naptera

joined 1 year ago
[–] naptera@feddit.de 0 points 5 months ago

Well, the majority still seems to be unhappy. I think it is mainly because I chose Linux as an example and it reads like I think that Linux is not secure software which is not at all what I intended to say and also (obviously?) not what I think is true.

[–] naptera@feddit.de 0 points 5 months ago

I agree because it is exactly what my claim is. It would still be foolish to say that open source software is by design more secure than proprietary. I know that this is not what you said and you most likely also don't mean that, but there are enough people who think that way because they read everywhere that OSS=secure software.

Your example with xz however does not really hold imo. The xz bug was not found because xz is open source but because someone realized that their ssh session build-up took longer than usual and they then used valgrind to check for issues, and not because they looked in the source code. It wasn't even really an easy-to-spot backdoor because it was a malicious compressed file that changed the build process while running the tests and injected the actual backdoor into the compiled file. Therefore this would have been found with proprietary software with the same likelihood.

And regarding my analogy: I also like it more when things are recyclable, that is also why I like open source software more and have more trust in it. But now that I think about it, that wasn't the best analogy I could've chosen but it was the first thing that came to my mind.

[–] naptera@feddit.de 0 points 5 months ago (4 children)

Could we please stop associating open source with security? Don't get me wrong, I love open source software and it is easier to trust open source software than proprietary, because it is highly unlikely that they hide stuff like trackers in there. It is also most of the time highly configurable and sometimes even hackable, and as a software developer you are able to look into the mechanisms behind the APIs, which is sometimes really helpful.

But events like the lzma incident last year and the predictable openssl RNG in Debian some time ago (https://lists.debian.org/debian-security-announce/2008/msg00152.html) should tell us that open source doesn't mean secure software. And the argument that there are many people looking at the code is not really true. E.g. many maintainers of the Linux kernel only look at specific parts/drivers in it and maybe into some other things they need for that. There are probably only a few people if any (apart from governments) that have read, understood and analyzed the Linux kernel in its entirety with all the (open source) drivers built into it and all the possible combinations of configurations. And I don't want to know how many have done all that for less popular projects. And even if that is done at some point for an upstream project, you would have to check the patches from your distro and if there are any do it all for yourself again. And when the next release arrives you would have to do all that in its entirety again (although with some head start) if a new version arrives (that has, say, at least a thousand lines of code changed, removed or added). And now think about how many big releases come with some software per year. And don't forget to also include all the dependencies you have to check, including the compiler and standard library of the language(s) used.

Of course it is easier to do all that for OSS as an outside party because you don't have to decompile it, but it is still incredibly hard. And only being easier to analyze for security risks doesn't mean being more secure, just like packaging being recyclable doesn't mean that it will be recycled.

[–] naptera@feddit.de 0 points 6 months ago

Yeah, it really is more like Google Play Store or shopping websites and similar apps/websites (although there are some that have a better design I guess). I'm not really a fan of it either, but I guess people being used to those (which is probably the majority of the userbase of flatpak) feel more comfortable with it.

My guess with the difference between "trending" and "popular" is that the former means lots of recent downloads and the latter a lot of downloads in a longer timespan (e.g. a year or so).

[–] naptera@feddit.de 0 points 6 months ago (2 children)

What about the search bar at the top? It has category filters as well.

[–] naptera@feddit.de 0 points 6 months ago

Just recently I have skill issue'd myself by doing git clean -rf in my home directory where my dotfiles live and therefore deleted all of my home files. I was tired and looked for a quick way to resolve my conflicts and made the stupidest mistake one can do: execute a command you do not really understand.

At least I know what it does now and now I also do hourly local backups of my files with cron and borg.

[–] naptera@feddit.de 0 points 10 months ago

Just asking as I don't have that much knowledge about static and dynamic linking: When you link statically, my understanding was that the compiler directly integrates the implementations of the directly or indirectly used functions and other symbols into the resulting binary but ignores everything else. Wouldn't that mean that it is either smaller overall or at least as small as a dynamic library + executable? Because the dynamic library obviously has to contain every implementation, as it doesn't know about the executables of the system.

So the only way where using static linking results in overall bigger sizes than dynamic linking would be many (at least 2) executables using the same library. And you even said that you only use one algorithm from a big library so static should be way smaller than dynamic even with many executables.

If you meant memory usage, then I thought that dynamic libraries would have to be completely preloaded because you can't know which function will be needed in the near future and just-in-time loading would be way too slow, while static binaries will only load what will be needed, as I understand it.

[–] naptera@feddit.de 0 points 1 year ago* (last edited 1 year ago)

For the purpose of algorithm verification, finite and/or pushdown automata or probably sometimes even Turing Machines are used, because they are easier to work with. "Real" regular expressions are only nice to write a grammar for regular languages which can be easily interpreted by the computer, I think. The thing is that regexes in the *nix and programming language world are also used for searching, which is why there are additional special characters to indicate things like "it has to end with ..." and there are shortcuts for when you want that a character or sequence occurs

  • at least once,
  • once or never or
  • a specified number of times back to back.

In "standard" regex, you would only have

  • () for grouping,
  • * for 0 or any number of occurrences (so a* means blank or a or aa or ...)
  • + as combining two characters/groups with exclusive or (in programming, a+ is mostly the same as aa* so this is a difference)
  • and sometimes some way to have a shortcut for (a+b+c+...+z) if you want to allow any lower case character as the next one

So there are only 4 characters which have the same expressive power as the extended syntax, with the exception of not being able to indicate that it should occur at the end or beginning of a string/line (which could even be removed if one would have implemented different functions or options for the tools we now have instead).

So one could say that *nix regex is bloated /s
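An added example (not part of the comment above) showing that the extended shortcuts +, ?, {n} and [a-z] are only sugar over the classic operators: the rewriter below expands them into grouping, * and alternation, then checks with Python's re module that the original and the rewritten pattern accept the same strings. Python's | is used here for the union the comment writes as +, so that both forms can be run through the same engine; the helper names are my own.

```python
import re


def to_basic(pattern: str) -> str:
    """Rewrite +, ?, {n} and [a-z] into the classic operators ( ) * | only.

    Supports literal characters, parenthesised groups, simple character
    classes with ranges, and one quantifier after an atom (constructed
    subset, enough to show the equivalence; no anchors or escapes).
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "(":  # find the matching ')' and expand the group recursively
            depth, j = 1, i + 1
            while depth:
                depth += {"(": 1, ")": -1}.get(pattern[j], 0)
                j += 1
            atom = "(" + to_basic(pattern[i + 1:j - 1]) + ")"
            i = j
        elif c == "[":  # character class -> explicit alternation (a|b|c)
            j = pattern.index("]", i)
            chars, k = [], i + 1
            while k < j:
                if k + 2 < j and pattern[k + 1] == "-":
                    chars += [chr(x) for x in range(ord(pattern[k]), ord(pattern[k + 2]) + 1)]
                    k += 3
                else:
                    chars.append(pattern[k])
                    k += 1
            atom = "(" + "|".join(chars) + ")"
            i = j + 1
        elif c == "|":  # alternation is already a basic operator
            out.append("|")
            i += 1
            continue
        else:  # a single literal character
            atom = c
            i += 1
        # Expand the quantifier that follows the atom, if any.
        if i < len(pattern) and pattern[i] == "*":
            out.append(atom + "*")
            i += 1
        elif i < len(pattern) and pattern[i] == "+":  # a+ == aa*
            out.append(atom + atom + "*")
            i += 1
        elif i < len(pattern) and pattern[i] == "?":  # a? == (a|empty)
            out.append("(" + atom + "|)")
            i += 1
        elif i < len(pattern) and pattern[i] == "{":  # a{3} == aaa
            j = pattern.index("}", i)
            out.append(atom * int(pattern[i + 1:j]))
            i = j + 1
        else:
            out.append(atom)
    return "".join(out)


def same_language(extended: str, basic: str, samples) -> bool:
    """True if both patterns accept exactly the same strings from samples."""
    return all(bool(re.fullmatch(extended, s)) == bool(re.fullmatch(basic, s)) for s in samples)
```

The rewritten patterns grow (a{3} becomes aaa, [a-z] becomes a 26-way alternation), which is the practical reason the shortcuts exist even though they add no expressive power.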

[–] naptera@feddit.de 0 points 1 year ago

You could also use Void Linux with glibc but install base-minimal instead of base-system when following this guide: https://docs.voidlinux.org/installation/guides/chroot.html They also have a Docker image using busybox (the other thing that makes Alpine that minimal). So you could have a look at how they set it up and try that yourself. It is not well tested tho, so it's probably not a good idea for a server.