One thing that would be useful to understand is the distinction between CMR and SMR

I got a nice deal on the x280 and am happy with it, was also looking at the various X1 carbon. Two criteria I had were I wanted USB-C charging (since I have those chargers around and they can handle these laptops) and a single battery (eg. the T470s I have from work is nice but it has two small capacity batteries that each cost the same to replace as the full size single ones in the carbon and x280). One thing to keep in mind is some of the earlier X1 carbon don’t support NVME SSD (I think it started with 5th gen?)

Edit: another thing to consider is soldered RAM. Part of why my x280 was cheap was it’s only 8gb and can’t be upgraded. Since you’re looking at lighter weight things and using FOSS (and perhaps open to tinkering with things like ZRAM) that might be a useful aspect to focus on because there is probably a glut of such machines given how memory inefficient things are lately with every trivial app running a whole browser engine. OTOH, depending how many tabs you tend to have open and how many electron apps you tend to keep floating around, 8gb might start to feel cramped. Especially if you think you might want some VMs around.

Next time I look for a small laptop to have handy one thing I’m going to be sure to prioritise is: how much battery does it use while suspended? I’d really like to not need to have it switch to hibernate after 30m of sleep or w/e and ideally just plug it in overnight like a phone.

Big fan of that one, been using it for years.

https://explainshell.com/

It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured. Apps that aren’t pulling in random untrusted content are far less of an attack vector (eg. one’s bank app isn’t connecting to everything, just to the bank, pinterest is hopefully escaping user content, etc.)

Based on helpful details at the other thread (eg. Project Mainline, baseband isolation) I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their exposure. Which wouldn’t necessarily mean “giving up bluetooth entirely”, just not using it when you’re in bluetooth range of an untrustworthy party eg. if you just use your headset to make zoom calls at home and are fine not having it on the subway.

Thanks for the reply. Definitely appreciate the point that lacklustre updates mean we need to pay attention even if we’re vaguely covered by our vendor. I think you’ve convinced me to subscribe to CVEs for android too, I’ve only had alerts for my browser. Really too bad they don’t make smaller Pixels.

Aren’t you sorta trusting whoever wrote any package you install with root? I mean, you should have that attitude anyhow as packages have a huge attack surface so privilege escalation bugs are way more common than remote execution but still, flatpak and snap at least offer a bit of a sandbox which might improve…

I’ve enjoyed runbox.com for years but don’t think they offer catch-all, at least not when I last checked. You might look at mxroute.com, I heard about it later and might have gone with them first and they somehow seem more likely to support that