Nearly 100 bodies recovered under Al-Shifa hospital in Gaza; UAE-backed separatists claim control of southern Yemen
cross-posted from: lemmy.ml/post/40114112
Civil Defense teams recover 98 additional bodies of people trapped under the rubble of Al-Shifa hospital. A new report estimates the Gaza genocide has produced over 60 million tons of rubble in Gaza. Tony Blair appears to be out as the prospective head of Trump’s “Board of Peace.” The Israeli government to allocate an additional $843 million to West Bank settlements. Israeli warplanes strike southern Lebanon. Israeli National Security Minister Itamar Ben-Gvir and other party members wear a noose on their lapels to signal support for legislation that would allow for lynching Palestinian prisoners. Chairman and CEO of Paramount Skydance David Ellison launches a hostile takeover bid for Warner Bros. Discovery backed by Jared Kushner. The National Defense Authorization Act (NDAA) would force the U.S. to make up for any deficits in weapons sales caused by boycotts of Israel, Zeteo reports. The Supreme Court seems ready to green-light Trump’s firing of independent bureaucrats. President Donald Trump says the U.S. will place five percent tariffs on Mexico to rectify a water dispute. Sudan’s Rapid Support Forces seizes an oil field in west Kordofan. Yemen’s Southern Transitional Council claims control over south Yemen. Honduras AG issues a warrant for the arrest of a former President pardoned by Trump. A government airstrike in Myanmar kills 18. Fighting breaks out between former allies in eastern Congo.
Drop Site Daily: December 9, 2025 (Drop Site News)
Zarah Sultana: Lammy claim he did not know about Palestine Action hunger strikers is a ‘lie’
cross-posted from: lemmy.ml/post/40113504
Published date: 9 Dec 2025 16:18 GMT
In footage posted on Instagram, Lammy is seen telling campaigners and the strikers’ families that he did “not know anything” about the prisoners’ cases. “I’ve written to David Lammy, so the fact he’s saying he doesn’t know about this is a lie,” Sultana told Middle East Eye.
In the video, Shahmina Alam, the sister of one of the strikers, confronted Lammy, saying that he and the Ministry of Justice had failed to respond to a letter alerting them of the planned strike and outlining the participants' demands.
British MP Zarah Sultana has said that Justice Secretary David Lammy “lied” when he claimed he did not know about the eight Palestine Action-linked prisoners currently on hunger strike. (Katherine Hearst, Middle East Eye)
Two US fighter jets circle Gulf of Venezuela in escalation of hostilities
Roque Planas
Tue 9 Dec 2025 21.37 EST
Two US fighter jets circled the Gulf of Venezuela on Tuesday, in what appeared to be an escalation of the Trump administration’s ongoing hostilities toward the South American country and its leftist leader, Nicolás Maduro. Venezuelans and South American media followed the flights in real time using websites like FlightRadar24, which showed a pair of F/A-18 Super Hornets flying together into the narrow Gulf of Venezuela for about 40 minutes. The jets flew just north of Maracaibo, Venezuela’s most populous city.
Trump had further said Nicolás Maduro’s ‘days are numbered’ as military has targeted alleged drug boats. (Roque Planas, The Guardian)
In other news, “Yeah, this is probably not a good thing”.
Can't get past the cookie-banner...
For me, cookie banner just won't go away...
Police conclude investigation into crash that killed 4 students and teacher from Walkerton, Ont.
Sounds like a reasonable case to make the intersection a 2-way stop and allow the hill side of traffic to take priority.
At the very least there should be more signage warning of the stop.
How Corporate Democrats Made Trump Possible: A 10-Year Timeline
Saving the country from autocracy requires recognizing—and then overcoming—the chokehold that Democratic leaders have on the party. (Norman Solomon, Common Dreams)
Konsole now prompts for passwords and other questions in pop-ups??
I mean, who thought of this as a good idea? I find it rather distracting. I'm trying to SSH into a computer and blam...a massive pop-up blocks me from reading what was before or anything else...just the pop-up in front, blocking text. It has the hidden password text field thing, but this one is to type yes/no to whether to accept the server's cert. I hit enter after typing yes...and blam, another pop-up, this one is for the actual password.
How can I disable these pop-up prompts? I want to be prompted as text, on the konsole main screen, as it always was. I haven't changed anything, because well, this is a brand new install. It started happening on a different computer and found it equally irritating.
Any idea how can I disable this? Thanks so much!
It could be that a recent software update to Konsole, or to the environment variables which configure it, has it now using the ssh-askpass utility to prompt you for passwords. You can configure it to always prompt over the TTY of the parent process that executed the ssh-askpass command.
Google is powering a new US military AI platform
“The future of American warfare is here, and it’s spelled A-I.”
The Department of Defense is announcing its own “bespoke” AI platform, GenAI.mil, and Google Cloud’s Gemini will be the first to be available on the platform. (Jay Peters, The Verge)
UK spending half an hour longer online than in pandemic, says Ofcom
The survey found people in the UK spent on average four hours and 30 minutes online every day in 2025
Canada’s Big Banks are a ‘culprit’ driving housing prices out of control
Canada’s political and media class has spent years chasing convenient villains to blame for the housing crisis, pointing the finger at foreign buyers, immigrants, supply shortages, zoning rules, or an overheated market.
https://breachmedia.ca/canadas-big-banks-are-a-culprit-driving-housing-prices-out-of-control/
Every MP and MLA is a real estate investor and that's what is driving all of this madness. A home used to be a place for your family to live, for generations. Now, it's a quarterly, profit-driven investment.
Homes should be homes, not speculation.
This is not a new thing, access to housing has always been a fundamental mechanism of control in settler colonial states. This was only recognised as a real problem once it affected privileged groups who have experienced enough generational wealth to normalize homeownership.
You're right, most representatives who make our decisions on housing happen to be members of a privileged class which is actively invested in profiting off that control. It does not end at housing, the exact problem with reform in a capitalist system is the link between privilege and material wealth ensures that the interests of capital remain paramount in society.
Government is a bigger player, they are expanding existing metropolises instead of building new metropolises.
Instead of providing incentives for housing in suburbs around Toronto and Ottawa they could increase taxes on those cities to build a new one halfway between them, connect it via high speed rail. Then use the increased taxes in the other cities to offset taxes in the new one.
That’s halfway by road not halfway.
Also Belleville is closer to half on the 401 than Kingston.
Even worse.
To be serious, the new Alto high speed rail line will go through Peterborough. Could be that it helps spur some development there.
The problem with Peterborough is kicking the people out to start building apartments and have no low density housing in the city.
That’s why it must be in an undeveloped place.
As seen in China, it only makes sense to build the city and then move people in. Intermittent building causes inefficiency as you have to build around people and people have to work around building.
Infilling keeps Canada separate and limited. As per the above we have to put the GTA people somewhere while we demo their homes.
If we can string together cities across Canada with rail that has 30 minutes to 1 hour between stops, then it makes Canada function much stronger logistically and much more defensible.
This is an absolutely stupid take, especially considering the rough evidence we can literally see with our own eyes at this point.
Vancouver's housing prices are down ~4% this year, and have been edging down since ~2022. Rents have also been coming down, ever since the liberals reversed their policy on immigration.
"It's the banks!"... bullshit. It was the immigration situation, with 99% of our population growth from immigration, housing supply couldn't keep up, and locals got priced out. House prices and Rent prices have reversed course ever since they massively clipped immigration. We need immigration, of course, but not at the levels that the Liberals had jacked it up to for so long.
Linux audio stuttering when opening separate application, how to prioritise audio when using Linux?
What distribution, DE, browser, etc? Is hardware acceleration enabled? Do you have multiple audio outputs simultaneously enabled?
A bit more detail would be helpful
It's kinda not supposed to happen if your setup is correct.
Most likely reason is too short buffer. And on high CPU load it's just getting overrun. There are legitimate ways to mitigate it in pipewire. And even manage some rt prio things. Arch wiki and pipewire docs should have comprehensive info on how to properly setup things. It can be bit complicated because different sources can have different quantum values. So some can stutter and some not, but it should be all configurable. Pipewire is very good in that regard, just sad I don't see any good tools to manage these values w/o creating/editing configs, so people don't jump into this rabbit hole of research.
Please note that defaults on pipewire should not stutter regularly with a proper interface, my main audio interface performs way above what pipewire sets by default. But I did use different interfaces and some do struggle with default quantum values.
Does it stutter if you open Pavucontrol? I've seen a couple setups where Pipewire stutters when pipewire-pulse is used, as does Pavucontrol.
(In some setups this only happened when the volume indicator is enabled in Pavucontrol and disappeared when it was switched off.)
Run pw-top while you’re having the issue and post the output.
It’s probably a bad default setting that’s setting the buffer/quantum incorrectly.
None of these applications require particularly low latency, so if you're on Pipewire, you can increase min, max and default quantum to something like [1024, 4096]. I have to do this on my N100 laptop and it helps a lot.
pw-top tells you which app uses which quantum too, and often times your machine will slightly struggle with apps that suddenly demand lower quantums and cause stuttering. Increasing the min quantum fixes this issue.
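One way to apply the quantum change from the comment above as a PipeWire drop-in, added here as an example rather than code from the thread. It validates the range before writing anything; the drop-in file name 10-quantum.conf and the 8192 quantum-limit default are assumptions to check against your PipeWire version.

```shell
#!/bin/sh
# Added example (not from the thread): generate a PipeWire drop-in that
# raises the quantum (buffer) range, and sanity-check the values first.
# The keys under context.properties are PipeWire's own default.clock.*
# settings; the file name and the 8192 quantum-limit are assumptions.

# check_quantum MIN DEFAULT MAX
# Returns 0 when all three are positive powers of two, MIN <= DEFAULT <= MAX,
# and MAX does not exceed the default quantum limit (assumed 8192).
check_quantum() {
    for v in "$1" "$2" "$3"; do
        case "$v" in
            ''|*[!0-9]*) return 1 ;;                 # not a positive integer
        esac
        [ "$v" -gt 0 ] || return 1
        [ $(( v & (v - 1) )) -eq 0 ] || return 1     # power of two
    done
    [ "$1" -le "$2" ] && [ "$2" -le "$3" ] && [ "$3" -le 8192 ]
}

# render_quantum_conf MIN DEFAULT MAX
# Prints the drop-in contents, or fails without output on a bad range.
render_quantum_conf() {
    check_quantum "$1" "$2" "$3" || { echo "bad quantum range: $1 $2 $3" >&2; return 1; }
    cat <<EOF
# PipeWire drop-in: larger buffers for desktop use (less stutter, more latency)
context.properties = {
    default.clock.min-quantum = $1
    default.clock.quantum     = $2
    default.clock.max-quantum = $3
}
EOF
}

# install_quantum_conf MIN DEFAULT MAX [DIR]
# Writes the drop-in to DIR (default: the per-user pipewire.conf.d) and
# prints its path. Restart the daemons afterwards, e.g.
#   systemctl --user restart pipewire pipewire-pulse wireplumber
install_quantum_conf() {
    dir=${4:-"$HOME/.config/pipewire/pipewire.conf.d"}
    mkdir -p "$dir" || return 1
    render_quantum_conf "$1" "$2" "$3" > "$dir/10-quantum.conf" || return 1
    echo "$dir/10-quantum.conf"
}
```

After restarting, pw-top should show the affected streams running at the new quantum; if a stream still reports a smaller value, that client is requesting it explicitly and the min-quantum setting is what clamps it.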
AI Surveillance Startup Caught Using Sweatshop Workers to Monitor US Residents
Bombshell new reporting from 404 Media found that Flock, which has its cameras in thousands of US communities, has been outsourcing its AI to gig workers located in the Philippines.
After accessing a cache of exposed data, 404 found documents related to annotating Flock footage, a process sometimes called “AI training.” Workers were tasked with jobs that include categorizing vehicles by color, make, and model, transcribing license plates, and labeling various audio clips from car wrecks.
In US towns and cities, Flock cameras maintained by local businesses and municipal agencies form centralized surveillance networks for local police. They constantly scan for car license plates, as well as pedestrians, who are categorized based on their clothing, and possibly by factors like gender and race.
In a growing number of cases, local police are using Flock to help Immigration and Customs Enforcement (ICE) agents surveil minority communities.
It isn’t clear where all the Flock annotation footage came from, but screenshots included in the documents for data annotators showed license plates from New York, Florida, New Jersey, Michigan, and California.
Flock joins the ranks of other fast-moving AI companies that have resorted to low-paid international labor to bring their product to market. Amazon’s cashier-free “just walk out” stores, for example, were really just gig workers watching American shoppers from India. The AI startup Engineer.ai, which purported to make developing code for apps “as easy as ordering a pizza,” was found out to be selling passing human-written code as AI generated.
The difference with those examples is that those services were voluntary — powered by the exploitation of workers in the global south, yes, but with a choice to opt out on the front-end. That isn’t the case with Flock, as you don’t have to consent to end up in the panopticon. In other words, for a growing number of Americans, a for-profit company is deciding who gets watched, and who does the watching — a system built on exploitation at either end.
The powerful surveillance startup Flock was caught using workers in the Philippines to collate data on US residents. (Joe Wilkins, Futurism)
Had an issue with an update and had no network access after reboot. How many kernels can be available in grub?
Still pretty new to Linux, I'm on Ubuntu Studio 24.04 LTS and had some issues with updates through the updater with errors and so I did sudo apt update/upgrade instead. Something went wrong and had errors, and after a reboot I had no internet access, Ethernet or WiFi, and no options to connect to anything. Running sudo lshw -c network showed unclaimed networks.
In case anyone has a similar issue, I fixed it by:
1. Reboot, spam shift to get into grub
2. Advanced options
3. Recovery mode for the lower number kernel
4. Enable networking
5. Fix broken packages
My question is about number 3. There were 4 kernel options, 2 normal with a recovery for each (I can't remember the specifics but one had 37 and the other 36). I selected recovery 36 as it was the older kernel. Is that amount of options (2 for each kernel) normal or can I create more? Like 37, 36, 35, 34, etc.
I was in panic mode since this PC is for work, and thought it might be nice to have more older kernel options if possible. I've also learned my lesson and am currently running Timeshift.
If the partition where your OS stores boot images at is large enough, you can have practically infinitely many kernels in grub.
Some distros store those in a boot partition. Some store it in the root partition subdir. I don't know about ubuntu tbh.
I once had a 2gb boot partition and I needed to add a graphics stack to the boot image so I could use a touchscreen keyboard during boot to enter a LUKS password. That made a single kernel image over 1gb, so I could only have one...
It's been a long time since I used Ubuntu, but at the time I did I recall running into issues keeping too many old kernels. They were stored in a fixed space folder (or maybe partition?) that was like 100MB and sometimes wouldn't clear out automatically, so I remember this. May not be relevant now, but if it is, space in the storage folder is the limiting factor so you would need to change that. If it IS a partition, then you would need to deal with all that is involved with that.
edited to add that my current OS only stores three or four as well. I have never really dived into it.
The Quest for Reasonably Secure Operating Systems
I never worried on Windows about security as much as I should have, it just so happens I've been lucky to have never been hit with ransomware. By the time...
What I want out of a secure Linux (or BSD) system is full (top-to-bottom) sandboxing of all components to enforce least privilege. I want to learn how to make my own distro (most likely for personal use) which uses strong SELinux policies, in conjunction with syd-3 sandboxing, which seems like the most robust and feature-rich unprivileged sandbox in both the Linux/BSD worlds (also it's totally in safe Rust from what I can tell).
Another thing that I would love to make is a drop-in replacement for Flatpak that is backwards compatible but uses syd-3 instead. It has much better exploit protections than Bubblewrap, and is actually an OOTB secure sandbox. I don't know much about the internals of Flatpak, or how to use xdg-desktop-portal, but I am going to start more simple with a Bubblejail alternative. One major advantage of syd is that you can modify an already running sandbox, so theoretically you could show a popup that says something like "App1 is requesting microphone access.", where you could toggle it on without needing to restart the app.
Need to get better at coding tho lol
SELinux is used on all the Fedora Immutable distros, and the OpenSUSE Immutable distro.
It's actually much easier to do SELinux in Immutable distros in a lot of ways than non-immutable. Especially the bootc-style ones where even more of the system is defined and prebuilt before deployment.
AppArmor is OK, but the whole issue is that you have to know what to throw into it. That's also its benefit, you can focus in the high risk things and ignore the low risk things. It keeps expanding profiles more and more though, and ironically the ultimate destination is everything being under MAC.
Syd3, and gvisor, a similar project in go aren't really sandboxes but instead user mode emulation of the linux kernel. I consider them more secure than virtual machines because code that programs run is not directly executed on your cpu.
Although syd3 doesn't seem to emulate every syscall, only some, I know that gvisor does emulate every syscall.
If you compare CVE's for gvisor and CVE's for xen/kvm, you'll see that they are worlds apart.
Xen has 25 pages: app.opencve.io/cve/?vendor=xen
Gvisor has 1: app.opencve.io/cve/?q=gvisor
Now, gvisor is a much newer product, but it is still a full 7 years old compared to xen's 22 years of history. For something that is a third of the age, it has 1/25th of the cve's.
There is a very real argument to be made that the hardened openbsd kernel, when combined with openbsd's sandboxing, is more secure than xen, which you brought up.
I could use gvisor inside distrobox inside an appVM in Qubes, couldn't I?
Many CVE's for Xen were discovered and patched by the Qubes folks, so that's a good thing...
As for OpenBSD, I thought I mentioned in the blog post that I'm intending to use it as sys-net VM inside Qubes if not as HVM alongside my Linux appVMs, for when I need Linux. The best of both worlds, so to say.
to answer your first question, kind of. Gvisor (by google btw) uses the linux kernels sandboxing to sandbox the gvisor process itself.
Distrobox also uses the linux kernels sandboxing, which is how linux based containers work.
Due to issues with the attack surface of the linux's kernels sandboxing components, the ability to create sandboxing or containers inside sandboxes or containers is usually restricted.
What this means is that to use gvisor inside docker/podman (distrobox) you must either loosen the (kinda nonexistent) distrobox sandbox, or you must disable gvisors sandboxing that it applies to itself. You lose the benefit, and you would be better off just using gvisor alone.
It's complicated, but basically the linux's kernels containers/sandboxing features can't really be "stacked".
sandboxing is not the best practice on Linux… So I’m better off with Qubes than with Secureblue
No, no, no.
It's not that sandboxing is the best practice, it's just that attempting to "stack" linux sandboxes is mostly ineffective. If I run kvm inside xen, I get more security. If I run a linux container inside a linux container, I only get the benefit of one layer. But linux sandboxes are good practice.
I do agree that secureblue sucks, but I don't understand your focus on Qubes. To elaborate on my criticisms let me explain, with a reply to this comment:
> Many CVE’s for Xen were discovered and patched by the Qubes folks, so that’s a good thing…
If you really, really care about security, it's not enough to "find and patch CVE's". The architecture of the software must be organized in such a way that certain classes of vulnerabilities are impossible — so no CVE's exist in the first place. Having a lack of separation between different privilege levels turns a normal bug into a critical security issue.
Xen having so many CVE's shows that it has some clear architectural flaws, and that despite technically being a "microkernel", the isolation between the components is not enough to prevent privilege isolation flaws.
Gvisor having very few CVE's over its lifespan shows it has a better architecture. Same for OpenBSD — despite having a "monolithic" kernel, I would trust openbsd more in many cases (will elaborate later).
Now, let's talk about threat model. Personally, I don't really understand your fears in this thread. You visited a site, got literally jumpscared (not even phished), and are now looking at qubes? No actual exploit was done.
You need to understand that the sandboxing that browsers use is one of the most advanced in existence currently. Browser escapes are mostly impossible... mostly.
In addition, you need to know that excluding openbsd, gvisor, and a few other projects almost all other projects will have a regular outpouring of CVE's at varying rates, depending on how well they are architectured.
Xen is one of those projects. Linux is one of those projects. Your browser is one of those projects. Although I consider Linux a tier below in security, I consider Xen and browsers to exist at a similar tier of security.
What I'm trying to say, is that any organization/entity that is keeping a browser sandbox escape, will most definitely have a Linux privilege escalation vulnerability, and will probably also have a Xen escape and escalation vulnerability.
> The qube with the browser might get compromised, but dom0 would stay safely offline, that’s my ideal, not the utopic notion of never possibly getting attacked and hacked.
This is just false. Anybody who is able to do the very difficult task of compromising you through the browser will probably also be able to punch through Xen.
> not the utopic notion of never possibly getting attacked and hacked.
This is true actually. Browser exploits are worth millions or even tens of millions of dollars. And they can only really be used a few times before someone catches them and reports them so that they are patched.
Why would someone spend tens of millions of dollars to compromise you? Do you have information worth millions of dollars on your computer? It's not a "utopic notion", it's being realistic.
If you want maximum browser security, ~~disable javascript~~ use chromium on openbsd. Chromium has slightly stronger sandboxing than firefox, although chromium mostly outputs CVE's at the same rate as firefox. Where it really shines, is when combined with Openbsd's sandboxing (or grapheneos' for phones).
Sure, you can run Xen under that setup. But there will be no benefit, you already have a stronger layer in front of Xen.
TLDR: Your entire security setup is only actually as strong as your strongest layer/shield. Adding more layers doesn't really offer a benefit. But trying to add stronger layers is a waste of your time because you aren't a target.
I am excited to see Chimera Linux mature because it seems like a distro which prioritizes a simple but modern software stack.
Features of Chimera that I like include:
- Not run by fascists
- Not SystemD (dinit)
- Not GNU coreutils (BSD utils)
- Not glibc (musl)
- Not jemalloc (mimalloc)
- Proper build system, not just Bash scripts in a trenchcoat
What I would like:
- MAC (SELinux)
- Switch to Fish over Bash (because it is a much lighter codebase)
- Switch from mimalloc to hardened_malloc (or mimalloc built with secure flag). Sadly hardened_malloc is only x64 or aarch64
- Hardened sysctl kernel policy
What are the pros/cons of GNU coreutils vs BSD utils?
EDIT : from their website : Desktop environment -> GNOME. What a choice, not for me.
First, I use either Niri or KDE Plasma on Chimera Linux. Both are just an “apk add” away. You do not have to use GNOME. There is even a KDE live image so you do not even have to run GNOME once to install if you do not want.
I really like the BSD utils and have come to prefer them. Well written. Sleek. Well documented. The man pages are a walk through UNIX history. They feel “right” to me.
That said, the BSD userland is frequently a pain when interacting with the rest of the Linux universe. You cannot even build a stock kernel.org kernel without running into compatibility problems. The first time I built the COSMIC desktop on Chimera, I had to edit a dozen files to make them “BSD” compatible.
Sed, find, tar, xargs, and grep have all caused me problems. And you need bash obviously. But bash is no big deal because it has a different name.
The key GNU utils are available in the Chimera repos. But you get files named gfind, gtar, gxargs, gsed, etc. so scripts will not find them.
You often have to either add the ‘g’ to the beginning of utilities in scripts or edit the arguments to work with the BSD versions.
I mean, most things are compatible and I bet most of the command-line switches you actually use will work with the BSD utils. But I would be lying if I did not say third-party scripts are a hassle.
If I could do Chimera all over again, I would make it bsdtar and bsdsed (or bsed maybe) for the BSD versions.
Maybe the regular names could be symlinks with sed pointing to bsdsed by default but you could point it to gsed instead of you want. The system Chimera scripts and tools could use the longer names (eg. bsdsed) instead of the symlinks. The GNU tools could be absent by default like they are now. That would be the best of both worlds. The base system would have the advantages of the BSD tools (like easier builds as outlined on the Chimera site), the system could be GNU free if you want, and you could have a system that actually works out of the box more often with third-party scripts.
It pains me to say this. I would prefer not to use the GNU stuff but the GNU tools are the de facto standard on Linux and many, many things assume them. No wonder UUtils aims for 100% compatibility.
Anyway, even with what I say above, Chimera is my favourite distro. The dev can be a little prickly, but they do nice work.
PATH modification:

```
> type find
find is /bin/find
> type gfind
gfind is /usr/local/bin/gfind
> sudo mkdir -p /usr/local/opt/gnuutils/bin/
> sudo ln -s /usr/local/bin/gfind /usr/local/opt/gnuutils/bin/find
> PATH="/usr/local/opt/gnuutils/bin:$PATH" type find
find is /usr/local/opt/gnuutils/bin/find
```

or in script form:

```sh
#!/bin/sh
# install as /usr/local/bin/gnu-run
# invoke as gnu-run some-gnu-specific-script script-args
export PATH="/usr/local/opt/gnuutils/bin:$PATH"
exec "$@"
```

/usr/local/opt/... is probably not the best place to put this but you get the idea, you can make it work with POSIX tools. I don't know that much about Chimera Linux but I'd be very surprised if nobody has thought of doing this systematically, e.g. as part of a distributable package.
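A systematic version of the shim directory described above, added here as an example and not part of the comment: one function populates a directory of un-prefixed symlinks for whichever g-prefixed GNU tools are actually installed, and another runs a single command with that directory in front of PATH without touching the caller's environment. The SRC_DIR/SHIM_DIR layout is hypothetical; on Chimera the GNU binaries may live in /usr/bin rather than /usr/local/bin.

```shell
#!/bin/sh
# Added example, not code from the thread above: build a directory of
# un-prefixed symlinks (find -> gfind, sed -> gsed, ...) so that scripts
# written for GNU tools can be run with that directory first in PATH,
# while the BSD tools stay the system default. POSIX sh only.
# Hypothetical layout: GNU tools live in SRC_DIR under g-prefixed names;
# the shims are written to SHIM_DIR.

# make_gnu_shims SRC_DIR SHIM_DIR [tool ...]
# Creates SHIM_DIR/<tool> -> SRC_DIR/g<tool> for each requested tool whose
# g-prefixed binary exists. Defaults to the tools the thread reports as
# troublesome. Prints the number of links created.
make_gnu_shims() {
    src=$(cd "$1" 2>/dev/null && pwd) || { echo "no such dir: $1" >&2; return 1; }
    shim=$2
    shift 2
    [ $# -gt 0 ] || set -- find sed tar xargs grep
    mkdir -p "$shim" || return 1
    count=0
    for plain in "$@"; do
        tool="$src/g$plain"
        [ -x "$tool" ] || continue            # no GNU build installed: keep BSD
        # Never clobber a real file in the shim dir; only create/refresh links.
        if [ -e "$shim/$plain" ] && [ ! -L "$shim/$plain" ]; then
            echo "skipping $plain: $shim/$plain is not a symlink" >&2
            continue
        fi
        ln -sf "$tool" "$shim/$plain" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# gnu_run SHIM_DIR command [args ...]
# Runs one command with the shim directory prepended to PATH. Done in a
# subshell so the caller's PATH is untouched (unlike an exec wrapper).
gnu_run() {
    shim=$1
    shift
    ( PATH="$shim:$PATH"; export PATH; "$@" )
}

# which_tool SHIM_DIR name
# Prints the path "name" resolves to with the shims active, so a shim can
# be checked before a third-party script is trusted to pick up the GNU tool.
which_tool() {
    gnu_run "$1" command -v "$2"
}
```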
Thank you for the suggestion. I am ashamed to confess that a temporary PATH variable had not occurred to me.
I first ran into these issues creating package templates. Chimera has a beautiful package build system where packages get built in containers and source code gets downloaded into the container and and built against a clean environment. As you point out, creating a package that creates the symlinks as a dependency (along with the GNU utils) could be a viable approach here. Maybe even just in /usr/local. The GNU utils get installed to /usr/bin in Chimera and the container gets recycled for every new package. The distro would never accept such hacky packages but I can use them myself.
For just generally working in the distro at the command-line, your temporary path idea could work well.
Thanks again. I appreciate it!
Chimera Linux is great. APK and cports are so good I cannot imagine going back to anything else.
Bash is not the default shell though. Chimera uses the Almquist Shell from FreeBSD. Other Linux distros have “dash” which is basically an Almquist variant.
Almquist is lighter than fish and fish is not POSIX compatible.
Bash is available in the Chimera Linux repos of course and is required for many common scripts.
“Not run by fascists”. Sometimes I wonder.
Oh dang!
I just posted "The Ironclad kernel intrigues" before reading other replies, presuming no one else would have mentioned it.
Well done Jay. :)
[Edit: Oh, I just got down to the PS in the original article. Heh. Ironclad mentioned there too. XD Good to see I'm not the one raising it first.]
It works decently with just 8 GB RAM, and I'm going to upgrade the RAM.
Secureblue is based on sandboxing rather than paravirtualization, and I'm not sure that's secure enough for me.
I do agree it's likely more secure, but the tradeoff for common use cases (gaming, development) is steep. I could see using it solely for browsing and messaging people.
You can also just slot secure blue into a qube I believe.
Well, I'm not sure why they didn't include Secureblue qubes...
I don't do gaming or intensive development, so it's fine for me.
You aren't going to like this:
Because if you got yourself pwned by a malicious link in discord, your account hijacked, etc., then having discord in a vm, container, chroot, jail, or whatever won't help you on the server-side api abuse that got you pwned. In this case, you yourself should have been more vigilant.
From your article, and with respect, I think it's nice you're thinking more about security, but you're mixing up quite a few concepts, and you should probably make smaller moves toward security that you actually understand, instead of going all-in on qubes with only a vague concept of the difference between sandboxing and paravirtualization.
The weakest part of any security system is the people.
Well, maybe not any, but most ;D
Server-side API? I was talking about avoiding getting one's entire OS hijacked. The qube with the browser might get compromised, but dom0 would stay safely offline, that's my ideal, not the utopic notion of never possibly getting attacked and hacked.
As long as you don't explain what concepts I am mixing up, I don't see the respect, but as a random person on the Internet, feel free to troll, I'll move on.
edit: thought i was funny but it sounds mean now. but i know how you feel, i got pwned once like 10y ago and they sent spam from my skype...
Sure, but if the compromise stays within its own app, like for a browser, sandboxing won't help.
The bulk, and I mean like 95% of the compromises I see are normal employees clicking on things that "look legit".
Excel is now wrapped in a browser. Discord, almost all work apps are all wrapped in a browser. So you can be completely locked down between apps like grapheneos, but if you are choosing to open links, no amount of sandboxing is going to save you.
This is why we deploy knowbe4 and proofpoint, cause people are liabilities, even to themselves.
Clicking on things that look legit is a critical part of interaction with computers. Programs should not be installed unintentionally, so first and foremost Office Macros should not be enabled by default (and eventually Microsoft did disable them).
Recently I think the main avenue for malware is to send a PDF with a fake popup for an update, that links to a phishing site and prompts you to download an exe with malware. That kind of thing is a harder issue to solve, but at the very least an OS should probably not let that program update your BIOS.
Yes, but I never said you won't get pwned. I said that it would limit how it could be done and what damage it could do.
For instance, if you click a link and download something shitty, it can't just steal your auth tokens on GrapheneOS because all of that is isolated to only the program that uses them. Meanwhile on Windows/Linux there are tons of Python scripts that do that. It would take extra steps on GrapheneOS for someone to use social engineering to hack someone's Discord/Bank/etc account, which could be enough to prevent it for some people.
Another step up is the confidential computing project. Requires hardware that supports it though, which sucks, but takes the virtual hardware concept and adds multi key memory encryption on top.
Remember though security without a threat model is just paranoia, so what level of hoops and investment you need really depends on what your threats actually look like.
I personally love containers and Macsec. It limits most of my concerns. I want to mess with confidential containers next, which is to say lightweight VMs in containers with memory encryption set, but that's all future to me. The irony is that I then have to figure out attestation better for those machines since from the host they are black boxes.