[02:32] <oerheks> The default search engines no longer include Linux Mint search partners (Yahoo, DuckDuckGo...) but Mozilla search partners (Google, Amazon, Bing, DuckDuckGo, Ebay...)
[07:47] <ducasse> morning
[08:05] <mannequin> Morning
[08:08] <nicoz-> o/
[14:03] <Aim> movo What are the downsides of debian over ubuntu when it comes to the desktop?  I actually use emacs for almost everything, including my window manager.  I just need everything else to stay really consistent until I have time to update them.  I just began having problems with my 18.04 ubuntu install when certain programs in the repository (like
[14:03] <Aim> obs) started becoming too outdated, but I don't think I want to have security updates and bleeding edge software updates rolled into one like I understand arch has
[14:04] <ogra> just use snaps 
[14:05] <ogra> then your underlying OS matters a lot less and yuor apps will always be up to date ...
[14:12] <movo> Aim, i haven't used debian personally. But i also considered moving to it.. what kept me away is hearing that debian is even more conservative than ubuntu. ubuntu's out-of-box experience is bit more polished. easier support for proprietary drivers for example... ubuntu is the officially supported distro for many proprietary games and apps like steam .. so if you use debian you are on your own. 
[14:12] <movo> also more documentation and discussion online w.r.t. ubuntu (this is becoming less true over the years tho)
[14:15] <Aim> ogra You can't choose not to upgrade a snap package?  That's kind of a concern for me
[14:16] <movo> Aim, actually you know what i might dual-boot debian one of these days...
[14:17] <Aim> Hah, I'm not trying to convince you.  I would have thought that a lot of discussions w.r.t ubuntu would apply to debain as well. I am concerned about the more 'conservatives' that you described though
[14:18] <movo> i am not sure you might find what you are looking for though. if you want up-to-date packages, debian-stable might be worse than ubuntu... debian-testing is supposed to be better mix of stability and updates for desktop users
[14:18] <Aim> I guess I'm looking for something that's really consistent in how it behaves, such that I can have consistent behavior during school semesters when I can't afford to be tinkering with things, but I also want the ability to upgrade to newer releases of obs and gimp and things when I choose to
[14:18] <Aim> snaps sounds almost perfect, expect it seems like I can't choose not to upgrade things, which is also a concern
[14:18] <movo> debian is the grandmaster of consistency... the problem i fear for you it may be too consistent (stale packages)
[14:19] <Aim> yeah, I agree
[14:19] <movo> i have never used debian though. i am looking more into it these days... 
[14:19] <movo> i wonder how fresh debian-testing packages are
[14:20] <ogra> Aim, you yan set a setting that auto-delays it and notifies yu about a new version (up to 60 days, then it will update regardless to not leav you with security holes)
[14:20] <movo> i have become disenchanted with snaps.. they come with their own shortcomings.. depends on the snap in question.. nowadays i am trying out flatpaks 
[14:21] <Aim> I don't know, that.. just doesn't feel right.  Fighting with updates is one of the things that originally got me to leave other OSes
[14:21] <ogra> it is not much different to the deb notifiction system about updates ... just that it has a time limit to not leave you with massive securit holes
[14:22] <Aim> I don't feel like I need my music player to be update every 60 days
[14:22] <movo> you dont have to update if you dont want to
[14:22] <movo> at least linux gives you that choice
[14:22] <Aim> It sounds like there's a 60 day limit even on the auto-delays?
[14:23] <ogra> you do ... with snaps you can only delay by 60 days 
[14:23] <movo> ah for snaps okay.. yeah at least snaps handles it in bg without your input.
[14:24] <ogra> it doesnt if you tell it to notify you 
[14:24] <Aim> Oh, sorry, I was responding to ogra's comment about snaps.  I appreciate the suggestion, it seems almost correct for what I want, but I'm ultimately looking to have more control about when things are updated, and to what eversions
[14:24] <movo> i have been looking to distro hop.. but more i learn about debian . more i think they are correct in their way of doing things. Does any other distro/repo code review and vet their packages?
[14:25] <ogra> sudo snap set system experimental.refresh-app-awareness=true
[14:25] <movo> Snaps, flatpaks, Nix, redhat, Arch AURs
[14:25] <ogra> that will then not update quietly but give you notifications for updates of running apps
[14:26] <ogra> and only update them after 60 days of notifying ...
[14:26] <movo> afai cant tell none of these actually review and vouch for the code in their repos (not sure about redhat fedora)
[14:26] <ogra> err
[14:26] <ogra> snaps are designed in a way that the review is builtin ... that the whole purpose of snaps to exist
[14:26] <ogra> *that's the whole ...
[14:27] <movo> ogra, reviewed? by who? afaik any one can publish a snap.. noone reviews them.. does ubuntu review them?
[14:27] <ogra> by the design of the format
[14:27] <ogra> a snap can not access anything on the system by default 
[14:27] <movo> do you mean sandboxing? 
[14:28] <ogra> to allow it to get access t any resources you need to use one of the pre-defined interfaces
[14:28] <ogra> some of these are harmless (i.e. audio-playback) and can auto-connet at install 
[14:29] <ogra> as soon as your snap uses something less harmless you can not zpload it without human review
[14:29] <ogra> *upload
[14:29] <ogra> https://forum.snapcraft.io/c/store-requests/19
[14:29] <movo> on x window sandboxing is  trivially bypassed... and even then if the app accesses home folder etc.. that is too much.. really depends on app.. but app still has access to confidential info 
[14:30] <ogra> well, with 22.04 wayland is default 
[14:30] <ogra> if yu are paranoid about home access, snap disconnect <snapname>:home
[14:30] <mannequin> what kernel will 22.04 run?
[14:30] <ogra> no idea, the guys in #ubuntu-next might know
[14:31] <mannequin> ok, thanks
[14:31] <ogra> movo, note that home access does explicitly exclude all hidden dirs, so it can really only access your downloads and data but not something like passwords from apps (that are usually in hidden dirs) 
[14:31] <Aim> I think I might go to debian to have almost everything just really consistent, but then use snaps/flatpacks for a few select things I want to keep a bit more up to date
[14:32] <movo> ogra so ubuntu manually reviews the snaps? to debian standards? they also have proprietary apps so i never felt comfortable with them.. also lot of snaps are from randos and not the offical author of the software
[14:32] <ogra> movo, not ubuntu ... a team of reviewers ...
[14:32] <ogra> not to debian standards, to snap standards 🙂
[14:33] <ogra> a deb style review would be useless 
[14:33] <ogra> differnet technology
[14:33] <movo> ogra, Ah okay. i guess i have to look into snaps more.. i was under impression it was similar to node dystopia
[14:34] <ogra> and yes, that technology also applies to prop. SW ... it is in fact designed for this
[14:35] <movo> sandboxing on linux is not up to mark of android/ios.. like i said trivially bypassed in x-window system. wayland hopefully patches up these flaws... 
[14:35] <ogra> huh ? what makes you think that 
[14:35] <movo> so you cant depend on sandboxing.. have to manually code review
[14:35] <Aim> I thought one of the concerns about snaps were that they were all distributed from a central source controlled by canonial.  I would have thought that meant they were all at least somewhat reviewed/approved by canonical though
[14:35] <jchittum> > afai cant tell none of these actually review and vouch for the code in their repos (not sure about redhat fedora) : Unless i misunderstand ubuntu main, Canonical does vouch for software in that specific pocket. Canonical maintains the updates and does review patches. and many Canonical employees are debian maintainers.
[14:35] <ogra> the technologies used are all kernel features like in android(ios 
[14:37] <movo> jchittum, oh yeah i include debian-based distros as debian (although i am not sure about ubuntu-multiverse universe whatever its called)
[14:38] <movo> ogra, xwindow is fundamentally unsecurable last i heard .. as long as your linux desktop uses it .. all sandboxing can be bypassed https://mjg59.dreamwidth.org/42320.html 
[14:38] <ogra> one massive difference to debs is that deb installation gives the packager full root access to your system ... this is not possible wih snaps 
[14:38] <movo> anyone correct me if i am wrong... Wayland is supposed to fix this..
[14:38] <ogra> so debs actually *require* that kind of caution
[14:38] <ogra> yes wayland is fixing this and as i said, default by 22.04
[14:40] <movo> still if i am using say an image editor snap whatever data that accesses is compromisable (if it has access to my home folder it has access to all my files, emails, browser history etc)
[14:40] <Aim> I think I'm going to try and stick with software in the main repos whenever possible, but grab a snap/flatpack when I need something that is too outdated in the main repo next install, instead of adding ppa repositories
[14:40] <Aim> that should keep things really stable, since everything is either supported or a snap/flatpack..?
[14:41] <movo> PPAs are fine if you verify the author.. such as if it is by the original developer or ubuntu developer
[14:41] <movo> snap/flatpaks probably wont ruin your system... true.
[14:41] <Aim> well, I handled them badly, and now have a horrible dependency mess.  This is admittedly due to me handling my repos poorly
[14:43] <ogra> movo, wrong .. a snap does not have access to your emails, browser hstory or any app settings it does not own ... see above ... the home interface does not allow access to hidden files ... so if you dont use a browser that stores your histroy in clear text as ~/history on your home dir there is no way
[14:45] <Aim> Interesting, I didn't realize putting a period before file names/directories actually change their security
[14:45] <ogra> well, it just makes the file hidden in gui tools 
[14:45] <ogra> snaps use that fact to recognize these files as "nt for me"
[14:46] <ogra> *not
[14:46] <ogra> (or rather the kernel does and tells the snap it cant access them)
[14:46] <movo> ogra, i stand corrected... that is a very good feature...  still there are files in home folder that could compromise confidentiality
[14:46] <ogra> sure
[14:47] <ogra> but if you are concerned you can always disconnect the home interface for that suspicious snap
[14:47] <ogra> and use the app via the per-app home in ~/snap/<snapname>/current/
[14:48] <movo> chrome web store, play store, all have excellent sandboxing yet 99% of their apps/addons i dont feel confident installing. my point is sandboxing isnt a replacement for code review. 
[14:49] <ogra> well, if you have an actual secure snapdbox and defined and controlled interfaces to grant exceptions it does 🙂
[14:49] <ogra> *snapdbox ... haha 
[14:49] <ogra> sandbox indeed
[14:49] <movo> and i fear linux ecosystem is moving away from it.. debian reviews their repos, and debian-based distros benefit. ubuntu does.. snapcraft may do it ( i have to look into it how much they do) ... what about Arch, Fedora/Red Hat, NixOS, Flatpaks, etc.. 
[14:51] <ogra> well, flatpaks leave the whole security to the packager and have no upload reviews AFAIK
[14:51] <movo> still sandboxing wont protect from say analytics, phoning home and similar privacy concerns unless they also firewall
[14:52] <ogra> snap disconnect <snapname>:network ... 
[14:52] <ogra> yu can prevent them 
[14:52] <movo> ogra... ah thats unfortunate. i didnt know this... 1 point to snap over flatpaks...
[14:52] <ogra> but yeah, network is typically granted by default 
[14:52] <movo> I hear AUR scripts you can at least read and see what they are doing exactly... fetching code from which sources etc.
[14:54] <ogra> well, to the rescue of flatpaks i think you are always forced to publish your packaging code 
[14:54] <ogra> so there *can* be reviews
[14:54] <ogra> but unlike snaps flatpaks do not generally have the "locked down by default" rule
[14:55] <ogra> (AFAIK ... i'm not doing anything wth flatpak so take my knowledge with a grain of salt)
[15:01] <movo> oh so thats like AURs if i am correct (dunno, never used either)
[15:01] <ogra> same here ... 
[15:01] <ogra> ss ... probably ... 😛
[15:02] <movo> still anytime the publisher can push a malicious update and if you are on auto-update you are screwed. 
[15:02] <ogra> */ss/s👋
[15:02] <ogra> *so
[15:03] <movo> open source sounds good in theory but only if someone reads the actual code every update.. only debian does that afaik... (dunno about red hat)
[15:04] <ogra> well, you cant *just enable* any powerful interface in a snap that has not been granted before ... even a subsequent upload will go into manual review 
[15:06] <movo> chrome apps are a perfect example. technically code is opensource since its javascript. even if you trust the author... someone can purchase the rights to the code from original author and push malicious updates. this HAS HAPPENED in chrome and in android play store
[15:07] <movo> If you have a popular addon or app there are always shady parties willing to buy it
[15:07] <movo> g2g bbl... 
[15:08] <movo> ogra thanks for info on snaps... i had mostly written them off but you have convinced me to give them a revisit..
[15:09] <ogra> if you have actual technical questions, there is #snappy ... and forum.snapcraft.io 
[15:09] <ogra> (or any doubts around security etc)
[15:11] <movo> i will check them out since i have some questions
[15:15] <movo> Mozilla uses to review and vouch for all the addons in their marketplace but now they do it only for a subset of addons (probably due to their financial situation). At least they warn you when an addon has not been reviewed. Something that snaps and flatpaks dont do satisfactorily afaik. Snaps has that little asterix for official authors tho.. thats nice..