old version docs tend to offer you a redirect to more recent docs

    Sadly, the docs, I’ve worked with (openstack and ansible) frequently, don’t do this. They have a button to go to the latest version of the docs, but not to the equivalent page on the latest version. This means I have to find the equivalent page again, from the integrated search usually.

    And yes, a lot can change between versions. New features can get added that solve your problems or older stuff can get removed.


  • Putting something on GitHub is really inconsequential if you’re making your project open source since anyone can use it for anything anyway,

    Except for people in China (blocked in China) or people on ipv6 only networks, since Github hasn’t bothered to support ipv6, cutting out those in countries where ipv4 addresses are scarce.

    So yes, it does matter. Both gitlab and codeberg, the two big alternatives, both support ipv6 (idk about them being blocked in china). They also support github logins, so you dob’t even need to make an account.

    And it’s not a black or white. Software freedom is a spectrum, not a binary. We should strive to use more open source, decentralized software, while recognizing that many parts are going to be out of our immediate control, like the backbone of the internet or little pieces like proprietary firmware.



  • sn1per is not open source, according to the OSI’s definition

    The license for sn1per can be found here: https://github.com/1N3/Sn1per/blob/master/LICENSE.md

    It’s more a EULA than an actual license. It prohibits a lot of stuff, and is basically source-available.

    You agree not to create any product or service from any par of the Code from this Project, paid or free

    There is also:

    Sn1perSecurity LLC reserves the right to change the licensing terms at any time, without advance notice. Sn1perSecurity LLC reserves the right to terminate your license at any time.

    So yeah. I decided to test it out anyways… but what I see… is not promising.

    FROM docker.io/blackarchlinux/blackarch:latest
    
    # Upgrade system
    RUN pacman -Syu --noconfirm
    
    # Install sn1per from official repository
    RUN pacman -Sy sn1per --noconfirm
    
    CMD ["sn1per"]
    

    The two pacman commands are redundant. You only need to run pacman -Syu sn1per --noconfirm once. This also goes against docker best practice, as it creates two layers where only one would be necessary. In addition to that, best practice also includes deleting cache files, which isn’t done here. The final docker image is probably significantly larger than it needs to be.

    Their kali image has similar issues:

    RUN set -x \
            && apt -yqq update \
            && apt -yqq full-upgrade \
            && apt clean
    RUN apt install --yes metasploit-framework
    

    https://www.docker.com/blog/intro-guide-to-dockerfile-best-practices/

    It’s still building right now. I might edit this post with more info if it’s worth it. I really just want a command-line vulnerability scanner, and sn1per seems to offer that with greenbone/openvas as a backend.

    I could modify the dockerfiles with something better, but I don’t know if I’m legally allowed to do so outside of their repo, and I don’t feel comfortable contributing to a repo that’s not FOSS.





  • LXD/Incus. It’s truly free/open

    Please stop saying this about lxd. You know it isn’t true, ever since they started requiring a CLA.

    LXD is literally less free than proxmox, looking at those terms, since Canonical isn’t required to open source any custom lxd versions they host.

    Also, I’ve literally brought this up to you before, and you acknowledged it. But you continue to spread this despite the fact that you should know better.

    Anyway, Incus currently isn’t packaged in debian bookworm, only trixie.

    The version of lxd debian packages is before the license change so that’s still free. But for people on other distros, it’s better to clarify that incus is the truly FOSS option.


  • Dockers manipulation of nftables is pretty well defined in their documentation

    Documentation people don’t read. People expect, that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.

    As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

    Too bad people don’t read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver’s webtop, because it’s an example of the two of the worst footguns in docker in one

    To include the rest of my comment that I linked to:

    Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

    No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

    On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

    You originally stated:

    I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

    And I’m trying to say that even if that was true, it would still be better than a footgun where people expose stuff that’s not supposed to be exposed.

    But that isn’t the case for podman. A quick look through the github issues for podman, and I don’t see it inundated with newbies asking “how to expose services?” because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

    (I don’t have anything against you, I just really hate the way docker does things.)



  • Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

    I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

    My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn’t be exposed.

    Excerpt from another comment of mine:

    It’s only docker where you have to deal with something like this:

    ---
    services:
      webtop:
        image: lscr.io/linuxserver/webtop:latest
        container_name: webtop
        security_opt:
          - seccomp:unconfined #optional
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Etc/UTC
          - SUBFOLDER=/ #optional
          - TITLE=Webtop #optional
        volumes:
          - /path/to/data:/config
          - /var/run/docker.sock:/var/run/docker.sock #optional
        ports:
          - 3000:3000
          - 3001:3001
        restart: unless-stopped
    

    Originally from here, edited for brevity.

    Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.



  • I recently noticed that it’s now integrated into Canvas, a FOSS online learning management software which my college (and my high school, and my middle school) have used.

    To bad no one bothers with it, forcing everyone to use zoom instead. Which sucks, because the first day of online classes, zoom permissions weren’t set up properly, meaning no one could join the meeting. Probably wouldn’t have happened with BigBlueButton.