I did that for a while because of compatibility issues with a newer laptop, it works but generally if there is no reason it's way easier to stay with the provided packages. Compiling weekly due to security patches becomes annoying over time for no real gain other than the version number
mysql/maria also lets you turn off/down the isolation level for queries if you know the guarantees aren't needed, to speed things up. I think postgres does not have that option.
I've been receiving loads of spam from google MX servers lately until blocking all mails with X-Google-Group-Id headers. I don't know how it's possible, the contents were 100% spammer controlled, no Google template
That also often shoots you as when json_encoding it only becomes an array when ordered "correctly" (numeric 0-based keys without gaps), otherwise an object. So to be safe you generally need to array_values after filtering.
If in your testdata you only remove elements from the end you don't catch that before production data hits.
It's especially problematic when encoding an empty object to json. By default an empty array is serialized as [], to get {} you either need to pass a flag to force object serialization (which can mess up serializing actual arrays), or cast the array as an object. Neither of which are great when the object is deeply nested in the serialized object.
Ubuntu also released TPM based FDE a few versions ago. I had these thoughts then and decided against using it. Typing my passphrase on boot is muscle memory and gives me simple security I can trust.
Also can recover data without my mainboard.
Maybe a hybrid (secureboot-TPM+phrase) slot for day to day to also prevent against evil maid attacks, and another slot with a backup passphrase would be acceptable.
>Typing my passphrase on boot is muscle memory and gives me simple security I can trust.
It's not an either-or. You can combine TPM with passwords which makes it far more secure than password alone. A TPM can enforce password guessing limits, otherwise a password needs to be absurdly long to be secure against GPU bruteforcing attacks. It also prevents someone from swapping out the bootloader with a backdoored version that steals your passwords.
>Also can recover data without my mainboard.
You're supposed to keep a backup of the encryption key when using TPM, in case it fails.
Sounds good - which software supports this? Specifically I'd prefer if it would do a composite key derivation in-time rather than "just a pw prompt but TPM has the full key"
No remotely reachable vuln should be taken lightly.
At the moment though, the preconditions look odd. I've been using nginx in various constellations for 10 years and never once combined rewrite and set.
There can be situations where you set some variables on top level and then override those in the location block with rewrite. These variables could be then used e.g. in log lines or in other "global" contexts.
It says coordinated distro release today, and I've received a notice earlier today but that does not include the CVE number. That's confusing / does not seem very coordinated to release 2 separate security update notices in a day.
That mentions 4.98.2-1+deb13u2, and its changelog has:
exim4 (4.98.2-1+deb13u2) trixie-security; urgency=high
* Backport fix for Use-After-Free in GnuTLS BDAT/CHUNKING code path.
This is Exim-Security-2026-05-01.1, fixed upstream in 4.99.3.
-- Andreas Metzler <ametzler@debian.org> Mon, 11 May 2026 19:14:46 +0200
Next easy attack vector is (non-rootless) docker run with rootfs mount, many are in docker group even when sudo is protected.
Also, most sensitive data is in the user scope anyways (on a PC).
You should always run dev stuff in containers to start with.
And when your system is compromised, reprovision from a higher scope, too many places to hide backdoors
reply