Helmut10001, 5 days ago:
I don't trust Windows with my SSH keys. For about 2 years, I have been actively preparing my final migration to Linux. There's some Windows software left that I need to replace before this move is possible, but I am close.
gregoryl, 5 days ago:
Just pull the trigger. A surprisingly large amount of software just works on Wine. I'm a C# dev with near 20 years experience, and I finally got the shits with advertising in the start menu. Arch Linux, because I figured why not do it properly? I game a fair bit, and find most things on Steam just work.
samuell, 5 days ago:
Wine can be a bit of a headache if you are on a distro that is a couple of years old, as it can make it harder to install newer Wine versions. But I found that the Bottles project pretty much solves this by installing everything in some kind of sandboxed environment: https://usebottles.com/ https://github.com/bottlesdevs/Bottles It has worked wonderfully for the few cases where plain Wine failed.
1oooqooq, 5 days ago:
Bottles is garbage. I mean Wine is extremely dangerous too... but Bottles lies, and that makes it more dangerous. They don't have a sandbox. Only if you install the Flatpak AND DISABLE SOME CONVENIENCES do you actually get something I'd call a safe sandbox. But their site lies and makes you feel safe while being extremely vulnerable installing cracked games (which is what everyone used bubble for).
pepa65, 4 days ago:
Too bad it's only Flatpak, I'd try it out if it had an AppImage.
magnat, 5 days ago:
> I'm a c# dev with near 20 years experience
Which IDE do you use? JetBrains Rider?
seabrookmx, 5 days ago:
Not the person you asked, but I'm in a similar boat (15 years, polyglot but a lot of C#). I mostly use VS Code to be honest. I use VS Code for other languages, and for a long time it was the only graphical editor to have good remote development (over SSH) support. Rider has that feature now though and is pretty nice too. I typically jump over to it when I need to profile something, as it integrates with dotTrace. If you're coming from full-fat Visual Studio you'll probably prefer Rider.
gregoryl, 5 days ago:
Rider; however, that's on a Windows work machine. We are a solid way toward getting a Linux/Mac dev env going; maybe 30% is netstandard2.0, 10% is net9, the remainder net472 (including an old school non-SDK web app on IIS). Maybe ~ million LOC in its 14 year lifespan. My personal dev is shifting to Rust.
Bender, 5 days ago:
I agree with you and just wanted to add that, for what it's worth, one can optionally limit where ssh keys are useful by adding network restrictions on the public key / server side. e.g.

    grep AuthorizedKeysFile /etc/ssh/sshd_config
    AuthorizedKeysFile /etc/ssh/keys/%u
    cat /etc/ssh/keys/bender
    from="[192.redacted]/24,[redacted]/20" ssh-ed25519 AAAAC[snip...] comment

or wherever your system is configured to look for public keys, typically /home/username/.ssh/id_dsa.pub. I use a different location. Even being really broad like adding a /16 or /8 for a home ISP is still better than allowing the entire internet. This can also be useful where machine-to-machine ssh keys are utilized: one can limit the access to that network so that, should keys leak, the potential blast radius of damage is reduced. For example, the keys for an Ansible account can be restricted to the Primary/Secondary Ansible server IP addresses or at the very least the CIDR block(s) of the network(s) they reside in. Broad restrictions are not perfect, but perfect is the enemy of good or good enough. An example use case would be that, let's say, a contractor from Microsoft tries one of your keys. Your restriction limits the key validity to 24.0.0.0/8 and they are coming from 207.0.0.0/8. They will be denied ("Authentication refused") and you now have log entries that can be shared with their fraud department, the world, whomever. Obviously the tighter the restrictions the better, at the risk of requiring a static IPv4 or IPv6 address if too tight. One can always have lighter restrictions on a fall-back account that requires additional hoops to sudo / doas / su.
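As an added illustration (not Bender's code, and not OpenSSH's) of how sshd evaluates a from= option like the one above, the following Python models OpenSSH's address pattern-list matching: comma-separated CIDR blocks or addresses tested against the client IP, a "!" prefix that rejects the key outright even if another pattern matches, and a */? wildcard fallback for non-CIDR text. Reverse-DNS hostname patterns and backslash escapes in quoted values are not modelled, and the sample file, address ranges and key blob are constructed placeholders.

```python
import ipaddress
from fnmatch import fnmatchcase
def split_options(line):
    """Options field -> (options, rest); commas inside double quotes do not split."""
    opts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted                    # quotes delimit the value, keep them out
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif ch.isspace() and not quoted:          # first unquoted blank ends the options
            return opts + [cur], line[i:].strip()
        else:
            cur += ch
    return opts + [cur], ""
def from_patterns(line):
    """from= pattern list of one authorized_keys line, None if the key is unrestricted."""
    has_options = not line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-"))
    for opt in split_options(line)[0] if has_options else []:
        if opt.lower().startswith("from="):
            return opt[5:].split(",")
    return None
def addr_match_list(client_ip, patterns):
    """OpenSSH addr_match_list semantics: 1 match, -1 negated match (rejects the key
    even if another pattern matches), 0 no match. Non-CIDR text uses */? wildcards."""
    addr, result = ipaddress.ip_address(client_ip), 0
    for pat in patterns:
        negated, body = pat.startswith("!"), pat.lstrip("!")
        try:
            hit = addr in ipaddress.ip_network(body, strict=False)
        except ValueError:                         # not an address/CIDR: wildcard text match
            hit = fnmatchcase(client_ip, body)
        if hit and negated:
            return -1
        result = 1 if hit else result
    return result
def keys_accepted_from(authorized_keys_text, client_ip):
    """Comment field of every entry sshd would accept from client_ip."""
    accepted = []
    for line in (l for l in authorized_keys_text.splitlines() if l.strip() and l.lstrip()[:1] != "#"):
        patterns = from_patterns(line)
        if patterns is None or addr_match_list(client_ip, patterns) == 1:
            accepted.append(line.split()[-1])      # assumes each entry ends with a comment
    return accepted
# Constructed sample: documentation address ranges and a placeholder key blob.
SAMPLE = """\
ssh-ed25519 AAAAC3PLACEHOLDERKEY laptop
from="192.0.2.0/24,198.51.100.0/20" ssh-ed25519 AAAAC3PLACEHOLDERKEY home
from="!203.0.113.7,203.0.113.0/24",no-pty ssh-ed25519 AAAAC3PLACEHOLDERKEY ansible
"""
```

Running keys_accepted_from over a real authorized_keys file with the address of each host that should hold the key shows which keys still work from anywhere, i.e. which ones an attacker could use from any network if they leaked.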
mystifyingpoi, 5 days ago:
Is such paranoia warranted? Millions of corporate laptops run Windows 11 just fine. I know M$ is evil and spying on you, but not to such a degree.
miahi, 5 days ago:
Having a Windows 11 corporate laptop with a domain/Entra login, I actually trust it more than a home Windows 11 with a Microsoft account. Because if I lock myself out, I have a contact (corporate support) that is actually interested in helping me recover everything. With a Microsoft account it's a mess. I had so many problems with Microsoft accounts that I lost count of how many I have, and most are broken in some way, because of different issues and different service integrations over time. The Skype account is now useless. I never recovered my paid Minecraft account after one event. With a machine with a local account, now I have to be very careful about what I click related to MS accounts, because while trying to solve various issues with Teams, I managed to get the local account linked with that MS account. I spent hours trying to recover a different account after I randomly filled in one nagging question about birth date - who wants to give the real birth date to Microsoft - and then I got locked out because I said I was underage :). So yes, one of the big issues is the push to have a linked OS account where you have to rely on MS support to solve your issues, otherwise you basically get locked out of your machine and other things you paid for. Also, domain policies offer more control over the corporate PCs (this is how some of the MS spying is shut off on corporate PCs; it's debatable if the corporate spying added by other domain policies is an improvement).
RyanHamilton, 5 days ago:
I have to agree, I've also suffered account problems. I was locked out from an email address I used for 20 years. It refuses to take my password, which is still valid. I've changed phone number since 20 years ago so can't use that, and the security questions were nonsense as I was a teenager. Originally my account never had a phone number; they insisted I add it when they integrated my Skype account perhaps. So I didn't expect access to that phone number to be a strong ongoing requirement.
JdeBP, 5 days ago:
I recently, by playing around with the LAN's default PAC file and a dummy HTTP server, discovered that on a machine that says in System Settings that Proxy Auto-Discovery is turned off, the PAC file is still fetched and used by a too-large number of Microsoft/Google background auto-update services, from Windows Update to Office.
* https://mastodonapp.uk/@JdeBP/114693762493884550
I had been lucky through having done my own experimentation, decades ago, with setting up a default PAC file on the LAN and having left it in just-send-everything-directly mode, keeping it as I upgraded things on the LAN, all of these years. Because otherwise I would have been vulnerable to a third party in the search path for years, on a machine that clearly and unequivocally, including per direct inspection of the setting in the registry, has this switched off.
* https://jdebp.uk/FGA/web-browser-auto-proxy-configuration.ht...
sshine, 5 days ago:
> Is such paranoia warranted? Millions of corporate laptops run Windows 11 just fine.
Yes. With Windows Recall data mining surveillance screenshots taken every 5-7 seconds, completely disregarding if this may compromise your security, safety or privacy, we move from "you're the product" to "you're a pet in a zoo, and we want to learn from your behavior."
> I know M$ is evil and spying on you, but not to such degree.
I mean, they could be recording every second. I'm pretty sure that's a bandwidth issue. Not because they really feel like giving you 3-4 second pockets of security, safety and privacy.
TiredOfLife, 5 days ago:
I can't wait for the AI overlords to take over. Maybe then we can finally be free from people spreading misinformation and FUD.
delfinom, 5 days ago:
> Windows Recall data mining surveillance screenshots
Some of you people are just too far gone to turn off a setting.
TiredOfLife, 5 days ago:
Turn on. It's off by default. But people on HN, Reddit and Twitter are too stupid.
xigoi, 5 days ago:
> It's off by default.
For now. This is Microsoft we're talking about. Needing a Microsoft account to log in to Windows used to be optional.
sshine, 4 days ago:
I'm reminded of a checkbox titled "Don't ask me next time" when logging into Microsoft Online that I am given the option to check every single time I log in. My lack of trust in Microsoft (or Google) to keep my interest in mind is rooted in experience. The problem is: once your organisation is so corrupt that they think of this shit, turning off bad ideas becomes a game of whack-a-mole. Just say no to this kind of behaviour.
chainingsolid, 5 days ago:
We don't trust them to not turn it back on later...
chneu, 5 days ago:
I don't trust Microsoft to not push an update that exposes all my stuff. Their updates the last few years have been an absolute shitshow in so many regards.
malux85, 5 days ago:
Can you tell us which software? (Even if it's very niche.) I'm really curious where the gaps are.
xobs, 5 days ago:
I know Altium doesn't work, which is very important if you need to provide someone else files in Altium format. If you just want to work on designs there's always KiCad, which is increasingly very good! But it can't save in Altium format, and I'm not sure I'd trust it for manufacturing. The other thing I'm missing is my 3D Gerber viewer called ZofZPCB. I've not gotten either it or Altium to even start.
Helmut10001, 4 days ago:
The biggest migration challenge isn't finding one-to-one replacements for software, but rebuilding tested workflows and processes. For years, I've had a seamless document management process on Windows for all my receipts and bills:
1. My ScanSnap scans, auto-crops, and OCRs documents into a designated folder.
2. A small open-source tool, DropIt [1], monitors that folder.
3. Based on about 100 custom rules that parse the OCR'd text (for tax IDs, phone numbers, etc.), DropIt automatically renames and moves the PDFs into the correct subfolders.
4. Nextcloud then syncs the organized files, and I can discard the paper originals.
This "fire-and-forget" system has been incredibly reliable. When I explored replicating this on Linux, I found the building blocks exist. For instance, ocrmypdf seems to be a powerful OCR tool, and SANE drivers combined with gscan2pdf can handle the scanning. [2] I also found several tools for automated file renaming and organization. [3] However, the Fujitsu ScanSnap Home software provides an all-in-one experience for the initial capture. [4] More importantly, I'd have to manually translate all my pattern-matching rules from DropIt to a new system, likely a collection of shell scripts. I still feel that this is too fragile. I would need to program all exceptions myself: file renaming issues, special characters, length of document names, issues with OCR and alerting, should anything go wrong. The system needs to be fail-safe because once I throw the original away, there is no going back. Then, another challenge is to find the time to replace this reliable system with the shortest "downtime" possible. I need this daily, so I already decided I need a migration phase where both systems run in parallel. Perhaps this better explains my slowness to migrate to Linux. The fact that there isn't a well-known, integrated tool for this on Linux seems suspicious. It makes me wonder if I'm approaching the problem from the wrong direction. Is there a more "Linux-native" philosophy for this kind of workflow automation that I'm missing? And yes, I'm aware of Paperless-ngx. It's a fantastic project, but I'm committed to my current folder structure and prefer to avoid a solution that centralizes my documents in a database, away from my Nextcloud setup and my filesystem-first philosophy for document management. I don't trust that paperless-ngx will be available in 40+ years from now, but I need my document management to last that long.
[1]: http://www.dropitproject.com/
[2]: https://github.com/ocrmypdf/OCRmyPDF
[3]: https://github.com/ptmrio/autorename-pdf
[4]: https://forum.manjaro.org/t/fujitsu-scansnap-home-software-f...
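As an added sketch (not DropIt's code, nor anything from the post) of the fail-safe rule engine step 3 describes, the Python below applies regex rules to a document's OCR text, builds a sanitised, length-capped file name from the named groups, and refuses to guess: an unmatched document goes to a holding folder and an existing target is never overwritten. It assumes the OCR text has already been extracted (e.g. by ocrmypdf and pdftotext, which are not called here); the rules, tax and customer IDs are constructed placeholders.

```python
import re
from dataclasses import dataclass
from pathlib import Path

MAX_STEM = 80                         # stay well under common filename length limits

@dataclass
class Rule:
    pattern: str                      # regex over the OCR text; named groups feed the template
    folder: str                       # destination subfolder under the archive root
    template: str                     # new file stem built from the named groups

RULES = [                             # constructed sample rules with placeholder IDs
    Rule(r"Tax ID[:\s]+(?P<taxid>DE\d{9}).*?Invoice (?P<no>\d+)",
         "bills/utility", "utility-{no}-{taxid}"),
    Rule(r"Customer (?P<cust>\d{6}).*?Date (?P<date>\d{4}-\d{2}-\d{2})",
         "receipts", "{date}-receipt-{cust}"),
]

def safe_stem(stem):
    """Replace characters that upset shells and sync tools, then cap the length."""
    stem = re.sub(r"[^A-Za-z0-9._-]+", "_", stem).strip("._")
    return stem[:MAX_STEM] or "unnamed"

def plan_move(ocr_text, src, root):
    """Decide where one scanned file goes: (destination Path, matched Rule or None).
    A file matching no rule lands in _unsorted for a human, never in a guessed folder."""
    src = Path(src)
    text = " ".join(ocr_text.split())          # flatten OCR line breaks for the regexes
    for rule in RULES:
        m = re.search(rule.pattern, text, re.IGNORECASE)
        if m:
            stem = safe_stem(rule.template.format(**m.groupdict()))
            return Path(root) / rule.folder / (stem + src.suffix.lower()), rule
    return Path(root) / "_unsorted" / src.name, None

def unique_path(dest):
    """Never overwrite an archived document: append -1, -2, ... on collision."""
    candidate, n = dest, 1
    while candidate.exists():
        candidate = dest.with_name(f"{dest.stem}-{n}{dest.suffix}")
        n += 1
    return candidate

def archive(ocr_text, src, root):
    """Move src into place and return the final path; errors raise instead of being guessed away."""
    dest = unique_path(plan_move(ocr_text, src, root)[0])
    dest.parent.mkdir(parents=True, exist_ok=True)
    return Path(src).rename(dest)
```

Running plan_move in dry-run mode over the existing archive (OCR text in, expected path out) is a cheap way to check a translated rule set against years of already-sorted documents before the parallel-run phase.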
pepa65, 4 days ago:
On one Windows box I once put my password in for a private GitHub site. Never had to do that again, it just 'remembered' it... Not what I would expect or want.
nine_k, 5 days ago:
Why replace it? Wine works fine.
Kwpolska, 5 days ago:
If Windows were to steal your SSH keys (lol), would you really think using a third-party program would protect you? The evil code could just read the key you configured in PuTTY.