Flatseal: well that’s normal, it can’t control Flatpak’s access controls if it is itself sandboxed. Even if it was sandboxes, it could just grant itself everything.

For Xournal: it’s probably because it doesn’t support portals or whatever, so it can’t use the open file dialog to get permissions. So it needs to be able to get to your files somehow to open them.

In both cases, it just means its permissions model is more like regular applications you’d get from your package manager. If you install Xournal with apt/dnf/pacman it also won’t be sandboxed.

The point of sandboxing is you can run applications you don’t trust too much, or significantly reduce the blast radius if say, your browser gets breached: then it has another barrier to overcome to reach anything other than the browser’s own data. The lack of sandboxing doesn’t inherently imply the app is evil or will hack you. It just means it doesn’t have the extra protection around it. So like, probably don’t open sketchy PDFs in it, but I wouldn’t stop using the app solely because it lacks sandboxing.

There shouldn’t be any issues with that. Most distros handle “install side by side” situations out of the box.

Data partition probably doesn’t matter. Nobara might use snapshots for updates so you can rollback, not sure, but it also shouldn’t horribly break things for /home.

The thing btrfs does well is root and home can be the same partition, but different subvolumes. Technically you can even have multiple distros on a single btrfs partition by means of subvolumes, so there’s no unusable wasted space.

I would do btrfs, Mint won’t care about the filesystem having more features than it needs, and there’s so many advantages to btrfs.

E: I might leave homes separated and explicitly share some folders you want to keep in sync. Mint’s configurations could impact Nobara’s configurations and vice-versa. Especially if versions of things differ, maybe Nobara will upgrade some configs and make them unusable with older packages from Mint. You can just symlink your downloads and documents and whatever to a common shared data partition or subvolume dedicated to that use case.

Depends on how good the ISP router is. I’ve had one that had most of the advanced settings available, so I didn’t feel the need to change. For a while I had offloaded DHCP and DNS and VPN to a Raspberry Pi. It’s very much possible to make do with the ISP router. That ISP would let you passthrough the public IP to a box on your network which lets you do a lot of stuff without going into bridge mode, so I could make my server the target while still letting the router do the routing so if my server was down it didn’t take the whole network with it.

Then I got a bad one where it won’t even let you set up port forwards unless the device is registered over DHCP so my static stuff and VMs didn’t work. Got my EdgeRouter X back online to get my stuff done.

I do use VLANs and stuff now so it makes sense for me to use my own router. With everything getting breached these days, I have a VLAN just for my computers, another one for smart but trusted-ish devices (the TV’s gotta reach the NAS), one for IoT that’s completely shielded off.

What you’re missing out on depends a lot on what features you don’t have you could make use of. If you have like 3 devices using the network like I did when I lived alone, yeah you’re probably not going to miss out on the VLANs. But maybe you want to do ad blocking network-wide. Maybe you’d want to better prioritize interactive traffic like VoIP and video calls or games. Maybe you want a reverse proxy or VPN that works even if your home server is down. Maybe you want your kids to not hog all the bandwidth. There’s a lot of things a router can do.

So if the ISP router does everything you want and you’re happy with its performance, it’s fine. Just keep it in mind, when you start being like “I wish it had X and Y features” maybe consider an upgrade then.

If you have the option of not getting a router from your ISP, I would definitely recommend bringing your own. If they provide it regardless and you’d be replacing it through unofficial means, eh, if it works well…

virtiofs is amazing, got my entire Steam library on it. It’s like it’s not there, NVMe speeds no problem.

It’ll depend a lot on your experience. I can just install Arch without reading the wiki at all in about 5 minutes for something fairly vanilla. If you’re comfortable with Linux then following the wiki won’t be too hard, took me maybe 2-3 hours on my first install before I had my DE and everything all set up (12 years ago). If you’ve never used Linux before and take the deep dive then it could take hours and days depending on how fast you can absorb all that information.

“Easy” is very subjective, there’s stuff that’s so dumbed down for the sake of “easy” that it makes my life harder when I need to do more complex stuff. I know people for whom linear algebra in 11 dimensions is easy for them to do and solve. Easy is relative to your own personal experience level and what you’re trying to accomplish.

Install it in a VM as a test run, you’ll see by yourself.

Yes

Obligatory https://youtu.be/xDLvUqhwHZc

The problem with Fedora and especially the atomic versions is that when you Google “how to do X on Linux” you pretty much always get information for Ubuntu and Debian derivatives. The atomic versions have it mildly harder because now you also have to learn how immutable distros work, and you can’t just make install something from GitHub (not that it’s recommended to do so, but if you just want your WiFi to work and that’s all you could find, it’s your best option).

It’s not as bad as it used to be thanks to Flatpak and stuff, but if you’re really a complete noob the best experience will be the one you can Google and get a working answer as easily as possible.

Once you’re familiar and ready to upgrade then it makes sense to go to other distros like Fedora, Nobara, Bazzite, Kionite and whatnot.

I don’t like Ubuntu, I feel like Mint is to Ubuntu what Manjaro is to Arch, Pop_OS is okay when it doesn’t uninstall your DE when installing Steam. But I still recommend those 3 to noobs because everyone knows how to get things working on those, and the guides are mostly interchangeable as well. Purely because it’s easy to search for help with those. I just tell them when you’re tired of the bugs and comfortable enough with Linux then go start distrohopping a bit to find your more permanent home.

There’s not a whole lot of good options for decent ARM PCs and the M1s are legitimately pretty good machines, repairability aside.

Even if you can’t repair them at least it’s pretty much guaranteed they can at least have their OS upgraded to a libre one. There’s going to be millions of them on the used market in a few years for cheap.

I have zero complaints about the hardware of my work provided MacBook Pro, very nice machine to use overall.

Are they the best bang for the buck? No. But Linux isn’t just about getting as much as possible for as little money as possible. Not everyone wants to daily drive an old bulky ThinkPad because it’s free-er. I’m happy with my framework but the battery life, keyboard and touchpad are quite inferior compared to my work MacBook. I wouldn’t buy one for myself, but I can recognize it’s still a nice machine and it’s much better than whatever crap Microsoft is pushing out with its Surface line.

Basically, the SUID bit makes a program get the permissions of the owner when executed. If you set /bin/bash as SUID, suddenly every bash shell would be a root shell, kind of. Processes on Linux have a real user ID, an effective user ID, and also a saved user ID that can be used to temporarily drop privileges and gain them back again later.

So tools like sudo and doas use this mechanism to temporarily become root, then run checks to make sure you’re allowed to use sudo, then run your command. But that process is still in your user’s session and process group, and you’re still its real user ID. If anything goes wrong between sudo being root and checking permissions, that can lead to a root shell when you weren’t supposed to, and you have a root exploit. Sudo is entirely responsible for cleaning the environment before launching the child process so that it’s safe.

Run0/systemd-run acts more like an API client. The client, running as your user, asks systemd to create a process and give you its inputs and outputs, which then creates it on your behalf on a clean process tree completely separate from your user session’s process tree and group. The client never ever gets permissions, never has to check for the permissions, it’s systemd that does over D-Bus through PolKit which are both isolated and unprivileged services. So there’s no dangerous code running anywhere to exploit to gain privileges. And it makes run0 very non-special and boring in the process, it really does practically nothing. Want to make your own in Python? You can, safely and quite easily. Any app can easily integrate sudo functionnality fairly safely, and it’ll even trigger the DE’s elevated permission prompt, which is a separate process so you can grant sudo access to an app without it being able to know about your password.

Run0 takes care of interpreting what you want to do, D-Bus passes the message around, PolKit adds its stamp of approval to it, systemd takes care of spawning of the process and only the spawning of the process. Every bit does its job in isolation from the others so it’s hard to exploit.

Do you even need reservations? You can also just set a static IP on the computer and it should be fine. Most DHCP servers test the IP before handing it out just in case.