Nix on non-NixOS distributions would be great, if it would support installing apps into the users home directory instead of a global directory (without recompiling everything).

(When I looked into it, it wasn’t possible, but if you made it work, please share.)

I used to use Ubuntu in the past, and it wasn’t Unity, Upstart, Bazaar, Mir, Launchpad, Snap, Amazon ads integration etc. that convinced me to look elsewhere, it was that I found out how other, not commercial distributions, integrated and instrumented its user base into their development.

Instead of having to sign a CLAs when contributing and signing your right away to some corporation, you become part of the community. (Update: It seems they have switched from their Copyright assignment, so something not as invasive in 2011, which is good. But they still require you to sign a CLA.)

So always look who is developing the distribution first, are they individuals or is it one company. And don’t let yourself be bated into the dependency of one company, because then you will be the victim of enshittyfication eventually.

So similar to kakoune? I tried that for a while, but it was missing some features so I went back to vim/neovim.

I need to know vi anyway, because that is available everywhere (as part of busybox), so using vim/nvim for bigger systems just fits.

What about Lua/Luajit?

In most scripting languages you have the interpreter binary and the (standard) libraries as separate files. But creating self-extracting executables, that clean up after themselves can easily be done by wrapping them in a shell script.

IMO, if low dependencies and small size is really important, you could also just write your script in a low level compiled language (C, Rust, Zig, …), link it statically (e.g. with musl) and execute that.

I started using Fedora Silverblue on a tablet, seems to work fine so far, but requiring a reboot in order to install new system packages is a bit cumbersome and the process itself takes a while, but ordinary Fedora also doesn’t win any races when asked to install a new package

I think switching to FCOS or Flatcar on servers that just use containers makes sense. Since it lessens the burden of administrating the base system itself. Using butan/ignition might be unusual at first, but it also allows to put the base system configuration into a git repo, and makes initial provisioning using ansible or similar unnecessary. The rest of the system and services can be managed via portainer or similar software.

I also do not have long term experience with FCOS, but the advertised features of auto-update, rolling-release, focus on security and stability makes it a good fit for container servers, IMO.

An alternative to Debian on servers might also be Apline Linux. Which also has more a focus on network devices, but some people use it on a desktop as well.

If you have many different systems, and just want to learn to operate them all, maybe NixOS might be interesting. Using flakes, you can configure multiple machines from just one repo, and share configurations between them. But getting up to speed on NixOS might not be so easy, it has a steep learning curve.

What’s ACC?

ACC - Advanced Charging Controller, which allows to set charge limits, thus extending the battery life, which should have been part of Android from the beginning,

Anyway I would strongly discourage using root under Android as it breaks the security model.

Security isn’t a binary, security works like an onion, you have multiple layers of security and multiple decisions to make on every level. Currently you might be right, that having root access to a device might compromise it in some ways, but that isn’t necessarily so and depends on how it is done.

You should find ways around using root and if you can’t you probably shouldn’t be doing on your phone anyway.

This kind of thinking is the ‘I know better than you’ mentality, that I sometimes see around people advertising GrapheneOS. Having ‘root’ permissions to the device is owing it, I want to decide what to do with it, not the vendor of the ROM, or who ever else. They aren’t me, they don’t know what I want to do with it.

The goal of security models is allowing me, the owner, to do what ever I want with my device, while preventing others, non-owners, un-trusted applications or the internet from doing what they want with my device. If the security model doesn’t allow me, the owner, to do what I want, then it failed its job at least partially.

Root is very dangerous as it can survive a factory reset.

Why is that dangerous? The first thing I do, when I get a new phone is boot into the boot loader, and overwrite the whole partition, then the system is trusted again, at least if I trust the vendor of the boot loader. When I want to do a factory reset, I do the same, overwrite the flash with a fresh OS image.

IMO, there are other reasons why the current implementation of root are dangerous: They currently considered binary and I think they could be implemented more gradually. Like one application having root over individual other applications, e.g. accessing their files. Allowing/Disallowing individual privileged system calls, or access to specific system files, etc. All of this could be hidden behind a switch in the developers menu. Maybe only allow applications to gain root access when using a registered hardware token, etc.

As for MicroG, it is sandboxed but it does require device admin for full functionality. It isn’t running as root but it requires a lot of device permissions. You can turn off the permissions you don’t need but that could break things.

In order for MicroG to work full, you need to fake the signature, which requires a patch to the system, or root privileges.

Like others already said, you can still root your GrapheneOS, there are two ways to do this:

1. Just unlock your bootloader, flash Magisk or whatever, done. Disadvantages, you cannot lock your bootloader again, thus creating a huge security gap where an attacker, when gained physical access to your phone, overwrites your boot partition and you boot your compromised system without noticing. Which is bad, IMO.

2. Recompile GrapheneOS with Magisk installed, signed it with that key and use this key in your bootloader to lock it. You essentially created a GrapheneOS fork, can no longer use their OTA update server and use the security updates, etc. You need to create this yourself.

Yeah, they don’t prevent you from doing it, the same as original ROMs don’t prevent you from doing it.

Exactly right. However all the downsides you have when doing that sort of defeats the purpose. So a GrapheneOS native way to control your device would be nice.

Well, I never really missed being able to pay via NFC on a phone, but I also never done it. My NFC chip in my card works fine.

When my baking app started detecting my rooted phone, I just switched to using their web-app via Firefox, which allows you to create a direct link to it as an “App”. Which is probably better anyway, than installing random proprietary apps on a phone. And logging into it every time is also easy with a password manager.

So I guess, as long as the banks still offer a website, I am good.

I am currently using a rooted LOS with MicroG. It certainly is not as secure as GrapheneOS in terms of app sandboxing, encryption, regular security updates, etc., but I have control of the system, in case I need it, for instance ACC, F-droid privilege extension (F-Droid auto updates), ReVanced Manager (not using it currently) etc.

I trust GrapheneOS much more than Apple, but both go into a similar direction with their understanding of security. IMO taking control away from the user might be a good option, if you are dealing with just regular consumers, but I don’t really like the “one-size-fits-all” approach of it. And it is my device, I should be allowed to decide what I want to do with it.

BTW, this is just a personal annoyance of mine. The GrapheneOS devs do a very good job.

I would like to switch, but there are a couple of points that are still holding me back right now:

• Charge limits, on LOS I can root the phone, install ACC and still use the OTA updates, if I apply the patch afterwards. (Will be resolved in A15)

• Option for sandboxed MicroG, IMO privacy is also very important for security, and people should be able to decide if they like more privacy or more security.

• Option for rooting sandboxed apps from outside. IMO I, and a person, like to have full control over my phone. Trust often comes with control. If I choose to trust one app to have root access to another app in order to inspect it, then this should be possible. Sandboxing could allow one app to have root access to individually chosen other apps, thus limiting the impact compared to system-wide root access. Maybe offer rooting gated behind a separate hardware token authentication. (sudo like) A lot there can be improved IMO, while still providing it and making it more secure in general.

I know that my understanding of security and privacy might be different from what GrapheneOS understands, but as a long time Linux Admin, I don’t like black boxes, I like to peek into them, modify or patch them, when they do something I don’t want them to do, etc. So that when I enter personal information into them, I am still in control what happens to them, at least that is my desire.

Taking control away from the user in order to “improve security” might be a valid approach to some, but it is not something I have much trust in.

So generally the pro of coreboot is that it is open source, but the con is that it is open source.

What I mean by that, you can fix any issues yourself, however, if you are unable to do it yourself, you have to wait until someone does it for you and often what features are available and stable are a hit and miss.

Compared to proprietary bioses, the company has some kind of standardized process for developing the bios. So you often get want you would expect. However, if the money flow from the pc vendor to the bios vendor drys up, you, or the community of owners. will not be able to fix any issues.

Linux support should be the same, regardless if you choose proprietary or open source bios. But that depends on how well the coreboot was ported to the platform. So officially supported coreboot bioses are likely better than others.

Personally, if all other attributes are equal, would go with coreboot, because I like to support vendors that offer that choice, and IMO a open source solution, that you can review and build yourself is intrinsically more secure than a binary blob, where you have to blindly trust some corporation. But other security minded people might disagree, which is fine.

Check if you find anything about this in the kernel log (dmesg).

Not the drama itself should influence your judgment, but how they will deal with it.

Whenever people work together on something, there will be some drama, but if they are dealing with it, then that should be fine.

Nix and NixOS are big enough, that even if it fails, there are enough other people that will continue it, maybe under a different name.

Even it that causes a hard fork, which I currently think is unlikely, there are may examples where that worked and resolved itself over time, without too much of burden on the users, meaning there are clear migration processes available: owncloud/nextcloud, Gogs/Gitea/Forgejo, redis/valkey, …

As I said, it is not impossible to move away from gh compared to many other cases in other industries, just that it is more difficult than necessary because vendor-lockin is allowed.

If vendor-lockin was illegal, companies had more incentives to use established or create new standards to facilitate simpler migration between software stacks, without changing the external interface.

For instance allowing your own DNS name to be used as the repo/project basepath instead of enforcing github.com, Allowing comments, reviews, issues and pull requests via email or other federated services, instead of enforcing github accounts to do so, providing documented, stable and full-featured APIs for every component of their software, so that it is easy to migrate and pick and choose different components of their while stack from possible different vendors, …

There are so many ways that would improve the migration situation, while also providing more ways for other ideas to compete on a level playing field. If a bright engineer has an idea for improving one component from github, they should not be required to write a whole separate platform first.

Well the reason for that is the vendor-lockin and centralized technology.

If your project for instance uses a similar development method as the linux kernel does, e.g. sending and reviewing patches via mailing lists and providing url to push and pull git repos from, it is quite easy to switch out the software stack underneath, because your are dealing with quasi-standart data: Mbox, SMTP, HTTP(s) and DNS. So you can move your whole community to a different software stack by just changing some DNS entries and maybe provide some url rewrite rules without disrupting the development process.

I am not saying that the mailing list development process is the right one for every project, but it demonstrates how agnostic to the software stack it could be.

If vendor-lockin is made illegal, the service providers would have more incentives to use or create standardized APIs, so that their product can be replaced by competitors. So switching to or from github/gitlab/… becomes easier.

It has more than you expect, if your project is established on github and want to move away you have to deal with:

• migration of issues
• migration of pull requests
• migration of all review comments etc
• migration of the wiki
• migration of the pages
• convince all contributors to possible create a new account somewhere else
• changing of the project urls. I don’t think github offers a url rewrite service
• forks on github will not have the new destination as the fork base
• change the ci and release process
• because you cannot add url rewrite rules to your old gh project, you might need to only ‘archive’ the project there with manually written text, to point to the new destination, for people to find it

You don’t know what a “monopoly” is.

What the author is probably searching for is “vendor-lockin”, which is an anticompetitive practice for so long that it became the way many companies rely their business on. It favors established products over new-comers by making switching offerings difficult/expensive or even impossible, thus better products often have no chance of competing in a field, that was dominated by a single supplier for a while.

IMO there should be strict regulations and high fines associated with it, because it hinders innovation massively across all industries.

The cost of switching away from github for a project is high, but not as high as in other fields.

IDK. I think that just causes more confusion. Like with “Use gitlab”, do I mean the application or gitlab.com?

“We give you money, so that you don’t put a backdoor from another country in your software.”