cizra

@cizra@lemm.ee
0 Posts – 90 Comments
Joined 1 year ago

Environments are per-process. Every program can have its own environment, so don't inject secrets where they're not needed.

I'm using bubblewrap to restrict access to FS.


Reminds me of the programs that make the kernel drop FS buffers in an attempt to free up RAM. Or hog as much memory as they can in an attempt to have unused things swapped to disk. Yeah, they free up RAM all right, but at the expense of actual speed.

Most of the time, this junk is actively harmful. Forget it, modern Linux uses optimized defaults.

You can get more performance out of your hardware by switching from heavyweight to lightweight programs - for example, instead of Skype (which uses Electron), choose some other way to chat like irssi for IRC. Instead of Gnome, choose i3 or dwm or something like that. You need a bunch of tradeoffs and learning, though, to really get the most out of your hardware.


I'm using VNC over an SSH tunnel. TigerVNC's vncviewer even has the -via parameter you can use to make creating the tunnel seamless.

There's plenty of good advice in other comments in this topic. Let me add mine too, something I haven't seen in other comments: You need to figure out your threat model, and steer your course accordingly.

Who do you trust?

  • No one? Don't use a computer. Use an airgapped computer without any internet connection. Write your own OS (but be mindful of bootstrapping issues, you'll also need to write your own compiler to protect against Thompson's hack). It's a hassle.
  • Original authors of software? Compile and install all software from source. Consider using LFS. It's a hassle.
  • Maintainers of my operating system of choice? Only install packages from official package repositories (apt in Debian, pacman in Arch, you know the drill). Eschew any others, like PPA in Ubuntu, AUR in Arch. Though package maintainers don't necessarily review any package updates, there's a chance they just might. Though package maintainers are in the position to inject backdoors during packaging, this is somewhat unlikely as packaging scripts tend to be small and easy to review.

What risky activities are you doing?

  • Running random crap software downloaded from the internet?
    • Run it in a virtual machine. It's easy to install another Linux into a VM - you could try VirtualBox or qemu or libvirt or some other one.
    • Containerize it with Docker, or run it in Firejail or Bubblewrap
      • Don't mount your home directory, or anything other important into the container. Instead, if you need to pass data, use a dedicated directory.
      • It's easy to restrict internet access to a program, when running it in Docker or Bubblewrap.
  • Running the same as root? I'm pretty sure a full virtual machine would be the only secure option to do that, and I'm 100% certain even that would be enough.
  • Running large software that probably ought to be OK, but you never know for certain? This is what I normally do:
    • Use the Flatpak version, if available. Check its permissions (e.g. with Flatseal), you might be able to tighten the screws. For example, a browser (yes, Firefox, Thunderbird, Chromium are available as Flatpaks. Even Chrome is) is plenty large enough for any number of security bugs to hide in. Or a backdoor, which might be crafted to be indistinguishable from an honest bug.
    • If there's no Flatpak version available, I Bubblewrap it.

I have a simple Bash script that restricts apps' view of my filesystem, and cuts off as much stuff as possible, while retaining the app's ability to run. Works with Wayland and console apps, optionally with Xorg apps if I set a flag. Network access requires its own flag.

I could share my Bubblewrapping script, if there's interest.
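The commenter's script is not on this page. What such a launcher typically looks like, as an added example written for this page (not the commenter's own code): a POSIX shell function that gives the program a read-only view of the OS, an empty tmpfs in place of the home directory with a single writable directory bound into it, the Wayland socket passed through, and no network unless a flag says otherwise. The knob names (SANDBOX_NET, SANDBOX_X11, SANDBOX_DIR, SANDBOX_DRY_RUN) are assumptions chosen for this example; the bwrap options themselves are real ones.

```shell
#!/bin/sh
# Added example, not the commenter's script: a minimal bubblewrap (bwrap)
# launcher in the spirit described above. Defaults: read-only OS, an empty
# tmpfs in place of $HOME with one writable directory bound into it, Wayland
# socket passed through, no network. Knobs (hypothetical names chosen here):
#   SANDBOX_NET=1      keep the host network (default: unshared)
#   SANDBOX_X11=1      also expose the X11 socket directory and xauth cookie
#   SANDBOX_DIR=path   the one directory the app may write (default: ./sandbox)
#   SANDBOX_DRY_RUN=1  print the bwrap command line instead of running it
set -eu

sandbox() {
    home="${HOME:-/tmp/home}"
    rtdir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    wl="$rtdir/${WAYLAND_DISPLAY:-wayland-0}"
    xauth="${XAUTHORITY:-$home/.Xauthority}"
    box="${SANDBOX_DIR:-$PWD/sandbox}"

    # "$@" currently holds the program to run. bwrap options are prepended in
    # reverse order, so the optional ones end up *after* the base set: bwrap
    # applies mount operations in command-line order, and /tmp below must be
    # mounted before anything is bound underneath it.
    set -- -- "$@"
    if [ "${SANDBOX_X11:-0}" = 1 ]; then
        set -- --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix \
               --ro-bind-try "$xauth" "$xauth" "$@"
    fi
    if [ "${SANDBOX_NET:-0}" = 1 ]; then
        set -- --share-net "$@"          # undoes the network part of --unshare-all
    fi
    set -- \
        --ro-bind /usr /usr --ro-bind /etc /etc \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
        --dev /dev --proc /proc --tmpfs /tmp \
        --tmpfs "$home" --bind "$box" "$home/sandbox" \
        --ro-bind-try "$wl" "$wl" \
        --unshare-all --die-with-parent --new-session \
        --setenv HOME "$home" --unsetenv SSH_AUTH_SOCK \
        "$@"

    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' bwrap "$@"         # one argument per line, for inspection
    else
        mkdir -p "$box"
        exec bwrap "$@"
    fi
}

# Usage: SANDBOX_NET=1 ./sandbox.sh firefox
if [ "$#" -gt 0 ]; then
    sandbox "$@"
fi
```

`--unshare-all` creates fresh namespaces (including a network namespace with only loopback), which is why network access is opt-in via `--share-net`; `--new-session` detaches the program from the controlling terminal so it cannot inject keystrokes into the parent shell, and `--die-with-parent` makes sure nothing outlives the launcher. Run with `SANDBOX_DRY_RUN=1` first to see the exact command line before trusting it with a real program.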


BZ2-ing up a terabyte of zeroes (back when a TB was more than people commonly had), then zipping that file up together with another file, to bypass virus scanners in emails that prevent emailing .exe files.

I've also seen a self-referential .zip file somewhere that contains itself.

Most of modern music sounds horrible. Elevators and shopping malls would be better off silent than blasting this noisome garbage.

There are exceptions - there totally are modern composers creating quality stuff. It's just not played anywhere in public places, for some reason.

Nix flakes, me.

My robot vacuum doesn't do WiFi, so unless it has an expensive GSM modem, it can't send anything.

OTOH, it just sweeps floors, and lacks built-in voice assistant, freemium subscription with a paid option to also sweep the hallway, smart speaker mode, companion/pet mode, built-in games, or all the rest that the modern equivalent of a broom ought to be capable of...


Mounting a Samba share and moving my LVM pvolumes of / onto a losetup'ed file on it, while running the system. Bass ackwards.


There are bacteria everywhere, indeed. Inside canned food, there are dead corpses of bacteria only, thankfully.

Hypothetically, if you sterilized your mouth somehow to ideal cleanliness, it'd get contaminated next time you inhale unsterilized air.

Let's give a moment of appreciation to our immune systems. Otherwise, we'd be like https://en.m.wikipedia.org/wiki/Severe_combined_immunodeficiency


Declarative system configuration is the killer feature of NixOS. Atomic rollbacks too. Versioning the whole mess in Git, too.

In Linux, the locate command is crazy fast. I am amazed at how slow search is in Windows, compared to this.


I started running my own Gitea instance because I wanted a private place to host my Obsidian notes.

I don't have the time to read the article now, but permit a question: what do you use Gitea for?

I'm holding my dotfiles on a SSH server, clone/push over SSH, and it's enough to do Git. I don't need a ticket system, or wiki or anything (I use plaintext notes).

$ cat ~/.ssh/config
Host srv
  Hostname srv.mywhatever.com

$ git clone srv:/path/to/repo
$ cd repo
$ git push

The last time I needed to boot a PC that didn't have a screen, I built a NixOS installation image with SSH access. I added a user, sudo access, and prepopulated authenticated SSH keys, something similar to https://nixos.mayflower.consulting/blog/2018/09/11/custom-images/

It was about as easy as configuring my own NixOS system.

I migrated from XMonad to Sway, it checks all my requirements. I don't miss the Turing-complete configurability.

Not saying my practice is the best one, but here's what I do:

  • EFI system partition is mounted on /boot
    • kernel is held here. In the case of distros like NixOS etc. that keep around old kernels, a small ESP might run out of space. I make mine at least 1GB.
  • the rest of the disk is one luks2 volume
  • inside the encrypted volume, there's a BTRFS volume
  • there's a subvolume for /home
  • and a subvolume for every distro I have (which is usually 1, but sometimes I tinker or switch)
  • Kernel command line parameters specify the btrfs subvol with the right distro to boot.
  • for NixOS, you need a bootloader (to choose the right kernel). Systemd-boot works well, and its configuration is easily readable. I never figured out how to work with GRUB2, its configuration is just too confusing.
  • or if you like Arch, dispense with bootloaders and just use EFISTUB. You can put kernel cmdline params into EFI bootloader options with efibootmgr.

Simple yet complete. Efficient, and extensible - for example, now that everything is a subvolume, I can easily snapshot it, then create backups with rsync off the snapshot, to avoid inconsistent state between backed-up files.

  1. Log into the Windows machine via the webclient available at https://windows365.microsoft.com/
  2. Use PuTTY to set up a reverse tunnel. You'll need to create a restricted tunnel-only user in your machine. Make sure to use key auth.
  3. From your local machine, connect to localhost:portnumber.

As an alternative, you might be able to set up OpenSSH in Windows (yes it's possible), then use the ProxyJump setting in your local ~/.ssh/config to connect via a tunnel to the final box.

Here's how you configure the server to not let the user wreak too much havoc:

Match User restricted
        PermitOpen 127.0.0.1:3389 [::1]:3389
        X11Forwarding no
        AllowAgentForwarding no
        ForceCommand /bin/sh -c 'while sleep 999; do true; done'
        ClientAliveInterval 1
        ClientAliveCountMax 2
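A way to check a server for this kind of containment, as an added example that is not part of the comment above: a POSIX shell audit that pulls the Match block for a given user out of an sshd_config and lists the containment directives it lacks. Besides the directives in the block above, the checklist also looks for PermitListen, which is the directive that limits the ports a client may bind with a reverse (-R) tunnel; PermitOpen only limits outbound (-L) forwarding. The checklist itself and the sample config are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the comment above: audit the `Match User <name>`
# block of an sshd_config for the directives that keep a tunnel-only account
# boxed in. Reads the config on stdin and prints each missing directive on its
# own line, so empty output means "nothing missing".
set -eu

# Checklist used by this example (an assumption of the example, not an OpenSSH
# requirement). PermitListen limits the ports a client may bind with a reverse
# (-R) tunnel; PermitOpen only limits outbound (-L) forwarding.
REQUIRED="PermitOpen PermitListen X11Forwarding AllowAgentForwarding ForceCommand"

# Print the lines inside the Match block for user $1. Keywords are compared
# case-insensitively, as sshd does; the block ends at the next Match line.
match_block() {
    awk -v user="$1" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
        inblock { print }
    '
}

# Print every directive from REQUIRED that does not occur in the block on stdin.
missing_directives() {
    block=$(cat)
    for d in $REQUIRED; do
        printf '%s\n' "$block" \
            | awk -v d="$d" 'tolower($1) == tolower(d) { found = 1 } END { exit !found }' \
            || printf '%s\n' "$d"
    done
}

# audit_user NAME < sshd_config
audit_user() {
    match_block "$1" | missing_directives
}

# Constructed sample: the block from the comment above plus a second Match
# block, to show that parsing stops where the next block begins.
SAMPLE_CONFIG='Match User restricted
        PermitOpen 127.0.0.1:3389 [::1]:3389
        X11Forwarding no
        AllowAgentForwarding no
        ForceCommand /bin/sh -c '\''while sleep 999; do true; done'\''
        ClientAliveInterval 1
        ClientAliveCountMax 2
Match Address 10.0.0.0/8
        X11Forwarding yes'

if [ "$#" -gt 0 ]; then
    audit_user "$1"                      # e.g. ./audit.sh restricted < /etc/ssh/sshd_config
else
    printf '%s\n' "$SAMPLE_CONFIG" | audit_user restricted
fi
```

Run without arguments it audits the embedded sample and reports `PermitListen` as the one directive the block above does not set; with a user name as the argument it reads a real sshd_config from stdin. The parser deliberately mirrors only the part of sshd's Match semantics that matters here (a block runs until the next Match line), so a `Match all` line or a second block for the same user is handled, but conditions combining several criteria on one Match line are not.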

Jelqing, for example

i3, or Sway if you're on Wayland, just gets out of your way.

Have a virtual desktop for each use case, memorize where your apps are, and enjoy muscle-memory-based window management. Mod4+1 brings me to terminal, 2 is browser, 3 is work stuff, 4 is personal chat, 5 is email... Every app is fullscreen, for maximum screen real estate. Nothing annoys by blinking when I'm trying to concentrate on something else.

Fun fact: mentioning etc ssh sshd_config triggers some CloudFlare security warning that prevents me from posting it under the right name.

What's the Slackware way of managing package dependencies, then?


So it'll take you 10 minutes, instead of 5, to download a DVD rip of a movie... This limitation would have next to no practical impact on being able to communicate with the free world.


Once I, a very sleepy adult human, happened to accidentally stand smack in the middle of my ThinkPad P50, with plastic everything. It's 7 years old now, and still works fine.


What's your use case for FS-level encryption? LUKS has worked for me so far, I wonder where I'm missing out.

Inside a particular text file, you can use a modern text editor - (Neo)Vim, Helix, probably others let you to copy/paste via named "registers" (places to store copied stuff). Select something, then "ay to copy into "a", then "bp to paste from "b".

  • The Prelude to Faun's Afternoon, by Ravel, is dope.
  • Magnificat, by Arvo Pärt - Voces8 sang it really well.
  • ... there's too much good music in the world to list it all.

Corpses of dead bacteria and dead tuna :)

BtrFS has Stuff.

  • Subvolumes, which enable you to share the same /home between Linux distros
  • Snapshots, which are great for
    • freezing the FS during off-machine backups: create a snapshot, rsync the snapshot not the main FS, drop the snapshot
    • transient backups. Will executing this thing hose my system? If no, drop the snapshot.
  • ability to pool different disks into a single FS
  • and so much more.

Fun story: once I needed to do something (resize? can't recall) to a partition that happened to be in use. The solution involved smbmounting a network disk, losetup helping transform that thing into a virtual disk, then migrating the root FS there, recreating partitions, all while running the rootfs on that thing. Thus, pooling can be useful.

By the way, what does Zsh have over bash that you find useful?


NeoVim is almost a drop-in replacement for Vim (the configuration file is under .config). Plugin installation might be different, tho.

Find a migration guide and be brave.

I got a new screen for my ol' trusty Poco F1, from AliExpress, for 20€, and spent an hour to install it.

Why is the question about "stopping me" - there's nothing here to motivate me to get one, so by default I won't.

How do you tell whether it's been hacked? The hallmark of a good hack is invisibility, like modifying logs. Do you perhaps count SSH sessions in your router and verify it against client logs, or somesuch technique?

I needed to redo partitions, but didn't want to reboot.


Here's a couple of pointers to get started:

  1. The Arch Linux Wiki is full of excellent information. It's not for beginners, though.
  2. Run top in your terminal to see what's taking CPU.
  3. Run top -o RES (or what's easier, run top and then press M while it's running) to see what is taking up RAM.

... though unfortunately, it's mighty probable that the only significant consumer of memory and CPU is your browser. Get uBlock Origin, it helps web pages be lighter and eat fewer resources. Don't open too many tabs at once - learn to use bookmarks efficiently, instead (folders, bookmarks toolbar and whatnot).

Windows has a pre-built index as well (or at least it has a search indexer service that enjoys as warm a CPU as possible). That doesn't appear to improve the speed of search, though.

Yes, basically, except for the fractional amount of kids. Got my MSc for free (actually I got paid tuition to study, heh (living in Europe has its perks)). Now working in software engineering, happy with my life.

That said, I realize I'm an outlier, having many acquaintances with substantially harder lives. I'm deeply grateful to fate.

I can't be sure it'll last, though, so I'm trying to branch out into gardening now (while I have the money to spare for it). See if I can get a livable amount of veggies out of my farmland, some day. It won't be enough to sell, but perhaps our family could earn a subsistence level of calories out of our land...

Dwarf Fortress and Cataclysm: DDA generate some crazy plotlines, full of narrative, twists, and character development. How come no writer has converted a character's story into a novel, yet?

We're at Linux@lemmy.ml, hon. The average user uses a package manager. The majority of software is open-source and compiles for ARM just fine. Games excepted, but they won't run on the low specs anyway.

Play video games - Cataclysm:DDA or Dwarf Fortress (tho I stayed on the pre-Steam version as it's lighter on the CPU).

Learn a new programming language at https://exercism.org

Read a book - tons of free ones around the interwebs, legally or not, as you desire.

Install a new operating system. Try Haiku or OpenBSD. See if your phone is compatible with PostmarketOS. If not, Termux + SSH + port forwarding in your WiFi box, set up a webserver and publish something. Host a Gemini pod.

Learn a craft. Repair something that another person would toss. Start a sourdough culture - it takes a week to mature (read up on how to do this right), then bake a loaf of bread. Homemade bread is approx 16× tastier than run-of-the-mill commercial stuff.

Take a walk somewhere you haven't walked before. Find the nearest forest lake and arrange a picnic. Take someone with you on the 2nd trip.