Difference between revisions of "Regressions Of GNU\Linux"
Revision as of 21:40, 26 December 2020
Change is not always for the better. This page chronicles bull*$&! that has come down the Linux pipeline.
http://web.archive.org/web/http://www.ariel.com.au/jokes/The_Evolution_of_a_Programmer.html
Debian
Predictable Network Interface Names
Someone has controversially decided that it is better for systems to have obtuse and confusing ethernet and wireless interface abbreviations such as enp0s25 instead of eth0. Remember this makes things simpler, and easier for people (but who?).
In reality, most people get the shaft, and perhaps 10% (a small proportion) of users benefit. This raises the bar for entry level people to get started. Adding unnecessary complexity to Linux.
Apt instead of Apt-get
This is tentative, based on whether they remove support for apt-get. If that is the end goal, then this will be a valid regression; until then, they live side by side. I don't need apt, when apt-get does the job. Needless changes. There must be something more important to do than this.
Debian 10: iptables has been replaced with nftables, after nearly 20 years
"Those are some great firewall rules you've configured there. It would be a shame if someone was to make them obsolete."
It started with Ipchains in 1998. In 2000, there was the last stable release of ipchains, which means if not by then, shortly after iptables took over. It's been 19, 19 years since then. Suddenly now, a new firewall is needed. Is this necessary for most people? That is the question.
From Wikipedia https://en.m.wikipedia.org/wiki/Nftables
A command to drop any packets with the destination IP address 1.2.3.4:
iptables was:
iptables -A OUTPUT -d 1.2.3.4 -j DROP
nftables now is:
nft add rule ip filter output ip daddr 1.2.3.4 drop
More complex. Fail. EDIT: in hindsight, it's come to my attention that most common nft commands will have the format of "nft add rule" something something, so essentially, you are only memorizing everything after "nft add rule". That makes it a bit better, but still a hurdle that average folks will have to get over. An initial look at the long string of nft commands is bound to cause people to lock up, and not be able to process anything further. Smoke and mirrors. Regardless, the accurate comparison is then:
"cmd" -A OUTPUT -d 1.2.3.4 -j DROP
and
"cmd" ip filter output ip daddr 1.2.3.4 drop
It's apparent that the firewall has tried to become more self-describing, which can be a good thing. Perhaps a more self-describing nature will elucidate people on the actual workings of the firewall better. That would be the ideal. I haven't used it yet enough to say.
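To make the comparison above concrete, here is an added example (not from the wiki page) that mechanically rewrites the iptables form into the nft form; it handles only the chain, source, destination, protocol, port and verdict options, assumes the `filter` table as the page does, and rejects anything it does not recognise rather than guessing.

```python
import shlex

# Added example, not from the wiki page: a small translator from the iptables
# syntax quoted above to the nft syntax that replaced it. Only the matches
# involved in the page's comparison plus a few common ones are handled (chain,
# source, destination, protocol, port, verdict); anything else is rejected
# rather than guessed. The 'filter' table name is assumed, as in the page.

VERDICTS = {"DROP": "drop", "ACCEPT": "accept", "REJECT": "reject"}

def iptables_to_nft(cmd: str, table: str = "filter") -> str:
    """Translate 'iptables -A CHAIN <matches> -j TARGET' to 'nft add rule ...'."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "iptables":
        raise ValueError("expected an iptables command")
    chain = verdict = proto = None
    matches = []
    i = 1
    while i < len(argv):
        opt = argv[i]
        if i + 1 >= len(argv):
            raise ValueError(f"missing value for {opt}")
        val = argv[i + 1]
        if opt in ("-A", "--append"):
            chain = val.lower()            # nft chains are conventionally lower case
        elif opt in ("-d", "--destination"):
            matches.append(f"ip daddr {val}")
        elif opt in ("-s", "--source"):
            matches.append(f"ip saddr {val}")
        elif opt in ("-p", "--protocol"):
            proto = val.lower()
        elif opt == "--dport":
            if proto not in ("tcp", "udp"):
                raise ValueError("--dport needs -p tcp or -p udp first")
            matches.append(f"{proto} dport {val}")
        elif opt in ("-j", "--jump"):
            if val not in VERDICTS:
                raise ValueError(f"unsupported target {val}")
            verdict = VERDICTS[val]
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    if chain is None or verdict is None:
        raise ValueError("rule needs both a chain (-A) and a target (-j)")
    if proto and not any(m.startswith(proto + " ") for m in matches):
        matches.append(f"ip protocol {proto}")   # -p given without a port match
    return " ".join(["nft add rule ip", table, chain] + matches + [verdict])
```

Feeding it the page's own rule returns exactly the nft line quoted above.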
With one fell swoop, thousands of iptables scripts and programs that use iptables were broken. Note: technically iptables-legacy can be used. At least for now. Woe is the day support is removed for that.
As an example, in 2020/10 this has bitten me with https://github.com/fail2ban/fail2ban/issues/2741
Fail2ban don't attempt to execute nft file. I tried to add full path to nft in config file. No luck... Please be aware that due to ipv6 support (see #1742) fail2ban executes actionstart on demand (by first ban, family dependent). So by design you'd not see nft called unless first ban occurs.
Existing fail2ban functionality has been changed: when fail2ban started, a new table f2b-sshd (or f2b-whatever) used to be created; now apparently it is not created until the first account is added to the banlist. This leads the admin to think fail2ban isn't working when the table doesn't exist. This results in lost time.
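A check that tells the two situations apart (table not created yet because nothing has been banned, versus bans recorded but no table), as an added example that is neither fail2ban's code nor from the wiki page; it takes the text of `nft list tables` and of `fail2ban-client status <jail>`, assumes the f2b-<jail> table naming the page describes, and uses constructed sample outputs.

```python
import re

# Added example, not fail2ban's own code and not from the wiki page. Given the
# output of `nft list tables` and of `fail2ban-client status <jail>`, decide
# whether a missing f2b-<jail> table is the lazy creation described above (the
# table only appears on the first ban) or a real failure. The f2b-<jail> naming
# follows the page's text; both sample outputs below are constructed.

BANNED_RE = re.compile(r"Currently banned:\s*(\d+)")

def parse_nft_tables(output: str) -> set:
    """Collect table names from lines of the form 'table <family> <name>'."""
    tables = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "table":
            tables.add(parts[2])
    return tables

def parse_currently_banned(status_output: str) -> int:
    """Extract the 'Currently banned' count from fail2ban-client status output."""
    match = BANNED_RE.search(status_output)
    if match is None:
        raise ValueError("no 'Currently banned' line in status output")
    return int(match.group(1))

def diagnose_jail(jail: str, nft_tables_output: str, status_output: str) -> str:
    """Return 'ok', 'pending-first-ban' or 'broken' for one jail."""
    table_present = f"f2b-{jail}" in parse_nft_tables(nft_tables_output)
    banned = parse_currently_banned(status_output)
    if table_present:
        return "ok"
    if banned == 0:
        # actionstart has not run yet, so an absent table is expected here
        return "pending-first-ban"
    # bans are recorded but no table exists: the nft action really failed
    return "broken"

# constructed sample outputs
SAMPLE_NFT_TABLES = "table inet filter\ntable ip f2b-apache-auth\n"

SAMPLE_STATUS_NO_BANS = """Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     5
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
"""

SAMPLE_STATUS_TWO_BANS = SAMPLE_STATUS_NO_BANS.replace("Currently banned: 0", "Currently banned: 2")
```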
ifconfig replaced with ip
ifconfig is simpler to use, and easier to view for basic NIC information, or for setting an IP (ifconfig eth# 192.168.1.2 netmask 255.255.255.0). ip is unnecessary complexity for most use cases. This raises the bar for entry level people to get started. Adding unnecessary complexity to Linux.
ifconfig remains in /sbin/ifconfig, and requires root but the effort has been made to obsolete it. Don't change, what doesn't need to change.
/etc/resolv.conf deprecated
All you should need for DNS is a one line text file that points to a DNS server. Put that in /etc/resolv.conf. The simplicity of that is a threat to more obtuse OS, therefore there will be an effort to complicate it. This raises the bar for entry level people to get started. Adding unnecessary complexity to Linux.
Aptitude Descriptions
debian 8: aptitude show openssl
Package: openssl
State: installed
Automatically installed: no
Version: 1.0.2k-1~bpo8+1
Priority: optional
Section: utils
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Architecture: amd64
Uncompressed Size: 1,090 k
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.2~beta3)
Suggests: ca-certificates
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL and TLS cryptographic protocols for secure communication over the Internet.
 It contains the general-purpose command line binary /usr/bin/openssl, useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.

debian 10: aptitude show openssl
Package: openssl
Version: 1.1.1d-0+deb10u3
State: installed
Automatically installed: no
Multi-Arch: foreign
Priority: optional
Section: utils
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Architecture: amd64
Uncompressed Size: 1,495 k
Depends: libc6 (>= 2.15), libssl1.1 (>= 1.1.1)
Suggests: ca-certificates
Description: Secure Sockets Layer toolkit - cryptographic utility
Homepage: https://www.openssl.org/
Tags: implemented-in::c, interface::commandline, protocol::ssl, role::program, scope::utility, security::cryptography, security::integrity, use::checking
Ubuntu
Dropping Support for i386
Some distributions are dropping intel 32-bit support. With one fell swoop, hundreds of thousands of laptops and desktops made before 2006 and 2007 lost the ability to use modern OS. EDIT: this was taken back, temporarily. It stands, that some OS must support 32 bit i386, otherwise a lot of devices will be headed to landfills.
Setting up Networking has become more complicated
What was (/etc/network/interfaces):
auto eth0
iface eth0 inet static
    address 10.0.0.100
    netmask 255.255.255.0
    gateway 10.0.0.1
Example taken directly from http://web.archive.org/web/20150916101112/https://help.ubuntu.com/lts/serverguide/network-configuration.html. For DNS, a one-liner in /etc/resolv.conf will suffice.
Now is (with netplan.io):
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 10.10.10.2/24
      gateway4: 10.10.10.1
      nameservers:
        search: [mydomain, otherdomain]
        addresses: [10.10.10.1, 1.1.1.1]
Example direct from http://web.archive.org/web/20190905160853/https://help.ubuntu.com/lts/serverguide/network-configuration.html
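To see what the two formats have in common, here is an added example (not from the Ubuntu guide or the wiki page) that parses the /etc/network/interfaces stanza quoted above and builds the equivalent netplan structure; nameservers are passed in separately, standing in for the one-line /etc/resolv.conf the page prefers, and the sample stanza is the page's own.

```python
import ipaddress

# Added example, not from the Ubuntu guide or the wiki page: parse the
# /etc/network/interfaces stanza quoted above and build the equivalent netplan
# structure, so the two formats can be compared field by field. Nameservers are
# passed in separately, mirroring the page's point that DNS used to be a one
# liner in /etc/resolv.conf. The sample stanza is the page's own example.

INTERFACES_SAMPLE = """auto eth0
iface eth0 inet static
    address 10.0.0.100
    netmask 255.255.255.0
    gateway 10.0.0.1
"""

def parse_interfaces(text: str) -> dict:
    """Return {iface: {option: value}} for each 'iface' stanza in the file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            current = parts[1]
            stanzas[current] = {"method": parts[3]}   # e.g. 'static', 'dhcp', 'loopback'
        elif parts[0] in ("auto", "allow-hotplug"):
            continue   # netplan brings every configured interface up by itself
        elif current is not None:
            stanzas[current][parts[0]] = " ".join(parts[1:])
    return stanzas

def to_netplan(stanzas: dict, nameservers=()) -> dict:
    """Build a netplan v2 dict from parsed 'inet static' stanzas (others are skipped)."""
    ethernets = {}
    for name, opts in stanzas.items():
        if opts.get("method") != "static" or "address" not in opts:
            continue
        # netplan wants CIDR notation; ip_interface converts a dotted netmask
        cidr = ipaddress.ip_interface(f"{opts['address']}/{opts.get('netmask', '32')}")
        entry = {"addresses": [str(cidr)]}
        if "gateway" in opts:
            entry["gateway4"] = opts["gateway"]
        if nameservers:
            entry["nameservers"] = {"addresses": list(nameservers)}
        ethernets[name] = entry
    return {"network": {"version": 2, "renderer": "networkd", "ethernets": ethernets}}
```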
GNU\Linux has been and is being obfuscated.
SystemD fail
A plot to make linux worse, which was brought into all the major distributions through the back door. It deserves its own section.
Reboot fail
In Ubuntu 19.04, reboot can take upwards of 5-10 minutes to actually reboot the computer. Note that this occurs in only SystemD based distributions. A similar Debian (9 or 10) w/sysvinit reboots within 10-15 seconds.
I thought I would test systemd, so I installed Zoneminder on Ubuntu 19.04, and it demonstrates this problem. After witnessing the lifeforce of my computer being ripped out by this init, I threw the towel in and installed Devuan.
For the record, I also noticed the system to run noticeably slower. CCTV is a good benchmark for a server, as it involves a lot of CPU usage, unlike many file servers, or db servers.
Example Error when Trying to Reboot
user@host:~$ systemctl reboot
Error getting authority: Error initializing authority: Error sending credentials: Error sending message: Broken pipe (g-io-error-quark, 44)
Failed to set wall message, ignoring: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
Failed to reboot system via logind: Connection timed out
Failed to start reboot.target: Connection timed out
See system logs and 'systemctl status reboot.target' for details.
It is possible to perform action directly, see discussion of --force --force in man:systemctl(1).
user@host:~$
And it will now take my machine 5-10 minutes to reboot.
External Links
- LinuxCNC FAIL: LinuxCNC broken because systemd can't do NTP right. In 2019/2020: Years after it is the default init...
- Nosystemd.org: More details on why this init is bad.
Udev requires reboots after Ubuntu 14
When I started using Linux distributions one of the things I noticed was how well updates were handled, compared to proprietary software. No forced reboots, no update screens that leave the user waiting. You can use your computer while it's updating. This statement ("Linux never needs to reboot when it updates") changed with udev requiring a reboot in Debian 8 or 9 occasionally (However, it's still extremely rare).
Misc
GIMP 2.10 Icons and Theme Disaster
For reference see: https://www.gimp.org/release-notes/gimp-2.10.html
A light grey theme with colourful icons that transmit information quickly has been turned into a dark grey (read: hard to see) theme with a mass of all-looking-the-same grey icons that not only reinvent how you find the tool you wanted, but also fail to transmit information as effectively. If color TV is good, black and white is better?
I consider this software on watch. As of now you can revert to the legacy theme (they call it 'legacy' instead of classic. Interesting word choice. Legacy implies deprecation. Classic implies value), so it's ok, for now. But if these all-looking-the-same monochrome icons become default, it will be a regression.
Mozilla Shuts Down IRC
https://wiki.mozilla.org/IRC
Would you like some support for your mozilla? Just use your social media acct to login to our great matrix (whatever the hell that is) server.
Device Tree Bindings
ARM. Sounds like a good idea, except you need a different ISO for each single ARM CPU. Unlike the intel i386 which you can use one single ISO for ANY desktop/laptop.
ARM is fail. DTB is busy work, and fail.
This is one reason why Android is a failure.
It looks like unfortunately that RISCV will also follow this path. https://forums.sifive.com/t/will-riscv-avoid-the-linux-mainlining-mess-that-arm-had/1615
https://github.com/riscv/riscv-device-tree-doc
EOMA68 devs have abandoned RISCV in favor of IBM's power CPU. Perhaps this is the right choice. RISCV may end up being not-worth-the-effort.
quote
Many embedded systems use less fancy buses that don't support enumeration. This was true on PC up to the mid-1990s, before PCI overtook ISA. Most ARM systems, in particular, have buses that don't support enumeration. This is also the case with some embedded x86 systems that don't follow the PC architecture. Without enumeration, the operating system has to be told what devices are present and how to access them. The device tree is a standard format to represent this information. The main reason PC buses support discovery is that they're designed to allow a modular architecture where devices can be added and removed, e.g. adding an extension card into a PC or connecting a cable on an external port. Embedded systems typically have a fixed set of devices¹, and an operating system that's pre-loaded by the manufacturer and doesn't get replaced, so enumeration is not necessary.
Well guess what - It's necessary now.