@antihero, there are a few different methods that all attack that problem in pretty much the same way. The flatpak in question needs to have access to the theme/font/icon pack you want it to use.
https://docs.flatpak.org/en/latest/desktop-integration.html
LFS and Gentoo, you have to compile, sure… but Arch? You don’t compile the kernel on vanilla Arch, if you mean packages, then just get the *-bin versions.
Edit: misunderstood your post. What’s wrong with Arch and Arch-based distros?
Yeah sorry I misunderstood, have you looked into NixOS? It offers quite a different workflow. I use arch and there hasn’t been a time where I wished I had it differently, except the occasional temptation to try Nix.
Hrm, I’ve been using Linux as my dayjob server os of choice for about 15 years, and for my personal computer for the past 10 - and I haven’t found something like what you described. Something I would recommend is looking at a configuration management tool (Ansible is a really solid choice).
Stability issues often come from misconfiguration or just flat out configuration drift (changes over time) - something like Ansible or Chef would help with that.
Other things that touch on some of your concerns may be SELinux (wiki.debian.org/SELinux). It’s a bit of a pain to get set up, but once you do your system is much more secure. It effectively functions under the principle of least access to lock down your Debian OS, rendering the need for AV/Malware scanning somewhat moot.
I’ve done a cursory glance or two at Checkmk for monitoring, but it sounds a bit overkill for a single Debian workstation.
I mostly troubleshoot things like VPN instability or crashes by diving into /var/log or journalctl -ex to see if any googleable errors are visible.
Great advice. It’s just that I’m sorta an eager learner when it comes to tech, especially the privacy and security side and I honestly don’t always know what I’m doing or I’ll read the wrong guide to set things up and I end up getting lost or confused or things just straight up don’t work. So I for sure have some wires crossed somewhere and some roadblocks causing issues here and there. I have recently learned more about ansible and chef and I indeed need to research. Those tools seem quite complex but hey, I’ll try anyway. And as far as selinux goes, I just thought that was one of those things that automatically comes installed and configured on every OS? Also there’s app armor… Is that in this realm of things too? Is it deemed “good” or necessary to use? Thanks
Personally, I find Ansible to be much more intuitive than other products in the configuration management space. Start small, think about what you want your system to look like.
Do you want Firefox installed? Use ansible.builtin.package to install it!
Do you want to have ssh server configured to disallow password authentication (and only allow ssh keys)? Use ansible.builtin.blockinfile on your sshd.config file!
Regarding SELinux vs apparmor, they both are designed to lock down a system, but they have different philosophies about how to approach the problem.
SELinux says block all by default and only if it’s configured to allow it will it be allowed to happen.
Apparmor on the other hand is permissive by default, and it will only restrict if it is configured to do so.
I suppose you could say it’s similar in that there are allow-lists and deny-lists that permit or restrict actions, but the key difference is Apparmor/SELinux are in the OS space - they can permit/restrict the ability to restart services, or prevent sudo from being used in certain ways.
Firewalls are predominantly used to permit/restrict network connectivity either ingress (e.g. traffic from outside the system coming into it) or egress (e.g. traffic that is leaving the system). A good example would be using a firewall to restrict ingress traffic to port 22 - allowing remote management of a system over SSH.
You don’t really compile anything during or after install with arch linux unless you find something on the AUR that needs to compile? If so, just look for <package_name-bin>.
I’ve been using both daily, for 25+ years. Windows is not hard to use, but harder to configure now, having multiple paths/ways to configure the same thing like settings, old control panel, command line, regedit, group policy, is sometimes shitty. Everything else works fine in win10 or 11.
Run dmesg and see if you find anything suspicious of the cause. If you find something like “blah blah… Ethernet… Blah blah… Key was rejected by service” or similar, it’s due to secureboot.
If this is actually related to secureboot your drivers are most likely not in tree and installed via dkms, so they need to be signed or secureboot won’t allow them. You can set up a machine-owner-key to sign them yourself, and you can set up dkms to automatically sign them using that key. The instructions are in dkms’ readme. After setting up you need to run dkms autoinstall or manually reinstall the drivers to trigger the automatic signing.
Edit: I just noticed you said you deactivated secure boot… I have no clue. But for future reference, you can sign your modules to work with secure boot, it’s not a bad idea.
Basically you make a new user with the name of the package you want to install. Log in to that user, then compile and install the package.
Now when you search for files owned by the user with the same name as the package you will find every file that package installed.
You can document that somewhere or just use the find command when you are ready to remove all files related to the package.
I didn’t actually do this for my own LFS build so I have no further experience on the matter. I think it will eventually lead to dependency hell when two packages want to install the same file.
I guess flatpaks are better about keeping libraries separate but I’m not sure if they leave random files all over your hard drive the way apt remove/apt purge does. (Getting really annoyed about all the crud left in my home dir)
Thanks for the read. This is what I was thinking about trying but hadn’t quite fleshed out yet. It is right on the edge of where I’m at in my learning curve. Perfect timing, thanks.
Do you have any advice when the packages are mostly python based instead of makefiles?
This method should work with any command that’s installing files on your disk but it’s probably not worth the headache when virtual environments exist for python.
Python, in these instances, is being used as the installer script. As far as I can tell it involves all of the same packaging and directory issues as what make is doing. Like, most of the packages have a Python startup script that takes a text file and installs everything from it. This usually includes a pip git+address or two. So far, just getting my feet wet to try out AI has been enough for me to overlook what all is happening behind the curtain. The machine is behind an external whitelist firewall all by itself. I am just starting to get to the point where I want to dial everything in so I know exactly what is happening.
I’ve noticed a few oddball times during installations pip said something like “package unavailable; reverting to base system.” This was while it is inside conda, which itself is inside a distrobox container. I’m not sure what “base system” it might be referring to here or if this is something normal. I am probing for any potential gotchas revolving around python and containers. I imagine it is still just a matter of reading a lot of code in the installation path.
Flatpak apps can be uninstalled without leaving a trace: flatpak uninstall --delete-data com.google.Chrome
But you might need some global overrides to make all apps write their configuration into ~/.var. Personally I globally revoke apps the permission to access filesystem= host, home, xdg-config, xdg-data.
That was actually the main reason that made me switch to Flatpak. Previously I used VMs to try out software, but with Flatpak I know that I can get rid of the application completely.
In arch/x86/Kconfig of the kernel tree it says for CMDLINE:
    Enter arguments here that should be compiled into the kernel
    image and used at boot time. If the boot loader provides a
    command line at boot time, it is appended to this string to
    form the full kernel command line, when the system boots.

    However, you can use the CONFIG_CMDLINE_OVERRIDE option to
    change this behavior.

    In most cases, the command line (whether built-in or provided
    by the boot loader) should specify the device for the root
    file system.

and for CMDLINE_OVERRIDE:
    Set this option to 'Y' to have the kernel ignore the boot loader
    command line, and use ONLY the built-in command line.

    This is used to work around broken boot loaders. This should
    be set to 'N' under normal conditions.

So both commandlines will probably be used. I don’t think an initramfs will normally interfere with the kernel commandline. In any case you can make sure you got what you wanted with cat /proc/cmdline.
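The combining rule from the two help texts quoted above, written out as an added shell example that is not part of the original post: it computes the command line to expect in /proc/cmdline from a kernel .config and the bootloader's arguments. The sample config and bootloader string are constructed, the function names are hypothetical, and CONFIG_CMDLINE_BOOL is the x86 option that enables the built-in string (it comes from the kernel tree, not from the post).

```shell
#!/bin/sh
# Constructed sample of a kernel .config fragment (not taken from a real system).
SAMPLE_CONFIG='CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="root=/dev/sda2 ro"
# CONFIG_CMDLINE_OVERRIDE is not set'

# config_value KEY CONFIG_TEXT: print the value of KEY with surrounding quotes
# removed; prints nothing when the option is unset or commented out.
config_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | sed 's/^"\(.*\)"$/\1/' | head -n 1
}

# effective_cmdline CONFIG_TEXT BOOTLOADER_CMDLINE: print the command line the
# kernel ends up with, following the CMDLINE and CMDLINE_OVERRIDE help texts.
effective_cmdline() {
    built_in=$(config_value CONFIG_CMDLINE "$1")
    if [ "$(config_value CONFIG_CMDLINE_BOOL "$1")" != y ] || [ -z "$built_in" ]; then
        printf '%s\n' "$2"                 # no built-in string: bootloader only
    elif [ "$(config_value CONFIG_CMDLINE_OVERRIDE "$1")" = y ]; then
        printf '%s\n' "$built_in"          # bootloader command line is ignored
    else
        printf '%s %s\n' "$built_in" "$2"  # bootloader args appended to built-in
    fi
}

# has_param CMDLINE PARAM: succeed if PARAM appears as a whole word in CMDLINE.
has_param() {
    for word in $1; do
        if [ "$word" = "$2" ]; then return 0; fi
    done
    return 1
}

# Demo with the constructed sample and a constructed bootloader command line.
expected=$(effective_cmdline "$SAMPLE_CONFIG" "quiet splash")
echo "expected /proc/cmdline: $expected"
if has_param "$expected" "root=/dev/sda2"; then
    echo "root= parameter is present"
fi
```

On a real machine, pass the contents of the running kernel's config file as the first argument and compare the result with `cat /proc/cmdline`.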
I use Silverblue with distrobox and was really hoping for a way to keep track of what I’ve installed in my distrobox images, since tracking layered packages is so easy in Silverblue already.
I’ve been intrigued by nix’s declarative aspects and this seems like a great way to have something similar with distrobox.
Edit: and yes, exporting to $PATH is also great! Right now I just have two different terminals: one launches into a distrobox image, the other the main os. Now I just need one. 😎