h3ndrik

joined 1 year ago
[–] h3ndrik@feddit.de 1 points 8 months ago* (last edited 8 months ago) (1 children)

Yeah, I think we should extend the sandboxing features like AppArmor, SELinux and Flatpak for desktop use. Look at macOS and Android and what they're doing for desktop users. That is currently not the Linux experience. Ultimately I'd like my system to have an easy and fine-grained system to limit permissions. Force third-party apps to ask permission before accessing my documents or microphone. Have sane defaults. Make it easy to revoke, for example, internet access with a couple of clicks. Make it so I can open an app multiple times and have different profiles for work, private stuff and testing. This should be the default and active in 100% of desktop applications. And apps should all use a dedicated individual place to store their data and config files.

Librewolf and more [...] used as Flatpak, [...] it's way more stable.

That's just not true. I've been using Linux for quite a while now. And I can't remember my browser crashing in years, seriously. Firefox slowed down a bit when I had 3000 tabs open, but that's it. How stable is your Flatpak browser? Does it crash minus 5 times each year? How would that even work? And what about the theming and addons like password managers I talked about in the other comment? Use the distro's packaged version. It is way more stable. And as a bonus all the edge-cases will now work, too.

[–] h3ndrik@feddit.de 1 points 8 months ago* (last edited 8 months ago)

I mean it's not even my own problem. I just have Spotify, Microsoft Teams and Zoom installed that way, and a few pieces of software that I'm testing. I use a rolling distro so I have the most recent versions of every software I need anyways. And I have the skills to configure stuff. So I myself don't have a use case for a spyware-riddled Chrome browser from Flathub or something. I have a nice LibreWolf from the unstable channel of my distro. Steam and all the other stuff is there, too. And it works almost flawlessly. Why would I trade that in for a 4GB version of the same software that has downsides?

It's the newer users I'm concerned with. Their sub-par experience of Linux.

This is what I mean:

  • https://github.com/keepassxreboot/keepassxc/issues/7352 (Maybe KeePass works as of now(?) I don't think so but I haven't tried. At least some add-ons do. But others don't. It requires the permissions to be configured by the people preparing both Flatpaks that want to talk to each other.)
  • https://itsfoss.com/flatpak-app-apply-theme/ / https://docs.flatpak.org/en/latest/desktop-integration.html
  • All the issues people had with Steam, the graphics drivers, attaching gamepads/controllers or headsets, getting Discord and extras working. (Some of that seems to have been resolved in the meantime. They put quite some work into it.)
  • Some distros don't update Flatpak packages as part of their standard update mechanism. You need to learn to regularly run "flatpak update" or learn how to activate that.
  • I have some packages that still rely on old runtimes that are missing security patches. I suppose it's the same for a lot of other people. And there isn't a mechanism to warn you. You also need to learn how to figure that out.
  • I don't remember which of the video conferencing solutions this was, but I remember fighting with the webcam permissions and advice on the internet was to disable sandboxing entirely. I set the permissions a bit better but then also screen sharing wouldn't work.

As I said, it's okay for someone like me - and probably you - to use, and I don't complain. I'm glad I have Flatpak available as a tool. But look at the issues I've linked above and the steep learning curve for the beginner. They need to learn what GTK is, what Qt is, what desktop they use, learn what Flatseal is, use the CLI. They have no clue why it is even required to do that much work to get their KeePass set up. And that it's not Linux's fault but their decision from 2 weeks ago to install the browser that way. And their experience is just worse than it needs to be. And this isn't unsubstantiated, I'm speaking from experience. I've answered these questions over and over again. It's already annoying to get the Nvidia stuff set up reliably, find new software and adapt your workflow. And the switch from X11 to Wayland broke things like screen sharing/recording, anyways. And we're now piling 20 other things on top, to learn and do manually if you happen to be one of the users who don't use the default standard setup.

And nothing of that is "bad" or can't be fixed... We're making progress with all of that. And we'll get there. All I can say with my experience helping people with their Linux woes and the current state of Flatpak: The "use Flatpak for everything" mentality is causing issues for some newer users. And experience shows: They rarely understand the consequences but heard the hype about Flatpak. And few of them can explain why they used Flatpak over the proper packages in their distro.

So my opinion in short:

  • Flatpak is nice: yes
  • try a Flatpak first, then the distro package if it doesn't work: hard no
  • you can get recent software on older distros with flatpak: yes
  • you can recommend Flatpak: Yes, if you also explain the consequences of the sandboxing and pulling things from potentially unreliable third-party sources. You're doing people a disservice if you don't.
  • some of this will change in the future: yes
  • we should have more sandboxing: yes
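The list above mentions that nothing warns you when an installed Flatpak still runs on an end-of-life runtime that no longer gets security patches. The following is an added example, not code from the original comment or from the Flatpak project, showing how that check can be scripted. It assumes that `flatpak list --columns=ref,runtime,options` prints one tab-separated line per installed ref and that the options column carries an `eol` marker for end-of-life refs (check `flatpak list --help` on your system); the function is exercised here on a constructed sample of that output.

```shell
#!/bin/sh
# Added example (not from the original comment or the Flatpak project).
# Finds installed Flatpak apps that run on a runtime marked end-of-life, i.e.
# a runtime that no longer receives security patches.
# Assumption: `flatpak list --columns=ref,runtime,options` prints one
# tab-separated line per installed ref ("app/..." or "runtime/...") and the
# options column contains "eol" for end-of-life refs. Verify with `flatpak list --help`.

# Reads that tab-separated output on stdin and prints "<app> uses <runtime>"
# for every app whose runtime is end-of-life, sorted so the result is stable.
report_eol_runtimes() {
    awk -F'\t' '
        $1 == "Ref" { next }                       # skip a header line, if any
        $1 ~ /^runtime\// && $3 ~ /eol/ {          # remember end-of-life runtimes
            r = $1; sub(/^runtime\//, "", r); eol[r] = 1
        }
        $1 ~ /^app\// {                            # remember which runtime each app uses
            a = $1; sub(/^app\//, "", a); uses[a] = $2
        }
        END {
            for (a in uses)
                if (uses[a] in eol) printf "%s uses %s\n", a, uses[a]
        }' | sort
}

# Constructed sample of what `flatpak list --columns=ref,runtime,options` might
# print: two apps, one on a current runtime and one on an end-of-life runtime.
# The app id com.example.OldApp is made up for this example.
SAMPLE=$(printf '%s\t%s\t%s\n' \
    'app/org.mozilla.firefox/x86_64/stable' 'org.freedesktop.Platform/x86_64/23.08' 'current' \
    'app/com.example.OldApp/x86_64/stable'  'org.freedesktop.Platform/x86_64/20.08' 'current' \
    'runtime/org.freedesktop.Platform/x86_64/23.08' '' 'current' \
    'runtime/org.freedesktop.Platform/x86_64/20.08' '' 'eol,current')

# Same check against the live system (needs flatpak installed; not run here).
report_live() {
    flatpak list --columns=ref,runtime,options | report_eol_runtimes
}

# Run on the constructed sample: only the app on the 20.08 runtime is reported.
printf '%s\n' "$SAMPLE" | report_eol_runtimes
```

Running `report_live` after a `flatpak update` gives a short list of apps whose runtime has gone end-of-life; an empty list means every installed app sits on a runtime that still receives updates from its remote.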

[–] h3ndrik@feddit.de 4 points 8 months ago* (last edited 8 months ago) (2 children)

Hehe, No. It's the sandboxing.

But with this approach you take over answering the questions from newbies... Why doesn't the webcam show up in the videoconferencing? Why don't my GTK/Qt themes apply to some software, and why is it a 2-page tutorial with lots of command line commands to fix that? Why can't I install Firefox add-ons, while on Windows and macOS everything just works? Why is Linux so complicated, and why does stuff regularly not work?

I had this argument multiple times now. There is an easy solution: Do it the other way around until you know what you're doing and about the consequences. Distributions are there for a reason. They put everything into one package and do testing to make sure everything works together. They provide you with security patches if you choose the right distro. LibreOffice and a browser even come preinstalled most of the time. If you do away with all of that, it's now your job to tie the software into your desktop, your job to handle the sandboxing if there are add-ons that need to pierce the sandbox. Your job to make sure the Flatpak publishers do quick updates and keep the runtimes up-to-date if a security vulnerability arises within a used library...

I'm not directly opposed to using Flatpak. I'm just saying there are some consequences that aren't that obvious. There are valid use-cases and I also use Flatpak. But in my experience hyping some of the available technologies without simultaneously explaining the consequences is regularly doing a disservice to new users.

[–] h3ndrik@feddit.de 4 points 8 months ago (3 children)

I'd be happy if people just cut down on advertising Chrome/Firefox and LibreOffice via Flatpak to new users. They should use the packaged version. That's why we have distributions: to make the whole system a smooth experience and have everything tie together.

Flatpak is slowly getting there and I think at least some distros have it preconfigured so the default GTK themes are in place.

Ultimately, I'd like sandboxing to be available natively in Linux, at least for desktop applications. And we can talk about a packaging format that is available to the user, allows pulling software directly from the upstream project, includes libraries and runtimes.

[–] h3ndrik@feddit.de 13 points 8 months ago (9 children)

We're also regularly debating Flatpak here. That password managers don't tie into the browser and the desktop themes don't apply. It's also not the best solution and regularly confuses newer users.

[–] h3ndrik@feddit.de 23 points 9 months ago* (last edited 9 months ago)

kobold.cpp is easy to use, fast and I like it.

If you're interested in more relevant Lemmy communities:

(another option: text-generation-webui has several backends bundled. Maybe one of those works for you.)

[–] h3ndrik@feddit.de 1 points 9 months ago* (last edited 9 months ago)

Try a more managed and out-of-the-box solution first, then work your way down to the commandline. I'd recommend one of the NAS solutions like openmediavault (if they still do docker) or https://cockpit-project.org/

or Docker for Desktop or podman.io

(maybe lxc containers with proxmox or unraid)

[–] h3ndrik@feddit.de 2 points 9 months ago

You're right. Both standards are open. I got confused by the German Wikipedia article about Matter which is very misleading.

I have 2 thermostats but that's not enough for the rooms. And I'm not entirely happy with them. Maybe I need to find a good model and buy some more.

[–] h3ndrik@feddit.de 2 points 9 months ago* (last edited 9 months ago) (2 children)

Zigbee

Sure. I think Zigbee/Matter are proprietary standards. And you don't have too much control over how it is implemented in the individual devices and any possible security vulnerabilities. It is a separate network though and easy to use. I bought a small gateway to connect it to Home Assistant after the USB stick I was initially using showed some compatibility issues.

What I really like are those cheap Chinese devices that have ESP8266 or ESP32 microcontrollers in them. I can flash Tasmota or ESPHome on them, take control and have them run free software. No manufacturer's cloud needed and updates indefinitely.

Yeah, and we recently talked about smart/dumb appliances. In this household there are lots of older appliances anyways. And we moved a few years ago so they're just old enough that none of them have wifi. I think that has changed since. Nowadays it's not an extra 150€ for wifi anymore, but part of most appliances. And you get an app along with your new dishwasher by default. I like "smart" with lighting. And having the washing machine turn on 2h before I get home is a huge convenience. Apart from that, I'd like the heating unit to be smart, but it isn't. I think we could save some energy if the gas heating stopped after everyone left. There is no steady weekly schedule I could program into the central unit, so it's just some radiators I can turn down. Apart from that, I don't think I have a good use case for a smart dishwasher, fridge or a bugging device that can play music.

[Intel ME] it is essentially at ring 0

I don't like it either. It's just a very stupid design choice to have some uncontrollable extra chips run god knows what with the highest privileges. And in the past people already discovered several security vulnerabilities. And there is no alternative to it. I think AMD does the same. And coreboot is a bit niche. I'd have to put quite some effort in and make some trade-offs. And it doesn't have to be this way. I don't think the embedded controller firmware is a super valuable trade secret anyways. They probably keep it a secret and locked down for shady reasons or because they don't want people to see the amount of vulnerabilities in it. I don't think it would do Intel or AMD any harm to just open up that part of the system.

[–] h3ndrik@feddit.de 2 points 9 months ago* (last edited 9 months ago) (4 children)

Ah. Thanks for explaining :-)

Yeah, the ...keeping the mess somewhere else and not doing it on the important firewall... makes sense.

I also like to keep it clean so everything is a bit more modular and better to maintain. (I made the mistake of introducing circular dependencies and overly complicated setups often enough.)

I think the double-NAT is a bad idea. Such things just cause pain and break in unexpected ways. I'd rather focus on getting the firewall right. And the NAT doesn't add anything here. A firewall is the correct tool to filter packets between two network segments. A NAT is a crude thing that happens to drop incoming connections from the other side. But you could as well instruct your firewall to drop those packets. It'd be the same result just without the added pain.

And I have some IoT devices as well. Half of them use Zigbee, the other half is connected to my main wifi, I never got around to separating them. But they're all running open source software and talking to my Home Assistant via MQTT or ESPHome. (I don't own any smart dishwashers or coffee machines.)

I don't have too much info on Intel ME. I suppose it doesn't do stupid things, or someone would have found out already. And it's really difficult to protect against. Especially in a setup that isn't completely locked down. I hope they someday learn and replace that with an open solution.
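The point made above, that a stateful firewall between two segments does explicitly what a second NAT only does as a side effect, as an added nftables fragment. This is not from the original comment; the table name and the interface names `lan0` (trusted segment) and `iot0` (the segment with the IoT devices) are placeholders you would replace with your own.

```nft
# Added example, not from the original comment. Forwarding policy between a
# trusted LAN (lan0) and an untrusted segment (iot0); interface names are
# placeholders. No NAT is involved: the connection-tracking state alone
# decides which side may open connections.
table inet segment_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # packets that belong to no known connection are dropped outright
        ct state invalid drop

        # replies to connections the LAN opened are let back in
        ct state established,related accept

        # the LAN may open new connections towards the IoT segment
        iifname "lan0" oifname "iot0" ct state new accept

        # nothing else is accepted: a device on iot0 cannot open a
        # connection into lan0. That is the effect a second NAT would
        # have as a side effect; here it is the stated policy.
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`; because the policy is explicit, adding a single accept rule later (say, for one MQTT broker port from iot0 to the server) is a visible, reviewable change rather than a port forward hidden inside a NAT table.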

[–] h3ndrik@feddit.de 4 points 9 months ago* (last edited 9 months ago) (6 children)

Thanks. I was going a bit more for the "what do you need that for" aspect. Emulating an enterprise environment sounds more like tinkering or learning? I mean I get network segmenting if you want to separate, for example, a home office from the entertainment devices in the living room from the cheap unpatched IoT devices... And also have a separate network to experiment in the basement lab... Doing firewalling to keep the TV from transmitting behaviour tracking data to the manufacturer... Stop the kids from accessing the network share... Or you have several servers running at home with lots of containers...

But are those hypothetical use cases? Or what do people actually use the 2 consecutive firewalls and different network segments for?

I mean I live in a country where electricity isn't that cheap. I run one server 24/7 and that has to do everything. And since it's just one machine I can set up a network bridge and a separate internal network for docker there. Most of the networking isn't overly complicated and is contained within that machine. But my OpenWRT also does additional wifi for the guests and a third network for experimentation.

I get doing it as a hobby. I was just wondering if there are 12 laptops at home, VLANs through the house and 3 servers with lots of storage and webservices and that's what the OPNsense is for, or if it's more "because I can".

[–] h3ndrik@feddit.de 4 points 9 months ago* (last edited 9 months ago) (8 children)

What kind of extensive network setups are you running at home? I just have a few Wi-Fi routers with OpenWRT and one server / NAS. (Which also does DNS ad-blocking.)
