Which laptop PC should I get?

fuyuka

fuyuka Additionally, from the perspective of privacy and ease of use, I believe it would be best to run Secureblue using a virtual machine such as UTM. It is also recommended to use full-disk encryption (FDE), such as LUKS2, within the virtual machine. However, since the information regarding GPU acceleration support for UTM is inconsistent, tasks that require GPU power must still be run on the base macOS.

thmf

fuyuka The reason for mentioning M2 or higher is explained here. (Japanese link)
https://support.apple.com/en-us/guide/security/sec87716a080/web

Thanks for the link. I wonder where M5 will be in these tables and if there are any differences worth mentioning compared to M3-M4 generations.

DeletedUser683

thmf m5 has memory tagging

thmf

DeletedUser683 this is huge!

DeletedUser683

thmf yeah, actually, the only laptop/deaktop cpu with memory tagging

thmf

DeletedUser683 I wonder where it actually will be used. Like in GrapheneOS MTE is used everywhere including user apps. In PixelOS it's barely used. What about the MacOS on M5?

DeletedUser683

thmf it's not as strict as grapheneos, that enables memory tagging for everything. for macos kernel memory tagging is enabled, also for some default apps, and user installed apps are opt-in by app developer, i.e. developer decides to enable it.

Johnnyloans

DeletedUser683

Hopefully apple is notifying developers you have x amount of time until MTE is enforced system wide.

Would be a train wreck to do that now.

DeletedUser683

Johnnyloans not going to happen until m4 eol.

MuppetScalextric

Desertstorm Well that is not true. You have Debian GNU Linux for example which with the proper configurations and settings will beat Apple 12/10 times.

thmf

MuppetScalextric This is not true. Please search this forum for a lot of explanations about the topic including from project members accounts. Debian, and the whole x86 for that matter is garbage in terms of security. Their software repositories have >40000 packets, some of which are even from 90's with known vulnerabilities that won't be fixed. Ever. Debian choose which vulnerabilities get CVE number. A lot of them won't get one, and even if they do they won't fix them for ages if at all.

Apple macs are the only computers (as in "not phones") today that have software security backed by hardware. Just like GrapheneOS on Pixels or iOS on iPhones/iPads. Just a few posts above there's information about M5 getting memory tagging. Good luck trying to implement this on Debian and any x86 computer with

MuppetScalextric proper configurations and settings

fuyuka

MuppetScalextric @thmf Just as he said.
One fact that FLOSS advocates consistently overlook is that they justify the dismantling of security under the guise of a desire for excessive freedom. Who ultimately benefits from the dismantling of security? Exploiters and black hats stand to gain the most.

That i said, a must not make the fundamental mistake of sacrificing freedom solely for the sake of security.
@NoahRaketic

I agree with most of your post, but this is blatantly untrue. Chromebooks have very strong hardware backed-security, including a full Verified Boot implementation.

That’s why I no longer mention Chromebooks. While their security is comparable to that of the Pixel, their performance is on par with mobile devices, and the only device that struck a proper balance between security and overall code execution was the macOS-based computer. If you need enough computing power to justify using a Chromebook, it’s better to install GrapheneOS on a Pixel device that supports DP Alt mode and use an external mobile monitor.

The major issue with Chromebooks is that, unlike Android devices where it’s optional, they require a Google account.
This means that a Google account is directly linked to a digital ID, which is not a good sign for privacy.
Considering that even with Apple devices, an Apple ID itself is not mandatory, this is nothing short of terrible.
Therefore, even with a Titan, the Chromebook is not much different from a standard Pixel device without Graphene OS, and in some cases, it’s an even worse platform.

NoahRaketic

thmf Apple macs are the only computers (as in "not phones") today that have software security backed by hardware.

I agree with most of your post, but this is blatantly untrue. Chromebooks have very strong hardware backed-security, including a full Verified Boot implementation.

thmf

NoahRaketic You're right, my bad, totally forgot about these since don't use them. Somehow Apple's horrible privacy feels better then Google's.

NoahRaketic

fuyuka That i said, a must not make the fundamental mistake of sacrificing freedom solely for the sake of security.

This is subjective. The security advantages of Chromebooks, despite their locked-down nature and Google integration, can be extremely valuable to some people. Whether this is worth it for a user isn't your decision to make.

fuyuka and the only device that struck a proper balance between security and overall code execution was the macOS-based computer

This is also subjective. Who is the authority to say where the proper balance is? The reality is that this balance sits in a different place for different people.

Some GrapheneOS users use GrapheneOS partly to lessen Google integration. Some users just want the added security of GrapheneOS and don't mind using Google services at all. This is a diverse community with people of very different threat models.

NoahRaketic

fuyuka If I had “imposed” and defined such a balance, would I have said that devices requiring significant GPU power must, at the very least, use secure boot? I have never insisted that people “must” use Apple devices simply because they represent a balance between security and performance.

You are pretending to dictate what other users should/shouldn't consider using.

fuyuka the only device that struck a proper balance between security and overall code execution was the macOS-based computer. If you need enough computing power to justify using a Chromebook, it’s better to install GrapheneOS on a Pixel device that supports DP Alt mode and use an external mobile monitor.

fuyuka

As an aside, I looked into using mrchromebox on a Chromebook and Asahi Linux on a MacBook to bypass these restrictions, but given that they operate by bypassing boot verification from the ground up, I do not recommend this approach.

At the very least, Asahi Linux appears to be committed to utilizing SEP, but this goal seems more like a wishful hope for a fully functional implementation. Given the mountain of challenges that still need to be addressed and the fact that their development approach relies on reverse engineering, it seems unlikely that they will actually be able to put SEP to practical use.

CharlieMander

eclecticeclair I love ThinkPad. I dont think anyone else makes a better Laptop. If you dont need brand new then the there are great deals on eBay. Companies selling their old Laptops cheap.

I have P1 Gen 6 and X270

Upgradable Storage/2 SSD is a necessity for me.

eclecticeclair

mar2112

I recently purchased a 16" ThinkPad which I upgraded from Win11 to Fedora 43. It's a good size and weight for carrying around. USB C charging so no propriety charger and my travel charger works with my phone. Integrated graphics performance is acceptable for my photo editing software (darktable with OpenCL enabled).

fuyuka

NoahRaketic What do you mean by “subjective”?
The Intel & Ryzen CPUs found in Chromebooks have fewer cores than the M3, which suffers from the architectural limitation of using ARM, and they also offer lower performance. Moreover, it seems rather odd to defend devices that have the same or even more serious drawbacks as Pixel devices that cannot install GrapheneOS, simply on the basis of security.

To reiterate, a Chromebook is a device that cannot be used “properly” without a Google account, which I believe is an even more critical drawback than that of a typical Pixel device.
I don’t want to recommend a device with serious limitations simply because it offers robust security features.

If I had “imposed” and defined such a balance, would I have said that devices requiring significant GPU power must, at the very least, use secure boot? I have never insisted that people “must” use Apple devices simply because they represent a balance between security and performance.

NoahRaketic

fuyuka What do you mean by “subjective”?

It's subjective, because different people have different needs for a laptop. It's not an objective choice in any way. Some people don't get a laptop for performance and just want the form factor, for instance.

fuyuka Moreover, it seems rather odd to defend devices that have the same or even more serious drawbacks as Pixel devices that cannot install GrapheneOS, simply on the basis of security.

I'm not saying every user should have a Chromebook. I'm saying that whether the security improvement is or isn't worth it for someone is not up to you--it's up to the user.

fuyuka To reiterate, a Chromebook is a device that cannot be used “properly” without a Google account, which I believe is an even more critical drawback than that of a typical Pixel device.

I'm aware. But that's a critical drawback for you (and likely many others here), but not everyone.

fuyuka I don’t want to recommend a device with serious limitations simply because it offers robust security features.

You don't have to recommend anything, but it's not up to you how other users should choose what devices to use. Not everyone shares the same values that you do.

« Previous Page Next Page »