Best practices are not determined by whether or not a device is running Linux. Best practices are determined upon the context of the use-case scenario of the product/device/etc... Then a cost/benefit analysis should be applied to determine the best practices for that particular context.
That's not true.
What will an updated linux kernel do for us gamers?Solskogen wrote: ↑Mon Apr 12, 2021 1:40 pmThat's not true.
I'd like to know how the userland and kernel are compiled and packaged, but I didn't get a reply. I'd love to see a newer and more up to date kernel, and with a newer userland. If I knew how that process is done, I could help keep it updated.
@solskogen you are the minority, I appreciate your desire to get to the linux compilation bits. You will quickly find GPL "open source", isn't done properly, and some folks here on the dev team refuse to let the buildroot from their clutches.Bas wrote: ↑Mon Apr 12, 2021 3:17 pm Not much for the MiSTer's primary use case. A properly maintained OS keeps your appliance from becoming a potential springboard for attackers who are intent on abusing your home network. Of course the SSH root shell with a fixed default password that simply keeps reverting is a bigger bullseye on MiSTer's back, but running proper maintenance should be a priority for the owner of any networked device. If nothing else, it's good citizenship and the decent thing to do on the internet we all share.
Personally I don't use bluetooth anything, I literally only plug the net in to the mister to do an update, the rest of the time it isn't online or linked to any network. That's just me..hostile wrote: ↑Mon Apr 12, 2021 4:13 pm I'm gonna guess none of the folks that use Bluetooth Keyboards & keep MiSTer connected to their home LAN care that CVE-2020-12351 is remotely exploitable on kernel 4.19 over the air. In essence making MiSTer a backdoor into their home LAN that someone outside their home can use to compromise their network.
Yes...you are.hostile wrote: ↑Mon Apr 12, 2021 5:10 pm I'm beating a dead horse at this point, many of you clearly have no background in embedded devices, security, or linux, never mind threat modeling.
"NASA hacked because of unauthorized Raspberry Pi connected to its network"
https://www.zdnet.com/article/nasa-hack ... s-network/
These excuses and attempts to reason literally only support my original statement. Please... go on.
viewtopic.php?t=525 Let me get this straight, the MiSTer has a password "1" for the root user account, and you are worried about this 80% effective and somewhat complicated bluetooth exploit that will give an unauthenticated user escalated privileges?hostile wrote: ↑Mon Apr 12, 2021 4:13 pm I'm gonna guess none of the folks that use Bluetooth Keyboards & keep MiSTer connected to their home LAN care that CVE-2020-12351 is remotely exploitable on kernel 4.19 over the air. In essence making MiSTer a backdoor into their home LAN that someone outside their home can use to compromise their network.
https://security-tracker.debian.org/tra ... 2020-12351
https://security-tracker.debian.org/tracker/DSA-4774-1 (fixed version 4.19.152-1)
/root# uname -a
Linux MiSTer 4.19.0-socfpga-r1 #1 SMP Mon Mar 15 01:16:44 CST 2021 armv7l GNU/Linux
What benefit would fixing BleedingTooth Bluez exploits do for gamers that use bluetooth keyboards?
https://access.redhat.com/security/vuln ... edingTooth
Linux Bluetooth Zero-Click Remote Code Execution over Bluetooth on your MiSTer is certainly nothing to worry about!
https://www.youtube.com/watch?v=qPYrLRausSw
https://www.exploit-db.com/exploits/49754
No one claimed that the MiSTer linux build uses best practices. You are claiming that it doesn't follow best practices and I challenged you to back up your claim and you went to such an absurdly irrelevant thing, hoping that no one would fact check you.We get it, no one cares. It is just unfortunate as I said before. The excuses on what you THINK makes a best practice need not apply.
Ah yes, because the average user has a target on their home network's back the size of NASA's network. Good job bro. Lemme read up on the 49 page OIG report and get back to you to see if this is relevant to the MiSTer by doing a risk analysis. lol jk that would be stupid to compare to NASA.hostile wrote: ↑Mon Apr 12, 2021 5:10 pm I'm beating a dead horse at this point, many of you clearly have no background in embedded devices, security, or linux, never mind threat modeling.
"NASA hacked because of unauthorized Raspberry Pi connected to its network"
https://www.zdnet.com/article/nasa-hack ... s-network/
These excuses and attempts to reason literally only support my original statement. Please... go on.
I'll maybe test this out up close in person at some point tonight then, if I can get the exploit figured out from your sources. We'll see if the older versions prior to the CVE you linked cites are also exploitable.hostile wrote: ↑Mon Apr 12, 2021 4:33 pm Bluetooth has been proven exploitable from miles away with amplified gear, and an antenna.
https://www.npr.org/templates/story/sto ... Id=4599106
So actually yes. I know a few mates in the UK if you want me to have one stop by and test with you how far away you could be easily exploited.
I suggest you a buy a chill pill.hostile wrote: ↑Mon Apr 12, 2021 7:14 pm I appreciate the hyperbole @jca, on the face of it suggesting those of us that perhaps want a package manager should use a little more diplomacy is funny. "Please return your DE-10 Nano. You are not the target market and do not understand the product" was of course extremely diplomatic.
I do wonder how real "angry" gets support, but pretend hostile doesn't.
This place is very confusing. You are probably right. I'm gonna guess the next suggestion is I go buy a RasPi. Thanks for the #AbandonThread indicator. Cheers.
Right, this guy is treating the MiSTer like it needs to be enterprise-grade secure, when people have their houses filled with all kinds of more insecure shit every day, like their regular Windows computers, their unpatched routers, their passwords whose value is "password1" etc... It's such a weird obscure thing to worry about if your main concern is concern for the average user's home network. Not to say it isn't legitimate to want this stuff to be upgraded at some point, but hostile isn't going about this the proper way. Go to the issues page and point it out, be specific as to what the problem is, and describe why it is a problem. Them just asking for the buildroot is not productive.rhester72 wrote: ↑Mon Apr 12, 2021 4:39 pm If someone implicitly owns your entire infrastructure because they compromise a single weak device, you probably shouldn't own any hobby or IoT devices. Put it on a DMZ network and done. Seriously, we're talking about a piece of lab kit intended for student research in a school setting. It's never going to be a GP compute device (or managed as one), no matter how much that may gall anyone.
Right, what part of "or it may" don't you understand? Thanks. You gotta be less insufferable.hostile wrote: ↑Mon Apr 12, 2021 8:26 pm " Please provide evidence that it impacts 4.19.0, which uses a different version of blueZ entirely which may not have this vulnerability (or it may)."
Is there something about (fixed version 4.19.152-1) that you didn't understand?
https://security-tracker.debian.org/tracker/DSA-4774-1
https://packages.qa.debian.org/l/linux/ ... 1927Z.html
https://www.kernel.org/pub/linux/kernel ... g-4.19.152
- Bluetooth: A2MP: Fix not initializing all members (CVE-2020-12352)
- Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
(CVE-2020-12351)
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled
- Bluetooth: Consolidate encryption handling in hci_encrypt_cfm
- Bluetooth: Fix update of connection state in `hci_encrypt_cfm`
- Bluetooth: Disconnect if E0 is used for Level 4
Okay got it. So you think the average person's home LAN, especially with gamers forwarding ports frequently on their shitty unpatched routers, is not a major concern or anything, but some hackerbro using a high powered bluetooth gun from 2005, using this one exploit hoping to get in, is the real risk here to everyone's MiSTer's and should be taken extremely seriously. Got it. Priorities brutha.Your 1, 2, and 3 above are hardly worth addressing, especially given you flat out don't understand the difference in a remote wireless threat that can be exploited from miles away, and one to your self contained home LAN (ssh password).
I mean, I said OR IT MAY, but okay. I wasn't wrong, I'm open minded, unlike you. You can ignore that all you want."hoping that no one would fact check you" lol dude. I picked a random seemingly easy to understand issue. And yeah, look how you beat your chest like king ape, and you turned out to be wrong re: impacted kernel version.
Okay, so you have just inferred that he won't patch this particular vulnerability, solely because you have read his response to other adjacent issues from a long time ago. Sounds like you aren't putting in any actual effort into getting this fixed when you ostensibly care so much about it. That's a weird conflict between your stated motives and your actions here."Why didn't you point this out on the github issues page for the MiSTer linux repo" as I said above, Sorg has made his position on the Linux subsystem clear, both in his words that I pasted above, and in his refusals to support other PRs and issues in the past. Literally not worth my time. I'm free to discuss my concerns here on the forum, still, am I not?
What's the purpose of your theatrics? What's your intent?"if I can get the exploit figured out from your sources" you clearly don't have that skill level on deck. Lets not pretend, we both know few people here can check you on that claim, but you don't have to pretend with me. I mean you can't even work out the differences in the processor arch, let alone debug the potential impact. You could have simply looked at the kernel patch, but we both know you aren't really that invested in this part of your theatrics.
No. Not every other linux platform on the planet. There are loads of embedded devices running linux that don't have package managers. The MiSTer is being treated by the project maintainer as an embedded device, and those are not "all" supplied with package managers. Sorry."Right, this guy is treating the MiSTer like it needs to be enterprise-grade secure" literally no one is doing that. The ask was for a basic package manager, and that updates to packages and the OS be handled like literally EVERY other linux platform on the planet.
What? I didn't even say that lol. That was someone else.Your hyperbole, and exaggeration are cool though. "Package managers have overhead and the MiSTer isn't a general purpose linux distribution" was how we started on this path. viewtopic.php?p=22856#p22856
The Mr. Fusion creator literally figured out the buildroot on his own. I'm sure you could too. Probably should stop being lazy and do the work you are demanding others do for you. You aren't entitled to sorgelig agreeing with you. Go ahead and fork the project and see if you manage it better I guess. Compete in the marketplace buddy."Them just asking for the buildroot is not productive" as if asking something on the issues page is a functional way to get something.
You are the person who flew off the rails with the stupid security complaints about a hobby video games FPGA system that is in like 0.000001% of homes in mostly wealthy countries only. Now you are asking to re-rail the thread YOU derailed?This is way off topic at this point, simply because you wanted to "check" someone on a simple example. Feel free to put this train back on the tracks.
Why are you lumping me in with someone talking about overhead? I did mention maintenance requirements however. For the most part the bash script has been barely ever changed, check the commits. It works. And the best part is, people that know how to edit bash scripts can easily contribute. Fixing problems with package configuration is often a little less likely to have more people contribute a PR or raise productive feedback to an issue.The fact remains, you folks act like basic linux package management has some huge level of overhead, and maintenance requirements. It isn't. Likewise, you advocate for this reinvention of the wheel, which is honestly way more complex than a proper update repo: https://github.com/MiSTer-devel/Updater ... updater.sh
Why would Sorgelig do the work for you? If you are such a quitter then you'll never know I guess. Have fun being perpetually angry and deciding to not do anything about it.The amount of effort put into explaining why MiSTer isn't right for a package manager twists my mind! Even if someone did the work to support it, the PR would be refused, we all know that.
Well done! I'm glad you are doing the work instead of complaining like hostile over here.Bas wrote: ↑Mon Apr 12, 2021 8:37 pm This thread is veering a bit off track. I'm now up to the point where I have Jenkins building packages for all releases of all computer and console cores and they can be installed, upgraded, downgraded and removed at will on my test VM. Of course this is tackling the simplest bits first but the idea functions. No changes to anyone's workflow required. Next up: arcades. When that works I'm looking at dropping the binaries for apt into my actual MiSTer and see how that goes.
Lightbulbs/refrigerators/owens/etc and many cant even be upgraded even IF the user and the maker would want to.
There are probably many times more devices that do not run a package manager then systems that do.
What the hell is a hostile fork? The entire point of open sources projects is that no one person has control over them they can be forked limitlessly. Forking is always something that is encouraged.
you keep saying I said I was done? When did I say that? I said I didn't care about your hyperbole about project theft. I also said that I thought the conversation was not going to be productive. "Thanks for the #AbandonThread indicator" doesn't mean I'm leaving, it was literally a sarcastic response to the "Please return your DE-10 Nano" comment, please try to keep up!
Forking is not encouraged here in the MiSTerFPGA project. From what I understand it is explicitly part of why the buildroot is so contentious. It is literally discouraged by Sorg so people "don't run off and fork the entire project that he made without talking to him" per one of the project heads. Folks that ask about buildroot or trying to recreate it are often accused of "trying to jack the project", or similar like above the weird claims to want to "destroy it" re: MiSTer project. Other folks just like to dog pile on "lazy" claims because people ask for things that outta already be included in the "open source" aspects of this project.
zakk4223 wrote: ↑Fri Apr 09, 2021 4:17 pm No, you are not 'reducing complexity'. you are moving it. Because now someone has to generate packages for what was previously just a dead simple release process for core developers. Now you're going to say 'automated CI/CD!' but now someone has to maintain that. And when it breaks (and it will) the core authors have almost zero visibility into it, and likely don't really have the expertise or motivation to debug it if they did. So all it does it delay their release or make it annoying to deal with.
I feel like you're trying to 'fix' MRAs by using packages and ignoring the fact that for everything else you're going to generate a package file for a single RBF, which seems a bit silly.
At the end of the day users are still going to run a script to update their mister, even if packages are involved. So now you have two problems.
What rhester72 means is that the 'linux' OS of the mister is updated as a single image, which is loopback mounted on boot. So when the 'linux firmware' of mister is updated, it completely replaces that image file.
Not much, probably nothing. But compiling the main MiSTer file will be easier as you don't need to install a extra compiler instead of using the ones provided by Debian and/or Ubuntu. Keep in mind that I don't demand that someone else should do it. If anything, I'll do it my self