Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as “it doesn’t exist” rather than an obsticle to try exploits on. Not sure if that is true though.

For me:

• ssh server only with keys

• absolutely no ssh forwarding, only available to local network via firewall rules

• docker socket proxy for everything that needs socket access

• drop non-used ports, limit IPs for local-only services (e.g. paperless)

• crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)

• Authelia over everything that doesn’t break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)

• proper umask rules on all docker directories (or as much as possible)

• main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical

• full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren’t in memory (makes a startup script with a password needed, so no automated startups for me)

For more info, I followed a lot of stuff on: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

That is very fair!!

But on the other hand, 99.9% of users don’t read all of the change notes for their packages and don’t have notifications for CVEs. In that case, in my opinion just doing updates as they come would be easier and safer.

Doesn’t ucore also have to restart to apply updates?

Not super ideal for a server as far as maintenance and uptime to have unexpected, frequent restarts as opposed to in-place updates, unless one’s startup is completely automated and drives are on-device keyfile decrypted, but that probably fits some threat models for security.

The desktop versions are great!

You absolutely can fail. I daily drive bazzite but many things have been pretty rough:

Any coding apps that will use an external device -> you can’t use flatpak. You have to use distrobox that constantly freezes your entire mouse for 3-5 seconds upon any sort of dialog, settings, saving, anything where it has to access the filesystem. Then you have to add udev rules to directories that in the documentation says not to write to, and reloading the rules doesn’t work for testing, you have to fully restart with every minor change or it will seem like the change didn’t work.

Luckily most device drivers seem to work in the provided arch distrobox but holy dependency hell. Things will fail to install because they need a package that exists on the host but not the container so you get an unsolvable “file exists” conflict. When installing a package, it will sometimes just try to grab an old version of a dependency specifically that will 404 out instead of just grabbing the most recent version (never happened on arch itself to me)

Setting up a plasma vault with gocryptfs was not fun figuring out how. Also ran into tons of dependency problems and the fact that fedora just abandoned it specifically. Ended up just having to stick the binary in a random folder and point to it.

Any sort of document authentication/signing -> doesn’t work and will not work in the future for a long time.

You absolutely have to install rpms still for corectrl, any external devices, like drawing tablets, etc…

Some games inexplicably use <50% GPU and <40% CPU with terrible framerates and will not go any higher (or lower) no matter what, switching between low and high settings and resolution results in 0fps change.

When I have my config set and don’t have to change anything, it is super super nice to never have to manually update, but anything outside of very basic usage is weaving through nonstandard undocumented territory.

Bazzite trades maintenance headaches for configuration and installation headaches. For me, that is worth it.

Yeah, they have a spotify connect plugin that works, but chromecast probably will not be supporter because google holds all of the cast keys and esphome/music assistant/ home assistant would have to register with them (and probably play the fees) i think

To be fair though. The experience of google and Microsoft online word/spreadsheets/etc… also sucks ass on a smartphone. Much better, sure, but doing spreadsheets or writing a paper on a phone is a bad experience in general.

This is a better list than the actual list probably 😅 Not having hollow knight or cuphead on the actual list is pretty insane and it is much more of a “non-mainstream best indie games” list

If you data wasn’t being stolen and sold up until now, it 100% will be after this lol. I wonder how much worse they can make discord. Speed run anyone?

That is very cool, I have never met someone who had success with open hardware. Can I ask what the company is?

Any tips for doing crowd funding if I decide to put my stuff on the market? I feel like crowd funding has died off a lot in comparison with 10 years ago since most campaigns either don’t reach the goal, don’t deliver the product (or a very basis version), or were scams to begin with.

That is a fantastic idea. Wtf how is this not commonplace? Or am I just way behind 😅

Open-source hardware is almost non-existant compared to software. There is a reason for it.

I am an electronics engineer who makes open source hardware as a hobby.

Hardware is extremely different from software. It requires substantial monetary investment.

My company last year did a dirt-cheap lowest-possible-budget prototype design and run of 10 for someone funding themselves independently. It cost 8000€ for the design and that one prototype run, and an extremely simple design at that (electronically, medical-spec mechanically).

Software you buy a system and you can develop and develop and iterate and test 1000 times and develop multiple projects on that single machine. If you sell 0 units, sure you are out a computer and a ton of personal time. Sucks, but you won’t lose your house.

If you do electronics + mechanical development, every time you iterate on the electronics, that will be 200€-1000€ please, plus test equipment. If you make a small mistake equivalent to a wrong pointer that is another 1000 down the drain.

Hardware projects, pure material-wise, can cost more than a car to develop (just going through CE and FCC compliance testing can be 2k-10k and you aren’t allowed to sell in the EU without it.

You need capital to burn or be OK with a non-market-ready end product. Most people would rather make a down payment on a house than develop open hardware that might never recoup just the material costs. You can’t just give the hardware away for free unlike software also.

I love how they say

there are moments when Arceus is genuinely pretty

and then show a screenshot of a game that looks objectively worse than a low-budget movie tie-in from 2007. I mean look at the 1 tile, non-randomized, no noise, no depth, repeating light effect on the water with 0 effort put in to even make it look slightly good. The depth of field and fog looks like it is from pokemon pearl with a gaussian blur put on top of it.

Super mario sunshine from 2002 looks almost as good at the water looks 10x better lol

Gamefreak puts literally 1% effort into any of their games…

Doing my part with 20-30mbps upload 😂

Uhhh, tons of people in Europe are on 240V 3 phase power.

My oven is 3100W and that is just fine. 3 phase consumer induction cooktops can easily go that high or higher.

Once my 3 phase charging pole is put in, my car will charge at >10000W on a household circuit.

Nope, syncthing for file syncing things between systems like music and I realized I never really used “cloud” storage.

Crazy how that doesn’t at all even address the problem of subtitle sync! It just pastes subtitles as-is in there. What if the subtitle files are at a different framerste? What if the subtitles have the wrong starting offset for the media? What if the subtitles have 1-2 mistakes in them as far as timing?

Hence why there are a dozen subtitle syncing tool projects supplementing ffmpeg like ffsubsync, subsync, alass, autosubsync, srtsync, etc…

Using the integrated player. That is the only player option on android TV. On android I am also using the integrated player. If I use the web player, the same UI as the web shows up WITHOUT the subtitle offset option that is in the web player in a web browser. Not sure what the difference could be. Always burning in subtitles isn’t enabled either.

The only thing about jellyfin is the damn subtitles. Subtitle sync is horrible. They added a subtitle offset feature last year which was a good workaround and then removed it a few months ago on androidtv and android. Now the subtitle offset on the web player doesn’t do anything anymore either

Even Subgen generated subtitles, which are pretty perfectly in sync in reality, are sometimes played back at an incorrect speed so it will progressively get more and more out of sync, but there is no way to tell what speed the subtitles are being played at.

Also it just ignores themes a lot of times or only displays themes on the admin console and nowhere else.

That said, jellyfin is still amazing!

I had to physically log into the server (I am not using a VPS) and docker compose -f ... down the container in order for it to be solved. After a downgrade of nextcloud it was solved and the next upgrade I did, didn’t experience the same issue. I ended up ditching nextcloud anyway because after an update ~8-12 months ago, the login page has never loaded since, so it can’t be used. I found out I rarely used it anyway.

Hey, I had a similar thing happen to me. It turns out the faulty container brought down my entire LAN network. The reason you can’t ssh in is likely because your router is stuck at 100% usage trying to figure it out.

At least that is what happened with my old Archer A7 and damn nextcloud.