Posts 13 | Comments 271 | Joined 2 yr. ago

  • There are too many differences for me to list here, but unlike mobile operating systems, Windows and most Linux desktops do not provide sandboxed environments for userspace apps by default. Apps generally have free rein over the whole system, reading/writing data from/to other apps without restriction or notification. There are virtually no safeguards against malicious actors.

    Mobile operating systems significantly restrict system-level storage space, making key areas read-only to prevent data access or manipulation. They also protect app storage, so one app can't arbitrarily access or modify data stored for a different app.

    Mobile operating systems also follow an image-based update model, wherein updates are atomic. System software updates are generally applied successfully all at once or not at all, helping to ensure your phone is never left in a partial or unusable state after a system update.

    For desktop users, macOS, and atomic Linux distros combined with Flatpak are the closest comparisons.

  • Most operating systems will require your desktop password upon resume, and most thieves are low-functioning drug users who are not about to go Hacker Man on your laptop. They will most likely just wipe the system and install something else; if they can even figure that out.

  • Yeah, I'm sure there are a lot of variables there. I can only say that in my experience, I noticed zero impact to gaming performance when I started encrypting everything about 10 years ago. No stuttering or noticeable frame loss. It was a seamless experience and brings real peace of mind knowing that our financial info, photos, and other sensitive files are safely locked away.

  • No, the average user will never know the difference. I couldn't tell you exactly what the current performance impact is for hardware encryption, but it's likely around 1-4% depending on the platform (I use LUKS under Linux).

    For gamers, it's likely a 1-5 FPS loss, depending on your hardware, which is negligible in my experience. I play mostly first- and third-person shooter-style games at 1440p/120Hz, targeting 60-90 FPS, and there's no noticeable impact (Ryzen 5600 / RX 6800XT).

  • It does help greatly in general though, because all of your data will be encrypted when the device is at rest. Theft and B&Es will no longer present a risk to your privacy.

    Per-app permissions address this specific threat model directly. Containerized apps, such as those provided by Flatpak, can ensure that apps remain sandboxed and unable to access data without explicit authorization.

  • While it would certainly be nice to see this addressed, I don't recall Signal ever claiming their desktop app provided encryption at rest. I would also think that anyone worried about that level of privacy would be using disappearing messages and/or regularly wiping their history.

    That said, this is just one of the many reasons why whole disk encryption should be the default for all mainstream operating systems today, and why per-app permissions and storage are increasingly important too.

  • Jeez, thanks for that invitation down the rabbit hole lol. Prior to your comment, I'd never come across any studies on boiled vs filtered coffee and its effects on hypertension and overall cardiovascular health. I've since read several and I'm now questioning my life choices. Seriously though, thanks for the tip, and I'll definitely be doing my own experiments soon.

  • The beauty of Fedora Atomic is that anyone affected by the recent update (including me) could simply roll back to the previous image and boot as normal in order to troubleshoot. This is exactly why nearly all of my devices are running Silverblue or Kinoite now.

    I think it's worth mentioning that significant bugs happen across all major OS platforms.

    Recently, Microsoft pushed a patch requiring affected users to manually resize their EFI recovery partition. Shortly after that, it was announced that all Apple Silicon Macs suffered from an unpatchable vulnerability which can defeat encryption. These are just a couple of examples from recent memory... there are many others.

    The only way to truly avoid serious software vulnerabilities or bugs is to avoid software entirely. Operating systems are highly complex, multilayered software, and shit happens.

  • I recently posted about setting up my new Brother HL-L5210DW printer under Fedora Atomic, which was also having issues with duplex printing when using the brlaser driver. Maybe this will help you too:

    https://lemmy.ca/post/23695569

    If yours is networked, I think you just need to select the IPP option mentioned in my post, and enter the path as ipp://<printer-ip-address>

  • Mind if I ask what you don't like about French Press coffee? I ask only because we've been FP-only when at home for more than 10 years now. I can enjoy a cup of coffee from just about anywhere when on the road, so I'm definitely not a picky drinker but I do enjoy homemade FP the most.

  • I write everything in markdown, and I mean just about everything. Tech notes, recipes, work procedures, shopping lists...everything. If you check my comment history from today, you can see a quick example of the kind of tech notes I keep (firewalld in this case).

    I keep all of my plain text files synced across multiple devices using Syncthing. For desktop editors, I use mostly vim and VSCodium (though Kate is nice too), and I use Markor on Android. This workflow has been highly efficient for many years now, and I no longer waste time constantly reviewing the latest note-taking app.

  • I can't provide specific advice for Tailscale, but I can share my notes for my own use case, which is for PCs that are safely behind the home firewall. You'd want to adjust your ssh/smb settings accordingly. You shouldn't need any rules for ProtonVPN, as you're likely just trying to block incoming connections, not outbound.

    It's my understanding that Fedora opens ports 1025-65535/tcp and 1025-65535/udp by default.

    To lock down to sane defaults (--permanent saves the settings directly, avoiding the need to run firewall-cmd --runtime-to-permanent separately):

        sudo firewall-cmd --permanent --remove-port=1025-65535/tcp
        sudo firewall-cmd --permanent --remove-port=1025-65535/udp
        sudo firewall-cmd --permanent --add-port=27031/udp  # steam remote play
        sudo firewall-cmd --permanent --add-port=27036/udp  # steam remote play
        sudo firewall-cmd --permanent --add-port=27036/tcp  # steam remote play
        sudo firewall-cmd --permanent --add-port=27037/tcp  # steam remote play

    Ensure that ssh and samba-client are listed as allowed services too (sudo firewall-cmd --list-all).

    • Firewalld must be reloaded before rule changes will take effect: firewall-cmd --reload
    • Changes will reset upon reboot unless made persistent by using --permanent or by committing all changes with --runtime-to-permanent

    Common commands:

        sudo systemctl enable --now firewalld   # enable and start firewalld service
        sudo systemctl disable firewalld
        sudo systemctl stop firewalld

        sudo firewall-cmd --state               # show running state of firewalld
        sudo firewall-cmd --get-active-zones    # list active zones
        sudo firewall-cmd --get-zones           # list all zones
        sudo firewall-cmd --get-default-zone    # list default zone
        sudo firewall-cmd --list-ports          # list allowed ports in current zone
        sudo firewall-cmd --list-all            # list all settings
        sudo firewall-cmd --reload              # reload firewall rules to activate any rule modifications

    Add/remove ports, services, IPs:

        sudo firewall-cmd --add-port=port-number/port-type      # allow incoming port  (tcp,udp,sctp,dccp)
        sudo firewall-cmd --remove-port=port-number/port-type   # block incoming port
        sudo firewall-cmd --add-service=<service-name>          # allow incoming service (see /etc/services)
        sudo firewall-cmd --remove-service=<service-name>       # block incoming service (see /etc/services)
        sudo firewall-cmd --add-source=192.168.1.100            # whitelist incoming IP (use 192.168.1.0/24 for a range)
        sudo firewall-cmd --remove-source=192.168.1.100         # remove whitelisted IP (use 192.168.1.0/24 for a range)

    Block an IP or IP range (rich rules):

        sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
        sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

    Whitelist IP for specific port (rich rule):

        sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

    Remove a rich rule:

        sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

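    Added example (my own, not from the comment above or from Fedora's tooling): a script that checks a firewalld zone listing against the allowlist the lockdown commands above are meant to leave behind, so you can confirm the 1025-65535 ranges are really gone after `--reload`. The allowlists and the sample listing are constructed for illustration; on a real host, pass it the output of `sudo firewall-cmd --list-all` instead.

```bash
#!/usr/bin/env bash
# Added example, not part of the original comment: audit a firewalld zone
# listing against an intended allowlist, flagging the 1025-65535 ranges the
# comment says Fedora opens by default. Allowlists and the sample listing are
# constructed; feed it `sudo firewall-cmd --list-all` output on a real host.

# Ports we intend to keep open (the comment's Steam Remote Play rules).
EXPECTED_PORTS="27031/udp 27036/udp 27036/tcp 27037/tcp"
# Services we expect to stay enabled (ssh and samba-client per the comment).
EXPECTED_SERVICES="dhcpv6-client ssh samba-client"

# Constructed sample resembling a default FedoraWorkstation zone listing.
SAMPLE_LISTING='FedoraWorkstation (active)
  interfaces: wlp3s0
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/tcp 1025-65535/udp 27031/udp'

# field_of LISTING KEY -> the space-separated values after "KEY:" in LISTING
field_of() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# unexpected ITEMS ALLOWED -> each item of ITEMS that is absent from ALLOWED
unexpected() {
    local item
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# audit_zone LISTING -> prints offending entries; returns 1 if any were found
audit_zone() {
    local bad=0 p s
    for p in $(unexpected "$(field_of "$1" ports)" "$EXPECTED_PORTS"); do
        echo "unexpected port $p: sudo firewall-cmd --permanent --remove-port=$p"
        bad=1
    done
    for s in $(unexpected "$(field_of "$1" services)" "$EXPECTED_SERVICES"); do
        echo "unexpected service $s: sudo firewall-cmd --permanent --remove-service=$s"
        bad=1
    done
    return "$bad"
}

if audit_zone "$SAMPLE_LISTING"; then echo "zone matches allowlist"; else echo "zone needs cleanup"; fi
```

Run it after the lockdown and `--reload`; the sample listing above still shows both wide-open ranges, so it reports them with the exact remove command for each.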
  • As a fellow Atomic user, my completely biased opinion is that you've made a good choice of distro for switching from Windows.

    Don't sweat the need or desire to layer a few packages. I see a lot of folks stress over this as if it's a hard rule they are breaking. It's a general recommendation and little more. I would be surprised if most users don't layer at least one package (or even a few).

    On my main workstation, running Kinoite at the moment, some of the layered packages include:

    • distrobox
    • gdm (sddm refuses to respect autologin)
    • kate
    • ksystemlog
    • syncthing
    • vim-enhanced
    • virt-manager
    • virt-viewer
  • If it were me and there was no way to have an additional drop installed from the exterior, I would still consider running a single cable through the living space to your desired location, as discreetly as possible.

    It's difficult to suggest exactly how to do so without pics or a floorplan, but I would try to match the wall or trim color and keep the cable tucked close to the floor and/or ceiling throughout the run.

    Once in place, the cable will quickly disappear into your surroundings and you'll be left with rock solid reliable networking.

  • And I don't even care if they keep it as a "tray". I'd be content with integration into the dash if they can make it work smoothly. For example, just having the app start minimized as a regular icon (or segregated icon) in the dash...just something at this point.

  • I'm happy to see it's finally happening, and I hope they left its implementation flexible.

    What I'd really love to see (aside from triple buffer) is a real solution to the system tray situation. AppIndicator is problematic for some apps and under certain X11/Wayland desktops, and even when it works well it is cumbersome to use compared to traditional tray implementations. Hoping we see a new approach soon.

    In the meantime, I've been enjoying a revisit to KDE Plasma under Kinoite and I have to say I'm really impressed with both DEs!