XSF Discussion - 2023-04-12

I realize that it doesn't get more off-topic than this (feel free to answer in private), but as I expect this channel to have plenty of people with a comparable workload: what are your recommendations for a Linux desktop antivirus solution, for a developer machine (lots of compiling & associated disk activity)?

Guus: General security awareness?

Windows Defender :)

Only run code you wrote yourself. ;) ✏

(Only half a flippancy, my Linux Desktop runs Windows, because WSL2 is yummy)

flatpak with flatseal to sandbox everything with selinux on top and a custom secure kernel

(half joking)

Switch to DragonflyBSD, nobody targets that.

Don't compile and run viruses. Easy!

I don't have a lot of experience with live anti-virus scanning on Linux machines, just mail.

Guus, I'm not aware of any sensible antivirus solution.

I have heard of clamv that does scanning and works on linux but havent used it

clamav exists, but is not online AFAIK and is mostly used with email

ah. then no then

Thanks for the (mostly) helpful answers :)

My current shortlist-under-construction contains Bitdefineder, Kaspersky and ClamAV - Sophos also seems to support Linux desktop, but I grew quite tired of them when trying to support that on my parents' machines.

I'll just assume those are spyware viruses until proven otherwise. :P

I highly doubt any of those will save you from the next typosquatting attack on your favourite package registry anyway

Oh yeah, threat model?

(I suspect the threat model is "an auditor comes by")

(which is the most common and least useful threat model :))

There's no 100% solution for anything, but having _a_ solution is better than having none.

In which case, go read the policy document!

Having a bad solution is worse than having no solution and being aware of it.

Just be careful, use your Common Sense™

*Having a bad solution and overestimating its effect […]

as for auditors: if that makes a difference between 'landing a contract' and 'not landing a contract', I'd say it is a very useful thread model (not that it's currently applicable to me, but still).

Having a bad solution and being aware of the exact limitations is ok.

Guus, it's not a useful threat model for IT security, at most for business continuity ;)

Without business continuity there's little use for a IT security model.

also correct

Everything is connected.

(but that only means that killing business continuity means you can stop worrying about IT security, so that's great! ;-) )

> Everything is connected. And so you describe the threat model. ✏

Become potato farmer, all IT problems gone!

(Welp, tractors have copy protection now???)

you wouldn't download a ~car~ tractor!

"I asked software engineers a question and they told me to become a potato farmer."

that sounds about right

This might go on my LinkedIn page.

(or maybe not)

> Guus: > 2023-04-12 10:21 (GMT+02:00) > My current shortlist-under-construction contains Bitdefineder, Kaspersky and ClamAV - Sophos also seems to support Linux desktop, but I grew quite tired of them when trying to support that on my parents' machines. Why use them at all on a Linux system? I think ad-blockers are way more helpful. maybe you can also limit permissions for their users

I'm far from a security expert, but the "viruses don't affect/exist for Linux" argument feels dated to me. I like to err on the side of caution, provided that running an AV app doesn't dramatically impact my productivity.

there definitely is malware targeting linux, and there's definitely also a lot which targets developers specifically (so-called "supply chain" attacks)

I had a virus once. I got it from the school Windows 3.11 machines on a 3½" floppy

Guus, running an AV app likely dramatically increases your attack surface

Set up your stuff so you can easily wipe and restore from a clean image if you're worried? :)

Zash, good luck doing that properly (i.e. including rotating all private keys)

slightly more on-topic: does anyone happen to know if Jitsi runs on ARM64?

Client? Server?

server, sorry

and jitsi-meet to be precise

that said, a better system architecture and a sensible AV implementation may help here. but right now, my gut feeling is that AV for Linux does more harm than good

jonas’, isn't jitsi mostly java + prosody? if so, then at least the java part should run on arm64

Dunno why not, the Java and Lua bits should be fine.

But then I don't officially do any Jitsi Meet support at all, you should go ask their forum ;)

I guess I'll just try it

there are some platform-specific things that they (used to?) have

https://github.com/jitsi/docker-jitsi-meet/issues/1214

that seems docker-specific, I don't use that.

The Openfire plugin that I used to maintain had platform specific binaries too. Never tried for ARM

The issue is docker-specific, but its comments mention libraries.

but yeah, try and see. Or ask them, they're pretty responsive.

their venues are incompatible with me

(discourse)

less or more incompatible than their software on arm64? :D

Dele Olajide: do you happen to know if Jitsi Meet runs on arm64?

> Dele Olajide: do you happen to know if Jitsi Meet runs on arm64? Everyone changing their hetzner plan? 😄 ↺

:)

Did something happen at Hetzner?

they now offer ARM64 boxes

for ~30% less bucks than the AMD64 boxes.

> Makefile:109: target 'build/landing-example.html' doesn't match the target pattern I wasn't even trying to build that. I wanted to build 0198 only

Sounds like amazon and r6g that is happeninp now

oh, looks like that was a forgotten proto-xep in my project root dir

please keep editor tooling discussion to editor@

sorry

I'd have thought that the line between "discussions for people authoring XEPs" (which belong here) and "XEP Editor tooling" are probably fairly blurry in this case.

I'd rather not have anyone die on that hill

I'd rather not have anyone die, period - but I tend to agree that it's more on-topic than the discussion on Linux AV...

^^

Regarding the recent-ish discussion about resumable file uploads, here's a thing: https://tus.io/

it's a good thing!