I suppose the most tangible benefit I get out of it is embedding a custom initramfs into the kernel and using it as an EFI stub. And I usually disable module loading and compile in everything I need, which feels cleaner. Also I make sure to tune the settings for my CPU and GPU, enable various virtualization options, and force SELinux to always remain active, among other things.

I have this device and use it to store my keepassxc and onlykey backups, and it’s useful to me because I’ve stopped using passwords (I only need to remember the pins for these devices which can unlock my keepass dbs that have everything else).

It seems secure enough for my use case, especially since the files I store in it are themselves encrypted (the onlykey backup still requires a pin), but I still want them to be difficult to access.

I’ve had to rely on it before but only because I didn’t prepare a backup onlykey ahead of time- ideally it should be one of many recovery methods. But so far it’s worked great for me.

mpd + ncmpcpp

Yes! Awk is great, I use it all the time for text processing problems that are beyond the scope of normal filters but aren’t worth writing a whole program for. It’s pretty versatile, and you can split expressions up and chain them together when they get too complicated. Try piping the output into sh sometime. It can be messy though and my awk programs tend to be write-only

Ah good to know! Will try that if I ever run into issues, thanks

I’ve been using it for years and I think it’s great. Currently on a 6 Pro. It’s true that some apps don’t work without Google Play services, but GrapheneOS has the option to install the google stuff in a sandbox, so you shouldn’t run into any issues if you do that. Personally, I don’t use Play services unless I need to, and use Aurora store for any apps that aren’t on F-Droid.

In any case, you can always revert to stock or try another OS

Edit: as faede has pointed out, it appears that Google Wallet has issues. Also, the usage docs mention issues with banking apps in general, so that’s something to consider

If you’re willing to spend the time to learn how to write custom policies, SELinux can be used for this, to some extent. It’s highly customizable and can sandbox your apps, but the process of doing so is quite complicated. I wrote a small guide on custom policy management on Gentoo in another comment if you’re interested.

There’s also apparently a “sandbox” feature, but I don’t know much about it. I just write my own policies and make them as strict as possible.

As an example, my web browser can’t access my home directory or anything except its own directories, and nobody (including my own user), except root and a few select processes (gpg, gpg-agent, git, pass) can access my gnupg directory.

This only covers security/permissions, and doesn’t include many of the other benefits of containerization or isolation. You could also try KVM with libvirt and Gentoo VMs; that works pretty well (despite update times) and I did that for a while with some success.

I learned by watching a bunch of cppcon videos, reading cppreference, and writing a lot of programs. Learning how to understand the error messages is also really important