Isn’t the purpose getting views on youtube?

IDK about OP, but I would really love a CAPTCHA of sorts to screen all the spam/scam calls

Today will be another productive day!

Never used powershell (thanks heavens, I’ve not touched windows since windows 7). Is it similar to nushell?

Well, it’s not like by learning fish you’ll automatically forget bash :) but I do agree that you should learn bash first, then plain sh and only after those go explore other shells.

I love how “radical shells” sounds! :)

Powershell does this on Windows. May also work on Linux?

Yes: https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux

Should you choose to install it, it will bring the total of people running powershell on linux to one :)

(I’m kidding, of course, more or less)

beware fish shell syntax works drastically differently from other POSIX shells

Come on, that’s scaremongering :)

On interactive, day-to-day use, fish syntax is basically the same as bash or any other shell: you type your commands, hit enter and the command is run. Only when it comes to scripting (or writing complex one-liners, or copy-pasting stuff from the web) are there appreciable differences. In those cases, until one is accustomed to fish, running the command/script in bash is still an option.

Let me be 100% clear: yes, fish will complain if a wildcard doesn’t expand to anything, and there are other minor things that may impact typical interactive use. I’m just saying there is basically zero learning curve if you want to try fish and that you can just fire up bash if you hit a wall in a moment when you can’t afford to investigate because you need stuff done.

If I had to say, the most hassle with fish is that people assume you are running POSIX shell and so you have to know how to adapt instructions to your shell. For example, someone may say “add expor SOME_VAR=some_value to your .bashrc” and you need to be able to translate that to fish. Also, there is very specific software (in my system, it’s just sdkman, an utility that manages which java development tools are installed/available in a shell session) that only works in POSIX shells and needs some adapter for fish.

There’s AsteroidOS but I couldn’t find any of the supported watches (all quite old IIRC) at a reasonable price.

Gadgetbridge with some proprietary watch is fine privacy-wise (I had an Amazfit GTR3 pro, I needed to register an account with the Zapp app and use it once, but then uninstalled it once I got the required password and used Gadgetbridge exclusively).

Bangle and the Pine Watch are low-res and IMHO quite ugly compared to alternatives from big brands.

My bad for causing confusion: when I wrote “trusted signature” I should have said “trusted public key”.

The signatures in an apt repo need to be verified with some public key (you can think of signatures as hashes encrypted with some private key).

For the software you install from your distro’s “official” repo, that key came with the .iso back when you installed your system with (it may have been updated afterwards, but that’s beyond the point here).

When you install from third-party repos, you have to manually trust the key (IIRC in Ubuntu it’s something like curl <some-url> | sudo apt-key add -?). So, this key must be pre-shared (you usually get it from the dev’s website) and trusted.

That would be “a pre-shared trusted signature to check against”, and is seldom available (in the real world where people live - yes, there are imaginary/ideal worlds where PGP is widespread and widely used) :)

Installing a .deb is what I was thinking about.

Even a signed tarball is better than curl|sh.

If you have a pre-shared trusted signature to check against (like with your distro’s repos), yes. But… that’s obviously not the case since we are talking installing software from the developer’s website.

Whatever cryptografic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (ie. it would only check against transmission errors).

Binary packages have scripts (IIRC for .deb they are preinst/postinst to be run before/after installation and prerm/postrm before/after removal) that are run as root.

BTW the “unzip” part is also run as root, and a binary package can typically place stuff anywhere in your system (that’s their job after all)… even if you used literal zip files they could still install a script in ways that would cause the OS to execute it.

But you don’t have to develop anything.

I interpreted your “look for ways to do things separately” as “look for separate tools that do the various things” (and you have to integrate), but I see now that you meant “look for ways to do things differently”. My bad.

I’ve heard this over and over… what’s the difference security-wise between sudo running some install script and sudo installing a .deb (or whatever package format) ?

I don’t even understand why people like GitHub so much, its source management sucks.

It’s not that complicated… people use it because everyone has an account there and so your project gets more visibility (and your profile too, for those who plan to flex it when they look for the next job) and more contributions. Even a lot of projects that aren’t on github have some sort of mirror there for visibility.

Suppose you wanna contribute to gnu grep (or whatever)… do you happen to know off the top of your head where the source repo and bug tracker are? And do you know what’s the procedure to submit your patch?

If you are a company doing closed source, I agree that I don’t see why you would choose github over the myriad alternatives (including the self hosted ones).

Look for ways to do things separately and you will find much better tools

That’s a great way to spend your resources developing yet-another-source-forge-thingie instead of whatever your actual project/product is supposed to be :)

Yeah… does git have issue tracking? actions? C’mon: it’s not like github & co. are just git.

I bet that doesn’t exist: nobody would put work in a program that lets just restricts what you can do with zero usability advantages (ok someone might)

If you fear you might run unsafe commands just save whatever you are comfortable running in scripts and restrict yourself to run those instead of manually typing commands you don’t fully remember/understand.

BTW: topgrade will detect what needs updating in your system (your distro’s package manager, flatpak, python stuff, … whatever) and update all the things

BTW: “terminal emulator” is the program that shows you text in a window, the program that runs inside it and validates/interprets your commands is a “shell” (the one you are using is most probably bash)

Here’s what I get in fish when I start writing a rsync command and hit tab to ask for completions:

❱ rsync --append-verify --progress -avz -
-0  --from0                               (All *from/filter files are delimited by 0s)  --delete                   (Delete files that don’t exist on sender)
-4  --ipv4                                                               (Prefer IPv4)  --delete-after         (Receiver deletes after transfer, not before)
-6  --ipv6                                                               (Prefer IPv6)  --delete-before         (Receiver deletes before transfer (default))
-8  --8-bit-output                          (Leave high-bit chars unescaped in output)  --delete-delay                 (Find deletions during, delete after)
[more lines omitted]

I don’t see the reasoning in your answer (I do see its passive-aggressiveness, but chose to ignore it).

I asked “why?”; does your reply mean “because lack of manpower”, “because lack of skill” or something else entirely?

In case you are new to the FOSS world, that being “open source” doesn’t mean that something cannot be criticized or that people without the skill (or time!) to submit PRs must shut the fu*k up.

Those are outside Signal’s scope and depend entirely on your OS and your (or your sysadmin’s) security practices (eg. I’m almost sure in linux you need extra privileges for those things on top of just read access to the user’s home directory).

The point is, why didn’t the Signal devs code it the proper way and obtain the credentials every time (interactively from the user or automatically via the OS password manager) instead of just storing them in plain text?