

Is your flux config public?


99.9999% of freecell games are winnable. Very nice, and one of the reasons I preferred freecell.


https://opensource.google/documentation/reference/using/agpl-policy/
WARNING: Code licensed under the GNU Affero General Public License (AGPL) MUST NOT be used at Google.


I understand the technical challenges with running x86 apps on arm… but multiple wrappers that do something similar to proton have already been released.
If you follow the r/emulationonandroid subreddit, they have gotten PC games working on android for a while now. One of the wrappers, gamehub, has made it to the playstore. You can just sign in to your steam account (don’t do that, gamehub is sketchy af, proprietary, and by a company that stole gpl code from yuzu and didn’t release a derivative product), download games, and play them.
The current concern is performance, but most lower and midrange games run just fine.


Corporations really, really love being admin on everybody else’s devices. See kernel level anticheat.
I feel like people have gotten zero trust (I don’t need to trust anybody) confused with “I don’t trust anybody”.
I was listening to a podcast by packet pushers and they were like “So you meet a vendor, and they are like, ‘So what do you think zero trust means? We can work with that’”.


Actually, modern kali is a lot more usable than the older kali. Kali used to only have a root user, so chromium and electron apps wouldn’t start since they don’t run as root.
Despite this, nowadays I generally recommend new people away from kali, because I believe the process of installing the tools that kali provides on other distros is a valuable learning experience.
Kali is great for the professional, but for learners I prefer they get to experience the package manager or other aspects of system management.


UWP 💀
UWP is Microsoft’s “new” app format, it’s what the windows store and the xbox use.
It also isn’t compatible with wine, and my pet theory is that this was the entire point of it. Combined with Windows S mode, which doesn’t let you install apps other than from the windows store, the goal was to lock down the windows ecosystem by having apps that can’t be made to run on linux.
I remember seeing a compatibility layer for UWP apps a while ago, and I am pleased to see that it has come this far. Great work!
Edit: wait this uses a windows VM. Still good though and lets people escape the windows ecosystem.

As simpler and easier to use alternatives, check out voidauth and kanidm.


I don’t really understand why this is a concern with docker. Are there any particular features you want from version 29 that version 26 doesn’t offer?
The entire point of docker is that it doesn’t really matter what version of docker you have, the containers can still run.
Debian’s version of docker receives security updates in a timely manner, which should be enough.


I recommend libvirt + virt-manager as an alternative to hyper v.
The cool thing about virt manager is you can do it over ssh.


You are adding a new repo, but you should know that the debian repos already contain docker (via docker.io) and docker-compose.


I use authentik, which enables single sign on (the same account) between services.
Authentik is a bit complex and irritating at times, so I would recommend voidauth or kanidm as alternatives for most self hosters.


Except debian testing doesn’t receive security updates in a timely manner.
It’s designed exclusively for testing, not really for people to actually use it.


Would you use the cli?
One of the cool things I liked about calibre is that extensions worked via the cli interface as well, which made it easy to do batch workflows of operations on ebooks.


No, they added a beta vpn feature.


Does it require docker installed and being in the docker group, with the docker daemon running?
Just an FYI, having the ability to create containers and do other docker things is equivalent to root: https://docs.docker.com/engine/security/#docker-daemon-attack-surface
It’s not really accurate to say that your playbooks don’t require root to run when they basically do.
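
An added example, not part of the original comment: a defender's check for which accounts hold that root-equivalent access through the docker group, including accounts whose primary group is docker and which therefore never show up in the group's member list. The function name docker_equiv_root and the sample passwd/group data are constructed for illustration.

```shell
#!/bin/sh
# docker_equiv_root PASSWD_FILE GROUP_FILE
# Prints, sorted and one per line, every account in the "docker" group:
# supplementary members (group file, field 4) and accounts whose primary
# GID (passwd file, field 4) is the docker GID.
docker_equiv_root() {
    passwd_file=$1
    group_file=$2
    awk -F: '
        FILENAME == ARGV[1] {                 # first file: group database
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd database
        END { for (u in seen) print u }
    ' "$group_file" "$passwd_file" | sort
}

# Constructed sample databases (not taken from a real host).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:bob,ansible
users:x:100:carol
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash
ansible:x:1003:1003::/home/ansible:/bin/sh
ci:x:1004:998::/home/ci:/usr/sbin/nologin
EOF

# Every name printed here can start containers, so treat it like a root account.
docker_equiv_root "$sample_dir/passwd" "$sample_dir/group"
```

On a real host, feed it the output of `getent passwd` and `getent group` saved to files, so accounts from LDAP or SSSD are counted as well.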


I just installed Cilium (another Kubernetes CNI), and it also comes with a host based firewall, and an observability tool.

I didn’t have Hubble (observability tool) enabled, but I previously didn’t have a firewall, and I finally decided to enable it, which caused my ceph deployment to fail. This will help me figure out where it is failing and what rules are needed to remediate it.


https://shulker.jeremylvln.fr/
Which uses: https://agones.dev/site/#td-block-1
But your question is somewhat vague.


Share your lsblk output. It’s likely that your system still leaves the bootloader unencrypted on the disk, even if the kernels and bootloader config are being encrypted (they aren’t encrypted by default on most installs).
It is theoretically possible to have only one partition that is luks encrypted, but this requires you to store the bootloader in the UEFI, and not all motherboards support this, so distros usually just install it to an unencrypted partition. The UEFI needs to be able to read an unencrypted bootloader from somewhere. That’s why it’s somewhat absurd to claim that the ESP can be encrypted, because it simply can’t.
From your link:
One difference is that the kernel and the initrd will be placed in the unencrypted ESP,


I don’t know what the commenter you replied to is talking about, but systemd has its own firewalling and sandboxing capabilities. They probably mean that they don’t use docker for deployment of services at all.
Here is a blogpost about systemd’s firewall capabilities: https://www.ctrl.blog/entry/systemd-application-firewall.html
Here is a blogpost about systemd’s sandboxing: https://www.redhat.com/en/blog/mastering-systemd
Here is the archwiki’s docs about drop in units: https://wiki.archlinux.org/title/Systemd#Drop-in_files
I can understand why someone would like this, but this seems like a lot to learn and configure, whereas podman/docker deny most capabilities and network permissions by default.