It's also not an issue on public facing servers as they don't have cups-browsed running which is what this vulnerability uses. The 9.9 rating is highly inflated, it was lowered afterwards.
To mitigate the CUPS vulnerability run "sudo systemctl status cups-browsed" and if you see "Active: inactive (dead)" you're safe, otherwise run "sudo systemctl stop cups-browsed && sudo systemctl disable cups-browsed"
Tip: To both stop and disable, you can type: `systemctl disable --now cups-browsed`. It really saves you time if you are troubleshooting or managing a lot of services.
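The checks from the comments above (is cups-browsed running, will it start again at boot, is UDP port 631 reachable from other hosts) combined into one audit script. This is an added example, not code from any commenter or from the CUPS project; the function names `exposed_udp631`, `assess` and `audit_host` and the sample `ss` output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a host for the cups-browsed exposure discussed above.
# Function names and the sample data are illustrative assumptions.

# Constructed sample of `ss -H -lun` output (not captured from a real host).
SAMPLE_SS='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
UNCONN 0 0 [::1]:631 [::]:*'

# Read `ss -H -lun` output on stdin and print every local address bound to
# UDP port 631 that is not loopback. Returns 0 if at least one was found.
# Note: this flags any process on UDP 631, not only cups-browsed.
exposed_udp631() {
    awk '
        {
            # The first field ending in ":<digits>" is the local address.
            addr = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /:[0-9]+$/) { addr = $i; break }
            if (addr == "") next

            port = addr
            sub(/^.*:/, "", port)
            if (port != "631") next

            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]") next

            print addr
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Combine service state and listener list into one verdict.
#   $1 = output of `systemctl is-active cups-browsed`
#   $2 = output of `systemctl is-enabled cups-browsed`
#   $3 = addresses printed by exposed_udp631 (empty if none)
assess() {
    active=$1
    enabled=$2
    listeners=$3
    if [ -n "$listeners" ]; then
        echo EXPOSED      # something answers on UDP 631 beyond loopback
    elif [ "$active" = active ]; then
        echo RUNNING      # service is up, no non-loopback listener seen
    else
        case $enabled in
            enabled*) echo DORMANT ;;  # stopped now, starts again at boot
            *)        echo OK ;;       # stopped and not enabled
        esac
    fi
}

# Query the live system. Needs systemctl and ss; missing tools count as
# "unknown" state and no listeners.
audit_host() {
    a=$(systemctl is-active cups-browsed 2>/dev/null) || true
    e=$(systemctl is-enabled cups-browsed 2>/dev/null) || true
    l=$(ss -H -lun 2>/dev/null | exposed_udp631) || true
    assess "${a:-unknown}" "${e:-unknown}" "$l"
}

case "${1:-}" in
    --live) audit_host ;;
    *)      assess active enabled \
                "$(printf '%s\n' "$SAMPLE_SS" | exposed_udp631)" ;;
esac
```

Run with `--live` to check the current machine. A `DORMANT` verdict is the case where the service was stopped but not disabled, which `systemctl disable --now cups-browsed` resolves.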
The Winamp situation is worse. The license is contradictory in at least two places, making me suspect that it's generated by ChatGPT without human interference/review afterwards at all.
@@guss77 Someone in GitHub issues suspected AI as well, not just me. You don't need to be a lawyer to spot the contradictions. 1. it says "free" and "copyleft" (or at least the first version did), while saying basically "all your copyright belong to us". 2. it says basically "all your copyright belong to us", while also saying something like "you grant us a license to use your work". The latter expression is used when the author (contributor) *retains the copyright*, while the company only receives permission to use the work, and not the copyright. If the company gets the copyright, the work no longer belongs to the author, and the author would not be able to grant any permission to anybody. In addition, a friend of mine pointed out that the repo contains third-party code that Winamp devs should have no say on how to license them.
I use WinAmp 5.6. It's fast, small, simple, and easy to use. I use the MAD plug-in, which I doubt most people have even heard of. MAD automatically reduces MP3 output if the recording level is too high. I also listen to hour long podcasts. WinAmp only uses 12 MB RAM in Windows. Don't even ask me which Windows I use. ;^)
I still have it in my Windows 10, though I haven't used Windows since last year. Winamp is one program that I do miss. The linux clones of it all seem to lack one thing or another.
I love Arch, but ever since they switched from their old bug tracker to gitlab, then disabled registration, the bug tracker has been absolutely useless. Nobody files bugs, nobody can file bugs, nothing ever gets fixed in the core repos, it's better to discuss issues with core packages in the aur's git version comments.
I don't mind the simpler setup. I usually don't focus too much on you or the background. I mostly listen and then look at the screen when you talk about something that I'm interested to look at, like a new app or something. So keep it simple 😀
The technical preview I watched the other day indicated the following: the vulnerability can be as simple as sending a UDP packet containing your code. It gets rights equal to the kernel, so no need for authorization, and from that point you can do anything you want to the person's system. And, as typical in Linux, it took something like 1 week to document the vulnerability but over a month to make the Linux groups listen because "Linux is secure and has no flaws".
An interesting bit is that in the datamining from SteamDB about the android proton version, there are several frog banners and resources. Maybe those wayland protocols are needed for the android proton emulation?
we've been getting linux native ports from some companies for the past 10 years, so hopefully nobody feels like it's an enormous risk to try steamOS before windows at this point
it might be convenient if you need an android app on the deck for whatever reason, but are there any worthwhile phone games that would impress someone who plays on pc?
The gacha crowd would gulp it all up. There are some worthwhile titles that you can't really play on PC unless you use an emulator. Regardless of how you look at gacha overall, games like FGO, Blue Archive etc. are pretty big titles a lot of players use emulators to play on PC. I do play FGO myself, and run waydroid to play it when there is new story to play through (I mainly play for story).
@@krykry606 That's if the game does not have anti-root unless Waydroid has a way of preventing anti-root systems from triggering. Some gacha games have what's called "anti-root" which triggers on most VirtualBox-based Android x86 virtualizers preventing them from playing the game.
@@neliaironwood7573 That is in case of out-of-play-ecosystem game distribution, usually those games work without any issues when installed from .apk or .xapk (tested on the top 5 or 6 gacha's out there). But what I meant was actually something else. With libhoudini or libndk translation layer and waydroid, mobile game devs could actually distribute their games directly on steam. Also Waydroid is not a virtual PC, it's an app that takes advantage of native PC libraries and does not create a separate system. It's completely different from virtualbox-based systems or even android emulators like memu or bluestacks.
X11 is still needed for old hardware that is completely usable today or am I wrong? Have played with various distros with Wayland enabled and always find going back to Mint with X11 gives me the best performance and compatibility.
I think the Android support that Valve is trying to do is for the VR games that are being developed for Meta's VR systems. If they succeed, then Valve could probably release a VR system and this will indirectly improve support for VR on Linux and more! :D
+1 for Arch I guess. I didn't even have CUPS installed. Also, Frog protocols is intended more for developers to quickly iterate rather than to provide bespoke implementations. It's intended to be a testing platform because no-one was using wayland staging for... well, staging.
Winamp is one of those names that have actually been dead for a good couple of decades now, but people still think of it because of nostalgia. And perhaps because people don't know that there is no one left of the team that made it a success in the first place. It has been an empty carcass being exploited by others for 20 years now. I don't know of anyone who used Winamp past the Nullsoft days... I personally have never used it past Winamp 3. After that, the software passed through a bunch of hands, and even dabbled with NFTs, so it's not really a surprise that they'd do a move like that, wanting to make the cake and eat it too. We're opening the code up so people can work for free for us. Yeah... if they are going to keep playing with a dead corpse like that, I'd rather forget it exists entirely.
9:25 Is there a source that this is Valve and not just a developer that happens to work at Valve? So far this approach of adding yet another protocol extension repository has been criticized by other Wayland developers. From my point of view this is nothing new; the only danger is that this is to compete with Freedesktop, whereas others do not compete with Freedesktop but simply have their own private extensions.
Just recently started Python and I'll say it has been simple, but I'm also still looking up simple things I probably should know by now. It feels good to work on something, fix problems and finally get something to work after a week.
My big problem with Wayland is that the client controls how it renders. The thing I like most about X11 is that the display server can force the client to behave. One of the biggest problems I always had with Windows is that graphical clients can't be controlled by the user, you can ask the program to behave itself, but you can't force it to behave.
Now I understand why one meme made OpenSUSE a Gigachad distro, actually Nick had complaints about CUPS being firewalled in default settings of OpenSUSE... it isn't that bad now ;)
10:14 this is _already_ the case with how wayland is currently done, though (and my biggest issue with it as both a developer and a user. on X, I can use `feh` to set my wallpaper, on wayland, it's a different utility for every compositor)
One thing I'm wondering about the Android support in Proton is how it'll handle all those Android games that run in portrait mode on devices that have landscape screens. Providing virtual screens, so you can run several side-by-side, perhaps?
Valve trying to make android games run in Proton would actually have a huge effect on Microsoft and Windows: say Valve manages to make it work, Windows games with Android versions and cross play features would incite their players to play on the Android versions through Proton; that would lead to Windows's market share to drop a few, and to retaliate Microsoft would have to provide a layer that simulates kernel level for kernel level anticheats and thus making Windows more invulnerable to stuff like crowdstrike.
Wayland is having talks about being more like CSS, where different protocols are implemented in different compositors while being fleshed out. This should make the changes happen much faster, but there will be software that will not be updated to the stable version. If they do this, it should be highly expressed that only large desktop environment projects are expected to implement the experimental version of a protocol, as they have a much higher chance of reworking the code to support the changes.
The nice thing about Linux and especially quickly updated distros like Fedora is that I don't have to care about almost all critical vulnerabilities when I hear about it. It's probably fixed before or shortly after it's in the news.
Me waiting for merge request 216 action binder protocol for what? 6 years now... Action binder is global shortcuts BTW. Basic functionality such as using a hotkey is missing...
About winamp, the classic version runs somewhat fine (including the milkdrop virtualizations) through bottles, in a game type bottle. Use the default skin.
No idea whether you ever got a kick-back on the deal, but I bought this current laptop from Tuxedo basically on the back of your recommendations, and it's wonderful.
Regarding Proton arm64 build - Alyssa Rosenzweig is contracted by Valve and she’s lead GPU developer for Asahi Linux. Maybe this is how mac gaming is going to succeed.
Valve mentions ARM64EC - Windows 11 ABI some games already compiled to, executes on ARM, supports mixing of ARM and x64 code. There is no Proton for mac, right?
5:20 It's interesting that this info comes as I'm currently searching for a way to play Roblox on Linux. Hopefully Proton will support the Android version!
I've heard Waydroid runs Roblox. Valve mentions ARM64EC - Windows 11 ABI some games already compiled to, executes on ARM, supports mixing of ARM and x64 code.
Valve mentions ARM64EC - Windows 11 ABI some games already compiled to, executes on ARM, supports mixing of ARM and x64 code. That is running Windows on ARM games on Linux ARM.
It's not even about stability with frogs protocols. Regular Wayland protocols *need* to be extremely well thought out for every edge case and every use, because it aims to be *the* standard for something as generic as displaying stuff on screen. This is why decisions can take years. Frog protocols will allow devs to just go and implement something so that current users can just use Wayland normally, meanwhile the regular Wayland protocols can still decide on the exact specification that is good for everyone. Then once it's done, the desktops will implement the wayland protocol which is now set in stone. In other words, frog protocols are just temporary solution to implement things such that they're ready for production use but with knowledge that the exact spec might change later and it's not a universal protocol everyone should rely on.
After that CVE, I hurried to GRC/ShieldsUp to check my network for open ports (again). 😅 All good! Hopefully patches manifest soon (nothing for Garuda/Arch yet AFAICT). 🤞🏻
I actually think that some of their work also could be used to expand their presence on android. Google may start letting people run linux VMs on android. Combine that with that google is being required to allow 3rd party app stores in the play store itself and you could get a scenario where valve may allow you to use proton and linux to play desktop games on android. It would be a wile implementation with a lot of things a user would need to consider but maybe they would simply have another rating system for android playable games.
Winamp's repo also contains some utilities they're not allowed to distribute, as well as commercial QT binaries. Obviously the current holders of the app have no idea what they're doing and how software works.
For some reason having a door in shot annoys me, I like a wall with a poster or the stereotypical fake book case. Yes, I understood the background is temporary.
Proton on ARM and Android would be insane... Pc games on your phone. Your phone these days probably has enough power to handle indie titles, especially the gaming phones. Just needs physical controls. EDIT: nevermind, just realized they meant android games on desktop, not desktop games on Android :(
Wayland dragging its feet is just how it is. They need to get their act together. The ball may be rolling, but it's doing it so slowly it's gathering moss.
I don't understand the odd traction around the frog protocols of Valve. Kwin has its own set of protocols it implements, Mutter has its own set of protocols they implement, wlroots has its own wlr-protocols but when Valve does the exact same thing it's revolutionary?
I think the Winamp criticism is absolutely unfair. Yes, it should not be advertised as "open-source" but that is the only problem. It is still better that we can see the source, learn from it, and even though our trusted organizations (distro maintainers) cannot distribute binaries, they can still be generated and checksummed to confirm that the official distribution is made from the same source as advertised. Also being able to contribute code to an, essentially, proprietary project is still an improvement because you can fix things that personally frustrate you. This is still better than using the thing anyway because it's good but accepting that, for what you know, it might as well be malware, and being unable to do anything when something is broken. On top of that, knowing the source will also make it quite easy to patch the binary if that is, for some reason needed. Distributing binary patches has never been stopped in court yet
I wish Valve brought Proton to Android instead of Android to Proton. With current performance you wouldn't be able to run AAA games but having a few indie games on your phone on the go could be nice. You wouldn't have to rely on games in google play that are infested by predatory microtransactions, you wouldn't have to rely on having a good data plan and connection for streaming and you could play new games instead of playing only retro games. Maybe in the future this will happen.
10:30 imagine if a very popular desktop didn't support a very important protocol and broke some apps? Gnome proves that Wayland is already fragmented. Wayland devs spend a lot of time discussing useless stuff. This will be better than what we have now. Less drama, more working situations.
So how is it run with no authorization or user input if the user has to utilize that fake printer? It's definitely RCE but the seriousness of it I don't feel fits what's capable. With this exploit I can send a packet to your computer that says that I'm a specific printer with whatever information I want and that's fine but you still have to select me to print. So there does have to be user input.
The entire thing about the Valve proposal leading to fragmentation is ridiculous. Wayland already is fragmented, because not every compositor supports all the things others support. The reason for this is the exact thing the Valve person is seeking to fix. If you are worried your DE will not implement some thing in Wayland that is proposed by the Valve thing, switch DE's. Otherwise, you need to not count on compositors to implement all the features of Wayland. You can't have it both ways. Right now we simply sit without features while being told whose "fault" it is over and over by developers who don't want to take the blame. So I see good on Valve for taking the "blame" on themselves and attempting to do something to fix it, and screw everyone else who has something against that. You had something like 15 years to come up with an alternative.
with regards to the winamp source, i don't think we will ever see a port to Linux, but that's ok - maybe perhaps the devs of Audacious can look at the code for some inspiration, and yea, the no forking thing is dumb, just like the dev of duckstation changing the source license to a non-gpl non open source friendly license, but one can already fork the last gpl release.
Sometimes developers have a passion for creating something without knowing how to monetise it, which they’ll figure out later. That’s totally normal, Nick
Not for a startup ;) Yes, for an individual making something for fun, but if you hired developers to work on a product, not knowing how you’ll sell it is ill advised at best
I'm glad that Valve is doing all this work for Linux and ARM, However it's sad that Valve feels the need to do this work when I feel it should be Devs job. I know Linux is not that big of a market
They are not doing it out of goodness of their heart, they are doing it for their benefit (so they don't need to rely on Microsoft or some other third party like Google....), while they are doing a lot at the moment it is mostly just building up on stuff that has been worked on for ages by FOSS community and in some areas they get too much credit, proton for example is a glorified version of wine with some extras, still mostly wine.
To try everything Brilliant has to offer for free for a full 30 days, visit brilliant.org/thelinuxEXP/ . You'll also get 20% off an annual premium subscription.
Thanks
13:00 - The Winamp situation is hilarious. The maintainer released Proprietary code, Dolby Code Lol, they had no right to release, among code from several other projects they had no right to release. They packaged git with a git repo. They packaged 2 versions of 7zip, one portable, and one in exe format as build tools, etc.
The person "Open Sourcing" Winamp was a complete moron and in reality it's not open sourcing anything. It's just some moron who has no idea what he is doing and it's hilarious.
Nick, a video idea for you... Maybe we could have a live chat with you and the folks at Tuxedo so we can ask questions about their laptops? I'd love to buy one and use it but I'm not a Linux pro and still run into issues that I can't figure out. What kind of customer support (paid or not) do they offer to help you get things working like printing/scanning etc. or other issues someone might run into.
I like Tuxedo, but just don't like buying something from overseas vendors. Too much of a pain to deal with support and potential RMAs.
Proven to be 6x better? No doubt you'll be posting the link to the studies for your sponsor?
Valve once again proving to be the best thing to ever happen to the Linux desktop. Crazy they're finally tackling the Wayland-Protocols bureaucracy
They also now collaborate on developing Arch Linux directly.
Yeah, I use an Arch-based distro that uses the stock Arch repos, so hopefully we see some nice funding for Arch proper!
@@cameronbosch1213 especially arm64 version, lol. It sucks right now. That’s why I’m forced to use Fedora on my M1 mac.
@@cameronbosch1213 EndeavourOS?
@Trident_Euclid Yes. It has been extremely smooth since I started using it in 2021, moving to it full-time later that year because of the horror that is Windows 11. Apart from the 2022 GRUB issue, which to be fair, EndeavourOS posted fixes for pretty damn quickly.
Valve embraced Linux and is all in for improving it overall.
Valve has become the new Red Hat imo. What IBM did after buying Red Hat basically made it into a joke of a company, but Valve has been really cool. Windows 8 was the catalyst for Valve working on Linux support for Steam in the first place. Thank you Microsoft for screwing over Valve and helping Linux support pick up!
Really about the only ones while everyone else is actually dropping support for it 😆
@@kolz4ever1980 Mostly older things. Microsoft is obviously involved in this somehow.
@@cameronbosch1213 obviously.... 😂 Older things like space marine 2 that don't work online now huh? Such an oldie but goodie I guess lol
@@kolz4ever1980 Damn you are really pissed that online stopped working on space marine 2 huh
Linux being the only way to run games on arm would be pretty insane
Windows gamers cannot complain anymore about linux having less support than windows lol
Windows gamers don't care about arm when their multiplayer games don't work.
Windows gamers wouldn't even be considering buying ARM laptops.
@@BigTylt that's wrong. desktop pc's will use arm chips in the future. the arm architecture scales performance wise better than 64bit architectures. it's just a question of time. i think it also already happened, but the software isn't there yet? i'm not sure about that. there is a reason why apple switched to the arm architecture with their own chip design.
@@annon2910 bruh 99% of apps don't work in windows ARM bro 😂, even android and Raspberry Pi are better than windows in ARM support for now 😭
One word... Peripherals
Good Initiation from Valve. Now we just have to wait and have faith in Valve.
Valve fans are pretty good at waiting
@@xXx_Regulus_xXx yeah. yeah
Regarding the `cups` RCE: The arbitrary command is not executed as the current user, as stated in your comments. It is executed as the `lp` user, a generally useful thing that the Linux permission system strongly encourages. The `lp` user is one generated for you during the installation of `cups` and should have even more limited permissions than the current interactive user, considering it should have no shell (login shell is usually something like `/usr/bin/nobody`) and will not be the owner or group of anything on the system.
RCE is very bad, but at least this one executes under an early version of permissions sandboxing. What it can have read access to, however, is vast. So much of your user data is `r-x`.
The RCE also shows the issues with grading agencies. It's a pretty bad vulnerability, but you need to print something with the created printer. 9.9 for that when the windows ipv6 got 9.8? Come on now
@@rmidifferent8906 and why tag it as Linux when CUPS is Apple and used on BSD (is it on WSL?)
That's also why your user's home directory should be 0750 for permissions. You can even go 0700 if you want. But it should never be 0755.
@@prahalb CUPS is open source and also used on Linux.
It probably would also be in WSL unless they use a stripped down version for their virtual machine but I have zero idea if/to what extent it translates to any potential danger for the host.
But Linux isn't just something you can put into a little software box, it's something a pretty large number of people¹ are using as their everyday OS, not to mention running the majority of servers and supercomputers. (Though I'm unsure how common having to worry about printing would be for the latter two.)
No idea why other systems weren't mentioned, but it could be a variety of reasons possibly including lack of clarity about whether there's any protection against it outside of CUPS itself since Apple's not exactly open source and BSD is even more niche than Linux (and not just on the desktop side).
¹ Around 4,5%, which doesn't look like a lot until you consider the sheer number of computer users and/or that that means one in every 22 people use Linux on desktop. That's also not yet counting Chromebooks which are apparently also affected.
Winamp already removed the section about denying forks before you released this video, but this is the least of their problems as they left copyrighted code in the repo and are frantically trying to remove it, in the open so it's still accessible.
They left copyrighted code that they don't have a license to distribute, or is GPL. But it's even worse - they left music files that they don't have a license to distribute, and playlist files that link to unlicensed music files hosted on the nullsoft website.
It does beg the question of who has to respect whose TOS or License? It's just funny to think about that they accepted the terms of service on GitHub that said if it's public it's forkable and then put in their license you can't fork it. Reminds me of that meme of "You looked at this page so you've accepted our TOS. You can opt-out by submitting a ten page essay to our office at the center of the earth."
@@guss77 That they didn't get a DMCA from one of the various companies they violated licenses of is very weird.
@@vidal9747 give it time.
the whole repo is a joke. seems like they don't know what they are doing or even how git works.
Isn't the CUPS vulnerability also an issue for Mac systems? I believe CUPS was "borrowed" as the core print server for OSX 10 versions, and possibly continued on to later 11-13 OS versions.
It's a huge nothing-burger, you literally have to have that port 631 open in order for it to work and if you have basic server admin knowledge the only ports that will be open are 80, 443 and 22, which is a good 99% of web servers in existence. Also requiring to be on the same public wifi for it to work makes this entire vulnerability almost impossible to do for all public facing web servers. Literally the chances of being able to successfully pull it off are almost 0.
@@s1nistr433 Thanks for the debunk details. Based on the descriptions of all the conditions needed for the flaw to be exploited, I found the severity of the issue suspect from the start. Won't be worrying about it unduly, though I'd still like to know if my understanding of Mac using CUPS is accurate. ? 🤔
@@s1nistr433 this isn't a server vulnerability, it's a personal computer or workstation vulnerability.
That "9.9" vulnerability is only relevant for computers with the port 631 exposed, so IPv6 devices or computers connected without a NAT or if the port 631 is forwarded for some reason, so it probably doesn't affect most desktop users. It also doesn't affect pretty much any DIY distro (Arch, Void, ...) since the CUPS daemon is just not installed by default. I dunno why every video talking about this vulnerability fails to mention this.
Maybe not a huge concern for Linux users on a home LAN, but could be a big concern for people who connect to public or semi-public networks such as at a university, a library, coffee shop, etc. CUPS is installed by default on lots of distros. I run Linux Mint, and it automatically detected and configured my network printer as soon as I connected it to my network, and even popped up a notification. This would be extremely easy to exploit in some cases, for example at a library or university. Just impersonate an existing printer, and wait for people to print to it to execute the command you implanted.
A guy made a scan with his server and found like 15k ip addresses on the internet with said vulnerable port open
It's also not an issue on public facing servers as they don't have cups-browsed running which is what this vulnerability uses.
The 9.9 rating is highly inflated, it was lowered afterwards
Should I sudo dnf remove cups-* to be safe???
so just close the 631 port when you're out and about?
To mitigate the CUPS vulnerability run "sudo systemctl status cups-browsed" and if you see "Active: inactive (dead)" you're safe, otherwise run "sudo systemctl stop cups-browsed && sudo systemctl disable cups-browsed"
Tip: To both stop and disable, you can type:
systemctl disable --now cups-browsed
It really saves you time if you are troubleshooting or managing a lot of services.
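The check-then-disable advice in the comments above, as an added example that is not part of any comment: it combines the service state with a look at which addresses UDP port 631 is actually bound on. The function names are hypothetical and the socket list is constructed sample data in the shape of `ss -H -uln` output.

```shell
#!/bin/sh
# Added example (not from the comment thread): audit cups-browsed exposure.
# Function names are hypothetical; the sample socket list is constructed.

# Constructed sample in the shape of `ss -H -uln` output.
sample_ss() {
    cat <<'EOF'
UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 [::]:631 [::]:*
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
EOF
}

# Read ss-style lines on stdin; print every local address that is bound to
# UDP port 631 and is not loopback-only.
exposed_631() {
    awk '
    {
        local_addr = ""
        # The first field shaped like addr:port is the local address.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:[0-9]+$/) { local_addr = $i; break }
        }
        if (local_addr == "") next
        port = local_addr; sub(/^.*:/, "", port)
        if (port != "631") next
        addr = local_addr; sub(/:[0-9]+$/, "", addr)
        sub(/%.*$/, "", addr)          # drop a %interface suffix
        gsub(/^\[|\]$/, "", addr)      # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next
        print addr
    }'
}

# Combine the service state with the socket check into one verdict line.
#   $1    : output of `systemctl is-active cups-browsed`
#   stdin : ss-style socket list
verdict() {
    state=$1
    addrs=$(exposed_631 | LC_ALL=C sort -u | tr '\n' ' ')
    if [ -n "$addrs" ]; then
        echo "exposed: UDP 631 bound on ${addrs% }"
    elif [ "$state" = "active" ]; then
        echo "running: cups-browsed active, no non-loopback UDP 631 socket seen"
    else
        echo "ok: cups-browsed not running, UDP 631 not exposed"
    fi
}

# Run the same check against the live system.
audit_live() {
    live_state=$(systemctl is-active cups-browsed 2>/dev/null || true)
    ss -H -uln | verdict "${live_state:-unknown}"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    sample_ss | verdict active
fi
```

Run it with `--live` on the machine itself; an "exposed" or "running" verdict is the case where the `systemctl disable --now cups-browsed` step from the comments applies.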
WinAmp: Screws up the source code access.
Us Linux and FOSS users: "What!? A llama!? He's supposed to be *dead!*"
Man, I absolutely love Valve!
Edit: They just announced an Arch partnership, huge!!!!
seems like they want to keep their OS Arch-based for the foreseeable future, then
Hopefully the AUR doesn't go corporate in the worst way
The Winamp situation is worse. The license is contradictory in at least two places, making me suspect that it's generated by ChatGPT without human interference/review afterwards at all.
if that turns out to be the case I would laugh my ass off 😂
That is actually pretty possible!
It's more likely that it's just devs writing their own license - which is always a bad idea.
@@guss77 Someone in GitHub issues suspected AI as well, not just me. You don't need to be a lawyer to spot the contradictions.
1. it says "free" and "copyleft" (or at least the first version did), while saying basically "all your copyright belong to us".
2. it says basically "all your copyright belong to us", while also saying something like "you grant us a license to use your work". The latter expression is used when the author (contributor) *retains the copyright*, while the company only receives permission to use the work, and not the copyright. If the company gets the copyright, the work no longer belongs to the author, and the author would not be able to grant any permission to anybody.
In addition, a friend of mine pointed out that the repo contains third-party code that Winamp devs should have no say on how to license them.
Forgot to say: IANAL
Winamp 😂
They want free work to rebuild their app and then make proprietary again. Made me laugh.
Winamp really whips the devs ass
Did Winamp steal some license agreement from Adobe? Anyway, I think we have passed Winamp era a long time ago.
I use WinAmp 5.6. It's fast, small, simple, and easy to use. I use the MAD plug-in, which I doubt most people have even heard of. MAD automatically reduces MP3 output if the recording level is too high. I also listen to hour long podcasts. WinAmp only uses 12 MB RAM in Windows. Don't even ask me which Windows I use. ;^)
I still have it in my Windows 10, though I haven't used Windows since last year. Winamp is one program that I do miss. The linux clones of it all seem to lack one thing or another.
I love Arch, but ever since they switched from their old bug tracker to gitlab, then disabled registration, the bug tracker has been absolutely useless. Nobody files bugs, nobody can file bugs, nothing ever gets fixed in the core repos, it's better to discuss issues with core packages in the aur's git version comments.
I don't mind the simpler setup. I usually don't focus too much on you or the background. I mostly listen and then look at the screen when you talk about something that I'm interested to look at like a new app or something.
So keep it simple 😀
Hot damn, I can't wait for linux to flip the script and become the default for gaming.
would be amazing
wishful thinking
@@zocker1600 never say never, it looks like ms pushing people to linux
Also, the cups vulnerability can be used as a staging ground to perform another exploit like a privilege escalation.
I love the style of the European handle on the door.
The technical preview I watched the other day indicated the following: the vulnerability can be as simple as sending a UDP packet containing your code. It gets rights equal to the kernel, so no need for authorization, and from that point you can do anything you want to the person's system. And, as typical in Linux, it took something like 1 week to document the vulnerability but over a month to make the Linux groups listen because "Linux is secure and has no flaws".
Winamp can no longer kick the llama's ass.
idk about other distros, but on my system, the user that runs the CUPS daemon does NOT have access to any of my files.
An interesting bit is that in the datamining from SteamDB about the android proton version, there are several frog banners and resources. Maybe those wayland protocols are needed for the android proton emulation?
Valve can finally be a reason that some companies develop a linux first game.
we've been getting linux native ports from some companies for the past 10 years, so hopefully nobody feels like it's an enormous risk to try steamOS before windows at this point
The fastest i clicked a notification
Fastest I clicked a video
Imagine Google Play games migrating to Steam... possibly huge.
it might be convenient if you need an android app on the deck for whatever reason, but are there any worthwhile phone games that would impress someone who plays on pc?
The gacha crowd would gulp it all up. There are some worthwhile titles that you can't really play on PC unless you use an emulator.
Regardless of how you look at gacha overall, games like FGO, Blue Archive etc. are pretty big titles a lot of players use emulators to play on PC.
I do play FGO myself, and run waydroid to play it when there is new story to play through (I mainly play for story).
Guardian Tales.
@@krykry606 That's if the game does not have anti-root unless Waydroid has a way of preventing anti-root systems from triggering. Some gacha games have what's called "anti-root" which triggers on most VirtualBox-based Android x86 virtualizers preventing them from playing the game.
@@neliaironwood7573 That is in case of out-of-play-ecosystem game distribution, usually those games work without any issues when installed from .apk or .xapk (tested on the top 5 or 6 gacha's out there).
But what I meant was actually something else. With libhoudini or libndk translation layer and waydroid, mobile game devs could actually distribute their games directly on steam.
Also Waydroid is not a virtual PC, it's an app that takes advantage of native PC libraries and does not create a separate system. It's completely different from virtualbox-based systems or even android emulators like memu or bluestacks.
Good luck getting the Wayland devs to do anything. They're even worse than Gnome devs.
My favorite Linux news show, at it again!
Can't wait to play my steam games on android
The Winamp thing is even funnier. They released the source code of some proprietary components like dolby, alongside their own code.
"Two flaws, one cups". LOL
X11 is still needed for old hardware that is completely usable today or am I wrong? Have played with various distros with Wayland enabled and always find going back to Mint with X11 gives me the best performance and compatibility.
Why even release the winamp source if it's only going to be source-available and not open source
Honestly, I tend to not skip your sponsors, they're so useful. I will take a look at them rn.
NO. NOOO.
>Two Flaws One Cups
NO. You sick sonna’va…
And I was happy to have forgotten that.
LoL
A steam deck competitor with an arm cpu would be insane considering the battery life implications
Bring modern developing practices for projects such as Wayland, 100% agree
On Fedora, cups is not enabled, others i don't know.
It was on my Fedora KDE before I disabled it after the news broke. They pushed a CUPS update earlier today.
@@notjustforhackers4252 I noticed that update too
I think the Android support that Valve is trying to do is for the VR games that are being developed for Meta's VR systems. If they succeed, then Valve could probably release a VR system and this will indirectly improve support for VR on Linux and more! :D
It would be REALLY funny if Steam gave support for Arm and Android games only to Linux and never gave that to Windows.
There are plenty of open source Winamp compatible players for Linux. No need for their source code.
+1 for Arch I guess. I didn't even have CUPS installed. Also, Frog protocols is intended more for developers to quickly iterate rather than to provide bespoke implementations. It's intended to be a testing platform because no-one was using wayland staging for... well, staging.
Winamp is one of those names that have actually been dead for a good couple of decades now, but people still think of it because of nostalgia. And perhaps because people don't know that there is no one left of the team that made it a success in the first place. It has been an empty carcass being exploited by others for 20 years now.
I don't know of anyone who used Winamp past the Nullsoft days... I personally have never used it past Winamp 3.
After that, the software passed through a bunch of hands, and even dabbled with NFTs, so it's not really a surprise that they'd do a move like that, wanting to make the cake and eat it too. We're opening the code up so people can work for free for us.
Yeah... if they are going to keep playing with a dead corpse like that, I'd rather forget it exists entirely.
thanks for yet another great video !
All the best from La Norvege !
Winamp whipped their own llamas ass. 😁
9:25 Is there a source that this is Valve and not just a developer that happens to work at Valve? So far this approach of adding yet another protocol extension repository has been criticized by other Wayland developers. From my point of view this is nothing new; the only danger is that this is meant to compete with Freedesktop, whereas others do not compete with Freedesktop but simply have their own private extensions.
Other linux news channel mentioned valve themselves won't do anything to this protocol extension, they're out of scene
Any idea when tuxedo will release an ARM laptop?
Nice to hear you are working on your background. Keep it up, bro!
just recently started python and ill say it has been simple but also still looking up simple things i probably should know by now it feels good to work on something fix problems and finally get something to work after a week
My big problem with Wayland is that the client controls how it renders. The thing I like most about X11 is that the display server can force the client to behave. One of the biggest problems I always had with Windows is that graphical clients can't be controlled by the user, you can ask the program to behave itself, but you can't force it to behave.
Now I understand why one meme made OpenSUSE a Gigachad distro, actually Nick had complaints about CUPS being firewalled in default settings of OpenSUSE... it isn't that bad now ;)
10:14 this is _already_ the case with how wayland is currently done, though (and my biggest issue with it as both a developer and a user. on X, I can use `feh` to set my wallpaper, on wayland, it's a different utility for every compositor)
One thing I'm wondering about the Android support in Proton is how it'll handle all those Android games that run in portrait mode on devices that have landscape screens. Providing virtual screens, so you can run several side-by-side, perhaps?
Valve trying to make android games run in Proton would actually have a huge effect on Microsoft and Windows: say Valve manages to make it work, Windows games with Android versions and cross play features would incite their players to play on the Android versions through Proton; that would lead to Windows's market share to drop a few, and to retaliate Microsoft would have to provide a layer that simulates kernel level for kernel level anticheats and thus making Windows more invulnerable to stuff like crowdstrike.
Wayland is having talks about being more like CSS, where different protocols are implemented in different compositors while being fleshed out. This should make the changes happen much faster, but there will be software that will not be updated to the stable version. If they do this, it should be highly expressed that only large desktop environment projects are expected to implement the experimental version of a protocol, as they have a much higher chance of reworking the code to support the changes.
The nice thing about Linux and especially quickly updated distros like Fedora is that I don't have to care about almost all critical vulnerabilities when I hear about it. It's probably fixed before or shortly after it's in the news.
Me waiting for merge request 216 action binder protocol for what? 6 years now... Action binder is global shortcuts BTW. Basic functionality such as using a hotkey is missing...
About winamp, the classic version runs somewhat fine (including the milkdrop virtualizations) through bottles, in a game type bottle. Use the default skin.
No idea whether you ever got a kick-back on the deal, but I bought this current laptop from Tuxedo basically on the back of your recommendations, and it's wonderful.
Regarding Proton arm64 build - Alyssa Rosenzweig is contracted by Valve and she’s lead GPU developer for Asahi Linux. Maybe this is how mac gaming is going to succeed.
Has she still got the restraining order on you 😅
Valve mentions ARM64EC - Windows 11 ABI some games already compiled to, executes on ARM, supports mixing of ARM and x64 code. There is no Proton for mac, right?
5:20 It's interesting that this info comes as I'm currently searching for a way to play Roblox on Linux. Hopefully Proton will support the Android version!
I've heard Waydroid runs Roblox.
Valve mentions ARM64EC - Windows 11 ABI some games already compiled to, executes on ARM, supports mixing of ARM and x64 code.
I've been a Valve fan for a long time, and news like this just further reinforces that.
Valve mentions ARM64EC - Windows 11 ABI some games already compiled to, executes on ARM, supports mixing of ARM and x64 code. That is running Windows on ARM games on Linux ARM.
It's not even about stability with frogs protocols. Regular Wayland protocols *need* to be extremely well thought out for every edge case and every use, because it aims to be *the* standard for something as generic as displaying stuff on screen. This is why decisions can take years. Frog protocols will allow devs to just go and implement something so that current users can just use Wayland normally, meanwhile the regular Wayland protocols can still decide on the exact specification that is good for everyone. Then once it's done, the desktops will implement the wayland protocol which is now set in stone. In other words, frog protocols are just temporary solution to implement things such that they're ready for production use but with knowledge that the exact spec might change later and it's not a universal protocol everyone should rely on.
The 9.9 was lowered fwiw, it isn't as severe as the original reporter..........reported
After that CVE, I hurried to GRC/ShieldsUp to check my network for open ports (again). 😅 All good! Hopefully patches manifest soon (nothing for Garuda/Arch yet AFAICT). 🤞🏻
I have the feeling that your audio setup is different... I am not sure, if I like it or not 🤔
7:01 just btw Fortnite for Android wouldn't work on x86_64 even with Arm translation since it requires an actual Arm chip
Many Android games have the x86_64 builds too
@@p0358 Yes I am aware, that many games also work through Arm translation I was stating that Fortnite will NOT work since it requires an Arm-based CPU
I actually think that some of their work also could be used to expand their presence on android. Google may start letting people run linux VMs on android. Combine that with that google is being required to allow 3rd party app stores in the play store itself and you could get a scenario where valve may allow you to use proton and linux to play desktop games on android. It would be a wild implementation with a lot of things a user would need to consider but maybe they would simply have another rating system for android playable games.
Winamp's repo also contains some utilities they're not allowed to distribute, as well as commercial QT binaries. Obviously the current holders of the app have no idea what they're doing and how software works.
BTW the rule about not forking the project was removed from the license since it literally breaks Github's TOS for public repos
You mentioned WinAmp but not that they leaked the source code for a bunch of stuff that they do not have the right to distribute in source form?
Bro Valve is actually so kind 🥰
For some reason having a door in shot annoys me, I like a wall with a poster or the stereotypical fake book case, yes I understood the background is temporary
Just had to check if the firewall is still enabled in my router 😊.
The way wayland project has been handling protocols have done more to fracture the community than Valve could do if they were trying. Good on Valve.
Regarding CUPS, doesn't Mac OS use it too?
I know Mac OS used to, but not sure if it still does
Proton on ARM and Android would be insane... Pc games on your phone. Your phone these days probably has enough power to handle indie titles, especially the gaming phones. Just needs physical controls.
EDIT: nevermind, just realized they meant android games on desktop, not desktop games on Android :(
Wayland dragging its feet is just how it is. They need to get their act together. The ball may be rolling, but it's doing it so slowly it's gathering moss.
I don't understand the odd traction around the frog protocols of Valve. Kwin has its own set of protocols it implements, Mutter has its own set of protocols they implement, wlroots has its own wlr-protocols but when Valve does the exact same thing it's revolutionary?
Does the antivirus, anti-malware software by Kaspersky, work on Linux?
If so, can it be used against this vulnerability you're talking about?
Comment for the algorithm.
Yay algorithm woo! This video made me click a bunch of ads!
I think the Winamp criticism is absolutely unfair. Yes, it should not be advertised as "open-source" but that is the only problem. It is still better that we can see the source, learn from it, and even though our trusted organizations (distro maintainers) cannot distribute binaries, they can still be generated and checksummed to confirm that the official distribution is made from the same source as advertised. Also being able to contribute code to an, essentially, proprietary project is still an improvement because you can fix things that personally frustrate you. This is still better than using the thing anyway because it's good but accepting that, for what you know, it might as well be malware, and being unable to do anything when something is broken. On top of that, knowing the source will also make it quite easy to patch the binary if that is, for some reason needed. Distributing binary patches has never been stopped in court yet
When is Tuxedo releasing their ARM64 laptop?
I wish Valve brought Proton to Android instead of Android to Proton. With current performance you wouldn't be able to run AAA games but having few indie games on your phone on the go could be nice. You wouldn't have to rely on games in google play that are infested by predatory microtransactions, you wouldn't have to rely on having good data plan and connection for streaming and you could play new games instead of playing only retro games.
Maybe in the future this will happen.
10:30 imagine if a very popular desktop didn't support a very important protocol and broke some apps? Gnome proves that Wayland is already fragmented. Wayland devs spend a lot of time discussing useless stuff. This will be better than what we have now. Less drama, more working situations.
Droid on Linux will be what pushes me finally to Linux only!
Missed another great news from Valve, they are now collaborating with Arch Linux.
Oh nice, this wasn’t out when I posted the video, but I’ll check it out
Regarding winamp, they allowed forking in the license, because not doing so would be against GitHub TOS
Thanks Nick.
So how is it run with no authorization or user input if the user has to utilize that fake printer? It's definitely RCE but the seriousness of it I don't feel fits what's capable. With this exploit I can send a packet to your computer that says that I'm a specific printer with whatever information I want and that's fine but you still have to select me to print. So there does have to be user input.
The entire thing about the Valve proposal leading to fragmentation is ridiculous. Wayland already is fragmented, because not every compositor supports all the things others support. The reason for this is the exact thing the Valve person is seeking to fix. If you are worried your DE will not implement some thing in Wayland that is proposed by the Valve thing, switch DE's. Otherwise, you need to not count on compositors to implement all the features of Wayland. You can't have it both ways. Right now we simply sit without features while being told whose "fault" it is over and over by developers who don't want to take the blame. So I see good on Valve for taking the "blame" on themselves and attempting to do something to fix it, and screw everyone else who has something against that. You had something like 15 years to come up with an alternative.
with regards to the winamp source, i don't think we will ever see a port to Linux, but that's ok - maybe perhaps the devs of Audacious can look at the code for some inspiration, and yea, the no forking thing is dumb, just like the dev of duckstation changing the source license to a non-gpl non open source friendly license, but one can already fork the last gpl release.
Sometimes developers have a passion for creating something without knowing how to monetise it, which they’ll figure out later. That’s totally normal, Nick
Not for a startup ;) Yes, for an individual making something for fun, but if you hired developers to work on a product, not knowing how you’ll sell it is ill advised at best
CUPS Fix.. My Linux Mint 22 machine has already updated.
Yep, on Ubuntu 24.04 LTS I got the updates too, so I feel secure now.
All I can see is the lint on your mic ... I might have an OCD problem though :)
Ubuntu and Mint released patches yesterday. (Friday 27th)
I'm glad that Valve is doing all this work for Linux and ARM, However it's sad that Valve feels the need to do this work when I feel it should be Devs job. I know Linux is not that big of a market
They are not doing it out of goodness of their heart, they are doing it for their benefit(so they don't need to rely on Microsoft or some other third party like Google....), while they are doing a lot at the moment it is mostly just building up on stuff that has been worked on for ages by FOSS community and in some areas they get too much credit, proton for example is a glorified version of wine with some extras, still mostly wine.