Just to rule it out (wouldn’t be the case on default debian):

Is SELinux enabled? sudo getenforce (if command missing or false, it’s not your problem here)

You are not running with podman as compose backend? sudo systemctl status podman shouldn’t show an active service unless you use it.

It was certainly not intended as a character assessment and it’s unfortunate you took it that way. I’m talking about how the release notes (and in passing your post) were written and not about you as a person or maintainer, or even the project itself.

I do hold release notes of a public project with thousands of users to a different standard than anon lemmy.world comments in a feedback thread. Is that interesting or surprising?

I believe there was actionable feedback given. You are of course free to dismiss it.

OK but how to replace the ASCII Tux in the blue screen of death?

For a system actually using ~16GB I don’t think a 120GB drive is “way too small” for the root but just on the generous side of just about right assuming there’s nothing more than boot and swap on it otherwise.

Moving /home to a separate drive while keeping the root intact has a few upsides compared to moving everything to one bigger drive.

Maybe I don’t understand the use case for bentopdf, and considering how popular it is, that is likely true

Especially in this day and age, be careful with believing something is right (or even popular) just becuse it looks popular. Talking about generalities of gameable metrics and the cognitive pattern, not to dunk on the project apart from their communications doing the same mistake.

It’s not as much the general style as the particular contents of this release. Your previous release notes did not give the bad impression this one does. Since you did ask for any feedback I let you know why I am now less likely to use or recommend the tool compared to before. The amount of text and emojis spent begging for TrustPilot reviews also contributes.

FWIW, netstat is considered legacy and deprecated. The in-vogue way to do the same thing is ss -lpn | grep 8080.

netstat like ifconfig still works and is shipped in the net-tools package if you like it but if you’re learning it’s better to build a habit with ss and ip right away.

https://arturogl.com/2023/10/18/linux-new-tools-replacing-netstat/

Try to ignore the GH stars and other engagement numbers. Or at least try not to put focus on them in your communications. It’s a distraction for you and you are making it a distraction for your audience. GH stars are not a useful signal as they are easily gamed and bought. Maybe yours are all organic, legitimate, and a legitimate cause for personal celebration. But you are just giving false credence to them (and thereby those illegitimately gaming the system) and removing focus from your own app. I don’t think it belongs in release notes or a great way to lead your pitch here.

Most of the first half of the release notes rubs me a bit the wrong way and feels like it’s not the place for those messages. Your “Very Important Note” feels less relevant than the “Dad Joke” section (which does have potential entertainment value) and probably has the exact opposite effect than the one you intend.

Thanks for sharing your work!

Do you feel there is anything deeply problematic with the page cache that would make this kind of side channel likely to be around elsewhere too or is it more of a specific case?

If you are ready to build your own packages and host your own repos, go for it. You should have some form of automation to at least get security updates, and it will take some recurring maintenance time no matter how you go about it. I haven’t looked closer at Poseidons repos but I think if this is a good idea or not depends a lot on the state of their build/packaging/distro code. It could be just a matter of cloning the repos, changing a few config parameters and running a couple of commands, or it could mean significant work, depending on how well it is engineered. You could start out and if you find yourself digging to deep in the process of getting a build, back out and reassess.

Kind of like others suggested, there are lighter options. All the big dists should have some form of build tooling to make kickstart/preseed/spins/whatever they call it where you can prepare a custom install ISO with your own set of packages. There are tools like packer and Nix that you can use either as part of building OS images or just script to run on a clean base installation of some dist. You can make an ansible playbook to automate setup and have that run by cloud-init. You could make a shell script to automate the installation of packages and setting up of environment.

Why?

It’s a snapshot with supposedly higher chance of working than any other point in time as it’s been more thoroughly tested. It’s a common reference point. It has prebuilt images and installers.

Don’t Arch and Tumbleweed do the same thing just without giving them names?

https://github.com/tonarino/innernet

A CA can be an encrypted volume on a live USB stick. It’s mostly for the CRLs you might want something online. A static HTTP server where you manually dump revocations is enough for that.

Unless you do TOFU (which some do and btw how often do you actually verify the github.com ssh fingerprint when connecting from a new host?), you need to add the trust root in some way, just as with any other method discussed. But that’s no more work than doing the same with individual host keys.

And what’s the alternative? Are you saying it’s less painful to log in and manually change passwords for every single server/service when you need to rotate?

If this is inside the threat model, you put a passphrase on that key and load it in an external process like ssh-agent or gpg-agent. Maybe even move it to a separate physical device like HSMs or crypto hardware wallets (many of which can be used for this purpose btw).

This is also neat: https://doc.qubes-os.org/en/latest/user/security-in-qubes/split-gpg-2.html#notes-about-split-gpg-2

Not if you use certificates signed by your own internal CA and trust the CA instead of straight up trusting the public keys explicitly.

This way you can generate new SSH or TLS keys trusted across a bunch of machines without having to touch those machines directly for every key, since they are signed by your trusted authority. If you configure CRLs properly you can also revoke them centrally.

mTLS (mutual TLS) is actually quite common out there. And SSH certificates moreso than public keys.

So clients get issued certificates that they can authenticate with. TLS for HTTPS but both ways. It sounds like this is what you’re asking about?

I haven’t tried this with Cinnamon but with other Desktop Environments you can run your own Window Manager inside it, if that’s something you’d like. That way you can take benefit of background services and desktop integrations of the DE but use any WM you like.

i3 under Xfce or KDE is very common, for example.

If you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with long track record, centralized packaging and tiered rollouts.

Roughly,

• High community trust: Debian, SUSE, Fedora, Ubuntu

• Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs

• Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr

• IDGAF: curl | sh

Of course.

As Arch becomes mainstream and more of an attractive target for attackers I think we will get more of the same thing happening regularly in NPM: Legitimate popular packages getting compromised because a maintainer got infected or phished.

As well as botting of votes and comments.

https://www.theregister.com/2025/07/22/arch_aur_browsers_compromised/

There is crap like this all the time, that wave just happened to make news. Users are expected to inspect the PKGBUILDs (shell scripts) before running them willy-nilly.

You do as you wish but please don’t normalize dangerous behaviour.