dd-mm-yyyy is not an insane format, thank you.

KDE Connect and SyncThing

Turn your laptop around and look for a sticker with a model number. Go to your vendor’s support website, search for the model number and check their BIOS/UEFI downloads. Usually it’s a file you put on a USB stick, then you boot into BIOS/UEFI (press F12 or DEL ob boot, check manual if in doubt), select BIOS/UEFI update and select the file on the USB stick.

It’s the same for desktop components. There are very few vendors/models that get BIOS/UEFI updates via Windows Update (or fwupd under Linux).

https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities

The --privileged flag gives all capabilities to the container. When the operator executes docker run --privileged, Docker enables access to all devices on the host, and reconfigures AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.

A manual --device /dev/dri should not be necessary. I’ll make sure to test it nevertheless.

A strictly confined Snap by the original software authors? For sure. The available Snap on Snapcraft.io is by Canonical though, but that’d be fine as well, if I can not get my own solution to work. I’m just a bit puzzled that apparmor on Debian apparently simply doesn’t allow for strictly confined Snaps.

https://docs.docker.com/engine/containers/run/#runtime-privilege-and-linux-capabilities

The --privileged flag gives all capabilities to the container. When the operator executes docker run --privileged, Docker enables access to all devices on the host, and reconfigures AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.

A manual --device /dev/dri should not be necessary. I’ll make sure to test it nevertheless.

Thanks for the input, but I will probably never not want to use Steam and I’ve accepted non-free firmware blobs a long time ago. All I want is to use a simple sandbox like I use for many other applications (mostly as Docker containers).

So proprietary software doesn’t have access to my filesystem. I am also restricting my Flathub usage to verified apps and Steam unfortunately isn’t one. And yesterday I learned Snaps don’t support strict confinement under Debian.

It’s proprietary software and because of that I don’t want to run it unisolated. Yes, I know there’s a flatpack, unfortunately it is not by Valve themselves. Yes, I know there’s a Snap, unfortunately it is by Canonical.
If I am not able to get Docker to work, I’ll probably end up using bubblewrap, like this project here: https://git.sr.ht/~whynothugo/steam-container

Good guy Embark Studios

I’m currently thinking about switching to MX Linux, which is basically Debian (even with the official Debian repositories) in a modern KDE theme and some cool additional software (from an own separate repository).

The only gripe I had with it so far is that it doesn’t come with apparmor enabled by default, which can easily be manually installed.

your firewal

Well, blocking inbound traffic from these countires is part of my firewall. I have some services that are exposed on the internet, but I don’t want the whole world to hammer these services, scrape them and potentially exploit vulnerabilities on them. I know a VPN would be more effective here, but that’s not an option for every service.

$ grep -i "dns" /etc/letsencrypt/renewal/enter.domain.here.conf

authenticator = dns-netcup
dns_netcup_credentials = /path/to/netcup/credentials.ini

AFAICT it is using DNS challenges, unless the cerbot netcup plugin somehow does stuff it shouln’t need to do.

enter.domain.here is simply a redaction of my real domain as I did not want to doxx myself.

Outbound traffic has never been blocked, so it’s not a matter of me or my “certificate manager” being able to reach Let’s Encrypt.

I’ve been using DNS challenge for this domain from the start. I’m not sure what you mean by external DNS hosting. The domain is from netcup, the certbot host runs in my local network (as does the HTTP server that the domain points to).

Netcup is a German hosting company, I live in Germany, inbound traffic from Germany is NOT blocked on my router, outbound traffic isn’t blocked at all.

I have an old Debian 11 “bullseye” installation running on one of my servers. It’s stuck at nginx 1.18.0, but it should theoretically still be covered by Debian 11 LTS security updates, right? https://wiki.debian.org/LTS/Using
nginx/oldoldstable-security,now 1.18.0-6.1+deb11u5

Huh?

I’m creating my own reddit - without blackjack and hookers!

UPDATE: Even more exciting… Per this comment from a prominent AMD Linux developer, it looks like a full HDMI 2.1 implementation for AMDGPU could be coming!