

Please tell me more, which firewall would you recommend that plays nice with Docker?
Firewalld
No NAT?
Another user in this thread suggested DMZing, so combine your advice with theirs and boom. It’s not uncommon, and it’s fine if you firewall the box yourself. Most people don’t knowingly choose to use a firewall that they don’t intend to work, like you would.
why would you copy paste a docker compose without reading it?
There’s more than one way to use docker. Spinning up an official mysql image using the official docker run OR docker compose calls suggested by the docs would start up a server wide open to the entire internet if DMZ’d.
Just to throw out an easy option: if the music is well-labeled on Youtube, you can get pretty close to that full suite with just yt-dlp by using --embed-thumbnail as a stand-in for album art, dumping your files with an “Artist - track - album” naming structure using the --output-template flag — then using an awk or python script as a second pass to add the artist/track/album names to each file as tags.
E: and in case it isn’t self-evident, you don’t have to give yt-dlp a URL for each track; it’ll work fine with a playlist URL.
Yt-dlp is the gold standard for that.
https://github.com/yt-dlp/yt-dlp
Tag cleanup and album art are their own beast that you’ll wanna tackle post-download, but beets is another gold standard tool that can help with that layer.
Gnome. The maintainers have a hard-earned rep for contemptuous attitudes towards community and end-user feedback.
You shouldn’t suggest UFW at all then. There are other firewall options that can be used just fine with docker.
It does have real potential to cause issues, e.g. if OP were to put their server in DMZ mode on their router and later copy some docker setup instructions that don’t explicitly bind to localhost.
This is dangerous advice because docker is well-known for undoing UFW’s iptables rules. It’s mitigated by binding to localhost, but still way too easy for people to shoot themselves in the foot by using the two together.
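An added example, not part of the original comments: a small check that flags Docker published-port specs (the `-p` / compose `ports:` short syntax) that are not bound to loopback. The function names and sample specs are constructed for illustration, and it assumes Docker's default of publishing on all interfaces when no host IP is given.

```python
import ipaddress

# Constructed sample: short-syntax specs as they might appear in a compose file.
SAMPLE = [
    "3306:3306",               # no host IP -> all interfaces
    "127.0.0.1:3306:3306",     # loopback only
    "8080",                    # container port only -> random host port, all interfaces
    "[::1]:9000:9000/tcp",     # IPv6 loopback
    "192.168.1.10:53:53/udp",  # a specific LAN address
]

def host_ip(spec: str) -> str:
    """Return the host address a [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO] spec binds to."""
    spec = spec.split("/", 1)[0]              # drop the /tcp or /udp suffix
    if spec.startswith("["):                  # bracketed IPv6 host address
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    # Three fields means an explicit host IP; otherwise assume the default bind address.
    return parts[0] if len(parts) == 3 else "0.0.0.0"

def exposed(specs):
    """Specs reachable from outside the host, i.e. not bound to a loopback address."""
    return [s for s in specs if not ipaddress.ip_address(host_ip(s)).is_loopback]

if __name__ == "__main__":
    for spec in exposed(SAMPLE):
        print(f"not loopback-bound: {spec} (binds {host_ip(spec)})")
```

Anything this reports is published through Docker's own iptables rules, so it is worth confirming from another machine (e.g. with nmap) whether the host firewall actually blocks it.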
In that case… welcome to the club.
You might get more than you bargained for: Shuttleworth has one helluva grip after all these years.
No need to cargo-cult security practices here, chief. You’re not gonna get pwned by publishing your hardware specs. If you’re planning to build some kinda webapp for yourself, that’s a different story - but you have to fuck up hard to get hacked while hosting raw HTML.
Use an SSH key, disable password auth, make sure you’re firewalled (i.e. test with nmap), and call it a day.
Asserting that the state has no legitimate interest in using limited violence (i.e. tear gas) to execute lawful search and arrest warrants against heavily-armed, recalcitrant pedophiles is truly one of the takes of all time.
The Bundy standoff, the SLA, and the Waco Siege are categorically different from the firebombing of Philly or the Tulsa Massacre to anyone with a brain.
Is there a buried lede here? What’s noteworthy about an RC of a minor version release?
I appreciate systemd at a high level, and use it all the time, but Nanook’s comment in this thread is dead on the money in my book:
https://lemmy.world/post/30945123/17510444
The CLI interfaces for PA and SysD are janky/verbose af and make it hard for beginners to do simple things as well. E.g. try wiring up a virtual device with pacmd that fuses your desktop audio and mic output into a combined source using only the man pages, or putting together a fresh service from memory without looking up any directives.
E: even better example, compare how easy it is to set something up to run in cron vs. a systemd timer.
Sorry, bad phrasing on my end. I agree the community should be suspicious, but I think the flawed premise in
It seems like there isn’t much criticism of the company or their tactics, and I’m curious if any of you think that should change.
is that there is consistent, well-founded criticism and has been this whole time. And even though the vocal folks are a minority, a lot of people feel ambivalent about the relationship rather than viewing it favorably.
I do think there are quite a few linux users and developers who are suspicious of Red Hat, they are a small-ish but pretty vocal minority.
Yeah, I’m with you all the way — no shade to OP, but the question has a flawed premise. I think the majority opinion is that they’re both an asset and a liability. They’re a huge contributor to the ecosystem and have done a lot of practical good, but I also think the community will turn on a dime if the suits overstep into FAFO territory.
(All that said, fuck Lennart Poettering. Dude couldn’t design a plan to get himself out of a paper bag.)
Not a triad user in sight.
Just lemmings living in the moment.
While I’m sure there’s a pre-canned tool out there for you, if you have basic software experience (which you seem to), this is one of those times where it’s usually most efficient to hack together a dumb CGI script and call it a day.
This prompt should get you most of the way there, using your llm of choice:
Write a minimalist cgi script to help upload files to a server. Upon a GET request, serve a light page with a centered form that takes in a file and a submission code. Submission codes will be stored on individual lines of a plaintext file. Adding new codes to this file is out of scope - but the codes will be 8-char hex strings (do validate that submission strings are not empty!). The script should accept the submission as a POST, and save the file to an upload dir if the submission code is valid.
Vet the output, harden as needed, set up a systemd service to serve with busybox httpd, and optionally reverse-proxy. If you’ve done this sorta thing before, you can probably knock it out in a half hour.
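An added example, not part of the original comment: the pieces of such an upload handler that most need vetting, namely the submission-code check (a naive membership test would accept an empty code against a blank line in the codes file) and the handling of the client-supplied filename. Function names, the 10 MiB cap and the filename policy are assumptions made for illustration; the CGI request parsing itself is left out.

```python
import hmac
import os
import re
from pathlib import Path

CODE_RE = re.compile(r"[0-9a-f]{8}")  # the 8-char hex format described above

def code_is_valid(submitted: str, codes_file: Path) -> bool:
    """True only if `submitted` is well-formed and listed in the codes file."""
    submitted = submitted.strip().lower()
    if not CODE_RE.fullmatch(submitted):   # rejects empty and malformed input up front
        return False
    ok = False
    for line in codes_file.read_text().splitlines():
        # Compare against every line with a constant-time primitive, no early exit.
        ok |= hmac.compare_digest(line.strip().lower().encode(), submitted.encode())
    return ok

def safe_name(client_name: str) -> str:
    """Reduce a client-supplied filename to a harmless single path component."""
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directories
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")   # no dotfiles, no '..'
    return base[:100] or "upload.bin"

def save_upload(upload_dir: Path, client_name: str, data: bytes,
                max_bytes: int = 10 * 1024 * 1024) -> Path:
    """Write the upload under upload_dir without ever overwriting an existing file."""
    if len(data) > max_bytes:
        raise ValueError("upload too large")
    dest = upload_dir / safe_name(client_name)
    # O_EXCL fails if the name exists; mode 0600 keeps the file non-executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest
```

Keep the upload directory outside the directory the web server treats as CGI or document root, so an uploaded file can never be executed or served back.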
I’m talking about the executable binary flatpak, which is the interface used to execute and manage applications distributed in the Flatpak bundle format.
https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak
Flatpak: a system for building, distributing, and running sandboxed desktop applications on Linux.
Flatpak application: an application installed via the flatpak command or through a graphical interface, such as GNOME Software or KDE Discover.
Runtime: also called platform, an integrated environment providing basic utilities needed for a Flatpak application to work.
Flatpak bundle: a single-file export format containing a Flatpak application or runtime.
From https://docs.flatpak.org/en/latest/introduction.html#terminology
You might be thinking of AppImages, which are more of a pure file format.
That is a setup guide for hardware key and passkey auth. It is not a hardening guide, and does nothing to mitigate these LPE vulns.