They *are* doing the basic housekeeping. What do you think this announcement is, if not exactly that? AUR is very clearly documented as user-submitted, and automatic installs from it are heavily discouraged by the maintainers for this reason. Malware aside, there is very little quality control, and a poorly made AUR has the potential to break the system pretty badly. (Though, in my experience, most of the useful AUR packages are trivial to remove if something goes wrong.)
The officially maintained repositories (which are part of a default installation) were not affected. Users need to go somewhat out of their way to use an AUR.
The definition files are all plain text and not especially complicated. It's not too difficult to glance at the file before doing an install to get a basic idea of what it's about to do, just like you should do when running a random shell script or cloning a random git repo. Indeed, most AURs are implemented by cloning an upstream git repo and configuring it so it can be built. The same basic threat model applies: Do you trust the install script? Do you trust the upstream URL whose code it is about to compile?
i read all the pkgbuild diffs, still doesn't give me a good sense. sure, i can verify that it's coming from the official repo but even then there's no guarantee that there isn't junk in there or that the git ref is actually pointing at the right thing.
it would be better if there were stronger community moderation and review that has stamps i can trust rather than this idea that eyeballing build scripts is a reasonable security posture.
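The kind of pre-install glance at a PKGBUILD described two comments up, plus the "is the git ref actually pinned" concern raised here, as an added example that is not part of the thread and not an Arch or AUR tool: it scans the `source` array statically (never sourcing the file) and flags git sources with no `#commit=`/`#tag=` pin and non-git downloads whose checksum is `SKIP`. The PKGBUILD text is constructed and `example.invalid` is a placeholder.

```python
import re

# Constructed sample PKGBUILD (not a real AUR package). Source 0 is an unpinned
# git checkout, source 1 is a tarball with its checksum skipped, source 2 is a
# git checkout pinned to a commit (SKIP is normal for git sources in makepkg).
SAMPLE_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
url="https://example.invalid/example-tool"
source=("$pkgname::git+https://example.invalid/example-tool.git"
        "https://example.invalid/extra-1.0.tar.gz"
        "vendored::git+https://example.invalid/vendored.git#commit=0123456789abcdef0123456789abcdef01234567")
sha256sums=('SKIP'
            'SKIP'
            'SKIP')
"""


def _bash_array(text, name):
    """Return the items of a bash array assignment name=(...) by plain text
    scanning; the PKGBUILD is never sourced or executed."""
    m = re.search(r'^\s*' + re.escape(name) + r'=\((.*?)\)', text, re.S | re.M)
    if not m:
        return []
    items = re.findall(r'"[^"]*"|\'[^\']*\'|\S+', m.group(1))
    return [s.strip('"\'') for s in items]


def review_sources(pkgbuild):
    """Return (index, reason) pairs for source entries worth a second look."""
    findings = []
    sources = _bash_array(pkgbuild, 'source')
    sums = _bash_array(pkgbuild, 'sha256sums')
    for i, src in enumerate(sources):
        # Drop the optional "name::" prefix makepkg uses to rename a download.
        location = src.split('::', 1)[1] if '::' in src else src
        fragment = location.split('#', 1)[1] if '#' in location else ''
        is_git = location.startswith('git+')
        if is_git and not re.match(r'(commit|tag)=', fragment):
            findings.append((i, 'git source is not pinned to a commit or tag'))
        if not is_git and i < len(sums) and sums[i] == 'SKIP':
            findings.append((i, 'checksum is SKIP'))
    return findings


if __name__ == '__main__':
    for idx, reason in review_sources(SAMPLE_PKGBUILD):
        print(f'source[{idx}]: {reason}')
```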
> it would be better if there were stronger community moderation and review that has stamps i can trust rather than this idea that eyeballing build scripts is a reasonable security posture.
Ok, so instead of having a reasonable security posture yourself, you'd rather rely on a number of random strangers who've eyeballed the PKGBUILD instead?
Generally, I think Arch tries to prevent users from relying on bad signals, and this principle might be applied here too.
> i read all the pkgbuild diffs, still doesn't give me a good sense. sure,
Do you have an example of a diff that doesn't give a good sense? I review all my diffs too, but I feel like all of them give me a good sense if it's safe to install or not. I mean, why would I otherwise, what's the point in reviewing if you don't use it to make a decision if to install it or not?
Well ArchLinux has a product for you if you want packages that were vetted: the official repositories.
AUR is just a centralized place to put user created packages, like npm is a place to put user created node packages.
Well I usually already have my browser open, and "Ctrl+T, 'fa', [enter]" loads up my email basically instantly. I don't want email notifications (or any notifications, really) so a local app just seems like it would introduce a lot of clunk for not much benefit.
Shopping in the US, these have entirely replaced zigbee and other sensible mesh-based options at hardware stores like Home Depot and Lowe's. The only exception I can find is Philips Hue, and those seem to be slowly getting phased out with (sigh) a new "hubless" (requires wifi) series.
I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart. I just do not trust the security of these IoT vendors at all, and refuse to have their nonsense cluttering up my limited network bandwidth and causing unknown problems.
(Edit: maybe not obvious, this is in the "smart bulbs" product category. Regular bulbs are still much more common on store shelves, because why fix what isn't broken? Most people don't need to automate their light bulbs.)
> I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart.
Absolutely support you in that. I don't really feel the urge to automate appliances around me in the first place, though. I feel like I'd just be locking myself into the schedule I'd automated, building my life around it. What good is free time without freedom?
A light bulb doesn't require a processor to turn on and off when power is applied, so the only reason to add one is for extra functionality. A TV requires a (relatively) powerful processor just for decoding the signal.
If we could start teaching Morse Code in standard curriculum then in about 18 years or so we could finally subsidize smart lightbulbs with blinking ads for products and then we could stop selling pesky "dumb" bulbs.
You're underestimating the potential of subsidizing smart bulbs with data collection. Someone smart is getting paid a lot right now somewhere to figure this out.
Speaking personally, I have the "must be covered" gene along with the "overheats easily at night" gene, so it's been a bit of a struggle hitting a balance. Right now a thin breathable quilt is the way to go, even in deep winter. Hard to explain really, but I feel anxious (and cold!) if my body is exposed, even if it's actually pretty hot in the room.
The best mitigation for this conflict seems to be those knitted blankets with the enormous holes. Terrible heat retention, and they're pretty heavy. That got the job done during a Texas summer on more than one occasion.
A pox specifically on my otherwise delightful samsung OLED, which immediately upon any sort of disconnect event (say, changing the resolution, or restarting the machine) decides to spend 10-15 seconds slow-scanning every other possible input. Exactly none of which have a physical cable attached, and exactly zero of which have ever been used once.
What the devil is taking so long? I'm sure there's some technical reason that the check isn't more instant, but gosh it is frustrating every damned time.
My Acer Predator can disable that option. The downside is specifically for MacOS: the Mac often gives up trying to sync before the monitor has finished its side of things, and since the Acer has a non-configurable, extremely short auto-power-off, the two get into a death loop.
Still chugging away at my NES rhythm game. Currently, in addition to climbing the content mountain (so, SO much pixel art and music needs to be made) I'm also slowly learning video editing workflows. I was able to put together a brief gameplay trailer this last week:
Right this second I'm looking for an alternative to After Effects that runs on Linux systems, as kdenlive has some limitations with its layering implementation. I'll probably give Blender and Godot both a whirl, as I want to get more comfortable with those tools for future projects.
It is indeed also on Itch. I'm planning to release both, along with a physical cartridge at some point. It's a real NES game, so a ROM is included. (No DRM, of course. I'm not even sure how you would achieve DRM on a ROM chip.) I test on an Everdrive N8 Pro. It's a big game, so simpler flashcarts tend to not be able to run it.
Aye, the inspiration is not subtle. Technically it is the latest entry in the "rhythm-based roguelike" genre... which to my knowledge mostly includes CotN and its sequel, Cadence of Hyrule. Both are excellent, and I recommend them highly. Of course I'm unaffiliated, so this is more of a spiritual successor (... demake?) and is its own thing in terms of IP.
I've been having some success by configuring my RSS reader with simple rules, like "please don't tell me about shorts" and "I don't care if this person is live right now." Too bad the real homepage shows three enormous thumbnails and pretty much exclusively the things I want to not see.
I got lucky: the only creator doing that used a consistent name for the video, so I could pattern match on that. I haven't found anything that would work universally.
My tell is to recognize any room with a piano in it. I naturally want to sit down and play this piano, but the keys are totally wrong. No problem, I'll look around and, lo and behold, dozens more pianos all... with the keys in the wrong places. I can't play anything. "Oh, this again. I must be dreaming. How frustrating."
A very regularly occurring dream is that I'm in a train and realize that I don't have a ticket (never happened IRL), so I want to buy an e-ticket, but the ticketing app does not work. The text changes all the time, the buttons move around, weird errors, and then I realize 'yep I'm in a dream again'.
The nicer lucid dreams are those where you can fly or make spectacular light and colors, but I find that it's usually a difficult balance to avoid waking up.
The answer is loyalty programs. I wouldn't be surprised if many existing loyalty programs already violate this law in spirit. The customer is encouraged to scan their app, and offered personalized coupons. Anyone not participating pays the base (highest) price possible, and those who are price conscious get a tailored discount, which is not necessarily the same discount as their neighbor.
(As an added bonus, the data stream from the loyalty program is attractive to marketing teams. Want to not be tracked? Higher prices for you!)
I'll chime in with a really basic example. On my Android phone, I can have syncthing run as a background task. I can point other applications to use a data folder, in my syncthing share, and store their persistent state there. The Camera app, for example. Or Obsidian, my current favorite note taking app. Syncthing, by virtue of being always on and manipulating a decades old, very well understood filesystem concept, "magically" syncs all of these changes to every other device I own. Entirely offline, even if the internet is out, because the devices can just talk to each other.
So far, I have been utterly incapable of getting my iPad to do anything remotely similar. It can run syncthing, technically, but not in the background. Apps don't have a shared filesystem structure, so it's difficult to get anything else set up to "save within my shared folder" in a way that would work, and that disregards that the syncing cannot occur when anything else is open. There's all sorts of cloud backup options, but those require the internet and even when they're working, there's this awkward import/export flow that adds friction to the whole dance.
In isolation this would just be a small papercut, I guess, but these sorts of limitations are all over iOS. It's just terribly hostile to anyone not fully committed to the Cloud-first, Apple-hardware ecosystem. Android doesn't care, and doesn't have to care, because it lets me run the software I want. It's a really small set of programs too, at the end of the day. (Firefox with real extensions is the other one.)
This is the exact reason we switched my wife from iPhone to Android – because her iPhone couldn't sync reliably for our shared password vault or for Immich.