Originally posted by moonwalker
View Post
Announcement
Collapse
No announcement yet.
Ubuntu 24.10 To Enhance Snap Permissions Handling
Collapse
X
-
Last edited by IverCoder; 12 September 2024, 07:19 AM.
- Likes 2
-
Mmm... but if I get it right, that 'flatseal' program has nothing to do with this. That is only a manager of coarse permissions ("allow/deny access to the desktop folder", "allow/deny access to the Documents folder"...). This is different: here, when the snap tries to access a folder, it asks you what you want to do: allow it only now, allow it always, deny it now, deny it always... That allows for more fine-grained permissions.
- Likes 1
Comment
-
Originally posted by IverCoder View Post
You should look into hosting an internal Flatpak repo instead, it's also easy to integrate Flatpak into your CI. It also comes with the benefit over system packages that it is guaranteed to work on all distros consistently (not just Ubuntu), even on exotic desktops like NixOS, or non-systemd and non-glibc distros. Plus if your customers want good security measures and least-privilege sandboxing, developing your app to target XDG portals is the easiest way into that (and is something you must do for all Linux apps nowadays regardless of company requirements). If it needs low-level system access outside the Flatpak sandbox, then for most cases you can use flatpak-spawn.
People, please, please don't get ahead of yourself suggesting solutions to other people's problems without first making 100% certain you actually understand what the problem is. It'll help you in your careers, and will save the frustration both to you for your solutions being dismissed, and to other people for not being heard. The same rule applies just as well outside of technical issues, in interpersonal relationships. If you're not 100% sure you're actually addressing the right problem - ask questions first, seek to understand. Please.
- Likes 1
Comment
-
Originally posted by royce View Post
Total security is impossible. The most you can do is make it harder for hackers to break in. The methods you describe above are pretty exotic, and very hard to pull off, and impossible on many embedded systems because they lack the hardware you mention. So yes, air-gapping does offer an extra degree of security.
- Likes 2
Comment
-
Originally posted by krzyzowiec View Post
They don't interrupt anything on Ubuntu. The way they work is that while you have the application open, it won't update, but then it will if you close it or reboot the system.
For this reason nowadays offline updates or reboot in case among the updates there is the kernel, but still session reboot are encouraged.
Regardless, updates take away system resources and if I'm doing heavy work I don't want the system to update, also what's the problem with clicking on a button that says update after you've had the notification?
Comment
-
Originally posted by qarium View Postthere is a difference between linuxfoundation and ubuntu in case of linuxfoundation it is only money from microsoft but the managment is not in their hand..
with ubuntu it is different the complete managment of ubuntu is in hand of these microsoft evil people.
ROTFLMAO, now that's a good one.
Unless of course you actually believe this, in which case it's really sad.
Originally posted by qarium View Postyou claim you have a cyber security university degree then please explain this to me:
The company has decided not to extend these updates to its Ryzen 1000, 2000, and 3000 series processors or its Threadripper 1000 and 2000 models.
you claim in your writing that it is impossible to hide a virus on my system who could survive a full disk format...
i have a threadripper 1920X this means ZEN1 cpu architecture this means my cpu has the sinkclose vulnerability and zen1 and zen1+ and zen2 will never get a bios/uefi update with updated microcode.
this means as soon as someone has root access at kernel level he can use sinkclose to install a virus who can in fact survive a full disk format.
but you know what you talk here is older story it was about a vulnerability in the language pack of Firefox119
it used a chain of vulnerability from firefox119 as entry point over a glibc root exploit to get root access at kernel level and then it used the LogoFAIL vulnerability to install a poisoned /boot/efi/logo.jpg to be able to install a virus who did in fact survive a full disk format.
because of that story you sophisticles did post the poisoned link to the webserver who did this ity pretty sure my systems are trash and i have to buy a new system.
sinkclose will never get patches of my threadripper 1920x system and i am pretty sure the attackers did know sinkclose as well means they did not only use LogoFAIL they of course installed a trojan horse by sinkclose as well.
I'm going to try and help you.
Any time you get thoughts like the ones you just expressed, just tell yourself that you are not that important, no one cares about you and that in the grand scheme of things you are inconsequential.
Attempt to apply some logic to the situation.
If you really believe that a TR 1920X running a fully updated Fedora install can be compromised in the manner you describe, then why would you use either one of them, especially if you really believe that you are being targeted for being a dissenter?
If you must use a computer why not make the attack vector as small as possible, buy a M3 iPad Pro or a Qualcomm powered laptop that runs LFS and be as safe as possible.
Or don't use a computer at all.
It just doesn't make any sense, if you really believe the scenario you have described then logically Fedora and AMD' TR would be the last thing you would want to use.
Comment
-
Originally posted by qarium View Post
their idea that a airgrapped system is secure is really naive.
wikipedia is full of hacks and possibilities to break the air-gap...
"Circumvention measures Since November 2013, scientists have shown that air gaps can be tricked using various methods. They can be overcome using covert acoustic networks.[3][4]
A computer's graphics card can also be used to generate a radio signal.[5]
The air gap can even be overcome by temperature changes.[6]
Information can also be spied on via GSM devices (such as mobile phones).[7]
Small amounts of data can also be transmitted using the noise of a hard disk read/write head[8]
Another point of attack is optical transmission via manipulated hard disk activity indicators or other LEDs that are visible from the outside[9] The processor of a PC can be used to emit radio waves.[10] Network cables can also be used to generate radio signals.[11]"
how exactly can people claim that air gap alone is enough as security messurment and such systems do not need security updates...
if you can deliver security updates to air gap systems with .deb and .rpm and flatpak and the same task is not possible with snap then of course snap is a security disaster.
In the hands of someone with experience and no psychological issues knowledge is a good thing.
But in the hands of a person that suffers from paranoia, knowledge is a bad thing, especially when that person lacks the experience and formal education to understand the difference between theory and practical.
All the things you linked to above require a scenario that only exists in a lab setting.
A true airgapped system is in a room by itself, and the only people that use it are the people that are authorized to use it.
One of the supposed compromises requires the attacker to be within 3 meters, 10 feet, of the computer. If an unauthorized person is with 10 feet of an airgapped computer, you have bigger problems than the computer being hacked.
Everything you posted requires that security already be compromised, at which point the attacker can take whatever he wants.
Comment
-
Originally posted by moonwalker View Post
The reason I "decided to be so anal about the specific way of delivery" is one word - scale. It has to work at a very large scale, combined with potentially very stringent security requirements.
- Likes 2
Comment
-
Originally posted by Espionage724 View PostI want stability with a desktop; Ubuntu provides that. Fedora's only interested in chasing upstream, which broke GNOME for me since F38 or F39, and still F40 last month.
FreeBSD's where it's at now without the nonsense of systemd as an init being able to leak past OS VPNs with its own DNS, and being able to make the decision to use Xorg without prejudice
i used debian for a desktop for decades its a lie that you need ubuntu for that.Last edited by qarium; 12 September 2024, 07:41 PM.Phantom circuit Sequence Reducer Dyslexia
Comment
Comment