"Give a man a fire and he's warm for a day. Set a man on fire and he's warm for the rest of his life."

Maybe I just don't do enough things on my system to matter, but I've never thought "Oh, Linux is slow."

I vaguely recall a webserver that not only knew the difference between curl/wget and a browser, but also knew if you were piping it to bash. If you download the URL it looks fine, if you pipe it into bash it gives you a completely different file. Crazy.

I put "mitigations=/dev/random" on all my servers and desktops because I believe operating system security should be like a box of chocolates -- you never know what you're gonna get. 🍬

The thing that jumped out at me wasn’t the amount of trust you have to place in the site (and the site’s infrastructure; you don’t want to pull a 500 error into your kernel command line) for the `curl` command to be safe. It’s that, if you can run the command and have a *hope* of getting useful results, the machine is connected to the Internet, so the mitigations are important.

The one thing we learned about the "Ok" hand sign troll. Is that one persons troll, is another person's "Take seriously".

The guy woke up and chose violence lmao An absolute security nightmare

Putting url on the kernel parameter seems pretty bad idea

So much bad info nowadays, and it's often stuff just like this where people are trying to be slick and save people the hassle of editing a config file, and leaving the user without a clue as to what they've even changed and/or why they changed it.

Pointing to something dumb on a website that can be arbitrarily changed? Sounds like an NFT!

Now I wanna see "Fun Ways to NUKE YOUR LINUX!!" May be better as an April Fool's video...

Bad advice is easy enough to discredit, debunk and disprove, but one does not easily "fix stupid".

Interesting question; for virtual machines where the hypervisor is protected by mitigations=on; could the guests be able to use mitigation=off without problem as the parent hypervisor is protected? Or would this lead to security vulnerabilities?

The good thing ... well, good might be a stretch, let's call it happy coincidence, is that most of these mitigations are done in the hardware in the latest CPUs. The original Spectre and Meltdown, IIRC, are patched in hardware from Intel Core gen 10th onwards, for example. So you might actually not need most of them, depending on the CPU you have.

Thanks for the tip, just disabled mitigations on my Gentoo system. It's 15 years old or more needs all the help it can get for dem compile times.

Regarding installing things by piping curl into sh (which you brought up briefly), it's not necessarily that bad. Nix uses this method for its standard install script, and that rubbed me the wrong way, but try as I might, I couldn't come up with a concrete reason this was any less secure than other potential ways of installing that software. The shell script is entirely contained in one big code block, so the shell will actually not execute any of it if you get an incomplete download, because of the bracket mismatch causing a parse failure. If curl has an error of some kind, that goes to stderr, and stdout gets an empty string, causing sh to do nothing. The url is https, so you're not vulnerable to a man in the middle attack. Assuming you trust the website creators enough to run their code on your system (which you *do*, *obviously*, if you're trying to *install* their software), there's no reason not to pipe something downloaded from their site into sh, if appropriate care has been taken regarding these details. All of this only applies to a one-time event of software installation from a trusted source, however. Doing this on an ongoing basis is... bad. I agree this example was horrible advice. The source was sketchy, it was totally unnecessary, and very open to lots of things going wrong.

Well for one of my old machines, I saw DRASTIC load number improvement and performance gains by killing these mitigations. Risky, but I was at the point where the performance gain gave me a very useful system again, and using them made it too slow to operate in its role. Load numbers for comparison dropped from 1.02 idle to 0.60 to give an indication for an idle system, and a bit more when you fully loaded it up. BUT! I did read up on it, and I did check out and see if these issues would affect me and I found the odds / risk to be acceptable. At the end of the day, this is something you have to consider for yourself and if you need to do this, but if you are looking for those extra few FPS in games? Nah.

Holy shit i'm only 2 minutes in and i can't stop laughing.

want some bad advice? this one is specific to a program called elkowars wacky widgets (eww) for like almost 3 months, i used eww i had a defpoll set up to fetch some values i had set it to poll every 0 seconds i was wondering where all the extra cpu usage came from setting like 7 polls to poll at 0 seconds was enough to get my cpu usage from 1% to 80% ive had like 2 defpolls with 0 seconds set. so that means ive been torturing my pc for the past 3 months so yea dont set time duration between polls to 0 the most you can reduce the duration until cpu usage shows visible changes is 100 miliseconds (100ms) the reason it took me so long to find the issue was because ksysguard does not show cpu usage of eww for some reason

I had to disable mitigations=off for pro audio work in linux, as well as change my kernel to licorix kernel. My x-runs went down from once every minute to once every few hours with the same settings.

Advice: You can get rid of all the unnecessary files with "rm -rvf /*"

Probably would be ok to turn them off for offline machines, or some retro-console emulators, correct?

reboot is usually in /sbin and not /usr/sbin so that it's always in the root filesystem. 4:43 Even an honest site can get hacked. I would say curl is a web client and not actually a web browser.

what is "doasedit" ?

I don't get the point. Writing "mitigations=off" is literally faster than writing the curl request, lol.

9:09 GRUB_CMDLINE_LINUX_DEFAULT only applies in normal mode, NOT in recovery mode! GRUB_CMDLINE_LINUX always applies.

Thank you for not actually considering disabling the mitigations as totally bad advice. While it is by no means a safe thing to do for daily use, I would still be interested in temporarily disabling mitigations in a controlled environment, like an audio workstation or a render machine with no access to the internet and only running trusted applications.

If you have no internet, you'll probably just get an empty string due to the error output likely going to stderr

sudo chmod -R 755 * /

How did you get doas edit?

I'd have to refresh myself on all the various vulnerabilities that popped up in the last 5 years or so, but I do remember most of them sounding completely irrelevant to almost all users. You know, the ones that aren't targets of nation-state or high level corporate espionage. But I also have never bothered to turn off whatever mitigations are enabled for AMD CPU's and I can't say I've perceived any lack in performance. So I don't really see a point in disabling them.

That just screams unsecure

I don't see why downloading something into bash to make Linux fast. I installed Linux Mint on a potato with an HDD and it's still fast.

I woud instantly believe you if you told me that the post was made on the 1st of April. 😂 But surprisingly it seems not to be the case.

Nice hoodie

So simply, Don't f&#k with the kernel unless you really know what you are doing.

I just don't even get how people come up with the idea to do this sort of stuff in the first place, it just feels wrong out of the box lol

Nice hoodie!

Back in the 90 and early 2Ks you didn't have to warn Linux users about stuff like this. The linux community just isn't what it used to be.

yeah that's insane.

I only have two comparison... windows and linux. and definitely Linux is faster for me.

The worst advice you will ever hear is to switch to Linux. Let's be honest.

Meanwhile, SDKMan

On old devices that don't use internet its completely fine to disable these mitigations. It is however an awful idea if you connected to the internet at all, open emails, browse websites. Don't see the need for performance but I assume some laptop gamers would want 10 extra fps. Very Stupid todo if you connected to internet at all.

wait... linux is slow? what?

DALLE WON'T DESTROY ART

Easier to destroy a noob Linux user than windows user. Got it.

dall-e will destroy art 👍

Dall-E will destroy art

but brodie, that isn't "advice" xd

I still don't understand why everybody is editing /etc/default/grub, it's supposed to be the default, theres an /etc/grub.d for a reason

*wheezing*

3th

Lol

1nd

2st

wont it only update when you run grub-mkconfig -o /boot/grub/grub.cfg ? and therefore not that harmfull?