openSUSE Tumbleweed Trying Out systemd-boot & systemd Full Disk Encryption
-
Originally posted by evert_mouw:
I also don't like the new direction that much. BSDs become attractive, heck, maybe Haiku for my desktop needs, but to be honest, Linux has the best driver support (by far). One could consider Slackware as a temporary holdout.
- Likes 1
-
Originally posted by dremon_nl:
Both SD-boot and GRUB2 support booting with FDE and LUKS2.
See the warning here:
So the bug is still open:
So pretty much every tutorial or answer out there warns you and tells you to use LUKS1 instead of LUKS2 if you really want FDE (which means actually the full disk, not leaving the /boot partition outside).
There are even videos out there showing that it's possible to change stuff in the /boot partition to make a small spyware that captures and saves on disk the password entered, if you leave the /boot partition outside.
I think it's enough that we have the EFI partition outside and that's probably impossible to fix.
- Likes 2
-
Originally posted by Danny3:
GRUB2 doesn't!
See the warning here:
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Preparing_the_block_devices
So the bug is still open:
So pretty much every tutorial or answer out there warns you and tells you to use LUKS1 instead of LUKS2 if you really want FDE (which means actually the full disk, not leaving the /boot partition outside).
There are even videos out there showing that it's possible to change stuff in the /boot partition to make a small spyware that captures and saves on disk the password entered, if you leave the /boot partition outside.
I think it's enough that we have the EFI partition outside and that's probably impossible to fix.
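The Arch wiki warning linked above is about key derivation: a stock GRUB (2.06) can only unlock LUKS2 keyslots whose PBKDF is PBKDF2, while cryptsetup creates LUKS2 keyslots with Argon2id by default, so an encrypted /boot that was set up with defaults fails at the bootloader. This added example, which is not code from the thread, cryptsetup or GRUB, parses `cryptsetup luksDump` output (a constructed sample is embedded) and reports which keyslots GRUB could open; the "PBKDF2 only" assumption is stated in a comment.

```python
import re

# Constructed sample of `cryptsetup luksDump` output for a LUKS2 header (not a real device).
SAMPLE_DUMP = """\
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        PBKDF:      pbkdf2
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
"""

# Assumption (see lead-in): stock GRUB 2.06 can only evaluate PBKDF2 when unlocking LUKS2.
GRUB_SUPPORTED_PBKDF = {"pbkdf2"}


def keyslot_pbkdfs(dump: str) -> dict[int, str]:
    """Map keyslot number -> PBKDF name, reading only the 'Keyslots:' section.

    The 'Digests:' section also says 'pbkdf2', so a plain grep for that word would
    report a GRUB-openable slot even when every keyslot actually uses Argon2.
    """
    result, section, slot = {}, None, None
    for line in dump.splitlines():
        header = re.match(r"^(\w[\w ]*):\s*$", line)  # unindented "Keyslots:", "Digests:", ...
        if header:
            section, slot = header.group(1), None
            continue
        if section != "Keyslots":
            continue
        if m := re.match(r"^\s+(\d+): luks2\s*$", line):
            slot = int(m.group(1))
        elif (m := re.match(r"^\s+PBKDF:\s*(\S+)", line)) and slot is not None:
            result[slot] = m.group(1).lower()
    return result


def grub_openable_slots(dump: str) -> list[int]:
    """Keyslots a stock GRUB could unlock; an empty list means an encrypted /boot fails at boot."""
    return sorted(s for s, kdf in keyslot_pbkdfs(dump).items() if kdf in GRUB_SUPPORTED_PBKDF)
```

Feed it the real output of `cryptsetup luksDump /dev/<device>` to check a volume before moving /boot inside it; a slot re-keyed with `cryptsetup luksConvertKey --pbkdf pbkdf2` then shows up as openable.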
-
Originally posted by Ananace:
In the case of IDEs and Firefox in particular, I've found that just creating a firefox script in PATH (~/.local/bin in my case) that launches the Flatpak has been enough for all those tools to work as expected, though I had to drop in geckodriver into the system path for Selenium to work properly.
Originally posted by hyperchaotic:
Yeah, Tumbleweed is amazing and openSuse is underrated in the community. It's the only rolling distro I want to use. It comes with good defaults out of the box and can be customized/handled like any Linux distro if need be. I never used Yast, I just do what I always did. Slowroll also looks promising for people who just want to get work done, but it may not be ready just yet.
-
The thing I really don't get is, ok, yeah, you can operate a local DNS cache where you resolve stuff and keep the entry in cache for however long your cache wants to wrt. the TTL or whatever.
But that's not all that scalable wrt having a local independent facility for not just things you've recently used but things you MIGHT / WILL use.
Why isn't there either something monolithic like a zone database snapshot where anyone can download the relevant TLD / root server's view of ".com", ".org", whatever as a whole (nicely compressed or whatever for transfer efficiency as desired) OR some more granular thing like feed in a SQL query or whatever REGEX / filter makes sense and some tailored DNS DB gets sent back to your site with just the information one has requested?
Obviously the results / data could be sharded by usual means of CDNs, torrent, mirrors, delegates, recursive / proxy resolving servers, whatever.
Yeah sure I know DNS records can change often like 30 minutes or whatever time but there's already the TTL for that so one could react accordingly or maybe (if possible) make some "if modified since X timestamp" query to a favorite resolver and just get back ACK,EOT if nothing's updated.
I guess one can manually make a list of the last 10,000 DNS resolutions one has done and have a caching server try to keep those "hot" for failure tolerance, but it seems wasteful to not be able to bulk-query to fill a desired cache efficiently.
Originally posted by F.Ultra:
I hope that your post gets some light shined on the issues that you are experiencing so that they get fixed, however just wanted to comment on the last thing in your post:
It's not only for some nice use case, it's a caching resolver, aka it caches the dns replies locally so that you don't have to send out an external DNS request every single time you want to make a connection. Not only will it decrease connection latency, but it will also enable you to make connections even in the event the external DNS server is down.
-
Agreed, I appreciate opensuse tumbleweed as well!
The FDE / systemd / grub related limitations present in recently historical versions are a pain point but it sounds like these are getting ameliorated by the aforementioned changes cited in this article, so I'm looking forward to that!
The only other things I've noticed as friction are the lack of some packages in the official repos (e.g. things I'd have expected to find packages for in debian/ubuntu) that weren't there, or having to install non-repo third party packages directly and then having anxiety about how those dependencies' versions would interact poorly with the fast rolling tumbleweed package versions for libraries and stuff over time when you want the 3rd party package install not to break but you don't want to inhibit / break the rest of the system's update-ability either.
And VFIO's a big pain but that's not different than other distributions I've tried, though some could work to make some common use cases better supported / automated by a simple UI option.
IDK if there's a UI for changing the FDE/LUKS configuration & secrets vs. all / any volumes on the system but that has seemed a little lacking too (the CLI works but changing some password / token association with a given partition / volume is a pretty common need where I'd have thought there'd be a simple WYSIWYG tool).
Originally posted by CTown:
I know in MicroOS the recommended way to install stuff is Flatpak and Podman. However, how do people with IDEs use a system like this? Let's say your IDE needs to be able to find Firefox and a few other dependencies; how does that work with the sandboxing? Do developers just avoid transactional distributions?
edit: I would also like to declare my appreciation for Tumbleweed. The other day I found my laptop that I haven't used in two years (Macbook Pro 2012). Upgraded from September X, 2021 to December Y, 2023 (I forgot the exact dates). Even wifi with its awful Broadcom chip worked fine. I read no release notes first (unlike when I used Arch like 5 years ago.)
Flatpaks and Pipewire have seriously changed the way I use my OS.
Just yesterday I realized I can change Bluetooth profiles from the GUI. I installed a Zoom flatpak and sharing a specific screen OR application just worked. The microphone and video camera just works. 2023 was the year it takes no computer knowledge to use Linux.
- Likes 1
-
Not that it matters ad hoc if you've found the cause, but I'll mention what MIGHT be useful besides the resolver syslogs et al.
IDK the exact usage support / models wrt. DNS slowdown / failure scenarios, but I'd HOPE something as glaring as an N-second DNS resolution delay blocking a page would be blindingly obvious in whatever diagnostic / network performance console logs & metrics your browser might supply, q.v. below.
The browser & resolver logs might at least point to some reproducible, regression-testable specific pages / domains / something that could be used to help confirm presence / resolution of the error case anyway.
Originally posted by user1:
I don't know if you've actually read my Reddit post, but I'll just say this: I have a fairly conventional setup - just a regular desktop PC connected directly to the router via ethernet cable. I don't use Wi-Fi, VPN, or any other exotic stuff and I also never mess with my internet settings. For years I was experiencing insane slowdowns with website loading on distros that enable systemd-resolved by default (Fedora and Ubuntu). I didn't know what was causing them until I found out that they were caused by the "Using degraded feature set" Github issue I was talking about in my previous comment. I don't experience these slowdowns on Windows and on other distros that don't use resolved. I might be blunt, but if resolved fails to function properly under such conventional internet configuration that I have, then sorry, but it is a dumpster fire.
Remember, that's not the only open issue for a long time that seriously needs attention and people also experience other issues with it under different circumstances.
-
I believe it does.
I think a sufficiently new grub also supports LUKS2 partition boot with encrypted /boot, though there's a caveat mentioned about other possibly related limitations vs. LUKS2 per se, q.v. the grub / LUKS2 related sections in the below opensuse related article:
Here's one OpenSUSE article that may be of interest / relevant:
And re: FIDO2 token support on various distributions to the extent it may matter:
Update: The dracut configuration has been updated and now udev consistently recognizes the YubiKey in the initramfs. Unlocking LUKS encrypted drives with a YubiKey has been supported since systemd …
Originally posted by Danny3:
Does systemd-boot support booting from LUKS2 partitions?
I mean really FDE, where the /boot partition is inside and encrypted too?
Because GRUB developers don't seem to give a crap about that and only LUKS1 is supported.
Anyway, nice to see that openSUSE developers really take privacy and security seriously!
Congrats to them!
-
Originally posted by pong:
The thing I really don't get is, ok, yeah, you can operate a local DNS cache where you resolve stuff and keep the entry in cache for however long your cache wants to wrt. the TTL or whatever.
But that's not all that scalable wrt having a local independent facility for not just things you've recently used but things you MIGHT / WILL use.
Why isn't there either something monolithic like a zone database snapshot where anyone can download the relevant TLD / root server's view of ".com", ".org", whatever as a whole (nicely compressed or whatever for transfer efficiency as desired) OR some more granular thing like feed in a SQL query or whatever REGEX / filter makes sense and some tailored DNS DB gets sent back to your site with just the information one has requested?
Obviously the results / data could be sharded by usual means of CDNs, torrent, mirrors, delegates, recursive / proxy resolving servers, whatever.
Yeah sure I know DNS records can change often like 30 minutes or whatever time but there's already the TTL for that so one could react accordingly or maybe (if possible) make some "if modified since X timestamp" query to a favorite resolver and just get back ACK,EOT if nothing's updated.
I guess one can manually make a list of the last 10,000 DNS resolutions one has done and have a caching server try to keep those "hot" for failure tolerance, but it seems wasteful to not be able to bulk-query to fill a desired cache efficiently.
- Likes 1