Thanks for this! It’s a good impetus for me to think a little more holistically about my network security versus overfocusing on the router. I’ll have to do some more reading on overall networking best practices.

No I think we’re aligned! I am not trying to say the “build literally everything” from scratch is a viable alternative. You could go all the way down the rabbit hole of building a compiler, your own programming language, a smelter to refine the metals you need to try to cobble together your own hardware. But of course that is not realistic, which was what I was trying to get at in my comment. Basically, given that it is not feasible to do everything by yourself, at some point it seems you have to decide to trust something to be a functional human and not devolve into solipsism. So the question I am asking is, what are your own evaluations of what is trustworthy? Do you trust coreboot more than AMI? Protectli versus Qotom? It seems to me that we have to make these sorts of evaluations, versus believing that because there is some risk to everything that those risks are all equal. Apologies if I am not being clear though.

Thanks for sharing! Did you end up staying with the stock firmware?

Thanks for this! Agree that coreboot is definitely the requirement that, if dropped, would open up the most other options. So far it sounds like folks are mostly willing to have some faith in stock firmware, which is great as a sanity check for me. Appreciate your response!

Sorry, imprecise wording on my part, I meant build as in build/code from scratch, not build from source!

Thanks so much! I’d seen Hunsn mentioned in a few places as well, so glad to hear that it’s working well (and thanks especially for the memory ballooning tip, I’ll try to remember that when I inevitably run into issues later).

Thanks so much for sharing this! I think reading through it helps refocus the question I guess I should have asked, which is “Which vendors do people trust more in practice, recognizing that at some point recursive paranoia has to end unless one has the time and skill to try to build literally everything on their own?” And as a question of probabilities, it feels a bit more manageable to try to make a call and move on. I’m sort of thinking of this thread as a way for me to calibrate my current probability estimates with people who know more than I do and have likely thought about this question more than I have. But the reminder that there isn’t really going to be any certainty regardless of what I decide is well-taken.

(But if you don’t mind my asking, what machine did you end up with from CN? How did you approach firmware?)

Yes, I’m US-based, and you make a great point that it’s not as though US brands are inherently trustworthy either. That’s why I’m leaning towards an open source (or as open source as possible) firmware, with the understanding that we’re stuck with some proprietary blobs at the moment. I suppose I am thinking about it more from a harm reduction lens versus trying to find a bullet-proof solution.