  • Every bugfix is a CVE. Even if it is maybe not a security problem in the first place, it might be one in the kernel context, so everything is a CVE. Also, other CVEs from other applications, open source or not, don’t have to mean that much. You have to view those databases quite critically. Especially if you need very esoteric, almost magical methods to exploit.

    When the people of the Linux Kernel started flooding them, because every bug is a security problem, those database providers were and are very happy. It makes good money; that data is sold by other providers to companies. And now you really have to use their service, because the kernel has soooooooo many security problems! It is not like developers or security teams are happy about this shit. But if the senior leaders insist on using those CVEs, you don’t have any choice. And it is not that unusual that it is not needed to address them.

    The Linux Kernel can provide and provides more security when you use them. It is the decision of the distribution whether they want to enable SELinux or AppArmor, or enable kernel options which make your system more hardened, with memory encryption, page poisoning or kernel lockdown and so on. Since this is only the kernel, the userland can provide more features, which some distributions also enable.

    The way you can elevate applications and define special rights for the usage of devices or OS functions is incomparable to standard Windows. If only user, group and rwx existed, there wouldn’t be any lxc, podman, docker or whatever today. Windows does not do the same now. Windows does it differently and can’t do some things regarding elevation of rights and their restriction by design.


  • The Linux Kernel provides more security techniques than Windows indeed, but they need to be used. To point out CVEs is kind of stupid. The Linux kernel never committed any entries to the CVE database for years; they started doing so in February 2024, because they gave up on their opposition. They warned that if they do this now, the databases will get flooded with CVEs. Because in the kernel context, every bug counts as a security problem, if you look at it from the right perspective. This is a difference to Windows CVEs.

    Of course this is great for those CVE database providers because they now can sell their stuff happily.

    What you need are not CVE entries for the Linux Kernel, but the latest supported Linux Kernel installed.

    And srsly: Antivirus is snake oil. Using software with Administrator rights in Windows or even Linux, which parses every file, is fucking dangerous. It is usable on a mailserver, where the antivirus process is containerised or virtualized.

    And what is the point with firewalls I read here? Most distros have firewalls enabled. When were they not there? Iptables was always there and I had to configure it, so I could allow or disallow incoming traffic. I almost never had to install it manually.

    Edit:

    Regarding CVEs, here is what the Linux CNA says:

    Note, due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team is overly cautious and assign CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team.

    Source

    Any bugfix is a CVE


  • I did it a few times between 2008 and 2010 when I was way younger. Idk how I did it, but after two times I was used to it and also learned a lot. Today I don’t have the nerves to install Arch without archinstall or anarchy. The wiki helped me a lot. The wiki gives an excellent guide to install Arch and to set up everything you need. It is well written enough that no deep Linux knowledge is needed.

    The Arch Linux wiki is great for everything. I used it when I had Fedora, Debian or sometimes if I used OpenBSD.





  • It’s not security debt, it’s just general technical debt.

    I would also say that this is just technical debt. I also fully understand that there are things like breaking changes. I remember clearly when we used asyncore in the past for Python at work and then it became deprecated. It was still possible to use it for a long time, but a change was needed. Such breaking changes cause work and are not nice. Especially if it is a big piece of software.

    On the other side, I am not happy if I buy software or hardware which has probably insecure dependencies. I understand the developers, I am also one, and I know that many things are not under their control. I am also not blaming them. But it is a no-go if something new is sold with a 10-year-old OpenSSH server, 15-year-old curl or other things.

    But I am not taking exotic vulnerabilities that seriously. Like, if you need specific constellations so that this is somehow hackable.



  • As I already said, I am sorry if that sounded harsh, but my explanation is still valid. I was not sure about your seriousness simply because you ended with the question: ‘unless being anti-trotsky = anti-communist?)’

    I have had enough contact with ‘Marxists’ who will even repeat straight far-right propaganda if it is something against Trotsky, even spreading antisemitic lies. His Jewish heritage is one of the most popular attack points. I have a Russian book here, named ‘Leaders and Tyrants’ from the 90s, which loves to point out every time that he is Jewish.

    Considering all this and how your question was formulated, it could have been a non-serious question. A person asking this non-seriously would gain nothing, but rather reveal their hatred against Trotsky, even if it is done in an anti-semitic manner.

    especially someone who’s been in the grad for way more than you ever have

    I don’t know what you have read or not, how far you are already. But if I were to assume that you are well-read in Marxist literature, then your question would have everything of what I have described above. With the people I deal with, such a scenario is very likely, even online. Such is also possible on Lemmygrad, of course.

    But now I know that it doesn’t apply to you. That’s why I also wrote that I am sorry for the harshness due to the uncertainty regarding your seriousness.

    I hope you understand now why I answered the way I did.

    However, it wasn’t my intention to offend you. I am sorry if I did. But my explanation is still valid; you can ignore the harshness, or I can rewrite it in a manner that is not harsh.

    unlike you I’m not aware of every single little thing about Soviet history and culture.

    I am also not aware of everything. I am still learning. But it is not about Soviet culture or history. If you are interested in Soviet culture, I encourage you to take a look at Soviet films.


  • You only see that it is somehow against Trotsky, isn’t it? This is a propaganda poster of the White Army. It would be naive to think that there is nothing anti-communist about this poster. So you have to take a look at the conditions under which this poster was made:

    The White Army blamed Jews for Bolshevism. Remember the pogroms? The Protocols of the Elders of Zion and the Black Hundreds? In the propaganda of the White Army, Trotsky often had demonic features because he was Jewish and played an important role in the civil war. This is a continuity of the anti-semitic agenda of tsarist Russia. And it was in fact so that young Jews became revolutionaries; they saw a better life in socialism than in antisemitic tsarism.

    the flag still says RSFSR, so I’m also confused how this would be anticommunist as well (unless being anti-trotsky = anti-communist?)

    So what is the poster, translated? “Peace and Freedom in the Soviet Russia” is written on the top. And you see a red demonic Trotsky, a Jew with millions of skulls under him.

    Should you not be convinced, then look here for the original poster, which I didn’t post:

    Also other posters from that time exist.

    It is antisemitic even without the Star of David, considering the conditions under which it was created. The Nazis later extended it clearly with the idea of Judeo-Bolshevism, which also had its roots in all of the anti-semitic attacks Marxism received (don’t forget Marx, he was often attacked for simply having Jewish heritage).

    And if you look at what the far right is saying about communism: Jews. October Revolution: Jews. Marxism: Founded by Jews and continued by Jews. Jews, Jews, Jews.

    Sorry if I sound harsh, but it’s not so easy to understand the seriousness of your comment.





  • It has the same possibility to serve data to others as the SMART function of your hard drive does, if you use it together with a monitoring system. This is telemetry. You still don’t understand what telemetry is, do you?

    This means the machine has the ability to serve data to others, to the network, and to the admin collecting it

    You can activate the function to collect specific data, which can be sent somewhere else, if you want. You decide what happens. I am getting mail reports about my OPNsense firewall if something is not going well. This is also telemetry. Those drivers simply give you the possibility to access data natively. You have a direct API and you can work with it. It’s the same for SMART. It is the same. Even the information the sensors on your computer are showing to you is exposed through a driver. Look here. You have to load modules. These modules are getting data. Telemetry.

    And to answer what you wrote first:

    Telemetry is a way for machines to passively allow another to collect data. Any chance this can be exploited? Why have it if your intention is a sole user/admin of a single machine?

    Telemetry is a way to collect data. That “another” can probably be yourself. So what about lm_sensors, does the average user need the information about how the voltage is? Answer it for yourself.

    And also not everyone is a sole user/admin of a single machine. Even as a developer I am depending on log files which can be collected, so this all is quite handy. You still don’t have a point.

    With the complexities of a self regulated system as systemd such abilities can’t be controlled or audited by a user, but look at what most users of linux have.

    Don’t switch the topic. Tell me what is bad about lm_sensors and SMART.

    For non-industrial use no telemetry is needed or should be allowed.

    dmesg not allowed anymore? Try “ip a” or “ifconfig”. Be ready to receive some collected data.

    But you pick up on a detail of what the original post is aiming to state to discredit it on a technicality that is meaningless.

    No. The claim that the Linux kernel is likely to send collected data to large companies is a huge accusation. This would have tremendous implications. Back then there was already an outcry with a Linux distribution because the internet connectivity was checked by a ping to 8.8.8.8. And now the Linux kernel is sending telemetry data to big companies? Do you understand what this would mean? And also Rust. But the Rust thing has already been pointed out by another user.

    The point is DO NOT let your anti-windows rhetoric blind and confuse users that this is an easy and safe alternative that provides security, privacy, and other goodies, when 99% choose windows that is just as automated and “user friendly” as windows.

    Never used anti-windows rhetoric.

    You tell me if your average linux user (especially those using gnome and plasma) know where, how, and why to disable kernel modules. Whether those modules are optionally disabled, enabled, included in the kernel, or awaiting someone to trigger them. Look at forums and boards, people mess up their boot-loader or fstab and their ms-win reaction is to format the disk and reinstall something like ubuntu.

    Stop pretending that those modules are collecting and sending something. You clearly don’t understand what you are talking about. This is not a problem, but you pretend to understand it and repeat it over and over again. Those modules are not doing something bad. If you don’t like that data is collected, try to remove /var/log somehow. And also disable dmesg somehow.

    There is nothing wrong with being wrong and you can ask. But you are stating things as facts that are absolutely not true. You are absolutely stubborn (sorry, I have to say that) about telemetry. You don’t understand the difference between data that is sent to a company and data that is made available through an interface. Telemetry for you means that somehow data is collected and then sent to Microsoft. And because the module in Linux has the word “telemetry” in its name, it is the same for you. You also don’t understand that all monitoring programmes use telemetry, even htop. gkrellm has the possibility to connect externally, that is already telemetry that is sent.

    You are also wrong about Rust. Supply chain attacks are indeed a problem. This applies to every programming language and there is only little you can do about it. Who said that the Rust developers even use modules from random third parties? That’s the point.

    You can say “Ok, I am wrong with that all, but my point about security still applies, because everything is complex and systemd etc”. But stop insisting on things that are obviously wrong.



  • No, they can’t. What are you talking about? It’s like an agent writing specific things to /var/log. Telemetry means that data is collected for your usage. Not for corporations. Intel PMT gives you the ability to access data. You can collect it and do stuff with it.

    Have you ever seen software which helps you to see how your assets are doing? Look at Nagios. This thing collects data from your assets and visualises it. And this is a kind of telemetry. With Nagios you can see when it’s time to replace your hard disks on a server because the SMART values are bad. This is all telemetry. And here you have a possibility in a driver to access certain stuff. No stupid workarounds, direct access. Access which is under your control. Have you ever seen a datacenter or worked somewhere where you have to manage a bunch of servers? You can check every instance one by one or simply collect data and see what’s going on.

    You are simply misunderstanding the word “telemetry”.