The Linux Thread - The Autist's OS of Choice

It’s worthless to you. Not to everyone else.

It's worthless to anyone with an iota of common sense and taste. Clearly, we're long past that conversation.

Chrome’s flatpak works just fine. I dare you to find a website that doesn’t work out of the box.

I'm specifically pointing out how the SSL certificate for any given web browser (Chrome, Firefox, or otherwise) lasts, at most for two or three years. You never explicitly answered the question of whether or not those people in question you set up computers for ever actually upgraded from say... Fedora Kinoite 40 or 41 to 42 or 43. If they're still on the original image that you set up two or more years ago, they'd already be running into the SSL certificate deadline where the browser itself will refuse to work without you updating it. Flatpaks can only stay updated indefinitely for so long, considering how Flathub runtimes have a lifespan of two years. At this point, assuming that they're still on the same image you set up for them without any upgrades to newer versions of Fedora Kinoite, they would be running into the SSL problem if not now then almost certainly within the next couple of months.

We’re talking about a generation that never pirated media anyways. They moved seamlessly from watching NCIS on DirectTV to Watching it on the Paramount+ app on their smartTV. If the Chrome I installed from Flathub works flawlessly for Facebook and YouTube they’re happy. Grandma doesn’t need alternate subtitles for .mkv files in her anime.

Yeah, anime fansubs aren't what I was gesturing at. I'm a dork who uses yt-dlp to rip memes from YouTube, Instagram, Reddit, Facebook, and so on, but niggas still have the ability to plug in the URL for any given video and download the raw MP4 file directly from video downloader websites. Also, grandma don't watch MKV anime fansubs, you are correct, but Grandma could still theoretically wish to download and play back the videos her grandkids send her via Facebook Messenger or WhatsApp. That's another use case where your utter lack of codecs and relying solely on Chrome and VLC will fuck them up. Not all MP4 files are universal considering how H.264 is but one of many backend codecs for the file format. That's yet another point you fail to take into account.


You're acting as if @Betonhaus isn't your kindred spirit considering how much flaccid tranny cock semen you're gargling by insisting on Bazzite over Nobara.
 
I'm specifically pointing out how the SSL certificate for any given web browser (Chrome, Firefox, or otherwise) lasts, at most for two or three years. You never explicitly answered the question of whether or not those people in question you set up computers for ever actually upgraded from say... Fedora Kinoite 40 or 41 to 42 or 43. If they're still on the original image that you set up two or more years ago, they'd already be running into the SSL certificate deadline where the browser itself will refuse to work without you updating it. Flatpaks can only stay updated indefinitely for so long, considering how Flathub runtimes have a lifespan of two years. At this point, assuming that they're still on the same image you set up for them without any upgrades to newer versions of Fedora Kinoite, they would be running into the SSL problem if not now then almost certainly within the next couple of months.

I already said I can either rebase these systems myself or copypasta it for them remotely. These systems are running the latest enough to keep them secure.


Yeah, anime fansubs aren't what I was gesturing at. I'm a dork who uses yt-dlp to rip memes from YouTube, Instagram, Reddit, Facebook, and so on, but niggas still have the ability to plug in the URL for any given video and download the raw MP4 file directly. Also, grandma don't watch MKV anime fansubs, you are correct, but Grandma could still theoretically wish to download and play back the videos her grandkids send her via Facebook Messenger or WhatsApp. That's another use case where your utter lack of codecs and relying solely on Chrome and VLC will fuck them up. Not all MP4 files are universal considering how H.264 is but one of many backend codecs for the file format. That's yet another point you fail to take into account.

Statistically, grandmas are viewing that same video attachment on their tablets and smartphones. You really overestimate what olds use computers for. They need Chrome to run correctly so they can bid on eBay, GunBroker and type angry paragraphs on Facebook. They like KPatience better than solitaire and are happy.

flaccid tranny cock semen

Are the troons in the room with us right now?
 
I already said I can either rebase these systems myself or copypasta it for them remotely. These systems are running the latest enough to keep them secure.

That doesn't specifically answer the question I've been prodding you about for all this time: are they specifically running the latest Fedora Kinoite (43 as of the time of writing with Fedora 44 right around the corner)? Yes or no? If no, what exact version of Fedora Kinoite are they running at this exact moment in time?

Statistically, grandmas are viewing that same video attachment on their tablets and smartphones. You really overestimate what olds use computers. They need Chrome to run correctly so they can bid on eBay, GunBroker and type angry paragraphs on Facebook. They like KPatience better than solitaire and are happy.

And you're specifically underestimating the very real call to action where an elderly relative is saying "Taser! I wanna take this video that my daughter sent me of my grandkids off my phone and onto the computer! Can you do that for me?" That you haven't yet experienced such a banal thing is pure luck at this point.

Are the troons in the room with us right now?

They will be when the first of the month hits and the NEETBux get topped off so that they can continue paying for DDOS attacks against the site more broadly.
 
That doesn't specifically answer the question I've been prodding you about for all this time: are they specifically running the latest Fedora Kinoite (43 as of the time of writing with Fedora 44 right around the corner)? Yes or no? If no, what exact version of Fedora Kinoite are they running at this exact moment in time?

43

And you're specifically underestimating the very real call to action where an elderly relative is saying "Taser! I wanna take this video that my daughter sent me of my grandkids off my phone and onto the computer! Can you do that for me?" That you haven't yet experienced such a banal thing is pure luck at this point.

VLC runs .mov files from an iPhone just fine. I could be a smart ass and say my family come from good Anglo stock so I don’t have to worry about them being sent some esoteric video format recorded on an Android and sent via WhatsApp.

They will be when the first of the month hits and the NEETBux get topped off so that they can continue paying for DDOS attacks against the site more broadly

Sounds like they’re too busy to bother you then. :story:
 

So, to this point, they've just been rolling with the standard Kinoite image, and upgrading without issue because they have absolutely no layered packages via rpm-ostree, including hardware acceleration via mesa-freeworld and local multimedia playback via ffmpeg-freeworld from RPM Fusion, am I understanding this correctly?

VLC runs .mov files from an iPhone just fine. I could be a smart ass and say my family come from good Anglo stock so I don’t have to worry about them being sent some esoteric video format recorded on an Android and sent via WhatsApp.

That ain't the only thing I necessarily must worry about on my end; ain't no shortage of esoteric video formats I regularly come across by sheer virtue of video downloader websites my relatives use. In that instance, VLC has notable shortcomings where it can theoretically play the formats but at phenomenally shitty bitrates that MPV, SMPlayer, Celluloid, among others handle in a far superior fashion to VLC.

Sounds like they’re too busy to bother you then. :story:

Uh... I shall invoke my fifth amendment right against self-incrimination and remain silent on the matter.
 
So, to this point, they've just been rolling with the standard Kinoite image, and upgrading without issue because they have absolutely no layered packages via rpm-ostree, including hardware acceleration via mesa-freeworld and local multimedia playback via ffmpeg-freeworld from RPM Fusion, am I understanding this correctly?

Yes. Fuck, I installed OpenMW and played 40 mins of Morrowind on these machines. Why do you think iPads and Chromebooks are so popular? 99% of these consumers just want the browser to work correctly.

MPV, SMPlayer, Celluloid, among others handle in a far superior fashion to VLC.

Here you go then.

Uh... I shall invoke my fifth amendment right against self-incrimination and remain silent on the matter.

Null has to deal with angry troons because it’s his job now. If that’s part of your daily life I suggest finding better work than managing a Bangkok brothel or being a Reddit janny.
 
someone asked me to do a guide on making the most unwoke OS setup and i honestly can't find any way out of the hell that is red hat/ibm dominance
they got their hands in like every pie
only thing i can think of is abandon linux entirely and go openbsd
Sure, you might have an unwoke "FOSS OS" installed on a ThinkPad running Libreboot (doesn't that sound funny?). In the end this is just a hobby for tech literate people.
Use it as a second identity if you want, but not as your primary one.

 
Why was this shit backported to LTS kernel? Linux-WD40 when? Now I can't update my meme kernel without installing TrannyLang, I'll have to edit PKGBUILD and disable Rust from kconfig.


In case you don't know.
 

Oh nice, now microsoft is moving to the same model google is moving android to (they already moved to it. The wireguard dev getting locked out by accidentally not complying is what the video is about).

Can't allow a program to run on your operating system if the person writing it hasn't doxed everything about themselves obviously
 
Uh... what?! That's the most terrifying statement I've ever read coming out of a man who admits he set up computers for allegedly helpless normies. Chrome can't play certain file formats online without ffmpeg-freeworld because the stock ffmpeg that Fedora ships with is deliberately gimped for legal reasons. Not to mention that you're deliberately eschewing hardware acceleration, which necessarily forces everything to run in software mode. Intel iGPUs are more than capable of media transcoding with hardware acceleration, but you still need to enable RPM Fusion and download mesa-freeworld because the default Mesa in Fedora is deliberately gimped.
shit like this is why i went with arch over debian bases or other distros. I hate this kind of gimping because you won't notice it until shit won't work and you won't know why without googling.
 
shit like this is why i went with arch over debian bases or other distros. I hate this kind of gimping because you won't notice it until shit won't work and you won't know why without googling.
this is really just an issue with opensuse and fedora due to them being german and american respectively, and so they have strict copyright laws
ubuntu and mint just do a checkbox that says do you wanna install codecs, but opensuse and fedora make it more involved for idk some borderline arbitrary reason ig
 
Little Snitch - a popular network monitor on Mac, is now coming to Linux


Announcement: https://obdev.at/blog/little-snitch-for-linux/

Little Snitch for Linux — Because Nothing Else Came Close

Christian on Little Snitch — April 8, 2026
Recent political events have pushed governments and organizations to seriously question their dependence on foreign-controlled software. The core issue is simple and uncomfortable: through automatic updates, a vendor can run any code, with any privileges, on your machine, at any time. Most people know this, but prefer not to think about it. Linux is the obvious candidate for reducing that dependency: no single company controls it, no single country owns it. So I decided to explore it myself.


I installed it on some older hardware we had around. Then installed apps. It turned out that I don't need a lot: browser, mailer, text editor, development environment, git client, Signal, Wireshark and a couple of others. I can't do Mac development on Linux, but that was to be expected.


Very soon after that, I felt kind of naked: being used to Little Snitch, it's a strange feeling to have no idea what connections your computer is making. I researched a bit, found OpenSnitch, several command line tools, and various security systems built for servers. None of these gave me what I wanted: see which process is making which connections, and in the best case deny with a single click.


Little Snitch was clearly missing, so I started building it.


To make a long story short: I decided to use eBPF for traffic interception at kernel level. It's high performance and much more portable than kernel extensions. The main application code is in Rust, a language I've wanted to explore for quite a while. And the user interface was built as a web application. That last choice might seem odd for a privacy tool, but it means you can monitor a remote Linux server's network connections from any device, including your Mac. Want to know what Nextcloud, Home Assistant, or Zammad are actually connecting to? Use Little Snitch on the server.

Like an Old Friend on New Hardware

Now, having a variant of Little Snitch on Linux, how does it feel? Is Linux better than a Mac in terms of privacy?

There are two questions to answer: one is about the system itself, the other about the apps you install.

A Surprisingly Quiet System

I noticed a difference already during development: when testing on macOS, it takes at most 5 seconds before a process communicates and I see network traffic. When testing on Linux, on the other hand, it often takes a minute or more until I can spot a connection. It all depends on the Linux distribution you install, of course. I used Ubuntu just because it's so widespread, and as a developer, it's a good idea to use the same setup as your users.

Ubuntu is relatively calm on the network, but still sends feedback to Canonical via a declared metrics channel (ubuntu-insights connecting to metrics.ubuntu.com) and various software update channels. You can deny the metrics, but you won't want to disable updates — and there's the familiar problem again. You have traded dependence on one company for another. The difference with Linux is that you can choose: there are many distros, and you can choose whom you trust. And as a big organization, you could even maintain your own distribution.

But in summary: on Ubuntu, I found 9 system processes making internet connections over the course of one week. On macOS, we counted more than 100.

Not All Apps Phone Home

The first app installed on every computer is usually the web browser. Only after installing the web browser can you search for software other than the basics provided with your distribution.

My Ubuntu came with Firefox pre-installed, so I can mainly speak to that one. The first thing I did was to start Firefox, but not use it for browsing. To my surprise it immediately showed me ads, and Little Snitch confirmed that it connected to ads.mozilla.org, incoming.telemetry.mozilla.org and many more. Knowing this, I went into the preferences and disabled most of the ads and tracking. But it still connects to some of these servers.

My recommendation: If you use a browser, start it and let it sit unused for at least a day. Then check the connection history and decide what you can disable in the settings, what you want to keep and what you want to deny in Little Snitch.

The next thing I did was web browsing. Needless to say that news sites live from tracking and ads, otherwise they could not provide their content for free. But did you know that some of these sites use somewhere between 50 and 100 trackers? I don't want to blame anyone here, so try it yourself.

As far as other apps are concerned: each app behaves more or less the same way on all supported platforms. If you install Thunderbird, Visual Studio Code or any other major player, expect the same kind of metrics you see on other platforms. I found one notable exception, though: LibreOffice. I started LibreOffice Writer just for testing, and it made no network connections at all! Quite unusual these days!

Free, Functional, and Open Where it Counts

From a feature perspective, Little Snitch for Linux sits somewhere between Little Snitch Mini and the full Little Snitch: functional and useful, but without all the polish and depth of the macOS version. Think of it as an honest first version. The Mac version remains where our deepest work lives, and that isn't changing.

The kernel component, written for eBPF, is open source and you can look at how it's implemented, fix bugs yourself, or adapt it to different kernel versions. The UI is also open source under GPL v2, feel free to make improvements. The backend, which manages rules, block lists, and the hierarchical connection view, is free to use but not open source. That part carries more than twenty years of Little Snitch experience, and the algorithms and concepts in it are something we'd like to keep closed for the time being.

One important note: unlike the macOS version, Little Snitch for Linux is not a security tool. eBPF provides limited resources, so it's always possible to get around the firewall for instance by flooding tables. Its focus is privacy: showing you what's going on, and where needed, blocking connections from legitimate software that isn't actively trying to evade it.

And finally a word on compatibility: we developed on Ubuntu 25.10 with a 6.17 kernel, and have confirmed it works on kernel 6.12 and above. On older kernels we currently hit the eBPF verifier's maximum instruction limit. In theory, compatibility down to kernel 5.17, where bpf_loop() was introduced, should be achievable, which would cover Debian 12 (Bookworm) and Ubuntu 24.04 LTS (Noble). If you have the expertise to help, that's one of the areas where contributions would make a real difference.

You can find Little Snitch for Linux here. It is free, and it will stay that way.

Enjoy it.

Nice, but I'll pass on proprietary software.

In case you didn't read it, the article references what's been available for some time: Open Snitch, which I've never tried but have glanced at now and then with the passing thought to try it.

Thoughts?
 
Thoughts?
I'm intrigued. I was trying to find a way to track network data use in one central way and couldn't really find anything that wasn't just noise I had to use three or more sources in order to find a connection. I wonder if it'll identify traffic from docker containers correctly.
 
9/10 severity critical vulnerability. Guix seemingly unaffected (a)
Note that just because a commit with the same hash isn't present in a related package doesn't mean it's not vulnerable to the same issue. Commit hashes are composed of many things, including authors and timestamps; it's difficult to even deliberately get the same commit hash, even with identical changes and commit message.

In particular, if we look at `nix/libstore/build.cc` in guix, we see:
C++:
        if (fixedOutput) {
            /* Replace the output, if it exists, by a fresh copy of itself to
               make sure that there's no stale file descriptor pointing to it
               (CVE-2024-27297).  */
            for (auto& i : drv.outputs) {
                Path output = chrootRootDir + i.second.path;
                if (pathExists(output)) {
                    Path pivot = output + ".tmp";
                    copyFileRecursively(output, pivot, true);
                    int err = rename(pivot.c_str(), output.c_str());
                    if (err != 0)
                        throw SysError(std::format("renaming `{}' to `{}'",
                                       pivot, output));
                }
            }
        }

This is the exact same pattern that https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a used: copy, then rename, rather than rename (atomic, doesn't follow symlinks) followed by copy. In fact, Guix was vulnerable to this until mid-2025, when copyFileRecursively was changed to never follow destination symlinks (or hardlinks, for that matter: the destination must always be created fresh).

As an aside, I would like to remark that std::filesystem::copy is hilariously bad. Try reading this. After carefully following its 25-point plan to copy a file, you may notice that something is not particularly clear: what happens if to is a symlink? Well, we reach point 21 then: "Otherwise, behaves as if copy_file(from, to, options) (copies the file)". Okay, so what does `copy_file` do? Well, if the destination file "does not exist" (from context this is presumably post-resolution), it will copy the source file to "the file to which to resolves (symlinks are followed)". And if the destination file does exist, and to is not a regular file as determined by !filesystem::is_regular_file(to), then it will report an error. One might think that, since to is here a std::filesystem::path, this means that it would do another lstat or something, but no, in this case one must read with Standards Literacy™ goggles, instead replacing "behaves as if copy_file(from, to, options)" with "behaves as if copy_file(from, to, options) except that all calls to is_regular_file(to) are magically replaced with the result you would get using the std::filesystem::file_status from this invocation of copy".
In other words, contrary to all reasonable expectation, symlinks in the target will be followed in all cases except when skip_symlinks or create_symlinks are specified.

But it gets even better, because the implementation is actually even worse than the specification. Go ahead, pull up your handy local gcc source distribution and have a look in libstdc++-v3/src/c++17/fs_ops.cc, specifically in fs:copy, and referencing do_copy_file in libstdc++-v3/src/filesystem/ops-common.h. You will notice that in do_copy_file, in absolutely zero cases, ever, is O_NOFOLLOW used. This means that even if you specify skip_symlinks, as long as an attacker can swap a source or target file with a symlink at just the right time, they can still get it to be followed.

Do not ever, EVER use std::filesystem::copy for anything that crosses privilege boundaries. First, because the implementation sucks and is subject to race conditions. Second, because the behavior is complex enough and far enough from reasonable that it requires you to rethink your entire concept of what "crosses privilege boundaries" even means, because even without any concurrent modification, if source and target have untrusted contents - even if owned by your user - you could end up modifying anything you have access to.

EDIT: on further study, I have discovered that is_regular_file(path) will actually return true for a symlink that points to a regular file, so it is possible for is_regular_file(path) && is_symlink(path) to evaluate to true. It's also possible for is_symlink(path) && !exists(path) to evaluate to true. With that background knowledge, the specification of copy at least makes a little more sense. The behavior is still awful, though.
 
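The symlink behaviour discussed in the post above, as an added example that is not part of the original post and is not Guix, Nix or libstdc++ code: `std::filesystem::copy_file` writes through a destination symlink, a copy that opens the destination with `O_CREAT|O_EXCL|O_NOFOLLOW` refuses it, and rename-then-copy creates the output fresh. `copy_nofollow`, `run_demo`, the file names and the file contents are hypothetical, constructed for the demonstration (POSIX, C++17).

```cpp
// Added example: not Guix, Nix or libstdc++ code. All names are hypothetical.
#include <cerrno>
#include <fcntl.h>
#include <filesystem>
#include <fstream>
#include <iterator>
#include <string>
#include <unistd.h>

namespace fs = std::filesystem;
static std::string slurp(const fs::path& p) {
    std::ifstream in(p, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in), {});
}
static void spit(const fs::path& p, const std::string& s) {
    std::ofstream(p, std::ios::binary) << s;
}

// Copy a regular file so the destination is always created fresh: O_NOFOLLOW
// refuses a symlink source, and O_CREAT|O_EXCL fails with EEXIST if anything,
// a symlink included, already sits at `to`. Returns 0 or an errno value.
int copy_nofollow(const fs::path& from, const fs::path& to) {
    int in = open(from.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return errno;
    int out = open(to.c_str(),
                   O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (out < 0) { int e = errno; close(in); return e; }
    char buf[4096];
    int err = 0;
    ssize_t n = 0;
    while (!err && (n = read(in, buf, sizeof buf)) > 0)
        for (ssize_t off = 0, w; off < n && !err; off += w)
            if ((w = write(out, buf + off, n - off)) < 0) { err = errno; w = 0; }
    if (!err && n < 0) err = errno;
    close(in);
    if (close(out) < 0 && !err) err = errno;
    return err;
}

struct Outcome {
    std::string victim_after_std;       // victim after std::filesystem::copy_file
    int hardened_errno = 0;             // copy_nofollow onto the planted symlink
    std::string victim_after_hardened;  // victim after that refused copy
    std::string fresh_contents;         // dst after rename-then-copy
    bool dst_is_regular = false;        // type of dst itself, symlink not followed
};

// Constructed scenario in a private temp directory: `dst` has been planted as
// a symlink to `victim`, which stands in for a file outside the build sandbox.
Outcome run_demo() {
    const std::string payload = "untrusted build output\n";
    const std::string secret = "file outside the sandbox\n";
    fs::path dir = fs::temp_directory_path() / ("copy-demo-" + std::to_string(getpid()));
    fs::create_directory(dir);
    fs::path src = dir / "src", victim = dir / "victim", dst = dir / "dst";
    spit(src, payload);
    spit(victim, secret);
    fs::create_symlink(victim, dst);
    Outcome r;
    // Standard-library copy: the write lands in `victim` through the symlink.
    fs::copy_file(src, dst, fs::copy_options::overwrite_existing);
    r.victim_after_std = slurp(victim);
    spit(victim, secret);                        // reset for the second run
    r.hardened_errno = copy_nofollow(src, dst);  // refused, victim untouched
    r.victim_after_hardened = slurp(victim);
    // Rename first (acts on the symlink itself), then create dst fresh.
    fs::rename(dst, dir / "dst.old");
    copy_nofollow(src, dst);
    r.fresh_contents = slurp(dst);
    r.dst_is_regular = fs::is_regular_file(fs::symlink_status(dst));
    fs::remove_all(dir);
    return r;
}

int main() { Outcome r = run_demo(); return (r.hardened_errno && r.dst_is_regular) ? 0 : 1; }
```

`O_NOFOLLOW` only covers the final path component, so this protects a single file; a recursive copy would also need `openat` relative to already-opened directory descriptors to keep parent components from being swapped.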
Hahahah oh my god, the SourceForge thread where the VeraCrypt dev discusses this is just amazing.
The man has the patience of a saint. Can you imagine having your critical security software sabotaged, and getting helpful comments like 'just email the CEO of Microsoft bro, here's his email address and an email template I had ChatGPT write':
'Have you tried just using the shitty chatbot, but more'?
 