Sandboxing apps is great and all, but it it’s not the entire picture of security.

Fair enough. I guess I didn’t distill my comment before writing it down.

The problem I see with op’s “Linux isn’t secure” comment (without getting all territorial about it) is that the solution touted by Qubes is already a solution in wide use in several Linux distros, meaning the compartmentalization of apps in constrained environments is already a mechanic used in flatpack, snap, even docker.

The fact that Qubes is a secure approach should be the focus, not the “our potassium is superior to all other countries” vibe from this post.

cbz files are not encrypted, they’re just zip files full of images with the xtension changed to “cbz”. Similarly, CBR files are the same thing, but using rar compression.

If you are referring to zip “password protection”, then I guess that’s technically valid, although why anyone would rely on such trivially-cracked security is beyond me.

This is a Qubes ad.

And that’s fine, but why Qubes insists it’s not Linux while booting the Linux kernel, running xen, using xfce as the primary desktop, and being listed on disteowatch seems like a weird marketing choice to me. Your primary audience knows what Linux is, so what is the motivation behind claiming “Qubes is not Linux”?

Ah, I see that now, thanks.

I’m responding to this:

kernel is not free it ships with blobs/proprietary crap etc

That is not true.

lol i’m sure the average joe who switches from windows to you name what linux distro does this by himself

Neither do you. And what that has to do with windows users is beyond me.

If you want gnu/herd, you’re free to install and use it. You will have no:

• MP3 playback
• use for wine (wine is Foss, but almost no windows executables are)
• practically no WiFi
• no discord
• no zoom
• no widevine
• no ms teams working properly

Drawing a hard line in the sand about FOSS is possible, but you must give up many modern conveniences.

I hope you didn’t infer from my comment that we should stop individually supporting FOSS, that’s not what I’m saying.

However, I will counter that I don’t think you are current with the overwhelmingly massive imbalance of corporate vs personal use is currently in play on big Foss projects.

Ffmpeg is used by almost everyone with a video project, but not companies want to kick in any bucks:

https://m.slashdot.org/story/448966

We saw this back in 2015 as well with NTP, which almost everyone on the internet uses, yet the one guy who worked on it had to stop doing so temporarily in 2017 and get a job to support himself:

https://www.informationweek.com/it-infrastructure/ntp-needs-money-is-a-foundation-the-answer-

Not only do corps use FOSS at a higher rate by an order of magnitude than individual users, but they also profit from it.

The kernel itself does not contain blobs, firmware or microcode. That is loaded after boot if you’ve chosen to do so.

NAS only, or storage and workload?

If you absolutely want zero closed code, you are limited to a very small pool of hardware.

The executable software isn’t difficult to run 100%, it’s the closed source drivers.

APIs. Or the ends are achieved by sharing data between apps in common data storage. But I prefer to be a tourist in my infrastructure, I no longer hand-bomb changes to systems.

My design pattern is essentially to integrate more and more of the container creation into config. Right now I’m using ansible and it’s nice. More automation means troubleshooting has fewer variables.

I had issues yesterday with a package upgrade across several containers, and it ended up being two config changes. I cycle the apps and done. That’s it.

That enables an amplification attack.

Technically, you’re right.

An amplification attack is just telling the server to respond to a different/wrong ip with the response to a query than the actual asking request. This is solved generally with DNSSEC verifying the origin and requester ips match, if not, the request is dumped.

However, if your authoritative server doesn’t have records for the request, it will simply forward it (if configured to do so) to an upstream and probably hardened server, or drop the request. Either way, it becomes not your problem.

So unless the amplification attack is asking for records your server is actually hosting and for which your server is authoritative, this isn’t a huge concern.

I’m not scrutinizing it much.

Same. I just run a Minecraft server for my kid and his friends and a static HTML blog, so I’m ok with it.

I’m fairly sure it’s a background migration task, and I have a feeling it depends on your region.

I haven’t had my instances deleted, but they do some kind of maintenance blip everyday that my monitoring sees as 3 seconds of downtime, so maybe keep that in mind.

Not very likely unless the SOA contains more records than simply for the author’s resources. Also, I think it’s assumed that DNSSEC is configured, but the author doesn’t specify.

Not enough info, but it sounds almost like you’re creating the snapshots locally and sending those over instead of snapshotting to the destination directly.

Sanoid and syncoid are Jim Salter’s creation. Check out his blog at mercenarysysadmin.com for some examples of sanoid and syncoid. Klara systems also has a number of deep dives into those utilities.

Love the enthusiasm, but let’s stop casting this as an end-user-only problem. The real issue is, once again, large corporations using and taking advantage of oss while putting ZERO money or work back into oss. It’s victim blaming with extra steps, and us blaming each other is exactly what the real culprits want.

If it makes us feel better that we can pay on a regulsr basis for these things, great. But massive oss projects can’t thrive on a few of us donating.

Looks like a lot of people have issues using this board for both iommu and sr-iov tasks.

This has some of the breakdown of the issues, but that board doesn’t seem to play well with hypervisors.

Those are not authoritative responses, though. You can only add CNAME and A records to pihole, because it’s built on dnsmasq and not on bind/unbound.

You can’t add SOA records to pihole. Or zone transfers, or any actual DNS server functions, really. Pihole is just a forwarder.

You should check out the nas compares review of the pre-release, it’s insanely expensive and he questions who exactly is the target audience.

Beyond that, he reviews the specs quite nicely (as usual).