Trisquel is less secure than Ubuntu at this point
I made a post about this earlier, but OpenJDK 7 has not been updated to u25 in the Trisquel repos and leaves everyone who has an older version installed vulnerable. If anyone follows the Java world, it is always targeted for attacks (especially the web plugin) and having the latest is ALWAYS encouraged.
Has the script that pulls Ubuntu repos into Trisquel broken the past 10 days or so? I haven't gotten many updates outside of PPAs for my Trisquel 6 box this week, yet my Ubuntu 12.04 server has.
http://us.archive.ubuntu.com/ubuntu/pool/universe/o/openjdk-7/ has the OpenJDK7 u25 as of July 16th for Precise.
http://mirror.fsf.org/trisquel/pool/main/o/openjdk-7/ is stuck on u21 as of April 24th.
This issue needs to be fixed ASAP and Ruben needs to be aware of it.
You are totally right! I also started a thread about this some time ago. [1]
This really needs to be adressed! Is there anything we as "normal users" could do?
Yeah, being stuck at 21 for Abrowser isn't helping either. I may have to manually update my OpenJDK from the Ubuntu repos if the Trisquel ones are not updated.
I've been using the latest stable Chromium (v28) from https://launchpad.net/~alt-os/+archive/chromium while waiting for Abrowser to be updated to 22.
Maybe Trisquel should put Abrowser on the long term support release of Mozilla.
The ESR versions of Firefox still get updates, but those updates are point releases like 20.1 and 20.2. I don't see the point of moving to ESR since the browser has to be "cleaned" by Ruben with each update either way.
Well, this is indeed a very important issue, and we should all look at it as a priority.
I don't have Java installed (any kind of it, free or not), and I don't have flash either (gnash or flash or whatever). And for people who don't need them, I would suggest you uninstall them.
Another thing I have noticed some time ago... when I try to install UFW, it says that it's "not a verified source" or something like that. Every time I install Trisquel it happens. Why? I thought all the packages in Trisquel repositories were from the same source and all verified by Ruben...???
So, yeah, if you don't need openjava and gnash, uninstall them and that will actually make you a little bit safer.
Also, using UFW and ClamAV might actually help a little bit.
But, still, we need to help Ruben make Trisquel more up to date in terms of security issues. Problem is, how? I don't know programming enough to help him =S
I fixed the OpenJDK issue by creating a separate ubuntu.list file in my /etc/apt/sources.list.d/ directory with my local Ubuntu mirror for 12.04 to nab the main and universe repos. I had to manually import the Ubuntu Archives key (since Trisquel does not have it), install OpenJDK u25, disable the Ubuntu repos, and re-run apt-get update.
Want to know another issue? There were at least 30+ updates for software like apt that were available in Ubuntu 12.04 that were not yet available for Trisquel 6.
PLEASE PLEASE PLEASE SYNC THE TRISQUEL REPOS!!!
"PLEASE PLEASE PLEASE SYNC THE TRISQUEL REPOS!!!"
I second this!
I think Trisquel needs more developers, when you see the develpoment team, you see only two people managing the project.
The good part is that even with this limitation, Trisquel is one of the best "pure free" distros... but it still needs more.
I posted this in another thread, maybe it's the proper place for it?
-
Does anyone have any direct contact with quidam, to ask him for official clarification? There is, obviously, a reason for the lack of upates lately, and the community can deal with that, but lack of communication about difficulties can hurt the project on the long run...
-
Problem seems to be solved now - updates for abrowser, openJDK, kernel and more today. Abrowser is now at 22.0, OpenJDK7 at u25 :)
Hooray! That's great news!
Trisquel is once again keeping up with the needs of the users. Still the best operating system that I could use right now ;)
I thought the Trisquel repos automatically mirrored the Ubuntu ones daily and blacklisted certain packages from being integrated. If that was the case, updates like OpenJDK would show up that day and not a week later.
There is much to learn, young padawan.
Great to see so many updates coming in but why did this even happen? I also thought that there is some kind of automatic synchronization with the Ubuntu repositories. What if this happens again in the future?
I would be very happy to get an official response to clarify this stuff. Is there any way for us to help?
Yes, solve this bug
https://trisquel.info/en/issues/4528#
become a associate member
https://trisquel.info/en/member#
:)
I doubt that more money will directly lead to more updates, though I agree that it is a good way to show your love.
If it's true that only two guys are running this whole distribution, there needs to be another solution. Either:
1.) More core members
2.) A way to sync the Ubuntu repos with the Trisquel repos
Well,
I hesitate to become a member because of the concept of the "benevolent
dictator for life".
I don't know quidam and he may be a nice person, but I don't think a
"dictatorship" will encourage more people to join the development team
or is a good idea for any other reason.
Why not make community decisions? This would be the best solution for
everyone.
Since quidam founded the project and put much effort in it, I'm sure he
want it to become a success, and for this we need decisions pleasing the
majority of users with respect to a kind of "manifest".
I think of ubuntu. Same problem here. The dictatorship had disastrous
consquences. I don't trust this concept.
There's a big difference between Canonical, who runs Ubuntu, and Trisquel.
Canonicial puts a lot of effort into taking the Debian repositories and making them stable for Ubuntu. These Ubuntu repositories are also used by Ubuntu deriatives like Linux Mint and Trisquel. The big difference is that Linux Mint uses the Ubuntu repositories directly and Trisquel takes the Ubuntu ones and cleans them out for non-free packages.
Canonical is not "dictatorship" because it is a company and not a one man show. On top of that, you don't have to use the main Ubuntu OS and there are many deriatives (like Linux Mint) that only use Ubuntu as a base and add their own changes. They provide an excellent base and large choice of packages to use.
The problem with Trisquel is that there's an extra effort to sanitize Ubuntu to make it fit into the FSF's guidelines on what a true free operating system is. Its just that one guy who handles the project and thinks he can do it alone. It would be fine and dandy if this was his full time job, but it isn't. He has a full time job working for another company and Trisquel is only maintained in the free time he has from that.
There was a point where Trisquel felt more active and moving to LTS releases was going to soften the blow on the maintenance on this project. I truely champion them for keeping it stable, but they also need to keep the people that use it secure by keeping the repositories up to date.
The Trisquel developers are doing more than just cleaning the Ubuntu repositories, they take packages from others distros too, even directly from Debian. I've also seen some other packages that are not from other distro.
What i want to tell is that they are working hard to make this distro and they deserve more merit.
I guess one solution would be to stick with older machines for as long as possible. If you can, avoid laptops, and use a tower with free software only friend hardware.
It's not perfect but is a solution.
As for laptops, if you can get one from a trusted friend (someone who you know didn't mess with the Bios) you can try to get one second hand with 5 years or so. It won't be a gaming machine of course, but thanks to free software you can still keep using it for 10 more years to come (i am being optimistic, lol).
Libreoffice, simonlistens, GIMP, firefox, etc, allow us to use a lower end computer, so you don't need to buy new computer with that technology.
And what's it with you wanting to marry little girls? You have been talking about that for some time now, how old are you? You can't find anyone your own age? There must be some women who will get your eye, why want little girls? -.^
He does talk about marrying little girls a lot around here, doesn't he?
There's probably some way to do it if you really wanted to, but why would you want to? I honestly can't think of any positives of marrying a kid, or, hell, even a kid that would want to be married at such a young age to a much older person. Honestly with all the work of trying to marry a little kid, it'd be a hell of a lot easier to marry someone who's actually your age.
Anyway, off the subject of marrying little girls. A lot of stuff he says is fairly disturbing, but back to the subject at hand.
Now, your point is to stick with older machines, and while that is a solution, that won't end the issue at hand. In, say 10 or so years, when that computer dies (motherboard issues, CPU issues, anything), you're going to need another computer. You can either try to track down an old computer to use it (and it might break again because it's just as old), or you can go for a new computer. So, honestly, a better solution would be to try to advocate hardware that respects both your privacy and your freedom, that way we can have computers that aren't ridiculously outdated and don't have any privacy issues. I know you're just being optimistic, but you gotta remember that all hardware breaks eventually.
If vPro really wants to marry little girls, the only possible reason I can think of is being a pedophile. But given the ramblings, how there is clearly little thought put into them, and how the same ones are copied and pasted everywhere, I'd bet he's just a troll. I mean, really, why would a real pedophile make such a point of announcing to a free software community that he wants to marry little girls?
I don't think he is a pedophile (not what we would normally call one at least).
Nor a troll. There seems to be something more to him than we see right now...
But yeah, he is annoying and a little crazy, agree on that.
Even RMS thinks child pornography is ok along with adultry, prositution and necrophilia: https://en.wikiquote.org/wiki/Richard_Stallman
> Even RMS thinks child pornography is ok along with adultry, prositution and necrophilia: https://en.wikiquote.org/wiki/Richard_Stallman
This is absolutely wrong.
He thinks those things are ok as *long es no one gets coerced*;
this statement excludes almost every child porn on the net, so he doesn't think they are ok.
Don't spread false information.
Yeah right, 'cause there's totally an easy way to determine "coersion" and consent in the cases of child abuse, beastiality and necrophilia.. Please. That's just a downright disgusting thing to say.
It's also unrelated, because what RMS has said on the issue has nothing to do with what vPro has said. vPro advocates the right to marry children, RMS says he thinks child pornography can be consensual (he hasn't said whether or not he thinks it's possible to know whether or not it's consensual, despite what you say; he just said that the cases we are aware of are non-consensual and that it can't be used to judge cases that are consensual). Necrophilia, bestiality, prostitution, and adultery are completely unrelated.
Stallman lumps all those things together, thus he apparently thinks they're related.
Really? I didn't see him do that. I only saw him mention them together because they all have being illegal in common.
Looking at the actual source, he didn't even mention them together. Some politician did, and he was just responding to that politician:
> The nominee is quoted as saying that if the choice of a sexual partner were protected by the Constitution, "prostitution, adultery, necrophilia, bestiality, possession of child pornography, and even incest and pedophilia" also would be. He is probably mistaken, legally--but that is unfortunate. All of these acts should be legal as long as no one is coerced. They are illegal only because of prejudice and narrowmindedness.
...Yeah, so Stallman DOES lump them all together as equal and says that fucking little kids up the ass is fine so long as they say yes.
So.. Thanks for proving my point..?
Where does he equate saying "yes" with lack of coercion?
How is this related to Trisquel? Why not discuss it in the offtopic
forum at https://trisquel.info/en/forum/troll-hole?
Last I checked "coersion" simply means forcing someone to do something against their will. Thus the antonym would be consent.
He stated clearly that just "saying yes" is not enough, since we can't be sure if this "yes" was only spoken because of fear.
He meant real consent.
In my opinion, we can never be sure whether it's real consent or not in case of children.
We would need the possibility to ask the child 30 years in the future as an adult "Did you really want this to happen? Did it any harm to you or your life?".
I guess almost everyone would say no to the first and yes to the last question.
Since we can't ask this question to someone in the future, this kind of sexuality should be illegal.
I wish stallman had stressed this more clearly, but never the less, he didn't say something else.
On 03/08/13 05:32, erikthorsen wrote:
> fucking little kids up the ass is fine so long as they say yes.
How exactly does a discussion about security in Trisquel evolve into a
discussion about anal sex?
Andrew.
I didn't claim there is an easy way to determine coersion.
I think when we're talking about child abuse, we almost never can determine the lack of coersion with certanty and so these things have definitely to be forbidden and get punished very hard;
but talking about necrophilia - I think it's easy to determine if someone gets coerced.
I find this topic really disgusting, but if two people agree on this (one of them when he was still alive) and no one gets forced or harmed - why should it be illegal?
But yeah, this is a topic for the troll hole.
I just wanted to correct the very incomplete quote of stallman.
Ahaha, your avatar actually looks like she just read vPro comments, asking to marry her xD xD
Anyway, the point is... I totally agree with you, open standards are the future! And I totally support them. But I was talking about a solution for now, as in "I need a free clean computer to use NOW, I will change the world tomorrow".
For now, the best way is to use old computers.
For me it seems like we are right now bounded to a no win situation, because:
1. Modern computers HAVE backdoors in hardware.
2. Old computers have limited hardware resources (and might also have backdoors we don't know about).
3. Open source hardware are limited, and will usually run only gnewsense or some other "not so stable" distro. Also, involve a lot of do it yourself, which I am not good at (i am good with software, not hardware).
So....Old computers are not a solution, but a compromise for now. But, once a open hardware project gets to the point that I can use them and they are within my price range... I get one ;)
What would really kick things off is a freedom friendly version of the Raspberry Pi. Those computers are really cool (and for all we know, the future of computing), but unfortunately there exists no freedom friendly device like that yet (that I know of).
But just imagine, a ~$35 freedom friendly computer roughly the size of a credit card. I would buy that SO MUCH.
(and my avatar was quite coincidential, but would be a reasonable reaction to reading vPro's comments. "Why would you do that?!")
The closest thing we have to a freedom friendly computer board is the Cubieboard.
From memory, the only proprietary thing it has is the Mali400 GPU which the free driver replacement project, Lima, will support in a matter of time.
I'm thinking of getting one to host my own email server, especially now after the NSA/PRISM revelations.
Check out BeagleBone. The chip is closed-source (Texas Instruments), but the rest of the board is very FOSS friendly. Also, check out http://opencores.org/ and https://www.olimex.com/Products/OLinuXino/open-source-hardware
Well, for those who want the latest and greatest all day, every day, there's always Parabola.. =P Flip side of course being that you'd have to properly install and configure Parabola.
That being said, quite frankly, anyone stupid enough to allow a something as powerful as java to be executed willy-nilly by any random website...
As for hardware without vPro or UEFI or any of that garbage.. Hey, suppose one could always get a NanoNote or a YeeLoong. =P
I totally agree with you, and I forgot to mention yeeloong. But as far as I know, yeeloong won't run trisquel. =S
What are those nanonote?
True. =x But you could put Parabola or gNewSense on there.
It's a tiny pocket computer which can run LibreWRT. Open hardware and the whole shebang. Think it's more or less out of production at this stage though. =(
http://en.qi-hardware.com/wiki/Ben_NanoNote
I went to read about Nano, it seems interesting, but yes, still can't think of a use for it. Maybe soon I hope.
As for the Yeeloong, I don't really think I would change from Trisquel to GNewSense. Just.... no comparison. Trisquel is more or less updated, it has a solid users community, I think gnewsense delivered last stable release in 2009. IF they started providing updates every six months, maybe that would be worth considering. Too bad I think getting a yeeloong would cost around 400 euros. =S
Well, least you can be sure it's not phoning home or anything.. 'cause there are no radios.. And u'know. Music player and graph calculator I guess. =P
True, true. Not to mention it's quite a significant compromise in terms of hardware. x) There is active development going on with gNewSense though, 3.0 Beta 2 got out a few weeks back. =x
And at the risk of repeating myself and sounding like a shill, Parabola - It's rollin' baby. =P
The 8089D goes for 265 euros from tekmote. =P
Not phoning home? A friend in my book :P But honestly, if I wanted a music player and a calculator... I would buy a music player and a calculator :P
As for gnewsense, well, their latest stable was 2009 and ever since they released 2 betas... Not what I call a solid development and support. So, that's a no (for now) in my book.
I haven't checked Parabola yet, mainly because the website has a "unknown" certificate.
Well, I saw it more expensive in other website, but anyway, try shipping that to my country and the costs doubles =S
A project that actually caught my eye was this https://en.wikipedia.org/wiki/Beagle_Board
Do you think that, given the fact it can run android and ubuntu (took a look in their website) it would also run trisquel???
Thanks for the link!
From what I read, the beagle board can actually use a "free bios" and can work without proprietary drivers except for 3d acceleration. Let's face it, it's the same problem we have in most laptops (graphics cards usually won't have free drivers providing 3d acceleration) but with the plus that is "free bios".
I understand is not THE BEST solution, but it would still be better than many solutions we have right now.
>I haven't checked Parabola yet, mainly because the website has a "unknown" certificate.
sudo apt-get install ca-certificates
Thanks Lembas. But, I know that I need to install that and I know how to dot it. It's just that in order to keep my system safe I don't go around installing anything just because some website says me "trust me, install this and dive in!"
But yeah, If I need to actually take a look at parabola I will follow your advice. Thanks ;)