LINUX Unplugged - 572: Data Security Only a Maniac Could Love
Episode Date: July 22, 2024

Wes' self-decrypting bcachefs disk and a GrapheneOS twist that'll make you ditch your iPhone.

Sponsored By:
Core Contributor Membership: Take $1 a month of your membership for a lifetime!
Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
1Password Extended Access Management: 1Password Extended Access Management is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.

Support LINUX Unplugged

Links:
💥 Gets Sats Quick and Easy with Strike
📻 LINUX Unplugged on Fountain.FM
clevis — Clevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes.
bcachefs Encryption
What measured boot and trusted boot means for Linux
Automatically decrypt your disk using TPM2 — Entering the passphrase to decrypt the disk at boot can become quite tedious. On modern systems a secure hardware chip called "TPM" (Trusted Platform Module) can store a secret and automatically decrypt your disk. This is an alternative factor, not a second factor. Keep that in mind.
Use systemd-cryptenroll with FIDO U2F or TPM2 to decrypt your disk
Automatic LUKS 2 disk decryption with TPM 2 on Fedora
Safe automatic decryption of LUKS partition using TPM2 | 221b
FOSDEM 2024: Clevis/Tang - unattended boot of an encrypted NixOS system
Clevis & Tang on NixOS Slides
Decrypt LUKS volumes with a TPM on Fedora Linux
Self-Hosted 127: Can't Fix What You Don't Track
Garmin Forerunner 265 — Forerunner 265 is a running smartwatch with a touchscreen AMOLED display, training metrics, phone-free music, & up to 13 days of battery life in smartwatch
HRV Status
Garmin Sleep Tracking
Nap Detection
Garmin Pay
Tribit Stormbox Micro 2 Wireless Portable Speaker: 10W
USB-C Charging Converter for Garmin Watch Without Charger Cable
Obtainium — Obtainium allows you to install and update apps directly from their releases pages, and receive notifications when new releases are made available.
Managing your personal access tokens
Membership Summer Discount — Take $1 a month of your membership for a lifetime!
Iotas — Iotas aims to provide distraction-free note taking with optional speedy sync with Nextcloud Notes.
LINUX Unplugged 567: So Long sudo
Celeste — GUI file synchronization client that can sync with any cloud provider
vt52's Blog: Migrating from NixOS channels to Flakes
FUTO Keyboard
autossh
LINUX Unplugged 570: RegreSSHion Strikes
Aeon — The Linux Desktop for people who want to "get stuff done"
Aeon: openSUSE for lazy developers
Grayjay — Follow Creators Not Platforms
Grayjay on GitLab
CrowdSec
Bustle — Bustle draws sequence diagrams of D-Bus activity. It shows signal emissions, method calls and their corresponding returns, with time stamps for each individual event and the duration of each method call. This can help you check for unwanted D-Bus traffic, and pinpoint why your D-Bus-based application is not performing as well as you like. It also provides statistics like signal frequencies and average method call times.
open-and-shut — Type in Morse code by repeatedly slamming your laptop shut
Transcript
Okay, well, speaking of data security, I have a potentially dangerous hypothesis that I want to bounce off of you guys and the listeners, okay?
I suspect it is safer and better for the disk, spinning Rust disk, to run in a sweltering hot room than it is to shut it down and turn it on and shut it down every time it gets hot.
So I looked into the operating ambient temperatures of the SAS disks that are in the server, and it said they could operate something like 150 degrees
Fahrenheit.
Not bad.
Internal temperature.
Okay.
And they do have temperature sensors, so I checked them, and they were running at like
105, maybe the highest I've seen is 110, maybe 115 once Fahrenheit.
And that's with like what outside temp?
Probably about low 90s, 93, 95 degrees Fahrenheit in the garage.
That's a little headroom.
Okay.
Yeah.
And that's, you know, so if they can go up to 145 and they're at 105 to 110, I'm starting to think, now this could be wrong, but I'm starting to think it might actually better just to leave it running.
Just let them spin.
Because I think it's that cycling of powering on and powering off.
That's the time I always have stuff die, Wes.
That's when things always die.
For sure.
So the question is.
At least at this point, right?
They've kind of slowly come up to temp.
They've all the metals expanded.
They're running smooth.
They're old.
So I do worry, you know, because I feel like I'm running a risk of the longer they run
hot, I'm probably reducing their overall lifespan.
But it's still got to be a better treatment than the on, off,
on, off, on, off, every time it gets hot and cold, right? Or you just commit. June hits,
you turn the server off, you don't get to touch it until September.
That's pretty much what I'm going to have to do, I think.
Hello, friends, and welcome back to your weekly Linux talk show.
My name is Chris.
My name is Wes.
And my name is Brent.
Hello there, gentlemen.
Well, we have a very special guest, listener Tomasz.
Hello, Tomasz.
Hello.
It's a pleasure and honor to be here.
Thanks for having me.
Oh, no, thank you.
We'll tell you more about him as we go on.
And, of course, on today's show, we're going to learn how Wes's bcachefs encrypted disk knows when to automatically decrypt itself.
It knows, somehow, through a combination of events.
And then we have a little GrapheneOS follow-up that I don't think you're going to want to miss. So stay tuned for that. Then we'll round it out with some great boosts, excellent
picks, and a lot more. So before we get
into the show, let's say time-appropriate greetings to our
virtual lug. Hello, Mumble Room.
Hey, Chris. Hey, Weston. Hello, guys.
Oh, hello there. We got a
small little on-air group. Hello.
And then a big old
quiet listening lobby up there. So hello, everybody
up there in the quiet listening. You know, I think they like,
people are liking that for the audio stream.
They're loading up mumble and they're just tuning in that.
Yeah.
If you have,
I mean,
it's,
it's packaged.
It's fast.
Why not?
Yeah.
Good morning to our friends at Tailscale as well.
tailscale.com slash unplugged.
It is the easiest way to connect devices and services directly to each other,
wherever they are.
So go try it for free on 100 devices.
tailscale.com slash unplugged.
It is a mesh network protected by Lego.
That's right.
It's crazy fast.
You can build a simple flat network over complex infrastructure,
bridge multiple data centers and lands together with your mobile device,
and get it all up and running in just minutes.
It's how I run everything.
I have no inbound ports on my firewall.
It's intuitive, it's programmable, and it's fast, like really fast. Try it out for individuals or a business at tailscale.com slash unplugged.
massive Windows outage caused by the CrowdStrike update,
go check out the members bootleg.
If you're already a member,
you might just hit pause right now and go catch it.
We went into some conversation there as well as also some open SUSE news.
And if you haven't become a member yet,
you can go to linuxunplugged.com slash membership
and use the promo code summer.
Take a dollar off your membership forever.
A dollar off your membership forever.
And then you can go listen to our take on that.
So try it out. LinuxUnplugged.com slash membership.
I also wanted to extend a thank you to all of you who made it to our meetup in Spokane, Washington a couple of weekends ago.
Wes was there in disguise.
Sure was.
He likes to do that. We tell everybody that he didn't make it to the meetup, but he's actually there.
I put on a second mustache. It really helps.
Yeah, that's all you got to do. I'm surprised. I never think it's going to work and it works
every time. And Brentley came down as well. I think you had a nice little trip, Brent.
I did. Yeah. And, uh, I just basically drove through the middle of the forest the whole time,
which is, uh, always really, really nice. So it was a nice little drive day trip.
Well, I say day trip, but I did sleep overnight in Lady Joups, right? So I can't call it a day trip, but it was nice to see everybody, and I gotta say, we gotta do that again. It was super fun. Great venue, the No-Li Brewery, super great venue. And a very hot day, so I was very thankful that they had misters outside and they had AC inside. They know what they're doing over there.
And the food was pretty good too.
We were the misters, right?
Yeah.
I had Brent there fanning me.
So it worked really well.
And then Uncle Brent got to stay over in the RV and see the kids
and go fight with them in the pool and all of that.
According to my watch,
that was the best sleep I'd gotten in the last two months.
So thank you.
That's hilarious.
Also, just before we move on, I have a question for you.
So please boost in an answer.
Do you use disk encryption?
Full stop.
I'd like to know.
I'm just trying to like to get a base analysis on that in the audience.
And then if you would, has it ever bitten you in the butt?
I'm not a big LUKS encrypted drive guy because I've just never wanted to deal with the fallout.
But I'd like to know the audience's take.
And I am definitely using it on my wife's laptop these days.
So I just want to be prepared
and I think it'd be great to check the pulse of the audience
on where they're at with disk encryption. So boost and let
us know if you use disk encryption.
Yeah, full disk encryption or maybe you're using some of
the cool new, like, systemd-homed encrypted home profile.
Let us know what you're doing.
I'd love to hear that. I'd love to hear that.
I'd love to hear that.
So there you go.
But speaking of disk encryption, Wes, you've kind of had like a bcachefs adventure.
You've discovered some software that I'm very much looking forward to hearing that seems like it helps you auto decrypt your disk under certain conditions.
You spent your time off from the show really well, it sounds like.
I was doing a little cleanup on this old Linux Unplugged ThinkPad
that I use for testing distros and doing show work.
And it's been getting a bit crufty on the old hard drive.
A lot of partitions.
You know, we were trying out Omakub a few weeks ago.
That was still on there.
So cleaned that up, deleted some other things.
It must have been at least half a dozen distros on there, right?
Oh, yeah, for sure.
Plus, I've had a few things.
I wanted to make some more space, get ready for the next sets of distros.
And while I was at it, I thought, hmm, I think it's time to pivot.
What I'm using as my go-to driver on this machine, it hasn't really been fully NixOS yet.
Here, I'll take a little.
I know, it had to happen.
Wes, right here in the show?
All right, Brentley.
I hope you have something over there.
I don't know if you told Tomasz, but at the first mention of Nix in the show, we must
take our drink.
Wow.
Fireball, huh?
That's an interesting choice, Wes.
That was an interesting choice.
It was the closest to the register.
Okay.
But, okay.
No, I'm not really trying to talk about Nix here.
It was just I was installing OSs, and when you do that, right, you get a choice of, well, what file system are you going to use?
Of course, you've got to make a decision.
Regular listeners will know that here at the show, we're pretty big fans.
We've got some excitement around BcacheFS.
You know, new file systems with fancy features and friendly licenses coming to the kernel.
Who doesn't like to see that?
But since kind of trying it when it got merged and a few times over the years,
I kind of felt like I wasn't keeping as close an eye on it
because I didn't really have any systems that weren't test systems actually using it day to day.
So I thought, let's go BcacheFS on root this time, you know?
Right on.
Especially for a Nix system, like the config's backed up.
I'm just not that worried about it.
If it breaks, it breaks.
If it doesn't, then great.
Right.
And, you know, I suppose if it really went sideways,
you could use a different computer for one episode too or something like.
Yes.
It's not unrecoverable.
So sort of the perfect situation because you use it, you use it regularly.
It is important, but it's not critical.
And I've already got backups and stuff, right?
So I'm not worried about data loss or anything.
It'd be more just an operational inconvenience.
Yeah, okay.
I like where your head's at here.
So I went through, I got that installed,
and then I thought to myself,
wait, as I was like double-checking what I'd done,
and then, oh, I realized I wanted to turn on compression
because there's transparent compression
because it's a modern file system.
And then I realized, oh, right.
Kind of like ZFS, BcacheFS has native encryption.
It's not using LUKS.
It's built into the file system.
It's AEAD style encryption using ChaCha20.
Each encrypted block is authenticated with a MAC, and then there's a chain of trust all
the way up to the super block.
This actually means it can protect against stuff that block level encryption, i.e.
LUKS, can't quite defend against because at the block level, there's nowhere to store the MACs or nonces
without causing alignment problems, so it just kind of doesn't happen.
That's awesome.
So there's some neat security guarantees, or at least promises, going on with BcacheFS.
It does mean there's no per-directory encryption.
It's an encrypt-everything approach for a variety of reasons,
a lot of which was just kind of trying to keep it simple and audible and secure.
So if you wanted to break it out, you'd have to break out individual mount points or something.
Yes. Now, maybe eventually there'll be like separate trees or ways to do that.
But for the moment, it's all or nothing.
Okay.
Pretty simple, kind of like anything else you'd use.
There's user space tooling.
So if you enable encryption on BcacheFS, you boot up, your initramfs is going to ask you, hey, type in your password.
That gets turned into an actual encryption key with scrypt. And then that key is made available
to the kernel via the Linux kernel's key ring. And then the mount command is able to use that,
ask the kernel to use the key that it knows about now.
All right. Okay. So the kernel has a key ring. I guess I knew that, but didn't really remember that.
It can request that key from the kernel,
and the kernel has a mechanism to respond back securely.
Wow, that's so cool.
Yeah, there's a lot of neat underpinnings going on,
but it turns out not to be that complicated
from the end user perspective, right?
Like when you're formatting the drive,
you type bcachefs format,
and you just add dash dash encrypted on there.
Oh, that's great.
So the actual end user experience is smooth?
Yep. I basically just, you know, so I'd already done it without encryption. I migrated my home dir off, made myself a new encrypted root, reinstalled, moved the home dir back on there. Done. No problem. It was all working, really easy.
Are you copying to like an external USB drive? Is that what you're doing there when you're saying you copied your home directory off?
Yeah, just to another system. You could do it with the network, or onto another partition even.
You did netcat, didn't you?
It was tar, netcat. You got me. It was just the simplest.
All right.
I didn't really have a ton of takeaways besides what we were just talking about, because it was kind of just working. But I think, as anyone with an encrypted drive could probably attest to, typing in the password sure gets old.
I mean, it's one thing, right? Like I don't usually turn on auto login, maybe for like a static system at my house or something.
Yeah.
But on a laptop, probably not. So I've got to type in that password already, right?
Yep, yep.
And then now I've got to type in this disk encryption password, and it won't even properly boot until you do. So God forbid you turn it on and walk away for a second to take care of something. It won't be finished booting.
Yes, exactly. Right. Like it's stuck. It's sitting there, and it's even, it's like at an early stage in the initramfs. So it's not even like a super set up environment.
Right. Like you could be getting the networking up and starting some services while you wait for me that are not even user specific.
But that, that's not. No.
And of course I was like, well, if I'm, if I'm doing encryption, I should make sure I've got like a decent, you know, key here. So like I used a decently long passphrase with multiple words.
And so it's easy enough to remember, but it's kind of a pain to type.
You know, that's fair.
I probably could use something more secure if I didn't have to type it every time the system booted.
And, you know, like for the wife there, I specifically went with something that's it's a short, very short sentence, essentially.
Yeah, exactly.
So I started to become curious because, OK, let's get this out of the way.
Security is hard and complicated, and it depends a lot on your particular threat model, what you're worried about, what are you concerned, who's trying to access your system, what are you trying to protect against.
This is really all just kind of testing, you know.
So if you have particular concerns, you do travel a lot, you have sensitive proprietary data, make your own judgment.
This is another one of those don't do like we do, but we wanted to try it.
Yeah, I was interested in kind of exploring the spectrum of security and convenience and like, well, where what options do I have and where could I land that feels OK?
Could you find a balance for Wes?
Yes. And that's where I found a program called Clevis.
I love the name.
Uh huh.
Okay, Clevis.
Yeah, C-L-E-V-I-S.
And it's a pluggable framework for automated decryption.
It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes.
Yeah, and the key part is that automated decryption.
What?
That doesn't sound very secure.
Yeah.
Okay, so Clevis does this
either by talking to a remote server called a Tang server or by leveraging some sort of
cryptographic device, in this case, a TPM. One thing you could do, I didn't try this,
but it'd be fun to mess with. You can set up a Tang server. It runs on the network
and it basically holds the secrets and does the attestation for you. So that means you could do something like run a Tang server on a secure network,
maybe it's Tailscale, and then you could have a system set up where you can't,
I couldn't decrypt this proprietary Jupiter Broadcasting data
unless I was able to auth onto the Jupiter Broadcasting network
that maybe also then has two-factor, other kinds of like...
Right, it's usually our corporate login system
or whatever, yeah.
And then if you couldn't get onto the network,
you couldn't talk to the server,
so you couldn't decrypt the payload.
Fascinating.
This is really great.
I didn't go down that.
I didn't set up a Tang server.
It sounds fun to try, but I did not do that.
But it's a way you could have essentially
IT-managed Linux disk encryption.
Yeah. Huh, okay.
And maybe you don't do the root. Maybe it's a secondary drive that has like the sensitive data
that you're trying to protect or whatever.
Right. Right.
The other option was leveraging a TPM.
Yeah. Which, if you're not familiar, TPM stands for Trusted Platform Module, which is an international standard for a secure cryptoprocessor.
Say that twice.
Which is a dedicated microcontroller that's designed to secure hardware through integrated cryptographic keys. So you can
kind of think of it like a little YubiKey that is actually just embedded already in your computer.
I think a lot of Linux users have a negative association with the TPM because it was such
a Microsoft-centric thing when it was first announced and integrated into PCs, but Linux
has really been able to take full advantage of it.
Yeah, right.
The idea is it holds cryptographic keys
that it isn't going to reveal to you
or to anyone if it's working properly.
But you can ask it to use those keys to sign stuff
or to encrypt things for you.
And with the magic goodness of public key cryptography,
you can have it not reveal the private key,
but still do all these things that help you out. At that level, that's already neat because that
means I can encrypt something on my laptop that only my laptop can read. Because if you don't
have the same TPM chip that I do, you go to decrypt the payload I encrypted with my TPM,
it's not going to work for you.
That's useful on its own.
But the TPM these days can do more because it contains what are called platform configuration registers or PCR slots.
And these can be thought of as little pieces of memory that you can read later on, either
by the TPM or by some other thing external to TPM.
But they can't be changed once they've been written.
And this is for the lifetime of the boot cycle,
but like once you write data into them,
that's it until you reboot and write new data.
That's so cool, actually.
I just want to wrap my head around that for a second.
So it's like this trustable place to stash
while the OS is running,
and then it clears out,
and it's available the next time the OS boots up,
and it just temporarily can stash stuff there again.
So it has like a trusted space to store these important secrets while the OS is up and hot.
And in this case, the PCRs are used for a specific purpose as part of a scheme that
you can call measured boot.
The basic flow starts with the TPM performing a measurement of the BIOS slash EFI layer.
So we're like checking to see if anything's been modified?
Yes, right. And a measurement here usually means like reading the data that you're going to use,
whether that's like the actual firmware for the EFI or the configuration parameters or the kernel
or the kernel command line. And you take that and you hash it and you stick that in the PCR.
But actually, it's kind of like a blockchain-type idea, where, okay, you do the initial thing, you hash the base layer, stick that in PCR 0. Then you go measure the next thing, which is like some higher bit of the, you know, the next layer in the EFI, or like the particular modules you're using for this boot. You take the hash from the first bit, you add that with the hash that you just made, you hash those two together, then you store the next.
I see.
And you keep going on this way as you progress through the boot chain.
And so there's like a, basically a chain of custody, and a trustable chain of custody there.
Yes, right. So you've got, like, I don't know, there's like 20 of them or so. You've got PCR0, which is like the EFI firmware. You've got PCR1, which has more EFI firmware config. You've got PCR2, which is hardware components.
It hashes if you have a RAID controller and what particular type of RAID controller that is.
Each one of these is basically building and verifying on top of each other.
Yes.
And you won't get the same hash in that value if you've changed anything about any of the previous values.
Right.
So that gives you an idea, okay, the state of my system has been changed.
It is not in a trusted state. Or it is in a fully trusted software state.
Yes, right.
So basically the measured boot process, once you've booted your system up, or as part of it,
you can ask the TPM to go check the value in this PCR, and you can see, like, did I get the value I expect?
You know, I booted the system previously.
I know that these hashes were X.
I've booted it again.
As you're saying, oh, well, some of these hashes are different.
Something's changed.
Did I make that change?
Do I expect this to be different?
Or did someone tamper with my system?
And this is called the measured boot process?
Mm-hmm.
Okay.
Ooh, that's really neat.
And so this is, you're looking at this to kind of get an idea if the system is valid.
So this must be like one of the indicators that it's okay to decrypt the disk.
Exactly.
Aha, I see where you're going with this.
If you're curious, you can do sudo systemd-analyze pcrs,
and then you'll see a dump of what's in your PCR registers if your system has support for them.
Or you can use the tpm2_pcrread command,
and they're just going to look like SHA-256 hashes.
You know, it's all very similar stuff that you're used to
if you're doing any kind of Linux security cryptography stuff.
The next layer here is that the TPM can take those measured values
that are stored in the PCR slots
into account when it's doing encryption and decryption.
Okay.
Which means you can tell the TPM
encrypt against these specific PCR slots
and you won't be able to decrypt that payload
unless those slots all match
exactly what they were
when you encrypted it.
And they all have to check out too.
And you said there's 15 of those slots
and they all build on each other
so they all have to be verifiable in that stack.
They all have to check out first.
And then if that all checks out, this works.
Yeah, exactly.
Now, there's a little nuance there in that you, you know,
so Clevis, the actual tool doing the encryption and decryption here,
it can talk to the TPM.
It can request that the TPM uses its secure keys to encrypt stuff or decrypt stuff.
It can also then ask the TPM, hey, use these
particular PCR IDs, because you don't have to use all of them. You can use a subset, you can use,
you know, whichever ones make the most sense for your particular situation. And then that kind of
locks it to that state that you can only decrypt it if the particular PCR IDs that you specified
at encryption time still match. One that is of particular importance for these
kinds of payloads is PCR ID number 7, because that tracks the secure boot state. Now, another
thing that Linux users have, you know, leaves a bad taste in the mouth of Linux users is secure
boot. Yeah. That's because secure boot allows you to register a key with your BIOS firmware,
and then you can put your firmware into a mode that will refuse to boot any kernel or
other operating system component like bootloader that isn't signed with that key.
Now, this is where the bad taste comes from, right?
Because this can be abused by vendors, aka Microsoft, but so long as you are allowed
to modify and enroll your own keys,
it can be a nice layer of security because it goes from being like,
oh, I can only boot stuff that Microsoft signed to being,
oh, my computer will only boot stuff that I signed.
Right.
So it's a way to have integrity around what your computer will actually run.
Now, we should say there's a lot of trust being placed
in the actual
firmware of the laptop here, right? Probably you're going to want to have some kind of like
BIOS password so that people can't turn secure boot off on you. You're trusting that they
implemented the TPM well, that that's secure. Like there's all kinds of things you need to
worry about if you actually are really going down the paranoid path here. Yeah. Although if you're
going down the paranoid path, you're probably not looking at auto-decrypting your disk, right? Like you said, we're trying to target that balance
of data security, but in the right circumstances. Yeah, exactly. So in the context of using a TPM,
Secure Boot tells us that an attacker couldn't have loaded a compromised kernel or init ramfs
that then sets up, you know,
because the init ramfs is often the thing asking for your password or doing the decryption.
So with Secure Boot, and assuming you didn't mess something up, you've got this somewhat guarantee
that no one else can run unsigned code on your machine, which means they couldn't have snuck in
like a key logger into your init ramfs file, which is then going to capture your passphrase
or figure out how to read data off the disk in a sneaky way.
So you kind of get those two things added together where you get Secure Boot going,
which means you can only run trusted stuff at early boot, trusted bootloader, trusted kernel, trusted initramfs.
Then with the PCR slot number seven measured, once that's all set up,
if you disable Secure Boot or you even just change what keys are enrolled in secure boot, PCR slot seven changes.
Right.
And so then this wouldn't work.
Exactly.
So you can then now lock your system against that firmware state and know that, okay, it's
booted a signed kernel.
I can tell that no one's been able to mess with the secure boot configuration since the
last time I did this.
And only in that state, Clevis will be successfully able to grab the key to unlock the disk.
Huh.
And it's kind of like a way for the system to say, hey, something here doesn't quite check out.
We're not going to auto decrypt.
Yeah, exactly. Or everything has checked out since the last time we were set up.
So let's go ahead and just automatically decrypt this disk.
And that's kind of how it ends up working in practice
is you kind of get all this set up,
you boot in, you manually type in your password,
you get to your desktop,
and then you can kind of capture the state.
If you've assessed the system,
you think everything's nice and secure,
you're happy with that,
then you can kind of do the first,
you can tell Clevis to encrypt your disk password,
take into account whatever PCR IDs that you need to, and then until you make any changes,
you're good.
You've got a disk that'll auto-unlock.
Now, this is where you need to be careful about which IDs you use, because there's also
stuff above 7, 8, 9, 11 are common ones.
Those are measured by pieces after secure boot.
So that's stuff that like GRUB or systemd measures into, or the Linux kernel will measure
in OS level stuff.
Yes.
Like the kernel will, if it's in secure boot mode, it'll measure the kernel command line
and the init ramfs that it's using into PCR nine.
So you can even get more secure in that if you're like, oh, I want to make sure this
will only, you know, this will only unlock if it's a specific hash of the kernel binary itself.
Now, the further along you go, then basically the more locked into a specific configuration
you get, because anytime you update the kernel, you're going to need to manually unlock.
Right.
So you, so for your setup, how far did you go?
I'm just going to seven right now.
All right.
And so thanks to your handy chart here in the doc, 7 is host platform?
No, that's 6.
7 is secure boot.
Oh, okay.
So you're going as far as secure boot.
Okay.
Right.
So if you change secure boot, you change the keys, or you change anything about the BIOS configuration before that, you'll need my password to log, to get the disk to unlock.
Hmm.
So do you think this doesn't necessarily protect from somebody just grabs your laptop and walks away?
It's more of if software gets modified on your system.
Well, I mean, there's a few things.
Some of this stuff is intended to prevent
or address evil maid type attacks is what they call them.
Obviously, there's basically a few different scenarios.
In this case, if I left it in this configuration and someone grabbed my laptop and they didn't try to make any changes, then it would boot, and then you'd be relying on user login.
On user login, yeah.
Now, in particular too, if you're doing this kind of thing, you probably, you might want to limit the boot. Like systemd-boot in Secure Boot mode won't let you modify the command line or choose your options.
So you probably like end up locking it down to be like this machine boots into one OS.
You know, it does this one thing.
And then, yeah, I have strong passwords in user space.
But it does mean because it's still done at the hardware level, if they didn't try to boot the machine and they tried to just take your drive or it's in a server or something, that's where sometimes a lot of this automated unlocking comes from.
Then you still know that it is encrypted.
And the other part is, the way this works is,
you just have a little file.
So when you do the clevis encrypt command,
it generates just like a little encrypted file
that needs the TPM to be unlocked.
And then once you've decrypted it,
it has the password you need for the disk.
So if I wanted to, I wanted to just disable this,
I could do other things to disable it, but the easiest
method is I would just go delete that file.
And then there's no automatic unlocking
possible, and it falls back to the security
realm of having
to type your password every time. So let's say maybe
you are going on the road, you could
just delete that file and be willing to type
your password every time. And then it would just ask you for your password every time it boots.
Yeah. Oh, that's nice.
Honestly, you gotta figure if somebody's stealing your, your laptop, probably
one of the more go-to moves is to just extract the disk and try to plug it into another machine,
and in that scenario you're protected. That's slick. And you never had to be fussed with entering your
password in most situations. And presumably, you know, like it gets a little more complicated here
when you do it with the root disk, but it could be a secondary disk.
It could be an external hard drive, right?
Like it could be something where you want to guarantee the machine state.
It's not tied up all with the boot process, but then like you can, you know, you plug in your external drive for backups and it, if you're comfortable, that'll auto decrypt for you.
I mean, you're using Clevis, you're using LUKS here.
None of this really sounds bcachefs.
So there isn't, there isn't actually any LUKS.
Oh, there isn't? No, because it's native bcachefs encryption. Oh, so you are using the bcachefs encryption. Oh, okay.
I thought you decided to use LUKS. All right. No, so
there's nothing that has to
be bcachefs specific. So Clevis
supports, Clevis just does the
automated decryption part, basically.
So anything that can,
you know, you hook it into whatever system you
want, it'll spit out the decrypted password in the right scenario, and then you can stick that elsewhere.
But if you don't need some of the specific functionality, you can also do this kind of
TPM PCR ID locking with systemd-cryptenroll.
So you can do exactly the same thing either with Clevis or without Clevis to get your
LUKS drives encrypted or decrypted.
Hmm. So, um, all right.
So nothing in here requires that
and nothing in here necessarily requires NixOS either.
No, I did use NixOS to prototype and play with this
just because it was, you know, easy to do
and that's the system I was configuring anyway.
But in some ways, NixOS is actually worse for some of this.
What?
One, Secure Boot is still kind of experimental.
There's a separate project not in mainstream Nix packages or NixOS
called Lanzaboote that configures it.
Super easy to set up.
That's part of why I went down this road.
I was like, I've never really configured
like a system that's this locked down before,
at least with these tools.
So I just wanted to see how hard is it
to add Secure Boot to this kind of setup.
It's one thing to add Secure Boot with Microsoft keys
that just runs Ubuntu and Fedora, right? But this was me generating my own keys and having to roll those in the firmware
myself. It turned out to be super trivial. But the other part is the way NixOS works, right?
Every generation, especially because with some of these tools, you end up making what's called a UKI,
which is like a unified kernel image that has the kernel, it has the init ramfs and the command line all built together
so you can hash and sign that one thing.
But because of the way NixOS works,
each generation basically gets its own hash.
So if you lock above PCR ID 7,
you're locking to a single generation,
which I think would be fine in the sense of like,
if you weren't doing updates.
Yeah, like if it's an appliance or a machine,
you're never changing.
Or you're going on a trip and you're like,
I'm not doing updates till I get back from the trip.
So I know that if I'm asked for my password,
when I boot my laptop,
something's wrong and I shouldn't trust the system.
That's actually, you know, when you say that,
I realize what a handy signal that is.
Like, whoa, why am I getting prompted for my password?
Something has changed.
It immediately tells you something has changed.
Now, what you do about that, I don't 100%
know, but you at least get a signal.
And then when you get back home later, if that didn't
happen, then you could knock the
security back down to PCR ID 7 and
not have to worry about doing it every update.
You go home, you go into full lockdown mode,
forensic mode, Wes. What happened
to my system? I should note, too,
I followed a couple guides here
from the Fedora magazine. Fedora in particular
and, you know,
RHEL type systems have good support for this.
Clevis is packaged. I did
also even notice that some of the derivatives, like
Bluefin, they've got a script included
in their justfile that
will turn on the LUKS version of this
for you automatically.
So, like, I did it in a niche way with bcachefs and Nix,
but you don't have to.
If this sounds interesting, there's a lot of tooling out there
to take advantage of the crypto processors you might already have.
1password.com slash unplugged.
Imagine your company's security is like the quad of a college campus.
There are nice brick paths between
the buildings. Those are the company-owned devices, if you will. IT-approved apps or managed employee
identities. And then there's the path people actually use, you know, the shortcuts that are
worn through the grass. They're the actual straightest line from point A to point B.
Those are unmanaged devices, shadow IT apps, non-employee identities, like, you know, contractors. Most security tools,
they only work on those happy brick paths, but a lot of security problems actually take place
on the shortcuts. 1Password Extended Access Management is the first security solution
that brings all these unmanaged devices, apps, and identities under your control. It ensures that
every user credential is strong and protected,
every device is known and healthy, and every app is visible.
1Password Extended Access Management solves the problems
that traditional identity access management solutions and MDMs just can't touch.
It's security for the way we actually work today,
and it's available now with companies that have Okta,
and it's coming late this year to Google Workspace and Microsoft Entra. So go check it out, support the show and see how it works at
1password.com slash unplugged. That's 1, the number 1
password dot com slash unplugged.
Well, sitting here with us is listener Tomasz, who
has been, at least in my life for a little over a year now.
You're coming from Berlin and you're now here in my home for a little visit. Welcome. Oh, hey, thanks for having me.
So I know that you also are responsible for me getting into, well, getting a new modern phone.
That's a new thing for me. I usually always used recycled phones from family members and friends
who weren't, you know, didn't want to deal with those. But, um, also you have a ton of experience with Graphene OS, and I think since we've all been
on Graphene OS for at least a year now, that we should do a little check-in. So how long have you
been on Graphene OS? Oh, um, when did the 7a come out? I basically waited for the 7a to come out
and I pulled the trigger immediately, got it
on a pretty good deal and have been using Graphene
since then. So around a year,
I guess. Nice.
So you're in good company. And it seems
like you have quite a
positive effect on my life with all these
like tech suggestions, but also
I don't know, you throw me into cold lakes and stuff whenever
it seems like I need it.
You said that was warm for your standard.
You're supposed to be Canadian, man.
Yeah, well, now we're measuring it.
But you introduced me to pretty much an Apple Watch killer.
I was never into fitness tracking, but you are huge on fitness tracking.
Can you tell us a little why and what you're using?
Yeah, so I have had a number of friends
who were into endurance sports over the years at university and afterwards. Uh, it's actually one of
the ways I keep in touch with, with friends that I kind of have, uh, let go because of the distances.
Um, I used to live in the UK and have lots of friends from there, and we kind of kept in touch by, by just doing events together and competing online on like a
weekly basis. One summer time, I went from Berlin to the UK to visit a couple of
those friends and they're like, dude, look, everybody's wearing these Garmin
watches here, and they hooked me.
They sent me a bunch of blogs to read.
I picked one out and I've been basically wearing it every single day ever since.
That's been like seven years ago now.
And I've progressed from running to triathlon.
And yeah, I've just been a pretty heavy user.
However, unlike most of you probably, I actually use most of the fitness and sports tracking things.
So for me, it's not really an Apple Watch killer.
Apple Watch was never an option, right?
For the kind of distances and durations I do, the battery life.
Even if the feature set is good, the battery life would not be.
So it was basically between Garmin.
Back then, also Polar and TomTom had watches.
Polar still does.
There are a few other up-and-comers.
TomTom has left the market since I've started with the 935.
And I got that basically just as it launched.
Used that for basically solid six years.
And then I handed it down to someone who's still using it.
So, yeah.
And the only reason I even upgraded to what I'm on now,
which is the 955 solar, is because I got it as a, as a present. So, yeah, these things just last forever.
Very nice. Well, speaking of presents, you got me my Garmin watch, which was a really kind gift. Thank you. So I got the 255, but Chris, you got a watch recently, didn't you?
I got the 265.
I had to outdo you, Brent.
I mean, not intentionally.
No, I'm used to it now.
I'm used to Apple watch prices, so when I saw the Garmin watch prices, I thought, oh, these are a great deal.
And the watches are just sort of incremented in slight capabilities, so the 265 brings an AMOLED screen that supports touch. And I thought, coming from the Apple Watch, I might want that.
You do sacrifice a little bit of battery life,
but again, I had to charge my watch once a day on the Apple Watch,
and I'm charging the Garmin like once every seven days or so,
depending on how much I use the workout function.
And so I'm curious what you think.
I mean, we touched in Self Hosted recently about my foray
into some more open data gathering for some of these watches, which was a really attractive approach for me.
But why for you is this the Apple Watch killer?
Like, I'm curious how that transition is going.
Are there functions that aren't quite working out for you or are you a happy duck over there?
Longtime listeners know I've been making this transition to Graphene OS, but I was still carrying the Apple Watch in part because I was using it to receive
iMessages, but I solved that with Blue Bubbles. I didn't need the Apple Watch as much anymore.
And you'd gotten your Garmin and you were happy with it. And I'm a big fan of good sleep tracking
because I've got pretty bad sleep apnea and I just kind of like to keep an eye on it. And a good sleep
tracker helps me do that.
And I like to swim in the summer and go for walks and so why not have some tracking?
Every now and then the little challenges and the silly gamification actually is just enough to push me over into doing it when I would otherwise sit on my butt.
So I picked up the Garmin 265 and I immediately could tell it was a more traditional watch than the Apple Watch.
The Apple Watch feels like a computer on your wrist.
This feels like a watch with computer capabilities,
but also feels like it has first-class sleep tracking
and built-in nap detection and stuff that monitors your blood oxygen and heart rate
and all this stuff that's really good.
The sensors are really top-notch.
But what really pushed me over, Brent,
was that it completed the Graphene OS picture
for me. And that is contactless payment. I got to be honest with you. That's why I pulled the
trigger on the Garmin watch. Because when I switched to Graphene OS, I lost any kind of
wireless payment. And I don't really want to use the Google solutions anyways.
But around here,
credit card skimmers are becoming more and more popular, especially at the gas pumps,
which is one of my primary uses of my debit card. And so I prefer to use tap to pay there.
And the Garmin pay system is so good because what they're really doing is the most low tech
obvious solution possible. And so it's super solid. They just configure the little like NFC
chip in this thing or whatever to essentially transmit the same thing that the little chip
on your debit card does. So it's the same tap to pay system. Your debit card doesn't have an
internet connection and the Garmin watch doesn't require one. You can be completely offline,
no phone, no internet, and you can still do tap to pay with your watch. It's so, so great.
You know, we were out in Montana. Kids are at the pool and swimming for a couple of hours.
Everybody gets hungry. I'm in my swimming shorts and I'm wearing my Garmin watch. I can walk up to
the kiosk and I can tap to pay with my watch. No phone, no internet in the middle of Montana and
buy some hot dogs. It's really great.
If you remove the watch from your wrist, it can detect that and then it will ask you to enter a passcode before you can start using it again.
And that was the critical functionality that I was missing in a Graphene OS based phone.
You know, I just wanted to have that.
I was living without it.
It wasn't a total deal breaker, but it really completed the picture.
Now, all the other features like the sleep tracking, the great fitness tracking, HRV status, which is really cool.
All that's really nice to have.
And I love it.
But the tap to pay is what sold me.
I'm curious, Tomasz, have you used the tap to pay?
Yeah.
So I haven't, like I said, I haven't switched to this watch because I felt like I needed it.
But once I did have it, it became basically my de facto backup at any point, any given point. So whenever I go on my long bike
rides out of town, if I get stranded, I don't know, my phone falls out of my pocket, don't have it,
battery dies, whatever happens to the phone, the watch's battery, like you said, just lasts for weeks on end.
So I know that I always have a payment method with me that I can rely on.
If my bike breaks down or whatever, I can still get back in.
I can buy bus tickets and get back in to pay for a taxi or whatever I want.
So yeah, I do make heavy use of it.
And it's definitely a peace of mind that you always have something on you and you don't
have to carry your wallet.
So a hundred percent.
And, and Google's not in the picture, right?
Google's not involved with the process, which I appreciate.
That's a bit of peace of mind too.
Yeah.
With the way you described it, Chris, it sounds like this is the modern cash.
Like it's a low-ish tech solution and you don't need internet connectivity, but it does
everything you need it to.
Yeah, it works.
And anything that does wireless payment, it'll work with.
Now, if we're comparing it strictly to the Apple Watch, I have to be honest, it doesn't have a virtual assistant, right?
So you're not holding down a button and talking to Siri, which means for me, I can't hold down a button like Dick Tracy and add a reminder, which I miss.
Not very many apps.
Then again, not really a big use case for me on a watch. They do have hundreds of watch faces, though. So where Apple
has like six, the Garmin has hundreds. Maybe only one will work for you, but there's lots to choose
from. And then it has all the other kind of, you know, kind of smartwatch features you'd expect,
like you can do a little timer and a stopwatch and do all that kind of tracking. But to me, it really, it really was the perfect kind of price.
I think it was, I don't know, I think I got it, you know, just below 300 or something like that,
or around 300, which is cheaper than an Apple Watch. There's lots of bands for it, so it has
kind of that community support. And then like we talked about, there's Gadgetbridge, so you can use
open source tools. That's in Self-Hosted.
More information there. And it all
kind of completed it for me.
I think I'm
100% Graphene OS now.
I mean, I still have the iPhone around, but it's just
sitting
on a table.
It's pretty big for me. This is like quite the journey for you
in this Graphene OS, like this de-Googling, uh,
and de-Appling ecosystem, is really what you've built,
right?
For yourself.
I'm curious.
Are there like accessories that you've used with your watch?
'Cause I'm like still learning all the different things that are,
that are possible with it.
But, uh, have you tripped on over anything that's really useful that I can benefit
from basically?
Yeah.
You know,
I'll throw a couple of links in the show notes.
One I got because I just think the proprietary charger cable is fine.
You know, the little connector.
It's just like a little proprietary connector that goes to USB.
It's fine.
But I wanted to get something that I could just put on the end of any USB-C cable.
So they have a little adapter you can get on Amazon, which I'll put a link in the show notes.
And you just put this little adapter on the end of the USB-C cable and it adds a proprietary connector.
And then you can plug that in to the watch to charge it.
And it's not really a big deal.
The first time I had to charge the watch, I actually lost the charger because I'd gone so long since I unboxed it before I had to charge it.
So there's that.
So I wanted to have one everywhere.
And then kind of unrelated to the watch, but something I think both you guys should consider is I know because you both have Pixel 7s. I personally have not been satisfied with the
sound that comes out of the Pixel 7. I have the Pro, to be clear, Pixel 7 Pro. Like I listen to
podcasts. They're OK. Definitely music sucks super bad. A lot of
YouTube videos suck. It's kind of almost like a harsh, tinny, painful sound when I'm really
listening to it loud. And I came across the Stormbox Micro, which is a wireless Bluetooth
10-watt speaker that sounds great. And I went the little extra step and mounted this to the wall in
my bedroom.
And so what I do is when I go to bed, I turn this thing on.
It connects to the Pixel.
I listen to my audiobooks to go to sleep that way,
and then after about 30 minutes of inactivity, it turns itself off.
The speaker turns itself off.
So it's been a really nice addition.
So I'll link to both those accessories, Brent,
because I think you'd like both of them.
If you have any watch stuff, Tomasz or Brent, if you guys have any other accessories, we should put links to those.
We'll kind of collect some of those in there because they're kind of compatible with the whole range of Garmin watches, which is nice.
So you can have the 255, the 265, or whatever else they have.
I think a lot of those accessories all work together.
Yeah, I got to say those USB-C to Garmin connectors are the staple.
Anybody who's got a Garmin watch should have one.
It's like one less
cable just tangling in your back somewhere that you
worry about. So,
yeah, for sure. Also,
do remember that these are
basically non-proprietary watch
bands, right? These watches just accept
normal watch bands because
there is apparently a standard for watch
bands that have existed for hundreds of years.
And Garmin decided to not reinvent the wheel, right?
So, yeah, if you don't like any of the Garmin offering,
which can actually be quite pricey,
there are so many options.
Then there's just...
I had a...
Well, there's no easy way to say this.
Brent was right.
And I hate to admit it.
I hate to admit it.
Can we get that in a more clearly, easily cut soundbite format?
Brent was right.
Wait, we have a soundtrack for that, right?
Don't you have like a button over there for Brent was right?
No.
Surprisingly, we've never had that button.
Okay.
Well, audience, please boost in what sound effect you would like for Chris being wrong
and Brent being right.
So a while back you said, you got to get Obtainium.
You know, are you even Graphene OSing if you're not using Obtainium?
And I said to you, get out of here with your yet another damn app store.
I've got Aurora.
I've got F-Droid.
I've got Play.
I had some other thing I was trying at the time.
Get out of here with your Obtainium, I said.
But now, many months later, having, for some reason,
listening to you and decided, okay, I'll go try it.
Realized you're completely right. And if you can, you really should only be using Obtainium.
Don't use any other app store. I know it's crazy, but I'm going to go as far as to say, if you can.
What a nice combination of a super minimal OS that's secure by default with Obtainium on top of it for installing stuff.
Here's what it does.
Obtainium allows you to install and update apps, APKs, directly from their release pages on GitHub.
And you get updates and notifications like they've just been released to an app store.
You completely take out the middleman.
Now, obviously, this is for more advanced users.
Again, security is an individual thing.
Yeah, there's no Play Store scanning and doing anything, which can be a plus or a minus, I guess.
But, you know, there's been a couple of apps over the years, Wes, that I've had rugged by the Play Store or by Apple.
And to be honest with you, the straw that finally broke the camel's back to get me to leave iOS and go to Graphene OS was Apple's App Store policies and the shenanigans they were doing with certain apps, capriciously saying you can't have this individual feature, these individual words, just really small things that were then altering and disrupting the end user experience because reasons.
And that's when I decided, well, this isn't a computer.
This isn't a device that I get to decide how it operates.
This is an appliance like a Nintendo Switch, and Apple makes those decisions.
And I want for a device as important as my phone to have it under my control.
And that's where the Graphene OS journey started.
And then also I wanted to de-Google.
And Wes, you've made this point as well.
It's like, is it even really your system if you can't install and manage software that you want, install from sources that you want?
And if you have apps that you know and trust from open source developers, why not just deploy them directly?
Why wait for F-Droid?
Why wait days for F-Droid to get the update?
One of the main attractors for Obtainium for me, which was, I guess, maybe almost a year ago.
So, Chris, you're lagging behind on this one, is that I was able to receive software from trusted open source projects before they hit these repos.
And that ended up in a couple of situations being super important for me, either because of interest in new features that were coming out that I really, really wanted to have access to.
Or occasionally, as you know, my bug field is strong.
So occasionally I would find bugs in a version and knew that it was fixed, but just didn't
have access to it.
So Obtainium allowed just like such a direct connection to that software.
Yeah, it means maybe it's, you know, only vetted by the project itself and not by other
users and things like that.
But in most cases, actually, I've been
super happy with the results.
And I think you might like that too,
Chris, since you like all the new features
trickling down to your phones. Yeah, for sure.
We do have a couple of public service announcements,
though. If you're going to use Obtainium, you
probably want to log into GitHub
and get a
personal access token. Get your PAT.
Get your PAT because you're
going to get rate limited eventually.
Obtainium will do an update to Obtainium
and then everybody
launches it and checks for updates
and then GitHub rate limits the app.
And so every user that's just using the built-in token
is going to get rate limited. So you probably
want to take care of that.
It's pretty easy to do.
And then, Brent, you have a hot tip just based on your longer-term usage.
I do.
I would recommend once you, like, have a bunch of applications listed in there with, you know, the links to their GitHub, that you just somewhat regularly do an export of those subscriptions.
I've had once or twice where I would update Obtainium and it would just lose my entire list of subs basically. And that is somewhat crushing.
So I would recommend export them. Maybe you don't need that and you won't run into the problems that
I had only twice in the last year, but you know, that's twice enough. But it's a, you know,
quick little thing you can do and they
have an excellent export function in the app. But, um, that might help you out in a place where I got
caught. And now it is time for the boost. Thank you, everybody who boosts into the show. It's a value
for value production, so if you get some value or it made you think about something or you want to see
the show continue on, you can always help us by boosting or becoming a member.
And we got some live boosts this week as we're recording.
Open Source Accountant came in with 2,500 sats and said, I had a great time at the meetup.
My wife wasn't sure if she's going to go and enjoy herself or not, but she ended up feeling
extremely comfortable and said, quote, I want to go to the next Linux convention too.
She also asked if there was going to be another mini-fest.
You know, I don't think there's currently been planning.
I have been so busy that I haven't really attended most of the current LinuxFest meetings,
but I'm going to start poking my head in there and I'll have a better idea.
I don't think there's plans for a mini-fest.
I'd love to do that though.
Do you like a JB mini-fest maybe someday?
It was great to see you, Open Source Accountant.
Also, we had Anonymous Podcast Guru who came in with a row of ducks, 2,222 sats, and says, love the show, guys.
Keep up the great work.
Thanks for the live boost.
You can listen live.
We do the show on Sundays.
And if you have a Podcasting 2.0 app now like Fountain or Podverse or Castamatic, we'll show up in there just when
we're live and as part of your library podcast. And that can be on your phone or, uh, you know,
those have web apps too, so it could be right on your desktop. That's true. Or you could just,
the secret, you can also plug jblive.fm into anything that does an MP3 stream. Yeah, real simple. It is pretty simple. Hey, Rich Lobster!
Wood Carver comes in with 121 sats.
Wood Carver is our baller booster.
I hoard that which your kind covet.
Just a gigawatt boost to support the show.
Just?
Just?
Yeah, just, yeah.
I get it.
121 gigawatts.
I don't think I have Doc on the soundboard, but I should.
If that was the thing, I'll put Doc Brown on the soundboard.
I love me some Doc Brown.
I think we need to now.
Woodcarver, thank you very much.
Appreciate that.
That came in via Podverse.
Hybrid Sarcasm comes in with 47,999.24 sats.
Four score and seven boosts to go.
You know, Hybrid did mention having some problems boosting in, maybe some temporary node
issues, so maybe that's where the 24 comes
in. Who knows? Could be.
Hey Chris, I want to encourage you
in your situation with your son's
laptop. Don't feel bad for one
minute about installing
Windows. I know you know that your relationship to your kids is way more important than advocating
for software freedom. Father to father, there's plenty of time to convert them to open source
software. For now, do what's necessary to create every wonderful memory you can.
Oh, that's some wise words there, Hybrid. You know, I was braced for the question to come up
on the trip because they brought their laptops with
them. You know, they're with Dad for quite a while.
It's plenty of time to get this done.
Didn't even come up once.
In fact,
not only did Dylan have to pivot to
Linux-only games, but
he had to pivot to offline games for quite a bit of it too,
which was interesting. And then my daughter just read. She just
didn't even bother with her laptop.
That's great.
So it didn't come up at all.
I don't think it's dismissed, but I think Linux lives another day on those machines.
And it helps, right, when it's the games they want to play are available.
It's a lot easier.
So I'm trying to encourage that.
We'll see.
But I think Hybrid's right. Like, ultimately, I could, I could perhaps capitulate on
this battle and live to win the war long term. You know, maybe, maybe Dylan would have experienced the
CrowdStrike fun and that would have, uh, you know, eventually brought him back to Linux anyway.
Plus, sounds like Hybrid might have been volunteering, if you do have to go Windows,
to be the admin, right? Is that what I... No? Oh, yeah, I think, yeah, I think you got that. I think that's right. Now Rotted Mood boosted in
two boosts for a total of 35,000 sats, using Castamatic specifically. And these were a little
special. We noticed them earlier this week: 10,000 sats and another message, 25,000 sats, but no
messages provided in there. But, Wes, we dug into this a little bit and there's something interesting going on. Yeah, it looks like these were boosted to the members' live version,
which previously, I don't know how long that we've been picking those up.
Ah, right. So normally in the past we've had issues, um, with Podcasting 2.0 apps. Yeah, well,
and our private you know our member feeds because they're private feeds, they're not
on the podcast index.
It confuses the apps.
Yeah, so it looks it up by the API.
The API returns that feed.
It doesn't exist because these are individual private feeds for each member.
So if I'm reading the boost metadata, right, Rotted Mood boosted in by Castamatic to a
member feed, which maybe is new or at least kind of new.
Cool.
Does make us ask, though,
was it intentional? With no
message? Yeah, did it kind of work?
Or were you just sending some sats? Either
way, thank you. Yes, thank you. And
kind of fun to help us test this new stuff out.
Can we declare this the very
first set of sats sent to the
live Unplugged members' feeds?
No, I don't think so,
but maybe the first that's made it into our script, right?
Yes, I did have to update things so that we catch that now. Yeah, so it's, you know,
it's an evolving process. Nerves comes in with 20,000 sats. Why not, uh, when is Brent installing Gentoo?
The important questions being asked today. Okay. Good question. Oh, these are hard ones. Well, I would ask you three gents, when do you think I should do this?
And also, I have a particular challenge if I'm not happy with any of your answers.
I wonder, would it be a fun thing to do at like a Linux Fest or another event where we're live?
And when we didn't have like something actively going on, we could check in on the Gentoo build.
Something like that, you know, like a special event.
It feels like it should at least be a stream of some kind.
Right, where there's plenty of air to fill anyway.
Yeah, we could be doing a couple other things,
like a variety of things going on
and we go in and check in on the Gentoo build every now and then.
And how long do you think it would take in this modern day?
Oh, I would be surprised if you couldn't get it done in a couple of hours.
It depends on which
So you have options now. I mean, with Gentoo, most people just do like a stage 3.
So you'd probably do... I think, if I'm recalling correctly, you'd probably do like
a stage 3 install, which is pretty much everything's built for you at the real lower level, and then
you're just building stuff on top of that. I mean, it really also depends on the machine. So if we
wanted to be jerks, we could stick you with a really old computer.
You know, I have one in mind. 32-bit, 32-bit.
I have a system in mind.
You've got one right beside your chair there.
We could always turn it into a competition next time we do a meetup in Berlin.
Yeah, there you go.
So can I bring my support crew with me?
You guys willing to go to Berlin with me and help me do this?
Absolutely for this.
I'm curious, Tamás, have you ever installed Gentoo? No.
Never.
I did it once.
I did this once, Brent,
but it was like almost
10 years ago.
This could be good.
Yeah, boost in, folks, with your Gentoo
status. I have a challenge in mind.
I think, let's say, well, we have to discuss this first before we lock it in.
But if like 23 people boost in that I should do Gentoo, then I will.
23?
I'll make it random.
23?
Mm-hmm.
I think just 200,000 sats.
Oh, let's do it.
Because 23 boosts, that's a lot.
That's a lot of people.
Just like, it's got to be 20,000.
It's just a lot.
It's a big job.
All right.
Well, there you go.
200,000 sats.
That's when Brent will be installing Gentoo, Nerves.
Thank you for the boost.
I think, although I'm not really sure that's a genuine thank you, because you may have
just somehow roped me into installing Gentoo, too, and I'm not really sure how that worked
out.
Hybrid sarcasm comes in with
20,000 sats. Make it so.
This one's directed at Guy and Master
Brantley. Have you considered using
a single machine to run multiple virtual
machines or containers?
This would allow you to offload the burden from
your laptop and possibly could be less costly
and more power efficient, at least
with the right hardware. This is a response
to your multi-machine lifestyle discussions.
It's a good idea.
I think it's likely a bad idea because of my internet reliability over here.
What?
So if it was a local, you know, only local systems, that would work great.
But one of the main reasons I have been on this journey to like add somehow add more computers to my life
is because I recently signed up to a co-working space which is you know a 20-minute drive away
and they have amazing internet over there so I can do like tons of great stuff over there but
it's a dedicated machine for exactly the kind of workload I'm doing in that space so in that way
I don't know if I would benefit from this VM strategy, but it's an
interesting exploration. You seem like you'd be a Qubes OS guy. Well, is this another install
an OS challenge? Maybe. Put that on the back burner. You're right. He does that. He does seem...
I know. I know. I know. Never put that together before. Fuzzy Mistborn boosted in 1, 2, 3, 4, 5 sats.
So the culmination is 1, 2, 3, 4, 5.
Now Fuzzy says, I've been using desktop Linux primarily now for over four years.
First it was Pop!OS, then it was EndeavorOS, and now Fedora KDE.
Just got a Framework 13 and I haven't had any issues with it.
Long live the year of the Linux desktop.
Hurrah to that.
Long live the Linux desktop.
And congratulations on the Framework 13.
That's exciting.
Let us know what you're doing with that, what you're running on that.
You know we're tech guys.
We want to know everything.
If you want to tell us the specs, the distro, you know we'd love to hear it.
Gene Bean comes in with a row of ducks.
He writes, I'm boosting the JB crew, the fountain bot, and my podcast app, Castamatic.
I phrase it this way because of your boosting ad.
One of the things that I think we don't talk about enough, thank you, Gene, when you boost the show, not only is it getting split amongst all of us here, the host, Drew, the network, but also it's going to Fountain or
whatever app you're using, maybe Castamatic, and it's helping the developer. And a portion goes to
the podcast index in most cases, too, to help the podcast index project. So there is sustainability
built into the app development and the infrastructure behind it while you're supporting the content that you like.
It is a really slick system.
So thank you for the reminder, Gene.
Caden comes in with 2,000 sats.
For work, I have two different VMs depending on the VPN software because some don't play nice with each other.
Interesting.
I log into about 15 different computers every week for development or support.
Most of our servers just use RDP, to my dismay.
For personal, I have Tailscale with RDP and SSH over it.
It's enabled on pretty much all but a few devices.
I'm also looking at setting up a bridge between my network and the family's
so I can offer support when needed.
I'd be curious to know how you pull that bridge off, Caden.
The thing that I'm liking here is you run an RDP or SSH,
but you're doing it on the tail net.
I think that's the way to do it now, or whatever private network you do have.
I think that's the ninja move.
Satoshini boosted in 7,500 sats.
That's not possible. Nothing can do that.
They say, hey, why aren't you using your own nodes over there?
Everybody at JB just using custodial services. What's with that?
I mean, we do have a JB node.
That is true.
And that's what we started with.
But then we needed a way to have wallets for each host so we could do the splits.
And that's where the balance of using a self-hosted and custodial system
is actually kind of nice because our node's on Tor,
and from time to time the Tor network is just crap,
and, you know, it'll time out.
But the custodial service is on ClearNet, and that works.
Or custodial service, in this case Alby, has an outage,
but our node's online.
And so it's kind of been the perfect balance of when one thing's out,
the other tends to be online,
if anything's out. However, that said,
we will probably
over the next year all be using,
with some caveats,
either self-hosted solutions
for our nodes or a different backend
technology like Fedimint.
But keep on it. Check back
in. Make sure we do it.
And keep us honest.
Bear 454 comes in with 5,000 sats.
B-O-O-S-T.
I said Chris sent me over an excellent pick in 567.
Lotus is my go-to notes client now.
That's L-O-T-A-S.
So Lotus?
Lotus?
It's Iotas.
Oh, Iotas!
Right.
Yes.
Okay.
The RESTful background sync to Nextcloud is really a game-changing feature.
Yeah, that's what we've been talking about after the episode two behind the scenes there.
That does seem to be the big thing.
I hope I can return the favor.
I've recently discovered and started using...
Celeste.
Celeste.
It's for file sync.
It has a Rust-based GUI.
Oh, there it is.
And it's working around Rclone.
And while it definitely needs to mature,
I'm already finding it more reliable in some cases
than the Nextcloud desktop client.
Plus, I can finally use my Proton drive space
for a redundant backup.
It currently supports Dropbox, Google Drive, Nextcloud,
ownCloud, PC, or pCloud, ProtonDrive, obviously,
and just generic WebDAV
with one unobtrusive tray icon showing status.
Ooh.
Yeah, this is really nice.
So you get one really solid sync app
that supports multiple backends.
Plus maybe it's just a little bit better
syncing to Nextcloud or a little cleaner or whatever.
That is a great idea because on my system, it supports Dropbox too,
so I could reconnect to my old Dropbox.
That's a great pick.
So Celeste, we'll put a link to that in the show notes
because I think I'm going to switch to that.
That's really slick. Thank you, Bear.
Remaking Eden comes in with 5,000 sats.
I want to thank Brent for recommending the Garmin watches.
After a long hiatus from smartwatches after my pebble,
I am now happily rocking a Garmin Instinct 2 Solar.
Oh, those are so cool.
With 20-ish days of battery life, a subtle non-distracting screen,
and some really cool metrics like stress and body
battery.
Yeah, they sound silly, but they're actually pretty neat.
Finally, with its solar capabilities, if I turned off the smart features, it can run
essentially unlimited as long as it's getting decent lux.
What I like about this, so this range of Garmin watches is really impressive, and it really
is a different take on the smartwatch, right? Like, why
not have a watch that just has some nice capabilities and it can go for days, in this case
20-ish days? It doesn't need to be a slimmed-down iOS device or a slimmed-down Android device.
Maybe I'll change my opinion. Maybe the next Pixel Watch will change my mind, but that's how I feel right now. You know, you really should say thanks to Tomasz because he
got me into this ecosystem. And I feel like with Garmin's, it's like a, I don't know,
a pyramid scheme or something. So send me your kickbacks. I'll send them to Tomasz and he'll
send it to his friend who recommended it. My wallet is open anytime. We did receive
10,000 sats from Irm saying simply, have some sats.
Oh, thank you, Irm.
Appreciate the value there.
VT52 came in with 2,000 sats and writes, I wrote a blog post about switching to Flakes, which I hope can help Chris make the switch.
I love this.
Wes has also been getting me to use Flakes.
And it's very successfully so.
Only on one system.
But I feel like it's going to
take off because I'm going to need that software on all my systems. Wait, wait, wait, wait, isn't this
the very first mention of something? No. Oh, for this segment? Wait, is that how it works? We need
to write it. It's no longer clear. Yeah, yeah, the problem is, once you take the shots, is we can't
remember. This is a really great post, though. We'll put a link to this in the show notes. Um, I really like the way this is structured. Super easy to follow. Well done. That is it.
Everybody should write guides like that. Thank you, VT. That's really great. Yeah, if you want to get
Chris to do something, I guess that's the way. Yeah, I think so. Eroc comes in with the two rows of ducks.
things are looking up for all but duck.
Long time no boost since switching from Podverse to Audio Bookshelf for almost all of my listening.
Ah, yeah.
Dang.
You can boost from the web now.
Consider this another vote for continuing Linux desktop coverage.
When I was just getting back into Linux after bouncing off of it in college during the Ubuntu
12.04 era, I wound up coming back to
Pop and over time found my way to Fedora, then Ubuntu again, then Fedora again, and now planted
on Bazzite. None of this would have happened if your coverage didn't highlight the Linux desktop
experience. With regard to if I daily drive Linux on my current Dell laptop, I do, work as a Windows shop, so I run Windows there.
I'm very, very close to converting my desktop to Bazzite as well, since I'm happy with how
it runs, and it just picked up 6.1 recently, which will make using my NVIDIA card less
of an issue.
It's going to require time I don't have, though, because I've got a lot of NTFS drives I'll
need to offload to another drive and reformat those disks
to play nicely with Linux.
Well, as far as NTFS goes, I mean, read-only works great.
Although my brother recently learned that if you accidentally unplug those drives, then
you can't really check them very easily on Linux.
So mileage may vary with your NTFS.
Now we have this guy NoblePane boosted in the row of ducks.
Yeah, I sure did.
This was a Coinbase lightning test boost.
So for a long time, Coinbase had been talking up getting lightning support built in.
I wasn't tracking it that closely, so I don't know exactly when it actually landed for real,
but it's there now.
So that means you can send sats.
If you have Bitcoin on Coinbase, you can just send sats directly. And then with, as Chris was just mentioning, you can now boost from the web by a lightning invoice on Fountain. So you don't have to log into Fountain at all. Go over to the Linux Unplugged show page, generate a lightning invoice there, and then you can send lightning directly from Coinbase right to the fountain invoice.
And now you've boosted us.
And it's going to get even smoother than that.
But that's getting pretty good from where we started just a little while ago.
So nice to see.
Try it out.
And I know some folks, you know, if you already got sats locked away on Coinbase, they're a lot easier to move now.
Anonymous podcast guru user comes in with a Spaceballs boost, 12,345 sats.
Yes, that's amazing.
I've got the same combination on my luggage.
Ah, a first-time booster.
I eventually managed to get my Alby account loaded up to send y'all some sats.
Love the show.
Keep up the great work.
Well, Podcast Guru user, thank you for actually setting up the whole process.
I know it's quite the journey.
We appreciate those who climb the mountain.
That's right.
We really do.
Thank you.
Oat comes in with 5,000 sats.
It's not the distro.
It's how you use it.
From Podverse.
Longtime listener, occasional booster.
Hello.
I'm thrilled to hear about FUTO.
FOSS Android needed an open keyboard with local voice to text.
Yeah.
I do have one suggestion for you guys.
When talking about new software, would you mind including the license it's under?
To me, the license often makes or breaks whether I'm interested in a piece of software at all.
So it would be nice to know at the outset of the conversation.
That's good.
I think we could try to do that more.
We'll have to try to make a note of that, but yeah.
Certainly an important aspect.
Yeah.
That's a good piece of feedback.
And it's been a great keyboard.
I've been using it since before we talked about it on the show, by a couple of days. Still using it. Yeah, same. I mean, I wouldn't say the voice
dictation is as fast as Google, but it's surprisingly good, and it's sophisticated enough where you
don't have to do like the comma, question mark, period stuff, because it gets all the intuition
or indentation, or whatever it is, and it just does it. And so when you say that, it just includes it in the text.
I think the only thing I would love, the two things I would change today if I could about the FUTO keyboard, add an emoji search, right?
Get a gosh darn emoji search in that thing ASAP, boys, ASAP.
And then, oh, man, I would love to get the frickin' language selection off of the frickin' spacebar.
If you want to press in to use it as a cursor mover to like move around, you know, like you would like a mouse or a trackpad,
you have to somehow do it quick enough or on the edges of the keyboard that you don't actually hit the word English
because if you hit the word and or you triggered for too long it opens up the keyboard
selection which
I never need and the cursor function which
I need almost any time I'm writing a
lengthy reply and it's
so have you had this yet I don't think so
it makes me so I can tell
oh can you tell I gotta try
it burns me up
and I I just wish they'd
really just give me and I wouldn't look in the settings like,
just let me turn that off.
Just let me turn off the language selection entirely.
If I want to change the language of my keyboard,
I'll go into the settings.
So, Chris, I think it does have emoji search.
It might just not work the way you think it does normally.
So you don't go into the emojis setting.
You just start typing your word,
and if that word actually corresponds with an emoji,
it'll pop up with a suggestion.
Yeah.
Yeah, that's okay. I like
that. I'd like that in addition to emoji search, you know, because sometimes, like, I want to
be inspired. You know, like, I don't know, just sometimes you want to search for your emoji. And
the other thing: they also have a dedicated voice-to-text keyboard which actually supports many, many
languages, and which is why I use it, but it does work better than the one
that's built into the keyboard.
And you can hook it up so that the voice
button on the FUTO keyboard
doesn't activate the built-in
voice-to-text, but the
secondary voice-to-text app, so it's
integrated pretty well. I recommend
giving that a shot if you haven't already.
That's really nice. Good tips.
David Foley boosted in 2,001 satoshis.
Coming in hot with the boost!
Long-time listener, first-time booster,
keep up that great work.
Woo!
Right on, David Foley.
Thank you for taking the journey.
Appreciate it very much.
I boosted from the web
using FountainWeb at linuxunplugged.com
slash boost!
Bobby Pin comes in with 10,000 sats. Whoa. Thanks for reminding me that the podcast app gets a bit of these sats. This is a
great way to monetize without feeling like the dev is begging for money or plastering ads everywhere.
Love you, Fountain. VMAX comes in with 5,000 sats. Chris, I hear you on the Sophie's choice of Linux gaming.
In case it helps, Overwatch is and always has been a flawless Linux gaming experience for me.
When the friend group is in a team shooter mode, it scratches that itch, and they're willing to
switch to it so I can participate. In terms of other good Linux games that are mainstream,
Helldivers 2 is also flawless on Ubuntu 24.
These days, anti-cheat Linux gaming feels like being a vegan at a barbecue joint.
Well put.
VMAX, well put.
And I will check out Overwatch.
I've heard it mentioned lots, but I've never actually checked it out.
I'll give that a go.
Thank you.
Linux Teamster boosted in 5,000 sats.
Hey, Chris mentioned being a CPAP user.
I'm new to the CPAP lifestyle, and I was wondering what your thoughts are about Sleep HQ.
I know it's not self-hosted, but it seems like a great way to use and analyze the data.
What do you think?
So I never really went down this rabbit hole, although I've thought about it a couple of times.
So Sleep HQ is an online dashboard, and I guess, probably, I think it has like a community aspect as well to it.
Um, and it gives you data to review, which I'm a big fan of. So I probably should have
looked into this more. I know there are also some, like, local solutions as well.
I'll tell you what, um, maybe Editor Drew will have a few notes for us, because I know he's gone down this rabbit hole before as well, and we'll relay them in a follow-up episode. I'm really on
the fence. I don't know if there's other listeners out there that have CPAPs and if you've monkeyed
around with getting data out of them and if it's been worth it to you. I'd love to know. What I've
been doing so far has been tracking with my watch and kind of getting insights from that direction,
but it seems like the next logical thing to do would be to get insights from the machine too.
Soggy Waffles 1984 comes in with 2,000 sats.
You're doing a good job.
You know, in this case, I think some of the value in Value for Value is just coming from the username.
Yeah, that's great.
Although, you know, if the soggy waffles are soggy because there's a lot of butter and delicious maple syrup, that's a good reason.
I was just listening to Episode 570 and I'd used autossh years ago. I was the sysadmin for a five-station radio group in North Texas. We had a remote transmitter that was a two-hour drive to get to. So we did a lot of interesting things to keep us from having to go out there.
Nice.
We used to use Barix boxes to stream our audio all over that cellular network.
I then used autossh to keep the remote side connected so I could then tunnel over to check the stats and such.
Thanks for the shows, guys.
You know, we're using a Barix box right now to live stream, Soggy. So there you
go. We're autossh users and Barix box users over here as well. Thank you for that boost. We'll
put a link to both autossh and the episode in the notes. Jordan Bravo comes in with 11,111
sats across two boosts. As I listened to Brent explain his issues with Tumbleweed,
I had just today set up my wife with a new laptop running OpenSUSE Aeon,
which is the immutable version of Tumbleweed.
My hope is that it will be impossible for her to break.
She's a casual user and all of her desired apps are available as Flatpaks.
The rolling release nature means no risky upgrades.
I'll report back in a year.
I think that's a pretty good thesis. I'd like to know how it goes.
And then Mr. Bravo comes in with a pick for us. I recommend an Android app called Grayjay.
Similar to NewPipe, it's an alternative privacy-preserving front-end for services such as YouTube and also supports other sources such as PeerTube,
Odysee, etc. It's backed by FUTO, which also funds Immich. The only downside? No iOS version,
which I think is tricky because of limitations, both technical and those, you know, Apple App Store policies. This is a great call out. So grayjay.app. And the idea is that you can follow creators across platforms.
So one app and it helps
keep you private but it'll also
plug into things outside of just YouTube.
So it's like NewPipe
but more.
And that's a really slick
pick. Thank you, Jordan Bravo. Grayjay.
We should put a link to that in the show notes too.
We're going to have a lot of links in the notes. You guys are coming
in strong with the apps and the links and the picks. Thank you, everybody.
And Bronzewing boosted in 6,666 sats. Oh, this is the way. And this is three rows of ducks.
The first one: new Nix punishment idea. You all wear shock collars, and the first person to mention Nix gets a zap. Oh! Oh!
Oh! I don't know
about this one. I've been zapped by an
electric fence that was trying to keep some chickens
in a particular area and that's not fun.
So I... I got some
bad memories on this one.
Smoke if you got him.
Second boost here, I use CrowdSec to
secure my servers. It's like fail2ban
with crowdsourced ban lists.
Also, I listened at 1.25 speed.
And here's me ranking you all in speech from slowest to fastest.
Brent is definitely the slowest.
But Brent is slower than Alex, who's slower than Chris, who is slower than Wes.
I would have guessed I talk faster than Wes
I'm just getting old I'm slowing down in my old age
I wonder if you went back and listened to episode 100
if I was a faster talker
definitely higher pitched I'd say
I'd say so
CrowdSec nice call out
again jeez
this is a loaded with picks
boost segment we'll put a link to CrowdSec
in the show notes.
And the last boost here, speaking of multi-machine life,
every time I think of running a VM,
I just end up buying another small-purpose computer.
I've done this for Home Assistant, Blue Iris,
and now, thanks to Chris, BlueBubbles.
Oh, really?
Now, is this a Mac or is this a non-Mac?
Somehow running macOS and BlueBubbles
is what the implication I'm getting here.
You're right.
Actually, speaking of BlueBubbles, I know the draw is for Android users to participate, but I'm using it a bit differently.
My wife and I both work from home, and a lot of our work ends up going through text.
We both must use Windows boxes for work.
With an iPhone, you can do SMS forwarding in BlueBubbles.
So we get fully functional SMS and iMessage on our Windows machines, which makes texting far more efficient.
You can also use AI or copy and paste, you know, screenshots, et cetera.
It's actually amazing.
Yeah, I didn't mention this about BlueBubbles implicitly, but one of my favorite things is having a desktop client for iMessage on Linux.
And it's a Flatpak, which is great.
But also, once you have it everywhere, it's not a bad chat platform.
You know, I mean, is it any worse than, say, like, Twitter DMs? I don't think so.
So, yeah, there's something to it.
I think you're onto something there, Bronzewing.
Thank you for the update.
Oppie 1984 comes in with 4,000 sats.
Coming in hot with the boost.
Ooh, there it goes.
My 75-year-old mom spent her career using Microsoft Office,
and after she retired, she had a Windows laptop.
And after updating, it told her she had to pay for a subscription to Office.
She refused to pay and started using Google Drive for docs and spreadsheets.
But she hated it.
I finally convinced her to give LibreOffice a try, and she's sold.
She even recommended it to her friends.
So that's my recommendations for those trying to switch others from Microsoft Office to something open source.
The old LibreOffice.
That's a nice success story. Thanks for reporting in.
Definitely.
Alatar the Blue comes in with 10,000 sats.
It's over 9,000! It sure is.
I should clarify, while I've daily driven Linux for over 20 years, and most of it on Fedora,
I've definitely been guilty of following the crazy distro hopping crazes. Everything from
Ubuntu and Debian to Gentoo. I even did Linux from scratch once. And maybe even a little BSD.
Tried Nix for a bit, but thankfully
never Arch. I'm not that much
of an evangelist. Wow. Fedora
always feels like home, though.
Yeah, there is something
just very consistent about Fedora
in, like, the user experience.
You know, it just feels...
It does. It's like it's coming home to a family
house that you've spent Christmas at or something for many years.
It's really nice.
Amorphous Phage boosted in 5,200 sats.
I just found the podcast recently.
It's super interesting and it motivates me to play around with Linux more.
My PC runs Nobara as I'm using it for gaming and Python programming.
I also just obtained an older tower to try out different distros.
I've used Linux for years and I would consider myself a decent or advanced user, but not an expert.
Are there any conferences or fairs in Europe about Linux tailored specifically to private enthusiasts?
For sure there are.
Well, I can mention one.
FOSDEM would be a definite one to go see.
That was what I was going to say.
I just forgot the name
because I've never been.
I do have a lot of friends
who do go to FOSDEM every year
and they have a lot of good to say about it.
Last year, there was a keynote
from Tim Bernsley
that a lot of people have enjoyed.
So yeah, FOSDEM is definitely one.
Although do be prepared
that it is a little bit chaotic, from
what I've heard. It's not like a corporate, kind of well-organized, comparatively, thing like
the cloud native conferences, which I've been to a few of. And so, yeah, not the well-oiled machine,
more of a grassroots thing, but definitely recommend it. Yeah, I compare it to Europe's... like, it's like
Europe's SCALE, basically.
it's community organized
and people definitely
love it but I heard
yeah it's it's getting
popular enough that it's
quite chaotic but that's
a good place to start
It also says, by the way,
this is a zip code
boost.
5200. Hello to
Brugg, Switzerland, if I
got that one right.
Greetings from the country of watches and chocolate.
Okay, maybe I did.
Yeah, sounds like Brugg.
I don't know how to say it correctly, but it is perhaps the Swiss-German term for bridge.
So that's fun.
Ah, a bridge to where is the question.
Crybrite comes in with 12,100 sats.
I'm going to say that's how you say it.
Make it so.
Guix.
Guix. Guix.
Guix Challenge!
Prove you're not just a NixOS show.
Oh, this is boost number two for Gigawatt.
Oh, I see.
It's a different take on the Gigawatt, 12,100.
Yeah, so some background context for this.
I think there's some folks want to brew up a Guix Challenge.
All right.
Which is the GNU.
It's like NixOS.
It's immutable. It's got a lot of the same kind of, um, features and constraints, but backed by GNU and configured in Scheme.
All right. I mean, I'll say put it on the list. Let's, yeah, keep, you know, let's hear from
more folks and we could do it. Yeah, I think so. I mean, I'm totally down for it. I'll take the next
couple just to round us out. Pab comes in with 4,444 sats. Things are looking up for old McDuck.
Coming in from Fountain, writes, inspired by your rave about Plasma 6,
I had to give it a go on my desktop.
I lasted a grand total of two hours before scurrying back to GNOME.
I applaud their granular control and polish of Plasma 6.
That's just not my cup of tea.
The human interface guidelines have really stuck with me,
and now it's difficult to downgrade from the more Windows SKU workflow.
Great show.
Keep it up.
That's fair.
I think, you know, when I go back to GNOME, I often think this is so well done.
It might not have all the stuff I want, and I have to really kind of put together a collection of different apps to accomplish stuff.
And then once you've adapted, like your whole workflow is now modeled on the GNOME way of doing things.
Yeah.
That's a lot to, yeah.
Absolutely.
All right.
Rounding it out with Sully86, 5,000 sats.
Sully writes, I boosted maybe a month ago from the new, about my new framework.
Well, I couldn't wait and I pre-ordered, so I got the 13 Ryzen 7640U option.
I was more than pleased with it when it arrived within a week.
Everyone at work, an MSP, was more than impressed with the quality, though there's still small
things I can pick on, like maybe the speakers.
The overall build quality is great, though, and multiple people in my life now want one.
I've dropped NixOS on it.
Boom!
And I couldn't be any happier.
More desktop content now.
I'm a daily Linux driver, please.
Now that he's a daily Linux driver, he wants that content.
Congratulations on the framework, man. They must be selling these things like hot freaking cakes with delicious, legitimate maple syrup because everyone has one.
I feel like every episode we hear about somebody in this one, too.
Yeah.
Where's your framework at, Wes?
Jeez.
Devator comes in with 9,001 sats.
It's over 9,000.
For daily driving Linux, yes. Since COVID-19 sent us home,
my work wasn't able to provide us with enough machines for everyone, so I've been daily
driving Pop since, and at this point no other distro could ever win me over. Pop would have to
lose me first. For multi-machines, I think it depends on your brain. Fair enough.
At one time, I found having dedicated work machines
helped me mentally separate from work
when I wasn't working.
Now, though, I don't have that issue. I only use one machine.
That might be it for you, Brent.
Just being able to mentally...
Yeah, I think that's interesting.
Although I'm a little worried you're going to end up
with way too much to maintain.
But we'll see.
It's a good worry.
You'll have to help me when I get there.
Thank you, everybody who boosted in.
We had several under the 2,000 sat cutoff, but there were some good ones in there.
So we have them in our show notes and we've all read them.
We really appreciate that.
We had around 40 boosters.
Why do we say around?
Oh, because you and I boosted in.
So I boosted in as a test.
Yeah.
And then there were some live boosters.
Those were pulled separately so they didn't de-dupe if there was, you know.
So we're going to say around 40 boosters, but that's fantastic.
And we stacked an incredible 419,665 sats.
Yeah, boys.
Thank you, everybody.
We really appreciate that.
Those sats go to the crew and, of course, the creator of the app that you boosted and the podcast index.
Appreciate that value and your messages.
Some really killer ones.
Really contributing some serious value back to not only us but the listeners.
Much appreciated.
Everybody who boosts in and everybody who streams those sats.
And, of course, our core contributors.
We appreciate you as much as possible. I mean more.
If I could just give you all just one big internet hug, I don't think, maybe we're not supposed to do that anymore, but you know, the one with like the bold, the bold, the last tricks, like that kind of hug, like a serious hug, like a bold one.
Thank you everybody who supports the show.
We really appreciate it.
And we're going to keep on going and try to keep this thing, you know, as focused on the audience as possible, because that's our biggest customer.
That's what makes a difference.
All right.
How about a couple of bangers before we get out of here?
Wes, you found Bustle.
I never knew I needed Bustle.
Yeah, same.
In my life until I discovered Bustle.
And I don't know what you were doing, but this is an app that kind of gives you a diagram or draws a sequence of connections from D-Bus activity.
And D-Bus is doing all kinds of things on your system.
Yeah, it turns out, especially on like a desktop system and with things that use, you know, systemd, there's a lot of D-Bus action under the hood.
And it's one system I've never really delved that deep into.
So I don't understand as well as I'd like to.
And a lot of times, right, you're at the command line, I didn't have a lot of great introspection into it, so when I saw Bustle float by, I thought it was great, because it's just a very visual way you can record and go look into, like, who's talking to whom over D-Bus and what's getting sent, and if you're trying to debug something or learn, it seems like a nice tool.
It's just nice to have insight into an aspect of my system that I never really thought about much, but it's a really important aspect.
And then we have a bonus pick.
And Brentley, you, I think, are thinking about stuff that some of us don't consider out there in the Canadian wilderness.
Well, as you know, when the world shuts down, communication is always important, so you've got to have a few tools in your toolkit.
And I found a tool this week that I think we should all at least consider. This one is called Open and Shut, which might not immediately feel like it is observable, like you understand what's going on, but please go to this GitHub link and, uh, look at the nice little GIF that they included, because Open and Shut allows you to type in Morse code by repeatedly slamming your laptop shut, which I think might be really useful.
Yeah, no keyboard required.
No, you know, just, uh, you know, every slam is a, uh, Morse code transmission. There's even a Wayland branch.
You know, well, you gotta have Wayland in there, right? You want to be building towards the future.
They describe a couple features here I thought you'd like.
It uses battle-tested encoding, trusted by pilots, submariners, and amateur radio nerds.
And it also allows you to type 100-plus words per hour.
And, yeah, I don't know.
Use an old laptop would be my recommendation.
Maybe a ThinkPad, you know, they can handle it.
You know, I can tell this is quality stuff.
Did you see what it's written in? Did you see what programming language they used?
It looks like 100% shell. It's 100% Bash.
It's for people who like to mess with computers.
Yeah, that's how you know it's high quality right there.
Yeah, it's written in Bash. I love it.
Open and Shut and Bustle. We'll have links to those in the show notes. Of course, those are linuxunplugged.com slash 572.
Remember, we're trying to figure out if you use disk encryption and if it's ever bit you in the butt.
I'm kind of a no disk encryption guy. I think encrypt the data and use other storage mechanisms, but I say don't encrypt.
Hey, can I see your laptop real quick?
We should call it disk encryption, right? Because it's like crispy.
No. Okay, that's bad.
But let us know what you think. Let us know if you're a big cryptor.
Yeah, are you crazy enough to let your drive unlock itself, like me?
I wonder if Brent is. I bet Brent is.
But we'll find out. We'll find out.
See you next week. Same bad time, same bad station.
That's right. Back to our regular time on Sundays at noon Pacific, 3 p.m. Eastern.
You can tune in directly at jblive.fm, or if you have a Podcasting 2.0 app, it'll be right there when we go live. And of course, you can join the web stream and join the chat at jblive.tv.
I tell you all that, really, most of you are just going to listen on the RSS feed and listen when you want, and we love it.
You can get that at linuxunplugged.com slash RSS. It's really simple. Find it right over there and subscribe and just listen to the dang show whenever you want.
Hey, if you enjoyed this episode,
you can also support us by sharing it with a friend.
Recommendation is the number one way
that podcasts get shared.
Because if you think about it,
it's a pretty big commitment.
Thanks so much for listening.
See you next Sunday. Thank you.