“Systemd provides a lot of network functionality in systemd-networkd, journald, timesyncd, etc. that is remote attack surface. All the systemd “cloud of daemons” is tightly coupled by dbus interfaces that enable an attacker to move from one exploited system service to the next. Even if the attacker doesn’t manage to find an exploit in another system service, DoS is easily possible because the DBUS interfaces are quite fragile. Even as a benevolent admin it is easily possible to get the system into a state where e.g. clean shutdown is no longer possible because systemctl doesn’t want to talk to systemd any longer and you cannot fix that. systemd-udevd also has race conditions galore, so sending any message to it in the wrong order relative to another one will kill the system, maybe even open exploit vectors. At the very least I would, for hardening, recommend not using any network-facing systemd functionality.
And lines of code are not ridiculous, they are the best first-order estimate available. Of course an actual inspection of the code is better for a comparison, but that is a huge task. sloccount is quick and easy.”
Err, why would a forum post single-handedly prove that the entire Linux enterprise world is being stupid, and how can you prove that he is even correct? He is alone, against the entire world. Red Hat sells that shit; if it wasn’t secure, companies wouldn’t buy it.
I am not saying this proves single-handedly that systemd has vulnerabilities but it is one of probably many out there. I am not saying enterprise is stupid but I could definitely see some sacrifice being possibly made to spend less time setting up utilities on every systemd machine for enterprise work.
I could definitely see some sacrifice being possibly made to spend less time setting up utilities on every systemd machine for enterprise work.
I’m not sure how much time you think anyone spends setting up systemd utilities… but as a home admin systemd has saved me a ton of time over the ragtag collection of shell scripts we had in the past. And a lot of that is because of its vastly improved logging.
I suppose if you consider logs to be “bloat” you won’t understand though. I consider them to be essential services.
I was saying that you do spend less time because it is already there. Also, you can have logs on other init systems; what I said in the post is that if I later wanted logs I could just set them up instead of them being already there (and the other utilities, not just the logs of course).
s6/66 simplifies the dependency handling of running/starting and automatically enables an s6-log for each service/daemon/bundle. It is much faster and smaller than systemd (by a factor of 10 maybe), and once it is up and running it is virtually impossible to bring down without its own routine. Servers have run consistently for a decade with s6, including skarnet.org.
Piggybacking to ask how one could play video from streaming services such as Netflix, Hulu, etc. in full HD under such a setup? My assumption is that videos would be played in a web browser, and most if not all streaming services like Netflix limit video playback to 720p in a web browser, although I’d love to be wrong about that.
There is a browser extension called “Netflix 1080p”, but in my experience the quality isn’t the same as Netflix’s native 1080p - the quality with the extension is visibly lower (but still better than 720p). And of course, it can’t do 4K at all. It also occasionally breaks, which is annoying.
If you really want to play streaming services at full quality, it’s better to just get a streaming stick like a Fire TV Stick, or a Roku or similar.
I’ve been using a htpc for TV content for years, and I’ve finally given up and just gonna pirate all my shit now. The hoops I’ve had to jump through to get 1080p on Linux, and Netflix/prime video working on my rooted lineageos phone has pissed me off too much. Researching all the *arr software packages and which sources to get content from, this weekend.
My understanding as a NixOS user is a lot of its fundamentals are very strongly coupled to systemd. It’s responsible for things like running system activation scripts and managing any services it exposes options to, so replacing it sounds like a tall order.
I’m not aware of any Nix-based alternatives, but I’d definitely welcome them! Oh and also, as others have pointed out, Guix might fit the bill depending on your needs.
Ahh, itsfoss.com. They had some article on “being a supercharged Joplin user” or some nonsense, and suggestion 3 or 4 was “Create a notebook”… Really being a power user when you’re utilizing the most basic functionality the app was created for…
I thought about doing that but updating nixos confuses me. Does nixos-rebuild switch pull new packages? To my understanding there is a file that saves all currently installed versions of packages and switch only adds new things but wouldn’t update packages.
Like, if I want to update Google Chrome. Doing switch wouldn’t change anything if the config hasn’t changed, right?
I believe that’s correct – if nothing has changed from your last generation, then the new generation will be identical. But if something has changed, it will do a bunch of duplicating and remapping of symlinks in the Nix store to ensure that everything plays nicely together and that you can roll back to a previous generation if needed.
So if you do a rebuild switch regularly, you will end up with gigs worth of old “copies” of things that aren’t being referenced in your current generation.
That’s what nix-collect-garbage handles – once you know your current generation is working well, you collect the garbage and recover that space, at the expense of not being able to roll back.
That’s why I think building a core system with NixOS and then having user software come from Flatpak is a nice combo for a simple workstation that won’t update and bork itself, leaving my grandpa without a laptop until I can come take a look.
Edit: To clarify, nixos-rebuild switch won’t update your Flatpaks at all – just the Flatpak service.
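The trade-off described in this comment (regular rebuilds accumulate old generations; garbage collection recovers the space but removes rollback targets) can be pinned down in the NixOS configuration itself. The fragment below is an added illustration, not configuration posted anywhere in this thread. The option names (boot.loader.systemd-boot.configurationLimit, nix.gc.*, nix.settings.auto-optimise-store, system.autoUpgrade.*, services.flatpak.enable) are real NixOS options; the 10-entry limit, 30-day window, weekly schedule and 04:00 upgrade time are assumed values chosen for the "grandpa's laptop" scenario.

```nix
# configuration.nix fragment (added example, not from the thread).
{ config, pkgs, ... }:

{
  # Only the newest 10 generations appear in the boot menu; older ones
  # still exist in the store until garbage collection removes them.
  boot.loader.systemd-boot.configurationLimit = 10;   # assumed value

  # Collect garbage weekly, but only generations older than 30 days, so a
  # bad update can still be rolled back for a month. This runs the same
  # operation as a manual `nix-collect-garbage --delete-older-than 30d`.
  nix.gc = {
    automatic = true;
    dates = "weekly";                  # assumed schedule
    options = "--delete-older-than 30d";
  };

  # Hard-link identical store files: recovers space without deleting any
  # generation, so it never costs a rollback target.
  nix.settings.auto-optimise-store = true;

  # Unattended rebuilds. allowReboot = false means a kernel update is staged
  # and takes effect at the next manual reboot, not in the middle of use.
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
    dates = "04:00";                   # assumed time
  };

  # Flatpak provides the user-facing apps; nixos-rebuild does not touch
  # them, they are updated separately with `flatpak update`.
  services.flatpak.enable = true;
}
```

Apply it with `nixos-rebuild switch`; if the new generation misbehaves, `nixos-rebuild switch --rollback` returns to the previous one, which is exactly why the garbage-collection window above is kept at 30 days rather than deleting everything immediately.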
That makes a lot of sense. I can set up their computer with NixOS, and stuff that needs to be updated regularly (like a web browser) can be Flatpak, which should be more stable too.
Then flatpak update would get them updated without rebuilding the whole OS.
My grandparents have been rocking Linux Mint for a few years. I have managed Chrome through Flatpak since I discovered that was possible on Mint. I’ve been flirting with the idea of having NixOS instead so I don’t have to remember what I’ve configured in the past. I’m not 100% sure now though :-P
Solution: the RPM Fedora version did work; the version from Flathub or the Fedora Flatpak repo did not work. I guess the Flatpak versions don't have the most recent xfreerdp version? I don't really know...
Could you please provide a brief description of Vital? I’m in the process of rebuilding my music-making setup after a 15-year-long hiatus, so I need to update myself on what’s out there.
On that note, it looks like I’m gonna go for bitwig over Ardour. Any thoughts/opinions on that?
Vital is a VST similar to Serum, a pretty popular paid VST. It has a bunch of preset sounds but offers a lot of options for effects and automation to design your own sounds. I use it a ton personally and get a lot of range from it.
Getting plugins to install is often a big hurdle; if they are working, they work. However, I think performance suffers a lot. Didn’t try it on any bigger synths yet though.
Might depend on what DAW you use, but I found it a bit tedious to set up with Ardour. After that it worked perfectly with the VSTs I was running on Windows, mainly Amplitube 5.
I use it for Spitfire LABS, OTT, and Delay Lama (very important) and all work great. There are occasional crashes when messing with parameters, but usually those don’t happen more than once. I haven’t noticed any performance issues.
Building images is easy enough. It’s pretty similar to how you’d install or compile software directly on the host. Just write a Dockerfile that runs the hide.me install script. I found this repo and image which may work for you as is or as a starting point.
When you run the image as a container you can set it up as the network gateway; just find a tutorial on how to set up a WireGuard container and replace WireGuard with your hide.me container.
In terms of kill switches you’d have to see how other people have done it, but it’s not impossible.
I found this repo and image which may work for you as is or as a starting point.
Wow, I completely missed this one! This is exactly what I was planning to do! I actually installed the original repo because I’m not on ARM, and it seems to work very well! I have to do a few tests to check if the kill switch actually works.
I didn’t even look to see if the one I linked was a fork. I’m glad it works!
A cool thing about Dockerfiles is that they’re usually architecture agnostic. I think the one I linked is as well, meaning that the architecture is only locked in when the image is built for a specific one. In this case the repo owner probably only built it for ARM machines, but a build for x86_64 should work as well.
Applications and programs that use a shell script as their launcher, for example IntelliJ IDEA, which uses ‘idea.sh’ to run the IDE, so it would be useful for people to right-click and just create the ‘.desktop’ file right away.
Isn’t it an entire OS? I only need to bind the internet traffic of my container to the ones I want, doing something like network_mode: container:myhidemecontainer in Docker Compose.
Don’t. Arch, Ubuntu, Debian, openSUSE, and Fedora are used in the exact same way. Pick one of them and then try different desktop environments; if you want, you can download the configurations for a distro from their source code.
Gnome has been pretty great on Wayland for a while.
Personally I’ve been using it since 2017, and besides a stint with a 1080 Ti that was constantly causing issues, it’s been pretty good besides screen sharing in some programs. Speaking of…
I just wish Discord would fix their shitty app or people would abandon that shitty app. Unfortunately neither looks likely.
Right, actually you can use Discord natively on Wayland just by passing the flags mentioned in the post. The only issue I have found with the official Discord client is that it doesn’t support streaming audio alongside streaming your screen, but Vesktop does the trick for that.
From my experience, it seems like the video quality really sucks the moment you try to stream anything more complex, like a 3D game. No indication on my side, but a friend complained and I got the same result checking the stream on a second device. Frame rate drops to 2 fps or worse, with bad quality on each frame.
I remember reading an issue on Vesktop about it, but it sounds like it might just come down to missing HW acceleration in Electron for the relevant APIs? Though if you have any suggestions and/or better results, I’d love to hear about them.
linux