<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>If you look back a few days earlier in this list, you'll see my
experiences in installing Ubuntu on older MacOS hardware -- I just
went through the process and documented it there -- and there are
various resources on the web that weren't too hard to find. I'm
typing this on Ubuntu running on a MacBook 2,1 now.</p>
<p><br>
</p>
<p>It has some nice features. But there are warts.<br>
</p>
<p><br>
</p>
<p>Ken</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 2020-05-09 10:05 p.m., Dmitri
Zaitsev wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAHoSP8KobNq6FAZ3msEivTqR0_shoKXKU0m=sVhX9M23fyboCA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">
<div>I would be very interested to learn how to avoid the
insecure MacOS software replacing it with that from Linux
land. Any good source to read about it?<br>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sun, May 10, 2020,
07:47 Daniel J. Luke <<a
href="mailto:dluke@geeklair.net" moz-do-not-send="true">dluke@geeklair.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On May
7, 2020, at 3:34 PM, Ken Cunningham <<a
href="mailto:ken.cunningham.webuse@gmail.com"
target="_blank" rel="noreferrer" moz-do-not-send="true">ken.cunningham.webuse@gmail.com</a>>
wrote:<br>
>> there are large closed-source surface areas that
you aren't going to be able to keep updated.<br>
> <br>
> You have said that before, and I listened, but: <br>
> <br>
> all my systems live behind a firewall, and none are
exposed to the open web.<br>
> I don’t use any MacOS-era software to access anything
outside the network. Only, really, MacPorts stuff (all
with up-to-date security) and TenFourFox (also built with
MacPorts stuff, also with all up to date security).<br>
<br>
... and they're probably all linked with versions of
Libsystem that don't have the most recent patches from
Apple (you could probably be backporting them, but I doubt
you're doing that :) ).<br>
<br>
> I just don’t see the vulnerability, TBH.<br>
> <br>
> If you know of any, please give me an example. I
don’t want to be stupid about things.<br>
<br>
It's risky - the majority of bugs that Apple releases
security patches for are in components that exist in
previous Mac OS versions. Maybe those versions don't have
those problems (but they probably do). Maybe no one is
exploiting them.<br>
<br>
If you are firewalling and monitoring both inbound and
outbound traffic, maybe you've set things up so that you
can run a vulnerable system safely. Most people aren't
capable of doing that. These kinds of things are hard to
do well - if you've got a strong perimeter, but vulnerable
systems inside - it just takes one problem with your
perimeter security and an attacker has access to
everything you thought was secured by your perimeter
security.<br>
<br>
> The time daemon, maybe? I heard there was something
about that daemon,<br>
<br>
yeah, it's had a bunch of problems.<br>
<br>
> but it just checks Apple’s time server.<br>
<br>
how do you know? (hint: ntp uses udp and also
bgp-interdomain routing is still largely insecure).<br>
<br>
> I could replace that too, I guess...<br>
<br>
At that point, if you're not using any MacOS software -
why are you running Mac OS at all? That hardware can run
an OS that's still getting security patches and run all of
the unix-y software that's in Macports without the risk.<br>
<br>
(Of course, Mac OS UI and hardware drivers are generally
better, so I understand there may be reasons why people
might want to do this - but I think it's too easy to
overlook the potential downside).<br>
<br>
[This is probably off-topic for macports, so I'll refrain
from typing more]<br>
-- <br>
Daniel J. Luke<br>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</body>
</html>