I was put on 5000IU D2 and I got kidney stones, twice. The doctor wouldn't believe that the D2 was the cause, but I stopped taking it and the stones have not recurred.
I would like to bring my D levels up, but not at the expense of kidney stones.
I was put on it because I have stones and my parathyroid hormone level is 2.5x normal. The understanding is that low vitamin D causes higher PTH, which can influence stones even though my blood calcium is normal. We didn't get to a root cause on the palpitations, but my vitamin D has dropped back to 9, so I am going to have to supplement.
* that once it was adopted, every single package started requiring it
* which meant that packages that previously could run everywhere, now could only run on systemd-based systems
* binary logs - a solution that solved nothing but created problems
* which locked out any system that wasn't linux
* which locked out any linux system that didn't want to use it
* which led to abominations like systemd-resolved
* "bUt yOu DoNt hAVe tO uSE it" - tell that to the remote attestation crowd, of which Poettering is a founding member. See https://news.ycombinator.com/item?id=46784572 - soon you'll have to use systemD because nothing else *can* be used.
Literally everything the systemD crowd has done leads to lockout and loss of choice. All ramrodded through by IBM/RedHat.
The systemD developers don't care about any of this, of course. They've got a long history of breaking user space and poor dev practices because they're systemD. I mean, their attitude was so bad they got one of their principal devs kicked from the kernel because they overloaded the use of the kernel boot parameter "debug", which flooded the console, and refused to modify the debug option to something compatible like "systemd.debug", broke literally every other system, and then told everybody else "hey we're not wrong, the rest of the world is wrong." And this has been their attitude since then.
Look, if people want to use systemD, that's just fine. But it is a fact that the entire development process for systemD is predicated on making Linux incompatible with anything else, which is an entire inversion of how Linux and Free Software works.
I actually like unit files. But if systemD was just an init system, it would stop there.
I don't like unit files very much. Instead of these variables that are specific to systems, and are ignored if you use too old a version of systemd, thus running your ftp server as root, you can prepend to the command line: sudo -u nobody ftpd. This composes much better, and you can use the same commands that work in the shell.
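One check a defender would want for the failure mode described above, as an added example that is not from the thread: audit unit files for services that would end up running as root, recognising User=, DynamicUser= and a leading sudo -u on the command line. The sample units are constructed.

```python
import configparser
import shlex

# Constructed sample unit files (not from the thread) covering the cases
# the comment above contrasts.
SAMPLE_UNITS = {
    "ftpd-bare.service": "[Service]\nExecStart=/usr/sbin/ftpd\n",
    "ftpd-user.service": "[Service]\nUser=nobody\nExecStart=/usr/sbin/ftpd\n",
    "ftpd-dynamic.service": "[Service]\nDynamicUser=yes\nExecStart=/usr/sbin/ftpd\n",
    "ftpd-sudo.service": "[Service]\nExecStart=/usr/bin/sudo -u nobody /usr/sbin/ftpd\n",
}

TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_unit(text):
    """Parse systemd's INI-like unit syntax; repeated keys are allowed."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str            # unit keys are case-sensitive
    cp.read_string(text)
    return cp


def user_from_command(exec_start):
    """Return the user named by a leading 'sudo -u USER ...', else None."""
    argv = shlex.split(exec_start)
    if len(argv) >= 3 and argv[0].endswith("sudo") and argv[1] == "-u":
        return argv[2]
    return None


def effective_user(text):
    """Who a service runs as: directive wins, then command-line sudo, else root."""
    cp = parse_unit(text)
    if not cp.has_section("Service"):
        return "root"               # nothing drops privileges
    svc = cp["Service"]
    if svc.get("DynamicUser", "no").lower() in TRUE_VALUES:
        return "dynamic"            # systemd allocates a transient user
    if "User" in svc:
        return svc["User"]
    return user_from_command(svc.get("ExecStart", "")) or "root"


def audit(units):
    """Map unit name -> effective user; callers flag the 'root' entries."""
    return {name: effective_user(text) for name, text in units.items()}


if __name__ == "__main__":
    for name, user in audit(SAMPLE_UNITS).items():
        print(f"{name}: {user}" + ("  <-- runs as root" if user == "root" else ""))
```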
> * "bUt yOu DoNt hAVe tO uSE it" - tell that to the remote attestation crowd, of which Poettering is a founding member. See https://news.ycombinator.com/item?id=46784572 - soon you'll have to use systemD because nothing else can be used.
You're saying that because the person who made systemd now works on hardware attestation, all Linux distributions will eventually require remote hardware attestation, where users don't actually have the keys?
Maybe I'm naive, maybe I trust my distribution too much (Arch btw), but I don't see that happening. Probably Ubuntu and some other more commercial OSes might, but we'll still have choices in what OS/distribution to use, so just "vote with your partitions" or whatever.
If you build remote attestation into your product, corporate entities will require it. Just look at Android - what phones today give you unlimited root? If you have rooted, what applications have you broken? If you root, what e-fuses have you blown in your CPU, meaning it can never be un-rooted? Android, at the start, was open and freely modified - not so much anymore. Companies like Google can and have cut off access to users' data, without recourse. You can't modify your phone, so you don't own your phone. You just pay rent until they don't support it anymore.
I think phones are a completely different beast though (and already a lost cause); PCs seem a lot more resilient to that sort of lockdown.
But on the other hand, you might be right, you never know how the future looks. But personally I'll wait until there is at least some signal that it's moving in that direction, before I start prepping for it to actually happen.
* Literally every game console
* Literally every smartphone
* Microsoft, with their Win11 requirements, is moving there
* John Deere (read on their own hardware attestation efforts to block DIY)
* Car companies (require specialized tooling and software subscriptions to make certain repairs)
* Anything that requires a signed bootloader and signed software updates
* Snapdragon CPUs and e-fuses that burn when you use unsigned software, and brick
* Apple hardware, literally crypto-signed so you can't use aftermarket parts
* Google Chromecast
* Amazon Kindle, locked hardware
* IBM has locked hardware to their laptops for *years*. Ever try upgrading a wifi card in an IBM laptop? They're already invested in this
And Linux probably predates most/many of those things, yet remains open and without forced attestation. Why is it suddenly different today than in all those years you reference?
Companies can make Linux variants that are tivoized, but it's not standardized. They have to put effort into it. Soon it'll just be systemctl --tivoize-me
They are a different beast because of the culture surrounding them — nothing technologically different. Lennart wants to bring that same culture to desktops.
People have been saying this since day dot. It was very controversial for Debian to change to use systemd. The vote was close due to many arguments which are still being played out
"The OS configuration and state (i.e. /etc/ and /var/) must be encrypted, and authenticated before they are used. The encryption key should be bound to the TPM device; i.e system data should be locked to a security concept belonging to the system, not the user."
See Android; or, where you no longer own your device, and if the company decides, you no longer own your data or access to it.
And if Linux$oft suddenly decides every user's system needs a backdoor, or that every system must automatically phone home with your entire browsing data, then, well, too bad, so sad, of course!
I mentioned it somewhere else in the thread, and btw, I'm not affiliated with the company, this is just my charitable interpretation of their intentions: this is not for requiring _every_ consumer linux device to have attestation, but for specific devices that are needed for niche purposes to have a method to use an open OS stack while being capable of attestation.
Yes, I reference Android client attestation in my comments in this thread frequently. I actually see this company as likely to be the flip side of the “bad” client attestation coin; server attestation actually provides a lot of nice properties to end users and providers who wish to provide secure solutions with very limited user downside.
It won't remain "server" attestation. It will become "client" attestation, with the end result that you won't own your own machine anymore, you'll just be paying for a client device upon which you won't control the hardware or software anymore. See any mobile phone at all, anymore.
I don’t see anyone investing in this for general purpose desktop Linux in the state desktop Linux exists today; the harbinger of the Desktop Linux Apocalypse would be web-based Windows attestation (just as Android attestation is eroding alt-OSes) which feels like a viable “threat” but thankfully doesn’t seem to be happening just yet.
I do think this approach might get used for client attestation in gaming, which I actually don't mind; renting/non-owning a client that lets me play against non-cheaters is a pretty good gaming outcome, and needing a secure configuration to run games seems like a fine trade for me (vs, for example, needing a secure desktop configuration to access my bank, which would be irksome).
No, the endgame is that a small handful of entities or a consortium will effectively "own" Linux because they'll be the only "trusted" systems. Welcome to locked-down "Linux".
You'll be free to run your own Linux, but don't expect it to work outside of niche uses.
Android lets you put your own signed keys in on certain phones. For now.
The banking apps still won't trust them, though.
To add a quote from Lennart himself:
"The OS configuration and state (i.e. /etc/ and /var/) must be encrypted, and authenticated before they are used. The encryption key should be bound to the TPM device; i.e system data should be locked to a security concept belonging to the system, not the user."
Your system will not belong to you anymore. Just as it is with Android.
Banks do this because they have made their own requirement that the mobile device is a trust root that can authenticate the user. There are better, limited-purpose devices that can do this, but they are not popular/ubiquitous like smartphones, so here we are.
The oppressive part of this scheme is that Google's integrity check only passes for _their_ keys, which form a chain of trust through the TEE/TPM, through the bootloader and finally through the system image. Crucially, the only part banks should care about should just be the TEE and some secure storage, but Google provides an easy attestation scheme only for the entire hardware/software environment and not just the secure hardware bit that already lives in your phone and can't be phished.
It would be freaking cool if someone could turn your TPM into a Yubikey and have it be useful for you and your bank without having to verify the entire system firmware, bootloader and operating system.
It won't matter if you disable it. You simply won't be able to use your PC with any commercial services, in the same way that a rooted Android installation can't run banking apps without doing things to break that, and what they're working on here aims to make that "breakage" impossible.