/srv/irclogs.ubuntu.com/2022/01/11/#ubuntu-discuss.txt

=== JanC is now known as Guest4834
[02:32] <oerheks> The default search engines no longer include Linux Mint search partners (Yahoo, DuckDuckGo...) but Mozilla search partners (Google, Amazon, Bing, DuckDuckGo, Ebay...)
[07:47] <ducasse> morning
[08:05] <mannequin> Morning
[08:08] <nicoz-> o/
=== RemoteHost is now known as A_Dragon
[14:03] <Aim> movo What are the downsides of debian over ubuntu when it comes to the desktop?  I actually use emacs for almost everything, including my window manager.  I just need everything else to stay really consistent until I have time to update them.  I just began having problems with my 18.04 ubuntu install when certain programs in the repository (like
[14:03] <Aim> obs) started becoming too outdated, but I don't think I want to have security updates and bleeding edge software updates rolled into one like I understand arch has
[14:04] <ogra> just use snaps
[14:05] <ogra> then your underlying OS matters a lot less and your apps will always be up to date ...
[14:12] <movo> Aim, i haven't used debian personally. But i also considered moving to it.. what kept me away is hearing that debian is even more conservative than ubuntu. ubuntu's out-of-box experience is bit more polished. easier support for proprietary drivers for example... ubuntu is the officially supported distro for many proprietary games and apps like steam .. so if you use debian you are on your own.
[14:12] <movo> also more documentation and discussion online w.r.t. ubuntu (this is becoming less true over the years tho)
[14:15] <Aim> ogra You can't choose not to upgrade a snap package?  That's kind of a concern for me
[14:16] <movo> Aim, actually you know what i might dual-boot debian one of these days...
[14:17] <Aim> Hah, I'm not trying to convince you.  I would have thought that a lot of discussions w.r.t ubuntu would apply to debian as well. I am concerned about the more 'conservatives' that you described though
[14:18] <movo> i am not sure you might find what you are looking for though. if you want up-to-date packages, debian-stable might be worse than ubuntu... debian-testing is supposed to be better mix of stability and updates for desktop users
[14:18] <Aim> I guess I'm looking for something that's really consistent in how it behaves, such that I can have consistent behavior during school semesters when I can't afford to be tinkering with things, but I also want the ability to upgrade to newer releases of obs and gimp and things when I choose to
[14:18] <Aim> snaps sounds almost perfect, except it seems like I can't choose not to upgrade things, which is also a concern
[14:18] <movo> debian is the grandmaster of consistency... the problem i fear for you it may be too consistent (stale packages)
[14:19] <Aim> yeah, I agree
[14:19] <movo> i have never used debian though. i am looking more into it these days...
[14:19] <movo> i wonder how fresh debian-testing packages are
[14:20] <ogra> Aim, you can set a setting that auto-delays it and notifies you about a new version (up to 60 days, then it will update regardless to not leave you with security holes)
[14:20] <movo> i have become disenchanted with snaps.. they come with their own shortcomings.. depends on the snap in question.. nowadays i am trying out flatpaks
[14:21] <Aim> I don't know, that.. just doesn't feel right.  Fighting with updates is one of the things that originally got me to leave other OSes
[14:21] <ogra> it is not much different to the deb notification system about updates ... just that it has a time limit to not leave you with massive security holes
[14:22] <Aim> I don't feel like I need my music player to be updated every 60 days
[14:22] <movo> you dont have to update if you dont want to
[14:22] <movo> at least linux gives you that choice
[14:22] <Aim> It sounds like there's a 60 day limit even on the auto-delays?
[14:23] <ogra> you do ... with snaps you can only delay by 60 days
[14:23] <movo> ah for snaps okay.. yeah at least snaps handles it in bg without your input.
[14:24] <ogra> it doesnt if you tell it to notify you
[14:24] <Aim> Oh, sorry, I was responding to ogra's comment about snaps.  I appreciate the suggestion, it seems almost correct for what I want, but I'm ultimately looking to have more control about when things are updated, and to what versions
[14:24] <movo> i have been looking to distro hop.. but more i learn about debian . more i think they are correct in their way of doing things. Does any other distro/repo code review and vet their packages?
[14:25] <ogra> sudo snap set system experimental.refresh-app-awareness=true
[14:25] <movo> Snaps, flatpaks, Nix, redhat, Arch AURs
[14:25] <ogra> that will then not update quietly but give you notifications for updates of running apps
[14:26] <ogra> and only update them after 60 days of notifying ...
[14:26] <movo> afai cant tell none of these actually review and vouch for the code in their repos (not sure about redhat fedora)
[14:26] <ogra> err
[14:26] <ogra> snaps are designed in a way that the review is builtin ... that the whole purpose of snaps to exist
[14:26] <ogra> *that's the whole ...
[14:27] <movo> ogra, reviewed? by who? afaik any one can publish a snap.. noone reviews them.. does ubuntu review them?
[14:27] <ogra> by the design of the format
[14:27] <ogra> a snap can not access anything on the system by default
[14:27] <movo> do you mean sandboxing?
[14:28] <ogra> to allow it to get access to any resources you need to use one of the pre-defined interfaces
[14:28] <ogra> some of these are harmless (i.e. audio-playback) and can auto-connect at install
[14:29] <ogra> as soon as your snap uses something less harmless you can not zpload it without human review
[14:29] <ogra> *upload
[14:29] <ogra> https://forum.snapcraft.io/c/store-requests/19
[14:29] <movo> on x window sandboxing is trivially bypassed... and even then if the app accesses home folder etc.. that is too much.. really depends on app.. but app still has access to confidential info
[14:30] <ogra> well, with 22.04 wayland is default
[14:30] <ogra> if you are paranoid about home access, snap disconnect <snapname>:home
[14:30] <mannequin> what kernel will 22.04 run?
[14:30] <ogra> no idea, the guys in #ubuntu-next might know
[14:31] <mannequin> ok, thanks
[14:31] <ogra> movo, note that home access does explicitly exclude all hidden dirs, so it can really only access your downloads and data but not something like passwords from apps (that are usually in hidden dirs)
[14:31] <Aim> I think I might go to debian to have almost everything just really consistent, but then use snaps/flatpaks for a few select things I want to keep a bit more up to date
[14:32] <movo> ogra so ubuntu manually reviews the snaps? to debian standards? they also have proprietary apps so i never felt comfortable with them.. also lot of snaps are from randos and not the offical author of the software
[14:32] <ogra> movo, not ubuntu ... a team of reviewers ...
[14:32] <ogra> not to debian standards, to snap standards 🙂
[14:33] <ogra> a deb style review would be useless
[14:33] <ogra> different technology
[14:33] <movo> ogra, Ah okay. i guess i have to look into snaps more.. i was under impression it was similar to node dystopia
[14:34] <ogra> and yes, that technology also applies to prop. SW ... it is in fact designed for this
[14:35] <movo> sandboxing on linux is not up to mark of android/ios.. like i said trivially bypassed in x-window system. wayland hopefully patches up these flaws...
[14:35] <ogra> huh ? what makes you think that
[14:35] <movo> so you cant depend on sandboxing.. have to manually code review
[14:35] <Aim> I thought one of the concerns about snaps were that they were all distributed from a central source controlled by canonical.  I would have thought that meant they were all at least somewhat reviewed/approved by canonical though
[14:35] <jchittum> > afai cant tell none of these actually review and vouch for the code in their repos (not sure about redhat fedora) : Unless i misunderstand ubuntu main, Canonical does vouch for software in that specific pocket. Canonical maintains the updates and does review patches. and many Canonical employees are debian maintainers.
[14:35] <ogra> the technologies used are all kernel features like in android/ios
[14:37] <movo> jchittum, oh yeah i include debian-based distros as debian (although i am not sure about ubuntu-multiverse universe whatever its called)
[14:38] <movo> ogra, xwindow is fundamentally unsecurable last i heard .. as long as your linux desktop uses it .. all sandboxing can be bypassed https://mjg59.dreamwidth.org/42320.html
[14:38] <ogra> one massive difference to debs is that deb installation gives the packager full root access to your system ... this is not possible with snaps
[14:38] <movo> anyone correct me if i am wrong... Wayland is supposed to fix this..
[14:38] <ogra> so debs actually *require* that kind of caution
[14:38] <ogra> yes wayland is fixing this and as i said, default by 22.04
[14:40] <movo> still if i am using say an image editor snap whatever data that accesses is compromisable (if it has access to my home folder it has access to all my files, emails, browser history etc)
[14:40] <Aim> I think I'm going to try and stick with software in the main repos whenever possible, but grab a snap/flatpak when I need something that is too outdated in the main repo next install, instead of adding ppa repositories
[14:40] <Aim> that should keep things really stable, since everything is either supported or a snap/flatpak..?
[14:41] <movo> PPAs are fine if you verify the author.. such as if it is by the original developer or ubuntu developer
[14:41] <movo> snap/flatpaks probably wont ruin your system... true.
[14:41] <Aim> well, I handled them badly, and now have a horrible dependency mess.  This is admittedly due to me handling my repos poorly
[14:43] <ogra> movo, wrong .. a snap does not have access to your emails, browser history or any app settings it does not own ... see above ... the home interface does not allow access to hidden files ... so if you dont use a browser that stores your history in clear text as ~/history on your home dir there is no way
[14:45] <Aim> Interesting, I didn't realize putting a period before file names/directories actually change their security
[14:45] <ogra> well, it just makes the file hidden in gui tools
[14:45] <ogra> snaps use that fact to recognize these files as "nt for me"
[14:46] <ogra> *not
[14:46] <ogra> (or rather the kernel does and tells the snap it cant access them)
[14:46] <movo> ogra, i stand corrected... that is a very good feature...  still there are files in home folder that could compromise confidentiality
[14:46] <ogra> sure
[14:47] <ogra> but if you are concerned you can always disconnect the home interface for that suspicious snap
[14:47] <ogra> and use the app via the per-app home in ~/snap/<snapname>/current/
[14:48] <movo> chrome web store, play store, all have excellent sandboxing yet 99% of their apps/addons i dont feel confident installing. my point is sandboxing isnt a replacement for code review.
[14:49] <ogra> well, if you have an actual secure snapdbox and defined and controlled interfaces to grant exceptions it does 🙂
[14:49] <ogra> *snapdbox ... haha
[14:49] <ogra> sandbox indeed
[14:49] <movo> and i fear linux ecosystem is moving away from it.. debian reviews their repos, and debian-based distros benefit. ubuntu does.. snapcraft may do it ( i have to look into it how much they do) ... what about Arch, Fedora/Red Hat, NixOS, Flatpaks, etc..
[14:51] <ogra> well, flatpaks leave the whole security to the packager and have no upload reviews AFAIK
[14:51] <movo> still sandboxing wont protect from say analytics, phoning home and similar privacy concerns unless they also firewall
[14:52] <ogra> snap disconnect <snapname>:network ...
[14:52] <ogra> you can prevent them
[14:52] <movo> ogra... ah thats unfortunate. i didnt know this... 1 point to snap over flatpaks...
[14:52] <ogra> but yeah, network is typically granted by default
[14:52] <movo> I hear AUR scripts you can at least read and see what they are doing exactly... fetching code from which sources etc.
[14:54] <ogra> well, to the rescue of flatpaks i think you are always forced to publish your packaging code
[14:54] <ogra> so there *can* be reviews
[14:54] <ogra> but unlike snaps flatpaks do not generally have the "locked down by default" rule
[14:55] <ogra> (AFAIK ... i'm not doing anything with flatpak so take my knowledge with a grain of salt)
[15:01] <movo> oh so thats like AURs if i am correct (dunno, never used either)
[15:01] <ogra> same here ...
[15:01] <ogra> ss ... probably ... 😛
[15:02] <movo> still anytime the publisher can push a malicious update and if you are on auto-update you are screwed.
[15:02] <ogra> */ss/s👋
[15:02] <ogra> *so
[15:03] <movo> open source sounds good in theory but only if someone reads the actual code every update.. only debian does that afaik... (dunno about red hat)
[15:04] <ogra> well, you cant *just enable* any powerful interface in a snap that has not been granted before ... even a subsequent upload will go into manual review
[15:06] <movo> chrome apps are a perfect example. technically code is opensource since its javascript. even if you trust the author... someone can purchase the rights to the code from original author and push malicious updates. this HAS HAPPENED in chrome and in android play store
[15:07] <movo> If you have a popular addon or app there are always shady parties willing to buy it
[15:07] <movo> g2g bbl...
[15:08] <movo> ogra thanks for info on snaps... i had mostly written them off but you have convinced me to give them a revisit..
[15:09] <ogra> if you have actual technical questions, there is #snappy ... and forum.snapcraft.io
[15:09] <ogra> (or any doubts around security etc)
[15:11] <movo> i will check them out since i have some questions
[15:15] <movo> Mozilla used to review and vouch for all the addons in their marketplace but now they do it only for a subset of addons (probably due to their financial situation). At least they warn you when an addon has not been reviewed. Something that snaps and flatpaks dont do satisfactorily afaik. Snaps has that little asterisk for official authors tho.. thats nice..
=== unixlab is now known as nicoz-
=== nicoz- is now known as nicoz
=== jiggawatt is now known as Qazaqstan
