[Solved?] ...Purchase Porteus?

[fullmoonremix]

Salutations...

Stallman's version of commerce...
http://www.gnu.org/philosophy/selling.html

Because of my security concerns, I recently ordered (purchased?) Porteus XFCE from OSDisc for $8.22 (USD) S+H included.
That service does not do derivatives. How much should a "made to order" (payware?) Porteus derivative cost? And where would I buy one?

I would buy one if it had (for example) musl... PekWM... qingy... 5th browser... xfe... memcached... swapspace and ADEOS.
(Some of these are replacements of glibc... openbox... slim... firefox... pcman... and zswap.)

It should be noted... WindozzZ 95 retailed @ about $50 (USD) now WindozzZ currently retails quite a bit north of $200 (USD).

"Best Regards"...


Posted by 73.112.19.112 via http://webwarper.net
This is added while posting a message to avoid misusing the service

[Bogomips]

Would not a pgp signed Porteus allay your concerns?

[fullmoonremix]

Salutations...

Signing is highly useful and addresses authentication. However... I'm not concerned about authentication.
I'm concerned about security. Security means many things to many people depending on who you ask.

I retired from the "Loss Prevention" field that I worked in for many years in NYC protecting corporations.
I believe... real security is like an onion or castle comprised of many redundant layers... levels... tactics.

In any case... I'm addressing my concerns regarding this thread that extend beyond security and will begin with the purchase of a custom derivative.

"Best Regards"...

[brokenman]

I recently purchased Porteus XFCE from OSDisc

Why would you not support Porteus and buy it from us?

Signing is highly useful and addresses authentication. However... I'm not concerned about authentication. I'm concerned about security.

You're concerned about security and you bought Porteus from a third party that could have done anything to the product that we produce. This third party has never asked permission to sell our product.

A custom build of this kind would cost around $150US since it is a total rebuild of porteus and the kernel.

[Bogomips]

bought Porteus from a third party that could have done anything to the product that we produce. This third party has never asked permission to sell our product.

And there I was, having a vision of Porteus disks being delivered by secure courier service.

[brokenman]

And there I was, having a vision of Porteus disks being delivered by secure courier service.

I saw/read somewhere recently that this was exactly how an organization got got. They intercepted a delivery of an expected promo CD.

[fullmoonremix]

Salutations...

I saw/read somewhere recently that this was exactly how an organization got got. They intercepted a delivery of an expected promo CD.

The possibility of theft (and fraud) exists both on and offline even for the largest corporations and countries. If a company is noteworthy (NOT notorius) then theft is... "the exception that proves the rule".
(see... https://www.washingtonpost.com/world/na ... story.html )

Why would you not support Porteus and buy it from us?

Nothing on the Porteus site or forum establishes a commercial commerce framework (except the kiosk). I use PayPal. If there is a pathway to purchase "made to order" I would pay double.

You're concerned about security and you bought Porteus from a third party that could have done anything to the product that we produce. This third party has never asked permission to sell our product.

As I stated security means many things...

The third party you describe is a reputable US company supporting many distros.
In addition... Linux it's distributions and/or binaries can't be "sold"... that would be illegal.

However... it's "distribution services" (eg. Redhat/NYSE) can be "compensated" without violating copyleft
(infringement would trigger a lawsuit). Also... in my country there are strict laws governing commerce.

It would be ETHICAL to "reach out" to Porteus if they failed to (although FOSS... FLOSS... is "free" and/or "permissive" and/or "libre")...
like any other distro and this service supports many distros including upstream Slackware.

Many moons ago I used to be a patent/copyright legal clerk for a US Fortune 500 company in NYC.
That service posted the Porteus logo so there may be a potential related copy"right" issue there. I suggest you look into that.

The bottom line for me is... without question it's been a lot of fun and highly educational "playing" with Porteus
but at some point I actually need to get "professional" work done. So I am more than willing to pay for it now.

"Best Regards"...


Posted by 73.112.17.157 via http://webwarper.net
This is added while posting a message to avoid misusing the service

[brokenman]

Nothing on the Porteus site or forum establishes a commercial commerce framework.

Yes this is true. You could make a donation for the service though. I am sure someone can build the custom Porteus for you and mail it. But even this person would be downloading their sources from somewhere so I don't really get how having a CD mailed to you is any more secure. I would quite easily provide a secure download link and signed ISO. With this method I am quite content. I know exactly where I download my stuff, checked its authenticity. I know that I compiled the applications and that I created and signed the final ISO. Once I pass that ISO onto a disk and give it to someone to deliver, the chain of trust is broken.

[fullmoonremix]

Salutations...

You could make a donation for the service though.

I could if there were a service.

I am sure someone can build the custom Porteus for you...

No one has come forward.

But even this person would be downloading their sources from somewhere so I don't really get how having a CD mailed to you is any more secure.

Mail is secure (NOT perfect nothing is) by design. No authentication. No secure links. None of that is required.
Downloaded sources? Well... hopefully that person did their IT homework if they plan to remain in business.

In 18 months I have downloaded Porteus countless times. Authentication is a good thing.
Secure links are a good thing. I know... I've spent decades using them.

Sequestration is also a good thing because if there is a problem the source of it is not a mystery.
Personally for me... there is no such thing as trust (in a reliable sense) only merit.

IMHO... merit is brick and mortar. Pepsi has been around for over 100 yrs. They make a refreshing product. Why?... because it's real not virtual.
It's not an image of a beverage. And if something goes wrong there is real... not virtual accountability. Software is indemnified. Service is not.

Any case... I used the above named service to obtain a sequestered master.
What I'm interested in obtaining now is a non-sequestered derivative.

At this point...I'll take it signed or unsigned... secure or insecure link... by mail or email... donation or purchase.

The bottom line is... I need to use Porteus not "play" with it anymore.

"Best Regard"...



Posted by 73.112.17.157 via http://webwarper.net
This is added while posting a message to avoid misusing the service

[Evan]

<removed>

[fullmoonremix]

This post was removed because it lost context...

Posted by 73.112.17.157 via http://webwarper.net
This is added while posting a message to avoid misusing the service

[Evan]

<removed>

[fullmoonremix]

Salutations...

Now I will "briefly" elaborate. There is nothing wrong with Porteus.
Let me preface that I am 16yrs lifetime CompTIA A+ certified.

Currently... I am wrestling with a nasty firmware bug from a greybox "net appliance" purchased from eBay
(used gear often contains bugs... perhaps that is why the owner wants to move on).

Because of my liberal use of USB writables (I have since switched to burnables)...
I now have (expensive) multiple systems/devices that are compromised.

I seriously would not advise repairing compromised hardware... by booting (a spoofed system)
going online (with it) and downloading software (to it) thus attempting to remedy a problem by causing one.

It is possible to clean or at least manage contamination in a static environment.
Malicious code functions poorly in stactic environments
(burnables are static... which is why live "rescue" disks use them).

However... the only "reliable" way to create that environment
(and avoid false positives/negatives... even in authentication)
is to boot from static sequestered media.

Hence, therefore... a case is made for a "mail order" solution. I have reliably repaired lots of gear this way.
As I said before... security means lots of things to lots of people in lots of scenarios.

IMHO... contingency (ie. "security") @ it's core is... tactical prevention and
pragmatic deterrence NOT "speculation" (because NOTHING is foolproof).

Because I'm http://www.dictionary.com/browse/agnostic ... our motto is "never say never (and never say that either unless it was said)".

As a rule... we leave prediction to fortune tellers and palm readers.

"Best Regards"...


Posted by 73.112.17.157 via http://webwarper.net
This is added while posting a message to avoid misusing the service

[fullmoonremix]

This post was removed because it lost context...

Posted by 73.112.17.157 via http://webwarper.net
This is added while posting a message to avoid misusing the service

[fullmoonremix]

This post was removed because it lost context...

Posted by 73.112.17.157 via http://webwarper.net
This is added while posting a message to avoid misusing the service