cizra

@cizra@lemm.ee
0 Post – 40 Comments
Joined 11 months ago

You misspelled KeepAss.

Environments are per-process. Every program can have its own environment, so don't inject secrets where they're not needed.

I'm using bubblewrap to restrict access to FS.

Reminds me of the programs that make the kernel drop FS buffers in an attempt to free up RAM. Or hog as much memory as they can in an attempt to have unused things swapped to disk. Yeah, they free up RAM all right, but at the expense of actual speed.

Most of the time, this junk is actively harmful. Forget it, modern Linux uses optimized defaults.

You can get more performance out of your hardware by switching from heavyweight to lightweight programs - for example, instead of Skype (which uses Electron), choose some other way to chat like irssi for IRC. Instead of Gnome, choose i3 or dwm or something like that. You need a bunch of tradeoffs and learning, though, to really get the most out of your hardware.

I'm using VNC over an SSH tunnel. TigerVNC's vncviewer even has the -via parameter you can use to make creating the tunnel seamless.

There's plenty of good advice in other comments in this topic. Let me add mine too, something I haven't seen in other comments: You need to figure out your threat model, and steer your course accordingly.

Who do you trust?

  • No one? Don't use a computer. Use an airgapped computer without any internet connection. Write your own OS (but be mindful of bootstrapping issues, you'll also need to write your own compiler to protect against Thompson's hack). It's a hassle.
  • Original authors of software? Compile and install all software from source. Consider using LFS. It's a hassle.
  • Maintainers of my operating system of choice? Only install packages from official package repositories (apt in Debian, pacman in Arch, you know the drill). Eschew any others, like PPA in Ubuntu, AUR in Arch. Though package maintainers don't necessarily review any package updates, there's a chance they just might. Though package maintainers are in the position to inject backdoors during packaging, this is somewhat unlikely as packaging scripts tend to be small and easy to review.

What risky activities are you doing?

  • Running random crap software downloaded from the internet?
    • Run it in a virtual machine. It's easy to install another Linux into a VM - you could try VirtualBox or qemu or libvirt or some other one.
    • Containerize it with Docker, or run it in Firejail or Bubblewrap
      • Don't mount your home directory, or anything other important into the container. Instead, if you need to pass data, use a dedicated directory.
      • It's easy to restrict internet access to a program, when running it in Docker or Bubblewrap.
  • Running the same as root? I'm pretty sure a full virtual machine would be the only secure option to do that, and I'm 100% certain even that would be enough.
  • Running large software that probably ought to be OK, but you never know for certain? This is what I normally do:
    • Use the Flatpak version, if available. Check its permissions (e.g. with Flatseal), you might be able to tighten the screws. For example, a browser (yes, Firefox, Thunderbird, Chromium are available as Flatpaks. Even Chrome is) is plenty large enough for any number of security bugs to hide in. Or a backdoor, which might be crafted to be indistinguishable from an honest bug.
    • If there's no Flatpak version available, I Bubblewrap it.

I have a simple Bash script that restricts apps' view of my filesystem, and cuts off as much stuff as possible, while retaining the app's ability to run. Works with Wayland and console apps, optionally with Xorg apps if I set a flag. Network access requires its own flag.

I could share my Bubblewrapping script, if there's interest.

Most of modern music sounds horrible. Elevators and shopping malls would be better off silent than blasting this noisome garbage.

There are exceptions - there totally are modern composers creating quality stuff. It's just not played anywhere in public places, for some reason.

The last time I needed to boot a PC that didn't have a screen, I built a NixOS installation image with SSH access. I added a user, sudo access, and prepopulated authenticated SSH keys, something similar to https://nixos.mayflower.consulting/blog/2018/09/11/custom-images/

It was about as easy as configuring my own NixOS system.

In Linux, the locate command is crazy fast. I am amazed at how slow search is in Windows, compared to this.

Not saying my practice is the best one, but here's what I do:

  • EFI system partition is mounted on /boot
    • kernel is held here. In case of distros like NixOS etc that keep around old kernels, a small ESP might run out of space. I make mine at least 1GB.
  • the rest of the disk is one luks2 volume
  • inside the encrypted volume, there's a BTRFS volume
  • there's a subvolume for /home
  • and a subvolume for every distro I have (which is usually 1, but sometimes I tinker or switch)
  • Kernel command line parameters specify the btrfs subvol with the right distro to boot.
  • for NixOS, you need a bootloader (to choose the right kernel). Systemd-boot works well, and its configuration is easily readable. I never figured out how to work with GRUB2, its configuration is just too confusing.
  • or if you like Arch, dispense with bootloaders and just use EFISTUB. You can put kernel cmdline params into EFI bootloader options with efibootmgr.

Simple yet complete. Efficient, and extensible - for example, now that everything is a subvolume, I can easily snapshot it, then create backups with rsync off the snapshot, to avoid inconsistent state between backed-up files.
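To make the layout above concrete, here is an added example script (not the commenter's own setup, written for this page): one ESP, one LUKS2 container, a btrfs filesystem with an @home subvolume and one @distro subvolume, plus the kernel command line and the EFISTUB entry that select the subvolume. Everything device-specific is an assumption: DISK=/dev/nvme0n1, partition 1 as ESP and 2 as LUKS, the mapper name "cryptroot", subvolume names "@home"/"@arch", and a mkinitcpio "encrypt"-hook style cryptdevice= parameter. It defaults to DRY_RUN=1 and only prints the commands; run it for real only from an installer against a disk you intend to wipe.

```shell
#!/usr/bin/env bash
# Added example, not the original commenter's script. Hypothetical
# defaults: DISK, DISTRO, mapper name "cryptroot", subvolumes @home and
# @$DISTRO, mkinitcpio "encrypt" hook (cryptdevice=...). DRY_RUN=1 prints
# the commands instead of running them.
set -euo pipefail

DISK=${DISK:-/dev/nvme0n1}
DISTRO=${DISTRO:-arch}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Partition naming differs: /dev/nvme0n1p1 vs /dev/sda1.
part() { case $DISK in *[0-9]) echo "${DISK}p$1";; *) echo "${DISK}$1";; esac; }

# Kernel command line that picks one distro's subvolume: same LUKS
# container, same btrfs filesystem, different root subvolume per distro.
kernel_cmdline() {
  local luks_uuid=$1 subvol=$2
  echo "cryptdevice=UUID=${luks_uuid}:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=${subvol} rw"
}

layout() {
  run sgdisk --zap-all "$DISK"
  run sgdisk -n 1:0:+1G -t 1:ef00 -c 1:ESP "$DISK"        # 1 GB ESP: room for old kernels
  run sgdisk -n 2:0:0   -t 2:8309 -c 2:cryptroot "$DISK"   # the rest: LUKS
  run mkfs.fat -F32 "$(part 1)"
  run cryptsetup luksFormat --type luks2 "$(part 2)"
  run cryptsetup open "$(part 2)" cryptroot
  run mkfs.btrfs -L system /dev/mapper/cryptroot
  run mount /dev/mapper/cryptroot /mnt
  run btrfs subvolume create /mnt/@home
  run btrfs subvolume create "/mnt/@$DISTRO"
  run umount /mnt
  # Mount the distro subvolume as /, @home on /home, ESP on /boot.
  run mount -o "subvol=@$DISTRO,compress=zstd" /dev/mapper/cryptroot /mnt
  run mkdir -p /mnt/home /mnt/boot
  run mount -o subvol=@home,compress=zstd /dev/mapper/cryptroot /mnt/home
  run mount "$(part 1)" /mnt/boot
}

# EFISTUB boot entry (no bootloader), the Arch variant from the comment.
efistub_entry() {
  local luks_uuid=$1
  run efibootmgr --create --disk "$DISK" --part 1 --label "$DISTRO" \
      --loader '\vmlinuz-linux' \
      --unicode "$(kernel_cmdline "$luks_uuid" "@$DISTRO") initrd=\\initramfs-linux.img"
}

# Only acts when invoked as "script apply"; sourcing it does nothing.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "${1:-}" = apply ]; then
  layout
  if [ "$DRY_RUN" = 1 ]; then uuid=0000-EXAMPLE; else uuid=$(blkid -s UUID -o value "$(part 2)"); fi
  efistub_entry "$uuid"
fi
```

Adding a second distro later is just another btrfs subvolume create plus another efibootmgr entry whose rootflags=subvol= points at it; the LUKS volume and @home stay shared.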

So it'll take you 10 minutes, instead of 5, to download a DVD rip of a movie... This limitation would have next to no practical impact on being able to communicate with the free world.

I got a new screen for my ol' trusty Poco F1, from AliExpress, for 20€, and spent an hour to install it.

Why is the question about "stopping me" - there's nothing here to motivate me to get one, so by default I won't.

Play video games - Cataclysm:DDA or Dwarf Fortress (tho I stayed on the pre-Steam version as it's lighter on the CPU).

Learn a new programming language at https://exercism.org

Read a book - tons of free ones around the interwebs, legally or not, as you desire.

Install a new operating system. Try Haiku or OpenBSD. See if your phone is compatible with PostmarketOS. If not, Termux + SSH + port forwarding in your WiFi box, set up a webserver and publish something. Host a Gemini pod.

Learn a craft. Repair something that another person would toss. Start a sourdough culture - it takes a week to mature (read up on how to do this right), then bake a bread. Homemade bread is approx 16× tastier than run-of-the-mill commercial stuff.

Take a walk somewhere you haven't walked before. Find the nearest forest lake and arrange a picnic. Take someone with you on the 2nd trip.

Yes, basically, except for the fractional amount of kids. Got my MSc for free (actually I got paid tuition to study, heh (living in Europe has its perks)). Now working in software engineering, happy with my life.

That said, I realize I'm an outlier, having many acquaintances with substantially harder lives. I'm deeply grateful to fate.

I can't be sure it'll last, though, so I'm trying to branch out into gardening now (while I have the money to spare for it). See if I can get a livable amount of veggies out of my farmland, some day. It won't be enough to sell, but perhaps our family could earn subsistence level of calories out of our land...

Here's a couple of pointers to get started:

  1. The Arch Linux Wiki is full of excellent information. It's not for beginners, though.
  2. Run top in your terminal to see what's taking CPU.
  3. Run top -o RES (or what's easier, run top and then press M while it's running) to see what is taking up RAM.

... though unfortunately, it's mighty probable that the only significant consumer of memory and CPU is your browser. Get uBlock Origin, it helps web pages be lighter and eat less resources. Don't open too many tabs at once - learn to use bookmarks efficiently, instead (folders, bookmarks toolbar and whatnot).

I saw a website once that taught me how to cross one eye. Now I'm teaching kids how to freak out their parents and teachers with this.

I wrote a Bash script that uses rsync to copy data elsewhere.

It gets launched by a systemd timer, but cron would also work. At first it creates a btrfs snapshot of source, for consistency's sake.

Then it copies stuff. It's incremental, i.e. unchanged files get hardlinked, not copied (--link-dest against the latest symlink) into date-specific directories that present the full view of the filesystem.

Finally, it cleans up the source snapshot and rewrites the latest symlink to point to the freshly made copy, if successful.

I could share my script, if there's interest, tho it might look a bit messy. Oh, and these rdiff-whatchamacallits probably do the same thing in a more professional manner. I wrote mine to learn rsync.
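Since the commenter's script isn't posted, here is an added example (written for this page, not the commenter's code) of the same scheme: optional read-only btrfs snapshot of the source, rsync with --link-dest against the previous run so unchanged files become hardlinks, a ".partial" directory that is renamed only on success, and a "latest" symlink updated at the end. Assumptions: SRC and DEST are local paths, the snapshot (taken only if SRC is a btrfs subvolume and the btrfs tool exists) lives in SRC/.snapshots and is excluded from the copy, and the run-directory name is a timestamp.

```shell
#!/usr/bin/env bash
# Added example, not the original commenter's script. Assumptions: local
# SRC/DEST paths, snapshot in $SRC/.snapshots (btrfs only, skipped
# otherwise), run directory named by timestamp unless given as $3.
set -eo pipefail

run_name() { date +%Y-%m-%dT%H%M%S; }

# backup SRC DEST [NAME] -> prints the finished run directory
backup() {
  local src=$1 dest=$2 name=${3:-$(run_name)}
  local from=$src snap=""
  # Consistency: copy from a read-only snapshot when SRC is a btrfs subvolume.
  if command -v btrfs >/dev/null 2>&1 && btrfs subvolume show "$src" >/dev/null 2>&1; then
    mkdir -p "$src/.snapshots"
    snap=$src/.snapshots/$name
    btrfs subvolume snapshot -r "$src" "$snap" >/dev/null
    from=$snap
  fi
  mkdir -p "$dest"
  local target=$dest/$name.partial
  local -a link=()
  # Unchanged files are hardlinked against the previous run instead of copied.
  [ -d "$dest/latest" ] && link=(--link-dest="$dest/latest")
  # Trailing slashes: copy the contents of $from, not the directory itself.
  rsync -a --delete --exclude=/.snapshots "${link[@]}" "$from/" "$target/"
  # A crashed run leaves NAME.partial behind, never a half-complete NAME.
  mv "$target" "$dest/$name"
  ln -sfn "$name" "$dest/latest"      # relative link: survives moving $dest
  [ -n "$snap" ] && btrfs subvolume delete "$snap" >/dev/null
  echo "$dest/$name"
}

if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 2 ]; then
  backup "$@"
fi
```

Each run directory is a full tree you can browse or restore from with plain cp; deleting an old run never breaks a newer one, because hardlinks keep the data alive until the last reference goes.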

Dwarf Fortress and Cataclysm: DDA generate some crazy plotlines, full of narrative, twists, and character development. How come no writer has converted a character's story into a novel, yet?

Windows has a pre-built index as well (or at least it has a search indexer service that enjoys as warm a CPU as possible). That doesn't appear to improve the speed of search, though.

Trying to decide between The Elder Scrolls: Morrowind (OpenMW), Cataclysm: Dark Days Ahead, doomscrolling in Lemmy, or doing some work instead. So far, work has been winning, but I'm not sure of continued success.

Indeed, Flatpak is its own repo. It might be more, or it might be less up to date than your favorite distro. Debian, for instance, was once notorious for packaging ancient versions (tho this has improved lately).

The saving grace of Flatpak is that it's still better isolated.

If native Chrome decides to start emitting your crypto wallet's privkeys as a part of its push for Better Customer Experience and More Precisely Targeted Ads, you won't even know or notice it. This is technically very easy to do. It might make itself hard to dislodge by injecting itself into ~/.bashrc or the desktop environment's startup system, or Systemd services.

If Flatpakked Chrome starts misbehaving, it might mine crypto on your CPU (wasting your electricity), or rent out all your disk space, or turn your PC into a node in a botnet, but it won't have access to read or write anything other than your ~/Downloads. It's also easy to uninstall, as it hasn't had a chance to spread its seed.

Sorry for the long rant... What was the original question again? Outdated dependencies? Not an expert, but I hear the whole reason AppImage, Snap, FlatPak, Yarn locks and Go language was invented was to make it easier to have outdated dependencies. You never know what's available in $Distribution, you depend on goodwill of maintainers of $Distribution to package your app and all deps. In AUR you can find older versions of Lua libs (lua51-filesystem) which someone had to add to make Mudlet run - Mudlet didn't see fit to upgrade to the latest Lua.

While it is indeed somewhat true that a library (that many apps depend on) can be patched to fix a security issue, and apps won't need to be rebuilt, it only works if the lib was a sufficiently recent version. And if the distro maintainer is more diligent than the Flatpak maintainer. Otherwise, the authors of said lib are going to ask you to upgrade to a supported version where that bug has already been fixed, defenestrating the whole argument-in-favor. This completely breaks down in NixOS, too, where your package would get rebuilt from source as inputs changed.

::: spoiler My guess
Fallout 2
:::

Here it comes: https://paste.ee/p/voTFI

Note that I'm no Bash expert, and you'll undoubtedly find ways to improve or fix it. Usage:

  • Run stuff in a sandbox: isolate bash - then verify that your access to the filesystem is restricted
  • Enable Xorg for apps that need it: X=1 isolate mindustry
    • Wayland, which naturally isolates apps from each other, is enabled by default.
  • Enable network for apps that need it: NET=1 isolate curl https://ip6.me/api/
  • Enter the sandbox to mess around with it manually: NAME=mindustry isolate bash
    • Note that it doesn't catch Ctrl-C. Ctrl-C kills the isolated Bash.
  • Populate data (installers and whatnot): NAME=mygame isolate ls; cp installer.sh ~/.local/share/bubblewrap/mygame/; NAME=mygame isolate bash
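The paste link may not outlive this page, so here is an added example of a Bubblewrap wrapper with the same interface (NAME, X=1, NET=1; per-sandbox home under ~/.local/share/bubblewrap/NAME). It is written for this page and is not the commenter's script; the exact set of binds is my own choice. It assumes bwrap is installed, a Wayland session exposes WAYLAND_DISPLAY and XDG_RUNTIME_DIR, and X11 is reachable through /tmp/.X11-unix plus XAUTHORITY. The policy is built by a function that prints the argument list, so you can inspect what a sandbox will get before running anything.

```shell
#!/usr/bin/env bash
# Added example, not the original commenter's script. Assumptions: bwrap
# installed; sandbox home under ~/.local/share/bubblewrap/$NAME; NET=1
# and X=1 opt in to network and X11. Default: no network, no X11, no
# view of the real home, fresh /tmp and /run.
set -euo pipefail

# Print the bwrap options for sandbox $1, one per line.
isolate_args() {
  local name=$1
  local home_dir=${XDG_DATA_HOME:-$HOME/.local/share}/bubblewrap/$name
  local -a args=(
    --unshare-all                 # user, pid, net, ipc, uts, cgroup namespaces
    --die-with-parent
    --new-session                 # no TIOCSTI injection into the real terminal
    --ro-bind /usr /usr
    --ro-bind /etc /etc           # world-readable config only; shadow stays root-only
    --symlink usr/bin /bin
    --symlink usr/lib /lib
    --symlink usr/lib64 /lib64
    --symlink usr/sbin /sbin
    --dev /dev
    --proc /proc
    --tmpfs /tmp
    --tmpfs /run
    --bind "$home_dir" "$HOME"    # private home mounted where the app expects ~
    --chdir "$HOME"
    --setenv HOME "$HOME"
    --hostname "$name"
  )
  # Wayland by default: only the compositor socket, not all of XDG_RUNTIME_DIR.
  if [ -n "${WAYLAND_DISPLAY:-}" ] && [ -n "${XDG_RUNTIME_DIR:-}" ]; then
    args+=(--dir "$XDG_RUNTIME_DIR" --setenv XDG_RUNTIME_DIR "$XDG_RUNTIME_DIR"
           --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY")
  fi
  # X=1: X11 clients can snoop each other, so this is opt-in.
  if [ "${X:-0}" = 1 ]; then
    args+=(--ro-bind /tmp/.X11-unix /tmp/.X11-unix --setenv DISPLAY "${DISPLAY:-:0}")
    if [ -n "${XAUTHORITY:-}" ]; then
      args+=(--ro-bind "$XAUTHORITY" "$XAUTHORITY" --setenv XAUTHORITY "$XAUTHORITY")
    fi
  fi
  # NET=1: give the network namespace back, plus resolver state under /run.
  if [ "${NET:-0}" = 1 ]; then
    args+=(--share-net --ro-bind-try /run/systemd/resolve /run/systemd/resolve)
  fi
  printf '%s\n' "${args[@]}"
}

# isolate CMD [ARGS...]; NAME defaults to the command name.
isolate() {
  local name=${NAME:-$(basename "$1")}
  local home_dir=${XDG_DATA_HOME:-$HOME/.local/share}/bubblewrap/$name
  mkdir -p "$home_dir"
  local -a args
  mapfile -t args < <(isolate_args "$name")
  exec bwrap "${args[@]}" -- "$@"
}

# Runs only when executed with a command; sourcing or a bare run does nothing.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -gt 0 ]; then
  isolate "$@"
fi
```

A quick check from inside (isolate bash, then ls / and ls ~) should show an empty home and no /home, /root, /media or /mnt; with NET unset, curl should fail to resolve anything. Ctrl-C behaves as the comment describes, because --new-session puts the sandbox in its own session.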

I'm running my own mail server at home. It wasn't all that difficult to set up, using SNM.

The biggest hassle happens when my home IP changes (that's when my router dies for longer than the DHCP lease time), and I have to re-allowlist my home IP in Office365 and whatever the other one was. I get an automated response to the 1st email I send, with instructions how to unblock my IP.

The harvest finally started trickling in, so we had homegrown boiled potatoes, homegrown half-squash "boats" filled with homegrown tomatoes and definitely-not-homegrown parmesan. Homegrown tomato and cucumber salad too.

Which reminds me than I should launch a new batch of sourdough if I want homebaked wholemeal sourdough rye "black" bread (in fact it's grayish brown). There's nothing tastier than fresh rye bread.

A bit late to the party, but I took my kids out for a bicycle ride (into the nearest bog, so we walked part of the way). The bits where the ground was still covered with ice were the most fun.

When they got home, they were so hungry that they actually consented to eating soup!

By the way, it's totally possible to ride on level ice, if careful, but some trails have this compacted ridge in the middle which makes them convex.

I tried to run some software on my router. It kind of works, if it fits. Storage was the limiting factor. There's an option to expand the FS to include a USB stick, but somehow it made something overheat, and the router froze every now and then.

Oh, I totally agree my solution is not "proper" - it's a homebrewn solution, full of duct tape and shoestrings. That said, it does everything I need to do. Which features of "proper programs" would you be missing? Perhaps I could add them for my own use.

Did you look into what takes up the most memory? You could downgrade from the modern browser with 500 tabs to netsurf with 500 bookmarks, perhaps, or similar. Many modern websites don't work there, though.

Instead of Gnome, I'm using Sway, at the moment it's taking up 236MB resident.

Do you need that mail client to run 24x7? It's better for mental health to check mail when you decide (once in the morning), not when some rando wants to sell you cannabis oil (best cure for any ailment!) - or you might find something tiny that checks for email and shows a desktop notification, so you know to launch your mail client.

Alacritty likes to munch memory, Foot takes up much less, but Foot doesn't render some colors correctly, for whatever reason.

Shop around, there are more options than just changing the Matrix client.

Dude, Arabic script is "just squiggly lines". They encode information into random-looking squiggles. Wild.

https://upload.wikimedia.org/wikipedia/commons/6/6b/Wikipedia_in_Arabic_script_languages_in_KACST_Office.svg

Heh heh.

My boss insisted that I come in for our 1:1s. 20 minutes later, I'm joining the standup remotely from home. He was like whoa man. I politely explained that I'm working where I can be most productive.

I'm running my email server on a POCO F1 ex-Android phone (running PostmarketOS now).

I wish I could get NixOS running on it, then I'd move other things also there.

👋 There are so many things to do for free.

Take a walk in nature, if it's in walking distance - or cycling, if you have a bicycle. If you don't, can you find a beaten-up old bike somewhere (local recycling station?) and fix it? Internet is full of instructions on fixing bikes. Get Duolingo and start learning a foreign language. Install a new operating system (Linux runs on Mac hardware too. If you're on Linux already, check out some flavor of BSD). Learn some coding, or a new programming language. Take some online course on Coursera or such. Call your mom on phone and ask about something old-fashioned she's good at (how to make sauerkraut, or such), then try it out. Take up gardening. Repair something - take a stock of tools available and be creative. Install LineageOS on your phone, if supported. Music is free on YouTube and adblockers are free too - find a new music genre - if you can sing, imagine how difficult it must be to sing Magnificat by Arvo Pärt cleanly, in tune. Find an old Android phone, install Termux or Nix-on-droid and set it up as a free, low-power-consumption webserver with a built-in UPS. Listen to Orff's Catulli Carmina and read lyrics+translation in parallel (hoo boy, these Latins were a wild folk). Take up woodworking, if you have scrap lumber - build a bird feeder out of scrap boards, perhaps a shipping pallet or such - again, basic tools cost a couple of lunches, and if that's out of reach - there actually exist people who practise flintknapping, and you can find instructional videos online. Take apart the siphon below your sink and clean it so water would drain faster. Read a book on https://gutenberg.org - they're all free and legal. Or find where z-lib has hidden itself, books over there are free too, though less legal. Start growing sourdough culture - it'll take a week or so until it's ready for baking.

Hoo boy, I wish I had time for everything that's interesting to me.

Interesting, could you please elaborate?

  1. What exactly is this "built-in sandbox", and what does it protect against? How does it compare with Flatpak disallowing access to the filesystem?
  2. Could we get a source for the claim of sandbox being crippled? Or more details? Documentation? Build scripts?

I had a look at flatpaks I have installed:

  • Firefox (org.mozilla.firefox): no access to ~
  • Thunderbird (org.mozilla.Thunderbird): no access to ~
  • Element (im.riot.Riot): no access to ~
  • Beyond All Reason (info.beyondallreason.bar): no access to ~
  • Steam (com.valvesoftware.Steam): no access to ~, and (best of all) Steam runs a ton of untrusted code in games, which will inherit this restriction.
  • Wolfenstein: Blade of Agony (com.realm667.Wolfenstein_Blade_of_Agony): no access to ~
  • Chromium (com.github.Eloston.UngoogledChromium): allows access to ~ by default. It's one click to disable, or I could shop around for another one, like org.chromium.Chromium.
  • OpenTTD (org.openttd.OpenTTD): allows access to ~

Thus, yeah, some apps neglect to restrict ~, thankfully it's easy to fix. It's not a disadvantage, though, it's a lack of advantage.
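The check above can be scripted instead of clicking through Flatseal. Here is an added example (written for this page, not the commenter's or Flatpak's code) that reads the [Context] filesystems= line printed by flatpak info --show-permissions and flags every app whose static permissions reach the home directory (home, host, ~ paths, /home paths, with or without :ro). It assumes the documented token names; the sample metadata in the test is constructed, not taken from a real install. Read-only access is counted as exposed on purpose, since reading ~/.ssh or a browser profile is already the problem.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Assumptions: Flatpak's
# documented filesystem tokens (home, host, host-os, host-etc, xdg-*,
# ~/path, /abs/path, optional :ro/:rw/:create, leading "!" = negated).
set -eo pipefail

# Read keyfile metadata on stdin; print the [Context] filesystems= value.
context_filesystems() {
  awk -F= '/^\[/{s=$1} s=="[Context]" && $1=="filesystems"{print substr($0, index($0,"=")+1)}'
}

# exposes_home 'a;b;c;' -> exit 0 if any token reaches the home directory.
exposes_home() {
  local fs=$1 tok base
  local -a toks=()
  IFS=';' read -ra toks <<< "$fs"
  for tok in "${toks[@]}"; do
    [ -z "$tok" ] && continue
    case $tok in '!'*) continue;; esac            # negated entries grant nothing
    base=${tok%%:*}                                 # drop :ro / :rw / :create
    case $base in
      home|host|'~'|'~/'*) return 0;;               # whole home, or a path in it
      /home/*|"${HOME:-/nonexistent}"|"${HOME:-/nonexistent}/"*) return 0;;
    esac
  done
  return 1
}

# audit_app APP_ID -> "APP_ID OPEN <tokens>" or "APP_ID ok"
audit_app() {
  local app=$1 fs
  fs=$(flatpak info --show-permissions "$app" | context_filesystems)
  if exposes_home "$fs"; then echo "$app OPEN $fs"; else echo "$app ok"; fi
}

audit_all() {
  flatpak list --app --columns=application | while read -r app; do audit_app "$app"; done
}

if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "${1:-}" = audit ]; then audit_all; fi
```

For an app reported OPEN, flatpak override --user --nofilesystem=home APP_ID (and --nofilesystem=host if that is what was granted) removes the access without touching the app; xdg-download style tokens survive, so the ~/Downloads-only case from the Chrome comment still works. Note that per-user overrides are not shown by flatpak info, so run flatpak override --user --show APP_ID as well before trusting an OPEN result.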

The ocean is not only very heavy, it's also very long (tall, viewed sideways from POV of the Moon). This means the bits near the moon are more affected by gravity, pulled harder.

There's so much fun to be had with this effect. When the moon is overhead, you're stretched out an unmeasurably tiny bit, for example. It also causes tall objects to orient themselves perpendicular to moon (one end is lighter, the other end is heavier. Just like a weighted stick floats upright in water).

Oh, and then there's the fact that your head (which could be seen as kinda momentarily orbiting the moon, with orbital period of once a month) has a higher orbital velocity than your feet, thus your head is constantly dragged sideways, and lying down helps alleviate this effect (only your nose is now pulled off your face, not your whole head). This is the reason why it's easier to fall asleep when lying down.

Having an unauthenticated relay imposes the responsibility to configure it correctly (the "only certain addresses" part) and protect it (the "accessible outside the local network" bit). Are you sure it's not accessible? Did you remember to test with IPv6 too? Will it remain protected after the next time you mess around with your firewall for some totally unrelated reason?

If it works - good for you, but be mindful of all the baggage that comes with a new service.

You're trading one security issue (proliferation of app passwords) for another one (an unauthenticated relay). Is it worth it?

In general, I support your stance. The devil is in the details, though, so to speak. You can only get so much evidence first-hand, and need to believe others about the rest. How do you distinguish fraudsters from honest but mistaken people from people knowing the truth?

Fundamental logic skills also imply that atheism is a belief "God doesn't exist!"

As an upgrade, try agnosticism: "Do we have good evidence that God exists?" So far, the only argument in favor of atheism I know of is the Occam's Razor (those manifestations of God could also be explained in other, possibly simpler ways).
