I cleaned the folder of the ppa repositories... it was time. Still had commented repos of bionic... tools not developed anymore, various garbage
Kinmen Rising Project-金門最後才子🇺🇦 (kinmenrisingproject@g0v.social)'s status on Thursday, 28-Jul-2022 14:05:37 UTC Kinmen Rising Project-金門最後才子🇺🇦 -
Bernie (codewiz@mstdn.io)'s status on Thursday, 28-Jul-2022 14:43:00 UTC
Last week I had to use the #Skype on my #fedora laptop. As a precaution, before installing the rpm I checked for post-install scripts:
https://codewiz.org/pub/skype-rpm-scripts.txt
This adds a dnf repo and a GPG key to the rpm keyring. This enables automatic updates, but there's no corresponding post-uninstall script to remove these.
From this point on, #Microsoft is permanently trusted to "update" any software on my laptop 😱
-
Bernie (codewiz@mstdn.io)'s status on Thursday, 28-Jul-2022 15:04:48 UTC
A user would have to know how to delete their repo and uninstall Microsoft's RPM key.
So I got curious. Who else is trusted to install rpms on my laptop? Here's how you could tell:
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME:date}\t%{SUMMARY}\n'
I had dozens of old keys from all sorts of vendors, including Google (Chrome) and another one for Microsoft (for VSCode).
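A companion check for the repo side of the same question, as an added example that is not part of the original thread: the keyring query shows which keys are trusted, and this lists which enabled dnf repo definitions still point at a key. The helper names `list_enabled_repos` and `sample_repo_dir` and the sample repo file are constructed for illustration; `/etc/yum.repos.d` is the standard dnf repo directory.

```shell
#!/bin/sh
# Added example, not from the thread. list_enabled_repos is a hypothetical
# helper: it prints, tab-separated, every enabled repo section found in a
# dnf repo directory with the gpgkey it points at and its gpgcheck setting.
list_enabled_repos() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
            function emit() {
                # a section without enabled= counts as enabled (dnf default)
                if (id != "" && tolower(enabled) !~ /^(0|false|no)$/)
                    printf "%s\t%s\t%s\tgpgcheck=%s\n", file, id, key, check
            }
            /^[ \t]*[#;]/ { next }                       # comment line
            /^[ \t]*\[.+\]/ {                            # start of a [repo-id] section
                emit()
                id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
                enabled = "1"; key = "(no gpgkey)"; check = "unset"
                next
            }
            /^[ \t]*enabled[ \t]*=/  { enabled = val($0) }
            /^[ \t]*gpgcheck[ \t]*=/ { check = val($0) }
            /^[ \t]*gpgkey[ \t]*=/   { key = val($0) }
            END { emit() }
        ' "$f"
    done
}

# Constructed sample directory so the script runs on any machine; call
# list_enabled_repos with no argument to audit /etc/yum.repos.d instead.
sample_repo_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/vendor.repo" <<'EOF'
[vendor-stable]
baseurl=https://repo.example.invalid/stable
enabled=1
gpgcheck=1
gpgkey=https://repo.example.invalid/keys/vendor.asc

[vendor-testing]
enabled=0
gpgkey=https://repo.example.invalid/keys/vendor.asc
EOF
    printf '%s\n' "$d"
}

d=$(sample_repo_dir) && list_enabled_repos "$d" && rm -rf "$d"
```

A `gpgcheck=unset` result means the repo file does not set the option, so the value comes from the main dnf configuration.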
-
Bernie (codewiz@mstdn.io)'s status on Thursday, 28-Jul-2022 15:05:56 UTC
Perhaps it's worth restating that downloading binaries directly from vendor websites is bad security practice.
Linux security is no better than Windows' if you effectively give anyone root access to your machine.
-
Bernie (codewiz@mstdn.io)'s status on Thursday, 28-Jul-2022 15:12:48 UTC
Installing #Skype via #flatpak would have been marginally better.
Kudos to Gnome Software for prominently displaying the risks.
-
Bernie (codewiz@mstdn.io)'s status on Thursday, 28-Jul-2022 15:24:21 UTC
Though for some reason #Gnome Software shows a version of Skype that's 2 years out of date.
Not very secure either!
-
Bernie (codewiz@mstdn.io)'s status on Thursday, 28-Jul-2022 15:26:40 UTC
Strange, #Flathub has the latest version of Skype from this month:
https://flathub.org/apps/details/com.skype.Client
-
Bernie (codewiz@mstdn.io)'s status on Thursday, 28-Jul-2022 15:32:07 UTC
Oh, the old version is from flathub-beta.
@tchx84, is this a bug in Gnome Software? Or is it expected that older packages in flathub-beta would always take precedence over flathub?
-
Bernie (codewiz@mstdn.io)'s status on Thursday, 28-Jul-2022 15:46:45 UTC
Oh, I see. It happens because the flathub-beta repo was a --system repo, while flathub was a --user repo.
If both are configured as --user, then Gnome Software lets me pick one. Otherwise, it shows only the --system one.
Still smells like a bug, @tchx84. Do you know a developer who could look into it?
-
Bernie (codewiz@mstdn.io)'s status on Sunday, 31-Jul-2022 00:41:49 UTC
#Plasma Discover recently merged a nice fix for this sort of problem:
https://invent.kde.org/plasma/discover/-/merge_requests/339
-