[-] moonpiedumplings@programming.dev 6 points 4 months ago

I find this comparison unfair because k3s is a much more batteries-included distro than the others, coming with an ingress controller (traefik) and a few other services not in talos or k0s.

But I do think Talos will end up the lightest overall because Talos is not just a k8s distro, but also an extremely stripped-down linux distro. They don’t use systemd to start k8s, they have their own tiny init system.

It should be noted that Sidero Labs is the creator of Talos Linux, which another commenter pointed out.

[-] moonpiedumplings@programming.dev 6 points 6 months ago* (last edited 6 months ago)

No. There was malware in the releases. The issue was most likely accidental, something that spread from their computer. But they didn't handle it well.

Discussed here:

https://www.reddit.com/r/EmulationOnAndroid/comments/1k95pzb/winlator_and_its_forks_reported_to_be_infected_by/?share_id=UJbVQpRO9yp5PAWKIFf3I

The emulation on android community definitely has a problem with ungrateful trolls though, particularly on the discords, which is why I am annoyed whenever projects bother to create one. I've seen 2-3 projects get shut down because of harassment on their discords.

[-] moonpiedumplings@programming.dev 6 points 11 months ago* (last edited 11 months ago)

Here's a fun fact not noted in the article: Temporary files in sqlite are named etilqs_something in order to prevent people from contacting the sqlite developers for support when other applications (specifically, McAfee) have decided to dump and not prune temp files.

Source: https://github.com/sqlite/sqlite/blob/95f6df5b8d55e67d1e34d2bff217305a2f21b1fb/src/os.h#L57

So, you might be misunderstanding how BTRFS snapshots work.

A BTRFS snapshot is not a complete copy of the system, but rather merely a recording point, and only CHANGES between the current system and the snapshotted system actually take up space. Like, if you snapshot a system, and then install 1 GB of updates, that snapshot only takes up that 1 GB of differences in the system.

It's exactly because of this that it's somewhat difficult to shuffle BTRFS snapshots around.

So, you can use BTRFS send/receive to send subvolumes to other btrfs devices.

So, snapshots are really just a subvolume that only takes up the difference between your main subvolume that you use, and the snapshot subvolume. You can use btrfs send/receive to send them to another btrfs partition... but I don't know if sending subsequent backups will deduplicate data properly.

What you might want instead, are rsync backups. Timeshift also supports rsync backups, which copy all the data over to any device using rsync for the initial backup, but then use hardlinks to store only the changes between the backups for subsequent backups. Similar to btrfs — but simpler, is my understanding.

Warfork

Fork of the older warsow, open source movement shooter. Think quake.

Sadly, it seems to be dead on steam.

[-] moonpiedumplings@programming.dev 6 points 2 years ago* (last edited 2 years ago)

Docker's manipulation of nftables is pretty well defined in their documentation

Documentation people don't read. People expect that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.

As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

Too bad people don't read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver's webtop, because it's an example of two of the worst footguns in docker in one.

To include the rest of my comment that I linked to:

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

You originally stated:

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add firewall rules for a new container.

And I'm trying to say that even if that was true, it would still be better than a footgun where people expose stuff that's not supposed to be exposed.

But that isn't the case for podman. A quick look through the github issues for podman, and I don't see it inundated with newbies asking "how to expose services?" because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

(I don't have anything against you, I just really hate the way docker does things.)

Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add firewall rules for a new container.

My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn't be exposed.

Excerpt from another comment of mine:

It’s only docker where you have to deal with something like this:

```yaml
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped
```

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at shodan or zoomeye, internet-connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.
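The two footguns in the compose file above (ports published on every interface, which Docker punches through the host firewall with its own nftables/iptables rules, and the bind-mounted Docker socket) are easy to catch before deploying. The following linter is an added example, not part of the original comment or of linuxserver's project; it is deliberately line-based so it needs no YAML library, and its `WEAK` and `HARDENED` samples are constructed here, with `WEAK` mirroring the quoted webtop compose.

```python
"""Lint a compose file for the two footguns discussed above: ports published
on every interface (Docker inserts its own nftables/iptables rules for them,
so a host firewall that only filters INPUT never sees that traffic) and a
bind mount of the Docker socket (root-equivalent access to the host)."""
import re

# Short port syntax: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto], optionally quoted
PORT_RE = re.compile(
    r'^\s*-\s*["\']?(?:(?P<ip>[\d.]+|\[[0-9a-fA-F:]*\]):)?'
    r'(?P<host>\d+(?:-\d+)?):(?P<container>\d+(?:-\d+)?)(?:/(?:tcp|udp))?["\']?\s*(?:#.*)?$')
SOCK_RE = re.compile(r'^\s*-\s*["\']?/var/run/docker\.sock:')

def lint_compose(text):
    """Return (line_no, finding) tuples; an empty list means neither footgun is present."""
    findings = []
    section = None  # the list we are currently inside: 'ports', 'volumes' or other
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if not stripped.startswith('-'):
            # A mapping key starts a new list; only ports: and volumes: matter here
            key = stripped.split(':', 1)[0]
            section = key if key in ('ports', 'volumes') else None
            continue
        if section == 'ports':
            m = PORT_RE.match(line)
            if m and m.group('ip') in (None, '0.0.0.0', '[::]'):
                findings.append((no, f"host port {m.group('host')} published on all interfaces"))
        elif section == 'volumes' and SOCK_RE.match(line):
            findings.append((no, 'docker socket bind-mounted into the container'))
    return findings

# Constructed samples: WEAK mirrors the webtop compose quoted above; HARDENED
# binds the same ports to loopback (a reverse proxy on the host can front them)
# and drops the socket mount.
WEAK = """services:
  webtop:
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
"""
HARDENED = WEAK.replace("      - /var/run/docker.sock:/var/run/docker.sock #optional\n", "") \
               .replace("- 3000:3000", '- "127.0.0.1:3000:3000"').replace("- 3001:3001", '- "127.0.0.1:3001:3001"')
```

`lint_compose(WEAK)` reports the socket mount and both published ports; `lint_compose(HARDENED)` returns nothing, because a loopback or LAN bind address is the one thing Docker's published-port rules will not expose to the internet.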

You could write the entire program in awk,

https://github.com/djanderson/aho

from the linked readme: https://steamdb.info/tech/Container/Electron/

From this list, I used to love krunker.io, but I never played the steam version because it wasn't native linux.

[-] moonpiedumplings@programming.dev 5 points 2 years ago* (last edited 2 years ago)

Considering I know someone, personally, who also made a scientific advancement at a young age, yes, it is possible.

They taught themselves python, then how to inference and train machine learning models, then used image recognition models to detect their sister's illness, which had visual signs.

They had to get help from someone with a phd to test this on a larger scale, cuz resources, but I absolutely believe a middle/high schooler could do it.

https://www.nbcsandiego.com/news/local/del-norte-high-school-seniors-invention-could-save-thousands-of-lives/3159354/

It's not that PhDs are incapable of doing it, it's simply that they never bothered taking a crack at this problem, using this method.

My problem with this is, what stops people from simply violating the license anyways? Is FUTO going to go after every license violator? Do they even have the power to do so?

I've seen people make adware versions of closed source apps as well, so even not having the code public and online doesn't stop people.

moonpiedumplings

joined 2 years ago