If you every used Linux for an extended period of time, you no doubt have been inundated with the varieties of packages and vast number of distributions. Despite this, if a program is worth its salt, it’s available as Flatpak, but what happens when you encounter something that isn’t a Flatpak? There’s hundreds of ways outside of Flatpak and many of them like Debian .debs and Red Hat’s .rpms are restricted to specific Linux distributions. This is where an important, but a relatively new skill in Linux comes in: making Distroboxes.

A Distrobox is running another specific flavor of Linux with near native performance on your main machine. Distrobox functions as a compatibility layer. Unlike a virtual machine, applications installed in a Distrobox have standard access to your system and to run virtually any Linux application you want anywhere. This means any configuration files are stored in the same locations they would as if you had installed them normally. Whether it’s a graphical application, a web browser, or build tools for a development project, Distrobox is the most flexible way to run almost any application from any Linux distribution.

Getting Started With Distrobox

First, I’m going to present a use cases. If you are installing programs the you intend to use on a regular basis, I recommend consolidating them to a single Distrobox. When it comes to more specialized programs or development workflows, create a new Distrobox. While you can make the majority of applications work, often times, this requires getting in the weeds and learning more about that specific environment before you take a deep dive.

One common usecase for Distrobox are applications that are restricted to a specific distribution. One example is Signal, which is unofficially supported as a Flatpak, but also only endorses a Debian or Ubuntu installation. Furthermore, this locks out all non-Ubuntu distributions from using Signal.

The first thing you’ll need to download Distrobox from your Linux distribution’s repositories, which shouldn’t be a problem for the vast majority of Linux users. If you prefer a more forward-facing way to play with Distrobox, you can use BoxBuddy, which adds some of the more day to day operations visible in an interface. I’m going to focus more on the main application, which requires using a terminal. Whether you want to use an interface like BoxBuddy or not, you will need to use a terminal to do something at some point, so I would recommend learning it.

To start with building a Distrobox, you need to evaluate which Linux system you need. There a list on Distrobox’s GitHub documentation or the “Image” dropdown menu in BoxBuddy. The list might be daunting, but you don’t know, start with fedora:latest or ubuntu:latest, which means running Fedora or Ubuntu respectively. Since Signal asks for a Debian/Ubuntu-based distribution, we’re going to use ubuntu-latest.

To create your first Distrobox, use `distrobox create -n yourdistrobox -i fedora:latest

If you are doing this for the first time, it will prompt you to pick the image from one of the latest Ubuntu mirrors. After, Podman will pull the latest Ubuntu image down so you can run it. Afterwards, you will be prompted to “enter” your Distrobox with distrobox enter yourdistrobox. This command can also be appended with commands your want to run in your Distrobox like distrobox enter yourdistrobox -- sudo dnf upgrade -y.

In terms of maintenance, you need to manually upgrade each of your containers as each system is independent of each other, even if they share the same image. Distrobox provides a basic command to run on every Distrobox you control in distrobox upgrade --all.

Exclusive Applications

The first thing to do is create a new Ubuntu Distrobox and run the commands from Signal’s website to install Signal as normal. Here’s where a bit of Linux know-how and trial and error comes in. Because Distroboxes are stripped down, some quality of life is missing and basic features aren’t installed out of the box. While Signal functions when you launch it, a few things are missing like the file picker for uploading images, localization of non-Latinized languages, and sound for audio/video calls. If you have issues, examine these issues.

• If you need a file picker, you will need the xdg-utils.
• Corresponding language fonts are needed, such as google-noto-sans-cjk-fonts for Chinese, Japanese, and Korean support on Fedora. On Ubuntu, this package is calledfonts-noto-cjk
• If you require sound, you will need the package for Pipewire. In the case of Ubuntu and Fedora, this is simply pipewire.

Here’s a sample Ubuntu one-liner:

sudo apt install xdg-utils fonts-noto-cjk pipewire

Afterwards, we need to integrate Signal through your GNOME or KDE menu, so we don’t have to open the terminal each time to run your Distrobox applications. Depending on the kind of application you use, you need to use a different distrobox-export command. Typically, this is named after the desktop file (e.g. Signal) from Signal’s website.

distrobox-export --app "Signal"

For command line programs, use the -b flag and the path of the binary.

distrobox-export -b /usr/bin/signal-desktop

Lastly, to stop or remove a Distrobox it’s a quick distrobox stop <yourdistrobox> and distrobox rm <yourdistrobox>.

So that’s our first application! Signal is a more simple example, but it’s not far off from what most applications are like. Most programs will automatically install these things for you, but the first time you install something, you should be prepared to take action.

The Workflow Distrobox

Moving away from special applications, let’s make what I call a workflow Distrobox. This is where you use one Distrobox to house various utilities that you intend to use on a regular basis. One example is a home for a particular development workflow. For me, one example is compiling whisper.cpp, which I use to make subtitles for my videos. I use a Fedora container with cmake and gcc-c++ to do C++ compilation.

Like with Signal, you can take this to the next level by using a Distrobox to version software or clump all of your daily applications together. I typically have “personal” containers appended by the corresponding container distributions, such as “fedora-personal” or “ubuntu-personal.” In these containers, this is where you would install things like web browsers. Some of the most popular web browsers like Brave and Vivaldi are not available officially Linux distributions outside of Ubuntu, Debian, or Debian. While you can run Brave or Vivaldi in their equivalent Flatpaks, the official install methods still stand by their Debian .debs and Red Hat .RPMs.

Like Vivaldi, Proton Authenticator only provides a raw Debian or Red Hat package. This is also a great way to show Distrobox has full access to your home folder and stores your configuration data identically as if the application was installed natively.

To install a .deb or .rpm package, run distrobox enter yourdistrobox, then download the corresponding package and install it as if you were on that distribution. If you are using BoxBuddy, you get the option to upload distribution packages to install. Next, you run the corresponding package commands to install the packages you downloaded.

cd ~/Downloads
sudo apt install ./vivaldi-stable.deb ./proton-pass.deb

Another common task for me as a video editor is to use NVIDIA’s CUDA container toolkit to make rendering videos easier. With NVIDIA’s CUDA binaries, they often require specific versions of Ubuntu, Fedora, or openSUSE and are slow to support new versions.

Instead of installing CUDA as a distribution package and creating a potential conflict with what’s already installed or compiling ffmpeg from source to get CUDA support, I can use a Distrobox based on LinuxServer.io’s full featured image of ffmpeg. Distrobox lets you create new Distroboxes using existing container images.

distrobox create -i docker.io/linuxserver/ffmpeg:latest -n ffmpeg

This creates a new Distrobox with ffmpeg, compiled with CUDA thanks to LinuxServer.io, and in a new container for us to use.

Complex Usecases

One of the newest uses for this is Davincibox, which allows anybody to run the video editor DaVinci Resolve on any Linux distribution. Currently on NVIDIA cards specifically, you need to change some specific rendering options in the settings.

• In DaVinci Resolve’s top menu, navigate to DaVinci Resolve → User → UI Settings → Uncheck “Stop playback when a frame or clip cannot be processed.” Despite this option’s wording, I have not experienced any issues in rendering videos.

In addition to these problems, DaVinci Resolve attempts to claim permissions of specific CUDA libraries, which breaks their functionality when you stop the container or reboot your system. As a workaround, you need to remove these libraries, then “rebuild” these libraries when davincibox repulls the main image with pristine libraries.

#!/bin/sh
# davincibox-fix
distrobox stop -Y davincibox
distrobox enter davincibox -- sudo rm -vf /lib/libcuda.so /lib/libnvcuvid.so /lib64/libcuda.so /lib64/libnvcuvid.so
distrobox stop -Y davincibox

Building Assemble Files

But more simple than something like Davincibox, you can take every step I used to create my Signal container and repeat that process in an .ini file that works on every Linux distribution. Distrobox has the ability to “assemble” applications using a custom .ini file. This means you can theoretically make any Distrobox container of most desktop Linux applications and replicate it in a file. The concept of Distrobox’s assembly files comes from the cloud computing world and it’s also a new way to share applications with other people. Instead of sharing a shell script that only works on a specific distribution or accounting for changes in one’s setup, you can distribute Distrobox .ini files to quickly install new applications through the magic of containers.

Let me break down some of the commands and what they look like when you make your own .ini file.

• Image: Location of the source container. This can be generic like quay.io or docker.io image of Ubuntu or something specialized like LinuxServer.io’s ffmpeg.
• Additional packages: Any package you want installed. This is run after the initial hooks from below.
• Init: Integration with systemd or openrc. I have never had to touch this.
• NVIDIA: Whether you need NVIDIA support or not.
• Pull: Whether you want to pull the image again when running distrobox assemble
• Root: Whether you want to enter the container as a root account
• Replace: Whether you want to replace your existing container of the same name after the distrobox assemble signal.ini command runs.

[signal]
image=docker.io/library/ubuntu:latest
additional_packages="xdg-utils pipewire fonts-noto-cjk" 
init=false
nvidia=false
pull=true
root=false
replace=true
# Instructions from https://signal.org/download/
init_hooks=wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg;cat signal-desktop-keyring.gpg | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null && rm signal-desktop-keyring.gpg
init_hooks=echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | sudo tee /etc/apt/sources.list.d/signal-xenial.list
init_hooks=sudo apt update && sudo apt install signal-desktop -y

Distrobox Limitations

That said, Distrobox has its limitations. While the vast majority of programs you might use work, there’s a few catches. Here’s some of the things you can’t use with Distrobox or issues you might run into.

• Distroboxes will take some time when they are launched for the first time. This can be alleviated by adding them to your ~/.config/autostart folder to start them when you boot up, but you might not need every container to start when you log in. Afterwards, they will launch with near native performance.
• Programs like VeraCrypt or GNOME Disks, which require direct access to your filesystem or disks.
• VPN provider specific software, where VPNs and containers are a massive rabbit hole. Alternatively, you can use Wireguard or OpenVPN configuration files from your provider, especially since Wireguard is part of the Linux kernel.
• Using Distrobox isn’t a widespread practice yet, so certain programs may have unintended issues or need additional packages. Brave fails to show the icon in GNOME’s task switcher and DaVinci Resolve has unusual rendering problems unless certain options in the menu are checked.
• This might be an edge case, but using Fedora Distroboxes require internet connectivity. I’m not sure why this is, but I have not experienced this with Ubuntu, Debian, or openSUSE.

Despite these issues, Distrobox is an improvement to desktop Linux in a major way—you don’t have to install programs that mess around with your system. When you install system packages, it increases the chance that something will go wrong. This is why verified Flatpaks are important, because they won’t cause update problems or block your system for turning on. Where you need to run these kinds of programs, this is where Distrobox serves an important purpose and can run them without breaking your system. You’re not getting an opinionated view on that software, but using it as it was intended.

Ragebait Compilation

• Linus Tech Tips’ video “FINE! I’ll Try Linux ONE MORE TIME…”
• Lennart Pottering’s Mastodon on age verification in systemd/Linux
• Google’s Matthew Forsythe: “Android developer verification: Balancing openness and choice with safety”
• NVIDIA’s Henry Lin: “NVIDIA DLSS 5 Delivers AI-Powered Breakthrough In Visual Fidelity For Games”

Track Listing

• shimtone - Heartwarming (ほのぼの)
• KK - Starry winter (星が輝く冬)
• crepe (くれっぷ) - Fairy Lullaby (妖精の子守歌)
• H★ - Saturday morning
• gooset - Bittersweet
• Outro: Khaim - Neon Lamp

References

• Allen Day’s announcement of Steven’s departure
• Steven’s farewell post
• Coldplay concert exposes Astronomer CEO cheating on his spouse (@instaagraace on TikTok)

Track Listing

• Calum Bowen - The Artist’s House (from Pikuniku)

I spent 1 entire week of my channel, which I could have spent doing better things learning about making a server the right way. Using solely information on the internet and leveraging what power I have as a content creator and I’m throwing in the towel and am close to deterring people from making their website. Obviously it’s impossible to make the “perfect” website, but I’m going to break down why it’s near impossible to have a website today.

Bot Protection

One of the growing problems with posting content on the internet is AI. This includes the torrent of garbage that hits your server. I doubt there are people visiting my website from outdated versions of Internet Explorer or attempting to visit common WordPress PHP exploits that totally exist on your website.

Recently, generative AI has changed this for the worst where now every tech company boarding the AI train wants to scrape your website for data. This results in your website getting hammered by AI trying mine your artwork and text content for who knows what and this isn’t counting the mainstream crawlers like Google, Microsoft, and Perplexity are doing!

Unfortunately, modern problems call for modern solutions and whatever you pick in today’s day and age must have a way to integrate AI blocking. There are two programs for this: Anubis and Cloudflare. If you don’t implement either, you are doing yourself a disservice. “B… B… But Cloudflare controls so much of the internet,” tell these gatekeepers to touch grass.

Containers: Choices and Restrictions

The worst way to build a server is using native distribution repositories and there are still many people brainwashed into thinking that this is the only way to do things, both from Linux losers online and in documentation. This is where containers come in as universal ways to package applications in the way the original application developer intended.

For example, as of time of writing, Debian 13 (trixie) was released, but with an outdated version of Podman. Mere days later, Podman receives a new release. This is further proof of Debian shooting themselves in the foot where the version of Podman in Debian 12 (bookworm) had no Quadlet support, which is essential to updates, maintaining feature parity with Docker, and includes bug fixes.

The problems have less to do with containers themselves but rather the two standards competing for attention: Docker and Podman. Of the two, Podman is the better choice as it doesn’t require root privileges but also mostly backwards compatible.

The issues come in when certain programs are not made with Podman in mind because they are targeting features that are only available in Docker. For example, if you want to run Traefik, you have to use a Docker container because of the way Traefik expects things to be done the Docker way.

This is compounded by distribution modifications or hindrances, further most server distributions running outdated versions of Podman that won’t support Quadlets, which autostart your containers on login. Granted, making Quadlets requires a script to do this correctly, but this is a reason distributions matter a lot and I don’t have a good solution to these mismatched versions, especially given server software is always out of date.

Website Name & Server Software

The problem is the actual implementation process is very bad and poorly explained. It’s one thing for Anubis as a community project, but it’s another for a multimillion dollar company like Cloudflare.

For example, this documentation Cloudflare page tells you to fix a setting in your dashboard, so I spent 4 hours searching online through the dashboard. Turns out the problem is with how the proxy is going to my container and I have no clue what it is.

The first problem to building a website comes with server software. The technical term is “reverse proxy,” which is where you declare to a computer where you want everything pointed. One of the most popular of the bunch is nginx.

nginx is one of the oldest internet reverse proxies, but because it’s older, there’s a lot problems with the default configuration. For one, nginx will report your version on the default error page. This often rats out your Linux distribution and if you are vulnerable to any of crippling security issues.

The lesson nginx will teach you is to redirect your error pages. If you use a static site builder or another solution, you need change your error or redirect pages to be something else. This is compounded there are virtually no tutorials to setup Cloudflare with nginx online and spawned many competitors because people couldn’t be bothered to deal with nginx since it was made in an era where these flaws weren’t problems.

The alternatives include Traefik and Caddy. The worst by far is Caddy, which is sad because I found it very easy to setup by itself. The problem is integrating Cloudflare with Caddy requires building from source another module just to get Cloudflare to work properly and the moment this happened, it caused my server to crash. Turns out, despite the image optimization I’ve done to the files on my website is not enough and building Caddy modules eats up all my memory.

Now there are people who say Cloudflare Pages is much better, but this introduces a different problem. Cloudflare Pages requires posting this information on a Git server, which is likely controlled by someone else (GitHub/GitLab) since you came crawling here. The problem is the last thing I want is every mistake and typo I ever make to be published in a record for the rest of eternity. Beyond that, services like GitHub have already shown they will gladly mine information from your repositories and use it to train Microsoft’s artificial intelligence. No thanks.

The Real Failure of Self-Hosting

All of this boils down to I cannot build an effective website. In order to host a website, you need a Linux distro with everything updated, but also sane enough not to break. You also need a reverse proxy with support for bot protection so your content doesn’t get stolen and your website stays up. But there’s one last major problem with all these things: this information is gatekept: both by those who are experts in the field and by idiots online who believe containers are the devil and you should avoid systemd and learn binary to write a crontab instead.

For reference, I used a burner account to download various documentation from Red Hat about how to use containers and Podman. Red Hat generally has very good documentation and Podman is no exception. While Podman has good documentation, in no way does it get you started with the information that actually matters. There’s no assistance in writing a Dockerfile, which you will have to write in order to publish your website. Guides for this are scarce, but it’s pretty easy to figure out how these work because many random strangers on GitHub publishes their Dockerfiles for all to see and they are a great reference for you to reverse engineer what is basically a shell script.

The problem comes in bringing all these messy aspects of server making together. I have browsed virtually every single page on YouTube, Google, or anything AI has touched and it is impossible to find information on how to get Cloudflare to stop infinitely redirecting your website to oblivion. You’ll find someone who set up Cloudflare with Caddy or installing nginx in a Podman container, but nobody does it correctly, marrying your reverse proxy, Podman container, and Cloudflare firewall. Reading Cloudflare’s documentation is so poorly written I cannot ascertain what to do to begin with and Podman is just as bad.

I also ran another test and as a content creator, I am privileged with a very technically savvy audience who are bright about these kinds of topics. So as a social experiment and also an act of desperation, I posted a calm cry for help on all of my social media accounts: Mastodon, X (Formerly Twitter), Bluesky, and my YouTube Community page. I have hundreds of followers across my social media and thousands of subscribers and only 1 person responded referring to a TechnoTim video that was actually not that bad as long as I suck it up and use Docker instead of Podman. But it was only 1 comment to a content creator. I’m sick and tired of people saying “ask around on a forum” because I have burner accounts that have gone ghosted numerous times on Matrix and Discord, why should it be different for anyone else?

This is the real problem with self-hosting communities. Compounded by information constantly changing, people won’t even give you answers to basic problems. Tell me what to do, don’t give me cryptic advice or tell me to read documentation. I have a high BS tolerance, but this broke the camel’s back. I scoured all of Google, YouTube, Reddit, Cloudflare/nginx/Caddy forums and I’m very close to throwing in the towel. If it wasn’t for the people who give me money to do YouTube, I wouldn’t even bother.

Sources:

These are all of the links I read for the nothing I accomplished. To protect my own privacy, I have not linked any Discord, Matrix, or forum conversations I did. Needless to the say, many of my questions went unanswered or I was talked down to. I used burner accounts to simulate the experience most people would experience and did not wish to be given special treatment.

• One of the first Google searches I got for using Caddy and Cloudflare. When this article was originally written, it was probably fine. Since then, Caddy has made major changes to prevent most of the instructions from working. Not only that, but the “easiest” advice is to use a self-signed certificate (which did not work) or upload some root certificate nonsense (which also did not work).
• This YouTube video by @beamnetworks1 on nginx and Cloudflare HTTPS certificates at 7:27, except this is a self-signed certificate and does not work anyway. I got nothing but 502 errors and rejections because it wasn’t using an auto-generated HTTPS certificate. Give up all this origin server junk.
• A Reddit thread from r/selfhosted (Onion Link) about Traefik’s documentation. Many users have complained about poorly written documentation (yes!) and why you should give up and just use Caddy. This led down another rabbithole about nginx proxy manager and information about it was much more limited and it did not bypass the Docker problem either.
• A blog post about native installations of Caddy. The problem with this guide is it focuses on using native distribution packages and doesn’t discuss containers at all.
• A incredibly long GitHub guide to use Caddy
• Podlet, a script to create container startup files AKA Quadlets for Podman containers
• A sample podlet from the Universal Blue forums
• A forum post about Traefik and Podman. Basically, this guy was just told to RTFM politely and make a Quadlet, so see above. They weren’t even directed to the correct variables for their Quadlet. Icing on the cake, the issue was auto-closed by the moderation bot and nobody has asked this question since. What great help.
• Cloudflare’s root certificate, which buried in developer documentation and not available to download from the dashboard. To make this worse, this is the first thing you are presented when you look up how to do basic reverse proxy stuff and might as well be worthless.
• While I was editing this video and working on future content, I found an article on Fedora Magazine about podman auto-update, which is functionally similar to what Podlet is. At least it appears to be, I haven’t had time to test it.

The following were shared with me because of my influence.

• A guide by Daniel Melzak for making a Caddy Dockerfile. My personal Dockerfile does not do the Hugo building, as that already occurs on my personal computer. This is also missing the Cloudflare integration and update management.
• TechnoTim’s video Traefik 3 and FREE Wildcard Certificates with Docker

Video References

• Google I/O ‘25 Keynote
• Niccolò Ve’s video: “Open Source Infrastructure has an AI problem” (YouTube Link)
• Microsoft Build Day 1 Keynote. This version is edited to remove protesters who interrupted the beginning of the presentation.

Track Listing

• Kei Morimoto - Utopia
• gooset - Recharging
• Sonic Mania - Metallic Madness Zone Act 1
• Sonic Mania - Metallic Madness Zone Act 2
• Outro: Khaim - Neon Lamp

Recently, the Linux community is making me very disappointed. It’s not because someone in Fedora decided to remove 32-bit libraries. It’s not because of my precious Wayland and freedesktop.org standards being stalled. But hang on, isn’t all of this just Linux drama? What impact does all of this have on me? Before we get into that, I want to analyze the anatomy of drama within Linux and open source communities.

The Right Target Audience

Before we address any particular juicy drama, let’s break down an important part of covering a story on the internet. I strongly prefer first party sources whenever possible. Reading is easy, but interpreting information isn’t, because interpretation is what we, as users, act upon this information.

Example of Following a News Trail

• You watch a clip from the WAN Show that mentions a lawsuit with Anthropic and Facebook involving copyright. Since Linus and his team don’t cite sources or show the articles they are reading, just trust them bro.
• You don’t trust them and use a search engine to find the article they are reading.
• The search takes you to a LA Times article by Lauren Harvey, which mentions the aforementioned court case with a link.
• The original document is from Publishers’ Weekly, who uploaded the full court case.

This is why I hate reading news.

How I Read Linux News

For example, let’s say we’re covering a new release of software like OBS Studio’s (as of time of writing) recent 31.0.4 hotfix release.

• Simply analyzing the patch notes is far too overwhelming unless you know what to look for, but it’s helpful for those who are actively developing projects around OBS.
• We could analyze the end product by opening OBS prior to the update, but it looks visually similar to the last release.

Jordan has also published a companion blog post: “X11 Session Removal FAQ”

Follow Jordan

Jordan works at Centricular and helps develop GStreamer. He is currently a release manager for Flatpak, GNOME OS, and other projects related to the GNOME Foundation. Jordan assists GNOME with building CI pipelines and organizing GNOME’s versions with major Linux distributions. He currently resides in Greece.

• GNOME Blog
• GNOME Blog RSS

Referenced

• Jordan’s breakdown of (now former) Fedora’s Project Leader, Matthew Miller’s, inaccuracies about Flatpak
• GNOME Podcasts, Jordan’s first Linux application.
• GNOME Builder is a development tool for working GNOME tools like GTK, GLib, dconf, and other APIs.
• GNOME OS is GNOME’s flagship way to use and test the most recent releases of GNOME.
• openSUSE Aeon Desktop. Currently in Release Candidate stage, not for daily use.
• The Washington Post’s Joseph Menn’s article: “Apple yanks encrypted storage in U.K. instead of allowing backdoor access” (Soft paywall)
• Jordan’s talk from Linux App Summit 2025: Flathub: A paradigm shift for distributing applications
• Matthias Clasen’s call for fixing GNOME’s documentation
• GNOME’s help application yelp
• Amazon Web Services (AWS) became a GNOME Infrastructure Partner
• Signal’s president Meredith Whittaker and dev lead Joshua Lund’s blog post: “Privacy is priceless, Signal is expensive”
• After leaving WhatsApp and selling it to Facebook, the Signal Foundation was created by Brian Acton, who invested $50M into Signal.
• Android Authority’s C. Scott Brown: “Own an Android phone? You might be 30% less likely to get a match on dating apps”
• Brodie Robertson’s Tech Over Tea interview with KDE’s Nate Graham at 1:21:06 and how KDE’s telemetry is not very useful.
• Richard Brown’s talk at FOSDEM 2025: “FDE is almost there, how do we tackle the last hurdles?”, licensed under Creative Commons Attribution
• Igalia is a Spanish consultancy that has dedicated time to working on GNOME’s screen reader (orca).
• Jordan’s Blog Post: “An update on the X11 GNOME Session Removal”
• Jean Baptiste Lallement’s (jibel) Ubuntu Discourse post: “Ubuntu 25.10 drops support for GNOME on Xorg”
• The infamous GitLab issue that created conspiracies about GNOME sabotaging Ubuntu
• The Register’s Simon Sharwood: “Linus Torvalds goes back to a mechanical keyboard after making too many typos”

Video Intro

Warning: the following articles and videos either miss context of the original developer discussions or could spread incorrect assumptions about interactions between GNOME and Ubuntu developers.

• OMG! Ubuntu’s Joey Sneddon: Ubuntu 25.10 Drops Support for Using GNOME on Xorg/X11
• The Register’s Liam Proven: Ubuntu 25.10 and Fedora 43 to drop X11 in GNOME editions
• Brodie Robertson: Ubuntu Linux And The GNOME Wayland Problem
• Michael Tunnell: ⧸e⧸OS 3.0, GNOME Dropping X11, Alpine Linux, Ubuntu wants a Rusty Sudo, & more Linux news

Track Listing

• Intro: Khaim - Maybe
• Outro: Khaim - Neon Lamp

Bonus Content:

Patrons and YouTube Members get access to Jordan and Winward nerding out over Apple products for half an hour.

Donate

A lot of people feel like many open source developers are seemingly “spiteful” of “Linux users” or “Linux losers” as I’ve taken to calling them. The reason why is because the sign of a Linux loser is the tendency to immediately assume suspicion when there’s no reason to be distrustful. Look at how Linux losers respond to things like anything the Linux Foundation partnering with Chromium makers, GNOME and Wayland discussion, or when Canonical replaces the coreutils with Rust versions for example. I, and I presume many other open source projects, refuse to involve people in my community who are spreading uncertainty and suspicion.

As much as people bash corporate America, I think trust over suspicion is an important lesson that all of us can learn, because it makes us all better people. Of course, it’s important to remember what happens when trust is violated (look at what’s happening to Deepin/openSUSE as an example). Always give someone the benefit of the doubt, but verify and hold them to account.

References

During all 3 keynotes, protesters claiming to be former Microsoft workers shouted at speakers. I watched the unedited Day 1 keynote with Winward as well as the unedited Day 2 keynote by myself. For the purposes of the video, I combined the keynote video with audio provided by the protesters for clarity.

The Microsoft Developer YouTube account later unlisted the YouTube versions around 11am EST on Tuesday, May 20th. After, Microsoft uploaded edited keynotes to the YouTube channel and the Microsoft Build sessions page.

According to The Verge’s Tom Warren, the Day 3 keynote was also interrupted by a protester, which inadvertently led to a presenter leaking private sales conversations about Walmart. This deal was not private as it was disclosed publicly during the Day 1 keynote. These protesters have the most credibility, claiming something would happen within 2 days from Wednesday, as Israel launched air strikes against Gaza on Friday, confirming their claims.

• Unedited Day 1 Keynote. The protesters start speaking at 3:52.
• Edited Day 1 Keynote. The audio track with the room noise and the protestors was removed.
• No Azure For Apartheid’s protests by Joe Lopez, the first protestor on Day 1. (TikTok, X (formerly Twitter))
• No Azure For Apartheid’s protests by a woman only identified as a “former Google worker,” the second protestor on Day 1. (Instagram, TikTok, X (formerly Twitter))
• Microsoft’s 50th Anniversary Panel with Satya Nadella, Bill Gates, and Steve Ballmer.
• According to Paul Thurrott and Richard Campbell at 2:58, 2 more protestors attempted to rush both the left and right aisles when Lopez and the former Google worker were speaking. They were swiftly stopped by security and their shouting can be heard faintly in the original broadcast.
• Unedited Day 2 Keynote. The protests start at 1:00:43. Shortly into the protestor’s speech, Jay Parikh stopped talking because the protestor was close to the front of the stage and the mics were muted.
• Edited Day 2 Keynote. The section where the video is changed is around 1:00:56, which occured seconds later after the protestor was escorted out of the venue.
• No Azure For Apartheid’s protests by a “Palestinian tech worker” and others on Day 2 (TikTok, X (formerly Twitter)).
• The Verge’s Tom Warren’s article “Microsoft employee disrupts Satya Nadella’s keynote with ‘Free Palestine’ protest” The photo used by The Verge is by Agence France-Presse’s Jason Redmond via Getty Images
• xkcd 1597: Git
• “Elon Musk is Lying About Being Good at Video Games” by @Quin69TV
• “Elon Musk Ignites Online Speculation Over the Meaning of a Hand Gesture” - Ryan Mac, NY Times
• “Tesla Cybertruck event in 5 minutes” by The Verge. The original event was removed.
• Elon carries sink into Twitter HQ
• Meta Connect 2024
• Jeff Bezos Interview with AFA President Gen. Larry Spencer, Ret.
• Mark Zuckerberg testifies on Capitol Hill (full Senate hearing) - The Washington Post
• Amnesty International’s report: “Myanmar: The social atrocity: Meta and the right to remedy for the Rohingya”. The cover photo is by Tamara-Jade Kaz and the photo is by Ahmer Khan.
• Facebook CEO responds to flap over Kauai land suits, Hawaii News Now
• Mark Zuckerberg’s 2017 Puerto Rico VR Safari (Reupload)
• National Enquirer photo is by Patricia Wall of The New York Times.

I recently made a video about making an unattended Windows installer and got flooded with a ton of comments of people asking to switch to Linux or pleading with others to switch to Linux. I’ve wanted to analyze the problems of this for a long time, but more on the biggest issue people have with using Linux.

While the discussion of installation comes up, I don’t think installation is the biggest blocker for people. If people are installing Linux, they are already willing to make a concerted effort to escape Windows. Instead, the problem lies in the experience, not in the applications being bad, but just getting all of your ducks in a row when you first get started.

Today, I want to take a critical examination of the mindset of the people online who beg people to use Linux. I’m avoiding the common arguments like not having the applications you need or hardware issues–this is about the people problem of Linux. Is it standardization? Is it toxicity? You better keep on watching (or reading)!

Installing Is “Fine”

When discussion of Linux comes up, the installation experience is brought up every time. I’d be lying to you if it was straight forward–it’s not. For a lot of people, it’s buying a USB stick, downloading the Raspberry Pi Imager, then flashing your chosen distro to an ISO file.

When I have done this for other people, often times, I am the one supplying the USB stick, because most people don’t have one. They just store all their data in Google Drive or Dropbox, they don’t need a USB stick! On top of that, you have to pick a distro to use and whether that’s even right or not is something people who follow my channel know I have complained about ad nauseam. It doesn’t matter what you pick for our purposes, so I won’t beat that drum to death.

Trafotin’s non-exhaustive distro checklist:

• Must deliver updates when upstream does ASAP.
• Must have secure defaults (e.g. Secure Boot, Wayland)
• Must be run by corporation or community (not a single person)
• Must support some form of rollback (e.g. bootc, BTRFS, etc)
• Must be innovating upstream or changing desktop Linux.
• Must have critical developer mindshare (no BSD).
• Must withstand the wrath of non-technical people.
• Patches security issues within week of issue.
• Package manager must have rollback/redundancy
• Must respect privacy without configuration.
• Must support NVIDIA drivers (as good as they get anyway)
• Must run DaVinci Resolve else you couldn’t read this.

There’s Only So Much That Can Be Done

After finding the appropriate distribution or “distro,” you have to somehow wrangle your Linux ISO file into Raspberry Pi imager and install it to your USB stick. Then you need to backup your data, reboot your computer, then find the boot key to boot into your Linux USB. Now this sounds painful and it certainly is for people especially the first time, but this is actually the best this installation could possibly be.

Replacing the operating system your computer came with is a concerted effort, but it’s not that bad with a bit of knowledge, eve following the occasional YouTube tutorial. While mashing a random key when your computer boots up is pretty annoying, there’s nothing Linux or people who develop for applications for Linux can do. It’s not the best for those not in the know, but it’s the best it can be right now.

A similar comparison is installing a custom Android ROM like GrapheneOS to the Pixel device of choice. GrapheneOS has done virtually everything within their power to work with the constraints of the Android security model and buttons on their website to guide and automate the installation process.

That leaves the actual installation process which you’re bound to find plenty of guides about how to install something like Ubuntu. This is something that Linux app developers can do something about and I think it’s also in a good spot. It’s very clear what you need to and often times you are literally able to mash buttons and complete your installation with little issues. My only major gripe is of most major distributions is full-disk encryption is not recommended out of the box. It should be mandatory on all computers, but Windows/Mac are equally culpable in not enabling it by default too.

Installing Things is a Nightmare

Installing Linux might be a bit cumbersome, let’s get into the real problem–most people will not use Linux because it’s an experience problem. Once you’ve installed Linux and logged in for the first time, getting set up is almost always where problems start to crop up. First off, if you are an NVIDIA user (statistics claim 60% of all desktop computers), you might not even be able to login upon your next update!

Beyond that, it’s installing applications that’s a big problem. You could resort to the packages in your software store, but more than not, they can often break or block updates in the majority of distros (if they even work). You also have to hope that the distro that you chose hasn’t modified the program in a significant way or updates it in a timely fashion.

What’s more there are yearly updates and of all the people I’ve installed Linux on, none of them except one have succeeded in upgrading between major versions without my intervention. I’ve seen this happen on Ubuntu, Fedora, and openSUSE and this is unacceptable.

Even though Windows conceals it, people are still able to move between 24H01 to 24H02 with little issue (even Microsoft has to fumble for months). I’m sure part of this is rooted in the distrust Microsoft has created where people will assume updates break everything, but if you at the people who use things like Debian who stubbornly refuse to update, it’s an example of the fear of updates infecting even the Linux users.

A lot of people who consider themselves part of online Linux circles claim this is because of fragmentation. There’s too many solutions for the same problem. While this is partially true, there’s a reason that will resonate with people better–perfect is the enemy of good.

Many people want their packages to be perfect and we all settle for the same formats and solutions. The problem is many of those formats and solutions are often enumerating problems on top of not proliferating more opposing systems.

How do you download something like Audacity, the audio recorder I use? Well you go to their website and you download the AppImage they provide. The problem is AppImages are inherently broken and require out of date FUSE2 libraries that nobody uses anymore. How can I trust a package provided to me when the method of distribution is creating more problems than it intended to solve?

Things to ignore in online “Linux” circles:

• Extrapolating drama from project issue trackers
• Open source and free/libre software purity tests
• Involving or criticizing the Linux Foundation over desktop Linux
• Bickering over package formats
• “Why is <XYZ Linux thing> so corporate??”
• Controversy surrounding project governance
• “I switched to <XYZ> because…”
• RTFM, forced Googling, and ask your AI sessions
• Fighting over programming languages
• Licenses and people debating them
• Blogs and news outlets pandering to desktop Linux
• Messages based around fear and uncertainty

Linux “Users” Are Not Part of the Linux Community

Why can’t everyone agree on what to use? I think the problem is rooted in the chase over the unicorn of a new Linux user. The experience of desktop Linux is not very good when people have to tell people to Google a solution or read documentation. Desktop Linux will not succeed with a mainstream audience when many parts of it are one developer quitting away from going under.

Using Linux is like being a part of a food pantry. Everybody needs to eat and there’s lots of people who are hungry. There are people who go to get the food they need, but there’s also people who need to bring food to the food pantry so everyone can eat, clean the food pantry so its food that doesn’t go bad, or people to serve the food.

Today, Linux is only at the stage where there’s a lot of people who are hungry, but not enough people to perform the basic functions of developing software. Most distributions can’t even vet their packages or collapse because someone left. But food is still being put on the table and though people might complain, the minority take it the best they can.

What’s a bigger problem to me is the people who serve the food (the Linux users) in the Linux food pantry are too content. They want things to stay the way that it is because they like learning new things and people having the same magical experience they did. They scour the issues pages of projects for juicy gossip and tweak the presentation of the food, but it’s still the same old food the desktop Linux food pantry has been putting out for years.

Most of the people who work at the desktop Linux food pantry do not or have trouble empathizing with people. These are the same people who cosplay as developers when all they did was change some words in a settings file. I was there at one point in my life and I regret it deeply and apologize to everyone who has deal with this side of me. It’s also developers who often make applications just for themselves. Developers in the kitchen and the people being fed need empathy for each other.

Linux Doesn’t Need More Users

Unpopular opinion: Linux doesn’t need more users. Linux needs people who will make the experience better. Using Linux is not about customization or choice, just like using a food pantry isn’t about the flavors of food; it’s about the food or tool doing its job along with raising a community. Then and only then, can Linux call itself a platform for people to use.

There needs to be more people involved and I’m tired of people online pretending desktop Linux is fine. We’ve seen this over the last couple years and the contrast of behavior to people the “Linux community” has declared did something right and someone who “didn’t get it.” How about both people have valid experiences?

I’m a relatively busy person outside of YouTube and I fear for myself that my own attitude towards the “online Linux user” is getting too bitter. The “online Linux user” is not developers, it’s the people on Reddit showing off their Hyprland configuration. Great drinking game, guess what the comments are when you open a Reddit thread or a YouTube video about what the comments are going to be. That’s how much group think there is in the supposed Linux community and there’s cult-like behavior stopping change.

The real Linux community is the people running the food pantry. It’s not pretty, nor nice to listen to, nor interesting, but it’s the truth. If people are going to spend time complaining about “drama” or “did you hear X thing from this influencer did with Linux,” we have a problem. The only way for this to happen is to bring the money and development power to major desktop Linux projects. It’s time to stop wasting time on customization, packaging applications, or installing Linux. I’ve had enough and users: it’s time for you to actually help out around here.

Related post: Canonical’s Jon Seager announces Ubuntu will replace sudo with sudo-rs

Video References

In order of appearance.

• Katerina Koukiou’s presentation of the new Fedora installer, licensed under Creative Commons Attribution.
• Richard Brown’s FOSDEM 2023 talk: What could go wrong? Me, I was: Containerised Applications are the way, licensed under Creative Commons Attribution.
• Sebastian Wick’s Linux App Summit 2025 talk: The Future of Flatpak
• Aleix Pol Gonzalez, Felipe Borges, Sebastian Wick and Jordan Petridis’s Linux App Summit 2025 panel: The App Ecosystem and the Future of Desktop Linux Distributions
• Pewdiepie: I installed Linux (so should you)
• Matthias Clasen & Florian Leander Singer’s Linux App Summit 2025 talk: GTK apps on Android
• Akademy 2025: KDE e.V. Board - Report of the Board

Track Listing

• H☆ - Saturday morning
• Yosuke Matsuura (松浦洋介) - Midnight Chill Coffee
• noru (のる) - Warm Light, with You
• Outro: Khaim - Neon Lamp

In the next part of the Firefox saga, I’m going to cover one of the end game of Firefox, our raid boss being Mozilla itself. I’m a big fan of Firefox, but what really irritates me is the nagging little things Mozilla adds and turns on without my permission.

Bye Bye Mozilla! But Why?

Since the making of my last video, Mozilla has added a weather widget in the new tab page, more suggestions to ads/sponsors, and made everyone angry by consulting a lawyer for a legally-binding terms of service (this was pretty stupid and largely a non-story). I understand Mozilla needs to make money outside of being sponsored by Google (their “opposition”), but a consistent claim that you’ll find online is Mozilla has lost its way, needs to make Firefox the center of the company again, and build a “community.”

I want to give a more harsh reminder: Mozilla is not a privacy company; they are an investment firm that originally made a web browser. It’s a factory with thousands of employees folks! The community Mozilla fosters doesn’t involve end users (and honestly could do without entering a Mercurial server).

Ordering Mozilla to make Firefox a focus of the company again is the equivalent of ordering Microsoft to make Windows the focus of the company again. The reason I dislike Mozilla, but still use Firefox is until Mozilla makes some of their “anti-features” unchangable, there’s no reason to leave. We’re stuck with our current situation.

“But there are forks!” I hear some of you cry. The problem with many Firefox forks is they are poorly maintained, slow to deliver updates, or introduce problems in addition to the aforementioned problems of Firefox. This also goes without saying you need to trust your fork to keep up with all of these changes and they may not share the same sentiment to Mozilla as you. Many of them, if not all of them, are best avoided or replaced with browser extensions.

The road to configuring Firefox is pretty technical and requires frequent maintenance and if that isn’t for you, there are a few pre-configured options that work great. This is also your excuse to click off the video and use these instead.

• Mullvad Browser (for Windows, Mac, Linux)
• IronFox (for Android; on Accrescent and F-Droid)

The Arkenfox user.js

Now that the disclaimers are out of the way, how do we properly configure Firefox? The first step is understanding how Firefox’s administrative policies work. Firefox stores all of your settings in your Firefox profile, which is a folder that stores various settings to Firefox, your bookmarks, and data about the websites you visit. Where your profile is stored depends on what operating system you use, but it can also be found if you navigate to about:profiles and navigate to your current active profile. Finally, navigate to the “root directory” then click “Open Directory”.

Next, Firefox’s settings are stored in prefs.js, but you can’t and shouldn’t change this file at all, because Firefox is constantly touching it. Instead, we are going write a basic JavaScript file called a user.js containing all of the desired changes that we want.

While there are many Firefox configuration files, the most popular and consolidated user.js is the Arkenfox user.js. In addition to the normal Firefox user.js, you can write your own user-overrides.js to override Arkenfox’s configuration. That’s right, it’s an override of an override of your Firefox configuration!

No More Firefox Forks

The benefit of using the Arkenfox user.js is you get your Firefox configured the way you want off of the security-hardened Firefox base, then the user.js forcibly overrides any settings in Firefox, including incoming settings from undesired Mozilla features.

This is why most Firefox forks are obsolete because you are taking the initiative to fix Mozilla problems when they won’t. The major reason is you don’t have to trust any developers beyond Arkenfox, where many other Firefox-based browsers take their work from. in fact, many other Firefox clones use the same work done by Arkenfox, but often do not keep up with its updates.

The other thing for people who have watched my content previously is Mozilla has made many backend changes to the way data is cleaned in Firefox and Arkenfox has also taken previous feedback to heart and reenabled many features people expect. It’s so good that I never change anything, but I still included some preferential options for people who prefer to use Firefox a different way.

Downloading Arkenfox

The first thing to do visit the Arkenfox user.js GitHub and downloading the zip file containing the entire repository. Next, extract these files into the profile folder. After, you must run the scripts like prefsCleaner.bat (Windows) or prefsCleaner.sh (Mac/Linux).

To get your profile path in Firefox, navigate to about:profiles in the URL bar, then there will be a full list of your profiles. Navigate to your desired profile under “Root Directory” and “Open Directory.”

You can also open the terminal on your operating system and navigate to the path of your Firefox profile, which is cd <your profile path>

• Windows: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>
• Mac: ~/Library/Application Support/Firefox/Profiles/<profile>
• Linux: ~/.mozilla/firefox/profiles/<profile>
• Linux (Flatpak): ~/.var/app/org.mozilla.firefox/.mozilla/firefox/profiles/<profile>

Your user-overrides.js

So this is where I present to you my own user-overrides.js. I’ve included notes about what each option does as well as the corresponding action. Each command is enclosed in user_pref("...", "<value>");

There are three types of commands:

• Boolean (true/false)
• Number (a numeric value)
• String (anything, typically a URL)

Whatever is inside matches the corresponding option in your Firefox about:config. If you want to enable a specific feature, remove the // in the user-overrides.js from the desired tweak.

My user-overrides.js

My user-overrides.js can be found on my GitLab.

Common Options/Problems

With all of these changes being made, there’s bound to be troubleshooting. Now before you run away to another browser, you can always spin up about another Firefox profile and make different changes, so repeat the above steps for each Firefox profile you have.

Homepage

// 0=blank, 1=home, 2=last visited page, 3=resume previous session
// user_pref("browser.startup.page", 1);
//user_pref("browser.sessionstore.privacy_level", 0);
// change about:blank to any website (e.g. trafotin.com)
// user_pref("browser.startup.homepage", "https://trafotin.com");

By default, Arkenfox fully disables a homepage and new tab page. This is because Mozilla continues to include annoyances within the new tab page. Additionally, Arkenfox disables the internal service that saves your session when you close Firefox.

I added settings to re-enable these, but you can no longer change them in the menu and you must do so in your user-overrides.js.

Where’d My Browsing Data Go?

  // user_pref("browser.privatebrowsing.autostart", false);
//user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false); // 2811 FF128-135
//user_pref("privacy.clearOnShutdown_v2.browsingHistoryAndDownloads", false); // 2812 FF136+

// optional to match when you use settings>Cookies and Site Data>Clear Data
  // user_pref("privacy.clearSiteData.historyFormDataAndDownloads", false); // 2820 FF128-135
  // user_pref("privacy.clearSiteData.browsingHistoryAndDownloads", false); // 2821 FF136+

// optional to match when you use Ctrl-Shift-Del (settings>History>Custom Settings>Clear History)
  // user_pref("privacy.clearHistory.historyFormDataAndDownloads", false); // 2830 FF128-135
  // user_pref("privacy.clearHistory.browsingHistoryAndDownloads", false); // 2831 FF136+

Related to browser session restore, Firefox has very robust data auto-deletion, which recently got an overhaul. This includes anything like cookies, browsing data, cache, everything.

Arkenfox includes this special recipe for those who want session restore or more control over the Firefox auto-deletion settings.

Unless you need session restore, it’s advised to not touch these and instead learn how to allow websites to store data.

1. Visit the desired website you login, usually a login page.
2. Press Ctrl + i (⌘ + i on Mac) to open that website’s settings. You can also click on the padlock, “Connection (not) secure”, then “More information.”
3. Navigate to permissions, then the box “Set cookies,” “Allow.”

This way, you can save logins and site data without touching your Arkenfox configuration, while still deleting all that pesky browser data.

Before you complain, this is much harder to do in Chromium-based browsers.

To RFP or No RFP?

If you’ve been using Arkenfox’s user.js before today, there’s one big configuration to cover–Firefox’s fingerprinting resistance or RFP (Resist FingerPrinting).

user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.resistFingerprinting.letterboxing", true);
user_pref("webgl.disabled", true);
user_pref("privacy.spoof_english", 2);

In previous iterations of Arkenfox, this was enabled by default, but now it is disabled. The reason is if you need such an extreme level of protection, we already have Mullvad Browser for that, which still is the closest way to get to being the Tor Browser without being the Tor Browser.

If you have previously watched my other video about Firefox, I strongly recommend updating and removing any changes related to RFP.

New Tab

user_pref("browser.newtabpage.enabled", true);

Arkenfox disables the new tab page, as it is a common vector for Mozilla to deploy experiments and unwanted links on you. I have encountered some folks in the wild who prefer this, so you can reenable it, but be warned you might need to deal with some Mozilla stuff you might not have signed up for.

Search Engine Suggestions

user_pref("browser.search.suggest.enabled", true);
user_pref("browser.urlbar.suggest.searches", true);

Some people still prefer to have their URL bar be their search engine. Setting these options brings the predictive search back.

Disk Caching

user_pref("browser.cache.disk.enable", true);

By default, Arkenfox disables disk caching, which can improve performance. I have never enabled this because I could not notice a speed difference, but I included it for the performance freaks.

Running & Updating

When you are done with your user-overrides.js, it’s time to put it into practice by installing it.

First, close Firefox and you will be modifying all the configurations in bulk using the terminal. Arkenfox can change over 5000 settings of totally random things in Firefox.

Using the terminal in your <profile> folder, run the scripts in order by typing ./ then the script. You can also drag/drop files into your terminal to run them:

1. prefsCleaner.sh: Follow the on-screen instructions by typing the number (1 to start), followed by a Enter.
2. updater.sh: This will make a backup of your previous Firefox configuration (not your user-overrides.js), update your user.js, tweak it with your user-overrides.js, then you should be good to go.

Post-Install

Arkenfox disables all telemetry out of the box and while Pocket is a web-based service, capturing the network traffic shows Pocket never attempts to phone home, except when you interact with it of course. Any other changes are purely cosmetic or preference.

• Google is still the default as there is no about:config settings for it. You may change it to be whatever you want.
• You may also customize your tab bar or vertical tabs as these are independent of Arkenfox.

Updating

You must also return to this folder and run these scripts when Firefox or Arkenfox receives a new release. Make a shortcut on your desktop (or somewhere else) to this folder so you can come back and run the scripts.

If you use multiple Firefox profiles, this process will need to be repeated on all of your profiles. I use a shell script to execute all of the scripts in sequence.

The best way to track updates is to subscribe to the Arkenfox GitHub RSS feed. This is because Mozilla doesn’t have a RSS feed for stable Firefox updates, only the Nightly (Alpha) releases. Instead, you must subscribe to their email newsletter.

To subscribe to Arkenfox’s RSS feed, add the following to your RSS feed reader.

https://github.com/arkenfox/user.js/releases.atom

Video Credits

• CNBC Video: Mozilla Foundation president talk AI integration on Firefox and Google’s antitrust ruling

Track Listing

• KK - Sunday-afternoon (日曜の午後)
• crepe (くれっぷ) - Fairy Lullaby (妖精の子守歌)
• KK - Lazy Club Activities (だらだら部活動)
• yuhei komatsu - COLOR
• KK - Ordinary Landscape (いつもの風景)
• yuhei komatsu - Holiday
• Nakagawa Koutarou (幸太郎中川) - Shiunin Sora’s Theme (紫雲院素良のテーマ) from Yu-Gi-Oh! ARC-V (遊☆戯☆王 ＡＲＣ－Ⅴ )
• Outro: Khaim - Neon Lamp

It’s sad to hear that Charles Gagnon (charlesg99) isn’t going to be working on it anymore after people whined and complained about a donation button. I have never once experienced a bug in Dash to Panel and it’s a testament that Charles and the other contributors have kept up this quality for years.

The only way open source projects will get better is if they beg for money and make the effort worth the contributors’ time. So put that donation button back in. This isn’t a charity.

Generative AI has been a big part of tech over the past 2 years, everything from the latest AI nonsense OpenAI has cooked up to new competition from DeepSeek’s R1. Let me make a different proposal to what you might here from a lot of more traditional tech users–we need all the AI. And I mean all the AI. I’m not talking about stuff like Claude or Perplexity, it’s all about local models. Here’s why you need to have local AI models that serve your needs and some examples you can use it to augment the work that you do.

The AI That Respects You Is Open

Generative AI can be a powerful tool, but there’s more to consider than just capability. For years, companies like Google and Facebook now utilize their own versions of generative AI, but they also leverage their platforms to further advantage themselves.

A big problem with a lot of generative AI tools is many of them are developed in secret and we have very little knowledge of what kind of information they were trained on beyond “publicly available information.”

Tweet from vx-underground: Kadrey v. Meta shows Facebook has been using pirated books to train their AI models.

What’s more is as AI because more prevalent, people begin to expose their most sensitive selves when they may not have intended. Many of the major players of generative AI either have a vested interest in selling personal information (Google, Facebook, Microsoft, etc) or parlay other surveillance giants/governments (ChatGPT, Claude, DeepSeek, etc).

What’s more, large language models like ChatGPT and Perplexity are only available in the cloud and have significant environmental impact (swept under the rug of course). While AI companies are quick to release research papers about their AI, reviewing sources of said papers reveals that these papers are often pushed out with inaccurate sources and references to boost their credibility and bypass academic peer review.

Owning Offline AI

That being said, I’m going to be up front and admit I’m not a moralist nor an accelerationist. The cat has been out of the bag and at this point as many of these tools are freely available, you should use them where you think they will work.

There’s a cultural problem endemic to tech enthusiasts: either you are an accelerationist who relies so much on AI and fail to admit its shortcomings or the doomer who will shout from high heavens at every mistake and copyright violation.

Read Ethan Zuckerman’s article: “Two warring visions of AI”

Owning your AI is the solution to this problem. Even if someone from your government threatens to ban the app, open source will find a way. Even if your model is censored by its makers, open source will find a way. Any law banning/regulating AI only punishes the law abiding citizens and the nefarious netizens will continue to develop in secret. It’s too late to put the genie back in the bottle, so you might as well make the best of the situation.

When you use offline AI, it’s just you and the AI. There’s total privacy as it all happens on your device. You can give the AI greater access to your data because you’re operating in 1 system. The best part is integrations with stuff that’s already on your operating system–you can write scripts and find ways to bring it into the work you do every day.

The Weakness of Offline AI

Before we get started, there are some drawbacks. While models like DeepSeek have shaken the industry up, the cloud-based models are still better in terms of performance and quality of results. The tradeoff is you giving your data of course.

There’s always pushback from people online that AI is a bubble, generates garbage slop that ruins the internet, and is making people lazier. All of those things are true, but the inverse is true as well. AI is being used to propagate knowledge and provide new forms of accessibility.

Blanket statements for and against AI do not accomplish anything, but a real tangible problem AI has is a usecase for the individual outside of academia and the workplace. Want to get some code quickly written? Need to proofread a document? Want an answer to your math homework? AI has you covered, but otherwise, there’s no reason to use AI at all.

Steep Hardware Requirements

Before you get excited about offline large language models, you should be aware of the hardware required to run many of these models. I have a high-end NVIDIA card and running some AI is no problem, but it’s incredibly power intensive and largely favors NVIDIA hardware.

There’s also a major concern for storage requirements. While you can get some memory efficient models, they often don’t perform as well as their highly tokenized counterparts. DeepSeek may advertise itself as a offline ChatGPT, but what they don’t tell you is they require over 400 GB of storage to operate in addition to steep GPU requirements.

This is a Developing Story

The last thing to be aware of is AI is rapidly changing and advancements are being made all the time. Things you hear from me will likely be outdated within a year. And for those of you who are still skeptical, if you don’t support open source AI, you are allowing proprietary companies like OpenAI, Claude, and Perplexity to dominate conversation.

If you are interested my other thoughts about AI, I wrote about it last year. All this being said, if you want to support open source software, we need to welcome and use open source AI.

Ollama

Now we get into tooling and there’s plenty of options available for you, but the most popular is a program called Ollama, It pulls models from some of the big contributors to open source AI, and provides a nice command line front-end.

Now this is where the complications come in, because Ollama is installed differently depending on which operating system you use. On Windows/Mac, there’s tray icon support. On Linux, the key differences is you don’t get a tray icon. If you prefer a normal graphical Linux frontend, try Jeff Samuel’s (AKA Jeffser) Alpaca, which automates the installation through Flatpak and then you can pick and choose what models you want. Alpaca also makes it easy to manage previous chats and upload documents.

If you are using Linux (or Windows) and are interested in more work with Ollama from the command-line or with custom server commands, you can try running the official Docker container.

For example, I use the Ollama Docker image in a Distrobox with access to my NVIDIA card. Then I export the Ollama binary to my host system. Whether you are running Windows, Mac, or Linux, you will need to run the Ollama server on your device to make your AI chat work (even if you use Alpaca).

distrobox create -i ollama/ollama -n ollama --nvidia
distrobox enter ollama -- distrobox-export -b /usr/bin/ollama

If you choose the Docker container route, you will need to periodically update the container image. Because of Docker’s nature, it’s also prudent to subscribe to Ollama’s GitHub RSS to get update notifications. You can also configure a Podman Quadlet or systemd job to auto-update Ollama for you.

docker pull docker.io/ollama/ollama

From here, I can run the Ollama server,

ollama serve

Then in a new tab/window, launch the Ollama client.

# List available models
ollama list
# Install a new models
ollama pull gemma2
# Run a model, install if not available
ollama run deepseek-r1
# Remove a model
ollama rm llama3.2-vision

What Would I Use AI For??

This begs the question: I store video games and family photos on my computer; I have limited space on my computer. How can I make the best use of my storage and what AI models should I use?

I want to break this up into a few categories, then some blanket recommendations. Especially with the general purpose ones, this can be consolidated, so don’t go downloading all of them, just pick and choose what you are comfortable with.

• Real world answers: This is where you ask questions that you would normally ask a search engine. The benefit of this is you don’t involve a third party service and it’s all done on your device. Downside is you might need to fact check because AI is not perfect. These are the big AI models most associate with: Facebook’s Llama, Google’s Gemma, and DeepSeek.
• Image description: This is very useful for alt-text or those with visual impairments, but very prone to error, so be prepared to edit responses. The best as of writing is Facebook’s Llama with is special vision models.
• Mathematics: Models like Phi3.5+ and Qwen excel in solving advanced algebra and calculus when most general models fail. The best way to word your prompts is like word problems. An example is “Jack and Joe leave their homes at the same time and drive towards each other. Jack drives at 60 mph, while Joe drives at 30 mph. They pass each other in 10 minutes. How far apart were Jack and Joe when they started?”
• Coding: If you are a programmer or server maintainer, AI can save you the headache of trying to search forums and documentation. Results may vary, so don’t blindly ship the code, but test it. It’s also a great way to experience programming languages you don’t know or may otherwise never learn.
• Proofreading/Summarization: If you are having writer’s block or you need your work reviewed, feed your work to an AI and get it proofed. It can often correct grammar or introduce counterpoints to your arguments.

Video Credits

• #MadeByGoogle ‘24: Keynote
• DeepSeek’s X (Formerly Twitter)
• Introducing GPT-4o
• Meta Connect 2024
• More than a decade after a stroke, Randy Travis sings again, courtesy of AI - Lee Cowan et al.; CBS News
• Ollama’s blogpost for the Windows preview build
• Perplexity Is a Bullshit Machine - Dhruv Mehrotra and Tim Marchman; WIRED and animation by Jacqui VanLiew; Getty Images

Track Listing

• Minobe Yutaka (蓑部雄崇) - City (シティ) from Yu-Gi-Oh! 5Ds (遊☆戯☆王5D’s（ファイブディーズ）)
• gooset - Bittersweet
• The song for the capital of Assyria scroll is Minobe Yutaka (蓑部雄崇) - Break time! (休み時間)) from Yu-Gi-Oh! GX (遊☆戯☆王デュエル モンスターズＧＸ)
• zukisuzuki BGM - Manager
• Outro: Khaim - Neon Lamp

January is a slower week when it comes to tech news, but I go away for a week and there’s drama in “the Linux community.” This week is going to be something different from the usual for me–I’m going to dissect the news. One thing that always grinds the gears of “Linux users” online is anything involving the Linux Foundation.

I’m going to break down a recent story of the Linux Foundation, because there’s always a ton of negative sentiment from random people online and I want to properly evaluate it and see if the concern or ideas for change are valid and why the Linux Foundation makes the decisions they do.

Linux Foundation Announces the Launch of Supporters of Chromium-Based Browsers

A couple days ago, the Linux Foundation, who are the stewards of various projects in the open source world, made the announcement of the Supporters of Chromium-Based Browsers initiative. The initiative promises to raise funding and development support for other projects that use Chromium.

There’s quite a bit to unpack here, but I think it’s important when we read about issues like these, we don’t let our opinions be shaped by what a journalist or content creator said online, we want to look at the source material and come to our own conclusions like educated adults. Online communities of “Linux people” who are generally not involved in these projects reacted very negatively, but I want to break this down.

Reading the Rulings

Let’s dive into the Google anti-trust ruling. Here in the United States, Google has been under a lot of pressure from regulators and now is officially a convicted monopoly. The question is what is the remediation to rectify their damage? Enter United States of America et al., v. Google, which breaks down the final judgment the court made in November 2024.

The remedy must prevent Google from frustrating or circumventing the Court’s Final Judgment by manipulating the development and deployment of new technologies like query-based AI solutions that provide the most likely long-term path for a new generation of search competitors, who will depend on the absence of anticompetitive constraints to evolve into full-fledged competitors and competitive threats

EXECUTIVE SUMMARY OF PLAINTIFFS’ PROPOSED FINAL JUDGMENT United States v. Google LLC (page 5), November 2024.

Key to the arguments of the federal government cite the Microsoft anti-trust cases (everywhere where Microsoft is in parens) and the solutions devised by the federal government is Google must divest their ownership in Google Chrome and Android.

Google’s ownership and control of Chrome and Android—key methods for the distribution of search engines to consumers—poses a significant challenge to effectuate a remedy that aims to “unfetter [these] market[s] from anticompetitive conduct” and “ensure that there remain no practices likely to result in monopolization in the future.

EXECUTIVE SUMMARY OF PLAINTIFFS’ PROPOSED FINAL JUDGMENT United States v. Google LLC (page 3), November 2024.

The Current State of Chromium

Whether this will come to pass is another thing entirely and commentators say that the incoming Trump presidency will need to see it through or not. Regardless, the threat of Google not being able to own an open source project might also come bundled with clauses that prevent the company and its developers from working on it anymore.

Chromium is used by so many projects everything from all the browsers based on it, Electron-based applications like VS Code and Discord, the Chromium Embedded Framework (CEF) that’s in many applications (Steam, OBS, etc) and video game launchers (League of Legends, Warframe, etc). The short of it: Chromium is popular and lots of projects use it.

This is a bit of a worst-case scenario, but that’s the reality and in its current state, Chromium could not survive in a post-Google world. Google knows this too. By their own disclosure, Google represents 94% of all contributions to Chromium.

By getting the Linux Foundation involved Google and the open source world benefit because it means there’s more non-Google voices helping develop Chromium and this scenario where the world is stuck with an undeveloped Chromium never comes.

The Role of the Linux Foundation

Despite the name, the Linux Foundation is not just about Linux, nor should they feel obligated to give anything out of the interest of its members. Google happens to be a paying member of the Linux Foundation and while they have not donated the Chromium trademark, having a framework like the Supporters of Chromium-Based Browsers is great for future proofing the project.

Read this blog post about the Linux Foundation’s mission statement.

This also brings up the mission and goals of the Linux Foundation. A lot of people online would have you believe the goal of the Linux Foundation is to raise money for the Linux desktop, but this isn’t true when we consider two major parts: mission statement and financial responsibility.

The Linux Foundation, as a non-profit 501(c)(6) lists in their bylaws:

The purposes of this corporation are to support, promote, protect and standardize Linux and other open source software and technologies.

The Linux Foundation Bylaws (Updated March 2024)

So as a non-profit, the Linux Foundation is serving its mission statement by protecting open source software like Chromium? I see nothing wrong here, sounds in-line with the mission statement.

Chromium is open source software, a reasonable argument could be made it’s a standard given how many projects use it, and the fund would protect Chromium in the event Google couldn’t develop it and give it neutral governance.

What’s the alternative?

Now imagine with me someone online says “How come you don’t give to the Mozilla Foundation? It’s only fair Mozilla gets some love as the dying web browser!” As much as I would like that, first let’s consider the Mozilla Foundation is also a non-profit organization and makes a good portion of income from the Mozilla royalties and expenses on software development of “fundamental technologies like web browsing and email.”

• The Linux Foundation’s previous filings
• The Mozilla Foundations previous filings

If you are curious about the difference between a 501(c)(3) and a 501(c)(6), the simplified version is the Linux Foundation is allowed to lobby for politics, the Mozilla Foundation is not.

While $18M is not a lot of their income, it’s significant enough that a tax regulator would have a second glance if the Linux Foundation were giving money to the Mozilla Foundation. Non-profits swapping money this way or through a fund could get negative attention of tax regulators and causes both the Linux and Mozilla Foundations to lose their non-profit status in a worst case scenario.

Non-profits are supposed to be spending their money, not giving it away. They can’t give money to the GNOME Foundation and the KDE e.V. for the same reasons. The Linux Foundation, when they spend money on a cause, they can’t do it when it would replace work in the organization they are giving money, because that organization needs to reciprocate and do the same.

There are also exceptions to this rule that I am not familiar enough with: things like scholarships or grant writing. There have also been cases where intermediate foundations do work for both parties. People are also needed to manage the funds appropriately, so it’s a lot of work.

Contrary to this, Chromium has no foundation support and the developers as well as Google have previously expressed they have no interest in opening a foundation for Chromium. Since there’s no foundation, the initiative is also open to other interested browser makers like Opera and Microsoft, not just Google. It’s not just these companies either because the fund is open to other Chromium interest groups/projects and can increase non-Google voices in Chromium. So what better to invest in an initiative like the Linux Foundation to support Chromium as the standard it has become?

Everyone is sure quiet…

This of course brings up yet another argument from the “critics” of the Linux Foundation that claim Google is only doing this to look good. My rebuttal is Google is being awfully quiet about this if they intended this to look good. If Google wanted regulators to notice this, they would typically publish it on “The Keyword,” their blog.

For example, Google used “The Keyword” to dispute a ruling from the UK’s Competition and Markets Authority (CMA). In this way, the Linux Foundation differed, because they used their equivalent newsroom to make their announcement, but no notification via social media.

Similarly, if we look on Google’s X (formerly Twitter) account, news of the Supporters for Chromium Browsers Initiative are non-existent. If this is about Google trying to posture themselves as anything but a monopoly, kind of weird they aren’t talking about it.

This Was Never About Desktop Linux

The reality is what these “critics” just can’t stand the darling desktop Linux users just don’t matter compared to the server and embedded device Linux users by many orders of magnitude. The natural distrust of companies plays a big role in this, but this is an example of what desktop Linux users shouldn’t be.

If desktop Linux users constantly beg the Linux Foundation to give to the Linux Foundation, yet criticize the Linux Foundation for using their spending and resources appropriately, I wouldn’t be giving money to them. More over, the Foundation can’t give money because of the complications of non-profit tax law in the United States (or overseas in the case of KDE e.V.).

I’m going to close with the wise words of a friend of the channel, who actually works for the Linux Foundation,

They’re going to tell you the same thing as everyone else. “Show me the money…” Make a better product.

Jorge Castro, CNCF | October 2024

Maybe when desktop Linux is actually a widely used, then there will be funding put in place for the open source desktop. Until then, keep on dreaming, start donating, and stop spreading these nonsense conspiracies.

Video Credits

• Open Source Summit 2024： A Hub of Innovation and Collaboration
• Trump, a populist president, is flanked by tech billionaires at his inauguration, Ali Swenson, Associated Press
• Google I/O 2024
• Watch Sundar Pichai, Google, and the AI Boom - Emily Chang et al, Bloomberg
• Google CEO Sundar Pichai questioned on tracking of users’ locations, CBS News (2018 hearing)
• WIRED25: Google CEO Sundar Pichai on Doing Business in China, Working with the Military, and More
• Bill Gates vs United States - Deposition
• Trump: DeepSeek’s cheap AI should be ‘wakeup call’ for US tech, Reuters
• Panel Discussion：Why a Universal Definition of ‘Open Source AI’ is Essential for Humanity
• Keynote： Linus Torvalds, Creator of Linux & Git, in Conversation with Dirk Hohndel
• Alphabet CEO Sundar Pichai on layoffs: Important to create capacity from within to invest for future

Track Listing

• IchinoseSound - Summer Peach
• Noru (のる) - Let’s Go For a Walk (今日はお散歩日和。)
• Sharou (しゃろう) - 10°C
• Kurippu (くれっぷ) - Skip of the Beginning (始まりのスキップ)
• Ann Paris - Timeless
• Outro: Khaim - Neon Lamp

A while back, I was tasked to help a friend of mine setup his new gaming PC. Since he’s mostly a single player gamer and has a burning hatred for Windows 11, it got me thinking. I don’t think anyone has tried to gather everything they could about Steam on Linux. I wanted to take a revisit the fundamentals and focus on the fast lane to get you caught up with using Steam on Linux. A lot has happened over the last couple years and what does it take to get started with gaming of Linux?

A Gamer’s Sacrifice

An important thing to know about Linux gameing is there are some games you can’t play, whether using Linux in the traditional computing sense or a Linux handheld like the Steam Deck or the Lenovo Legion Go S. I’m proud to report if the majority of games you play are single-player games, you will have little to no issues playing them on Linux. Likewise, if you are considering emulating games or playing retro games, most of the same programs like RetroArch, Dolphin, or PSX are available and functionally similar to their Windows versions.

The majority of competitive games won’t support Linux. This includes games like Call of Duty, Rainbow Six Siege, or Fortnite won’t work at all. There have also been games like Apex Legends and League of Legends that used to work on Linux, but don’t anymore. The reason is these games require you to install kernel level anti-cheat into your computer to make sure you aren’t cheating.

Meme Compilation

• Nicki Minaj skin is Distracting - Modern Warfare II from @fadedjokeh on YouTube
• [Severe profanity warning] The Ubisoft 2019 E3 Rainbow Six Siege streamer match, where the rapper Lil Yachty teamkilled someone
• We Like Fortnite from @StrikeRoom on YouTube (reupload)
• Destiny 2 pledges to ban all Steam Deck and Linux users in the name of cheating

This isn’t to say all multiplayer games don’t work on Linux. In particular, certain games like the Halo: Master Chief Collection support running on Linux using a weakened version of Easy Anti-Cheat and Fall Guys is the same way. The outlier is games like Warframe and Overwatch 2, which employ their own brand of anti-cheat or Marvel: Rivals, who pledge to allow Linux gamers to play. Your millege may vary, but if you are ever in doubt, an important site to remember is Are We Anti-Cheat Yet, which documents the status of games with anti-cheat and if they work on Linux or not.

Related: Riot Games breaks their silence on Linux as a platform: Linux is not allowed. They further spit in everyone’s face by releasing empty source code for the Vanguard anti-cheat as a April Fools’ joke.

Linux Locks Your Future Game Choices

What’s more is some AAA games with intrusive DRM for Linux can cause issues for you. The best examples of this are the EA and Ubisoft games, both of which deploy various types of copy-protection, virtual machine detection, and obfuscation layers to slow down pirates from cracking the game on day 1. This has also resulted in issues like some of the mid-2010s Assassin’s Creed games from working on Linux. That or clients like uPlay or Origin not working for random reasons.

Related: (Former) scene cracker Voksi describes why Ubisoft uses multiple layers of DRM on their games.

Now while the DRM and anti-cheat issues may not mean much to you now, this still affects future games with invasive DRM or rootkit anti-cheat features. It’s important to remember that when you are using Linux, you are locking yourself into playing only games that don’t struggle with these issues, short of using Windows. It’s important that you know this going in so you know whether or not installing Linux is best choice for you.

There are also plenty of resources that document issues or potential hiccups. ProtonDB documents the work that many other Steam gamers on Linux have done to get games to work or if games are working or not. Before buying/playing a game, visit ProtonDB to prep for any particular issues. It’s really also a buyers’ guide if you have no interest in troubleshooting issues.

Quick Procedure to See If Your Game Works

Recent titles require some time in the oven for the Linux community to work on them, but the majority don’t need extra attention.

1. Visit ProtonDB to see if the game works.
2. Visit Are We Anti-Cheat Yet to see if the anti-cheat works.
3. Evaluate if the game developer will break Linux support at a future date. If they do, is it on purpose or by accident?

Getting Started

So disclaimers out of the way, you’ve decided to make the plunge at installing Linux; the first thing that we have to get into is installing Linux itself. I won’t get too much into the weeds here, but the distribution you pick is incredibly important. I’m going to save you the trouble right now and tell you whatever you were told online, on Reddit, another YouTube video–throw it out the window. There’s a lot of old advice online, including from me.

As of writing this, the best gaming Linux distribution, if you need to ask, is Bazzite. You don’t have to think about updates or using the terminal. You just care about your games and keeping your games working.

Not only that, if you use one of the Windows-based gaming handhelds, there’s a high likelihood that Bazzite will outperform Windows and integrate better with the hardware. While most steps can be replicated across most flavors of Linux, there are many pitfalls with libraries games depend on, especially legacy libraries needed by Windows to play games or need to be kept up to date to match what’s Steam or games expect.

Related: The Verge’s Sean Hollister’s review of Bazzite on the ASUS ROG Ally X

GNOME or KDE?

Looking up Bazzite online makes it easy to think it’s only for the handheld gaming devices, but Bazzite has a desktop mode similar to SteamOS or you could opt for something completely different.

The 2 environments are KDE and GNOME. I recommend starting with KDE; KDE is what’s used in the Steam Deck after all, but occasionally it suffers from some bugs like copy/paste stops working randomly. GNOME is personally a better experience for me, but it doesn’t handle monitor scaling as well as KDE does.

Just try out both of them and Bazzite’s install page provides an easy command to switch between the 2 via 1 terminal command and reboot.

Steam

Bazzite comes with Steam preinstalled and various under the hood utilities to get things like your controllers to work better or optimizing performance as a whole. There’s optimization for hybrid GPUs usage for laptop users.

After logging into Steam, the first thing that you need to do is open the Steam settings → Compatibility → Enable Steam compatibility for all games.

The reason is Steam will only give you access to “Steam Deck verified” games out of the box. By changing this compatibility setting, you change this so Steam attempts to run all games in your library using the Proton compatibility layer. Steam will prompt you to restart, then start installing and playing games!

Troubleshooting

Of course, you should always be prepared for stuff to go wrong. As a general disclaimer, your results may vary from others online and if you aren’t prepared to troubleshoot, your game may not work at all. As always, check ProtonDB and see what other people have done. If you are having problems, try some of the suggested solutions.

Variants of Proton/Wine

Often times, the version of Proton that Valve ships isn’t optimal in certain cases. Valve also provides an “experimental” version of Proton that is periodically updated with hotfixes for newer titles.

To change your Proton variant, right-click on your game, Properties → Compatibility → Force the use of a specific Steam Play compatibility tool and select your desired Proton version (e.g. Proton Experimental).

ProtonQt-Up

Additionally, there are other third party versions of Wine. The most popular is Proton-GE, GE being the creator Glorious Eggroll. Proton-GE is by far the most popular, but it does need to be manually updated every release. ProtonQt-Up is preinstalled on both SteamOS and Bazzite.

To update other custom Proton, you need to use ProtonUp-Qt. It’s basically a manager for installing custom Proton versions and supports all of the Linux game launchers including Steam.

To use ProtonUp-Qt, select the game launcher you want (ProtonUp-Qt automatically detects it). In this case, select Steam and select “Add Version.” From here, select the desired Wine fork (default is Proton-GE) and install it when prompted.

Unfortunately, it does need to manually updated. If you are having a problem launching a game, open ProtonUp-Qt again and update your Wine fork to the latest version.

Launch Options

In the case of troubleshooting, Steam games all have launch options if you right-click on your game and visit Properties → General → Launch Options.

Here you enter in witchcraft variables you find on ProtonDB that worked for other people. There’s a few things to look out for and it’s how each of them is broken down.

Below is a sample command; don’t use it with every game, but it’s helpful to know the difference between each one.

Special note for GNOME users and have issues right-clicking, visit Steam → Settings → Interface → Enable context menu focus compatibility mode

mangohud PROTON_NO_ESYNC=1 __GL_SHADER_DISK_CACHE=1 __GL_SHADER_DISK_CACHE_SKIP_CLEANUP=1 DXVK_HUD=compiler PROTON_ENABLE_NVAPI=1 PROTON_HIDE_NVIDIA_GPU=0 %command% --launcher-skip

Overlay Programs

Every command always starts with overlay programs, which run on your Linux system and do specific things. In this sample command, mangohud is MangoHUD, a program that lets you track performance in an overlay. Another popular one is gamescope, a program called Gamescope that can fix how windows are drawn within games.

While Bazzite includes these, you will need to make sure your system is up to date, otherwise these overlays don’t work or prevent games from launching. If you have no interest in such tools, you need to remove these from your launch arguments.

Environment Variables

Everything with an = are environment variables. These tweak Wine to do things.

Esync

With PROTON_NO_ESYNC=1, Proton is normally configured to make games that are CPU-bound to use Esync, which forces the game to be multi-threaded, even if it isn’t on Windows, which can increase performance. Some games don’t handle this well or older CPUs are incompatible, so it needs to be disabled in these cases.

Fossilize & Shader Caching

Other environment variables like the __GL_SHADER_DISK_CACHE... are needed to control shader caching. On both Windows and Linux, Steam and games on Steam need to load shaders for you to see things in a 3D environment. On Linux, Steam uses Fossilize, which runs when you launch a game with a popup telling you shaders are being processed.

The flag DXVK_HUD shows on-screen when shaders are being compiled by Fossilize or in the background by DirectX/Windows.

NVIDIA

If you have an NVIDIA graphics card, you’l learn quickly that NVIDIA is the boogeyman of stuff not working on Linux and doesn’t support the Steam Deck Big Picture Mode interface.

More over, there are environment variables for games like Batman: Arkham Knight and the Witcher 2 to unlock the NVIDIA specific features in games. Most of the time, it’s the variables PROTON_ENABLE_NVAPI=1 PROTON_HIDE_NVIDIA_GPU=0, which allows Wine to directly interact with your NVIDIA GPU.

Launch Arguments

Finally are the old school Windows arguments. These are always following the word %command% and the --yourargrument. It’s also great if you need to bypass game launchers or intro screens.

Popular commands include -novid in Valve’s games to skip the logo crawl and --no-launcher in games like Balder’s Gate 3. Most launch arguments usually follow a wording similar to this.

Now You Know

Lastly, you are not limited to Steam when it comes to games, but it is where the vast majority of games are. There are launchers that can run games on other platforms like Epic, GOG, Battle.net, and retro games.

Track Listing

• KK - Ordinary Landscape (いつもの風景)
• yuhei komatsu - Scattered Sakura (桜が散る時)
• crepe (くれっぷ) - Fairy Gift (妖精の贈り歌)
• crepe (くれっぷ) - End of Summer (夏の終わりに)
• Yu-Gi-Oh! Duel Monsters GX Spirit Summoner (遊戯王デュエルモンスターズＧＸ ＳＰＩＲＩＴ ＳＵＭＭＯＮＥＲ) - Deck Construction Music
• Outro: Khaim - Neon Lamp

Today, I wanted to dive into specific applications, but more importantly, not video games. I won’t be talking about failures as much because while a lot of work has gone into making video games working on Linux, not much has been/or can be done about non-gaming applications in Wine. Everything from Microsoft’s ClickToRun installers to applications opening to black screens is just an indicator there isn’t much Wine can do except grovel for support.

It’s not a total loss, because some of the right applications can work with the correct tweaks. Today, I’m going to be using the program Bottles to run Windows applications and highlighting what it takes to get KakaoTalk working in Bottles

Installing KakaoTalk

For those who haven’t heard of KakaoTalk, KakaoTalk is a instant messenging platform and it’s incredibly popular in Korea. Now, don’t go using expecting any kind of privacy, it’s not private by any means, but in many ways, it’s the WeChat of Korea.

The reason I’m starting with KakaoTalk is installing KakaoTalk in Bottles is pretty easy, but it does have some quirks to it. So how do we get it to work in Bottles?

Installing KakaoTalk in Bottles

First, download the Windows installer from the KakaoTalk website. Then in Bottles, create a new Bottle and select “Application.” Mono will need to installed when prompted.

With the ellipsis (the 3 dots), click “Browse Files,” and this will open a virtual Windows C:\ drive. Copy/paste the KakaoTalk installer into this folder.

Copy the path to the folder. This is a location we will need to use to install things and create shortcuts.

• Click “Add Shortcut” and paste the path you copied into your file manager’s search bar. Select the KakaoTalk installer, then click the play button in the new shortcut.
• Proceed through the KakaoTalk installer as you would on Windows.
• A new shortcut will need to be made for KakaoTalk, linking to C:\Program Files (x86)\)\Kakao\KakaoTalk\KakaoTalk.exe. From here, you can make this a desktop icon or add it to your Bottles library.

Font Oddities

Since KakaoTalk is a Korean application, it’s imperative to have fonts with support for Korean Hangul. In order for a font to support this, it needs to be a CJK font–a font that supports Chinese, Japanese, and Korean. Bottles has an extra package to install some pre-baked CJK fonts aptly named cjkfonts.

Afterwards, to make this change, you go into the settings of the KakaoTalk app in the top-right corner, then change the font in the menu…, then restarting KakaoTalk when prompted.

There’s also a weird instance where Bottles pulls from your system fonts. As a content creator, I have a lot of fonts that I’ve used for one reason or another. Unfortunately, all of them get jammed into the poor little KakaoTalk menu and I can’t figure out which of them are the preinstalled cjkfonts or not. I’m pretty sure it’s Source Sans Han.

The Bottles Installer’s Double Standard

Now all of this is pretty easy to execute, but it’s not so easy to implement in an installer. While Bottles allows you to build custom installers, in my testing anyway, there’s a bit of double standard of backups of programs you import versus running as an installer. In the past, I’ve written installers for Lutris and Bottles follows a similar format, but how do you write a Bottles installer?

First, let’s dig into the Bottles documentation. Installers in Bottles are designed to bypass all of the steps we just did to install KakaoTalk. The other reason I picked KakaoTalk is installing and using it requires little interaction from users and largely works in Wine, so it’s a prime example for a good installer. The only dependency it requires is cjkfonts and some minor tweaks to an .ini file.

Check out the installers writing guide from the Bottles documentation.

You could do this of course, but what’s actually going on underneath the hood? KakaoTalk stores all of its settings in a *.ini file. Let’s say I were to make a KakaoTalk installer, all I need to do is install KakaoTalk using the link from their website, then create a minimal .ini file that can be populated using the KakaoTalk installer.

The installer needs to be written as a YAML file and it’s the same format of the other files that the other built-in installers and backup files use.

1. Metadata for the installer: name, description, Wine rating, and Windows architecture. I copied my information from the KakaoTalk Wine AppDB listing.
2. Dependencies: These are built-in requirements in Windows to run KakaoTalk. Internally, this list can be viewed in Bottles → Your Bottle → Dependencies with brief descriptions about each package. It does require a basic understanding of how Windows app development works.
3. Info about the Windows binary: This includes the name, a user-specified icon for Bottles, the name of the executable, and the destination of the executable prior to running the installer.
4. The Steps: A series of scripting actions to run the installer or do specific things to complete the installation. In my KakaoTalk installer, I pulled KakaoTalk’s installer from their website, then created a prefs.ini, which KakaoTalk uses to configure fonts so Hangul support works without user interaction.

Writing the installer isn’t horribly difficult once you’ve figured out what the steps are. What’s more difficult is running the installer itself and this is likely why you don’t see many configurations for Bottles out there.

In Bottles, loading a configuration you have previously exported has a different standard than what is in the actual installer repo. This is on purpose to an extent because installers are vetted through the GitHub under the organization’s “programs” repo. To be fair to the developers, when you ship something in the default build of the program, it should be held to a higher standard than what people hack together themselves.

Background video: There’s more flavor with Vanilla OS - with Mirko Brombin and Luca Di Maio (C’è più gusto, con Vanilla OS - con Mirko Brombin e Luca Di Maio)

Improvements Are Coming Soon

As an overall installer improvement, my proposition is the backup should be able to pull Windows installers from the internet, just like what the built-in Bottles installers can. It would be a big improvement to the developer experience and it wouldn’t require forking the repo to test the installer if there was a framework that allowed users to run installers that could download installers from the internet.

As a project, Bottles’ development has slowed down a lot, but their developers been gearing up some major changes with Bottles Next, a rewrite of the Bottles user interface and backend logic to better serve its developers. I won’t get into the specifics, but since Bottles has gotten some pretty significant sponsorships, this is now their top priority and essential to the wellbeing/future of the project.

It’s clear that Bottles believes they can take development to the next level. Right now, it’s a matter of navigating the installation process and taking it slow. With the right application or game you want to play, you can probably accomplish it. The experience leaves a bit to be desired, but that’s why they’re rewriting it and can’t wait until that day comes.

GitHub

I submitted a pull request to Bottles recently.

Track Listing

• Sarah Kang ft. Won Jang - Summer Cold
• J. Louis - Can’t You See
• Private Press - DEEEEEEP from Cyberpunk 2077
• gooset - Shizuku (雫)
• Outro: Khaim - Neon Lamp

For the last 6 months, I’ve used Universal Blue, a series of Fedora images with a strong user-facing focus. On the surface, Universal Blue is no different from your standard Linux distribution. Instead, Universal Blue is about the future of desktop Linux and a glimpse of how it could be better.

But more than a year ago (and recently), I chatted with Jorge Castro, one of the lead developers, and I have never seen something from any other project in a long time that offers a lot of promise. A lot has happened between now and then, so has it been any different from using a different Linux distribution?

Picking an Image

The first thing to know is Universal Blue isn’t so much a distro as different variants of Fedora’s Atomic Desktops. you do is pick which Universal Blue spin you want. I am using Bluefin, the GNOME experience. There’s also Aurora, the KDE experience, and Bazzite, the gaming version with both GNOME and KDE with the Steam Big Picture mode. For the more technical users, you can build your own using BlueBuild.

Essentially, you pick the version you like the best and it provides you a custom experience. Bluefin and Aurora are good for more desktop computer users and Bazzite is for the gaming crowd. I’ve used both Bluefin and Aurora as daily drivers, but haven’t tested Bazzite at all.

Universal Blue Images

• Bazzite (Gaming)
• Bluefin (GNOME)
• Aurora (KDE)
• Base images

Installation

After you’ve decided on which image you want, you can add support for specific hardware or setups. A ton is supported here.

• Desktops
• Framework laptops
• Microsoft Surface devices
• ASUS laptops
• NVIDIA installations

This is a huge deal because a lot of these modifications require custom kernels, installing third party drivers, or NVIDIA breaking your display manager. All of these are a pain to install and maintain on Linux and in an image, you don’t need to think about it.

After you’ve downloaded the ISO image, burned it to a USB drive, you can install your desired distribution. Installation is very similar to Fedora’s install, unless you install Bazzite, which is a different process, albeit similar and more glamorous.

When you first boot in, especially if you are a Secure Boot user, the very first thing to do is enter is the preset password for mokutil, which signs your system with secure boot. Unlike many other Linux distros, all uBlue images come with Secure Boot support enabled out of the box.

To enable Secure Boot, using the arrow keys, select “Continue boot”, Enter, then enter in the password universalblue when prompted. Periodically, Universal Blue rotates keys via updates.

What’s So Different?

Bluefin includes a ton out of the box. For starters, a lot of management software not included in GNOME is included out of the box and some GNOME extensions make Bluefin similar to Ubuntu. The thing about Bluefin is it’s fairly unremarkable as a desktop. Under the hood, it’s how things are handled differently.

Atomic: The Same, But Different

Since Bluefin and Universal Blue are part of the Fedora Atomic desktop family, things that people know are different, but most of the same actions are backwards compatible.

For one, your Linux system files cannot be changed. Instead, your system is updated with the new system being queued up as independent systems and brought up the next time you reboot.

Related video: Red Hat’s Adam Šamalik gives a brief rundown of Fedora Silverblue, the parental base of Universal Blue.

This is a big bugaboo for neckbeard Linux users online, but what’s more interesting is modification is possible using existing frameworks in Linux, despite discourse online. This idea stems from a combination of obscure documentation and how Linux allows users to override developer-configurable pieces of their system.

Here’s a rudimentary example: while you can’t configure your /usr/ directly, you can configure your application in /etc/. Importantly, systemd uses /etc/systemd/system and you can use systemctl edit to edit systemd services and jobs.

Another obscure example is what isn’t said in the documentation. I use DaVinci Resolve as my video editor of choice and in theory with an Atomic Desktop, I shouldn’t be able to edit my system files. However, some third party applications like DaVinci Resolve are installed in the /opt/ folder and Fedora Atomic lets you install within /opt/ and it persists beyond reboots.

Reboots are also way for you to recover from a bad update or disaster. If you don’t like an update, force your computer off or run a quick version recovery to get everything in your system back before an update was installed.

A criticism I and many developers have levied on “stable” Linux distributions is stable isn’t even safer. Using this kind of rollback on reboot is the way you keep a rolling package base and the peace of mind knowing you will always have a system one reboot away.

Related video: Richard Brown’s talk “Regular Releases are Wrong, Roll for your life”.

Installing Packages

If Fedora Atomic or Universal Blue is different, how do you install things? Like with system configuration, there’s many avenues to install the things that you need.

• For Flatpaks, you get Warehouse , which allows you to graphically interact with Flatpak data, install Flatpaks, and take snapshots of specific application versions.
• BoxBuddy is a graphical way of interacting with Distrobox. Distrobox is how you can install any program from any Linux distribution, provided it doesn’t require a horrible amount of system access. BoxBuddy provides a graphical way to update and also install programs within containers.
• For GNOME Extensions, Matthew Jakeman’s Extension Manager lets you install GNOME Extensions without a browser extension and toggle existing extensions.
• AppImages are also a portable method to install specific software that you need, albeit being messier to update and increased application size.

Related video: Luca Di Maio (AKA 89luca89)’s talk “Developing on Aeon with Distrobox”

But what if you don’t (or can’t) use any of these? Something to remember is Fedora Atomic still gives you an avenue to revert back to old school Linux packaging, but you will need to reboot in order to get these applications to appear.

For example, if I needed to install a .rpm file, like VeraCrypt.

rpm-ostree install veracrypt.rpm

If you previously installed something, it can also be removed.

rpm-ostree remove htop

Putting all of every method from configuring systemd and layering rpm packages, we can install Mullvad’s app as an example.

First, let’s add the repo, then install Mullvad. Afterwards, reboot as the new Mullvad package is queued for the next update.

curl https://repository.mullvad.net/rpm/stable/mullvad.repo | sudo tee /etc/yum.repos.d/mullvad.repo
rpm-ostree install mullvad-vpn

Next, we enable the relevant systemd service files.

sudo systemctl enable mullvad-early-boot-blocking.service
sudo systemctl enable mullvad-daemon

A lot of people get annoyed by this, but if you are annoyed by this, why in the world are you installing things so frequently? There’s probably something more productive you could be doing, even if that’s just sitting down to watch a movie.

Additional customization is available in ujust for some specialty applications. For example, DaVinci Resolve inside a Distrobox container, Ollama, and tweaking various settings.

Installing Updates

Here’s one of the best parts about installing updates on Universal Blue. You don’t have to do anything. What’s more is updates are queued and staged automatically.

Normally, on Fedora Silverblue or other Atomic Desktops, you’d need to run a rebase command periodically during Fedora’s annual releases. Additionally, there’s no GUI way of updating, not until systemd supports it.

Something that makes me laugh is Linux users pride themselves on updating. It’s equally frustrating with companies like Apple and Windows, still make it difficult to move to newer versions of Windows or macOS without manual intervention. I’m proud to say that Bluefin updated me to Fedora 41 and I didn’t even know. That’s how it’s done!

The Customization Conundrum

With all of these options, this sounds really great, so now’s the time for the “but.” What if you don’t like something that’s part of the Universal Blue image you installed? What if you try to remove something from the base image? You can, but there’s a catch.

Good Luck Building an Image

The way Universal Blue’s (or Fedora Atomic) images work is this and I cannot stress enough how much Universal Blue has put into the way this works. I’m going to break it down in an ultra-simplified way.

• You put one of the base Universal Blue images, which are a completely barebones installation of Fedora Silverblue or Kinoite, but with all of the hardware support that people want (e.g. NVIDIA). This base image is missing some specific things like VL42 Loopback patches for OBS or specific libraries for applications that are not installed (e.g. libxcrypt).
• You edit a file that basically records all of the changes you are doing. For example, if you don’t want to include GNOME Text Editor, you can run a command when the image is built to remove it.
• Finally, you build your constructed image on your Git server like GitHub, GitLab, or a homelab).
• You configure your server to build the image daily (or however long you need updates).

The reality is desktop Linux development is a niche and being able to remove an application is just as important as installing one and it needs to be done in a way that requires zero interaction with git voodoo magic I still cannot learn to this day.

The fact of the matter is it is objectively easier to enter in one terminal command to remove something rather than attempting to construct your own operating system flavor.

You Removed What?

This is the biggest problem in my mind with not just Universal Blue, but Fedora Atomic as a whole. In other Linux systems, you can just plum remove something if you don’t like it. Removing something you don’t like in Fedora Atomic requires way too much commitment. If you think I’m quick to blame Universal Blue, this problem transcends the project.

For example, some of the hardware enablement is unnecessary for many users. As someone who uses Bluefin on bare metal, I doubt I need the VirtualBox, VMware, HyperV, and KVM tools installed. Similarly, why should I have AMD kernel patches? What if I don’t use VS Code, but want to use Virt-Manager and don’t develop code?

Similarly, removing preinstalled applications is not recommended, because it results in a higher amount of memory being used than it would removing.

This is why there are so many people who complain on the forums and online that Bluefin has too much preinstalled. In fact, I attempted to run the base Universal Blue images and sample Aurora as well. The process is very smooth, as smooth as moving to GNOME to KDE can be anyway. Rebasing the image works great at keeping your system clean.

To rebase on another Fedora Silverblue or Universal Blue image. It’s one quick command away:

For example, if I wanted to rebase on Aurora:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/aurora:stable

I can also rebase to the base images.

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/silverblue-nvidia:latest

Using the base images leaves a lot to be desired because a lot of the software support Universal Blue installs is unavailable. VL42 loopback for cameras and some libraries are missing. The solution isn’t easy and won’t be anytime soon. It’s an all or nothing situation unless somebody is willing to help build images.

We Need Legacy Methods (For a Bit Longer)

What’s more is project leaders like Adrian Vovk are now stoking the fire of dropping support for all forms of Linux package distribution that isn’t a universal package like a container. To be fair, people like Adrian are actively working in these spaces and deserve every right to make such decisions.

Related video: Adrian’s talk “Carbon OS [sic] + homed” from All Systems Go! 2023

The problem isn’t moving in this direction; it’s inevitable for the Linux desktop to move in this direction and come closer to people who use Linux on the server. The problem is companies who make commercial software for Linux will not be able keep up. It’s taken years for Zoom to support Wayland and programs like TeamViewer are still slow to adopt Wayland support.

For sure there will be growing pains, but when it comes to massively popular commercial software. Mullvad needs to be installed as a native .rpm to make the most out of its built-in killswitch. VeraCrypt is best installed as a .rpm as it needs to be able to mount and format new devices (although applications like Fedora’s Media Writer and GNOME Circle’s Impression disprove this) and would need to be rewritten to accommodate modern standards.

Related: bootc, a framework for seamless Linux system updates and championed by Universal Blue’s contributors, has been adopted by the Linux Foundation. Here’s an announcement video from Red Hat’s Colin Walters.

The Future is Approaching Fast

Despite the criticism of not being able to remove packages, the difficulties of building/maintaining your own image, and some minor learning curve of being slightly different than what most Linux users know, I believe the current system Universal Blue uses is a good combination of staying true to the ideals of the creators. It offers a fantastic stable base and it’s a solid experience.

It’s so solid, it’s now my go-to recommendation for everyone using Linux, provided you can deal with some limitations with specific types of software. I will be working with my own friends and family across the holiday season and beyond to move over in the future.

Right now, the only people who shouldn’t be using Universal Blue are:

• People who live in low storage systems like Chromebooks or netbooks, but it’s something that may not be too far off in the future if atomic systems are changed to accomodate limited space.
• People who want to use snaps. Snaps could be made available in theory, but it’s not an ideal experience as Fedora does not package AppArmor and therefore does not sandbox snaps properly. Right now, Ubuntu and Arch Linux are the best options.
• People with software that isn’t well adapted to the filesystem changes Fedora Atomic does compared to traditional Fedora.

Track Listing

• Streambeats by Harris Heller - Falling Up
• SCENE - Move (Instrumental Version)
• のる (Noru) - Yubiwa
• t12ya - trailing note
• Outro: Khaim - Neon Lamp

Recently, I got to sit down with Jorge Castro, one of the project leads of Universal Blue, its Linux spins Bazzite, Bluefin and Aurora, and its mission to make Linux easier to use for everyone.

Learn More About Universal Blue

• Universal Blue
• Bazzite (Gaming)
• Bluefin (GNOME)
• Aurora (KDE)
• Universal Blue Discourse

Follow Jorge

Jorge has previously worked with Canonical and VMware. Today, he works with the Cloud Native Computing Foundation (CNCF) managing developer/executive relationships and stewarding projects like Kubernetes and deploying servers at scale.

• Mastodon (Hachyderm.io)
• Bluesky
• YouTube

Referenced

• My original question post to Universal Blue’s tinkerer’s guide. Also available via the original GitHub discussion
• Fedora 41’s Release Announcement by Matthew Miller
• Kyle Gospodnetich is the creator of Bazzite and a maintainer of Microsoft’s Linux projects.
• The CNCF’s webpage listing all active members.
• The vague ostree/rpm-ostree documentation page that debunks the inaccurate claims of customization of immutable/cloud native images.
• Gardiner, as in the YouTuber Gardiner Bryant.
• Digital Foundry’s video on Bazzite
• Jorge was stuck in the back of a British bus with Richard Brown, former chairman of openSUSE’s Board and the lead behind openSUSE Aeon (formerly MicroOS).
• Proton Mail Bridge has shipped stale QT libraries for a long time.
• Proton VPN’s plans on taking over the Proton VPN Flatpak (Onion Link)
• Proton VPN has less than 4 people working on their Linux app (Onion Link).
• How snaps are sandboxed and its permission variants. Richard Brown has previously mentioned that snap sandboxing is broken on openSUSE because AppArmor still has not patched Canonical’s customizations (see this video at 7:29). One of the other distros that supports proper snap sandboxing is Arch Linux.
• Popey refers to Alan Pope, the original advocate for snaps.
• Inkscape’s heated discussion to convince upstream to takeover the Flatpak
• Jorge’s discussion on the Universal Blue Discourse about the struggle of convincing Chromium to adopt sandboxing more friendly to Flatpaks
• Add Water, a GUI installer and maintainance program for Rafael Mardojai’s Firefox GNOME Theme
• The Arkenfox user.js and its lead Thorin Oakenpants. One of Oakenpants’ many discussions about the effectiveness of Firefox Containers and Total Cookie Protection.
• Christian Hergert is a maintainer for GNOME Builder and the author of the terminal Ptyxis (called Terminal on Universal Blue). Ptyxis recently became the default terminal of Fedora Workstation.
• Marco Ceppi is one of Canonical’s engineers.
• Ken VanDine is an engineering manager at Canonical for Ubuntu Desktop and the creator of Ubuntu Core Desktop. If there’s a desktop snap package, he probably maintains it.
• Adrian Vovk’s blog post about GNOME OS. Adrian has been part of GNOME’s team for years and the creator of carbonOS.
• szydell’s import of System76’s drivers to Fedora’s Copr.
• Alpaca, a GTK frontend for the ollama, which itself is an interface for llama.cpp.
• Apple’s mediocre sales of iPhones prior to announcing Apple Intelligence.
• The Windows package managers Winget and Chocolatey
• Rufus and its ability to bypass Windows To-Go and Windows 11 requirements.
• Cassidy James Blaede is a partner manager at the Endless OS Foundation. He was previously a UX designer at System76 and a co-founder of elementary OS.
• Timothée Ravier is one of Red Hat’s engineers and a big contributor to KDE, Fedora Atomic Desktops, Fedora CoreOS, and Flatpaks.
• Jorge mentioned Matt from the Linux Cast’s (YouTube and Odysee) video about organizing his dotfiles (YouTube and Odysee) and his upcoming review of Bluefin (YouTube and Odysee)

Errata

• Ultramarine does not have any image based ISOs.
• I misspoke and said the .io domain belonged to Mauritania. It actually belongs to Mauritius.

Track Listing

• Intro: Khaim - Maybe
• Outro: Khaim - Neon Lamp

Bonus Content:

Patrons and YouTube Members get access to the preshow/setup and Jorge showing off his decades of Linux and cloud computing merch.

Donate

I’ve been thinking about some of the ways that you can fix open source. Maybe a bit bigger than you. As your favorite arm chair developer whose only IDE is Neovim, let me tell you my proposal to improve open source work culture, introduce new avenues of communication, and why developers of free applications need to start begging people for money.

Related: The miscommunication and fumbles of the Wayland frog protocols.

The Two Way Street

The first thing is something we can start doing immediately, it’s users need to start recognizing developers. It’s something that’s really easy t o do and it’s get to know the people who make the applications that you use. It doesn’t require a lot of effort and you might learn how some of the projects or programs you use more organizationally.

Video: Hong Jen Yee’s (AKA PCMan) presentation on LXQT from Debconf 18, “LXDE & LXQt - The Classic Desktop Environments After 12 Years”

Stop Othering Developers

The thing that gets overlooked way too often is the names of developers. It’s really easy to say “_____ developer(s)” rather than the names of the people who have worked hard to contribute to the project. It’s a reminder that the blog posts you read and the issues you read about are written by people.

One of my peeves is when people talk about GNOME developers. Don’t get me wrong, I think there’s a lot of problems with GNOME’s development culture, but the net of people within GNOME is too wide. Are we talking about Georges Stavracas, a big contributor to Portals, OBS, and GNOME Calendar? What about Florian Müllner, a major contributor to GNOME’s extension framework or the display manager Mutter?

• Georges’ video about GTK switching from OpenGL to Vulkan (Portuguese with auto-translated subtitles)
• Carlos Garnacho, Florian Müllner, and Georges Stavracas present GNOME Shell’s work at GUADEC 2024

It’s fine to criticize a project in healthy ways, but it’s time to stop referring to work or blog posts by “_____ developers.” With names, you’ll learn real fast that the majority of projects are run by a minority of people actually engaging with the project online or representing a project.

Just because a GitLab or GitHub shows a ton of contributors, a reminder that this is historical contributors. With a lot of individual applications, typically only a few people are actively contributing to it. If you going to criticize a decision, please only discuss it with the people whom said decision concerns.

Communications Means Contributing:

Now that I’ve ragged on users, it’s the developers’ turn. Communication with users and developers is important. Often times, it feels like when you read a lot of developer blogs, they are more focused towards the developers and they are the creators.

Let’s rag on GNOME again. GNOME runs a blog called This Week in GNOME and it’s a great way to catch up on work done by various developers within GNOME’s community. It’s also nice-looking, got great formatting, and completely uniform with the whole libadwaita feel. That’s the good, the bad is when you consider the content of the blog.

For example, from last week’s post about libadwaita updates:

libadwaita got another new widget - AdwWrapBox - similar to GtkBox, but wrapping children when they can’t fit onto the same line. This can be useful for e.g. displaying tag pills

Alice Mikhaylenko, This Week in GNOME #169 Wrapped Boxes

There’s nothing inherently wrong with the content; if anything, it’s useful to know as a (GNOME/GTK) developer. The problem is none of this is change that users would be interested in knowing. Who is the target audience of this blog? Is it developers to show off their work? Visiting the “about” page redirects you to their GitLab README, which is just a bunch of submission rules and the illusion falls apart.

Now I appreciate it because tag pills are pretty neat, but there needs to be clear means and it needs to be through an official channel. As much as I like Nate Graham’s blog and Niccolò Venerandi, it’s frankly strange that KDE developers don’t contribute “promotional” content related to their work.

Oh wait, they have YouTube and Peertube.

• Akademy 2020 - Nate Graham - Visions of the Future
• Daily driving Plasma Mobile and what’s still lacking

This is what’s really important and this is something that’s a lot more tangible to quantify—it’s time to start marrying developer and user stories. If This Week in GNOME is supposed to be the developer announcements and the prominent KDE developers are user-focused stories, there needs to be a clear cut explanation of how the developer changes positively impact the user experience.

Recent news: Fedora’s Council Meeting on the most recent survey and use cases of AI

It shouldn’t be surprising that the users of a free operating system overpower its developers. It’s a tough job, but it probably makes a great story. It just needs to be these organizations telling these stories and putting this content in front of new users, not insiders.

Devs Need To Be YouTubers

Here’s the tough part: asking for money. We can’t just tell empty stories, because there needs to be a call to action. Of course, a story can be used to get more coding work or developers involved, but there needs to be a way in for the people who don’t know how or never worked in it professionally.

Here’s the thing, it’s also a great moment to make developer talks higher quality and more forward facing. Every year, you get great conferences from places like FOSDEM or All Systems Go!

Distantly related: Lennart Pottering’s talk on systemd and TPM

Here’s a great idea, organize some of the developers to do a Jitsi call (we don’t do Zoom around here, they are frauds). You’re going to sit down, livestream every other week, maybe every week. It doesn’t even have to be that long, even just 20 minutes. You chat about the cool new things happening in your project and answer questions in chat. You can be open about it, tell jokes, it’ll be a great time!

All of this might sound weird, but the way you get publicity especially in the eyes of normal people, is to act like a content creator. You can’t just a dev, you also need to be cognizant of your social media presence and speak with the authority of a YouTuber. It gets attention, but more importantly, exposes you to what people think and can draw people to your project by engaging with them,

Great example (though it goes into the unofficial side), Alecaddd’s videos on developing for Mozilla Thunderbird, including Thunderbird’s journey to get rid of technical debt and modernize the code.

FOSS Should Become Donationware

All of this would also help solve the chicken and egg problem of how to fund developers or foundations. You now have work that people know you for and you have a way to engage with said people, therefore, you’ve achieved the peak goal of any content creator: begging for money.

At any moment, open source projects need to start begging their users for money. Of course, you can’t make it too annoying, but you have to guilt trip them. Don’t think of like microtransactions in a mobile game! Think of it more like the banner that appears at the top of the Wayback Machine or Wikipedia.

And that’s the real rub here. Developing software for free, distributing it to people for free, and reproducing it for free is not sustainable. It should be something like a monthly reminder telling you donate. Now I’m not saying there should be a way to toggle it on or off since this is open source software and you should be allowed to do what you want to it.

The content creator angle also helps because it directs people to support the people who make a project that they enjoy a lot. it’s also finding a good way to distribute money to people who do specific work and a reminder to people who build the tools people use every day.

This is not a definitive way to raise money or improve publicity, because there’s always something that needs to be changed, but take this as some suggestions to how we can change the way we, as users, see developers as people who create things. There’s a reason open source is deprived of talent and has no financial model and a good way to change it how developers advertise their products to the public, which in turn generates developmental and financial contribution.

Track Listing

• Streambeats by Harris Heller - Unwind & Recharge
• The saxophone cacophony at 0:25 is Kenji Mori - Alto Form I
• Shimtone - Orbit
• Hitomi Satō (佐藤仁美) - Route 216 (２１６ばんどうろ) from Pokémon Diamond, Pearl, and Platinum
• Shimtone - Heartwarming (ほのぼの)
• Outro: Khaim - Neon Lamp

This is what got me thinking: what are the biggest problems with Linux updates right now? I’m not going to focus on formats or with Ubuntu in particular, because this problem transcends different formats and distributions. All of this is a call for better tooling and programs to make the process of updating easier for everyone, not just those unfamiliar with Linux.

The GUI Lies…

Let me tell you the tale of updating Ubuntu. Ubuntu has a few methods out of the box of updating their distribution. The first and most common one is Ubuntu’s Update Manager, which is capable of updating your Ubuntu packages and between different versions of Ubuntu.

The big benefit of Ubuntu’s Update Manager is it provides a GUI way to manage Ubuntu’s auto-updating and provides a very visible notification prompting users to update.

The problem here isn’t so much what Update Manager does, but rather what it doesn’t do. Inside Linux, there are multiple package formats, so for our purposes, we’ll briefly touch on distribution packages and universal packages like snaps and Flatpaks.

• Distribution packages are the traditional Linux packages and are typically updated on a package manager exclusive to a distribution. Common examples include Ubuntu’s apt, but also Fedora’s DNF, openSUSE’s zypper, and Arch Linux’s pacman.
• Universal packages are distribution agnostic (most of the time). These are snaps, Flatpaks, and AppImages; each of them are different universal package formats that work largely the same across multiple distributions.

There is a major difference with universal packages on Ubuntu and it’s universal packages like Flatpaks are not treated the same as snap packages. If you update through Ubuntu through the Update Manager, your apt and snap packages will be updated, but your Flatpaks won’t.

Ubuntu could easily integrate this, but they haven’t. If you want to update through the GUI, you’d have to use Discover or GNOME Software from the apt repos (not to be confused with the Snap Store) and make sure they have the appropriate packages to update your snaps and Flatpaks.

The “““Intended””” Way

This brings up matter that disappoints most Linux users is the way you’ve been installing your packages is probably wrong. Have you been using the streaming software OBS from your distribution’s repository? You’re doing it wrong because the OBS developers only test it in 2 ways on Linux. Have you tried using KeePassXC on Debian or Ubuntu? You’re doing it wrong because the maintainer went rogue and ignores the project’s wishes.

That might come off as very harsh, but most developers have uber-specific ways of using these applications. It’s really important that we use programs only through official channels because that’s what is tested and that’s the way we will have the least problems.

Returning to OBS, OBS has 2 official methods to install it, anybody know what they are? The answer is Flatpak and the Ubuntu PPA (not the one in the Ubuntu repos, a popular misconception).

• Nobara packages their own OBS, which caused this exchange on the OBS GitHub.
• Someone had problem with the snap of OBS and was turned away because it’s an unofficial package.

This is just scratching the surface; there are programs that provide lots of avenues to install their software. Firefox offers every method underneath the sun to use it: .deb, tar.gz, Flatpak, snap, they do everything. Other projects might not be so lucky because of limited resources. The email provider Tuta only provides an AppImage for example.

What makes this worse is this isn’t even the other programs that you use on your computer that aren’t snaps or Flatpaks. If your application doesn’t have a built in way to update and you aren’t using a snap or Flatpak, you’re out of luck and have to resort to visit the website and download an update manually.

One example is the Linux application firewall Open Snitch. Open Snitch is not available is any repository; instead, you must manually download the Debian or Red Hat package from their GitHub. What’s worse, the application has no mechanism to check for updates. Ironic for a network firewall that’s designed to protect you.

On a completely unrelated note, the creator of Open Snitch evilsocket, wrote about a security vulnerability in the Apple/Linux print server cups recently.

If you need something from another programming package manager, like Python’s pipx, npm, or Rust’s cargo, they all have their own independent repositories, with their own ways to update, and they aren’t tied to most GUI package managers.

Peeling Back the Layer

That’s why over the last couple years, I’ve become super jaded about where I get my packages. After becoming more conscientious of where I download my packages from and the chaos of all of these different package types, what can we do about it? The only thing that we can do is “favor” packages from their official sources first and foremost, especially if that package is a universal format like Flatpaks or snaps.

All you need to do is follow this procedure:

1. Visit the website of the program you want to install. Navigate to the “download” page, just like you would for Windows or Mac, but for Linux.
2. If there is a Flatpak or snap available, prioritize these packages above the others. The main reason is they are sandboxed and get first class updates.
3. If there is no Flatpak or snap available, turn to one of the other methods like the Debian and Red Hat packages. Other times might be when packages try to talk you out of it, like the Brave Browser. This can also include distribution-specific repositories too, so pay close attention.
4. Tarballs and source compilation are a last resort, often because they need to updated manually.

But what if you aren’t running the required distribution as one of the official packages? I use the Signal desktop app and Signal only has one way to use their application–their apt repo. As a Fedora user, I can’t install apt packages… or can I?

This is where Distrobox comes in. Distrobox allows you to install applications independent from the Linux distribution you use, simultaneously integrating it more than a program in a virtual machine. If you need to install a package in another distribution because it’s an official method or it’s better maintained, you can use a container instead.

In the case of Signal, I created an Ubuntu distrobox container and installed Signal inside. This way, I can have a minimal Ubuntu installation that has Signal and I can use Signal the way Signal’s developers intended!

Not Everyone Is a Admin

Except not really if you on KDE anyway. This did open up a can of worms because Docker and podman aren’t able to fully bridge specific actions. When I originally set up Signal, you get asked to verify your account with a captcha. Unfortunately, because Signal is trapped in a container, it can’t see Firefox on a KDE Plasma host system, so I had to develop a workaround.

1. In a Chromium-based browser, navigate to the webpage of Signal’s captcha delivery. If you need to use Firefox, you need enable the custom signalcaptcha URI scheme in the about:config. user_pref("network.protocol-handler.external.signalcaptcha". true);
2. Complete said captcha.
3. You will get a popup prompting you to open in Signal, close it, and copy the link from the button instead. It’s really long and starts with signalcaptcha://signal-hcaptcha....
4. In the container, run signal-desktop followed by the command. In this case, signal is the name of my Distrobox container. distrobox enter signal -- signal-desktop signalcaptcha://signal-hcaptcha....

If you are interested in how browser URI schemes, Mozilla has a quick reference page about this.

The solution isn’t perfect right now for some edge cases, including DaVinci Resolve identifying laptop GPUs or UTF-8 crashes with newsboat. If you need to download something for your development in a container, a container will receive its updates independently. If you are a Distrobox user or use BoxBuddy because you prefer a GUI, you need update containers in addition to your host system.

Related video: Ben Breard and Colin Walters talk this year from All Systems Go: “bootc: Generating an ecosystem around bootable OCI containers”

While Linux may seem daunting in this way, this issue is no different from Windows and Mac where there isn’t way to manage updating programs you have installed, especially since updates aren’t applied evenly either or even through Winget on Windows. It’s some extra steps, but Linux at least provide a way to make managing this possible, where it isn’t as accessible on proprietary operating systems.

The bottom line: your computer, no matter what operating system you use treats you like a developer or sysadmin. Updating software on computers is a massive pain, but until a better solution is posed, we need to evaluate packages based on how the developers want us to. One of the biggest problems of open source software is fragmentation, but a large part of this fragmentation is people making unnecessary versions of programs bearing the same name and deviating from a developer’s wishes in some way.

Track Listing:

• shimetone - citron (シトロン)
• yuhei komatsu - COLOR
• Kamaboko Sachiko (蒲鉾さちこ) - New Year’s Party (迎春の宴)
• call me joseph - still
• Outro: Khaim - Neon Lamp

Verifying downloads is something that should be ingrained into every computer user. Unfortunately, the process is very complicated and very few services make this easy for people. It’s intimidating to be told to use the terminal, especially if you are on Windows or Mac.

Paid Signatures

What’s more, why bother when a lot of the programs you use are probably verified already? Windows and macOS have a built-in mechanism to identify whether or not a program was created by the manufacturer that claimed to make it. If you use Snaps or Flatpaks on Linux, both implement a checkmark system to show the developer was verified by the Snapcraft and Flathub developers.

Signed applications are necessary to ensure the file wasn’t tampered with on the way from the developer to your computer. If you use a package manager like Winget, Homebrew, or the one in your Linux distribution, this process is also automatic. What’s more on Linux, the vast majority of packages on Linux are not verified. Even within the average distribution repository, most packages are not officially sanctioned by the original developers. This doesn’t mean a application is malware, but it can often introduce more problems.

The problem is signing systems like Apple’s notarization process or Microsoft certificates are costly for developers, requiring at least a couple hundred dollars up front just so the program you made won’t get blocked by the default antivirus.

• Apple’s crazy developer fees
• Microsoft’s explainer about certificates
• Microsoft’s list of code signing certificate providers

Unsigned applications don’t suggest they are malware, but it’s important to pay attention to where you got the program to begin with.

Bypassing Signature Checks on macOS

Like Microsoft, Apple has a robust verification system. Unlike Microsoft, Apple is more proactive at blocking unverified downloads. When you open an application for the first time, Apple will prompt you if you want to open the application.

If you need to open an unsigned application (e.g. LibreOffice, Alacritty, etc): navigate to /Applications and Ctrl + Click the application you want to open. Then select “Open.”

If you are on macOS Sequoia or higher, you will need to go to the Settings, “Privacy & Security” and manually allow an unsigned app.

Manual Verification

Naturally, people aren’t accustomed to verifying their downloads.

A couple years ago, Linux Mint was hacked and the ISO was modified to mine cryptocurrency off the unlucky souls who downloaded it. Thankfully, Mint’s team shut down the attack very quickly, but it goes to show how important it is to verify your downloads.

The attack was easily prevented if users verified their downloads. Unfortunately, verifying downloads is something that doesn’t get enough attention. The hacker of the Linux Mint, Peace, made the bold, but accurate claim:

Who the f**k checks those anyway?

Peace, to ZDNET’s Zack Whittaker February 21, 2016

We’re going to have to go and prove him wrong. It’s not going to be easy and maybe this is something that we need to start developing.

GPG Signatures

One of the most popular ways files are verified is PGP keys. Pretty Good Privacy (PGP) keys are often necessary for verifying other files using a central server for trust. Some projects also require verifying additional files.

PGP was originally only available to the government in the 1970s and PGP was developed to make file and text encryption more accessible to average people. Almost 40 years later, PGP is very unfriendly and is far too complicated to use. Encrypted messaging apps automate this message verifiability and security process, so they fill this void better. Despite its shortcomings, many open source projects and packaging utilities rely on PGP, because nobody has been able to break it.

PGP is typically handled with a command line application called GNU Privacy Guard (gnupg). There are various graphical front-ends:

• Windows: Gpg4win
• macOS: GPG Suite (Mail encryption is paid)
• Linux: Kleopatra

Of course, like most GNU applications, using gnupg or any of its frontends is not particularly straightforward.

Verifying GPG Signatures

I will be using the instructions for Kleopatra and Gpg4win. The instructions are similar for GPG Suite.

First, download the files you wish to verify. This will be your desired file and a signature file with the extension .sig or .asc.

Typically, these files are named something similar. If you download openSUSE Tumbleweed’s ISO and verify the checksums, the files we need here are the signature file openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc and file we want to verify openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.

Make note the folder where the files you downloaded are (e.g. Downloads).

1. In your GPG program, navigate to “Decrypt/Verify.”
2. Select the signature file first and the file that needs to be verified.
3. If you are told the certificate is unavailable, select “Search” to download the key from a known key server. Otherwise, skip to #6.
4. Once the key server has found the certificate, click on it and select “Import.”
5. Accept the next dialogue once the certificate was imported.
6. Repeat the process of “Decrypt/Verify” and select the files again.
7. Select “Show Audit Log.” If you see “Good signature from…,” the file has been verified as the authentic file.

Ignore any warnings that tell you the signature cannot be verified. This often confuses people who are trying to verify files when they aren’t trying to encrypt files themselves.

Since PGP keys aren’t designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.

PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.

Now you may think this is purely academic. It’s not. It can bite you in the ass.

What’s the matter with PGP? - Matthew D. Green, Johns Hopkins University

Command-Line

gnupg can also be used from a terminal to verify keys. As a GNU utility, it’s best utilized on Linux, macOS through Homebrew, or Windows Subsystem for Linux. It’s also preinstalled in many Linux distributions.

First, verify your file using the signature file first, then the downloaded file.

gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso.sha256

If the certificate is not yet added, we need import it into our GPG keyring. You will get presented with a dialogue similar to this:

gpg: Signature made Tue 06 Aug 2024 09:04:47 AM EDT
gpg:                using RSA key 35A2F86E29B700A4
gpg: Can't check signature: No public key

Next, import the certificate from a remote server. This is the blob of letters and numbers after the key type. In this example, openSUSE uses an RSA key and the key is 35A2F86E29B700A4.

gpg --recv-keys 35A2F86E29B700A4

You should get an output informing you if the signature was imported to your keyring. Rerun the gpg --verify command from earlier. If you see “Good signature from…,” the file has been verified as the authentic file.

Check Out Those Checksums!

Often times, software makers will provide checksums, which are verified using GPG keys. This ensures the files you downloaded aren’t tampered with or corrupt in some way.

Checksums are alphanumeric representations of files or data—every file has one. There are many different algorithms to check files and it’s different for every operating system. For example on Linux, there’s a nice GUI called Collision. There are also command-line options.

An alternative is uploading the file to VirusTotal, but this may be privacy invasive as VirusTotal will receive a copy of your file.

At any point if you need to navigate to a folder or type a file name, you can drag the folder or file into your terminal instead of typing it out.

Popular Algorithms

• SHA1
• SHA256
• SHA512
• MD5

GNU coreutils (Linux)

Linux has the most comprehensive and commonly used hash verification tools by the GNU Project. The commands also have a built-in checker to formatted checksums from a file.

sha256sum openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso

Running the command will give an output that looks like this:

3b55f6f88c0a64f0e4e2abe19e106c40578ef60a9d97b5be149736e83154b0ce  /var/home/user/bin/mullvad-browser/Browser/Downloads/openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso

If you have a .sha* file, you can verify the file with the -c command.

sha256sum -c openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso.sha256

If you were not provided a .sha* file, you can manually verify by opening the file in a text editor or word processor, then manually comparing the hashes.

macOS/BSD: shasum and md5

On Mac, the process is slightly different than Linux, because macOS still maintains BSD tooling. The GNU version from above can be downloaded from Homebrew if you prefer the Linux commands.

Apple briefly discusses SHA checksums in their developer documentation. MD5 is deprecated due to its insecurities.

Open Terminal (or an alternative like iTerm2) and enter the desired commands.

shasum

For SHA checksums, use the shasum command. Below is an example for SHA256 sums.

shasum -a 256 subscribe.pkg

The output will look like this:

baaeeedffc7ef4a4f65ec8015699a5c95db91d131d253f1eb2ebc469557344c2 subscribe.pkg

md5

For MD5 checksums, use the md5 command.

md5 likethevideo.dmg

The output is very different from the Linux version, but it’s functionally the same.

MD5(likethevideo.dmg)= 20665acd5f59a8e22275c78e1490dcc7

Windows

Windows has a PowerShell utility called Get-Filehash, which is a catch-all command for all signatures and algorithms.

Get-Filehash is always following by your file, then the algorithm you wish to use.

Get-FileHash C:\Users\user1\Downloads\Contoso8_1_ENT.iso -Algorithm SHA256

All common algorithms are supported by Windows like SHA and MD5.

Did It Work?

Regardless of operating system, if the file is verified, you should just get an “OK.” Now your file is ready to use!

Now that you know, verify your downloads every time. You’ll keep yourself safe from the nasty things out there. All we need to do is pray for better tooling.

Resources

• Riseup’s tutorial on GPG key management. The guide is outdated, but the format of commands and best practices are still true.
• The Code Book: The Secret History of Codes and Code-breaking by Simon Singh. If you want to read specifically about key exchange, PGP, and quantum computing, it’s chapter 6 and onward.
• Damon Garn’s blog post for Red Hat “An introduction to hashing and checksums in Linux”

Track Listing

• Takashi Waraya (稿屋 隆) - With watching the donkey (ロバでも眺めながら)
• Yu-Gi-Oh! Power of Chaos: Kaiba the Revenge - Card List
• えだまめ88 - chocomint (チョコミント)
• Outro: Khaim - Neon Lamp

A common selling point of Linux is hardware support, especially for computers with lower configurations or older computers. Today, I want to bring a different opinion today: Linux can absolutely extend the use of older hardware, but by no means will it save it. I have a few lower end and older computers: the HP Compaq 8000 and the ASUS E403NA. I want to use each computer as test cases and demonstrations, so the next time you attempt to “revive” a computer, you set your expectations appropriately.

(Lack of) Security Guarantees

The first thing to get out of the way is security updates. Whether you’re using a computer from 14 years ago or a computer from the current generation, it’s important to understand security updates. For example, a while back I reviewed the experience of using Linux on a 2017 MacBook Air and as the sun sets for macOS Monterey, Linux is a major step up than using macOS Monterey, which has pretty much hit its end of life and as Apple abandons Intel for their Apple Silicon. That’s a good reason to consider using Linux on an older machine.

That’s where we need to talk about the ugly truths with end of life hardware. While Apple makes it easier to gauge hardware releases and security updates, on Windows or Linux machines, this can be more difficult. For example, the HP Compaq first came out in 2009 and was made available only to business customers (it even has Intel’s Core certification). The final firmware update for the Compaq was shipped in 2013. Now one shady thing both HP and Apple do is they never tell you that you are running a device with firmware with zero security patches. Apple is even worse in this regard because there’s no indication macOS won’t get updates until they stop.

Your hardware needs to be updated frequently, especially when there are vulnerabilities against physical hardware. One example was earlier this year, QuarksLabs found a serious flaw in TPM 2.0, so if you use an older version of TPM (you should), you would have missed the numerous security updates related to TPM since then. Not just TPM, but attacks like LogoFAIL exist as well.

It’s important to remember that if you use computer for sensitive operations that require addition security, like banking for example, take extreme caution with using hardware that won’t get security updates. If your device is no longer receiving security updates, installing Linux can help as a “badness reduction” measure, but it won’t fix the fact that you no longer get any hardware updates. It reduces the harm from the operating system level, but it won’t solve some crippling hardware flaws.

Limitations

One of the major selling points of Linux is its low performance. There are some desktop environments or window managers on Linux that can run on incredibly low-end hardware. For example, I have the ASUS E403NA—a laptop with less than 4 GB of RAM and with one of the classic 2017 Intel Celeron. It’s really important to acknowledge that the weaker the computer, the more it will limit your options to do specific things. I have to run the Sway window manager, because running most desktop environments lead to really slow performance.

Okay, it’s not that bad. On the HP Compaq, GNOME performs generally pretty well. While loading times themselves are slow, GNOME is actually fairly capable on 4 GB of RAM, it’s just older hard drives. It’s also very capable at general web browsing and even watching videos.

Software Support

One of the major problems with the HP Compaq in modern day is its ability to play contemporary video games or run OpenGL programs. I couldn’t get multiple modern video games to run, because most games I tried spit out OpenGL or DirectX errors.

• The Grim Fandango Remastered encounters errors because it requires OpenGL version 3.3 or higher.
• The Core 2 Duo only supports up to OpenGL 2.1 as indicated if you run Minetest, which runs at an average of 20 FPS.
• Despite meeting every minimum requirement except the GPU, Rebel Galaxy fails to launch at all.
• ABZÛ and Cuphead won’t run because the Core 2 Duo doesn’t support DirectX 11.

Now I did get some games to run, the best was Oddworld: Abe’s Oddysee, which was still unsuccessful at playing any of the rendered videos, featuring the good ol’ 90s scan lines. Aside from this, the game seems to be completely playable despite its downsides.

To push the hardware a little more, I also tried running the original Psychonauts. While not encountering any initial installation issues. the game practically ran at the rate of a slideshow and was unplayable.

What all of this shows is older hardware cannot keep up with the pace of software. You can’get in on the latest AI craze. You can’t do proper programming because compiling programs takes literal hours. That doesn’t mean it’s incapable, but there are serious limitation with what you can or can’t do.

Legacy Cables

The other problem is legacy cables. If older computers like the HP Compaq, you are effectively forced into specific display cables. For example, I usually use a lot of HDMI cables. But with the HP Compaq, the only cables that are supported are VGA and DisplayPort cables.

Now, I just so happen to have a pair of VGA cables lying around after years and years of using them. But for older computers, especially when you start getting into the early 2000s, maybe the 90s, you might not exactly have a FireWire cable lying around for that PowerMac G3 of yours.

The “Community” Doesn’t Know or Care

My favorite part about aging hardware (and open source software in general) is a lot of people will tell you there’s a community out there that develops a whole manner of firmware in case you’re having trouble. Indeed, if it’s very common firmware like ThinkPads or Microsoft Surfaces, hardware that’s actively used, people will care a lot about it. But when it comes to end of life hardware, this so called “community” is very unsympathetic and will not help you because the companies that abandoned the software to begin with are very unsympathetic about it.

Last year, openSUSE, Fedora, and Ubuntu have all announced initiatives to advance the x86 compilation of their packages to the next level from v2 to v3. Unfortunately, there have been people who continue to outcry these deprecation initiatives, but openSUSE’s polls show very few people understand these architectural differences, including me by the way.

If these changes and how these developers responding is an indication of anything, it shows that developers like those at Fedora, Canonical, and SUSE all want to move faster and older hardware support hinders progress and eats up developer time. I can’t imagine a single developer who would volunteer to discuss these issues when they would rather spend it programming. 32-bit hardware was dropped on many distributions for the same reason. As much as I would like us to be able to use these computers in the future, there’s a real human cost to the people who have to keep the 32-bit or even the PowerPC and it can’t go on forever. Think about it: if you are using a computer which no longer gets security updates or manufacturer supports, obviously with extenuating circumstances (economy, social change, etc), there’s very few reasons to use hardware that won’t be supported. If you’re sick of hardware that won’t be supported, maybe it’s time to support hardware makers that give their products a long shelf life.

B… But the Environment…

My favorite excuse is “using an older machine will save the environment.” Or the classic " you can breathe new life into your old computer." I hate to be the bearer of bad news, but in the case of HP Compaq, I would argue that continued use of older computers isn’t just bad for the environment, it’s actively worse compared to other alternatives.

While the Compaq might be lacking in gaming capabilities, it’s still really good at word processing, general web browsing, or some basic office work in something like LibreOffice. The problem isn’t so much in what it can do, but rather, what other devices you might or could own can do. We live in a day and age where smart phones have become very integrated into society. If all you can do is run a web browser, you are better off using your phone, a device that doesn’t require nearly as much space or power.So many people in today’s day and age don’t own computers, it wouldn’t be crime to tell someone to just their phone. Most modern smart phones do some things worse like tinkering and gaming, but when it comes to doing what most people actually do.

Takeaways

Now considering you made it this far and you haven’t left an angry comment in the video, the important thing here is presenting guidelines that we can use to understand how we can use technology better. We need our devices to receive updates and when they aren’t it means it’s time to migrate to newer devices that will. Sure, Linux has options that can save older hardware, but the slow decline of software that will work and the limits set purely because of old hardware. Maintaining old hardware has a cost: it’s a cost for the developers who have to keep it functional, on you because parts might no longer be available, and the real environmental cost when modern products might be a better alternative.

At the end of the day, everyone’s situation is different and it’s all about what works for you. I’m not going to hunt you down because you still have Debian computers running on PowerPC. It’s about making smart decisions about how we can use these tools the best.

Track Listing

• Hitomi Satō (佐藤仁美) - Poffins (ポフィン) from Pokémon Diamond, Pearl, and Platinum
• Sumochi (すもち) - Toy-dance (おもちゃのダンス)
• zukisuzuki BGM - Culture
• TECHNOTRAIN - Blue Soda
• Outro: Khaim - Neon Lamp

Did you hear about that really bad Linux vulnerability? It’s the compression software liblzma or by the better shorthand xz and the code was backdoored. Now when most people hear backdoor, most of the time it’s just bozos on the internet abusing the term; this time, it’s not a drill. Also, remember how I said it was a Linux vulnerability? It’s actually much worse than that. If you are a BSD or use other Unix-like tools on macOS or Windows, this matters for you too. I’ll do a quick recap of the situation, but I’m not interested in telling you the news. Instead, let’s the discuss the impact this has on you, the end user, and what the open source community can learn from this situation and respond effectively.

What Happened?

Everybody compresses their files. It could be a .zip file or it could be done by your operating system or a website you visit so you don’t use as much bandwidth. Even watching videos on YouTube or Peertube are compressed videos. To compress things, programmers rely on compression algorithms, which bulk analyze files and remove information to save on space. If you extract a file, that space becomes filled up again. File compression plays an important role in saving you data and memory.

In the case of xz, a developer at Microsoft, Andres Freund, found that liblzma, the core compression library in many popular programs, was manipulated by the xz maintainer Jia Tan to steal security keys to login to servers. The vulnerability was only found after ssh, the protocol commonly used to login to remote computers, was taking merely milliseconds longer to connect. This attack is not normal for open source and speaks of a sophisticated actor with in-depth knowledge of the inner workings of xz and its potential weaknesses.

There’s more to this story, but I will be returning to pull details as they become relevant.

• Official response from lead maintainer Lasse Collin
• What we know about the xz Utils backdoor that almost infected the world
• An infographic created by Thomas Roccia

Am I Affected?

Now most journalists panicked and ran with this story, but let’s not downplay how bad this is. Unless you maintain a server that is connected to the public internet and even if you do, this is largely irrelevant to you. Most of the open source vendors responded promptly on Friday and stopped the backdoored library from getting very far. If you are a “normal” end user or you just run a home lab, you are probably safe from the xz disaster. If you do have a server, most servers run older libraries than the ultra newest libraries that had the backdoor. Even if your system had the most updated backdoored xz, you’d still need to have a distro that downloaded the releases page of the GitHub. That’s a lot of ifs and if you are a normal user, keep calm and download the latest update from your package manager.

• Alpine Linux: Backdoor found in xz package source
• Arch Linux
• Debian CVE-2024-3094 concerning a backdoor exploit in XZ Utils
• Fedora 40 and Rawhide: CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users
• Gentoo discussion
• Homebrew for macOS
• Kali Linux: All about the xz-utils backdoor
• openSUSE addresses supply chain attack against xz compression library
• Red Hat: CVE-2024-3094
• systemd changes libsystemd to block liblzma
• Ubuntu 24.04 Delay LTS Xz/liblzma security update

Technological, Social, and Cultural Issues

But even after you download your updates, we still have arguably a complicated and bigger problem remaining—what do we do if something like this happens again? What’s worse, what other vulnerabilities have been using the same tactics as the xz backdoor? What are developers doing to detect them? The unfortunate reality is this will not be the last time this happens. You bet after the attention over the last couple days that everyone has been watching this. There’s no clean solutions, but let’s take look at what’s been done and what’s being done.

The Technological Solution: Reproducible Builds

A technological solution we can turn to is reforming the build process. Extensive testing with the infected library showed that fake white spaces Unicode lookalikes were used to falsify commit history and making various obfuscated files to deliver the final blow. White spaces will require some extra code in testing tools and we’ve also seen programs like Google’s extension store adopt policies against using obfuscated code.

Something that many Linux distros have been striving for is reproducible builds. The backdoor relied on someone downloading the archives from the releases page, not the source code, so when developers like Freund comes along to troubleshoot, contributors can verify the source code matches the final product of libraries or binaries. For years, distros like Debian and NixOS have championed reproducible builds because it builds a great degree of trust between all parts of software delivery.

If you are willing to pitch in, Linux vendors could always use help in making sure their software is reproducible.

• Who is involved? — reproducible-builds.org
• Stretching out for trustworthy reproducible builds - creating bit by bit identical binaries - DebConf 2015

Intelligence agencies…

Mike Perry, “Reproducible Builds Moving Beyond Single Points of Failure for Software Distribution” 5:07

The Social Solution: Combating Project Leeching and Burnout

So we’ve addressed real name policies and things developers can do prevent these kind of vulnerabilities, but we need to talk about cultural reform. Open source has a big problem and it’s a human one. The lead maintainer of xz, Lasse Collin, has been doing so tirelessly for years. Unfortunately, it was only him working on xz for a long time. There were other contributors, but none of them did as much work by Collins, who was very open about his own mental health issues. Except if you see what prompted this response, which was two of the puppet accounts run by the perpetrators and almost like a heist movie, 3 days later, Jia Tan joins as a developer. There’s multiple layers to this, so let’s break this down.

Related: Evan Boeh’s breakdown of the exchanges of the puppet accounts

I think the most important thing here is some basic operational security. It’s tough to be a big target on the internet and being a developer falls into that camp. Everybody will get on your case and blame you for every tiny issue about and stuff that’s not even related to your software. But mention of Colin’s mental health issues was taken advantage of by people who intended to do ill. As a warning, do not tell the internet about your mental health, especially with the risk somebody will try to use it to exploit your overworked state of mind.

Related: Mr. Robot S1, E5

The Cultural Solution: Leadership and Vision

But on mental health, we also need to talk about the state of open source development and the consumerist culture in FOSS. Maintainers are accustomed to people visiting their repos to have people ask about new features or fix a bug or two. Unfortunately, some people are… not very nice to put it mildly. And it’s not just xz, but tons of other projects like the Android app store F-Droid deal with this as well as an attempted SQL backdoor.

In fact, this whole xz backdoor only started because of the sock puppet accounts started with really aggressive language to make Collin feel like he wasn’t doing enough.

The issue here is a communication one and there’s no easy fix, so let me provide two of my internet armchair opinions. Projects need to curb toxic behavior like this. Notice nobody stepped in to quash this kind of behavior against Collin. Open source projects aren’t the only things on the internet with these issues, but it’s high time to start addressing this. I’ll let you be the judge of how. People are the biggest weaknesses of hacking, not just the code.

No matter how big or small, your project should have a clear vision in mind from the get-go. For xz, these “complaints” could be easily quashed by simply declaring the project feature complete. There also needs to be a defined pipeline for users to give back to a project, either financially or through maintenance like fixing bugs or packaging. Getting there requires a vision that leads successful communities that can tackle complex problems: technological, social, or cultural. It needs to be a vision that inspires people to say “I want to be a part of that” and building relationships that make everyone better.

Relevant: Zack Weinberg’s Mastodon post on reform in FOSS

Closing

At risk of going too long, I think it’s better to close out with an ask: there’s three solutions for communities to consider, the matter here is picking the right one. This whole situation isn’t so much about the security as much as it is a wake up call for proper community development and solid technological policy to prevent incidents like the xz backdoor. You can read all the news you want about liblzma, but if we don’t evaluate our own practices, we’ll be doomed to repeat the same mistakes again.

Track Listing

• KK - Ordinary Landscape (いつもの風景)
• gooset - Bittersweet
• gooset - SUNNY
• Fukagawa - Green Harmony
• Song that plays over the Mr. Robot clip is 1.4_3-billharper.mp3
• Lukrembo - Store
• Outro: Khaim - Neon Lamp

A while back, I did a review of System76’s Darter Pro 9. Overall, I thought it was a pretty well-built machine with some minor flaws to critique. But what I didn’t mention was in August last year, I purchased System76 Adder Workstation 3. This massive thing is a gaming machine and shines as a mobile desktop PC.

My experience with the Adder is a similar experience to my unboxing of the Darter Pro and yes, they also gave me a Pop!_OS t-shirt in addition to the other merch inside. This is all nice and all, but living with this computer has me conflicted at the end. Overall, I think if you are able to accept that this is basically a portable desktop you can plant somewhere. It now handles all of my daily driving needs and I recommend it, only if you can stomach a few caveats. So let’s dive in.

I was not sponsored by System76 to make this review (will likely be more evident later). I paid for this computer with my own money.

My Configuration

The Adder is billed as a customizable gaming laptop. One of the major selling points to buy a System76 computer is the hardware is fully user upgradable and repairable. I chose pay extra for 32 GB of DDR5 RAM (default 16 GB), a 1 TB M.2 storage (default was 500 GB), and upgraded to a Nvidia RTX 4060 Max-Q (instead of the RTX 4050 Max-Q). It also comes with 13th Gen Intel Raptor Lake-S i9 Mobile with 8 performance cores and 16 efficiency cores. The new Adder Workstation 4 uses 14th Gen Intel CPUs instead, but will continue to use the Nvidia 40 series and other memory.

For ports, the Adder comes with 2 USB-C 3 ports, 1 Ethernet port, a Thunderbolt port, a HDMI port, a Kensington lock, a micro-SD card slot, a headphone jack, a microphone jack, 1 USB-A 3 port, and 1 USB-A 2 port. Overall, the vast majority of people will have enough ports to fit their needs, save for the glaring flaw of a USB 2 port. Thankfully, future models of Adder have also discontinued the trend of the USB 2 ports.

The screen is a 1080p, 144 Hz 15 in (38.1 cm) display and is more than sufficient in bright/outdoor conditions. The keyboard has a RGB back light and the brightness of the screen is sufficient for outdoor use or in sunny places. Like the Darter Pro, the Adder smudges quite a bit with your fingerprints, but doesn’t seem to be nearly as bad despite being the same material. You also get Bluetooth (which I never use), a webcam/microphone, and Wi-Fi 6E.

I think the most compelling thing about the Adder for end users is the computer’s customization. You can add a ton of RAM, it has lots of space for extra storage, and the ability to swap out parts is great. Compared to other gaming computers with the same price point, the fact you have the capability of replacing parts while remaining very price competitive is praiseworthy.

On price, with all of my upgrades to RAM (up to 64 GB, I did 32 instead of the default 16), storage, and the 4060, the full price was around $1863. It’s a steep price compared to its competition, but if you are willing to foot the effort or pay extra, you can get a machine with a better CPU and more storage/RAM. The compromises are a 1080p display, the sub-par webcam/microphone, and the dreaded USB-2 port (again, going away in the next version).

Why (Now, In This Economy, Support System76)?

The biggest question I want to clear up right now is “the why,”

System76 as a Company

On one hand, I want to support a company that makes a Linux laptop. System76 has contributed a lot to developing desktop Linux, has made some impact on the Linux app ecosystem, and will continue to so as they launch the Cosmic desktop environment. They offer a computer that’s fully upgradable and repairable. But on the other, the space is far too competitive and I wonder if I should have even bothered. This whole thing also causes me to question why System76 chose to roll their own firmware, desktop environment, and optimizations.

The thing is in the United States, a lot is riding on System76. The only other major Linux-focused laptop manufacturer in the US, Purism, is too busy shipping laptops with old hardware and refusing to refund people over unfinished Linux phones. International Linux laptop manufacturers who give back to development, like TUXEDO and Star Labs, are out of reach for anybody not in Europe or the UK (both charge hundreds of dollars in import fees, but it’s not their fault. Blame customs.).

Support My Needs!

The reason I chose to buy a computer now is I have very specific needs that only a gaming laptop (or a MacBook Pro, but who’s going to waste money on that?) is going to accomplish.

Mobile Content Creation

The first problem is I’m a content creator. First off, it means every other week of my life is consumed with recording slop videos for all of you on a regular basis. Previously, I never owned a good laptop this good. My workflow was always my desktop first in my home office and conducting personal work outside of the home was always done on my phone. I’m an advocate for desktops purely for control and customization.

However, there’s a problem—content creation. My phone and pathetic netbook ASUS laptop can’t edit videos effectively. This situation was so bad for me last year, I rushed out a video because I knew I was going away on vacation for a week and wouldn’t have time to or access to my desktop. One of the main reasons I bought this machine was because I need to have a portable editing machine and way to give the illusion of normal YouTube activities, even if I travel.

My Aging Desktop

The other reason is my aging desktop from 2016. My desktop is chock full of hardware no longer seeing security or feature updates. It has an Nvidia 1080 TI. a Intel i7 7700 Kaby Lake CPU, a 32 GB of DDR4 RAM. Nvidia won’t abandon the 10 series GPUs at least for another 2 years, but Intel is slowly killing off support for most CPUs made around the same time as my i7. Worse, ASUS has not given my motherboard an update since 2018. Avoid ASUS like the plague.

For these reasons, I chose to get a new laptop and I bring all of this up because of my previous hardware, I knew no matter how System76’s computer turned out, it would be a net improvement over my desktop. It’s a mobile workstation I can take places, has 7 years of improvements, and fully capable of handling my video editing and content creation needs. I will likely consider another computer one day, given Microsoft’s looming threats of an even more aggressive AI release of Windows. When whatever Windows 12 (if it’s even going to be called that) comes out, I will make a decision about upgrading, but in the mean time, chose to settle with the Adder Pro. Right now, my desktop has become my streaming/recording computer.

Merch

The included merch and stickers are identical to the Darter Pro 9 review. The Pop!_OS shirt I got is limited edition.

They also gave me a [Pop!_OS] t-shirt for free for some reason, which is far from one of the worst things I’ve worn in my life… The computer comes provided with a little welcome card, telling you to “unleash your potential” and a quick little message about where to get help online. They also gave a cardboard standout character named Melvin, which okay… but this is a questionable inclusion. Cardboard is easy damaged and I think Melvin here is going to be staying in his little frame. They also give various branded System76/Pop!_OS stickers, which used to be just individual, now they are 2 sheets together.

Using the Adder Workstation

First, I uninstalled Pop!_OS and rebuilt my Fedora setup using my scripts. Once again, I am firm believer in rolling release distributions and Pop!_OS is not. Despite replacing Pop!_OS, I have not seen any hardware failure or anything of the sort. If you are not a fan of Fedora, you can install Arch, NixOS, or whatever you want. If you use Arch, Fedora, or NixOS, each has community maintained packages for System76’s firmware controls and tools.

If you uninstall Pop!_OS or remove the default partition with Pop!_OS’s recovery image, there is a prompt in the BIOS that is hard-coded to this recovery image. However, removing the partition is inconsequential and makes this feature useless.

GNOME & KDE

When I first installed Fedora 39, the first interesting quirk was GNOME would never boot properly and only showed a black screen. As a result, I spent the first 3 months using KDE Plasma 5.27. I installed the proprietary Nvidia drivers and used the Wayland version. KDE was an interesting experience:

• KDE handles display scaling better than GNOME does.
• KDE has fixed their file manager portal from bugging out. Portals also work way better now.
• Screen sharing will occasionally cause apps like Signal to crash. Some updates to Signal would fix it, but others broke it again.
• Using Nvidia with KDE and Wayland will lock your frame rate to whatever your lowest frame rate of your monitors is. I use a 60 Hz monitor from 2009 in addition to the built-in display, so it immediately locked the frame rate at 60 FPS. I have no non-Nvidia devices to replicate this issue.
• Nvidia causes a lot of interference with adding new monitors. Not directly a KDE problem as much as it is a Nvidia problem.

These problems eventually caused me to go back to GNOME, but they were admittedly minor. GNOME did magically start working, so I have no idea what happened to GNOME during Fedora 39 launch—it’s been stable since. GNOME overall handled screen-sharing, high frame rates, Nvidia problems, and the keyboard backlight better. An unusual aspect of the RGB is when using the keys, the lights are limited to a minimum 20%, but in GNOME’s keyboard backlight menu, you are able to control this more tightly.

Peripherals

The keyboard of the Adder has very little flex and feels great to use. Unlike the Darter Pro, the function keys are more traditionally aligned, support most standard laptop BIOS features like volume, brightness, etc, and controlling the RGB lights. There is also a BIOS webcam switch, but the webcam switch only disables the webcam, not the microphone, despite both being the same module. You’re probably going to want to keep it off because it’s 720p and performs horribly.

The laptop has a fine hinge and is able to be opened with one hand. The computer weighs around 5 lbs (2.25 kg), so this thing is fairly heavy, but that’s normal for most gaming PCs in this category. The touchpad is also slightly off center, but I was never bothered by this personally. The speakers lack the range for bass, but they will get the job done.

Fan Noise

The biggest problem with the Adder (and most gaming machines like these) is fan noise. Even mildly hardware accelerated activities like playing a YouTube video will cause the fans to occasionally rev up. If you are performing a more complex task, like gaming, using OBS, or video editing, it can be louder and much more distracting. Because of the close proximity of the built-in microphone, your Discord calls over your competitive video games will likely be drowned out by fan noise unless you use an external microphone.

Heat

If you use the Adder as a standard laptop, the Adder accumulates heat like nobody’s business. This is really problematic if you use the laptop on your lap and you can really feel that heat. It also shows because the cooling vents are on the bottom of the laptop, so be prepared for a blast of warm air on your thighs. It’s not that bad and you won’t feel this way when the laptop is on a desk, but you will feel that perpetual heat.

Battery Life

An important thing I want to discuss is battery life. Linux on laptops has an abysmal reputation with battery life. However, I have never seen anything like the battery drain in the Adder. Without any tweaks to Fedora and using the default systemd power profiles, the battery life is around 4 hours. I figured installing System76’s power management tools would help, but it actually made the battery worse, dropping it to 2 hours. I know graphics cards suck down battery like no one’s business, but this was something else entirely.

But when I started reading reviews for other similar computers, I found that many reviewers were complaining about the same issues with other high-end gaming laptops: ASUS, Razer, Alienware, and Lenovo, all using Windows 11. I can only surmise that this ridiculous battery drain is because of Nvidia, whose drivers are already really problematic on Linux. However. I was able to increase the 4 hour battery life using tlp and disabling the default power profiles. This bumped the battery up to 6-7 hours, which I will definitely take. I will also comment this soured my experience with System76’s power management tools, especially when tlp felt like a better way to optimize and save on battery.

sudo dnf in tlp tlp-rdw -y
sudo systemctl mask power-profiles-daemon.service
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket

I also tested disabling the Nvidia GPU using both System76’s tools and envycontrol, both of which did not increase the battery life significantly. I’m more than willing to chalk this one up to user error.

System76’s Firmware Shortcomings

I’ve talked about it before, but I really want to emphasize the benefits of System76 is its firmware. The fact that they support coreboot is commendable. However, System76’s firmware is one of the most problematic things about these computers. In my previous review, I mentioned System76 disables Secure Boot by default, actively discourages their users from using it, and cannot password protect their BIOS.

The first thing I want to discuss is desktop firmware security. Windows is making strides in pushing their user base to adopt TPM as a secure element and verified boot with secured-core PCs. I understand most users are resistant to TPM because of how heavy-handed Microsoft is with this, but the harsh reality is Linux is really bad at protecting the integrity of your boot processes. The good news is Linux developers like Lennart Pottering and openSUSE’s Richard Brown are in agreement and are moving systemd and openSUSE Aeon respectively to adopt TPM by default as well.

Related: Matthew Garrett’s talk to the Linux Security Summit in 2023 about TPM-based security on Linux.

System76 needs to be held accountable because when they assemble your device, they have configure your hardware in specific ways. One of the things that I believe is hurting System76 is the neutering of the Intel Management Engine. I’m going to tread carefully here, because the Management Engine is not documented well, but the Intel Management Engine is important to use core security features Intel and Microsoft are using as the building blocks to make your experience as an end user more secure. Intel Boot Guard requires the Intel Management Engine to run and is part of the criteria Linux hardware security certification.

A long video about the finer details and writing an exploit for the Intel ME by Peter Bosch

The reasoning System76 gives for disabling the Management Engine is it’s proprietary garbage that “provides many extraneous features that are generally not usable or useful to our users.” I have changed my mind on this matter and now condemn System76’s team for this shallow thinking. Secured-core PCs and Intel Boot Guard are both features that are critical to the future of desktop computing. What’s more frustrating is the documentation of TianoCore supports using Intel Boot Guard, which System76 doesn’t need to foot any extra effort in implementing it. In fact, it’s probably more effort to neuter the Management Engine.

I know this might seem minor (it probably is), but some of the most reputable laptop manufacturers like Dell (owner of Alienware) and Lenovo make respectable gaming machines that meet these security certifications and standards; System76 does not. While the Management Engine is proprietary trash that has the potential to get hacked, everything in your computer has the potential to get hacked. We need to encourage our Linux manufacturers to support strong security standards just like their Windows counterparts. We also can’t let paranoia against proprietary microcode like the Management Engine (that’s barely a threat to 99% of the population) sacrifice our security and device future-proofing in the process.

I have retroactively changed the Darter Pro review to reflect this decision. Like I said in that video, I don’t think most people will care, but I do and believe secure defaults are paramount to reviewing a device. There is also a page on System76’s site about reverting to the proprietary firmware, which requires disabling Secure Boot and probably TPM. Then the Intel ME can renabled, but there are still issues with developer controls with Intel microcode.

Performance

On something lighter, let’s talk about performance metrics. The Adder is more than capable of basic tasks for web browsing, development, and watching videos. I’ve also discussed DaVinci Resolve’s performance on discrete GPUs, where you must natively install Resolve rather than using a container. The Adder now handles my video editing, light AI processing, and basic C compilation.

I decided to push this thing for gaming performance. This thing can easily run the vast majority of games, but chose some of the toughest games in my library: Cyberpunk 2077, the Witcher 3: Complete Edition, and Control. In all 3 games, the Adder is able to hold at least 50-100 FPS on maxed settings without ray-tracing. Introducing ray-tracing is where things get more interesting. As a gaming laptop, the Adder hits a CPU bottleneck in most games, but is more than capable of handling any AAA game at max settings, provided you don’t use ray-tracing or other specialty features.

• With Cyberpunk 2077, performance is all over the place with DLSS on quality mode. The frame rate goes between 54 and 70 fps. It’s noticeably worse with indoor areas as there’s a lot more scrutiny with detail. Certain locations like Megabuilding H10 (the starting apartment) are well optimized, others are not. Ray-tracing and DLSS are usable, but path tracing and DLSS frame generation are not.
• In the Witcher 3: Complete Edition, I ran the DirectX 11 version with ray-tracing and a similar result. Using the DirectX 12 version, both with and without ray-tracing will crash upon opening the “world map” in the menu. However, the DirectX 11 version will get a solid 120 fps on maxed settings.
• In Control, ray-tracing can easily cut down to about 70 FPS (down from 110), but was noticeably less taxing on the GPU than in CDPR’s games.

Final Thoughts

After spending 8 months daily driving the Adder, I have very mixed feelings. This computer has a few problems, but these problems may be beyond the control of System76. What makes it more complicated is this computer serves a different purpose to other laptops. The amount of customization is commendable and make it far more compelling for people with more niche use cases. However, I ask before you buy this:

• Do you want a computer that you are able to add tons of RAM and storage to? Do you value the right to repair? If so, System76 blows their competition out of the water.
• Do you like System76 as a company? Do you want to support the Cosmic desktop environment or their assistance with developing desktop Linux? If so, you can fund them by buying their laptops.
• Do you value privacy/security? If so, do not buy from System76 as most Windows OEMs have a more secure experience (albeit sometimes a worse Linux experience). Privacy is mostly the same, even if you don’t have open firmware.
• Are you a content creator who does a lot of video editing? Are you someone who likes to game, but frequently travels? Are you getting in on the AI hype train? These are the people who will make the best use of this machine. However, you might be better off buying another device.

My final verdict on System76 after the last year is if you value a repairable and insanely upgradable computer, they will have you covered in spades. If you have no interest in the nitty gritty of repair and upgrades, perhaps you are giving a recommendation to someone who isn’t a techie, steer clear of System76. “Normal” people who use System76’s machines miss out of serious security benefits and spend extra money on the ability to upgrade, which most will unfortunately not exercise.

I like this computer minus its battery life and security problems. I am the target audience as a content creator, but the laptop space is competitive. You are likely able to get a similar device from a competing laptop maker for less, sacrificing upgrade paths. In fact, you could probably go to your local Micro Center or whatever and purchase something like a Legion Pro or Alienware for a similar experience. It’s doubly hard for System76 to compete with the big players who don’t need to consider the Linux angle.

At this time, I only recommend buying this machine if you are an enthusiast or someone who wants to support the software work of System76. Unless you make use of those upgrade options, you’re probably better off spending your money elsewhere.

Summary

🚫 Not recommended, unless you intend to support System76 and Pop!_OS.

Pros

• Good performance (content creation, gaming, general use)
• User serviceable and repairable
• 144 Hz display (1080p, but works great on GNOME/KDE Wayland)
• Allows higher RAM and storage than most competitors when purchasing
• Coreboot and TianoCore firmware

Cons

• 30 day refund includes the days it took for your computer to ship to you
• Collects fingerprints, but not as noticeable as the Darter Pro 9
• Battery life is terrible (around 4 hours, but usually less, doubled if you set up tlp)
• Bad webcam/microphone
• 1 USB-2 port (The Adder Workstation 4 will replace it with a USB-A 3 port)
• Really loud
• Can get hot to use with extended use and lots of things running
• Hardware security is much weaker than popular laptop manufacturers (insecure BIOS, no Intel Boot Guard because of neutered ME, and fails various HSM levels)

Other

• Charger is heavy
• Lots of merchandise in addition to computer (t-shirt is limited edition)
• I didn’t test Windows. It’s very likely I will use my other M.2 slot for this or to test distros.
• There are only 2 RAM slots. If you wish to upgrade the RAM, you will need to purchase 32 GB sticks to upgrade.
• Parts claim warranty is void if removed, but System76 does not care.
• F4 key is blank and 1 key apart from the other volume keys.

References:

• Screen specs footage is from Boku no Kokoro no Yabai Yatsu (The Dangers in My Heart) Episode 2
• Some scenes from Tenet (2020)
• Video in the light testing is SHINee’s LUCKY STAR
• Various videos from System76’s YouTube channel

Track Listing

• KK - Sunday afternoon (日曜の午後)
• h - Saturday morning
• gooset - SOLDIER
• h - rain & rainbow
• h - wet day
• yuhei komatsu - Another Face
• Outro: Khaim - Neon Lamp

I’m tired of seeing comments complaining about GNOME being Apple (think “the devil”) or KDE breaking everyone’s fun by adding/changing 10 billion features.

Stop treating GNOME and KDE like they are consumer companies. They need time and talent and do everything for very little (monetary) gain. One of the reasons desktop Linux will never succeed with “normal” people is because there’s not enough hands to keep the duct-taped ship afloat. If people don’t step up, it will become a sinking ship very fast. Not to mention the people who think they can do better and jump ship only to rebuild the same exact ship some place else.

Some developers are very opinionated and bad at communicating because most developers don’t know how to communicate with people. They’re used to developing for themselves, but not with others. Don’t get me started on the marketing, branding, and UX design angle!

At the end of the day, there’s a person behind the screen and on those git servers, and making comments like this only dehumanizes them more. It’s easy for people to make blanket comments like this because they view these people as just as nebulous of the worst executives in Big Tech.

Show your developers some love more often or help out your favorite projects or software you use. If you don’t know how to program, use them, report problems, or do testing. It’d be nice for a change than complaining online.

A unique thing that desktop environments on Linux get is extensions. And they aren’t limited to the latest AI product being shoved down your throat (hi Windows)! The most popular desktop environments like GNOME and KDE offer extensions, but not all is as okay in extension land as you might think.

I want to unpack some of the extensions that I really like and the situation involving desktop extensions is more precarious than most people know.

Polonium (KDE)

Have you ever wanted to do window tiling? You know, where your windows automatically arrange themselves, some would say dynamically? Well, there used to be this thing called Bismuth, which would automagically rearrange your windows just like a tiling window manager.

Except people are reporting bugs, especially on newer versions of Plasma and the developer is stepping down. I made video about this situation last year and quite a bit (hasn’t) changed since then. Bismuth is still up on GitHub, but despite development basically grinding to a halt. The long story short is Bismuth relies on the KWin’s APIs from Plasma 5.26 and is incompatible with Plasma 5.27 and the upcoming Plasma 6. The maintainer also had some personal issues and stepped away because he didn’t have enough time. Let this serve as a reminder that most developers are not on company time or payroll. They are normal people who have to commit their free time and talent, often for little to no gain.

The result was a fork of Bismuth called Polonium (you know, as in the radioactive metal, because Bismuth is a metal?). Polonium targets KWin’s new APIs and supports the same dynamic window tiling that Bismuth did. I encountered a few KWin crashes when I was using it, but I’m more willing to chalk that up to Nvidia being a pain since they can’t be replicated reliably. Polonium is pretty cool in that it’s Wayland-focused and building on the age old work of Bismuth.

However, this is where the plot thickens. Recently, the lead developer of Polonium, zeroxoneafour, has said the current codebase for Polonium is unsustainable. This is due in large part that the original KWin APIs from KDE 5.27’s early days and growing incompatible with the constant development of KDE.

Since Polonium is from mid-2023, it has since accrued technical debt as KWin begins to clear up and on the eve of Plasma 6. What needs to happen now is that development of KWin continues to refine and make sure the protocols that Polonium uses to work stabilize in Plasma 6. It’s a complicated situation, but the basic gist is Polonium is playing catch-up with the large, ongoing changes in the upcoming Plasma 6. zeroxoneafour has also said the only solution to fix Polonium’s technical debt is to completely rewrite it from the ground up, which the current beta version out now is a proof of concept. If you want to help them and you have experience with TypeScript, you can go visit their GitHub.

GNOME Extensions

Unfortunately, picking GNOME as a platform hasn’t been smooth sailing. The long story short is the GNOME developers have been making a lot of changes to their windowing compositor Mutter and its components. The most important change is moving away from GNOME JavaScript (or GJS). There’s a bit to unpack here.

1. GJS is a variant of JavaScript similar to TypeScript. But for developers coming in to work with GTK, it’s not totally the same. The primary reason this was changed to make the toolkit easier to adopt or get into.
2. GJS is different, but not too different. Someone could easily script or program a way to update older extensions to replace GJS with standard JavaScript.
3. That means that extension makers need to maintain 2 versions of their extensions. Wait, what?

People online are complaining about the fact that GNOME’s extension developers have to maintain extensions in GJS from GNOME 44 and below, and extensions in standard JavaScript for GNOME 45 and above. You’ll hear complaints about how GNOME is an unstable platform that constantly breaks every yearly release and then some.

I want to highlight a problem that I think most people avoid or don’t think about: it’s most software projects don’t have a PR team. Most people didn’t see this in a fancy press statement or in a dazzling video by GNOME’s YouTube channel. They saw this in a blog post, written by an engineer, for contributors. In fact, most people probably heard about it from their favorite content creator reading the news, an online forum like Reddit or Lemmy, or one of the Linux content mill news websites.

The general feeling that people get is the lack of communication, because there is a genuine lack of communication–a communication team. But people continue to treat an open source product as they would a financed proprietary product. GNOME is not and while there are developers who are paid to work on it, it’s nowhere near the level of Windows or macOS. To be fair too, I’m not saying this excuses the poor communication. Even if unintentional, it doesn’t matter how you intended something to come off, what matters is how people perceive it.

The Teetering Tower

But we also need to be realistic about what extensions are. GNOME Extensions and extensions in KDE are not built with specific functionality in mind, nor are there convenient APIs for them to use. There’s no one framework or stable thing to build around and this sounds crazy, but it’s similar to extensions in your browser.

Chrome and Firefox have a stable framework for their extensions, but like KDE, the APIs are constantly being poked and probed by their developers and the W3 to see what people use and what isn’t. Browser extensions are rather constructed around a bunch of frameworks to do things in real time and limit the extent of what they can do for performance and security reasons.

The same is true with extensions in GNOME and KDE. Your extensions need the ability to specific things in real time. For example, I use Caffeine on GNOME, which prevents my computer from falling asleep when I do specific things like play full screen videos or games. But think about what goes into this: the extension needs to be able to read GNOME’s APIs to know that there is a full-screen window or specific application open on your device. All of this needs to be done in such a way that it doesn’t hinder the performance either because people will complain if an extension slows down their system!

GNOME Forge

But what does this look like? I have been bombarded with comments about how I got window tiling in GNOME. It’s an extension called [ you some manual tiling like you’d get in i3 or Sway. But like Bismuth and Polonium, Forge is not immune to this cycle.

Earlier last year, Jose Maranan, the lead maintainer of Forge announced he’s no longer able to keep working on the project. And this has affected the project because a lot of the Forge developers are trying to pick up the slack with Jose helping them and figuring out GNOME 45 porting and some annoying bugs like why the UI will suddenly become English for non-English GNOME users or the extension breaking on touchscreens.

In my observation on GNOME 45, the toggle menu is totally absent in the GUI, but can still be accessed through Matthew Jakeman’s Extension Manager. However, I’m not a power user of Forge. I just have 2 windows open at a time and mostly adhere to vanilla GNOME. If GNOME implements its tiling, I’d probably switch to that immediately.

Closing Thoughts

But while most of these problems are here, I feel it’s also important to acknowledge that GNOME and KDE have zero obligations to extension developers. They can’t just stop developing their desktop environments because a couple extensions aren’t just right. It’s the same reason Firefox and Chrome break extensions frequently because they constantly touch their APIs.

Here’s the part where I tell you I’m going to flip flop to another software, but not this time. I’m too much of a technological polyglot to settle anything properly anyway. I will solemnly accept it and will continue to advocate for the assistance of extension maintainers. It’s a thankless task and you’ll find that a lot of the people in these repos are just users like you and me. I don’t have the time to properly learn JavaScript and GNOME/KWin APIs, but I can use my platform to at least highlight where help is needed the most and why you should lend a helping hand to your extension maintainers.

My Favorite Desktop Extensions

• Polonium for dynamic window tiling on KDE
• Forge for tiling windows on GNOME. Given how I use GNOME, it says me the extra key presses of manually tiling windows.
• Caffeine to disable sleep/lock for a set time or for specific applications.
• Dash to Panel to add a clone of the vanilla GNOME panel to my other display purely so I can pretend to check the time.
• AppIndicator and KStatusNotifierItem Support for legacy system tray icons. I prefer GNOME’s “background apps” menu, but it’s unfinished as of time of writing.

Referenced

• Siri will be announced to have generative AI capabilities in WWDC 2024 (Korean)

9to5Linux is a content mill

I can’t say with definitive proof that the reference to plagiarism by 9to5Linux, but at most, it’s just cheap rewording of an official Asahi Linux blog post with little to add except the link to give them more clicks about Arch Linux ARM.

At a minimum, 9to5Linux is a worthless content mill and you should just learn how to use an RSS feed.

• Fedora Asahi Remix - Asahi Linux
• 9to5Linux’s copy

A question I see often is “how do you edit your videos?” The answer is I use DaVinci Resolve. While a lot of programs that I promote are open-source programs that can be freely inspected, distributed, and modified. However, I have tried all open-source video editors and all of them have disappointed me. Instead, I settled on DaVinci Resolve, one of the most popular free (as in cost) video editors. It’s been growing in popularity since Adobe continues to push their users to the brink with subscription prices and AI chicanery. While it might not be as featured filled as Premiere, Resolve gets the job done over and beyond most of its competition and one of the few commercial companies that supports Linux.

However, just because DaVinci Resolve supports Linux, that doesn’t mean it’s all smooth sailing. I don’t think it’s a secret that most of Black Magic’s employees all use Macs, because who in their right mind would use Windows? At least in my experience, I’ve noticed that when it works, Resolve outperforms and is generally smoother on Linux than on Windows, although I would chalk that up to 2 things:

• The Mac version is easier to port to Linux as since macOS is also Unix-like.
• Black Magic uses Linux as the backend for database servers, managing their products, or embedded systems.

And I am all about paying for a good product. If you use a product, whether it’s your favorite open-source project or a proprietary product, if you like a product, give them money and show your support. This especially goes for desktop Linux users since meeting one in real life is like finding a unicorn. If you pay for a product and you like how it works, you show your support and that the thing they offer is worth continuing.

But emphasis on “works.” Because if you scour the internet looking into Resolve, people complain about not getting it to work. Windows and Linux in particular are hard targets because of the diverse types of hardware out there. On Linux especially, it’s an uphill battle and I want to walkthrough some of these issues, some solutions, and debunking some claims online about how DaVinci Resolve functions on Linux right now.

Codec Complications

Resolve paywalls specific video codecs, or video format compatibility, from working. Some codecs like AAC audio, the standard for audio in MP4 files, don’t work at all! It might be easy to point the finger at Black Magic Design for crippling Linux users, but reality is they aren’t the enemy.

Did you know the popular video codec for MP4 and QuickTime files, H.264 is run by the MPEG LA, or as I call them, the scummy patent squatting body that monopolizes video on your computers and phones. Google, Microsoft, and Apple pay the MPEG LA truckloads of money every year (and you’d only know this by reading the Microsoft or Apple EULA, who doesn’t?).

Nobody likes them, especially the companies that pay them and it’s gotten so bad they’re trying to promote their own alternative: the AV1 codec to finally put an end to the H.264 reign of terror. Resolve only paywalls it because the license of H.264 requires the operating system pays money. No way would your distribution give into petty extortion like this.

Converting Media

Resolve blocks specific codecs from working for Linux users or paywalls them. For example, there’s a massive spreadsheet in their support manual describing all of the codecs that don’t work.

However, this means that using Resolve will require you to convert your existing “incompatible” media. You can use tools like ffmpeg and HandBrake to convert video or audio into the desired outputs.

If you don’t know what codec your file uses, VLC or MPV allow you to view the codec (Ctrl + j in VLC or i in mpv)

I typically do Nvidia NVENC H.264 for hardware acceleration, but if you don’t pay and especially if you want to support the future, use AV1. For audio, you need to use PCM wav.

Below are some sample commands.

Resolve Free

ffmpeg -i "incompatible.mp4" -vcodec libaom-av1 -acodec pcm_s16le "compatible.mkv"

Resolve Studio

ffmpeg -i "incompatible.mp4" -vcodec copy -acodec pcm_s16le "compatible.mov"

My Resolve Scripts

On my GitLab, I have 2 Resolve scripts:

1. First, run davinci-resolve-distrobox-1.sh. This installs all the dependencies and prompts you to download Resolve.
2. Second, run davinci-resolve-distrobox-2.sh. This fixes the prepacked libraries and integrates it into your system through Distrobox.

GitLab scripts

Distro(box) of Choice

Resolve is very picky about what distro you run it on. Officially, Rocky Linux is recommended, but very few people run Rocky Linux on desktop Linux. Instead, you can run Distrobox, a utility that lets you run applications in a Podman/Docker container.

• No matter what flavor of Linux, you can run a container where Resolve thinks it’s installed in the distro of your choosing.
• Distrobox gives the container full access to your home folder and can integrate installed programs as GUI or command line shortcuts.
• Since Resolve recommends Rocky Linux, we should use Fedora because it is more updated and has better hardware support.
• Since Resolve is running in a container, updates to the container are independent of your host system (the one you run your containers on). This way, Resolve runs in a stable environment without impacting other programs you use.

Lacking Libraries

Resolve requires specific applications and libraries in order to correctly run the installer and Resolve itself.

• The installer requires FUSE and various other libraries for the installation process. This is because the installer is a glorified AppImage.
• You need PulseAudio, the XDG libraries, and X11. Resolve will work in XWayland, but your window decorations will be invisible.
• RPMFusion is needed to run all the video codecs.
• You will need to download the desired version of Resolve from Black Magic’s website. If you use the free version, you can submit bogus information and get the download link. If you use the Studio version, you can click the “Download only” link. You also need the required libraries for your respective graphics card.
• If you use Nvidia, you need to download akmods-nvidia and xorg-x11-nvidia-cuda. In a container, the installation might fail, but don’t worry if it does. Your Distrobox container needs to be built with the --nvidia flag.
• If you use AMD, you need to use rocm-opengl. You might also need to install the Nvidia driver too.
• Intel Arc is untested.

After Resolve is installed, Resolve’s codecs are outdated and Resolve will fail to launch. First, copy the codecs from the RPMFusion folder and put them in Resolve’s folder.

sudo cp /lib64/libglib-2.0.so.0* /opt/resolve/libs

Pulling Old Fedora Libraries

Resolve’s codecs are still so old that even Fedora is leaving them in the dust. You need to download an archive of older Fedora 38 libraries, unpack the archive, and copy them into Resolve’s folder as well. Even if you use a newer version like Fedora 39, the 38 libraries still work.

Since this video, the link has been officially removed from the Fedora repositories. I saved a copy on the Wayback Machine

sudo dnf install cpio -y
wget https://web.archive.org/web/20231220041143if_/https://dl.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/os/Packages/g/gdk-pixbuf2-2.42.10-2.fc38.x86_64.rpm
rpm2cpio ./gdk-pixbuf2-2.42.10-2.fc38.x86_64.rpm | cpio -idmv
sudo cp -r usr/lib64/* /opt/resolve/libs
rm -r usr
rm gdk-pixbuf2-2.42.10-2.fc38.x86_64.rpm

Reverse Engineering Resolve’s DRM

If you are a free user, this section is not relevant to you.

If you harden your Linux network settings, you will encounter problems ensuring your Resolve installation stays registered. If you use a randomized MAC address, Resolve needs to know your real MAC address, probably to check your vendor OUI.

TL;DR: Resolve is quite sound privacy-wise, but relies on you using a static MAC address if you use Studio.

There are 2 types of license: the dongle or internet activated code. When you first open Studio, you will be prompted to enter in your code or insert your dongle. I use an internet code, but many others have tested the dongle.

Privacy-wise, DaVinci Resolve collects no telemetry and attempts to keep network calls to a minimum. The only time Resolve phones home is when you enter in your license code and to check for updates. Resolve then generates a certificate in its /opt/resolve folder that attests that you are using a device with a specific vendor identifier. Otherwise, it will ask you enter your code again if you reboot your device or restart NetworkManager.

If you use my NetworkManager configuration /etc/NetworkManager/conf.d/00-macrandomize, comment out the following:

#wifi.cloned-mac-address=random
#ethernet.cloned-mac-address=random

There’s also conjecture on fat-tire’s Resolve container that DaVinci might use the Linux machine-id to identify uniqueness. While this is possible in theory, machine-id has no impact on Resolve’s DRM. Linux machine-id is just generated when you first install your OS, but this can be deleted or modified. For example, I use the Kicksecure machine-id, since they make it so all of their users use the same Linux machine-id. I replicated this with Studio and my license was retained.

echo "b08dfa6083e7567a1921a715000001fb" | sudo tee /etc/machine-id

Discrete GPU Troubles

Using Distrobox with discrete GPUs doesn’t work. I have no idea why. Still works fine on Desktops.

Misc Problems

• All window decorations are invisible in Wayland. They are visible in X11.
• The file picker doesn’t use portals. It’s their own machination.
• If you are an AMD user, you cannot export video as H.264.
• If you make changes to the Nvidia driver and Resolve fails to boot on Wayland claiming “make sure all displays are unplugged from your integrated GPU,” run Resolve in X11 once, then it will open again in XWayland.

Donate

This was the culmination of months of experimentation. If you like the work I do, please consider donating money.

Donate

Referenced:

• Adobe Says Significant Costs, Penalties May Arise Out of FTC Investigation - Denny Jacob, WSJ
• Official SEC Form 8-K against Adobe for subscriptions and acquisition of Figma
• Michael Horn’s video about DaVinci Resolve and Distrobox from YouTube and Odysee
• The AV1 Codec - Tim Terriberry, Mozilla Research - Linux Conf AU 2019
• The NetworkManager.conf documentation
• Fortinet’s explainer of vendor OUIs

Did you know:

The GNOME developers do not care how you pronounce GNOME. However, if I do not use “the hard G GNOME (/ɡəˈnoʊm),” there’s a chance it will create a headache for me to format subtitles later.

Intro

Have you ever tried using the GNOME Desktop Environment? It’s the default of Ubuntu, Fedora, and many more. But how many people really use GNOME? Lots of Linux distributions don’t use GNOME the way its developers intended (more on that later). They make all sorts of modifications, making it look like Windows (Nobara). Or they add extra applications on top of it (Pop!_OS or Ubuntu). Instead, I want to take a deep dive into examining the default GNOME experience and why the default GNOME experience provides one of the most optimal desktop workflows.

The GNOME Way

GNOME is built using what they call the Human Interface Guidelines (HIG). The HIG provide the basis to the why and how GNOME functions.

• truly follows the Unix way: simple apps inside a simple ecosystem. Minimalist by default.
• Removing complicated or confusing features based on how maintainable something is. It’s done to ease developer burden and a better OOBE.
• The prioritization of accessibility. All features are accessible as equally as possible. You can use a mouse, keyboard, or touchscreen and you can do almost everything.

In Practice

• adjustable windows for those with small displays
• Generic application names. Names are also carefully chosen so applications don’t conflict across different localizations and have double meaning.
• Priority support for common desktop hardware (yes, even NVIDIA)
• Same keys as Windows (mostly), perfected workflow from macOS, and a mash of features from tiling window managers.

The GNOME Workflow

There is no one workflow nor is it defined by the GNOME foundation. However, there’s an implied way GNOME’s developers hint about how you to use it.

• Super key opens an “exposé” view to see all of the open windows, similar to macOS. You can also access it by clicking/tapping the workspace dots.
• Typing in after opening the dash allows you to search applications, then searching your files and GNOME integrated applications.
• Navigation is done using mouse, touch, or the arrow keys.

The common hiccups are things that other direction environments do differently.

• Maximize is accomplished via keybind or dragging a window up.
• Minimizing windows is not necessary because of the Activities menu. It also encourages the minimalist nature: if you don’t need something open, close it. If you want to leave it open, send it to another workspace.
• Keyboard window switching is done in two ways to give equal access to the open windows of your focused application and which application you want to focus on. Alt + Tab to change your focused application and Alt + ~ to change windows of your focused application. This way, compared to traditional window managers, you always have access to all of your windows without a confusing menu.
• The window switching is dependant on what keyboard you use. The key is always whatever is above your Tab key. For example, on German keyboards, it’s Alt + +. Thanks to @kuhluhOG on YouTube for telling me about this.

Workspaces

Of all graphical desktop environments, GNOME’S virtual desktops are much more user facing and accessible than Windows, Mac, or other desktop environments.

Workspaces via GUI keybinds are limited to 4, but this can been increased using gsettings, GNOME’s equivalent to Windows’ Registry Editor. However, this becomes redundant once you embrace one of GNOME’s killer features—dynamic workspaces. Rather than having a set number, workspaces are added based on need them.

You also always know where you are using the newly added workspaces dots. Like most tiling window managers, and unlike Windows or macOS, you get a glance of which workspace you are on, similar to the pages on phone home screens.

November 2025 Update

Orignal Review

In a rare turn of events, I get to review a device I got a week to tinker with—the System76 Darter Pro 9. Using the System76 Darter Pro has been one of the most interesting experiences in using a laptop that just feels different from most other laptops I have ever used before. The System76 experience feels open, fresh, and comparable to other contemporaries from Dell and Lenovo.

Now before you get excited, this computer is not mine. This device belongs to a family member in need of a new computer. System76 didn’t pay for this review and while I didn’t pay for this myself, I was spending someone else’s money. I took a stab in the dark to see what the experience was like. The Darter Pro has not disappointed in bringing what I feel like is one of the best ways to use Linux on a computer, to a point where I am now sold on the concept of a computer constructed with Linux first.

Hardware

The Darter Pro came in a cardboard box, which seemed like an upgrade if you see videos of the same box last year, because now it has a handle! Not only that, the laptop comes in padded foam and with a plastic paper cover. All in all, you are getting computer similar to other flagship computers from companies like Dell and Lenovo, but with a bit of a Linuxy twist.

But you don’t want to hear me regurgitate hardware, let’s get into specifics. You can buy the laptop from System76’s website and I was able to get a $50 discount. The computer cost around $1163 plus shipping and handling. They also gave me a t-shirt for free for some reason, which is far from one of the worst things I’ve worn in my life. I can’t say I’m the biggest fan of Pop!_OS, but I will be wearing this t-shirt for the rest of this review.

The computer comes provided with a little welcome card, telling you to “unleash your potential” and a quick little message about where to get help online. They also gave a cardboard standout character named Melvin, which okay… but this is a questionable inclusion. Cardboard is easy damaged and I think Melvin here is going to be staying in his little frame. Funnily enough, they also give various branded System76/Pop!_OS stickers, which used to be just individual, now they are 2 sheets together.

Also on the left side, you have an HDMI port and a USB-3 slot. On the right, you get a headphone jack, micro-SD card slot, USB-2 slot, the power button and its corresponding LEDs, an Ethernet port, and a Kensington lock.

The computer also has a barrel jack charger, which I am most certainly docking points for. You have USB-C and Thunderbolt ports, please for the love of all things holy, just replace the barrel charger with a USB-C port. Nobody would be complaining.

Upgrades

I did apply some customization. Under normal circumstances, I typically give my family members the advice if they need to do things, just use your phone, it’s easier. However, this particular family member has a home business and has been operating with a Fedora XFCE on a ThinkPad straight from the Windows 8 era with 4 GB of RAM. So going the full 10 year gap of computing basically gave me the liberty to do anything, because at this point, anything would be an improvement!

Given how long upgrading was in the past, this is what influenced what I chose to do in picking the configuration. I selected 16 GB of DDR5 RAM and a 1 TB NVMe. I’ve been worried about the growing memory requirements to do basic things in a web browser, but also leaving the door open in the future in case something drastic happens to software in the future.

While the stock configuration of the Darter Pro was 250 GB, but I pushed for the 1 TB upgrade. Microsoft has been famous for offering the 1 TB backup in OneDrive and I chose that much to leave enough breathing room to store not just business documents and media to come, but family photos and home videos from decades past.

Firmware

One of the major things I want to start off with is discussing firmware. System76 isn’t one of the only manufacturers to be using Coreboot; Star Labs, Tuxedo, Chrome Books all use it. But one of the things that makes System76 is unique is their own custom BIOS with Coreboot and I have some mixed feelings about it.

On one hand, the BIOS are fully open-source and can be upgraded for free using System76’s firmware tool. This means that you can actually get guaranteed motherboard updates, which compared to some Windows OEMs is a breath of fresh air. System76 also disables the Intel Management Engine, well okay, they don’t completely disable it, but it’s heavily neutered to a point where it can only do what it needs to. I consider Coreboot the more important part of the equation here than shooting the Intel Management Engine. It’s more of a priority to keep up with updates and firmware issues than a proprietary system typically only abused in targeted attacks.

Now for the bad news. While I enjoy the fact that the firmware is open-source and given a long life, I need to be brutal about how the firmware operates as of today. The System76 firmware has Secure Boot disabled by default, which is my mind is a massive L because Pop!_OS is an Ubuntu-based distribution, which should support Secure Boot out of the box. Furthermore, if you read their documentation about some of their other computers, they claim using Secure Boot is “not recommended.” System76 stop this. Ubuntu fully supports Secure Boot and we need to be pushing people to use Secure Boot because it’s part of what makes a secure system.

But the plot thickens. You can turn on Secure Boot after a quick reboot, but one of the things that really irked me was you can’t password protect the BIOS. Now someone did open an issue on their GitHub and in their defense when it comes to protecting user data, full-disk encryption will get the job done. But it’s shocking that for firmware that touted as open, maybe it’s a little too open. You don’t want the local house maid plugging/booting arbitrary USB devices!

Windows 11

Speaking of other weird subcategories, let’s talk about Windows 11. Hang on a second, wasn’t this a video about System76 and how they can run Linux? Well one of the unique things about the Darter Pro 9 and the other System76 machines in their generation is the ability to run Windows 11 with no major modifications. Of course, you do need to have Secure Boot enabled, then you can boot into Windows 11 just fine, well not without some problems.

For one, I noticed the touchpad would not function at all in the installer. I had to get an external mouse to click through buttons, because yes, Window requires a mouse to use their installer, unlike Linux. On top of that, the touchpad still didn’t work when I first booted into Windows. I ran Windows Update, then the touchpad starts working, but it would randomly stop working. Turns out it’s a Microsoft problem with Intel touchpad drivers. I don’t blame System76 or Intel for this, go blame Microsoft, for ruining fun in people’s lives!

If you use a laptop and need to dual boot Linux and Windows, I would strongly advise at this time avoiding System76. I believe with other major Windows OEMs like Lenovo, Dell, or MSI, you could get a better experience dual-booting at the cost of maybe a slightly worse Linux experience.

System76’s Power Management

The Darter Pro comes with Pop!_OS or Ubuntu, whichever you choose when you buy your computer. I didn’t care about these options here, because I think we can all make the assumption that System76 tests Pop!_OS on their hardware, but let’s test a real distribution. No offense to System76, but I want to use a rolling release distribution and something that actually supports Secure Boot, but what are our options?

There’s a support article that provides tutorials to hook up various Linux distributions that are officially supported by their developers:

• Arch Linux (AUR)
• Fedora (Copr)
• NixOS

Of the given distributions here, I believe that Fedora is the best option here, which is what my family member was using anyway, Fedora XFCE to be more specific. At the time I provided Fedora XFCE because it was a full desktop experience for a low performance environment.

But now that they now have a capable computer, I believe it’s time for something close to what they know, but adopt future trends and increased security. I selected Fedora KDE, because of its similarities to Windows and XFCE. But not only that, KDE supports Wayland, where XFCE still does not.

As a side note, System76 has a graphics switcher, but the Darter Pro doesn’t come with a graphics card, only integrated 13th gen Intel graphics. Under these circumstances too, they claim the graphics switching might not even work on other distros. On top of that, you need to build the GNOME extension from source if you want a graphical version (GNOME only) and not everyone would want to do this.

Experience

So what is using the Darter Pro like? First off, as an accessibility note, you can open the laptop with one hand, but it does require a little bit of force. It does feel better opening it with 2. The frame isn’t weak and feels generally solid, so opening the laptop isn’t too easy, but not difficult.

The touchpad feels pretty good. It’s not Apple levels of polish, but it certainly gets the job done and all gestures is something like KDE or GNOME are identified correctly. The one major downside about the frame isn’t just the frame, it’s the magnesium-aluminum chassis. This thing smudges really easily. In fact, after the first couple hours of use, fingerprints and smeared skin began to become more visible as time as gone on. This is probably the most negative thing I have to say about this laptop and it might be less noticeable if they want to keep using this material, but chose to make it more on the silver side, similar to what Dell or HP do with their computers.

The computer feels about 3 pounds. I didn’t weigh it, but I would say it’s around 3 lbs (1.3 kgs for my overseas neighbors). And this is with the heaviest build, because my family member requested the largest screen possible in a workstation computer. The Darter Pro has a 15.6 in (<40 cm), 60 Hz LCD display and this wide display was the largest one they offered.

The keyboard isn’t horribly loud and still shows flex, but it’s no different than most other laptops. It’s not flimsy and feels pretty solid. You do get the Super key, always a plus. I do want to comment that the function keys are in different locations than where most people expect them and they are no media keys.

The microphone out of the box, needs to be set really low. I set it to about 28% and felt it wasn’t blowing out my ears; it’s nothing to write home about. The webcam is also nothing special, but it’s 720p still, which is disappointing, but it will get the job done.

The speakers are okay, but don’t seem to handle bass particularly well. It’s able to convey the scene properly and gets you 80% there. The color settings on the display are also pretty good and nothing feels out of place. The screen also is anti-glare and did a great job at diffusing ambient light or bright areas.

I did stress test this thing a little bit. The battery life is approximately 9ish hours and I did deplete the battery to about 30% and did a estimation, so maybe not the most optimal test.

Now just to burden this thing as much as I possibly could, I wanted to pick a current generation game, but something that could still support the computer with integrated graphics. The Darter Pro comes with 13th-gen Intel and I ran the Witcher 3: Complete Edition (the DirectX 11 version) with the low settings. The framerates are similar to what you’d experience on a Nintendo Switch and at worst, the frame rate would dip to the 16-20 FPS area, namely in the city areas like Novigrad and the opening cutscene with the Wild Hunt. I’ll give the Darter Pro a pass here because clearly this wasn’t meant for gaming, but to be a workstation computer.

Final Thoughts

System76 is a new experience and I only had a few days to play with one and power through some of the things I wanted to see about experiencing one for myself. The firmware definitely needs some work and there are some defaults that need to be changed, but overall the Darter Pro provides a fantastic workstation experience. If you are a writer, a developer, or a general computer developer, you would enjoy using it. The software experience, provided you don’t use Windows and use one of their supported distros is a joy to use. I would recommend this computer is you are diehard dedicated to the open firmware experience and want to support a company that is pushing the experience. Just maybe invest that money into magnesium-aluminum that doesn’t smudge so bad.

Summary

(Updated November 3rd, 2025) 🚫 Not recommended, unless you intend to support System76 and Pop!_OS.

Pros

• Powerful performance
• Reasonably priced with configuration choices
• Great 16:9 matte display
• User serviceable and repairable
• Fully open-source firmware

Cons

• Very easy to smudge/collects fingerprints
• 30 day refund includes the days it took for your computer to ship to you
• Below average webcam, microphone is average
• Windows is less viable due to touchpad driver issues
• 1 USB-2 port (seriously, we should be past these by now)
• Open-source BIOS is missing a lot of features other BIOS have
• Secure Boot does not work out of the box and is actively discouraged by System76
• (Updated March 9th, 2024) Disabled Intel Management Engine
• (Updated November 3rd, 2025) Provided battery lasted less than 2 years

Other

• Pop!_OS, Fedora, NixOS, and Arch are community supported
• Lots of merchandise in addition to computer (t-shirt is limited edition)
• No USB-C charger
• Fn keys are not in the places they are traditionally on other computers

Track Listing (Partial)

• t12ya - Under Moonlight (月灯の下)

Case 1: Windows 10

Windows telemetry can’t be turned off and you only get 2 options: Full and Basic. No matter which version of Windows you use, the GUI won’t give you a way to deal with this. You can use Group Policy Editor of course, but in order for you to get access to the real Group Policy Editor, you need Windows 11 Pro or higher and pay through the nose to get.

Telemetry collected in both cases appears to be useful, but it’s ruined by the ethical quandary. Users are never given the proper means to consent except that big Terms of Service box when they bought their Mac or PC and clicked “I Agree.” Arguably, Windows’s telemetry is worse because Windows’s team continues to smear their name by ripping out existing features and the overreliance on siphoning user information. All of this compounded by the fact that Microsoft sells off your information to advertisers in their Bing network and has been doing so since the Sinofsky era of Windows.

But wait! Even if you use Windows Pro, you still can’t turn off the telemetry! The only way to avoid it is to:

• get a Windows Education/Enterprise license
• In order to get the license, you need to contact a Microsoft sales rep and give Microsoft business-relevant/mostly accurate information.
• Then you need to pay for volume licensing or a subscription fee for its activation, which also might involve hosting a Azure AD server.
• Then you can turn off the telemetry.
• Screw Microsoft and just use anything else except ChromeOS.

Case 2: Opting Out & VS Code

But let’s say a program that lets you turn off the telemetry, what do you do? You could of course trust them, but we need operate with “distrust, but verify.” Let’s take one of my favorite examples: VS Code. If I haven’t already, I hope I’ve drilled into your skull that Microsoft is one of the most evil and privacy invasive companies on the planet, so because Microsoft is evil, that must mean VS Code is evil!

Indeed, at a glance when you review the documentation for VS Code, VS Code is subject to Microsoft’s privacy policy, the same legalese privacy policy that allows Microsoft to market off your information. But there’s a few important differences between VS Code and Windows: VS Code includes a toggle for users to turn off telemetry collection. Unlike Windows, this toggle fully disables VS Code’s telemetry.

There’s no way you could know that…

Now, the keen-eyed keyboard warriors are going to pounce on this and say “Aha! But there’s no way you can actually know that!” But there is, dear commenter, and it’s the GitHub page, you know, where they publish most of the source code, including the code for the telemetry bits! “But the backend for VS Code’s extensions are proprietary!” If you don’t want VS Code to track your extensions, simple, don’t use VS Code. You can go crawl over to VS Codium, but it isn’t going to change Microsoft gets to monitor the VS Code Marketplace and all the silly AI extensions you install.

The other reason VS Code wouldn’t help is also obvious: you don’t trust the telemetry being turned off when you uncheck the box? Consider that VS Code is the IDE of choice for developers, some of whom have to be savvy enough to read the source code, and would type an angry message on Twitter and Mastodon that VS Code was spying on everyone even if the box was unchecked? Come on, use your noggin. Who knew that if you used an online service, you have to trust they won’t do anything bad?

Case 3: The Preceding Reputation

Let’s talk about the most spicy one: Ubuntu. Ubuntu has garnered a long history of being called spyware by the famous Richard Stallman (sucking his toe) and the Electronic Frontier Foundation because of the Amazon search integration into their operating system. However, Ubuntu suffers from not what they are actually doing, but they dragged their reputation was dragged through the mud for years. Ubuntu removed the Amazon searching, but continued to include an Amazon icon that would redirect people with a referral link, just like if you were to visit the description of my video and click on a link. The problem is because the Amazon incident with search queries, people held that against them.

This reputation also may have further damaged another part of Ubuntu, the introduction of operating system telemetry in Ubuntu 18.04. Now we get into the realm of what telemetry is harmful and what’s benign. Canonical’s developers have always been open about what information about what will be collected. In practice, Canonical collecting this telemetry is purely to improve Ubuntu and some fairly common settings that can’t really be used to identify people as it’s largely impersonal.

When poor Will Cooke announced this on the mailing list, people piled in complain online and how Ubuntu was continuing down a dark path, even though the data is pretty harmless. Why? Because Ubuntu 18.04 continued to package the Amazon icon and the baggage of the Amazon incident. Even though it’s pretty clear how to disable it by unchecking a box. Once again, because Ubuntu is open-source, we can verify unchecking the box does as it claims.

Playing Devil’s Advocate

But let’s wrap this up. I spoke in an entire video defending telemetry and trying to understand it, but what about the normal person? What about someone who wants to protect their privacy? If you want to help the developer and you feel that you are helping them by providing telemetry, then by all means provide them that data; it’s your prerogative.

On the other hand, you are an extremist when it comes to privacy. We’ve seen studies about how easily information can be deanonymized and it helps that the information is impersonal, but I want all the help I can get and that includes turning it all off.

And by the way, if you need to resort to using Little Snitch or Portmaster to clam up telemetry if you’re given no opt-out, maybe you should consider using something else.

Hey guys, it’s Trafotin. Everywhere across the internet, people brag about the choice of Linux, and while not too complicated, Linux actually has less choice if your someone who cares about your decisions and I’m going to unpack why in my TED talk just shy of 20 minutes.

B… BUT MY CHOICE!

People like to think their computer is in all about choice and go ahead and crucify me, choice is actually very limited and I say this as someone with a channel who needs to recommend things to others. Linux just so happens to be the desktop OS that offers the most choices, but I would argue that most of them are “fake choices” at best or serious pitfalls at worst. Let’s back that up with an example, like say, your desktop environment or window manager.

Linux has lots of desktop environments: GNOME, KDE, XFCE, Mate, Cinnamon, LXQT, and LXDE. If you’re a window manager user, there’s plenty for you too: i3, awesomewm, Sway, xmonad, bspwm, and so much more! But what if you drill down to what matters: you want a system that’s comfortable to use, secure, and efficient at getting things done.

But let’s take security for example and this “choice” starts to break down. In order to promote the “secure” Linux desktop, we need to be using Wayland. Wayland is the next generation of display management on Linux and is more secure than the legacy window system X11. So how many of what I just showed support Wayland? The answer is only 3 of them: GNOME, KDE, and Sway. It’s a hard truth and that shows there’s actually less choice because most of these desktop environments and window managers are stuck in the past.

I’m not saying it’s easy; if it was easy, people would have moved already. But some Linux users practically worship their desktop environment and it’s just gross! Look, anything that can watch movies and communicate with my friends is like gold to me. The mentality I have is one of a digital nomad; if you use something and that something isn’t keeping up with either your needs or industry/security standards, then you have to move on to something better in life. The harsh truth is most desktop environments and window managers can’t keep up with the fast pace of development, either due to lack of developers, funding, or leadership. GNOME and KDE prove you can move fast because they both have lots of developers, funding, and solid leadership. That doesn’t mean you can’t go slow, because Sway helps build up wlroots for all the Wayland users who want window managers. And it can’t mean you go too fast either, because that’s why not many people willingly package Hyprland.

Gotta Go Fast

But it gets worse. Not only do your desktop environment or your window manager matter when it comes to speed, but your packages and everything you install does too, all the way down to your operating system. That’s why I recommend to stick to rolling releases. A rolling release means you’ll always get the latest and most up to date software with their newest features.

Fedora is cutting edge of Linux desktop users and has been dead-set on revolutionizing the Linux desktop as we know it. Many things critical to Linux, Flatpak, Wayland, image-based distributions like Fedora Silverblue, and Pipewire are just some of many. Fedora has been what I have stayed with for years because of its push for innovation in the desktop space and strong defaults.

Using Fedora is why I have been a long time advocate for rolling release distributions. Fedora adopts these new technologies faster, which means your system becomes not only more usable for you, but also more secure. I daily drove Debian for years and let me tell you: having outdated, crusty packages like GNOME 3.22, which at the time had a severe memory leak that went unpatched for years), just felt wrong. No offense to Debian, it’s a joy to work with in the cloud, but for desktop usage? No thanks.

Not only that, it does a disservice to the people who work so hard to create their software, only to find out there are weirdos in the wild using ancient versions, which they don’t maintain anymore. It’s about getting close we can to what is actually given to users. We’re seeing Canonical drop support for Firefox or cups and Red Hat with LibreOffice, but supporting the Firefox or LibreOffice’s snap/Flatpak means you are getting an experience curated by Firefox and LibreOffice’s devs. It’s only better for everyone.

And I know that there’s serious distrust over “but installing feature updates will break my computer!” Guys, this fallacy was created by Microsoft because they have beta-tested updates on their users since Windows 7. Features are not bad! Features fix problems and make your life better. If you are seriously concerned about stability, check out something like Fedora Silverblue, Kinoite, or Sericea. You don’t like an update, you can always roll back if you encounter a problem AND experience the awesome new features!

What are you going to do… use Windows or Mac?

The other thing I want to seriously stress Linux is not some silver bullet. Using Linux takes away one choice and it’s a choice I’m sure is going to piss the old people who watch me off—it’s using proprietary software.

Let me speak for experience as someone who does quasi-professional video editing, photo editing, and design work. I use the Adobe products pretty regularly and I’m familiar with the Affinity suite and let me tell you, unless it was Inkscape, using the other open-source solution felt like I was handicapping myself. GIMP’s supposed “stable” version is actually more unstable than the beta and Kdenlive can’t even show you something on a screen accurately (especially with proxy clips).

But the plot thickens, because using DaVinci Resolve Studio on Linux (yes, the paid one), you’re limited in what codecs you can use because of the stupid American legal system. And don’t get me started on getting proprietary solutions like it on Linux! You might not like proprietary software (trust me I don’t either), but when it’s an action I know for a fact can be done more efficiently somewhere else, I’m going to do it there.

And this forces you to surrender to Windows and macOS again. You’re a creative type like me and you find the behavior of Microsoft worsening every day—go use macOS if it means you doing what you need to and be aware of the privacy invasion and the trap of the Apple ecosystem. You want to play Destiny 2 or Roblox without being penalized or banned or you’re an aspiring game dev? Windows is there too.

Takeaways

In the end, it’s all about what works for you. And that’s what most important after all. If you can use your computer as a tool, that’s great! But only as tool. Temper your expectations and acknowledge what you can/cannot do, but always leave the door open to learn and don’t get attached to this stuff. It’s just a bunch of text buzzing around in a computer.

Have you enabled Secure Boot on your computer? I sure have, but what is it and why it’s so important to the fabric of computing today? Why is Windows 11 pushing Secure Boot so hard? Is it a way for Microsoft to block off third party operating systems? Did someone on a forum or Discord tell you to turn it off? All of this and more as we learn together why UEFI Secure Boot should be required for everyone!

What is UEFI?

Desktop computing is exposed to constant threats in the wild and one of the worst things that could be compromised is your boot process. For something like your phone or your laptop with critical information, we want that stuff locked down tight to prevent bad guys from getting in.

In a brief (ultra-simplified) explainer, any computerized has 3 major layers:

1. Your hardware, like the device you use.
2. Your BIOS, which operates as a single point of trust to handle things like peripherals.
3. Your operating system, like Windows, macOS, or Linux, where you make changes to your computer.

While booting up a computer started off simple in the early days, it has become more complex. Previous older iterations were things like the Extensible Firmware Interfaces (EFI), which is a miniature operating system that vastly increased this capability. EFI adds that ugly interface you have hidden away that controls things like your power management, virtualization, and what not.

UEFI “unifies” the complexity of EFI, but also makes UEFI the “trusted” version of EFI. You rely on your firmware to know if your computer is properly booting and not doing something sketchy in the process. UEFI is another chip attached to your motherboard that adds cryptographic authentication your devices are running and initialized properly. We need UEFI because many corporations view UEFI as the continuation and future of EFI.

What is Secure Boot?

The added cryptographic verification presented a new frontier for device makers. Personal computing devices like your computer or your phone contain lucrative information for attackers, so the big operating system vendors invest into protecting the sanctity of your system.

This started with the Platform Initialization standard. This generates a key, typically from your motherboard’s manufacturer, which attests the firmware on your motherboard is indeed valid and has not been tampered with (there’s protections for timestamping changes, so modifications, to prevent rollbacks, and replay attacks).

Secure Boot uses UEFI’s keys and ties it to pre-baked keys from your manufacturer to add an extra layer of security against malware exploiting this boot process (it’s similar to the prebuilt keys in your browser). This validates that the operating system you boot up is precisely the intended target and there’s no malicious code burrowed in as your device boots up. There’s also a keystore with forbidden keys, where if a key can no longer be used to verify boot images, it’s added to a blacklist so they won’t ever work again.

Exploitable Firmware Interfaces

This isn’t hypothetical, because state-sponsored attacks and limited attacks in the wild take advantage of people who haven’t caught up yet despite the years that have gone on. The Chinese research company Qihoo 360 reported on (in Chinese) UEFI rootkits using the backwards compatibility modules for EFI in ASUS’s computers.

Most recently, the Russian firm Kaspersky found a rootkit yet another vulnerability targeting this backwards compatbility, once again in ASUS and Gigabyte motherboards. If you thought ASUS shorting their BIOS or Gigabyte getting their firmware backdoored, that isn’t even the worst of it!

Microsoft Vs Corporate Linux

These sophisticated attacks are nothing compared to the history tied into the way Secure Boot was presented to the public. The dreaded operating system Windows 8, under the iron fist of Steven Sinofsky, began to require “Microsoft-compliant” UEFI Secure Boot. In the classic, poorly worded style of Microsft communication from the madman, Sinofsky added just a little clause to these requirements:

In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. However, doing so comes at your own risk. OEMs are free to choose how to enable this support and can further customize the parameters as described above in an effort to deliver unique value propositions to their customers.

This last line got major Linux manufacturers seriously concerned because history has shown OEMs often cut corners to ship firmware and what if the ability to boot something other than Windows was taken away?

Papers from Red Hat and Canonical describe how the ability to write and add keys needed to be included into the Microsoft requirements so OEM keys. In the original Build blog post, Sinofsky does mention this at the beginning, contradicting the quote that got everyone so worried:

Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components… Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows

This quote provides probably the “intended” (whatever that means to you) meaning to users, “you can turn off Secure Boot, but you do so at your risk.” If you examine these carefully, you’ll see Red Hat and Canonical’s engineers don’t reject the UEFI or Secure Boot standard, but it needed to be done in an inclusive way to allow Linux users, on the server or desktop, to get Secure Boot.

Secure Your Boots Now!

To this day in comments, in places like Reddit, Discord, or 4chan, I continue to hear is using Secure Boot doesn’t work if you don’t use Windows. And while that might have been true at one point, it hasn’t been true for over a decade. I can guarantee that the vast majority of Linux users disabled Secure Boot because a guide online told them to. For example, I caught this “guide” from some guys on the Garuda Linux team telling their users to disable Secure Boot, which just borders on irresponsible because it can be done!

Not just this behavior, but also the fact Garuda automatically trusts and rebuilds some goofy fork of the AUR is reason alone you should just stay away from them.

It’s even more ironic the 2 most popular desktop Linux distributions, Fedora and Ubuntu (and their derivatives like Mint and ublue for example), have never been subject to this. Red Hat and Canonical have to cough up a one-time $99 fee to access the 3rd party Microsoft key, which ensures their users get full access to Secure Boot. This third party shim key Fedora pays for is used by the USB tool Ventoy to ensure Windows 11 and other compatible Linux distros can use Secure Boot out of the box (with a nifty guide!).

But Secure Boot on Linux breaks if you use the proprietary drivers like NVIDIA proprietary driver. In Fedora, Fedora includes Akmods, a startup script that rebuilds your packages on boot. Akmods allows you to generate your own key using openssl and sign the Linux kernel, thus allowing NVIDIA’s driver through Secure Boot correctly.

I wrote 2 little scripts based on a guide from the folks at Fedora’s RPMFusion that allows you to sign the kernel, so you too can get Secure Boot with the NVIDIA driver on Fedora. Once you enroll your keys, you reboot and can toggle some settings using mokutil to configure Secure Boot properly, by continuing with your keys. There are other methods for openSUSE’s installer and Arch Linux, but I’m not familiar enough with them.

I’m going to leave it there because instead of making strawman arguments claiming Secure Boot will lock people out, we need to accept the new standards because UEFI and Secure Boot are realities you need to wake up to. I didn’t even get into the part where Windows and Linux are just broken compared to Macs or mobile devices! So leave a like on this video. Leave a like on this video if you hated the Windows 8 era!

Verified Boot and TPM-verified boot

Desktop computing security is fundamentally broken compared to the strength of verified boot on Android and Apple devices. The advent of technologies like Intel Bootguard and Microsoft’s Pluton prove that the silver-lining of Windows 11 is PC verified boot has gotten easier than ever. However, there’s the issue of certificate verification. There’s are bypasses that require enabling third party UEFI certificates, like the ones Fedora and Ubuntu use, on Lenovo computers, but Linux now supports Secured Core computers without the need for such measures. If you use a distribution that isn’t a rolling release with an updated Linux 6.3 kernel or higher, you won’t get access to stuff like Pluton.

It’s time to learn about Flatpak and why you need to use it. Flatpak is the way to go and is going to revolutionize Linux, whether you want to or not, especially since it’s the easiest way to get things that you want. I’m going to be going over what Flatpaks even are, how to use it, and how to control what your Flatpaks do.

What are Flatpaks?

Flatpaks are sandboxed apps using bubblewrap, designed to universally work across many Linux operating systems, but specifically on desktop. Flatpak acts as a front-end for bubblewrap, which has really complex command-line arguments, and as an easy way to install packages independent of the operating system you use (a Debian user and an Arch user install the same packages together in harmony).

Since apps are sandboxed, Flatpak downloads dependencies and libraries independently, so your programs work the everywhere. Gaming on Linux is one desktop activity that greatly suffers from this, whether you’re running SteamOS, Ubuntu, Arch, you and developers will experience the agony of inconsistent results, when they could be universal. Flatpak also simulates architecture, so you can still run all your 32 bit libraries, ARM programs, or x86 games and graphics using Flatpak.

Linux Can’t Sandbox

On desktop Linux, applications are given access to daemons or allowed to access all files on your system. Ideally, your operating system shouldn’t be allow this to happen, but this is a very real problem Flatpak wants to solve, especially as Apple and Google have figured out how to do this already (with Android, ChromeOS, and iOS, MacOS has sandboxing too, but it’s opt-in for developers, so tyranny of the default).

The technology Flatpak is built to provide an answer to both of these problems. Flatpak is also integrated in major Linux app stores like GNOME Software, Discover, and pamac. Flatpak also provides a container folder which separates your data from your raw home folder, keeping your system and all the data inside organized.

Wayland Only

To take full advantage of Flatpak, you need to be using the Wayland display server. While you can use Flatpak on X11, it can’t properly sandbox applications using X11 only because X11 does not provide any GUI isolation whatsoever and will work against your security. After all, in order to future-proof our stuff, we need to use Wayland to get that sweet fractional scaling and HDR support (coming soon™).

Why Not Snaps or AppImages?

Since Linux has no sandboxing at all, you NEED to be using something that provides sandboxing. Almost every Linux distro will not do this for you.

AppImages

AppImages, another universal format that while nifty, still won’t do for you, especially since you are just trusting random packages on the internet, rather than a centralized store. This also results in the same user behavior that happens on Windows (and MacOS to a good degree) and we shouldn’t go back to.

AppImages also pack duplicate versions of programs. If you install Electron apps like the private messenger Session and the note-taking app Standard Notes, you now have duplicate copies of Electron, which eats up more space.

There are people who argue Flatpaks also duplicate on multiple different versions of libraries, but this is greatly mitigated by compression, which AppImages don’t allow for. That way, you aren’t downloading the full package.

It has also come out the main dev of AppImages is a dunce who refuses to use Wayland and to update the FUSE module to work with modern systems.

Snaps

Canonical’s snap packages also seek to solve the same issues Flatpak does, but it’s mired with problems.

• Many people don’t like Ubuntu pushing snaps or packaging Chromium/Firefox as a snap (even though Debian’s maintainers are way too taxed to properly maintain Chromium fast enough).
• Many people don’t like the concept of snap’s backend being proprietary (in my opinion this is silly because even if it was open-source, there would be no way to verify if Canonical were actually using the open-source code or not).
• Snaps auto-update and don’t allow users to disable it except through experimental settings.
• Snaps’ sandboxing doesn’t apply to legacy apps (“classic snaps”) and requires AppArmor. The sandboxing is worthless if you use SELinux or systems without mandatory access controls.
• Many people, including me, also hate that Canonical logs everything you install, which assigns a unique ID to on installation and for Canonical to do who knows what with. Anonymized statistics will always eventually be deanonymized, so it’s only a matter of time, even if it’s something like the flavor of Linux you use, the branches you enable, or the timezone you reside in. There’s no way to opt out either.

No doubt people will pick something to hate, but for me, inescapable telemetry and lack of SELinux is reason enough to give snaps a wide berth, unless you are locked into an application that absolutely needs it.

Flatpaks Are Better

Flatpak doesn’t collect any telemetry, lets you add/host your own repositories, also doesn’t require root, so it’s more secure for you to use and more convenient for desktop users who want to download their favorite applications. Flatpaks also provide a powerful permissions access system, which controls exactly what programs are allowed to access.

Flatpak may be imperfect, but some sandboxing is better than none at all.

The Cons

• Many people cite flatkill.org, which at the time, presented valid points. Unfortunately, that site hasn’t been updated in years and some of what was said then is no longer true now. However, Flatpak is still irrevocably broken because of the fact it’s built more to be a container than an application sandbox. As a result, this makes it really easy to bypass, but the devs are working on a solution.
• Flatpak’s poor security realistically could be fixed in the future through apps makers their sandboxes based on a standard (say, XDG portals) by coding their apps to distrust certain permissions by default. In fact, Whonix’s devs are working on a sandboxed app launcher and Chromium has stronger native sandboxing than Flatpak.
• Flatpak relies on every application operating off of the same libraries. This can result in dependencies not updating while some programs play catch up. Flatpak’s developers appear to be aware of this and developed an internal tool for making sure their package manifests are up to date.
• Wine and 32-bit dependent gaming needs a lot of work. While some programs like Heroic work flawlessly, I’ve seen problems with Lutris where some games will not install where they installed on the native package.
• Flatpak strongarms people into Pipewire. While there are still some edgecase holdouts, we need to be moving towards more secure defaults rather clinging futilely to PulseAudio. In fact, when I was testing Pipewire when it first came out years ago, I had far less issues in its beta state than PulseAudio.
• Some developers do not support Flatpak altogether. I had mentioned Session in the last video, but the Flatpak is not official. Many other programs fall into this category, so it’s vital you analyze the build manifest. As of the time of recording, the beta Flatpak site gives direct link to the manifest and with a teeny bit of know-how, it’s pretty easy to figure out what’s going on. Flatpak now has a pretty simple and robust verification system to mitigate this, but anything without a checkmark should be suspect.

Using Flatpaks

Forget about all this technical jargon! I’ve talked about why you need Flatpaks, some “drawbacks,” but let’s put this practice.

How to Setup & Use

First, add the Flathub remote. This gives you access to the main Flathub store.

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

Using flatpaks is also easy! Flatpak uses the same syntax as apt and dnf:

• update to update the repositories
• upgrade to run software upgrades
• install to install
• remove to uninstall
• search to search applications in your Flatpak remotes
• uninstall --unused to remove unused dependencies.

What/where should I download?

Now that we have access to Flathub, this pretty much is the whole kitchen sink to download anything we want. Of course, I do want to address a common thing I’ve read from other people online or seen in other content creators is people is something like this (first to last):

1. Distro package
2. Flatpak
3. AppImage
4. Third party repo (AUR, PPA, etc)
5. Snap
6. Tarball/provided by developer
7. Compile from source

This has been the way most people have seen packaging on Linux for a long time, but instead, I want to encourage all of us to look at this differently:

1. Flatpak
2. Snap (if you use Ubuntu)
3. Distro package
4. Tarball/provided by developer
5. Third party repo
6. Snap (non-Ubuntu)
7. AppImage
8. Compile from source

Flatpak, especially for graphical applications, needs to be your top priority as to where you download a package. Flatpak is far more flexible than many of its distro counterparts and is much robust at providing a secure window to a program without much tradeoff.

The other reason the vast majority of sandbox systems on Linux are unsufficient compared to Flatpak. Only Snap comes close, but Snaps come close and are definitely more suited for command-line programs, but if you don’t use AppArmor, the protections that Snap provides are useless. The sandboxing of Snaps is also very flawed in that the experience is only really geared for Ubuntu as you need a completely separate patch from Canonical for AppArmor to achieve acceptable sandboxing.

The Time to Say No

The other issue people need to look at is the landscape of apps in Flatpak, but consider whether or not you should use them. Here’s some of what find valid reasons to use a Flatpak:

• The application is old and never received an update to match upstream. For example, one of the packages I could never recommend to anyone in Flathub is a really old copy of Adobe Reader for 32-bit Ubuntu 12.04. While this application is an amazing achievement at demonstrating the fact Flatpak can run multiple architectures, I could never recommend running it because of Adobe abandoning the project and many unfixed security holes remain.
• Unverified applications. On the topic of unofficial applications, Flathub implements a pretty simple and reliable verification system. Basically, this means you can trust any application with a blue verified checkmark. But what happens with apps that aren’t verified? In these scenarios, you should view the “build manifest,” so you can verify what’s happening. Chances are because of new vetting processes odds of these being malicious are highly unlikely, but be cautious and read the code. If you can’t read the code, how many other people submit issues and star the manifest on GitHub? Do your best here, but odds are you will be fine.

Manage Your Permissions With Flatseal

However, if you use Flatpak, I would strongly recommend double-checking your permissions using Flatseal. Flatpak is way too permissive by default, especially it allows most programs access to whatever they ask for on install silently.

There are plenty of easy ways to use graphical programs to tweak your Flatpak permissions like Flatseal. Flatseal is a program that generates “override” files that change what programs are allowed to do on your system, stored in ~/.local/share/flatpak/overrides. If you use KDE, KDE has a built-in frontend identitical to Flatseal.

These permissions might be confusing and overwhelming, but I’m going to try my best simplify how they work:

• Network: Does GNOME Calculator or LibreOffice really need the internet, especially when Flatpak manages their updates? Audacity and Musescore adding telemetry? Let’s kill the internet for the apps that don’t need it. Most applications typically only enable it because they need it for their internal updating.
• Interprocess Communications (IPC): Allows program to read other processes and resources on your host machine. “Is not necessarily required” unless you use X11, but you shouldn’t be using X11.
• socket=pulseaudio: PulseAudio is a common vector for attack on desktops, since it grants access to your microphones if it’s being used by another application. Applications that don’t need to play audio (e.g. LibreOffice and ONLYOFFICE for example), should have this revoked.
• filesystem=: make sure you want your program to choose what folders it can access. Look out for global accesses and selectively pick folders to add using “Other files” in Flatseal.
• device=all: Don’t want an app accessing PCI and USB devices, like your webcam? Limit this, but it is needed if you use security keys, webcams, microphones, etc.
• Fallback to X11: As X11 is a legacy technology, we should avoid it like the plague. Older applications like Chromium/Electron-based applications, Krita, and Minetest still need it, but applications like OBS, LibreOffice, KeePassXC don’t because they support Wayland natively; just experiment with what works.
• talk-name=org.freedesktop.secrets: D‑Bus access to secrets stored on your keychain, like say, your GNOME Keyring or KDE Wallet data. This is needed for Chromium/Electron-based apps.

Takeaway

But what’s the point of this discussion? Why are you even covering this? Because you need to use Flatpak because secure solutions need to be easy otherwise people aren’t going to use them. Flatpak truly makes it easy and brings the Linux desktop one step forward to being that much greater.

I’m going to go out on a limb here and strongly recommend you install as many of your applications as Flatpaks. In fact, go uninstall your applications that have Flatpak versions, move your config folders to the Flatpak sandbox, and embrace the future as we wait for the next best thing.

More Resources:

• Setting up Flathub on various distros
• Flatkill (2019-2020) discusses how the default permissions set by Flatpak need to be more strict.
• Response to flatkill.org, TheEvilSkeleton’s rebuttal for Flathub not addressing security advisories.
• Flatpak gives complete access to /proc and /sys by madaidan
• Flatpak Command-Line Overrides, by the official documentation
• rusty-snake’s Flatpak overrides
• tommytran732’s flatpak overrides
• How does Flatpak handle security?

I started researching someone who had a quick answer to my problem and you’ll get plenty I covered before: Canva, Adobe Express, and Microsoft Designer. But I just want a simple prefabricated post background and I don’t want to interact with all of these subscription, always online (watching and listening) services to do this!

But turns out the answer I was looking for was one of such evil online services. Yes, more evil than Adobe! More evil than Microsoft–Facebook.

Facebook lets you add a background to your post, but what they are really doing is taking the text of your post and overlaying it on top of an image. And when I saw that, that’s when I knew this is what I wanted. The problem is using such a feature requires a Facebook account, where you use your real name(not your native or “chosen” name), an email, a (non-VOIP/Google Voice) phone number, and a picture of you holding your passport or driver’s license because “the future is private.”

I know that we don’t exactly have the strongest reputation on privacy right now, to put it lightly.

Mark Zuckerburg, Facebook F8 2019 Day 1 Keynote | 5:13

I decided to accomplish this by writing this as a shell script. There’s no need for a dedicated program or low level languages here, so why reinvent the wheel? The game plan is this:

• have a library of stock images or preset media
• Feed image into sdtin for ImageMagick.
• use ImageMagick to generate the specified text I want
• Overlay text on top of the stock image

Convert Image to Specification

First, social media platforms have image specifications. This is where it’s important we convert our image to get the aspect ratio correct. Many social media platforms often specify your images are at least 1080p and preferably square, but why? On mobile devices, which is where most users actually view images, images that are 16:9 or 19:10 are acceptable, but they get cut off because of the screen sizes of phones. As a result, post photos on social media uses a 1:1 aspect ratio.

(For example, movies like the Dark Knight have its action scenes shot in IMAX, which closer fits 16:9, but TV shows like Homecoming have its flashback scenes shot in 1:1.)

So let’s break down some of what we can do with ImageMagick. ImageMagick is a command-line tool for manipulating images. Now before you think you’ve never used ImageMagick before, odds are you have in a different way. If you use or visited a WordPress website (which is 25% of the internet btw), WordPress features integrations for resizing its images with ImageMagick.

Note for Windows users, you need to append magick.exe to the beginning of all of these commands and make sure ImageMagick is in your Powershell path. You could also use WSL.

I downloaded the Deepin wallpapers, which they use photos from Unsplash, a royalty free image sharing site. I also wrote a command to size down each photo to meet the 1:1 aspect ratio.

In ImageMagick, this is a simple “resize” command, then cropping off the edges:

convert "$1" -gravity center -crop 2000x2000:0:0 -resize 1080x1080 fbbkg_background.jpg

This preps the user’s image to meet those 1080x1080 standards, cropping the sides, and maintains the center of the image. I’ll also admit this is fulfill my needs. This script will look weird if you use an image smaller than 1080p, but you shouldn’t be uploading blurry photos to social media…

Generating Text in ImageMagick

Next, we’re going to be generating some text. While ImageMagick has many ways to generate text, many of them often do not support text wrapping, because if you don’t the text is going to trail off the image.

convert -background transparent -font Source-Sans-3-Bold -size 490x480 -fill white -strokewidth 2 -stroke black caption:"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magnam aliquam quaerat voluptatem."

• -background transparent The text needs a transparent background before it’s layered on the background image.
• -gravity center This ensures the text is centered in the image.
• -font Source-Sans-3-Bold I use Adobe Source Sans 3 when I do hard subtitles in my YouTube Shorts, but you can pick a different font using identify -list font then change this to whatever font you want, under “Font: your font.”
• -size 480x480 This is the size of the image with the generated text. Ideally, it needs to be smaller than 1080x1080 and sit right in the center of the image.
• -fill white The text itself will be white as white is more visible in most scenarios. ImageMagick has lots of different preset colors and you will need to consult their documentation’s list.
• -strokewidth 2 The text itself will be given a 2 px outline.
• -stroke black The text outline is black #000000.
• caption: your caption The text we’re putting into the image.
• at the end at the name of your image. I’m using PNG as the file extension, but you could also use WEBP. This won’t work on image formats that don’t support transparency like JPG and GIF.

Overlaying the Images

Now we have 2 images: the text and the background. Let’s overlay them using the composite command.

fbbkg_name="$1"
composite -gravity center text_fbbkg.png "$1" "${fbbkg_name%.*}-fb.jpg"

Apple is a company with big goals and ambitions: they are the largest smart phone marketshare in the United States, they have been dumping money into AR headsets and electric cars people might not want, and to kill off the right to repair! That’s right everyone, we’re going to be doing the unthinkable–reviving an old 2015 Macbook Air and installing Linux. Apple may have abandoned it, but I won’t, at least my friend won’t!

8 Years Later

First things, some background. The 2015 Macbook Air was released at the beginning of 2015 and came with El Capitan.

(Ah yes, the day Epic Games bragged about Fortnite on Apple computers…)

There’s also multiple physical issues from over the years:

• The down arrow key is missing, but the key works fine.
• The hinge for the screen has also seen some wear and tear as the years have gone on.
• There used to be layers of masking tape on this thing left by their previous “IT guru” who left warnings in all caps saying things like “DO NOT UNPLUG” or whatever. I removed them all for the purposes of this video and they know not to unplug it.

The battery is also bulging out of the case so hard, the casing is also damaged. I’m actually going to have to get those proprietary Apple screwdrivers to remove the case and unplug the battery, because this battery is a fire hazard waiting to happen!

Even though this is a laptop, the battery is thoroughly damaged beyond repair and this thing will need to be plugged in at all times anyway, so removing the battery isn’t that much on an issue. My friend treats this more like a desktop anyway.

This particular laptop I have has received as many software updates as possible and runs Monterey and this is the last version of macOS this poor thing can run. In fact, this computer is on death row. Apple is going to kill off Monterey any day now, especially since Monterey is 2 releases behind Ventura.

Let’s Install Linux

It’s time to leave MacOS behind and install Linux!

Difficulties

Installing Linux isn’t without its problems. First, the very fact that this is Apple hardware makes this an uphill battle. We’re going to be fighting with the firmware. Apple is killing off all support for this device and we will lose access to the ability to reinstall MacOS over Wi-Fi to unsigned versions of MacOS. I tested this on this computer when it was running Sierra.

Apple hardware is also very finicky. Apple uses largely Broadcom chipsets for Wi-Fi and cameras, but they’re custom cards. Thankfully, Broadcom’s drivers are much more usable than they used to be, but it depends highly on what distro and how up to date it is. The webcam does not work at all on Linux, but shockingly, the microphone functions fine. This is because Apple uses a customized Broadcom chip and FaceTime is that sacred.

Cutting Up the Apple

Now you might think you could reinstall the Recovery OS, but you can’t, since it’s tied to the drive. You also can’t boot using Apple’s weird EFI boot thing because it uses an incompatible filesystem (and yes, I’m aware you could build a kernel patch, but poor friend isn’t going to keep up with this if it breaks). This is why all security bets are off, because our access is going to be cut off if the disk is wiped or corrupted, so we need to disable those necessary and now pesky Apple features.

The first thing we need to do is boot into Recovery on MacOS.

System Integrity Protection

You can access the Recovery OS by doing ⌘ + r when you hear the boot chime. From here, we need to disable System Integrity Protection (SIP). Since our god Apple has forsaken us, disabling SIP is necessary to minimize interference from Apple on what Linux is doing.

In Recovery, click on Utilities, then Terminal. Then run csrutil disable.

Firmware Password

We need to also disable the firmware password. There’s not going to be a way to configure the firmware password without MacOS. The firmware password also hampers the boot process, especially with non-Apple bootloaders. As my friend is victim to default settings, they did not set a firmware password.

In Recovery, click on Utilities, then Startup Security Utility. Then follow the prompts to disable your firmware password.

Use MacOS to create a copy

As a failsafe, you can create a MacOS boot drive using a USB drive with previous versions of MacOS. I have a Monterey USB in the bag in case I mess up somewhere or need to reinstall MacOS.

Apple has a nifty guide on precisely which command you need for which OS.

Which Distro?

Now we come to a conundrum: what distro to install? Here’s what I tested:

• Fedora: Broadcom Wi-Fi is very spotty and putting the computer to sleep doesn’t work. The Fedora 37 installer also fails and will not proceed. This is unacceptable and apparently has been going for since the launch of Fedora 37. No way I’m telling my friend to write a custom grub entry.
• openSUSE Tumbleweed will install correctly and the Broadcom drivers function great. The problem is closing the lid will cause the computer to perpetually show a black screen. This is also not good, but still better than Fedora.
• Arch: This probably works, but no way I’m giving Arch to my normie friend. I hear Manjaro runs fine, which instead of using that dumpster fire, use Arch instead.
• Debian: Sleeping doesn’t work and proprietary Broadcom Wi-Fi drivers will not reconnect after an hour when I tried it a few years ago. It’s not very usable.

None of my favorite distros work for what I need! But you don’t want to hear what doesn’t work! What does?

Ubuntu

I know this might come as a shock despite how hard I found the best was Ubuntu. The installer correctly identified all the drivers and while I haven’t tested the new Ubuntu installer based on Flutter, if the Ubiquiti works this well, I’m sure it’s pretty good with the Flutter one. Ubuntu seemingly has a lot of polish around the Mac and everything except the webcam works great.

Prep Your USB

While this week might be Ubuntu release day, I’m going to be installing the LTS, not interim release 23.04. Since we’re stuck using a stable distribution, it’s better anyway as we are in the Canonical ecosystem.

As a preface before going in, you might bust out that Ventoy USB with all your favorite Linux distros in it, The problem is Ventoy is fundamentally incompatible with Apple firmware, so you can’t use it to boot into anything, even with SIP disabled and no firmware password. You’re going to have to boot through USB on this one.

Also, I didn’t go down the rabbit hole of alternative bootloaders, like rEFInd, Clover, and OpenCore. If you do choose a custom bootloader, do it before you blow macOS away. I’m also not talking about some custom patches.

Make My Mac Normie Proof

• Disable Ubuntu telemetry
• Configure update-manager, apt, and snap to auto-update everything
• A lot of people don’t like Snaps, but I want to strongly recommend against removing it. Although Snaps have many problems, Snaps are still superior to using unsecured native packages. The Ubuntu Software Store is also the hub where you control all of your Snap permissions, so you want to keep that too.
• As an addition, I dropped in the GNOME Software. GNOME Software defaults to Flatpak and I would like to push my friend in this direction. It also supports installing apt and Snap packages.
• I installed the Brave Browser and configured it to a basic level.
• I installed ONLYOFFICE and VLC to play videos and open office documents.
• AppArmor

Hey everyone! You know, a funny thing happened to me on the way home today. I ran out of content, that’s what! So I decided that I like pain, so let’s install Alpine Linux as a desktop environment!

For those who don’t know, Alpine Linux is a distribution that prides itself in being incredibly minimalist. There’s no graphical installer, they don’t include the core GNU utilities, and they also use the BSD equivalent of sudo doas.

As a result of being incredibly stripped down, Alpine is generally used in the development of containers, but who told you you couldn’t use it as a desktop OS? I want to, gosh darn it! I want to perpetuate the meme and clown all those FSF zealots!

“I use Alpine, a distro that doesn’t include the GNU coreutils, or any other GNU code. It’s Linux, but it’s not GNU+Linux.”

Luke Smith, Schooling a Beta GNUtard on Linux

In all seriousness, I got a nasty idea in my head. A constant meme is perpetuated by online Linux circles is begging people to use things like Void Linux or Gentoo. And when I began to consider the systemd-free distributions. The fact of the matter is it is far easier to use systemd than to use something like openrc (Alpine’s alternative) and many applications are built around it. The documentation is way better and it sees very active development.

That being said, on a security perspective, systemd does too many things, more than what most desktop users or admins need on a daily basis. This isn’t to systemd is inherently bad. Controversy on the internet travels quickly and lives a long time, and there are still people who resist this to this day for the wrong reasons. The beauty of open-source is you have the choice not to use it.

First, I’m not using Gentoo, because I am not waiting 16 hours for a minor update to compile. Binary distributions all the way!

Second, with distributions like Devuan, Void, and Artix, it’s difficult to pinpoint how widely used these distributions actually are and whether they get the love and attention your operating system needs (No offense, but I might look at them in the future).

Alpine Linux is the only distribution that fits most people’s needs in this regard. It’s a minimal, binary distribution with biannual releases, but there’s a surprising number of packages in its repositories to get some work done. You can still browse the web, watch videos, or edit documents; practically anything you could do on desktop Linux is available to you. Except for:

• Gaming (at least optimally)
• GPU acceleration that isn’t integrated (Nvidia only supports glibc not musl, AMD requires Gentoo hacks)
• Running in a virtual machine as a desktop OS. I can’t get spice-vdagent to work and good luck with VirtualBox
• Programs that require systemd

Installing Alpine

If you are using Alpine on a virtual machine as a desktop user, I strongly recommend picking the standard ISO. While you might be tempted to pick the virtualized install, it’s so stripped down, you won’t be able to use copy/paste or drag/drop with Spice or have any other major kernel features out of the box.

1. On boot, hit Enter to proceed with booting
2. Login as root. There’s no passphrase.
3. We’re going to run setup-alpine. This is a command-line installer for Alpine Linux.

setup-alpine

Alpine’s command-line installer actually bridges together multiple other scripts that automate the process of building your system. I have them as headings here as a bit of insight to what’s happening.

setup-keymap

• Select your keyboard layout by country code. Mine is us.
• Select your keyboard variant. Mine is us.

setup-hostname

• Enter system hostname. For a desktop user, the default of localhost is fine, but you can change this whatever you want.
• Next, we need to connect to the network by selecting an interface. I always use wired eth0, but Alpine’s kernel should have the priorietary blobs necessary to get Wi-Fi to work.
• Choose dhcp (default) for a dynamic IP.
• Additional configuration?

usermod & passwd

Create a passphrase for your root user. Don’t worry about this one, because we’re going to lock the root user later.

setup-timezone

• Press ? to see what timezones are available and pick the one that’s applicable for you.
• I live in the US, so I’m going to pick America/
• Next, the installer will ask for a sub-timezone. This is the area you live in.
• I live in the East Coast, so I’m going to pick New_York.

setup-proxy

I don’t use a proxy, but you can configure one here (Default: none).

setup-apkrepos

Alpine will now show various mirrors for their repositories. You can select a number here for a specific one, press f to choose the fastest, or press r for a random one.

Standard user

I’m going to set up a standard user account, where I can do my daily activities. I’m going to pick user, but you can put whatever you want here; it’s your username.

Next, it will ask for your passphrase and make this passphrase a good one.

setup-sshd

I’m not going to be using SSH, but you can set it up here.

setup-disk

• Choose the desired volume. Mine is vda.
• Choose your desired volume type. If you are using a virtual machine, you can select the default of sys. However if you are using a physical computer, I strongly recommend choosing cryptsys, which is the encrypted LUKS install, which will protect your computer in the event of seizure or theft.
• Type in your passphrase at the prompts.

Post-Installation

Now we can reboot into our new system using reboot. Now enter in your encryption passphrase if you have one, since you’ll need to do this when you boot up. First, we’re going to log to our root user and get our stuff set up.

APK Updates

Alpine uses the apk package manager (Alpine Package Keeper), which is pretty basic, so you need to hold its hand a little bit.

• apk update to update the package list.
• apk upgrade --available to install any upgrades.
• apk add <package> to install a package.
• apk del <package> to uninstall a package.

I prefer to use vim instead of vi, but you can do whatever works for you.

Rootless User With doas

By default, Alpine does not install sudo, but we’re going to opt for doas, as it is more minimal. Remember, I chose user as my username, so you need to choose your username.

adduser user wheel
apk add doas

Now, we need to logout of our root user and into our user account, now with freshly minted doas privileges by typing exit.

On logging into the user account, we now have reduced privileges and we are able to run commands with doas. Now we need to lock the root account, so nobody can just abuse it.

doas passwd -l root

Installing a Desktop Environment

As Alpine is largely used on servers, we need to add the community repository to gain access to desktop packages. With doas, we can edit the line with the community mirror.

doas vim /etc/apk/repositories
doas apk update

You’ll know it worked when the package count leapt from ~4000 to ~17000.

Alpine does not have a wide selection of desktop environments, but they support:

• GNOME
• KDE Plasma
• Sway

I’m going to pick GNOME as GNOME on Alpine doesn’t require using Xorg, since we should all be moving to Wayland. To be clear, installing GNOME, KDE, or Xfce doesn’t install a minimal package; it installs some other things too.

Run the following command to setup your desktop. We also need NetworkManager, . Afterwards, we’re going to reboot and start those new services.

doas setup-desktop [gnome]
doas apk add bash bash-completion networkmanager-wifi
doas reboot

Niceties

The following are things I have tested out.

Debloating GNOME

Let’s debloat GNOME.

doas apk del firefox
doas apk add evince eog nautilus alacritty vlc

Flatpak

Now let’s setup Flatpak with some of the packages we need, which provides a whole host of apps that never would be in Alpine’s repos anyway.

doas apk add flatpak
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install flathub org.mozilla.firefox

Pipewire

There’s no sound out of the box, so let’s install PipeWire.

doas addgroup user audio
doas addgroup user video
# If you installed a desktop environment
doas apk del pulseaudio 
doas apk add pipewire wireplumber pipewire-pulse

AppArmor

There’s no mandatory access controls in Alpine, so we need to install it ourselves.

doas apk add apparmor apparmor-utils apparmor-profiles

Next we need to review our Linux security modules (LSM).

cat /sys/kernel/security/lsm

Then we’re going to edit the boot configuration to override the default LSM files. It’s important you copy /sys/kernel/security/lsm and put whatever you saw there, with

doas vim /boot/extlinux.conf

lsm=landlock,yama,apparmor

Now start AppArmor on boot:

doas rc-service apparmor start
doas rc-update add apparmor boot

Finally, verify AppArmor is working.

doas aa-status

If this is good, then set all available profiles into enforce mode. If you use any of these applications, set them into complain mode if they give you problems or write your own configuration.

doas aa-enforce /etc/apparmor.d/*

Spice Agent

I haven’t figured out how to get Spice working properly on Alpine. If someone knows, let me know down in the comments on YouTube or Odysee.

Long time viewers of the channel know I don’t talk about my current setup. I started using KDE Plasma a couple months ago and I’ve been incredibly impressed with how just a little bit of setup, KDE Plasma has become my desktop environment of choice.

Why KDE?

The last time I daily drove KDE was 6 years ago. I ran a setup much like MacOS and was a big Latte Dock user (rest in peace Latte Dock). KDE is also a powerhouse in desktop Linux, coming strong through things like Valve’s Steam Deck or as the flagship in SUSE’s desktop spins. KDE is one of the oldest desktop environments in Linux, receiving funding from Google, Canonical, and Tuxedo.

Long time viewers will know I previously used the Awesome window manager and GNOME on camera in the past, but I’ve never gotten into detail about this change. I also have an Nvidia graphics card (specifically the Nvidia 1080 TI) and have been seeking the next thing that runs it the best. I want to advocate for using what works for you, but at the same time, we need to be looking towards the future.

Wayland & Nvidia

The truth is most Linux desktop environments or window managers are not prepared for the future or don’t see enough development. One of the major reasons I switched was Wayland. Along with GNOME and Sway, KDE promotes and supports the Wayland display protocol, a secure and cleaner display system for the modern age.

Many other desktops just are not prepared for Wayland and part of future-proofing our stuff is using software that promotes future technologies. Wayland is more secure and we need to use as much as possible especially since XOrg’s development has hit an all time low.

Now the eagle eyed among you will know Nvidia is a massive pain on Linux. But in reality, I had to make zero changes to get KDE to accept the proprietary driver. What shocked me the most was I had experimented with KDE months ago and Nvidia was not functional at all. It truly is a “it just works” situation!

Of course, this might be because I have an incredibly common computer. I frequently get asked what my computer is, and if you want to know, go look up the Cyberpunk 2077 benchmark computers. Basically, I have that and 32 GB of RAM and Fedora 37. Your mileage may vary. If you are using an older KDE version on another stable distro, do not expect Wayland to work with Nvidia.

Tiling Windows

Every nerd loves a tiling window manager, but while I initially wanted to use the Sway window manager, they refuse to support the proprietary Nvidia driver, so they’re off the table. That sent me crawling over to GNOME, where you can use System76’s GNOME extension, Pop Shell. I’ve never covered it in depth, but it adds a sort of “pseudo-tiling” functionality to GNOME. I’ll freely admit using Pop Shell in its current state is an objective downgrade from using a tiling window manager, but I wanted to experience Nvidia and Wayland, for content of course!

But System76 rocked the Linux desktop space by announcing the creation of their own desktop environment, Cosmic. This actually got me worried because if System76 is going to drop GNOME soon, what’s going to become of the state of Pop Shell GNOME extension?

A talk by Victoria Brekenfeld, where she discusses smithay, PopOS’s custom Wayland compositor.

Yes, I am aware that System76 wants to support Wayland and Nvidia, but it’s going to take time for that to propagate through Linux distros repositories. For perspective, it took years for Arch Linux and Fedora’s maintainers to package ElementaryOS’s Pantheon desktop environment when it first came out. Plus there’s the risk Cosmic will suffer the same fate Unity did at the hands of Canonical.

On the other hand with KDE, KDE has pledged to support a new API to allow built-in window tiling without the assistance of an extension. This functionality is now in KDE, but developers still need to catch up, so I’ve been using bismuth, the most popular extension for tiling, which also has a .RPM package in Fedora.

Moving from Pop Shell to Bismuth is night and day. Pop-Shell requires you press a set key, like Super + Shift + Enter to enter a “window moving” mode, then another key to move your windows around (default hjkl). It’s a lot of keystrokes and moving to Bismuth requires I only press 1 shortcut to shuffle windows around.

Since Bismuth is around and KDE has added new APIs to support window tiling, I can now rest assured that nobody is going to touch my window tiling!

In defense of Pop Shell, this is likely a limitation of GNOME.

Customization

GNOME has treated me well and I can still say that I still has one of the stable desktop experiences out there. But a lot of people, including myself, don’t like having work around GNOME having their own vision, particularly when that vision doesn’t align with my own.

For example, you can’t export your GNOME keybindings through the GUI. Instead, you run this dconf command to output the keys into a file.

dconf dump /org/gnome/settings-daemon/plugins/media-keys/ > keys.txt

Then you need to load the same keys again on the new device.

cat keys.txt | dconf load /org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/

I respect GNOME for what it is, but I don’t want to have to fumble through dconf to figure out I have to do when at least with KDE, while their settings menu is confusing, at least it’s search-able. They also let you set a default terminal (unlike GNOME), have more than 4 desktops accessible via keybindings, and native tiling windows.

KDE also lets you customize your desktop to a great degree. I always gravitate to the Unity layout (Ubuntu Unity) since it makes better use of the short-end of the screen, but I stopped because of the way my multi-monitor setup works. My current setup is more similar to Windows 11, but instead of nagging from the weather widget, I have a visual list of all my desktops.

The KDE Ecosystem

I tried out each various programs from the KDE ecosystem:

• Dolphin has improved a lot and even has the ability to mount Apple devices via GUI, which only GNOME used to be able to do previously. Dolphin also has better thumbnailing for non-standard files, but you need to install ffmpegthumbs on Arch or Fedora.
• Spectacle also lets you annotate or draw on top of screenshots as well as record native Wayland sessions, which is an absolute functionality win compared to GNOME Screenshot.
• Discover now has direct links to a project in the repos, which is something GNOME Software doesn’t have. However, Discover’s auto-update feature is so resource intensive that I just deleted PackageKit and Discover altogether out of annoyance.
• I tried using Kmail, but as a creature of habit I went back to using Mozilla Thunderbird.
• KColorChooser is one of the few standalone color pickers on Wayland that I know and it’s very functional.
• KDE Partition Manager, while native to KDE, still feels inferior to GNOME Disk Utility. GNOME Disk Utility is more intuitive, doesn’t require root privileges on startup, and lets you burn ISOs to devices.
• Okular lets you sign documents (even if the method is really convoluted)
• KCalc doesn’t connect to the internet (did you know GNOME Calculator connects to the internet to get real-time currency conversion rates?)

Caveats

I’m going to briefly going to touch upon some minor issues now.

• KDE 5.26 has errors when you log out and your computer will be a black screen. I have replicated this on both X11 and Wayland, but 5.27 has fixed it. However, 5.27 is only being shipped in Arch Linux right now.
• Firefox on Wayland requires a special flag on KDE and using your distro’s native package or the Snap will give you problems. If you use the Flatpak and add the environment variable MOZ_ENABLE_WAYLAND=1 in .bashrc/.zshrc, it will work fine.
• Copy/pasting in (Neo)vim requires you install wl-clipboard as vim defaults to xclip rather than a native Wayland solution.
• DaVinci Resolve does not display window decorations. It doesn’t mean much to me as a tiling window manager user, but if I was using KDE as a floating window manager, I’d be upset.
• Chromium/Electron apps, like Signal or Brave, and Zoom cannot share your screen. This is because XDG Portals, a standard in the XDG Desktop, isn’t yet supported.
• OBS works as long as you are using Pipewire and you add the environment variable (You should be using Pipewire because it’s more consistent and secure than PulseAudio)
• Night light filters do not work on Wayland, not on KDE nor GNOME.
• Mixing GNOME and KDE apps does not look good. Same criticism applies for GNOME.
• Windows that don’t use their own icons will default to using XOrg or Wayland icons, depending on which display system they use.

Long time viewers of the channel know I don’t talk about my current setup. I started using KDE Plasma a couple months ago and I’ve been incredibly impressed with how just a little bit of setup, KDE Plasma has become my desktop environment of choice.

Why KDE?

The last time I daily drove KDE was 6 years ago. I ran a setup much like MacOS and was a big Latte Dock user (rest in peace Latte Dock). KDE is also a powerhouse in desktop Linux, coming strong through things like Valve’s Steam Deck or as the flagship in SUSE’s desktop spins. KDE is one of the oldest desktop environments in Linux, receiving funding from Google, Canonical, and Tuxedo.

Long time viewers will know I previously used the Awesome window manager and GNOME on camera in the past, but I’ve never gotten into detail about this change. I also have an Nvidia graphics card (specifically the Nvidia 1080 TI) and have been seeking the next thing that runs it the best. I want to advocate for using what works for you, but at the same time, we need to be looking towards the future.

Wayland & Nvidia

The truth is most Linux desktop environments or window managers are not prepared for the future or don’t see enough development. One of the major reasons I switched was Wayland. Along with GNOME and Sway, KDE promotes and supports the Wayland display protocol, a secure and cleaner display system for the modern age.

Many other desktops just are not prepared for Wayland and part of future-proofing our stuff is using software that promotes future technologies. Wayland is more secure and we need to use as much as possible especially since XOrg’s development has hit an all time low.

Now the eagle eyed among you will know Nvidia is a massive pain on Linux. But in reality, I had to make zero changes to get KDE to accept the proprietary driver. What shocked me the most was I had experimented with KDE months ago and Nvidia was not functional at all. It truly is a “it just works” situation!

Of course, this might be because I have an incredibly common computer. I frequently get asked what my computer is, and if you want to know, go look up the Cyberpunk 2077 benchmark computers. Basically, I have that and 32 GB of RAM and Fedora 37. Your mileage may vary. If you are using an older KDE version on another stable distro, do not expect Wayland to work with Nvidia.

Tiling Windows

Every nerd loves a tiling window manager, but while I initially wanted to use the Sway window manager, they refuse to support the proprietary Nvidia driver, so they’re off the table. That sent me crawling over to GNOME, where you can use System76’s GNOME extension, Pop Shell. I’ve never covered it in depth, but it adds a sort of “pseudo-tiling” functionality to GNOME. I’ll freely admit using Pop Shell in its current state is an objective downgrade from using a tiling window manager, but I wanted to experience Nvidia and Wayland, for content of course!

But System76 rocked the Linux desktop space by announcing the creation of their own desktop environment, Cosmic. This actually got me worried because if System76 is going to drop GNOME soon, what’s going to become of the state of Pop Shell GNOME extension?

A talk by Victoria Brekenfeld, where she discusses smithay, PopOS’s custom Wayland compositor.

Yes, I am aware that System76 wants to support Wayland and Nvidia, but it’s going to take time for that to propagate through Linux distros repositories. For perspective, it took years for Arch Linux and Fedora’s maintainers to package ElementaryOS’s Pantheon desktop environment when it first came out. Plus there’s the risk Cosmic will suffer the same fate Unity did at the hands of Canonical.

On the other hand with KDE, KDE has pledged to support a new API to allow built-in window tiling without the assistance of an extension. This functionality is now in KDE, but developers still need to catch up, so I’ve been using bismuth, the most popular extension for tiling, which also has a .RPM package in Fedora.

Moving from Pop Shell to Bismuth is night and day. Pop-Shell requires you press a set key, like Super + Shift + Enter to enter a “window moving” mode, then another key to move your windows around (default hjkl). It’s a lot of keystrokes and moving to Bismuth requires I only press 1 shortcut to shuffle windows around.

Since Bismuth is around and KDE has added new APIs to support window tiling, I can now rest assured that nobody is going to touch my window tiling!

In defense of Pop Shell, this is likely a limitation of GNOME.

Customization

GNOME has treated me well and I can still say that I still has one of the stable desktop experiences out there. But a lot of people, including myself, don’t like having work around GNOME having their own vision, particularly when that vision doesn’t align with my own.

For example, you can’t export your GNOME keybindings through the GUI. Instead, you run this dconf command to output the keys into a file.

dconf dump /org/gnome/settings-daemon/plugins/media-keys/ > keys.txt

Then you need to load the same keys again on the new device.

cat keys.txt | dconf load /org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/

I respect GNOME for what it is, but I don’t want to have to fumble through dconf to figure out I have to do when at least with KDE, while their settings menu is confusing, at least it’s search-able. They also let you set a default terminal (unlike GNOME), have more than 4 desktops accessible via keybindings, and native tiling windows.

KDE also lets you customize your desktop to a great degree. I always gravitate to the Unity layout (Ubuntu Unity) since it makes better use of the short-end of the screen, but I stopped because of the way my multi-monitor setup works. My current setup is more similar to Windows 11, but instead of nagging from the weather widget, I have a visual list of all my desktops.

The KDE Ecosystem

I tried out each various programs from the KDE ecosystem:

• Dolphin has improved a lot and even has the ability to mount Apple devices via GUI, which only GNOME used to be able to do previously. Dolphin also has better thumbnailing for non-standard files, but you need to install ffmpegthumbs on Arch or Fedora.
• Spectacle also lets you annotate or draw on top of screenshots as well as record native Wayland sessions, which is an absolute functionality win compared to GNOME Screenshot.
• Discover now has direct links to a project in the repos, which is something GNOME Software doesn’t have. However, Discover’s auto-update feature is so resource intensive that I just deleted PackageKit and Discover altogether out of annoyance.
• I tried using Kmail, but as a creature of habit I went back to using Mozilla Thunderbird.
• KColorChooser is one of the few standalone color pickers on Wayland that I know and it’s very functional.
• KDE Partition Manager, while native to KDE, still feels inferior to GNOME Disk Utility. GNOME Disk Utility is more intuitive, doesn’t require root privileges on startup, and lets you burn ISOs to devices.
• Okular lets you sign documents (even if the method is really convoluted)
• KCalc doesn’t connect to the internet (did you know GNOME Calculator connects to the internet to get real-time currency conversion rates?)

Caveats

I’m going to briefly going to touch upon some minor issues now.

• KDE 5.26 has errors when you log out and your computer will be a black screen. I have replicated this on both X11 and Wayland, but 5.27 has fixed it. However, 5.27 is only being shipped in Arch Linux right now.
• Firefox on Wayland requires a special flag on KDE and using your distro’s native package or the Snap will give you problems. If you use the Flatpak and add the environment variable MOZ_ENABLE_WAYLAND=1 in .bashrc/.zshrc, it will work fine.
• Copy/pasting in (Neo)vim requires you install wl-clipboard as vim defaults to xclip rather than a native Wayland solution.
• DaVinci Resolve does not display window decorations. It doesn’t mean much to me as a tiling window manager user, but if I was using KDE as a floating window manager, I’d be upset.
• Chromium/Electron apps, like Signal or Brave, and Zoom cannot share your screen. This is because XDG Portals, a standard in the XDG Desktop, isn’t yet supported.
• OBS works as long as you are using Pipewire and you add the environment variable (You should be using Pipewire because it’s more consistent and secure than PulseAudio)
• Night light filters do not work on Wayland, not on KDE nor GNOME.
• Mixing GNOME and KDE apps does not look good. Same criticism applies for GNOME.
• Windows that don’t use their own icons will default to using XOrg or Wayland icons, depending on which display system they use.

One of the coolest staple operating systems to always have in your toolkit is Whonix. Whonix has always been one of my personal mainstays in my arsenal of Linux operating systems, especially since it’s so different. So strap yourselves in, since people love them distro reviews, let’s learn about Whonix.

What is Whonix?

Whonix is not your traditional Linux operating system. Most people install Linux on real computers, virtual machines, or servers, but Whonix exclusively works on virtual machines. Also it requires that your computer supports virtual machines, and not just 1, but 2.

Whonix is incredibly distrustful of their “Workstation” virtual machine, which is where you conduct all the normal activities that you’d expect to do on Linux. To protect your privacy (and from all those loser sellouts with VPN sponsors), Whonix filters everything through the Tor network using a second lighter-weight virtual machine, the Gateway virtual machine.

Now if you were running Whonix with just one virtual machine, a virus or phishing email could in theory turn off the anonymity protections that Tor gives you, and deanonymize you. In fact, we know this has been done before by companies and governments in targeted attacks before.

Even if it was a child predator, Facebook is so messed up that they are willing to pay for 6 figure research to develop a cyber weapon for a government agency.

By using multiple virtual machines, malicious programs can’t just “turn off” Tor, they need to get past the virtual machine system you use, KVM or VirtualBox. In fact, if you use KVM, which I covered on the channel before, companies like Red Hat, Google, and Amazon have a vested interest in preventing people from doing just this to their data centers.

So you need to have not the most amazing computer, but one decent enough to run 2 other operating systems. And if you are going to use it, you can’t use an Apple Silicon Mac, and you need to use Linux and KVM to make the most out of it.

Another oddity for people who know me well is Whonix is based on Debian. The Whonix developers have mitigated a lot of the security issues that exist in Debian’s default installation and implemented further kernel hardening measures on top of it; so in my mind, if you’re going to use Debian, this is one of the ways to use it best.

Installation

Whonix has a page for installing VirtualBox, but I want to focus on KVM, which stumped me years ago getting into it. Whonix’s current KVM maintainer, HulaHoop, provides very in-depth instructions based on operating system.

Downloading the .QCOW files

Download Whonix Xfce.

Verify you received the authentic archive using the OpenPGP Signature by downloading it.

cd [the directory in which you downloaded the .libvirt.xz and the .asc]

Download HulaHoop’s OpenPGP key.

Import HulaHoop’s key to your GPG keyring.

gpg --keyid-format long --import --import-options show-only --with-fingerprint hulahoop.asc

Next, we need to verify the PGP key.

gpg --verify-options show-notations --verify Whonix*.libvirt.xz.asc Whonix*.libvirt.xz

If the download is authentic, we want to see:

gpg --verify-options show-notations --verify Whonix*.libvirt.xz.asc Whonix*.libvirt.xz

Do not continue if the verification fails. Try downloading Whonix again

The Whonix License Agreement

Extract the archive:

tar -xvf Whonix*.libvirt.xz

First we need to read the Whonix License Agreement. Unlike Microsoft’s end user license agreement, you can do whatever you want to Whonix, but you are 100% responsible for whatever you do, not them nor I am responsible for whatever happens.

more WHONIX_BINARY_LICENSE_AGREEMENT

To agree, enter the following: touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted

If you don’t accept, you can’t continue with the installation.

Importing the KVM Templates

First add the virtual machine networks:

sudo virsh -c qemu:///system net-define Whonix_external*.xml
sudo virsh -c qemu:///system net-define Whonix_internal*.xml

Next activate the virtual networks and import the images.

sudo virsh -c qemu:///system net-autostart Whonix-External
sudo virsh -c qemu:///system net-start Whonix-External
sudo virsh -c qemu:///system net-autostart Whonix-Internal
sudo virsh -c qemu:///system net-start Whonix-Internal
sudo virsh -c qemu:///system define Whonix-Gateway*.xml
sudo virsh -c qemu:///system define Whonix-Workstation*.xml

Finally, let’s move them in place. Don’t be alarmed that they are 100GB, they will be much smaller at first and will expand as you put more in them.

sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
sudo cp --sparse=always Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2

If the move is successful and you can dispose of the files.

First Setup

If you open virt-manager, you’ll see there’s two new entries:

1. Whonix Workstation: This is where you conduct your browsing and desktop activities.
2. Whonix Gateway: This is where you configure your connection to the Tor network.

There’s a specific order to launching the virtual machines. You can also make duplicates of the Workstation, but there isn’t much value into making duplicate Gateways.

There’s also a live boot mode, which allows you to boot into a completely disposable desktop session that will delete your files when powered off.

Logging In

First boot up Gateway. This will kick you into a TTY environment.

Default username: user

Default password: changeme

Next, change your password using passwd. You shouldn’t use the default password.

Connect to the network using sudo whonixsetup. Then wait for Tor to connect.

Finally, run updates. Whonix’s devs created a script which manages apt without root privileges:

upgrade-nonroot

Then repeat the same steps with Whonix Workstation, but no sudo whonixsetup. You will also need to open the Tor Browser and allow it to be fully updated.

Using Whonix

Whonix also places priority on your security first and foremost. That doesn’t mean that other operating systems don’t protect you, but in addition to being locked into a virtual machine, you can’t just install and use the same programs you like to use on Linux.

• Wine does not work due to a modified kernel parameter.
• The kernel hardening has made it harder to run Flatpaks in the past.
• Using other programs that use Tor within Whonix (OnionShare, Brave, etc) makes you stand out amongst others in the Tor network. This is because your traffic is being bounced twice as much as everyone else.
• Tor is not a place for illegal activity. Do not rely on it for protection.