Notices by Aaron Toponce ⚛️:debian: (atoponce@fosstodon.org)

#Ubuntu is moving away from GNU coreutils to Rust-based uutils coreutils with Ubuntu 25.10. There are two big differences with this move:

1. uutils coreutils is MIT licensed, not GPL.
2. Obviously, it's written in Rust, a memory-safe compiled language, unlike C.

IMO, this is a good move.

https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995

#gnu #rust #linux

@cks Agreed. I haven't looked over the source code, but 100% compatibility is an optimistic claim I think. GNU coreutils is 35 years old. That's a long time for one-off quirks to get implemented for all sorts of edge cases.

https://bugzilla.mozilla.org/show_bug.cgi?id=1950144

The SystemV filesystem is getting removed from the #Linux kernel, as it had a bad bug proving no one was actually using it.

https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git/commit/?h=vfs-6.15.sysv&id=448fa70158f9b348e71869cfe4a31988e07b20b2

@evan Why wouldn't I chose the max option?

Developer applies at @ubuntu, goes through extensive hiring filters and many interviews, gets an offer in hand, accepts the offer, quits their job, only for Canonical to retract the offer.

Don't work for Canonical.

#Ubuntu #Linux

https://www.reddit.com/r/linux/comments/1ij4itg/canonical_what_a_shame/

@dalias @dimpase I agree. What I don't understand why you would choose to leak metadata unnecessarily when stronger alternatives exist.

@dimpase @dalias I didn't call it grave.

@dimpase @dalias It is horrible. No password manager should be doing this. But it's not leading to the compromise of each account ("grave"), just leaking what they are ("bad", "horrible", "not good").

@dalias @dimpase The context is pass(1) however, not data in general. pass(1) reveals which accounts you're protecting, even if the password for each account is encrypted with your PGP keys.

Syncing encrypted pass(1) files to 3rd party cloud providers is a security vulnerability that other password managers does not have.

@dalias @dimpase I disagree. Provided your master password is sufficiently secure, you can sync a KeePass/KeePassXC database safely to 3rd party servers without risk of revealing any information as to the number of accounts they contain, or which accounts are stored.

@dalias I was just curious. As a moderator of r/Passwords on Reddit, a user messaged me concerned about a certain post, which led to the discussion of biased and fair reporting of different password managers.

I used subreddit subscriber counts as a poor metric for market share, and mentioned as much, which got me curious if actual research had been done in this area. I figured it would be via voluntary polling, which has its own problems.

@dalias @dimpase The vulnerability exposing accounts to the filesystem is closed if the data is not synced across computers and cloud providers. But if the data is synced, such as checked into GitHub or copied to Dropbox, the vulnerability is exposed.

Has there been any research on the market share of password managers? Both from the perspective of competition (Bitwarden vs 1Password), but also users versus non users.

#passwords

@dimpase I'm familiar with pass(1). It has a horrible vulnerability in that it leaks all accounts to the filesystem. No modern password manager today does this.

LastPass got heavily criticized for not encrypting URLs in the DB, rightfully so, because it leaks which accounts a user has stored in the DB. They've since fixed it.

Also, PGP can die in a fire. Heh.

@BeAware How so?

This slipped past my radar: LetsEncrypt is ending support for TLS cert expiration notification emails.

https://letsencrypt.org/2025/01/22/ending-expiration-emails/

Hard pass. I will not use #passkeys and will tell my friends and family to do the same.

So long as attestation part of the WebAuthn spec, it allows companies to lock consumers into using specific passkey managers.

It's exactly like streaming subscriptions. Attestation sets up the dystopia of a paid 1Password account for your email passkey, a paid LastPass account for your utility account passkey, a paid Bitwarden account for your health insurance, etc.

#passwords

https://www.ncsc.gov.uk/blog-post/passkeys-not-perfect-getting-better

Here are some published random number projects.

In 1955, the RAND corporation published a book titled "A Million Random Digits with 100,000 Normal Deviates".

The random number were produced via an electronic simulation of a roulette wheel attached to a computer. The results were filtered and tested before added to the large table.

The book is 400 pages each containing 50 lines of 50 digits. Columns and lines are grouped in fives and the lines are numbered 00000-19999.

https://www.rand.org/pubs/monograph_reports/MR1418.html

Happy Birthday #GNU #Bash.

#linux