… and rsyslog was never removed.
1 Like
Fixed, it looks like it was removed from “some things” and not “all the things”. Thanks
Because even if I try the distro, I would never have his “mad skillz” (just look at that beard) to do “security auditing”. So if a random guy that has a Linux channel with more than 50kpotential Linux users as a following says it is insecure… I will not even try it.
Here We can all agree to Fedora being great , and I am not going to move away from my fedora installs. But as a product owner I know what this kind of fud can do to the adoption of a product if any accusation is met with silence (specially when there are competing products).
Note that he didn’t beat on Linux. He did it on this community driven product explicitly.
An official post from fedora oficial account just inviting the dude to come and clear the things officially in the correct place (here, not YouTube) would put the ball on his side and provide the visibility to anyone who lands there doing a search for “is fedora any good” on YouTube.
But hey… As I said… I am not moving away.
Moving this to Water Cooler since it’s not really a support question. Carry on!
4 Likes
Anyone with a YT account can comment and tell the creator to come to this thread 
But an official entity responding to this kind of video just encourages more such videos because there’s a precedent of fame (a whole OS project responding to a random person? Maybe if I make a video I’ll get followers and my name mentioned for fame too ), and such videos go for quantity over quality.
I haven’t heard of that YT channel prior to this thread.
1 Like
Is DJ Ware safe? some of he comments are bogus eg: FIPS
In Federal Information Processing Standard (FIPS) mode, the kernel enforces FIPS 140-2 security standards. For example, in FIPS mode only FIPS 140-2 approved encryption algorithms can be used (see FIPS restrictions of the hardware capabilities).
FIPS actually limits security, IMO it makes easier for the US government to spy on it’s citizens 
As for Spectre mitigations, they all affect performance, some more than others.
$ lscpu
Vulnerabilities:
Gather data sampling: Not affected
Ghostwrite: Not affected
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Mmio stale data: Not affected
Reg file data sampling: Not affected
Retbleed: Not affected
Spec rstack overflow: Mitigation; Safe RET
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Retpolines; IBPB conditional; IBRS_FW; STIBP always-on; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
Srbds: Not affected
Tsx async abort: Not affected
Has any spectre vulnerability ever been used in the wild, none have to date as far as I know.
I doubt the migrations have any real use for most users, IMO it’s only useful for server farms hosting VM’s.
He didn’t even mention the biggest security issue that affects all PC’s, the user 
2 Likes
Most of the issues will likely exist in the same way on any distribution that makes use of the upstream components in question.
Yes, he should have made a bigger point of that. Anyone who chooses a different distribution that has systemd and a recent kernel will have the same issues. He just saw the issues first in Fedora because Fedora is one of the faster moving popular distributions.
1 Like
Oh wow, with the amount of fanboyism in this thread, I thought I had taken the wrong turn and ended up in Apple’s forums. After carefully reading the tone of some answers, I’m still trying to discern if I hadn’t.
A couple of colorful notes for those unaware of it:
- DJ has used Fedora forever as his daily driver GNU/Linux flavor.
- I saw him joining the two Fedora release parties I attended.
1 Like
And yet he is completely clueless on what he is talking about. As in completely. And your argument, even if it’s true, is not really an argument. Joining a release party or using a distro has absolutely zero correlation with knowing what you are talking about. And the verifiable truth here is that he doesn’t.
-FIPS was already explained in detail.
-Systemd bashing is systemd bashing and is done by people too stuck up in their ways with init systems that they completely dismiss the fact that it allows you to do in 15 secs what you would need an hour to write and test a shell script for and still have issues like race conditions etc as you tried to glue all your services together. It’s sad to even bother with systemd bashers. The usual argument that “it’s against unix philosophy and tries to do too many things”.. well, systemd is modular and no one forces you to use all of it. You can disable whatever sub service you don’t want and use alternatives. But it’s job of handling init, it does far better than any other available option.
-Kernel related issues are kernel related issues and have nothing to do with Fedora.
3 Likes
The day a service init has a network stack that somehow bypasses the OS VPN is when I started scrutinizing systemd a little Everyone uses it because it’s a convenient cover-all similar to Flatpak.
Although I’m pretty sure nobody went that detailed in YT comments though
What was the point in the video then?
If they know of issues, a long-time Fedora user probably knows the right channels to bring it up in (these discussion forums, or proper bug reports).
I’m not watching 20+ minutes but I get the idea the video was made to push an alternative distro or throw shade. Maybe DJ Ware got sponsored by another OS. I’m not sure their intent with the video, but it sounds made for sway.
Did DJ Ware come to these forums yet?
First of all, systemd-resolved is NOT service init. It is a systemd module that handles DNS resolvers. It IS part of the network stack. If you don’t like it you can always disable it and go back to /etc/resolve BUT also accept the problems that it had and systemd-resolved solves (eg handling internal and external DNS / split horizon etc). It is more advanced and capable than the previous option.
Also what you linked is NOT a bug and is classical USER error not knowing how to set up their use case. There is nothing wrong with systemd-resolved in that particular case. That particular user would have the exact same problem with any advanced DNS resolver handler.
Also your analogy with flatpak, means you don’t understand neither systemd nor flatpak.
Systemd is used because it is the best currently available tool for the job and Fedora, specifically, would switch in a heartbeat to any other option if it was actually better as it is a distro which is actually leading in implementing new tools and technologies, often paving the way for other distros to start adopting as well.
Flatpak is a way for developers to publish their software without having to package it for every single distro out there that is possibly packing different versions of dependencies. It is unrealistic to build your software against every combination of dependency versions that each of the 20000 distros out there is shipping. Which is why most packages are being packaged and maintained by volunteers but there’s so much they can do and obviously the x-y obscure software you may want to install may not qualify as popular enough for someone to prioritize their time on it so you have to build it from source. OR developer can just publish flatpak and got you covered regardless of what distro you use and what version of dependencies it is currently shipping.
That means you trust whoever publishes the flatpak, any flatpak, with installing stuff on your system. Since we are reinventing the wheel here, lets consider two examples, Windows “setup.exe” and Firefox extensions. Installations of third party software on Windows is the source of most if not all the issues and the security breaches. Firefox extensions had to be code reviewed and approved because they were spreading bad code that degraded the browser performance or even malware (it is still an issue with Chrome extensions BTW). End of the OT and sorry.
Almost all flatpaks are just generic builds of open source software that can be reviewed by anyone, similar to the versions that are installed as RPM. The build scripts are also open source and can be viewed through flathub. E.g. for a random flatpak app called Text Compare:
Yes, clearly flathub, like any other “store”, is meant to encourage people to inspecting code and everything. There isn’t any trust issue. I guess Fedora provides its own flatpaks just for fun.
I personally do not trust anything that I do not verify. I also do not use flatpaks because I have no use case for them. I was merely explaining what problem flatpaks were meant to solve because the person I was replying to clearly did not understand.
That said, you CAN actually check who publishes a flatpak on flathub.com, each package states who is the publisher and if they are verified or not. Also flatpak itself offers you the --subset=verified switch when you add a remote that limits flatpaks to only verified publishers. The tools are there for you to use if you want/need to use flatpaks or if you need to publish flatpaks as a software developer. So this analogy with random software on windows is not really accurate.
Not to mention that the same uncertainty stands for Fedora’s copr repos, Arch’s AUR etc etc. It’s up to you to verify and choose to trust or not third parties if you choose to use third party packages of any shape or form. Supply chain attacks are nothing new and certainly not tied to flakpaks, which at least offer you some tools to help you make a better decision.
Exactly. The same wrong ideas again and again.
I guess we are missing the point here. When you think about some tool you cannot design it for NASA engineers if it is meant for the general population. I bet many newcomers don’t even notice Gnome-Software offers both RPMs and flatpaks and don’t know what they install (which can lead to some drawbacks). Now you tell me the same people could verify the flatpaks. Yes, they could also inspect the code, since it is opensource. Or even write it. I never did that in my life and only seldom I compiled, when forced to. What I find a bit annoying is the excuses, when it is rather obvious when the idea came from and the reasons of it, which aren’t in “the user” interest.
Perhaps we take some things for granted. Perhaps there should be better documentation, with higher visibility, on things like that as most bad takes and practices are due to lack of awareness, I guess. Eg Gnome-Software, KDE’s Discover etc should come with a popup disclaimer and documentation links when you try to install a flatpak. Something that the user would have to consciously disable in the settings which would mean they are aware of what they are doing (installing third party packages) and they would need to verify what they are actually installing.
The only advantage of flatpaks from the user perspective is they can be the “current” release of some software.
Everything else is a disadvantage.
If the user can choose between Firefox as APT or RPM and Firefox as snap of flatpak, in the same version, she/he should always pick the APT and RPM.
Firefox is an interesting example.
Some time ago I was told Ubuntu was removing the APT version and forcing the snap and the explanation was it saved manpower because one package works across all Ubuntu versions. Mozilla helped with it.
Then Mozilla proposed their own repository with a Firefox APT package that basically works on any Debian derivatives, including Ubuntu, pretty much making the Ubuntu snap useless and wasted manpower.
Isn’t it ironic?
Like reinventing the wheel but this time lets make it square.
Proposing the users packages they need to verify is nonsense. Why should somebody install software from an untrusted source?
What exactly is your point? What is trust? Do you inherently trust the random person you’ve never met who packaged a piece of software for one of the many Fedora repos? Why? You don’t know who they are, or how sharp they were this morning when they packaged a new version of program X or Y. Do you think they spend their time scouring upstream repos for any signs of code vulnerabilities?
Flatpak is just another repo, one that is a bit more generic in nature. The idea that Fedora’s repos would be inherently secure and a trusted source and flathub not is just conjecture.
Again this this exactly the problem.
The very concept of “just another repo”.
I am not pulling software from “just another repo”, I come to Fedora right because I trust the whole structure/organization to have checks in place to reduce any issue to the less possibile. I expect all the pieces to be tested to work together and against hostile changes.
While “just another repo” means there aren’t any and the issues are the more possible.
Then here we are ignoring the secondary topics that is the bloat and difficulties with self-contained and sandboxed software.
I write it again: there is no advantage in installing flatpaks, only disadvantages but just ONE, the fact that whoever publishes the flatpak can update it at any given moment.
Sorry if I don’t see the coolness of this “not so new” new thing.