Pantherina

@Pantherina@feddit.de


Introducing BlueBuild | custom image tooling for image-based distros (blue-build.org)

Per a mutual decision, Universal Blue’s old custom image tooling has now been transferred to the BlueBuild org and development will be continuing under the BlueBuild project with basically the same team of maintainers and developers as before. The issue was discussed extensively in ublue-os/startingpoint#223 and eventually...

Cronjobs: When First Connected to Internet

Hi folks, Does anyone know how to instruct cron to carry out a command when a connection to the internet is first made after boot? I have a few jobs that only need to be done once per day and require an internet connection, e.g. downloading the weather forecast and my RSS feeds. I’m not always connected to the internet on boot...

Pantherina,

```
# Write the service unit; tee (not cat) is needed to create the file as root
sudo tee /etc/systemd/system/CUSTOM-networkstuff.service <<EOF
[Unit]
Description=Ping Wikipedia.org
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/ping -c 1 wikipedia.org
EOF

# Write the matching timer unit
sudo tee /etc/systemd/system/CUSTOM-networkstuff.timer <<EOF
[Unit]
Description=Daily ping to Wikipedia.org

[Timer]
# Once per day; Persistent=true catches up after boot if a run was missed
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOF

# Enable and start the timer (the service unit has no [Install] section)
sudo systemctl enable --now CUSTOM-networkstuff.timer
```
rberlim, to librewolf Portuguese
@rberlim@hachyderm.io

Gosh, why does my @librewolf keep going back to US as a default language? That's so annoying!

Pantherina,

Not if you are not using Tor and are not in the USA lol. The logic is pretty random.

Using a generic language (en-US, de-DE instead of en-NZ, de-AU for example) makes sense, but being US in France makes you stick out.

Pantherina,

If you randomize your MAC address (which is default on GrapheneOS and Fedora now) you are pretty anonymous to the wifi network.

Of course websites see where you are, they always do that. Use Tor or a VPN.

Pantherina,

LXQt is supercool, awesome to have a lightweight Wayland desktop!

I used pcmanfm-qt when Dolphin was broken, and it was very nice! I miss the “always filter when typing” feature, even though this will likely be possible in Dolphin.

Pantherina,

Theeeey want to give the little citizen… um, money?

My experience using Fedora Atomic (Budgie) for a month or two. (lemmy.dbzer0.com)

I would just like to preface this. This is the first blog post I’ve ever written, so please please please give me feedback if you can. I also didn’t intend on it being here on Lemmy, but Hugo is quite a complex tool that’ll take some time for me to understand. Webdev is not my cup of tea....

Pantherina,

That's KDE only. The widget adding is complex as it allows placing them everywhere, not only on the panel. This makes it very unstable compared to panel only (which would be like GNOME and enough for many workflows).

Kinoite also has no dedicated welcome dialog for doing the things that the GNOME setup does on Silverblue, I will do that when I have time.

Pantherina,

Discover too, thanks

Pantherina,

Be aware that secureblue is very secure!

Some kernel arguments may break boot (already have in the past) because of weird firmware and Fedora not testing their kernel with those kargs.

Strange things may happen with Electron apps (for me it's fine) and you might miss Firefox lol.

Pantherina,

I just wish I had rebased earlier 😅.

No you don't haha. I used it in a VM, then on a separate SSD. In the beginning it was a total mess with random packages removed and we needed to find out ways to disable stuff like printing, so they can be added back.

Btw if you find a reliable way to 100% disable kde-connect, that would be awesome as it could be added back.

Override-removed packages on these images can neither be added back nor reset, an rpm-ostree bug/issue.

Firefox from Fedora now supports using hardened_malloc instead of their jemalloc, so a custom image just adding back Firefox would already work.

After rebasing my ublue kinoite to secureblue I found that Firefox no longer started, lol. Learned how to compile it myself and dug into mozconfigs, really interesting stuff (short: if you optimize too much you break their build for some reason). Now because of weird mercurial stuff it doesn't compile anymore at all, so I use Chromium which sucks a lot.

Also had my system not boot twice, because of shitty Lenovo firmware and then because of the iwlwifi firmware bug.

Aaaand more. At the beginning there was no flatpak support, then only with bubblewrap-suid which is controversial and podman is broken, luckily there are userns images now.

The hack to use hardened_malloc on Flatpaks is also very nonstandard and Electron apps do completely random things it seems (don't use Electron, but it's everywhere! Nextcloud, mullvadVPN, Signal, Element, …)

Pantherina,

Does Librewolf (RPM) work?

I only know that Chromium browsers use userns or setuid namespaces to isolate tabs. This is not allowed by the flatpak seccomp filter (applied for all apps) which is why bubblejail is a thing. But bubblejail is veeeeery alpha, portals, theming, running random binaries etc all broken or difficult.

Flatpak Chromium browsers use zypak instead, which will have a weaker seccomp filter than the tab sandbox in Chromium (because flatpak apps do more than browser tabs and there is only a single filter for them all).

No idea about firefox, they just support the flatpak without any mention if the sandboxing is better, worse, unaffected etc.

Librewolf builds Firefox themselves, if they just add allow-replace-malloc or how it's called in their mozconfig it works with hardened_malloc. And I think that is the easiest solution. If they don't add that it should probably not launch. Flatpak works for some reason, probably because somehow it doesn't use hardened_malloc.

  • different name
  • already privacy optimized (only problematic if you need a vanilla profile)

Tbh I want to compile Firefox and the kernel with -O4 as I have an x86_64-v4 CPU. They will not do that as people run old hardware.

Thunderbird is the same, btw everything is built on the same codebase. My dream would be to build Firefox, Thunderbird and Torbrowser on COPR (or GitHub so the Fedora people don't kill me) with hardened configs.

I’ve also experienced some issues recently with boot times taking a lot more time than previously.

Longer than on vanilla Fedora, or longer than before on secureblue? They distrust the hardware and generate random values as far as I understood, also use kernel lockdown mode. Those are important and increase boot times but not performance. Btw also if your CPU is affected by Spectre/Meltdown attacks it will automatically disable hyperthreading. Very cool karg that should totally be the default.

Yeah secureblue is nice and very needed. Wanted to do something similar (as did a lot of other people) and found qoijjj's awesome groundwork. He invests hours in that project, look at the “secureblue Chromium vs Vanadium” table, it's crazy.

Pantherina, (edited)

Bubblejail allows creating different seccomp filters per app. This means you can allow the browsers to create namespaces, which fixes that problem. There are tons of problems though.

Yup needed some time to understand that zypak thing too. I think it boils down to that issue, they will be okay but less secure than possible, so… why not use something else?

Yeah there are a ton of hardening arguments. Currently I can't build that damn stuff anymore because somehow I have missing build deps that I have installed and added to my path 100%.

In this repo I collect my mozconfig, and if everything goes well I will use github builder to make RPMs. That would be lit, because I would have all of them hardened, but for v3 and v4 optimized. Put in a directory, do some rpm repo magic and I have my own repo.

Feel free to help me figure that stuff out. Librewolf has a nice build pipeline, I created a PR to just support replacing the malloc, that would be the easiest and best solution.

Then fedora firefox and librewolf would allow that, only flathub firefox missing really. Replacing the malloc is a very unsupported case for flatpak though, as the apps should be OS-unspecific.

Pantherina,

What distro?

Pantherina,

Never heard of sudoedit. I want to experiment with a system where I alias sudo=pkexec, VanillaOS does that

Pantherina,

Well, if you look at the file… and search the internet for “fedora edit grub entry not possible” that works.

You use grub2-mkconfig to create this file, and what you want to change is in another file that is used to create this one.

The thing is, what do you want to edit?

Pantherina,

Did you already do an internet search? Positive you will find that answer

Pantherina,

My problem now is waiting for Fedora 40

Pantherina,

40 is not out, is that rawhide?

Pantherina,

Needs to be compiled for its ARM architecture, that's it. Plasma also highly relies on GPU acceleration, so this also has to work.

Pantherina,

GrapheneOS discuss. Their GitHub repo looks like they actually have the sources for everything.

Pantherina,

Portal of nothingness

Pantherina,

Search for some addon using “desktop view” on addons.mozilla.org
