boredsquirrel

@boredsquirrel@slrpnk.net


boredsquirrel,

GrapheneOS is fundamentally better, if CalyxOS didn't fix up their mess in the past months.

boredsquirrel,

DivestOS also has longer somewhat-support for Pixels. But GrapheneOS still ships some updates to my 4a so not sure about that

boredsquirrel,

I also avoid sandboxed play like hell.

But note

  • microG downloads official Google binaries. It is not some magical reverse engineered bundle. It is a reimplementation
  • microG has privileged access to the system, and thus gives Google privileged access
  • apps needing Google Play often include the binaries themselves and don't even rely on an "adapter"
  • GrapheneOS sandboxed play has the same access as the apps, not more, not less

Sandboxed Play is better for privacy and may prevent a Pegasus/malware vector.

DivestOS has sandboxed microG but I didn't try it. Also note that microG could break any time and the Google binaries may be outdated.

Privileged Android apps are a huge attack surface as so many devices have them. So outdated privileged microG binaries may be a target.

boredsquirrel,

No, I don't know what they download. It should be in the scripts in their repo.

But they don't document that at all, instead giving the impression that it would be reverse engineered and open source.

boredsquirrel,

I am neurodivergent myself.

The word is complicated but for sure, I may rephrase that. Not sure if this will mess up the results though, it may create a second question out of it.

I think special is a positive word.

boredsquirrel,

You can see the live results!

boredsquirrel,

No, that's lag as the form doesn't handle over 50 questions that well.

boredsquirrel,

Fixed some up. If you can be more specific about 2, that would help.

boredsquirrel,

Free software is an option but for sure the open sourceness makes sense even if it wasn't free

boredsquirrel,

I think that is an option.

And that survey is anonymous, I don't get any personal info like IP address etc.

boredsquirrel,

Yup, oops. Those were caused by lag as the form gets horribly slow at that size, server-side somehow.

boredsquirrel,

I think they are relevant to getting to know this community. The questions are optional.

So going into this survey my idea of this community was

  • Linux mint or arch users
  • male
  • 25 average
  • often neurodivergent
  • more income than average as tech stuff is kinda educated friendly

I am neurodivergent myself. I am interested if free software actually reaches poorer people. I am interested how diverse we are.

boredsquirrel,

Thanks, but poorly changing this now would cause breakage.

Yes, forgot source install completely, that's an issue.

boredsquirrel,

Fedora Kinoite is also my go to perfect Windows replacement.

KDE is like the Windows desktop but better, faster, more features, less bloat

The updates are stable like Windows updates but don't break, don't annoy, don't cause downtime and don't mess with your GRUB.

Consider switching to uBlue kinoite-main if you want to have proprietary codecs for videos in Firefox etc.

boredsquirrel,

uBlue f**ed up their site a while ago, they had a huge list of images.

You can just use their kinoite-main image, which is what I do. It has Distrobox, homebrew and a few more things.

Here is an archived site

Use kinoite-main:latest and you will even get automatic version upgrades without a problem.

You can still rebase, you know? I tried Aurora and it was not for me, back on normal Kinoite.

But for sure it is a bit annoying to layer. But no issue. I layer 20 packages or so, 300 with dependencies, and all is fine.

I don't know about ROCm, their hardware enablement to my knowledge is just about NVIDIA, Asus and other proprietary stuff.

boredsquirrel, (edited )

Interesting.

Give it a shot, Aurora is fine. May have some packages you don't need, but it is fine.

They remove Firefox for whatever reason, which makes no sense. The Librewolf and Firefox Flatpaks are probably okay, the Librewolf RPM is completely broken

boredsquirrel,

a security hazard.

Okay?

You want your browser to update more often than your operating system.

Then why do you base on Fedora and have daily auto updates by default?

I shutdown my laptop every day and update every day. That is fine for me.

Fedora Firefox has some hardening flags that official Firefox has not. It is built for Fedora and works really really good.

I did benchmarks some time ago and it is also actually very performant.

Flatpak Firefox does not have the ability to create user namespaces for tab process isolation. This is due to all Flatpaks using the same badness-enumerating seccomp filter, there is no additional hardening possible and they still block userns creation.

Firefox can still isolate tabs via seccomp-bpf but this means it has 1 of its 2 security barriers removed when using a flatpak.

Seeing browsers as an app, it is good to have additional security from the browser to the OS, by sandboxing via flatpak.

But seeing the browser as a platform, passwords, bookmarks, credit card details etc may all be stored in there and a sandbox escape not necessary to steal peoples stuff.

Removing Firefox prevents people from reinstalling it (due to the rpm-ostree bug), and apart from the tarball (which has no desktop integration and is some random binary run from some random location, likely without SELinux protection (unconfined users)) it is the best browser on Fedora.

installing it with distrobox.

This makes no real sense.

Pro

  • it can update separately from the OS
  • it works even with the current rpm-ostree bug
  • it is the Fedora RPM
  • it is kinda isolated from the root OS

Con

  • updates are not automatic and need to be configured
  • not sure if it has access to user namespace creation because it already runs in a user namespace container
  • it adds additional boot time and constant RAM usage due to having a container
  • distrobox does not allow Fedora DNF system upgrades so you need to nuke it and reinstall on a version change (at least every 13 months)

Using the tarball and placing it in /var/usrlocal/bin/ may be better. But still cumbersome.

The solution, even if you want to remove it, is having these issues solved, or this rpm-ostree bug fixed.

boredsquirrel,

Distrobox updates automatically

True, forgot that you use topgrade

Atomic Fedora should not have Firefox in image

There are many relevant issues and it is not a clear choice.

Irrelevant. Not everybody does.

Yeah and nobody knows about user namespaces or seccomp filters. This is about at least 2 user groups and one is not necessarily more important than another.

It is again not a clear choice.

a way to continue to prevent it, I will.

  • in your opinionated images, I hope.

You start to sound like a GrapheneOS dev. It makes no sense to prevent users from reinstalling removed packages.

Which btw also include the Fedora Flathub repository.

boredsquirrel,

You also didn't answer to the security issue of removing an entire sandboxing layer, or to the point about not being able to upgrade Distroboxes.

Do you solve the second problem by building a latest distrobox container following the uBlue releases?

The anti-AI sentiment in the free software communities is concerning. (lemmy.world)

Whenever AI is mentioned lots of people in the Linux space immediately react negatively. Creators like TheLinuxExperiment on YouTube always feel the need to add a disclaimer that “some people think AI is problematic” or something along those lines if an AI topic is discussed. I get that AI has many problems but at the same...

boredsquirrel,

AI is massively wasting power that we need for electrifying transportation and more useful things.

There are many things more useful than AI, for example good internet search engines.

AI can be useful for dedicated things like being trained on relevant tutorials and documentation to help with Linux.

boredsquirrel,

Pro apt:

  • storage efficient
  • may be optimized for stuff like x86_64 v3 or v4
  • runs as many users and easily from terminal
  • needed for some low level stuff like system packages

Contra apt:

  • a ton of stuff comes from outside the main Ubuntu repo. Debian doesn't have that difference afaik but still many packages may be more abandoned
  • 3rd party packaging 99% of the time, i.e. “unverified”. I had a lot of strange bugs especially with Ubuntu packages
  • the apps are not isolated at all

Pro Flatpak

  • a ton of verified apps, nearly unavailable on other repos (that still doesn't make unverified apps insecure!)
  • all apps have a sandbox that can be graphically hardened to be more secure, if the defaults are too broad
  • by default the sandbox is pretty good
  • many many apps that run everywhere

Contra Flatpak

  • not suited for some apps like terminal apps or system stuff
  • some apps are less maintained and use EOL runtimes etc
  • some more storage space needed
  • need user namespaces, nearly all distros have them enabled
  • a bit slower startup time but okay
  • a bit more RAM usage

boredsquirrel,

True, especially the dotfiles. Having them separated in individual per-app directories is awesome

boredsquirrel,

defaults

The default is completely sandboxed. Developers need to allowlist exactly what they want. So it is transparent.

Compare that to a random app where you need to monitor its syscalls to see what it does.

KDE Plasma now includes a GUI settings page that allows changing these.

I think GNOME needs to integrate that into their settings, I mean just include damn Flatseal as a settings page…

specify global options

This is supercool and I started doing that. All apps get the env vars to force Wayland now even though they may not use it. I have my overrides and uploaded them to my dotfiles.

But Bottles has a great sandbox

Echo that

over 1200 unmaintained packages in the Debian repositories, and even over 400 in Arch’s much smaller repositories

This is crazy, same on Fedora. Distros really need to start using separate repos, and automatically filter out everything that didn't get a “I maintain this” for a while.

There are packagers maintaining a shitload of apps at once.

Flathub applications are usually maintained by upstream

Not always but having this at all, and having most big names in there, is incredible. This is like a first time this happens.

easily rollback Flatpaks

Ostree is great

consistent build environment

And having it declared centrally can help add all the security benefits of the individual ones too. Really nice

boredsquirrel,

What?

Rufus just flashes ISOs to disks. On Linux you can do that with

  • udisksctl or dd
  • Impression
  • Fedora Media Writer
  • KDE ISO Image Writer
  • Balena Etcher

But you are talking about something completely different and Ventoy does that.

boredsquirrel,

I think you should use dd for that?

boredsquirrel,

cat is for writing files, dd for writing disks.

Can you explain how this can work?

boredsquirrel,

What

boredsquirrel,

I thought that was what Impression uses but it doesn't tell that anymore. So I don't know

boredsquirrel,

Cool, need to try that

boredsquirrel,

Then try Celluloid Flatpak or Haruna. Celluloid in GTK, Haruna in Qt. Haruna has more GUI options but some big things are broken or buggy, so I use Celluloid.

My config is in my dotfiles under .var/app/

boredsquirrel,

works fine as one would expect. Not that self explanatory, I wonder how

install Vivaldi as a flatpak and was not able to get it to talk with keepass.

No the native messaging portal is missing

What is mean by that line of reasoning?

Makes no sense. The Flatpak is official and more isolated than native packages. Reduce the number of system apps as much as possible.

See my thread on the methods but they are all hacky. You could copy the KeepassXC binary to the Browser flatpak container and launch it from there. But this needs to be repeated on every update, but it is possible and can be automated.

boredsquirrel,

Get a CD with RedHatLinux, SUSE or Debian 1 or something and try to install that

boredsquirrel,

I mean of course, they never shipped big parts of their orders but got the money anyways.

That company is fucked up completely.

Gnome extension on KDE?

I know the title sounds a little strange but hear me out. The time tracking software I use for work doesn’t work on Wayland, unless I’m using Gnome as my DE. They have an extension that allows it to work in this case. Personally, I don’t enjoy Gnome on my desktop (I use it on my laptop). Is there a way for me to get the...

boredsquirrel, (edited )

Looks useful. So this software detects how long you spend on what app?

This may be compositor dependent but just a guess. That's a problem of Wayland (currently)

The port will be huge and just making the extension run is not enough.

boredsquirrel,

I don't think they actually take screenshots, do they? That would be awfully inefficient. You can get the window titles in better ways.

The URL stuff should use a browser extension to tell them that name.

If that app really takes screenshots and extracts URLs from them, it is pretty overcomplex. But that improves platform-independence a lot

I'm going to reinstall linux on my computer. What is it like to run something Silverblue based these days ?

I have been using CachyOS for more than 6 months at this point and I’m pretty happy with it. Among the many distros I tried, this is probably my favourite arch based distro. I initially installed it because it offered Hyprland desktop, and I didn’t want to bring over my messy config nor did I want to start from scratch. But...

boredsquirrel,

I don't get it, I had the same issues on AMD too. Fedora likely won't change that, both distros just use mostly upstream packages.

Also instead of Silverblue I honestly need to recommend uBlue's silverblue-main base image, which has “batteries included”.

Or you try wayblue, which is a project shipping many Wayland window managers with some defaults.

boredsquirrel,

I am currently struggling with building a custom image.

  1. Do I need to specify somewhere where the recipe.yaml files are? If I use multiple ones, and they are not in the top dir?
  2. If I get random Errors without any output, do you know how to increase that?

I already asked the devs that so no problem if you don't know it.

boredsquirrel,

Here is my small project which I created to tackle down the issue. It is still the same, the config is really small and just tries to reinstall firefox, which was removed in secureblue.

directly use recipe.yml in the recipes folder to specify other .yml files to be used in building.

Interesting, will look at this.

Lets see

boredsquirrel,

There already is Flatpak. Many proprietary apps are shipped as Snaps, which helps with Flatpak packaging as the binaries can just be packed into a different container.

Snap developers kinda help with making the whole portals, isolated apps stuff work.

But that's about it.

boredsquirrel,

No there are many CLI apps on Flathub.

Helix, and others.

boredsquirrel,

Interesting. Yes I had some other editor too, it opened a new terminal tab.

There is some flatpak export bin directory where the binaries are, I think you can put that to your PATH and have a pretty good CLI experience.

boredsquirrel,

Reminds me of the Talk about distributing firmware.

BitTorrent is poorly pretty suspicious which may be used as an argument. But I don't see the reason really.

boredsquirrel,

It's the same :D

Rebasing refers to an OSTree remote which is like a git repo, but with binaries and producing bootable systems. There are some differences there.

The idea is: there is a remote that has the exact wanted configuration, your system mirrors it. All the package manager does is similar to git pull.

If you rebase, you switch the upstream remote, and your system gets the diffs, downloads them.

The cool thing is, that these updates are atomic, so you stay on the current system and the rebased one is only set as the system you boot in after a reboot. You can still sudo ostree admin pin 0 before rebasing, and your current system will be saved forever to switch back to.

Note that /etc is writable so you might still accumulate duplicate or redundant configs.

gitlab.com/fedora/ostree/sig/-/issues
