> the old snapshot has security holes attackers know how to exploit.
So is running `docker build` and having the `RUN apt update` line hit the cache, except the latter is silent.
The problem solved by pinning to the snapshot is not to magically be secure, it's knowing what a given image is made of so you can trivially assert which ones are safe and which ones aren't.
In both cases you have to rebuild an image anyway so updating the snapshot is just a step that makes it explicit in code instead of implicit.
Where does the apt update connect to? If it is an up-to-date package repo you get fixes. However, there are lots of reasons it would not. You'd better know if this is your plan.
You get fixes that were current at docker build time, but I think GP is referring to fixes that appear in the apt repo after your docker container is deployed.
If you've pulled in a dependency from outside the base image, there will be no new base image version to alert you to an update of that external dependency. Unless your container regularly runs something like apt update && apt list --upgradable, you will be unaware of security fixes newly available from apt.
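The check the comment above describes (apt update plus a look at what is upgradable), as an added example that is not part of the thread: a small POSIX sh script that parses the line format emitted by `apt list --upgradable` on Debian/Ubuntu and counts pending upgrades, optionally only those coming from a security suite. The package names, versions and suites in the sample are constructed; the `bookworm-security` suite name and the `/lib` paths are assumptions about a Debian 12 based image.

```shell
#!/bin/sh
# Added example, not from the thread: a periodic check that runs inside a
# container and reports how many installed packages have newer versions in the
# configured apt repos. Parses the line format emitted by `apt list --upgradable`
# (Debian/Ubuntu), e.g.
#   openssl/bookworm-security 3.0.15-1~deb12u1 amd64 [upgradable from: 3.0.11-1~deb12u2]
# Package names, versions and suites below are a constructed sample.

SAMPLE_APT_LIST='Listing... Done
libssl3/bookworm-security 3.0.15-1~deb12u1 amd64 [upgradable from: 3.0.11-1~deb12u2]
openssl/bookworm-security 3.0.15-1~deb12u1 amd64 [upgradable from: 3.0.11-1~deb12u2]
curl/bookworm 7.88.1-10+deb12u8 amd64 [upgradable from: 7.88.1-10+deb12u5]'

# count_upgradable [SUITE]
# Reads `apt list --upgradable` output on stdin and prints the number of
# upgradable packages. With SUITE given (e.g. bookworm-security), only counts
# packages whose newer version comes from that suite, so plain point releases
# don't page anyone while security fixes do. The "Listing... Done" header
# carries no "[upgradable from:" marker and is skipped automatically.
count_upgradable() {
    suite="${1:-}"
    count=0
    while IFS= read -r line; do
        case "$line" in
            *"[upgradable from:"*)
                if [ -z "$suite" ]; then
                    count=$((count + 1))
                else
                    case "$line" in
                        */"$suite "*) count=$((count + 1)) ;;
                    esac
                fi
                ;;
        esac
    done
    printf '%s\n' "$count"
}

# no_pending_upgrades [SUITE]
# Same input; exit status 0 when nothing is pending, 1 otherwise, so it can be
# wired into a health check or cron job that flags the image for a rebuild.
no_pending_upgrades() {
    [ "$(count_upgradable "$@")" = "0" ]
}

# Live use inside a running container (needs network access to the apt mirror
# and permission to write the apt lists directory):
#   apt-get update -qq && apt list --upgradable 2>/dev/null \
#       | no_pending_upgrades bookworm-security || echo "security upgrades pending: rebuild image"
#
# Stand-alone demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_APT_LIST" | count_upgradable                    # prints 3
#   printf '%s\n' "$SAMPLE_APT_LIST" | count_upgradable bookworm-security  # prints 2
```

Note that this only tells you what the image's own apt sources know about; if the sources are pinned to a snapshot, the check will happily report nothing pending until the snapshot pin itself is moved forward, which is exactly the explicit step the thread is arguing for.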
Don't worry, it's no better on iOS, where I too have an English+French QWERTY setup, and where it too frequently decides to "helpfully" correct using an English dictionary several words into an unambiguously French sentence; or the other way around, depending on wind direction and age of the captain.
Even more damning is that there seem to be three independent layers to the feature ("three suggestions" area above keyboard, autocorrect-as-you-type, correction popup as you touch a word) and none of them agree with each other about which language it should be using.
- it's non-obvious that the second mechanism (a file picker) is a permission granting mechanism.
- it's non-obvious that the second mechanism (a file picker) is a permission granting mechanism whose permission survives the action context that triggered the file picker (e.g. "pick a folder to do action A" also magically imbues similarly gated actions B C D and Z with access to that folder, possibly non-interactively even).
- it's non-obvious that the second mechanism (a file picker) is a permission granting mechanism whose permission propagates to an action gated by the first mechanism, a first mechanism for which "Yes" means yes but "No" means "Maybe, depending on past unrelated actions that triggered an unrelated permission mechanism"
This is a result of trying to retrofit a series of tighter security measures on top of a system that was not originally designed for them, in a way that is both understandable to users but also doesn't break back-compat with APIs (and therefore a lot of existing third-party apps that are seldom updated) too badly. I'm not saying Apple did a perfect job here, but it's a hard problem.
Yes, the problem could probably be "solved" by adding more UI, but "more UI" is not always a good solution. The more UI that exists, the less likely the user is to successfully navigate it. On the other hand, adding additional complexity to an existing UI is also fraught with potential for new bugs and edge cases. Again, not defending the status quo, but I can see how it might have ended up like this.
This is worth spending more time on trying to improve, and perhaps it is reasonable to expect better from an almost-$4tn company. But at the same time, a potential solution is far from easy or obvious, and there is a risk of making things worse if not done with an extreme level of thought and consideration.
(Alternate pessimistic take: A large number of users don't care or read anything, they just click "allow" on anything that gets in their way. A smaller set of users are terrified and disgusted by repeated invasions of their privacy and click "deny" on everything. None of these implementations are doing any good for either group. The allow/deny design pattern is badly broken and in need of rethinking.)
Very personal counterpoint: I find Stross writing extremely bland, contrived, and badly paced.
I really really disliked Accelerando in particular, finding it completely vacuous; the sciencey namedrops are self-aggrandising and sound like attempts at reader flattery, the entire plot is telegraphed, characters are generic and perfectly forgettable.
It was several friends' recommendation and I only kept reading through the whole ordeal because whenever I asked "well I'm about there and it doesn't click" they answered "no spoiler, just a dozen pages and you'll see!"
Not a critic, again this is my personal experience of it. If people enjoyed it, more power to them.
> Phone companies have decided you don't need that feature.
But actually, they can easily implement a nice UI in the settings for the firewall and lock it behind a password, then parents would be able to use it to block individual websites.
iOS: Settings > Screen Time > Content & Privacy Restrictions > Toggle on
Then same area:
- App Installations & Purchases: disallow all
- App Store, Media, Web & Games > Web Content > Limit Adult Websites > Fill in allowlist and/or denylist, or Only Approved Websites and fill in allowlist
Apple is indeed better than most other companies on #2. But that's because it's the worst offender on #1. Its strategy is to appear to be the model company that cares about user rights and privacy, in hopes of capturing everyone in their closed-source walled garden that's already surveilling you at the OS level.
They're a part of the corp-gov surveillance complex [0]. This is the real threat behind the age verification push. The feds already have mass surveillance capabilities in iOS and macOS, and even Windows and most Android distros, but not on most open-source Linux distros, so they're starting to force it legally in the open. They're desperate because Linux is about to outcompete the enshittified Windows on desktops.
My workaround was to restore pre-notch behaviour by picking a resolution from the "show all resolutions" list that is conveniently+ exactly screen res height minus notch height.
I theoretically "lose" that much height but gain a) zero notch b) non-rounded top corners and c) a traditionally heighted menubar instead of the giant one that is so big only to cater for the notch.
+ I thought this was thanks to BetterDisplay but it turns out no third party tool is needed and it's all first party probably because someone at Apple is as annoyed by the notch as I was and so that's their solution.
I think it is because they want to send apps a resolution list that includes or excludes the notch area to choose from for full screen modes (eg in games). Selecting "show all resolutions" basically shows this list.
Definitely better now with their new "opensource" driver.
I still ran into a few snags:
- DKMS can break, e.g. I had a kernel bump to 6.18 or 6.19 and the nvidia driver wasn't ready yet so the build failed. A mainline driver will always win this one.
- Suspend almost always works, but sometimes fails on lid close which is of course when you can't see it fail and my laptop battery dies unexpectedly. You'd say use hybrid sleep but that reliably always fails with the nvidia driver too. Both work flawlessly with Nouveau.
Since I don't need the extra perf on this laptop I just use Nouveau to drive the dGPU + the AMD iGPU most of the time, which is powerful enough for my non-desk needs.
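The DKMS failure mode in the list above (new kernel installed, out-of-tree module not built for it, discovered only after reboot) can be checked for before rebooting. The following is an added example, not code from the commenter or from DKMS: a POSIX sh function that parses `dkms status` output and reports whether a given module is in state "installed" for a given kernel. The module version, kernel strings and the `/lib/modules` lookup are constructed or assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the comment above: before rebooting into a freshly
# installed kernel, check that DKMS actually built and installed the out-of-tree
# module for it, rather than finding out at a black screen. Parses `dkms status`
# lines, which look like
#   nvidia/550.120.07, 6.12.9-amd64, x86_64: installed      (dkms 3.x)
#   nvidia, 550.120.07, 6.12.9-amd64, x86_64: installed     (older dkms)
# Module versions and kernel strings below are a constructed sample; "added"
# is the state DKMS reports when the source is registered but never built.

SAMPLE_DKMS_STATUS='nvidia/550.120.07, 6.12.9-amd64, x86_64: installed
nvidia/550.120.07, 6.18.0-amd64, x86_64: added'

# dkms_module_installed MODULE KERNEL
# Reads `dkms status` output on stdin; returns 0 if MODULE is in state
# "installed" for KERNEL, 1 otherwise (no entry at all, or only "added"/"built").
# Accepts both the "module/version" and the older "module, version" forms.
dkms_module_installed() {
    module="$1"; kernel="$2"
    while IFS= read -r line; do
        case "$line" in
            "$module"[/,]*", $kernel, "*": installed"*) return 0 ;;
        esac
    done
    return 1
}

# Real use: KERNEL is the version you are about to boot, not `uname -r`, which
# is the kernel you are running now. Picking the newest directory under
# /lib/modules is an assumption that fits Debian-style layouts:
#   next_kernel="$(ls -1 /lib/modules | sort -V | tail -n 1)"
#   dkms status | dkms_module_installed nvidia "$next_kernel" \
#       || echo "nvidia not installed for $next_kernel: keep the old kernel entry or fall back to nouveau"
#
# Stand-alone demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_DKMS_STATUS" | dkms_module_installed nvidia 6.12.9-amd64 && echo ok   # ok
#   printf '%s\n' "$SAMPLE_DKMS_STATUS" | dkms_module_installed nvidia 6.18.0-amd64 || echo missing  # missing
```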
Agree on both counts. I use Debian unstable and it's usually 50/50 on whether the machine will reboot to a working display after a kernel upgrade. Very easy to fix if you have a bit of knowledge, but certainly not ready for the general public.
I don't have a laptop with an nvidia card, but I often suspend the Linux gaming machine in my living room, and sometimes it doesn't come back from sleep, while my Steam Deck has never failed to.