Installing Linux on your buttplug is a bold move, I say.
I always install openSUSE without removing my buttplug. Or any extra USB cables.
Oh yeah I have that too. Just sit on the PC case while you are installing. (  ̄▽ ̄)
Idk i think if it was my usb stick it would fry it
I dare you to use it for bios updates. Better don’t clensh your butt or you’ll brick your board
Two bricks would be made in that case. >!In that PC case.!<
Uhm… Where can I find that? For a friend, of course! (◕ᴗ◕✿)
Well, I only know of one and you’ll need 12 angry men to pull it out.
Solution: install windows for them, but complain and evangelize at every opportunity. You’ll be so insufferable they’ll never ask you again.
I do that every time I have to use windows. But I think my boss does not like that…
Or don’t
Use whatever you want to use. You can always say no to support requests.
I charge a consulting fee. If you have to ask, you can’t afford it.
Constable Odo treatment.
Thanks for reminding me that the DS9 box set is a high priority on my ripping list
I don’t need friends that are Windows users.
I don’t care what they use, be it linux, a BSD, OSX, Plan9… but windows?? that is pathetic!!
Another solution - install Windows 2000, which was the first and the last good Windows distro.
Another solution: install a Linux distro in kiosk mode and make the browser home page https://www.windows93.net/
lolll
Was the Ventoy binary blob issue resolved and it’s cool again?
No. But the argument itself is so stupid to me.
Ventoy has never been a secure tool. People are making the argument that it should be, which is just nutty.
If you’re one of those people that grab random fuckin’ ISO’s from all over the internet to test em out, then no. You really shouldn’t use Ventoy. If you run official ISO from recognized sources, then realistically the risk is ever present, but minimal.
Like getting in a wreck on the way to the store to pick up milk. It’s always a possibility, but not many people would stand around and make the argument that you should stay home forever because you might get into an accident, which is basically the argument against Ventoy. It’s “we’ll, it’s a crazy useful tool, but you shouldn’t use it because something might happen.”
It’s just such a bad argument. Fact of the matter is, is that if there were a non-hacky as shit way to do what Ventoy does, it would be available right now. But it’s not… Because it’s really not.
The only way to avoid the issues that Ventoy employs is to not use ISOs and use something like netboot.xyz, which presents its own set of issues. How do you know you’re not being MITM from the iPXE environment? Like, sure. You can technically verify it, but how do you know for sure on the fly?
Like, if you sit down you can pick apart any software for being an insufferable gaping asshole of security vulnerabilities.
The problem with Ventoy isn’t the ISOs.
The problem is they use binary versions of core tools like
cryptsetupin their source tree, vs compiling them at build time.This leaves the door open to supply-chain attacks. I.E. a PR with a bad
cryptsetupbinary, or an attack on crypt that makes its way downstream with no way to audit. This is how huge software distributions make their way to Wikipedia in a bad way: https://en.m.wikipedia.org/wiki/XZ_Utils_backdoorThe solution is the build those binaries at build time, which a fork is working on.
The advantage of Ventoy is its ability to work in any environment and handle 99% of ISOs. Compiling the binaries at build time requires a mature development environment to be able to build these utilities… Your exponentially increasing the size and complexity of the project to solve a relatively minor security issue.
Ventoy is not the only way to create a bootable drive… If you don’t trust the blobs then don’t run the software.
Forking ventoy to add the complexity of building these utilities is only going to be available for *nix base environments so Windows users are pretty much shit out of luck. Your exponentially increasing the size of the project, it’s complexity, and simultaneously significantly narrowing its usability…
I said it before and I’ll say it again it’s such a bad fucking argument. It’s not mature software. It’s a literal confluence of hacks… And if you’re not comfortable with using it then don’t use it. It really is a huge security risk. But advocating that nobody use it is such stupid fucking thing.
Advocate that people understand the risks of using it but to just run around and scream about how nobody should be using it for any reason whatsoever until the maintainer closes the security hole that makes it run is pretty stupid.
You:
solve a relatively minor security issue.
Wikipedia:
In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name “Jia Tan”.[b][4] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[5]
Binary supply-chain attacks are not “minor security issues”. There is a reason many companies will not allow admins to use Ventoy.
I like Ventoy, it’s a fantastic project. I like that the author is transparent about where they won’t be spending their time. You can like a project, and recognize it’s flaws at the same time.
A contributor building a PR to solve the build concerns is not a bad thing, it’s to be celebrated. Even a short-term solution of having the build script pull the binaries from a release and checksum them would alleviate a lot of that concern. And the Windows vs Nix item would be alleviated by the GitHub build ENV. Binary releases isn’t the problem, it’s binary in the source. This is about audits and traceability more than the build itself.
Not having a security first posture on these kinds of attacks is how the
xzevent happened, and I would hate to see that happen to Ventoy. I look forward to contributors helping the author out.Binary supply-chain attacks are not “minor security issues”.
Yes they are. The binaries for Ventoy aren’t even updated from release to release. It’s not even evident how old they are. So crying about an attack that only matters if these binaries are bleeding edge is absolutely a minor issue. I don’t even understand how someone of sound mind and body could possibly believe otherwise.
Not having a security first posture on these kinds of attacks is how the xz event happened
No one is making the argument that security doesn’t matter. No one is pushing the idea that Ventoy is secure. I’m saying singularly and only that a supply chain attack is just about the dumbest goddamn angle possible to bitch about Ventoy because I could argue that Ventoy would be more vulnerable than it is now to a supply chain attack if the binary blobs are built and updated every time you build a bootable drive. It’s just a truly fucking insane argument that shows a lack of understanding of what a supply chain attack is. The built binaries may be vulnerable and it’s difficult to prove if they are or not, but if you update the binaries all the time they’re more (attack surface is larger) than if they’re only updated when absolutely necessary…
It’s just plain a poor argument and I’m tired of every armchair expert pretending that its not. People in high security environments aren’t using Ventoy. It’s just such a ridiculous argument.
Just gonna drop this one in here.
https://github.com/ventoy/PXE/issues/106
Ventoy PXE used by iVentoy installing malware and fraudulent CA certs from… you guessed it, binary blobs. The primary dev is now in damage control in another issue and moving forward on updating the primary repo. Good on them.
So, yea, not a minor thing, even for Ventoy.
Interesting! & longpanda*
Explains y’all paranoid and keeps using those binaries? Says “sorry I do this free and that would take forever”?
*
To clarify, asking if there has ever been an official developer response/debate on this.
Couldn’t you just compile those dependencies yourself and use your own blobs then?
Yes, but…
The build environment was not clean to start, which is why a contributor is working to correct that.
You could also have the build scripts that run on GitHub pull the binary releases directly from their original release locations at build time, vs a file that an individual can modify in the source tree. This isn’t as good as building from source, but it’s better than nothing.
Just have 500 thinkpads and you can avoid security issues all together! A thinkpad for every distro EZEZ
I read what sounded like an intelligent follow-up on this subject. But I’m not smart enough to verify for myself, so I still refrain from using ventoy - even though I’d love to start using it again.
It was basically “wacky code from all over the place, poor coding practices, can’t find anything bad, but methods used are sus af”
Says one dude I read on the internet :/
That’s it.
Sounds like a Chinese geek tried to make something useful, did a lot of dirty hacks to get it going.
And couldn’t properly explain because his social skills and English weren’t great.
The blobs weren’t super suspicious, just some gpld tools, basically busybox kind of stuff.
The real problem is what he made was so fucking insanely useful and needed by everyone that the standards for software skyrocketed.
Like you make a cure for cancer and everyone starts screaming at you because one of the side effects is temporary impotence.
Such a great post.
Just install Linux Mint, they’ll never find out.
Don’t actually do this as it is problematic. You should respect there wishes instead of trying to force Linux apron them. They don’t really need to know that Linux exists at all.
The other issue is that you instantly become the sole source of tech support.
I’ve done it to my family and friends over a decade ago.
Free tech support is for foss!
Yeah we are very different. I do IT for a living so I’m not exactly excited to do tech support outside of work.
If it works for everyone i involved that’s great but the problem with Linux is that there are far fewer people who use it which means that suddenly I’m the central point of support. I want something totally hands off for me which means something friends and family know and can help with.
I’ve worked in IT my whole career and if someone wants me yo install Linux on their machine, or has questions about bash scripting, I’m dropping whatever I’m doing to help them.
How else are my friends and family supposed to teach each other it nobody teaches them? Not everyone was as lucky as I was to be encouraged to pursue tech, that doesn’t mean they don’t deserve the same privacy and options that I benefit from.
I’m down helping once and I often will point people in the right direction
The problem is that help isn’t needed once. It can turn into a full time job very quickly if you don’t draw the line.
Since I’ve installed openSUSE Tumbleweed to everyone about 5 years ago I’ve actually done literally 0 tech support on that front so I’m superbly happy about that.
With Windows (albeit 7) there was always shit going wrong (not to mention XP before that which I basically regularly reinstalled). With various distros (Ubuntu & Debian mostly, but others too) there were frequent fuckeries of various flavours when upgrading.
I’m not totally against Linux. I just think that people here are so evangelical about Linux that they start installing it everywhere even when it isn’t a great fit. People don’t like change and installing Linux on there machine is a great way to piss people off.
Honestly I think iPads are the best for those who want a simple experience. The alternative to that is Android tablets.
People don’t say “install Windows”, they just want their PC to work. And if that PC isn’t for Adobe or kernel-level intrusive anti-cheat money-sucking games, there is no difference (except the spying).
Also the amount of maintenance with Windows after each update isn’t small (software like Shut Up Windows helps with regedits tho).
And most people don’t know what their OS even is.
But no, I’m not giving an iPad to people that want Windows :P.
or something with plasma
As a fresh convert not having my .exes work would be sus. But with MS locking more and more stuff in their app store, we’re not too far from a full-on windows troll distro.
It will obviously look different, but with binfmt, wine, and a sane initial setup, you could get a lot of .exe works from a click in the UI (or the CLI, after all, CLI apps exists on windows too).
Should mostly work through WINE and Proton?
Shoutout to Medicat toolkit. Takes ventoy to next level.
My 77 year old mother-in-law runs Pop cause of me and loves it.
My parents love Bazzite.
Is Pop as good and generally user friendly for those less familiar with Linux? Never heard of Pop before!
Why Bazzite for a non-gaming setup? Or are your parents gamers?
he hasn’t even heard of popos which is a good 50x more popular than bazzite. so obviously he’s here from a “gamers can use this distro” post/video and not familiar with much else
My brother set it up for my parents even though they don’t game. I just think he installed it because it as intuitive as Windows for lay people.
Instead of Bazzite, Aurora or Bluefin great options. They’re from the same people, but more general purpose. I use Aurora dx (developer) and my non technical wife uses Aurora.
There’s a game dev version they’re working on that I’m kinda hyped for.
PopOS is great, the installation process is like 5minutes, with 4 minutes being the download and boot from USB. From there on you click “next” 5 times and are rebooting into a working system.
To be absolutely honest, I had to do some googling and command line stuff to get my fingerprint reader in the laptop working but that was the only thing that needed any attention. But I never did a Windows install where I didnt have to configure at least 2-3 drivers, so I consider it a draw.
From there one it is the typical stuff: You need one proprietary software? You have to figure it out for hours how to get it to work. You are fine with open source options? Go enjoy a blazing fast ad-free non intrusive non annoying OS. For me the trade of is worth it. Been using Linux since I was 14, if I could do it from my kids room with parents switching of WLAN after 22:00 you can do it too.
Good for her
Just make sure you respect the wishes of the people around you. It is not ok to force someone to use Linux because you think its a good idea. You don’t get to take advantage of people to push your own agenda. Windows is going to be ideal for most people simply because it is widely supported.
Most sane people wouldn’t bring their some brand car to another brand car mechanic and expect service though, unfortunately most people are not that sane when it comes to it.
No linux? No free support from your frienfly neighborhood technician.
Oh Windows? Yeah that’ll cost…
For me personally I’m not supporting anyone if I can avoid it especially users running Linux. I don’t want to have to manage a custom system when I could instead get them either a plain Windows install or better yet an IPad.
How is me “forcing” somehow worse than Microsoft actually forcing people to use their ad-pushing, data mining spyware of an operating system? My “agenda” is simplifying an elderly person’s computing experience, protecting her from phishing/scams and allowing her the freedom of not having to worry about one other thing.
Weird take, bud.
Best I can do is 60 year old dad on Mint XFCE on a massive Phenom II x4 955. Salvaged from my first PC build.
Hey of it works for your pop and you keep stuff out of a landfill I say that’s a solid win.
Your father gave me his USB stick in Vietnam, son.
where did you keep it?
I carried this uncomfortable hunk of data up my ass for two years. And now little man, I give it to you.
I wouldn’t provide tech support unless you have a very good reason. You also want Windows as that’s what everyone knows. Stick to the beaten path when you can unless you have a very good reason to stray.
Hey if you don’t know how to do it just say so
I’m shy. ┐('~`;)┌
I’m just going to start pretending I know nothing about computers
“Sorry I got rid of windows 10 years ago. I can help you install win 7 but nothing newer than that”
Please at least (or, well, at most) make it 8.1…
the only ones i know how to install are vista and 8. sorry
Sorry I’m not tech savvy
“Don’t you work in IT?”
Umm… I’m bad at my job
I just pretend I can’t speak English.
A computer? Ahh yes, a person performing mathematical calculations! Likewise. (-)/
That’s a good idea as that’s how you avoid being tech support for family
deleted by creator
Ventoy is completely insane in terms of how it works fwiw: https://discourse.nixos.org/t/custom-nixos-installer-plug-install-play-how-to-achieve-this/61710/13
Thanks for the extra info and thanks for this useful nixos discourse post!
NixOS ftw (I use NixOS btw)
Just say youre installing wimdows 13
If you’re incapable of figuring out how to install Windows then you’re probably incapable of most things in life.
I think without instructions most people would need help due to not knowing what a partition is. So depending on your interpretation of incapable this seems like a huge exaggeration. The Linux installers with GUIs I’ve seen at least explained how to set them up.
Most people would rather go to the store and get a new computer, than go to a webpage and download an iso. They can figure it out. They are just lazy and have little motivation to try it. They also want what they already know, with as little change as possible.
I am not incapable, I just don’t want to.
To be fair, Windows wasn’t meant to be installed by the end user that often. It comes preinstalled.
Just saying that it’s brain dead easy to install. You don’t need any technical skill at all.
There are no tricks. Just mouse through a couple of prompts and it’s done.
I’ve installed Linux just as many times as windows and these days Linux is more complicated to set up and install than windows.
Like I get it. Yall have a deep bias for Linux but Jesus Christ can you at least be accurate?
You are vastly overestimating the technical ability of the average computer user. I don’t even mean that in an elitist/disparaging way, they just don’t care about this stuff because they don’t need to.
Jesus Christ can you at least be accurate?
Speaking of accuracy, your comment seems to identify the wrong issue. Navigating the install menus in a non-Arch linux distro is pretty much analogous to Windows. The biggest difference is that Linux distros don’t have 3-4 pages where they sneakily try to include privacy-breaching clauses during the installation.
The real issue is starting the installation in the first place. Windows is easy, because hardware manufacturer’s have en masse bent over to willingly present themselves to Microsoft, Linux doesn’t have this advantage and users must figure out how to get around the 7,000 different Secure Boot UEFI configurations before they can even start the installation process.
It was just as easy to install linux, it came with a graphical installer
I find you still have to fuss with partitions. There isn’t a simple wipe everything and install option. You have to manually select the partitions on the disk, delete them and create a new one which somehow triggers it to create several partitions.
There is an upgrade option.
And then they tell you they don’t want a Microsoft account and you have to look up what’s the current hack to get around that if possible.
You had it right until the “create a new one” bit.
You can choose empty space instead of a partition and the setup will create the partitions for you. I mean even if you were to choose a partition, I believe it’ll delete it and create new ones because it needs more than just one partition. So on a clean disk, you can pretty much just hit next at that bit.
Lolwat. Last time I installed windows it literally created 3 partitions exactly when I told it “this clean disk - here ya go”
That’s exactly what I said, it creates its own partitions if you make free space or already have a clean disk. No need to manually make a partition.
Aand why the hell does it do that? And why the hell count is more than one? And while we are at it, what is so deadly and frightening with Linux installer creating a partition?
Windows isn’t hard to install but it does require some computer knowledge
Is it mandatory to have in your ass or can you just put it in your pocket?
Prison pocket.
It’s mandatory.
It will become obvious once youve used linux for long enough
What’s the difference?
