you could edit your post title

Have you tried https://mike-fabian.github.io/ibus-typing-booster/ ?

I have not, but I think it does what you’re looking for.

The demo video emphasizes its use as an emoji picker but it was originally created for typing Indic languages.

i figured this was likely astroturfing by one of the many shitty companies it is advertising, so i went looking for the source. somewhat to my surprise this image was apparently created by reddit user u/theFallenWalnut who’s actually been posting there for over 10 years 🤔

if you check their account you’ll see they’ve actually updated their recommendations to remove several companies (including proton and spotify) which are included in the older version of it posted here.

but, they’re still suggesting lots of garbage.

see also https://en.wikipedia.org/wiki/Ethical_consumerism#Criticism

and here i does it for free 🤡

At first i thought, wow, cool they’re still developing that? Doing a release or two a year, i see.

I used to use it long ago, and was pretty happy with it.

Nope.

Nope, it is.

It allows someone to use code without sharing the changes of that code. It enables non-free software creators like Microsoft to take the code, use it however they like, and not have to share back.

This is correct; it is a permissive license.

This is what Free Software prevents.

No, that is what copyleft (aims to) prevent.

Tired of people calling things like MIT and *BSD true libre/Free Software.

The no True Scotsman fallacy requires a lack of authority about what what constitutes “true” - but in the case of Free/Libre software, we have one: https://en.wikipedia.org/wiki/The_Free_Software_Definition

If you look at this license list (maintained by the Free Software Foundation’s Licensing and Compliance Lab) you’ll see that they classify many non-copyleft licenses as “permissive free software licenses”.

They’re basically one step away from no license at all.

Under the Berne Convention of 1886, everything is copyrighted by default, so “no license at all” means that nobody has permission to redistribute it :)

The differences between permissive free software licenses and CC0 or a simple declaration that something is “dedicated to the public domain” are subtle and it’s easy to see them as irrelevant, but the choice of license does have consequences.

The FSF recommends that people who want to use a permissive license choose Apache 2.0 “for substantial programs” because of its clause which “prevents patent treachery”, while noting that that clause makes it incompatible with GPLv2. For “simple programs” when the author wants a permissive license, FSF recommends the Expat license (aka the MIT license).

It is noteworthy that the latter is compatible with GPLv2; MIT-licensed programs can be included in a GPLv2-only work (like the Linux kernel) while Apache 2.0-licensed programs cannot. (GPLv3 is more accommodating and allows patent-related additional restrictions to be applied, so it is compatible with Apache 2.0.)

What is a U.S.-sanctioned place? Why does the U.S. government think this is a bad thing?

https://en.wikipedia.org/wiki/United_States_government_sanctions

🎉 sometimes US sanctions actually do lead to positive outcomes :)

I often see Rust mentioned at the same time as MIT-type licenses. Is it just a cultural thing that people who write Rust dislike Libre licenses?

The word “libre” in the context of licensing exists to clarify the ambiguity of the word “free”, to emphasize that it means “free as in freedom” rather than “free as in beer” (aka no cost, or gratis) as the FSF explains here.

The MIT license is a “libre” license, because it does meet the Free Software Definition.

I think the word you are looking for here is copyleft: the MIT license is a permissive license, meaning it is not a copyleft license.

I don’t know enough about the Rust community to say why, but from a distance my impression is that yes they do appear to have a cultural preference for permissive licenses.

fyi: GNU coreutils are licensed GPL, not AGPL.

there is so much other confusion in this thread, i can’t even 🤦

Apple makes the source code to all their core utilities available

Apple makes the source code for many open source things they distribute available, but often only long after they have shipped binaries. And many parts of their OS which they developed in-house which could also be called “core utilities” are not open source at all.

Every Linux distro uses CUPS for printing. Apple wrote that and gave it away as free software.

for example, on a linux distro, we could modify the desktop environment and make it waaaaay lighter by getting rid of jpg or png icons and just using pure svg on it.

this has largely happened; if you’re on a dpkg-based distro try running this command:

dpkg -S svg | grep svg$ | sort

…and you’ll see that your distro includes thousands of SVG files :)

A ctrl-d does nothing on a non-empty line.

ctrl-d actually is flushing the buffer regardless of if the line is empty or not.

See my other comment for how you can observe it.

Note: for readers who aren’t aware, the notation ^X means hold down the ctrl key and type x (without shift).

ctrl-a though ctrl-z will send ASCII characters 1 through 26, which are called control characters (because they’re for controling things, and also because you can type them by holding down the control key).

^D is the EOF character.

$ stty -a | grep eof
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
$ man stty |grep -A1 eof |head -n2
       eof CHAR
              CHAR will send an end of file (terminate the input)

Nope, Chuck Testa: there is no EOF character. Or, one could also say there is an EOF character, but which character it is can be configured on a per-tty basis, and by default it is configured to be ^D - which (since “D” is the fourth letter of the alphabet) is ASCII character 4, which (as you can see in man ascii) is called EOT or “end of transmission”.

What that stty output means is that ^D is the character specified to trigger eof. That means this character is intercepted (by the kernel’s tty driver) and, instead of sending the character to the process reading standard input, the tty “will send an end of file (terminate the input)”.

By default eof is ^D (EOT), a control character, but it can be set to any character.

For instance: run stty eof x and now, in that terminal, “x” (by itself, without the control key) will be the EOF character and will behave exactly as ^D did before. (The rest of this comment assumes you are still in a normal default terminal where you have not done that.)

But “send an end of file” does not mean sending EOT or any other character to the reading process: as the blog post explains, it actually (counterintuitively) means flushing the buffer - meaning, causing the read syscall to return with whatever is in the buffer currently.

It is confusing that this functionality is called eof, and the stty man page description of it is even more so, given that it (really!) does actually flush the contents of the buffer to read - even if the line buffer is not empty, in which case it is not actually indicating end-of-file!

You can confirm this is happening by running cat and typing a few characters and then hitting ^D, and then typing more, and hitting ^D again. (Each time you flush the buffer, cat will immediately echo the latest characters that had been buffered, even though you have not hit enter yet.)

Or, you can pipe cat into pv and see that ^D also causes pv to receive the buffer contents prior to hitting enter.

I guess unix calls this eof because this function is most often used to flush an empty buffer, which is how you “send an end of file” to the reader.

The empty-read-means-EOF semantics are documented, among other places, in the man page for the read() syscall (man read):

RETURN VALUE
      On success, the number of bytes read is returned (zero indicates end of
      file), and the file position is advanced by this number.

If you want to send an actual ^D (EOT) character through to the process reading standard input, you can escape it using the confusingly-named lnext function, which by default is bound to the ^V control character (aka SYN, “synchronous idle”, ASCII character 22):

$ man stty|grep lnext -A1
       * lnext CHAR
              CHAR will enter the next character quoted
$ stty -a|grep lnext
werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;

Try it: you can type echo " and then ctrl-V and ctrl-D and then "|xxd (and then enter) and you will see that this is sending ascii character 4.

You can also send it with echo -e '\x04'. Note that the EOT character does not terminate bash:

$ echo -e '\x04\necho see?'|xxd
00000000: 040a 6563 686f 2073 6565 3f0a            ..echo see?.
$ echo -e '\x04\necho see?'|bash
bash: line 1: $'\004': command not found
see?

As you can see, it instead interprets it as a command.

$ echo -e '#!/bin/bash\necho lmao' > ~/.local/bin/$(echo -en '\x04')
$ chmod +x ~/.local/bin/$(echo -en '\x04')
$ echo -e '\x04\necho see?'|bash
lmao
see?

!meshtastic@mander.xyz is the more active of the two lemmy communities about it

sure. first, configure sudo to be passwordless, or perhaps just to stay unlocked for longer (it’s easy to find instructions for how to do that).

then, put this in your ~/.bashrc:

alias sudo='echo -n "are you sure? "; for i in $(seq 5); do echo -n "$((6 - $i)) "; sleep 1; done && echo && /usr/bin/sudo '

Now “sudo” will give you a 5 second countdown (during which you can hit ctrl-c if you change your mind) before running whatever command you ask it to.

to answer this question: if you’re on a dpkg-based system, check /var/log/dpkg.log (or /var/log/dpkg.log.2.gz to get logs from January, if your system rotates them once a month).

Nice post, but your title is misleading: the blog post is actually titled “Supply Chain Attacks on Linux distributions - Overview” - the word “attacks” as used here is a synonym for “vulnerabilities”. It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.

This lemmy post however is titled (currently, hopefully OP will retitle it after this comment) “Supply Chain Attack found in Fedora’s Pagure and openSUSE’s Open Build Service”. edit: @OP thanks for changing the title!

Adding the word “found” (and making “Attack” singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all. (It does actually discuss some previous real-world attacks first, but it is not about finding those; the new findings in this post are vulnerabilities which were never attacked for real.)

I recommend using the original post title (minus its “Overview” suffix) or keeping your more verbose title but changing the word “Attack” to “Vulnerabilities” to make it clearer.

TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).