I run Steam in a flatpak for convenience and confinment reasons. One day my Steam install failed with

My first instinct is to check to make sure libc6:i386 is actually installed - it is. Then I check to see if there are flatpak updates, but with the 32-bit libraries I find more errors:

        ID                                                  Branch        Op        Remote         Download
 1. [✗] org.freedesktop.Platform.GL32.nvidia-460-39         1.4           i         flathub        178.7 MB / 178.7 MB

Error: While trying to apply extra data: apply_extra script failed, exit status 40704
error: Failed to install org.freedesktop.Platform.GL32.nvidia-460-39: While trying to apply extra data: apply_extra script failed, exit status 40704

Journal log

Feb 26 08:18:24 desktop polkitd(authority=local)[641]: Registered Authentication Agent for unix-process:3535:65589 (system bus name :1.75 [flatpak install org.freedesktop.Platform.GL32.nvidia-460-39], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 26 08:18:26 desktop flatpak[3535]: libostree pull from 'flathub' for runtime/org.freedesktop.Platform.GL32.nvidia-460-39/x86_64/1.4 complete
                                       security: GPG: summary+commit 
                                       security: SIGN: disabled http: TLS
                                       delta: parts: 1 loose: 3
                                       transfer: secs: 0 size: 349.8 kB


Feb 26 08:18:54 desktop flatpak[3535]: system: Pulled runtime/org.freedesktop.Platform.GL32.nvidia-460-39/x86_64/1.4 from flathub
Feb 26 08:18:55 desktop audit[3583]: SECCOMP auid=1000 uid=0 gid=0 ses=2 subj==unconfined pid=3583 comm="apply_extra" exe="/app/bin/apply_extra" sig=31 arch=40000003 syscall=122 compat=1 ip=0x80a933d code=0x0

This is where I remember that I've been testing a lot of systemd confinement changes (including limiting SystemCalls) and one of the services I modified was gpg-agent. However, reverting that change doesn't help but I'm getting closer. (Aside: Great time to guess what config change I made that caused the errors..)

I then run:

sudo flatpak repair

to verify all the files in flatpak but nothing needed fixing.

I then ran:

$ sudo dpkg -V
...
/etc/systemd/system.conf
...

Oh, shoot I did setup

SystemCallArchitectures=native

This is saying I only want native syscalls to be run, but why is it applying to an application! I would have thought it just applied to services or other things systemd runs.

Sure enough disabling that option fixes it, Steam works, and the 32-bit NVidia via Flatpak install too.

But.. why?

Flatpak runs apps in a systemd scope (if available).

$ systemctl status --user app-flatpak-com.valvesoftware.Steam-6702.scope 
● app-flatpak-com.valvesoftware.Steam-6702.scope
     Loaded: loaded (/run/user/1000/systemd/transient/app-flatpak-com.valvesoftware.Steam-6702.scope; transient)
  Transient: yes
     Active: active (running) since Wed 2021-03-03 12:16:23 PST; 1min 2s ago
      Tasks: 113 (limit: 38415)
     Memory: 352.0M
        CPU: 16.066s
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/app-flatpak-com.valvesoftware.Steam-6702.scope
             ├─6702 bwrap --args 41 /app/bin/steam-wrapper
             ├─6706 bwrap --args 4But what does 1 xdg-dbus-proxy --args=43
             ├─6707 xdg-dbus-proxy --args=43
             ├─6711 bwrap --args 41 /app/bin/steam-wrapper
             ├─6713 bash /home/bryan/.local/share/Steam/steam.sh
            ....etc

I want to explore inside this scope more and I stumble upon some Sandbox docs, but using flatpak run just creates it's own scope:

$ systemctl status --user app-flatpak-com.valvesoftware.Steam-7616.scope 
● app-flatpak-com.valvesoftware.Steam-7616.scope
     Loaded: loaded (/run/user/1000/systemd/transient/app-flatpak-com.valvesoftware.Steam-7616.scope; transient)
  Transient: yes
     Active: active (running) since Wed 2021-03-03 12:20:21 PST; 33s ago
      Tasks: 6 (limit: 38415)
     Memory: 2.8M
        CPU: 61ms
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/app-flatpak-com.valvesoftware.Steam-7616.scope
             ├─7616 bwrap --args 42 bash
             ├─7620 bwrap --args 42 xdg-dbus-proxy --args=44
             ├─7621 xdg-dbus-proxy --args=44
             ├─7624 bwrap --args 42 bash
             └─7626 bash

But this is an awesome way to see what the Flatpak actually has access to (and the package icon is just such a nice touch)

$ flatpak run --command=bash com.valvesoftware.Steam 
[📦 com.valvesoftware.Steam ~]$ ls
Music  Pictures  cache  config  data
[📦 com.valvesoftware.Steam ~]$ pwd
/home/bryan

I totally forgot that Steam has a built-in music player. Let's turn that off.

flatpak permissions-show or list doesn't seem to do anything.

flatpak info --show-permissions com.valvesoftware.Steam is the right answer (thanks!)

filesystems=xdg-run/app/com.discordapp.Discord:create;xdg-pictures:ro;xdg-music:ro;
persistent=.;

I then decide to just install Flatseal to review those and end up disabling all the default file permissions.

$ flatpak run --command=bash com.valvesoftware.Steam 
[📦 com.valvesoftware.Steam ~]$ ls
Music  Pictures  cache  config  data

Hmm.. Did I do something wrong?

$ ls Music/ Pictures/
Music/:

Pictures/:

Nope, those directories are now empty. Previosly they were my actual music and pictures. Better confinement and a better understanding of how it works. Nice!

Have a comment or did I make a mistake? Add it via Gitlab.

I'm running Debian 11 (testing) with XFCE and getting PipeWire up and running was relatively easy - although explicitly unsupported for Debian 11.

sudo apt install pipewire pipewire-audio-client-libraries
sudo apt remove pulseaudio pulseaudio-utils
sudo apt autoremove

At some future point there will be something like pipewire-pulse which will do the rest, but for now you must:

sudo touch /etc/pipewire/media-session.d/with-pulseaudio
sudo cp /usr/share/doc/pipewire/examples/systemd/user/pipewire-pulse.* /etc/systemd/user/
systemctl --user enable pipewire-pulse pipewire

I suggest a reboot after, but a logout may be enough. Then try playing some music. If it worked, it should play just like it has before.

More processes

1456 bryan     20   0 1023428 102436  50396 S   1.7   2.6   0:02.06 quodlibet                     
690 bryan      9 -11  898044  27364  20932 S   1.0   0.7   0:00.31 pulseaudio

PipeWire runs as 3 separate processes compared to PulseAudio above. Of note, apparently PipeWire does want to adjust it's nice level, but in it's current state it doesn't depend on it - and I haven't seen any need for it.

PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                       
936 bryan     20   0  826812 100484  50472 S   1.3   2.5   0:02.71 quodlibet                     
692 bryan     20   0   94656  12480   5928 S   0.7   0.3   0:00.38 pipewire-pulse                
693 bryan     20   0  107408  15228   7192 S   0.3   0.4   0:00.39 pipewire
701 bryan     20   0  225340  22756  17280 S   0.0   0.6   0:00.06 pipewire-media-

What's works? Everything so far..

• Playing music locally
• Playing videos locally
• Playing music/videos on the web
• Video calls via Jitsi
• Changing volume using xfce's pulseaudio applet

Except I can't change individual application volumes because pavucontrol was removed. I belive pavucontrol could actually control it, but I haven't tried it.

So worth switching?

If you want to be an early adopter, jump on in. If not Fedora and Ubuntu will both be including it this year (although I'm not sure if Ubuntu will replace PulseAudio with it).

This is my favorite line from the Fedora proposal: "...with both the PulseAudio and JACK maintainers and community. PipeWire is considered to be the successor of both projects."

It's generally a lot of work to get three projects to agree on standards between them, much less to have general agreement on a future path. I'm very impressed with all three groups to figure out a path to improve Linux audio together.

Another update - it's been 6 months and Signal still does not let you register.

Updated Riot was renamed to Element. XMPP info added in comment.

A couple years ago I was a part of a discussion about encrypted messaging.

• I was in the Signal camp - we needed it to be quick and easy to setup for users to get setup. Using existing phone numbers makes it easy.
• Others were in the Matrix camp - we need to start from scratch and make it distributed so no one organization is in control. We should definitely not tie it to phone numbers.

I was wrong.

Signal has been moving in the direction of adding PINs for some time because they realize the danger of relying on the phone number system. Signal just mandated PINs for everyone as part of that switch. Good for security? I really don't think so. They did it so you could recover some bits of "profile, settings, and who you’ve blocked".

Before PIN

If you lose your phone your profile is lost and all message data is lost too. When you get a new phone and install Signal your contacts are alerted that your Safety Number has changed - and should be re-validated.

After PIN

If you lost your phone you can use your PIN to recover some parts of your profile and other information. I am unsure if Safety Number still needs to be re-validated or not.

Your profile (or it's encryption key) is stored on at least 5 servers, but likely more. It's protected by secure value recovery.

There are many awesome components of this setup and it's clear that Signal wanted to make this as secure as possible. They wanted to make this a distributed setup so they don't even need to tbe only one hosting it. One of the key components is Intel's SGX which has several known attacks. I simply don't see the value in this and it means there is a new avenue of attack.

PIN Reuse

By mandating user chosen PINs, my guess is the great majority of users will reuse the PIN that encrypts their phone. Why? PINs are re-used a lot to start, but here is how the PIN deployment went for a lot of Signal users:

1. Get notification of new message
2. Click it to open Signal
3. Get Mandate to set a PIN before you can read the message!

That's horrible. That means people are in a rush to set a PIN to continue communicating. And now that rushed or reused PIN is stored in the cloud.

Hard to leave

They make it easy to get connections upgraded to secure, but their system to unregister when you uninstall has been down Since June 28th at least (tried last on July22nd). Without that, when you uninstall Signal it means:

• you might be texting someone and they respond back but you never receive the messages because they only go to Signal
• if someone you know joins Signal their messages will be automatically upgraded to Signal messages which you will never receive

Conclusion

In summary, Signal got people to hastily create or reuse PINs for minimal disclosed security benefits. There is a possibility that the push for mandatory cloud based PINS despite all of the pushback is that Signal knows of active attacks that these PINs would protect against. It likely would be related to using phone numbers.

I'm trying out the Element which uses the open Matrix network. I'm not actively encouraging others to join me, but just exploring the communities that exist there. It's already more featureful and supports more platforms than Signal ever did.

Maybe I missed something? Feel free to make a PR to add comments

Comments

kousu posted

In the XMPP world, Conversastions has been leading the charge to modernize XMPP, with an index of popular public groups (jabber.network) and a server validator. XMPP is mobile-battery friendly, and supports server-side logs wrapped in strong, multi-device encryption (in contrast to Signal, your keys never leave your devices!). Video calling even works now. It can interact with IRC and Riot (though the Riot bridge is less developed). There is a beautiful Windows client, a beautiful Linux client and a beautiful terminal client, two good Android clients, a beautiful web client which even supports video calling (and two others). It is easy to get an account from one of the many servers indexed here or here, or by looking through libreho.st. You can also set up your own with a little bit of reading. Snikket is building a one-click Slack-like personal-group server, with file-sharing, welcome channels and shared contacts, or you can integrate it with NextCloud. XMPP has solved a lot of problems over its long history, and might just outlast all the centralized services.

Bryan Reply

I totally forgot about XMPP, thanks for sharing!

What I've tried.

1. Firefox beta as a snap. (Definitely easy to install. But not as quick and harder to use for managing files - makes it's own Downloads directory, etc)
2. Firefox (stock) with custom AppArmor confinement. (Fun to do once, but the future is clearly using portals for file access, etc)
3. Firefox beta as a Flatpak.

I've now been running Firefox as a Flatpak for over 4 months and have not had any blocking issues.

Getting it installed

Flatpak - already installed on Fedora SilverBlue (comes with Firefox with some Fedora specific optimizations) and EndlessOS at least

Follow Quick Setup. This walks you through installing the Flatpak package as well as the Flathub repo. Now you could easily install Firefox with just 'flatpak install firefox' if you want the Stable Firefox.

To get the beta you need to add the Flathub Beta repo. You can just run:

sudo flatpak remote-add flathub-beta https://flathub.org/beta-repo/flathub-beta.flatpakrepo

Then to install Firefox from it do (You can also choose to install as a user and not using sudo with the --user flag):

sudo flatpak install flathub-beta firefox

Once you run the above commend it will ask you which Firefox to install, install any dependencies, tell you the permissions it will use, and finally install.

Looking for matches…
Similar refs found for ‘firefox’ in remote ‘flathub-beta’ (system):

...posts/mindshare/snap-firefox-initial.md
   3) app/org.mozilla.firefox/x86_64/beta

Which do you want to use (0 to abort)? [0-3]: 3
Required runtime for org.mozilla.firefox/x86_64/beta (runtime/org.freedesktop.Platform/x86_64/19.08) found in remote flathub
Do you want to install it? [Y/n]: y

org.mozilla.firefox permissions:
    ipc                          network       pcsc       pulseaudio       x11       devices       file access [1]       dbus access [2]
    system dbus access [3]

    [1] xdg-download
    [2] org.a11y.Bus, org.freedesktop.FileManager1, org.freedesktop.Notifications, org.freedesktop.ScreenSaver, org.gnome.SessionManager, org.gtk.vfs.*, org.mpris.MediaPlayer2.org.mozilla.firefox
    [3] org.freedesktop.NetworkManager


        ID                                             Branch            Op            Remote                  Download
 1. [—] org.freedesktop.Platform.GL.default            19.08             i             flathub                    56.1 MB / 89.1 MB
 2. [ ] org.freedesktop.Platform.Locale                19.08             i             flathub                 < 318.3 MB (partial)
 3. [ ] org.freedesktop.Platform.openh264              2.0               i             flathub                   < 1.5 MB
 4. [ ] org.gtk.Gtk3theme.Arc-Darker                   3.22              i             flathub                 < 145.9 kB
 5. [ ] org.freedesktop.Platform                       19.08             i             flathub                 < 238.5 MB
 6. [ ] org.mozilla.firefox.Locale                     beta              i             flathub-beta             < 48.3 MB (partial)
 7. [ ] org.mozilla.firefox                            beta              i             flathub-beta             < 79.1 MB

The first 5 dependencies downloaded are required by most applications and are shared, so the actual size of Firefox is more like 130MB.

Confinement

• You can't browsing for local files via browser file:/// (except for ~/Downloads). All local files need to be opened by Open File Dialogue which automatically adds the needed permissions.
• You can enable Wayland as well with 'sudo flatpak override --env=GDK_BACKEND=wayland org.mozilla.firefox (Wayland doesn't work with the NVidia driver and Gnome Shell in my setup though)

What Works?

Everything I want which includes in no particular order:

• Netflix (some older versions had issues with DRM IMU)
• WebGL (with my Nvidia card and proprietary driver. Flatpak installs the necessary bits to get it working based on your video card)
• It's speedy, it starts quick as I would normally expect
• Using the file browser for ANY file on my system. You can upload your private SSH keys if you really need to, but you need to explicitly select the file (and I'm not sure how you unshare it).
• Opening apps directly via Firefox (aka I download a PDF and I want it to open in Evince - this does use portals for confinement).
• Offline mode

What could use work?

• Some flatpak commands can figure out what just "Firefox" means, while others want the full org.mozilla.firefox
• If you want to run Firefox from the command line, you need to run it as org.mozilla.firefox. This is the same for all Flatpaks, although you can make an alias.
• It would be more convenient if Beta releases were part of the main Flathub (or advertised more)
• If you change your Downloads directory in Firefox, you have to update the permissions in Flatpak or else it won't allow it to work. If you do Save As.. it will work fine though.
• The flatpak permission-* commands lets you see what permissions are defined, but resetting or removing doesn't seem to actually work.

If you think you found a Flatpak specific Mozilla bug, the first place to look is Mozilla Bug #1278719 as many bugs are reported against this one bug for tracking purposes.

Comments

Add a comment by making a Pull Request to this post.

First, I strongly recommend switching to Jitsi Meet:

• It's free
• It doesn't require you to sign up at all
• It's open source
• It's on the cutting edge of privacy and security features

Second, Anything else that runs in a browser instead of trying to get you to download an specific desktop application. Your browser protects you from many stupid things a company may try to do. Installing their app means you are at more risk. (Apps for phones is a different story.).

A small sampling of other web based options:

• Talky.io (also open source, no account required)
• 8x8.vc which is the company that sponsors Jitsi Meet. Their offering has more business options
• Whatever Google calls their video chat product this week (Duo, Hangouts, Meet).
• join.me
• Microsoft Skype (no signups or account required for a basic meeting!)
• whereby

There are many reasons not to choose Zoom.

😞😞😞

Finally, So you have to use Zoom?

Zoom actually supports joining a call with a web browser. They just don't promote it. Some things may not work as well but you get to keep more of your privacy and security.

1. On joining the meeting close the request to run a local app.
2. Click Launch Meeting in middle of screen.
3. Again close out of the request to open a local app
4. Ideally, you now get a join from browser, click that!

If it doesn't work try loading the site in another browser. First try Chrome (or those based on it - Brave/Opera) and then Firefox. It's possible that your organization may have disabled the join from web feature.

If you are a Zoom host or admin (why?) you can also ensure that the web feature is not disabled.

Time for a 20.04 LTS LiveCD memory comparison with a bunch more distros. I last did one in 2016.

Using Lubuntu as an example base memory usage approximately doubled from 2016 (251M) to 2020 (585M). Those numbers aren't strictly comparable because I'm not using the exact same setup as in 16.04 and I enabled more modern features (virtio graphics, EUFI, 4 cores).

Lubuntu is able to work with less at least partially because of Zram. The other distro that has Zram enabled is Endless, but they also use the Chromium browser which generally uses more memory than Firefox (also Elementary uses Ephipany). My guess is if Xubuntu enabled zram it's profile would more closely match Lubuntu.

Notes:

• Time limit for each applicaton launch is approximately 30 seconds.
• Accuracy over 1G is by .25G increments. Under 1G, I tried to narrow it down to at least .1G.
• Getting out of full screen on YouTube apparently is an intensive task. Dropped testing that.
• Screen size was set to 1080p/60Hz.
• Sample qemu line: qemu-system-x86_64 -enable-kvm -cdrom clear-33300-live-desktop.iso -smbios file=/usr/share/ovmf/OVMF.fd -m 1024M -smp 4 -cpu host -vga virtio --full-screen
• All Ubuntu derivatives were from 20.04 LTS

I've been wanting to try out Rust with something very simple as a first pass through the language.

Rust Impressions

Although I didn't do much with functions on this quick pass - I love the ability to not have the order of main in a program to matter.

Super helpful error messages. Here is an example:

warning: value assigned to `temp` is never read
 --> src/main.rs:4:13
  |
4 |     let mut temp=0u32;
  |             ^^^^
  |
  = note: `#[warn(unused_assignments)]` on by default
  = help: maybe it is overwritten before being read?

I know others have said this, but the Rust compiler feels like it was designed to help me code, rather than just throw errors.

Speed?

I decided to write a simple unoptimized version of the fibonacci sequence. My goal was to take enough time to be noticable...

On my first pass:

• Rust runs took 1m34seconds (using cargo run)
• Python took more than 6 minutes
• C got 7 seconds

Clearly I must have done something wrong...

It turns out that by default it has debug info and checks that slow Rust down. So a

cargo build --release
./target/release/fib

Then it was faster than C.. and I realized I need to turn off C\'s debug bits too with:

gcc -O2 -s -DNDEBUG to gcc helped. gcc  fib.c

The final results (all approximate):

• Python: 6+ minutes.
• C: 1.101s
• Rust: .95sE

The Rust

fn main() {
    let mut previous=0u32;
    let mut current=1u32;
    let mut temp;
    let maxvalue = 2000000000u32;

    for _n in 0..2000000000 {
            if current >= maxvalue {
                //Reset!
                previous=0; current=1;
            }
        temp = current;
        current = previous + current;
        previous = temp;
    }
    println!("{}", current);
}

The C

#include <stdio.h>
int main() {

    unsigned long int previous=0;
    unsigned long int current=1;
    unsigned long int temp;
    unsigned long int maxvalue = 2000000000;
    for ( int n=0; n < 2000000000; n++ ) {
        if (current >= maxvalue) {
                //Reset!
                previous=0; current=1;
        }
        temp = current;
        current = previous + current;
        previous = temp;
    }
    printf("%lu", current);
}

The Python3

previous=0;
current=1;
temp = 0;
maxvalue = 2000000000;

for n in range(2000000000):
    if current >= maxvalue:
        #Reset!
        previous=0; current=1;
    temp = current;
    current = previous + current;
    previous = temp;
print(current);

With February 13th passing it would appear there are only 3 Malaysia patents left:

• MY 128994 (possible expiration of 30 Mar 2022)
• MY 141626-A (possible expiration of 31 May 2025)
• MY-163465-A (possible expiration of 15 Sep 2032)

These two just expired:

• MY 118734-A - Exp. Jan 31, 2020
• PH 1-1995-50216 - Exp. Feb 13, 2020

I am very much not a patent lawyer, but my reading indicates all the 3 remaining are really all the same expired US Patent US5565923A with varying Grant dates causing to expire far in the future.

I've started a detailed tracker for those who want more details.

I bought a hack computer for $299 - it's designed for teaching 8+ year olds programming. That's not my intended use case, but I wanted to support a Linux pre-installed vendor with my purchase (I bought an OLPC back in the day in the buy-one give-one program).

I only use a laptop for company events, which are usually 2-4 weeks a year. Otherwise, I use my desktop. I would have bought a machine with Ubuntu pre-installed if I was looking for more of a daily driver.

The underlying specs of the ASUS Laptop E406MA they sell are:

• 14.0" (16:9) LED-backlit HD (1920x1080) 60Hz Anti-Glare Panel with 45% NTSC
• 4GB DDR4
• 64G EMMC
• Intel® Pentium® Silver N5000 Processor

Unboxing and first boot

Included was an:

• introduction letter to parents
• tips (more for kids)
• 2 pages of hack stickers
• 2 hack pins
• ASUS manual bits
• A USB to Ethernet adapter
• and the laptop:

First boot takes about 20 seconds. And you are then dropped into what I'm pretty sure is GNOME Initial Setup. They also ask on Wifi connections if they are metered or not.

There are standard philips head screws on the bottom of the laptop, but it wasn't easy to remove the bottom and I didn't want to push - I've been told there is nothing user replaceable within.

The BIOS

The options I'd like change are there, and updating the BIOS was easy enough from the BIOS (although no LVFS support..).

A kids take

Keep in mind this review is done by 6 year old, while the laptop is designed for an 8+ year old.

He liked playing the art game and ball game. The ball game is an intro to the hack content. The art game is just Krita - see the artwork below. First load needed some help, but got the hang of the symmetrical tool.

He was able to install an informational program about Football by himself, though he was hoping it was a game to play.

Overall

For target market: It's really the perfect first laptop (if you want to buy new) with what I would generally consider the right trade-offs. Given Endless OS's ability to have great content pre-installed, I may have tried to go for a 128 GB drive. Endless OS is setup to use zram which will minimize RAM issues as much as possible. The core paths are designed for kids, but some applications are definitely not. It will be automatically updating and improving over time. I can't evaluate the actual Hack content whose first year is free, but after that will be $10 a month.

For people who want a cheap Linux pre-installed laptop: I don't think you can do better than this for $299.

Pros:

• CPU really seems to be the best in this price range. A real Intel quad-core, but is cheap enough to have missed some of the vulnerabilities that have plagued Intel (no HT).
• Battery life is great
• A 1080p screen

Cons:

• RAM and disk sizes. Slow eMMC disk. Not upgrade-able.
• Fingerprint reader doesn't work today (and that's not part of their goal with the machine, it defaults to no password)
• For free software purists, Trisquel didn't have working wireless or trackpad. The included USB->Ethernet worked though.
• Mouse can lack sensitivity at times
• Ubuntu: I have had Wifi issues after suspend, but stopping and starting Wifi fixed them
• Ubuntu: Boot times are slower than Endless
• Ubuntu: Suspend sometimes loses the ability to play sound (gets stuck on headphones)

I do plan on investigating the issues above and see if I can fix any of them.

Using Ubuntu?

My recommendations:

• Purge rsyslog (may speed up boot time and reduces unnecessary writes)
• For this class of machine, I'd go deb only (remove snaps) and manual updating
• Install zram-config
• I'm currently running with Wayland and Chromium
• If you don't want to use stock Ubuntu, I'd recommend Lubuntu.

Dive deeper

• Benchmarks showing it's slower then my desktop.. mostly a duh. But can let you compare to your computer. Tested with Wayland
• Spectre tool output
• lsusb

Florida, Tennessee, the EU and more are considering one timezone for the entire year - no more changing the clocks. Massachusetts had a group study the issue and recommend making the switch, but only if a majority of Northeast states decide to join them. I would like to see the NJ legislature vote to join them.

Interaction between countries would be helped by having one less factor that can impact collaboration. Below are two examples of ways this will help.

Meeting Times

Let's consider a meeting scheduled in EST with partipants from NJ, the EU, and Arizona.
NJ - normal disruption of changing times, but the clock time for the meeting stays the same.
Arizona - The clock time for the meeting changes twice a year.
EU - because they also change their clocks at different points throughout the year. Due to this, they have 4 clock time changes during each year.

This gets more complicated as we add partipants from more countries. UTC can help, but any location that has a time change has to be considered for both of it's timezones.

Global shift work or On-call

Generally, these are scheduled in UTC, but the shifts people actually work are in their local time. That can be disruptive in other ways, like finding child care.

In conclusion, while these may be minor compared to other concerns (like the potential health effects associated with change the clocks), the concerns of global collaboration should also be considered.