wow 10 months flew by since this was posted and since then the United States had a surprise privacy bill that is bipartisan that sort of addresses the issues you and I mentioned. https://www.washingtonpost.com/technology/2024/04/07/congress-privacy-deal-cantwell-rodgers/

This bill was proposed around the same time the TikTok ban was announced. I speculate that law makers had a difficult time framing the arguments against TikTok when “the data of citizens have no protections so there was no easy legal grounds to forbit the likes of TikTok to harvest it”

From what I’ve heard, this bill is pretty good. I need to educate myself more on it, however.

For backup and sync I use Syncthing. I can specify which folder on which devices I want to sync to which folder on the server.

I use a folder based gallery on my phone so when I move stuff around on my phone (or on my server) it gets replicated on all my devices.

I also have a policy to sync specified folders (and subfolder) with my family’s devices. No more " hey can you send me all the pics from the XYZ trip"

We take a trip. Make a subolder for that trip in a shared folder dump all our pictures there, get home and open the folder on the computer and prune together.

Debian has the advantage of not using snapd like Ubuntu does. You have to not only remove snaps but also instruct the package manager not you pull in snaps as dependencies and not to favor snap packages.

I have fond memories of Ubuntu being my first distro many years ago but pushing snaps onto users to compete with flatpak is a nuisance.

You can still buy a lifetime licenses of office but you have to buy it from 3rd party sellers and then validate the license with M$. Example Deal..

I bought 2 of them and also saved the install binary to have office suite.

I use libreoffice personally but I have family members that get frustrated when they cannot find the same formatting options

newsblur

cool thanks.

Well I’m glad to hear these things being worked on and worked out

I agree that by design Flatpak aims to provide a secure environment through sandboxing; in practice, the implementation has gaps that can lead to security risks, particularly when apps are granted extensive filesystem access. This can undermine the effectiveness of the sandbox and potentially expose systems to vulnerabilities. HOWEVER, being on an immutable system, these risks are mitigated to some degree.

I’m particularly hopeful for Flatpak’s promise of fine grained permissions. Flatpak is developing a fine-grained permission system with portals for external interactions, BUT this system relies on integration with toolkits like GTK, rather than app-specific APIs, complicating its implementation. There is more info in the linked article in the previous post, and here it is again.

Admittedly I’m not familiar with distrobox, but my caution is for any approach that distributes containerized programs with their own runtimes; they proved to be a real headache on my “mutable” system and my nvidia GPU until I switched to rolling OS.

I’m glad you found some candidates to potentially resolve your issue. What distro did you end up using? I’m curious to give it a go next chance I have some free time. Cheers.

TL;DR: If I were to choose an immutable OS to run on my propriety graphics cards I’d choose an immutable distribution with rolling releases or hardware enablement packages, which tend to do a better job of keeping these graphics libraries up-to-date for new hardware.

I don’t have a recommendation but I just learned about immutable Linux OSes from this post. I could see benefits of immutable OS files, but I’ve been skeptical about package distribution like flatpak and snap, at least in their current state.

Dont get me wrong, the workflow of flatpack is great, but in my experience, apps from flatpack typically ship with their own runtime and don’t rely on system runtimes (likely why you have GPU driver issues). As a software developer, I obviously prefer to ship with all dependencies and runtimes so I don’t have to rely on the system to be updated but this comes with downsides:

A major problem with alternate runtimes is drivers. New graphics hardware needs new graphics libraries which have a ton of dependencies. Mesa depends on LLVM for compiling shaders. The NVidia driver depends on a kernel module whose version must exactly match that of the library. All of these libraries have their own transitive dependencies like libdrm, libstdc++ and glibc. If you want new hardware to work, you need to be using new versions of all of these libraries.

Linux distributions, especially those with rolling releases or hardware enablement packages, do a great job of keeping these libraries up-to-date for new hardware. Bundled runtimes do not. Source.

I’d recommend checking out that article I linked as source. There are also security concerns of using apps, some of which are mitigated by having an immutable filesystem, but there are more points and this comment is long enough as it is.

EDIT: I reread my comment and it comes off as “immutable bad, blah blah”. Truth is I don’t know much about these OSes but I wanted to point out that distributing apps in containers comes with its own challenges; which I gather is necessary for immutable OSes. So my TL;DR is to narrow down to a distribution that is immutable and has a rolling release or distributes hardware enablement packages.

The statement is very informative. The bug happens under increased read/write operations to the same file causing a race condition.

I also found interesting:

Despite the bug being present in OpenZFS for many years, this issue has not been found to impact any TrueNAS systems. The bug fix is scheduled to be included in OpenZFS 2.2.2 within the next week

using the settings you described ( minus the VPN ) I was not able to cloak myself over the past several days

Yes, some guy was streaming live on YouTube talking about a subject that he does not otherwise have, and he showed that before talking about the subject, there were no ads for dog toys, and after talking about dogs, there were ads about dog toys. The video isn’t really that great because he goes and clicks on an ad about a dog toy and proceeds to get more of them, so he kind of tainted his results.

I wish I didn’t waste my time watching this video

7 visits with brave, 7 times identified as the same. I’m using the default options of a fresh brave install

how did you have such success?

thanks for the masterclass in CF tunnels.

I am ready to accept everything you’ve said but there is the SSH case that keeps tripping me up. For reference, here is the CF docs on Connecting SSH through CF Tunnels.

Can you help me clear up the misunderstanding here? From the docs it appears you can create a SSH key pair on a client and then copy the public key to the server. It does not appear that the docs state you need to share those keys with CF, so I assume (perhaps incorrectly) that my session will be encrypted with my private key (on client) and public key (on server).

Again, what you said appears to make sense, perhaps SSH is the only edge case that is implemented differently?

hmm, I’m not sure I agree - or perhaps I didn’t explain myself well previously and caused confusion between us.

Yes I agree with you in your description of how cloudflare encrypts -> decrypts -> encrypts; they are allowing you to ride over their network. If you remove cloudflare from the picture entirely, then you just have the internet facing server.

What I’m saying is, if the client and endpoint (server) talk in an encrypted protocol, then cloudflare cannot MiTM the data, only the IP headers. This is similar if you were to connect to any ol’ website over an ISP’s network. If your session is not HTTPS, then your application data can be read. You can have encrypted sessions inside of CF tunnel-network-tunnel.

If your services support encryption, great. But you can also expose a wireguard endpoint so you have the following

wg client --(tunnel to CF)–> CF network --(tunnel to your server)–> wireguard server

the real advantage to CF tunnel is hiding your IP from the public internet, not poking any holes in your firewall for ingress traffic, and cloudflare can apply firewall rules to those clients trying to reach your server by DNS hostname.

thanks.

The last gleam of hope I had was last year when John Oliver did an episode on data brokers. He in turn went and purchased data that would match congressmen in the D.C. area, along with their “interests.” He jokingly threatened to release it (bc congressmen tend to act on an issue if it affects them personally). I thought that would be huge, everybody would see how rampant and invasive data collection would be. I was thrilled for a breakthrough.

but so far no movement, hasn’t been released. I wonder if people wrote to John Oliver and his team if we will get an answer haha

I feel so powerless, so hopeless.

Bills aren’t being passed by lawmakers because like many of us who care about privacy, they have not heard about the abilities of data brokers and have no visibility into how rampant and disgusting and invasive their behavior is.

Friends and family I talk to don’t care. “Oh well, what are they going to do, find me personally?”

I feel if people were able to look themselves up in these databases, they would fear it as well

interesting, I’ll have to read about this some more then. thanks for pointing me in the right direction

reminds me of the John Oliver episode on Data Brokers where he started buying up data on senators in an effort to get better regulations about tracking data and aggregation bc that seems to be the only way they want to pass bills. Their interests > interests of the people they should be representing

I apologize, I misread the chain of comments. Your explanation is perfectly adequate for someone who has a basic grasp on networking and VPN and tunnels and encryption.

I would just like to add that if your endpoints communicate via an encrypted transport (HTTPS, SSH, etc) then doesn’t matter if cloudflare tries to inspect your packets. There would be 2 layers of encryption while traversing the public web, then 1 layer when traversing CF’s network.

And to some, packet inspection is not a downside since they can offer more protection - but that is totally up to your attack vector tollerence

WARP (a client) just connects you to CF’s network.

If your server is running cloudflared (an outbound-only tunnel) then you can enroll your WARP client to reach your server, while your server is never accessible on the public web. That’s the principal behind Zero Trust.

While techinically yes, WARP can be considered as a VPN, it is just a secure tunnel to an endpoint. In which case you can argue any point-to-point tunnel is a VPN.