

Hopefully they can set aside some money for important crate maintainers as well
We are getting into the tricky end of the lifecycle, supporting the tools. Seems every day there is a newly abandoned crate with no replacement devs.
I’ll do a little research into both and try to work out if there is anything that could be done. I can’t promise anything in terms of promptness, this is a learning experience for me as well. So hopefully someone else has an answer for you :)
You are the real life LongtimeUser4.
Unfortunately I can’t help more than that.
Edit: can you give the output of lsmod? I wonder if a hacked Linux keyboard driver could help? I’m happy to give it a try if you’re interested in testing it.


Doing the /service_name thing can get really messy if the web service has non-relative links. It gets very messy trying to do rewrite rules to fix that. Wouldn’t recommend it.


So, you want to have two services accessible via the same URL? How do you want that to work? Can you give a list of services and the URLs you would like to access them by?
At least for mail, it’s actually not too hard, because SMTP/POP etc. are all on different ports, so you can host your mail at mysite.com, and still have a website at the same address.
But where would we find an Arch virgin?
In theory, that is true, dual boot is good for trying stuff out. In practice, for a beginner who doesn’t want to tinker, setting up dual boot is a nightmare.
I’ve dual booted since Fedora 4, and it hasn’t gotten any easier to get it set up. The best system for beginners was Ubuntu’s weird “install as an app, then boot into it” thing, but that no longer exists.
Anything that works on the steam deck should also work exactly the same on your laptop, so yes, very good indication.
Installing on your old laptop is a good idea.
I just want to quickly say: You cannot permanently brick your PC with Linux. You may break your install, but you can just reinstall. Doing actual hardware damage is near impossible.
Possibly not. If you’re happy with W11, and the direction Microsoft is going, you can definitely just keep using it.
It depends. Packages from your distro likely will work with no issues, but there is always the possibility that something gets shipped broken (which also exists for Windows). Steam games are generally good, and getting better all the time, but there are some games that definitely won’t work out of the box (or at all). Check your games: https://www.protondb.com/
To reiterate, it is impossible to do hardware damage, so you can always return back to Windows if you decide it’s not for you. Maybe you’ll love Linux, maybe not, but it’s very safe to try.


Oh, well, if it requires a password that is pretty much solved. The original commenter made it seem a lot less hands on.
I was under the impression that the shim let OS’s boot all the way up, and that it was just a standard part of the boot process. I was suggesting instead that the signed binary only lets you add a new key, which you can then use to boot without the shim.
Doesn’t help when the key expires though.
Thanks for the additional info, greatly appreciated.


Having read up a bit more on mokutil, seems that it doesn’t enroll the key by itself, but gets the UEFI firmware to prompt the user to add the key at next boot. Which in theory gets around the malware risk, although given how many people auto-click accept, maybe not.
The other way keys could be securely installed would be for the distros to produce a UEFI “addmykey” binary, with their keys baked into the binary. They then get that signed by the MS key, which would allow that image to boot and set up the key without ever disabling secureboot. You wouldn’t need to have a trusted PC either, as if the binary was tampered with, it wouldn’t boot.
100% agree on the risk profile though, far too many people think they are more important than they really are. Realistically, most of us aren’t worth the effort to individually break into our computers.


I personally don’t think MS did it out of maliciousness, more indifference. They wanted the security benefits, and didn’t care what it cost others. But we’ll likely never know what their true intent was.
I don’t know how the bazzite script does it, but any tool that can be executed from userspace that could add keys could just as easily be abused by malware to add their own signing keys, which completely defeats the purpose.
Edit: see princessnorah’s comments below for more details, but it is a lot more hands on, which prevents malware abusing it.
In an ideal world, Redhat, Canonical, Suse etc could have gotten their verification keys built into every motherboard, but that still cuts out the Arch/Gentoo/flavour-of-the-month crowd. And also increases the risk that a signing key gets leaked and abused by malware.
It’s just not an easy problem to solve.


That should exactly fix the problem.
The real issue is that by default, if secure boot is enabled, you won’t be able to boot up into bazzite or whatever in order to run that command.
So the user experience will be worse now, because instead of just installing and running, Linux users have to disable secure boot, boot and install their distro, run that enroll command, and then reenable secureboot. And lots of people are going to give up at step 1, and leave secureboot off.


Yes and no. Yes, it’s old and should be upgraded ideally. No in that the Linux market share is so minuscule that targeting 20.04 or other out of support Linuxes isn’t as favourable as targeting Windows.
Also, the support/security update critique also applies to the community run distros as well, given they may not have the resources to keep up with security updates.
So yeah, my risk is increasing, but I don’t feel anywhere near as at risk as one of the 0.43% Win XP machines still floating around…
Stats from here, no idea how accurate they are: https://gs.statcounter.com/os-version-market-share/windows/desktop/worldwide


It’s a VM that has a working toolchain. I am very comfortable that it’s safe within my environment, but in general, you’re all correct, it ideally would be upgraded.


I3 on Ubuntu.
Don’t update unless required. Still using a 20.04 machine. As long as I can do my job, I don’t need to chase the latest updates.


Odd that the disk didn’t show up in the list there. If there are other options near CMS maybe have a play with them?
Another option to check out is to disable secure boot?


Switch from bios to uefi boot mode (or vice versa)?
Sometimes called legacy bios or something? From a quick google, might be called CSM

Yes, but out of context. They refactored their policies to make them legally correct, this was an intermediate step. There is another comment with the current policies linked in it.