VPN dependent.

  • 7 Posts
  • 46 Comments
Joined 1 year ago
cake
Cake day: June 30th, 2023

help-circle

  • For backup and sync I use Syncthing. I can specify which folder on which devices I want to sync to which folder on the server.

    I use a folder based gallery on my phone so when I move stuff around on my phone (or on my server) it gets replicated on all my devices.

    I also have a policy to sync specified folders (and subfolder) with my family’s devices. No more " hey can you send me all the pics from the XYZ trip"

    We take a trip. Make a subolder for that trip in a shared folder dump all our pictures there, get home and open the folder on the computer and prune together.







  • I agree that by design Flatpak aims to provide a secure environment through sandboxing; in practice, the implementation has gaps that can lead to security risks, particularly when apps are granted extensive filesystem access. This can undermine the effectiveness of the sandbox and potentially expose systems to vulnerabilities. HOWEVER, being on an immutable system, these risks are mitigated to some degree.

    I’m particularly hopeful for Flatpak’s promise of fine grained permissions. Flatpak is developing a fine-grained permission system with portals for external interactions, BUT this system relies on integration with toolkits like GTK, rather than app-specific APIs, complicating its implementation. There is more info in the linked article in the previous post, and here it is again.

    Admittedly I’m not familiar with distrobox, but my caution is for any approach that distributes containerized programs with their own runtimes; they proved to be a real headache on my “mutable” system and my nvidia GPU until I switched to rolling OS.

    I’m glad you found some candidates to potentially resolve your issue. What distro did you end up using? I’m curious to give it a go next chance I have some free time. Cheers.


  • TL;DR: If I were to choose an immutable OS to run on my propriety graphics cards I’d choose an immutable distribution with rolling releases or hardware enablement packages, which tend to do a better job of keeping these graphics libraries up-to-date for new hardware.

    I don’t have a recommendation but I just learned about immutable Linux OSes from this post. I could see benefits of immutable OS files, but I’ve been skeptical about package distribution like flatpak and snap, at least in their current state.

    Dont get me wrong, the workflow of flatpack is great, but in my experience, apps from flatpack typically ship with their own runtime and don’t rely on system runtimes (likely why you have GPU driver issues). As a software developer, I obviously prefer to ship with all dependencies and runtimes so I don’t have to rely on the system to be updated but this comes with downsides:

    A major problem with alternate runtimes is drivers. New graphics hardware needs new graphics libraries which have a ton of dependencies. Mesa depends on LLVM for compiling shaders. The NVidia driver depends on a kernel module whose version must exactly match that of the library. All of these libraries have their own transitive dependencies like libdrm, libstdc++ and glibc. If you want new hardware to work, you need to be using new versions of all of these libraries.

    Linux distributions, especially those with rolling releases or hardware enablement packages, do a great job of keeping these libraries up-to-date for new hardware. Bundled runtimes do not. Source.

    I’d recommend checking out that article I linked as source. There are also security concerns of using apps, some of which are mitigated by having an immutable filesystem, but there are more points and this comment is long enough as it is.

    EDIT: I reread my comment and it comes off as “immutable bad, blah blah”. Truth is I don’t know much about these OSes but I wanted to point out that distributing apps in containers comes with its own challenges; which I gather is necessary for immutable OSes. So my TL;DR is to narrow down to a distribution that is immutable and has a rolling release or distributes hardware enablement packages.


  • The statement is very informative. The bug happens under increased read/write operations to the same file causing a race condition.

    I also found interesting:

    Despite the bug being present in OpenZFS for many years, this issue has not been found to impact any TrueNAS systems. The bug fix is scheduled to be included in OpenZFS 2.2.2 within the next week



  • Yes, some guy was streaming live on YouTube talking about a subject that he does not otherwise have, and he showed that before talking about the subject, there were no ads for dog toys, and after talking about dogs, there were ads about dog toys. The video isn’t really that great because he goes and clicks on an ad about a dog toy and proceeds to get more of them, so he kind of tainted his results.

    I wish I didn’t waste my time watching this video



  • thanks for the masterclass in CF tunnels.

    I am ready to accept everything you’ve said but there is the SSH case that keeps tripping me up. For reference, here is the CF docs on Connecting SSH through CF Tunnels.

    Can you help me clear up the misunderstanding here? From the docs it appears you can create a SSH key pair on a client and then copy the public key to the server. It does not appear that the docs state you need to share those keys with CF, so I assume (perhaps incorrectly) that my session will be encrypted with my private key (on client) and public key (on server).

    Again, what you said appears to make sense, perhaps SSH is the only edge case that is implemented differently?


  • hmm, I’m not sure I agree - or perhaps I didn’t explain myself well previously and caused confusion between us.

    Yes I agree with you in your description of how cloudflare encrypts -> decrypts -> encrypts; they are allowing you to ride over their network. If you remove cloudflare from the picture entirely, then you just have the internet facing server.

    What I’m saying is, if the client and endpoint (server) talk in an encrypted protocol, then cloudflare cannot MiTM the data, only the IP headers. This is similar if you were to connect to any ol’ website over an ISP’s network. If your session is not HTTPS, then your application data can be read. You can have encrypted sessions inside of CF tunnel-network-tunnel.

    If your services support encryption, great. But you can also expose a wireguard endpoint so you have the following

    wg client --(tunnel to CF)–> CF network --(tunnel to your server)–> wireguard server

    the real advantage to CF tunnel is hiding your IP from the public internet, not poking any holes in your firewall for ingress traffic, and cloudflare can apply firewall rules to those clients trying to reach your server by DNS hostname.


  • thanks.

    The last gleam of hope I had was last year when John Oliver did an episode on data brokers. He in turn went and purchased data that would match congressmen in the D.C. area, along with their “interests.” He jokingly threatened to release it (bc congressmen tend to act on an issue if it affects them personally). I thought that would be huge, everybody would see how rampant and invasive data collection would be. I was thrilled for a breakthrough.

    but so far no movement, hasn’t been released. I wonder if people wrote to John Oliver and his team if we will get an answer haha






  • I apologize, I misread the chain of comments. Your explanation is perfectly adequate for someone who has a basic grasp on networking and VPN and tunnels and encryption.

    I would just like to add that if your endpoints communicate via an encrypted transport (HTTPS, SSH, etc) then doesn’t matter if cloudflare tries to inspect your packets. There would be 2 layers of encryption while traversing the public web, then 1 layer when traversing CF’s network.

    And to some, packet inspection is not a downside since they can offer more protection - but that is totally up to your attack vector tollerence