• 0 Posts
  • 24 Comments
Joined 3 years ago
Cake day: June 15th, 2023

  • And it’s only necessary because Nix doesn’t include it. Which is the only way anything is allowed to run on an SELinux system. SELinux doesn’t require Nix mutation, it requires Nix to be complete.

    There are workarounds to fix Nix’s incomplete definitions, but most end users opt for the easy post-install solution that ends up mutating their store rather than including the fix as a unique derivation for every package to add the missing SELinux labels and policy.


  • It’s not. SELinux predates Fedora. Fedora went all-in on SELinux pretty early on though (a few other older distros too, but Fedora is one of the few remaining with significant mind-share), and many other distros decided not to do security at all for many years.

    AppArmor is “sufficient” if you only want to deal with known-in-advance high-risk applications being locked down, which was the approach most other distros took since it’s extremely complex to have a policy for absolutely everything (like SELinux requires).

    In the latest distros using AppArmor, it’s been expanding so much that it is arguably easier to just implement SELinux and derive from Fedora’s Standard Policy. Ubuntu 24.04, for example, has been broken by their various AppArmor bugs for almost 1.5 years after release, all because they slapped system-wide AppArmor policy restrictions on the default system and didn’t coordinate any of it.

    SELinux also doesn’t mutate the store unless the package in the store failed to set an SELinux file label. Providing the labels in most cases is trivial, so trivial in most cases that a global SELinux Nix policy package exists in a number of distros that can set normal defaults that work for most things.



  • I stumbled on the opensupermaps site before, but this is the first time I’ve ever seen any explanation. This explanation wasn’t great, but I eventually figured it out.

    Option 1: Download file from opensupermaps.com to data folder for OSMAND and it will auto load.

    Great, there are dozens of folders in the /Android/data/net.osmandplus/ folder, and files with the same file extension all over. Maybe I should have dropped them in the app’s root data folder and hoped they didn’t overwrite anything important? I ended up just opening the files and then picking OsmAnd to be sure.

    Deactivate the default map file(s) to ensure search pulls results from this file.

    It took me 20 minutes of digging and trying things to figure out that this means to go into Maps & Resources, then to the Local tab, then click thru each section and on each item in each section choose the three dots and pick Deactivate for it. Except the map names you just loaded, which don’t always match the file names.

    After all this, it turns out the address data is no better than what OsmAnd already has. The only difference is display order (which is very nice to have fixed), but it doesn’t change the fact that probably 60% of the US has no address data at all. I know it’s a clusterf*ck with address data in the US, and many blocks of address data are proprietary or require licensing, but apparently MapCarta was able to get it. But not OsmAnd, Maps.ME, MagicEarth, CoMaps, OrganicMaps, or even OpenSuperMaps.


  • SELinux is used on all the Fedora Immutable distros, and the OpenSUSE Immutable distro. It’s actually much easier to do SELinux in Immutable distros in a lot of ways than non-immutable. Especially the bootc-style ones where even more of the system is defined and prebuilt before deployment.

    AppArmor is OK, but the whole issue is that you have to know what to throw into it. That’s also its benefit: you can focus on the high-risk things and ignore the low-risk things. It keeps expanding profiles more and more though, and ironically the ultimate destination is everything being under MAC.



  • I don’t know whether it was intentional from OP or not, but part of the issue with that is the connecting of your device network details to the SIM. In modern cellular networking, the KYC of your mobile plan is not at all necessary to completely deanonymize you. It sure doesn’t hurt to not have your carrier actively selling your personal KYC info already attached to your messages, voice call info, and location, but it’s also in no way going to prevent it.


  • Not just in Canada, it exists in the US too. They only offer US and Canadian numbers right now because of the partner carrier they use, but that “Proton SIM hub” is indeed an XMPP server. To make it even easier, they’ve also partnered with Snikket, and for the $5/month price of a phone number from JMP.chat, you can get a private dedicated personal XMPP server instance from Snikket. You’re free to do whatever you want with the Snikket XMPP instance (that’s XMPP related), and can create as many accounts as you want, and/or connect additional JMP.chat numbers to the same or different accounts on the server.

    EDIT: They also take payment in crypto or more traditional methods. It’s all prepaid flat-rate.



  • I’m guessing you primarily use a computer? I’ve been using it for 2 years as well, but like most people it’s primarily thru the mobile app. And it’s not exactly great. It functions, sure, but it loses all albums on upload, doesn’t seem to want to actually do the machine learning (forever stuck at 99.85%), and accessing the albums has some of the worst possible UI (tiny arrows in a long list of big boxes). I want them to succeed really badly, but their development is incredibly slow, to the point where I’m reconsidering self-hosting with Immich as well so it works better.



  • The RackNerd $35/yr seems to be the 500MB RAM VPS with a 500GB/mo network data limit. That’s probably sufficient power for a WireGuard endpoint for ingress, but that’s a pretty low network data limit if you’re putting a media server behind it (10GB/hr of video isn’t unexpected; data is counted twice when it has to ingress and egress thru the endpoint, so about 25 hours of quality video per month).



  • I see, so Pangolin includes the Tailscale Funnel functionality (which Headscale currently does not), integrates Authentik and Traefik, and sells it as a stand-alone service. I guess there’s probably a narrow market for that, though it’s unlikely to be self-hosting. My experience is that any OAuth or RBAC solution is too involved and/or poorly supported by self-hosted applications to see more than a small number of self-hosters using it, and those that do are advanced enough users that they would probably just build it themselves with free tools instead.

  • I’ve been trying to figure out what purpose Pangolin serves in this. Do they offer a paid service that has the internet-accessible entry/exit point that I’m not seeing?

    Self-hosters aren’t lacking in tools to connect between a home server and some internet exposed server so they can tunnel from that public internet server back to their home server, they’re lacking in affordable options for the internet accessible server itself. Cloudflare Tunnel, Tailscale Funnel, and similar can easily be trivially replaced by a simple Wireguard connection from your home server to a public VPS with a couple trivial routing rules. But you have to have an affordable VPS with reasonable bandwidth and high reliability. Pangolin appears to just be Tailscale-ike permission-based routing software, but without the actual connections tools or hosting. That’s already available for free with Headscale, but Headscale also includes the connections part too. Am I missing something that would make Pangolin even equivalent, let alone better than, the free Headscale project?