Had a quick skim and found this little guy:

# ---------- Protected media route ----------
@app.route('/img/<path:name>')
@login_required
def media(name):
    db = SessionLocal()
    try:
        me = current_user(db)
        # Find the post with this image
        post = db.query(Post).filter_by(image_path=name).first()
        if post:
            # Check visibility
            can_view = post.user_id == me.id or db.query(UserVisibility).filter_by(
                owner_id=post.user_id, viewer_id=me.id
            ).first() is not None
            if not can_view:
                abort(403)
        return send_from_directory(UPLOAD_DIR, os.path.basename(name))
    finally:
        db.close()

I’ve not read through everything, but there are some security concerns that jump out to me from just this function. Hopefully you can enlighten me on them.

Firstly, what is stopping a logged in user from accessing any image that, for whatever reason, doesn’t have an associated post for it?

Secondly, the return codes for “the image doesn’t exist” (404) and “the image exists but you can’t access it” (403) look to be different. This means that a logged in user can check whether a given filename (e.g. “epstien_and_trump_cuddling.jpg”) has been uploaded or not by any user.

Both of these look to be pretty bad security issues, especially for a project touting its ability to protect from nationstates. Am I missing something?

Is it clickbait titles that don’t want to say what the article is about?

(It’s deceitful probabilities in lootbox drop rates, for anyone wondering)

I used to work as a software dev before mass layoffs got me. Our work was technical enough that most of us used Linux to the point that finding a Windows user to test things was a real problem.

There’s tons of backup solutions out there. Why should selfhosters buy a proprietary one?

For the swap space, yes that’s for when you run out of RAM. 48GiB is plenty of RAM, so you should be fine without it. I have 32GiB of RAM on my system and have been running without swap for ages without issue.

Hardening guides like that are mostly designed for things like web servers which are connected to the public internet and need higher scrutiny. The default configuration for distros like Mint should be secure enough for the average user.

However, don’t feel invincible and run random code from random sites. Both Windows and Linux can’t protect you against malicious code you run yourself.

Having organised partitions is the kind of thing that people obsessed with organisation do. For most people, the default partitioning scheme is fine. However, as always, remember to keep backups of important data.

For installing software, Mint has a Software Centre (which is distinct from the Snap Store). I’d recommend installing software using that for the average user.

In Mint, there are three main types of packages:

• Debian/APT packages, which are provided by Mint (well, technically by the Debian distro and they trickle down to Mint, but technicalities). Not all software is available from Mint’s repos and they may be out of date.
• Flatpak packages, which are provided either by developers themselves or dedicated fans. They are usually more up to date and have a degree of sandboxing.
• Snap packages, which are controlled by a company named Canonical. As of late, Canonical has been a bit “ehhhh”, so there’s pushback against Snap. Mint has it disabled and has their reasoning explained here: https://linuxmint-user-guide.readthedocs.io/en/latest/snap.html

Mint’s software centre is able to install both Debian and Flatpak packages. I’d recommend using it where possible since it allows automatic upgrades and easier installation/uninstallation.

“It’s just horror, bro” with the same kind of energy as “it’s just a prank, bro”.

I’ve not played the game, but “person riding another person in horse gear” is absolutely a fetish thing, intentional or otherwise.

I think it absolutely would fall afoul of kiddie porn laws. Honestly, I think any depiction of a child in proximity to nudity probably would count.

It’s open source. If 32 bit support is important enough, people can fork and maintain it.

Don’t know if this is true for all environments, but you might be able to just create a file in ~/Templates for it to show up in that list.

Dual booting is fine. Bitlocker just makes it so that the installer isn’t able to resize the Windows partition (since it’s encrypted), but you can resize it in Windows to create enough space to put Mint on. You can also disable bitlocker entirely, but your files will no longer be encrypted.

There’s worry about the bootloader being nuked, but I think that’s a bit of an overreaction. Now everything is EFI, Windows shouldn’t touch other OSes. If it does, then that doesn’t require a full reinstall; it’s possible to boot from the live USB (the installer) and reinstall just the bootloader.

I don’t know if they still do it, but Mint used to do staggered updates (through their update manager) for some packages. They would start out making the update only available for, say, 10% of people and then slowly built up to 100% if no issues were discovered.

One thing that many guides tend to skip is how to install software. People coming from Windows might try to install software the “Windows way” by going to the website and downloading them. That is just likely to cause pain and suffering for a number of reasons.

Instead, every beginner friendly distro has its own flavour of software centre that users should be encouraged to use instead. Maybe even include a link to flathub in the guide or something.

When you plug your mechanical keyboard in, your steam deck shuts off, right? If you unplug it again, does it instantly come back to life or do you need to press the power button? Does it resume from suspend or actually boot from scratch?

Are you using the dock with a mains power connection (e.g. for charging)? The keyboard might require more voltage than the Steam deck can provide.

Does your keyboard have any of its own USB ports on the side? Having another “hub” connected to your main hub might be confusing it in some way.

When I was a kid my parents would only let me play games for half an hour a day. That works out at, using the monthly times, three times as much as Microsoft is letting people use.

Microsoft, is it an ad supported tier or a limited trial. Pick one.

Encryption and offsite backups. If someone nicks it then they don’t get any private information. And with backups it’s easy enough to just push the data onto a new device.

Ubuntu 25.10 entered beta on September 18th. It releases on October 9th. It’s still in beta.

… Yeah? Beta software having bugs isn’t the hottest of takes.

I’m willing to bet that if the GNU coreutils getting bumped a minor version caused widespread issues for a day, nobody would even bother reporting in it…

So, to address the elephant in the room… Why does commenting on a blog post need any kind of account? Why not have fields for “name” and “comment body” and use capcha and/or manual approval to guard against spam?

Like, why does everything need to be tied to an account nowadays?

I’ve always done things bare metal since starting the selfhosting stuff before containers were common. I’ve recently switched to NixOS on my server, which also solves the dependency hell issue that containers are supposed to solve.

I like that they’re passionate and supporting Linux and all, but unpaid work like that should be discouraged, imo.