I believe you, but I also very much believe that there are security vendors out there demonizing LE and free stuff in general. The more expensive equals better more serious thinking is unfortunately still quite present, especially in big corps. Big corps also seem to like the concept of having to prove yourself with a high price of entry, they just can’t believe a tiny company could possibly have a better product.

That doesn’t make it any less ridiculous, but I believe it. I’ve definitely heard my share of “we must use $sketchyVendor because $dubiousReason”. I’ve had to install ClamAV on readonly diskless VMs at work because otherwise customers refuse to sign because “we have no security systems”. Everything has to be TLS encrypted, even if it goes to localhost. Box checkers vs common sense.

IMO that’s more of a problem with the industry not really caring to support lower specs, or generally not seeing the deck as a real console or platform to target. People still make Switch games and the damn thing was already outdated at launch and they even underclocked it for good measures.

At 800p you’ve got to start thinking, is most of the detail those games compute even actually visible the on screen? How many PCs does that make obsolete? If the deck can’t run it at 800p, even at 1080p you’re gonna need what, an RTX 2060 for the lowest settings on a PC?

Some of the example titles don’t even sound like they’re the kind of titles that are made to showcase what your 4090 can do, which logically you’d want as many people as possible to be able to play it.

LetsEncrypt certs are DV certs. That a put a TXT record for LetsEncrypt vs a TXT record for a paid DigiCert makes no difference whatsoever.

I just checked and Shopify uses a LetsEncrypt cert, so that’s a big one that uses the plebian certs.

Neither does Google Trust Services or DigiCert. They’re all HTTP validation on Cloudflare and we have Fortune 100 companies served with LetsEncrypt certs.

I haven’t seen an EV cert in years, browsers stopped caring ages ago. It’s all been domain validated.

LetsEncrypt publicly logs which IP requested a certificate, that’s a lot more than what regular CAs do.

I guess one more to the pile of why everyone hates Zscaler.

Because it’s too flexible, and assumes everyone has source code to glue it all together. There’s endless choices you can make to have a functional system.

• Before you even compile the kernel, you have to provide a C compiler. That can be GCC or LLVM/clang.
• Before you even build the kernel, you have to pick a CPU architecture and subsystems to enable.
• Before you can even boot the kernel in any useful manner, you need to select a partition table format, one or more filesystems to put on the drive, all with varying amounts of features, but are at least mostly all POSIX compliant. Or a ramdisk.
• Even just starting at the very core of userspace, the C standard library, you have glibc, musl, uClibc. That can only be dealt with at compile time.
• Then on top of that, for the core utilities, you have the GNU coreutils, uutils, busybox, toybox, the BSD coreutils.
• Great, we can start booting now. Wait, now there’s the choice of init system: systemd, sysvinit, OpenRC, runit, upstart, dinit, and a lot more. Good, we’re booted.
• Now we need a login prompt, which can be agetty, greetd, mingetty, GDM, SDDM, LightDM. You’ve entered your password: that may or may not trigger a PAM session, which can verify your password from just about anywhere (locally, Kerberos, LDAP), start a D-Bus session, register a session with logind, that can trigger decryption and mounting of a drive, which itself could be local or remote or removable.
• We’re logged in! Now we need a shell. There’s bash, dash, zsh, ash with their own small differences, and that’s just the POSIX compatible ones. There’s also fish, nu, ksh, csh and more.
• We have a prompt! Now we should probably install some software. Is it gonna be apt, yum/dnf, zipper, pacman, apk, xbps, emerge, port? What’s the package names? Depends on the distro!
• We have a way to install software, now we need network to get it. How’s the network configured? ifupdown, systemd-networkd, NetworkManager, Connman, dhclient, dhcpcd, netplan, netctl. If you have WiFi, there’s iwd and wpa_supplicant.
• Lets get a graphical session. Xorg or Wayland based? ALSA, PulseAudio or PipeWire? Window manager or desktop environment?
• You want to mount a drive. systemd can do that, udev can do that, fstab can do that.

That’s just the basics to make it to a desktop. Now there’s some stuff to help that a lot, like Flatpak which aims to provide a known base system for apps to target. The portals help get access to resources with varying backends. PipeWire supports pretty much every audio protocol in existence so that’s alright. Flatpak is a pretty good standard/ABI to target. For server software we have similar things in the form of Docker and Podman. But all of these solutions are basically “lets just ship the distro with the software”.

The only really standard interface is the Linux kernel’s public interface. If you’re writing a driver, you better be ready to maintain it because stuff moves around a lot internally, the kernel doesn’t care not to break out of tree modules. Go makes use of the stable kernel API and skips the libc entirely, so Go binaries are usually fairly portable as long as the kernel is somewhat sane.

The only real standard you can target is POSIX, which is fine if you’re writing CLI or server software, but if you want to write GUIs, you just have to make choices. Most Linux stuff runs fine on FreeBSD too, they have Wayland, PipeWire and Mesa there too, so technically at this point you’re not even targetting Linux per-se, more like generally POSIX-y systems with software that’s just very commonly used and target that.

On Windows and Mac, you have what Microsoft/Apple provides and if you want anything else you bring it yourself. However, technically you can install PulseAudio on those, install an X server (Xming, Xquartz), run most DEs in there, run browsers and quite a bit of Linux-y stuff, natively on Windows and Mac in their respective binary formats.

The thing with FOSS is there isn’t a single standard it targets, we just port everything to everything as needed. The closest thing we have to a standard is targeting specific versions of specific distros, usually Debian/Ubuntu or RHEL and derivatives because that’s what the enterprise customers that pays for the development tends to run. That’s why Davinci Resolve is a pain to run on anything other than Rocky Linux. Thankfully, it’s also just software and dependencies, so if you just give it everything it uses from Rocky, it’ll work just fine on other distros. And that’s why source code is important: you can make everything work with everything with enough time and patience. That’s what powers the ecosystem.

Probably mostly a carryover from Reddit where it’s an either one or the other kind of deal.

That’s more of a general DevOps/server admin steep learning curve than Vaultwarden’s there, to be fair.

It looks a bit complicated at first as Docker isn’t a trivial abstraction, but it’s well worth it once it’s all set up and going. Each container is always the same, and always independent. Vaultwarden per-se isn’t too bad to run without a container, but the same Docker setup can be used for say, Jitsi which is an absolute mess of components to install and make work, some Java stuff, and all. But with Docker? Just docker compose up -d, wait a minute or two and it’s good to go, just need to point your reverse proxy to it.

Why do you need a reverse proxy? Because it’s a centralized location where everything comes in, and instead of having 10 different apps with their own certificates and ports, you have one proxy, one port, and a handful of certificates all managed together so you don’t have to figure out how to make all those apps play together nicely. Caddy is fine, you don’t need NGINX if you use Caddy. There’s also Traefik which lands in between Caddy and NGINX in ease of use. There’s also HAproxy. They all do the same fundamental thing: traffic comes in as HTTPS, it gets the Host header from the request and sends it to the right container as plain HTTP. Well it doesn’t have to work that way specifically but that’s the most common use case in self hosted.

As for your backups, if you used a Docker compose file, the volume data should be in the same directory. But it’s probably using some sort of database so you might want to look into how to do periodic data exports instead, as databases don’t like to be backed up live since the file is always being updated so you can’t really get a proper snapshot of it in one go.

But yeah, try to think of it as an infrastructure investment that makes deploying more apps in the future a breeze. Want to add a NextCloud? Add another docker compose file and start it, Caddy picks it up automagically and boom, it’s live and good to go!

Moving services to a new server is also pretty easy as well. Copy over your configs and composes, and volumes if applicable. Start them all, and they should all get back exactly in the same state as they were on the other box. No services to install and configure, no repos to add, no distro to maintain. All built into the container by someone else so you don’t have to worry about any of it. Each update of the app will bring with it the whole matching updated OS with the right packages in the right versions.

As a DevOps engineer we love the whole thing because I can have a Kubernetes cluster running on a whole rack and be like “here’s the apps I want you to run” and it just figures itself out, automatically balances the load, if a server goes down the containers respawn on another one and keeps going as if nothing happened. We don’t have to manually log into any of those servers to install services to run an app. More upfront work for minimal work afterwards.

I hope they’re donating big chunks of money to the Internet Archive in return for what’s likely to bring a ton of extra traffic.

Good luck with that given 3D printers are full of open-source software.

You need to unlock it to pair new devices, you can only turn Bluetooth on and off while locked. That could be really exploitable otherwise: just pair a keyboard, wait for the user to unlock their phone and install a remote control app via keyboard sequences.

If it’s USB-C, either you plug it straight in, or you get an adapter or a dock or anything that converts USB-C to an A port. Most laptop adapters for that will work just fine.

If it’s USB micro B, there’s a thing called an OTG adapter that gives you a regular USB-A port as well.

Then you just plug it in.

Yeah, that didn’t stop it from pwning a good chunk of the Internet: https://en.wikipedia.org/wiki/Log4Shell

IMO the biggest attack vector there would be a Minecraft exploit like log4j, so the most important part to me would make sure the game server is properly sandboxed just in case. Start from a point of view of, the attacker breached Minecraft and has shell access to that user. What can they do from there? Ideally, nothing useful other than maybe running a crypto miner. Don’t reuse passwords obviously.

With systemd, I’d use the various Protect* directives like ProtectHome, ProtectSystem=full, or failing that, a container (Docker, Podman, LXC, manually, there’s options). Just a bare Alpine container with Java would be pretty ideal, as you can’t exploit sudo or some other SUID binaries if they don’t exist in the first place.

That said the WireGuard solution is ideal because it limits potential attackers to people you handed a key, so at least you’d know who breached you.

I’ve fogotten Minecraft servers online and really nothing happened whatsoever.

Sorry for the YT Short, but of course the simpsons predicted this: https://youtube.com/shorts/rYb8geoO484

Does Lemmy even have print CSS or is it more like the site’s style is so basic it just works? I looked quickly and apart from hiding a few elements, it doesn’t look like it really tries to be printer friendly at all.

Lemmy’s format just kind of sucks for discussions and visibility. If you comment on a post from a year ago, you can expect that to not been seen by anyone ever.

Lemmy is primarily a link aggregator, just like Reddit. It also happens to somewhat work for Q&A and help forums, but fundamentally Lemmy is more oriented towards new content.

The more classic forum format is better for discussions because replies bump the thread up to bring new attention to it.

Also a lot of people just don’t give a shit about random people’s random thoughts, that’s why I’m not on Mastodon and never really used Twitter either. I don’t know why people feel the need to dump all their thoughts on the Internet, like I care that a celebrity is on a plane or enjoying a nice meal.

Lemmy is about topics, not people, that’s what I like about it. I don’t care about people.

A little bit more anonymity I guess, but be mindful that Lemmy is very public in nature. That includes all of your votes, so it’s still pretty easy to profile.

Make it through the web UI, this is not implemented as far as I know as that’s not a particularly common operation.

Also !boostforlemmy@lemmy.world

The only thing I wished worked with it is Android Auto. I tried developer options and everything, it refuses to run in the car, at least the F-Droid version.

Isn’t he the same person who calls adblocking piracy?

He’s also got a generally nuanced opinion of piracy, in that it’s justifiable in some situations. If you call it piracy and you’re okay with piracy then it’s not really a contradiction.

Being willing to talk about it despite working against your interests isn’t always bad depending on context.