monovergent 🛠️

  • 15 Posts
  • 54 Comments
Joined 2 years ago
Cake day: November 27th, 2023



  • As others have suggested, QubesOS is a good one to have on your list. I’d probably use it if it weren’t for its crippling effects on battery life.

    Immutable distros are much friendlier to laptops and, as I understand, update in a way not unlike an Android device would. But I insist on some system-level customizations and I haven’t been motivated to learn how such customizations can be made to survive updates and the like.

    I’ve also been eyeing NixOS, but with everything up and running on Debian smoothly for a few years, I haven’t found the excuse to switch yet. Along with customizing it to be a comfortable daily driver, I’ve also been trying to see how secure I can make my system as a fun exercise. While it’s not immutable, Debian is a good base considering the team behind it and how much is riding on its security, including internet-facing servers.

    What I’ve done to harden Debian, if anyone’s interested:

    • Apply Madaidan’s hardening guide judiciously. Roughly 2/3 of the measures made sense for my use case and it’s almost unnoticeable in my daily workflow.
    • Have as few closed-source components as possible. In my case, intel-microcode is the only non-free package on my system.
    • Install the hardening-runtime package, but remove its included slub_debug=FPZ kernel argument, which in recent kernels forces less secure unhashed pointers.
    • XFCE is still not fully ported to Wayland, so I use slock, the X11 screen locker with the fewest lines of code.
    • Install the ufw firewall and default to deny.
    • Enable unattended-upgrades
    • Everything including the /boot partition is encrypted. I have built coreboot with just the GRUB2 payload, which I configured to immediately bring up the LUKS password prompt. All other options are behind a password.

    I also put together and maintain a ~16 GB clean system image of Debian set up exactly to my taste, which I clone to my machines as needed. This probably wouldn’t have been a thing if I knew about NixOS earlier, and it certainly hasn’t helped me switch over either.
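An added audit helper (not code from the commenter) that checks a few of the measures in the list above: the slub_debug=FPZ kernel argument, ufw’s default incoming policy, unattended-upgrades, and the count of installed non-free packages. Each check parses text passed in as a string, so it runs on constructed samples as well as on live output; the `--live` mode assumes a Debian host with ufw installed and root for `ufw status`.

```shell
#!/bin/sh
# Added audit helper (not from the original post): checks some of the
# Debian hardening measures listed above. Every check takes its input as a
# string argument, so it works on constructed samples or on live output.

# Flag a kernel command line that still carries slub_debug=FPZ, which the
# post removes because recent kernels then log unhashed pointers.
has_slub_debug_fpz() {
    case " $1 " in
        *" slub_debug=FPZ "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when 'ufw status verbose' reports deny as the default incoming policy.
ufw_default_deny_incoming() {
    printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'
}

# True when an apt.conf fragment (e.g. 20auto-upgrades) turns on
# unattended upgrades; whitespace around the value is tolerated.
unattended_upgrades_enabled() {
    printf '%s\n' "$1" | grep -Eq '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";'
}

# Count packages whose dpkg section is in a non-free component. Input is
# 'dpkg-query -W -f=${binary:Package}\t${Section}\n' output; prints the count.
count_nonfree() {
    printf '%s\n' "$1" | awk '$2 ~ /^non-free/ { n++ } END { print n+0 }'
}

# Run the checks against the running system (needs root for ufw).
audit_live() {
    if has_slub_debug_fpz "$(cat /proc/cmdline)"; then
        echo "WARN: slub_debug=FPZ on kernel cmdline (unhashed pointers)"
    fi
    ufw_default_deny_incoming "$(ufw status verbose 2>/dev/null)" \
        && echo "OK: ufw default deny incoming" \
        || echo "WARN: ufw is not defaulting to deny incoming"
    unattended_upgrades_enabled "$(cat /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null)" \
        && echo "OK: unattended-upgrades enabled" \
        || echo "WARN: unattended-upgrades not enabled"
    echo "non-free packages: $(count_nonfree "$(dpkg-query -W -f='${binary:Package}\t${Section}\n')")"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```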




  • Whatever comes with your distro or desktop environment ought to be enough for anybody.

    Unless you have a minimal window manager that comes with only xterm. Then I’d install xfce4-terminal to get tabs and more reasonably sized text. If for some reason the distro or OS only has sh, I’ll also go ahead and install bash, but nothing fancier than that.





  • My first instinct is to recommend a recent Pixel with GrapheneOS:

    • Make sure to buy a factory-unlocked model so that it’s not locked down to the stock OS. Preferably also gently-used second-hand so no money goes directly to Google.
    • Of the options, GrapheneOS gives you the most compatibility, security, and updates.
    • Installing GrapheneOS can be intimidating at first, but it’s pretty hard to mess up if you install through a Chromium-based browser.

    I’ve also used CalyxOS and it’s a solid option that supports a few models outside of Pixels. But if you end up needing Google Play Services, you’ll be stuck with its replacement microG, while GrapheneOS offers sandboxed full-fat Google Play Services. While still secure, it’s not the hardline security of GrapheneOS.

    I have no experience with FairPhone or Linux phones. Fairphone’s main attractions are the easily replaceable battery and microSD slot. Linux phones are still too cumbersome for the regular user to daily drive.

    EDIT: see also this table comparing privacy-focused options https://threecats.com.au/comparison-of-custom-alternative-android-os-roms-grapheneos-divestos-calyxos-iodos-eos-lineageos-stock-android-aosp

    In the US, AT&T, Verizon, and T-Mobile have an oligopoly over the cellular infrastructure. All of the other carriers (MVNO) just piggyback off the infrastructure of the big three. Traditional voice calls and SMS (“green bubble”) texts are unencrypted and logged, no matter the carrier. Carriers can also perform cell tower triangulation and track the IMEI, which is permanently associated with your phone, surviving even an OS reinstall.

    One way you may try to avoid handing over identification at activation or payment for cell service is to buy a 1-year prepaid SIM with a prepaid gift card to a trusted friend’s or otherwise shared mailbox. Or buy a prepaid SIM at a brick-and-mortar store with cash and top off with refill cards thereafter.


    • Light and dark modes with nothing in between. Platinum from MacOS and the default look from Windows 95 were crisp and bright without burning out your eyeballs.
    • Wasted screen space. People laugh at Japanese websites for looking too busy, but I’d much rather deal with that than scroll for ages or look for links buried 3 levels deep in a hamburger menu.
    • The idea that everything needs a backlit color LCD screen.
    • Modern standby on laptops. Sure I could just hibernate it, but that’s very inelegant when S3 sleep was perfectly fine before.
    • Glued-together electronics.



  • Customizations, especially theming, at the system level. Or just learning to modify system files on an atomic distro, in general.

    I’m sure it’s doable and I am genuinely interested in moving to atomic/immutable distros. But more for the security aspect than reliability as I’ve yet to break my install of Linux in a way that takes more than an hour to recover from. I’ve enjoyed the predictability of Debian and my very particular taste in UI makes for additional baggage just reinstalling, let alone moving to a very different distro.