Mind if I join the party?

To be explicit, with the exception of the Devuan logo (obviously), the images are created from scratch and are both released into the public domain. Credit would be nice but is not mandatory.

Devuan plasma theme:

Devuan planet/moon theme:

Feedback appreciated.

Do you mean like OpenBSD and FreeBSD? Me and a friend were digging into various OSes to see which ones don't have systemd.

I eyeballed Alpine whilst my friend eyeballed OpenBSD and Gentoo. Surprisingly enough, all had traces of systemd. Alpine doesn't have systemd initially (great if you like 1980s text command interface with no real functionality, I guess?), but the moment you install XFCE (seemingly the only desktop environment you can get working on there), udev dependencies come flying in along with systemd references. In the case of OpenBSD I was told by my friend that folders (/lib/systemd etc) were found on there, and in the case of Gentoo systemd was a running process(!).

In both Alpine and Gentoo's case they make a point of stating they're systemd-free, so it's quite surprising. OpenBSD not so much, but I regularly hear how BSD is systemd free.

I probably should download an ISO of FreeBSD and take a look. Perhaps people's ideas of 'systemd-free' is different to mine; I mean in the sense of absolutely no dependencies, files or folders referencing such a thing (even if such a thing isn't installed per se), what I'd call 'certifiably systemd-free'. If there's still a file poking it's head up, for all I know it might be creating yet another system vulnerability that just hasn't been discovered yet.

(Call me paranoid if you will, but paranoia kept me from moving onto a systemd based OS, and the DNS remote code execution and admin root privilege 'it's a feature not a bug' along with... other questionable practices means paranoia gets more screen time when it comes to OS decision making.)

This does not preclude the possibility of other also working systems that are more human friendly. One could easily ban everything and declare that also works, but that is not to say it's user friendly, and Devuan definitely stands to gain from an additional userbase.

Your question system almost thwarted me (I think it eventually defaulted to google's awful recaptcha system after numerous retries and I got in) and I would have gladly taken my hat and left had it continued for a bit longer - I take the view if a system is too difficult for entry, the person doesn't want me there. You might want to consider the fact that multiple users are reporting this issue and a view of 'it works for me' isn't quite how beta testing works.

I suspect by caught you mean bots that were filtered out during the registration period? If you're aiming to reduce server burdens, most shouldn't even be able to connect to the forum to begin with, and there are publicly available IP blacklists. I would strongly advise shuffling the anti-bot system around to find one more human friendly, because I suspect it's not just bots you're keeping out.

Better questions is a bit arbitrary because if they're too easy, bots get in, and if they're too hard you keep humans out, and keeping it all focused there is a single point of failure (there should be layers of filtrations). As mentioned, a bot handler could easily just preload the text answers for the questions and you'd have to rotate them out of service (if they hang around for long enough they could exhaust your entire supply), and more advanced piece of kit (like say, a Watson API) could likely do a lookup on the answers coupled with a bit of brute forcing guesswork (IE keeps an internal log of what answers succeed against which fail).

As irony would have it, I run a mechanize based python bot that updates my own forum on specific threads and specific topics, and despite the fact the main forum has guest posting enabled, the comedy style question coupled with a basic image captcha plus the two post minimum for URLs has dropped bot posting rates to zero (my bot gets around this because it has a manually registered account). I'd like to think the range bans on IP blocks also helps impede it but because they don't even arrive there's no figures to report (I probably get 150 bots on my forum in a 24 hour period).

Text based captchas are actually the easiest kind of captcha to adapt to. Having both a simple text question and image captcha means a more complex setup is required (you'd need an OCR at a minimum, and there's no decent free ones, and you can't have the bot 'learn' the answers because OCR failures would distort feedback).

Having spent the last couple of years outing military bot and sock accounts and flaws in captcha systems (in one case going so far as to write a bot to prove it in the case of two separate forums), this isn't out of ignorance. You can see some of FlynnBot's postings on another forum here. FlynnBot was reverse engineered from a piece of python code someone wrote trying to defraud the UK government petition (interesting piece of kit, could create temporary email addresses) that was published by Brietbart that I was trying to analyse.

Corporations have a vested interested in preventing systemd (didn't Google air some reservation over systemd?) because having it restricted defeats the point of both open collaboration (IE shared resources) and choice orientated (IE the ability to customise it to your particular needs). One of the major issues a lot of organisations are having with systemd is it's abusive practices on logging.

Specifically, systemd is such that it either 'logs everything' or it 'logs nothing' (my first reading of this is what prompted alarm bells it's surveillance state technology). For companies, this isn't acceptable, because logging more than you have to (IE user interactions) creates a legal liability, in the sense that if an agent turns up with a warrant, you can't honestly say you don't collect that information because all they'd have to do is point to systemd, point to the fact it logs everything (and if logging is disabled then good luck debugging anything) and handwave towards a judge.

If you had a pre-systemd configuration, you could set logging to specified levels and not capture what you're not interested in, so when a warrant turns up you can genuinely say you don't have that information on record.

Companies want less legal liability, not more. So why they aren't actively teaming up to defeat this monstrosity that is systemd (which will eventually pollute every specialist endeavour such as embedded systems and specialist services) is beyond me. Methinks the closed doors approach and removal of the ability of the average users to vote in how Linux as a whole is developed is part and parcel of this, and there's no denying there's clear vested interests involved (clearly both government and corporate), but if the other companies don't start siding with the anti-systemd crowd, if they're not careful, systemd might be the only 'viable' choice, between that and Windows 10.

I can always ditch my computer. Large scale server infrastructure? Not so much.

I must digress that the questions are, indeed, questionable. They're intrinsically Devuan specialism themed (how am I supposed to know which kernal version image it is?) and whilst I can understand this filters out the systemd cruft that insist theirs is the only way, it makes it difficult for people who aren't specialists (which are ironically the ones most likely in need of assistance).

The issues of captchas is a complex one, because, counter-intuitively, not all captcha solvers are done by bots (yes, they are outsourced to people who earn a couple of cents per solution), which is why usually bot unsolveable captchas like complex images are still seemingly solveable by spambots. More specialist bots have their own dedicated human handlers (especially when it comes to military software socks).

Defeating conventional spambots is fairly easy, you need to setup a deductive question that a bot cannot logically solve (a smarter bot handler will simply rotate through the text questions and preload answers for them, so you do also need to expire 'solved' questions). For example, on my forum, I ask the question 'In comedy, what does 2+2 equal?'. A bot will see the mathematics and answer '4', but a human will twig that the 'comedy' context changes the answer (which is either '5'/'five' or 'fish').

You'll want to include a number of natural answers rather than one 'right' answer (for example, the kernel image should include all valid kernel images in use by Devuan).

A couple of easy examples that easily thwart bots:
How is Devuan pronounced? (Dev-one, Devone, etc)
What is this forum's main colour theme? (Purple)
Devuan is to Debian as Lubuntu is to... (Ubuntu)

Leaps in logic or horribly general questions like this are nearly impossible for moderate complexity bots to answer. For example, how does the AI know how to pronounce Devuan? It doesn't (it likely doesn't have the speech processors to 'sound it out' either). Main colour theme 'seems obvious' but it has to know what a theme is, figure out the the colour codes, then covert those colour codes into the expected colour categorisation. Devuan to Debian is actually a rip on an IQ test question and requires categorical inference.

If the forum still wants to use 'proof of knowledge' questions (which discriminates against noobs), I strongly advise they be proof of knowledge questions that a person can reasonably achieve in a single non-specialised search, otherwise from a user interface standpoint this is adversely impeding the users.

From a long-term standpoint, the forum might want to acquire an IP blacklist of well known spambot associated IPs (perhaps even doing an automated whois style query to detect non-ISP based connections, with exceptions made for Tor nodes), and perhaps have a minimum two post limit before URLs in posts are enabled (which very quickly cripples bots even with guest post access because as a spambot they can never post without a URL and therefore always fail).

If someone has way too much time on their hands, they could likely do a plugin that determines the probability that a poster is likely a spambot and auto-ban (suspicious IP, suspicious email, drug/porn/offensive content themed post, excessive captcha failures, constant 'unable to post' failures involving URLs).

If you really want to stick it to systemd whilst keeping it factual, consider having a thread detailing systemd vulnerabilities and exploits (usually they have specific CVE names or well known titles), and make questions based around looking up the specific vulnerability code (be kind enough to link them in to the thread). That way you can both educate users and filter out spambots at the same time.

Word of warning of those of you who feel Mozilla have privacy at heart (I used to advocate firefox, I now don't), walk into your home user directory:

/home/<name>/.mozilla/firefox

Under there, you'll see a folder that ends with '.default'.

You first port of call is to eyeball "saved-telemetry-pings" folder, and look at the text data within. You will never see such a payload of so much system information in your life. This information appears to still transmit even if you explicitly unselect sending so-called 'health' reports, and why they're even there in the first place is even more disturbing. Contains everything from CPU, memory, harddrive, to plugins, what site you were browsing and tons of other data I don't comprehend. But that's not the worst of it.

I advise you browse for a bit on Firefox. The data saved from the session will still occur even if you tell Firefox to save nothing. Go into the Storage folder in the <garbage letters>.default folder. In the Storage folder will be three folders:
default, which appears to KEEP a history of sites visited (regardless of cookies) and extension data,
permanent, which keeps a set of SQLite databases (read: hidden cookies) which are also kept persistently, and
temporary, which is only used by sites that give a toss about privacy (I only see mega.nz in that one, good choice for ISO uploads, it seems).

Firefox developers absolutely insist if you try to delete the data yourself bad things will happen(tm) (probably to their profits and bottom line), however I believe they simply want you to retain the data and 'trust them' (because they worked so well for the NSA, GCHQ, US government etc). You can read more on the discoveries one person made here. Mozilla claim they'll fix it, but real question was, why did it take a public discovery for this to happen? Their bullshit argument is because of 'User Interface' designs.

I've dug around for suitable browsers, and the bad news is, basically, there are none. Browsers I've found fall into several categories:

1) Don't work too well, break a lot, and don't offer real protection (EG Midori)
2) Phone home (EG Chrome, Opera, Firefox)
3) Inherit from Chrome which leaks like a sponge with a running tap (EG SWIron, Brave browser [implied by user-agent identification by discord treating it as though Chrome])
4) Inherit from Firefox (EG Iceweasel, Icecat, Tor)

My proposal is not to look for a fully functional browser in this day and age, but instead a very simple solution that pwns even the most well researched of datamining: a VM browser host.

Specifically, an OS hosts a barebones VM container that loads the default state browser (plugins, updates etc included), which upon after the browser session is exited, the container discards the browser, and reloads it anew. There's a number of advantages:

1) Any data stored on the browser itself becomes useless, even if the browser developer cooperates, because the tracking is fundamentally defeated by way of disposable browsers.

2) Any exploits targeting a browser in order to hijack it encounters two problems: 1, it's sandboxed in a VM and thus can't escape (goodbye FOXACID), and 2, the malware is wiped upon discard (goodbye FOXACID).

3) The VM container can 'lie' to the browser as to the system specs, which means even if it 'phones home', all it phones home with is the stuff we gave it. I'd probably pay money if said stuff could include replacing every named system device with a phrase like STOPSPYING and similarly.

4) Everyone else indirectly gains, because VM users are indistinguishable from legitimate users.

5) If people want to be able to maintain browser persistence, make use of snapshots.

For people still on Firefox, I'd recommend the following plugins:

1) User-agent-spoofer. Despite the name it does a whole lot more than rotate what user agent you have (anyone who checks what I post with will see I'm supposedly using the Edge browser on Windows). You can subvert things like URL referrals and more in it. Doesn't allow settings to be saved, annoyingly.

2) NoScript. For advanced users. Even if you fully enable scripts it will still break some sites (payment gateways are notorious). Always have a second browser on hand for broken sites.

3) uBlock Origin (not to be confused with uBlock). Yes, there is a difference, different developers with different stances. I don't recall why I sided with Gorhill and chose uBlock Origin, but if it helps, he's the original developer of uBlock before it got, err 'hijacked'.

4) Decentraleyes, yes, that is how it's spelt. Used for sneaky trackers, being rebuilt for the nightmare that is WebExt.

5) HTTPS everywhere. Tries to enforce HTTPS on every site.

6) Privacy badger. This one is optional, doesn't seem to do a very good job. Supposedly 'learns', but so far it's marked every site I go on green. Ghostery would have had multiple fits where-as privacy badger is just 'meh'. Blocks facebook, google+ and twitter, so I guess there's that.

7) UnPlug. Allows you to get at media on pages for download, which is extremely helpful if your bandwidth is slow and the juttering splinky spring loading is unpleasant (no youtube, 240p at 'lag every 10 seconds' is not acceptable). Great for retrieving your own uploaded videos from youtube, which I've had to do a number of times when my own local files went missing.

Privacy wise there are other plugins but they either no longer work or they've become shady.

(Cash money from google for Adblock Plus anyone?)

Poe's law strikes again! I shall wear my dunce cap in shame. Which invariably has a d on it.

Thank you goadmin. I should have clarified I was on Jessie, my bad.

I took the blocked list from the link you provided, and set it as my blacklist and re-ran the program.

Here's a list of impacted services, note that it will include lxde-core (a desktop environment that Devuan presently supports, and I do like using LXDE minus it's systemd entanglements).

There's others there, but not many from a primitive scan. I know what I've got here isn't too particularly useful, but it's my small way of helping and showing discontent for systemd in the same move.

If you mean for systemd-free purposes, as it stands, the answer I can see is 'not really'. If one installs it and then runs the command:

dpkg -l | awk '$1=="ii" {print $2}' | xargs -rn1 -I+ sh -c "dpkg -L + | grep --label=+ -Hw systemd" > systemd-references.txt

And checks the file, they will find the aforementioned package references (or tries to reference) systemd.

I would like to see the Devuan developers offer even experimental access to alternatives to udev (such as eudev, vdev, etc) even if not necessarily working out of the box or particularly integrated.