The day is fast approaching when standard support for Focal Fossa ends in May 2025.
Extended support is provided by Canonical on a 'subscription' basis for an additional 5 years to April 2030.
The primary meaning of "support" means that Canonical provides Ubuntu 20.04 with security updates they can install. These security updates are applied on top of the package versions in 20.04 (and not later ones, with new features, new bugs and new vulnerabilities), allowing Ubuntu 20.04 to use it for several years without worrying too much about potential regressions or new issues introduced by updates.
However, Puppy has no mechanism to update packages. A Puppy built from Ubuntu 20.04 packages in 2021 doesn't have any security updates released between 2021 and 2025, so it's full of known bugs and known security issues.
Therefore, the EOL date of 20.04 should mean much if you're happy with a distro like this, which doesn't benefit from this "support".
Security is in the 'eye of the beholder'. Puppys are a niche distribution among the thousands of Linux OSes comprising the less than 5% of operating systems being used: not a likely target for attack unless how you use it specifically attracts attention. Running as a Frugal install under PupMode 13 with no reason to Save on Shutdown/Reboot, nothing changes. So an old, STATIC Puppy is likely to be just as secure as the newest 'Full Installed' Distro with its as yet undetected and patched bugs.
In terms of whether it matters or not, security also depends on what you use your computer for. Most stuff I use my computer for is so general purpose unimportant I don't feel particularly vulnerable. I certainly no longer would use the likes of Puppy Linux for banking - save files/ save folders / RAM modes; none of that seems to me to make a distro any more secure at the moment you do banking... doesn't make it particularly less secure either I think. I'd probably use a KL depending on its upstream repo provider, since aside from the way a KL distro can be built up from scratch to contain only what a user wants, the end root filesystem remains upstream fully compatible and FR initrd just provides an overlayfs booting mechanism to provide all the nice frugal install functionality. But I don't use KL for banking and rely on Linux Mint full install and hope its developers care about such matters.
https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Is it worth translating?
@wiak
I have "stress tested" KLV's and put them up for scrutiny for security. They perform well. A KLV can be even further hardened.
Once the mechanism to allow umounting all the drives and partitions during KLV operation is finished, this will make it reasonably secure in the sense there is zero access to any storage.....at all.....except for the RAM.
Though I can not see anyone specifically going after any of my stuff. I don't bank on line.
mikeslr wrote: Wed Apr 09, 2025 3:03 pm
Security is in the 'eye of the beholder'. Puppys are a niche distribution among the thousands of Linux OSes comprising the less than 5% of operating systems being used: not a likely target for attack unless how you use it specifically attracts attention. Running as a Frugal install under PupMode 13 with no reason to Save on Shutdown/Reboot, nothing changes. So an old, STATIC Puppy is likely to be just as secure as the newest 'Full Installed' Distro with its as yet undetected and patched bugs.
I disagree with pretty much everything you said.
A Puppy that shares the same browser, glibc, openssl, etc. with Ubuntu is definitely more likely to be exploitable to a known vulnerability that affects Ubuntu. Puppy is not very 'unique' and it's actually very close to the big distros.
And it's possible to modify the save layer (/initrd/pup_ro1) directly, so using PUPMODE 13 hardly protects you against persistent malware.
You can't expect a Puppy that misses years of fixes to known, high severity, remotely exploitable vulnerabilities, to be secure in any meaningful way.
I'm confused looking at this.
I thought that using PUPMODE 13 and not saving was a protection.
Then always starting with this when doing any setting changes, but not after this has been up and then only saving for this was the way the protection would continue.
It looks like there is quite a lot of mistrust for the safety of the puppys. Am I misunderstanding this then?
Thanks
JusGellin wrote: Wed Apr 09, 2025 7:11 pm
I'm confused looking at this.
I thought that using PUPMODE 13 and not saving was a protection.
Then always starting with this when doing any setting changes, but not after this has been up and then only saving for this was the way the protection would continue.
It looks like there is quite a lot of mistrust for the safety of the puppys. Am I misunderstanding this then?
Thanks
using pupmode 13 and not saving changes edit:should help prevent doesn't necessarily prevent malware that "installs" itself.
Perhaps Dimkr is also commenting on man in the middle attacks. TBH I do not know if there are updates that can help prevent MIM attacks or if they should even be of concern with OS selection.
I think what dimkr is talking about is software has flaws. When one is found it is patched and the security hole can no longer be used to elevate privileges or install malware remotely. If you have old software no matter how careful you are it still has the flaw that can be exploited. That is the reason for keeping your system up to date. It patches the security holes before they can be used against you without your knowledge.
Here's a little experiment for you.
Copy /usr/bin/geany to /initrd/pup_ro1/usr/bin/mtpaint, then reboot without saving. When you run mtpaint, you get geany instead although you haven't saved.
Now imagine a scenario where a malicious browser extension, website (that triggers a vulnerability in your browser) or an application you downloaded from this forum (how can you verify that packages people publish in the forum don't contain malware?), replaces your browser with an identical-looking application that leaks credit card info and credentials.
yes, an eye opener.
Can a remaster (that includes the additional apps that one would normally keep in a save) be utilized to effect the security presumed above?
ie. the "benefit" of operating in pupmode 13 without saving?
williwaw wrote: Wed Apr 09, 2025 10:50 pm
yes, an eye opener.
Can a remaster (that includes the additional apps that one would normally keep in a save) be utilized to effect the security presumed above?
ie. the "benefit" of operating in pupmode 13 without saving?
If I understand what's being said correctly, if you're running all in ram, but you download, install a package, the package can still write to the save through the layered filesystem, just because you don't tell it to save what's in ram doesn't mean you can't write to it. You just have to know where it's located. I do this all the time in Kennel Linux because the layers are easy to identify. In a pup they are "obscured" in the directories @dimkr mentions, but still accessible, or else you wouldn't be able to save on demand in the first place. That layered filesystem is loaded from a location.
Do I have that right?
I would think that if your save was squashed it might be different on reboot and those alterations wouldn't stick. So maybe I have it all wrong.
geo_c
Old School Hipster, and Such
But isn't that true that you can install apps at other places as well?
Like for instance /mnt/home. There it would do the same thing.
Is that just a vulnerability that puppy has?
Am I understanding this correctly?
I'm also installing puppies as a virtual machines using qemu virt-manager.
Once the puppy is set up, I make a snapshot that I can go back to.
That way, if I wanted to go back to that version of the snapshot I can.
That should also help prevent malware.
I still use the save folder with a back up for a quick reset though.
Thanks
geo_c wrote: Wed Apr 09, 2025 11:44 pm
If I understand what's being said correctly, if you're running all in ram, but you download, install a package, the package can still write to the save through the layered filesystem, just because you don't tell it to save what's in ram doesn't mean you can't write to it. You just have to know where it's located. I do this all the time in Kennel Linux because the layers are easy to identify. In a pup they are "obscured" in the directories @dimkr mentions, but still accessible, or else you wouldn't be able to save on demand in the first place. That layered filesystem is loaded from a location.
Do I have that right?
I would think that if your save was squashed it might be different on reboot and those alterations wouldn't stick. So maybe I have it all wrong.
just copying to /initrd/pup_ro1 (which is a link to /initrd/mnt/dev_save/v10x/vanilladpupsave-01/upper) seems to be all that's needed as upper is inside the save.
these directories are owned by root, so anything that has root privileges can write.
I suppose if it is squashed (or even saved as an ISO), it could also be unsquashed and written to also. Only one more easy step if the OS is depending on security by obscurity.
Maybe the best practice for those with concern is to only access important sites such as banking with dedicated boot sessions using pupmode 5
I don't see /initrd/pup_ro1? I see others I can identify, like pup_a, pup_ro2,3,4,y, z, etc...those correspond to various sfses loaded at boot time, but no pup_ro1? This is in S15Pup32 22.12 250402...could it be that using the kernel parameter "nocopy" prevents a pup_ro1 being populated?
Signature available upon request
Wiz57 wrote: Thu Apr 10, 2025 1:25 am
I don't see /initrd/pup_ro1? I see others I can identify, like pup_a, pup_ro2,3,4,y, z, etc...those correspond to various sfses loaded at boot time, but no pup_ro1? This is in S15Pup32 22.12 250402...could it be that using the kernel parameter "nocopy" prevents a pup_ro1 being populated?
In spite of this thread being in the fossapup section, I have reported my results using vanilladpup 10
williwaw wrote: Thu Apr 10, 2025 1:09 am
Maybe the best practice for those with concern is to only access important sites such as banking with dedicated boot sessions using pupmode 5
Maybe so, but it provides no great security really anyway if the underlying system components are not up-to-date security-wise. I would therefore advise that Puppy is great for most purposes and especially when a user has an older machine but still wants a responsive/fast system - Puppy is excellent for that, but I wouldn't myself use Puppy nowadays for banking because system software related risks seem to be getting bigger every day; what gave us no problems for a decade or more may suddenly put us at risk. Hence best for banking to use a hardened system whose components are all easily kept up-to-date security-wise. I also don't use my Android phone for banking (whether up-to-date or not) since who knows what the Chinese factories put inside these machines???!
I use my Chromebook for banking. It gets weekly updates - only takes a few minutes. As number of bad actors seems to be increasing exponentially, the risk of doing otherwise is becoming too great. Fossapup has been a good tool, but without professional updates, it's 'use at own risk'. Pupmode 5 with the latest browser is probably the safest way to use it.
williwaw wrote: Thu Apr 10, 2025 1:09 am
these directories are owned by root, so anything that has root privileges can write.
Correct me if I'm wrong, but if your browser runs as spot and has a vulnerability that allows a remote attack to write an arbitrary file, the attacker can write /home/spot (which is owned by spot), therefore they can write to /initrd/pup_ro1/home/spot. PATH contains directories under /home/spot, therefore the attacker can trick you into running a malicious executable instead of the original from /usr/bin.
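The copy experiment earlier in the thread and the PATH scenario in the post above both leave something that can be looked for: a file in the writable save layer, or in an early PATH directory, that differs from the program shipped in a read-only layer. The following is an added example, not part of any post in this thread; the script name is hypothetical and the layer directories are passed as arguments because, as the thread shows, they differ between Puppy builds.

```shell
#!/bin/sh
# Added example (not from the thread): review a Puppy save layer and PATH
# for files that replace a program shipped in a read-only layer.
# Layer paths are arguments because they differ between Puppy builds.

# shadowed_in_layer UPPER LOWER [LOWER...]
# Prints the relative path of every regular file in UPPER whose content
# differs from a file at the same path in one of the LOWER layers.
# Symlinks and file names containing newlines are not handled.
shadowed_in_layer() {
    upper=${1%/}; shift
    find "$upper" -type f | sort | while IFS= read -r f; do
        rel=${f#"$upper"/}
        for lower in "$@"; do
            if [ -f "$lower/$rel" ] && ! cmp -s "$f" "$lower/$rel"; then
                printf '%s\n' "$rel"
                break
            fi
        done
    done
}

# path_shadows PATHSTRING
# Prints "name first later" when an executable in an earlier PATH
# directory hides a different file of the same name in a later one.
path_shadows() {
    seen=$(mktemp) || return 1
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            first=$(awk -F'\t' -v n="$name" '$1 == n { print $2; exit }' "$seen")
            if [ -z "$first" ]; then
                printf '%s\t%s\n' "$name" "$f" >> "$seen"
            elif ! cmp -s "$first" "$f"; then
                printf '%s %s %s\n' "$name" "$first" "$f"
            fi
        done
    done
    IFS=$old_ifs
    rm -f "$seen"
}

# Script use (hypothetical name): sh layercheck.sh SAVE_LAYER SFS_LAYER [SFS_LAYER...]
if [ "$#" -ge 2 ]; then
    shadowed_in_layer "$@"
    path_shadows "$PATH"
fi
```

A listed file is a reason to look, not proof of tampering, since a package installed or updated into the save also differs from the SFS copy. The result is only as trustworthy as the session it runs in, so it is best run from a boot that does not load the save being inspected.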
This topic has really upped my concerns. I hope this is still the best place to help me understand and find a solution.
I have some more questions about this:
Is this topic, "The end is nigh", meaning this is for an older Puppy that will soon not be supported?
Would the responses also apply to BookwormPup64_10.0.10 on a newer computer?
Is there any way to check to see if something like this or Bookworm has been compromised?
Would a mainline Linux, like Linux Mint be better to use for banking as long as it is kept updated?
Thanks
@JusGellin
None of the Puppy's have been "compromised". These guys talk like there is an attack ongoing but look at what you are doing........pretty routine stuff?
Use precautions and safe practices coupled with common sense and I think you will be okay using a Puppy Linux....old, older or new.
Most of the exploits they reference take a real expert to even formulate and many need to have the bad actor have direct physical contact with your machine....for at least a few minutes because waving a hand over the machine and saying the magic spell doesn't work...yet.
@dimkr is highly sensitive to security issues because he lives in a country where much of the most harmful and dangerous exploits are made into working programs that they sell for profit. Seems very high end, sophisticated Spyware is a real feather in the cap and a money maker over there. No wonder he is paranoid. The toolkits that are designed to do all the bad stuff are easier to use than installing most Linux software so people with darkness in their hearts but short on computer programming and networking skills still can do some major damage. Mostly if clicking on stuff like a madman going into dubious places on the network and downloading something inadvertently will bring the bad results.
As with literally everything............think before you jump.
@rockedge
Thanks for your valued perspective on this matter.
This topic really depressed me for some reason. I thought I was making progress and being careful with how I was using this.
I have really enjoyed this site for all the advancement it has made for making puppy linux efficient and fun to use.
I do know I have to be careful how I use it normally and to just use common sense to address any issues that come up.
Thanks again
Do not know what version of Puppy you use.
But most have this information file in /usr/share/doc/root.htm
The things you do not tell us, are usually the clue to fixing the problem.
When I was a kid, I wanted to be older.
This is not what I expected
Of course dimkr is right, and I 'put my foot in my mouth'. Should have caught it myself. Thanks, dimkr. Sometimes I don't critique my initial thought. What I meant to write was create an adrv.sfs holding only a recent web-browser, a hardened firefox or Librefox recommended. Adrv has priority over all file-systems other than tmpfs and a SaveFile/Folder; and holding only one application is easy to update. Boot pfix=RAM, AKA PupMode 5. Only tmpfs is Write-able and tmpfs is not preserved on Reboot/Shutdown.
Note that the Web-browser is contained in a READ-ONLY file-system. I love portables. But the very fact that if they are run from a mounted partition they will write changes to makes them vulnerable*.
But for the most part I agree with rockedge. "Use precautions and safe practices coupled with common sense and I think you will be okay using a Puppy Linux....old, older or new." My initial reply was 'my safe practice', that and using a hardened, current firefox which alerts me if I try to access a questionable web-site dredged up by a web-search engine*.
Want more security: Run your internet accessing applications in a container or a Chrooted Operating system.
Want more privacy/security: add ProtonVPN for $4.99 per month and run Tor.
-=-=-=-=-=-=-
* Recognizing their vulnerability, there is still a way to safely use portables run from a partition even for financial transactions. Portables exist in their own folder. After deploying one, and updating and hardening it, Right-Click that folder and select Duplicate from the pop-up menu, adding a description such as 'bk' to the duplicate's name. Before accessing any on-line financial account, delete your 'regular' portable, Right-Click the Duplicate's folder and duplicate it giving that new duplicate the name of the just deleted copy. You can now access financial web-sites with a pristine web-browser. It only takes about 1 minute to duplicate the folder of a portable web-browser. Except to update the 'bk' copy, don't use it other than to 'renew' the 'regular' copy.
Well yes, the only time I'm really cautious is with banks and even then I don't feel much danger just don't want that risk. Probably just a bit paranoid since I don't see any reports here of anything dodgy ever happening. Case of better safe than sorry.
dimkr wrote: Thu Apr 10, 2025 9:01 am
williwaw wrote: Thu Apr 10, 2025 1:09 am
these directories are owned by root, so anything that has root privileges can write.
Correct me if I'm wrong, but if your browser runs as spot and has a vulnerability that allows a remote attack to write an arbitrary file, the attacker can write /home/spot (which is owned by spot), therefore they can write to /initrd/pup_ro1/home/spot. PATH contains directories under /home/spot, therefore the attacker can trick you into running a malicious executable instead of the original from /usr/bin.
hmm... so long as the browser has write privileges one can acquire an unwanted file.
I have actually experimented with running a portable browser in /tmp as part of a larger experiment unsquashing my browser each time I use it.
I cannot agree with rockedge assertion that "None of the Puppy's have been "compromised"." It's just too hard to prove a negative.
One thing that I have noticed since running my browsers from a sfs is a consistency of operation. I used to reinstall browsers more frequently as it appeared function would become corrupted, but I also used to try out addons as a way to "enhance" security. I think I was only enhancing my sense of security, until I wasn't.
Unless a user designs and builds their own hardware, kernel, operating system, router, cellphone, and packet switching global fiber & satellite network - then they are already compromised in multiple ways.
Think of what happened to the 3000 Hamas operatives whose genitals got blown off by their pagers.
(EDIT - sorry I should have said 'Hezbollah' rather than 'Hamas' )
The whole system is compromised and I think we should try not to over think it.
Browsers are insecure by their very nature. The totally secure browser simply doesn't exist; it's an oxymoron in real terms, 'cos the only 100% secure browser is one that NEVER goes online. Which makes it at best an ornament.....as much use as a chocolate teapot.
@greengeek has hit the nail on the head. You CAN over think the whole shebang until you're dizzy with the sheer number of possibilities that MIGHT happen....you could even become completely paranoid. About the best you can do is to minimize risks to the point where you, as an individual, feel comfortable.....or else you would never, EVER get anything done.
Mike.