@thebiologist1117 @404zzz They use a script to scan your system for what you have installed (WM/DE etc) for "updates", despite your package manager doing that for you.

They have allowed their TLS certificates to expire multiple times (at least 2) and told their users to change their clocks back to bypass the security issue (which also bypasses security for every other website on the planet and makes TLS useless).

They have unintentionally DDoSed Arch Linux's servers because they were too incompetent to do package management properly.

@inference @404zzz @thebiologist1117 Can you tell me a bit more about the update thing? I'm thinking it's probably some kinda usability feature since they also support Flatpaks and the AUR in their package manager. But I've never heard about this before, weird.

And the TLS thing, I don't know how easy it is to renew the certificates, but considering they have a big team working behind this distro, maybe they could've handled the situation better. But this still wouldn't make them evil/bad IMO.

@futureisfoss @404zzz @thebiologist1117 The update thing is a script you can find in their Git repositories. It scans your system to find out what software you have so it can "update" it, even though your package manager already does this without a scanner script. Seems like spyware to me.

TLS certificates can be renewed automatically, and take even just seconds manually. There is zero reason why any professional organisation would allow TLS certs to expire. None.

Telling people to roll clocks back *is* the definition of an evil security sin. Not only is it incompetent, it is downright dangerous and malicious. TLS encryption relies on date and time being correct. Changing this to make expired certificates unexpired is putting the user at extreme risk and is worse than using unencrypted HTTP.

@inference @404zzz @thebiologist1117 @futureisfoss Wow, that’s beyond bad. I remember hearing about this back in the day but didn’t know the whole story behind it.

If I was going to use Linux now, it would hands down be Fedora.

@pete @inference @404zzz @thebiologist1117 I don't think it's as bad as it seems. The scanner script is probably a usability/functionality thing, I don't think Manjaro is trying to spy on people, lol. The TLS one I understand why some people have a problem with that, they probably fucked up something on their servers, I don't know what but it should be bad enough to ask people to change their clocks - but only temporarily, and the security risks are of expired TLS which is kinda rare these days 🤔

@futureisfoss @pete @404zzz @thebiologist1117

> change their clocks - but only temporarily, and the security risks are of expired TLS which is kinda rare these days

No, this is feeding the ridiculously bad and naive security practices seen here. I'm not trying to imply that you're stupid here, but you clearly don't understand the risks of TLS certificates and bypassing clocks, and how time sensitivity plays an enormous role in security as a whole.

This should never have happened. No excuses. None. This is careless, reckless behaviour, which could get every one of their users middlemanned and backdoored in seconds.

@inference @404zzz @pete @thebiologist1117 I don't know that much about TLS so maybe you're right, it's a bigger threat than I assumed. When Manjaro asked users to change their clocks, it was only a temporary thing, right? Because it'd be 100 times worse if it was permanent.

@futureisfoss @404zzz @pete @thebiologist1117 Whether temporary or not is completely irrelevant. Changing date or time to an incorrect value, whether intentionally or unintentionally, is a major security risk and can (and will) cause issues with everything from verifying that the owner of the TLS certificate (and thus domain) is authentic and still owns that domain, and incorrect times affect sudo and doas, as well as login times and account lockouts on local systems using time-based lockouts.

Maliciously and/or incompetently telling users to roll back clocks is *literally* breaking 80+% of the security on their system, even offline. They should have renewed their cert, or taken their website offline if that wasn't possible for some reason. What they did (multiple times!) was put their users in extreme danger. Even passwords are effectively useless in some situations where time is used as a base.
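As an added illustration of the point made in the posts above (example code written for this page, not by anyone in the thread), the snippet below shows the two sides of the issue: the operator-side expiry monitoring that would have caught the certificate before it lapsed, and the client-side time check that a rolled-back clock defeats. The certificate metadata and the three "current times" are constructed sample values in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the names `SAMPLE_CERT`, `TRUE_NOW`, `ROLLED_BACK_NOW` and `NEAR_EXPIRY_NOW` are this example's own.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample certificate metadata, in the shape returned by
# ssl.SSLSocket.getpeercert() (only the fields this example uses).
# The host name and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

# Constructed "current times" for the demonstration.
TRUE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)           # cert really expired
ROLLED_BACK_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)    # clock set back ~9 months
NEAR_EXPIRY_NOW = datetime(2024, 12, 20, tzinfo=timezone.utc)  # 12 days before expiry


def validity_window(cert):
    """Return the certificate's (notBefore, notAfter) as aware UTC datetimes."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return not_before, not_after


def is_time_valid(cert, now):
    """The time check every TLS client performs: is `now` inside the window?

    `now` comes from the system clock, which is why a clock rolled back
    into the window makes an expired certificate look valid again. The
    same wrong clock also accepts a certificate whose key was compromised
    and replaced after the rolled-back date, because its window still
    covers the "current" time.
    """
    not_before, not_after = validity_window(cert)
    return not_before <= now <= not_after


def days_until_expiry(cert, now):
    """Days remaining before notAfter (negative once expired)."""
    _, not_after = validity_window(cert)
    return (not_after - now) / timedelta(days=1)


def expiry_alert(cert, now, warn_days=30):
    """Operator-side monitoring: 'ok', 'expiring' (within warn_days) or 'expired'.

    Running this against the served certificate on a schedule is the cheap
    control that makes "we let the cert expire" a non-event.
    """
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def demo():
    """Compare the same certificate under a correct and a rolled-back clock."""
    return {
        "valid_with_true_clock": is_time_valid(SAMPLE_CERT, TRUE_NOW),
        "valid_with_rolled_back_clock": is_time_valid(SAMPLE_CERT, ROLLED_BACK_NOW),
        "monitor_status_true_clock": expiry_alert(SAMPLE_CERT, TRUE_NOW),
        "monitor_status_near_expiry": expiry_alert(SAMPLE_CERT, NEAR_EXPIRY_NOW),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The client check is deliberately written with `now` as a parameter to make the dependency explicit: nothing in the certificate itself changes between the two runs, only the clock the verifier trusts. That is the whole of the argument above in one line of code, and it is also why the fix belongs on the server (renew, or take the site down) rather than on every client's clock.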

@inference @404zzz @pete @thebiologist1117 I understand what you're saying, but I wouldn't say whether temporary or not is completely irrelevant. Every time a software vulnerability is found and an update is released to fix it, we tell everyone to quickly update to the latest version, why is that? Because the longer they wait before updating, the more time they're vulnerable, and that increases their chance of being exploited. So a permanent vulnerability is 100 times worse than a temporary one.

@inference @404zzz @pete @thebiologist1117 I'm not trying to defend Manjaro here, I know they fucked up and I agree what they did was wrong. You have every right to call them incompetent for that. But I wouldn't say they're malicious or evil though.

@futureisfoss @404zzz @pete @thebiologist1117 Perhaps not malicious, but certainly incompetent.

If you ask me, incompetence is worse, because they think what they're doing is right when it's not. At least malice knows what it's doing.

@inference @404zzz @pete @thebiologist1117
> If you ask me, incompetence is worse, because they think what they're doing is right when it's not. At least malice knows what it's doing.

In my personal opinion I think malice is worse. I have worked on some projects and I know mistakes happen sometimes, we're all human. But when we realize our mistake we should accept it and try to correct it, this is the important thing for me.

@futureisfoss @inference @404zzz @thebiologist1117 I’m not a cybersecurity expert, but I know enough that doing something like this may as well be malicious; the result is the same. Our work server had an issue with the clock sync getting disabled, and it broke a key part of functionality and verification. Internal only, but still a huge impact.

You just don’t mess around with clock settings for any reason, ever.

@pete @futureisfoss @inference @404zzz @thebiologist1117 That brings back memories of Windows Vista refusing to update because it put itself in the wrong time zone.

@AmpBenzScientist @futureisfoss @inference @404zzz @thebiologist1117 😂 Ah, Vista. They still haven’t lived that OS down after all these years. I’ll just leave this here:

youtube.com/watch?v=FVbf9tOGwn

@pete @AmpBenzScientist @futureisfoss @404zzz @thebiologist1117 Vista wasn't bad. It was better than XP.

Vista was the first release of Windows to include any useful security, and is the basis of every version of Windows since. Even Windows 11 is heavily based on Vista.

@inference @AmpBenzScientist @404zzz @thebiologist1117 @futureisfoss That’s true, it was more the bugginess and hardware compatibility issues that plagued its reputation. XP tried to be the next Windows 98 SE—which was solid as a rock—and failed miserably at it. It wasn’t until at least SP2 that it improved enough, but by then that ship had sailed.

All of this is ignoring the fact XP looked like a Fisher-Price toy. Whoever came up with that digital vomit should question their life choices. :)


@pete @inference @404zzz @thebiologist1117 @futureisfoss Windows 2000 Professional was ugly but it was quick and mostly reliable. I remember ME and I loved it. Windows Media Player with internet radio and the malware taught me about system restore by using system restore to restore itself.

@AmpBenzScientist @pete @404zzz @thebiologist1117 @futureisfoss Windows 95-2000 UI was the best UI. Not only would I use Windows Classic if it was still available today on Windows (it was removed with Windows 8), I do use it on Linux and BSD etc when using GUIs. Windows Classic was simple, straight to the point, and just got work done; no gloss, no resource drain, just raw functionality.

@thebiologist1117 Yes, and I remember making Xfce look like that when I used it on Qubes OS. There's even a theme built into Xfce for Windows Classic.

@inference @AmpBenzScientist @404zzz @thebiologist1117 @futureisfoss 💯 this. I still have to use the ugly Windows (7?)-based UI on my work software running under Server 2012, and it's an absolute eyesore. I'd give anything to enable the Classic UI if it was still available.

@pete @AmpBenzScientist @404zzz @thebiologist1117 @futureisfoss It is. Windows 7 and Server 2012 R2 were the final versions of Windows to have Windows Classic.

@inference @AmpBenzScientist @404zzz @thebiologist1117 @futureisfoss Wait, the last time I looked at the interface options I didn’t see Classic in there. Where can I find this hidden gem?

@pete @AmpBenzScientist @404zzz @thebiologist1117 @futureisfoss Windows Classic is default on Windows Server OSes.

Are you talking about the narrower bars and such, or the grey, blocky theme?

@inference @AmpBenzScientist @404zzz @thebiologist1117 @futureisfoss Mine has the ugly turquoise coloured windows and taskbar, definitely not Classic. I need to do some digging when I’m back from vacation.

@pete @AmpBenzScientist @404zzz @thebiologist1117 @futureisfoss IIRC: Control Panel > Appearance > Windows Classic

If you want to change the taskbar from the double height 7 taskbar to the half height Vista and older taskbar, right click the taskbar and change it to show small icons and also the full window title. After that, you have both Windows Classic UI and Windows 2000-style narrowness.

@AmpBenzScientist @inference @404zzz @thebiologist1117 @futureisfoss The hardcore people avoided Windows Malware Player and opted for WinAMP or Foobar2000. F2K was downright incredible, and essentially the Linux of music players. You could rice that program to the ends of the Earth and back, and its audio handling was top notch.

Qoto Mastodon