No

Discourse is awesome. Just needs federation.

As a mod, it is lovely to work with, extremely well indexed, has tags, categories, roles and everything you want.

Everything should be done there. Matrix or Discord make no sense, its just chatting into nirvana, nobody every finds it again

And people… dont… use… threads! They just spam everything in a single chat which makes it unusable

Crazy, its completely new code? I thought it was a fork.

That makes it pretty impressive

On KDE Plasma theming and Cursors work with Flatpaks normally

And then there is OnlyOffice which also just uses Libreoffice and develops a minimalist web UI and sync features.

Why not join efforts?

Crazyy!

Btw I am XWayland free since today!

I have a list of recommended apps here

Some apps need environment variables:

Qt:

• qpwgraph

GTK

• GPU Screen recorder, I guess

Electron

• Nextcloud Flatpak
• MullvadVPN RPM
• Signal Flatpak
• (Element, I switched to the Webapp in Librewolf)
• Freetube Flatpak

You can use xlsclients -l to detect apps using XWayland.

Some may even want to run apps through XWayland on purpose, like KeepassXC for Clipboard access or autotype. Lets see how long it takes to implement all the needed protocols.

Yes I know, and I want to try DivestOS one time. But they do incomplete patches.

They cannot update the kernel themselves or even worse the firmware. The kernel needs to be built and patched for the specific hardware, GrapheneOS relies completely on Google here. And the firmware needs to be signed by the vendors, so no chance either.

And especially baseband, cellular stuff has extremely many vulnerabilities in the code.

I think 3a is already too old. I think 4a is a better minimum, but this is still insecure of course.

All Android phones have Google malware installed by default, as system apps, which means those apps can do whatever they want.

So every piece of data you put on there is possibly tracked and collected.

Then there are 2 more problems

• the software is proprietary and cannot be externally wiped clean
• the software is outdated

This makes it vulnerable to Pegasus attacks and others. There are tons of secure practices to avoid getting it, like LTE-only, HTTPS only, encrypted and trustworthy DNS, sandboxed processes, blocked javascript execution from unknown websites…

But still if the phone is outdated there are unpatched and publicly known security issues. Just spamming them at all phones is likely to succeed as so many people run vulnerable versions, as vendors suck.

Then if you have pegasus, the only way for security is to reflash the A/B partitions, both. Factory reset is not secure as it will keep what is already in the system partitions.

The firmware is protected and signed by the vendors, so it is likely clean.

But Pegasus installs itself to the phone storage.

If you A cant obtain factory images or B cant flash the phone at all, you cannot wipe it clean.

So a good activism phone needs

• trustworthy and minimal system apps / stock software
• modern software updates
• possible to reflash whole device externally
• nice to have: ability to verify checksum of system partition, like GrapheneOS Attestation

This makes them poorly pretty expensive. I think a slightly outdated GrapheneOS phone is okay though.

Burner phones are a strange concept. If you want to store sensitive data on it, you shouldnt use some cheap android phone or even a dumbphone without encryption support.

Very nice tool for usage and development!

I am not using Mint and it is also in the Fedora repos, but there is no reason for it to not be on Flathub. Maybe when I find the time I try to package it.

For some reason it is not yet on Flathub

TLDR?

Sorry yes I only watched the movies, I read the Hobbit and gave up at LOTR 1 page 80 or so, when it was still random stuff not in the movies.

Oh okay, didnt know Bazzite builds slower than the other images.

Instead of blocking users, education is the way better option. Flatpak Firefox does not have user namespace sandbox support, which is a pretty big deal.

No that is definetly a bug, as it spits out strange error messages.

I dont think Firefox running through Podman in rootless mode can create user namespaces? But not sure, will check that.

I have auto updates enabled and I reboot daily. This is not an issue especially on ublue where they are on by default.

Dont know where you get your games from 😉🐧☠️

I am not a fan because they install all that WINE stuff on the system level which is a huge security degradation.

Running WINE through Bottles with the latest protonGE through PupGUI works on all distros.

If they removed that I would consider it.

Also they remove Firefox and Flatpak Firefox can only use seccomp filters, not sandboxes, which less secure. And due to an rpm-ostree issue those removed packages are never reinstallable.

Dont spam please

GearLever](https://github.com/mijorus/gearlever) solves all the problems mentioned.

Sceptical but I will try it for sure.

It makes appimages less worse than Flatpaks though, so its only “badness reduction” for me.

There are AppImages out there that self-update , but GearLever also solves the update issue. And if you don’t want to use GearLever, there are other updaters like AppImageUpdate.

The first is what I mentioned, such updates can be perfectly done by a central package manager. Did you ever try to seal off a Windows install using Portmaster, where every installed app needed network access for their individual update services? Just no…

Ans to the repos, yeah maybe, havent looked if they are as secure as a linux repo. But the concept of “it is acceptable to download software from random websites” allows for malware to fit in there. Only if you will never find a .flatpak file it is possible to be sure its malware.

But there are other sandboxing options out there, such as using containers, and IMO, using a proper container is a better option for sandboxing. Or even better, use a VM if you’re actually running an untrusted app.

All worse than bubblewrap. Containers are either manual af (like with bubblejail) or if you refer to Distrobox/Toolbox, unconfined by default. They have no portal integration and no GUI configuration apps. So it may work somehow but probably worse, more resource heavy and there simply already is something better.

Same for VMs. Keep an eye on Kata containers, but this is about least privilege, not some QubesOS system that will not run in a tablet, for example. Android uses containers, is damn secure, and runs on phones.

[non executable stuff]

This is about protecting against malware. Linux Desktops are built on a different logic. Any unconfined software can download a binary to localbin, copy a random desktop entry from usrshareapps to your local folder, edit the exec line and add that binary to it.

Or just manipulate your .bashrc, change the sudo command to read input, save to file, pipe input to sudo. Tadaa, sudo password stolen.

That concept of “users can change their home but not the system” is poorly pretty flawed. So any directory that is writable without any priveges is insecure, if you dont trust every single piece of software you run.

Agree that Snaps are a problem. Its only really problematic when repackaging is illegal though, of course annoying but the Spotify flatpak is a repackaged snap. Same as with appimages.

I should write the same about snaps, but I feel they are covered WAY better.