• 21 Posts
  • 662 Comments
Joined 2 years ago
Cake day: March 19th, 2024


  • It’s not an insult. It’s the widely accepted term for the ideology of the bourgeoisie. They self-describe as liberals. That’s been the usage of the term since its coining; USAmericans just decided to only use it to describe more left-leaning liberals rather than all liberals. If it’s used as an insult, it’s between communists accusing another communist of not being a communist, not because liberalism is inherently a pejorative. Like if a right-winger calls someone a communist as an insult, it’s not because communism is a pejorative, it’s because it’s a non-communist accusing another non-communist of not being not-communist enough.



  • I’m just confused as some comments seem to suggest it’s not possible. There are already idle daemons like swayidle, so you just need to have an idle daemon execute a program that plays an animation and exits when it receives any input? I don’t know of any such programs, but I don’t see how it’d be impossible.






  • DDG is fine. It’s hard to have a “completely private” search engine as currently only Big Tech has a comprehensive enough index of the internet to effectively provide a search engine.

    Obsidian isn’t FOSS though. I’d recommend Notesnook as an alternative. I haven’t tried any of the following but I also know of Logseq (which aims to do what Obsidian does but FOSS), Joplin, and Standard Notes, which you might want to look into.


  • if I aggressively block each offender in my logs permanently, then the next person assigned this IP who may be a legitimate user will be unable to access my site.

    temp bans exist for this reason. You can use something like fail2ban for it, or that may be overkill for your purposes, but any mechanism that blocks the IP address for a short amount of time will work. My f2b blocks spammers’ IP addresses for a day, and I don’t see repeat bans which means the spammers aren’t coming back on the same IP address, so the short ban works to stop a given spam attack.
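The temporary-ban idea from the comment above, as an added example that is not part of the original comment and is not fail2ban itself: a stand-alone sketch that bans an IP after repeated rejected requests and lets the ban lapse after a day, so a later user of the same address gets through. The log format, the thresholds and the choice of 401/403 as "bad" responses are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample log: "<epoch seconds> <client IP> <HTTP status>".
SAMPLE_LOG = """\
1000 203.0.113.7 403
1005 203.0.113.7 403
1010 203.0.113.7 403
1020 203.0.113.7 200
1030 198.51.100.4 200
90000 203.0.113.7 200
"""
LINE = re.compile(r"^(\d+) (\S+) (\d{3})$")

class TempBanner:
    """Ban an IP for ban_seconds after max_hits bad requests within window seconds."""
    def __init__(self, max_hits=3, window=60, ban_seconds=86400):
        self.max_hits, self.window, self.ban_seconds = max_hits, window, ban_seconds
        self.hits = defaultdict(deque)  # ip -> timestamps of recent bad requests
        self.banned_until = {}          # ip -> time at which the ban lapses

    def is_banned(self, ip, now):
        expiry = self.banned_until.get(ip)
        if expiry is not None and now >= expiry:
            del self.banned_until[ip]   # ban has lapsed: the address is usable again
            expiry = None
        return expiry is not None

    def observe(self, ts, ip, status):
        """Return 'blocked' (ban active), 'banned' (ban starts now) or 'allowed'."""
        if self.is_banned(ip, ts):
            return "blocked"
        if status in (401, 403):        # assumption: these statuses mark abuse
            recent = self.hits[ip]
            recent.append(ts)
            while ts - recent[0] > self.window:
                recent.popleft()        # forget hits older than the window
            if len(recent) >= self.max_hits:
                self.banned_until[ip] = ts + self.ban_seconds
                recent.clear()
                return "banned"
        return "allowed"

def replay(log, banner):
    """Feed each well-formed log line to the banner and collect its decisions."""
    rows = (LINE.match(line) for line in log.splitlines())
    return [banner.observe(int(m[1]), m[2], int(m[3])) for m in rows if m]
```

In the sample, the request at t=90000 arrives after the one-day ban from t=1010 has lapsed, so whoever holds 203.0.113.7 by then is served normally.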


  • I also used to use the same thing. Been a long time since I’ve had to remote access someone else’s PC for troubleshooting but I think I also used TeamViewer back in the day (which I assume might not work as well on Linux anymore now that Wayland is the norm?). Perhaps you could write a quick script to get your public IP address by curling some web service that tells you your public IP address, add a desktop shortcut to that script, and over the phone tell the person to double-click that desktop shortcut and read out the number they see. It’d still trip up the most tech-illiterate but hopefully if they’re at the “can follow clear and basic instructions” level they can manage that. And possibly there are still dyndns clients that do that; I’ve just not messed with any of that for a long time, but you can set that up on their PC if that stuff is still around.


  • It depends on your threat model again. Many people are able to live as fugitives for a long time because they’re not very high priority for the cops. I’ve personally known people who have been able to evade the state just by living nomadically because the state doesn’t put many resources towards finding you if you’re low-priority. Obviously if you’re actively wanted for idk terrorism or something then you’ll need more than just a nomadic lifestyle.





  • The forking option wouldn’t work as well as it does on GitHub because AUR packages are not namespaced like GitHub repos, e.g. communism/mypackage; instead it’s just mypackage. So if adoption required a new name you’d have mypackage-cont, mypackage-cont-cont, or whatever. And it wouldn’t really be possible to introduce username namespacing because AUR packages are just Pacman packages that are community-contributed rather than official, and Pacman, like most package managers, doesn’t namespace their package names; firefox is just firefox rather than, say, mozilla/firefox. Some AUR packages get added to the official repos so when you do, e.g. yay -Syu, you’ll then install the official package if you previously had the AUR package installed as it has the same name.

    There isn’t a perfect solution. Even if package adoptions were moderated, someone could take over a package and initially push a genuine commit, and then their next commit is malicious. Reviewing every single AUR commit would be incredibly labour-intensive. Possibly you could add automated checks for commits that suddenly add an npm install or other suspicious command with regex, but attackers could just get cleverer about avoiding those regex checks. Imo the best solution is just more widespread warnings about the fact that AUR packages are community-contributed with no guarantees of safety (e.g. on the Arch wiki where it sometimes suggests users install AUR packages), and AUR helpers forcing users to read PKGBUILDs before installation.
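The automated check described in the comment above, as an added example that is not part of the original comment and is not an AUR or AUR-helper feature: it walks a unified diff of a PKGBUILD and flags only the lines a commit adds. The rule names, the patterns and the sample diff are assumptions made up for illustration.

```python
import re

# Hypothetical rule set for illustration; not an AUR or AUR-helper feature.
SUSPICIOUS = {
    "npm-install": re.compile(r"\bnpm\s+(install|i)\b"),
    "pipe-to-shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"),
    "install-hook": re.compile(r"^\s*install\s*="),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def added_lines(diff):
    """Yield (new_file_line_number, text) for every line a unified diff adds."""
    old_left = new_left = new_no = 0
    for line in diff.splitlines():
        m = HUNK.match(line)
        if m and not (old_left or new_left):
            old_left, new_no, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
        elif old_left or new_left:           # inside a hunk; file headers are skipped
            if line.startswith("+"):
                yield new_no, line[1:]
                new_no, new_left = new_no + 1, new_left - 1
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):  # context line
                old_left, new_no, new_left = old_left - 1, new_no + 1, new_left - 1

def flag_diff(diff):
    """Return (line_number, rule, text) for each added line that matches a rule."""
    return [(no, rule, text.strip())
            for no, text in added_lines(diff)
            for rule, rx in SUSPICIOUS.items() if rx.search(text)]

# Constructed sample diff (package and helper names are made up).
SAMPLE_DIFF = """\
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,6 +1,9 @@
 pkgname=mypackage
-pkgver=1.0
+pkgver=1.1
 pkgrel=1
+install=mypackage.install
 build() {
   make
+  npm install example-helper
+  _t=npm; "$_t" install example-helper
 }
"""
```

`flag_diff(SAMPLE_DIFF)` reports the new `install=` hook on line 4 and the literal `npm install` on line 7, but not line 8, where the command name comes from a variable. That gap is the limit the comment points to, so a check like this can only prioritise which commits to read, not replace reading the PKGBUILD.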



  • I agree about the risks in terms of the way some sources present the AUR as just extra packages. But I don’t think you can object to the AUR more than any other place on the internet where anyone can upload software; unfortunately, the onus is going to be on the user to verify what they install. The AUR is moderated by volunteers and it wouldn’t be fair to expect them to vet all of the high volume of commits to the AUR. Possibly they could vet new maintainers or new packages or newly adopted packages, but nothing would stop someone from initially uploading a genuine package and then replacing it with something malicious. Or they could require identity verification to be an AUR maintainer but then far fewer genuine packages would be on there because people don’t want to give their real identity to contribute (I maintain some AUR packages, and would stop if required to verify my IRL identity).

    I can totally understand if the AUR is not for you; it’s more time-consuming as you have to read PKGBUILDs (I always do). But that doesn’t make it bad that it exists at all. I think there should be more warnings about it for new users, and possibly some more moderation, though like I said above there’s no perfect moderation solution that would simultaneously forgo users’ responsibility to check and keep the AUR as large as it is today. Ultimately the option should still exist for users who want it. If it didn’t exist, I’d have to hand-package every program that’s not in the official repos, and that’s even more time-consuming than pulling and reading through a PKGBUILD that someone else already wrote and shared.


  • It’s just a repository of user-contributed packages. It’s no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, SourceForge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that’s on you. It’s basic internet safety to not automatically trust random scripts you find on the internet.