

And support for extensions like uBlock Origin.
I’m the Never Ending Pie Throwing Robot, aka NEPTR.
Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.
TL;DR I am a nerd.




On Debian I would choose Flatpak because it will be generally much more up-to-date than native packages (which becomes even further true the longer through the release cycle we are).


I am not trying to say that SailfishOS (or Jolla) isn't a cool project, it just doesn't belong here. Whenever people post Obsidian.md in here I say the same thing for the same reason. Try posting in the Linux phones community. I don't subscribe to this community to see proprietary software invade the FOSS space.


AOSP is open source, Google’s Certified Android is not. You can contest that if you want.
That doesn't change that SailfishOS is straight up proprietary for most of its developed components. It does not belong in this community. The Wikipedia page for SailfishOS says under license "proprietary with some open source components".


Sailfish OS is proprietary. It does not belong in this community.


From the description of this repo:
OpenCal is a web-based open-source software designed to make online appointment scheduling effortless and efficient. Whether you’re managing a team or running a business, OpenCal takes the hassle out of coordinating appointments, eliminating the need for endless back-and-forth emails. With OpenCal, you can streamline communication, save time, and focus on what really matters.


Can you give a description instead of just posting a plain link. Low effort post.


Screensharing is the only thing I don't think it does. Voice and video are good. See Snikket or conversations.im


They have the best ARM CPUs in any consumer product and very good software/hardware security. I hate Apple because their shit is overpriced and locked-down, but that doesn't mean it's garbage.


Yes, I understand what GVisor does. Cgroups2 are for isolation of system resources, but aren't even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces are significantly more important for these containers' security.
GVisor helps with one of the main risks in a container setup, which is the kernel shared by hosts and guests. I understand it comes with a performance penalty (and I didn't know it was incompatible with SELinux), but that does change my original point that GVisor is a security improvement to default Docker. I understand there is more nuance; even when I wrote my original comment I understood (just like any other security feature) it can't be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: kernel vulnerabilities and privilege escalation.
I researched cgroups2 more and I still don't understand why you brought it up in the first place. Cgroups2 and gvisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk of DoS attacks) by controlling access to some system resources (io, devices, cpu, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gvisor because it is mostly just a drop-in replacement container runtime which doesn't need setup to be used.
Now for a different container runtime which provides significantly more features (than gvisor) with fewer downsides (if configured correctly for a specific workload): Sydbox provides syd-oci, which is an application kernel runtime that uses a permission config file to create a sandbox, isolating using namespaces, seccomp, landlock, and more. It can sandbox in many different categories (oftentimes leveraging multiple features to provide a multilayer sandbox); you can see the categories in the syd manpage. The biggest downside is that you must really understand what your container application needs, otherwise it will prevent it from running. It is a "secure by default" sandbox which can be softened through config.


I don't really understand what you mean in your last sentence.
My reason for saying GVisor is safer is because it is an application kernel which traps and emulates most Linux syscalls in the guest, with a far smaller set of syscalls going to the host kernel, helping to prevent container escapes and privilege escalation. GVisor also fully drops privileges early in startup (before running any significant logic), helping to prevent privilege escalation.
Cgroups is not really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resource limiting (among other things). You can not use GVisor with LXC.


The UI is proprietary.


In order of most to least secure
VM > Docker+GVisor > Docker/LXC
Docker+GVisor is good middle ground because it provides the guest container with an application kernel in a memory safe language and reduced syscall attack surface to avoid kernel container escapes. Docker/LXC share the kernel with the host.
They disregard the risk from the vendor because you are already using their hardware. The hardware has firmware already included which is proprietary, the hardware itself is proprietary, and hardware effectively runs as root anyways. You should already trust your hardware or you shouldn’t be using it. Linux-libre is a purity test, that is it. It is security theater which actually, definitely, really makes you vulnerable without doing anything meaningful. The only time it makes any sense is if you only use open source hardware.
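The gVisor comments above (registering runsc as a Docker runtime, and checking that a container really got gVisor's application kernel rather than the host kernel) as an added example; this is not code from the original comments or from the gVisor project. It assumes runsc lives at /usr/local/bin/runsc (placeholder path), that the daemon reads /etc/docker/daemon.json, and that gVisor's in-container dmesg carries its "Starting gVisor..." banner.

```shell
#!/bin/sh
# Added example: make "--runtime=runsc" available to Docker and verify that
# a container launched with it is running on gVisor's Sentry, not on the
# shared host kernel. Paths and image name are assumptions, not from the page.
set -eu

# Fragment for /etc/docker/daemon.json that registers the runsc runtime.
# Merge it into an existing file rather than overwriting one.
runsc_daemon_config() {
  cat <<'EOF'
{
  "runtimes": {
    "runsc": { "path": "/usr/local/bin/runsc" }
  }
}
EOF
}

# Classify a container's dmesg output. gVisor's application kernel prints
# its own boot banner, while a runc container shows the host kernel's ring
# buffer (or nothing at all). Returns 0 for gVisor, 1 otherwise.
is_gvisor_dmesg() {
  printf '%s\n' "$1" | grep -qi 'Starting gVisor'
}

# Run a throwaway container under runsc and inspect its dmesg.
# Returns 1 if the runtime is not registered or the banner is absent, i.e.
# the workload would still be talking to the host kernel directly.
verify_runsc() {
  out=$(docker run --rm --runtime=runsc alpine dmesg 2>/dev/null) || return 1
  is_gvisor_dmesg "$out"
}
```

Run `verify_runsc` after restarting the daemon with the merged config; a non-zero exit means the container did not get the reduced host syscall surface the comments describe.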


Being 2 months late to a quarterly patch is still very bad. /e/OS should be avoided.


The embargo on security patches isn't what I am talking about. Once security patches are released, /e/OS takes 1-2 months to patch these vulnerabilities. This isn't because of the embargo but in addition to it! They are by far the worst about this out of any of the alt Android ROMs (2nd worst is iode, at around ~1 month). /e/OS has been terrible about security for years, even before all this "Google security patch" nonsense.


Just so people know (or as a reminder), Grayjay is NOT open source. FUTO is very sus and the cofounder techbro guy (not Rossmann) is a fascist weirdo.


/e/OS is terrible for security. They are often 1-2+ months behind on monthly Android security patches, leaving their users vulnerable to dozens (I am not exaggerating, often more) of critical and high severity vulnerabilities which are widely exploited. Stay away from that shit.


On fdroid, it reports these anti-features for Xtra

I think it is worth noting that while what Russia is doing is evil, they are not the only evil players in the game. So many countries are complicit and actively support Israel (monetarily), and most countries do business with USA (mega)companies (like Google, Microsoft, Meta) even with the current regime.