They 100% can.

An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).

The filesystem itself is also read-only.

/dev/nvme0n1p4 on /sysroot type xfs (ro)
/dev/nvme0n1p4 on /usr type xfs (ro)
/dev/nvme0n1p3 on /boot type ext4 (ro)

Selfhosted Gitea is a way to get a wiki, bug tracker or whatnot - collaborate, for example, but it’s not necessary to have a Git server for your personal use.

No, but it is amazing for browsing your repos and visually seeing what you did in a past commit or a branch, while your IDE is open to your latest code. Or copying and pasting something that you need from a different repo.

For Git experts, sure they can probably do all that better inside their IDE or CLI, but for us plebs, having your own Forgejo is incredible 😍

I have mine configured to disable the wiki and issues, etc, it’s just the repo browser.

deleted by creator

I use UCore for my homelab and it’s been flawless. Absolutely no issues. I run around 50 containers, LLMs, and host some public sites with Caddy.

The major thing that’s keeping me away from CoreOS/ uCore is all the ignition-butane-stuff. From what I’ve heard, it’s needlessly complicated

It’s super super easy. Run a docker one-liner on your existing local server or laptop to host a quick webserver:

docker run -p 5080:80 --name quick-webserver -v "$PWD":/var/www/html php:7.2-apache

And put this Ignition file in the directory from above: https://github.com/ublue-os/ucore/blob/main/examples/ucore-autorebase.butane

That’s it, that’s the only steps. Boot off the ISO and type in the hosting URL from above.

You’ll only need that when building the server the first time.

Thank you for posting this - I have had a play and it’s excellent.

I am a newbie in the Linux world and have been looking for something to replace the excellent WinSCP. XPipe is the first application I’ve used on Linux that actually makes remote SSH/SCP browsing easy to do, while still being able to handle more complicated SSH auth than just user/pass.

Not the FIPS one, I use the normal 5 series.

Yubikeys are great because you can also add your TOTP codes on there, but require a physical touch to generate the codes.

You can do that with other products like the NitroKey as well, but the implementation is not as good - example the secrets are not encrypted on the NitroKey.

I assumed that yubikeys would be found pretty much only in enterprise environments but perhaps I was wrong there.

As a datapoint, I am a home user and use Yubikeys. For example, they are one of the 2FA options supported by Bitwarden for home users.

I have recently trialed both NitroKey and OnlyKey to see if I’d want to replace my Yubikey with either of those, but the Yubikey is sadly superior. (Sadly because it’s not as open as those other two options.)

deleted by creator

stores my notes metadata in proprietary database format?

Obsidian note metadata is stored in YAML in the markdown note file itself. That’s about as non-proprietary as it gets.

Not sure why you hate Obsidian. I don’t love it and would switch to a FOSS alternative if there was something comparable, but at least I’m not making crap up about it.

It makes for very handy use cases where other applications can work on the same data. This could be easily adding content into your notes (without needing an API to do so), using external editors for working on certain aspects of your notes, or even just the super handy convenience of having everything in one directory structure.

My Obsidian notes are right inside the same folders as the PDFs and other resources they refer to. I don’t have to have a tree structure inside my notes and then the same tree structure in my hard drive or Dropbox or wherever with all my other files.

I was a 10+ year Evernote veteran, and I couldn’t go back to the single DB style like Evernote or Trillium. I wish there was an open source competitor to Obsidian, but alas not yet.

And as @acockworkorange@mander.xyz rightly points out, people (me!) have been burned in the past by a program becoming obsolete and having your files stuck in some proprietary format. Plain files right in a folder on the disk is the way to go.

I mean in your linked thread it says:

I have some 15K notes in Obsidian and it runs fine.

I personally have 4000+ notes in Obsidian and it runs fine 🤷

Here’s also Obsidian with 100,000 notes and it performs fine. This test is also 2 years out of date.

They might be talking about posts like this (which I would love to have refuted, as this kind of info has so far kept me from using Docker significantly):

https://security.stackexchange.com/a/169649

Containers are isolated from the host by default.

Are you certain about that? My understanding is that Docker containers are literally just processes running on the host (ideally rootless), but with no isolation in the way that VMs are isolated from the host.

If you have some links for further reading it would be great, as I have been extremely cautious with my Docker usage so far.

I haven’t found anything to refute this, but this post from 2017 states:

In 2017 alone, 434 linux kernel exploits were found, and as you have seen in this post, kernel exploits can be devastating for containerized environments. This is because containers share the same kernel as the host, thus trusting the built-in protection mechanisms alone isn’t sufficient.

If someone exploits a kernel bug inside a container, they exploited it on the host OS. If this exploit allows for code execution, it will be executed on the host OS, not inside the container.

If this exploit allows for arbitrary memory access, the attacker can change or read any data for any other container.