Much better article with very real tips about what options to try than yesterday's (weirdly flagged/dead?) post on the topic. Which, while I really enjoyed it, lacked substance; I was in the comments trying to provide a more useful basis with some real examples, but this is an exemplary list of awesome ways systemd can easily, quickly, readily provide a massive boost to isolation & security. Great write up!
Yesterday's, just in case: https://us.jlcarveth.dev/post/hardening-systemd.md https://news.ycombinator.com/item?id=44928504
Maybe fix the certificate issue on the site. Some browsers don't even let one go forward with a bad cert.
Things I hate: Flatpak, Snaps, Docker containers, SystemD (different I know, but worth a mention due to the strong emotions nonetheless). Obviously too big a topic to talk about everything, but one common theme in all of them is they are often presented as the only way to do things by the developers that use them. The projects that use them tend to be harder to customize than they should be - sometimes much harder. Some of them, like Snaps and SystemD, get shoved down my throat so I hate them with a smouldering hate! And I won't use Ubuntu or derivatives any more. If you want to make a derivative distro, use Debian, use Arch, use openSuse, use RedHat.
I don't love it when I see so many projects on github where the project is a docker image or a flatpak - instead of writing an app that I can directly install on at least some flavor of Linux, with an optional wrapper / container / package. Of course I understand why it's done, but it does feel a bit antithetical to the spirit of open source if I have to do a ton of arcane work to decouple your project from these containers (all of which have obvious downsides as well as upsides) just to use it directly in an OS - which is ultimately where all this type of software runs.
Why write beautiful or useful software, and lock it in a box? Technically, of course it remains open source. Yes, I can probably laboriously take it out of the box. No, locking it in the box in the first place is not as effectively open as if it had never been placed only there in the first place. Developers who want to do this are totally free to do so - just it will rub me wrong and I won't appreciate their work nearly as much. That is a trade off I presume they know they are making for many users, so to each his own.
Practically? I have opted to avoid all flatpaks and snaps, and to only use appimages - to avoid having a variety of these tools with their variety of performance, maintenance, and security concerns to deal with on my system. I chose appimage because snaps are terrible and I much prefer the fuller inclusion of dependencies in an appimage compared to flatpaks just duplicating what a repository already does - and sharing dependencies between apps. I only use appimage if I really need a piece of software and there is no other packaging available. Similarly, I only use docker off my main device, but there are a few projects that require me to use it. I will always prefer an LXC or a VM first if I can.
That's my own little world. I know it doesn't matter. But I would guess it fits pretty close to the sentiment and practice of a lot of people.