Active Topics
-
The N900 is now 15 years old! (9)
to Nokia N900 by Arno_11 - 19 hrs, 53 mins ago -
Sailfish OS for the Motorola Moto G7 Power (XT1955-5) - (ocean) (4)
to SailfishOS by Maemish - 6 days, 8 hrs ago - more...
|
2010-01-12
, 13:44
|
|
Posts: 4,556 |
Thanked: 1,624 times |
Joined on Dec 2007
|
#22
|
Ah Flandry, but what about a trojan that sits until it hits extras and gets tons of downloads?
__________________
Originally Posted by ysss
They're maemo and MeeGo...
"Meamo!" sounds like what Zorro would say to catherine zeta jones... after she slaps him for looking at her dirtily...
|
|
2010-01-12
, 13:45
|
|
Posts: 20 |
Thanked: 7 times |
Joined on Dec 2009
|
#23
|
I do believe there is a certain amount of snobbery involved here.
Nokia could easily charge to repair bricked devices if RPM/install from .deb was used. They just need to make it clear to the end user (via manual/on screen dialogue/ warranty info).
Locking the unit down (or at least taking away the possibility of unlocking areas via GUI) appears to me to be antithetical to the Linux philosophy.
I won't cry though. As long as they don't kill root access.
By the way. There is an even more puritanical group of users out there who want all GUI's and even xterm deleted in favour of pure binary code.
If you can't make a phone call by writing the binary code to do so every time you want to make one, then you should not be using this phone.
Nokia could easily charge to repair bricked devices if RPM/install from .deb was used. They just need to make it clear to the end user (via manual/on screen dialogue/ warranty info).
Locking the unit down (or at least taking away the possibility of unlocking areas via GUI) appears to me to be antithetical to the Linux philosophy.
I won't cry though. As long as they don't kill root access.
By the way. There is an even more puritanical group of users out there who want all GUI's and even xterm deleted in favour of pure binary code.
If you can't make a phone call by writing the binary code to do so every time you want to make one, then you should not be using this phone.
|
|
2010-01-12
, 13:49
|
|
Posts: 1,224 |
Thanked: 1,763 times |
Joined on Jul 2007
|
#24
|
Originally Posted by Flandry
You are wrong.
The security is only as good as the testing. Your root-formatting package would not last a day in -testing. That's the whole point; thank you for making it.
All I need to do is write an actual application, jump through all the loops to get it to extras, and make sure it includes a code that does if(date==03/03/10)delete_all_files. If this code is somewhat obscure (or the application is not free), there is no chance that someone will discover it before it actually does it.
But this is irrelevant anyway. HAM allows repositories with no testing at all, so why not allow local packages?
 |
|
2010-01-12
, 13:53
|
|
Posts: 1,559 |
Thanked: 1,786 times |
Joined on Oct 2009
@ Boston
|
#25
|
Originally Posted by Laughing Man
As i said, security is only as good as the testing. Living is risk-taking but, given a hard pitch to climb, i'm going to go with the belayed approach over free climbing.
Ah Flandry, but what about a trojan that sits until it hits extras and gets tons of downloads?
I'm not opposed to improving security or the -testing process, but that's got nothing to do with this thread except that an attempt was made to suggest that repos are less secure than installing arbitrary .debs, which is clearly false.
__________________
Unofficial PR1.3/Meego 1.1 FAQ
Unofficial PR1.3/Meego 1.1 FAQ
***
Classic example of arbitrary Nokia decision making. Couldn't just fallback to the no brainer of tagging with lat/lon if network isn't accessible, could you Nokia?
|
|
2010-01-12
, 13:55
|
|
Posts: 1,224 |
Thanked: 1,763 times |
Joined on Jul 2007
|
#26
|
Originally Posted by Flandry
Where in this thread was such an attempt made?
except that an attempt was made to suggest that repos are less secure than installing arbitrary .debs, which is clearly false.
 |
|
2010-01-12
, 14:01
|
|
Posts: 2,869 |
Thanked: 1,784 times |
Joined on Feb 2007
@ Po' Bo'. PA
|
#27
|
They didn't lock anything down or take anything away. Installing from a file can always be done as pointed out in this thread.
Those who consider this action by Nokia "locking" may precisely be the reason "Red Pill" is no longer available.
The damage though may already be done. When PR 1.1 is released important or relevant information on these forums will be missed or obscured by the many "The update doesn't work" threads or threads that jump to incorrect conclusions.
This was posted by Kontorri yesterday on his blog:
I'm wondering how many "Red Pill" users have less than 45 megs of free space on the rootfs because they have installed non "optified" applications from where ever they find them?
Those who consider this action by Nokia "locking" may precisely be the reason "Red Pill" is no longer available.
The damage though may already be done. When PR 1.1 is released important or relevant information on these forums will be missed or obscured by the many "The update doesn't work" threads or threads that jump to incorrect conclusions.
This was posted by Kontorri yesterday on his blog:
Originally Posted by Kontorri
>> http://konttoristhoughts.blogspot.com/A word of warning: The next big update will require 45 megs of free space on the rootfs. This is pretty difficult for an end user to understand, so I'm calling all you developers who might have wasted end users rootfs space: please do what you can to optfy end users devices for every byte you can spare.
I'm wondering how many "Red Pill" users have less than 45 megs of free space on the rootfs because they have installed non "optified" applications from where ever they find them?
| The Following User Says Thank You to YoDude For This Useful Post: | ||
|
|
2010-01-12
, 14:43
|
|
Posts: 1,559 |
Thanked: 1,786 times |
Joined on Oct 2009
@ Boston
|
#28
|
Originally Posted by Matan
Sorry for the misstatement; the actual quote i was replying to was "The decision to only allow packages from repositories does nothing for security." and i was disputing that. Any sufficiently determined and able hacker can find a way to do malicious things, but it's still more secure to have some testing than none.
Where in this thread was such an attempt made?
My stance on the original topic is that we need to work to make it unnecessary for anyone not comfortable with the shell to have any reason to install individual .debs. I concede we are not there yet, but the way forward is not to facilitate that and thus remove incentive to fix the real problem, but to fix the real problem. That problem can be broken down into "repo issues" and "HAM/package type UI granularity issues". Let's focus on those and not beat the dead horse that died for good reason.
There will always be a need to install debs for devs, and they will always have dpkg.
__________________
Unofficial PR1.3/Meego 1.1 FAQ
Unofficial PR1.3/Meego 1.1 FAQ
***
Classic example of arbitrary Nokia decision making. Couldn't just fallback to the no brainer of tagging with lat/lon if network isn't accessible, could you Nokia?
|
|
2010-01-12
, 14:48
|
|
Posts: 1,224 |
Thanked: 1,763 times |
Joined on Jul 2007
|
#29
|
Originally Posted by Flandry
But HAM allows installation of packages from repositories with no testing at all, so saying that removal of red pill mode is done for security reasons is a red herring.
Sorry for the misstatement; the actual quote i was replying to was "The decision to only allow packages from repositories does nothing for security." and i was disputing that. Any sufficiently determined and able hacker can find a way to do malicious things, but it's still more secure to have some testing than none.
There will always be a need to install debs for devs, and they will always have dpkg.
|
|
2010-01-12
, 15:04
|
|
Posts: 1,559 |
Thanked: 1,786 times |
Joined on Oct 2009
@ Boston
|
#30
|
Originally Posted by Matan
I don't think it was done for security reasons; i think it was done because it makes it possible to do with a user-friendly GUI operations that have a good chance of breaking their OS.
But HAM allows installation of packages from repositories with no testing at all, so saying that removal of red pill mode is done for security reasons is a red herring.
I wish I could be so optimistic.
Look at the direction things are going here. It's not towards more restrictive, it's towards better general user appeal and safety of UI and more openness of software. It's evolving to more distinctly separate everyday user experience from hacker experience without any signs of cutting off either of them.
__________________
Unofficial PR1.3/Meego 1.1 FAQ
Unofficial PR1.3/Meego 1.1 FAQ
***
Classic example of arbitrary Nokia decision making. Couldn't just fallback to the no brainer of tagging with lat/lon if network isn't accessible, could you Nokia?
| The Following 4 Users Say Thank You to Flandry For This Useful Post: | ||
Unofficial PR1.3/Meego 1.1 FAQ
Accelemymote: make your accelerometer more joy-ful