[-] cizra@lemm.ee 2 points 3 days ago

You misspelled KeepAss.

[-] cizra@lemm.ee 31 points 7 months ago

I'm using VNC over an SSH tunnel. TigerVNC's vncviewer even has the -via parameter you can use to make creating the tunnel seamless.

[-] cizra@lemm.ee 41 points 10 months ago

Reminds me of the programs that make the kernel drop FS buffers in an attempt to free up RAM. Or hog as much memory as they can in an attempt to have unused things swapped to disk. Yeah, they free up RAM all right, but at the expense of actual speed.

Most of the time, this junk is actively harmful. Forget it, modern Linux uses optimized defaults.

You can get more performance out of your hardware by switching from heavyweight to lightweight programs - for example, instead of Skype (which uses Electron), choose some other way to chat like irssi for IRC. Instead of Gnome, choose i3 or dwm or something like that. You need a bunch of tradeoffs and learning, though, to really get the most out of your hardware.

[-] cizra@lemm.ee 11 points 10 months ago

In Linux, the locate command is crazy fast. I am amazed at how slow search is in Windows, compared to this.

[-] cizra@lemm.ee 7 points 10 months ago

I can drive my manual and eat at the same time just fine, thankyouverymuch :) I think I once submitted a pull request while on the road...

[-] cizra@lemm.ee 11 points 10 months ago

The last time I needed to boot a PC that didn't have a screen, I built a NixOS installation image with SSH access. I added a user, sudo access, and prepopulated authenticated SSH keys, something similar to https://nixos.mayflower.consulting/blog/2018/09/11/custom-images/

It was about as easy as configuring my own NixOS system.

[-] cizra@lemm.ee 70 points 10 months ago

Environments are per-process. Every program can have its own environment, so don't inject secrets where they're not needed.

I'm using bubblewrap to restrict access to FS.

93 points, submitted 10 months ago by cizra@lemm.ee to c/mildlyinteresting@lemmy.world

A fern is a plant. A plant is supposed to get pollinated by bees and whatnot. Yet ferns have sperm swimming around and fertilizing the lady-bits of other ferns.

Mind blown.

[-] cizra@lemm.ee 19 points 10 months ago

Most of modern music sounds horrible. Elevators and shopping malls would be better off silent than blasting this noisome garbage.

There are exceptions - there totally are modern composers creating quality stuff. It's just not played anywhere in public places, for some reason.

[-] cizra@lemm.ee 38 points 10 months ago

I agree with other comments here (about quality, cost of growing, availability, difficulties and especially with tomato varieties being optimized for convenient commercial farming, not taste).

I'm gardening for psychological safety, myself.

When I was a kid, the Soviet Union collapsed, the economy was in chaos, and though I never went hungry, fancier food (like meat) was unavailable commercially, so we raised it and grew our potatoes and basic veggies. It was a ton of work.

At the moment, stores are full of yummies. However, I can imagine them yummies disappearing - there was a brief food scare at the beginning of Covid (or whenever it was), then the Ukraine war started, scaring the whole of Eastern Europe into thinking "Hey, my country is not too different from Ukraine - can we be next?"

Thus we bought a farm, last year, and started a basic garden. Last year we planted some basic foodstuffs - tomatoes, cucumbers, onions, garlic. Two kinds of mint for tea. They produced next to nothing, though. This year, it's more tomatoes, more cucumbers, potatoes, a selection of different herbs. The mints are perennial, and they're crazy weeds - you wouldn't be able to get rid of the beastly things if you wanted to. The yields are OK - I counted around 10 mid-sized potatoes grown from 1 large-sized potato planted, for something like 3x ROI (sample size: 1 plant, the rest keep growing). Tomatoes are sweet and tastier than anything.

You'll ask if it's worth the effort. Now I have a summer home (yet with a fiber optic network connection, yum!), for kids to run around in. I invest minor effort and minor funds (except for the farm, heh, hand tools are inexpensive), getting some food that I need to acquire anyway. Growing foodstuffs is linearly scalable. In the possible event of dung-ventilation, I'll have land, hand tools, and some basic proficiency in growing stuff. Thus it's like prepping, without really spending any money. Anything I buy will get used to grow food and recoup costs within the season. Oh, and I'm getting some badly needed exercise, spading my plant beds.

I don't have a plan for the case of zombie invasion (or hungry mobs spilling out of large cities), except being in the middle of nowhere. I'm hoping this scenario won't come to pass. If it does - the hypothetical robbed me won't be any worse off than a city dweller, either.

That reminds me - I should call my neighbor and order a tractor trailer full of bullshit (that's 15 tons, IIRC), costing 200€. I can pay now, get it here, and let it ripen for a couple of years.

[-] cizra@lemm.ee 9 points 10 months ago

Not saying my practice is the best one, but here's what I do:

  • EFI system partition is mounted on /boot
    • kernel is held here. In case of distros like NixOS etc that keep around old kernels, a small ESP might run out of space. I make mine at least 1GB.
  • the rest of the disk is one luks2 volume
  • inside the encrypted volume, there's a BTRFS volume
  • there's a subvolume for /home
  • and a subvolume for every distro I have (which is usually 1, but sometimes I tinker or switch)
  • Kernel command line parameters specify the btrfs subvol with the right distro to boot.
  • for NixOS, you need a bootloader (to choose the right kernel). Systemd-boot works well, and its configuration is easily readable. I never figured out how to work with GRUB2, its configuration is just too confusing.
  • or if you like Arch, dispense with bootloaders and just use EFISTUB. You can put kernel cmdline params into EFI bootloader options with efibootmgr.

Simple yet complete. Efficient, and extensible - for example, now that everything is a subvolume, I can easily snapshot it, then create backups with rsync off the snapshot, to avoid inconsistent state between backed-up files.
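The snapshot-then-rsync backup mentioned at the end of the comment, as an added example written for this page (it is not the commenter's own script). It assumes SUBVOL is a mounted btrfs subvolume such as /home, SNAPDIR is a directory on the same btrfs filesystem, and btrfs-progs and rsync are installed; the BTRFS and RSYNC variables are a convenience introduced here so the function can be dry-run against stubs.

```shell
#!/bin/sh
# Added example, not the commenter's tooling: back up a btrfs subvolume from a
# read-only snapshot, so rsync copies one consistent point in time instead of
# files that keep changing while it runs.
#
# backup_subvol SUBVOL SNAPDIR DEST
#   SUBVOL  mounted subvolume to back up, e.g. /home
#   SNAPDIR directory on the same btrfs filesystem that holds snapshots
#   DEST    rsync destination (local path or user@host:/path)
# BTRFS and RSYNC name the tools to run (default: btrfs, rsync); point them
# at stubs for a dry run.

backup_subvol() {
    subvol=$1 snapdir=$2 dest=$3
    [ -n "$subvol" ] && [ -n "$snapdir" ] && [ -n "$dest" ] || {
        echo "usage: backup_subvol SUBVOL SNAPDIR DEST" >&2; return 2; }
    snap="$snapdir/$(basename "$subvol")-$(date +%Y%m%d-%H%M%S)"

    # 1. Read-only snapshot: created atomically, and nothing can modify it
    #    while rsync reads it, so the copy cannot mix old and new file states.
    "${BTRFS:-btrfs}" subvolume snapshot -r "$subvol" "$snap" || return 1

    # 2. Copy the frozen tree. -a keeps owners/modes/times, -H hard links,
    #    -A ACLs, -X extended attributes (e.g. file capabilities);
    #    --delete mirrors removals. The trailing slash copies the contents
    #    of the snapshot rather than the snapshot directory itself.
    "${RSYNC:-rsync}" -aHAX --delete "$snap/" "$dest/"
    status=$?

    # 3. Drop the snapshot whether or not rsync succeeded (it pins extents and
    #    would otherwise hold disk space), then report rsync's status.
    "${BTRFS:-btrfs}" subvolume delete "$snap" || status=1
    return "$status"
}
```

`backup_subvol /home /.snapshots user@backup:/srv/home` copies one frozen state of /home; a file rewritten mid-transfer cannot produce a half-old, half-new copy because the snapshot is read-only. The function returns rsync's exit status, so a cron job or systemd timer can alert on failures, and it still removes the snapshot on failure.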

[-] cizra@lemm.ee 27 points 11 months ago

There's plenty of good advice in other comments in this topic. Let me add mine too, something I haven't seen in other comments: You need to figure out your threat model, and steer your course accordingly.

Who do you trust?

  • No one? Don't use a computer. Use an airgapped computer without any internet connection. Write your own OS (but be mindful of bootstrapping issues, you'll also need to write your own compiler to protect against Thompson's hack). It's a hassle.
  • Original authors of software? Compile and install all software from source. Consider using LFS. It's a hassle.
  • Maintainers of my operating system of choice? Only install packages from official package repositories (apt in Debian, pacman in Arch, you know the drill). Eschew any others, like PPA in Ubuntu, AUR in Arch. Though package maintainers don't necessarily review any package updates, there's a chance they just might. Though package maintainers are in the position to inject backdoors during packaging, this is somewhat unlikely as packaging scripts tend to be small and easy to review.

What risky activities are you doing?

  • Running random crap software downloaded from the internet?
    • Run it in a virtual machine. It's easy to install another Linux into a VM - you could try VirtualBox or qemu or libvirt or some other one.
    • Containerize it with Docker, or run it in Firejail or Bubblewrap
      • Don't mount your home directory, or anything other important into the container. Instead, if you need to pass data, use a dedicated directory.
      • It's easy to restrict internet access to a program, when running it in Docker or Bubblewrap.
  • Running the same as root? I'm pretty sure a full virtual machine would be the only secure option to do that, and I'm 100% certain even that would be enough.
  • Running large software that probably ought to be OK, but you never know for certain? This is what I normally do:
  • Use the Flatpak version, if available. Check its permissions (e.g. with Flatseal), you might be able to tighten the screws. For example, a browser (yes, Firefox, Thunderbird, Chromium are available as Flatpaks. Even Chrome is) is plenty large enough for any number of security bugs to hide in. Or a backdoor, which might be crafted to be indistinguishable from an honest bug.
    • If there's no Flatpak version available, I Bubblewrap it.

I have a simple Bash script that restricts apps' view of my filesystem, and cuts off as much stuff as possible, while retaining the app's ability to run. Works with Wayland and console apps, optionally with Xorg apps if I set a flag. Network access requires its own flag.

I could share my Bubblewrapping script, if there's interest.
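The Bubblewrap script described in this comment (and in the earlier one about using bubblewrap to restrict filesystem access and keep secrets out of a process's environment) is not posted on the page. The script below is an added example in the editor's own words, not cizra's script: it assumes bwrap is installed, a merged-/usr layout (/bin and /lib are symlinks into /usr), and that the Wayland socket lives at $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY; the -x, -n and -d flags and the BWRAP override are names chosen here.

```shell
#!/bin/sh
# Added example, not the commenter's script: a bubblewrap (bwrap) wrapper that
# gives a program a read-only view of the system, an empty home, an empty
# environment, and no network unless asked for.
#
# sandbox_run [-x] [-n] [-d DIR] -- COMMAND [ARGS...]
#   -x      expose the Xorg socket (the Wayland socket is exposed when present)
#   -n      keep network access (off by default)
#   -d DIR  bind DIR read-write inside the sandbox, for passing data in and out
# BWRAP names the binary to run (default: bwrap); BWRAP=echo prints the
# assembled command line instead of executing it.

sandbox_run() {
    allow_x=0; allow_net=0; data_dir=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -x) allow_x=1 ;;
            -n) allow_net=1 ;;
            -d) shift; data_dir=$1 ;;
            --) shift; break ;;
            -*) echo "sandbox_run: unknown option $1" >&2; return 2 ;;
            *)  break ;;
        esac
        shift
    done
    [ $# -gt 0 ] || { echo "usage: sandbox_run [-x] [-n] [-d DIR] -- COMMAND [ARGS...]" >&2; return 2; }

    # bwrap applies mount and environment options in command-line order, so the
    # optional pieces are prepended to "$@" first and the base set last; the
    # result is: base options, optional options, "--", command.
    set -- -- "$@"
    [ -n "$data_dir" ] && set -- --bind "$data_dir" "$data_dir" "$@"
    [ "$allow_net" -eq 1 ] && set -- --share-net "$@"
    if [ "$allow_x" -eq 1 ]; then
        # Xorg has no isolation between clients: a sandboxed X app can still
        # read other windows and their input. Prefer Wayland where possible.
        set -- --ro-bind /tmp/.X11-unix /tmp/.X11-unix \
               --setenv DISPLAY "${DISPLAY:-:0}" "$@"
    fi
    if [ -n "$WAYLAND_DISPLAY" ] && [ -n "$XDG_RUNTIME_DIR" ]; then
        # Assumes WAYLAND_DISPLAY is a socket name under XDG_RUNTIME_DIR.
        set -- --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \
               --setenv WAYLAND_DISPLAY "$WAYLAND_DISPLAY" \
               --setenv XDG_RUNTIME_DIR "$XDG_RUNTIME_DIR" "$@"
    fi
    # Base view: read-only /usr and /etc (narrow /etc to single files such as
    # resolv.conf if it holds credentials), fresh /proc and /dev, empty tmpfs
    # in place of /tmp and $HOME, a cleared environment with only HOME, PATH
    # and TERM, and all namespaces unshared (network included).
    set -- \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --ro-bind /etc /etc \
        --proc /proc --dev /dev \
        --tmpfs /tmp \
        --tmpfs "$HOME" \
        --clearenv \
        --setenv HOME "$HOME" --setenv PATH /usr/bin:/bin --setenv TERM "${TERM:-xterm}" \
        --unshare-all --die-with-parent --new-session \
        "$@"
    "${BWRAP:-bwrap}" "$@"
}

# Run directly as ./sandbox.sh; otherwise the file can be sourced for sandbox_run.
case "$0" in *sandbox.sh) sandbox_run "$@" ;; esac
```

`sandbox_run -d "$HOME/Downloads/untrusted" -- ./tool` runs the program with a read-only /usr and /etc, an empty tmpfs where $HOME used to be, and only HOME, PATH and TERM in its environment, so it sees neither the files under $HOME nor tokens exported in the calling shell. -x is the weak spot: Xorg clients can read each other's windows and keystrokes, so with it the sandbox still blocks filesystem and network access but not spying on other X apps. --unshare-all also unshares the IPC namespace, which breaks X clients relying on MIT-SHM; if such a program is needed, replace --unshare-all with the individual --unshare-user, --unshare-pid, --unshare-net, --unshare-uts and --unshare-cgroup flags and leave IPC shared.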


cizra

joined 11 months ago