document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-04 22:00:34 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'LCTT/master'

Browse Source
This commit is contained in:
Xingyu Wang 2019-07-13 12:11:03 +08:00
commit f3f712ce16
5 changed files with 315 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
published/20190630 Donald Trump Now Wants to Ban End-to-End Encryption.md Normal file
View File

@ -0,0 +1,51 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: (wxy)
[#]: publisher: (wxy)
[#]: url: (https://linux.cn/article-11092-1.html)
[#]: subject: (Donald Trump Now Wants to Ban End-to-End Encryption)
[#]: via: (https://news.softpedia.com/news/donald-trump-now-wants-to-ban-end-to-end-encryption-526567.shtml)
[#]: author: (Bogdan Popa https://news.softpedia.com/editors/browse/bogdan-popa)
美国总统特朗普要禁用端到端加密
======
> 美国官方在开会讨论端到端加密。
在[禁止][1]和[解禁][2]华为之后,美国总统唐纳德特朗普现在将目光盯上了端到端加密,据一份新的报告声称,白宫高级官员本周会面讨论了政府可以在这方面采取的第一项动作。
[Politico][3] 援引了三位知情人士的话指出,来自几个关键机构的二号官员讨论了针对端到端加密的潜在攻击。
“这两条路径是,要么就加密问题发表声明或一般立场,并且[说]他们将继续致力于解决方案或者要求国会立法”Politico 援引一位消息人士的话说。
虽然美国政府希望终止美国公司开发的软件中的端到端加密功能,但这一提议却招致了美国各机构代表的不同反应。
Politico 指出,例如,国土安全部 “内部存在分歧”,因为该机构意识到禁止端到端加密可能产生的安全隐患。
### 加密争议
推动制定这项针对端到端加密的规定,被视为美国情报机构和执法部门努力获取属于犯罪分子和恐怖分子的设备和数据的决定性步骤。
大多数美国公司已经将加密捆绑到他们的产品当中,这包括苹果和谷歌,它阻止了调查人员访问嫌疑人的数据。科技公司将端到端加密定位为一项关键的隐私功能,其中一些人警告说,任何针对它的监管都可能影响到国家安全。
特别是苹果公司,它是反对加密监管的最大公司之一。该公司[拒绝解锁圣贝纳迪诺恐怖分子使用的 iPhone][4],解释说侵入该设备会损害所有客户的安全。
FBI 最终使用了第三方开发的软件解锁了该设备。
--------------------------------------------------------------------------------
via: https://news.softpedia.com/news/donald-trump-now-wants-to-ban-end-to-end-encryption-526567.shtml
作者:[Bogdan Popa][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://news.softpedia.com/editors/browse/bogdan-popa
[b]: https://github.com/lujun9972
[1]: https://news.softpedia.com/news/google-bans-huawei-from-using-android-google-play-gmail-other-services-526083.shtml
[2]: https://news.softpedia.com/news/breaking-donald-trump-says-huawei-can-buy-american-products-again-526564.shtml
[3]: https://www.politico.com/story/2019/06/27/trump-officials-weigh-encryption-crackdown-1385306
[4]: https://news.softpedia.com/news/judge-orders-apple-to-help-the-fbi-hack-san-bernardino-shooter-s-iphone-500517.shtml

98
translated/tech/20190702 Make Linux stronger with firewalls.md → published/20190702 Make Linux stronger with firewalls.md
View File

@ -1,16 +1,17 @@
[#]: collector: (lujun9972)
[#]: translator: (chen-ni)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: reviewer: (wxy)
[#]: publisher: (wxy)
[#]: url: (https://linux.cn/article-11093-1.html)
[#]: subject: (Make Linux stronger with firewalls)
[#]: via: (https://opensource.com/article/19/7/make-linux-stronger-firewalls)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
使用防火墙让你的 Linux 更加强大
======
掌握防火墙的工作原理,以及如何设置防火墙来提高 Linux 的安全性
![People working together to build ][1]
> 掌握防火墙的工作原理,以及如何设置防火墙来提高 Linux 的安全性
![](https://img.linux.net.cn/data/attachment/album/201907/13/114424m9clibvi0p128fln.jpg)
所有人都听说过防火墙(哪怕仅仅是在网络犯罪片里看到过相关的情节设定),很多人也知道他们的计算机里很可能正运行着防火墙,但是很少有人明白在必要的时候如何驾驭防火墙。
@ -18,23 +19,21 @@
### 防火墙的工作原理
网络里不同设备之间的通信是通过一种叫做 **端口** 的网关实现的。这里的端口指的并不是像 USB 端口 或者 HDMI 端口这样的物理连接。在网络术语中,端口是一个纯粹的虚拟概念,用来表示某种类型的数据到达或离开一台计算机时候所走的路径。其实也可以换个名字来称呼,比如叫“连接”或者“门道”,不过 [早在 1981 年的时候][2] 它们就被称作端口了,这个叫法也沿用至今。其实端口这个东西没有任何特别之处,只是一种用来指代一个可能会发生数据传输的地址的方式。
1972 年,一份 [端口数字清单][3](那时候的端口被称为“套接字”)被发布了,并且从此演化为一组众所周知的标准端口号,帮助管理特定类型的网络流量。比如说,你每天访问网站的时候都会使用 80 和 443 端口,因为互联网上的绝大多数人都同意(或者是默认)数据从 web 服务器上传输的时候是通过这两个端口的。如果想要验证这一点,你可以在使用浏览器访问网站的时候在 URL 后面加上一个非标准的端口号码。比如说,访问 **example.com:42** 的请求会被拒绝,因为 example.com 在 42 端口上并不提供网站服务。
网络里不同设备之间的通信是通过一种叫做<ruby>端口<rt>port</rt></ruby>的网关实现的。这里的端口指的并不是像 USB 端口 或者 HDMI 端口这样的物理连接。在网络术语中,端口是一个纯粹的虚拟概念,用来表示某种类型的数据到达或离开一台计算机时候所走的路径。其实也可以换个名字来称呼,比如叫“连接”或者“门口”,不过 [早在 1981 年的时候][2] 它们就被称作端口了,这个叫法也沿用至今。其实端口这个东西没有任何特别之处,只是一种用来指代一个可能会发生数据传输的地址的方式。
1972 年,发布了一份 [端口号列表][3](那时候的端口被称为“<ruby>套接字<rt>socket</rt></ruby>”),并且从此演化为一组众所周知的标准端口号,帮助管理特定类型的网络流量。比如说,你每天访问网站的时候都会使用 80 和 443 端口,因为互联网上的绝大多数人都同意(或者是默认)数据从 web 服务器上传输的时候是通过这两个端口的。如果想要验证这一点,你可以在使用浏览器访问网站的时候在 URL 后面加上一个非标准的端口号码。比如说,访问 `example.com:42` 的请求会被拒绝,因为 example.com 在 42 端口上并不提供网站服务。
![Navigating to a nonstandard port produces an error][4]
如果你是通过 80 端口访问同一个网站,就可以(不出所料地)正常访问了。你可以在 URL 后面加上 **:80** 来指定使用 80 端口,不过由于 80 端口是 HTTP 访问的标准端口,所以你的浏览器其实已经默认在使用 80 端口了。
如果你是通过 80 端口访问同一个网站,就可以(不出所料地)正常访问了。你可以在 URL 后面加上 `:80` 来指定使用 80 端口,不过由于 80 端口是 HTTP 访问的标准端口,所以你的浏览器其实已经默认在使用 80 端口了。
当一台计算机(比如说 web 服务器)准备在指定端口接收网络流量的时候,保持该端口向网络流量开放是一种可以接受的(也是必要的)行为。但是不需要接收流量的端口如果也处在开放状态就比较危险了,这就是需要用防火墙解决的问题。
#### 安装 firewalld
有很多种配置防火墙的方式,这篇文章介绍 [**firewalld**][5]。在桌面环境下它被集成在网络管理器Network Manager在终端里则是集成在 **firewall-cmd** 里。很多 Linux 发行版都预装了这些工具。如果你的发行版里没有,你可以把这篇文章当成是管理防火墙的通用性建议,在你所使用的防火墙软件里使用类似的方法,或者你也可以选择安装 **firewalld**
比如说在 Ubuntu 上,你必须启用 **universe** 软件仓库,关闭默认的 **ufw** 防火墙,然后再安装 **firewalld**
有很多种配置防火墙的方式,这篇文章介绍 [firewalld][5]。在桌面环境下它被集成在<ruby>网络管理器<rt>Network Manager</rt></ruby>里,在终端里则是集成在 `firewall-cmd` 里。很多 Linux 发行版都预装了这些工具。如果你的发行版里没有,你可以把这篇文章当成是管理防火墙的通用性建议,在你所使用的防火墙软件里使用类似的方法,或者你也可以选择安装 `firewalld`
比如说在 Ubuntu 上,你必须启用 universe 软件仓库,关闭默认的 `ufw` 防火墙,然后再安装 `firewalld`
```
$ sudo systemctl disable ufw
@ -42,21 +41,21 @@ $ sudo add-apt-repository universe
$ sudo apt install firewalld
```
Fedora、CentOS、RHEL、OpenSUSE以及其它很多发行版默认就包含了 **firewalld**
Fedora、CentOS、RHEL、OpenSUSE以及其它很多发行版默认就包含了 `firewalld`
无论你使用哪个发行版,如果希望防火墙发挥作用,就必须保持它在开启状态,并且设置成开机自动加载。你应该尽可能减少在防火墙维护工作上所花费的精力。
```
`$ sudo systemctl enable --now firewalld`
$ sudo systemctl enable --now firewalld
```
### 使用网络管理器选择区域
或许你每天都会连接到很多不同的网络。在工作的时候使用的是一个网络,在咖啡馆里是另一个,在家里又是另一个。你的计算机可以判断出哪一个网络的使用频率比较高,但是它并不知道哪一个是你信任的网络。
一个防火墙的 **区域** 里包含了端口开放和关闭的预设规则。你可以通过使用区域来选择一个对当前网络最适用的策略。
一个防火墙的<ruby>区域<rt>zone</rt></ruby>里包含了端口开放和关闭的预设规则。你可以通过使用区域来选择一个对当前网络最适用的策略。
你可以打开网络管理器里的连接编辑器(可以在应用菜单里找到),或者是使用 **nm-connection-editor &amp;** 命令以获取所有可用区域的列表。
你可以打开网络管理器里的连接编辑器(可以在应用菜单里找到),或者是使用 `nm-connection-editor &` 命令以获取所有可用区域的列表。
![Network Manager Connection Editor][6]
@ -71,7 +70,7 @@ Fedora、CentOS、RHEL、OpenSUSE以及其它很多发行版默认就包含
也可以使用下面的终端命令以获取同样的列表:
```
`$ sudo firewall-cmd --get-zones`
$ sudo firewall-cmd --get-zones
```
每个区域的名称已经可以透露出设计者创建这个区域的意图,不过你也可以使用下面这个终端命令获取任何一个区域的详细信息:
@ -89,18 +88,17 @@ work
  [...]
```
在这个例子中,**工作**区域的配置是允许接收 SSH 和 DHCPv6-client 的流量,但是拒绝接收其他任何用户没有明确请求的流量。(换句话说,**工作**区域并不会在你浏览网站的时候拦截 HTTP 响应流量,但是 **会** 拦截一个针对你计算机上 80 端口的 HTTP 请求。)
在这个例子中,`work` 区域的配置是允许接收 SSH 和 DHCPv6-client 的流量,但是拒绝接收其他任何用户没有明确请求的流量。(换句话说,`work` 区域并不会在你浏览网站的时候拦截 HTTP 响应流量,但是 **会** 拦截一个针对你计算机上 80 端口的 HTTP 请求。)
你可以依次查看每一个区域,弄清楚它们分别都允许什么样的流量。比较常见的有:
* **工作:** 这个区域应该在你非常信任的网络上使用。它允许 SSH、DHCPv6 和 mDNS并且还可以添加更多允许的项目。该区域非常适合作为一个基础配置然后在此之上根据日常办公的需求自定义一个工作环境。
* **公共:** 用在你不信任的网络上。这个区域的配置和工作区域是一样的,但是你不应该再继续添加其它任何允许项目。
* **丢弃:** 所有传入连接都会被丢弃,并且不会有任何响应。在不彻底关闭网络的条件下,这已经是最接近隐形模式的配置了,因为只允许传出网络连接(不过随便一个端口扫描器就可以通过传出流量检测到你的计算机,所以这个区域并不是一个隐形装置)。如果你在使用公共 WiFi这个区域可以说是最安全的选择如果你觉得当前的网络比较危险这个区域也一定是最好的选择。
* **拦截:** 所有传入连接都会被拒绝,但是会返回一个消息说明所请求的端口被禁用了。只有你主动发起的网络连接是被允许的。这是一个友好版的 **丢弃** 区域,因为虽然还是没有任何一个端口允许传入流量,但是说明了会拒绝接收任何不是本机主动发起的连接。
* **家庭:** 在你信任网络里的其它计算机的情况下使用这个区域。该区域只会允许你所选择的传入连接,但是你可以根据需求添加更多的允许项目。
* **内部:** 和工作区域类似,该区域适用于内部网络,你应该在基本信任网络里的计算机的情况下使用。你可以根据需求开放更多的端口和服务,同时保持和工作区域不同的一套规则。
* **信任:** 接受所有的网络连接。适合在故障排除的情况下或者是在你绝对信任的网络上使用。
* `work`:这个区域应该在你非常信任的网络上使用。它允许 SSH、DHCPv6 和 mDNS并且还可以添加更多允许的项目。该区域非常适合作为一个基础配置然后在此之上根据日常办公的需求自定义一个工作环境。
* `public` 用在你不信任的网络上。这个区域的配置和工作区域是一样的,但是你不应该再继续添加其它任何允许项目。
* `drop` 所有传入连接都会被丢弃,并且不会有任何响应。在不彻底关闭网络的条件下,这已经是最接近隐形模式的配置了,因为只允许传出网络连接(不过随便一个端口扫描器就可以通过传出流量检测到你的计算机,所以这个区域并不是一个隐形装置)。如果你在使用公共 WiFi这个区域可以说是最安全的选择如果你觉得当前的网络比较危险这个区域也一定是最好的选择。
* `block` 所有传入连接都会被拒绝,但是会返回一个消息说明所请求的端口被禁用了。只有你主动发起的网络连接是被允许的。这是一个友好版的 `drop` 区域,因为虽然还是没有任何一个端口允许传入流量,但是说明了会拒绝接收任何不是本机主动发起的连接。
* `home` 在你信任网络里的其它计算机的情况下使用这个区域。该区域只会允许你所选择的传入连接,但是你可以根据需求添加更多的允许项目。
* `internal` 和工作区域类似,该区域适用于内部网络,你应该在基本信任网络里的计算机的情况下使用。你可以根据需求开放更多的端口和服务,同时保持和工作区域不同的一套规则。
* `trusted` 接受所有的网络连接。适合在故障排除的情况下或者是在你绝对信任的网络上使用。
### 为网络指定一个区域
@ -116,14 +114,14 @@ work
### 默认区域
每次你加入一个新的网络的时候firewalld 并不会提示你进行选择,而是会指定一个默认区域。你可以在终端里输入下面这个命令来获取你的默认区域:
每次你加入一个新的网络的时候,`firewalld` 并不会提示你进行选择,而是会指定一个默认区域。你可以在终端里输入下面这个命令来获取你的默认区域:
```
$ sudo firewall-cmd --get-default
public
```
在这个例子里,默认区域是公共区域。你应该保证公共区域有非常严格的限制规则,这样在将它指定到未知网络中的时候才比较安全。或者你也可以设置你自己的默认区域。
在这个例子里,默认区域是 `public` 区域。你应该保证该区域有非常严格的限制规则,这样在将它指定到未知网络中的时候才比较安全。或者你也可以设置你自己的默认区域。
比如说,如果你是一个比较多疑的人,或者需要经常接触不可信任的网络的话,你可以设置一个非常严格的默认区域:
@ -134,7 +132,7 @@ $ sudo firewall-cmd --get-default
drop
```
这样一来,任何你新加入的网络都会被指定使用丢弃区域,除非你手动将它制定为另一个没有这么严格的区域。
这样一来,任何你新加入的网络都会被指定使用 `drop` 区域,除非你手动将它制定为另一个没有这么严格的区域。
### 通过开放端口和服务实现自定义区域
@ -146,81 +144,81 @@ Firewalld 的开发者们并不是想让他们设定的区域能够适应世界
在你的防火墙上添加许可的最简单的方式就是添加预设服务。严格来讲,你的防火墙并不懂什么是“服务”,因为它只知道端口号码和使用协议的类型。不过在标准和传统的基础之上,防火墙可以为你提供一套端口和协议的组合。
比如说,如果你是一个 web 开发者并且希望你的计算机对本地网络开放(这样你的同事就可以看到你正在搭建的网站了),可以添加 **http****https** 服务。如果你是一名游戏玩家,并且在为你的游戏公会运行开源的 [murmur][9] 语音聊天服务器,那么你可以添加 **murmur** 服务。还有其它很多可用的服务,你可以使用下面这个命令查看:
比如说,如果你是一个 web 开发者并且希望你的计算机对本地网络开放(这样你的同事就可以看到你正在搭建的网站了),可以添加 `http``https` 服务。如果你是一名游戏玩家,并且在为你的游戏公会运行开源的 [murmur][9] 语音聊天服务器,那么你可以添加 `murmur` 服务。还有其它很多可用的服务,你可以使用下面这个命令查看:
```
$ sudo firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client \
bgp bitcoin bitcoin-rpc ceph cfengine condor-collector \
ctdb dhcp dhcpv6 dhcpv6-client dns elasticsearch \
freeipa-ldap freeipa-ldaps ftp [...]
amanda-client amanda-k5-client bacula bacula-client \
bgp bitcoin bitcoin-rpc ceph cfengine condor-collector \
ctdb dhcp dhcpv6 dhcpv6-client dns elasticsearch \
freeipa-ldap freeipa-ldaps ftp [...]
```
如果你找到了一个自己需要的服务,可以将它添加到当前的防火墙配置中,比如说:
```
`$ sudo firewall-cmd --add-service murmur`
$ sudo firewall-cmd --add-service murmur
```
这个命令 **在你的默认区域里** 添加了指定服务所需要的所有端口和协议,不过在重启计算机或者防火墙之后就会失效。如果想让你的修改永久有效,可以使用 **\--permanent** 标志:
这个命令 **在你的默认区域里** 添加了指定服务所需要的所有端口和协议,不过在重启计算机或者防火墙之后就会失效。如果想让你的修改永久有效,可以使用 `--permanent` 标志:
```
`$ sudo firewall-cmd --add-service murmur --permanent`
$ sudo firewall-cmd --add-service murmur --permanent
```
你也可以将这个命令用于一个非默认区域:
```
`$ sudo firewall-cmd --add-service murmur --permanent --zone home`
$ sudo firewall-cmd --add-service murmur --permanent --zone home
```
#### 端口
有时候你希望允许的流量并不在 firewalld 定义的服务之中。也许你想在一个非标准的端口上运行一个常规服务,或者就是想随意开放一个端口。
有时候你希望允许的流量并不在 `firewalld` 定义的服务之中。也许你想在一个非标准的端口上运行一个常规服务,或者就是想随意开放一个端口。
举例来说,也许你正在运行开源的 [虚拟桌游][10] 软件 [MapTool][11]。由于 MapTool 服务器应该使用哪个端口这件事情并没有一个行业标准,所以你可以自行决定使用哪个端口,然后在防火墙上“开一个洞”,让它允许该端口上的流量。
实现方式和添加服务差不多:
```
`$ sudo firewall-cmd --add-port 51234/tcp`
$ sudo firewall-cmd --add-port 51234/tcp
```
这个命令 **在你的默认区域** 里将 51234 端口向 TCP 传入连接开放,不过在重启计算机或者防火墙之后就会失效。如果想让你的修改永久有效,可以使用 **\--permanent** 标志:
这个命令 **在你的默认区域** 里将 51234 端口向 TCP 传入连接开放,不过在重启计算机或者防火墙之后就会失效。如果想让你的修改永久有效,可以使用 `--permanent` 标志:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent`
$ sudo firewall-cmd --add-port 51234/tcp --permanent
```
你也可以将这个命令用于一个非默认区域:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent --zone home`
$ sudo firewall-cmd --add-port 51234/tcp --permanent --zone home
```
在路由器的防火墙上设置允许流量和在本机上设置的方式是不同的。你的路由器可能会为它的内嵌防火墙提供一个不同的配置界面(原理上是相同的),不过这就超出本文范围了。
### 移除端口和服务
如果你不再需要某项服务或者某个端口了,并且设置的时候没有使用 **\--permanent** 标志的话,那么可以通过重启防火墙来清除修改。
如果你不再需要某项服务或者某个端口了,并且设置的时候没有使用 `--permanent` 标志的话,那么可以通过重启防火墙来清除修改。
如果你已经将修改设置为永久生效了,可以使用 **\--remove-port** 或者 **\--remove-service** 标志来清除:
如果你已经将修改设置为永久生效了,可以使用 `--remove-port` 或者 `--remove-service` 标志来清除:
```
`$ sudo firewall-cmd --remove-port 51234/tcp --permanent`
$ sudo firewall-cmd --remove-port 51234/tcp --permanent
```
你可以通过在命令中指定一个区域以将端口或者服务从一个非默认区域中移除。
```
`$ sudo firewall-cmd --remove-service murmur --permanent --zone home`
$ sudo firewall-cmd --remove-service murmur --permanent --zone home
```
### 自定义区域
你可以随意使用 firewalld 默认提供的这些区域,不过也完全可以创建自己的区域。比如如果希望有一个针对游戏的特别区域,你可以创建一个,然后只有在玩儿游戏的时候切换到该区域。
你可以随意使用 `firewalld` 默认提供的这些区域,不过也完全可以创建自己的区域。比如如果希望有一个针对游戏的特别区域,你可以创建一个,然后只有在玩儿游戏的时候切换到该区域。
如果想要创建一个新的空白区域,你可以创建一个名为 **game** 的新区域,然后重新加载 firewall 规则,这样你的新区域就启用了:
如果想要创建一个新的空白区域,你可以创建一个名为 `game` 的新区域,然后重新加载防火墙规则,这样你的新区域就启用了:
```
$ sudo firewall-cmd --new-zone game --permanent
@ -242,7 +240,7 @@ via: https://opensource.com/article/19/7/make-linux-stronger-firewalls
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[chen-ni](https://github.com/chen-ni)
校对:[校对者ID](https://github.com/校对者ID)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

49
sources/news/20190630 Donald Trump Now Wants to Ban End-to-End Encryption.md
View File

@ -1,49 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Donald Trump Now Wants to Ban End-to-End Encryption)
[#]: via: (https://news.softpedia.com/news/donald-trump-now-wants-to-ban-end-to-end-encryption-526567.shtml)
[#]: author: (Bogdan Popa https://news.softpedia.com/editors/browse/bogdan-popa)
Donald Trump Now Wants to Ban End-to-End Encryption
======
**After[banning][1] and [unbanning][2] Huawei, United States President Donald Trump is now planning to go after end-to-end encryption, with a new report claiming that senior White House officials met this week to discuss the first step the administration could make in this regard.**
[Politico][3] notes, citing three people familiar with the matter, that number two officials from several key agencies discussed a potential offensive against end-to-end encryption.
“The two paths were to either put out a statement or a general position on encryption, and [say] that they would continue to work on a solution, or to ask Congress for legislation,” one source was quoted as saying by the cited publication.
While the White House administration wants to kill off end-to-end encryption in software developed by American companies, this proposal was received with mixed reactions from representatives of various agencies in the country.
For example, the DHS “is internally divided,” Politico notes, as the agency is aware of the security implications that banning end-to-end encryption could generate.
### The encryption dispute
Pushing for regulations against end-to-end encryption is described as a decisive step in the efforts of intelligence agencies and law enforcement in the United States to access devices and data belonging to criminals and terrorists.
The encryption, which the majority of American companies have already bundled into their products, including here Apple and Google, blocks investigators from accessing suspects data. Tech companies position end-to-end encryption as a key privacy feature, and several of them have warned that any regulation against it could even affect national security.
Apple, in particular, is one of the biggest companies fighting against anti-encryption regulation. The company [**refused to unlock an iPhone used by the San Bernardino terrorist**][4], explaining that breaking into the device would have compromised the security of all customers.
The FBI eventually unlocked the device using software developed by a third-party.
--------------------------------------------------------------------------------
via: https://news.softpedia.com/news/donald-trump-now-wants-to-ban-end-to-end-encryption-526567.shtml
作者:[Bogdan Popa;Jun][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://news.softpedia.com/editors/browse/bogdan-popa
[b]: https://github.com/lujun9972
[1]: https://news.softpedia.com/news/google-bans-huawei-from-using-android-google-play-gmail-other-services-526083.shtml
[2]: https://news.softpedia.com/news/breaking-donald-trump-says-huawei-can-buy-american-products-again-526564.shtml
[3]: https://www.politico.com/story/2019/06/27/trump-officials-weigh-encryption-crackdown-1385306
[4]: https://news.softpedia.com/news/judge-orders-apple-to-help-the-fbi-hack-san-bernardino-shooter-s-iphone-500517.shtml

98
sources/tech/20190712 What is Silverblue.md Normal file
View File

@ -0,0 +1,98 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (What is Silverblue?)
[#]: via: (https://fedoramagazine.org/what-is-silverblue/)
[#]: author: (Tomáš Popela https://fedoramagazine.org/author/tpopela/)
What is Silverblue?
======
![][1]
Fedora Silverblue is becoming more and more popular inside and outside the Fedora world. So based on feedback from the community, here are answers to some interesting questions about the project. If you do have any other Silverblue related questions, please leave it in the comments section and we will try to answer them in a future article.
### What is Silverblue?
Silverblue is a codename for the new generation of the desktop operating system, previously known as Atomic Workstation. The operating system is delivered in images that are created by utilizing the _[rpm-ostree][2]_ [project][2]. The main benefits of the system are speed, security, atomic updates and immutability.
### What does “Silverblue” actually mean?
“Team Silverblue” or “Silverblue” in short doesnt have any hidden meaning. It was chosen after roughly two months when the project, previously known as Atomic Workstation was rebranded. There were over 150 words or word combinations reviewed in the process. In the end _Silverblue_ was chosen because it had an available domain as well as the social network accounts. One could think of it as a new take on Fedoras blue branding, and could be used in phrases like “Go, Team Silverblue!” or “Want to join the team and improve Silverblue?”.
### What is ostree?
[OSTree or libostree is a project][3] that combines a “git-like” model for committing and downloading bootable filesystem trees, together with a layer to deploy them and manage the bootloader configuration. OSTree is used by rpm-ostree, a hybrid package/image based system that Silverblue uses. It atomically replicates a base OS and allows the user to “layer” the traditional RPM on top of the base OS if needed.
### Why use Silverblue?
Because it allows you to concentrate on your work and not on the operating system youre running. Its more robust as the updates of the system are atomic. The only thing you need to do is to restart into the new image. Also, if theres anything wrong with the currently booted image, you can easily reboot/rollback to the previous working one, if available. If it isnt, you can download and boot any other image that was generated in the past, using the _ostree_ command.
Another advantage is the possibility of an easy switch between branches (or, in an old context, Fedora releases). You can easily try the _[Rawhide][4]_ or _[updates-testing][5]_ branch and then return back to the one that contains the current stable release. Also, you should consider Silverblue if you want to try something new and unusual.
### What are the benefits of an immutable OS?
One of the main benefits is security. The base operating system is mounted as read-only, and thus cannot be modified by malicious software. The only way to alter the system is through the _rpm-ostree_ utility.
Another benefit is robustness. Its nearly impossible for a regular user to get the OS to the state when it doesnt boot or doesnt work properly after accidentally or unintentionally removing some system library. Try to think about these kind of experiences from your past, and imagine how Silverblue could help you there.
### How does one manage applications and packages in Silverblue?
For graphical user interface applications, [Flatpak][6] is recommended, if the application is available as a flatpak. Users can choose between Flatpaks from either Fedora and built from Fedora packages and in Fedora-owned infrastructure, or Flathub that currently has a wider offering. Users can install them easily through GNOME Software, which already supports Fedora Silverblue.
One of the first things users find out is there is no _dnf_ preinstalled in the OS. The main reason is that it wouldnt work on Silverblue — and part of its functionality was replaced by the _rpm-ostree_ command. Users can overlay the traditional packages by using the _rpm-ostree install PACKAGE_. But it should only be used when there is no other way. This is because when the new system images are pulled from the repository, the system image must be rebuilt every time it is altered to accommodate the layered packages, or packages that were removed from the base OS or replaced with a different version.
Fedora Silverblue comes with the default set of GUI applications that are part of the base OS. The team is working on porting them to Flatpaks so they can be distributed that way. As a benefit, the base OS will become smaller and easier to maintain and test, and users can modify their default installation more easily. If you want to look at how its done or help, take a look at the official [documentation][7].
### What is Toolbox?
[_Toolbox_][8] is a project to make containers easily consumable for regular users. It does that by using _podman_s rootless containers. _Toolbox_ lets you easily and quickly create a container with a regular Fedora installation that you can play with or develop on, separated from your OS.
### Is there any Silverblue roadmap?
Formally there isnt any, as were focusing on problems we discover during our testing and from community feedback. Were currently using Fedoras [Taiga][9] to do our planning.
### Whats the release life cycle of the Silverblue?
Its the same as regular Fedora Workstation. A new release comes every 6 months and is supported for 13 months. The team plans to release updates for the OS bi-weekly (or longer) instead of daily as they currently do. That way the updates can be more thoroughly tested by QA and community volunteers before they are sent to the rest of the users.
### What is the future of the immutable OS?
From our point of view the future of the desktop involves the immutable OS. Its safest for the user, and Android, ChromeOS, and the last macOS Catalina all use this method under the hood. For the Linux desktop there are still problems with some third party software that expects to write to the OS. HP printer drivers are a good example.
Another issue is how parts of the system are distributed and installed. Fonts are a good example. Currently in Fedora theyre distributed in RPM packages. If you want to use them, you have to overlay them and then restart to the newly created image that contains them.
### What is the future of standard Workstation?
There is a possibility that the Silverblue will replace the regular Workstation. But theres still a long way to go for Silverblue to provide the same functionality and user experience as the Workstation. In the meantime both desktop offerings will be delivered at the same time.
### How does Atomic Workstation or Fedora CoreOS relate to any of this?
Atomic Workstation was the name of the project before it was renamed to Fedora Silverblue.
Fedora CoreOS is a different, but similar project. It shares some fundamental technologies with Silverblue, such as _rpm-ostree_, _toolbox_ and others. Nevertheless, CoreOS is a more minimal, container-focused and automatically updating OS.
--------------------------------------------------------------------------------
via: https://fedoramagazine.org/what-is-silverblue/
作者:[Tomáš Popela][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://fedoramagazine.org/author/tpopela/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2019/07/what-is-fedora-silverblue-816x345.jpg
[2]: https://rpm-ostree.readthedocs.io/en/latest/
[3]: https://ostree.readthedocs.io/en/latest/
[4]: https://fedoraproject.org/wiki/Releases/Rawhide
[5]: https://fedoraproject.org/wiki/QA:Updates_Testing
[6]: https://flatpak.org/
[7]: https://docs.fedoraproject.org/en-US/flatpak/tutorial/
[8]: https://github.com/debarshiray/toolbox
[9]: https://teams.fedoraproject.org/project/silverblue/

118
sources/tech/20190713 ElectronMail - a Desktop Client for ProtonMail and Tutanota.md Normal file
View File

@ -0,0 +1,118 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (ElectronMail a Desktop Client for ProtonMail and Tutanota)
[#]: via: (https://itsfoss.com/electronmail/)
[#]: author: (John Paul https://itsfoss.com/author/john/)
ElectronMail a Desktop Client for ProtonMail and Tutanota
======
The majority of people on the internet have email accounts from big companies, such as Google, that do not respect your privacy. Thankfully, there are privacy conscience alternatives like [Tutanota][1] and [ProtonMail][2]. The problems is that not all of them have a desktop client. Today, we will look at a project that seeks to solve that problem for you. Lets take a look at ElectronMail.
Electron-ic warning!
The following app is built with Electron (the name is ElectronMail for a reason). If the use of Electron upsets you, please consider this a trigger warning.
### ElectronMail: Desktop Client for Tutanota and ProtonMail
![Electron Mail About][3]
[ElectronMail][4] is simply put an email client for ProtonMail and Tutanota. It is built using three big technologies: [Electron][5], [TypeScript][6] and [Angular][7]. It includes the following features:
* Multi accounts support per each email provider
* Encrypted local storage
* Available for Linux, Windows, macOS, and FreeBSD
* Native notifications
* System tray icon with a total number of unread messages
* Master password to protect account information
* Switchable view layouts
* Offline access to the emails
* Encrypted local storage for emails
* Batch emails export to EML files
* Full-text search
* Built-in/prepackaged web clients
* Configuring proxy per account
* Spell Checking
* Support for two-factor authentication for extra security
Currently, ElectronMail only supports Tutanota and ProtonMail. I get the feeling that they will be adding more in the future. According to the [GitHub page][4]: “Multi email providers support. ProtonMail and Tutanota at the moment.”
ElectronMail is licensed under the MIT license.
#### How to install ElectronMail
Currently, there are several options to install ElectronMail on Linux. for Arch and Arch-based distros, you can install it from the [Arch User Repository][8]. There is also a Snap available for ElectrionMail. To install it, just enter `sudo snap install electron-mail`.
For all other Linux distros, you can [download][9] a `.deb` or `.rpm` file.
![Electron Mail Inbox][10]
You can also [download][9] an `.exe` installer for Windows or a `.dmg` file for macOS. There is even a file for FreeBSD.
[][11]
Suggested read  Zettlr - Markdown Editor for Writers and Researchers
#### Removing ElectronMail
If you install ElectronMail and decide that it is not for you, there are a couple steps that the [developer][12] recommends. **Be sure to follow these steps before you uninstall the application.**
If you are using the “Keep Me Signed In” feature, click “Log out” on the menu. This will delete the locally stored master password. It is possible to delete the master password after uninstalling ElectronMail, but that would involve editing the system keychain.
You will also need to delete the settings folder manually. You can find it by clicking “Open setting folder” after selecting the applications icon in the system tray.
![Electron Mail Setting][13]
### My Thoughts on ElectronMail
I dont usually use email clients. In fact, I mostly depend on web clients. So, I dont have much use for this application.
That being said, ElectronMail has a nice feel to it and is easy to set up. It has a good number of features activated out of the box and the advanced features arent that hard to activate.
The one question I have relates to search. According to the features list, ElectronMail supports full-text search. However, the free version of Tutanota only supports a limited search. I wonder how ElectronMail handles that.
At the end of the day, ElectronMail is just an Electron wrapper for a couple of web-based emails. I would rather just have them open in my browser than dedicate separate system resources to running Electron. If you only [use Tutanota email, they have their own official Electron-based desktop client][14]. You may try that.
My biggest issue is with security. This is an unofficial app for two very secure email apps. What if there is a way to capture your login info or read through your emails? Someone who is smarter than I would have to go through the source code to know for sure. That is always the issue with unofficial apps for a security project.
[][14]
Suggested read  Secure Email Service Tutanota Has a Desktop App Now
Have you every used ElectronMail? Do you think it would be worthwhile to install ElectronMail? What is your favorite email client? Please let us know in the comments below.
If you found this article interesting, please take a minute to share it on social media, Hacker News or [Reddit][15].
--------------------------------------------------------------------------------
via: https://itsfoss.com/electronmail/
作者:[John Paul][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/john/
[b]: https://github.com/lujun9972
[1]: https://itsfoss.com/tutanota-review/
[2]: https://itsfoss.com/protonmail/
[3]: https://i0.wp.com/itsfoss.com/wp-content/uploads/2019/07/electron-mail-about.jpg?resize=800%2C500&ssl=1
[4]: https://github.com/vladimiry/ElectronMail
[5]: https://electronjs.org/
[6]: http://www.typescriptlang.org/
[7]: https://angular.io/
[8]: https://aur.archlinux.org/packages/electronmail-bin
[9]: https://github.com/vladimiry/ElectronMail/releases
[10]: https://i0.wp.com/itsfoss.com/wp-content/uploads/2019/07/electron-mail-inbox.jpg?ssl=1
[11]: https://itsfoss.com/zettlr-markdown-editor/
[12]: https://github.com/vladimiry
[13]: https://i1.wp.com/itsfoss.com/wp-content/uploads/2019/07/electron-mail-setting.jpg?ssl=1
[14]: https://itsfoss.com/tutanota-desktop/
[15]: http://reddit.com/r/linuxusersgroup