

They have the best ARM CPUs in any consumer product and very good software/hardware security. I hate Apple because their shit is overpriced and locked-down, but that doesn't mean it's garbage.
I’m the Never Ending Pie Throwing Robot, aka NEPTR.
Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.
TL;DR I am a nerd.




Yes, I understand what gVisor does. Cgroups2 are for isolation of system resources, but aren't even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces are significantly more important for these containers' security.
gVisor helps with one of the main risks in a container setup, which is the kernel shared by host and guests. I understand it comes with a performance penalty (and I didn't know it was incompatible with SELinux), but that doesn't change my original point that gVisor is a security improvement over default Docker. I understand there is more nuance; even when I wrote my original comment I understood (just like with any other security feature) that it can't be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: kernel vulnerabilities and privilege escalation.
I researched cgroups2 more and I still don't understand why you brought it up in the first place. Cgroups2 and gVisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk of DoS attacks) by controlling access to some system resources (I/O, devices, CPU, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gVisor because it is mostly just a drop-in replacement container runtime which doesn't need setup to be used.
Now for a different container runtime which provides significantly more features (than gVisor) with fewer downsides (if configured correctly for a specific workload): Sydbox provides syd-oci, which is an application kernel runtime that uses a permission config file to create a sandbox, isolating using namespaces, seccomp, Landlock, and more. It can sandbox in many different categories (oftentimes leveraging multiple features to provide a multilayer sandbox); you can see the categories in the syd manpage. The biggest downside is that you must really understand what your container application needs, otherwise it will prevent it from running. It is a "secure-by-default" sandbox which can be softened through config.


I don't really understand what you mean in your last sentence.
My reason for saying gVisor is safer is because it is an application kernel which traps and emulates most Linux syscalls in the guest, with a far smaller set of syscalls reaching the host kernel, helping to prevent container escapes and privilege escalation. gVisor also fully drops privileges early in startup (before running any significant logic), helping to prevent privilege escalation.
Cgroups are not really a security feature (from what I understand). They are about controlling process priority, hierarchy, and resource limiting (among other things). You cannot use gVisor with LXC.
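The "reduced syscall attack surface" that the gVisor and Sydbox comments above refer to is, at the host boundary, a seccomp-BPF allowlist: gVisor filters its own Sentry's host syscalls with one, and Sydbox applies seccomp directly to the sandboxed program. The C program below is an added example written for this page, not code from the thread or from either project. It installs an allowlist in a forked child so that the child can only perform five syscalls; a task that stays inside the list finishes normally, a task that calls `socket(2)` is killed by the kernel with SIGSYS before the syscall executes. The function names (`run_sandboxed`, `install_allowlist`, the two tasks) are my own; it is Linux-only, and the architecture constant is chosen at compile time.

```c
// Added example: minimal seccomp-BPF syscall allowlist in a forked child.
// Not from the original thread or from gVisor/Sydbox; helper names are
// invented for this illustration. Linux only.
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define SANDBOX_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS            /* older uapi headers */
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Two BPF instructions: if nr matches, return ALLOW; else fall through. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install the allowlist in the calling process. 0 on success, -1 on error. */
static int install_allowlist(void)
{
    struct sock_filter filter[] = {
        /* Kill if the ABI differs (e.g. 32-bit compat calls on x86_64),
         * where the same syscall numbers mean different things. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and walk the allowlist. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(SYS_write),
        ALLOW_SYSCALL(SYS_getpid),
        ALLOW_SYSCALL(SYS_exit),
        ALLOW_SYSCALL(SYS_exit_group),
        ALLOW_SYSCALL(SYS_rt_sigreturn),
        /* Default for everything else: kill the whole process. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Lets an unprivileged process install a filter and also stops execve
     * from ever granting new privileges (setuid, file capabilities). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, sandbox the child, run task there. Returns the child's exit code,
 * 128 + signal number if the kernel killed it (shell convention), or -1. */
int run_sandboxed(int (*task)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_allowlist() != 0)
            _exit(127);
        _exit(task());  /* _exit: a bare exit_group, no atexit/stdio flush */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/* Uses only allowlisted syscalls (raw write(2) and getpid(2)). */
int task_inside_allowlist(void)
{
    static const char msg[] = "inside the allowlist\n";
    syscall(SYS_write, 1, msg, sizeof(msg) - 1);
    (void)syscall(SYS_getpid);
    return 0;
}

/* socket(2) is not on the list: the kernel delivers SIGSYS instead. */
int task_outside_allowlist(void)
{
    (void)syscall(SYS_socket, AF_INET, SOCK_STREAM, 0);
    return 0;  /* never reached */
}

int main(void)
{
    int ok = run_sandboxed(task_inside_allowlist);
    int blocked = run_sandboxed(task_outside_allowlist);
    printf("allowed task -> %d, blocked task -> %d (128 + SIGSYS = %d)\n",
           ok, blocked, 128 + SIGSYS);
    return (ok == 0 && blocked == 128 + SIGSYS) ? 0 : 1;
}
```

Two design points matter in practice: the filter checks the architecture before the syscall number (otherwise a compat-ABI call slips past with a number that means something else), and the default action is `SECCOMP_RET_KILL_PROCESS` rather than an errno, so a blocked call cannot be probed and retried. The child uses raw `syscall()` and `_exit()` because libc wrappers such as `exit()` or buffered `printf()` may issue syscalls that are not on the list.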


In order of most to least secure:
VM > Docker+gVisor > Docker/LXC
Docker+gVisor is a good middle ground because it provides the guest container with an application kernel in a memory-safe language and a reduced syscall attack surface to avoid kernel container escapes. Docker/LXC share the kernel with the host.
They disregard the risk from the vendor because you are already using their hardware. The hardware has firmware already included which is proprietary, the hardware itself is proprietary, and hardware effectively runs as root anyway. You should already trust your hardware or you shouldn't be using it. Linux-libre is a purity test, that is it. It is security theater which actually, definitely, really makes you vulnerable without doing anything meaningful. The only time it makes any sense is if you only use open source hardware.
I would go with a (semi-)rolling distro, either openSUSE Tumbleweed/Slowroll or Fedora. I prioritize fast-updating distros because they are better for security (many vulnerabilities go unnoticed because the full scope isn't understood and they are deemed normal bugs), and (unlike Windows) updates on Linux are a good thing, bringing new features, crash/bug fixes, and optimizations.
Fedora is very popular, has wide software support, and is very stable. openSUSE is also still pretty popular, is quite stable as well (even its rolling edition), has good software support, and YaST allows you to do graphical administration of your system. Both take security seriously and use SELinux for security policies.
If you care about security, use Brace for automatic system hardening. It has been developed for years by the former DivestOS dev Tavi, and supports many distros.


The other problem with Matrix for me is that Element Call (the protocol) is not present on most public instances and isn't very straightforward to self-host. The default is Jitsi, which is not E2EE. Pretty major IMO, because if Matrix is supposed to be a Discord alternative and supposedly E2EE but VC isn't encrypted, pretty yikes.
Also, they have claimed for years that they have forward secrecy. Has something actually changed recently?


Where did you read that Signal uses MLS? I could not find any claims of using MLS on Signal's specs page or their GitHub repo. Also, MLS doesn't mean anything on its own; see Soatok's blog on MLS.
Soatok is currently in the process of writing a blog post about another vulnerability they found in Matrix's encryption, and with Matrix's history of numerous vulnerabilities, I would stay away from that shit. No matter how "good" the algorithm is in theory, it is all about implementation. Matrix also has very brittle encryption; oftentimes many messages will become unrecoverable, which is terrible UX.
You'd be better off just self-hosting XMPP+OMEMO, with the caveat that it is also flawed and leaks plenty of metadata.
The best alternatives to Signal (but not Discord) are SimpleX and Briar. Both are significantly better than XMPP/Matrix for privacy and security.


It still isn't great. Better than DeltaChat/Matrix but decently worse than Signal's security.


OMEMO is better than nothing. Much better than OTR or PGP (looking at you, DeltaChat), and the biggest problem seems to be the metadata and the old versions used in some clients. The encryption (of message contents) at the very least is decent.
OMEMO is better than Matrix's encryption, as the latter doesn't offer proper forward secrecy and breaks all the time, leaving messages inaccessible.


You can use the WebCord app for Spacebar.


Linux Mint has LMDE based on Debian.


Some people don't understand that systemd isn't the only init system, nor even the only init with modern features. We have runit, OpenRC, s6, and dinit, each with varying levels of features. The reason there is no real competitor to what systemd does is because it is "cheating", and by that I mean systemd isn't just an init system. It has major scope creep, trying to do everything. It isn't even the best at doing what the other software it replaces does (like DNS, time, etc.). What it offers that is irresistible to developers is unification and abstractions which make developing for Linux simpler. This, though, is the exact opposite of what many people love about Linux: the option to pick and choose.


OCR support seems really cool. Currently for OCR I either use NormCap, or on Android some random OCR app from F-Droid which doesn't have any crazy perms.


For higher quality Text-to-Speech, install Pied (Flatpak or Snap), which offers a GUI for installing and configuring Piper TTS voices.


Chimera Linux uses musl libc, Void Linux has the option of musl libc, and of course Alpine uses musl libc.


I tried Waterfox and didn't really get it. Why use it over, for example, Zen or LibreWolf? It just seemed way too close to Firefox, but with a couple of preinstalled extensions. Idk, just wasn't for me.
My browsers are just tools. I use many browsers for different things. I wish there were good alternatives to the main browser engines (Gecko, Blink, WebKit), but I am fine with just using good derivative browsers like LibreWolf, Mullvad, Cromite, etc.


Waterfox is Gecko. I still agree with the comment that mentions it is written by a right-winger. I'd rather root for Servo, especially because Ladybird is just another web engine written in C++. Memory safety vulnerabilities are the largest represented class of vulnerabilities discovered every year. Servo being fully written in Rust is a good thing for its security, as long as they also design a strong sandboxing/isolation strategy on all OS platforms.
Screensharing is the only thing I don't think it does. Voice and video are good. See Snikket or conversations.im.