How can Void be best the one day malware the next?

How can someone here, defend Void’s honor from a tremendously sloppy and unjustified criticism by the corporate rag (as in the piece of cloth used to wipe genitals after corporations take a crap, and they do all the time, especially on May Day and when strikes and mass protests are taking place around their headquarters) “distrowatch” ….  and the very next day attack void as being the worst form of malware that has hit the open and free software world?

Basically we are not a “fan club”, defending anyone as being god, or hating someone as being the antigod.   Criticism, for those that understand the term within rational thinking, has to and must be objective, to the best reasonable effort (that is all we human can do).  Only then can there be a dialectical agreement about reality, our best interpretation of it.  Despite of how many of you here, feel like they are finding a home at this systemd hate club of hooligans, enjoying braking knee caps of their opponents.  No, it is all objective criticism at something that is gradually becoming a “social danger”.  It is the Trojan Horse (and damn the damn Greeks for inventing this strategy to defeat the peace-loving Thracians and take over their land and resources, which they did, that is not Homer’s mythology but a historic fact) that is used by mega corporations to swallow and end this industry of open and free software, running on non-open and non-free hardware in lack of an alternative, which should be a social goal.  In this respect open and free software is an industry from those below against the interests of those above, a miracle or a mistake by those that rule and dominate.

We feel that Void is precious as a social construct, as a platform for good things that can come out of it.  Better than many.  But there have been signs of slippage recently.  Developers and maintainers getting so much into the details of packages working and cohabitating harmoniously (the packages not the devs) that harsh choices had to be made.

… Void, for those that didn’t know, was one of the earliest test beds of systemd.  They loved the stuff when everyone else was looking down on it.  One day they realized that it didn’t fit their bill.  They wanted to embrace different architectures and platforms, like making a parallel distribution based on musl instead of glibc, and have the two be equally functional and effective in all hardware architectures they catered to.  Short story is that systemd will not run on anything other than glibc, and would take enormous work to make it work with anything else other than linux.  So this is as far as systemd can go; linux and glibc, a sub-sector of unix forks.  Openrc, s6, runit, and many others are much more portable, in a true unix fashion…..

So devs, seem to be forcing the needs of their individual packages as policy for the entire team, and since other team members don’t have the time or the patience to provide better suggestions, they just let others do as it is necessary.  As long as things don’t conflict each other everyone in Void does their thing and the cumulative effort is what we see outside.  Yet another miracle, that this tower is holding up and not collapsing.  So, who made after years valid live-images for people to install void, when the previous ones were pointing to false inexisting repositories?  Are those official images, are they a collective effort and signed as void?  Nobody knows.  They just appeared.

The other autistic tendency void had was to support the most popular desktops and applications out there.  Yes, even the crappiest of all, gnome and cinnamon.  (I am sorry, are you one of their users, tough shit, go away).  With all the good efforts and struggle to make them work, some beaten and exhausted from continuously struggling, gave up and discovered this easy way out, using a piece of systemd (a good chunk of it) but which is easily portable (has been by others, not void, specifically I believe it was Gentoo’s work) and stop fighting the monster (systemd – gnome – pulseaudio – freedesktop – IBM).  All those other desktops, DMs, window managers, if and when it is necessary (not very often) used consolekit2 to satisfy their happy gui clicking customers.  Systemd believes in multileveled management.  Between user and the essential core system responsible of booting and providing a console, there are several layers of management.  It takes a labyrinth system like elogind to monitor and control all actions between those levels.  It is a pain in the neck to even audit a single machine single user system, let alone an enterprise system comprised of several machines and numerous users.  But it works.  Even a dummy entry level sys-admin can set a system up.  You plug in at the one end and go to the other end and it is working.  What happens in between only IBM would know.  If you trust IBM to sleep with your partner you have nothing to worry about.

When such discussions come up, the most hypocritical of all devs and coders will bring up the issue of security.  Security, as in real life politics, forces an issue to be withdrawn from the public social sphere of being political in becoming a “military issue” where experts are called to make the decisions instead of the “non-expert” public.  So when you hear “security” being drawn into a conversation, it is 99% sure someone who is bringing it in is denying to discuss a political matter and wants to convert it into a closed chambers meeting of expert generals in charge of security.  So don’t readily buy into the security “issues” as an argument as it is a common scapegoat by authoritarians to divert an issue to be discussed by common mortals.

Hypocritical!  Why?  Because those same idiots claiming expertise on security, want the “average user” to have access better kept for those better than the average user, but the transition of this power elevation must be handled by high security systems.  The clueless, retarded as I was called in the above mentioned thread, where at least two void devs are anonymously taking part, would ask if it is a security issue why give anyone other than root access to resources restricted as being threatening to the system’s integrity?  Some other clueless person may also ask, if the user has to have access to such system modifying resources, why restrict them in the first place?  But it is the elevation process stupid, that becomes a security issue.  Yes, but you are creating this complicating sub-system to be doing this elevation, subject to even more chances of being breached.

See, how simple matters are if you are not a military expert?  Just type % su and your system’s password, and do as you please.  But you’d rather click on things and let them work automatically.  Well, yes, you are not really secure minded anyway, you rely on the great fathers of void to protect you.

Now wait a minute!  Are we talking about one person installing software in their own machine for their own use or are we talking about a sys-admin having this mega-system in this mega-network, allowing users to login and use the resources?  Two different stories.  On the first it makes no sense, if the user wants to be root he can because it is his machine and he is root and user after all.  On the second example, are you going to trust any guest in your system root privileges to screw up the system for everyone else?  Am I making sense?  We can get lost here for days discussing the details and the sub-specific examples of should and shouldn’t for each one, and that is exactly what a login-daemon does.  It may allow some to some resources, prevent some from some others, and the when and how.  It gets very militaristic trust me.  You shouldn’t browse the net, especially chatting and loging into news-sites and social media as root.  You shouldn’t be able to format and repartition a disk as user.  You shouldn’t turn hardware on and off for the entire system as user.  Another user in the lab may be conducting an experiment with radio-isotopes and you just turned their hardware off measuring radio-activity, or took the transmitter out of a radio station.

So how does void relate to all this?  I will not reproduce all those things discussed in the above thread, I’ll let you take some time to digest it, take my word and wipe void off of your disk as malware, or at least malicious software (is it different?) or take some reddit ab-users’ advise and keep on “void”ing and block this site as a source of malware.

Keep this in mind though.  Many, many, really serious distributions, have no evidence of elogind and have many functional desktops.  Many still use gksu as they don’t buy all this propaganda on security issues with it.  Many are still using consolekit2 (the evolution of the abandoned consolekit which was systemd-IBM’s employees work) swear it is good enough, and even some really fresh really promising distributions just starting now ALSO utilize consolekit2.  Not to be extreme, for those gnome lovers (I almost slipped and said rags again), I don’t have an issue if a distribution says let them have it, we will build it for them to make their lives easier.  But keep consolekit2 for those that don’t want to use it.

THE WAY to go about removing software from a distribution, SHOULD (and here I accept discussion for which Void denies having any) first make a serious effort to alert users of dropping support, then remove it all together from their dependencies to it, then remove it from the repository, then remove it from the source repository showing how they built the thing they passed around.  What does void do?  Quitely, one piece at a time, cut the dependencies off.  Then had some little chat and comments on github, not really reflecting a “collective decision to”, just indicating that they MAY in the future, THEN ONE DAY, remove the source.  The binary still stands, has a dependency on the corresponding polkit, which now has a dependency on libelogind.  But tomorrow it may be removed all together.  For now, it is a binary blob, without any source to show what it is and how it was built.  You just have a size of a blob, and a name on it.  This is really slipping into unofficial microsoft off the torrent-land binaries with the name of popular games and applications territory.  It has never happened before in the unix world.  I had heard of the case of Kodachi not having sources, and it was reasonable to an extent, but Kodachi was just using debian repositories and scripts that you could read directly before you run them, I think they made a public source repository for their scripts to satisfy criticism from competition (tails, heads, kali, parrot, etc.) but this is the only case I had heard before.  Someone calling themselves open and free and offering binary blobs without a source, Void has broken the record for being irresponsible.

What else is there?  There is more.  There is recent history and several packages, that were removed by void from users’ installed system without their consent.  How?  Let’s say you take this package from upstream called gksu.  Let’s not start an irrelevant tangent here as well as whether gksu or consolekit are good pieces of software or not, this is not the issue.  You place the upstream source, you modify it and package it, you build it in your super-dooper-server void owns, and flood the users machines with this blob.  Then one day you make this package with the same name, leave it blank inside but have all the characteristics of a xbps package, signature and checksums for this piece of hot air, and name it after the original creator’s name, gksu-3,3-3, replacing gksu-3.3-2.  Not alert the user who didn’t pay attention of the size differential (do you, out of 20 upgraded packages becoming larger and smaller, do you pay attention to the differential size?) and effectively delete data (the original gksu) from your disk.  Then you click on this shortcut or hot-key you have for gksu nano /etc/hostname and it is not working.  Aaahhh… you should have been on irc 24/7 and have read comments elsewhere on github mentioning the removal of gksu, not on void’s github /gksu section (that has now vanished) but elsewhere …  and you would know about it.  You are responsible to know what different devs chat about somewhere.   None of those devs speak as they are void themselves, unless you are part of the little buddy group, you don’t know which one has rights to push software, who is just a contributor suggesting a patch, who is the “leader”, and who are the “lead”.  Nobody ever comes out and speaks as “Void”, except for the News section on the website, who shall remain nameless as well.

For years nobody knew that the “official void forum” listed on their own website was not held by them, but by some user who donated the amount to keep it running.  When other users declined his blackmail to have money sent to him to keep it up, he took this entire void resource and vanished.  All those discussions and historic documents displaying how void evolved, vanished.  Then the founder vanished.  Then the founder is back.  Then …

You get the picture, if I have the wrong one please tell me.  It is a madhouse and a babel tower about to collapse if some formal organization effort doesn’t hold it together.  I see clear signs of it.  I have also seen real outspoken devs, especially the one I had a serious argument on his fascism months ago about gksu, also vanish.  Where did they go?  Why?  None of our business.

 

WHEN you issue binary blobs without a source IT IS OUR BUSINESS VOIDers!

WHEN you fake popular software with their name and send out bubbles of emptiness replacing REAL AND FUNCTIONAL software out of my disk , It is my business.  You can’t use the name linux-5.5 and put nothing in the package just so you can delete linux-5.4 out of my disk.  What is on my disk is mine.  You are deceiving me of an improvement just so you can have your way on my disk.

How thick can those babel inhabitants be to think they are mini-gods doing any punk like act and getting away with it solely on fame and glory?

ENOUGH!!!

Shape up, and I am really sad void is allowing to collapse by the irresponsibility of its members, and I hate to delete it, and I am sure not upgrading anything any more, but I have to see some sign of improvement to turn positive again.  Till then I can only underline my criticism as stated in this thread at reddit.

 

WHY REDDIT?

 

It is the ONLY official forum Void lists (just click on the link that says forum on their website), I don’t trust to ever enter the hackerland called irc, or don’t expect anyone can keep up with chat on github on 20000 packages and 7 architectures.  Get serious when you make suggestions like this.  You should be serious about devising mechanisms to deceive users to have data removed from their machines.

I have rebroadcasted before Void news for anyone who have missed an announcement, you have gone as far as making April fools jokes on that medium, but you want to alert users of wanting to delete data from their disk PLEASE announce it somewhere with a low signal/noise ratio, or you are going to hear it, here and on reddit, and in your little buddy buddy chat rooms.

And keep your little pups and dogs (fan club) on a leash because we are a pack of wolves and we eat poodles for breakfast.

Is it a war against systemd?  No it is a war of people against corporations.  If you can’t handle it get out of the trenches, there is no room for apolitical flowerkids here.  And that is political, it is not a “security” issue.  Go smoke weed elsewhere while chatting on gnome, we have work to do.