@chenxiaolong - eviltoast
  • 0 Posts
  • 5 Comments
Joined 1 year ago
cake
Cake day: July 4th, 2023

help-circle
  • I don’t understand for example why it just isn’t included in the repos of Arch, Debian, Fedora, openSUSE, Ubuntu etc.

    For the most part, these distros all require that packages are built from source vs. repackaging prebuilt binaries. While Brave is open source, if you compile it yourself, you’ll be missing tons of API keys for accessing Brave’s services: https://github.com/brave/brave-browser/wiki/Build-configuration. While I suspect most folks wouldn’t care if eg. the cryptocurrency things stopped working, other things that break include Brave Sync and the downloading of the adblocker filter lists.

    Brave currently does not provide a way for 3rd parties to generate API keys to access these services: https://community.brave.com/t/does-brave-allow-the-distribution-of-self-compiled-or-distro-compiled-binaries/457833. Outside of reverse engineering their prebuilt binaries to extract the API keys, you’re pretty much out of luck (if you care about these features working).

    For websites that only work in Chromium, I’ve switched to just using plain old Chromium from Fedora’s repos. Being able to build the browser from source without losing features is pretty important to me (eg. I rebuild Fedora’s Chromium with the patches for enabling hardware video decoding on Wayland).


  • I primarily use Alacritty. I spend quite a lot of time running things that produce ludicrous amounts of output (eg. compiling Android from source). Out of 10 or so terminal emulators I’ve tested earlier this year, it was the only one that didn’t use 100% CPU displaying all that output, staying in the low single digits.

    I’d prefer to use Wezterm because I like its lua configuration system and the builtin pane splitting, but with my workload, I still run into issues where its CPU usage shoots to 100% and becomes non-responsive for a while. (That said, it’s already a lot better than before. I try to report any issues I can reliably reproduce and Wez has been wonderful about fixing them.)


  • I went IPv6-only for everything internal. The only thing that’s dual stack is the wireguard server running on the gateway. I haven’t run into any issues, mostly because my Linux distro’s package repository has many IPv6-compatible mirrors (enabled by default). For anything not in the distro’s repos, I build from source and package them up into RPMs myself, so as a side-effect, I don’t have to deal with eg. Github not supporting IPv6.

    Even things with generally crappy firmware, like the APC UPS management card, Supermicro & ASRock IPMI management interfaces, etc. have worked fine in an IPv6-only setup for me.



  • If you want to get fancy: systemd credentials. It can store the secrets encrypted on disk and seal the encryption key with the TPM chip. The encrypted secret is decrypted (non-interactively) and made available only to a specific systemd service. The process itself does not special systemd integration–it just sees a plain text file containing the secret, backed by a tmpfs that’s not visible to other processes.

    Depending on which TPM PCRs you bind to, you can choose how secure you want it to be. A reasonable/usable configuration would be something like binding to PCRs 7 and 14. With that setup, the TPM will not unseal the key if the system is booted into any other OS (i.e. anything signed with a different UEFI Secure Boot key). But if you really want to lock things down, you can bind to additional PCRs and make it so changing any hardware, boot order, BIOS setting, etc. will prevent the TPM from unsealing the key.