follow [best practice]

Install flatpaks

Dude. Find a security guy who knows about validation and supply chain risks. Tell that person those two phrases. Learning should commence if they’re any good.

Wow.

Oh, there’s learning coming, then.

That’s gonna be neat.

They were thinking mgmtconfig.

To summarize, “I have a POV that almost no one else has. Why is everyone not naming things the way I see them.”

Yes, pinocchio, your company is a real tech company because they use tech tools.

(sorry, it’s just a tech leveraging company, the same way my bus driver leverages the bus but does not fix or build it. My bus driver is not a bus; just the driver)

can’t seem to find a whitelist-only-JS feature

There’s one in your browser.

Do you really run a whitelist rather than a blacklist?

That’s a weird question. That ‘yes’ seems as easy as “do you wear your seat belt? Every TIME?!?”

Is it not tedious to add hundreds of domains to one rather than a few to the other?

After about a dozen you’re kinda set. I will enable one-offs in a private window, usually for shit news sites or the very occasional referral farm, and the exceptions are all reverted when I close the tab.

You need to disable JavaScript to read my blogspam.

Off by default already.

a tool that allows you to build packages for multiple systems in multiple formats (deb, rpm, nix, flatpak, snap, etc.).

Given flatpaks and snaps are toxic, the other ones - deb, rpm, pkg - can be packaged relatively easily. It’s all a separate effort with files and meta-info that doesn’t often intersect, but it’s manageable. It lends itself incredibly well to the trivial ‘automation’ that gitlab, forgejo and other major git suites provide.

Source: did this for the entirety I built and maintained a software suite for linux and unix, for like 15 years. I built some code, I packaged it. Because anything less isn’t really ISO27002.

TL;DR - the ‘tool’ is a simple script and your brain. the biggest hurdle is the unknown itself and, once you get to it, the work can be pretty straightforward.

makefile which packages as tarball, deb, rpm and appimage.

Packaging an RPM in a makefile? That’s inside-out.

They are not ran by smart people

not ran

Glass house?

1. find something Lennart built. Eg. systemd
2. remove that
3. go to 1

A LOT of plugins in many projects are a huge concern. I say this as someone who ran security for an OS for a while. It’s just people making bad decisions for everyone and then hand-waving the risks when questioned.

• rpm: signed payload and manifest with signatures in bill of materials that integrates and coordinates with system db and allows enterprise content review and validation at every step and/or easy back-out.
• flatpack/app image - none of these.

Anyone interested in build, security, deployment, should have issue with that. But look at its corp champions and discover their motive.

It was subtle. It was well-done. Roasted, even.

“you’re holding it wrong”?

If only there was some kind of spelling check.

fuck managing ssh key auth for hundreds of engineers.

You can pull the ssh key out of LDAP/AD. We did this 10 years ago. Really slick.

Now with modern config management (sit down, Ansible, you millennial junk) the keys update anyway in about a second.

This is one of those things where you either live it and love it, or never understand.

Qi charging changes your very life.

This cannot be explained in words.

till

\sigh

AT BEST it’s gonna be some ridiculous npm svalbard worth of projects in one tree, require all new hardware, and declare bankruptcy on the way. Canada did this with the Phoenix Pay System, except didn’t have ‘efficient’ funding so it only sucked but didn’t die.