Hey, I get it. It’s really difficult these days to tell when to care and when caring will make living in the modern world too difficult.

And I will uphold your right to care about different stuff than I do.

OK, thanks.

Not really that helpful, it’s just more he said/she said.

Grapheneos is a pretty poor choice of example, it has its own issues, they have conflicts with many others (see France pullout), they have openly fought with Murena, e/os, fairphone, among others. Plus, grapheneos likes to throw shade on “less permissive licenses”, which is really weird, considering they use an MIT license, whose loose terms is abused by many not-so-great companies.

The lead of grapheneos is just as controversial as futo, gets into public spats with others, generally difficult to work with, etc.

I say this using GrapheneOS myself.

I’m not a fan of the Curtis Yarvin association, though.

The people running these companies aren’t perfect. Sometimes they aren’t ideal, either. But I’d rather use Immich than Google photos and heliboard than Swiftkey.

Is there any other info on this besides drew devault’s blog post?

I “document” everything by forcing myself to create ansible runbooks for new services and configs. I have some gaps, definitely, but the more of them I create, the easier new services are to deploy.

I’m getting errors

It would help if you shared what errors you’re getting.

Sandboxing apps is great and all, but it it’s not the entire picture of security.

Fair enough. I guess I didn’t distill my comment before writing it down.

The problem I see with op’s “Linux isn’t secure” comment (without getting all territorial about it) is that the solution touted by Qubes is already a solution in wide use in several Linux distros, meaning the compartmentalization of apps in constrained environments is already a mechanic used in flatpack, snap, even docker.

The fact that Qubes is a secure approach should be the focus, not the “our potassium is superior to all other countries” vibe from this post.

Looks great!

cbz files are not encrypted, they’re just zip files full of images with the xtension changed to “cbz”. Similarly, CBR files are the same thing, but using rar compression.

If you are referring to zip “password protection”, then I guess that’s technically valid, although why anyone would rely on such trivially-cracked security is beyond me.

This is a Qubes ad.

And that’s fine, but why Qubes insists it’s not Linux while booting the Linux kernel, running xen, using xfce as the primary desktop, and being listed on disteowatch seems like a weird marketing choice to me. Your primary audience knows what Linux is, so what is the motivation behind claiming “Qubes is not Linux”?

Ah, I see that now, thanks.

I’m responding to this:

kernel is not free it ships with blobs/proprietary crap etc

That is not true.

lol i’m sure the average joe who switches from windows to you name what linux distro does this by himself

Neither do you. And what that has to do with windows users is beyond me.

If you want gnu/herd, you’re free to install and use it. You will have no:

• MP3 playback
• use for wine (wine is Foss, but almost no windows executables are)
• practically no WiFi
• no discord
• no zoom
• no widevine
• no ms teams working properly

Drawing a hard line in the sand about FOSS is possible, but you must give up many modern conveniences.

I hope you didn’t infer from my comment that we should stop individually supporting FOSS, that’s not what I’m saying.

However, I will counter that I don’t think you are current with the overwhelmingly massive imbalance of corporate vs personal use is currently in play on big Foss projects.

Ffmpeg is used by almost everyone with a video project, but not companies want to kick in any bucks:

https://m.slashdot.org/story/448966

We saw this back in 2015 as well with NTP, which almost everyone on the internet uses, yet the one guy who worked on it had to stop doing so temporarily in 2017 and get a job to support himself:

https://www.informationweek.com/it-infrastructure/ntp-needs-money-is-a-foundation-the-answer-

Not only do corps use FOSS at a higher rate by an order of magnitude than individual users, but they also profit from it.

The kernel itself does not contain blobs, firmware or microcode. That is loaded after boot if you’ve chosen to do so.

NAS only, or storage and workload?

If you absolutely want zero closed code, you are limited to a very small pool of hardware.

The executable software isn’t difficult to run 100%, it’s the closed source drivers.

APIs. Or the ends are achieved by sharing data between apps in common data storage. But I prefer to be a tourist in my infrastructure, I no longer hand-bomb changes to systems.

My design pattern is essentially to integrate more and more of the container creation into config. Right now I’m using ansible and it’s nice. More automation means troubleshooting has fewer variables.

I had issues yesterday with a package upgrade across several containers, and it ended up being two config changes. I cycle the apps and done. That’s it.

That enables an amplification attack.

Technically, you’re right.

An amplification attack is just telling the server to respond to a different/wrong ip with the response to a query than the actual asking request. This is solved generally with DNSSEC verifying the origin and requester ips match, if not, the request is dumped.

However, if your authoritative server doesn’t have records for the request, it will simply forward it (if configured to do so) to an upstream and probably hardened server, or drop the request. Either way, it becomes not your problem.

So unless the amplification attack is asking for records your server is actually hosting and for which your server is authoritative, this isn’t a huge concern.

I’m not scrutinizing it much.

Same. I just run a Minecraft server for my kid and his friends and a static HTML blog, so I’m ok with it.

I’m fairly sure it’s a background migration task, and I have a feeling it depends on your region.

I haven’t had my instances deleted, but they do some kind of maintenance blip everyday that my monitoring sees as 3 seconds of downtime, so maybe keep that in mind.