Just because there is no update does not mean there are security vulnerabilities to worry about, or do you have a specific one that is not fixed?

The attack vector seems very narrow to me. It checks the container registry downloads the containers and runs some docker commands.

It has no interface, so in order to attack it you either have to compromise the container registry (but then it would be easier to compromise the containers you download) the secure connection used to download the containers (https is quite stable) or something on the server side.

Also the project does not really look that abundant to me.

EDIT: So i have not checked this, but watchtower is probably using docker for most steps anyway? So basically the only thing that could be attacked is via the notifications watchtower is sending?

Years out of date

What problems does it have? Never ran into an issue for my usecase.

Automatic updates. Works like a dream. Depending on what you are running it can obviously cause issues, either server side breaking or server,client communication issues

Tbf, winget is a god sent and works surprisingly well, took them what? 30 years to get it done?!

Just today I logged into a Workstation at work, just to see 2 versions of Teams being auto launched. And no, no one installed 2 Versions, it was Windows.

Yep. The difference is simply put just ppl are used to the quirks on Windows but not on Linux.

Most critical infrastructure like my mail i subscribe to the release and blog rss feed. My OSs send me Update notifications via Mail (apticron), those i handle manual. Everything else auto updates daily.

You still need to check if the software you use is still maintained and receives security updates. This is mostly done by choosing popular and community drive options, since those are less likely to get abandoned.

Not necessarily traffic. Often download sites use mirrors to serve you the download. Sometimes those links are provided via a CDN which can be forced to comply to LEA or some other static hosted mirrors which are often hosted by others. The second part is more likely on community managed software.

So either traffic or the server/CDN behind the link. Happened before.

Is adding a URL too much? Jellyfin is also just login in addition to enter the server URL.

Was not aware ECH was actually in TLS 1.3 thanks for that. But yes it will take a long time for widespread adoption.

You have basically two options.

1. Symmetric Encryption. That means you use the same password/key for writing the Backup and for reading the backup. Here you have to write the password somewhere, depending on the OS there are options like keychains or similar that can hold the password so that the password is only available once you are loged in or have unlocked the keychain.

2. Asymmetric Encryption. That means you have different passwords/keys to read and write the backup. PGP is an example here. Here you can just simply use one key to write the backup, this key can become public and you do not have to worry about your backup since it will only be readable with the 2. key.

I personally use Restic with a password that is only readable by the system root user stored on the filesystem. Since I use Full Disk Encryption i do not have to worry too much about when the secret is available in clear text at runtime.

Actually no. The SNI is still not encrypted. So every site you are visiting can still be sniffed.

Not really how patents work. It does not matter if the code is open or not, others are still not allowed to use patented code elsewhere or at least not commercially. (Not talking about the legitimacy of software patents)

If I decide to put up with this type of attitude

Your the one insulting me.

Would you say pointing the finger at the linux devs and maintainers saying they should work harder does improve anything and drives ppl to volunteer?

Maybe you should take a read on Wikipedia on what gatekeeping is before you insult me. https://en.m.wikipedia.org/wiki/Gatekeeping_(communication)

OC stated those things ‘should be worked on’. What else is it than blaming ppl?

Yes things could be better, but saying things should be better while sitting on their ass and doing nothing is just not correct to say. If you say it should be better then you should take part in it getting better.

Yes thats why i said in theory. I doubt that many residential IPs are blacklisted, but still not optimal.

IPv6 only works but there are probably many Mail Servers that are IPv4 only, so you will not receive mails from them.

If you are serious about it, rent a VPS or get a static IP on your residential connection.

It would be more reliable to use a ‘clean’ not blacklisted static IP.

But in theory you could just use ddns and update the IP. But I actually never tried it.

Mailcow comes ready out of the box. Just change the DNS entries according to Mailcow and you are good to go.

This has been said over and over again. I have been hosting Mail now for over 2 years and have yet to encounter any problems. Although, i would not recommend to set it up manually and rather advise to use one of the ‘all in one’ suggested solutions here in the thread.