Those kinds of problems aren’t particularly new (PGP comes to mind as an example back when you couldn’t export it out of the US), but it’s a reminder that a lot of open-source comes from the US and Europe and is subject to western nation’s will. The US is also apparently thinks China is “stealing” RISC-V.

To me that goes against the spirit of open-source, where where you come from and who you are shouldn’t matter, because the code is by the people for the people and no money is exchanged. It’s already out there in the open, it’s not like it will stop the enemy from using the code. What’s also silly about this is if the those people were contributing anonymously under a fake or generic name, nothing would have happened.

The Internet got ruined when Facebook normalized/enforced using your real identity online.

The sandboxing is almost always better because it’s an extra layer.

Even if you gain root inside the container, you’re not necessarily even root on the host. So you have to exploit some software that has a known vulnerable library, trigger that in that single application that uses this particular library version, root or escape the container, and then root the host too.

The most likely outcome is it messes up your home folder and anything your user have access to, but more likely less.

Also, something with a known vulnerability doesn’t mean it’s triggerable. If you use say, a zip library and only use it to decompress your own assets, then it doesn’t matter what bugs it has, it will only ever decompress that one known good zip file. It’s only a problem if untrusted files gets involved that you can trick the user in causing them to be opened and trigger the exploit.

It’s not ideal to have outdated dependencies, but the sandboxing helps a lot, and the fact only a few apps have known vulnerable libraries further reduces the attack surface. You start having to chain a lot of exploits to do anything meaningful, and at that point you target those kind of efforts to bigger more valuable targets.

No, if you deleted the btrfs driver it would simply fail to mount due to the missing driver, if it’s a separate module in the first place. Same with LUKS, if you don’t have the tools or the drivers installed for it, it’ll just not mount it. You’d have to be accessing the drive directly with something like dd to corrupt it.

The error says /home is a symlink, what if you ls -l /home?

Since this is an atomic distro, /home might be a symlink to /var/home.

Docker, Distrobox, Toybox, systemd-nspawn, chroot.

Technically those all rely on the same kernel namespace features, just different ways to use it.

That’s also what Flatpaks and Snaps do. If you only care about package bloat, an AppImage would do too but it’s not a sandbox like Flatpak.

auto rollbacks and easy switching between states.

That’s the beauty of snapshots, you can boot them. So you just need GRUB to generate the correct menu and you can boot any arbitrary version of your system. On the ZFS side of things there’s zfsbootmenu, but I’m pretty sure I’ve seen it for btrfs too. You don’t even need rsync, you can use ssh $server btrfs send | btrfs recv and it should in theory be faster too (btrfs knows if you only modified one block of a big file).

and the current r/w system as the part that gets updated.

That kind of goes against the immutable thing. What I’d do is make a script that mounts a fork of the current snapshot readwrite into a temporary directory, chroot into it, install packages, exit chroot, unmount and then commit those changes as a snapshot. That’s the closest I can think of that’s easy to DIY that’s basically what rpm-ostree install does. It does it differently (daemon that manages hardlinks), but filesystem snapshots basically do the same thing without the extra work.

However, I think it would be good to use OStree

I found this, maybe it’ll help: https://ostreedev.github.io/ostree/adapting-existing/

It looks like the fundamental is the same, temporary directory you run the package manager into and then you commit the changes. So you can probably make it work with Debian if you want to spend the time.

All you really have to do for that is mount the partition readonly, and have a designated writable data partition for the rest. That can be as simple as setting it ro in your fstab.

How you ship updates can take many forms. If you don’t need your distro atomic, you can temporarily remount readwrite, rsync the new version over and make it readonly again. If you want it atomic, there’s the classic A/B scheme (Android, SteamOS), where you just download the image to the inactive partition and then just switch over when it’s ready to boot into. You can also do btrfs/ZFS snapshots, where the current system is forked off a snapshot. On your builder you just make your changes, then take a snapshot, then zfs/btrfs send it as a snapshot to all your other machines and you just boot off that new snapshot (readonly). It’s really not that magic: even Docker, if you dig deep enough, it’s just essentially tarballs being downloaded then extracted each in their own folder, and the layering actually comes from stacking them with overlayfs. What rpm-ostree does, from a quick glance at the docs, is they leverage the immutability and just build a new version of the filesystem using hardlinks and you just switch root to it. If you’ve ever opened an rpm or deb file, it’s just a regular tarball and the contents pretty much maps directly to the filesytem.

Here’s an Arch package example, but rpm/deb are about the same:

max-p@desktop /v/c/p/aur> tar -tvf zfs-utils-2.2.6-3-x86_64.pkg.tar.zst 
-rw-r--r-- root/root    114771 2024-10-13 01:43 .BUILDINFO
drwxr-xr-x root/root         0 2024-10-13 01:43 etc/
drwxr-xr-x root/root         0 2024-10-13 01:43 etc/bash_completion.d/
-rw-r--r-- root/root     15136 2024-10-13 01:43 etc/bash_completion.d/zfs
-rw-r--r-- root/root     15136 2024-10-13 01:43 etc/bash_completion.d/zpool
drwxr-xr-x root/root         0 2024-10-13 01:43 etc/default/
-rw-r--r-- root/root      4392 2024-10-13 01:43 etc/default/zfs
drwxr-xr-x root/root         0 2024-10-13 01:43 etc/zfs/
-rw-r--r-- root/root       165 2024-10-13 01:43 etc/zfs/vdev_id.conf.alias.example
-rw-r--r-- root/root       166 2024-10-13 01:43 etc/zfs/vdev_id.conf.multipath.example
-rw-r--r-- root/root       616 2024-10-13 01:43 etc/zfs/vdev_id.conf.sas_direct.example
-rw-r--r-- root/root       152 2024-10-13 01:43 etc/zfs/vdev_id.conf.sas_switch.example
-rw-r--r-- root/root       254 2024-10-13 01:43 etc/zfs/vdev_id.conf.scsi.example
drwxr-xr-x root/root         0 2024-10-13 01:43 etc/zfs/zed.d/
...

It’s beautifully simple. You could for example install ArchLinux without pacman, by mostly just tar -x the individual package files directly to /. All the package manager does is track which file is owned by which package (so it’s easier to remove), and dependency solving so it knows to go pull more stuff or it won’t work, and mirror/download management.

How you get that set up is all up to you. Packer+Ansible can make you disk images and you can maybe just throw them on a web server and download them and dd them to the inactive partition of an A/B scheme, and that’d be quite distro-agnostic too. You could build the image as a Docker container and export it as a tarball. You can build a chroot. Or a systemd-nspawn instance. You can also just install a VM yourself and set it up to your liking and then just dd the disk image to your computers.

If you want some information on how SteamOS does it, https://iliana.fyi/blog/build-your-own-steamos-updates/

I’m talking about the new one they made from scratch in Rust: https://system76.com/cosmic

Pop_OS! is about to drop a whole new desktop environment (COSMIC) made from scratch that’s not just a fork of Gnome. Canonical tried that as well a while back with Unity although it was mostly still Gnome with extra Compiz plugins.

A lot of cool stuff is also either for enterprise uses, or generally under the hood stuff. Simple packages updates can mean someone’s GPU is finally usable. Even that LibreOffice update might mean someone’s annoying bug is finally fixed.

But yes otherwise distros are mostly there to bundle up and configure the software for you. It’s really just a bunch of software, you can get the exact same experience making your own with LFS. Distros also make some choices like what are the best versions to bundle up as a release, what software and features they’re gonna use. Distros make choices for you like glibc/musl, will it use PulseAudio or PipeWire, and so on. Some distros like Bazzite are all about a specific use case (gamers), and all they do is ship all the latest tweaks and patches so all the handhelds behave correctly and just run the damn games out of the box. You can use regular Fedora but they just have it all good to go for you out of the box. That’s valuable to some people.

Sometimes not much is going on in open-source so it just makes for boring releases. Also means likely more focus on bug fixes and stability.

If your masturbator breaks during a masturbation cycle I recommend replacing it before it dies completely. A good masturbator should comfortably last an entire session without issues.

You mean you’re not actually supposed to spend 2 hours daily unfucking everyone’s shit during the standup turn by turn?

If just follows the cursor so if you move the mouse to another screen you can also input your password there.

The only difference is which one the mouse cursor is on initially.

In theory it should be on all monitors. At least on mine, all 3 monitors display the login screen and any of them can be used to input the password.

You can edit the settings from KDE’s settings to copy the KWin monitor configuration to it, you probably want to set the primary display.

In this world, money is power, and power absolutely does corrupt people.

I’ve seen a lot a fair amount of people that started off with humble beginnings, got really popular, made a ton of money, and turned into shitbags as a result because they can just fork up a bunch of cash to make problems go away.

Money and power enables you to get away with immoral stuff, if not straight up illegal.

They manage to make it so complicated it’s a whole thing to even just delete the default keyboard layout it thinks should be the default for your language too, if it stops adding it back at all.

I want “French (Canada)”, not " Canadian multilangual english CSA" or “Canadian multilangual french CSA”.

It’s not like any of them even matches the US keyboards we end up using anyway, everyone knows the labels on the keycaps never matches what key it actually prints. Just let me pick the god damn layout I want.

On Mac it’s even worse because you have to install it from some random dude’s GitHub, and because it’s a third-party layout, it straight up won’t let you delete the default one just in case, and I have to switch it back whenever it mysteriously decides to switch to the other one on its own for no reason.

On Linux: loadkeys cf and done.

That looks like a normal kernel to me. The mention of the surface is the hostname which comes from /etc/hostname.

Exactly how does it not work? Does the kernel even try to boot? Tried verbose mode?

You might need to regenerate your initramfs for the new hardware, I think on Fedora that’s Dracut? That usually does include machine specific drivers that needs to be available during early boot, but just regenerating it should fix that.

No, the majority of the energy consumption is in the backlight.

If they want them unintrusive they could just bring back the good ol’ notification ticker in the status bar. Zero space wasted by annoying notifications 99% of the time.

IPv6 or IPv4?

A /3 of IPv4 for that price is impossible, that’d be 10% of the entire IPv4 space. A /29 (32-3) would be more reasonable but 1k for a block of 8 IPs would be a massive ripoff.

Doesn’t make sense for IPv6 either, as that’d be exactly the global unicast range (2::/3), but makes sense they’d give you like a huge block in there, maybe a /32 as that’s what they assign to an ISP. As an end user you usually get a /48.

I want to love IPv6 but it’s unfortunately still basically impossible to get good proper IPv6 in the first place.

At home I’m stuck with fairly broken 6rd that can’t be hardware accelerated by my router and the MTU is like 1200 which is like 20% bandwidth overhead just for headers on the packets.

On the server side, OVH does have IPv6 but it’s not routed, so the host have to pretend to have all the IPv6 addresses and the OVH routers will only accept like 8 of them in use before its NDP table is full, so assigning an IPv6 to every Docker container fails miserably.

IPv6’s main problem is ISPs are so invested in NAT and IPv4 infrastructure they just won’t support IPv6. Microsoft, Google and Apple need to team together and start requiring functional IPv6 to create user demand, because otherwise most users don’t know about CGNAT and don’t care. Everything needs to complain about bad IPv6 connectivity so users complain to ISPs and pressure them into fixing it.