Swap is rarely hit, especially if set up with zram.

This is not a good thing btw. Any unused anonymous page takes up space that could instead be used for file-backed pages that make your system faster.

Multiple swap tiers beyond zram/zswap

Swap is not tiered storage!

Priorities control order of preference, not tiers. If you run out of space on a higher priority, it will not move that swap’s data to a lower priority swap. It will keep all of it exactly where it is and new data will hit the lower prio swap instead, no matter how hot it is.

Intel Optane

Cool tech but it’s dead and was quite niche even when it was alive.

zram write-back device

Not a thing you actually want to use for swap. It’s not an automatic writeback that is integrated into the Linux MM in any way. (Probably has some use-case for non-swap zram purposes though.)

Large HDD swap partition used as a third tier swap disk

This makes no sense at all unless you are extremely space-constrained on the NVMe and absolutely must not OOM – even if progress stalls to an absolute crawl.

swapped pages can be moved around by the user (or a tool), by turning swap devices off and on.

This is neither feasible nor desirable. You don’t have enough granularity to do anything useful by doing so.
Even if you had, it’d work against the MM because it resurrects pages as “hot” that have been cold for a long time.
In any situation where swap is important, making the kernel think cold pages are hot is the very last thing you want.

I too wish it were but tiered/transcedental memory is not a thing in Linux and these hacks do not change that fact; they merely look similar if you don’t look close enough.

I cannot think of a single use-case where this would be preferable to a decently sized physical swap with zswap XOR just zram swap (if physical swap is infeasible).

This testing compares apples to oranges. Differently sized swap and quite obviously different workloads. Given how very much compress ratios depend on the specific data that is compressed, this experimental setup cannot produce valid results.

This is exacerbated by your swap being full. Zswap is more of a cache in front of your actual swap; it requires physical swap to function. If the physical swap is full, it cannot receive more data! Zswap not doing very much when the swap is full is totally expected behaviour because it simply doesn’t. The solution to that is to size your swap sensibly. (Admittedly, this does not appear to be documented clearly.)

zswap uses the exact same allocator as zram these days (zsmalloc). It’d be very surprising if it had different space efficiency characteristics. It’s not impossible (could be a bug) but claiming so would require quite certain evidence IMHO.

RE: LRU inversion: the problem with not caring about it is that it’s not a visible problem until it very suddenly is. Your system will not gradually degrade but very suddenly and unpredictably hit a wall that it cannot get itself over.

There’s https://gitlab.com/android_translation_layer/android_translation_layer which can already run BeatSaber apparently.

I think games specifically might be easier than most other apps as they are probably often little more than a 2D canvas displaying a regular Linux app with quite limited use of android-specific APIs.

Inconsistent time before sleep is likely the kernel waiting for IO to sync to disk.

Not going to sleep at all implies a serious issue that prevented the kernel from doing so. Check your logs!

Suspend reliability greatly depends on the firmware of your specific device as it controls the wakeup.

On my Framework 16 for instance, it is very reliable these days. I can’t remember the last time it woke up unexpectedly and I’m not sure whether it happened even once since the firmware update that fixed a major oversight in keyboard wakeup (waking when a key was pressed through a closed lid).

In Hyprland, how it works is that you define the screen lock command (e.g. swaylock) in hypridle and that gets wired into logind somehow such that you can loginctl lock-session.

I then (also in hypridle) define a before sleep hook that locks the session.

I believe the proper way to do this would be to run your lockscreen as a systemd unit that is WantedBy and Before suspend.target. This would in theory take care of making it idempotent and reliably show the lockscreen before initiating suspend.
A friend of mine has this sort of setup and, while it is reliable, the lockscreen is still racy and sometimes only triggers after suspend. Might be the lockscreen unit not signalling its readiness to systemd properly though.

Thank you!

I’ve found the Seedstudio thing after posting this too and it looks like the thing I’d be looking for!

What’s your experience w.r.t. coverage?
Obviously that highly depends on where exactly you are – you certainly aren’t going to have coverage in the outback – but I’m mostly concerned with places where people actually go and would take my bag/laptop/bicycle to. 'Stralia is going to generally be quite different from Germany too of course but it would be a good reference point from which I could extrapolate.

Well, they have – I think. When you download an edited image, it supposedly downloads an image with edits applied. The original is optionally available too.

If you download the edited image, this is effectively equivalent to the status quo of image editing.

Are there any (ideally waterproof) compact devices with long battery life (months~years)?

On the website I only found a long list of supported devices with brand name search and protocol type. grep showed no LoRaWAN devices though?

My use-case is theft tracking. I only need the device to be able to locate itself after a theft actually occurred and I request it remotely. (Perhaps also periodically with very low frequency.)

Disabling su is stupid because you always need some form of privilege escalation, restricting sudo to apt offers no security benefit whatsoever as apt allows arbitrary file modification, disabling root ssh provides no benefit when the unprivileged user has sudo access – I could go on.

Yikes, lot’s of bad advice in this thread.

My advice: Go develop an actual threat model and find and implement mitigations to the threats you’ve identified.

If you can’t do that, that’s totally okay; it’s a skill that takes a lot of time and effort to learn and is well-compensated in the industry.

You will need to pay for it. Either through an individual assessment by someone who knows what they’re doing, managed hosting services where the hoster is contractually liable and has implemented such measures, by risking becoming part of a botnet or by not hosting in a world-public manner.

My recommendations:

• Pay for proper managed hosting for every part of your system that you are not capable of securing yourself. This is a general rule that even experienced people follow by i.e. renting a VPS rather than exposing their own physical HW. There are multiple grades to this such as SaaS, PaaS and IaaS.
• Research, evalue and implement low-hanging fruit measures that massively reduce the attack surface. One such measure would be to not host in a manner that is accessible to the entire world and instead pay for managed authenticated access that is limited to select people (i.e. VPN such as Tailscale)
• git gud

Wow is that ever a load of snake oil.

I see this kind of guide as actively harmful because it creates a false sense of security.

Kagi is a search engine where you just simply pay with money rather than being instrumentalised in all kinds of awful ways in order to make the operator money.

I was very sceptical at first too. I highly recommend to simply try using it with the gratis 100 searches. That lasted me for a few days and I quickly noticed what there is to love about it.

It’s the best (and to my knowledge only) search engine money can buy.

(but-with 'nix (lots-of 'parenthesis))

That’s for encrypting your data to protect against an untrusted storage back-end.

They also have e2ee for users though where the server cannot see the plaintext either.

https://nextcloud.com/encryption/

And this is why you want atomic updates folks…

Did you/your distro set up realtime ulimits correctly such that pw can acquire rt priority?

Thanks for the explanation!

Though it ought to be possible to only respond with the new self-signed cert when LE does the challenge and with the previous, properly signed cert otherwise.

I found https://codeberg.org/neilpang/acme.sh/wiki/TLS-ALPN-without-downtime which demonstrates one method to achieve that but I lack practical experience judge whether that’s optimal.

Forgive my ignorance but why would that incur a downtime?

The only way I can think of for downtime to happen if you switched certs before the new one was signed (in which case …don’t) or am I missing something?

It also strikes me as weird that LE requires 80 but does allow insecure 443 after a redirect. Why not just do/allow insecure 443 in the first place?

The same that happens when you update to receive a breaking change on a rolling distro. It’s version number go up, just at a different point in time.

That’s a very odd example to choose given how trivially interchangable kernels are.

At NixOS, we ship the same set of kernels on stable and rolling; the only potential difference being the default choice.
I’m pretty sure most other stable distros optionally ship newer kernels too. There isn’t really a technical reason why they couldn’t.