Thanks, I’ll give that a look.
Based on the date, this is like reporting the second one, imo. A third wouldn’t be at all surprising though, the Serial-Killer-in-Chief won’t stop until someone forces him to.


A layered defense is always best. Nothing is 100%, but knowing your threat model will help define how far you have to go and how many layers you want in the way. Defending against state-level actors looks different than swatting the constant low-effort bot traffic. You’re right, if a bad actor gets root on your machine, all security is forfeit. The goal is to minimize that possibility by keeping applications and packages updated and only allowing necessary connections to the machine. You mentioned WireGuard or Tailscale. Set that up first. Then set up the host firewall to only allow outbound traffic onto the VPN to the required ports and endpoints on the LAN. If the VPS isn’t hosting any public-facing services, disable all traffic except the VPN connection from and to the public Internet both on the cloud provider’s firewall and the host firewall. If it is hosting publicly accessible services then use tools like fail2ban and CrowdSec to identify and block problem IPs.


Firewall rules on outbound traffic from the VPS to the LAN would do it. Allow traffic to the hosts and ports that the VPS needs to reach and block everything else.
Agreed. Also, Windows and OSX, unless you want to have to call your nephew who’s Good With Computers™ every couple of weeks. If you’re just using a browser for everything and never messing around like a good majority of people, Linux is just as good as either of those. Linux has gotten to the point where it’s Grandma proof if you stick to a distribution that prioritizes stability. If you choose a distro that prioritizes bleeding edge software versions, you may come across more bugs and breaking changes. Then you’ll need the troubleshooting skills mentioned here. Most of us are here to learn and mess around; the troubleshooting skills grow from that mindset.
I like my Denon Heos setup: 2 TVs, home theater, receiver in my office connected to my computer and speakers in 7 other locations. Works great with Music Assistant, and doesn’t require a cloud connection. It can pull firmware updates if you want but I’ve blocked all Internet access for those devices with no loss of functionality.


Wow that headline. While it’s factually true I guess, it’s not at all representative of what’s stated in the article. They conveniently leave out that they want a separate deal with Mexico. More decoupling than excluding.


Still way behind for KDE though. I’m running Sid on my gaming machine and hoping they update some time soon. I have KDE Neon on my laptop and it works great, but with an Ubuntu base it’s still trying to shove Snap down my throat.
Legal issues aside, are there any publicly available forks of the repo?


The Disney Vault!


Not so sure about that. It’s one of the hardest failures so far. It’ll probably make lists including Atari’s ET and the Ouya for quite a while.
If the OPNsense interface on the WAN VLAN has a public routable IP address there shouldn’t be a problem with double NAT. Double NAT should only be a problem if they have a crappy ISP that’s using CGNAT.
Edit: never mind, I reread your comment. We’re saying the same thing essentially.


He’s trying to run it on an esp32, didn’t you read the title? /s


Image server mangled by autocorrect? Best I can come up with.


Now I’m just waiting for Netgate to announce an end to CE so I have a reason to move to OPNsense. I’m lazy and it works so I haven’t taken the time to move yet. Weird for a company to EEE their own product.
Doesn’t alpine refer to the part of the mountain above the forest, above the limit of tree growth? So maybe they are trying to deforest OP’s computer?
That might be helpful. So far I was skipping the window manager and just opening the application by itself in xinit.