I’m the administrator of kbin.life, a general purpose/tech orientated kbin instance.
Linux secure boot was a little weird last I checked. The kernel and modules don’t need to be secure boot signed. Most distros can use shim to pass secure boot and then take over the secure boot process.
There are dkms kernel modules that are user compiled. These are signed using a machine owner key. So the machine owner could for sure compile their own malicious version and still be in a secure boot context.
Yep. Also, I did clarify that I would usually do an overall upgrade at the same time.
I get the message there’s an upgrade. Say I’ll do it myself, go to console.
yay -S discord (or more likely just do an overall upgrade and reboot, what they hell)
Restart discord.
Should it, or should it be “1”? (just removing one, one)
But this is the crucial thing. It wasn’t in the repository. It was in the tarball. It’s a very careful distinction because, people generally reviewed the repository and made the assumption that what’s there, is all that matters.
The changes to the make process only being present in the tarball was actually quite an ingenius move. Because they knew that the process many distro maintainers use is to pull the tarball and work from that (likely with some automated scripting to make the package for their distro).
This particular path will probably be harder to reproduce in the future. Larger projects I would expect have some verification process in place to ensure they match (and the backup of people independently doing the same).
But it’s not to say there won’t in the future be some other method of attack the happens out of sight of the main repository and is missed by the existing processes.
Yeah but if you tick TCP and pay the extra postage you can get proof of receipt.
Actually how is your ISP giving out IPs to you? Mine uses IPv6 PD to give me a /48. And I then use SLAAC locally on the first /64 prefix on my LAN. Plus another /64 for VPN connections.
If you mean receiving RA/ND packets from your ISP (which are used to announce IPv6 prefixes) then you need to allow icmpv6 packets (if you don’t want to be able to be pinged, just block echo requests, ICMP in v4 and v6 carry important messages otherwise).
If your ISP uses DHCPv6 Prefix delegation you will need to allow packets to UDP port 546 and run a DHCPv6 client capable of handling PD messages.
If you have a fixed prefix, then you probably don’t need to use your ISPs SLAAC at all. You could just put your router on a fixed IP as <yourprefix>::1 and then have your router create RA/ND packets (radvd package in linux, not sure what it would be on pfsense) and assign IPs within your network that way.
If you have a dynamic prefix… It’s a problem I guess. But probably someone has done it and a google search will turn up how they handled it.
EDIT: Just clarified that the RA/ND packets advertise prefixes, not assign addresses.
I believe the privacy concerns are made moot if all consumer level routers by default blocked incoming untracked connections and you need to poke holes in the firewall for the ports you need.
Having said that, even knowing the prefix it’s a huge address space to port scan through. So it’s pretty secure too with privacy extensions enabled.
But for sure the onus is on the router makers for now.
I used HE for ages until my isp gave native ipv6. I also used sixxs back then too. Both provided good connectivity for the few sites that were around using it at the time.
This is my biggest bugbear about a lot of UK isps. They are dynamically allocating ipv6 prefixes for absolutely no good reason.
I’ve only ever done ipv6 using Linux directly as a firewall or a mikrotik router. So cannot help with pfsense I’m afraid.
You start by adding ipv6 and serving both. One side needs to move first. Content providers or isps.
The big tech companies are using ipv6. In the UK the isps are mostly offering it too.
Host both and help us move towards dropping Ipv4 some day. It’s not going to happen in a day.
Whenever anyone asks if I use AI. My answer is that, so far it hasn’t ever delivered working code. However the majority of times I used it, the code it did provide sent me in the right direction.
So it’s not useless. And I know tools have gotten better. But when I see companies seriously talking “AI first” and wanting vibe coding to be a main development strategy. I do really worry.
It’s for backup purposes mainly. A lot of cloud backup providers don’t store permissions.
So if I restore the data I can then restore the permissions after. So these are the folders I am backing up (with some exceptions in /var)
OK so it’s fairly simple. You need to install the acl package (or whatever equivalent package contains getfacl/setfacl. Then you can use that to dump the data from an entire structure into a file (I also then bzip that). Then I backup all installed packages to help with a restore too.
So the script looks like:
#!/bin/bash
cd /etc
/usr/bin/getfacl -R . | /usr/bin/bzip2 -9 >PERMISSION_BACKUP.bz2
chmod 600 PERMISSION_BACKUP.bz2
cd /home
/usr/bin/getfacl -R . | /usr/bin/bzip2 -9 >PERMISSION_BACKUP.bz2
chmod 600 PERMISSION_BACKUP.bz2
cd /root
/usr/bin/getfacl -R . | /usr/bin/bzip2 -9 >PERMISSION_BACKUP.bz2
chmod 600 PERMISSION_BACKUP.bz2
cd /var
/usr/bin/getfacl -R . | /usr/bin/bzip2 -9 >PERMISSION_BACKUP.bz2
chmod 600 PERMISSION_BACKUP.bz2
/usr/bin/apt list --installed | /usr/bin/bzip2 -9 >/root/INSTALLED-PACKAGES.bz2
chmod 600 /root/INSTALLED-PACKAGES.bz2
To restore you change to the folder the backup was taken from, unbzip the file (or uncompress live via pipe) and use setfacl --restore=<file>
Yeah. Only on my phone right now but will get it and post here later/tomorrow.
I mean, too late for you now. But I have a script that backs up just the permissions and owners for a given folder hierarchy.
I use it because I backup to a cloud backup platform that doesn’t save them. So these files are backed up with the data so the files and permissions/owners can be restored in an emergency.
But you could of course also use the file to restore permissions after a user generated mistake too.
Well, mainly you just need to keep the EFI entirely separate. That’s generally all you need. That’s what windows will decide to wipe and reinstall. I just didn’t do it this time. I think because of how disks were already partitioned.
I’m not using VST. There’s a few games I got on Microsoft store some years ago which there’s no way (yet) to make run in Linux (at least to my knowledge). But, I don’t feel that much need to play them. At least not enough to boot into windows, complete the huge updates likely waiting and then fix the grub install afterwards just to play a game.
I have it as a dual boot option. But, it’s not been booted since November. So I am assured I’ll need to rerun grub when I do decide I need to boot it for something I cannot do in either Linux, or a Windows VM in linux (that’s really a small number of things).
Wireguard vpn into my home router. Works on android so fire sticks etc can run the client.