XSF Discussion - 2023-04-12

  1. Guus

    I realize that it doesn't get more off-topic than this (feel free to answer in private), but as I expect this channel to have plenty of people with a comparable workload: what are your recommendations for a Linux desktop antivirus solution, for a developer machine (lots of compiling & associated disk activity)?

  2. Zash

    Guus: General security awareness?

  3. Kev

    Windows Defender :)

  4. Zash

    Only run code you wrote yourself. )

  5. Zash

    Only run code you wrote yourself. ;)

  6. Kev

    (Only half a flippancy, my Linux Desktop runs Windows, because WSL2 is yummy)

  7. MSavoritias (fae,ve)

    flatpak with flatseal to sandbox everything with selinux on top and a custom secure kernel

  8. MSavoritias (fae,ve)

    (half joking)

  9. intosi@ik.nu

    Switch to DragonflyBSD, nobody targets that.

  10. Zash

    Don't compile and run viruses. Easy!

  11. intosi@ik.nu

    I don't have a lot of experience with live anti-virus scanning on Linux machines, just mail.

  12. jonas’

    Guus, I'm not aware of any sensible antivirus solution.

  13. MSavoritias (fae,ve)

    I have heard of clamv that does scanning and works on linux but havent used it

  14. jonas’

    clamav exists, but is not online AFAIK and is mostly used with email

  15. MSavoritias (fae,ve)

    ah. then no then

  16. Guus

    Thanks for the (mostly) helpful answers :)

  17. Guus

    My current shortlist-under-construction contains Bitdefineder, Kaspersky and ClamAV - Sophos also seems to support Linux desktop, but I grew quite tired of them when trying to support that on my parents' machines.

  18. Zash

    I'll just assume those are spyware viruses until proven otherwise. :P

  19. jonas’

    I highly doubt any of those will save you from the next typosquatting attack on your favourite package registry anyway

  20. Zash

    Oh yeah, threat model?

  21. jonas’

    (I suspect the threat model is "an auditor comes by")

  22. jonas’

    (which is the most common and least useful threat model :))

  23. Guus

    There's no 100% solution for anything, but having _a_ solution is better than having none.

  24. Zash

    In which case, go read the policy document!

  25. Zash

    Having a bad solution is worse than having no solution and being aware of it.

  26. Zash

    Just be careful, use your Common Sense™

  27. jonas’

    *Having a bad solution and overestimating its effect […]

  28. Guus

    as for auditors: if that makes a difference between 'landing a contract' and 'not landing a contract', I'd say it is a very useful thread model (not that it's currently applicable to me, but still).

  29. jonas’

    Having a bad solution and being aware of the exact limitations is ok.

  30. jonas’

    Guus, it's not a useful threat model for IT security, at most for business continuity ;)

  31. Guus

    Without business continuity there's little use for a IT security model.

  32. jonas’

    also correct

  33. Zash

    Everything is connected.

  34. Kev

    > Everything is connected. And so you describe the thread model.

  35. jonas’

    (but that only means that killing business continuity means you can stop worrying about IT security, so that's great! ;-) )

  36. Kev

    > Everything is connected. And so you describe the threat model.

  37. Zash

    Become potato farmer, all IT problems gone!

  38. Zash

    (Welp, tractors have copy protection now???)

  39. jonas’

    you wouldn't download a ~car~ tractor!

  40. Guus

    "I asked software engineers a question and they told me to become a potato farmer."

  41. jonas’

    that sounds about right

  42. Guus

    This might go on my LinkedIn page.

  43. Guus

    (or maybe not)

  44. emus

    > Guus: > 2023-04-12 10:21 (GMT+02:00) > My current shortlist-under-construction contains Bitdefineder, Kaspersky and ClamAV - Sophos also seems to support Linux desktop, but I grew quite tired of them when trying to support that on my parents' machines. Why use them at all on a Linux system? I think ad-blockers are way more helpful. maybe you can also limit permissions for their users

  45. Guus

    I'm far from a security expert, but the "viruses don't affect/exist for Linux" argument feels dated to me. I like to err on the side of caution, provided that running an AV app doesn't dramatically impact my productivity.

  46. jonas’

    there definitely is malware targeting linux, and there's definitely also a lot which targets developers specifically (so-called "supply chain" attacks)

  47. Zash

    I had a virus once. I got it from the school Windows 3.11 machines on a 3½" floppy

  48. flow

    Guus, running an AV app likely dramatically increases your attack surface

  49. Zash

    Set up your stuff so you can easily wipe and restore from a clean image if you're worried? :)

  50. jonas’

    Zash, good luck doing that properly (i.e. including rotating all private keys)

  51. jonas’

    slightly more on-topic: does anyone happen to know if Jitsi runs on ARM64?

  52. Zash

    Client? Server?

  53. jonas’

    server, sorry

  54. jonas’

    and jitsi-meet to be precise

  55. flow

    that said, a better system architecture and a sensible AV implementation may help here. but right now, my gut feeling is that AV for Linux does more harm than good

  56. flow

    jonas’, isn't jitsi mostly java + prosody? if so, then at least the java part should run on arm64

  57. Zash

    Dunno why not, the Java and Lua bits should be fine.

  58. Zash

    But then I don't officially do any Jitsi Meet support at all, you should go ask their forum ;)

  59. jonas’

    I guess I'll just try it

  60. Guus

    there are some platform-specific things that they (used to?) have

  61. Guus


  62. jonas’

    that seems docker-specific, I don't use that.

  63. Guus

    The Openfire plugin that I used to maintain had platform specific binaries too. Never tried for ARM

  64. Guus

    The issue is docker-specific, but its comments mention libraries.

  65. Guus

    but yeah, try and see. Or ask them, they're pretty responsive.

  66. jonas’

    their venues are incompatible with me

  67. jonas’


  68. Guus

    less or more incompatible than their software on arm64? :D

  69. Guus

    Dele Olajide: do you happen to know if Jitsi Meet runs on arm64?

  70. Menel

    > Dele Olajide: do you happen to know if Jitsi Meet runs on arm64? Everyone changing their hetzner plan? 😄

  71. jonas’


  72. Kev

    Did something happen at Hetzner?

  73. jonas’

    they now offer ARM64 boxes

  74. jonas’

    for ~30% less bucks than the AMD64 boxes.

  75. Ge0rG

    > Makefile:109: target 'build/landing-example.html' doesn't match the target pattern I wasn't even trying to build that. I wanted to build 0198 only

  76. MSavoritias (fae,ve)

    Sounds like amazon and r6g that is happeninp now

  77. Ge0rG

    oh, looks like that was a forgotten proto-xep in my project root dir

  78. jonas’

    please keep editor tooling discussion to editor@

  79. Ge0rG


  80. Kev

    I'd have thought that the line between "discussions for people authoring XEPs" (which belong here) and "XEP Editor tooling" are probably fairly blurry in this case.

  81. Ge0rG

    I'd rather not have anyone die on that hill

  82. Guus

    I'd rather not have anyone die, period - but I tend to agree that it's more on-topic than the discussion on Linux AV...

  83. emus


  84. MattJ

    Regarding the recent-ish discussion about resumable file uploads, here's a thing: https://tus.io/

  85. raucao

    it's a good thing!