Actually it is the same story with TLS 1.3 and TLS 1.2. A bunch of sites still doesn't support TLS 1.3 (e. g. arstechnica.com, startpage.com) and some of them only support TLS 1.2 with RSA (e. g. startpage.com).

You can try this yourself in Firefox by disabling ciphers (search for security.ssl3 in about:config) or by setting the minimum TLS version to 1.3 (security.tls.version.min = 4 in about:config).

My whole infrastructure is designed so that my homeserver is expendable.

Therefore my most important tool is Syncthing. It is decentral, which is awesome for uptime and reducing dependance on a single point of failure. My server is configured as the "introducer" node for convenience.

I try to find file-based applications, such as KeePassXC or Obsidian, whenever I can so that I can sync as much as possible with Syncthing.

Therefore there is (luckily) not much left to host and all of it is less critical:

• Nextcloud AIO: calendar, contacts, RSS, Syncthing files via external storage
• Webserver: Firefox search plugins (Why is this necessary, Mozilla?!), custom uBlock Origin filter list, personal website

So the worst thing that can happen when my server fails is: I need to import my OPML to a cloud provider and I loose syncing for some less important stuff and my homepage is not accessible.

Since I just rebuilt my server, I can confirm that I managed a whole week without it just fine. Thank you very much, Syncthing!

This has always been the case with Ubuntu. Ubuntu only ever supported its main repository with security updates. Now they offer (paid) support for the universe repository in addition, which is a bonus for Ubuntu users, as they now have a greater selection of packages with security updates.

If you don't opt-in to use Ubuntu Pro, nothing changes and Ubuntu will be as secure (or insecure) as it has always been. If you disable universe and multiverse you have a Ubuntu system where all packages receive guaranteed security updates for free.

Please note: I still don't recommend Ubuntu due to snapd not supporting third-party repositories, but that's no reason not to get the facts right.

Debian has always been the better choice if you required security updates for the complete package repository.

Personally I have my doubts if Debian actually manages to reliably backport security updates for all its packages. Afterall Eclipse was stuck on version 3.8 for multiple Debian releases due to lack of a maintainer ...

I've tried to combat this a bit with a global Flatpak override that takes unnecessarily broad permissions away by default, like filesystem=home, but apps could easily circumvent it by requesting permissions for specific subdirectories. This cat-and-mouse game could be fixed by allowing a recursive override, such as nofilesystem=home/*.

But even then, there is still the issue with D-Bus access, which is even more difficult to control ...

I think it is sad that Flatpak finally provides the tool to restrict desktop apps in the same way that mobile apps have been restricted for a decade, but the implementation chooses to be insecure by default and only provides limited options to make it secure by default.

I was in a similar situation not too long ago.

My criteria for another scripting language included that it should be preinstalled on all target systems (i. e. Debian and Fedora), it should be an interpreted language and it needs to have type safety.

Afterall I settled with Python due to its popularity, its syntax and features (type safety since v3.6, etc.) and the fact that it is preinstalled on many Linux distributions. System components often use Python as well, which means that libraries to interact with the system tend to be included by default.

For servers there's Docker/Kubernetes/Podman, which is well-established and serves a similar purpose as Flatpak on the desktop. Servers were actually first with the increase in popularity of containers.

90 % or more of my desktop (Fedora Kinoite and Silverblue) apps are Flatpaks already. I only have four rpm-ostree overlays (native packages) left: android-tools, brasero/k3b, syncthing (I could switch to SyncThingy for a Flatpak) and virt-manager/virtualbox

With Flatpak there is "flatpak override" which gives you the ability to grant additional permissions or restrict them even further. E. g. I use it to connect KeePassXC with Firefox or to disallow access to the X server to force almost all apps to use Wayland instead of X. It also allows me to prevent apps from creating and writing into arbitrary directories in my home.

Once I reinstall my home server, all its server software will be containerised as well (five years ago I didn't see the necessity yet). I am tired of having to manage dependencies with every (Nextcloud) upgrade. I want something that can auto update itself completely with minimal or no breakage, just like my desktops.

Sway is based on wlroots and therefore does not need to implement the complete Wayland specification itself. Many other Wayland window managers are also based on wlroots and therefore share a common base (compositor).

Furthermore Sway's git repo has activity up to a couple of days ago: https://github.com/swaywm/sway/commits/master

https://hyprland.org/

The Arch wiki lists more options to choose from: https://wiki.archlinux.org/title/wayland

On Sailfish OS I used to use Pure Maps, which seems to be available on Flathub. I don't know if it works on the Librem 5 though, but you might want to give it a try? There's also an optional dependency for offline maps.

As far as I know, companies don't have to comply yet with the Digital Markets Act. That's most likely the reason why the WebKit restriction is still in place.

You don't need your own server to use Joplin. You can select a local directory to store your notes and sync this directory with Syncthing between devices.

I am not sure if this works with iOS though.

My recommendation is F-Droid Basic. It's a more modern official client that supports automatic unattended updates on Android 12 and newer.