An operating system with all the usual tools, but without news and ads
Ralf Mardorf
kde.lists at yahoo.com
Wed Jun 8 07:11:40 UTC 2022
On Tue, 7 Jun 2022 23:37:39 -0400, Jon LaBadie wrote:
>[...] several online stores I regularly use, my router's admin page,
>etc. The shortcuts are dynamic, if I visit a site several times, it
>will replace one of the existing shortcuts.
>
>Have you visited the ADIDAS website. Perhaps the shortcut system was
>just doing its thing helping you revisit a previously visited site.
>
>Don't like them? Turn off the shortcuts like you have the recent
>activity feature.
Hi,
I'm using pinned shortcuts. I never visited ADIDAS, nor do I ever use
AMAZONE, LinkIn, Pinterest, Facebook, Twitter, OTTO or similar links
Firefox and other browsers tend to add after one or the other upgrade.
Soon or later all of them add this to me completely useless, but
annoying advertising links. A lot of people for sure don't note it,
since they anyway order from AMAZONE and have got a Facebook account.
The point is, that I do not want to remove or turn off something to get
rid of it. I expect not to get something like this without having to do
anything at all.
On Tue, 7 Jun 2022 11:57:32 +0200, Liam Proven wrote:
>Waterfox?
Btw. there are two very different products named Waterfox:
https://waterfox.heliopas.ai/en/
https://www.waterfox.net/
There's a big problem. I can't find a signed checksum. I even can't
find an unsigned checksum.
"Verify the releases
It is essential that you verify the integrity of the downloaded files
using the SHA signatures. Most operating systems support the `shasum`
command. Download the accompanying .SHA512 file and check the contents
of its file using cat. Compare that value to the output of shasum.
cat $DOWNLOADED_FILE.SHA512
# Output of cat command here.
shasum -a 512 $DOWNLOADED_FILE
# Output of shasum command here.
# If the output of both commands is the same, the file is likely to be
safe." - https://www.waterfox.net/download/
Where can I find the unsigned checksum?
Now I want to know how it's done when distros build packages. Since I'm
running an Arch Linux session and the PKGBUILDs (package build scripts)
are easier to check, than the Ubuntu package sources, because by Arch
those are accessible in a BSD ports-like way, I checked those for Arch.
An Arch PKGBUILD allows to skip security checks, but usually it should
look like this:
source= array of the source, e.g. an URL
validpgpkeys= array of the long gpg key IDs
sha256sums= array of the signed checksums, no checksum should be
skipped
All build scripts I checked didn't contain the array for the long gpg
key IDs, the sources were checked against unsigned checksums. Taking a
look at the projects I noticed that the projects don't provide signed
checksums. IOW I don't need to check how packages are build for Ubuntu
or other distros. No distro can check the source code of common web
browsers against a signed checksum, Upstream simply don't provide it.
At least the packages provided by official Ubuntu, Arch and almost all
other distro's repos are signed, but this doesn't gain much for packages
that were build without a sane security check in the first place.
However, since a lot of people are installing packages of much used web
browsers and it at least is for sure all are using the same packages, a
security issue is more likely noticed, than when installing software
that isn't used that much and from a third party source. So it at least
gains a little bit more security to install Firefox from an official
Ubuntu repository than to install Waterfox from a third party source.
Now I'm still worried about the ads, but also about the insecureness of
web browser packages.
Regards,
Ralf
More information about the ubuntu-users
mailing list