Users who want take the extra precaution of waiting an additional period of time must decide to manually configure this with their tooling.

This practice has been a thing in the sysadmin community for years and years - most sysadmins know that you never install Windows updates on the day they release.

Having a step before publication means that's it's essentially opt-in pre-release software, and that comes with baggage - I have zero doubts that many entities who download packages to scan for malware explicitly exclude pre-release software, or don't discover it at all until it's released through normal channels.

I store every single important piece of info in my KeePass database. It stores ALL of my passwords, my SSN, credit cards, my health information, even some weird stuff like my vehicle maintainence records and whatnot. My KDBX file currently sits at 466K. Size is not a particularly compelling reason. Hate to be that guy, but if your database is much larger than that - you're probably doing it wrong.

Newer features like TOTP and passkeys are likewise not a concern for me. What did KeePassXC do when TOTP came around? They stored the relevant data in the attributes, and added a UI around it. It even works with my Steam TOTP, which is a nonstandard implementation. I haven't looked into it, but I imagine they did the same thing with passkeys. I don't see why this couldn't continue to be the paradigm they use. I don't use attributes at all - I haven't needed to, the notes section work great - but I do appreciate being able to look into the "raw data" of attributes quite easily, from within the UI.

If KeePass were being developed from scratch today, or if the developers of the various projects collectively really, really want to switch to a SQLite system of their own volition. Then sure, SQLite. I'm not going to ask them to do that now though.

---

On a separate note, an unfufilled niche that I have though, if anyone's looking for ideas. My secure password storage is a solved problem, KeePass is cross platform, easy to use, and very secure. What remains a problem is secure notes. I want to be able to write markdown (`.md`) documents, add photos and PDFs, then save it to a secure, encrypted folder somewhere. Doesn't need the same security posture as KeePass, but I don't want to leak metadata like file names.

Obsidian - my current notes app - is good from a usability standpoint, but it's not exactly secure. I could pair it up with Veracrypt, but that's a pain from a usability standpoint, and I don't trust my OS to keep the mounted Veracrypt volume contents a secret. Whatever the solution is, it must have a GPL license, or else I'm not going to trust it - from a long-term viability standpoint more than anything else.

If anyone has any suggestions here, would love to hear them.

Personally, I self host because the benefits I receive simply aren't available anywhere else at the level of quality I've come to expect - Jellyfin is a great media player, it's free, and I don't want to switch. Pihole provides ad protection and privacy for my whole home network. It's also free. Homeassistant is amazing, and free. Etc etc.

* Kubernetes is great for a lot of things, and I think there's many use cases for it where it's the best option bar none

* Particularly once you start piling on requirements - we need logging, we need metrics, we need rolling redeployments, we need HTTPS, we need a reverse proxy, we need a load balancer, we need healthchecks. Many (not all!) of these things are what mature services want, and k8s provides a standardized way to handle them.

* K8s IS complex. I won't lie. You need someone who understands it. But I do enjoy it, and I think others do too.

* The next best alternative in my opinion (if you don't want vendor lock in) is docker-compose. It's easy to deploy locally or on a server

* If you use docker-compose, but you find yourself wanting more, migrating to k8s should be straightforward

So to answer your questions, I think you can adopt k8s whenever you feel like it, assuming you have the expertise and are willing to dedicate time to maintaining it. I use it in my home network with a 1 node "cluster". The biggest pitfalls are all related to vendor lock in - managed Redis, Azure Key Vault. Hyper specific config related to your managed k8s provider that might be tough to untangle. At the same time, you can just as easily start small with docker-compose and scale up later as needed.

I'm 28. I started using computers on a regular basis when I was ~9 years old, playing RuneScape. Since then, I've spend probably 10s of thousands of hours on the internet - downloading torrents, signing up for sketchy Russian websites, doing online banking, testing experimental software downloaded over HTTP from a .xyz domain. I graduated high school, went to a technical college for compsci, graduated, worked in helpdesk, desktop support, IT management, and more recently DevOps. I develop software using all sorts of package managers, and used hundreds of thousands of unvetted software packages that arrived as dependencies.

Not once have I, or anyone I've been responsible for, been hacked. No crypto, no viruses, nothing. What the heck are you guys doing getting your Android phones hacked???? Like I only use a modicum of common sense these days, but I guess I've just been lucky and have been the odd one out. I still enjoy reading HN arrivals about security though, so maybe I just have always been slightly more security conscience?

In any case, this is just a stream of consciousness / gut feeling comment. Don't put too much weight into it, I haven't.

Most garbage was compactible and clean enough that I could stuff it into my garbage pocket (to the dismay of my girlfriend). Larger or dirtier items, I would put into a ziplock bag in my backpack that I carried with me everywhere. Public trash receptacles, while rarer than in North America, could be found often enough if you were observant of your surroundings.

k8s: Installing and using k8s can indeed be a nightmare. In my job, we use Azure, so it's not so bad since launching a cluster is mostly handled by Azure. Setting it up for personal use is less fun. The mountains of YAML you can end up using to deploy even semi-complex services is even less fun. That being said, I've been wanting to use it for a personal project (distributed cluster using cloud VPSs and bare metal at home connected using WireGuard). I just wish it was smaller and faster. Most guides recommend 2Gb of RAM and 2 CPU for the smallest of small deployments.

docker-compose: I actually love docker-compose for my personal stuff. I have an intel NUC hosting homeassistant, pihole, caddy, deluge, jellyfin and a handful of other stuff. Everything lives in a series of folders for each service. Backups (both data and code via git), disaster recovery, and just general reasoning about of it is so easy. The docker-compose files are small and easy to read. I also find docker-compose to be about as immutable as you'd like it - version control your docker-compose directories, pin your image SHAs, and you're in a good place. Or don't, and it will still work pretty well.

NixOS: I've done it. I installed it on my Framework Laptop since it was all the rage at the t ime. I lived with it for about a year, and it was okay - for day-to-day use - AFTER I had spent weeks learning how to use NixOS. I will freely admit it's an awesome technology in some respects. But the documentation just was not there. It was way too hard to learn how to do even basic tasks. I thought nix flakes might be the "aha" moment I was looking for, but I gave up trying to get that to work after a couple of days of troubleshooting. Don't even get me started on trying to package up something from scratch. As a random example, I googled "packaging python for nix" and the top result [1] is just way too complex for something that should be pretty simple. The example includes some abomination of a .nix file with inline bash and python scripts.

I don't really know where I'm going with this. I really do like the idea of NixOS. I just wish it was much, much easier to reason about. Curious to hear what others make of this.

[1](https://nixos.wiki/wiki/Packaging/Python)

I gave up after a short while using Nix and switched to Windows. It's not perfectly tuned like a minimal Linux install might be, but all of the hardware features work as expected and it has a pretty good battery life.

If someone can find a way to do something like Nix, but simple, I'll be interested. Even if it's just a on-rails version of Nix.

I was curious to see if they had checked out my personal website, so I grabbed my webserver logs and I recognized one IP from the city the job was based in. More than likely, the public IP of the business in question.

On a whim, I ran the IP through Shodan.io and it showed that 47808 was open - The BACNet protocol. I had no idea what this protocol was, but I was able to download some odd enterprisey software that had the ability to speak BACnet. I connected to the IP:Port and found a long list of connected things - water levels, temperatures, lights, and more.

I wasn't interested in doing anything questionable with this information. I'm not even certain it allowed me to do anything more than look, but I like to think I could have e.g. turned off lights or adjusted temperatures in the grow rooms. I made the (risky) executive decision to let the hiring manager know that their public IP had an important port open to the world. I wound up getting hired by that business, and the first task I was assigned was to fix the open port.

I'm not sure if that counts as "hacking", but I was proud of finding the vulnerability / misconfiguration nonetheless.

- Supports phone / tablet / browser / roku / others

- Can chromecast

- Supports movies, tv. Not sure about random videos but I suppose you could do it.

- Supports subtitle downloading

- Haven't used it myself, but supports podcasts, books, photos, music

Also FOSS. Doesn't have the same motive as commercial software ala Plex to nag you, and it hasn't nagged me yet.