Solar Bear

Something you might want to look into is using mTLS, or client certificate authentication, on any external facing services that aren’t intended for anybody but yourself or close friends/family. Basically, it means nobody can even connect to your server without having a certificate that was pre-generated by you. On the server end, you just create the certificate, and on the client end, you install it to the device and select it when asked.

The viability of this depends on what applications you use, as support for it must be implemented by its developers. For anything only accessed via web browser, it’s perfect. All web browsers (except Firefox on mobile…) can handle mTLS certs. Lots of Android apps also support it. I use it for Nextcloud on Android (so Files, Tasks, Notes, Photos, RSS, and DAVx5 apps all work) and support works across the board there. It also works for Home Assistant and Gotify apps. It looks like Immich does indeed support it too. In my configuration, I only require it on external connections by having 443 on the router be forwarded to 444 on the server, so I can apply different settings easily without having to do any filtering.

As far as security and privacy goes, mTLS is virtually impenetrable so long as you protect the certificate and configure the proxy correctly, and similar in concept to using Wireguard. Nearly everything I publicly expose is protected via mTLS, with very rare exceptions like Navidrome due to lack of support in subsonic clients, and a couple other things that I actually want to be universally reachable.

A direct case was not reported in the UK in recent years, but evidence of very likely polio transmission was found in sewage samples two years ago:

https://nationalpost.com/news/world/polio-virus-found-in-uk-sewage-samples-risk-to-public-low

A similar situation happened in New York where an actual case was found a month later:

https://www.reuters.com/world/us/polio-found-new-york-wastewater-state-assesses-virus-spread-2022-08-01/

The short of it is, when vaccination rates fall, Polio can be reintroduced via transmission of the live virus found in the oral vaccine, usually taken in poorer countries. If someone were to take the oral vaccine and then immediately travel to a country with lessening vaccination rates, like is currently happening in the west due to the spread of right-wing conspiracy mongering, the live virus still in the vaccinated individual has a low but not zero chance of propagating to the unvaccinated or immune-compromised population there. Samples containing these vaccine-derived viruses are found a few times per year in most places, and it’s a weaker virus so often it leads to no symptoms, but in very rare instances it does take hold with the expected effect:

https://www.who.int/emergencies/disease-outbreak-news/item/2022-DON366

Despite individual cases of polio turning up, either via direct reporting or evidence found elsewhere, it would still be correct to describe polio as being “eradicated” in these countries, at least currently. Nobody is confused by this or demands reclassification of the status of polio.

I don’t follow. We regularly refer to polio as being “eradicated”, even though there have still been documented (but exceptionally rare) cases of polio transmission even in western countries over the last couple decades. That actually sounds like a perfectly apt comparison for the goals of prison abolition, just not in the way you intended.

In short, prison abolition isn’t about abolishing prisons?

Bad name choice in my opinion, as it immediately makes me think: what a dumb idea.

This is kind of like saying being anti-war is a dumb idea because there will surely always be wars fought in defense. Being anti-war isn’t necessarily being an absolute pacifist. It’s about opposing war and striving towards a future where war is a relic of the past. Everybody understands this, but struggles to apply the same logic to other topics.

Striving for intentionally utopian and impossible ideals is a great idea, actually, as long as you recognize it for what it is. I’m a prison abolitionist. Ultimately what I strive for is a society that doesn’t need prisons. I don’t know if total prison abolition is possible, but worst case scenario, we get as close as possible. What’s so bad about that?

Similarly, I’m a communist, in the classical anarchist sense: abolition of state, class, and money. Are these things possible? Maybe not. In fact, probably not, at least not in any timeframe where humanity will be recognizable to us, as it would require true peace between all people and absolute post-scarcity in every way available to everyone. But worse case scenario, we get as close as possible.

Ultimately, adopting a utopian ideal is a recognition that the struggle to do better never ends. We’re never “done”. There’s no end of history. Even if we do somehow achieve it, it must be maintained.

Whatever you get for your NAS, make sure it’s CMR and not SMR. SMR drives do not perform well in NAS arrays.

I just want to follow this up and stress how important it is. This isn’t “oh, it kinda sucks but you can tolerate it” territory. It’s actually unusable after a certain point. I inherited a Synology NAS at my current job which is used for backup storage, and my job was to figure out why it wasn’t working anymore. After investigation, I found out the guy before me populated it with cheapo SMR drives, and after a certain point they just become literally unusable due to the ripple effect of rewrites inherent to shingled drives. I tried to format the array of five 6TB drives and start fresh, and it told me it would take 30 days to run whatever “optimization” process it performs after a format. After leaving it running for several days, I realized it wasn’t joking. During this period, I was getting around 1MB/s throughput to the system.

Do not buy SMR drives for any parity RAID usage, ever. It is fundamentally incompatible with how parity RAID (RAID5/6, ZFS RAID-Z, etc) writes across multiple disks. SMR should only be used for write-once situations, and ideally only for cold storage.

I explained my reasoning and you made no attempt to engage with it and just asked a question I already answered in depth. I’m not sure what you want, but it’s clearly not an answer.

Hard disagree. Everything you learn on Arch is transferable because Arch is vanilla almost to a fault. The deep understandings of components I learned from Arch have helped me more times than I can count. It’s only non-transferable if you view each command as an arcane spell to be cast in that specific situation. I’ve fixed so many issues over the years using this knowledge, and it’s literally what landed me my current job and promotions.

Arch is why I know how encryption and TPM works at a deeper level, which helped me find and fix the issue a Windows Dell PC was having that kept tripping into Bitlocker recovery. Knowledge of Grub and kernel parameters that I learned from Arch’s install process is why I was able to effortlessly break into a vendor’s DNS server whose root password was lost by the previous sysadmin before me when everybody else was panicking. Hell, it even helps in installing other distros, because advanced disk partitioning is a hot mess on a lot of distro GUI installers, so intimate knowledge of what I actually need helps me work around their failings. Plus all the countless other times that knowledge has helped me solve little problems instantly, because I knew how it worked from implementing it manually. When my coworkers falter because the GUI fails them and they know nothing else, I simply fix it with a command.

If you use Arch and actually make the effort to learn, not just copy and paste commands from the wiki, you will objectively learn a lot about how Linux works. If you seek a career in Linux, there’s nothing I can recommend more than transitioning to using Arch (not Garuda, not Manjaro, Arch) full-time on your daily driver computer.

Anyways, after about a decade I’ve recently switched to NixOS. Now there’s a distro where the skills you learn can’t be transferred out, but the knowledge I gained from Arch absolutely transferred in and gave me a head start.

When people recognize they were wrong about something, as smugly satisfying as it may be it’s not actually helpful to tell them that they should have been correct sooner.

Your response is “why are you doing X, you should do Y”

Because they’re right, you shouldn’t do X. I know that’s not a satisfying answer for most people to hear, but it’s often one people need to hear.

If the process must run as root, then giving a user direct and unauthenticated control over it is a security vulnerability. You’ve created a quick workaround for your issue, and to be clear it is unlikely to realistically cause you problems individually, but on a larger scale that becomes a massive issue. A better solution is required rather than recommend everybody create a hole in their security like yours in order to do this thing.

If this is something that unprivileged users reasonably want to control, then this control should be possible unprivileged, or at least with limited privilege, not by simply granting permanent total control of a root service.

This is ultimately an upstream issue more than anything else.

Refurbished drives get their SMART data reset during the process, they absolutely had more than that originally.

Recent NixOS convert, where has this work of art been all my life

Docker is open source, licensed under Apache-2.0. Not really sure what you’re talking about.

Plants aren’t sentient. When we say they “feel pain” and “communicate” we don’t mean like sentient creatures. We just don’t have better words to accurately convey the mechanics at play here. Computers also “communicate”.

The games will still be designed by humans. Generative AI will only be used as a tool in the workflow for creating certain assets faster, or for creating certain kinds of interactivity on the fly. It’s not good enough to wholesale create large sets of matching assets, and despite what folks may think, it won’t be for a long time, if ever. Not to mention, people just don’t want that. People want art to have intentional meaning, not computer generated slop.

This is no different than anything else, we naturally appreciate the skill it takes to create something entirely by hand, even if mass production is available.

It really seems like you didn’t have an actual argument, you just wanted to whine and duck away from any pushback.

It seems to me that you’ve just made up your mind and as such are not invested in even trying to understand other arguments.

it’s probably time to come to terms with the fact that better alternatives would have arisen had anyone thought they could truly manage it.

This is the most important takeaway. There’s a lot of people whining about Wayland, but Wayland devs are currently the only people actually willing to put in the work. Nobody wants to work on X and nobody wants to make an alternative to Wayland, so why do we keep wasting time on this topic?

The full details are complex but I’ll give you the basic gist. The original GPL licenses essentially say that if you give somebody the compiled binary, they are legally entitled to have the source code as well, along with the rights to modify and redistribute it so long as they too follow the same rules. It creates a system where code flows down freely like water.

However, this doesn’t apply if you don’t give them the binary. For example, taking an open source GPL-licensed project and running it on a server instead. The GPL doesn’t apply, so you can modify it and do whatever, and you aren’t required to share the source code if other people access it because that’s not specified in the GPL.

The AGPL was created to address this. It adds a stipulation that if you give people access to the software on a remote system, they are still entitled to the source code and all the same rights to modify and redistribute it. Code now flows freely again, and all is well.

The only “issue” is that the GPL/AGPL are only one-way compatible with the Apache/MIT/BSD/etc licenses. These licenses put minimal requirements on code sharing, so it’s completely fine to add their code to GPL projects. But themselves, they aren’t up to GPL requirements, so GPL code can’t be added to Apache projects.

Most Snaps have apt or Flatpak alternatives.

I’m simply not going to support a distro that creates a proprietary service and ships it as the default source of software. I will support and use distros that open source their code so that everyone can benefit from it. Whether workarounds or alternatives exist is unimportant, my prime issue with Ubuntu and Canonical is with their principles, not Ubuntu’s quality as a product to be consumed by me.