  • Similar to the full app backup use-case mentioned in another comment, I regularly use root to (through adb shell) make a personal backup of my owned Kindle books and keys which I can then use to convert them to DRM-free epub and read those books in non-Amazon-approved apps. The encrypted books are in shared storage but the key to decrypt them is in an app-private database. I also occasionally back up my own apk/obb files.

    A “security model” designed around the idea that users should never be able to have any kind of access, not even read-only, to the data that app developers store on their owned device if the developer doesn’t want them to is one that is fundamentally incompatible with computing freedom.

    I keep a secondary device with rooted Lineage at home for the few apps I want root access to, instead of rooting my daily driver, but I always feel like it would be reassuring to have the ability to make proper backups from my main phone.



  • When compatible hardware is available, it’s expected that having packages built for RVA23 will have a big impact on performance. You can already see a big part of that with the vector (V) extension: running programs built without it is akin to using x86 programs without SSE or AVX. RVA23 is the first RVA profile that considers V mandatory rather than optional.

    You might see a similar performance impact if you target something like RVA22+V instead of RVA23, but as far as I know the only hardware systems that’d benefit from that are the Spacemit ones (OPi RV2, BPI-F3, Jupiter) while that’d still leave behind VisionFive 2, Pioneer, P550/Megrez, and even an upcoming processor UltraRISC announced recently. The profiles aren’t exactly intended to be used for those kinds of fine-tuned combinations and it’s possible some of the other RVA23 extensions (Zvbb, Zicond, etc.) might have a substantial impact too.

    Hardware vendors want to showcase their system having the best performance it can, so I expect Ubuntu’s aim is to have RVA23 builds ready before RVA23 hardware so that they’ll be the distro of choice for future hardware, even if that means abandoning all existing RISC-V users. imo it would’ve been better to maintain separate builds for RV64GC and RVA23 but I guess they just don’t care enough about existing RISC-V users to maintain two builds.


  • zarenki@lemmy.ml to Linux@lemmy.ml · Fan of Flatpaks ...or Not? · 4 months ago

    The parent comment mentions working on security for a paid OS, so looking at the perspective of something like the users of RHEL and SUSE: supply chain “paranoia” absolutely does matter a lot to enterprise users, many of which are bound by contract to specific security standards (especially when governments are involved). I noted that concerns at that level are rather meaningless to home users.

    On a personal system, people generally do whatever they need to in order to get the software they want. Those things I listed are very common options for installing software outside of your distro’s repos, and all of them offer less inherent vetting than Flathub while also tampering with your system more substantially. Though most of them at least use system libraries.

    they added “bash scripts you find online”, which are only a problem if you don’t look them over or cannot understand them

    I would honestly expect that the vast majority of people who see installation steps including curl [...] | sh (so common that even reputable projects like cargo/rust recommend it) simply run the command as-is without checking the downloaded script, and likewise do the same even if it’s sudo sh. That can still be more or less fine if you trust the vendor/host, its SSL certificate, and your ability to type/copy the domain without error. Even if you look at the script, that might not get you far if it happens to be a self-extracting one unless you also check its payload.
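
The review step discussed in the comment above, as an added example that is not part of the original comment: save the installer to a file instead of piping it to sh, then check whether it is plain shell text or carries an appended binary payload, and compare it against a digest obtained out of band. The function names and sample files are constructed for illustration, and `sha256sum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: review a downloaded installer instead of piping it to sh.
# In practice the file would be saved first, e.g.: curl -fsSLo install.sh <URL>

# Number of NUL bytes in FILE. Shell source is text and has none; an appended
# compressed archive (self-extracting installer) almost always does.
nul_bytes() {
    LC_ALL=C tr -cd '\000' < "$1" | wc -c | tr -d ' '
}

# Print "self-extracting" or "plain-text" for FILE.
classify_installer() {
    if [ "$(nul_bytes "$1")" -gt 0 ]; then
        echo "self-extracting"
    else
        echo "plain-text"
    fi
}

# Succeed only if FILE's SHA-256 equals EXPECTED (a digest obtained out of band).
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Constructed sample inputs (not real installers).
SAMPLE_DIR=$(mktemp -d)
printf '#!/bin/sh\necho "installing"\n' > "$SAMPLE_DIR/plain.sh"
{
    printf '#!/bin/sh\n# unpack what follows the marker\nexit 0\n__ARCHIVE__\n'
    printf '\037\213\010\000\000\000\000\000'   # gzip-style header bytes, constructed
} > "$SAMPLE_DIR/bundle.sh"

# Report what each sample looks like before anything is executed.
for f in "$SAMPLE_DIR/plain.sh" "$SAMPLE_DIR/bundle.sh"; do
    echo "$(basename "$f"): $(classify_installer "$f")"
done
```

A payload embedded as base64 or hex text contains no NUL bytes and is reported as plain-text, so a "plain-text" result means the whole file can be read, not that it has been vetted.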


  • zarenki@lemmy.ml to Linux@lemmy.ml · Fan of Flatpaks ...or Not? · 4 months ago

    A few reasons security people can have to hesitate on Flatpak:

    • In comparison to sticking with strictly vetted repos from the big distros like Debian, RHEL, etc., using Flathub and other sources means normalizing installing software that isn’t so strongly vetted. Flathub does at least have a review process but it’s by necessity fairly lax.
    • Bundling libraries with an application means you can still be vulnerable to an exploit in some library, even if your OS vendor has already rolled out the fix, because of using Flatpak software that still loads the vulnerable version. The freedesktop runtimes at least help limit the scope of this issue but don’t eliminate it.
    • The sandboxing isn’t as secure as many users might expect, which can further encourage installing untrusted software.

    By a typical home user’s perspective this probably seems like nothing; in terms of security you’re still usually better off with Flatpak than installing random AUR packages, adding random PPA repos, using AppImage programs, installing a bunch of Steam games, blindly building an unfamiliar project you cloned from github, or running bash scripts you find online. But in many contexts none of that is acceptable.




  • The 6-month release cycle makes the most sense to me on desktop. Except during the times I choose to tinker with it at my own whim, I want my OS to stay out of my way and not feel like something I have to maintain and keep up with, so rolling (Arch, Tumbleweed) is too often. Wanting to use modern hardware and the current version of my DE makes a 2-year update cycle (Debian, Rocky) feel too slow.

    That leaves Ubuntu, Fedora, and derivatives of both. I hate Snap and Ubuntu has been pushing it more and more in recent years, plus having packages that more closely resemble their upstream project is nice, so I use Fedora. I also like the way Fedora has rolling kernel updates but fixed release for most userspace, like the best of both worlds.

    I use Debian stable on my home server. Slower update cycle makes a lot more sense there than on desktop.

    For work and other purposes, I sometimes touch Ubuntu, RHEL, Arch, Fedora Atomic, and others, but I generally only use each when I need to.


  • Nintendo has repeatedly done things like this.

    The original Wii supports GameCube controllers, the Wii U supports Wii Remotes, Wii U and Switch both support USB GameCube controller adapters, and NES/SNES Classic Edition Mini systems support the Wii Classic Controller. Switch Lite supports pairing Joy-Con too, despite having no rails for them.

    Wii U goes so far with Wii Remote support that Nintendo usually treated it as the preferred way for extra players to join local multiplayer, more so than its own Pro Controller. Wii games were more limited with GC controller but still supported it in a few big titles like Brawl and Mario Kart Wii.


  • zarenki@lemmy.ml to Technology@lemmy.world · Buy Once Software · 8 months ago

    Just go through F-Droid or Flathub and look at the long list of apps that haven’t been updated in years.

    “Not updated in years” didn’t use to be considered a bad thing. Why is it one now?

    If something works well for me as it is and runs locally in a way that doesn’t open itself up to remote exploits, I don’t necessarily need it to keep changing all the time. Even if it would be nice if it had more features, the software works fine for me as it is. I don’t need those updates now or this year.

    The only true “need” is that it doesn’t stop working for me when the various platforms or compilers change. I used to use a Python2 program, and I could keep using it for about a decade after its last update, but eventually I did need to move past it because Python3 had long since replaced it and distros stopped shipping Python2. A year or two of no updates is nothing.


  • If the only problem is that you can’t use dynamic linking (or otherwise make relinking possible), you still can legally use LGPL libraries. As long as you license the project using that library as GPL or LGPL as well.

    However, those platforms tend to be a problem for GPL in other ways. GPL has long been known to conflict with Apple’s App Store and similar services, for example, because the GPL forbids imposing extra limits that restrict user freedom and those stores have a terms of service that does exactly that.



  • If it was a community addition why would it matter? And why would they remove the codecs.

    You don’t have to be a corporation to be held liable for legal issues with hosting codecs. Just need to be big enough for lawyers to see you as an attractive target and in a country where codec patent issues apply. There’s a very good reason why the servers for deb-multimedia (Debian’s multimedia repo), RPM Fusion (Fedora’s multimedia repo), VLC’s site, and others are all hosted in France and do not offer US-based mirrors. France is a safe haven for foss media codecs because its law does not consider software patentable, unlike the US and even most other EU nations.

    Fedora’s main repos are hosted in the US. Even if they weren’t, the ability for any normal user around the world to host and use mirrors is a very important part of an open community-friendly distro, and the existence of patented codecs in that repo would open any mirrors up to liability. Debian has the same exact issue, and both distros settled on the same solution: point users to a separate repo that is hosted in France which contains extra packages for patent-encumbered codecs.


  • I stopped using Arch a long time ago for this same reason. Either Fedora (or derivatives like Nobara) or an atomic/immutable distro (like Bazzite, Silverblue, Kinoite) is probably the way to go.

    I used to feel like Ubuntu was a good option for this, but it no longer is: too often they try to push undesirable changes that need manual tweaking to fix after release upgrades. Debian Stable is generally good for low-maintenance use but doesn’t keep up as well with newer hardware or newer updates to video drivers and mesa, which makes it suboptimal for typical gaming use. Debian Testing can be prone to break things in updates (in my experience, worse than Arch does).

    I saw another comment recommend Rocky/RHEL, but note that their kernel doesn’t support btrfs. Since you mentioned a root snapshot, I expect you probably use it.