mrl5 Posted March 17, 2019

So I had to update my desktop system from version 1.2 to 1.3 and I've chosen to do the fresh install from the stage3 (stage3-core2_64-1.3-release-std-2019-02-05). But... during the process I've noticed some (at least for me) ugly things that I would like to inform developers about:

TL;DR:
- metalog is NOT added to any runlevel by default. I think it should be added to the default/boot runlevel by default.
- sshd IS added to the default runlevel by default. I think it's bad - this should be disabled by default.

... if you want to read further please be advised that I'll be grumpy from now on:
- I've noticed that version 1.3 is out because there were no updates for a while. Yep, it was announced, but I'm not checking either funtoo.org or forums.funtoo.org on a regular basis - what happened with good old eselect news?
- I can not find any information on when the support for the 1.2 version ends - an LTS schedule could help with planning the upgrade ... (please consider sth like this: https://nodejs.org/en/about/releases/ ) and yeah, performing a fresh install is time consuming, at least for a desktop machine - so it would be cool to be aware early that end of support for 1.2 is coming and that it's recommended to do a fresh install.
- I think that the funtoo.org web page should be rearranged. Here is what I mean: there are a lot of useful articles there but often they are hidden and I can find them only via google. There should be a section where you can see all of the articles. Examples: https://www.funtoo.org/Security https://www.funtoo.org/Installing_a_Logger
- forums.funtoo.org: I was not able to write this post using vanilla firefox-bin-65.0 (w/o any addons); I had to do it by using google-chrome ...

Wow, you've come that far. Now I'll be sentimental: Gentoo was my first distro back in the early 2000s. When Daniel started Funtoo, for me it was something cool, something fresh. I have a feeling that now the Funtoo Project is going in some weird direction (from the end user perspective) that is different to what I was used to back in the days. People on the #funtoo IRC channel used to be more responsive.

I wrote this post in good faith. I like funtoo but I'm close to the point where I will switch to another distro ... TBH it strongly depends on how long and how smooth the process of building the rest of the desktop environment will be. Ofc everyone has his own point of view but I really wanted to give you some feedback. If I somehow missed something and somebody disagrees - I look forward to knowing your point of view.
digifuzzy Posted March 17, 2019

1 hour ago, mrl5 said: I have a feeling that now the Funtoo Project is going in some weird direction (from the end user perspective) that is different to what I was used to back in the days.

You're not alone in this department. There's a direction... just not sure exactly to what destination.
leprosys Posted March 23, 2019

I have that feeling that maybe Funtoo needs more devs.
digifuzzy Posted March 23, 2019

I recall watching a talk about open source and the presenter used the phrase "bus factor equals one". I had a similar situation at a previous workplace. We kept asking "What happens if you get hit by a bus?". After there were two deaths (one unexplained and another a heart attack) of co-workers and a near-fatal heart attack, all in the company in the span of about a year, our group switched it up to "What happens if you win the lottery?".

The point? We have lots of really cool tools and piles of knowledge - is this knowledge spread around enough for others to keep going should @drobbins suddenly find he won a Powerball lottery and is moving to a tropical island w/o computers?

I just look at the FreeBSD ports collection or Gentoo repositories. All those indications of "unmaintained"... That should scare some people.
nrc Posted March 24, 2019

It seems to me that metalog and sshd defaults should depend on what flavor you're installing. A desktop flavor shouldn't have either by default while a server flavor should have metalog. I'd say that neither should have sshd by default unless you have the amazon-ec2 or some kind of "headless" mix-in.

Funtoo hasn't used `eselect news` since probably 2015. I think the problem was managing news in too many different places. Originally the intent was to put them on a wiki News page but that appears abandoned. The News and Announcements forum here seems to be the best source. It looks like if you hit follow at the top of the forum you can get an email notification of news items.

Funtoo has gone from being just a slightly different spin on Gentoo to something really unique among distros. I think that's great. I'm happy with what I understand of the new direction. I enjoy the fact that we're not saddled with systemd and that customization is virtually limitless, but the "rolling release" model means that you can never truly have a stable system. On a regular basis something gets rolled in that breaks things badly and you are forced to drop everything and fix it right now to get a working system again. If this new stepping release model provides a more stable system that is still more flexible and current than your typical binary release, I think it will be a win. The key will be keeping updates coming on a regular basis.

@drobbins launched Funtoo to work on new directions for Gentoo without dealing with the mess that Gentoo had become. Whether or not Funtoo is the right distro for someone probably depends on how closely your goals for a distro align with his. As I read his comments and see the direction of progress I'm on board. But part of the mess that Gentoo had become was lack of communication between developers and the user base, so I think your criticism of some of the communication gaps is fair.
lazlo.vii Posted March 24, 2019

2 hours ago, nrc said: ...I enjoy the fact that we're not saddled with systemd and that customization is virtually limitless, but the "rolling release" model means that you can never truly have a stable system. On a regular basis something gets rolled in that breaks things badly and you are forced to drop everything and fix it right now to get a working system again. If this new stepping release model provides a more stable system that is still more flexible and current than your typical binary release, I think it will be a win. The key will be keeping updates coming on a regular basis.

This is where I am at as well. Many times over the last 15 years I have looked at Debian, Ubuntu, and (more recently) Devuan. I always say to myself "I like the stability but I don't need the cruft. I wish I had a distro I could customize and optimize without worrying about stability." Funtoo was as close to that as I could get until 1.3 and now I am hoping that it is a dream come true.

Do we need more devs in Funtoo? As long as they are the right devs then sure. I think what might make an even bigger difference is a small group of dedicated documentation writers. Years ago when I worked with Sun Solaris my favorite site on the entire Internet was bigadmin.sun.com but it started to change for the worse when Oracle bought Sun. Fifteen years ago it was hands down the best FAQ, docs, HowTo, and Cool Projects site any OS had ever seen. Not even the Debian Wiki or the FreeBSD handbook came close. Now it's a shadow of what it once was. Anyway, my point is that a high quality OS will never reach its full potential if the only people that ever master its use are those who can read the source code.

Should your system have a logger installed and running by default? I think that is a good idea but it's not a deal breaker. Should sshd be installed and running by default? I think it should be installed but I think there should be a reminder in the install guide to enable it and to create a .ssh/authorized_keys file. I think password logins should be disabled by default. Secure remote access is far too important an item to leave out of the default system base.
savasten Posted March 24, 2019

Sorry for the questions? sshd running by default - did you file a bug report? Have you all checked out the youtube videos on contributing? Let's fix these things. We are Funtoo, @drobbins, @Oleg Vinichenko and other regulars are the directors. If it is broken fix it.
mrl5 Posted March 24, 2019

Thank you for so many answers.

3 hours ago, savasten said: Sorry for the questions? sshd running by default - did you file a bug report? Have you all checked out the youtube videos on contributing? Let's fix these things. We are Funtoo, @drobbins, @Oleg Vinichenko and other regulars are the directors. If it is broken fix it.

@savasten good point, thanks! FL-6294, FL-6295 and FL-6297.

11 hours ago, nrc said: (...) but the "rolling release" model means that you can never truly have a stable system. On a regular basis something gets rolled in that breaks things badly and you are forced to drop everything and fix it right now to get a working system again. If this new stepping release model provides a more stable system that is still more flexible and current than your typical binary release, I think it will be a win. The key will be keeping updates coming on a regular basis. (...)

And I'm okay with it - I would be even more okay if Funtoo would adopt something like this: https://nodejs.org/en/about/releases/ or make it more visible, because I've searched for it and after 5-10 minutes I stopped searching.
nrc Posted March 24, 2019

1 hour ago, mrl5 said: And I'm okay with it - I would be even more okay if Funtoo would adopt something like this: https://nodejs.org/en/about/releases/ or make it more visible, because I've searched for it and after 5-10 minutes I stopped searching.

I agree that the status of the different releases should be better documented. Updates to 1.2 just kind of ended. The 1.3 release was communicated but if it was discussed how that would impact 1.2 then it was easily missed.

One thing that should be clearly laid out is that part of the objective (as I understand it) is to minimize all the firefighting that occurs in a rolling release so that devs can focus on advancing the platform. That's a good idea in theory, but can you put off all that firefighting and still maintain a release schedule that keeps things fresh? And what is the standard for what will be updated outside of the normal release cycle? There should be a documented standard for security issues - something like CVE >5 gets rolled out immediately, everything else waits until the next point release.
nrc Posted March 26, 2019

@drobbins nixed the sshd suggestion in FL-6294, but I looked at the latest baselayout and it looks like the default configuration has PasswordAuthentication set to "no" which should minimize any risk. I still think it's better not to have this running if it's not needed or specifically wanted. My build process always includes setting the openssh configuration according to my standards but there's some risk there for the unaware if openssh is compromised.
lazlo.vii Posted March 27, 2019

22 hours ago, nrc said: ...it looks like the default configuration has PasswordAuthentication set to "no" which should minimize any risk.

The implementation of PAM and Challenge-Response Authentication means that you can ssh into the system without a key pair and with only a valid username and password. It's easy to test. Just launch a VM or container and use it to ssh back into the host. In order to change this behavior you must turn it off in /etc/ssh/sshd_config or edit the related PAM modules in /etc/pam.d, which is why I like to set up Google Authenticator. If I am going to have to edit PAM modules anyway I might as well add 2FA while I am doing it.
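The point made above is easy to overlook when reviewing a default sshd_config: PasswordAuthentication no only disables the plain "password" method, while keyboard-interactive authentication (ChallengeResponseAuthentication in 2019-era OpenSSH, KbdInteractiveAuthentication in OpenSSH 8.7 and later, where the two names are aliases for one option) still lets the PAM stack prompt for a password whenever UsePAM yes is set. The following POSIX shell audit is an added example, not code from any poster in this thread and not Funtoo's baselayout. It reads keywords the way sshd does (case-insensitive, first occurrence wins, comments skipped) and reports whether a password typed over ssh can still authenticate; the two config fragments are constructed samples, and Match blocks are deliberately not handled.

```shell
#!/bin/sh
# Added example: audit whether an sshd_config still permits password-based
# logins through PAM keyboard-interactive authentication. The two sample
# configs are constructed for illustration, not Funtoo's actual defaults.

WEAK_CFG='# PasswordAuthentication is off, but PAM challenge-response stays on
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes'

HARDENED_CFG='PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
PubkeyAuthentication yes'

# effective_value CONFIG DEFAULT KEY [ALIAS...]
# Mirrors sshd's parsing rules: keywords are case-insensitive and the FIRST
# occurrence wins; comment and blank lines are skipped. Match blocks are
# ignored, which is a limitation of this example, not of sshd.
effective_value() {
    _cfg=$1; _def=$2; shift 2
    _keys=$(printf '%s ' "$@" | tr 'A-Z' 'a-z')
    _val=$(printf '%s\n' "$_cfg" | awk -v keys="$_keys" '
        BEGIN { n = split(keys, arr, " "); for (i = 1; i <= n; i++) want[arr[i]] = 1 }
        /^[[:space:]]*#/ || NF < 2 { next }
        (tolower($1) in want) { print tolower($2); exit }')
    printf '%s' "${_val:-$_def}"
}

# password_logins_possible CONFIG -> prints yes|no
# "yes" when a password typed over ssh can still authenticate: either the
# plain password method is on, or PAM is on together with keyboard-interactive
# (challenge-response) auth, which lets the PAM stack ask for a password.
# Defaults follow sshd: PasswordAuthentication yes, KbdInteractive yes, UsePAM no.
password_logins_possible() {
    _pw=$(effective_value "$1" yes PasswordAuthentication)
    _kbd=$(effective_value "$1" yes KbdInteractiveAuthentication ChallengeResponseAuthentication)
    _pam=$(effective_value "$1" no UsePAM)
    if [ "$_pw" = yes ] || { [ "$_pam" = yes ] && [ "$_kbd" = yes ]; }; then
        echo yes
    else
        echo no
    fi
}

# audit_sshd_config FILE -> one-line verdict; returns 1 if passwords still work
audit_sshd_config() {
    _text=$(cat "$1") || return 2
    if [ "$(password_logins_possible "$_text")" = yes ]; then
        echo "$1: password logins still possible (check PasswordAuthentication," \
             "ChallengeResponseAuthentication/KbdInteractiveAuthentication, UsePAM)"
        return 1
    fi
    echo "$1: password logins disabled; key-based access only"
}

# Stand-alone run: audit the file given as an argument, otherwise show the samples.
if [ -n "$1" ]; then
    audit_sshd_config "$1"
else
    echo "weak sample:     $(password_logins_possible "$WEAK_CFG")"
    echo "hardened sample: $(password_logins_possible "$HARDENED_CFG")"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` on the host being reviewed; a non-zero exit means the daemon would still accept a typed password through one of the two paths, so the PAM stack in /etc/pam.d (or an added second factor, as described above) is what stands between the login prompt and the account.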
nrc Posted March 28, 2019

Thanks. I hadn't realized that "PasswordAuthentication" doesn't affect PAM authentication. I've always secured my machines by only allowing ssh access to accounts that I specifically configure. It's @drobbins' call but I still think it's a bad idea to configure ssh by default on machines where novice users may believe that their physical console is the only vector for someone to attack their trivial password. There definitely should be some documentation in the install procedure for locking that down.