I have installed an OS onto just the btrfs root subvolume, leaving the home directory intact. This is how I originally swapped from Manjaro to Arch. The arch manual install instructions helped.

But this should be a feature of the graphical installers imo.

Transparent fileystem compression and deduplication (btrfs feature not in ext4) compresses data while still having it be accessible normally. This leads to big space savings.

You can use the tool compsize to check it out.

Postgres jsonb?

That’s what I thought too: https://programming.dev/comment/22854391

But it seems to be possible to still do them wrong.

I like ORM’s because they prevent sql injection. Mostly. Sql injection is a really bad vuln that’s nowhere near as ubiqitous as it used to be for every php app, and that’s partly due to ORM’s.

I don’t hate on any language’s syntax tbh, but the tooling for nix is absolutely miserable compared to similar.

People hate on yaml a lot, but I can start typing and then press tab and it completes a whole template for whatever k8s objecy I am trying to make. Having to copy from my other project’s shell.nix/whatever into the new one feels miserable in comparison.

Debian repos are basically guaranteed safe: https://programming.dev/comment/22863237

Flathub is much, much safer than say, the google play store, but it ultimately does follow a model of app developers submitting packages which get reviewed and approved. In theory, someone could sneak malware past that, although there haven’t been any incidents (perhaps flathub’s review is very effective?). But the snap store, which follows a similar model has had malware. But canonical hasn’t been the best steward of that one.

In addition to this, not all stuff on flathub is open source, which is definitely concerning.

Thankfully, flatpak has a built in sandboxing system, which lets you limit what the appps have access to. KDE has a UI for it, and there is also the GUI app flatseal.

malicious code does occasionally sneak into Debian distributed apps

Do you have an example of this? The xz utils backdoor did not make it into debian stable, only unstable.

Debian stable essentially forks every package, maintaining a custom codebase. They then cherry pick security updates only (ignoring feature updates or minor bugfixes), and applying those. This makes it extraordinarily resilient to any form of supply chain attack.

Flatpak’s show up in discover, and aren’t by the distro. Usually it’s flathub.

Journalists communicating with sources in censored regions

Whistleblowers sharing information securely

You and your peer agree on an encryption key (any string).

This is unacceptably unsecure for the usecases you mention. There is a reason why the most secure messaging apps don’t use symetric encryption, don’t use passphrases, and they also possess forward secrecy.

It’s pointless to push this as a censhorship circumvention method when many other methods exist that already do so 10x better, in a secure way, over decentralized, hidden and unblockable infrastructure. (Tor’s meek-azure bridges use microsoft’s infrastructure, which nobody is able to block because everybody depends on it, even China).

I appreciate the project, and I am always happy to see people learning, progressing, and publishing their results, but you need to be honest about the weaknesses of your software compared to established solutions. It’s not impossible for you to one day produce a secure messaging app, but today is not the day. Right now, using this is just a fast way to get killed.

It looks like they are using prepared statements, which prevent sql injection:

https://www.php.net/manual/en/pdo.prepared-statements.php

somewhat relevant: https://en.wikipedia.org/wiki/Shadow_IT

Also try wireguard over port 53. Often (udp) traffic to port 53 is unblocked because it’s needed for DNS.

What is special about this setup is that it can sometimes get around captive portal wifi.

If you use kde, you can search for “profile manager”, and it will show up, and can be launched from the app menu.

At least works for me. Before this was added, the KDE search/app menu also lets you run commands directly, so I would just run firefox -p in there. No need for a terminal.

Database performance on btrfs is miserable compared to zfs, whereas bcachefs was doing much better.

I say was because… see the other comment in the thread. :/

See this old but still relevant comment I made on another thread: https://programming.dev/post/11284326/8200514 . TLDR: There are plenty of ways to do it. But you have to do it yourself and it’s not an all in one solution. Users are the easiest part though. Servers are second easiest. Clients are more difficult.

Further solutions and quick notes since then:

• Authentik is what I use for shared logins. It supports ldap as well as oidc.
• Nubus by univention for user management. It’s a wrapper around openldap and keycloak, so it comes with both those in one solution which looks nice
• Himmelblau is authentication of local desktops via oidc. Maybe not needed but interesting regardless.
• Firefox has policies: https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson which let you control and enforce certain settings like preinstalled extensions and default settings. You will probably need this for clients.
• Linux’s Realmd respects some group policies. Not all and it depends, but I’ve discovered it respects some, converting values to analogs. I’m assuming that Red Hat’s freeIPA/389 directory server can serve group policies as well. I don’t know how reliable this is for top down config though.

I’m going to focus on clients because users and servers are basically solved although you will have to pick and implement a solution.

If I was in an all linux environment… it depends on how much control I have over the current setup. The best would probably be to push configuration (but that also supports regular pull as well) from the top down to the users, via something like building immutable images or NixOS configs and then shipping them to clients. This would be an all in one solution that comprehensively covers every part of config.

I do agree with the other user in the thread, that user config management is a bit more difficult. Firefox policies cover the biggest thing, the browser, but the rest is annoying. Nix user config, or home manager config could do it, but hmmm.

And then the other thing is client security. When it comes to the specific kind of client security that IT environments want, Linux isn’t as ahead. I would really want an alternative AppLocker, or something similar to restrict app execution. I can guess three possible ways to do this:

• Mounting home directory noexec
• SELinux
• Apparmor

But, I think you would want to restrict software installation and execution. Not just to prevent malware, but having users install proprietary licensed software in an enterprise environment without actually purchase it could quickly turn into a nightmare for everybody.

edit: ooh, check this out:

https://talks.nixcon.org/nixcon-2024/talk/R8ZBWW/

https://clan.lol/docs/25.11/getting-started/creating-your-first-clan

https://github.com/nix-community/awesome-nix?tab=readme-ov-file#deployment-tools

Edit2: also check out meshcentral.

It’s codeberg pages… It is generated directly from codeberg, which has doesn’t allow private repos.

Source code: https://codeberg.org/purpleweb/Riddles_0-385_App

hides as regular HTTPS traffic so it’s not blockable by Firewalls

From OP’s post, of course. If OP does not need to evade firewalls that are that aggressive, then they should have settled for a less stealthy VPN solution, as many of these HTTPS proxy solutions have performance and usability (can often only proxy TCP traffic) tradeoffs.

Perhaps they have already tried the wireguard on port 443 solution, and it didn’t work for them. My high school would auto detect and block wireguard to any port. Perhaps they are in a similar situation.

Seems to be the case:

https://github.com/anyproto/anytype-ts?tab=License-1-ov-file#readme

https://github.com/anyproto/anytype-kotlin?tab=License-1-ov-file#readme

The sync server is MIT though: https://github.com/anyproto/any-sync?tab=MIT-1-ov-file#readme

Interesting.

Many of the prominent https VPN protocols are for evading the great firewall of China. OP had that as a requirement, so it is not an unreasonable assumption.

If you are evading less locked down firewalls, then you don’t need as stealthy VPNs.