• More distros should be like OpenSUSE


    • This topic has 3 replies, 1 voice, and was last updated 1 week, 1 day ago by Lance Haverkamp.
    #2536728

    Not long ago, I finally got around to noticing and watching the Linus Tech Tips “Linux Challenge,” where Linus and one of his compatriots each chose a Linux distro to use exclusively for a month.

    It’s an ongoing trope on Linus’ channel that Linux hates him. I think it’s that he lets himself get flustered easily when he’s out of his comfort zone, and when that happens, he fails to tap into his general computer knowledge to punch his way through to the other side.

    Linus chose Pop!OS for his first choice, but something happened due to a bug somewhere, and in the process of trying to remove something to resolve the bug, even though the system tried to warn him that he was doing something extremely risky (it said that he was attempting to remove vital system files, or something like that, and made him type in “yesIreallywanttodothis”), he somehow managed to type that in without noticing. He didn’t read the warning, and somehow the gravity of the situation when it was asking him to confirm that he really wanted to do something escaped him, and… he borked his installation.

    I don’t blame him for that… I am kind of unsure how he could miss that, but each time something like this happens, it is a window into the psychology of how human minds work, and it can help us engineer systems a little better. It is the same reason that the policy of the US government, when it comes to investigating plane crashes, is not out to punish pilots who make mistakes while acting in good faith as much as it is to try to find out why a pilot trying to do the right thing managed to get caught up and did the wrong thing instead.

    Linus tried again, choosing to use Manjaro with KDE Plasma as the desktop environment.

    KDE Plasma is by far my favorite desktop environment (GUI) for Linux. Years ago, when I first started my efforts to move to Linux, I tried KDE and found the rough edges to be too much to bear, which was why I kept looking until I tried Mint with Cinnamon. KDE kept improving, though, and I ended up back here, this time for good (so far, at least, but I have no plans to change).

    That said, it does have a few caveats. Like just about everything, it needs some tweaking to be fully usable (this has been the case for Windows since the early 2000s, so it’s not just Linux). While “because the marketing department demands it!” is not usually a factor in the Linux world, it is still subject to the same issues and hobgoblins of commercial software in other ways.

    One of these came to the fore in Linus’ time with Manjaro. He needed to elevate privileges to be able to perform something, and he could not figure out how to do it. In most flavors of Linux, “open as root” is one of the options in the file manager context menu, just as “run as administrator” would be in the Windows options for a given program.

    That option was not in Manjaro KDE, though, so Linus searched on the web, and unfortunately saw the same discussion I did years ago when KDE removed that option, ostensibly for security reasons. The thread contained a rather pointed reply from one of the people (a dev?) who snarkily said you should be using the command line for admin work anyway, or some such thing, insinuating that the person asking the question of how to run the program as root was dumb for even asking. I don’t remember the exact text, but I remember how insulting it was, and after seeing Linus’ reaction, it was pretty evident he saw the same thing.

    It turns out that there are some security exploits that are possible when running graphical programs as root under X11, and to address that, KDE simply removed the file manager’s menu option to run as root, and then added in an extra bit of rude-gesturing to block the file manager or KDE text editors (kate and kwrite) from running as root, in case the user tried to make that happen manually.

    The plan was to have the system ask to elevate privileges whenever a person did anything that needed them, so it would never be necessary to ‘run as root,’ but that was years ago, and that plan has yet to be realized. They simply put in the “fix” to the security problem without the replacement being ready and expected people to just be okay with it… for their own good, of course.

    This heavy-handed “fix” was not needed to protect the more security-obsessed users. One could simply choose not to run graphical programs as root, if he was that concerned about it. But that wasn’t good enough… they had to remove that ability now, years (and counting) before the new ability to replace it was available.

    The reaction to this was not favorable. Articles about the issue, and how to fix it, soon appeared across the web. The first one I remember was to download patched versions of Dolphin (the KDE file manager), Kwrite, and Kate from OpenSUSE, and to replace the existing versions on a given distro with these new ones. Users of OpenSUSE never had to do that; they got the patched versions without having to do anything.

    Soon KDE felt the heat was too much, and they issued a compromise “fix” for the “fix.” If the user set a couple of environment variables in the command line to open Dolphin, it would let itself run as root once again. I put that bit into the launch command for Dolphin years ago, and that was that… it just worked from that point on.

    But that didn’t help people like Linus, who didn’t happen to read one of the pages describing how to do it. One of them was from Dedoimedo, who wrote a scathing riposte to KDE’s actions, along with directions on how to fix it, in one of his posts.

    Had Linus chosen OpenSUSE, he would never have known about this issue, nor would he have felt the sting of the insult from (I think) one of the devs for wanting to open as root in the first place.

    This is not the first time OpenSUSE has taken up the slack when other open-source devs slacked off.

    Firefox on Linux has long been built with the GTK (GNOME ToolKit) library to create the UI. In Linux, there are two competing toolkits, and GTK is one of them. The other is Qt, the one KDE Plasma uses.

    GTK is developed by GNOME for use in their own desktop environment, and nearly all competing desktop environments use it. The GNOME devs have been ripping out features and pushing simplistic, feature-poor products for years, and GTK reflects those biases. One of those is the GTK file picker, used by nearly all GTK applications. It is so simplified that the “load” dialog no longer has a text box where one can type or paste a path or filename into. You’re expected to drill through the file system, each time, forever.

    If you’re “in the know,” though, you can get the text entry box back each time. Press CTRL-L and it appears. There is no hint or clue in the UI that this shortcut exists… it’s a total secret. People have asked GNOME devs to add a button for it, but they have refused, stating that it is not an actual feature, but is instead more of an Easter egg.

    A feature as important as a filename entry field is just an Easter egg for those insiders who know about it.

    That’s what’s wrong with GTK+ in a nutshell. It is written by people who think that bit about the Easter egg is sensible. And Firefox uses GTK+ on Linux exclusively.

    Over a decade ago, someone filed a bug asking Firefox to better integrate KDE into Firefox, as the GTK kit pretty much assumes everything will be done the GNOME way. They closed it as WONTFIX, stating that the Qt port of Firefox was underway, so just wait for that.

    Then they discontinued the port.

    Mozilla has been hostile to KDE from the start, for reasons I can’t even guess. When they finally made Firefox compatible with the XDG desktop portal specification, it was a halfway implementation that still leaves much to be desired– unlike Chrome, whose XDG portal implementation has been perfect (as far as I have seen) from the first time I tried Chromium.

    Before Mozilla even made Firefox (partly) compatible with XDG desktop portal, OpenSUSE came up with a solution. A set of small patches and a small helper application give Firefox the same (or better) integration that Chrome has. And as before, OpenSUSE users had to do nothing special to get this enhanced version of Firefox… the patched version is the one in the repo, just like Dolphin and Kate/Kwrite. For non-KDE users, the patches do nothing; it does not harm their experience.

    Mozilla, of course, did not take up the patch. They called its need for a companion application ‘hacky,’ and they are kinda right about that. They declined the patch, but they also declined to provide a non-hacky alternative. Once XDG desktop portal came along and matured to the point where it would make doing that easy, they still provided only the most rudimentary level of compatibility with the XDG standard. How nice would it be to have them copy Chrome on this one thing!

    OpenSUSE made enough of an impression on me for these things that when I recently began to ponder the topic of Secure Boot, I thought it worth it to try once again.

    Edit: In March 2023, OpenSUSE stopped removing the lockdown mode from the kernel if Secure Boot was used. I made my objection known here, even to the extent of withdrawing my opinion as stated in the title of this post… but since then OpenSUSE has relented, returning things to the way they were when I wrote this post praising them. They promise to bring back the lockdown mode once it is fixed (I forget the actual language they used). I am not sure exactly what their criteria are for when it will qualify as being fixed, but it is certain that whatever these criteria may be, they’re not met right now, or they would not have reconsidered. Good job! My titular quote is once again reflective of my opinion.

    Major Linux distros have long had support for Secure Boot. Many of my Linux compatriots regard Secure Boot as little more than a devilish way for Microsoft to keep people from using anything but Windows on their PCs, but if that is Microsoft’s intention, they sure are taking their time to lower the boom (after more than ten years now). Microsoft has a service where they will sign Linux bootloaders with their security key so that Linux distros can boot on systems with Secure Boot enabled that only include Microsoft keys. The PC OEMs could, if they wanted, ask the various Linux distro maintainers to provide their keys too, so that they can all be placed in the firmware of Windows PCs, but they have not done that. This is not something MS has done that increases their control… it makes other OSes more viable than before, not less.

    All else being equal, I prefer to use Secure Boot if I can. Why not have an extra bit of security if it harms nothing?

    Unfortunately, the same kind of thing happened with the Linux kernel as with KDE Dolphin before. Some people were of the opinion that Secure Boot was worthless if the kernel was not also locked down in a number of ways. These restrictions included, among other things, blocking the Hibernate function. Their explanation was that the hibernation data would be out there in the open, and a would-be attacker could exploit it, extracting encryption keys or other secrets from within.

    There are ways to protect the hibernation data, but the kernel devs pushing the lockdown thing had no way of knowing if the user was doing this, so rather than let the user make the choice (if you want maximum security, either do not use Hibernate or take additional steps to secure it), they made it themselves. If you have secure boot on, lockdown mode WILL be imposed, and that means no hibernate for you.

    The result of this is that in the interest of security, many people who may have had secure boot ON will now have it OFF… and that’s better for security, or something…?

    I guessed, based on the other two examples above, that OpenSUSE would have reversed this lockdown requirement in their kernels, so I tried enabling Secure Boot (which had been OFF since the kernel people made the change), and sure enough, no lockdown mode. Hibernate is still available, warts and all, and now I can decide whether to use it even knowing its limitations.

    While there are a bunch of friendly Linux distros, none that I know of have such a history of undoing other devs’ heavy-handed, end-user-unfriendly moves. While I do not agree with all of their decisions (when they re-enabled root access for Kate, Kwrite, and Dolphin, they disabled the bit where trying to save a file in Kate or Kwrite where the user did not have permission would ask for a password to elevate privileges rather than simply say “access denied”), they are the only one that seems to be on the side of the user having the choice.

    Yeah, I have seen that incredibly “cute” web page that answers the question in its own URL, whether Linux is about choice, with an obnoxious “NO.”

    It’s wrong. Making a web page about something does not make it correct.

    I think you would have an argument on your hands if you told Richard Stallman that the free software movement was not about free (as in freedom) software. Freedom is what it is all about, and freedom requires choice. If there is no freedom to choose, there is no freedom of which to speak. That makes ‘choice’ the key feature of all free software. It’s why Pop!OS gave Linus the freedom to bork his own installation… rather than simply refusing, it tried to warn him, but then did as he wanted.

    While the ethos of ‘choice’ does not mean that all open source devs are obligated to provide options for every single thing they can imagine someone may want to change, it does reflect a general idea in open source that this level of freedom is a healthy and desirable thing, even if each software dev also has the freedom to refuse any given feature or option.

    In that way, OpenSUSE’s actions are a demonstration of that type of freedom. Free software is about freedom, and when devs exercise their freedom to impose restrictions that are unacceptable to some, someone else is just as free to come in and change it back in their own fork.

    It’s a shame that OpenSUSE is discontinuing their standard-release series, the LEAP series. Tumbleweed will remain, but the non-rolling LEAP versions that get released once a year will be going away. Most people prefer that to the sometimes rough and (heh) tumble world of rolling releases like Tumbleweed. That’s why I wish that Ubuntu or other distros would start including stuff like this, to let the user make the choices again to the greatest degree possible.

    Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
    XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
    Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)

    • This topic was modified 11 months, 2 weeks ago by Ascaris.
    • This topic was modified 11 months, 1 week ago by Ascaris.
    4 users thanked author for this post.
    • #2542154

      …Annnd they made a fool of me. Or themselves. Or something.

      The kernel update that just came down the pike has the lockdown mode enabled… so now, in the name of safety, I have to disable secure boot, because of the arbitrary decisions made by kernel devs who have no idea what my needs are or what my system configuration may be.

      Until now, the OpenSUSE devs have kept this madness out of the Tumbleweed kernels, but now they have given in.

      So let me amend that thought in the title. “More distros should be like OpenSUSE was.”

       

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
      Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)

      1 user thanked author for this post.
      • #2543668

        Well, surprisingly, they’ve relented. They reverted the change for the next kernel release, with the promise that they will reinsert the lockdown mode when the bad effects of it are mitigated. Which bad effects is a good question, but at least they’re listening to their users… unlike Ubuntu and every other Linux distro, who make no effort to mitigate the locked-down kernel for their users. Having to sign all of the modules that are to be loaded is a pain, but certainly feasible… but giving up hibernation and writing to MSRs (model specific registers) is too much.

        I like to think that my post on Reddit may have swayed the opinion of someone influential over at OpenSUSE, but… probably not.

        The thread over there contains a few posts that suggest that Microsoft is tightening up the rules for having the Secure Boot shims signed, and that they threatened OpenSUSE with not signing their shims if they don’t stop removing the lockdown mode, but the whole point of signing the shim is to validate that the bootloader actually comes from OpenSUSE… and that has nothing to do with lockdown mode, which is about how the OS behaves after the boot process has completed. By all means, do what you must to make sure you are actually signing the genuine bootloader for OpenSUSE and not some imposter… but that’s where Microsoft’s role should end.

         

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
        Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)

        1 user thanked author for this post.
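
Added example, not part of the thread or any poster's code: a POSIX shell check for the combination the posts above discuss, reading the Secure Boot EFI variable, the kernel's lockdown mode, and whether hibernation is still offered. It assumes the standard efivarfs/sysfs paths; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): Secure Boot vs. kernel lockdown state.
# Function names are hypothetical; paths are the standard sysfs/efivarfs ones.

# Active mode from the text of /sys/kernel/security/lockdown; the kernel
# brackets it, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    printf '%s\n' "${mode:-unknown}"
}

# SecureBoot efivars file: 4 attribute bytes, then one data byte (1 = on).
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# True if the text of /sys/power/state lists "disk" (hibernation).
hibernate_offered() {
    case " $1 " in *" disk "*) return 0 ;; *) return 1 ;; esac
}

# One-line verdict. $1 = Secure Boot state, $2 = lockdown mode, $3 = yes|no.
assess() {
    case "$2" in
        integrity|confidentiality)
            echo "secureboot=$1 lockdown=$2 hibernate=$3: locked down (hibernate, MSR writes, unsigned modules restricted)" ;;
        none)
            echo "secureboot=$1 lockdown=none hibernate=$3: not locked down" ;;
        *)
            echo "secureboot=$1 hibernate=$3: lockdown state not exposed by this kernel" ;;
    esac
}

report() {
    sb=$(secure_boot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)
    ld=$(lockdown_mode "$(cat /sys/kernel/security/lockdown 2>/dev/null)")
    if hibernate_offered "$(cat /sys/power/state 2>/dev/null)"; then hib=yes; else hib=no; fi
    assess "$sb" "$ld" "$hib"
}
report
```

Running it before and after a kernel update shows whether the distro's kernel has started (or stopped) imposing lockdown under Secure Boot.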
    • #2637003

      OpenSUSE Leap is being replaced, not discontinued: They’re perfecting rolling for us ‘stable’ users, with Slowroll. OpenSUSE Slowroll is a currently experimental gem that harmonizes both fresh & stable. It’s Tumbleweed, slowed down, savoring updates every 1-2 months. Under the hood, Slowroll cherry-picks a recent stable version of every program, from Tumbleweed’s ever-evolving code base. The result? Exquisitely honed packages and seamless updates. My computers hum with a newfound confidence.

      Of course, it’s young, but whispers abound of Slowroll replacing the annual OpenSUSE Leap cycle by 2026. This meticulously paced experiment could offer a single, ever-evolving platform for both stability seekers and bleeding-edge enthusiasts. It’s still experimental, but I’m using it on every computer I have—except my main work desktop.
