They’re not doing like proton and close basic stuff like IMAP and SMTP as a way to force you on the official apps
The reason Proton cannot do IMAP/SMTP is that they cannot read your emails which is required for both. That’s a feature, not a bug.
PM works with any app as long as the app implements their custom protocol for which there are at least two FOSS implementations as a reference.
proton is a “fake” open source that is mostly used for marketing: they opened only the UI, which communicates with a proprietary protocol to a proprietary server - useless
While I’d also prefer their back-end to be OSS, it’s not nearly as critical as the clients.
As a user, it doesn’t make a difference. I’m paying for an opaque service either way.
All the interesting stuff (E2EE, zero access storage) happen in the clients anyways. The BE is fairly uninteresting; it’s a mail server + zero-access encryption + Proton account handling. If you really wanted to build a mail service similar to Proton, you could build that yourself and probably would have to anyways.
It doesn’t. If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?
If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?
Who is “they”? What about all the other ports?
Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?
Obviously you shouldn’t have insecure things listening there in the fist place but you don’t always get to choose whether some thing you’re hosting is currently secure or not or may not care too much because it’s just on the local network and you didn’t expose it to the internet.
This is what defense in depth is about; making it less likely for something to happen or the attack less potent even if your primary protections have failed.
#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access
Mostly addressed by the above but also note that you likely do have applications listening on ports you didn’t know about. Take a look at sudo ss -utpnl.
#5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.
It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.
OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.
People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?
I’d rather liken it to a razor fence around your house, protecting you from thieves even getting near it. Your windows are likely safe from intrusion but they’re known to be fragile. Razor fence can also be cut through but not everyone will have the skill or patience to do so.
If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, would you?
The best way I know of is to get yourself a VM and get into the weeds; try to configure a system to your liking.
Follow the NixOS manual. The Wiki is unofficial; often opinionated, out of date or just plain wrong. Take it with a grain of salt. The canonical source of documentation is the NixOS manual and it’s not nearly as bad as you may have heard.
Make extensive use of search.nixos.org/options or man configuration.nix. Finding and making proper use of options and the module system is the bread and butter of using NixOS.
Eventhough everyone and their mom will recommend them to you for nebulous reasons, ignore flakes for now. You will know when you’ll benefit from using them; namely when you need to use something outside of NixOS/Nixpkgs. You’re going to have enough to figure out with plain old NixOS on its own though; I don’t have external dependencies in my config to this day.
If this is a VM, video playback stutters do not surprise me one bit. There’s many layers between the video and the image you see on screen here and they’re not optimised for viewing fidelity. This is likely not due to Linux but because you’re running this inside a with an emulated GPU. GUIs in VMs usually suck.
Optional codecs won’t help for Youtube since they serve royalty-free codecs such as VP9 or AV1 most of the time rather than patent-encoumbered codecs such as H.264 and free codecs are always installed.
That would also not fix stutters, only videos not playing back at all (because there’d be no decoder that could).
If this is a VM, installing the Nvidia driver also won’t do anything because the machine has no access to your host’s GPU. Not that the nvidia driver would change anything about videos since no sane browser supports their proprietary crap driver, so it’s software decoding either way.
You should try this on real hardware. You technically don’t even need to install as most GUI distros have a graphical installer with Firefox etc. pre-installed that you can use to test this.
If you have an Nvidia GPU, I’d recommend you to try !pop_os.
there’s a different nvidia driver for each kernel version. Already a stupid design
That’s not a stupid design at all. A nvidia kernel module artifact is only compatible with exactly one kernel ABI. Thus you need one binary nvidia package for each kernel you ship.
Arch also has one package for every kernel ABI they ship: nvidia and nvidia-lts.
Though it should be noted that their design assumes that these two ABIs are the only possible ABIs which isn’t strictly the case as the zen, hardened or RT variants may sometimes lag behind their regular counterpart. That’s a stupid design if anything as it increases the friction of kernel ABI upgrades as a kernel package maintainer.
We at NixOS also ship the nvidia module for each of our ~50 kernel variants; all major versions of the Nvidia module compatible with that kernel in fact.
The only possible way to access these nvidia kernel modules is via a certain kernel’s linuxPackages attribute set that contains all packages that rely on a kernel ABI such as kernel modules or packages like perf. That’s good design if you ask me but I’m obviously biased ;)
And, even more importantly, search.nixos.org/options to figure out which options to set. Always search for options first. “Installing” something by just adding the package to systemPackages etc. is usually the correct thing to do for end-user applications but not for “system things” such as services.
While that is true, it’s also r13y on another level: Reproducible evaluation. That mostly stems from pure eval and locking.
In the “before times”, you’d get your Nix expressions from some mutable location in the Nix path, so running i.e. a nixos-rebuild on your configuration could produce two different eval results when ran at two different times, depending on whether anything about your channel configuration changed in the mean time. This cannot happen with flakes as all inputs are explicitly given and locked.
You could achieve the same using niv etc. before but that had its own issues.
It used to use Google search results but they switched to Bing. It is worse than Google.
That’d be news to me and an ad hoc comparison I just did shows results much closer to Google than Bing with results usually just locally having switched places while on Bing it’s an entirely different order.
They do(did?) use Bing for mobile search results because daddy Google forced them to not be competitive on the platform they’re most interested in.
I meant that as a reply to the second paragraph which generalised anarchism; including the non-Linux world.
I also disagree that this isn’t an issue in the broader Linux community however. See for example the loud minority with an irrational hate against quite obviously good software projects like systemd who got those ideas from charlatans or “experts”.