Well, they have – I think. When you download an edited image, it supposedly downloads an image with edits applied. The original is optionally available too.

If you download the edited image, this is effectively equivalent to the status quo of image editing.

Are there any (ideally waterproof) compact devices with long battery life (months~years)?

On the website I only found a long list of supported devices with brand name search and protocol type. grep showed no LoRaWAN devices though?

My use-case is theft tracking. I only need the device to be able to locate itself after a theft actually occurred and I request it remotely. (Perhaps also periodically with very low frequency.)

Disabling su is stupid because you always need some form of privilege escalation, restricting sudo to apt offers no security benefit whatsoever as apt allows arbitrary file modification, disabling root ssh provides no benefit when the unprivileged user has sudo access – I could go on.

Yikes, lot’s of bad advice in this thread.

My advice: Go develop an actual threat model and find and implement mitigations to the threats you’ve identified.

If you can’t do that, that’s totally okay; it’s a skill that takes a lot of time and effort to learn and is well-compensated in the industry.

You will need to pay for it. Either through an individual assessment by someone who knows what they’re doing, managed hosting services where the hoster is contractually liable and has implemented such measures, by risking becoming part of a botnet or by not hosting in a world-public manner.

My recommendations:

• Pay for proper managed hosting for every part of your system that you are not capable of securing yourself. This is a general rule that even experienced people follow by i.e. renting a VPS rather than exposing their own physical HW. There are multiple grades to this such as SaaS, PaaS and IaaS.
• Research, evalue and implement low-hanging fruit measures that massively reduce the attack surface. One such measure would be to not host in a manner that is accessible to the entire world and instead pay for managed authenticated access that is limited to select people (i.e. VPN such as Tailscale)
• git gud

Wow is that ever a load of snake oil.

I see this kind of guide as actively harmful because it creates a false sense of security.

(but-with 'nix (lots-of 'parenthesis))

That’s for encrypting your data to protect against an untrusted storage back-end.

They also have e2ee for users though where the server cannot see the plaintext either.

https://nextcloud.com/encryption/

And this is why you want atomic updates folks…

Did you/your distro set up realtime ulimits correctly such that pw can acquire rt priority?

Thanks for the explanation!

Though it ought to be possible to only respond with the new self-signed cert when LE does the challenge and with the previous, properly signed cert otherwise.

I found https://codeberg.org/neilpang/acme.sh/wiki/TLS-ALPN-without-downtime which demonstrates one method to achieve that but I lack practical experience judge whether that’s optimal.

Forgive my ignorance but why would that incur a downtime?

The only way I can think of for downtime to happen if you switched certs before the new one was signed (in which case …don’t) or am I missing something?

It also strikes me as weird that LE requires 80 but does allow insecure 443 after a redirect. Why not just do/allow insecure 443 in the first place?

The same that happens when you update to receive a breaking change on a rolling distro. It’s version number go up, just at a different point in time.

That’s a very odd example to choose given how trivially interchangable kernels are.

At NixOS, we ship the same set of kernels on stable and rolling; the only potential difference being the default choice.
I’m pretty sure most other stable distros optionally ship newer kernels too. There isn’t really a technical reason why they couldn’t.

To be able to predict when something you depend on breaks.

This “something” could be as “insignificant” as a UI change that breaks your workflow.
For instance, GNOME desktop threw out X11 session support with the latest release (good riddance!) but you might for example depend on GNOME’s X11 session for a workflow you’ve used for many years.

With rolling, those breaking changes happen unpredictably at any time.
It is absolutely possible for that update to come out while you’re in a stressful phase of the year where you need to finish some work to hit a deadline. Needing to re-adjust your workflow during that time would be awful and could potentially have you miss the deadline. You could simply not update but that would also make you miss out on security/bug fixes.

With stable, you accumulate all those breaking changes and have them applied at a pre-determined time, while still receiving security/bug fixes in the mean time.
In our example that could mean that the update might even be in a newer point release immediately but, because your point release is still supported for some time, you can hold on on changing any workflows and focus on hitting your deadline.

You need to adjust your workflow in either case (change is inevitable) but with stable/point releases, you have more options to choose when you need to do that and not every point in time is equally convenient as any other.

Rolling vs. point release is not about whether a breaking change happens or not but when.

With rolling, breaking changes could happen at any time (even when inconvenient) but are smaller and spread out.
With point release, you get a big chunk of breaking changes all at once but at predictable points in time, usually with migration windows.

Waiting some weeks for uncaught bugs to be ironed out might be advisable if you still have limited debugging capabilities.

Otherwise, you can always nixos-rebuild build-vm using the new release channel and see whether it breaks anything you depend on.
My experience is that it probably won’t. My past few years of updating my server from one stable release to the next were, in one word, boring. Some renames, deprecations etc. with clear errors/warnings to fix at eval time but nothing that actually broke once it was built and deployed.

There’s also the option of just leaving an offline disk at someone’s and visiting them regularly to update the backup.

Having an entirely offline copy also protects you/mitigates against a few additional hazards.

If you don’t process any user data beyond what is technologically required to make the website work, you don’t need to inform the user about it.

None of this puts the user out of control; they’re free to add the Flathub repository should they wish to do so.

He

I hate to be that guy but OP gave no indication of their gender. English has the luxury of having a “natural” neutral pronoun; please just use that.

which these suggested Fedora Spins are designed to integrate with as tightly as possible

Could you explain what exactly this “tight integration” pertains? AFAIK these are just regular old global-state distros but with read-only snapshotting for said global state (RPM-ostree, “immutable”).
Read-only global system configuration state in pretty much requires usage of Flatpak and the like for user-level package application management because you aren’t supposed to modify the global system state to do so but that’s about the extent that I know such distros interact with Flatpak etc.

Bazzite is completely the opposite of an OS designed to run one app at once, which means you haven’t tried it before rubbishing it as a suggestion.

That is their one and only stated goal: Run games.

I don’t know about you but I typically only run one game at a time and have a hard time imagining how any gaming-focused distro would do it any other way besides running basic utilities in the background (i.e. comms software.).

Obviously you can use it to do non-gaming stuff too but at that point it’s just a regular old distro with read-only system state. You can install Flatpak, distrobox etc. on distros that have mutable system state too for that matter.

Could you point out the specific concrete things Bazzite does to improve separation between applications beyond the sandboxing tools that are available to any distribution?

It’s true that I haven’t used Bazzite; I have no use for imperative global state distributions and am capable of applying modifications useful for gaming on my own. It’s not like I haven’t done my research though.