• 73 Posts
  • 1.39K Comments
Joined 3 years ago
Cake day: March 21st, 2022

  • And the Flatpak browser thing is complicated.

    Chromium uses namespaces. Nowadays unprivileged user namespaces, but the legacy suid namespaces are still integrated.

    If you want to run Chromium (and I think all Electron apps too) as Flatpak, you replace those namespaces with zypak, which instead isolates processes using flatpak and its seccomp filters.

    These are the seccomp filters for every app though, so they are probably way too unrestricted. Also it has a small performance hit.

    That is the reason why no Chromium Browser Flatpak is official.

    Now the thing with Firefox is, I have no idea what isolation they use. Everyone says it's less secure. And they adopted Flatpak as if it was nothing, without any comment on that topic.

    The issue is that Flatpak uses a single seccomp filter for bubblewrap, that is used by every app. But browsers would need a different one, with just the added permission to create user namespaces.

    Currently this is not even possible when using a separate repo. Really, no idea. Bubblejail is an alternative with custom seccomp filters and user namespace permission. But it is very different, uses system packages and is very alpha.

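Added example, not part of the comment above: a small Python audit helper for the isolation layers the comment talks about (seccomp filters, `no_new_privs`, and a separate user namespace), working from the text of `/proc/<pid>/status` and the `/proc/<pid>/ns/user` link. The function names, the sample status dumps and the namespace IDs are constructed for illustration.

```python
import os

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

# Constructed samples in the layout of /proc/<pid>/status (only relevant fields).
SAMPLE_SANDBOXED = "Name:\tchrome\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t2\n"
SAMPLE_PLAIN = "Name:\tbash\nNoNewPrivs:\t0\nSeccomp:\t0\nSeccomp_filters:\t0\n"


def parse_status(status_text):
    """Extract the sandbox-relevant fields from a /proc/<pid>/status dump."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    count = fields.get("Seccomp_filters")  # only reported on Linux 5.9+
    return {
        "name": fields.get("Name", "?"),
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp", ""), "unknown"),
        "filters": int(count) if count is not None else None,
        "no_new_privs": fields.get("NoNewPrivs") == "1",
    }


def assess(status_text, proc_userns, reference_userns):
    """List which isolation layers are missing for one process."""
    info = parse_status(status_text)
    info["own_userns"] = proc_userns != reference_userns
    findings = []
    if info["seccomp"] != "filter":
        findings.append("no seccomp filter attached")
    if not info["no_new_privs"]:
        findings.append("no_new_privs not set")
    if not info["own_userns"]:
        findings.append("same user namespace as the reference process")
    info["findings"] = findings
    return info


def assess_pid(pid):
    """Live variant (Linux only): compare a PID against the auditing process."""
    with open(f"/proc/{pid}/status") as fh:
        status = fh.read()
    # Reading another process's ns link can fail without sufficient privileges.
    return assess(status, os.readlink(f"/proc/{pid}/ns/user"),
                  os.readlink("/proc/self/ns/user"))
```

`assess_pid` reports only whether a filter is attached and how many, not what the filter allows; comparing the actual rules of two sandboxes needs a tool that dumps the BPF program.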

  • You can't layer ffmpeg, you need to override-remove everything libav and then install everything new from rpmfusion. I did that, it's a mess.

    If you just want video playback that's just libavcodec-freeworld, that's why I specifically mentioned ffmpeg.

    I am not a fan of Distrobox for small tools. For sure possible but unnecessary and the workflow is a pain. And trust me, I use it daily and even ran libvirt in a rootful one, virt-manager in a rootless one, connected over ssh.

    There’s at least Fedora atomic with nvidia https://github.com/ublue-os/nvidia

    My point was that Fedora's product is unusable. Ublue is the solution, their main images are basically Fedora Atomic but fixed.

    that should depend on the file manager, right?

    No, that's libavcodec-freeworld and ffmpegthumbs. Most movies you find on the open sea are not in libre codecs.







  • Google Pixels suck.

    The 4 did everything right. Plastic cover? Yeah you use a protective case anyways.

    The 6a that I now have is worse

    the camera

    is worse! I can't believe that but I compared pictures. At least the selfie camera is absolute garbage.

    size, shape, materials

    • the phone is huge
    • its rectangle size is worse to hold in the hand
    • the 6a had some kind of plastic which is durable. The 7pro I had has a glass back? Wtf why?

    fingerprint sensor

    is so much worse. Why put it behind a display? I actually replaced one, so that is not the problem. But you can't unlock directly, they are waaay less reliable and you often need to create duplicate scans. Compare that to the damn 4a (and all other fingerprint sensors of that time) that just worked instantly.

    No headphone jack

    This is such a pain as an audiophile. I have awesome headphones and of course they are on a cable.

    Bluetooth is factually worse.

    • It takes forever to connect (Apple devices always connect first for example).
    • the controls for pause etc. take like a second to work
    • you always broadcast your Bluetooth ID around
    • you are attackable, like the iPhone DDOS attack
    • you need more tiny battery powered devices for nothing
    • headphones are always more expensive and often have worse audio quality

    If you want to use normal headphones, the only good DACs are by Google and Samsung, and at least German electronic markets (!) don't have them.

    And if you use a DAC, this works over USB. If you need to allow random USB devices all the time, this means you are also attackable through a cable.


    My Pixel 4a is a bit slow, but the battery still lasts over a week in idle. I use it as an alarm clock now as it's insecure.

    I have not tested a Pixel 8, and the hardware for sure sounds appealing. But if Google continues this shitty path of useless “inventions” like the fingerprint sensor behind the glass, unnecessarily huge and fragile phones, and purposeful decrease in security by needing Bluetooth all the time, while actively contributing to e-waste, I will never recommend them.







  • If you are a modder that wants to do stuff like replace the kernel, add in rust coreutils etc, then I think NixOS is indeed better. Have not used it but really want to try.

    Image based Distros are just perfect for people that want to have perfectly reproducible bugs, or in general not many.

    It is a good community concept, but tbh a preset of shared Nix config files could do the same thing too, with ease. Just don't deviate from those configs and you will have multiple people with the same systems.



  • I like them a lot, switched to Kinoite⏩uBlue: (Kinoite-main, -nokmods (until that got silently dropped), -main again; 37-39)⏩Secureblue kinoite-laptop-userns

    The biggest problem is that Fedora's images are not usable.

    • File manager movie thumbnails don't work
    • Flatpak browsers are not feature-complete and probably not secure (because they can’t create user-namespace-isolated processes for tabs)
    • they have no NVIDIA support
    • powerusers will miss ffmpeg

    The idea of immutable images is to have a base that most people don't need to change. You can, but the moment you add NVIDIA proprietary drivers or full ffmpeg, you are in unprotected territory again.

    So I like the Distros for their reproducible bugs and future possibility to be a very secure base (you could just verify the hash of the root system to check for viruses). But they cannot be produced in the US.

    Fedora is nice but just like with rpmfusion, ublue is the key part that makes it work. And on immutable images this cannot just be added in a welcome dialog, as you need massive overrides by default.


  • Pantherina@feddit.de to Android@lemmy.world: S23 vs Pixel 8?
    2 years ago

    Keep an eye on DivestOS. It seems to be somewhat similar to GrapheneOS but on more devices.

    I think the changes are a bit too many though. They support microG in the GrapheneOS sandbox, which may be pretty cool (until it breaks, or you need stuff not included in microG)

    I think 128GB is enough, but a small phone with a headphone jack, good cameras and a working fingerprint sensor…