The officially official Devuan Forum!


#1 Re: Off-topic » Beware of the Zeitgeist... and a reminder to inspect packages/source. » 2022-12-16 05:48:19

zephyr wrote:

Imagine it is in other apps, these two I'm aware of and don't use.

cheers

zephyr

It's been around the block for a while....


And in 2009 it was GNOME Zeitgeist. 13 years old at minimum, and still active.

#2 Re: Off-topic » Beware of the Zeitgeist... and a reminder to inspect packages/source. » 2022-12-16 05:03:24

Altoid wrote:

The point is that, independently of whether it can be disabled/masked, such a package has no place in the Debian/Devuan repositories.

Anyone know how it is that it got there?
And most important, how it eluded proper scrutiny from the devs?

I'd say it has to be banned.

They don't have time to sift through thousands of packages, so it's understandable. Zeitgeist I agree should be blacklisted, for the simple fact that it can send personal user data to an insecure remote server.  That would affect some other packages that depend on it though.  Gnome tracker is much more difficult to deal with because of its integration with GTK.

I would like to see package repositories add some kind of public reporting system, and forks of package managers that show flags for packages that have been reported by other users as potentially harmful.  I'm actually kind of surprised that a system like this doesn't already exist as a standard practice across all of linux.

Devuan actually has a page specifically devoted to software without d-bus.  Hugely commendable.  In my opinion, d-bus should be ditched just like systemd.  It is useful, but dangerous as hell.  https://www.devuan.org/os/documentation/dev1fanboy/en/dbus-free-software.html

#3 Re: Off-topic » Beware of the Zeitgeist... and a reminder to inspect packages/source. » 2022-12-16 04:11:25

User479 wrote:

The tracker service can be disabled and masked.  Whether it gets surreptitiously enabled again is a question. Changing the directory where it stores its data to read-only might also hinder it.

symlink it to /dev/null :P

#4 Off-topic » Beware of the Zeitgeist... and a reminder to inspect packages/source. » 2022-12-16 02:56:30

pungentweasel
Replies: 21

There's a software package called Zeitgeist that's been finding its way into nearly every Linux and BSD package repository.  It's also on Devuan.  Be sure to read the note at the bottom of this post even if you are not impacted by this.

It reads your emails, it monitors the websites you visit, listens to private conversations, and logs the files on your computer.. and then it shares this information freely over D-Bus to any application that wishes to use it.  You are given no warning and have no option to say which software can access it, and which can't.  Any software can access D-bus, including closed-source software like Discord or Telegram (whether they do or not, who knows).

If this is running on your computer, it will have created a SQLite database in your home directory full of your private information and there will be services running in the background 24/7 collecting data.

Official website: https://zeitgeist.freedesktop.org/
Old website (archive): https://archive.vn/gMDQq

It originated as a GNOME project.. surprise, surprise.  It used to be called GNOME Zeitgeist (https://web.archive.org/web/20090418021015/http://live.gnome.org/GnomeZeitgeist)


From the old website:

Zeitgeist is a service which logs the users’ activities and events, anywhere from files opened to websites visited and conversations had.
It makes this information readily available for other applications to use.

People are sometimes scared that information Zeitgeist has logged can be dangerous if it gets leaked. If you feel worried that malware might gain access to your information you need to be a bit more paranoid.
Zeitgeist events are available in the same way your Firefox and Chrome browsing history is very easily accessible. Pidgin even saves your password in plain text in your home directory.
Now remember the two golden rules of security on a Linux installation.
* Don’t run as root
* Don’t install untrusted applications

Not only that, but there is code in the source to send user data to a remote server over unencrypted HTTP

https://gitlab.freedesktop.org/zeitgeist/zeitgeist/-/blob/main/datahub/telepathy-observer.vala#L33

using Zeitgeist;
using TelepathyGLib;
using Json;

public class TelepathyObserver : DataProvider
{

  private const string actor = "dbus://org.freedesktop.Telepathy.Logger.service";
  private const string tp_account_path = "x-telepathy-account-path:%s";
  private const string tp_identifier = "x-telepathy-identifier:%s";
  private const string ft_json_domain = "http://zeitgeist-project.com/1.0/telepathy/filetransfer";
  private const string call_json_domain = "http://zeitgeist-project.com/1.0/telepathy/call";

  private TelepathyGLib.DBusDaemon dbus = null;
  private TelepathyGLib.AutomaticClientFactory factory = null;
  private TelepathyGLib.SimpleObserver observer = null;
  private HashTable<string, Timer> call_timers = null;

Final note:

GNOME currently ships packages called gnome-tracker and gnome-tracker-miners (may be called tracker-miners or tracker3-miners, etc) that do something similar.  There was another called gnome-online-miners that logged online activity, I think the name is changing and I'm having trouble finding it. 

Gnome Tracker is a hard dependency of GTK4, which means if you have GTK4, you have GNOME Tracker on your system.   Like Zeitgeist, Gnome tracker keeps a SQLite database in your home directory and collects data via background service.  If you check out the database tables, it was developed with the intent of collecting an extraordinary amount of user data.  If you use gnome, you can tame Tracker's data collection a bit using dconf-editor (navigate to org.freedesktop.tracker).
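To check the claim about SQLite databases in the home directory, the following added example (not part of the original post, and not code from Zeitgeist or Tracker) walks a directory tree, keeps files that carry the SQLite header and whose path contains "zeitgeist" or "tracker", and lists their tables read-only. Matching on those two name fragments is an assumption of this example, and the demo tree, file names and table name are constructed.

```python
import os
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
KEYWORDS = ("zeitgeist", "tracker")     # assumption: match on names from the post

def is_sqlite(path):
    """True if path is a regular file starting with the SQLite header."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def list_tables(path):
    """Table names, read via a read-only URI; None if the file cannot be queried."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        with closing(sqlite3.connect(uri, uri=True)) as conn:
            rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    except sqlite3.Error:
        return None
    return sorted(r[0] for r in rows)

def find_activity_dbs(home):
    """Map relative path -> table list for matching SQLite files under home."""
    found = {}
    for root, _dirs, files in os.walk(home):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, home)
            if any(k in rel.lower() for k in KEYWORDS) and is_sqlite(path):
                found[rel] = list_tables(path)
    return found

def demo():
    """Run the scan over a constructed directory tree (not real Zeitgeist data)."""
    with tempfile.TemporaryDirectory() as home:
        for rel in ("data/zeitgeist-demo/activity.db", "other/app.db"):
            os.makedirs(os.path.join(home, os.path.dirname(rel)))
            with closing(sqlite3.connect(os.path.join(home, rel))) as conn:
                conn.execute("CREATE TABLE event (id INTEGER)")
        Path(home, "data/tracker-notes.txt").write_text("not a database")
        return find_activity_dbs(home)
```

On a real system, call `find_activity_dbs(os.path.expanduser("~"))`; a value of `None` means the file has the SQLite header but could not be opened read-only, for example while a service holds it.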

#5 Re: Devuan » Setting up User accounts - needs improvement » 2022-12-15 22:54:36

I think the tool SL used in 6.5 might be "system-config-users". It was removed in RH 7.  (SL uses the same version numbering as RH)

It looks like the application has been abandoned now, but Fedora still has it:
https://than.fedorapeople.org/system-config-users/

You can also get source here:
https://gitlab.com/tallero/system-config-users

You could always try compiling it yourself and see if it works for you. It requires libuser which is available in the Devuan repos.

Also... here you go: https://www.devuan.org/os/donate

#6 Re: Off-topic » Revival of the Linux Framebuffer & DirectFB » 2022-12-15 21:52:50

Head_on_a_Stick wrote:

Dear me, what a bloat monster :P
...
As a gamer I can happily confirm this. Linux is now a better platform for gaming than Windows, which pleases me much more than these shiny new toys irritate you.

Very childish.  If you don't care about the linux framebuffer, then I'm not sure why you're even involving yourself in a conversation about it.

Nobody is suggesting that old framebuffer tech is in any way better than modern graphics backends... nor is anyone expecting a flawless experience, much less trying to "game" on the framebuffer.  It's old tech and it's fun to mess around with, and it's good to see that someone is doing the work to resuscitate and improve it. To some of us, this is what makes linux fun to use and tinker with.  If that's not you, then that's fine.

#7 Re: Off-topic » Revival of the Linux Framebuffer & DirectFB » 2022-12-14 15:23:22

Head_on_a_Stick wrote:
directfb2.github.io wrote:

Components running on DirectFB graphics backend are based on libdirectfb.so library. Compositing windowing system is performed by the default libdirectfb.so window manager module with libdirectfbwm_default.so plugin.

It's using both a compositor and a window manager...

To be clear, it's only a plugin.  Wayland might be the "latest and greatest", but there's something fun about using older, much simpler tech that's built directly into the kernel and compatible on any and all hardware you throw at it.

One practical example of the usefulness of the raw framebuffer:  My laptop has AMD graphics.. and I can use the open source amdgpu driver. That's great... except, in order for the kernel to load amdgpu, it requires closed-source non-free firmware and there's no way to know what that code is doing. Not so great.

steve_v wrote:

Because you can, windows are bloat, and who needs a window manager anyway when you have 12 TTYs?
Or maybe, because needing to run a full-blown WM and compositor on something with no use for windowing or a GUI (e.g. a "digital picture frame" type device or monitor for a video stream) just to get basic framebuffer video output is patently silly?

Exactly 👍  Running a complete system directly from TTYs is a completely viable option, and probably by far the most resource-friendly option available.  Check out the Awesome TUIs project

Camtaf wrote:

Yes, if I remember right, you could play video with the likes of mplayer, & maybe have graphics in a text type web browser in a command line installation - it's been a long time since, but I'm pretty sure I used to watch videos.

Yep.. you can give it a try now.. it works surprisingly well and runs very smooth.   mplayer -vo fbdev2 file.mp4

If you compile sdl2 with fbdev support, and run mpv media player with --vo=sdl, you can use the invidtui software for a full-featured Youtube client in the console using Invidious instances, running entirely from the framebuffer.  Without fbdev it will use kms/drm, which also works well, but requires the graphics driver which likely requires non-free firmware.

#8 Off-topic » Revival of the Linux Framebuffer & DirectFB » 2022-12-12 17:24:35

pungentweasel
Replies: 15

I've lately become intrigued by the Linux Framebuffer as a graphics backend.  There is a strong push to move away from the classic Linux framebuffer and towards more modern technologies, but there's at least one effort to preserve and advance the use of the LFB. 

This is a super interesting project, worthy of some attention.  I thought some of you might be interested.  Here are a few links:

https://higfxback.github.io/
https://directfb2.github.io/ & https://github.com/directfb2/DirectFB2

He's given a couple talks at FOSDEM about his work:

FB: https://archive.fosdem.org/2020/schedule/event/fbdev/
DirectFB: https://archive.fosdem.org/2022/schedule/event/directfb/

#9 Re: Devuan » Brave New Trusted Boot World » 2022-12-11 23:31:51

I highly recommend giving this a thorough read .. one of the best tech articles I've found on the topic

https://gabrielsieben.tech/2022/07/29/remote-assertion-is-coming-back-how-much-freedom-will-it-take/
