Comment Re:Cool (Score 5, Informative) 141

Can I use WebAuthn to log in to a remote system via ssh? Or am I still going to need to remember a password?

Not quite exactly like that, but there are similar things.

WebAuthn is a web-specific JavaScript API that allows web pages to interact with hardware authenticator devices. That includes both FIDO2 "roaming authenticators" such as YubiKeys, and built-in "platform authenticators" like TouchID and Windows Hello. FIDO2 devices are accessed via a standard protocol called CTAP, and platform authenticators have platform-specific APIs, but WebAuthn hides those details, so a page can use whatever type(s) of authenticator the browser knows how to talk to.

Recent versions of OpenSSH also support FIDO2 roaming authenticators, so you can use e.g. a YubiKey to log into a remote account. (This doesn't involve WebAuthn; it uses CTAP directly, just like a browser does as the basis for WebAuthn.) However, it requires support on both the client and the server (since it's a new kind of SSH key, which the server must understand), so it won't work with older servers. Also, the build of OpenSSH currently shipped in macOS has it disabled, and it might not work in Windows either (I'm not sure).

Platform authenticators like TouchID and Windows Hello do not use the FIDO2 CTAP protocol, and I don't think OpenSSH currently supports them. It would be possible, but someone would have to write code specifically to support TouchID, specifically to support Windows Hello, and so on.

There's an unofficial OpenSSH plugin for Windows Hello. There's also an unofficial tool for using TouchID with OpenSSH. The former is a plugin for OpenSSH's security-key support; the latter is an SSH agent that's backed by the macOS keychain.

OpenSSH can also use keys stored in PKCS#11 devices: smartcards (in smartcard readers) and some devices which emulate smartcards (such as YubiKeys). This is more compatible than the FIDO2 option (doesn't require any special support on the server side, and should work on a Mac), but also more complicated to set up.

BTW, when you say "remember a password", I'm assuming you mean the password for your local SSH private key, not the password for the remote account you're logging into. If you're typing remote passwords, you should switch to SSH keys right away, and preferably disable password logins entirely on the remote server ("PasswordAuthentication no" in sshd.conf) to prevent password-guessing attacks. If you have an SSH agent running (this is automatic on macOS and most Linux desktops; don't know about Windows), you'll only have to type the key's passphrase once per login session, which is better than typing remote passwords every time. Then you can start thinking about FIDO2/PKCS#11/etc. to store the key in a hardware token instead of a plain file.
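A defender-side check for the two points this comment makes (password logins turned off on the server, and which authorized keys are the new FIDO2 "sk-" key types that an older server will not understand). This is an added example, not code from the original post; the sshd config text and authorized_keys lines are constructed samples with placeholder key blobs.

```python
import re

# Key types OpenSSH writes for FIDO2 security keys (ssh-keygen -t ed25519-sk / ecdsa-sk).
# A server whose OpenSSH is too old to know these types rejects the key.
FIDO2_KEY_TYPES = ("sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def effective_password_auth(sshd_config: str) -> bool:
    """True if sshd would accept password logins under this config text.
    sshd honours the first occurrence of a keyword and defaults to yes; lines inside
    a Match block are skipped because they apply only to matching connections."""
    in_match = False
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
        elif not in_match and keyword == "passwordauthentication":
            return value.lower() == "yes"
    return True


def classify_authorized_keys(text: str) -> dict[str, list[str]]:
    """Map key type -> list of key comments, one entry per authorized_keys line.
    Leading options (e.g. no-pty,command="...") are skipped by locating the key-type token."""
    result: dict[str, list[str]] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPE_PREFIXES):
                comment = " ".join(tokens[i + 2:]) or "(no comment)"
                result.setdefault(tok, []).append(comment)
                break
    return result


def fido2_key_comments(text: str) -> list[str]:
    """Comments of the authorized keys that are backed by a FIDO2 authenticator."""
    groups = classify_authorized_keys(text)
    return [c for t in FIDO2_KEY_TYPES for c in groups.get(t, [])]


# Constructed samples (placeholder key blobs, not real keys).
SAMPLE_SSHD_CONFIG = "PasswordAuthentication no\nMatch User legacy\n    PasswordAuthentication yes\n"
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER alice@yubikey
no-pty,command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@host
"""
```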

Comment Re: I'm not interested in immutable Linux. (Score 1) 182

Filesystem snapshots and COW subvolumes are another interesting way to do A/B images, but ZFS on Linux is controversial for license reasons and btrfs is controversial for technical reasons, so it makes sense to start with implementing A/B on partitions because that's the safe option that works everywhere. Partitions also mean you can use dm-verity to protect against changes below the filesystem level (e.g. corruption or malicious tampering). But I'm guessing systemd-sysupdate will probably gain btrfs support as an option in the future. (And people on Slashdot will probably proclaim that systemd plus btrfs is some sort of unholy union and the worst thing ever.)

Comment Re:I'm not interested in immutable Linux. (Score 1) 182

If someone wants an immutable OS they should do it themselves individually

That's a use-case that Lennart wrote about wanting to support: you set up a system the normal way with packages, then snapshot it as an immutable image you can deploy to other machines. Later, you update the packages on the master system, then snapshot a new image to send to the other machines. Basically making your own custom immutable image-based sub-distribution out of a configuration you've built with a conventional mutable package-based distribution.

(You generally wouldn't do this for an individual home PC, but it makes sense for something like a corporate deployment of lots of workstations, or a compute cluster where all the worker nodes are identical and interchangeable. The same sort of scenarios where people use tools like Puppet or Ansible to deploy the same changes across lots of machines, but immutable whole-system images provide stronger assurance that all the nodes really are identical, and A/B updates mean that errors won't leave a node in a broken halfway state.)

Comment Re:Launch codes (Score 2) 182

Yes, the same way I wouldn't be affected by binary journald, by broken and feature-missing resolved, by timesyncd and all the other "optional" systemd components you promised us wouldn't affect us, and still did because distros relented and used them.

(...)

Just stop repeating that lie that we have full choice, we don't, we have very limited choice. All the big distros chose systemd, so we have the choice of a big distro we like with systemd or a systemd-free little and often badly supported distro.

Debian is a pretty big distro and it doesn't install networkd or resolved or timesyncd by default. Those things are still handled in the same way as before systemd came along. Debian runs journald in non-persistent mode (memory only) and still uses a conventional syslogd for logging to disk, same as always. So yes, those components really are optional.

On top of that, this sysupdate thing isn't even usable unless the distro provides updates as whole-system images instead of individual packages, which is extremely unlikely to happen in traditional package-based systems -- it's such a huge fundamental change that you're basically making a whole new distro at that point. We'll likely see more image-based distros being created, probably some as variants of package-based distros (like Fedora Silverblue as opposed to plain Fedora). But image-based distros are new and experimental, while package-based distros are robust and mature, so the package systems won't be going away any time soon, if ever.

Comment Re:systemd-linux (Score 1) 182

Yes, the same "systemd won't take over this", "systemd-whateverd is optional, not all distros will use it", "stuff X you're concerned with won't happen"... The past showed that most of the stuff we were concerned with and yet were dismissed condescendingly the same way you're doing now has sadly come to pass.

Really? I must have missed that. I run Debian, and Debian switched to systemd as init because it's useful, but Debian still runs a conventional syslog daemon alongside systemd's journal, and it works the same as always. Debian still uses the same scripts and config files as always for handling network interfaces; systemd-networkd and systemd-resolved aren't even installed by default. I haven't witnessed some sort of systemd dystopia having "sadly come to pass". Maybe some other distros have adopted more systemd stuff by default, but that's the distro's choice to make.

redhat is not on our side, ffs, it's a for profit company, it's owned by ibm, its only goal is to make more and more money for the shareholders, and if it means destroying linux and turning it into a macOS style locked down OS. And people like you continue to urge us that everything is going well, that we worry for nothing, and you continue to put all our collective eggs in redhat's basket.

TiVo already turned Linux into a locked-down OS, years ago... on TiVo's own devices. So has Google to some extent, on Android devices. Neither of those has "destroyed Linux"; the existence of some locked-down devices doesn't take away anyone's ability to use traditional package-based distributions on their own computers. I'm sure there are people who'd like to run cryptographically-signed, immutable image-based Linux desktops once that technology is mature, and I'm sure Red Hat hopes to gain those customers by being a leader in supporting that kind of system. But like I said earlier, package-based distros aren't going away, and nobody's forcing you to switch.

The focus point for me is not systemd, it's Secure Boot and control over what OS is trusted by the firmware. Secure Boot is a legitimate security feature as long as the owner of the computer can install their own keys and/or turn it off, but some machines have it locked to Microsoft's keys so you can only boot an OS that's approved by Microsoft. And Microsoft has a partnership program that enables some Linux distros to boot via Microsoft's keys, but they could choose to stop doing that in the future; incidents like BootHole may even give them incentive to do so. Firmware locks on what OS you can boot are an actual concern, regardless of whether your OS of choice uses traditional packages or immutable system images.

Bottom line, I think it's important that computers allow you to install the OS of your choice, but I'm not concerned with Red Hat (or anyone else) working to enable new ways of building a Linux system, since that's just giving people more options for the OS of their choice. The existence of systemd-sysupdate on other computers doesn't take away your ability to use apt or pacman or whatever on your own.

Comment Re:Systemd (Score 2) 182

But then, they included a DNS resolver, X11 auto configuration (which broke many desktop assumptions), user session management, syslog replacement, and the kitchen sink.

You realize systemd isn't a gigantic monolithic kitchen-sink binary, right? The service manager runs in PID 1, but things like logind, journald, networkd, resolved are all separate programs running in separate processes. And the auxiliary stuff is optional; if you don't want to use systemd's DNS resolver, don't install it. Plain old dhclient editing resolv.conf still works the same as always.

But including a package manager? Oh, come on, that is a bridge too far.

It's another separate program, and only relevant for distributions that are specifically designed to use it instead of a conventional package manager. If you're running something typical like Ubuntu or Arch or RHEL, systemd-sysupdate is not meant for you, and your distro likely won't even provide builds of it.

Package-based distributions have been around for a long time; we have good package managers now because the major ones have been in development for a quarter-century. RPM is a lot more robust now than it was back in 1997. Image-based distributions are a different approach that's new and experimental, so the systemd developers have taken a shot at advancing the state of the art for that kind of distribution model. They're not trying to change how traditional package-based systems install their updates.

Comment Re:systemd-linux (Score 4, Informative) 182

Why the hell should my INIT SYSTEM be shadowing my package manager and doing system upgrade tasks?

Did you read the article? This isn't meant to compete with package managers. If you use a distro based on a traditional package manager, you don't need this feature and your distro probably won't even enable it. It's meant to support distributions like Silverblue that treat the whole OS as a single unit, rather than a collection of individual packages. There's interest in that kind of update model, because it makes sense for some (not all) use-cases, so systemd is aiming to make it easier to build distros that way. But package-based distros aren't going away any time soon (if ever); nobody's forcing you to switch.

Comment Re:assault weapon? (Score 1) 481

Merriam-Webster shows two definitions: one specifies fully automatic, and the other is "a rifle that resembles a military assault rifle but is designed to allow only semiautomatic fire". State laws have varying definitions, some of which include semi-automatic weapons. It's not as clear-cut as you make it sound. In the context of civilian mass shootings, there's a need for a term that means weapons designed to be good at killing lots of people quickly, and "assault rifle" seems to be what a lot of people have settled on, because it fits. Definitions follow from usage, not the other way around, and meanings of words can change over time.

(I see a parallel here to the word "hacker" -- which used to mean a skilled programmer, with no negative connotation, but now pretty much everyone uses it to mean a malicious intruder. Merriam-Webster shows both of those definitions too, along with one that's unrelated to computers.)

Comment Re:assault weapon? (Score 1) 481

It was an AR-15 with a high-capacity magazine. Not selective-fire, but semi-automatic and closely modeled after the M16, which is a military weapon. You can say that the lack of full auto means an AR-15 is not a military weapon, but it's still pretty clearly designed for combat, not just hunting or sports. So it seems pretty reasonable to call it an assault rifle.

Comment Re:Ah yes free speech (Score 2) 214

You're talking about a man who literally launched a luxury car into space. He probably doesn't even care if he flushes Twitter down the shitter, for the lulz. I think at this point he's just trying to go down in history as wasting as much money as humanly possible.

The point of that launch wasn't to put a car in space for the lulz, though. The point was to test a new type of rocket, to show that it works so customers would pay to launch other things (like satellites) on it. The payload for the test launch wasn't important; they could just as well have used a block of concrete. The car was a publicity gimmick, but the launch wasn't frivolous or wasteful.

Comment This is just a reinvention of Diceware (Score 3, Informative) 98

This is the same basic idea as Diceware, which has been around for a long time and does it in a much simpler way. You don't need special barcoded dice or a special camera app. Just roll an ordinary 6-sided die 5 times and look up the numbers in the Diceware wordlist. You can even print the list on paper so that the process is entirely manual and no amount of compromised software can snoop on your password generation. Each word has about 12.9 bits of entropy (6^5 is approximately 2^12.9), and you can choose how many words to generate based on the password strength you want.

I guess the innovation of DiceKeys is using more than just the number on the die as the entropy source. Using the Diceware method, 25 dice (5 words) gives you about 64 bits of entropy; to get at least 196 bits you need 75 dice (15 words). DiceKeys uses the orientation of the dice and their arrangement in the box as additional entropy sources, to get 196 bits out of just 25 dice.
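The Diceware arithmetic from this comment, worked through as an added example (not code from the original post): a 5-digit roll is a base-6 number indexing a 7776-entry wordlist, each word carries 5·log2(6) bits, and the word count for a target strength follows from that. The wordlist used here is a constructed stand-in of placeholder tokens so the code runs offline.

```python
import math

DIE_SIDES = 6
DICE_PER_WORD = 5
WORDLIST_SIZE = DIE_SIDES ** DICE_PER_WORD  # 7776 entries in a Diceware list


def entropy_bits(num_dice: int) -> float:
    """Entropy contributed by num_dice fair six-sided dice: log2 of the outcome count."""
    return num_dice * math.log2(DIE_SIDES)


def words_needed(target_bits: float) -> int:
    """Smallest number of Diceware words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / entropy_bits(DICE_PER_WORD))


def roll_to_index(roll: str) -> int:
    """Map a 5-digit roll such as "31645" to a 0-based wordlist index.
    Each digit is 1..6, so the roll is a base-6 number with every digit shifted down by one."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"roll must be {DICE_PER_WORD} digits in 1..6, got {roll!r}")
    index = 0
    for c in roll:
        index = index * DIE_SIDES + (int(c) - 1)
    return index


def passphrase(rolls: list[str], wordlist: list[str]) -> str:
    """Look up one word per 5-dice roll; the wordlist must have exactly 7776 entries."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError("a Diceware wordlist has exactly 6^5 = 7776 entries")
    return " ".join(wordlist[roll_to_index(r)] for r in rolls)


# Constructed stand-in for the published Diceware list (placeholder tokens, not real words).
DEMO_WORDLIST = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]

if __name__ == "__main__":
    print(f"bits per word: {entropy_bits(DICE_PER_WORD):.2f}")
    print(f"words needed for 64 bits: {words_needed(64)}")
    print(passphrase(["11111", "66666", "31645"], DEMO_WORDLIST))
```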

Comment Re: Senate Report [Re:Microsoft Interference?] (Score 1) 186

Only a loser millennial uses the word whataboutism. The rest of us adults just call you what you are... a fucking hypocrite.

That one's called "ad hominem": you don't have a response to the substance of the argument, so instead you just insult the person who made it.

It would be different if you bitched about both sides. But you don't. You, metaphorically, complain about slavery, while owning over a dozen slaves.

The grandparent post hardly looks like "bitching" to me. Are you arguing that XXongo shouldn't have written it? That he/she should've written a criticism of Democrats or something too, to make it "both sides"? If you think there are important details being left out, post them yourself as a rebuttal, rather than just ad-hominem insults.
