“Difficult to recover from” was referencing setting all of your accounts back up. I should have also included “lost” and “broken” to make that more obvious. Many hardware (most? all?) passkeys do not allow for backup and restore.

But I do see an issue with stolen hardware passkeys being used for access too if they’re a primary factor. With the mitigations you mentioned hopefully holding up.

They will almost certainly lead to vendor lock in. Why do you think they won’t? Apple’s password manager is definitely an example of vendor lock in. Many others have a simple to use export feature to CSV or something that others can understand

Edit: it could be that you don’t know what the WebAuthn/FIDO2 specification says or we understand it differently? Do you know how the attestation mechanism works? That ties the key to a device or software authenticator (the software authenticator is likely going to tie it to the device somehow, possibly even via a TEE).

There is no full stop there… A password that is sufficiently long will never be cracked no matter the hashing algorithm in use. Passwords are easily transferrable and can be communicated to a third party in the event of an emergency. They also provide tunable security, where you can trade off security for convenience if you want.

Some (not all, I know) passkeys are tied to a device. Stolen device means stolen passkey, and it’s potentially very difficult to recover from that. Passkeys are also locked to a certain standard, passwords have no such restrictions.

Tbh I don’t understand the move for passkeys replacing passwords. They should become the second factor when a user wants additional security. They’re perfect for that niche.

I’ve used Fedora for ages and it has never forced a reboot.

Would you prefer a long winded explanation of which services need to be restart and what it means that your kernel version was updated along with a description of kexec and when/how to use it? I think it makes more sense to recommend a reboot and let people who know those lower level details do as they please.

Logging in as the root user hasn’t been the way to “be root” on Linux systems in decades. sudo/doas/whatever are there for that purpose and you can use those to set a root password if you want. This isn’t ironic at all and you have full control of your system.

We seem to have a very different view of the discussion of “open source” and “open source models” above. I don’t entirely see how you arrived there, but that’s OK. I don’t think I took it on a tangent at all. No biggie I guess it’s just a forum.

Does that actually match with the discussion in your opinion? The discussion about building open source projects? Does the information I provided not help in understanding my response?

Are you being serious or just trying to be pedantic…?

I don’t follow CVEs: when was the last time a remotely exploitable kernel bug was a concern? Ignoring the fact that this is a home server and they likely care about uptime a lot more than exploitation on their LAN.

Generally I expect kernel bugs to be LPEs so updating user space would probably be sufficient for most home servers

I agree, but given the context of the discussion and the commonly accepted definition of Linux from Scratch, what else do you think they could have meant other than building a complete Linux based operating system from source?

The average person wouldn’t be building an open source LLM either. I don’t think I follow. I was just saying that your comparison wasn’t going to hit correctly at all due to how easy it actually is to build Linux and a full Linux distribution.

… Then why did you use it as an example?

It’s mad easy to build your own Linux from scratch in comparison to building an LLM. You can have your own distro running in like an hour. With buildroot you can have it in even less than that.

Yea, it doesn’t matter too much in most instances, but there are times when it might, especially if the URL itself has some meaning embedded in it. For example if part of the path is a SHA sum of some content, which is fairly common, it might be bad to allow someone to determine if that resource exists

I pretty much always recommend throttling. It’s a very low severity issue generally, but of course it depends on the product. There might be some products where it is a very big deal

Yea that made me laugh; I just updated my resume from LaTeX to typst a few months ago actually

What I think though is that it’s particularly hard on Linux to fix programs, especially if you are not a developer (which is always the perspective I try to see things from). Most notable architectural difference here between f.e. Windows and Linux would be how you’re able to simply throw a library into the same folder as the executable on Windows for it to use it (an action every common user can do and fully understand). On Linux you hypothetically can work with LD_PRELOAD, but (assuming someone already wrote a tutorial and points to the file for you to grab) even that already requires more knowledge about some system concepts.

You’re not even realizing how advanced of a user on Windows you have to be to realize that putting a DLL in the correct directory will make that the library used by the program running from that directory. Most users won’t even know what a DLL is. Also I work in security professionally and I’ve used this fun little fact to get remote code execution multiple times, so I don’t see how it’s a good thing, especially when you consider that Linux’s primary use case is servers. You can do the exact same thing on Linux, as you said, it’s just opt in behavior. If you are knowledgeable enough to know what a DLL is and what effects placing one in a given folder have, you’re knowledgeable enough to know what a shared library is and how to open a text editor and type LD_LOAD_PATH or LD_PRELOAD. I don’t buy this argument at all.

Linux Desktop is predominantly a volunteer project. It is not backed by millions of dollars and devs from major corporations like the kernel or base system. It is backed by people who are doing way too much work for free. They likely care about accessibility and people using their project, but they also care about the myriad of other issues that they face for the other 90+% of their user base. Is that hugely unfortunate? Yes, it sucks. I wish there was money invested in Linux as a desktop platform, but compared to macOS and Windows it’s fair to say there is a rounding error towards $0.

This is not semantics at all. You earlier say that Linux not having a stable ABI is the cause of a ton of problems.

This shit is the exact reason Linux doesn’t just have ridiculously bad backwards compatibility but has also alienated literally everyone who isn’t a developer, and why the most stable ABI on Linux is god damn Win32 through Wine.

Android doesn’t make any more Linux ABI guarantees than anyone else: because it’s using the Linux kernel. I can easily compile a program targeting a generic aarch64 with a static musl C and run the binary on Android. So no, it isn’t semantics, it is good proof that you’re not correct in claiming that Linux ABI stability is terrible. Maybe you’re using the term “Linux ABI” more loosely than everyone else, but that’s not “just semantics”, the Linux ABI is a well defined concept and the parts of it that are stable are well defined.

Life is Strange: Before the Storm shipped with native Linux support back in 2017. That was a different era - glibc 2.26 was current, and some developers made the unfortunate choice of linking against internal, undocumented glibc symbols.

The very first line of your blog post that you shared. That has nothing do do with Linux ABI stability, or honestly even glibc ABI stability, if you’re going to use symbols that are explicitly internal you can’t get annoyed when they change…? That’s a terrible example.

Adobe still shipped CS6 until 2017, so it’s 9 years old. That’s not particularly ancient, and it’s backed by… well Adobe. They have a bit of money. [EDIT: https://helpx.adobe.com/creative-suite/kb/cs6-install-instructions.html actually it’s still available on their site so… I wouldn’t expect any issues]

Did you run Total Annihilation through Steam? I found this link https://steamcommunity.com/app/298030/discussions/0/1353742967805047388/ and people even had to modify things that way. It’s very impressive that it runs at all and yes, Windows is most definitely the king of backwards compatibility. Or at least it used to be, I’m happy to know very little about modern Windows, and it’s definitely not backwards compatible with hardware…

The person who wrote the “filtered out comment” was batshit crazy and clearly didn’t even know what they were talking about. “Stable ABIs are what lead to corpo-capital interests infecting every single piece of technology and chaining us to their systems via vendor lock-in” is one of the most nonsense statements I’ve read on Lemmy. I wish I had more downvotes available.

It’s important to remember that the Linux kernel has millions of dollars and full time devs from companies like Google and Microsoft working on it. The Linux Desktop space does not have that. Like at all. Linux Desktop is predominantly a volunteer project. Valve has started putting money into it which is great, but that’s very recent.

Android

Android is Linux! You’re running your decades old software, on Linux. What was the last completely unmaintained binary that you pulled on Windows and ran (with no tweaking) and the last one that failed on Linux?

Why do you keep sharing that link instead of this one? https://fireborn.mataroa.blog/blog/i-want-to-love-linux-it-doesnt-love-me-back-post-4-wayland-is-growing-up-and-now-we-dont-have-a-choice/ The one where the same person you’ve been posting says clearly people are working on accessibility and things are improving?

Have you considered joining the community and working with it – like the author of the blog that you keep sharing – instead of trying to insult every one who works on it and calling it a disgrace?

Running 20 year old binaries is not the primary use case and it is very manageable if you actually want to do that. I’ve been amazed at some completely ancient programs that I’ve been able to run, but I don’t see any reason a 20 year old binary should “just work”, that kind of support is a bit silly. Instead maybe we should encourage abandonware to not be abandonware? If you’re not going to support your project, and that project is important to people, provide the source. I don’t blame the Linux developers for that kind of thing at all.

devs are often being discouraged from compiling tools in a way that makes them work forever (since that makes the app bigger and potentially consume more memory)

This is simply not true. If you want your program to be a core part of a distribution, yes, you must follow that distribution’s packaging and linking guidelines: I’m not sure what else a dev would expect. There is no requirement that your program be part of a distribution’s core. Dynamic linking isn’t some huge burden holding everyone back and I have absolutely no idea why anyone would pretend it is. If you want to static link go for it? There is literally nothing stopping you.

Linux desktop isn’t actively working against disabled people, don’t be obtuse. There is so much work being done for literally no money by volunteers and they are unable to prioritize accessibility. That’s unfortunate but it’s not some sort of hypocritical alienation. That also has likely very little to do with the Linux kernel ABI stability like you claimed earlier.

But this idea that “finally we have people that want Linux to work” is infuriating. Do you have any idea how much of an uphill battle it has been to just get WiFi working on Linux? That isn’t because the volunteer community is lazy and doesn’t want things to work: that’s because literally every company is hostile to the open source community to the point of sometimes deliberately changing things just to screw us over. The entitlement in that statement is truly infuriating.