From the article:

Samsung has informed MacRumors that the original report from The Elec is “completely incorrect” and that the “details are false.” While The Elec has pulled its report entirely, we are leaving our original article intact below for reference to ensure clarity around the situation.

It didn’t pass the sniff test when it was originally published either. The UMA is the largest contributor to the M series’ AI performance. The fact they published it at all is damning.

Can we get a bot or rule to ban this clickbait website from being posted?

Apple has been criticized for its recent naming scheme because it was the kind of complexity that Steve worked against. They clearly copied the names in a “death by committee” fashion with a total ignorance as to why they shouldn’t be copied. The recent naming scheme is clearly a mistake, and no one with a pulse on the market would say otherwise.

I’m as much of an enjoyer of macOS as anyone, but I’m not deluding myself into thinking they have any potential for gaming beyond the Sims. The hardware is more capable than ever, but the support for games is nonexistent. Apple could work with Valve to make Proton support macOS, but they don’t care to.

They probably fear that the failed Windows mobile lineup tainted the brand name for the product’s target demographic.

Call me out if I’m wrong, but my Deck is noticeably snappier after this update. TF2 is also smoother, which is weird considering the game hasn’t changed visually at all. Not even an update notice of anything major.

Incredible how OEMs keep fumbling this. Just give me a Steam Deck with prosumer performance and decent battery. Accomplish that how you want. Slap SteamOS on it then let me buy it. No, I don’t want to figure out Armor Crate or MSI launcher or whatever. I just want to play games without having to babysit the thing.

Valve can go into the negative selling Decks, something that their competitors can’t reasonably do because they will get money from Steam store sales made on the Deck. I for one went from buying 3-4 games a year to like a dozen because it’s been so convenient.

One man’s “investments” are another man’s “unfair competition”. The U.S. does the same thing with steel to prop up domestic steel companies. Try to import steel from Vietnam and they tax the hell out of it.

Haha Mint was my first distro! I wiped Windows 7 and installed Mint, then quickly learned that a tarball is in fact more work than an exe. Good times and a great learning experience! Back then it was the only thing not slow, ugly, or wildly unfamiliar.

I admire your gusto! I think it’s doable, and you can definitely pull it off if you want to. To replace MD5 and implement signatures you need to do the following, as a high level overview:

Extend dpkg to know what SHA2 is, and reliably detect it. (maybe measure hash length or specifying a new version using the control file?)

dpkg must also know what a signature is. More on that below.

Providing automatic/mandatory signing will require code to handle PKI as well as a place to store the signing information. I would do it by signing the two archives found within Deb packages, then placing information about the signing in the top-level of the package. Existing tools need to be able to ignore or handle whatever you implement as a rule of thumb.

Note that this is just my approach and maybe you can do better.

I also recommended looking into https://lists.debian.org/debian-dpkg/2001/03/msg00024.html. This is the thread I mentioned earlier, in which package signatures were discussed and ultimately turned down. Maybe the easiest approach is to re-implement what the contributor was trying to do back then, but with modern code and standards? If you want more resources, including my presentation on the topic to HackCFL and CitrusSec, let me know. I am here for whatever technical assistance or industry contacts I can provide. The white paper might be done in a month, minus peer review. I’m very busy and so is he. Good luck in any case!

To save you some effort, they do not consider it a priority to fix. Code was attempted to merge that would make package signatures the default, but it was removed because it “was a waste of cpu cycles” when “md5 and the https was just as good”. I’m not kidding, you can find the whole conversation in the Debian mailing archives. So instead I’m going to make it known how dumb it is, and encourage people to use something else.

In theory (whitepaper is still being written), if you MITM the connection to the APT mirror it’s using you can also carry out the attack over the network by injecting it into the package on the fly. Cert pinning might be a blocker, but local (LAN) package mirrors might still be valid attack targets. Enterprises often use MITM certs for things like DLP and packet inspection we might be able to leverage at least.

The use of MD5 becomes a bigger issue when paired with the lack of package signatures. You can inject code into a package and find a colliding digest absurdly fast. I and a friend from Threatlocker created a Metasploit module to use Deb packages for local privesc based on the concept. If it touches the filesystem outside of the APT cache it becomes a vector.

Did they ever make good on this plan?

RPM must accept SHA-1 hashes and DSA keys for Fedora 38, ideally with a deprecation warning that it will be disabled in F39.

And MD5 for package integrity checking, and not using per-package PKI signatures.

They chose an interesting time to switch licensing. MS introduced Garnet, and now the LF has Valkey as a direct descendent. Strange times ahead.