The risk of dependency vulnerabilities is real.
Also, flatpak packages are not digitally signed, unlike apt and all other major Linux distro package managers.
I’ve done this with Debian before, and it works fine. Linux usually mounts the root filesystem based on its UUID, so it doesn’t matter if changing the motherboard caused a change from /dev/sda to /dev/sdb.
If you use the proprietary Nvidia driver, make sure to update it to a version that supports the new video card. If you use the open source Nvidia driver, you should be fine even if it’s old, because it will at least support starting up in an unaccelerated mode.
Yeah, try pressing Alt+[PrintScreen, F] to invoke the OOM killer. It kills the memory-hoggingest process, usually the web browser.
Fedora documentation says this sysrq functionality may be disabled by default. You can enable it once by typing at a terminal:
echo 1 | sudo tee /proc/sys/kernel/sysrq
or permanently with:
echo 'kernel.sysrq = 1' | sudo tee /etc/sysctl.d/90-sysrq.conf
If it turns out that memory overconsumption is the problem, you can sometimes fix this lag by disabling swap. 16GB is easily enough RAM to do all normal desktop things.
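An added example, not part of the original comment: kernel.sysrq is a bitmask, and this script decodes a value and reports whether it permits the Alt+SysRq+F OOM kill. The group names are shorthand chosen here, and the bit meanings follow the kernel's sysrq documentation.

```shell
#!/bin/sh
# Added example: decode a kernel.sysrq value and check whether it permits
# Alt+SysRq+F. Bit meanings follow the kernel's sysrq documentation.

# is_uint VALUE -> success if VALUE is a non-negative decimal integer
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# sysrq_allows_oom VALUE -> success if the F (OOM kill) key is permitted
sysrq_allows_oom() {
    is_uint "$1" || return 2
    [ "$1" -eq 1 ] && return 0        # 1 enables every SysRq function
    [ $(( $1 & 64 )) -ne 0 ]          # bit 64: signalling (term, kill, oom-kill)
}

# sysrq_describe VALUE -> prints the function groups VALUE enables
sysrq_describe() {
    is_uint "$1" || { echo "invalid"; return 0; }
    case $1 in 0) echo "disabled"; return 0 ;; 1) echo "all"; return 0 ;; esac
    out=""
    for pair in 2:loglevel 4:keyboard 8:debug-dumps 16:sync \
                32:remount-ro 64:signal 128:reboot 256:rt-nice; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( $1 & $bit )) -ne 0 ]; then out="${out:+$out,}$name"; fi
    done
    echo "$out"
}

# Report on the running system when the sysctl is readable.
if [ -r /proc/sys/kernel/sysrq ]; then
    cur=$(cat /proc/sys/kernel/sysrq)
    if sysrq_allows_oom "$cur"; then verdict="permitted"; else verdict="blocked"; fi
    echo "kernel.sysrq=$cur ($(sysrq_describe "$cur")): Alt+SysRq+F is $verdict"
fi
```

A value of 64 permits the F key without turning on the other SysRq functions that 1 enables.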
Try going to http://000.000.000.000:8080/ in your web browser (replacing the 0’s with your public IP address), on your home connection. If it doesn’t work, it means that your port forwarding is probably not working. If the page loads correctly, it means your port forwarding is working correctly, and the problem is probably your ISP doing port blocking.
In my system, the raid arrays seem to do periodic data scrubbing automatically. Maybe it’s something that’s part of Debian, or maybe it’s just a default kernel setting. I don’t think it helps much with data integrity – I think it helps more just by ensuring the continued functionality of the drives.
When it’s running, you can type cat /proc/mdstat to see the progress.
That command will also show you if there is a failing drive, so that you can replace it.
Sure. First you set up a RAID5/6 array in mdadm. This is a purely software thing, which is built into the Linux kernel. It doesn’t require any hardware RAID system. If you have 3-4 drives, RAID5 is probably best, and if you have 5+ drives RAID6 is probably best.
If your 3 blank drives are sdb1, sdc1, and sdd1, run this:
mdadm --create --verbose /dev/md0 --level=5 -n 3 /dev/sdb1 /dev/sdc1 /dev/sdd1
This will create a block device called /dev/md0 that you can use as if it were a single large hard drive.
mkfs.btrfs /dev/md0
That will make the filesystem on the block device.
mkdir /mnt/bigraid
mount /dev/md0 /mnt/bigraid
This creates a mount point and mounts the filesystem.
To get it to mount every time you boot, add an entry for this filesystem in /etc/fstab.
The man page at https://btrfs.readthedocs.io/en/latest/mkfs.btrfs.html says:
RAID5/6 has known problems and should not be used in production.
So those profiles have unknown, unspecified problems.
But btrfs is safe on top of md-based raid1/5/6. It also has the advantage that you only need to encrypt one volume.
Have you imported the tails-signing.key yet? Usually you can double-click on that to import it using whatever graphical gpg frontend is set up on your system. It may ask you how well you trust the owner of the key. You can answer that question however you want without affecting this verification process.
Next, it looks like you run the instructions from this page: https://tails.net/install/expert/index.en.html#verify
Some of those command line parameters look a little paranoid. The basic command you want to run is: gpg --verify somefile.sig somefile.img
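An added example, not part of the original comment or of the Tails instructions: a check that reads gpg's machine-readable status lines and accepts only a valid signature whose primary key matches one pinned fingerprint. The fingerprints and key ID in the sample are constructed placeholders, not the Tails key; the TRUST_UNDEFINED line shows that the trust answer plays no part in the decision.

```shell
#!/bin/sh
# Added example: accept a verification only if gpg reports a valid signature
# from one pinned primary-key fingerprint. Reads gpg status lines on stdin.

# check_gpg_status EXPECTED_FPR -> success only for a valid, pinned signature
check_gpg_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 is the signing (sub)key, last field the primary key
        $2 == "VALIDSIG" { valid = 1; primary = $NF }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" ||
        $2 == "REVKEYSIG" || $2 == "EXPSIG" { bad = 1 }
        END { if (valid && !bad && primary == want) exit 0; exit 1 }
    '
}

# Constructed sample of `gpg --status-fd 1 --verify` output (placeholder keys).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_SUBKEY=FEDCBA9876543210FEDCBA981111222233334444
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

if sample_status | check_gpg_status "$SAMPLE_FPR"; then
    echo "sample: signature accepted for pinned key"
fi

# Real use, with the file names from the comment above and a fingerprint
# obtained out of band:
#   gpg --status-fd 1 --verify somefile.sig somefile.img 2>/dev/null \
#       | check_gpg_status "<pinned fingerprint>"
```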
The easiest way to disable unnecessary services is to uninstall them with aptitude, or whichever package manager you like. Try terminating services one by one, and see if anything bad happens. If nothing bad happens, you can probably uninstall it. On the other hand, if the system does get wonky a reboot should fix it. Or, you can research the services by name and decide whether to uninstall them. (avahi-daemon for example is a good idea to uninstall.)
To make the GUI not run, uninstall your display manager (gdm, xdm, nodm, or whatever) and uninstall your xorg server or wayland server. There may be GUI programs remaining after that, but they will only be consuming disk space, not RAM or CPU.
If the battery is old and holds little charge, you may save a few watts by removing it and throwing it away, instead of letting the system keep it topped off.
Get a power meter, such as a Kill-a-watt device. Then, experiment with different settings. If it’s consuming less than 30 watts, you’re probably fine. If you live in the US, one watt-year is about one US dollar (or a little more), so for every watt it consumes, that’s about how much you will pay per year for its electricity.
NTFS is considered pretty stable on Linux now. It should be safe to use indefinitely.
If you’re worried about the lack of Unix-style permissions and attributes in NTFS, then getting BTRFS or ext4 on Windows may be a good choice. Note that BTRFS is much more complicated than ext4, so ext4 may have better compatibility and lower risk of corruption. I used ext3 on Windows in 2007 and it was very reliable; ext4 today is very similar to ext3 from those days.
The absolute best compatibility would come from using a filesystem natively supported by both operating systems, developed without reverse engineering. That leaves only vfat (aka FAT32) and exfat. Both lack Unix-style permissions and attributes.
Using a VPN (like Tailscale or Netbird) will make setup very easy, but probably a bit slower, because they probably connect through the VPN service’s infrastructure.
My recommended approach would be to use a directly connected VPN, like OpenVPN, that just has two nodes on it – your VPS, and your home server. This will bypass the potentially slow infrastructure of a commercial VPN service. Then, use iptables rules to have the VPS forward the relevant connections (TCP port 80/443 for the web apps, TCP/UDP port 25565 for Minecraft, etc.) to the home server’s OpenVPN IP address.
My second recommended approach would be to use a program like openbsd-inetd on your VPS to forward all relevant connections to your real IP address. Then, open those ports on your home connection, but only for the VPS’s IP address. If some random person tries to portscan you, they will see closed ports.
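An added example, not part of the original comment: one way to write the iptables rules for the first approach, printed in iptables-restore format for the ports the comment lists. The interface names eth0 and tun0 and the address 10.8.0.2 are assumptions standing in for the VPS's public interface, its OpenVPN interface and the home server's OpenVPN address.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the VPS side.
# Assumed names (not from the comment): eth0 = VPS public interface,
# tun0 = OpenVPN interface, 10.8.0.2 = home server's OpenVPN address.
WAN_IF=eth0
VPN_IF=tun0
HOME_IP=10.8.0.2
# proto:port pairs named in the comment
FORWARDS="tcp:80 tcp:443 tcp:25565 udp:25565"

vps_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    for f in $FORWARDS; do
        proto=${f%%:*}
        port=${f#*:}
        echo "-A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $HOME_IP"
    done
    # Rewrite the source so replies return through the tunnel. Trade-off:
    # the home server logs the VPS tunnel address, not the client address.
    echo "-A POSTROUTING -o $VPN_IF -d $HOME_IP -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    # Forward nothing except the listed ports and their reply traffic.
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for f in $FORWARDS; do
        proto=${f%%:*}
        port=${f#*:}
        echo "-A FORWARD -i $WAN_IF -o $VPN_IF -d $HOME_IP -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# The VPS also needs forwarding enabled: sysctl -w net.ipv4.ip_forward=1
vps_rules
```

Check the output with `vps_rules | iptables-restore --test` before loading it. Loading it replaces the existing contents of the nat and filter tables unless iptables-restore is run with `--noflush`.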
Sure, here are some:
http://security.stackexchange.com/questions/259088/ddg#270934
https://en.wikipedia.org/wiki/Digital_signature
The main feature would be that if flathub (or a hacker with access to flathub) acted maliciously, digital signatures would prevent them from issuing malware infested updates to flatpaks. Only the software’s originator would have the cryptographic key needed to sign releases of the software.