It’s a guy babbling about an anonymous website with the same-old stuff against Stallman, and how that is part of a conspiracy to harm free software.

I watched it (most of it) despite having formed my opinion on the quality of that DistroTube channel a while ago… you might want to be wiser than me and do something else with your time.

PS:

Before you put me in the pro-Stallman faction, let me clarify that I think the FSE (non the FSFe - BTW you should change your name guys) is largely irrelevant and so I’ve never investigated the allegations to Stallman enough to take a stance pro or against: I do not care.

I must say, this whole shitshow has been pretty funny to watch :)

I hate them (seriously).

It’s basically a second distro inside your distro (try du -chs /var/lib/flatpak/) and if something breaks (eg. last year mesa with my graphics card) it isn’t easy to identify were the problem is (because all libs update at the same time), plus you can’t just try a newer (or older) version of some lib as you would in your distro.

Moreover, you can’t flatpak CLI tools (also servers and OS components, but I guess the ubuntu folks are the only ones who care about those).

btw :)

There’s AsteroidOS but I couldn’t find any of the supported watches (all quite old IIRC) at a reasonable price.

Gadgetbridge with some proprietary watch is fine privacy-wise (I had an Amazfit GTR3 pro, I needed to register an account with the Zapp app and use it once, but then uninstalled it once I got the required password and used Gadgetbridge exclusively).

Bangle and the Pine Watch are low-res and IMHO quite ugly compared to alternatives from big brands.

My bad for causing confusion: when I wrote “trusted signature” I should have said “trusted public key”.

The signatures in an apt repo need to be verified with some public key (you can think of signatures as hashes encrypted with some private key).

For the software you install from your distro’s “official” repo, that key came with the .iso back when you installed your system with (it may have been updated afterwards, but that’s beyond the point here).

When you install from third-party repos, you have to manually trust the key (IIRC in Ubuntu it’s something like curl <some-url> | sudo apt-key add -?). So, this key must be pre-shared (you usually get it from the dev’s website) and trusted.

That would be “a pre-shared trusted signature to check against”, and is seldom available (in the real world where people live - yes, there are imaginary/ideal worlds where PGP is widespread and widely used) :)

Installing a .deb is what I was thinking about.

Even a signed tarball is better than curl|sh.

If you have a pre-shared trusted signature to check against (like with your distro’s repos), yes. But… that’s obviously not the case since we are talking installing software from the developer’s website.

Whatever cryptografic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (ie. it would only check against transmission errors).

Binary packages have scripts (IIRC for .deb they are preinst/postinst to be run before/after installation and prerm/postrm before/after removal) that are run as root.

BTW the “unzip” part is also run as root, and a binary package can typically place stuff anywhere in your system (that’s their job after all)… even if you used literal zip files they could still install a script in ways that would cause the OS to execute it.

But you don’t have to develop anything.

I interpreted your “look for ways to do things separately” as “look for separate tools that do the various things” (and you have to integrate), but I see now that you meant “look for ways to do things differently”. My bad.

I’ve heard this over and over… what’s the difference security-wise between sudo running some install script and sudo installing a .deb (or whatever package format) ?

I don’t even understand why people like GitHub so much, its source management sucks.

It’s not that complicated… people use it because everyone has an account there and so your project gets more visibility (and your profile too, for those who plan to flex it when they look for the next job) and more contributions. Even a lot of projects that aren’t on github have some sort of mirror there for visibility.

Suppose you wanna contribute to gnu grep (or whatever)… do you happen to know off the top of your head where the source repo and bug tracker are? And do you know what’s the procedure to submit your patch?

If you are a company doing closed source, I agree that I don’t see why you would choose github over the myriad alternatives (including the self hosted ones).

Look for ways to do things separately and you will find much better tools

That’s a great way to spend your resources developing yet-another-source-forge-thingie instead of whatever your actual project/product is supposed to be :)

Yeah… does git have issue tracking? actions? C’mon: it’s not like github & co. are just git.

Note that even most “permissive” licenses are by definition conditional

You do realize the whole discussion is about what terms to use for differentiating between GPL-like “restrictive” licenses and BSD-like “permissive” ones? Saying that both are “conditional” really doesn’t help anyone.

(also “by definition” the license’s grants may be “conditional”, not the license itself - it’s not as if it looses validity under some condition)

Man, people do love arguing about words without providing (or looking up) their definitions.

Does the GPL being non “restrictive” mean I can use GPL code in my proprietary software? What word that doesn’t offend you should I use to describe this fact?

This is as useless as the git main/master branch debate a while ago.

but this most likely is against the ToS of every anime tracking website

AFAIK scraping publicly accessible websites is fine in most countries (IANAL, look into it)

Thinkpad A485

I had one of those, but the trackpad occasionally wouldn’t work until I rebooted several times (I was using fedora). Did you run into any similar issue?

I wouldn’t know what to recommend, but… are you looking for a web based thing or a desktop app?

almost every website has some sort of tracking

Yeah… and most send info to the same mega companies, which is why it’s creepy :)

BTW: I’m 100% ok with a website collecting stats on which of their pages are more popular and even with profiling my session to see which pages correlate to which - I’m not ok with websites remembering me across sessions and definitely not ok with Google (and others) tracking my whole web history and using/selling it to show me shitty ads.

Great list, thanks!

Are you the author? Because I might have some additions to suggest. (one is Equate which combines a calculator with unit/currency conversion - I have not gone through the whole list)