i’m lizard 🦎
Technically always has, ROCm comes with a “backported” amdgpu module and that’s the one they supposedly test/officially validate with. It mostly exists for the ancient kernels shipped with old long-time support distros.
Of course, ROCM being ROCM, nobody is running an officially supported configuration anyway and the thing is never going to work to an suitably acceptable level. This won’t change that, since it’s still built on top of it.
Even worse than that, they need to be able to make an arbitrary container from an arbitrary attacker-provided Dockerfile, or make fairly arbitrary calls to the Docker daemon (in which case you’ve already lost).
They’re rather uninteresting for anyone self-hosting containers as the runc vuln doesn’t offer a way to escape from within an already running container, while the BuildKit vulns all have fairly odd preconditions or require passing untrusted input. Quite the annoyance if you’re running some kind of public cloud or public CI/CD service, though.
Takuro’s own JP Twitter bio (urokuta_ja) claims involvement with both Pocketpair’s games and Coincheck.
DMA-BUF being marked as “unstable” for a decade was a fucking joke. It’s a protocol that’s required to get any kind of meaningful hardware accel going, which nearly every app does nowadays. Within Wayland circles, it’s been understood it’s not going to change for years, as doing so would break nearly every single existing app, yet all kinds of bikeshedding prevented it from being moved to stable.
Hopefully this marks a turning point for many other similarly important protocols stuck in unstable/staging hell too, like pointer constraints and text input. If devs can’t rely on basic functionality to be present and it takes more than say three years to commit to it, it’s time to admit that either the process or the protocol is broken.
Windows software running in Wine/Proton can bypass the Windows layer and call Linux stuff directly. This is fine; Wine isn’t intended to be a security layer by itself. Some of the Proton bits that Valve made to build a bridge between Windows games & the Linux Steam client does this, as well as pretty much every other bit of Wine internals.
Easy Anti-Cheat detects that it’s running in Wine and if the game dev enabled Wine support, it downloads a binary that knows how to do that. That version of EAC doesn’t run at kernel level, but it does scan your Linux userspace for cheats, or whatever Epic feels like doing today. As with every userland anti-cheat, the company making it can update it more or less anytime you’re playing the game and since it’s running in the context of the game, it has access to everything the game does. Same thing for most anti-cheat software really.
Quest 64 French Vanilla more or less is that mod. Not totally sure what I think of it though. It’s a huge improvement over the game’s mechanics, but this is also one of those games where all the weird balancing quirks are part of the game’s charm.
Everything was forked and should eventually end up on F-Droid, but most things haven’t had a release yet. My understanding is that they’re hoping to do everything right immediately, including having proper new branding and all the shared functionality from Simple Thank You.
The F-Droid versions of SMT apps are perfectly safe and shouldn’t be going anywhere. (But if you have Google Play versions, I wouldn’t trust those anymore, those are owned by ZipoApps now.)
Well, my recommendations for anything semi-automated would be Ansible and Fabric/Invoke. Fabric is also a Python tool (though it’s only used on the controlling side, unlike Ansible), so if that’s a no-go, I’m afraid I don’t have much to offer.
Realistically, there is only a trivial pure security difference between logging in directly to root vs sudo set up to allow unrestricted NOPASS access to specific users: the attacker might not know the correct username when trying to brute force. That doesn’t matter in the slightest unless you have password auth enabled with trivial passwords.
But there is a difference in the ability to audit what happened after the fact if you have any kind of service storing system logs remotely or in a tamper-proof way. If there’s more than one admin user on a service, that is very very important. Knowing where the compromise happened is absolutely essential to make things safe.
If there’s only ever going to be one administrative user (personal machine), logging in directly as root for manual administrative tasks is fine: you already know who the user is. If there’s any chance there might be more administrative users later (small but growing business), you should consider doing it right from the start.
No, it comes together with a CLA being required to contribute. In other words, Canonical (and only Canonical) is still allowed to sell exceptions to the AGPL.
Yes, the post says there is no copyright assignment. That’s extremely carefully chosen wording to avoid mention of the CLA which was made required in the same commit as the license change. It’s “just” a super extended license that lets them do whatever, not assignment.
You can hardcode a specific version of nixpkgs, instead of a branch. With the new Nix CLI & flakes enabled you can do something like this:
nix run "github:NixOS/nixpkgs/b4372c4924d9182034066c823df76d6eaf1f4ec4#cowsay" "moo mooooooo"
That’s the commit I’m seeing for nixos-23.11 today, and it should still give you that exact version of cowsay years from now.
Of course, the better option is to make a dev shell with flakes. Flakes come with a lockfile builtin that accomplishes the same effect, and there’s no problems having different projects on different lockfiles/versions. It’s a bit more work to learn, the Zero to Nix tutorials are pretty decent at teaching and come with examples though (ultimately most things are ~30 lines of boilerplate and a list of packages that you want).
And they’re also deleting/deleted all classic Minecraft accounts from before that. They invented an incredibly weird and needlessly obtuse process to extend the migration deadline by 3 months (true final deadline is now mid December 2023), but that’s seemingly it. Everyone not paying too much attention to their email just gets $30 worth of game deleted because of a completely arbitrary decision.
A biggie you miss is the toolchain: the compiler/binutils/linux-headers/libc/libstdc++ combination. The libc and usually libstdc++ are key components of any install. The other parts usually don’t make it to non-dev-desktops, but the distro couldn’t be made without them, so they’re virtually always available as packages.
Only exception is if the entire distro is cross-compiled or it’s made exclusively for containers, but those kinds of special distros break every rule imaginable anyway. Some might not even ship a bootloader or a Linux kernel by themselves.
I think most people don’t realize how unusual their company structure is. It feels like it’s set up to let them do exactly that. As far as I can tell, once you look past the smoke and mirrors, the board effectively controls both the non-profit and the for-profit.
For the port thing, you can set the
net.ipv4.ip_unprivileged_port_startsysctl to a lower value like 80 (may need to go lower if you also do email). It also applies to IPv6.The default of 1024 is for security, but the actual security granted by it is not really that relevant nowadays. It stems from a time where ports < 1024 were used by machines to trust other machines using stuff like rsh & telnet, and before we considered man-in-the-middle attacks to be practical and relevant. Around the start of this millennium, we learned better. Nowadays we use SSH and everything is encrypted & authenticated.
The only particularly relevant risk is that if you lower it enough to also include SSH’s default port 22, some rogue process at startup might make a fake SSH server. That would come along with the scary version of the “host key changed” banner so the risk is not that high. Not very relevant if you’re following proper SSH security practices.