Not really. Immutability can be overridden by root, who can then edit files.
And in addition to that, /etc/, system config files, including PAM files mentioned here, are not immutable even in immutable distros.
Yes this is the best way.
On Linux I've never had to install drivers for any printers; it comes with a "generic" driver that works for a ton of brands.
The original person you replied to was commenting that Nix was less vulnerable to supply chain attacks. Your reply is essentially completely off topic, talking about CVEs. They are not the same type of issue. Having an actively running piece of malware on your system is vastly more concerning than a vulnerability someone has yet to exploit, and the supply chain security techniques needed to protect against the former are different as well.
Immutability is an extremely poor defense against any form of attack. Immutability is literally a filesystem feature where a flag, chattr -i, is set on files or folders. Any program with root can adjust this flag, and any program running as a user could download additional binaries to or modify the user's home directory. This is how the nix daemon works.
Now, if NixOS followed (or you configured it to follow) a model where only binaries in the nix store could be executed, and nothing else could be executed (in addition to maybe, say, using SELinux to enforce that only the nix daemon is editing the nix store), that would be much more secure and very interesting. But it's not doing that.
Edit: correction, the nix store is not actually immutable on the filesystem level. It merely holds immutable "outputs", the packages and functions it generates. You're not supposed to edit them... but nothing stops you (if you're root or the nix daemon user). You can verify the nix store pretty easily, but it's not an ongoing process, that is to say it wouldn't catch malicious changes.
What I said above about a theoretical AppLocker-like system based on Nix still applies, however.
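As an added illustration of the point made in this comment (this is example code, not something posted in the thread): the script below sets the immutable flag with chattr +i, shows that even root cannot append while it is set, then clears it with chattr -i and appends anyway. It assumes chattr from e2fsprogs, root with CAP_LINUX_IMMUTABLE, and a filesystem that supports the flag (ext4/xfs); where any of those is missing it reports that instead of failing.

```shell
#!/bin/sh
# Added example, not from the original discussion. Demonstrates that the
# immutable attribute is only a flag that any root process can toggle back.
# Assumptions: chattr exists, we are root with CAP_LINUX_IMMUTABLE, and the
# temp directory is on a filesystem that supports +i (tmpfs/overlayfs often do not).

# Try to append to a file; return 0 if the write went through, 1 if it was refused.
try_append() {
    if printf 'payload\n' >> "$1" 2>/dev/null; then return 0; else return 1; fi
}

# Returns:
#   0 -> +i blocked the write, and chattr -i (what a root-level attacker would run)
#        restored write access, i.e. immutability was bypassed
#   2 -> this environment cannot set the flag (no chattr, not root, or unsupported fs)
#   1 -> unexpected: flag set but the write still succeeded, or the flag could not be cleared
immutable_bypass_demo() {
    f=$(mktemp) || return 2
    command -v chattr >/dev/null 2>&1 || { rm -f "$f"; return 2; }
    if ! chattr +i "$f" 2>/dev/null; then rm -f "$f"; return 2; fi
    if try_append "$f"; then chattr -i "$f"; rm -f "$f"; return 1; fi
    # Anything running as root (including a compromised daemon) can simply clear the flag.
    chattr -i "$f" 2>/dev/null || { rm -f "$f"; return 1; }
    if try_append "$f"; then rm -f "$f"; return 0; fi
    rm -f "$f"; return 1
}

immutable_bypass_demo; echo "result: $?"
```

Run it as root on an ext4 mount to see the 0 path; on a container overlay or as a normal user it returns 2, which is itself the practical caveat: the flag's protection depends entirely on who holds root and on which filesystem the files live.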
This is not the same. The AUR was a supply chain attack, where good packages were replaced with malicious ones.
Nix is better at stopping things like that from happening, because they have a monorepo, where most package updates or changes are reviewed by another person. The AUR is just a collection of individual git repos (or branches), where each maintainer can make updates or changes with no oversight.
Huh. I just checked and Guix unvendors Go. Very impressive.
It looks like they let you override cargo crate deps with different versions, but they haven't managed to compile without cargo or crates yet.
It's possible to use curl and make it pretend it is contacting a domain when it is actually contacting an ip address.
That way the reverse proxy can still do its thing.
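The curl trick described in this comment, as an added example (not code from the thread): curl's --resolve option pins a host:port pair to an IP in curl's own resolver cache, so the TCP connection goes to that IP while the Host header, TLS SNI and certificate name check all still use the hostname, which is what a name-based reverse proxy needs. The host example.com and the IP 203.0.113.10 are documentation values assumed for illustration, and the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original discussion. Builds (and optionally runs)
# a curl command that connects to a chosen IP while presenting the real hostname.
# Assumed values: example.com (RFC 2606) and 203.0.113.10 (RFC 5737), not real services.

# Validate a dotted-quad IPv4 address; returns 0 if well-formed.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Print the curl command for: <scheme> <host> <port> <ip> <path>
# --resolve HOST:PORT:IP makes curl connect to IP for that host/port pair only;
# Host:, SNI and the certificate check still use HOST, so no -k is needed.
# (--connect-to HOST:PORT:IP:PORT is the equivalent when the backend port differs.)
pinned_curl_cmd() {
    scheme=$1; host=$2; port=$3; ip=$4; path=$5
    is_ipv4 "$ip" || return 1
    printf 'curl --resolve %s:%s:%s %s://%s:%s%s\n' \
        "$host" "$port" "$ip" "$scheme" "$host" "$port" "$path"
}

# Print the command, or execute it when DRY_RUN=0 is set in the environment.
pinned_curl_run() {
    cmd=$(pinned_curl_cmd "$@") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
}

pinned_curl_run https example.com 443 203.0.113.10 /health
```

This is the form to use when a proxy's public DNS points elsewhere (a CDN, a load balancer) and you want to reach one specific origin or node behind it; the proxy sees a normal request for example.com and routes it as usual.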
It can interface with LDAP, but it cannot act as an LDAP provider.
Keycloak only really acts as an OIDC/SAML provider. Whereas Authentik can do OIDC, SAML, LDAP, and more in a single app. It's just extremely rich.
I really like it because it has invites, which are extremely nice if you really want that form of fast onboarding.
Authentik is really feature rich, supporting the most out of any other provider.
The 3 killer features to me from Authentik are:
Of course there are more. But software that does all 3 of those is rare, and I was frustrated trying to find them.
To play devil's advocate, Authentik is very big and unwieldy in some ways. If you only need OIDC for your family, then maybe pocket id or void auth may be more suitable.
Does it work from behind the rathole?
I'm so tired of news articles that hype up fairly mundane stuff, acting like it's the next big bombshell.
In addition to that, by misrepresenting what is happening, it's literally actively harmful to consume this kind of news, which is so common on the cybersecurity news cycle.
Yet another cyberslop article.