
Atemu

@Atemu@lemmy.ml

Interested in Linux, FOSS, data storage systems, unfucking our society and a bit of gaming.

I help maintain Nixpkgs.

github.com/Atemu
reddit.com/u/Atemu12 (Probably won’t be active much anymore.)


Atemu,

#2 is strange – why does it matter?

It doesn’t. If you’re running a laptop with a local web server for development, you wouldn’t want other devices in i.e. the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?

If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?

Who is “they”? What about all the other ports?

Imagine a family member visits you and wants internet access in their Windows laptop, so you give them the WiFi password. Do you want that possibly malware infected thing poking around at ports other than 80 running on your server?

Obviously you shouldn’t have insecure things listening there in the first place but you don’t always get to choose whether some thing you’re hosting is currently secure or not or may not care too much because it’s just on the local network and you didn’t expose it to the internet.
This is what defense in depth is about; making it less likely for something to happen or the attack less potent even if your primary protections have failed.

#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access

Mostly addressed by the above but also note that you likely do have applications listening on ports you didn’t know about. Take a look at sudo ss -utpnl.

#5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.

It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.

OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.

People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?

I’d rather liken it to a razor fence around your house, protecting you from thieves even getting near it. Your windows are likely safe from intrusion but they’re known to be fragile. Razor fence can also be cut through but not everyone will have the skill or patience to do so.

If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, would you?
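
The check suggested in the comment above (`sudo ss -utpnl`), as an added example that is not part of the original comment: a Python filter that reads that command's output and keeps only listeners bound to a non-loopback address, i.e. the ones other devices on the same network can reach when no host firewall is in front. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `sudo ss -utpnl` output (not captured from a real host).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=812,fd=13))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=790,fd=12))
tcp   LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=1021,fd=7))
tcp   LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*         users:(("node",pid=4242,fd=19))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=900,fd=4))
tcp   LISTEN 0      4096   [::1]:631          [::]:*            users:(("cupsd",pid=1021,fd=8))
"""

# First process name in the "users:((...))" column (only shown when run as root).
PROC_RE = re.compile(r'\(\("([^"]+)",pid=\d+')


def is_loopback(host):
    """True if the bind address is only reachable from the machine itself."""
    host = host.split("%", 1)[0].strip("[]")  # drop "%iface" scope and IPv6 brackets
    if host == "*":                            # ss prints "*" for a dual-stack wildcard
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output):
    """Return (proto, bind_address, port, process) for every non-loopback listener."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue                           # header or unrelated line
        host, port = fields[4].rsplit(":", 1)  # "Local Address:Port" column
        if is_loopback(host):
            continue
        match = PROC_RE.search(line)
        found.append((fields[0], host, int(port), match.group(1) if match else "?"))
    return found


if __name__ == "__main__":
    for proto, host, port, proc in exposed_listeners(SAMPLE):
        print(f"{proto:4} {host}:{port:<6} {proc}")
```

On a real machine, pass the text of `sudo ss -utpnl` to `exposed_listeners` instead of `SAMPLE`; anything it returns is what an inbound-filtering firewall would be shielding.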

ajayiyer, to linux
@ajayiyer@mastodon.social

Gentle reminder to everyone that support for ends in about 90 weeks. Many computers can't upgrade to Win 11 so here are your options:

  1. Continue on Win 10 but with higher security risks.
  2. Buy new and expensive hardware that supports Win11.
  3. Try a beginner friendly distro like . It only takes about two months to acclimate.

@nixCraft @linux @windowscentralbot

Atemu,

All of them. You want to play your single player role playing game? Better have a hardware-attested system or else we can’t verify you’re not receiving that armor you need for the boss through anything but a microtransaction. It’s just 4.99€!

Atemu,

It’s the best solution, but my phone doesn’t have a headphone jack (fuck you, Apple).

You can buy a tiny DAC that plugs into the digital port of the phone.

I'm an idiot (arm)

EDIT: Putting this at the top because not everyone is seeing what I actually need. I can unpack the rar archive just fine. What I can’t do (on arm) is add to/update the files in the rar archive. I have unrar already installed. What I can’t install is the rar package to create/update rar archives....

Atemu,

There is unrar which is source-available but its license is unfree because it restricts usage. See: fedoraproject.org/wiki/Licensing:Unrar

Atemu,

And, even more importantly, search.nixos.org/options to figure out which options to set. Always search for options first. “Installing” something by just adding the package to systemPackages etc. is usually the correct thing to do for end-user applications but not for “system things” such as services.

Atemu,

Problem is that the average person cannot discern between an actual expert and a charlatan.

Atemu,

It’s unknown whether he improved his temper or whether he just built a very good mail filter for himself though.

Atemu, (edited )

This is a lot to take in; it’s basically an overview of all the interesting features of Nix. When starting out, you don’t need this kind of in-depth knowledge. I personally gathered most of what was covered here in over 6-12 months of using it and I did just fine.

It might still not be for you but don’t take this as the reference point.

Atemu,

While that is true, it’s also r13y on another level: Reproducible evaluation. That mostly stems from pure eval and locking.

In the “before times”, you’d get your Nix expressions from some mutable location in the Nix path, so running i.e. a nixos-rebuild on your configuration could produce two different eval results when run at two different times, depending on whether anything about your channel configuration changed in the meantime. This cannot happen with flakes as all inputs are explicitly given and locked.

You could achieve the same using niv etc. before but that had its own issues.

Atemu,

Why go through all of that complexity when you could just sudo apt install docker?

Atemu, (edited )

Yes, a slight speed decrease is expected even with good proxy services at common residential speeds. Given that yours is far above the average, a greater decrease can be expected. It shouldn’t be this much though.

If this is installed on a common “router” SOHO gateway appliance, it’s likely that its hardware is simply not able to keep up with the tunnelling workload (encryption, package handling). For troubleshooting, try the same proxy server on a more powerful machine while disabling the proxy on the gateway. If it’s faster, that’s likely your issue.

Also try a different proxy server. That particular one might simply not have enough capacity to serve you more than that.

Comparing compression in AV1, x264, and x265 (kbin.social)

I recently got it into my head to compare the various popular video codecs in an effort to better understand how av1 works and looks compared to x264 and x265. I also had ideas of using an Intel video card to compress a home video security setup, and what levels of compression I would need to get good results....

Atemu,

The “av1” numbers, which codec is that? There are many av1 encoders and even for Intel HW accel, there are at least two.

Atemu,

meaning every step of building the kernel, including the steps taken to build the C compiler toolchain, are produced by code that is simple enough to check for correctness and safety.

Full-source bootstrap isn’t about just the kernel, it affects every piece of software. With GUIX and Nix, every single package can be fully traced back to the bootstrap seed.

Though it should be noted that you do require a running Linux kernel on an x86 machine in order to bootstrap.

it is not quite to the point where it /just works/ on a lot of the computer hardware that I own.

Unless we get some serious money, effort and/or regulation w.r.t. OSS firmware, that will likely never be the case.
That has nothing to do with its technology though, that’s a political issue. GUIX is a GNU project and acts like proprietary software does not exist/is not a basic necessity in 2023.

Atemu,

They’re not doing like proton and close basic stuff like IMAP and SMTP as a way to force you on the official apps

The reason Proton cannot do IMAP/SMTP is that they cannot read your emails which is required for both. That’s a feature, not a bug.

PM works with any app as long as the app implements their custom protocol for which there are at least two FOSS implementations as a reference.

proton is a “fake” open source that is mostly used for marketing: they opened only the UI, which communicates with a proprietary protocol to a proprietary server - useless

While I’d also prefer their back-end to be OSS, it’s not nearly as critical as the clients.
As a user, it doesn’t make a difference. I’m paying for an opaque service either way.

All the interesting stuff (E2EE, zero access storage) happens in the clients anyways. The BE is fairly uninteresting; it’s a mail server + zero-access encryption + Proton account handling. If you really wanted to build a mail service similar to Proton, you could build that yourself and probably would have to anyways.

Dual Booting: How in god's name?!

I have one drive, 1tb with Pop_OS, and another, 500 on to which I want to install windows. (I know, I don't like it either but I want to play VR games via link cable cause ALVR is really mid) So, I put the ISO on a drive with ventoy, booted it up, got it all going. Started to install windows on the empty drive. So, after the five...

Atemu,

Ah I think Windows does this “helpful” thing where it installs its bootloader into the ESP of any drive if it’s already present rather than the drive you explicitly told it to install onto.

You didn’t have anything in it yet, right? Unplug all other drives and then re-install Windows onto the drive. It should work as expected after that.

IIRC Pop!_OS sets the systemd-boot timeout super short; you have to hold a key after the firmware is done or something to get to it reliably or simply increase the timeout (1s is enough, I have it set to that on my systems). systemd-boot should give you the option to boot any windows installation though, it can auto-detect them.

NixOS beginner resources

Heya, been hearing about NixOS for a long time now, mostly from the peeps over at the Linux Unplugged podcast. So was thinking about jumping onto the nix-train, however it seems like it has a learning curve. Does anyone have any good learning resources, blog-posts, guides, whatever beans that you used to get started with NixOS?...

Atemu,

The best way I know of is to get yourself a VM and get into the weeds; try to configure a system to your liking.

Follow the NixOS manual. The Wiki is unofficial; often opinionated, out of date or just plain wrong. Take it with a grain of salt. The canonical source of documentation is the NixOS manual and it’s not nearly as bad as you may have heard.

Make extensive use of search.nixos.org/options or man configuration.nix. Finding and making proper use of options and the module system is the bread and butter of using NixOS.

Even though everyone and their mom will recommend them to you for nebulous reasons, ignore flakes for now. You will know when you’ll benefit from using them; namely when you need to use something outside of NixOS/Nixpkgs. You’re going to have enough to figure out with plain old NixOS on its own though; I don’t have external dependencies in my config to this day.

To wrap it up, make sure to ask the community if something’s not working as expected: github.com/NixOS/nixpkgs#community

Atemu,

(Unless they have installed it onto their ASUS ROG Ally of course.)

(solved) I can't get my linux system to run properly

I chose to use opensuse tw kde based on some vm tests. The installation was easy but for some reason the video playback on youtube is terrible. It stutters. First thing I did after install was to use opi to install codecs. Then I used Yast to get the Nvidia repo. Lastly, I used the software manager to install the video g06...

Atemu, (edited )

If this is a VM, video playback stutters do not surprise me one bit. There’s many layers between the video and the image you see on screen here and they’re not optimised for viewing fidelity. This is likely not due to Linux but because you’re running this inside a with an emulated GPU. GUIs in VMs usually suck.

Optional codecs won’t help for Youtube since they serve royalty-free codecs such as VP9 or AV1 most of the time rather than patent-encumbered codecs such as H.264 and free codecs are always installed.
That would also not fix stutters, only videos not playing back at all (because there’d be no decoder that could).

If this is a VM, installing the Nvidia driver also won’t do anything because the machine has no access to your host’s GPU. Not that the nvidia driver would change anything about videos since no sane browser supports their proprietary crap driver, so it’s software decoding either way.

You should try this on real hardware. You technically don’t even need to install as most GUI distros have a graphical installer with Firefox etc. pre-installed that you can use to test this.

If you have an Nvidia GPU, I’d recommend you to try !pop_os.

Atemu,

You should be spending very little time, if any, in that folder.

Hahaha, tell that to lemmy.ml/c/unixporn

Atemu,

there’s a different nvidia driver for each kernel version. Already a stupid design

That’s not a stupid design at all. A nvidia kernel module artifact is only compatible with exactly one kernel ABI. Thus you need one binary nvidia package for each kernel you ship.

Arch also has one package for every kernel ABI they ship: nvidia and nvidia-lts.
Though it should be noted that their design assumes that these two ABIs are the only possible ABIs which isn’t strictly the case as the zen, hardened or RT variants may sometimes lag behind their regular counterpart. That’s a stupid design if anything as it increases the friction of kernel ABI upgrades as a kernel package maintainer.

We at NixOS also ship the nvidia module for each of our ~50 kernel variants; all major versions of the Nvidia module compatible with that kernel in fact.
The only possible way to access these nvidia kernel modules is via a certain kernel’s linuxPackages attribute set that contains all packages that rely on a kernel ABI such as kernel modules or packages like perf. That’s good design if you ask me but I’m obviously biased ;)

Google Researchers’ Attack Prompts ChatGPT to Reveal Its Training Data (www.404media.co)

ChatGPT is full of sensitive private information and spits out verbatim text from CNN, Goodreads, WordPress blogs, fandom wikis, Terms of Service agreements, Stack Overflow source code, Wikipedia pages, news blogs, random internet comments, and much more....

Atemu,

Accountability? For tech giants? AHAHAHAAHAHAHAHAHAHAHAAHAHAHAA

Atemu,

I don’t know about timeshift but it appears to have a configuration tab for snapper.

Proton Mail CEO Calls New Address Verification Feature 'Blockchain in a Very Pure Form' (tech.slashdot.org)

Proton Mail, the leading privacy-focused email service, is making its first foray into blockchain technology with Key Transparency, which will allow users to verify email addresses. From a report: In an interview with Fortune, CEO and founder Andy Yen made clear that although the new feature uses blockchain, the key technology...

Atemu,

Homomorphic encryption enables votes to be both public and obfuscated at the same time.

That’s nice but has nothing to do with voter fraud prevention.

I will not reply to the stupid ad hominem. You have made it exceptionally clear that you have no idea what my political views are.

Atemu,

If you’re only using this filesystem on Linux anyways, absolutely.
