Just some Internet guy

He/him/them 🏳️‍🌈

  • 0 Posts
  • 8 Comments
Joined 2 years ago
Cake day: June 25th, 2023


  • It’s hard to give concrete advice without knowing the specs or the software you want to run on this, but for tiny Linux systems there’s Buildroot so you can compile just the bare minimum you need and not use a distro at all (unless you count Buildroot as a distro). This is what OpenWRT uses to build all the router firmwares among other things.

    For something that would go in a car that seems pretty ideal to me. Skip initializing things you won’t use, make something that boots to GUI in 3 seconds. When you want to update the software you flash it as a new firmware image, no on-device installing or anything.

    Depending on what you run, ideally you’d skip Xorg/Wayland and use the framebuffer directly. But if you need to run a more standard environment, that’s what things like Cage are designed for. Single app, always full screen. It’s called a kiosk environment.


  • Proton is Wine but tweaked for the sole purpose of running games, so it packs a bunch of extra stuff needed to make games run well together.

    Usually there’s also a long list of per-game tweaks and changes to make sure it runs, it’s all preconfigured so you press play in your launcher and it works. No need to change settings whenever you want to play a game.

    You can still use regular Wine but you’ll have to set up a bunch of stuff yourself, and eventually you run into a game that needs a different version of something that breaks another game, you get into prefix management and it’s a mess. Or oh this game runs better when we pretend to be Windows 7 but this one works best with Windows 10. Proton just does it all for you, every game gets its own space with all the correct settings from the get go, and you just launch into the game and play.


  • Honestly a VPN that doesn’t support Linux at least through manual connection settings, run away. All reputable and even the sketchier VPN providers support Linux, because that’s what the privacy crowd uses, not supporting it implies those aren’t even the target user base at all. It’s a red flag. It’s not a VPN for privacy or getting another country’s Netflix.

    I’d trust Norton about as much as my ISP, so unless you use public WiFi somewhat often, it doesn’t add much value, just the downsides of captchas everywhere. They’re probably analyzing the traffic to map out malware campaigns and such, which would make sense but isn’t very private.

    The business model of antivirus companies is fear, and they sell the solution to that fear. They have a VPN because people assume VPN means more security, of course they’ll sell you one. At best they block known malware domains and IPs, which is utterly useless on Linux anyway.

    If you want a VPN get a real VPN.


  • Proof of work is what those modern captchas tend to do I believe. Not useful to stop creating accounts and such, but very effective to stop crawlers.

    Have the same problem at work, and Cloudflare does jack shit about it. Half that traffic uses user agents that have no chance to even support TLS 1.3, I see some IE5, IE6, Opera with their old Presto engine, I’ve even seen Netscape. Complete and utter bullshit. At this point if you’re not on an allow list of known common user agents or logged in, you get a PoW captcha.


  • A lot of those identify as Christian because of cultural heritage and because it’s the “not some brown people’s religion” but are non-practicing or straight up non-believers otherwise. Those that do maybe go in the church once a year for the Christmas stuff.

    The churches are packed with mostly tourists and the parking lot is filled with Ontario plates.

    You’re just not gonna find many nutjobs like the rest of Canada and the US here. Even my grandparents pretty much just go out of habit from the old times. I haven’t once been in a religious argument in Québec my whole life. It’s basically unavoidable in the US.

    The quiet revolution is a fairly interesting piece of history.



  • You’ll first want to lock down the laptop using the TPM so it only boots kernels signed by you, and also encrypt the drive using the TPM as the locking key so the key is only ever available to a kernel you signed. From there you’ll probably want to use dm-verity to also verify the integrity of the system or at least during the boot process.

    Then, on top of that, once online and the machine is still authorized to access that data, you download a key from a server under your control to unlock the rest of the drive (as another partition). And log those accesses of course.

    Then, when you want to revoke access to it, all you have to do is stop replying with the key whenever requested. That just puts a ton of hurdles to overcome to access the data once the server stops handing the key. They would have to pry out the key from the TPM to unlock the first stage and even be able to see how it works and how to potentially obtain the key. They could still manage to copy the data out while the system is fully unlocked and still trusted, which you can make a lot harder by preventing access to external drives or network shares. But they have physical access so they kind of have the last word if they really really really want to exfiltrate data.

    This is the best you can do because it’s passive: you stop supplying the unlock key so it’s stuck locked encrypted with no key, so the best they can do is format the laptop and sell it or use it for themselves. Any sort of active command system can be pretty easy to counter: just don’t get it online if you suspect the kill signal is coming, and it will never come, and therefore never get wiped. You want that system to be wiped by default unless your server decides it’s not.
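
Added example, not part of the comment above: a sketch of the second-stage unlock it describes, where the data partition opens only if a server releases the key and stays locked on any failure. The URL, device path, mapping name and certificate paths are placeholders, and the key is assumed to be text (for instance base64).

```shell
#!/bin/sh
# Stage-two unlock, run after the TPM-bound root has booted.
# All names are assumptions: KEY_URL, DATA_DEV, MAP_NAME and TLS_DIR are placeholders.
KEY_URL="${KEY_URL:-https://keyserver.example.invalid/unlock}"
DATA_DEV="${DATA_DEV:-/dev/disk/by-partlabel/data}"
MAP_NAME="${MAP_NAME:-data}"
TLS_DIR="${TLS_DIR:-/etc/unlock}"

# Ask the server for the key. The client certificate identifies this laptop,
# so the server can log the request and refuse it once access is revoked.
# --fail turns HTTP 4xx/5xx into a non-zero exit; --max-time bounds an offline boot.
fetch_key() {
    curl --fail --silent --show-error --max-time 10 \
        --cacert "$TLS_DIR/ca.pem" \
        --cert "$TLS_DIR/client.pem" --key "$TLS_DIR/client.key" \
        "$KEY_URL"
}

# Hand the key to cryptsetup on stdin so it is never written to disk.
open_volume() {
    cryptsetup open --type luks --key-file - "$DATA_DEV" "$MAP_NAME"
}

# Returns 0 = unlocked, 1 = key not released (revoked, offline, empty reply),
# 2 = key released but the volume did not open.
stage2_unlock() {
    # Assumes a text key: $(...) strips trailing newlines.
    if ! key=$(fetch_key) || [ -z "$key" ]; then
        echo "stage2: key not released, data partition stays locked" >&2
        unset key
        return 1
    fi
    if ! printf '%s' "$key" | open_volume; then
        echo "stage2: key received but unlock failed" >&2
        unset key
        return 2
    fi
    unset key
    return 0
}

# Run only when invoked as: <script> unlock
if [ "${1:-}" = "unlock" ]; then
    stage2_unlock
fi
```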