Bibliography LIVE about the xz/lzma backdoor compromised to sshd through systemd

Bibliography of this mini-tragedy for systemd and the “provocative” vindication of zstd (which usually is compiled using lib-lzma).

Here is some reading material to print and keep on your bedside:

• https://nvd.nist.gov/vuln/detail/CVE-2024-3094
• https://security.archlinux.org/CVE-2024-3094
• https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5008221
• https://www.openwall.com/lists/oss-security/2024/03/29/4
• https://archlinux.org/news/the-xz-package-has-been-backdoored/
• https://boehs.org/node/everything-i-know-about-the-xz-backdoor   (this I don’t like, it is very race/ethnic finger pointing oriented with some very very dumb or naive assumptions of “persons” instead of corporate/agency entities).
• https://web.archive.org/web/20240329223553/
• https://github.com/tukaani-project/xz/issues/92
• https://www.reddit.com/r/archlinux/comments/1bqxnsm/was_the_xz_rebuild_better_or_worse/
• https://news.ycombinator.com/item?id=39867126

The list will be enhanced as good material and analysis is found, and please make suggestions for more through comments

Continue reading →

Fall 2023 hardcore list of 17 linux distributions without elogind and other systemd parts

Welcome antiX and Noir linux to the strict list, with edition 23 antiX is fully functional and lighter than ever without a trace of elogind!

        Edited:  September 24th 2023 (replacing older strict list)

This list is going to be short and there may be a sublist of distros with a medium strict standard.  We shall explain what the object is, below the short list (which we hope the community will assist in making longer as we have not been able to currently review the work of every distro and fork).

Fall 2023 list of “healthy” hardcore distros in alphabetical order with date/activity indicator (xxx)

1.    antiX —> antixlinux.com debian fork without systemd/elogind nearly as famous and popular as Debian itself now
2.    CarbsLinux —> carbslinux.org (Kiss fork with CPT pkg manager shinit/sinit/runit/busybox 02/2023 )
3.     Glasnost —> www.glasnost.org (Kiss fork – multi-arch tarballs 05/2022)
4.     Glaucus linux –> glaucuslinux.org (active 09/2023)
   
5.     Hyperbola Linux —> hyperbola.info A libre gnu-linux  distro like debian with pacman, or arch but stable as debian in transition to a BSD system – so it will be removed again (active 09/2023)
6.     Iglunix Linux —> https://github.com/iglunix/iglunix/releases, https://iglunix.xyz. (musl busybox no-gnu + alt kernels + wayland NoX) (active 09/2023)
7.     Joborun Linux —> http://pozol.eu Arch based w/o systemd building env runit (default) + s6/66 (optional). (active 09/2023)
8.    Kiss Linux –> kisslinux.org independent from community influence (dormant for quite some time) (neglected but still a strong base to start something new)
9.     Kwort Linux –> kwort.org  (active 09/2023)
10.     Mere Linux —> merelinux.org  (alpha project – active 1/2023 Musl + pacman  – it boots now!)
11.     NOIR linux –> github.com/noirlinux a promising kiss-linux fork with a more aumated building system (may 2023)
12.     Oasislinux –> oasislinux/oasis (active 09/2023)
13.     Obarun Linux –> obarun.org (the most extensive general use distribution that meets the criteria) (active 09/2023)
14.     PCLinuxOS —> pclinuxos.com a long term distro with wide variety of ready made sw without elogind or systemd
15.     Sabotage Linux  –> sabotage-linux  (most inspiring commitments and goals) (active 09/2023)
16.     Superboxon Linux –> superboxon.com  Slackware  based BSD type init, no elogind,PAM (active 09/2023)
17.     Venom Linux —> venomlinux.org  (forked from LFS – glibc now with runit –  active 9/23)

recently removed:

1.     Mutiny linux –> mutiny.red   site vanished/down

Please keep the recommendations going, for inclusion and exclusion from the list.  We can not keep and maintain installations for all of them, we count on you.

Hardcore because they seem honest and dedicated to the war against totalitarianism by IBM and other mega corporations to dominate the Open and Free software world.

Continue reading →

Popular mythology spread by IBM parrots elogind vs consolekit2 1.2.2

Thanks to the great work by Eric Koegel and Antoine Jacoutot we were not wrong again!

Parrots never think of what it is they say, they hear things (generally things are heard through highly paid and supported media that serve corporate and state interests) and reproduce the sound of them.  Not that they are dumb, but they can’t process rational language based communication. 

QUESTION: Why are you dumping consolekit2 and use elogind, that you know is just a significant piece of systemd, which further makes upstream reliance to systemd more acceptable and wide spread?

EXCUSE:  Consolekit is deprecated, it is unmaintained, it will never work with Wayland, and we must support wayland because that is the future.

QUESTION: Could consolekit2 be able to work with wayland?

EXCUSE: No, it never will!

QUESTION: Elogind, being a piece of the most convoluted piece of opensource software ever encountered is very big.  Shouldn’t this be a performance concern?

EXCUSE: No, because consolekit was also huge!

---

ANSWER:  Consolekit2 1.2.2 was released Dec.20 2020 and among its changes is a memory leak fix, NetBSD/OpenBSD fixes/compliance and more.  If you notice in the list of issues and discussion there has been a workaround to get ck2 to work with wayland in Gentoo since 2018. 

Consolekit2 is between a 1/5 to 1/6 of the size of elogind!

---

Continue reading →

Why was Nutyx dropped from our lists

NO PUBLICITY IS BAD PUBLICITY

In our initial review of Nutyx, more than a year ago, we did not see a distro struggling for identity, we applauded their effort to make a linux system work without components of the pest (systemd, pulseaudio, gnome, wayland, etc.) but independently using the “stable” consolekit2, sysvinit as tried and refined for decades, and their very own tool for package management, cards.  Revisiting it now, after comments on our list of linux distributions without systemd, we were both disappointed and curious on why and how they did such a thing.  We have seen others go, but they were more like forks of a system than an independent distribution.  Like ArchBang, the fleadog of flea dogs. Continue reading →

Sabotage Linux on the “progress” of Linux

Since we agree with every word and punctuation in this article, we proudly republish it from the Sabotage Linux website:

When “progress” is backwards

Lately I see many developments in the linux FOSS world that sell themselves as progress, but are actually hugely annoying and counter-productive.

Counter-productive to a point where they actually cause major regressions, costs, and as in the case of GTK+3 ruin user experience and the possibility that we’ll ever enjoy “The year of the Linux desktop”.

Continue reading →

Ataraxia and the need for a stricter list of distros

A while ago someone I didn’t know contacted me in reddit about the list of distributions without systemd, suggesting I should add ataraxia linux.  Ataraxia Linux was very similar to kiss-linux, source based, musl, but featuring an array of init and service supervision systems available to choose.  A few weeks ago, someone (turns out to be the same person) added a comment to this blog to this more precise list of “linux distributions without systemd” and suggested I should add Ataraxia to the list, and I did.

Then a comment comes in by someone who is really going through the list of distributions and also has been reviewing the narrow list of distributions, or systems, built on musl instead of glibc.  He alerted me to the fact that Ataraxia is now using systemd as its default init system.  It didn’t strike me as odd in the beginning, even though I had recently given it a try.  I was under the impression, never tried, that systemd couldn’t be built on musl as it wasn’t even written in C.  So I asked that same guy, who turns out to be the distro owner of ataraxia, how has he  achieved this, and I got a single word response:  “patching”. Continue reading →

Everybody knows that the employer takes all the moral responsibility …

… the employee is just doing “his job”, and if he doesn’t do it someone else will.  Were you as tired of listening to such excuses when your colleagues were asked whether they were willing to work for the “defense industry” or surveillance agencies?  Everyone has heard this one time or another as an excuse, “I am just doing the job I am paid to do”, but rarely do we hear from those who turned the offer down.  Those who are not rich by any means, and not have high executive positions in larger organizations, and were fully capable to do much more, but not willing to violate their own principles.

WARNING:  This has everything to do with open/free software, linux, init systems, and “choices” people make.

Continue reading →

We are a systemd free linux community

Edited again: 2023-02-23

Antix is to Debian what Joborun is to Arch, and Devuan is to debian what Artix is to arch.  Such projects/distributions seem to be very promising in concept and execution.  Equally promising, if not more, is Void, Sabotage, and Kiss linux taking an independent path.  Continue reading →

kernelKurtz: What’s up with the hate towards Freedesktop?

kernelKurtz, aka kK, has been a supporter and contributor of this site since its inception.  This came as a comment to an article by FigOSdev on dbus but it deserves its own space.

Here he takes a shot at Freedesktop and gang.

reddit:  What’s up with the hate towards Freedesktop?

It’s not about hate, random reddit OP. But it is about a severe difference in what people think is important.

These corporate persons want standardization and homogeneity on their own terms. They want open source cachet and finding a way to monetize it, and they don’t give a rat’s ass about the four freedoms, or what happens to the people that Bill Gates once sneered at as “hobbyists”. They are Google and Microsoft and everyone else who can afford to buy a seat on the board of the Linux Foundation. Red Hat probably too, sad to say. Their motto is do no evil, until evil is profitable, and then pick another slogan, because buttering the bread is what life is all about. Continue reading →

Should We Rank Systemd-free Distros By Their Success In That Very Thing?

Adapted from a post on the new forum: https://nosystemd.icyboards.net 
<by FigOSdev>

Ranking systemd-free distros by how much they have managed to remove systemd doesn’t seem like a crazy idea to me at all. I don’t believe anyone thinks that’s the only factor in choosing a distro, nor are they going to switch just because one ranks higher than another.

There are certainly other merits in a systemd-free distro. Continue reading →

Ubuntu, red-hat, fedora, google, debian, dod, MS-Monsanto?

On the article titled Will the non-systemd community run out of steam?  an interesting discussion took place and a serious amount of explanations were provided on the how-abouts of the systemd phenomenon, how it spread, how it is supported, who the key players are, and how bad the odds against other distributions choosing to stay free of systemd are.  For technical counts against systemd you can visit sites such as systemd-free.org

The discussion takes place betweem two anonymous advocates (against the systemd conspiracy) under the nicknames Jack and the Beanstalk and punkznotdead.  Continue reading →

U/EFI secure boot and debian/microsoft-ization

A short story: In recent years PCs have increasingly shifted from having a bios in charge of booting, whatever system can possibly boot from, to a system called EFI.  EFI in brief seeks a boot partition on disk that can be edited and filled with OS instructions on how the kernel of a system will be initialized and built.  A UEFI is a more specific form of an EFI that also introduces secure boot.  This means that only certain systems that are considered as “safe” can boot and such systems are certified and are issued a key (for a hefty fee of course). Continue reading →