The Official Release of Lucid 5.25 (Lucid Five Twenty-Five)

[ASRI éducation]

the attached PET appears to solve that problem.

Thanks rcrsn51, the fix works for me.

[ICPUG]

RandSec

Are your CD problems partly due to the Sound being muted on startup? I noticed on my frugal install that sometimes I would boot up and the icon in the tray at the bottom right of the screen shows the sound muted.

After a while it mysteriously corrects itself and has volume (75% I think).

[RandSec]

RandSec

Are your CD problems partly due to the Sound being muted on startup? I noticed on my frugal install that sometimes I would boot up and the icon in the tray at the bottom right of the screen shows the sound muted.

After a while it mysteriously corrects itself and has volume (75% I think).

My issues are not volume problems, because the player does not interact like it does when working. And videos work. The delays feel deliberate.

[playdayz]

scsijon,

I seem to have a problem Embarassed , i'm missing the hal deamon at /usr/sbin/hald, am I alone?

Not alone. hald is not in Lucid 5.2.5. Ubuntu is phasing it out--or has phased it out and that is one less item of overhead. libhal *is* present because at least one thing needs it. The hal in PPM contains the full package, including hald, but I think you need to search in PPM because there is already the limited hal package installed so PPM won't show it unless you search.

[Jim1911]

Hi playdayz,

I've been away for about a month and so much has happened. Your Lucid 5.25 is the finest yet, it's working flawlessly on my hardware, both frugal and full hd installations. Kudos to you and your team.

Sorry that you are planning on taking a rest break, however it's well deserved, so enjoy the break. It's hard to believe how many releases you have made in such a short time. I've enjoyed the privilege of working with you and hope to do so again.

Best wishes,
Jim

[James C]

Just manually upgraded the frugal install on my Windows 7/PCLOS box from 520 to 525. No real problems.Had to rerun Alsawizard since this box has 2 sound cards but sound was working immediately.
Nvidia driver and all previously installed apps still working.Easy upgrade.

[maxpro4u]

Clean frugal install on A31 thinkpad. Sound working and volume buttons working well. The wireless card(D-Link G650) working. Fn buttons working. Battery icon working. Installed firefox 4-(BBC world news) flashplayer working smooth.

[bigpup]

Good review of Lucid Puppy 5.25 in Distrowatch Weekly:
http://distrowatch.com/weekly.php?issue=20110418

It does bring up some problems for someone new to Puppy.

[sszindian]

bigpup posted:

Thanks for posting this! Every Puppy Developer Should Read It.

Kind of relates to a few things testers were after in initial development and didn't get huh?

Maybe now a tester will be taken a bit more serious when things are asked for!

The review sure knocks Puppy out of the box for new users I think.

>>>---Indian------>

[rerwin]

Every Puppy Developer Should Read It.

I have, and am very concerned about the reviewer's wireless modem experience.

After admiring the aesthetics, my next mission was to get online, and actually this proved to be more traumatic than I expected. Outside of exploiting the occasional free WiFi spot, my connection to the Internet is almost exclusively via a 3G USB broadband modem. I clicked through the menus and found "Setup --> Internet Connection Wizard" and chose "Internet by dialup analog or wireless modem." While attempting to click my way through the configuration, Puppy suddenly froze on me. The screen was locked, the cursor wouldn't move, and even CTRL-ALT-Backspace wouldn't get me out of this mess. I finally had to do a brute-force reboot by pulling the power cord and removing the laptop's battery.

If anyone reading this thread has a similar experience, please tell me about it. I would hope that the latest "modem-modprobe" update package would prevent the problem. If not, I need all the info I can get regarding that lockup. There is always the possibility that the newer kernel is a factor, but probably not.

I hope some of you can help me out with this. TIA.
Richard

[RandSec]

Good review of Lucid Puppy 5.25 in Distrowatch Weekly:
http://distrowatch.com/weekly.php?issue=20110418

Yes, a good review, and a refreshing change from the general anti-security tone around here. The root user discussion and thoughts about malware were particularly interesting. I especially liked: "Puppy comes with a firewall, and you should of course be using it," and "Though most Flash exploits target Windows users, there's no reason why Linux can't be targeted as well," which is true. Of course, that is hardly the "minute detail and very specific terms" that some here demand. And I also have been told that security criticism is only understandable after the critic has introduced a Puppy with the desired changes already implemented. Critics who do not do that simply have no "influence," apparently. Next we will be unable to criticize a bad steak because we did not raise the cow.

I do not agree with the criticism of the Puppy root user design. Once malware gets into even a restricted user account, it can do anything that user could do, including changing privilege levels. Remember: malware can put an attacker inside your machine in real time via broadband. And when malware owns even a restricted user, everything that user has is already compromised, so limiting the attack at that point is like closing the barn door after the horse is gone. But if potential users THINK that Puppy has a problem, then Puppy DOES have a problem. So we probably ought to have some reasonable answer in the code.

Some other security issues include:
1) The firewall should be on, by default, upon first start, before any network transaction occurs. After that, a whiny user can turn it off.
2) There needs to be a config option to stop Puppy from automatically logging in before the user is ready. In particular, if the user boots from flash, that flash should be removed before the system goes online.
3) When Puppy boots from USB (typically flash but possibly an external hard drive), it needs to allow that USB to be removed after the boot, unmounting it first, of course, as is normal for drives. Removing the boot drive before going online is how we guarantee that new incoming malware does not attack the boot code, and that stops infection.
4) If a boot drive is removed after boot, there will be a need to handle updates. I suggest the boot drive NOT be updated continuously like external RAM (as is now done with flash), but only upon a manual Save command, similar to the LiveDVD. Multiple versions of the same file could exist in different directories, with only the latest loaded on boot. Eventually a flash would fill, and the loaded Puppy could be Saved to a new flash, much like the LiveDVD scheme now.
5) It will inevitably be necessary, sooner or later, to install downloaded code via SSL so we can guarantee that it comes from the approved repository. I suggest making the internal Quickpet a web page, and using a serious modern browser like Firefox for all downloaded code installs. The web page could be updated at will, and so also solve the Quickpet local update problem for LiveDVD users. By moving more of the current package to downloadable code, the .ISO gets smaller and stuff that does not work for some user need not get in their way. (No fewer than 3 included CD players apparently do not handle my Samsung optical drives. So I downloaded VLC, but the other players remain.)
6) When Puppy boots as a LiveDVD, one of the steps is: "Searching for Puppy files in computer disk drives..." Malware will love the ability to drop an infected file into a system and have that come up, perhaps even hidden from the user. There needs to be a way to configure Puppy to NOT do that search.
7) Some work is needed to finalize the great multisession-DVD feature which sets Puppy apart from all other distributions. Writing to optical media simply is not as reliable as writing to a hard drive. Verification after write should be required and automatic, and should it fail, other attempts are required, including requesting a new DVD, to the point of fully recovering however necessary.
8) Voiding the last <n> sessions is another great Puppy feature with issues: I have personally voided the last session on 2 LiveDVD's which then failed to boot. Surely a temporary form of voiding could be made available to load the previous system before making any dangerous changes on the DVD itself. There also needs to be some way to copy multisession DVD sessions from a "bad" DVD and save them. I would like to see the voiding feature also apply to a flash boot drive, just like a LiveDVD.
9) Puppy needs a config option to NOT ask to save at the end of a session, particularly for LiveDVD use. In my experience, the desktop Save button almost always works, whereas the end-of-session save often damages the DVD, and then it is too late to do anything about it.

This is from a year and a half of experience with the LiveDVD form. Surely other issues have revealed themselves to others.

[James C]

Now for a complete change of subject......

Dug an old test box out of the closet and upgraded a full install from 235 (that was a while back) to 525.Actually doesn't appear to be any problems....upgrade went really well.

[Luluc]

Of course, that is hardly the "minute detail and very specific terms" that some here demand.

"Some"? Who else besides me?

Once malware gets into even a restricted user account, it can do anything that user could do, including changing privilege levels. Remember: malware can put an attacker inside your machine in real time via broadband.

What have you been smoking? I want some of that too!

PROVE what you're saying. If you can't do it yourself, fine, just point us to any page that describes the necessary steps to achieve this kind of magic of which you speak so often. Is that asking too much? Just prove it, dammit!

[wuwei]

Luluc wrote:

PROVE what you're saying. If you can't do it yourself, fine, just point us to any page that describes the necessary steps to achieve this kind of magic of which you speak so often. Is that asking too much? Just prove it, dammit!

+1

Yes, pleeeeaaaase. One concrete example. ONE only!

[RandSec]

Once malware gets into even a restricted user account, it can do anything that user could do, including changing privilege levels. Remember: malware can put an attacker inside your machine in real time via broadband.

What have you been smoking? I want some of that too!

PROVE what you're saying. If you can't do it yourself, fine, just point us to any page that describes the necessary steps to achieve this kind of magic of which you speak so often. Is that asking too much? Just prove it, dammit!

Prove? What is there to prove? If you have never heard the term "bot" with respect to malware, you have some homework to do.

As I have tried to share repeatedly, security is not about particular responses to particular exposed threats. That is the Microsoft way, and despite having vast fortunes to spend and enormous resources applied to monthly patches, Windows malware continues to increase, both in quantity and virulence. Windows malware results thus stand as PROOF that the correct approach to security is NOT to await attacks and then patch them. PROVING that an attack exists thus has been shown to NOT be the path to security.

Puppy simply will not have resources for effective detection, analysis and patching, so if that is to be the security strategy, even the first sustained attacks will mark the end of the online Puppy platform for many people. That is of course my opinion, not PROOF, but it does reflect how I would act.

Security is the state of being safe. Achieving security means being pro-active to stop attack possibilities before they occur. Most people do have doors, and locks, and they use them to provide some level of physical security against known threats. Online, we have a continually growing and changing threat landscape which prevents us from knowing the threats or being confident in even basic safety.

For online systems, typically we seek to have a "layered defense," where a failure in one layer is backed up by different strength in another. The very first step to achieving security in an existing system is to find basic uncovered holes, and close them up. Standing back and saying: "Nobody could do anything with that," has been shown to be wrong, time and time again. The people who attack are smarter than us, and trickier, and can leverage openings in completely unexpected ways. Just because we cannot see the way to their success does not mean they will not hurt us.

The correct approach is to find some basic security truths and leverage those into SECURITY PROOFS FOR US. The first truth is that malware CAN get in and run, even in Linux (although it may be running in Flash or Java). The next truth is that, to "infect" future sessions, malware needs to change some code (or data leading to code) which will be executed by the future session. That PROVABLY can be prevented by not allowing code change, which is the usual province of LiveDVD operation. Notice that a writable drive cannot be protected in this way, because running malware cannot PROVABLY be prevented from changing stored code on the boot drive.

In practice, browsers frequently need security updates, so practical secure LiveDVD use requires some way for users to change code yet not allow malware to change code. We can approach that (not quite to absolute PROOF, but close) by infrequently and manually allowing code changes immediately after boot until browser changes are done, saving the result, then using physical action to prevent further saves.

Being strong against unknown future attacks is particularly important in systems like Puppy, which have no tool to find and expose infection. Because infection is dismissed out of hand, there is no trained cadre to detect it, analyze it, and work out a patch. Because infection is not found, the very concept is thought to not exist.

Because infection seems unbelievable, Puppies can be infected without the owner or user knowing. That is not a surprise and needs no PROOF beyond knowing what bots do. Those who have been paying attention KNOW that bots hide.

Now it is necessary for those who believe that Puppy cannot be infected in any way whatsoever to PROVE their case, and then to address the consequences of that being wrong.

[myke]

Re "bad steak", a good critic (at least the ones I respect) will either say the restaurant bought poor quality meat, the cook overcooked it, or the spicing was inappropriate and state what must be done in detail to correct it, etc.

So, criticizing the security of Puppy without delineating the steps required in concrete detail to upgrade puppy without degrading performance is the real challenge. Whining about security is not.

I repeat what I said before: come up with a security-enhanced puppy w/o degraded performance and we will all d/l and try it out. That I promise you. If you can't do it yourself, then volunteer to assist a dev. I believe Jemimah is a sys admin, who must deal with security issues on an ongoing basis; why don you PM her?

myke

[RandSec]

Luluc wrote:

PROVE what you're saying. If you can't do it yourself, fine, just point us to any page that describes the necessary steps to achieve this kind of magic of which you speak so often. Is that asking too much? Just prove it, dammit!

+1

Yes, pleeeeaaaase. One concrete example. ONE only!

-2

Examples of weakness are the PROVEN WRONG approach to security. To have even one is to realize that the system really was weak, after all, even when it was considered strong. But finding a weakness and patching that will not create security. In practice, all large, complex systems will always have exploitable errors or flaws, no matter how much patching is done.

To attain security, it is necessary to work in ways which PROVABLY PREVENT insecurity. My approach has been to prevent "infection": the ability of maware to get itself restarted on subsequent sessions. Infection is the largest danger, because an infected system may run a hidden bot for hundreds of sessions. Systems which flush malware and start out clean on each session may run malware, but only if and when acquired, and then only for half a session, on average.

To the extent that anything is ever new, this is a new and original approach to security. Puppy supports this, and nothing else does (as far as I know). It seems a shame for Puppy to not recognize its strengths and build upon them.

[nooby]

That would work for non-writeable CD and such DVD? But only on USB and HDD if them could be set to nonwriteable or how else to do it?

[RandSec]

Re "bad steak", a good critic (at least the ones I respect) will either say the restaurant bought poor quality meat, the cook overcooked it, or the spicing was inappropriate and state what must be done in detail to correct it, etc.

So, criticizing the security of Puppy without delineating the steps required in concrete detail to upgrade puppy without degrading performance is the real challenge. Whining about security is not.

"Whining" about a bad steak is how we avoid going back for the same thing again. It is unnecessary to analyze how it was bad or who caused it, because what matters is the going back.

I have presented security issues in more than enough detail to consider for implementation. For me to propose solution code would involve me knowing more than I do, or ever will. Sufficient information has been presented for the designers to use, or not.

I repeat what I said before: come up with a security-enhanced puppy w/o degraded performance and we will all d/l and try it out. That I promise you. If you can't do it yourself, then volunteer to assist a dev. I believe Jemimah is a sys admin, who must deal with security issues on an ongoing basis; why don you PM her?

myke

Improving security almost always involves some cost. Having a door means it must be opened, instead of just walking through. Having a lock means fumbling for the key. Having a firewall means that firewall code must run, instead of just accepting everything. Using a LiveDVD may be somewhat inconvenient, but as a path to security that inconvenience can pay off.

We have what we have, and Puppy is what it is, because current designers allowed that to happen. They were satisfied; I am not. Just finding a designer to talk to is not going to solve that problem.

[RandSec]

That would work for non-writeable CD and such DVD? But only on USB and HDD if them could be set to nonwriteable or how else to do it?

Most of the optical media we would use are in fact writable, although the writing process is both longer and more visible than a hard drive or even flash drive write. I assume that malware cannot write to my DVD+RW disc without that becoming apparent. But we could certainly remove the boot DVD immediately after booting, thus PROVABLY eliminating new infection as long as the computer was not yet online (or getting an infected USB drive plugged in). So we need an option for Puppy to not immediately connect online.

Our current computer systems are designed with an inherent lack of hardware to prevent malware from changing boot code and data. Fortunately, good security is largely already available in a LiveDVD approach. Unfortunately, many modern computers do not have a DVD drive, which in any case will be slow and, in my experience, error-prone. Still, one alternative is to use an external DVD-writer (provided the computer would boot from it), ideally with no hard drive at all.

When we do a LiveDVD boot with a hard drive present, such as an existing Windows drive, we have to consider the security consequences of malware creating or infecting a Puppy save file. That could be avoided with a configuration where Puppy would not search for or read that file. That should actually improve startup performance.

In non-LiveDVD systems, what counts is hardware "air gap" or "power off" security. To achieve that, we can boot from an external USB hard drive or flash drive--provided we can remove that USB plug prior to any risky operation. We need to allow a careful manual update from well-trusted sites, a manual save, and then removal of the USB connector, thus isolating the USB drive.

When I boot from flash, Puppy says that flash must not be removed. Even worse, it writes to the flash periodically. How could anyone imagine that would protect against malware infection? I have also acquired and used a flash with write-protect, which then becomes insecure forever after as soon as writing is enabled for browser updates. So for a secure HDD or flash boot, I think we are forced into waiting for changes to the Puppy design.

We need to be able to remove the flash once the system has been loaded into RAM and is running. We know that can be done, because the LiveDVD system can do it. We can remove the DVD after boot, to play a music CD, or to write a new .ISO. So gaining the ability to unplug the boot drive is not an unreasonable request. But unless and until Puppy changes, I cannot see a way for a USB flash boot drive to be both secure and offer practical support for browser security updates.