That would be “a pre-shared trusted signature to check against”, and is seldom available (in the real world where people live - yes, there are imaginary/ideal worlds where PGP is widespread and widely used) :)

Installing a .deb is what I was thinking about.

Even a signed tarball is better than curl|sh.

If you have a pre-shared trusted signature to check against (like with your distro’s repos), yes. But… that’s obviously not the case since we are talking installing software from the developer’s website.

Whatever cryptografic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (ie. it would only check against transmission errors).

Binary packages have scripts (IIRC for .deb they are preinst/postinst to be run before/after installation and prerm/postrm before/after removal) that are run as root.

BTW the “unzip” part is also run as root, and a binary package can typically place stuff anywhere in your system (that’s their job after all)… even if you used literal zip files they could still install a script in ways that would cause the OS to execute it.

But you don’t have to develop anything.

I interpreted your “look for ways to do things separately” as “look for separate tools that do the various things” (and you have to integrate), but I see now that you meant “look for ways to do things differently”. My bad.

I’ve heard this over and over… what’s the difference security-wise between sudo running some install script and sudo installing a .deb (or whatever package format) ?

I don’t even understand why people like GitHub so much, its source management sucks.

It’s not that complicated… people use it because everyone has an account there and so your project gets more visibility (and your profile too, for those who plan to flex it when they look for the next job) and more contributions. Even a lot of projects that aren’t on github have some sort of mirror there for visibility.

Suppose you wanna contribute to gnu grep (or whatever)… do you happen to know off the top of your head where the source repo and bug tracker are? And do you know what’s the procedure to submit your patch?

If you are a company doing closed source, I agree that I don’t see why you would choose github over the myriad alternatives (including the self hosted ones).

Look for ways to do things separately and you will find much better tools

That’s a great way to spend your resources developing yet-another-source-forge-thingie instead of whatever your actual project/product is supposed to be :)

Yeah… does git have issue tracking? actions? C’mon: it’s not like github & co. are just git.

I bet that doesn’t exist: nobody would put work in a program that lets just restricts what you can do with zero usability advantages (ok someone might)

If you fear you might run unsafe commands just save whatever you are comfortable running in scripts and restrict yourself to run those instead of manually typing commands you don’t fully remember/understand.

BTW: topgrade will detect what needs updating in your system (your distro’s package manager, flatpak, python stuff, … whatever) and update all the things

BTW: “terminal emulator” is the program that shows you text in a window, the program that runs inside it and validates/interprets your commands is a “shell” (the one you are using is most probably bash)

Here’s what I get in fish when I start writing a rsync command and hit tab to ask for completions:

❱ rsync --append-verify --progress -avz -
-0  --from0                               (All *from/filter files are delimited by 0s)  --delete                   (Delete files that don’t exist on sender)
-4  --ipv4                                                               (Prefer IPv4)  --delete-after         (Receiver deletes after transfer, not before)
-6  --ipv6                                                               (Prefer IPv6)  --delete-before         (Receiver deletes before transfer (default))
-8  --8-bit-output                          (Leave high-bit chars unescaped in output)  --delete-delay                 (Find deletions during, delete after)
[more lines omitted]

I don’t see the reasoning in your answer (I do see its passive-aggressiveness, but chose to ignore it).

I asked “why?”; does your reply mean “because lack of manpower”, “because lack of skill” or something else entirely?

In case you are new to the FOSS world, that being “open source” doesn’t mean that something cannot be criticized or that people without the skill (or time!) to submit PRs must shut the fu*k up.

Those are outside Signal’s scope and depend entirely on your OS and your (or your sysadmin’s) security practices (eg. I’m almost sure in linux you need extra privileges for those things on top of just read access to the user’s home directory).

The point is, why didn’t the Signal devs code it the proper way and obtain the credentials every time (interactively from the user or automatically via the OS password manager) instead of just storing them in plain text?

Then your password (your other, “first” factor) is the only thing preventing an intruder impersonates you.

You’ll still have to go through the hassle the now useless second factor puts you through, so you might as well update your second factor even if you trust your first to be very secure.

https://en.wikipedia.org/wiki/X86-64#Microarchitecture_levels

TLDR: extra x86 instructions supported by modern chips

Out of curiosity: is Bocchi the Rock the first anime you watched that is not action-focused and has no monsters or extraterrestrial/extradimensional invaders?

As for my recommendation (but it’s really a shot in the dark, given the scarce detail you provided), there’s an older anime called “hitoribocchi something something” (I’m too lazy too look up the name) that I remember being pretty funny.

It may not be a scam per se, but it certainly is a misnomer at this point… it’s one of those words (like “enterprise” or “pro”) that have been appropriated by marketing and devoided of any meaning. AI as a word will gradually die while people gradually realize it doesn’t mean anything. Marketing consumes words (and people too).

The problem is that rm -rf shouldn’t scare you?

What are the chances something like

~/projects/some-project $ cd ..
~/projects $ rm -fr some-project

may delete unexpected stuff? (especially if you get into the habit of tab-completing the directory argument)

Nice, but the name should be AS Roma :)

It’s also on FDroid

Actually, it doesn’t seem to be there https://search.f-droid.org/?q=futo&lang=en

and available via Obtainium/Github

IDK about obtanium, but IIUC the sources are on their gitlab instance https://gitlab.futo.org/alex/latinime

I agree. The recent organizational changes gave me hope, but in the end it turns out Mozilla is still Mozilla.

Honestly, IMO the end-user benefit is mostly that it sounds cool.

All the benefits I’ve heard (including the ones in this discussion) don’t actually derive from “immutability” but from releases that stay the same for longer (which is what “more stable” used to mean), or the ability to roll back your system to some “known” working state (which you can do with snapshots and in a plethora of other ways).

What immutability means is that users are unable to alter their system, or at least not expected to… basically, it means what in corporate lingo would sound “altering your system is not supported” and that the distro actively makes it hard for you to do so.

This means users will not break their system because they followed badly some instructions they found on some badly written forum post anymore and blame the distro for it, but it also means that users who actually have a reason to alter their system and know what they are doing will have a hard time doing it (or be unable to), which is precisely why I left macos and went back to linux for my work computer some ten years ago (I spent half a day doing something I could have be done with in five minutes and said to myself “never again”).

For the team/company that builds it, an immutable distro will likely be easier to test and maintain than a “regular” one, which should then indirectly benefit the users (well… as long as the team/company interests are aligned with the users’ of course: shall windows get easier for microsoft to maintain, how much benefit would trickle down to its end users?).

Users who switch to an immutable distro should see a decrease in bugs short-term. In the longer run, I’d expect distros (especially the “commercial” ones) to reduce the effort they spend in QA until quality drops again to whatever level is deemed appropriate (if bread costs less I’m still not gonna buy more bread than I need… same goes for quality).

Basically, it all boils down to “immutable distros cost less to maintain” (which, don’t get me wrong, is a net positive).

I must say I find it slightly concerning to have heard several “veteran” linux users say that immutable distros are so great that they will install one on their parent/child/SO/friend’s PC but on their own.

It’s also a bit unnerving to notice that most of the push for immutability seems to come from companies (the likes of debian/arch/gentoo/etc. are not pushing for immutability AFAIK, and they certainly don’t have the initiative in this field).

I’m not sure how much immutable distros will benefit the community at large, and… I’m not even sure they will end up being very successful (windows/macos follow in whatever makes is more profitable for microsoft/apple, linux users have choice).

I hope that immutable distros will prove both successful and good for the user community at large.

edit: Forgot to explain the positives I hope for: since immutable distros should require less effort, I hope this will lead to more/better “niche” distros from small teams, and to distros with bigger teams doing more cool stuff with the extra manpower