Lemongrab Lemongrab @lemmy.one
Posts 19
Comments 644
OS recommendations
  • Generally, I think it is better to use a general server OS like Debian or Fedora instead of something specialized like Proxmox or Unraid. That way you can always choose the way you want to use your server instead of being channeled into running it a specific way (especially if you ever change your mind).

  • [Question] YouTube frontend with algorithm?
  • Not really. You can side load, but not great user experience.

  • Security and docker
  • That is not how security works. You must protect against known and unknown attack vectors. I am only pointing out weaknesses of Docker and other Linux containers that share the kernel with the host and/or run as root. I'm not saying anything original or crazy, just read up on the security of these technologies and their limits. I am not a malware designer, I am a security researcher.

    Look into gVisor and Kata Containers for info on how to improve the security of containers.

    Here are some readings for you:

    https://redlib.tux.pizza/r/docker/comments/eakd50/help_can_i_safely_run_malware_inside_a_container/
    https://www.csoonline.com/article/1303004/vulnerabilities-in-docker-other-container-engines-enable-host-os-access.html
    https://www.panoptica.app/research/7-ways-to-escape-a-container
    https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
    https://www.securityweek.com/leaky-vessels-container-escape-vulnerabilities-impact-docker-others/
    https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities
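
The comment above argues that a container sharing the host kernel is only as contained as the capabilities its processes keep. As an added example (not part of the original thread or of any of the linked articles), this Python snippet decodes the `CapEff`/`CapBnd` hex fields that the real `/proc/self/status` exposes and names the capability bits, so a defender can check from inside a container whether it is running with the Docker default set, with everything dropped, or with the full root set. The `CAP_*` numbering is the kernel's own; the `HIGH_RISK` selection is this example's assumption about which capabilities deserve a second look, and the three status snippets are constructed samples.

```python
"""Decode the Linux capability bitmask a process actually holds.

Added example, not from the thread above. Reads the Cap* hex fields in
/proc/<pid>/status (a real kernel interface) and maps bits to CAP_* names
using the numbering from include/uapi/linux/capability.h.
"""
import re

# Index == capability number as assigned by the kernel (0..40).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumption of this example: capabilities that give a process broad reach
# into the shared kernel or into other namespaces, and so should not be
# present in a container that is meant to run untrusted code.
HIGH_RISK = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF", "CAP_PERFMON",
}


def decode_caps(mask: int) -> list[str]:
    """Return the CAP_* names whose bit is set in the mask."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_status(text: str) -> dict[str, int]:
    """Pull every 'CapXxx:<hex>' field out of the text of /proc/<pid>/status."""
    return {
        m.group(1): int(m.group(2), 16)
        for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)", text, re.M)
    }


def assess(status_text: str) -> dict:
    """Summarise effective/bounding sets and flag high-risk capabilities."""
    caps = parse_status(status_text)
    effective = decode_caps(caps.get("CapEff", 0))
    bounding = decode_caps(caps.get("CapBnd", 0))
    return {
        "effective": effective,
        "bounding": bounding,
        "high_risk": sorted(HIGH_RISK & set(effective)),
        "full_root": set(effective) == set(CAP_NAMES),
    }


def self_check() -> dict:
    """Run the assessment on the calling process (Linux only)."""
    with open("/proc/self/status") as fh:
        return assess(fh.read())


# Constructed samples of the Cap* lines, as they appear in /proc/self/status.
DOCKER_DEFAULT = (
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
)
ALL_DROPPED = (
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n"
)
FULL_ROOT = (
    "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
)

if __name__ == "__main__":
    for label, sample in [("docker default", DOCKER_DEFAULT),
                          ("cap-drop=ALL", ALL_DROPPED),
                          ("full root", FULL_ROOT)]:
        result = assess(sample)
        print(f"{label}: {len(result['effective'])} effective caps, "
              f"high-risk={result['high_risk']}, full_root={result['full_root']}")
```

The three samples show the spread the comment is talking about: the Docker default mask still leaves 14 capabilities (including `CAP_SYS_CHROOT`, `CAP_MKNOD` and `CAP_NET_RAW`) but none from the high-risk set, an all-dropped container has an empty effective set, and a full-root mask holds every capability the kernel defines, which is the situation the comment means by "root in the container is root".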

  • Security and docker
  • It is not speculation, it is reducing attack surface. Security is preemptive. Docker/Podman are not strong isolation solutions. Rare does not mean we shouldn't protect against the chance of kernel vulnerabilities. The Linux kernel is around 30 million lines of code long and written in a memory-unsafe language. Code isn't safe just because we don't know the vulnerabilities, this is basic cybersec reasoning.

  • Security and docker
  • Docker/Podman and LXC Linux containers share the same kernel with the host machine. Root in the container is root, period (in the case of rootful containers). Even without root, much of the data on your machine is readable by any user. With an exploit to escape the container (which are common) the malicious program has root on the machine. This is a known attack vector against Linux containers. VMs are much better for isolating untrusted software from the host OS.

  • Security and docker
  • Idk how to decide what is safe or not, but as a warning, Docker containers can escape trivially and have access to the kernel.

  • rule
  • tat for tit 🥴

  • Alternative to GrapheneOS
  • /e/OS is often a month or more behind on Android updates (including security). Unacceptable I think.

    Some info about patch history here: https://www.divestos.org/pages/patch_history

    General comparison table of Android ROM features: https://eylenburg.github.io/android_comparison.htm

  • Hypatia FOSS anti malware app.
  • It is developed by the DivestOS Dev. It is safe.

  • Rusty Rule
  • True, though I also want people to check out Chimera Linux because it seems cool as shit.

  • Rusty Rule
  • I like Rust BTW. (FeO for the WIN!!)

  • Just A Light Dessert Rule
  • To make it taste better.

  • Do you think using GrapheneOS is useless if you plan on installing proprietary apps anyway?
  • I may have been incorrect, but I was pretty sure the deblobbing is why DivestOS doesn't support some of Android's features (alongside the greater reason of security/privacy). Lineage, like any ROM, depends on binary blobs. DivestOS (and GOS) more thoroughly deblob than Lineage, which I think is a quite important metric when considering a ROM.

    Blobs removed by DivestOS: https://codeberg.org/divested-mobile/divestos-build/src/branch/master/Scripts/Common/Deblob.sh

  • For those who want to use Firefox with added security and privacy there is Arkenfox
  • Yes, I understand. I am pretty sure that is incorrect. With an Arkenfox profile, I have modified my prefs in about:config and retained those changes persistently.

  • Do you think using GrapheneOS is useless if you plan on installing proprietary apps anyway?
  • My point was that regardless of what apps you use, much of Google's proprietary code is retained, which increases attack surface and could be spyware. The website was just a neat overview comparison between ROMs. DivestOS has details on what it removes (and prob why it removes it). I am not saying that Lineage is a bad ROM, just that there is more degoogling possible. DivestOS is a soft-fork of Lineage that goes much further than it in an effort to deblob and harden Android. Security often can come at the cost of some usability.

    Edit:
    An example of a real disadvantage of Lineage regardless of what apps you use is what WebView it uses. Its WebView is (likely) unhardened for security and therefore poses some risk to the user if used in an attack. The WebView provider cannot be changed without root.

  • For those who want to use Firefox with added security and privacy there is Arkenfox
  • I have independently tested before that you can change settings. I will test again tomorrow if I remember to.

  • For those who want to use Firefox with added security and privacy there is Arkenfox
  • That is not how Arkenfox works. You apply the patch using the script, and then re-run this patch every time Arkenfox receives an update. In between runs, you can change settings in about:config and Settings, but they will be overwritten if a different value is included in the user.js. A more permanent solution is using the user-overrides.js file read by the script before patching to create a persistent config.

    Something like: user_pref("privacy.resistFingerprinting.letterboxing", false);

    More details about user overrides can be found here.

  • Do you think using GrapheneOS is useless if you plan on installing proprietary apps anyway?
  • It also removes far fewer Google proprietary code blobs when compared to DivestOS or GrapheneOS. See a basic comparison table here: https://eylenburg.github.io/android_comparison.htm

  • Ruling like an ancient Chinese emperor

    Image alt text: Picture of a tea box with the text "Gunpowder Tea" in large letters and underneath in smaller letters "China Green Tea".

    2

    Class traitor rule

    Alt text:

    Description: 3 panel comic of someone interacting with a cop during traffic stop

    Conversation: Cop says "Do you know why I stopped you?" Driver responds "Because you're a class traitor?" Cop is too stunned to speak.

    32

    Kendama-core rule

    Alt text: Child playing with a kendama-like toy with the catching mechanism and ball being each half of the demon core experiment.

    6

    I want to bring some attention to Slidge XMPP Bridges

    It seems like an awesome project that fulfills a lot of the requirements for bridging many popular messaging platforms (like FB Messenger, WhatsApp, Discord, Signal, and more). I wanted to share because I know a lot of us have friends and family who still use antiquated/proprietary communication platforms. Fair warning, I have not tried self-hosting it myself yet since my server is kind of a mess right now. Lmk what y'all think.

    21

    harbinger of the rule

    5

    for whom the bell rules

    5

    Thoughts/Experience with OpenSUSE Micro-OS?

    As the title says, I wanted to hear what other (more experienced) self-hosters think of MicroOS.

    3

    curse of tech support rule

    3

    concussy rule

    Image transcription...

    Instead of X say Y

    | have a concussion = I'm in my bonked-up state.

    I'm concussed = I'm all bonked up.

    My brain is bruised = I've got a BrainBonk TM.

    I'm in my concussion era = It's serving gonked gourd.

    My concussion may affect the quality of my work = Getting my concussy slonked silly style.

    0

    blood-transfusion rule

    Image transcription: 'Today, I operated on a little girl. She needed O- blood. We didn't have any, but her twin brother has O- blood. I explained to him that it was a matter of life and death. He sat quietly for a moment, and then said goodbye to his parents. I didn’t think anything of it until after we took his blood and he asked, “So when will I die?” He thought he was giving his life for hers. Thankfully, they both died'

    0

    sharing mononeon cus

    would like to share. He has great patchwork and crocheted clothes, and better mastery over the bass. Sharing this in particular cus he got a good color scheme going with his clothes.

    1

    Missile umbrulea

    2

    Serving rule

    Alt text: "I just realised the lid on medicine bottles is a serving size." Don't do that obviously, unless your goal is to meet the hatman in the ER.

    11

    Hiya, where do yall get memes.

    Hi, as the title says I am looking for meme communities that share memes. My problem with Lemmy's (or Reddit's) main meme communities is that the memes are boring normal shit instead of gay boring normal shit. Mostly kidding, but main meme subs are just bland and/or basic observations about the world.

    24

    testing

    aHR0cHM6Ly93d3cuYmFzZTY0ZW5jb2RlLm9yZy8=

    1

    Rule

    !

    0