@ramblinwreck
The machine is a development machine. I am a longtime developer in C/C++ and lately doing some Python. I am now retired - so I can cherry pick which projects I want to get involved with. I’ve kept three clients into retirement. I’ve done everything in my career from device drivers for the old AT&T System V 3.3.3 Unix kernel, all the way down to modern day GUI apps for Win/Linux.
I’d still be on FreeBSD if they hadn’t lost the lion’s share of their talent, and the ports tree losing all semblance of quality. Now - I like my Hulu, Netflix, and my Steam games (Skyrim SE and Fallout-4) on Linux. You can’t do that under FreeBSD. In fact, my Steam titles categorically run better on Linux - than they did on honest to God W10 on real hardware. That is NOT hyperbole.
I no longer support Windows in any form now that I am retired. Too frustrating, too unstable, too much…well…you know… I’ll not start my rant against W10 - it’s all been said before elsewhere.
Back to your question…This machine is for development for the medical community, specifically, the VA. I am an old USMC 'Nam era vet. I go to the VA as I had a mortar dropped 18" from my head while I was crawling under some barbed wire while fully prone. Not a scratch from the mortar - as I was prone. But…I did get my ears blown out. In fact, the local VA (Denver) actually takes pretty good care of me (I do some volunteer work for them as well for cancer patients). I am working with two designated RNs…and for HIPAA and encryption reasons, their lawyer has directed all development to be done on air-gap machines ONLY. And the same was true when I was working for a project for Raytheon (DoD contractor) way back when the Iraq invasion first happened doing satellite command and control.
So essentially - what I’m doing is classified. But how I am doing it is not.
So this machine doesn’t have a wire plugged into it. The MB has no wireless devices on it. No Cat-5E going to it, and the onboard NIC has been shut down. They almost made me physically cut the etch on the MB to physically disable the NIC (as if I would know which etch to cut! Which I wouldn’t.)…but I was able to get a variance based upon sending a pic of the setup, where the “wire” is on a different floor of my townhome from where this workstation is at. And…arguing that cutting etches would immediately void the warranty of the MB.
So installs and updates are all done via “Sneakernet”. I have a bash script that keeps the local copy of the whole mirror up to date on my main workstation (AMD TR Gen 1 16 core, 64Gb ram, 18Tb of storage). I modify the pacman.conf and the mirrorlist to use my local mirror, then “chattr +i” those files to prevent updates from messing with them. Lastly, I copy the mirrors to a USB SSD in an adapter case from my main workstation, then physically transfer the SSD by hand by walking (thus the term “Sneakernet”) to the secure workstation - and then rsync the mirrors into this workstation manually.
Doesn’t all make sense to me…but I don’t set the rules - I’m just the dev. The client’s lawyer sets the rules. One thing I can share with you is that some DoD projects, and most everything I do with the VA, come with their own strange set of rules and regs. Good Lord almighty, how the gov loves red tape! But - they are willing to pay for that so I follow their rules. I just bid appropriately.
One of my other clients is a dark DoD installation - that’s all I can say. I use this same workstation for these projects as well following a DoD mandate rule that I can’t remember the paragraph number of at this point.
While this doesn’t directly address your question…I hope it gives you a good enough picture!
Thanks!
Dave
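
An added example, not part of Dave's post and not his script: one way to check that the mirror copied to the USB SSD arrives intact before it is rsync'd into the air-gapped workstation. The manifest step, the file name `MANIFEST.sha256` and both function names are assumptions; GNU find, sort, xargs and sha256sum are assumed on both machines.

```shell
#!/usr/bin/env bash
# Added example: SHA-256 manifest for a sneakernet mirror transfer.
# Function names, MANIFEST.sha256 and all paths are hypothetical.

# make_manifest DIR
# Run on the connected machine after the mirror has been copied to the
# USB SSD: records a SHA-256 for every file under DIR.
make_manifest() {
    local dir=$1
    ( cd "$dir" || exit 1
      find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z \
        | xargs -0 -r sha256sum > MANIFEST.sha256 )
}

# verify_manifest DIR
# Run on the air-gapped machine before rsync. Fails when a listed file is
# missing or altered, or when a file is present that the manifest does
# not list (something added to the drive after the manifest was made).
verify_manifest() {
    local dir=$1 listed actual
    ( cd "$dir" || exit 1
      [ -f MANIFEST.sha256 ] || { echo "no manifest found" >&2; exit 1; }
      sha256sum -c MANIFEST.sha256 >/dev/null \
        || { echo "checksum mismatch or missing file" >&2; exit 1; }
      listed=$(sed 's/^[0-9a-f]*  //' MANIFEST.sha256 | sort)
      actual=$(find . -type f ! -name MANIFEST.sha256 | sort)
      [ "$listed" = "$actual" ] \
        || { echo "files present that are not in the manifest" >&2; exit 1; } )
}

# Usage (paths are placeholders):
#   connected machine:   script.sh make   /path/to/usb/mirror
#   air-gapped machine:  script.sh verify /path/to/usb/mirror && rsync ...
case "${1:-}" in
    make)   make_manifest "$2" ;;
    verify) verify_manifest "$2" ;;
esac
```

The manifest travels on the same drive as the mirror, so it catches truncated or corrupted copies; it does not replace package signature verification.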