[-] moonpiedumplings@programming.dev 1 points 4 months ago

If the root account is locked, which cachyos does by default, then you won't get anything from this screen.

I had to fix by usb booting and troubleshooting (a different issue though, I was playing with initramfs generation).

[-] moonpiedumplings@programming.dev 1 points 4 months ago

What are you using to view this? Nushell?

[-] moonpiedumplings@programming.dev 1 points 4 months ago

Xplore but it's not foss.

[-] moonpiedumplings@programming.dev 1 points 4 months ago

You can push it even further with wikiman, an offline interface to search and view manpages and the Arch wiki.

https://rclone.org/drive/

https://rclone.org/crypt/

No way to protect emails, google chats, or many other things AFAIK. Yeah, I hate it too.

[-] moonpiedumplings@programming.dev 1 points 1 year ago* (last edited 1 year ago)

Don’t do unattended upgrades. Neither host nor containers. Do blind or automated updates if you want but check up on them and be ready to roll back if something is wrong.

Those issues are only common on rolling releases. On stable distros, they put tape between breaking changes, test that tape, and then roll out updates.

Debian, and many other distros support it officially: https://wiki.debian.org/UnattendedUpgrades. It's not just a cronjob running "apt install", but an actual process, including automated checks. You can configure it to not upgrade specific packages, or stick to security updates.

As for containers, it is trivial to rollback versions, which is why unattended upgrades are ok. Although, if data or configuration is corrupted by a bug, then you probably would have to restore from backup (probably something I should have suggested in my initial reply).

It should be noted that unattended upgrade doesn't always mean "upgrade to the latest version". For docker/podman containers, you can pin them to a stable release, and then it will do unattended upgrades within that release, preventing any major breaking changes.

Similarly, on many distros, you can configure them to only do the minimum security updates, while leaving other packages untouched.

People should use what distro they know best. A rolling distro they know how to handle is much better than a non-rolling one they don’t.

I don't really feel like reinstalling the bootloader over ssh, to a machine that doesn't have a monitor, but you do you. There are real significant differences between stable and rolling release distros, that make a stable release more suited for a server, especially one you don't want to baby remotely.

I use arch. But the only reason I can afford to baby a rolling release distro is because I have two laptops (both running arch). I can feel confident that if one breaks, I can use the other. All my data is replicated to each laptop, and backed up to a remote server running syncthing, so I can even reinstall and not lose anything. But I still panicked when I saw that message suggesting that I should reinstall grub.

That remote server? Ubuntu with unattended upgrades, by the way. Most VPS providers will give you a linux distro image with unattended security upgrades enabled because it removes a footgun from the customer. On Contabo with Rocky 9, it even seems to do automatic reboots. This ensures that their customers don't have insecure, outdated binaries or libraries.

Docker doesn’t “bypass” the firewall. It manages rules so the ports that you pass to host will work. Because there’s no point in mapping blocked ports. You want to add and remove firewall rules by hand every time a container starts or stops, and look up container interfaces yourself? Be my guest.

Docker is a way for me to run services on my server. Literally every other service application respects the firewall. Sometimes I want services to be exposed on my home network, but not on a public wifi, something docker isn't capable of doing, but the firewall is. Sometimes I may want to configure a service while keeping it running. Or maybe I want to test it locally. Or maybe I want to use it locally.

It's only docker where you have to deal with something like this:

```yaml
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped
```

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker "bypasses" the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that's better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren't exposed to the internet, and docker throws that out the window.
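As an added example (not code from the comment above, nor from linuxserver.io or the Docker project), here is a small defender-side check for the two footguns the compose snippet illustrates: published ports with no host address, which Docker binds on 0.0.0.0 and forwards with its own iptables rules ahead of the host's INPUT filtering, and a bind-mount of the Docker socket. The compose text in `SAMPLE_COMPOSE` and `HARDENED_COMPOSE` is constructed for the example (modelled on the snippet), and the check is a deliberately simple line-based scan of the flat `ports:`/`volumes:` lists compose files normally use, not a full YAML parser.

```python
"""Audit a docker-compose file for published ports without a host address
and for Docker socket bind-mounts.

Added example, not code from the original post. Line-based on purpose: it
only understands the flat `ports:` / `volumes:` list layout of typical
compose files, which is enough to demonstrate the check without PyYAML.
"""
import re

# Constructed sample, modelled on the webtop snippet quoted in the thread.
# Line 8 mounts the Docker socket, line 10 publishes on every interface.
SAMPLE_COMPOSE = """\
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    security_opt:
      - seccomp:unconfined
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 3000:3000
      - "127.0.0.1:3001:3001"
    restart: unless-stopped
"""

# Constructed hardened version: loopback/LAN-bound ports, no socket mount.
HARDENED_COMPOSE = """\
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    volumes:
      - /path/to/data:/config
    ports:
      - "127.0.0.1:3000:3000"
      - "192.168.1.10:3001:3001"
    restart: unless-stopped
"""

# A port mapping whose host side starts with an IPv4 literal or a bracketed IPv6.
_HOST_BOUND = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|\[[0-9a-fA-F:]+\]):")


def audit_compose(text):
    """Return a list of (line_no, finding) tuples for the given compose text."""
    findings = []
    section = None  # the list we are inside: "ports", "volumes" or None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing YAML comments
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("- "):
            item = stripped[2:].strip().strip("'\"")
            if section == "ports" and not _HOST_BOUND.match(item):
                findings.append((line_no,
                    f"port mapping '{item}' has no host address: Docker publishes it on "
                    f"0.0.0.0 and its forwarding rules run before the host INPUT chain; "
                    f"bind it as '127.0.0.1:{item}' or to a LAN address instead"))
            elif section == "volumes" and item.split(":", 1)[0].endswith("docker.sock"):
                findings.append((line_no,
                    f"volume '{item}' mounts the Docker socket: whoever controls the "
                    "service controls the Docker daemon, which is root-equivalent on the host"))
            continue
        # Any mapping key ends the current list; remember if it opens ports/volumes.
        key = stripped.rstrip(":")
        section = key if stripped.endswith(":") and key in ("ports", "volumes") else None
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        results = audit_compose(text)
        print(f"{name}: {len(results)} finding(s)")
        for line_no, finding in results:
            print(f"  line {line_no}: {finding}")
```

Binding a published port to 127.0.0.1 keeps Docker's rules from exposing it beyond the host, which is the effect the comment expects from a firewall; the hardened sample produces no findings, the original layout produces two.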

Well one way to lower it is to settle law around the death penalty it seems

Or you could just not kill people.

Using conservative rough projections, the Commission estimates the annual costs of the present system ($137 million per year), the present system after implementation of the reforms … ($232.7 million per year) … and a system which imposes a maximum penalty of lifetime incarceration instead of the death penalty ($11.5 million).

From amnesty USA. https://www.amnestyusa.org/issues/death-penalty/death-penalty-facts/death-penalty-cost/

Ted Kaczynski lived until 81 and absolutely deserved death.

And he did die. Does that not satisfy you?

Kidding, but it's not a matter of deserves. It's about the state's power in relation to its citizens. The state shouldn't have the power over life and death, because power corrupts. Cases like this: https://innocenceproject.org/melissa-lucio-9-facts-innocent-woman-facing-execution/

The poor woman was interrogated for 5 hours straight by police into confessing her "crime", while pregnant with twins, after which she was sentenced to death (still alive btw; lawsuits still ongoing and sucking up taxpayer money, even 13 years later). One of the influential things in her death sentence was the District Attorney, who was attempting to be reelected on a "tough on crime" platform.

Cameron County D.A. Armando Villalobos was running for re-election and seeking a “win,” and is now serving a 13-year federal prison sentence for bribery and extortion.

Of course, you made an argument about "what if we require really, really hard evidence"... but what evidence is greater than a confession? What if evidence is fudged? There can never be a guarantee, and we should design our systems to account for human error... or malice.

Prison should be a place to rehabilitate people first, and a place to remove dangerous people from society second. Not a political platform, like the death penalty is so often.

The death penalty is the ultimate form of virtue signaling. An expensive way to remove someone from society, when life in prison would have the same effects, relatively. Everybody dies eventually, no need to waste money on killing people early when we could be spending money on keeping people alive.

[-] moonpiedumplings@programming.dev 1 points 1 year ago* (last edited 1 year ago)

Then it's still a bad idea because of the literal cost to taxpayers.

Life in prison is $70,000 per year (paid by taxpayers, of course).

The legal battle around the death penalty is around $1.12 million, also paid by taxpayers.

https://www.cato.org/blog/financial-implications-death-penalty

That's 14 times more expensive.

There are tons of things I would see the state spend money on rather than literally killing people. In the case of this, maybe mental health help for the victims.

Nope, I just tested and the rootful podman service doesn't touch any iptables/firewall rules.

It uses what is called a "CNI", container network interface, to manage container networking rather than just overwriting all the iptables rules like docker does.

[-] moonpiedumplings@programming.dev 1 points 2 years ago* (last edited 2 years ago)

My goal was to install openstack on my server, using kolla-ansible, one of the automatic installers. It officially supported debian 11. I would have had to upgrade when the openstack packagers switched over to 12.

But it also officially supported Rocky Linux 9, which goes eol in like 7 years.

moonpiedumplings

joined 2 years ago