On a computer that is online, you can say `apt install --download-only foo` to download (and not actually install) the `.deb` files for `foo` and its dependencies to the directory `/var/cache/apt/archives/`. You can then copy them from the online computer to the offline computer, and install them with `dpkg -i *deb` (assuming the debs are in your current working directory). Note however that `apt` on the online computer will only download dependencies which aren’t already installed. To force re-downloading of a specific package which is already installed, you can say `apt install --reinstall --download-only foo`.

Instead of downloading with `apt install --download-only` you could also find the download paths for individual `.deb` packages using https://packages.debian.org/foo and then download them using a browser.

You could also copy the contents of `/var/lib/apt/lists/` (after running `apt update`) and the contents of `/var/cache/apt/archives/` both to the corresponding locations on the offline computer and, if your `sources.list` files have the same entries, then you can offline install the things you’ve put in the cache folder using `apt` instead of `dpkg`.

Or, if you have lots of disk space, you can create an offline mirror of all (or some) of debian and point your `sources.list` file at a local `file:///` source and then you can use `apt` like normal but completely offline.
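
The copy-then-`dpkg -i` route from the comment above, as an added sketch that is not part of the original comment: `dpkg -i` installs whatever file it is handed without consulting apt's signed package lists, so this stages the cached `.deb` files with a SHA-256 manifest on the online machine and checks it on the offline machine before installing. The function names and the bundle directory are hypothetical.

```shell
#!/bin/sh
# Added example: function names and the bundle directory are hypothetical.

# Online machine: fetch the package (even if already installed) plus any
# dependencies that are not installed yet into apt's cache.
fetch_debs() {
    apt-get install --reinstall --download-only -y "$1"
}

# Online machine: copy cached .debs into a bundle dir and write a manifest.
# $1 = cache dir (normally /var/cache/apt/archives), $2 = bundle dir
# Carry SHA256SUMS separately from the files (or sign it): a manifest that
# travels with the files only catches accidental corruption.
stage_bundle() {
    mkdir -p "$2" || return 1
    cp "$1"/*.deb "$2"/ || return 1
    ( cd "$2" && sha256sum -- *.deb > SHA256SUMS )
}

# Offline machine: fail if any file differs from the manifest, or if a .deb
# is present that the manifest does not list.
verify_bundle() {
    ( cd "$1" || exit 1
      sha256sum --quiet -c SHA256SUMS || exit 1
      for f in *.deb; do
          # Manifest lines are "<hash>  <name>"; match the name literally.
          grep -qF -- "  $f" SHA256SUMS || { echo "unlisted: $f" >&2; exit 1; }
      done )
}

# Offline machine: install only after the bundle verifies.
install_bundle() {
    verify_bundle "$1" && dpkg -i "$1"/*.deb
}
```
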

any peertube experts have any idea why this comment i just made on a peertube post via lemmy didn’t federate back there? it’s supposed to now, right?

maybe it depends on what you mean by “effective”, but generally, no.

@nutomic@lemmy.ml any idea why is the lemmy.ml/pictrs/... image in this post 404?

(there are also currently a bunch of other 404’d pictrs resources on this instance, such as the icons for ~half of the communities on the first page here: https://lemmy.ml/communities …)

> I have not said about metadata, but contested your claims of conflating security with phone number identifier causing lack of anonymity.

Huh? My first comment in this thread did not say anything about metadata or anonymity; it was (like the linked blog post) discussing the attack surface that comes with using phone numbers for authentication.

It was you that brought up both metadata and anonymity when you said this:

> Wrong. Anonymity from your contacts or phone carrier or government is different from security of messages and metadata.

(emphasis added). Phone numbers are also terrible for those issues, of course.

> do you think organisations like Riseup are also backdoored

I did not say signal is “backdoored”. I think their client and server software is most likely doing what they say it is, and Signal employees can probably honestly say they don’t retain any data that they could give to governments. The backdoors, if you want to call them such, are in the phone number based design and the choice of company (Amazon) that they rely on to keep the promises that Signal makes to their users.

My understanding of Riseup is that they own their own hardware, which puts them in a better category than Signal already. They also don’t require phone numbers. They do however use an invite code system to prevent spam/abuse, which they say they don’t retain a social graph from… but it isn’t clear to me how that system is actually useful to them if they don’t. Unlike Signal, Riseup is explicitly for activists, which makes me reluctant to recommend it. I don’t think it is intentionally backdoored and I think the people behind it mean well, but I think having a system explicitly for activists seems wrong as (1) it is a very attractive target and (2) merely using it can make you seem suspicious. The use of riseup has actually been cited as evidence of wrongdoing in an arrest warrant in Spain.

Signal’s “sealed sender” metadata protection is a farce.

Their use of phone number identifiers is a gift to police and other violent adversaries around the world, including those that amazon doesn’t cooperate with. When one person’s phone gets seized or otherwise compromised, that adversary gets a list of the phone numbers - aka strong selectors in intelligence lingo - of all of the victim’s contacts.

Signal’s initial growth was funded with millions of USD from the US government, ostensibly for use by dissidents in places like China and Iran. The former requires ID to obtain a phone number, and the latter requires fingerprints. Even people who support the US’s soft power efforts to aid dissidents in those countries should be disturbed by the promotion of the use of phone numbers for “secure communication” in those contexts.

so… a bunch of twilio employees had (and still have) exactly the capability that the attackers gained with this phishing attack. As do employees of Signal, Amazon, and various telecom companies, not to mention governments.

“Secure messenger” and “requires a telephone number” are not compatible concepts.

+1 to the other replies here recommending starting over with a single partition.

However, if you want to apply some duct tape to fix your immediate problem without reinstalling, to point a filesystem location (path) from a full partition at a location on another partition which has available space, two options you have are symbolic links or bind mounts. The former is conceptually a little bit simpler, but it won’t satisfy some applications. The latter is a bit more complicated, but the unix stack exchange answer i just linked to has a good explanation of the ins and outs (but on Linux you should ignore the parts of that answer about bindfs and nullfs and just follow the instructions under Linux bind mount). And if you want a bind mount to persist after a reboot, be sure to follow the instructions there about adding it to your `/etc/fstab` file.

update: via this post (as well as the comments on the linked pine64 blog post) TIL that this open letter was written in response to Manjaro (an arch-based distro which is now shipped preinstalled on the pinephone) which has shipped some alpha quality software which developers did not consider ready to ship to users yet.

> Would it change your opinion if he was paid for working on the software by the criminals?

Yes, it would change my armchair not-a-lawyer-but-i-play-one-online legal opinion. If there is evidence that he was (knowingly) hired to write the software by people who were planning to violate laws using the software, then it is not as much of an open-and-shut first amendment case (assuming they’re planning to extradite him to the US…).

> It is currently unknown and given the nature of the software involved might never be known

Indeed. Which is why your assessment of his arrest should not be based on the assumption that that is what happened.

> if the developer was unaware of this risk, they were very naive

Well, their security audit didn’t seem to spot the risk…

Seriously, though, are you condoning someone being arrested for publishing software?

A buyer should be as much as possible anonymous, but a seller should not

GNU Taler is a payment system built on this philosophy

Happy Sysadmin Day today to all Lemmy instance operators! Thanks for keeping things running.

Terraform Industries: gigascale atmospheric hydrocarbon synthesis
"[We're going to need a lot of solar panels](https://caseyhandmer.wordpress.com/2022/07/22/were-going-to-need-a-lot-of-solar-panels/)"

use cryptography, for decentralized identities and content addressability.

the “fediverse” is ostensibly decentralized but that actually just means it has more single points of failure than the centralized model it is attempting to replace. (a failure doesn’t necessarily take the whole thing down, but, “federated” generally means there are more people and systems which could individually prevent information from flowing from point A to B; eg, I can’t message someone on another server if my server is down or if their server is down.)

Secure Scuttlebutt has a much better data model but is doing other things wrong so I haven’t used it much. Maybe Twitter’s Bluesky thing will produce something good, but I’m not holding my breath. What is clear is that ActivityPub is not a good long-term answer (but it is fun today).

torrents, and yt-dlp (works with bandcamp, soundcloud, etc, not only youtube).

with a few exceptions i only pay for music when i can do so without an intermediary taking a big cut and my data (eg, mostly only in-person at a show), but i have paid for things through bandcamp a few times.