Atemu

@Atemu@lemmy.ml

Interested in Linux, FOSS, data storage systems, unfucking our society and a bit of gaming.

Nixpkgs committer.

github.com/Atemu
reddit.com/u/Atemu12 (Probably won’t be active much anymore.)

Atemu ,

Were you using the Google espionage services on GOS? If so, you'd likely gain a little privacy because of µG.

Some devices can lock the bootloader but that's not a generally supported feature on /e/OS.

How much money do you spend on shaving?

About 10 years ago Gillette had an advertising slogan, "Shaving for only €1 per day". Which I found very expensive. Fast forward to today and shaving influencers on YouTube are not only real, they also tell me that with their super-expensive safety razor in the affiliate link you save €75 a year, because the blades only...

Atemu ,

Electricity costs close to 0 for the electric shaver that was given to me as a gift many years ago.

Atemu ,

Why bother with such micro optimisations when the purpose is to be used extremely infrequently for compatibility reasons?

What distro would you recommend for a 32-bit old Acer One laptop? (kbin.social)

It's an old model (Acer One D257). Processor is Intel Atom. Memory is 1GB DDR3 with 320 GB of HDD. I currently have MX 21 running on it, but I need to reinstall because I forgot the root password. Since I'm reinstalling the OS, I thought I'd ask here for recommendations for an OS that makes the most of this oldie.

Atemu ,

See if you can get the memory upgraded. DDR3 SO-DIMMs should be dirt cheap.

I'd also get a cheap SSD as well, especially if this is for a child who might not be very careful with the machine.

Atemu ,

there’s a different nvidia driver for each kernel version. Already a stupid design

That's not a stupid design at all. An nvidia kernel module artifact is only compatible with exactly one kernel ABI. Thus you need one binary nvidia package for each kernel you ship.

Arch also has one package for every kernel ABI they ship: nvidia and nvidia-lts.
Though it should be noted that their design assumes that these two ABIs are the only possible ABIs which isn't strictly the case as the zen, hardened or RT variants may sometimes lag behind their regular counterpart. That's a stupid design if anything as it increases the friction of kernel ABI upgrades as a kernel package maintainer.

We at NixOS also ship the nvidia module for each of our ~50 kernel variants; all major versions of the Nvidia module compatible with that kernel in fact.
The only possible way to access these nvidia kernel modules is via a certain kernel's linuxPackages attribute set that contains all packages that rely on a kernel ABI such as kernel modules or packages like perf. That's good design if you ask me but I'm obviously biased ;)

Atemu ,

These aren't all versions per se but mostly variants, versions and versions of variants. For example, we have packaged the xanmod kernel which is a modified kernel optimised for desktop use but it has two variants: Main and LTS. We have packaged both.

Here are the names of all of our kernels currently to give you an idea (as a JSON list):

[
  "linuxPackages",
  "linuxPackages-libre",
  "linuxPackages-rt",
  "linuxPackages-rt_latest",
  "linuxPackages_4_14",
  "linuxPackages_4_19",
  "linuxPackages_4_19_hardened",
  "linuxPackages_4_9",
  "linuxPackages_5_10",
  "linuxPackages_5_10_hardened",
  "linuxPackages_5_15",
  "linuxPackages_5_15_hardened",
  "linuxPackages_5_18",
  "linuxPackages_5_19",
  "linuxPackages_5_4",
  "linuxPackages_5_4_hardened",
  "linuxPackages_6_0",
  "linuxPackages_6_1",
  "linuxPackages_6_1_hardened",
  "linuxPackages_6_2",
  "linuxPackages_6_3",
  "linuxPackages_6_4",
  "linuxPackages_6_5",
  "linuxPackages_6_5_hardened",
  "linuxPackages_6_6",
  "linuxPackages_custom",
  "linuxPackages_custom_tinyconfig_kernel",
  "linuxPackages_hardened",
  "linuxPackages_latest",
  "linuxPackages_latest-libre",
  "linuxPackages_latest_hardened",
  "linuxPackages_latest_xen_dom0",
  "linuxPackages_latest_xen_dom0_hardened",
  "linuxPackages_lqx",
  "linuxPackages_rpi0",
  "linuxPackages_rpi02w",
  "linuxPackages_rpi1",
  "linuxPackages_rpi2",
  "linuxPackages_rpi3",
  "linuxPackages_rpi4",
  "linuxPackages_rt_5_10",
  "linuxPackages_rt_5_15",
  "linuxPackages_rt_5_4",
  "linuxPackages_rt_6_1",
  "linuxPackages_testing",
  "linuxPackages_testing_bcachefs",
  "linuxPackages_xanmod",
  "linuxPackages_xanmod_latest",
  "linuxPackages_xanmod_stable",
  "linuxPackages_xen_dom0",
  "linuxPackages_xen_dom0_hardened",
  "linuxPackages_zen"
]

(Note that some of these are aliases; linuxPackages_latest is currently linuxPackages_6_6 for example.)

Each of these has the following nvidiaPackages (modulo incompatibilities):

[
  "beta",
  "dc",
  "dc_520",
  "latest",
  "legacy_340",
  "legacy_390",
  "legacy_470",
  "production",
  "stable",
  "vulkan_beta"
]

(Again, some of these are aliases.)

This is useful to have because users might have hardware constraints. It's not hard to imagine a scenario where a user might have a WiFi chip that only works with kernel ABIs < 5.4 and require the 470 nvidia driver for their old GPU. Packaging just the latest kernel and just the latest Nvidia driver would make this user unable to use their system.

Atemu ,

Don’t. Use a proper package manager for permanent installation of things. There’s a reason we have those.

Atemu ,

That and ease of deployment.

If you as a developer wanted a non-technical user to test a thing you fixed for them, you could ask them to try an AppImage from your CI pipeline and they would easily be able to install it. They’re great for that.

Also, trying out a package can leave unwanted system state around in traditional imperative system package managers. AppImages OTOH are self-contained and user-installable.

Atemu ,

Yeah, as a nixos-unstable user, you’ve been running “23.11” for the past 6 months ;)

Atemu ,

closed

github.com/ProtonMail/proton-bridge

I don’t think they release these bridge apps on BSDs or smaller OSs

As long as your weird OS is supported by Go, you should be able to build and use it.

I don’t see them not releasing binary builds for such niche platforms as a strong argument.

you’re forced to use their apps on Android & iOS

I see nothing preventing the use of an alternative client.

Besides, both clients are FOSS:

github.com/ProtonMail/proton-mail-android
github.com/ProtonMail/ios-mail

These free-tier-loss-leading strategies are expensive too.

As a paying PM user, I think it’s fine. I can afford to pay ~$50/year for something as basic as e-mail. Not everyone is as privileged as me though and it’s great that they can have a slightly less featureful version for free.

Privacy in the most basic element of modern communication shouldn’t be reserved for the privileged.

marketing-heavy

Could you point me to the “heavy” advertising? I’ve yet to see any.

Atemu ,

you still have to use their clients on mobile OSs even if you prefer running a client like K-9

If you made K-9 speak their protocol, I’m sure that would work. Additionally, there’s also nothing preventing you from running the bridge on your Android (or whatever) device; it’s a statically linked Go binary.

What your point boils down to is basically that they don’t use or support IMAP. In order for IMAP to work however, the mail server must have access to all of your emails in plain text.
Do you see how that’s an issue when your service is intended to provide privacy to the user? The fact that PM cannot read your emails at rest (even if they wanted to) is one of PM’s explicit selling points. See proton.me/blog/zero-access-encryption

This is the primary reason why PM (and Tutanota for that matter) don’t support IMAP. As a software engineer, I can also imagine they wouldn’t want to base their entire operations around such an old and crufty protocol though.

Where I definitely don’t agree tho is the free-tier thing.

That’s fine. I can see both sides. Though, as stated, I’m clearly in the “socialistic” “pay more to support less affluent people” approach to commercial services product camp.

Having access to the bridge cut off as well as not {Cal,Card}DAV is a real pain that forces the premium subscription

For us power users who need that, yes, that’s the point. We should pay.

For your average Joe, they get a fancy web UI calendar and calendar app for free; just like they do with Google but private. I personally find that quite amazing.

If there was no free tier to subsidize everyone could pay a lot less & get “premium” features others deem as essential.

[citation needed]

Atemu ,

It’s also not altruistic to pay more to subsidize in the manner you are alluding to

Whether something is altruistic or not is more of a philosophical debate.

Fact of the matter remains that unprivileged people using PM for free is only possible because us paying users pay at least slightly more. I don’t care whether that’s altruistic or not.

My affordable provider encrypts their servers & the account storage just fine without needing to reinvent the old, tested protocol

That’s nice but that’s just simple disk encryption at rest. That’s not at all comparable to zero-access encryption. Please read the link in my last reply.

Atemu ,

I do not believe that is the case. Youtube ads are an insanely profitable business. I suspect throwing a couple dozen of FTEs on blocking ad blockers would be <1% of current revenue.

Atemu ,

Could it be that these are spam numbers that tried to reach you at some point but were blocked before they could?

Atemu ,

GTK 4 does not, possibly in a future version

That would be news to me. Has GTK finally managed to switch away from using actual real hardware pixels as its base unit for measurement?

My internal fight over what device to buy

Hello there! This is my problem: I’m going to buy a new smartphone, and I’d really like to degoogle myself as much as possible. The idea would be to buy a device compatible with LineageOS, but… Supported devices are usually older models, and often there are newer devices with better specs for the same price, that does not...

Atemu ,

microG also doesn’t avoid Google as it is still running proprietary Google code

What proprietary code?

has more privacy/security weaknesses

Source?

Atemu ,

microG runs Google Play code just like Aurora Store. It is not fully open source.

Neither of them run “Google Play code”.

You can download proprietary apps through the Aurora Store and those on their own might include Google play libraries but that should be painfully obvious.

µG can optionally download and run the proprietary DroidGuard for implementing the proprietary SafetyNet. If you don’t want proprietary software, you should not explicitly enable SafetyNet (I don’t know what app you’d use it with anyways).

Here’s more information.

That’s a Twitter thread with no cited sources aka. the truthiest information known to man.

It is still connecting to Google’s proprietary servers.

If you ask it to, yes. That’s one of its explicit purposes.

It obviously must talk to Google servers in order to facilitate things like cloud messaging for example; there is no other way.

It does try to implement many APIs that would ordinarily talk to Google’s servers in regular GMS using alternative methods however and if it has to talk to Google, it does so with the least amount of data possible.

microG requires Signature Spoofing

This is usually only enabled for the µG app itself and nothing else.

ship with microG as a privileged system app. This increases the attack surface as it is not confined by the regular sandbox rules.

This does increase the attack surface a little. In a world where blindly trusting gigabytes of privileged vendor blobs is the norm however, I don’t think it’s all that significant.

Compared to the hundreds of MiB of regular proprietary GMS code that ships on Android devices, it pales in comparison.

downloads and executes Google code in that privileged unprotected context

As opposed to …running the entire GMS in a privileged context?

MicroG doesn’t have the same app compatibility as Sandboxed Google Play despite the extra access it has on your device.

You’re comparing apples to oranges. µG replaces GMS, not the tool used to sandbox GMS. You could sandbox it in the same way.

There is no “extra access” that µG has compared to regular GMS.

[if] MicroG worked without talking to Google servers

I don’t know why you keep mentioning this, it was never up to debate.

the apps you’re actually using it with (the apps depending on Google Play) have Google code in them.

Apps that bundle Google Play code have Google Play code inside?!

Start the presses! Notify the President!

A wild revelation, the world must know it!

Atemu ,

And entirely optional.

Atemu ,

No, not obviously.

People new to Nix/NixOS always seem to think that flakes are some kind of fundamental shift or something and if you don’t use flakes, you’re not going to be ready for the future or whatever.
No, they’re not. They’re “just” a standardised method of composing separate Nix projects.

In the most common NixOS case (and especially when starting out) you have exactly one external Nix project you depend on and that’s Nixpkgs. Flakes provide very little (if any) benefit in this specific case.

If you’re starting out, you don’t need to care one bit about flakes, experimental features and the documentation of features that are not intended to be commonly used yet (especially not for beginners).

Atemu ,

More likely, people will stop using YouTube at all

Hahaha, no.

Atemu ,

That doesn’t change my reaction one bit.

Is it better to use a non-FOSS email and phone number forwarder or to use one of each for everything? (www.cloaked.app)

I like to try websites out before tying my identity to them. How do you do it? Simplelogin? I honestly won’t manually make a new gmail for every new website I try and I to want the option to see what emails I get.

Atemu ,

How do you reply to emails to your catch-all?

Atemu ,

systemd-boot discovers windows automatically, no need for configuration.

Atemu ,

Detecting extensions using web accessible resources is not possible on Firefox as Firefox extension ID’s are unique for every browser instance. Therefore the URL of the extension resources cannot be known by third parties.

and also for Chrome:

in manifest v3 extensions will be able to enable ‘use_dynamic_url’ option, which will change the resource URL for each session (browser restart). This will render this detection method unusable.

Though it should be noted that this method isn’t the only way to detect extensions.

Atemu ,

The way it’s written doesn’t say whether it simply isn’t made to work for Firefox or whether it couldn’t be made to work for Firefox. Fortunately, the latter appears to be the case.

Atemu ,

You are free to use it however you want - but if you start charging for your product I get a cut.

The problem here is who this “I” is. Often times, there are dozens or hundreds of contributors. Do they each get a cut? Do they all get a cut of a cut? How is that cut calculated?

Testing packaging which targets multiple distributions?

I am working on creating deb/rpm packages for an OSS tool I use. So far, I have been manually testing each deb/rpm in a virtualbox live cd version of that OS but it’s tedious to do that for every release. This is a GUI tool, I basically just need to confirm that the apt install goes correctly and the program can actually...

Atemu ,

This kind of integration testing is best left up to the individual distros. Same as the integration (as in: packaging) itself.

Distros don’t want your binary package, they want your source code, build instructions and a build system that won’t make them cry. Some distros even explicitly disallow re-packaging external binary distributions.

As a distro maintainer, I appreciate your wish to do QA on all the distros but that’s just too much work. You focus on making your software better, we focus on making it work with the rest of the software ecosystem.

Providing a package for one or two distros (i.e. your favourite one) is good practice to ensure your software can be reasonably packaged but it’s not the primary way your users should receive your package in the traditional Linux distro model.
Additionally, you might want to package your software for one of the cross-distro package managers such as Flatpak, AppImage, Snap, Nix, Guix, distri or homebrew. This can serve distro maintainers as a point of reference; showing how it is intended to work so they can compare their packaging effort. If there’s some bug present in the distro package but not the cross-distro package, that’s a good sign the issue lies in the distro packaging for example.
Again, don’t put much time in this. Focus on your app.

Atemu ,

I use NixOS but I don’t bother with automatic deployment or even automatic formatting. I don’t feel it’s necessary in a homelab setting as hardware failure rarely happens at such small scale and the manual steps left aren’t that significant.

Atemu ,

I don’t know about timeshift but it appears to have a configuration tab for snapper.

Proton Mail CEO Calls New Address Verification Feature 'Blockchain in a Very Pure Form' (tech.slashdot.org)

Proton Mail, the leading privacy-focused email service, is making its first foray into blockchain technology with Key Transparency, which will allow users to verify email addresses. From a report: In an interview with Fortune, CEO and founder Andy Yen made clear that although the new feature uses blockchain, the key technology...

Atemu ,

Voting is another concept that would become unhackable overnight

No. Voting on the blockchain is an even worse idea than money on the blockchain.

In many cases, there are good reasons why these things are done the way they are. I have yet to see a software system that is better at preventing voter fraud than humans looking at your government-issued ID at a poll site and humans overseeing other humans manually counting votes.

A single actor might be able to commit voter fraud in the order of dozens or hundreds of votes perhaps but with a digital voting system based on blockchain, they could do so on the order of thousands or even millions by compromising end-user devices used for voting or buy enough work/stake/whatever to perform a 51% attack.

Same goes for money btw. Our current system is by far not a perfect one but removing the ability for governments to i.e. freeze accounts of bad actors is not a boon.

Atemu ,

nobody’s made a solution that is simple and effective

This one isn’t that either by the looks of it but it’s certainly a problem where something like blockchain could provide a solution.

Atemu ,

This is false. Protonmail has supported Web Key Discovery for external domains since 2019: proton.me/blog/security-updates-2019

Atemu ,

So PM claims it has on the order of 10^8 users. Let’s assume each user has one email address with one public ed25519 key, both of which are likely false.

Each key is 32Byte; 32B * 10^8 = 3.2GB.

Could someone do the math how much fiat it’d take to store such an enormous amount of data on the Ethereum or monero blockchains?

Atemu ,

Homomorphic encryption enables votes to be both public and obfuscated at the same time.

That’s nice but has nothing to do with voter fraud prevention.

I will not reply to the stupid ad hominem. You have made it exceptionally clear that you have no idea what my political views are.

Understanding init freedom?

I’m planning to move over to Guix over NixOS, as soon as my current situation improves and possibly import a new libre respecting laptop (Star Labs is thankfully available in India). I do have a very old laptop with a Celeron processor and 4GB of RAM with Guix installed already, and what has come to my attention is that it...

Atemu ,

It actually is. The file gets opened by bash and bash passes the file descriptor to cat but cat is the program which instructs the kernel to write to the device.

Modern cat even does reflink copies on supported filesystems.

Atemu ,

systemd has become like the JavaScript of init systems

Likening systemd to JavaScript is incredibly inappropriate.

systemd now handles DNS, cron, bootloader, and is a suite of tools tightly coupled with the init system)

No. Except for the cron replacement, all of those are stand-alone tools that can be run with systemd, without systemd or replaced with any alternative.

They just happen to be developed under the systemd project umbrella and are obviously tested to work well with one another.

This argument is especially weird for systemd-boot; it’s not even a Linux program ffs.

There are some components that are harder to replace with alternatives but mostly because no good alternatives exist. Systemd might be partially to blame here in how easy it is those parts can be run independently and replaced with equals and you could certainly criticize it for that but you didn’t even mention one of them.

Truth be told, the birth of systemd really heralded in the death of the UNIX philosophy

There is no truth in this sentence.

Doing one thing only, and doing it well, while looking good on paper, and oftentimes is a good general rule of thumb, doesn’t apply to modern application development, for better and worse.

What? Please google “Microservices”.


Your whole wall of text hinges on the assumption that systemd is a simple “init system”; a root process spawning a set of other processes. This is false.

systemd (as in: PID1) does service management, not init. It happens to also fit into the “job description” of init because starting and cleaning up dead services also fall under the responsibility of a service manager but reducing it to just an init system is just plain wrong. All the other things are handled by separate components/processes.

Thus, it still follows the “unix philosophy”. The “one thing” it does simply isn’t what you think it does.

It’s like saying cp doesn’t follow the UNIX philosophy because you could copy files with cat. cat is soo much simpler to understand, why would anyone ever use the bloated cp? Must be the pesky commercial influence of Bell labs!

Truth be told, the birth of cp really heralded in the death of the UNIX philosophy.

Atemu ,

simple_cat which does a simple read/write loop

You just proved my own point. cat does the write(). Bash just configures where it writes to.

re the reflink thing, you were probably thinking of cp, not cat.

No, I was specifically thinking of cat. I just copied a 73G non-sparse incompressible file in 3 seconds using cat file > copy.

copy_file_range does reflinks on btrfs.

Atemu ,

except for hdds without cache

The “cache” on HDDs is extremely tiny. Maybe a few seconds worth of sequential access at max. It does not exist to cache significant amounts of data for much longer than that.

At the sizes at which bcache is used, you could permanently hold almost all of your performance-critical data on flash storage while having enough space for tonnes of performance-uncritical data; all in the same storage “package”.

Atemu ,

Note that bcache and bcachefs are different things. The latter is extremely new and not ready for “production” yet. This post is about bcache.

Atemu ,

AMD platform support is coming to coreboot in the next few years, consumer platforms much later and even there I’m doubtful it’d come to your laptop in particular.

Get a Frame.work with Intel chip if you want coreboot on a modern laptop soon-ish. I know the guy working on that port ;)

Atemu ,

What you’re doing is perfectly fine.

It is however more of a mitigation for bad distro installers than general good practice. If the distro installers preserved /home, you could keep it all in one partition. Because such “bad” distro installers still exist, it is good practice if you know that you might install such a distro.

If you were installing “manually” and had full control over this, I’d advocate for a single partition because it simplifies storage. Especially with the likes of btrfs you can have multiple storage locations inside one partition with decent separation between them.
