Considering: https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/?sh=642869635da0
Where we are speaking of a company with a very deep war chest, I think it’s safe to say, it’s all a crap shoot if you don’t know what you’re doing. And also if you do.
For instance. I run linux vserver (a set of kernel patches, cgroups like, predating cgroups) which is a form of para-virtualization. Now, this is ‘outmoded’ and few use it these days.
Well, turns out it’s sometimes advantageous to not go with latest greatest. Linux Vserver containers (not the kernel itself) are immune to Spectre and Meltdown. The two most serious kernel vulnerabilities introduced by HARDWARE! in, well, for ever.
Long story short. All the latest greatest software (even older stuff, kvm, xen, etc) is toast. Vulnerable. Unless you patch the kernel, suspend a bunch of cpu features, etc. You take a 20% performance hit.
I don’t. I don’t patch my kernels. My virtuals are not vulnerable. blah, blah, blah.
So why the long post. Well, I know very, very few, even seasoned, admins who are aware of this. It’s obscure knowledge.
And on the other hand, one of the richest companies on the planet (Kalifornia, ueber alles, ueber alles Kalifornia!) can’t do security audits.
My very quick look at the security aspects of SFOS left me secure in the knowledge that I CAN inspect it. My apple developer license is lapsed. I doubt I can get a really good look at the internals.
And apple is the only alternative, until the bugs are out of Ubuntu Touch, Plasma and co. Except maybe Librem. Librem might be a recommend. I haven’t had the time to look but it’s probably a step up from SFOS. I’m saving up my Kopecs.
But I’ll still develop for SFOS. I guess I’m just an old Nokia Fan Boy (I was an apple fan boy. I am a Commodore/Amiga fan boy).
Oh jah. Graphene. Hard, we are. Ah ah. The only recommended devices are from a company called google.
Pixel 5 (redfin)
Pixel 4a (5G) (bramble)
Pixel 4a (sunfish)
That does not instill confidence in me.
Using the buzzword DNSSEC (and then describing it incorrectly) on your PR page is not secure. It’s just talk.
Sorry for the rant. I spent most of my day doing … security updates on servers.