> MakuluLinux is not just an OS with a backdoor. It's a delivery vehicle for a centralized AI-as-a-service platform.
But to the actual article point; it looks like this OS is designed to have these "integration features" that depend on a 3rd party connection. They could obviously be better - But the intent of them is very similar to how Android, Windows, or MacOS operate.
The only person in the world you know can have shame is yourself. As for anyone else, you can only assume they do not have it, or are trying to trick you to feel shame to take advantage of you.
If you want said articles to feel ashamed, then they'll have to stop getting upvoted on HN. Otherwise they are here to stay.
Was there any analysis on what the binaries do, because it could theoretically be a really badly implemented 'check for updates'.
Though I'm tempted to believe it is all part of a big scam :)
Browsing to their github is also interesting, no source anywhere, a few empty repos with a LICENSE.txt or README.md, but nothing of value.
Lots of cool stuff that I happily use, but the bar to installing something that gets to see my password (OS, terminal, input handler, etc) is very high.
Not a popular take, but I'd rather run something from Valve or Google for the same reason. I trust there to be more vetting if a corporation is putting its reputation on the product than a toy I found on GitHub.
It's a bit of a myth that open source leads to more eyes on the software. Most people just install it and trust that somebody else did the audit.
Something with a vibrant community of maintainers? Maybe.
Something that's too big to personally audit but too small for that community? I'll pass.
At least with open source you have a chance to prevent this. With proprietary it's pure trust.
It can happen anywhere, really
The problem isn't the open source (in fact, that's better). The problem is downloading random shit from the internet, and the biased assumption that open-source == trustworthy.
Debian repos are not NPM. Yes, the packages are actually vetted to some degree.
I agree, there are companies I'd trust but most software isn't made by Valve and Google. There are plenty of developers also not auditing their dependencies.
> D = G × S. If G ≠ 1, D = 0. No action is routed without verified authority. No exceptions.
W... what?
Beyond that, Gentoo, SuSE and a few others.
But generally, yes, be careful with what you install :)
But as a Gentoo / SuSE user, I'm also a little offended!
Then Slackware, Mandrake (Mandriva now), dipped my toes into RHEL and OG Fedora (had a Fedora 1 DVD) but eventually settled on Debian and haven't looked back.
Why? Because the path to the desired result from a big-name distro is frequently non-intuitive, often to the point that the user may not even realize it's possible. When something doesn't work as expected, the response isn't "I need to figure out which packages to install and what config files to change," it's "oh I guess this distro isn't what I'm looking for".
I think it would do an immense amount of good if the big distros did more to address this. If they made it such that a fresh install could be made to fit any remotely common use case and hardware combination with no more than 1-3 clicks that would make tiny distros much less appealing.
A handful of distros have the right idea by offering an install ISO with preconfigured proprietary Nvidia drivers for example, but even that could be improved upon by just rolling some heuristics into the stock install ISO to figure out if the user needs Nvidia drivers or not.
People generally want something that works, without tinkering - particularly on an entertainment device. I'll happily let Valve etc. pick the kernel and driver versions, set up the compositors, make the controllers work, etc.
My NixOS install is immutable, so I can trivially roll back any changes to my system/software/configs.
It has a lockfile so the versions of all of my software do not change _at all_ unless I tell it to. That lockfile doesn't just extend to the software I have installed but all the software that is used to build the software on my machine, so I can perfectly reproduce the same system with the same version of software compiled by the same exact versions of the compilers.
On NixOS you can trivially have many versions of any software or library installed on your system and use them all (for example, foo can depend on python 3.7.2, bar can depend on python 2.7.1, and baz can depend on python 3.14. They can all happily live on my machine. You can even have multiple copies of the same version of python but compiled with different flags if you want. On Arch Linux your only option for python right now is 3.14.2.)
On NixOS I can trivially run 1 command and generate a bootable ISO that has exactly the same software and configs that I have installed on my computer. This has been rather nice for repair/debugging USBs and for running virtual machines off the ISOs.
You're also missing:
- Gentoo (not based on any of the distros you listed)
- Chimera Linux which brings in the FreeBSD userland, musl libc, and Dinit
- Suse Linux (a pop music video cover band that also made some Linux distros. They were pretty big in the live kernel patching ("Don't reboot it just patch!"). Not based on any of the distros you listed)
For example, NixOS famously didn't require package maintainers to sign the artifacts they upload to NixOS's servers. (They still might not: it has been a year or two since I inquired.) The NixOS project considered it more important to make it easy for people to start maintaining NixOS packages (so that users would have a large selection of packages to choose from) than to have any kind of supply-chain integrity.
Maintaining a distro that is even remotely secure is a great deal of work, and the people that are willing to put in that work don't pick a distro to base their work on at random: they strongly tend to base their work on the distros that already have a pretty good security story, so for example the relatively new distro "Secureblue" is based on Fedora Atomic Desktop because Fedora already had for many years a pretty good security story. (E.g., it and RHEL are the only distros that use SELinux in any real way.)
The point is that it is probably going to be hard for NixOS to improve its security much because most Linux maintainers either do not care about security much or do not even realize that the security of all Linux distros is lacking (compared to ChromeOS, MacOS, iOS or Android). The small fraction of Linux maintainers willing to work on improving security and aware of the immensity of the task naturally tend to direct their work toward a distro and an ecosystem (e.g., Qubes, Kicksecure, Fedora or Debian) that has already been the target of much previous security-improving effort.
Apart from NixOS, Guix, Alpine, Void, SuSE, Gentoo, Slackware, PCLinuxOS, GoboLinux.....
> essentially just a package set + some wallpapers.
Not Ubuntu with a different support cycle, Mint and PopOS with their own DEs, Arch derivatives that are easier to install, Elementary with a DE and apps, Devuan with multiple init systems, ......
Fedora is bleeding edge not recommended for anything other than testing and is of corporate RedHat now owned by IBM and Arch is Gentoo's jealous cousin.
It's why I use FreeBSD and keeping close tabs on Haiku.
We have vastly different opinions on bleeding edge.
As for myself, I'm currently using FBSD16 for my colocated servers and desktop. I have been bleeding lately.
Location: Da Nang, Vietnam
I was wondering what I'd need to do to set myself up as a Da Nang resident. Why didn't I think of a backdoored Linux distribution?
mrbluecoat•1w ago
AI pentesters and fuzzers will soon be the norm. And that's a good thing.
pixl97•1w ago
AI is seemingly really good here on that. Be interested to watch how it performs on the more weird and uncommon security cases.