On Mon, Mar 23, 2015 at 9:18 AM, Robert Storey <[email protected]> wrote: > Puppy Linux is interesting. I used it for awhile and liked that it was fast, > and fun. A bit lacking in software, but with the Slacko packages you can > make it better. My main concern about it was that it logs you in as root > (without even a password). A lot of people have expressed concern about this > apparent security hole, but Puppyistas are insistent that it's no problem. I > remain somewhat sceptical.
I usually don't even think about that, but, when I do think about it, it worries me too. Thanks for bringing it up, I had forgotten all about that. My rather pitiful approach to security (other than burying my head in the sand) is mostly to just blindly hope that the people who think Puppy is secure enough are right. While running things as root and mostly not having to worry about user privileges, etc. certainly makes things simpler, I've always suspected it might be a dangerous and harmful oversimplification. But, I don't really know, and am definitely not really qualified to judge. Some Puppies are configured to run web browsers and other things as a less privileged user named "spot", but, again, I can't judge how much good that does or doesn't do. I've heard that Puppy can use chroot, but, I don't know the details, and am such a newbie I don't yet know how to use chroot in any Linux at all yet - but, I guess I'll learn in the process of trying to build my own Linux from scratch. I definitely am not saying everything about Puppy is great and worth reimplementing in every Linux! The thing about Puppy I think might be best for other OSes to emulate would be, the emphasis on making things really easy and intuitive even for non-technical users. That might give Devuan an obvious advantage over Debian (and other distros) even in the eyes of non-technical people who might have a difficult time understanding what systemd is and why it's bad, and could help increase the popularity of Linux in general. Another thing that interested me about Gobo Linux when I was reading about it yesterday was, the notion of trying some unconventional approaches to dealing with root, such as renaming root, minimizing root's powers, and other ideas to enhance security. Those ideas are currently mostly beyond my ability to understand or summarize, but, perhaps there are some good ideas that could be useful in Devuan or other Linuxes. Quoted from a page titled titled "I am not clueless - or, "Myths and misconceptions about the design of GoboLinux": http://www.gobolinux.org/index.php?page=doc/articles/clueless "Now that I'm through with the historical explanation, one thing I would like to point out that it is a well-known fact that the existence of a single god-like entity is one of the weaknesses of the Linux security model, and that is what bothered me with the notion of an arbitrary root versus the rest of users; it is akin to a single point of failure in a distributed system. The first thing every project aiming to improve the security of Linux does is to increase the granularity of the security model, do dilute the power of root: ACLs, capabilities, SELinux... It may be argued that some of those add excessive complexity to the model, but I won't dive into this discussion here. The one thing that is clear is that the root model is overly simplistic for today's complex systems, and that the ``setuid'' kludge is the source of most security issues. Plan 9, for example, doesn't have a superuser at all; it offers a virtualized view of the file system to each process. The gobo experiment was an interesting assessment on how ingrained in the Linux world is the expectation on having a root user; fortunately, not much (it does not measure how attached the security model is to the user #0, of course). One future direction I would like GoboLinux to take (and in fact Linux in general) is to adopt some of the technologies listed above as a way to improve the control over the system security and administration; to detach ourselves from root was the first step in this direction." > Anyway, kudos to the developers for remaining > systemd-free. On the other hand, I just took a look at their forum, and I > was dismayed to see several posts by users practically demanding that > systemd be brought into Puppy. Yes, even their 14-page long "boycott systemd" thread has a few people saying things in favor of (or not against) systemd. http://murga-linux.com/puppy/viewtopic.php?t=93586 But the overall impression I got from that thread was that most are against it. I guess if systemd-induced incompatibility keeps spreading throughout the Linux world, pressure to add systemd might increase over time even in the Puppy community. But, hopefully the alternatives provided by Devuan and others will help stop that. I finally noticed that DebianDog, which is somewhat related to Puppy, unfortunately has systemd: http://murga-linux.com/puppy/viewtopic.php?t=93225 But, fortunately, DebianDog doesn't qualify as a "mainline", official Puppy distro, since it's not built using Puppy's "woof" system. A blog post by Barry Kauler (creator of Puppy Linux) - http://bkhome.org/news/?viewDetailed=00124 - says: "Puppies built from woof-CE are following the "mainline"." and: 'The latest "official" Puppy, built from woof-CE, is Tahrpup 6.0' > Hopefully, the developers will resist the > urge to surrender. Yes. And hopefully someday there will be a DevuanDog. :-) > > Wolfgang Pirker wrote: >> There is also AntiX. The main developer behind it seems also not to be >> happy about how Debian Jessie users are forced to use SystemD: >> http://antix.freeforums.org/viewtopic.php?f=6&t=5280 >> >>(if anyone is more interested about a AntiX (Jessie-based) release >> without SystemD - a Beta release: >> http://distrowatch.com/?newsid=08851 ) Thanks for the info! > > Wow! I'm familiar with AntiX, having used it long ago, but I hadn't realized > that the latest beta is Jessie-based and systemd-free. So now I have to ask: > Isn't that pretty much what we're doing here with Devuan? Perhaps I should > rephrase that: In what ways is AntiX different from Devuan? And is there any > possibility of collaborating with Anticapitalista (the developer)? > > cheers, > Robert I'm just a newbie around here (and relatively new to Linux, only been using it since 2011), so I wouldn't know how to answer. But I like your questions. :-) Anyway, I don't normally post very much to the internet at all (except my own website and Tumblr), and I'm nowhere near as technically knowledgeable as I wish I was. I wish I had switched to Linux years ago - I have years and years of catching up to do, and don't know if I'll ever be able to reach the point of being an expert on anything. So, I don't know if I'll soon think of anything more that seems worthwhile to say, and I'll probably soon go back to being mostly quiet. But, I'll at least be silently cheering for Devuan. :-) Thanks to everyone in the Devuan community, and congratulations on all the progress! Best wishes, Apollia _______________________________________________ Dng mailing list [email protected] https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
