Atemu

@Atemu@lemmy.ml

Interested in Linux, FOSS, data storage systems, unfucking our society and a bit of gaming.

I help maintain Nixpkgs.

github.com/Atemu
reddit.com/u/Atemu12 (Probably won’t be active much anymore.)

Atemu,

One “hammer” mitigation to most threats one could conceivably face when self-hosting is to never expose your services to the internet, using a firewall. “Securing” your services against a small circle of guests/friends/family members in your home network is a lot simpler than securing against the entire world.
If you need to access your services remotely, there are ways to achieve that without permanently opening a single port to the internet such as Tailscale or ZeroTier.

Otherwise, commonly used tools in self-hosting such as Docker or VMs usually offer quite decent separation even if a service is compromised.

Nothing replaces good security hygiene though. Keep your stuff up-to-date. Use secure methods of authentication such as hard to guess passwords or better. Make frequent backups (3-2-1). The usual.

Atemu,

Yeah, I’ve noticed the PayPal issue as well.

Atemu,

If I am packaging software for gentoo, all I have to do is translate the build instructions from the project’s documentation to gentoo’s package recipe.

It’s the same for Nixpkgs.

In nix, it seems that it is not that simple and you’ll have to do some exploration. Am I wrong?

In well behaved build systems, it’s likely easier to package than most other distros. If it’s not as well behaved you will have to do some “exploration” and the complexity can get quite out of control if the build system is exceptionally terrible.

Here is the package for the GNU hello program which uses a well-behaved build system:

github.com/NixOS/nixpkgs/blob/…/package.nix

If you ignore the optional passthru.tests, this is very simple. You provide metadata, sources etc. to the generic mkDerivation function and that’s it. The most complex non-standard thing this derivation does is enable the build system’s tests.

You don’t even need to run the provided build instructions because Nixpkgs’ stdenv abstracts those away. If it finds a makefile, it’ll automatically run make and make install with the correct flags for instance. Same for other standard build systems; if you pass cmake into nativeBuildInputs, it’ll attempt to build, install, check etc. using cmake’s standardised interfaces.

If the build system is poorly behaved however (like for instance Anki’s), you will have to get into the weeds and do some rather advanced things:

github.com/NixOS/nixpkgs/blob/…/default.nix

Luckily though, most packages aren’t like this.

Atemu,

#2 is strange – why does it matter?

It doesn’t. If you’re running a laptop with a local web server for development, you wouldn’t want other devices on, e.g., the coffee shop WiFi to be able to connect to your (likely insecure) local web server, would you?

If one is hosting a webserver on port 80, for example, they are going to poke a hole in their router’s NAT at port 80 to open that server’s port to the public. What difference does it make to then have another firewall that needs to be port forwarded?

Who is “they”? What about all the other ports?

Imagine a family member visits you and wants internet access on their Windows laptop, so you give them the WiFi password. Do you want that possibly malware-infected thing poking around at ports other than 80 running on your server?

Obviously you shouldn’t have insecure things listening there in the first place, but you don’t always get to choose whether some thing you’re hosting is currently secure or not, or you may not care too much because it’s just on the local network and you didn’t expose it to the internet.
This is what defense in depth is about; making it less likely for something to happen or the attack less potent even if your primary protections have failed.

#3 is a strange one – what sort of malicious behaviour could even be done to a device with no firewall? If you have no applications listening on any port, then there’s nothing to access

Mostly addressed by the above but also note that you likely do have applications listening on ports you didn’t know about. Take a look at sudo ss -utpnl.

#5 is the only one that makes some sense; if you install a program that you do not trust (you don’t know how it works), you don’t want it to be able to readily communicate with the outside world unless you explicitly grant it permission to do so. Such an unknown program could be the door to get into your device, or a spy on your device’s actions.

It’s rather the other way around; you don’t want the outside world to be able to talk to untrusted software on your computer. To be a classical “door”, the application must be able to listen to connections.

OTOH, smarter malware can of course be something like a door by requesting intrusion by itself, so outbound filtering is also something you should do with untrusted applications.

People seem to treat it as if it’s acting like the front door to a house, but this analogy doesn’t make much sense to me – without a house (a service listening on a port), what good is a door?

I’d rather liken it to a razor fence around your house, protecting you from thieves even getting near it. Your windows are likely safe from intrusion but they’re known to be fragile. Razor fence can also be cut through but not everyone will have the skill or patience to do so.

If it turned out your window could easily be opened from the outside, you’d rather have razor fence in front until you can replace the window, wouldn’t you?

Atemu,

In my case I have a number of sockets from spotify, and steam listening on port 0.0.0.0. I would assume, that these are only available to connections from the LAN?

That’s exactly the kind of thing I meant :)

These are likely for things like in-house streaming, LAN game downloads and remote music playing, so you may even want to consider explicitly allowing them through the firewall but they’re also potential security holes of applications running under your user that you have largely no control over.
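The `sudo ss -utpnl` check mentioned above, and the point about desktop applications quietly listening on 0.0.0.0, can be turned into a small audit. The following is an added example (not from the original thread or from any of the tools it names): it parses text in the column layout `ss -utpnl` prints and flags every socket bound to a wildcard or non-loopback address as reachable from other hosts on the network, which is exactly the set a host firewall would otherwise be the only thing protecting. The sample output is constructed, not captured from a real machine; process names and ports are made up for illustration.

```python
"""Audit listening sockets from `ss -utpnl` output.

A socket bound to 127.0.0.1 / ::1 only accepts local connections; one bound
to 0.0.0.0, :: or * (or to a specific LAN address) accepts connections from
any host that can reach the interface, so it is what a host firewall stands
in front of.  Added example, not part of the original thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the column layout `ss -utpnl` prints.  Processes,
# pids and ports are invented for the example.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=701,fd=12))
tcp   LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*         users:(("python3",pid=4242,fd=3))
tcp   LISTEN 0      50     0.0.0.0:57621       0.0.0.0:*         users:(("spotify",pid=3100,fd=77))
tcp   LISTEN 0      4096   *:27036             *:*               users:(("steam",pid=3200,fd=55))
tcp   LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=800,fd=7))
tcp   LISTEN 0      4096   *:22                *:*               users:(("sshd",pid=500,fd=3))
"""

WILDCARDS = {"*", "0.0.0.0", "::"}
# `ss -p` prints the owner as users:(("name",pid=N,fd=N)); grab the name.
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass
class Listener:
    proto: str
    address: str
    port: int
    process: str
    exposed: bool  # True when reachable from other hosts on the network


def _split_local(local: str):
    """Split 'addr:port' as ss prints it; handles [v6] brackets and %iface."""
    addr, port = local.rsplit(":", 1)
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port) if port.isdigit() else 0


def classify_address(addr: str) -> bool:
    """Return True if a socket bound to `addr` accepts remote connections."""
    if addr in WILDCARDS:
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Unrecognised form: treat as exposed, the conservative choice.
        return True


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -utpnl` style output into Listener records."""
    listeners = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Netid"):
            continue  # blank line or column header
        fields = line.split()
        if len(fields) < 6:
            continue  # not a socket line
        proto, local = fields[0], fields[4]
        addr, port = _split_local(local)
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr, port, process, classify_address(addr)))
    return listeners


def exposed_listeners(text: str) -> List[Listener]:
    """Only the sockets that other hosts could connect to."""
    return [l for l in parse_ss(text) if l.exposed]


def report(text: str) -> str:
    """Human-readable summary, one line per socket."""
    lines = []
    for l in parse_ss(text):
        scope = "NETWORK" if l.exposed else "local  "
        lines.append(f"{scope}  {l.proto:<4} {l.address}:{l.port}  ({l.process})")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host: parse_ss(subprocess.run(["ss", "-utpnl"], ...).stdout)
    print(report(SAMPLE_SS_OUTPUT))
```

Everything marked NETWORK is a socket that every device on the same WiFi can talk to unless a host firewall says otherwise; the loopback-only ones are the “local web server” case and need no rule. Run the real thing by feeding the output of `ss -utpnl` into `parse_ss` instead of the constructed sample.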

Atemu,

Proton would still need to make use of it.

ajayiyer, to linux

Gentle reminder to everyone that support for ends in about 90 weeks. Many computers can't upgrade to Win 11 so here are your options:

  1. Continue on Win 10 but with higher security risks.
  2. Buy new and expensive hardware that supports Win11.
  3. Try a beginner friendly distro like . It only takes about two months to acclimate.

@nixCraft @linux @windowscentralbot

Atemu,

All of them. You want to play your single player role playing game? Better have a hardware-attested system or else we can’t verify you’re not receiving that armor you need for the boss through anything but a microtransaction. It’s just 4.99€!

Atemu,

Some Adobe stuff runs in a web browser nowadays through WASM but if you’ve submitted to Adobe, Linux likely won’t be a possibility.

Atemu,

It’s the best solution, but my phone doesn’t have a headphone jack (fuck you, Apple).

You can buy a tiny DAC that plugs into the digital port of the phone.

I'm an idiot (arm)

EDIT: Putting this at the top because not everyone is seeing what I actually need. I can unpack the rar archive just fine. What I can’t do (on arm) is add to/update the files in the rar archive. I have unrar already installed. What I can’t install is the rar package to create/update rar archives....

Atemu,

It can only do that with the unfree unrar plugin. Do not expect your distro to ship it by default due to that issue.

Atemu,

Only with the unfree unrar plugin.

Atemu,

There is unrar which is source-available but its license is unfree because it restricts usage. See: fedoraproject.org/wiki/Licensing:Unrar

Atemu,

Indeed it won’t modify rar archives. What do you need those for?

The typical flow for rar archives is to unpack them and then either leave the files on disk as plain files or put them into a better archive format such as 7z.

Atemu,

Damn rat files…

I just opened a nix-shell with unrar in it on aarch64-linux and am able to execute it, so yes, it can be made to work.

Atemu, (edited )

Cookie banners are not really about cookies.

What they’re actually asking for is consent to process your data for profit in unethical ways. That usually involves cookies but could theoretically be done entirely without. They’re just a technological standard.

You might as well say: “We use https. [consent] [settings]”

Atemu,

I don’t know much about this space, so I’m not certain this kind of tool is what you’re looking for but I know of penpot.app.

Atemu,

And, most importantly, money bags to subsidise the hell out of it. Let’s not kid ourselves here, the damn low price is one of the main reasons why people buy the SD rather than the ~2x more expensive alternatives.

Atemu,

And, even more importantly, search.nixos.org/options to figure out which options to set. Always search for options first. “Installing” something by just adding the package to systemPackages etc. is usually the correct thing to do for end-user applications but not for “system things” such as services.

I'm so frustrated rn.

I have been distro hopping for about 2 weeks now, there’s always something that doesn’t work. I thought I would stick with Debian and now I haven’t been able to make my printer work in it, I think I tried in another distro and it just worked out of the box, but there’s always something that’s broken in every distro....

Atemu,

As an example, users of Debian are reporting tons of KDE Plasma bugs that were already fixed, but because they are running an ancient version, they still have the bugs.

The idea is that those bug fixes would be backported as patches; old feature version + new security/bug fixes.

In practice, that’s really expensive to do, so often times bug fixes simply aren’t backported and I don’t even want to know the story of security fixes though I’d hope they do better there.

Atemu,

Debian has an effective Rolling distribution through testing that can get ahead of Arch.

I wouldn’t call a distro “branch” where maintainers say “don’t use this, it’s not officially supported and may even be insecure” an “effective” distribution. I’d consider it a test bed.

Debian tends to align its release with LTS Kernel and Mesa releases so there have been times the latest stable is running newer versions than Ubuntu / Ubuntu LTS.

Ubuntu’s regular channel releases every 6 months, similar to Fedora or NixOS. That in itself is already a “stable” distro, just not long-time stable (LTS).
So Debian can for a short span of time after release be about as fresh as stable distros which is …kinda obvious? I would not consider a month or so every 2 years to be significant to even mention though, especially if you consider that Debian users aren’t the kind to jump onto a new release early on.

For some the priority to run software that won’t have major bugs, that is what Debian, Ubuntu LTS and RHEL offer.

That’s not the point of those distros at all. The point is to have the same features as well as bugs for longer periods of time. This is because some functionality the user wants could depend on such bugs/unintended behaviour to be present.

The fact that huge regressions have to be weeded out more carefully before release in LTS is obvious if you know that it’d be expected for those “bugs” to remain present throughout the release’s support window.

Atemu,

Depends. There was that one F2P COD clone which used TCP and IIRC it did fine?

Atemu, (edited )

You could take the revision number. nixos-unstable has 567011 commits currently.

Atemu,

I’ll let you in on a little secret: Fstab gets converted to mount units anyways.
