- 6 Posts
- 191 Comments
kumi@feddit.online to Linux@lemmy.ml • Need help setting up a software RAID 1 through Calamares Installer (Debian 13 Trixie) (English)
5 · 9 hours ago
Partitioning in the Debian installer being half-broken is something nobody talks about but IME still a thing.
What I do is step through the installer to the point where you’re at, Ctrl+F* to get a shell, set it up manually using fdisk/mdadm/lvm/cryptsetup/mkfs, and then go back again to rescan and just assign the mounts and filesystems.
I think I still have a half-written guide for just this in drafts somewhere actually. If you get stuck you can DM and maybe I’ll dig something up.
kumi@feddit.online to Cybersecurity@sh.itjust.works • Threat model for PGP signed software vs. HTTPS (English)
1 · 13 hours ago
Oversimplifying a bit:
TLS (HTTPS) provides transport security: whatever is served by the mirror is really associated with that mirror’s domain name. Each HTTPS response is signed live, so the private key must be “hot” and loaded in memory on the mirror (or its reverse proxy).
PGP signatures provide integrity and authentication: the package files themselves have been signed by the repo signing key. This signing can be done once per package and the private key can be offline.
HTTPS is not a replacement for PGP sigs. They are for different things. HTTPS will provide a bit better privacy (and now that I think of it, theoretically some package manager could be vulnerable to downgrade mitm - substitute a package with a legit and signed but older vulnerable version - or other bugs).
PGP on the other hand is such a mess that even some cryptographers don’t like it.
I’ve seen plenty of critique on PGP for email encryption but that’s not relevant here.
sq (Sequoia) is a great alternative implementation you can use instead of GnuPG.
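As an added illustration of the downgrade caveat raised in the comment above (this is example code written for this page, not anything from the original comment or from any package manager), the following Python sketch models a repository client that receives signed release metadata. An HMAC over the metadata stands in for the detached OpenPGP signature, since the point is what the client checks rather than the primitive; the key, the `serial`/`valid_until` fields and the sample release files are all constructed for the example. It shows that signature validity alone accepts a replayed, older but legitimately signed release, while a client that also enforces a freshness window and a monotonically increasing serial rejects it.

```python
import hashlib
import hmac
import json
import time

# Constructed key for this example; it stands in for the repository's offline
# OpenPGP signing key (a real repo would ship a detached OpenPGP signature).
REPO_KEY = b"constructed-offline-repo-signing-key"


def sign_release(release: dict, key: bytes = REPO_KEY) -> dict:
    """Sign release metadata once, offline. HMAC-SHA256 is a stand-in for the
    OpenPGP signature; the shape (body + detached sig) mirrors a Release file."""
    body = json.dumps(release, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class Client:
    """Package-manager side. Remembers the highest release serial it accepted,
    so a signed but older release file cannot be replayed to roll packages back."""

    def __init__(self, key: bytes = REPO_KEY) -> None:
        self.key = key
        self.last_serial = 0

    def signature_valid(self, signed: dict) -> bool:
        expected = hmac.new(self.key, signed["body"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signed["sig"])

    def accept(self, signed: dict, now=None) -> str:
        """Hardened acceptance: authenticity, then freshness, then no rollback."""
        now = time.time() if now is None else now
        if not self.signature_valid(signed):
            return "bad-signature"
        release = json.loads(signed["body"])
        if release["valid_until"] < now:
            return "expired"       # stale metadata; apt's Valid-Until field plays this role
        if release["serial"] <= self.last_serial:
            return "rollback"      # correctly signed, but older than what we already trust
        self.last_serial = release["serial"]
        return "ok"


def demo() -> dict:
    """Walk through the cases discussed above, on constructed release data."""
    t0 = 1_700_000_000  # fixed 'now' so the run is deterministic
    old = sign_release({"serial": 41, "valid_until": t0 + 7 * 86400,
                        "packages": {"foo": "1.0-1"}})
    new = sign_release({"serial": 42, "valid_until": t0 + 14 * 86400,
                        "packages": {"foo": "1.0-2"}})
    # Tampered body reusing a genuine signature: must fail authenticity.
    forged = {"body": json.dumps({"serial": 43, "valid_until": t0 + 10**9,
                                  "packages": {"foo": "9.9-evil"}}).encode(),
              "sig": new["sig"]}

    hardened = Client()
    return {
        "new_then_old": [hardened.accept(new, now=t0), hardened.accept(old, now=t0)],
        # a client that only checks the signature happily takes the replayed old file
        "signature_only_accepts_old": Client().signature_valid(old),
        "stale_old": Client().accept(old, now=t0 + 8 * 86400),
        "forged": Client().accept(forged, now=t0),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering in `accept` matters: authenticity first (nothing in an unverified body can be trusted, including its own expiry), then the freshness window, then the rollback check against pinned state. HTTPS on the mirror does not remove the need for the last two checks, because the replayed file is still a genuine, correctly signed artefact.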
kumi@feddit.online to Linux@programming.dev • X.Org Server May Create A New Selective Git Branch With Hopes Of A New Release This Year (English)
11 · 18 hours ago
deleted by creator
I think it depends a lot on what you are building.
For bigger projects and apps leveraging the mobile platform I’m 100% with you.
These kinds of frameworks can still be a good fit for a quick MVP demo, as a stepping stone for porting an existing web app, or if all you really want is a glorified web view (or are PWAs enough for the last one these days?)
Specifically RN is in terrible shape and IMO something to avoid though.
kumi@feddit.online to Linux@programming.dev • Linux Snap Users Warned as Attackers Push Malware Through Old Trusted Apps (English)
24 · 22 hours ago
Everything in there is relevant and applies to flatpaks too. Being aware of the risks is important when using alternative distribution methods. With power, responsibility.
kumi@feddit.online to Linux@programming.dev • Linux Snap Users Warned as Attackers Push Malware Through Old Trusted Apps (English)
386 · 22 hours ago
Tricking users into using Snap without realizing it, making them unknowingly vulnerable to exploits like this, would be really really bad and unethical on Canonical’s part.
That is not what is happening at all.
Just so nobody is confused or gets afraid of their install: getting the Firefox snap installed via Ubuntu’s apt package does not make users vulnerable to what is talked about here and is just as safe as the apt package version. For Firefox, snaps might even be safer since you will probably get security patches earlier than with apt upgrades and get some sandboxing. In both cases you are pulling signed binaries from Canonical servers.
The post is about third-party fake snaps. If you run a snap install command from a random web site or LLM without checking it, or make a typo, then you are at risk. If Ubuntu didn’t have snaps, this would be malicious flatpaks. If Ubuntu didn’t have flatpaks, it would be malicious PPAs. And so on. Whatever hosted resource gets widely popular and allows users to blindly run and install software from third parties will be abused for malware, phishing, typosquatting and so on. This is not the fault of the host. You can have access to all the apps out there you may ever want, or you can safely install all your apps from one trusted source. But it’s an illusion that you can ever have both.
People have opinions about whether snaps are a good idea or not and that’s fine, but there shouldn’t be FUD. If you are using Canonical’s official snaps and are happy with them you don’t have to switch.
kumi@feddit.online to Selfhosted@lemmy.world • I built LinuxMate to kill post-install chaos (free repo + demo) (English)
1 · 1 day ago
I do not ask you to read?
So that’s the mistake I made and the important part. Thanks for clarifying.
I still feel misled that it’s labelled as something it isn’t (“my reasoning”).
kumi@feddit.online to Selfhosted@lemmy.world • I built LinuxMate to kill post-install chaos (free repo + demo) (English)
5 · 1 day ago
It is indeed with the help of llm. But reasoning is still solid and very curated.
It isn’t your reasoning and promoting it as such when asking us to read doesn’t feel honest at all.
kumi@feddit.online to Selfhosted@lemmy.world • Lemmy <> Nginx proxy manager nightmares (English)
1 · 1 day ago
Try answering the questions I asked for yourself and see if anything comes up!
Debian has this (well, for sources at least) and I think it’s somewhere between 20-30 DVD images for actually-everything. Maybe not something for the day-to-day but great to keep on hand for preppers and the paranoid (:
kumi@feddit.online to Selfhosted@lemmy.world • I built LinuxMate to kill post-install chaos (free repo + demo) (English)
10 · 2 days ago
Linux MATE desktop is pretty established and I think has a similar audience. Pretty confusing name choice… “want to install mate on linux? Try linuxmate (no relation)”
BTW are those actually your reasonings on the blog as you say? It reads very LLMy.
kumi@feddit.online to Selfhosted@lemmy.world • Lemmy <> Nginx proxy manager nightmares (English)
4 · 2 days ago
What makes you suspect the Nginx config instead of Lemmy? Do you have any failing requests (timeout or status code >= 400) in the nginx log? What are the failing endpoints?
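As an added example of how to answer the two diagnostic questions in the comment above (written for this page; not code from the original comment, from Lemmy or from nginx), the following Python snippet parses nginx’s default “combined” access log format and tallies failing requests (status >= 400) per method and path. The log lines are constructed for the example and stand in for `/var/log/nginx/access.log`; the endpoint names merely resemble Lemmy API paths.

```python
import re
from collections import Counter

# nginx "combined" log format (the default access_log format); the regex
# follows its fixed field order: client, ident, user, [time], "request",
# status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /api/v3/site HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "POST /api/v3/user/login HTTP/1.1" 502 157 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:00:03 +0000] "GET /api/v3/post/list?sort=Hot HTTP/1.1" 504 160 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2025:12:00:04 +0000] "POST /api/v3/user/login HTTP/1.1" 502 157 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:00:05 +0000] "GET /pictrs/image/abc.webp HTTP/1.1" 200 23456 "-" "Mozilla/5.0"
"""


def failing_endpoints(lines):
    """Count (method, path without query string, status) for every request
    whose status is 400 or above. Lines in another format are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        if status >= 400:
            path = m["path"].split("?", 1)[0]   # drop query string so variants group together
            counts[(m["method"], path, status)] += 1
    return counts


def report(text: str = SAMPLE_LOG):
    """Return failing endpoints as (request, status, count), most frequent first."""
    counts = failing_endpoints(text.splitlines())
    return [(f"{method} {path}", status, n)
            for (method, path, status), n in counts.most_common()]


if __name__ == "__main__":
    for request, status, n in report():
        print(f"{n:>4}  {status}  {request}")
```

Reading the result is the useful part: 502 and 504 are generated by nginx when the upstream fails or times out, so a cluster of them on specific endpoints points at Lemmy (or the proxy’s upstream address and timeouts), whereas 4xx responses point at the client or at proxy rules such as the location blocks. Run it against the real file with `report(open("/var/log/nginx/access.log").read())` if the site uses the default log format.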
kumi@feddit.online to Selfhosted@lemmy.world • BentoPDF urgent security notice: do not pull or update (English)
33 · 2 days ago
Both can be true.
I think such character assessment and calling names is unnecessary and off-topic here though. Better engage with substance than judging by vibes and doing ad-hominem.
kumi@feddit.online to Selfhosted@lemmy.world • BentoPDF urgent security notice: do not pull or update (English)
317 · 2 days ago
Called it.
https://feddit.online/post/1372107/comment/6758185
No one listen grug til chicken come to roost
kumi@feddit.online to Selfhosted@lemmy.world • BentoPDF urgent security notice: do not pull or update (English)
423 · 3 days ago
I guess they now have a large enough number of users that it would be wise to shift some focus from growth-hacking to supply-chain security.
This is growing pains.
kumi@feddit.online to Linux@lemmy.ml • Way to try multiple distros over period of month possibly (English)
61 · 3 days ago
Ventoy is risky and a bit sus for such security-critical software.
Glim is another solution for ISO-multiboot-USB that doesn’t require as much trust.
kumi@feddit.online to Linux@lemmy.ml • Way to try multiple distros over period of month possibly (English)
5 · 3 days ago
QuickEmu makes distrohopping in VMs easy.
kumi@feddit.online to Selfhosted@lemmy.world • I made a self-hostable frontend for instagram. (English)
44 · 3 days ago
Cool! Keeping up with platform changes is a challenge for projects like this. I think to be successful beyond initial popularity you need an active community that can do this together. It’s draining for just one person, especially once you get big enough that they might actively break things just to mess with your integration. Following maintenance of alternative YouTube clients as well as searx-ng is illustrative.
Not to discourage but be prepared. Best of luck!
https://cadence.moe/blog/2022-09-01-discontinuing-bibliogram
Regarding the questions on Bluetooth security, this great presentation from last month covers a lot of your questions and more.
https://media.ccc.de/v/39c3-bluetooth-headphone-jacking-a-key-to-your-phone