NVIDIA’s Debian repo for CUDA has more up to date GPU drivers, if you don’t wanna manually install from the .run file. Documentation here, it’s not reflected yet in the docs but there’s a Debian 12 repo.
I’ve had good luck with refurbished Dell laptops. My primary laptop is a refurbished Dell Latitude 11" 3120. Bought it for ~$250 at beginning of this year and currently have Fedora on it. It’s not very powerful. I use it primarily to browse the web, watch movies/tv, and vnc/ssh to my other systems. Can last about 5-6 hours streaming video from jellyfin at 50% brightness, other stuff barely uses any power and can stretch out to 9-10 hours if I set display brightness even lower.
I’ve always bought Windows laptops then put Linux on them so I’m used to verifying that tools such as TLP are installed, configured, enabled, and working. There is too much variety with laptops for all of them to be handled automatically unfortunately so I always verify it. If a laptop came with Linux pre-installed then it might be good to go ootb but I’d still verify.
Interesting. 9-10 hours sounds nice! Do you think newer ones would have even better runtime? Have you used TLPUI? Maybe with a GUI I could get myself to play around with TLP…
The T480 and T580 are some of the last ones they made with swappable batteries. Everything works out of the box in Linux except the fingerprint scanner which needs some additional configuration.
I have a T480 with an integrated GPU and the largest battery. It runs for a long time on a charge and there are lots of spare parts available.
Just curious, the 72WH battery? What’s a “long time?” I use the standard slim battery on my T480 and was only getting 3-4 hours on Pop (both brand new batteries). And forget about standby. It would regularly lose 20-30% overnight if not completely shut down. Wanted to make it work, but that alone made me boot back into Windows for the laptop.
I still get over 12 hours of web browsing or video playback with the backlight around 30% on mine even though my internal battery is down to 60% capacity and my external is around 90%. Standby drains about 10% overnight. I am running Linux Mint on mine and I set up TLP. Undervolting can increase the runtime quite a bit, but I haven’t bothered with that yet.
Why buy Lenovo when there are a bunch of vendors making Linux-first laptops these days? When you buy Lenovo you’re supporting Microsoft and a bunch of other shady companies (firmware vendors, etc).
I’ve gotten both of my ThinkPads used, so none of that money went to Lenovo or Microsoft. The laptops that come with Linux are expensive and are rarely available used.
That’s a good reply. Reading the other replies, I realized that great runtime is very different for everyone. I wouldn’t consider 5-7 hours great. More like absolute minimum 8. Better is 10-12. This sounds very unlikely though, apart from MacBooks with ARM CPU.
If you want to game, stick to regular Fedora. A project that is actually secure is ublue with dedicated NVIDIA images that should just work and never break, and they even have Bazzite, an image specifically for the Steam Deck but also for desktop.
These images are only ½ day behind upstream, apply minimal additions and patches (like drivers, codecs, packages, udev rules for controllers) and Nick from the video above found out that the Nobara patches with their weird less supported kernel aren’t really worth the hassle.
I 100% agree, it’s best to just stick to upstream Fedora imo. Glad you made this comment. The security issues of Nobara always put me off, especially since basically everything it does can just be applied to regular Fedora. I think Nobara would much better serve as a script or toolkit, similar to Brace, or something along those lines instead of an entire separate OS with the security issues it brings.
Proprietary UEFI BIOS is, but for a secure system with local manipulation prevention it can be needed. Also secureboot is a security measure against malware so no, it’s simply the best we have.
Look at Coreboot if you want a secure modern system.
The vulnerability actually isn’t in Windows Boot Manager, it’s a flaw in the image-parsing code of the UEFI itself. That’s why it’s able to bypass SecureBoot.
It just happens that for whatever reason you can easily update the image file from within Windows/Linux itself. The fact they don’t show a logo currently does not mean you’re immune, as the system might just be showing a black screen at that point. Code can be injected into an image file without perceptibly affecting the image output, so you’d likely be able to use a “black screen” logo. If your computer has a UEFI instead of a BIOS, which is pretty much everything from the last 10yrs, then you are more than likely at risk.
My computer likely isn’t susceptible, and that’s because it’s a Dell workstation. While the bug still exists in the image parser, Dell has locked things down so it’s pretty much impossible to change the boot logo from userspace.
And that definition depends on how you define “benefitting the user”. If someone has an online match ruined by a hacker, I’d argue that they would have benefitted from the game running some kind of anticheat.
Do we define user as the singular individual person? Or do we consider the user as a collective, and factor in the larger benefit to the masses? It could even be argued that the people running cheats are the ones running malware (specifically, malware that targets the other users in the match) and should therefore be treated the same way we treat people who use more traditional viruses and trojans to the detriment of others. The same way you wouldn’t want some virus-ridden machine connecting to your home network (you’d probably want everyone to at least be running a basic virus scanner and have common sense when browsing), you would want everyone in the game running anticheat to ensure there is no malware.
Very few people would say that it’s okay to waste others’ time and computer resources on a bitcoin miner trojan… Most people would (correctly) determine that it is theft. But then when it comes to online games, the same people feel entitled to waste other people’s time and computer resources by ruining their matches.
That’s largely a corporate decision that is out of the hands of the programmers. Generally speaking, security specialists would agree with you. But running anticheat on the server costs server resources, which means you need more servers to accommodate the same number of players. Running it client-side is a cost cutting measure mandated by the corporate bean counters who did the math and concluded it’d be cheaper for the company to spend the users’ computer resources instead.
While I agree that client-side security isn’t the best solution, it’s certainly better than no solution. It’s the same argument people have against self-driving cars. The self-driving cars don’t need to be perfect; they just need to be better than the average driver. If they can reduce the number and severity of accidents that are currently happening without them, then they should be implemented. Even if the solution isn’t perfect. Because an imperfect solution is better than doing nothing at all.
You’re right and it’s a pragmatic approach to the problem. They only need broad technical effectiveness to change user behaviour.
I’d argue that it’s not strictly cost cutting but cost transferring. The total client resources most likely exceed that which would be needed on servers.
I don’t think that is a widely accepted holistic definition of malware. But even if, AC is not wasting resources. It’s taking the resources it needs to perform its job.
There are several forms of anticheat. The ones that just run when the game is running are usually fine. However, there is the Riot anti cheat which just runs all the time and isn’t uninstalled when Valorant is uninstalled. That is malware.
You’ve linked to their anti cheat which they also offer but it’s not their main product. Funny that you missed that, given that you were already on their web site and irdeto.com/denuvo/ spells out “Anti-Piracy technology” in huge font:
There are games with single player and multiplayer modes that come with anti cheat. I had some game a few months ago that was a Steam freebie (can’t remember the name) whose anti cheat didn’t install properly on Windows and it didn’t allow me to launch regular single player, only mod mode.
According to them ~58% of anti-cheat games work. There’s been a large uptick of anti-cheat support since the Steam Deck.
According to ProtonDB, 86% of the top 1000 games on Steam function (Silver+ rating). It’s a pretty safe bet that most of the missing 14% is probably due to anti-cheat.
It’s hard to really wrap your head around it without doing a ton of low-level taking things apart and putting them together differently.
But to answer, it’s pretty impressive the extent to which a full Linux install of any distro tends to just be like a bunch of legos put together in one particular way.
Theoretically, there’s no reason why you couldn’t ship-of-Theseus one distro into another. You’d have to have a good idea of what the differences between the two are, but it can certainly be done.
There’s a thing called a “chroot.” It’s basically a whole OS installed in a subdirectory on another whole OS. And there’s a command (also called “chroot”) that can be used to tell the parent OS to “give me a shell in the chroot OS – as in run the /path/to/chroot/bin/bash (or whatever) executable in ‘The Matrix’ such that that process thinks that the chroot is the root OS.” That lets you do some pretty cool stuff like building an OS to be installed on another box. But when you run in the chroot, it doesn’t load the guest OS’s kernel or (typically) init system or anything. The processes run on the host system’s kernel.
And it’s entirely possible to have the guest chroot system be a whole different distro than the host. (Though some distros will have tools that make it easier to chroot into a guest chroot of the same distro.) Which implies that you can just kind of substitute one distro’s kernel for another distro’s, right?
Turns out the answer to that question is “at least mostly yes.” Quick funny personal story. I started working somewhere recently where they allowed new hires a choice between Windows, Mac, or Linux on their work laptop. I chose Linux, but didn’t like the distro they pre-installed on it. (KDE Neon. I preferred Arch. Insert hate here.) But the laptop had secure boot enabled and the PC support department wasn’t willing to let me disable that. The laptop would only allow certain kernels to boot. Windows and some kernels from some unknown set of Linux distros.
Just as a quick aside, the way it knew how to deny a specific kernel from running or allow another to run was with signatures. Canonical, which makes Ubuntu, includes cryptographic signatures in the kernel file identifying that kernel image as made and certified by Canonical. (Microsoft does roughly the same thing for Windows kernels.) The secure boot system on the laptop has a list of trusted certificates. If the kernel that the bootloader (which is also signed, by the way) asks the secure boot system to boot is signed by one of those certificates, it boots. If not, secure boot denies the request. Theoretically more certificates can probably be configured/trusted, but that wasn’t an option in my case.
But I still wanted to run Arch! Now, KDE Neon uses the Ubuntu kernel, so I knew that was one I could boot without access to the secure boot config. So I grabbed the .deb for the Ubuntu kernel and wrote a script to convert the .deb for the Ubuntu kernel into an Arch package. (Arch doesn’t use .debs or .rpms. It uses “pacman packages”.) I installed that Arch package, configured the bootloader to point to the Arch install including that Ubuntu kernel, and booted it. Voilà! Arch (mostly) without secure boot access!
What I was running was really kind of 95% Arch and 5% Ubuntu kernel. Kind of a Frankenstein’s monster of OS’s. But it worked perfectly.
And theoretically, just about any part of a distro can be replaced with the equivalent from another distro. (Or from the upstream/source version.) You could technically take a Fedora system and replace the package manager with apt (I’m guessing there isn’t an rpm package that would install apt on your Fedora, so you might have to make it yourself or just build it from source and install it manually) pointed at Ubuntu repositories and transform Fedora piece-by-piece into Ubuntu. It’d be a pretty wild and messy process. And it would probably be easier to just reformat and install Ubuntu. But it could be done.
Similarly, you could replace the init system. Artix is a fork of Arch that gives a choice of init systems whereas Arch only supports Systemd. And it’s kind of another Frankenstein’s monster of an OS because it still relies heavily on the Arch repos. But it works.
This Arch story reminds me a lot of a r/talesfromtechsupport story that went remarkably similar but had a less happy ending for the Linux enthusiast, where he basically disabled the TPM and couldn’t access the company network because the network seemed to only allow trusted machines.
Can’t find it right now but maybe I can do some digging once I’m on a computer.
To tell the next part of my story, when I did all of what I described, I first backed up the KDE neon install onto a tiny little partition. So I still had it to go back to if I needed to.
And after I’d been using Arch for a good while, the VPN folks decided to retire OpenVPN and switch to something called “GlobalProtect”.
They run BMC, a remote machine management program, on all freshly-imaged machines. That lets them (un)install shit without the user’s knowledge and stuff. Windows users had lots of horror stories about “the great Java uninstall of 2018” where the PC Support folks just randomly decided one day to uninstall OpenJDK from every Windows user’s machine. While we were trying to write/maintain Java software written in-house. (This happened multiple times within a few years.)
One of the biggest benefits to running Linux (even if it was KDE Neon) was that the PC Support folks were scared of Linux and stayed very hands-off. They never (un)installed stuff remotely for KDE Neon users.
…until they switched to GlobalProtect. They wouldn’t give out the .deb for GlobalProtect to let folks install it themselves. They’d only install it for you via BMC.
But since I was running Arch and had never installed BMC, (actually I have another story about BMC on Arch, but I’ll save it for when I have more time), my machine was passed over when they installed GlobalProtect on all the KDE Neon machines.
So I rebooted into KDE Neon, asked pretty please that they install GlobalProtect, and have been using KDE Neon ever since.
Now, I’ve done nothing to disable the TPM or anything on Arch. I don’t think even if GlobalProtect uses the TPM that there’s any reason it couldn’t do so while on Arch. But I tried just copying the install from KDE Neon to Arch file-for-file and running it. It didn’t work. I had to strace it to get more info and… don’t remember what the error was about now. Some inter-process communication thing I had never heard of before wasn’t able to talk to the daemon process.
I keep telling myself I’m going to get GlobalProtect running on Arch again so I don’t have to keep using KDE Neon, but it’s been a while since I’ve worked on that any.
Also, one of my coworkers had been working for years by connecting to the company VPN from a personal machine. And I told him he needed to figure out his VPN situation months before they actually turned off OpenVPN. But he didn’t heed my warnings and when they shut off OpenVPN, he was screwed. He took the Mac they’d sent him when he was first hired off of mothballs and tried to get it running. They ended up just telling him they needed to send him a new machine. So he basically couldn’t work for almost two weeks while he waited for the new KDE Neon machine he ordered to get set up/imaged/etc and then shipped halfway across the country. He uses KDE Neon on a company laptop now.
There are some great stories about how we’ve messed with PC Support at this company. Lol.
Edit: Ok. I’ll tell the BMC-on-Arch story now.
Same company. Back before they were issuing secureboot’d machines, and before they offered the option of a Linux machine (or without special manager approval, a Mac, actually), I installed Arch on my host on a forgiveness-rather-than-permission basis.
When they started supporting Linux, they got BMC set up for Linux. (It had worked on Windows prior, of course.) And then they started sending me nagging emails about installing BMC. They knew my boss would back me up if they pressed me to switch back to Windows, so they didn’t push for that. But they wanted me to install BMC just to get the feature that it periodically phoned home to let PC Support know it was still in use and all that. (I think it also offered features like if I ever reported it stolen, they set it up so it would wipe its own hard drive next time it phoned home. To protect any trade secrets.)
I kind of ignored them for a while. Eventually they visited my desk in person. (This was before I was working remotely.) I was like “yeah, ok, tell me what to do” (I figured it was a good compromise that would let me keep Arch) and they were like “we’ll send you the installer.”
Now, the Linux distro they supported at the time wasn’t KDE Neon. It was Ubuntu. And I was on Arch. And I asked “the installer was probably packaged for Ubuntu, right? BMC is supposed to run as a daemon and Arch doesn’t even use the same init system. I’d be surprised if it worked.” And one of the PC support guys looked me right in the eye and passed his hand over his head in a “you’re talking over my head” gesture. And then walks away.
I received the installer. Tried to run it. It immediately choked for exactly the reason I suspected. Basically it looked at my system, didn’t find the init system it expected, and aborted before extracting the files to be installed.
So, was I going to give up and switch to Ubuntu? No! I wasn’t daunted.
So I broke out strace and gdb and managed to trick the installer into extracting the files. (Basically when it checked for the init system, I altered a variable from false to true to make it not abort before extracting.)
And then I just had to stick it at the right place on the filesystem. I never made a service file for it. I just manually ran it every now and then. And killed it a little while later. No one nagged me again.
Now, I wasn’t the only one who ran Arch. I had a coworker there who also ran Arch and somehow he was never nagged to install BMC. Not sure why. But when I left the company, I left all my work with this other coworker in case he ever needed it.
And then I returned to this company. It was after that that I did the Archbunkenstein thing because they’d started using machines that enforced secureboot. The coworker who was still running Arch when I returned had lost my BMC installer reverse engineering work. And still had never been nagged by PC Support. I expected to be nagged again, but I ran Archbunkenstein for a good year or so without anyone nagging me. When I switched back to KDE Neon for the VPN, it had BMC installed, so I’ve been using BMC ever since.
You may wish to investigate Bedrock Linux, it allows you to Frankenstein 2 (or more) distros together. I’m sure there’s a way you could have your KDE neon kernel plus BMC while having everything else Arch.
Using Btrfs you can do some pretty cool snapshotting: It’s basically like system restore of Windows but MUCH faster and pretty seamless. Even if you annihilate the whole operating system you can restore the snapshot and voila, have fun! It also has compression which can save some wear on SSDs and of course give you some more free™ storage space, which is cool [actual benefits depend on workload*]
There’s no GUI, but following the wiki pages on BTRFS subvolumes you should be able to make a subvolume for those with like 2 simple commands (take a look at the man page for BTRFS subvolumes as well)
I wasn’t cool enough to figure out how to “just boot into a snapshot” when I tried btrfs a while ago. I mean I did figure it out (maybe?) but somehow the read/write rights were messed up and the snapshot couldn’t actually boot/I wasn’t able to log in +___+ Just reinstalled the system with good old ext4. It sounds really cool, though …
Well, sounds like a setup or distro issue. It should work without problems on Debian/Ubuntu/Mint. Linux Mint even really supports it as a setup-less default with TimeShift.