Linux Rises, SteamOS Dominates

This week was a heck of a time to be a Linux enthusiast. We'll talk about the major xz backdoor and how it effects the Steam Deck (spoiler alert: it doesn't). Plus, we'll drill into the numbers from the March Steam Hardware Survey, and we'll touch on a new 3DS emulator that definitely isn't Citra. All this and more today! Let's get right into the news.

EA Does it Again

Battlefield V is now broken for a significant fraction of its playerbase and it's all Electronic Art's doing. A few months back, EA issued a press release titled "EA Anticheat and Battlefield" where they straight-up lied to their community. Quote:

When we transition over to EA anticheat you won't notice anything different when logging in and playing, but this transition will enable our teams to be better equipped to find and remove players that don't play fair.

The lie? Well, for many of their players, this worthless change of anticheat solutions was noticeable. And seeing as Battlefield V is now completely unplayable on Steam Deck and for other Linux gamers, they should've known that what they were saying was completely untrue.

Yet one more reason to never buy an EA game ever again.

Steam Hardware Survey

The March Steam Hardware Survey was released this week, and the numbers are—once again—quite interesting.

But let's have a quick refresher on February's numbers. In February we saw a huge jump in the number of simplified Chinese users and that skewed the results in favor of Windows 10. Relative Linux marketshare dropped from 1.95% in January to 1.76% in February.

Flash forward to March and Linux has risen back to 1.94%. Just one hundredth of a percentage point off from where we were in January.

What's fascinating, though, is looking at the Linux numbers. Where the infusion of simplified Chinese users skew the relative numbers, Linux metrics continued their trends.

SteamOS Holo made up 42% in January and 43.5% in February and then to 44.22% in March. With Arch Linux growing from 7.6% to 8.15% in February, and then falling to 7.66% in March. And the overall Steam Deck GPU percentage starting at 42% in January, grew to 43.6% in February, and falling even further down to 34% in March.

If my estimations are correct, that puts us well over 2 million Steam Deck Units, and we can clearly see that the SteamOS is the #1 most popular gaming distro. I'd be interested to see the how distros like ChimeraOS, Bazzite, and Manjaro Gaming Edition are counted.

But let me know your thoughts on this breakdown in the comments. And while you're down there, why not like that smash button? It's the best way to tell YouTube you want to see more videos just like this. And if you're not into the whole algorithm thing, you can head over to Subscribeto.me. It's my streaming site where you can watch these videos on your own terms. You can subscribe to my channel over there through your favorite Fediverse client—Mastodon, PixelFed, and Peertube just to name a few.

And I want to thank everyone who supports this show. I wouldn't be able to run this site without you guys. So thank you! Alright, next story.

Humble Spring Screams Bundle

This week, Humble launched their Spring Screams bundle and it's got a few spicy horror experiences. You can get 8 games for just $17. Titles include Amnesia: The Bunker (Verified), My Friendly Neighborhood (Verified), The Quarry (Unsupported, ProtonDB Platinum), Ad Infinitum (Playable), Escape the Backrooms (Playable), Devour (Verified), Demonologist (Playable), and Forewarned (Unsupported, ProtonDB Gold).

The title I'm most interested in has got to be My Friendly Neighborhood, since I'm a bit of a Muppets fan and his looks like it's right up my alley.

As always, purchasing this (or any bundle) with my affiliate link below helps charity and also this channel at no additional cost to you. And if you use my links, thank you!

Lemonade

Citra is back from the dead and all is right with the universe. Last month, Nintendo declared war on Yuzu, they cast fireball and Citra took critical damage. Both Yuzu and Citra were removed from GitHub and the creator of both emulators closed up shop.

Well, Lemonade is back with a second release. It's a fork of Citra, but they won't tell you that. They're looking for a clean break so as to not get de-listed. And that's a good thing.

In this latest release, they've completed their rebrand of the emulator, they've added a performance fix for Luigi's Mansion 2, added Android-specific fixes, and upgraded to the GPL 3.0 license. I'm interested to see how Lemonade develops over time. Hopefully, they are able to further develop their emulator and differentiate it with improved performance, compatibility, and features. And hopefully, Emudeck will add support for it, soon.

Flathub

So, after someone uploaded a malicious cryptowallet to Snpacraft a few weeks ago, it seems the alternative platform Flathub has made some changes. And if you don't know what Flathub is, it's where the Discovery store on Steam Deck gets its software from by default.

Developers have been able to get their app verified on Flathub which signified the Flatpak comes directly from the project themselves. They'd get a cute little "verified" tick next to the name of the app. But now? Flathub is going a step further: their website is now prominently displaying an "⚠️ Unverified" badge next to an application's name.

At the moment, neither the verified badge, nor this new unverified one are listed anywhere in the Discover store. Hopefully, someone will implement this feature soon as it's sorely needed.

xz backdoor

So, the xz backdoor was the big news this week. I could have made a video about it and got in on all the views and media hype. But I wanted to hang back and see what information actually developed after the frenzy died down.

If you live in the Linux world, you probably have already heard about this. But for those not in the know, the short version of the story is as follows:

xz utils is a software package that enabled compression and decompression on pretty much every single Linux distribution, including SteamOS. It's used all over the place, including with SSH connections. If you don't know what SSH is, it's what enables you to securely log in to a machine remotely over a network. You can get access to a terminal or even do display server forwarding.

Well, a few years ago, someone going by the name Jia Tan went to the xz forum and started leaving negging, abusive comments towards xz's maintainer. After what seems like a coordinated attack from multiple users on the forum, Jia Tan convinced xz's maintainer to let him "help" with the project. And for years, Jia Tan made substantive, useful changes to xz. This person was in for the long con.

So years down the line, Jia Tan introduces some heavily obfuscated code hidden (in what appeared to be test files) into the codebase. This obfuscated code would essentially let anyone with Jia Tan's private key log in to any machine running the compromised code as the root user. The technical aspects of it are less interesting to me because, honestly, the social engineering is the real issue.

Jia Tan spent years building trust just to sneak his backdoor into a foundational package for Linux. He used abusive comments and (some are speculating) sock puppet accounts to coordinate a sophisticated psychological campaign against the maintainer of a free software project.

I haven't mentioned the xz maintainer's name because, honestly, he didn't do anything wrong and I don't want any hate going his way. He has reported some mental health issues and Jia Tan exploited them with negging, abuse, and manipulation.

From my perspective, it is no longer a hypothetical. This is real, concrete evidence which shows abusive comments are a real and valid security threat. And it's time that we take that threat seriously.

I've had a few somewhat panicked comments asking about this and how it effects the Steam Deck. The short answer is: it doesn't. If you're running Steam OS, you're not effected by this and as of right now, there's nothing you need to do. The version of xz running on your Deck should be version 5.4.3 and that version has no known vulnerabilities.

I'd love to hear your thoughts on this story.

00:00 Intro
00:24 EA Breaks Battlefield V
01:36 March 2024 Steam Hardware Survey
03:45 Humble Spring Screams Bundle
04:34 3DS emulation returns with Citra fork ""Lemonade
05:25 Flathub begins calling out unverified applications
06:15 How the xz backdoor effects us