I took a cursory glance through the source code (for the Firefox version, at least), and I’m not seeing any calls to the gitflic.ru URL outside of the update functions (there appear to be two different places where these might be triggered) and one function for importing custom sites:

// Import custom sites from local/online
function import_url_options(e, online) {
  let url = '/custom/sites_custom.json';
  if (online)
    url = 'https://gitflic.ru/project/magnolia1234/bpc_updates/blob/raw?file=sites_custom.json'  + '&rel=' + randomInt(100000);
  try {
    fetch(url)
    .then(response => {
      if (response.ok) {
        response.text().then(result => {
          import_json(result);
        })
      }
    });
  } catch (err) {
    console.log(err);
  }
}

I noticed in the manifest.json, there is the optional permissions array:

"optional_permissions": [ "*://*/*" ],

Which seems to grant the extension access to all URLs, so maybe that’s why the HTTP request is able to fire on any given website rather than just the ones explicitly defined in the regular permissions array. Though this is speculation on my part; I’ve only ever written one or two complex Firefox extensions. I’m not sure if the “optional permissions” array can be declined upon installation (or configured in the extension settings after installation); perhaps access to the wildcard URL can be revoked so that this update call isn’t occurring constantly.

All looks okay to me, but this was a very quick audit.

I’ve had great results with various refurbished Dell Latitudes from eBay over the years. I have a stack of about 5 or 6 of 'em and they’ve all run many mainstream Linux distros with fantastic out-of-the-box support. I pass 'em out to members of the household whenever a laptop is needed and they’ll usually get the job done.

I’d just type in “Dell Latitude” on eBay and filter by price and such. I suspect any model with an i5 and 8GB RAM oughta be fine for light programming work. I’ve found sellers with high ratings (like 97% or higher) and thousands of sales are pretty reliable (and tend to have return policies in case you get a lemon). Just test all the hardware (webcam, microphone, headphone jack, USB ports, ethernet, etc) as soon as you get it.

I’ve saved a lot of money over the years buying secondhand, and these machines have been running without a hiccup for years of casual use.

I haven’t had to deal with this specific kind of use case before (accessing the local Jellyfin service while the laptop is connected to a VPN), but after some cursory research, one of these approaches may work for you:

Easy Option (only available on some VPN software):

There may be an option in your VPN client that lets you access local network addresses like your Jellyfin server. Check your settings and see if there are any options like “allow local network traffic” and then try opening up your Jellyfin server in a browser (e.g.: http://192.168.1.100:8096/)

Less Easy Option:

If your VPN client doesn’t have an option for allowing local traffic, you can open up the command prompt on your macbook and run a command like this:

sudo route add -net 192.168.1.0/24 192.168.1.1

Where 192.168.1.0/24 is the local network you want to connect to (where the Jellyfin server is located), and 192.168.1.1 is your local gateway (probably your wifi router’s address). Change both of these depending on how your network’s local IPs are formatted.

This should update your routing table to handle local network addresses without the VPN and this should persist between reboots.

Hope this helps.

Agreed. I’ve learned most of what I know about computers by fixing broken stuff. Like you, my first serious daily driver was Manjaro. And after dealing with broken systems time and time again, I’m tired, boss. My daily driver for the last 2 years has been Mint and I love it to death for how stable and functional it is. But the lessons I learned along the way with other distros have been invaluable.

Does the device show up if you open Gparted? Maybe it needs to be formatted. Though I guess it’d still show up with ‘lsusb’ even if it needed formatting.

I wanna say fwupd/lvfs manages firmware updates on Arch (and lots of other distros) these days.

You may be able to roll back the latest firmware update with fwupdmgr. What’s the output of fwupdmgr get-devices in your terminal? Also, what is the make/model of the ethernet port that is now on the fritz? You can search for it on the website here: https://fwupd.org/ in the “search for firmware” bar at the top, then you may be able to install the old version with fwupdmgr.

I’m not familiar with EndeavourOS, but I’ll ask a few questions to get the troubleshooting process started:

With the ethernet cable plugged in, can you access your local router config page (if you have one)? e.g.: 192.168.1.1. If not, what happens when you ping the router’s address in the terminal?

If you’re able to successfully ping/access your router, can you ping a well-known IP address such as 8.8.8.8 (google DNS) or 1.1.1.1 (cloudflare DNS)?

Jokingly: “Linux is free if your time is worthless”

Though this tongue-in-cheek tagline takes the “free as in free beer” misinterpretation of the term “free software”, I’ve always found it a fun way to describe the time investment you’ll need to make if you’ve spent your whole life using Windows before making the switch.

I’m in a similar boat to you; whether the blobs constitute a security threat seems to still be up in the air. I read through the issue thread on github a few months back and it seemed the vast majority of the blobs were built by scripts contained in the repository, but some weren’t documented well, leading to uncertainty.

The comment by Long0x0 on Aug 05 lists a lot of the blob files.

There’s no way to srsly prevent a full-bloat browser from messing with its environment.

Can you elaborate on this? I’m curious as to what manner a browser like Firefox could be exploited in order to affect its environment outside of something like a sandbox escape.

and connect to it with an iPad that has a Jellyfin client installed?

In my experience, you don’t even need the dedicated Jellyfin client. Just opening it up in a web browser works out of the box, so that’s potentially one less thing to download/install/manage for the clients.

That said, I’ve never tried to access Jellyfin from an iPad/iPhone/Mac so it might not be as seamless as my experiences on Android/Linux based devices. But I imagine they’d be fine; just test it out before you hit the road.