Quoting: WORM

The enclave is essentially intended to be a way for us to PGP-sign packages with a single signing key instead of how we do it right now, which is with one personal key per packager.

My assumption is this requires building on build servers instead of building on maintainers' machines like they currently do.

Nah, in cryptography we already have a solution for that.
Key signing.
The basic idea is:
The user gets the public key of the central(root) private key.
you generate your key pair, the root key signs a file containing at least your public key and any data we want to transfer with it(signing date, name, phone number, limits, etc.), you sign your code with your key, you distribute with the signed code the signed document, the user first confirms the document with the root key, than they confirm your code with the key contained in the file.

This is how encryption works on the web.
Take for example GOL.
If you click on the lock above you find if you understand what your looking at:
Liam generated a key pair.
Google Trust Services signed his public key with their private key.
The Root key of google signed the Google Trust Services key.
Your OS or browser(if you're using a firefox fork) confirms the trust worthiness of the Root key.

View this comment - View article - View full comments

Quoting: elmapulits even possible to fix that without breaking the functionally of all existing printers?

CVE-2024-47076 and CVE-2024-47175 easily(implement the proper checks).
CVE-2024-47177 even without breaking foomatic printers, but it requires serious research in the current use cases(command whitelists).
CVE-2024-47176 kind of. It doesn't require a change to printer drivers, firmware or any other upstream product, but it does require a downstream API change, so it could result in breakage of programs utilizing cups-browsed.

Edit:
on CVE-2024-47177 you can at least implement an opt-in check for it discouraging new printers from using it.
CVE-2024-47176 can also non-breaking be found by making adding printers an opt-in endeavor.

View this comment - View article - View full comments

Quoting: const

Quoting: GuestHow anti-cheat relates to that?

To really secure system integrity, there needs to be a full validation chain up to the kernel (and potentially beyond). Without that validation, game devs may continue to distrust anticheat tools on Linux. We don't yet know the new API MS announced to integrate in Windows, but it's really certain Linux will not be able to provide an equivalent unless the kernel and core libraries are build and signed by a trusted entity. Wouldn't make much sense to use that APi if the user can use a patched kernel. As SteamOS uses Archs kernel images and libraries, that must be done in Archs build system, hence the speculation this is related.

To be frank, I think we will see a major shift in cheating and anti-cheat in the coming years, it will be a battle of "AIs".

Actually the enclave part in this story implies we're dealing with a deeper than kernel feature.
I think they plan on using this kind of processor feature. [External Link].
Meaning that kernel verification isn't needed, because it would be firmware based.
Obviously this also means that the processor firmware starts behaving more like an OS, so you might be tempted to replace it with a FOSS variant to which I say look into coreboot/canoeboot/librem devices.

This isn't as crazy as it sounds HWID features such as CPUID have been really effectively in use for anti-cheat and drm, since their introduction.
Technically it can be circumvented with JIT, but in practice it costs way too much performance, leaving only flatout binary modding, which is OS agnostic anyway.

Edit:
The new info posted by Liam negates all the speculation here.
It's not useful for anti-cheat and it doesn't use fancy processor features.

View this comment - View article - View full comments

Quoting: JarmerSteam is just an absolute juggernaut in the space. ESPECIALLY for us linux gamers. There's really no true competition is there? I think it would nice for them to have true competition, but I just don't see that happening anytime soon.

I mean, I absolutely love Steam, but competition is good for the market!

Quoting: CatKillerFor comparison, Epic last reported their EGS peak CCU as 13.2 M in 2021, when their MAU was 62 M and they had 194 M total users. They've got 2023 reports for MAU (75 M) and total users (270 M).

Valve last reported their MAU for 2021 as 132 M; they haven't reported on the total number of users in a long time.

lol what on earth do all these acronyms mean!

The stupid thing is that I seriously get the impression that Steam has a lower relative market share on Linux than on Windows.
All the stores work on both, but while most windows users seem to mostly stick to Steam and the Epic Store, I see them using GOG, the web, itch.io, various repos and other stores.
I only have anecdotal evidence(they don't publish the relevant numbers directly and I'm too tired to figure out how to approach this with available information) for this, but if that is the case they're not especially a juggernaut for Linux gamers.

View this comment - View article - View full comments

Quoting: spacemonkeyMaybe it's for running Quest games (which run on Android) on (standalone) Deckard (which, I assume, will run on SeamOS). So developers don't have to do any porting when they want to deploy their game to both Quest and Deckard.

AOSP(stock android and most of its forks) seamlessly handles the difference between architectures by locally compiling(, which also makes reverse engineering android apps embarrassingly easy, explaining the large android modding scene).
QuestOS seems to at least be compatible with this method and it could be the default.

View this comment - View article - View full comments

Quoting: mr-victory

Quoting: LoudTechieIf there currently exists a statisfying answer it's probably encoded in the source code of safe exam browser.

SEB is open source? I'd expect such a software to go down the security through obscurity route.

Fully under the MIT license.
Found out when I was installing it for a relative.
On github [External Link]

I was also surprised when I found out.

View this comment - View article - View full comments

Quoting: mr-victory

Quoting: LoudTechieSecure boot, trust zone, tpms

If a game demands a signed kernel/OS/whatever then what's the point of using Linux? The freedom is gone.

My official answer is preformance and lack of espionage and bloat.
Edit:
and the ability to run various signed kernels

My unofficial answer is yeah, you're totally right.

DRM and anti-cheat are deepest corners of their hearts anti-freedom. They keep you from using your computer however you want. Nothing I can propose or suggest can avoid this.

If there currently exists a statisfying answer it's probably encoded in the source code of safe exam browser. [External Link]
I say this, because it's literally open source anti-cheat software and doesn't require a kernel driver.

For the rest you can take the LOL or even stadia path and move everything to your servers, so you only have to battle scripting, which can be fought by turning parts of the game in live captcha's.

Edit: the safe exam browser one is a pretty creative and pretty freedom perserving one.
External verification tool.
During tests they have the teachers use an external verification program to check safe exam browser for cheating tools, but outside of tests all modifications are on the table.
This could be done for esports during events.

View this comment - View article - View full comments

Quoting: Mangojuicedrinker

Quoting: _MarsAt the end of the day, if developers want to block unsupported platforms, they have plenty of methods to do so. And there is no way to prevent this. The only option is to convince companies to consider Linux as a supported platform.

Which needs:

Enough players

An actual solution to the anti-cheat situation

Do not give in to the demands of moron corporate overlords like Tim Sweeney. Do not view the world like they do: everything is dark no matter how much money you have.
If the game devs care about their game or are passionate about their craft, they'd be more interested than the player to make their games run on as many platforms as possible.
We have literally game pirates talking about installing Linux and testing their "crack" with Wine to make sure it runs in there as well xD! Literally.
How is this possible that a "cyber criminal" (depending on which region you live) cares more about the player experience than the actual game developers? It absolutely is not the case, it is because morons like Sweeney are in control.

Cyber criminals have no real protection they can hide behind the dmca doesn't count on piracy forums, being doxed is a prison sentence to them and there are no buyouts.
To them happy customers mean the availability of more money and sacrificial meat to hide behind.

View this comment - View article - View full comments

Quoting: mr-victoryDevs using eBPF on Windows will not be fine using eBPF on Linux because on Linux you can go one level deeper than that: The Linux kernel. On Windows, cheaters punch through vulnerable drivers for kernel level execution, this is why Valorant's Vanguard blocked keyboard drivers and stuff.

The answer to that already exists on android.
(android) Secure boot, trust zone, tpms, etc.
Check whether it's running a signed kernel you trust.

Quoting: pleasereadthemanual

Quoting: Cyba.Cowboythen the developers just aren't putting in as much effort for the Linux version.

(which wouldn't be the first time we've seen this)

Quoting: CatKillerIt's also exactly what you'd say if you couldn't be bothered to do something for a small audience and had necessarily-secret software to use as an excuse.

That's certainly true. I don't know enough about how it works to say whether an as-effective solution is feasible.

GrapheneOS has an interesting piece about it(google did it). [External Link]

Check out root detection android.
There're a lot of ways this is fought.
This ofcourse keeps up until someone starts running libreboot and can start editing the values there, but that is even more rare than linux.

View this comment - View article - View full comments

Quoting: tmtvl

Quoting: Purple Library GuyI'm starting to see the possibilities here. Can we throw in Pierre Poilievre?

This is looking like a prisoner of war exchange, only instead of prisoners of war you're exchanging war criminals.

Most prisoner of war exchanges contain criminals too.
War criminals and terrorists are most common, but we also have other things.

View this comment - View article - View full comments