Graphene shills have been banging on this point for donkey’s ages. Reality is that many people use phones that are out of OEM support and many OEM ROMs are bundled with questionable software (Oppo, Samsung etc.) There are some decent criticisms to be made about LineageOS, but others to be made about Grapheme, like its Google-suggestive configurations, which is quite bad for security and privacy. Graphene says this is all optional and not part of the OS, but doesn’t include any equivalent F-Droid installer.

My original reply to the OP’s question, thoughts and experiences with GrapheneOS, was along the lines of “I think GrapheneOS is Google-centric” and you disagreed saying that GrapheneOS was a “blank slate”. Honestly I think you’re being a bit defensive and maybe a little gaslighty which is why I downvoted.

GrapheneOS provides fairly prominent links to a Google Play installer or the relatively obscure Aurora Store. The Aurora Store client app is FOSS but the store is quite literally a proxy for the Google Play Store. The apps in the screenshots on Ausora Store’s homepage are mostly apps that use or require Google Play Services. This is all very Google-centric.

If Google Play wasn’t an important part of GrapheneOS, it could just not contain a prominent link to the Google Play installer. Or it could contain a link to install a fairly prominent app store that offers an ecosystem outside of Google Play. But it exclusively steers users to the Google Play ecosystem as a part of the default, packaged experience, hence my original reply to the OP.

But it is Google Play-centric. There is an option to install Google Play. There is not an option to install other app stores like F-Droid, unlike some of the other AOSP clones.

Screenshot for you. Google is explicitly linked to for easy setup. F-Droid is not. “There is nothing” is simply disingenuous.

I use GrapheneOS but I don’t like how Google Play-centric it is. It is geared towards people installing their “normal” apps with the GrapheneOS special sauce sandboxing. No F-Droid by default where all of the FOSS apps are.

Here’s the actual paper of the technology (Prio) that it’s based on.

Some problems stand out:

• It requires that the organisations (Mozilla and ISRG) not collude to decrypt the secret share (probably reasonable)
• The paper suggests registering end users to protect against Sybil attacks.
• The scheme requires the organisations to correctly withhold results from advertisers until there are sufficient results.

I’m not overly familiar with the tech stack but I’d be concerned about browsers using a persistent UUID to send impressions to Mozilla’s API.

The biggest elephant in the room is that seemingly nobody wants the damn thing. It offers nothing to users, except maybe a good feeling inside that they’re supporting AdTech. It offers AdTech less than the current deal where they can collect obscene amounts of personal information for targeted advertising.

PSA: if your financial institution/government/<other website> is using SMS codes (aka PSTN MFA) for multi-factor authentication they are practically worthless against a determined attacker who can use SIM swap or an SS7 attack to obtain the code. Basically you are secured by a single factor, your password. If your password is compromised it may be sold via black hat marketplaces and purchased by an attacker who would then likely attempt to break that second factor.

The best way to protect yourself is to use a unique password; a password manager especially helps with this. Sometimes institutions will offer “Authenticator” (TOTP) as a second factor, or PassKey authentication, both secure alternatives to SMS codes.

Here in Aus I’m working with Electronic Frontiers Australia to try and force some change within government and financial institutions (via the financial regulator). Most banks here use SMS codes and occasionally offer a proprietary app. One of the well-known international banks, ING Bank, even uses a 4 pin code to login to their online banking portal. 😖

Unfortunately SMS codes are a legacy left from old technology and a lack of understanding or resourcing by organisations that implement it. Authenticator/TOTP tokens have been around for 16 years (and standardised for 13 years), and PassKeys are relatively newer. There is a learning curve but at the very least every organisation should at least provide either TOTP or PassKeys as an option for security-minded users.

Yeah it is a bit of a pain. I currently only have a few users. Tooling-wise there are ways to tail the journals (if you’re using journalctl) and collate them but I haven’t gotten around to doing this myself yet.

At work we use separate clusters for various things. We built an Ansible collection to manage the lot so it’s not too much overhead.

For home use I skipped K8s and went to rootless Quadlet manifests. Each quadlet is in a separate non-root user with lingering enabled to reduce exposure from a container breakout.

It’s called Microsoft Clarity, and yes, Teams does it https://clarity.microsoft.com/ https://en.wikipedia.org/wiki/Session_replay

The company behind GitLab is seeking buyout offers, so make of that what you will.

My employer uses GitLab CE and it’s pretty good, and it is FOSS. The EE version is “open core” so not really FOSS.

If I were starting from scratch I’d be looking into Gitea/Forgejo as well.

In my country that would be a civil offence, not criminal.

I’d recommend at least taking some precautions (e.g. use TLS or Wireguard, firewall if possible).

There have been many improvements in making documentation more inclusive across the IT industry which shouldn’t be scoffed at. The first that comes to mind is changing “master” and “slave” to “primary” and “secondary” (or “replica” etc.) because references to slavery is inconsiderate to many.

I don’t think pile-ons are productive, but I think inclusive language and thinking is important.

I stand corrected, thank you. I’ll have to try that out.

The biggest issue I’ve had with I2P so far has been lack of content.

postman.i2p only permits torrents which includes its tracker in the torrent file, which means popular torrents from 1337x, TPB et al can’t be uploaded there (at least not without changing the infohash). Torrent clients like qBittorrent and BiglyBT can cross-seed on I2P and clearnet networks which is a recent development since libtorrent 2.0 came out (software packages take a while to bump to.the latest library), but from what I’ve tested nearly all of the infohashes I put into my client from “clearnet” torrent sites have stalled, probably because I2P is a little too bespoke at the moment.

The potential is definitely there IMO, but unless you’re just watching mainstream movies and TV it’s not a replacement for clearnet/VPN.

If I’m missing something I’d like to know :)

Bash scripts will only get you so far and I can wholly recommend Ansible for automation.

Basically the main advantage of Ansible is that its builtin tasks are “idempotent” which means you can re-run them and end up with the same result. Of course it is possible to do the same with bash scripts, but you may require more checks in place.

The other advantage of Ansible is that there are hundreds of modules for configuring a lot of different things on your system(s) and most are clear and easy to understand.

You could use HAProxy on the client side to load balance apps in multiple locations, but it really depends on the application.

I like to manage my software with Ansible but Docker stack files might make it simple enough for you.

Yeah, too frequent and too buggy. It got annoying having to do upgrades every six months and have to deal with all the new bugs that came with it.

Basically give me Debian-style biannual releases or Arch-style rolling releases.

I use Debian at home on my homeserver and a mix of Debian and Arch for my workstations. Most of my stuff is managed with Ansible to make rebuilding easier and most workloads in podman containers.

Personally I don’t overthink the distro thing. I recently started using Arch and quite like it. I’ve noticed packages that are available in Debian but not Arch and vice-versa. Debian Stable is nice because it’s just, well, stable.

Fedora has an annoying release cadence IMO. I have experienced desktop bugs in the early GA releases before which put me off. If I wanted instability I would sooner go with Arch (and I am yet to have many issues with Arch yet).

If I were to go with a BSD for a home server it would probably be OpenBSD or FreeBSD. OpenBSD has vmm and a bunch of tooling around it, and FreeBSD has bhyve and jails. I haven’t taken the plunge because Linux works and it’s what I know.

These days I hear about people using proxmox on their homeserver with LXC containers and/or VMs.