Symfony Profiler

null

Proxies\__CG__\App\Entity\Entry {#1577
  +user: Proxies\__CG__\App\Entity\User {#2363 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
  +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
  +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
  +url: "https://www.madaidans-insecurities.github.io/linux.html"
  +body: """
    Basically\n
    \n
    - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
    - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
    - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
    - X11 is insecure, okay we know that\n
    - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
    - Kernel bugs are often not fixed quickly or at all\n
    - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
    \n
    I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
    \n
    On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
    \n
    This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
    \n
    `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
    \n
    But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
    \n
    I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
    \n
    [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
    \n
    The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
    \n
    Maybe nix is a solution? Would this be a good idea?\n
    \n
    Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
    \n
    What do you know about this?
    """
  +type: "link"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 8
  +favouriteCount: 36
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1700929355 {#1741
    date: 2023-11-25 17:22:35.0 +01:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#1906 …}
  +votes: Doctrine\ORM\PersistentCollection {#2382 …}
  +reports: Doctrine\ORM\PersistentCollection {#2383 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
  +badges: Doctrine\ORM\PersistentCollection {#2021 …}
  +children: [
    1 => App\Entity\EntryComment {#1609
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
      +image: null
      +parent: null
      +root: null
      +body: """
        “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
        \n
        The irony.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 11
      +score: 0
      +lastActive: DateTime @1701510560 {#1431
        date: 2023-12-02 10:49:20.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1587 …}
      +nested: Doctrine\ORM\PersistentCollection {#1574 …}
      +votes: Doctrine\ORM\PersistentCollection {#1588 …}
      +reports: Doctrine\ORM\PersistentCollection {#1584 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
      -id: 157122
      -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://beehaw.org/comment/1721846"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700793081 {#1694
        date: 2023-11-24 03:31:21.0 +01:00
      }
      +"title": 157122
    }
    0 => App\Entity\EntryComment {#1550
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
      +image: null
      +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
      +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
      +body: """
        I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
        \n
        Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1700809862 {#1668
        date: 2023-11-24 08:11:02.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
        "@bbbhltz@beehaw.org"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1611 …}
      +nested: Doctrine\ORM\PersistentCollection {#1705 …}
      +votes: Doctrine\ORM\PersistentCollection {#1692 …}
      +reports: Doctrine\ORM\PersistentCollection {#1686 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
      -id: 157623
      -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://beehaw.org/comment/1722547"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700809862 {#1567
        date: 2023-11-24 08:11:02.0 +01:00
      }
      +"title": 157623
    }
  ]
  -id: 16138
  -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
  -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1700870525
  +visibility: "visible             "
  +apId: "https://feddit.de/post/5981126"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700784125 {#1610
    date: 2023-11-24 01:02:05.0 +01:00
  }
  +__isInitialized__: true
   …2
}

Proxies\__CG__\App\Entity\Entry {#1577
  +user: Proxies\__CG__\App\Entity\User {#2363 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
  +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
  +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
  +url: "https://www.madaidans-insecurities.github.io/linux.html"
  +body: """
    Basically\n
    \n
    - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
    - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
    - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
    - X11 is insecure, okay we know that\n
    - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
    - Kernel bugs are often not fixed quickly or at all\n
    - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
    \n
    I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
    \n
    On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
    \n
    This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
    \n
    `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
    \n
    But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
    \n
    I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
    \n
    [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
    \n
    The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
    \n
    Maybe nix is a solution? Would this be a good idea?\n
    \n
    Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
    \n
    What do you know about this?
    """
  +type: "link"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 8
  +favouriteCount: 36
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1700929355 {#1741
    date: 2023-11-25 17:22:35.0 +01:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#1906 …}
  +votes: Doctrine\ORM\PersistentCollection {#2382 …}
  +reports: Doctrine\ORM\PersistentCollection {#2383 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
  +badges: Doctrine\ORM\PersistentCollection {#2021 …}
  +children: [
    1 => App\Entity\EntryComment {#1609
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
      +image: null
      +parent: null
      +root: null
      +body: """
        “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
        \n
        The irony.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 11
      +score: 0
      +lastActive: DateTime @1701510560 {#1431
        date: 2023-12-02 10:49:20.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1587 …}
      +nested: Doctrine\ORM\PersistentCollection {#1574 …}
      +votes: Doctrine\ORM\PersistentCollection {#1588 …}
      +reports: Doctrine\ORM\PersistentCollection {#1584 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
      -id: 157122
      -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://beehaw.org/comment/1721846"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700793081 {#1694
        date: 2023-11-24 03:31:21.0 +01:00
      }
      +"title": 157122
    }
    0 => App\Entity\EntryComment {#1550
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
      +image: null
      +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
      +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
      +body: """
        I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
        \n
        Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1700809862 {#1668
        date: 2023-11-24 08:11:02.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
        "@bbbhltz@beehaw.org"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1611 …}
      +nested: Doctrine\ORM\PersistentCollection {#1705 …}
      +votes: Doctrine\ORM\PersistentCollection {#1692 …}
      +reports: Doctrine\ORM\PersistentCollection {#1686 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
      -id: 157623
      -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://beehaw.org/comment/1722547"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700809862 {#1567
        date: 2023-11-24 08:11:02.0 +01:00
      }
      +"title": 157623
    }
  ]
  -id: 16138
  -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
  -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1700870525
  +visibility: "visible             "
  +apId: "https://feddit.de/post/5981126"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700784125 {#1610
    date: 2023-11-24 01:02:05.0 +01:00
  }
  +__isInitialized__: true
   …2
}

Proxies\__CG__\App\Entity\Entry {#1577
  +user: Proxies\__CG__\App\Entity\User {#2363 …}
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
  +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
  +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
  +url: "https://www.madaidans-insecurities.github.io/linux.html"
  +body: """
    Basically\n
    \n
    - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
    - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
    - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
    - X11 is insecure, okay we know that\n
    - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
    - Kernel bugs are often not fixed quickly or at all\n
    - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
    \n
    I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
    \n
    On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
    \n
    This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
    \n
    `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
    \n
    But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
    \n
    I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
    \n
    [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
    \n
    The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
    \n
    Maybe nix is a solution? Would this be a good idea?\n
    \n
    Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
    \n
    What do you know about this?
    """
  +type: "link"
  +lang: "en"
  +isOc: false
  +hasEmbed: false
  +commentCount: 8
  +favouriteCount: 36
  +score: 0
  +isAdult: false
  +sticky: false
  +lastActive: DateTime @1700929355 {#1741
    date: 2023-11-25 17:22:35.0 +01:00
  }
  +ip: null
  +adaAmount: 0
  +tags: null
  +mentions: null
  +comments: Doctrine\ORM\PersistentCollection {#1906 …}
  +votes: Doctrine\ORM\PersistentCollection {#2382 …}
  +reports: Doctrine\ORM\PersistentCollection {#2383 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
  +badges: Doctrine\ORM\PersistentCollection {#2021 …}
  +children: [
    1 => App\Entity\EntryComment {#1609
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
      +image: null
      +parent: null
      +root: null
      +body: """
        “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
        \n
        The irony.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 11
      +score: 0
      +lastActive: DateTime @1701510560 {#1431
        date: 2023-12-02 10:49:20.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1587 …}
      +nested: Doctrine\ORM\PersistentCollection {#1574 …}
      +votes: Doctrine\ORM\PersistentCollection {#1588 …}
      +reports: Doctrine\ORM\PersistentCollection {#1584 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
      -id: 157122
      -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://beehaw.org/comment/1721846"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700793081 {#1694
        date: 2023-11-24 03:31:21.0 +01:00
      }
      +"title": 157122
    }
    0 => App\Entity\EntryComment {#1550
      +user: App\Entity\User {#261 …}
      +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
      +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
      +image: null
      +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
      +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
      +body: """
        I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
        \n
        Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
        """
      +lang: "en"
      +isAdult: false
      +favouriteCount: 2
      +score: 0
      +lastActive: DateTime @1700809862 {#1668
        date: 2023-11-24 08:11:02.0 +01:00
      }
      +ip: null
      +tags: null
      +mentions: [
        "@Pantherina@feddit.de"
        "@bbbhltz@beehaw.org"
      ]
      +children: Doctrine\ORM\PersistentCollection {#1611 …}
      +nested: Doctrine\ORM\PersistentCollection {#1705 …}
      +votes: Doctrine\ORM\PersistentCollection {#1692 …}
      +reports: Doctrine\ORM\PersistentCollection {#1686 …}
      +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
      +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
      -id: 157623
      -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
      +ranking: 0
      +commentCount: 0
      +upVotes: 0
      +downVotes: 0
      +visibility: "visible             "
      +apId: "https://beehaw.org/comment/1722547"
      +editedAt: null
      +createdAt: DateTimeImmutable @1700809862 {#1567
        date: 2023-11-24 08:11:02.0 +01:00
      }
      +"title": 157623
    }
  ]
  -id: 16138
  -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
  -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
  +cross: false
  +upVotes: 0
  +downVotes: 0
  +ranking: 1700870525
  +visibility: "visible             "
  +apId: "https://feddit.de/post/5981126"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700784125 {#1610
    date: 2023-11-24 01:02:05.0 +01:00
  }
  +__isInitialized__: true
   …2
}

null

App\Entity\EntryComment {#1609
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1577
    +user: Proxies\__CG__\App\Entity\User {#2363 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
    +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
    +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
    +url: "https://www.madaidans-insecurities.github.io/linux.html"
    +body: """
      Basically\n
      \n
      - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
      - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
      - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
      - X11 is insecure, okay we know that\n
      - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
      - Kernel bugs are often not fixed quickly or at all\n
      - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
      \n
      I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
      \n
      On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
      \n
      This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
      \n
      `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
      \n
      But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
      \n
      I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
      \n
      [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
      \n
      The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
      \n
      Maybe nix is a solution? Would this be a good idea?\n
      \n
      Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
      \n
      What do you know about this?
      """
    +type: "link"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 8
    +favouriteCount: 36
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1700929355 {#1741
      date: 2023-11-25 17:22:35.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1906 …}
    +votes: Doctrine\ORM\PersistentCollection {#2382 …}
    +reports: Doctrine\ORM\PersistentCollection {#2383 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
    +badges: Doctrine\ORM\PersistentCollection {#2021 …}
    +children: [
      1 => App\Entity\EntryComment {#1609}
      0 => App\Entity\EntryComment {#1550
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
        +image: null
        +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
        +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
        +body: """
          I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
          \n
          Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 2
        +score: 0
        +lastActive: DateTime @1700809862 {#1668
          date: 2023-11-24 08:11:02.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@Pantherina@feddit.de"
          "@bbbhltz@beehaw.org"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1611 …}
        +nested: Doctrine\ORM\PersistentCollection {#1705 …}
        +votes: Doctrine\ORM\PersistentCollection {#1692 …}
        +reports: Doctrine\ORM\PersistentCollection {#1686 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
        -id: 157623
        -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://beehaw.org/comment/1722547"
        +editedAt: null
        +createdAt: DateTimeImmutable @1700809862 {#1567
          date: 2023-11-24 08:11:02.0 +01:00
        }
        +"title": 157623
      }
    ]
    -id: 16138
    -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
    -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700870525
    +visibility: "visible             "
    +apId: "https://feddit.de/post/5981126"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700784125 {#1610
      date: 2023-11-24 01:02:05.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +parent: null
  +root: null
  +body: """
    “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
    \n
    The irony.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 11
  +score: 0
  +lastActive: DateTime @1701510560 {#1431
    date: 2023-12-02 10:49:20.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@Pantherina@feddit.de"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1587 …}
  +nested: Doctrine\ORM\PersistentCollection {#1574 …}
  +votes: Doctrine\ORM\PersistentCollection {#1588 …}
  +reports: Doctrine\ORM\PersistentCollection {#1584 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
  -id: 157122
  -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://beehaw.org/comment/1721846"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700793081 {#1694
    date: 2023-11-24 03:31:21.0 +01:00
  }
  +"title": 157122
}

App\Entity\EntryComment {#1609
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1577
    +user: Proxies\__CG__\App\Entity\User {#2363 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
    +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
    +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
    +url: "https://www.madaidans-insecurities.github.io/linux.html"
    +body: """
      Basically\n
      \n
      - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
      - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
      - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
      - X11 is insecure, okay we know that\n
      - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
      - Kernel bugs are often not fixed quickly or at all\n
      - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
      \n
      I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
      \n
      On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
      \n
      This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
      \n
      `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
      \n
      But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
      \n
      I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
      \n
      [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
      \n
      The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
      \n
      Maybe nix is a solution? Would this be a good idea?\n
      \n
      Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
      \n
      What do you know about this?
      """
    +type: "link"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 8
    +favouriteCount: 36
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1700929355 {#1741
      date: 2023-11-25 17:22:35.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1906 …}
    +votes: Doctrine\ORM\PersistentCollection {#2382 …}
    +reports: Doctrine\ORM\PersistentCollection {#2383 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
    +badges: Doctrine\ORM\PersistentCollection {#2021 …}
    +children: [
      1 => App\Entity\EntryComment {#1609}
      0 => App\Entity\EntryComment {#1550
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
        +image: null
        +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
        +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
        +body: """
          I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
          \n
          Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 2
        +score: 0
        +lastActive: DateTime @1700809862 {#1668
          date: 2023-11-24 08:11:02.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@Pantherina@feddit.de"
          "@bbbhltz@beehaw.org"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1611 …}
        +nested: Doctrine\ORM\PersistentCollection {#1705 …}
        +votes: Doctrine\ORM\PersistentCollection {#1692 …}
        +reports: Doctrine\ORM\PersistentCollection {#1686 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
        -id: 157623
        -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://beehaw.org/comment/1722547"
        +editedAt: null
        +createdAt: DateTimeImmutable @1700809862 {#1567
          date: 2023-11-24 08:11:02.0 +01:00
        }
        +"title": 157623
      }
    ]
    -id: 16138
    -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
    -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700870525
    +visibility: "visible             "
    +apId: "https://feddit.de/post/5981126"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700784125 {#1610
      date: 2023-11-24 01:02:05.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +parent: null
  +root: null
  +body: """
    “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
    \n
    The irony.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 11
  +score: 0
  +lastActive: DateTime @1701510560 {#1431
    date: 2023-12-02 10:49:20.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@Pantherina@feddit.de"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1587 …}
  +nested: Doctrine\ORM\PersistentCollection {#1574 …}
  +votes: Doctrine\ORM\PersistentCollection {#1588 …}
  +reports: Doctrine\ORM\PersistentCollection {#1584 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
  -id: 157122
  -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://beehaw.org/comment/1721846"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700793081 {#1694
    date: 2023-11-24 03:31:21.0 +01:00
  }
  +"title": 157122
}

App\Entity\EntryComment {#1609
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1577
    +user: Proxies\__CG__\App\Entity\User {#2363 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
    +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
    +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
    +url: "https://www.madaidans-insecurities.github.io/linux.html"
    +body: """
      Basically\n
      \n
      - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
      - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
      - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
      - X11 is insecure, okay we know that\n
      - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
      - Kernel bugs are often not fixed quickly or at all\n
      - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
      \n
      I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
      \n
      On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
      \n
      This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
      \n
      `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
      \n
      But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
      \n
      I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
      \n
      [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
      \n
      The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
      \n
      Maybe nix is a solution? Would this be a good idea?\n
      \n
      Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
      \n
      What do you know about this?
      """
    +type: "link"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 8
    +favouriteCount: 36
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1700929355 {#1741
      date: 2023-11-25 17:22:35.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1906 …}
    +votes: Doctrine\ORM\PersistentCollection {#2382 …}
    +reports: Doctrine\ORM\PersistentCollection {#2383 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
    +badges: Doctrine\ORM\PersistentCollection {#2021 …}
    +children: [
      1 => App\Entity\EntryComment {#1609}
      0 => App\Entity\EntryComment {#1550
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
        +image: null
        +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
        +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
        +body: """
          I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
          \n
          Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 2
        +score: 0
        +lastActive: DateTime @1700809862 {#1668
          date: 2023-11-24 08:11:02.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@Pantherina@feddit.de"
          "@bbbhltz@beehaw.org"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1611 …}
        +nested: Doctrine\ORM\PersistentCollection {#1705 …}
        +votes: Doctrine\ORM\PersistentCollection {#1692 …}
        +reports: Doctrine\ORM\PersistentCollection {#1686 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
        -id: 157623
        -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://beehaw.org/comment/1722547"
        +editedAt: null
        +createdAt: DateTimeImmutable @1700809862 {#1567
          date: 2023-11-24 08:11:02.0 +01:00
        }
        +"title": 157623
      }
    ]
    -id: 16138
    -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
    -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700870525
    +visibility: "visible             "
    +apId: "https://feddit.de/post/5981126"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700784125 {#1610
      date: 2023-11-24 01:02:05.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +parent: null
  +root: null
  +body: """
    “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
    \n
    The irony.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 11
  +score: 0
  +lastActive: DateTime @1701510560 {#1431
    date: 2023-12-02 10:49:20.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@Pantherina@feddit.de"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1587 …}
  +nested: Doctrine\ORM\PersistentCollection {#1574 …}
  +votes: Doctrine\ORM\PersistentCollection {#1588 …}
  +reports: Doctrine\ORM\PersistentCollection {#1584 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
  -id: 157122
  -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://beehaw.org/comment/1721846"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700793081 {#1694
    date: 2023-11-24 03:31:21.0 +01:00
  }
  +"title": 157122
}

null

App\Entity\EntryComment {#1550
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1577
    +user: Proxies\__CG__\App\Entity\User {#2363 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
    +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
    +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
    +url: "https://www.madaidans-insecurities.github.io/linux.html"
    +body: """
      Basically\n
      \n
      - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
      - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
      - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
      - X11 is insecure, okay we know that\n
      - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
      - Kernel bugs are often not fixed quickly or at all\n
      - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
      \n
      I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
      \n
      On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
      \n
      This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
      \n
      `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
      \n
      But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
      \n
      I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
      \n
      [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
      \n
      The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
      \n
      Maybe nix is a solution? Would this be a good idea?\n
      \n
      Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
      \n
      What do you know about this?
      """
    +type: "link"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 8
    +favouriteCount: 36
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1700929355 {#1741
      date: 2023-11-25 17:22:35.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1906 …}
    +votes: Doctrine\ORM\PersistentCollection {#2382 …}
    +reports: Doctrine\ORM\PersistentCollection {#2383 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
    +badges: Doctrine\ORM\PersistentCollection {#2021 …}
    +children: [
      1 => App\Entity\EntryComment {#1609
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
        +image: null
        +parent: null
        +root: null
        +body: """
          “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
          \n
          The irony.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 11
        +score: 0
        +lastActive: DateTime @1701510560 {#1431
          date: 2023-12-02 10:49:20.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@Pantherina@feddit.de"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1587 …}
        +nested: Doctrine\ORM\PersistentCollection {#1574 …}
        +votes: Doctrine\ORM\PersistentCollection {#1588 …}
        +reports: Doctrine\ORM\PersistentCollection {#1584 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
        -id: 157122
        -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://beehaw.org/comment/1721846"
        +editedAt: null
        +createdAt: DateTimeImmutable @1700793081 {#1694
          date: 2023-11-24 03:31:21.0 +01:00
        }
        +"title": 157122
      }
      0 => App\Entity\EntryComment {#1550}
    ]
    -id: 16138
    -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
    -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700870525
    +visibility: "visible             "
    +apId: "https://feddit.de/post/5981126"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700784125 {#1610
      date: 2023-11-24 01:02:05.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
  +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
  +body: """
    I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
    \n
    Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 2
  +score: 0
  +lastActive: DateTime @1700809862 {#1668
    date: 2023-11-24 08:11:02.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@Pantherina@feddit.de"
    "@bbbhltz@beehaw.org"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1611 …}
  +nested: Doctrine\ORM\PersistentCollection {#1705 …}
  +votes: Doctrine\ORM\PersistentCollection {#1692 …}
  +reports: Doctrine\ORM\PersistentCollection {#1686 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
  -id: 157623
  -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://beehaw.org/comment/1722547"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700809862 {#1567
    date: 2023-11-24 08:11:02.0 +01:00
  }
  +"title": 157623
}

App\Entity\EntryComment {#1550
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1577
    +user: Proxies\__CG__\App\Entity\User {#2363 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
    +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
    +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
    +url: "https://www.madaidans-insecurities.github.io/linux.html"
    +body: """
      Basically\n
      \n
      - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
      - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
      - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
      - X11 is insecure, okay we know that\n
      - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
      - Kernel bugs are often not fixed quickly or at all\n
      - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
      \n
      I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
      \n
      On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
      \n
      This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
      \n
      `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
      \n
      But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
      \n
      I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
      \n
      [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
      \n
      The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
      \n
      Maybe nix is a solution? Would this be a good idea?\n
      \n
      Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
      \n
      What do you know about this?
      """
    +type: "link"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 8
    +favouriteCount: 36
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1700929355 {#1741
      date: 2023-11-25 17:22:35.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1906 …}
    +votes: Doctrine\ORM\PersistentCollection {#2382 …}
    +reports: Doctrine\ORM\PersistentCollection {#2383 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
    +badges: Doctrine\ORM\PersistentCollection {#2021 …}
    +children: [
      1 => App\Entity\EntryComment {#1609
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
        +image: null
        +parent: null
        +root: null
        +body: """
          “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
          \n
          The irony.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 11
        +score: 0
        +lastActive: DateTime @1701510560 {#1431
          date: 2023-12-02 10:49:20.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@Pantherina@feddit.de"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1587 …}
        +nested: Doctrine\ORM\PersistentCollection {#1574 …}
        +votes: Doctrine\ORM\PersistentCollection {#1588 …}
        +reports: Doctrine\ORM\PersistentCollection {#1584 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
        -id: 157122
        -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://beehaw.org/comment/1721846"
        +editedAt: null
        +createdAt: DateTimeImmutable @1700793081 {#1694
          date: 2023-11-24 03:31:21.0 +01:00
        }
        +"title": 157122
      }
      0 => App\Entity\EntryComment {#1550}
    ]
    -id: 16138
    -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
    -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700870525
    +visibility: "visible             "
    +apId: "https://feddit.de/post/5981126"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700784125 {#1610
      date: 2023-11-24 01:02:05.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
  +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
  +body: """
    I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
    \n
    Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 2
  +score: 0
  +lastActive: DateTime @1700809862 {#1668
    date: 2023-11-24 08:11:02.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@Pantherina@feddit.de"
    "@bbbhltz@beehaw.org"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1611 …}
  +nested: Doctrine\ORM\PersistentCollection {#1705 …}
  +votes: Doctrine\ORM\PersistentCollection {#1692 …}
  +reports: Doctrine\ORM\PersistentCollection {#1686 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
  -id: 157623
  -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://beehaw.org/comment/1722547"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700809862 {#1567
    date: 2023-11-24 08:11:02.0 +01:00
  }
  +"title": 157623
}

App\Entity\EntryComment {#1550
  +user: App\Entity\User {#261 …}
  +entry: Proxies\__CG__\App\Entity\Entry {#1577
    +user: Proxies\__CG__\App\Entity\User {#2363 …}
    +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
    +image: null
    +domain: Proxies\__CG__\App\Entity\Domain {#1909 …}
    +slug: "Just-read-Madaidans-Insecurities-Do-you-know-how-much-is"
    +title: "Just read Madaidans Insecurities. Do you know how much is still relevant?"
    +url: "https://www.madaidans-insecurities.github.io/linux.html"
    +body: """
      Basically\n
      \n
      - Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though\n
      - The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)\n
      - the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!\n
      - X11 is insecure, okay we know that\n
      - the kernel is very bloated and everything in there has all the permissions, which is not needed\n
      - Kernel bugs are often not fixed quickly or at all\n
      - Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE\n
      \n
      I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.\n
      \n
      On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.\n
      \n
      This would mean user namespaces need to be enabled again, which I can’t seem to make work with\n
      \n
      `sudo sysctl -w kernel.unprivileged_users_clone=1`\n
      \n
      But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?\n
      \n
      I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):\n
      \n
      [github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)\n
      \n
      The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.\n
      \n
      Maybe nix is a solution? Would this be a good idea?\n
      \n
      Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. [Here](https://github.com/rusty-snake/fedora-extras/tree/main/bubblejail) is a spec file from rusty-snake.\n
      \n
      What do you know about this?
      """
    +type: "link"
    +lang: "en"
    +isOc: false
    +hasEmbed: false
    +commentCount: 8
    +favouriteCount: 36
    +score: 0
    +isAdult: false
    +sticky: false
    +lastActive: DateTime @1700929355 {#1741
      date: 2023-11-25 17:22:35.0 +01:00
    }
    +ip: null
    +adaAmount: 0
    +tags: null
    +mentions: null
    +comments: Doctrine\ORM\PersistentCollection {#1906 …}
    +votes: Doctrine\ORM\PersistentCollection {#2382 …}
    +reports: Doctrine\ORM\PersistentCollection {#2383 …}
    +favourites: Doctrine\ORM\PersistentCollection {#1362 …}
    +notifications: Doctrine\ORM\PersistentCollection {#1401 …}
    +badges: Doctrine\ORM\PersistentCollection {#2021 …}
    +children: [
      1 => App\Entity\EntryComment {#1609
        +user: App\Entity\User {#261 …}
        +entry: Proxies\__CG__\App\Entity\Entry {#1577 …2}
        +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
        +image: null
        +parent: null
        +root: null
        +body: """
          “This connection is untrusted” “SSL_ERROR_BAD_CERT_DOMAIN”\n
          \n
          The irony.
          """
        +lang: "en"
        +isAdult: false
        +favouriteCount: 11
        +score: 0
        +lastActive: DateTime @1701510560 {#1431
          date: 2023-12-02 10:49:20.0 +01:00
        }
        +ip: null
        +tags: null
        +mentions: [
          "@Pantherina@feddit.de"
        ]
        +children: Doctrine\ORM\PersistentCollection {#1587 …}
        +nested: Doctrine\ORM\PersistentCollection {#1574 …}
        +votes: Doctrine\ORM\PersistentCollection {#1588 …}
        +reports: Doctrine\ORM\PersistentCollection {#1584 …}
        +favourites: Doctrine\ORM\PersistentCollection {#1551 …}
        +notifications: Doctrine\ORM\PersistentCollection {#1655 …}
        -id: 157122
        -bodyTs: "'bad':7 'cert':8 'connect':2 'domain':9 'error':6 'ironi':11 'ssl':5 'untrust':4"
        +ranking: 0
        +commentCount: 0
        +upVotes: 0
        +downVotes: 0
        +visibility: "visible             "
        +apId: "https://beehaw.org/comment/1721846"
        +editedAt: null
        +createdAt: DateTimeImmutable @1700793081 {#1694
          date: 2023-11-24 03:31:21.0 +01:00
        }
        +"title": 157122
      }
      0 => App\Entity\EntryComment {#1550}
    ]
    -id: 16138
    -titleTs: "'insecur':4 'know':7 'madaidan':3 'much':9 'read':2 'relev':12 'still':11"
    -bodyTs: "'/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':220 '/rusty-snake/fedora-extras/tree/main/bubblejail)':271 '1':177 'access':267 'actual':63 'anoth':248 'anymor':151 'app':18 'backport':110 'bad':4 'base':215 'basic':1 'bit':141 'bloat':78 'bubblejail':250 'bubblewrap':5 'bug':92,108,114 'button':61 'clone':176 'contain':37 'creat':184 'current':121 'cve':107,118 'deviat':210 'difficult':143 'distribut':216 'distro':102 'distrobox':40,148 'doesnt':181,186 'dont':115,149 'easili':51 'enabl':160 'endang':28 'enter':54 'especi':52 'everyth':80 'exist':182 'experi':122 'extract':49 'fedora':209,256 'file':180,275 'firefox':15 'fix':96 'flatpak':8,34,146,231 'get':116 'github.com':219,270 'github.com/qoijjj/hardened-images](https://github.com/qoijjj/hardened-images)':218 'github.com/rusty-snake/fedora-extras/tree/main/bubblejail)':269 'good':12,246 'grapheneo':132 'harden':125,128,203 'i.e':38 'idea':247 'imag':214,222 'image-bas':213 'implement':13 'insecur':69,104 'karg':193 'kernel':26,75,91,126 'kernel.unprivileged':174 'know':72,283 'like':230 'linux':138 'make':168,233,264 'malloc':129 'mani':112 'mayb':237 'mean':154 'might':62 'mod':204 'model':217 'namespac':31,156 'near':235 'need':90,157,189 'nix':238 'often':94 'okay':60,70 'opinion':225 'password':46 'permiss':86 'podman/docker':36 'point':249 'probabl':188 'quick':97 'rather':224 'realli':11 'remov':232 'repo':257 'root':45 'rusti':278 'rusty-snak':277 'sandbox':2,23,266 'secur':66,113,265 'seem':166 'sinc':133 'slight':208 'snake':279 'solut':241 'someth':195 'spec':274 'stabl':101 'sudo':171 'sysctl':172 'termin':58 'test':198 'thing':229 'though':14,24,144,226 'toolbox':42 'ublu':206 'unus':236 'use':6,32,131,201,211 'user':30,155,175 'veeeri':50 'w':173 'way':262 'well':22 'window':59 'work':150,169,187 'would':153,242,259 'x11':67 'year':136 'yet':253"
    +cross: false
    +upVotes: 0
    +downVotes: 0
    +ranking: 1700870525
    +visibility: "visible             "
    +apId: "https://feddit.de/post/5981126"
    +editedAt: null
    +createdAt: DateTimeImmutable @1700784125 {#1610
      date: 2023-11-24 01:02:05.0 +01:00
    }
    +__isInitialized__: true
     …2
  }
  +magazine: Proxies\__CG__\App\Entity\Magazine {#1586 …}
  +image: null
  +parent: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
  +root: Proxies\__CG__\App\Entity\EntryComment {#1598 …}
  +body: """
    I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.\n
    \n
    Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.
    """
  +lang: "en"
  +isAdult: false
  +favouriteCount: 2
  +score: 0
  +lastActive: DateTime @1700809862 {#1668
    date: 2023-11-24 08:11:02.0 +01:00
  }
  +ip: null
  +tags: null
  +mentions: [
    "@Pantherina@feddit.de"
    "@bbbhltz@beehaw.org"
  ]
  +children: Doctrine\ORM\PersistentCollection {#1611 …}
  +nested: Doctrine\ORM\PersistentCollection {#1705 …}
  +votes: Doctrine\ORM\PersistentCollection {#1692 …}
  +reports: Doctrine\ORM\PersistentCollection {#1686 …}
  +favourites: Doctrine\ORM\PersistentCollection {#1680 …}
  +notifications: Doctrine\ORM\PersistentCollection {#1683 …}
  -id: 157623
  -bodyTs: "'account':29 'advic':39 'bad':38 'control':78 'cours':81 'critic':22 'desktop':60 'differ':27 'dotfil':23 'github':10 'good':98 'keep':20 'least':95 'less':77 'll':68 'lot':71 'manner':79 'much':76 'natur':65 'need':45 'one':84 'overboard':90 'page':11 'permiss':24 'piec':99 'pro':53 'probabl':43 'program':73 'purpos':57 'read':3 'realli':106 'recommend':18 'rememb':2,107 'run':69 'server':56 'sysadmin':54 'system':50 'think':35 'thought':87 'use':48,61 'user':28 'wasn':7 'websit':16 'went':89 'yes':40"
  +ranking: 0
  +commentCount: 0
  +upVotes: 0
  +downVotes: 0
  +visibility: "visible             "
  +apId: "https://beehaw.org/comment/1722547"
  +editedAt: null
  +createdAt: DateTimeImmutable @1700809862 {#1567
    date: 2023-11-24 08:11:02.0 +01:00
  }
  +"title": 157623
}

null

null