That makes sense from a SaaS business owner because security and privacy are a part of software business.
However, I didn't specifically talk about software business. A medical doctor may be interested in mullvad VPN and run it on his own computer, but it doesn't make sense for him to spend a year on learning gentoo linux, setting up linux network namespaces with firejail application profiles for multiple VPNs for different applications, setting up a backdoor-free router out of a computer with Intel ME disabled, setting up a home VPN with the backdoor-free router, setting up a DNS server on that router, and so on. "High level" privacy is a huge full-time rabbit hole I could die in. There is an infinite rabbit hole in one field. At this level, system configuration becomes complex, and you want to learn how to automate reproducible system configuration with nixos or guix. Learning guile scheme and guix system can easily take 3 ~ 6 months of full-time effort on top of all this shit I mentioned. His doctor career would be over before he learns all that just to craft a private computer for himself.
An e-commerce store CEO would lose his shopify e-commerce store if he tried to do all these things I did for my computers. His job is to run an e-commerce store. It is not to spend the next few years full-time on learning linux commands, how to compile linux kernel on gentoo linux, how to set up guix user services, and so on. Before he gets all that, he will lose his e-commerce store.
I had to spend a month on writing a utility because my customized sway environment required it for audio GUI. How the hell did I end up writing a utility for "pipewire" audio GUI? Because KDE, GNOME, cinnamon, XFCE, and other desktop environments were buggy as hell and I ended up with a customized sway environment. On top of that, I had to learn how to configure ALSA and pipewire with dot files. I hated learning how to configure pipewire with dot files. Linux desktop environment is still not ready for most people who just want things to work. Why the hell did I need to learn how to make xdg-desktop-portal backends work nicely with firejail? xdg-desktop-portal was another huge time sink. I hated learning about xdg-desktop-portal-gtk and xdg-desktop-portal-wlr and making them play nicely with web browsers in firejail. I had to learn all that because ALSA alone couldn't do basic things I wanted it to do. I also had to learn audio amplifiers and USB DACs because I couldn't stand shitty audio from my motherboard's internal headphone jack. It took months to tame linux audio according to my preferences. The cost of using a customized sway environment is basically your life.
It took months to "fully" tame all the quirks of my sway environment.
I just wanted some privacy, and I ended up doing a lot of things. When you do one thing, you don't just do one thing. You end up doing a lot of ancillary stuff. I ended up becoming very poor because I spent too much time on doing all this shit. It is death by a thousand cuts. Security and privacy are just the tip of an iceberg which goes far beyond simple system crafting.
My "unintended" core specialty is crafting a private and robust personal computing environment.
One specialty can basically eat up nearly all of your time if you are not careful.
You don't know how long it takes to learn computer stuff basically from scratch. If they have a very good full-time tutor, they may learn the basic stuff quickly, but it genuinely takes more than a year to learn all the autistic OCD-level privacy shit along with all the ancillary stuff required for a "fully" robust computer system that's basically without a glitch at an OCD level.
The lesson is if you obsess with things outside your core specialty at autistic OCD levels, you will lose your core business whether it is a medical clinic, an e-commerce store, a restaurant, and so on.
In retrospect, if I was supposed to learn from scratch again, I would just install linux mint or buy a macbook, set up one VPN instance on my computer, implement browser isolation with multiple web browsers, set up emacs org agenda, and call it a day. This way, your config is minimal, and you don't even want reproducible configuration management systems like nixos and guix.
I used to be an autistic geek. Now, I want a way out of the maze in my mind.
If I focused all that autistic obsession on becoming the best version of myself, I would be a multi-millionaire already.
And all that stuff you mentioned is stuff you can't buy. You can't buy a preconfigured router that fits your setup. You need to configure it yourself. And if it's the CEO who's provisioning servers and installing and configuring routers and setting up networking routes and crap like that, then there's your problem!
And if he's running an e-commerce store, then why the hell would he be struggling with pipewire? What the hell is xdg-desktop-portal even used for when hosting a website? What does your audio obsession (nothing wrong with it, I have my own obsessions) making you fuck with amplifiers and DACs have to do with security in any way, shape or form?
It really sounds like you started out with the conclusion of "This is boring, I don't want to do it" and finding reasons to justify it.
I think it's much better to become rich and then buy security and privacy than to implement them with your manual labor.
Your time is a lot more valuable than your money if you actually spend your time correctly.
You can be a 6 million dollar race horse if you drive it well.
I don't think people actually want privacy and security over everything else. It's better to focus on earning a lot of money from what you really want to do and buy security and privacy.
You think so because you belong to the US groupthink. You cannot "buy" privacy and security, that's an illusion. Buy many workers' time making big fences and reviewing code, you're not "buying security". Anyway, privacy and security are rights for everybody, not only for the rich. Every developer should care and defend them. Otherwise you'll have to buy security and privacy for all the projects (and people) you care about. And that could become impossible, depending on how large your heart and scope are. If you become rich to just screw all the people that trusted you with a crappy product with no security, then to me you are just a fraudster.
I didn't say it from the perspective of a software business owner.
A medical clinic owner, a restaurant owner, an e-commerce store owner, and other business owners cannot spend much time on computer security and computer privacy. If you are not a business owner, then you are a janitor, a marketer, a store clerk, and so on. If a car salesman spent all his day on hardening his linux machine, he would become flat broke.
You can also buy some levels of security and privacy from purism and other similar companies. Buy a computer with Intel ME disabled from purism and other companies. Enable (mullvad) VPN, and implement browser isolation by installing multiple web browsers. Use a local password manager. However, you can go much further than that by configuring firejail and hardening firejail profiles through manual tweaking. You can also configure linux network namespaces and isolate applications in different network namespaces. There's even more. Security and privacy are an infinite rabbit hole. If you keep going in the infinite rabbit hole, you will grow old and die before you can do anything actually useful with your computer. Should a car salesman listen to you and learn about purism, Intel ME, firejail, browser isolation, VPN, apparmor, linux network namespaces, linux firewall, and so on? No! Hell no! Even if you are a software business owner or a programmer who is in charge of security and privacy, you cannot obsess with the infinite rabbit hole of security and privacy. If you spent years and years on linux kernel hardening, sandboxing techniques, linux network namespaces, and other things, then you won't be effective at all. As I said, it is an infinite rabbit hole, and you can be OCD about it to infinity. Infinite obsession with a specific aspect will kill everything you touch. You haven't stared into the infinite abyss, but I have. That's why you think people should obsess with security and privacy.
Also, if you are a software business owner, then you are not going to write code yourself. You are going to hire other coders. So, you have to buy security and privacy for your software product by buying programmer labor. If a business owner specifically pays programmers to work on security and privacy, then their software will have better security and privacy. But, I wasn't talking about a software business owner. I was talking about other kinds of business owners who may or may not want to harden their own personal computers. A restaurant owner cannot harden his personal linux system to the degree that I have, or he will lose his restaurant because he spent a year full-time on security and privacy.
I think the vast majority of people including car salesmen, restaurant owners, and so on shouldn't obsess with security and privacy so much that they lose their jobs and their businesses. Security and privacy are basically a form of safety. If you are so paranoid about thugs and disasters and spend a year full-time on hardening your own house, then you will become very poor and lose financial security and financial freedom. If you obsess with safety too much, you will lose both freedom and safety. You should be rational about it, and "personal" computer safety should not be more than a small hobby if you run a business where "computer" isn't the core business. Businesses like a medical clinic or a restaurant. If you are a software business owner, then you should just pay coders to implement security and privacy because you can't specialize in many things and still be effective as a businessman. A businessman can't be an effective marketer if he has to write a lot of code.
There is a reason for division of labor and specialization. If you don't specialize in one thing, you will be flat broke. There are more than a million specializations, and it's ludicrous to want to force people to obsess with one specialization. That's like saying everyone should learn how to play piano at expert levels. That doesn't mean you neglect security and privacy, but you should be rational about it and not make it more than a small hobby. If you have no profitable specialty, then natural selection will take you out.
Yes, everyone should learn martial arts at expert levels for self defense. Everyone should become an expert pianist because music is good? Martial artists would love to hear that. Learning martial arts takes years of dedicated effort. A businessman can't be an expert martial artist, an expert pianist, a linux privacy expert, an expert businessman, and so on at the same time. If people listen to everyone else, then everyone has to be everything at the same time. That's impossible.
A few options I recommend
1. Don't care too much about privacy. Live as if there is nothing to hide. Then, you don't have to worry about leaks. You don't download movies. You don't download music. You don't distract yourself. You just focus on work.
2. Buy computers with Intel ME disabled from purism and other companies. Run (mullvad) VPN. Implement browser isolation. Use a local password manager. Call it a day.
Both options are viable. Option 2 can be done even by a restaurant owner although most people would just opt for option 1 unless they are interested in privacy and security.
Right, that's why I always suggest anyone doing "actual" product work to use something like node-TS and Go.
node-TS for insane developer productivity (hella libraries, who really gives a fuck about NPM issues? just patch and move on) and ability to scale easily (95% of CRUD IO workloads for most companies). Need computational horsepower? Use Go for that thing, compile binary, call binary from node.
Honestly, just that alone is able to scale to millions of users and is super easy to maintain (granted the code is architected well). 95% of companies aren't really doing anything crazy, and 99% of companies are not unicorns.
Still, I wouldn't tell COBOL programmers to maybe ditch COBOL and write another language. They chose it over other languages for their own reasons.
It's okay to mention rust or any other language when it's a particularly good fit for a business or a project. But, shoving languages in people's faces repetitively is not okay.
In my experience, directly telling people to do things differently never works. You have to wait for other people to ask you for advice, or you end up bothering other people.
AUR is not your repository. I have my own overlay where I am the king. I want to be the boss of my own things. Waiting for permission to take over maintenance of an abandoned AUR package was a pain in the ass. I am a king!
Also, AUR is not just treated as another repository on arch linux. Pacman doesn't recognize AUR. On gentoo linux, a third party overlay is treated just like the official gentoo overlay. Gentoo's emerge command recognizes both gentoo official overlay and third party overlays. I want one command to rule all packages for me.
PPAs and unofficial arch linux user repositories can very easily go out of sync with the official repository because they are pre-compiled binary packages. Source packages are compiled on my machine, so I don't have to worry about packages going out of sync due to minor version differences. When packages are out of sync, they break.
AUR is one repository where you can't just update an outdated package maintained by someone else who quietly gave up maintenance.
I have my own gentoo overlay where I have complete control. This sovereignty is really good for me. I can't stand waiting for permissions to take over maintenance of an outdated AUR package.
If you don't have your own platform, you are a peasant.
Also, pacman can't handle AUR. gentoo's emerge command can handle both the gentoo official overlay and third party overlays. I want one command to manage all repositories for me. Managing AUR with paru still feels like a dirty hack to me. I have wanted to move away from AUR handlers.