
  • Well, the isolation allows you to select what’s appropriate for each bit of data.

    For example, my financial data have to live elsewhere - namely the financial institutions I use. I’ve been paying Todoist $36/year for the past 12 years and they have zero pressure to enshittify, so I’m okay keeping that data elsewhere. I also outsource my email to Fastmail because it’s generally inadvisable to self-host email.

    However, for most things that I’ve started using recently (karakeep, miniflux, baby-buddy, homebox, ghostfolio, and so many others), I’ve chosen open source apps and run their servers on my homelab. Linux on the server (unlike the desktop) is extremely well funded. There are a ton of different types of container and micro-vm configurations you can mix and match to give the exact level of isolation, resource, filesystem, and network access you’re comfortable with.

    Also, I don’t think it makes much sense to use proprietary software for much in the future. The cost of software development has been going down at an increasing rate for as long as I can remember for a variety of reasons, and LLM-assisted AI agents are just the latest iteration. With the latest SOTA models, it doesn’t take much to create and maintain a self-hosted OSS app - someone with the will to put in time and the most basic understanding of the basic fundamentals of software engineering.

    Certainly not things I would trust particularly personal or sensitive data with. But remember that breaking out of server-side containers/micro-vms is really hard, and way beyond the capabilities of any AI slop.

    So yeah, from what I’ve seen so far the best tools out there for enjoying the largest variety of software (including potentially undisclosed AI slop) safely are server-side Linux containers + client-side browser isolation. The closest thing we have to sandboxes on the desktop is Flatpak, and it’s so trivial to break out that I’ve watched people do it unintentionally, just trying to make their app work in it.
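
The four isolation axes named in the comment above (privileges, resources, filesystem, network), set explicitly for one of the apps it lists. This is an added example, not the commenter's own configuration; the image tags, port, credentials placeholder and limits are assumptions.

```yaml
# docker-compose.yml (constructed example, values are assumptions)
services:
  miniflux:
    image: miniflux/miniflux:latest      # assumption: pin a version or digest in practice
    read_only: true                      # filesystem: root filesystem is immutable
    tmpfs:
      - /tmp                             # only scratch space is writable, and it is in RAM
    cap_drop:
      - ALL                              # privileges: no Linux capabilities at all
    security_opt:
      - no-new-privileges:true           # setuid binaries cannot raise privileges
    mem_limit: 256m                      # resources: hard memory ceiling
    cpus: 0.5
    pids_limit: 128                      # caps runaway process creation
    environment:
      # CHANGE_ME is a placeholder, not a real credential
      DATABASE_URL: postgres://miniflux:CHANGE_ME@db/miniflux?sslmode=disable
    networks:
      - egress                           # needs outbound access to fetch feeds
      - backend
    ports:
      - "127.0.0.1:8080:8080"            # network: reachable only from the host's loopback
    depends_on:
      - db

  db:
    image: postgres:17                   # assumption
    environment:
      POSTGRES_USER: miniflux
      POSTGRES_PASSWORD: CHANGE_ME       # placeholder
      POSTGRES_DB: miniflux
    security_opt:
      - no-new-privileges:true
    mem_limit: 512m
    volumes:
      - db-data:/var/lib/postgresql/data # the only persistent, writable path
    networks:
      - backend                          # no route to the internet or the LAN

networks:
  egress: {}
  backend:
    internal: true                       # containers here cannot reach outside the bridge

volumes:
  db-data: {}
```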


  • Because installing a native app requires an enormous amount of trust. Every native app running as your user has read access to all data created by every other app including browsers and their secrets like saved credentials to sensitive websites.

    The Linux ecosystem mostly got away with this by being too small to be worth targeting. But several recent events (like the attacks on the AUR) have increasingly shown that we’ve passed the threshold where that’s no longer true.

    So, what am I to use when I don’t have the time to go through the source code of every new version of every single app with a fine-toothed comb? Well, browsers (while not perfect) have some level of sandboxing, doing an overall decent job of keeping websites’ (apps) data isolated from each other.

    Switching to use web apps whenever possible meant (at least, in Firefox) giving up a lot of the functionality of native apps (like default file associations, dedicated entry in the taskbar, and so many others). They’re basically refusing to acknowledge the open web as a platform that solves a real need: providing security and escape from walled-garden app stores (which is the bigger problem on mobile). Instead they’re spending their funding on AI, and VPNs, and random other features nobody really asked for.

    While I think it’s very important that there is more than one browser implementation in the world, I have 2 choices:

    1. Use a Chromium fork to get security and convenience and privacy.
    2. Use Firefox (or its forks) to maybe get privacy at the expense of the other two.










  • You might be misunderstanding the value-add of a CDN to self-hosting, so here’s my attempt at explaining:

    I’ve been self-hosting things for a very long time. In the old days, we would wrangle our routers to expose port 80 for HTTP (and later, port 443 for HTTPS) and forward those connections to the self-host server and then add the appropriate DNS records to point our website domain to our home IP address (which was its own fun challenge when ISPs refused to give static IP addresses for home plans). Relatively simple.

    However, in recent years (especially after the pandemic) the internet has become a much more hostile place. People find vulnerabilities in your nginx/caddy/apache or whatever reverse proxy you use (or router, or any one of the many other parts of your network/software stack) and gain access to your local network and your personal data. And then there are bad actors doing DDoS attacks or AI crawlers generating DDoS levels of incoming requests to overload your hardware.

    All that combined means it’s very dangerous to have your home IP exposed to the internet (allowing any sort of inbound requests) at all.

    So, how do we access our self-hosted stuff while we’re outside of home? The safest approach is to use a VPN. Tailscale is the most popular one that I’ve come across. Only client devices that are connected to the VPN have access to your stuff. Random bad actors can’t poke your self-hosted stack for vulnerabilities.

    Okay, what if you want to share something with people publicly? I, for one, use Immich for my photo libraries and it’s very easy to be able to share a link to an album for friends and extended family to access without having to install and configure a VPN on their phones.

    That is where Cloudflare comes in. We can run cloudflared on our machine, which makes an outbound request to Cloudflare and creates a tunnel to route all the incoming requests from their servers to your reverse proxy. Your network is still not exposed to the internet, and the edge nodes (the machines that actually front the incoming traffic from the clients) are not owned by you.

    Now, I guess it’s feasible to rent a VPS on DigitalOcean/OVH/Azure/AWS and run a Tailscale exit node there to achieve a similar result. I haven’t looked too deeply into Pangolin but it looks kind of similar. Now you’re adding extra work to keep those configured correctly (and up-to-date), it’s less secure because you’re not doing that full time (unlike the engineers at Cloudflare) and you’re still dependent on that VPS provider to not go down, so the disaster recovery profile hasn’t changed all that much.

    That’s why there are no self-hosted alternatives to a CDN. I guess you can go with their competitors like Fastly/Akamai/etc, but all of them are considerably more expensive. And even the ones that do have free tiers have data limits or bill per gigabyte. That’s an extra headache to worry about for that one month your mother decides to take 1000 videos of your son during the family vacation and her phone automatically backed up all of them at full-quality.
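
The outbound-only tunnel described in the comment above, as a cloudflared configuration that publishes a single hostname and rejects everything else. This is an added example, not the commenter's own setup; the hostname, the reverse-proxy address, the file paths and the `<TUNNEL-UUID>` placeholder are assumptions.

```yaml
# /etc/cloudflared/config.yml (constructed example)
# cloudflared dials out to Cloudflare; the router needs no port forwards
# and the firewall can keep dropping all unsolicited inbound traffic.
tunnel: <TUNNEL-UUID>                                   # placeholder for the tunnel's ID
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json   # placeholder path; keep readable only by the cloudflared user

ingress:
  # Only the hostname meant for public sharing is listed.
  # Anything not named here is unreachable through the tunnel,
  # so admin panels and other services stay VPN-only.
  - hostname: photos.example.com                        # assumption: the public photo-sharing name
    service: http://127.0.0.1:8080                      # assumption: local reverse proxy bound to loopback
    originRequest:
      httpHostHeader: photos.example.com                # lets the proxy pick the intended virtual host
      connectTimeout: 10s

  # Mandatory catch-all: requests for any other hostname get a 404
  # from cloudflared itself and never touch the reverse proxy.
  - service: http_status:404
```

Binding the reverse proxy to 127.0.0.1 rather than a LAN address keeps the tunnel as the only path to it from outside the host.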