@[email protected] being as sharp as always, thank you for sharing this! I somehow missed that essay in the past, and recently even had a discussion where I argued in favor of signal. His overview makes some great points that shouldn’t be dismissed offhandedly. The important point is to not make the mistake of shunning signal in favor of an even less secure alternative. Also the user’s threat model should be taken into account. Those who aren’t anticapitalists (yet) might need to worry less about the concerns.

$200/card? What are those, legitimate western numbers?/s You can find “2TB” SD cards on AliExpress/etc for $3. Increasing the capacity to 1PT shouldn’t be much more than a minor change in the firmware.

You can expose your stuff to the internet, that’s not inherently frivolous, but it increases your attack surface. If you use cloudflared, you can tunnel it through cloudflared, which helps not publicly exposing your IP (but your services are still publicly exposed). You might be able to use cloudflared together with gluetun, but I prefer having the reverse proxy and cloudflared outside of the gluetun network.

I haven’t tried any out-of-the-box solution or setup script, so I can’t talk about them. if you go diy or want to edit any solution to have internet access exclusively over VPN (or not at all otherwise), I can recommend gluetun. Other than that, I just have a simple docker compose file and a reverse proxy. I recommend not exposing it to the www, but to keep it only accessible in your local network, or tailscale, if your use case allows it. Note: if you set up https, you might be leaking your subdomains in permanent certificate transparency records.

our hero! (Assuming the ratio keeps getting better)

I attune your family has human identifiable faces? Do you have a machine learning service container running? If so and if its enabled, it should just work. Otherwise, maybe try tweaking the parameters?

That’s a interesting approach. It kind of backdoors a lot of private communication efforts. I can’t even be sure, if disabling notifications for signal would avoid them from showing up in the database anyways

I haven’t tried it, but NTH on the SmartTube telegram chat recommended https://github.com/webosbrew/youtube-webos

the post already links to a summary, but tl;dr

the state seeks to charge Meta for supporting grooming of minors, because adding chat encryption obstructed law enforcement. Criminalizing the design decision to add encryption might deter all companies.

Some of the most damaging evidence in both trials came from internal company documents where employees raised concerns about safety risks and discussed tradeoffs. […] the rational corporate response is to stop putting anything in writing. Stop doing risk assessments. Stop asking hard questions internally. […] That makes everyone less safe.

At work I use kubernetes and quite like that (upgrading containers without downtime FTE), but I didn’t bother trying to set up the infrastructure myself. Some argue, it’s not with the efford for self hosting, I dunno.

What I do like to use is Dockge, to keep docker but also keep your sanity. It even offers a single button for “docker compose pull”, which is great of you don’t have to many compose files / stacks. Combine with a simple shell script to batch pull/build all stacks in one go, plus some backup solution, and it’s actually nice to use and does all that I need. I love CLIs, but I’ve had situations where the GUI came in very handy.

#! /bin/bash
# note: this will update and START all dockge stacks, even if you stopped them before
shopt -s nullglob
for proj in /opt/dockge /opt/stacks/*/; do
  echo "> $proj"
  docker compose -f "$proj/compose.yaml" up --pull always --build --detach
  echo ""
done