1. 1

    Great read! Very interesting.

    I found a minor typo in a link (Machines section - automated link): it’s https://chown.me/blog/upgrading-openbsd-with-ansible.html - no capital A in ansible ;)

    What Firewall are you using on your APU2? *sense, ipfire?

    1. 5

      I initially wrote “ansible” everywhere then I thought a capital was better so I use sed like a hammer :D Thanks!

      On the apu2, I run OpenBSD as well. A few years ago I ran OpenBSD for everything, but hosting mastodon was too complicated (I don’t know the Ruby ecosystem well). I have some Ubuntu because containers make it easy to host stuff. Most of the stuff still runs on OpenBSD because I know the system well and, being an OpenBSD developer, I follow the project quite closely.

      I would still recommend for anyone to run OpenBSD on a router since it’s quite easy as PacketFilter is fucking awesome.

      1. 1

        Well, I guessed that. OpenBSD is great for that. I have an APU2 at home waiting for me to finish it.

        Did you just install a plain OpenBSD and configure everything? OPNsense and pfsense are both based on OpenBSD. Right now I have OPNsense installed.

        1. 4

          Actually:

          • OPNsense and pfSense are both based on FreeBSD.
          • OPNsense is a fork of pfSense, which in turn is a fork of the good old m0n0wall (which was also based on FreeBSD).
          • Deciso/OPNsense is working on a version that is based on HardenedBSD, which in turn is also based on FreeBSD. It should come out very soon[1].

          So FreeBSD all the way with these routing/firewall operating systems ;).

          I have used OPNsense since it came out on my APU2 (and later an APU3 for another rack) and I can really recommend it! It’s very user friendly, easy to install and rather complete. I also really like that you can use LibreSSL instead of OpenSSL. I also use OpenBSD on another router (like the author) and that has also been rock solid/stable for years now. The BSDs are great for firewalls/routing in my opinion.

          [1] https://opnsense.org/about/road-map/

          1. 1

            Alright! My bad :D

            I also really like OPNsense. I just have to figure out some stuff with my ISP and then I am ready to go

    1. 8

      I’m not sure what to make of it. On the one hand I think it’s great that GitLab chose to revert the announced changes, this means we don’t have to migrate our code on a really short notice. But on the other hand I am not sure if they can be trusted from now on. They deliberately wanted to use surveillance on their users and moved away from those so called ‘core values of their customers’. Who says they won’t try it again in the future? Or that they won’t try something more sneaky like using server log monitoring/analyses without people knowing instead of a third-party tracker.

      The worst thing I guess is that they didn’t expect such backlash (or as GitLab frames it ‘considerable feedback’), but seriously how can you not expect that? Most companies I know that use GitLab use it for the simple fact that it isn’t GitHub/Microsoft and that it always seemed to have a moral compass. It just doesn’t make sense to me…

      Migrating to another hosted git seems inevitable and I read a lot of positive things about sr.ht/sourcehut/sir hat lately here on Lobsters. Are there people here with first hand experience? Or is that considered too much offtopic?

      1. 27

        I never saw the move from GitHub -> GitLab as anything but a temporary measure to buy time while we waited for GitLab’s leadership to crank the dial from “happy users” to “happy investors”. This problem will continue for any investor-backed company; it’s just a matter of time.

        1. 2

          Get a VPS and install gitea/gogs, or ask people to use theirs. At least I keep an installation around.

        1. 10

          I just bought my first house and I’m going to modify it almost completely to be fully sustainable and to fit my nerdy hobbies (server room, aquaponics and stuff). So this week I am going to make the general plans.

          1. 2

            I own a small security and privacy related company. For this I have around 150 TB of storage spread out over three locations:

            1. A storage server (FreeNAS) in my own rack at home.
            2. A storage server (FreeNAS) in a rack at a friend with his own company.
            3. A storage server (FreeBSD) in a colocation.

            All data is encrypted (FDE and FBE) and these locations are geographically separated by 50 and 100 km. I use a combination of rsync and syncthing depending on what needs to be backed up. Some might find this overkill, but when it comes to my customer data I really want to be fully in control myself (no public cloud stuff, physical access etc.) and make multiple geographically separated backups (at least two per backup) to make sure they don’t lose their data. As an added ‘benefit’ I also use it for my personal backups, but that is only a couple of hundred gigabytes.

            About cost: storage is rather cheap nowadays, so it doesn’t add much overhead. Instead of my current rack hardware (which is quite powerful and expensive) I used to use second hand HP Microservers. They are like 500 euros new (250 second hand) and they give you ECC memory, which is not a luxury when dealing with backups. When using the bandwidth at friendly locations and paying only for hardware and electricity (which is very expensive in my country), this server with 2 x 8 TB in RAIDz1 will cost you 0,65 eurocents a day/20 euro per month (250 electricity, 500 server, 440 disks) if you write it off over a five year period. 500 GB for 5 dollars a month seems like a very very bad deal then ;-). Backblaze is more affordable than your local hosting company, but hosting it yourself vs. hosting it at a cloud provider is also a matter of requirements and preference. When going above a certain amount of terabytes, self-hosting is very lucrative.

            1. 1

              In a random order: FreeBSD 12, i3wm, Firefox, Signal Desktop, Cryptomator, Keepass, Telegram, Spotify, VS Code, Libreoffice, Krita, git, bash, Remmina, Nextcloud, my favorite terminal of the moment.

              1. 24

                I see too many people rolling PHP-FPM only to show an IP address to the client. So, I wanted to share a simpler method which, I hope, can save you some time.

                1. 3

                  This seems very elegant, but just to be thorough are there any drawbacks/tradeoffs?

                  1. 4

                    The same T&Cs apply as when using nginx for standard stuff. This will/might be wrong if this nginx is behind another nginx, then you should look at X_FORWARDED_FOR (or whatever it’s called exactly).

                    1. 2

                      Beware if you use another public facing server in front of nginx. For example, if you have a reverse proxy (HAproxy for example), then the variable $remote_addr can represent the IP address of the proxy, not the initial HTTP client.

                      1. 4

                        Have a look at the realip module that allows Nginx to set the remote address based on a header set by the frontend proxy provided it’s one you have decided to trust that it’s setting correct headers.

                        Doing this over a custom solution in the application has the advantage that all remote address based features continue to work unaltered, like geoip detection or logging addresses to web log files using the built-in standard formats.

                    2. 2

                      Yes, this method also has my preference and we have used it for years now. Years ago we used php (without php-fpm) for this, more or less like this:

                      <?php
                      echo $_SERVER['REMOTE_ADDR'] . PHP_EOL;
                      

                      But I was wondering: do you have suggestions for making it output both IPv4 and IPv6 addresses (like https://ip6.nl and others do) without adding additional complexity/dependencies like php (preferably with stock nginx or apache).

                      1. 4

                        To show both IPv4 and IPv6, the client needs to make two separate requests, to two separate domains that are configured differently, one with only an A record and one with only an AAAA record. Any given HTTP request is only going to be coming in on one or the other IP version.

                        ip6.nl makes XHR requests to https://4only.ip6.nl/myip.plp and https://6only.ip6.nl/myip.plp and displays the results on the page, again with Javascript. While those servers could very well be running the nginx config in the linked article, the ability to show both on the same page is much more complicated, tech-wise.

                        1. 2

                          You might be able to do it with redirects. Have the IPv4 server redirect to the IPv6 server with ?v4=a.b.c.d, and vice versa. Both servers would display both addresses once available.

                          It falls apart if you only have one type of address, since the redirect would be broken, but there’s probably a way around that. Maybe include the single address in the body of the 303, so if the redirect fails to connect you still have the initial IP address you used?

                          1. 3

                            The case where the caller can only connect on one protocol is probably very, very common still.

                        2. 3

                          But I was wondering: do you have suggestions for making it output both IPv4 and IPv6 addresses (like https://ip6.nl and others do) without adding additional complexity/dependencies like php (preferably with stock nginx or apache).

                          The tcp/ip stack of the client decides whether to try to connect using v4 or v6 first. I’ve added two extra dns entries, one with only a v4 address and one with only a v6 address, on top of one that has both: http://ip.netsend.nl http://ip4.netsend.nl http://ip6.netsend.nl
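The two points raised above (only let a proxy you trust rewrite `$remote_addr`, and serve the v4-only/v6-only hostnames from the same config because DNS, not nginx, decides which address family a client lands on) fit in one short nginx fragment. This is an added example, not the config from the linked article or from any commenter. It assumes a hypothetical proxy tier in 10.0.0.0/8 and placeholder hostnames under example.org with the DNS layout described in the thread (A + AAAA, A only, AAAA only); drop it into a file that the stock nginx.conf includes inside its `http {}` block (e.g. conf.d/).

```nginx
# Added example, not from the article or the commenters.
# Assumed DNS (placeholders):
#   ip.example.org   A + AAAA
#   ip4.example.org  A only     -> only ever reached over IPv4
#   ip6.example.org  AAAA only  -> only ever reached over IPv6
# Assumed trusted reverse-proxy range: 10.0.0.0/8 (hypothetical).

# --- WEAK SETTING (shown disabled): trusting every peer lets any client
# send "X-Forwarded-For: 203.0.113.9" and be logged, geo-located and
# rate-limited as 203.0.113.9 instead of as itself.
# set_real_ip_from 0.0.0.0/0;
# set_real_ip_from ::/0;

# --- Corrected setting: only the direct TCP peer matching a trusted range
# may replace $remote_addr, and with recursive search nginx walks the
# header from the right, skipping trusted hops, so the first untrusted
# address wins rather than whatever the client put at the front.
set_real_ip_from  10.0.0.0/8;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

server {
    listen      80;
    listen      [::]:80;
    # One vhost for all three names; the address family is chosen by DNS.
    server_name ip.example.org ip4.example.org ip6.example.org;

    location = / {
        default_type text/plain;
        # $remote_addr is the realip-rewritten address for requests that
        # arrived via a trusted proxy, and the raw TCP peer otherwise.
        # IPv6 peers are printed without brackets.
        return 200 "$remote_addr\n";
    }
}
```

Two checks worth running once this is live: `curl -4 http://ip4.example.org/` and `curl -6 http://ip6.example.org/` should each print the address of that family (a single-stack client simply fails the other one, as the thread notes), and `curl -H 'X-Forwarded-For: 203.0.113.9' http://ip.example.org/` sent directly from an address outside 10.0.0.0/8 must still print your own address; if it prints 203.0.113.9, the trusted range is too wide.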

                        3. 2

                          Nice trick! Thanks!

                          However, you could add links to the relevant nginx-pages to your blog post as well.

                        1. 2

                          To answer your questions from our perspective:

                          1. NixOS for linux-only based deployments and FreeBSD with shell scripts and our own monitoring/management software for everything else. Sometimes we also use jails for specific security or feature requirements, but I guess that might qualify as a ‘container’ so you aren’t interested in that.

                          2. On NixOS you can just rollback. Very handy feature! But we almost never need it. This is more difficult on FreeBSD, but we very very rarely have a need for rollback since we exclusively use high quality stable well-maintained dependencies. If they don’t qualify, we don’t use them or create our own. Stability and high quality software is key.

                          3. Yup, all files are timestamped, both by signature and in-line via comments with version number and date. We never have compatibility issues since we make everything compatible to begin with. If you need a specific version of a dependency to use a piece of code, we simply won’t use it.

                          4. NixOS is really awesome for this! On FreeBSD we don’t have the immutability features NixOS provides, but in my experience it’s also less of an issue on FreeBSD since two systems that are configured the same stay very consistent to begin with (in my experience not so much on Debian and CentOS).

                          5. On NixOS they are indeed tied to the NixOS files. On FreeBSD we make our own shell scripts and use a bot that manages consistency for us by auditing settings on a regular basis.

                          Personal opinion: NixOS is awesome in a lot of ways, but in the end I prefer BSD based operating systems in terms of consistency, lack of complexity and stability. It would be awesome if someday a FreeBSD or OpenBSD based OS would have some NixOS-like features (immutability, reproducible builds, central file with everything in it, easy true rollbacks etc.). Although, that might bite my preference for ‘simple, understandable operating systems that lack complexity’…

                          1. 4

                            I wish there was a way to simply choose a set of programs I need (say for example, jupyter with a set of libraries) and download a nixos configuration that I can simply apply to a virtual machine, and get a machine exactly according to what I need (with sane defaults). Does something like this exist now?

                            1. 6

                              I haven’t done this myself, but I’ve seen this talked about on several occasions. I get the impression that you can build a bootable iso from any given config, or you can build directly into a virtualization target.

                              Relevant links:

                              1. 2

                                This is such a cool idea! I at one point built a “try nixos” service where you got 1hr of free NixOS-in-a-VM, but I stopped working on it due to abuse concerns. Maybe it could live on in this way.

                                1. 1

                                  This is the question I also wanted to ask here, glad I am not the only one. Is there some way of generating secure configs somewhere, based on your needs? I tried to use NixOS like five times or so, but I always have the feeling I miss entries in the config file that make it less secure compared to my normal hardening of distros like CentOS and Debian that I know very well. I don’t know what gets done automagically (quite a bit it seems!) and what not.

                                  And I can find and use others’ config files of course, but who says they are any good? I really think some documented (and up to date) wiki/site/library of sane default examples for a lot of different use cases (i.e. apache/webserver/security headers, database/mysql, certbot/let’s encrypt etc. etc.) would greatly benefit users like me.

                                  But maybe that already exists and I can just not find it. So, if someone knows of something like this, let us know :)

                                  1. 3

                                    There’s generally the wiki, at: https://nixos.wiki/ (officially unofficial… but unofficially it’s the main one …kinda like in: the only one). There’s also https://nixos.org/nixos/security.html. But given that the NixOS community is not super large in itself, the security sub-community seems even smaller. I think you could try asking on the NixOS security discourse if you have some detailed questions; but given the slow traffic, it may be hit or miss. Or just asking on the main NixOS discourse.

                                1. 20

                                  Well, maybe first give some more information about the purpose of this survey and how you process and use the data? What is the (broader) context of your questions? I’m happy to help if you have a good goal and if it’s useful (also, I work within the higher education sector, I always like helping students). Also, what personal data will ‘surveymonkey’ collect and use and what for?

                                  Without such information it feels quite amateurish to be honest. Lobsters violating the GDPR is one thing, but people doing research within a university should know better :-).

                                  1. 1

                                    So… Six months of work and they change some icons/colours, make switches a lot worse and add some light optimizations for their extremely crappy and intensive animations. Well, let’s say I’m not impressed.

                                    I still use it on Fedora on my daily driver, but I dislike it more every year. Maybe it’s time for something else. Are there people here that went from Gnome to another DE and are happy about the switch? And if so, which one did you choose and why? :)

                                    1. 2

                                      Admittedly, fractional scaling is a large improvement that probably required quite some plumbing.

                                      1. 1

                                        I switched to MATE a few years ago, but then again, Gnome has changed a lot since then, and from at least my perspective, has improved a lot. I too am not sure about the new icon themes, but maybe it just needs getting used to.

                                      1. 4

                                        I also switched my parents, some parents of friends and a couple of small non-profit organizations to Linux some time ago. Windows slowed their laptops/desktops down too much (despite an SSD and 8GB ram) and administering their systems was a PITA to put it lightly (even with Chocolatey or a MS WDS). Also, Windows 10 broke their systems more than once, so it really wasn’t an option anymore.

                                        First I used a heavily customized Gnome on CentOS 7, but now I use ElementaryOS for them since it needs less customizing from my part (it’s simple by default). The disadvantage is that Elementary is based on Ubuntu, which is far less stable than CentOS in my experience. But even with the occasional issues on Ubuntu (they are easily fixed), it’s far easier and better to manage than Windows for me. I am now looking at NixOS for my next iteration of the ‘simple light-weight desktop for basic users’ concept.

                                        By the way, the hardest part (for most of my test subjects) of migrating from Windows to Linux was indeed the transition from Microsoft Office to LibreOffice. The first step was installing LibreOffice on their Windows machines and letting them get used to the new GUI/controls. It’s going okay now, but they still would rather have Microsoft Office. MS Office unfortunately is just better at almost everything, except being open source, transparent and light-weight. Even to me (I almost exclusively run free software) LibreOffice feels like something out of an era long forgotten.

                                        To summarize, since they run on Linux:

                                        • I’m spending a lot less time administering their systems. There are fewer issues etc. Especially updating the machines is now totally unattended, while on Windows 10 it would cause trouble far too often.
                                        • They are happier with their system since it’s less complicated/very simple (I remove almost every button that isn’t necessary for them in the GUI).
                                        • The only thing they miss is MS Office, but they think it’s worth the trade-off.

                                        1. 2

                                          Yeah, I did the same thing installing some FOSS on their Windows machines before switching them over. OpenOffice, Firefox, and VLC were examples. For VLC, I’d tell them it was ugly but could play anything. People liked MS Office more but got used to OpenOffice. Due to that, I never got around to trying to move their MS Office copy to Linux with WINE. Maybe that would help in your case?

                                          1. 2

                                            Not a bad idea. I tried to run MS Office under Wine, but unfortunately at the time of testing (couple years ago) only Office 2007/2010 were somewhat compatible. Also, Wine adds complexity and I am not a big fan of adding that. Less is more :).

                                            So they just have to deal with LibreOffice for now :).

                                            By the way, most of my users (the Linux users that don’t know they run Linux haha) love VLC. They like it because it always works and has huge buttons/very simple controls. So I think it is not necessarily the lack of a beautiful/nice looking GUI that is a problem, but that it has more to do with simplicity/user-friendliness. That Ribbon (I think that’s the name of it, correct me if I am wrong) interface does a lot of things right for this kind of user.

                                            1. 1

                                              Yeah, VLC has great usability. I think a better-looking version could preserve most of what you describe. Just theme it or something. Could even sell themes in a store to generate funding, like those chat apps do with their in-app art.

                                        1. 1

                                          I don’t know it (and don’t endorse it, I’m very hesitant when it comes to unaudited npm packages) but after a quick search this seems like something you are looking for:

                                          https://www.npmjs.com/package/markdown-cli

                                          Edit: I think I misread your question. Nevermind! Maybe this is something that can help you:

                                          https://pypi.org/project/csv2md/

                                          It’s only csv unfortunately, but if you can find json and cli argument equivalents you can write your own simple shell script to incorporate all in one.

                                          1. 1

                                            Work:

                                            • Tutanota web client on desktop.
                                            • Tutanota client for Android on my hardened AOSP device.

                                            Private:

                                            • Basic mailserver on OpenBSD with OpenSMTPD for important stuff. No web client, just Thunderbird or K9. Some people here do make me think of trying Mutt though. How does it compare to clients like Thunderbird?
                                            • Free Zoho account for non-important domains.

                                            But to be honest, I don’t like email that much.

                                            1. 3

                                              This looks interesting. Of course it’s a shame it’s based on Intel, but:

                                              • PCI-e
                                              • SATA
                                              • 2 x gigabit ethernet
                                              • x86
                                              • VT-x + VT-d
                                              • 32 GB ram
                                              • 4 okay-ish cores

                                              At first glance this looks like the first SBC that will actually be usable for stuff like routers, a virtualization host/hypervisor (in a cluster for example) or a simple linux desktop stuck to the back of a monitor. Price will be important though, since you also need to get memory, while a lot of other SBCs have memory on the PCB.

                                              1. 8

                                                The fact that it’s based on Intel is, imho, a good thing. I’ve got a drawer full of SBCs that started out with lots of promise - ultimate power, great battery life, etc - but are sitting there unused because the vendors failed to keep the kernel promises.

                                                That’ll be less likely to happen with an Intel-based SBC, imho.

                                                1. 4

                                                  Most ARM SoCs are decently supported by mainline operating systems. Which boards do you have and what would you like to use them for?

                                                  1. 2

                                                    Which ARM SoCs do you have that are supported on mainline? I’ve had nothing but all kinds of issues with ARM. I tried using an overpriced SolidRun as a router and ran into nothing but issues and terrible support.

                                                    I wrote another post on seeing these issues in Android devices. ARM is not a platform. It’s just random shit soldered to random pins. At least Microsoft phones had ARM + UEFI. I mean we have device trees, but they’re usually broken to hell too and most phone vendors don’t use them.

                                                    Is the particular device in this post a 3rd party x86 clone? Is it free of Management Engine or other 3rd party controllers? I realize all x86 stuff has non-free binary blobs everywhere, whereas you can get a lot of totally free ARM chips/boards, but long term support is often an issue. With x86+UEFI or even classic BIOS, you can run mainline Linux on them for years to come. There are even forks of Linux for older unsupported 386 chips if you really want to buy a ton of old 386 stock and use them in embedded applications. ARM is a clusterfuck by comparison.

                                                    1. 3

                                                      Rockchip RK3399/RK3328, Allwinner H3/H5/A64, Nvidia Tegra X1, the Broadcom junk that’s in the RPi…

                                                      I run FreeBSD (actually I worked on RK3399 support), so there’s no non-mainline :) but for Linux, Rockchip is actually mainlining their official drivers, and for Allwinner it’s the community.

                                                      Of course the cheap embedded boards aren’t as good as the high end server stuff (ThunderX/2/Centriq/eMAG/…), but there is a lot of support.

                                                      1. 2

                                                        OLIMEX has some interesting hardware and according to SUNXI Buying guide “Currently, Olimex is the only company creating Allwinner based OSHW, and Olimex actively contributes to the sunxi project.”.

                                                        For some cheaper but less open options (I use an orange pi zero as a home media server/nas/cups/whatever) armbian provides quite decent support.

                                                      2. 2

                                                        I bought the original PINE64 and found the support to be pretty terrible; even today it feels like it’s all been hacked together by guests in China rather than the manufacturer doing much about it.

                                                        1. 1

                                                          It’s very well supported in FreeBSD.

                                                          For Linux, just don’t go to the vendor, ever. Check Arch Linux ARM and Armbian. (Apparently Ethernet support was merged into mainline as late as 4.15, but it’s there now)

                                                      3. 4

                                                        I think the parent was implying AMD would have fewer microcode updates and more trustworthiness due to better QA than Intel. Likely inspired by the Meltdown/Spectre vulnerabilities. Also, AMD has been in the low-power SoC game for some time. I don’t know if you’ll get lots of problems out of them that you wouldn’t out of Intel. It would surprise me a bit. I remember Soekris was using AMD Geodes.

                                                        Oh shit:

                                                        “Due to declining sales, limited resources available to design new products, and increased competition from Asia, Soekris Engineering, Inc. has suspended operations in the USA as of today.”

                                                        Glanced at their page to see product updates. Got sadder news than I was looking for.

                                                        1. 5

                                                          I don’t know much about the Soekris boards, but pcengines.ch sells surprisingly affordable AMD Jaguar-based boards for embedded and network applications. I’m using one for my OPNsense firewall and have been perfectly happy with it.

                                                          1. 1

                                                            Thanks for the tip!

                                                            1. 3

                                                              From corebooting my ALIX2C3 I recall the geode microcode has another issue in that it’s reliant on legacy tooling to build, so you are encouraged to just use the blob (tooling is either DOS based or related to visual studio, can’t recall).

                                                        2. 2

                                                          If I remember properly HardKernel had everything for their C2 platform mainlined so you could use modern kernels without having to use a vendor specific one.

                                                        3. 2

                                                          it’s a shame it’s based on Intel […] Price will be important though

                                                          I too immediately thought “why not Ryzen?” but, price is actually the reason they went with Intel, according to the blog post that’s linked here. Excerpt:

                                                          2017 December, We considered AMD Ryzen 5 2500U 3.5Ghz mobile processor. The performance was very impressive, but the price of the CPU was also very impressive. Fortunately, Intel also announced the Gemini Lake processors. It was slower than Ryzen but much faster than Intel Apollo Lake, and the price was reasonable.

                                                          Looks like the board will be considerably cheaper due to the Intel chip.

                                                        1. 12

                                                          Lenovo X260 with Linux (mostly Fedora or Debian) and OpenBSD. It’s a 13-14 inch model, so it doesn’t meet your requirements on screen size, but maybe there are 15 inch equivalents available. My laptop runs Linux perfectly and I couldn’t be happier with it.

                                                          Some things I like:

                                                          • Keyboard quality and feel
                                                          • Keyboard backlight
                                                          • Double batteries for easy swaps
                                                          • Modifiable and expandable to your taste
                                                          • Rather good Linux/BSD support
                                                          • Not so many gimmicks or dumb features I don’t use
                                                          • Matte screen (oh how I hate glossy panels)
                                                          • Quite sturdy enclosure
                                                          • Price! I bought it nearly new from someone for about 400 euros. Even now (some years later) they are very cheap second hand, and if you look at the right place they will be practically new.

                                                          What I dislike about it is that malicious companies like Intel have their spyware and backdoors in it. But going for Purism or alternatives is simply too expensive for me, so it isn’t an option for me.

                                                          I hope you find this info useful!

                                                          1. 2

                                                            I hope you find this info useful!

                                                            I did, thank you.

                                                            1. 2

                                                              I have a friend at my local hackerspace who does a lot of stuff to cripple/disable the Intel stuff. I helped him flash some BIOS chips of ThinkPads. It’s kinda easy once you get the hang of it; we did two together and I think he did like 10-20 in total now. Also super interesting to learn a bit about how stuff works.

                                                              1. 2

                                                                I had my work get me one of these, but I forgot to specify not to get the low-res version, because it never crossed my mind that in this day and age it would still be possible to buy a 1366x786 display, but unfortunately it still is. I’d imagine it’s a decent machine if you don’t get stuck with the lousy-display variant tho.

                                                                My personal machine is an X301 which is a lot nicer since it’s from the 16:10 days, plus it has a carbon-fiber/magnesium palm rest instead of plastic like the newer models. The performance isn’t nearly as good, but it’s serviceable once you put uBlock Origin on it.

                                                              1. 5

                                                                GnuCash will probably be your best bet. It takes a while for most people I know to get the hang of it, since it is quite bad in that area. But it can do pretty much everything you can wish for in a budgeting app (or accounting program for not too large businesses for that matter).

                                                                1. 3

                                                                  I use Keepass for both work (very sensitive for others) and private (very sensitive for me), where the kdbx file is stored in a Cryptomator vault that gets synced through a private NextCloud instance that is only exposed over my own p2p vpn. All of these components are open source (which is a requirement for me), cross platform (linux, bsd, windows) and are quite consistent (which I find important). Of course, Keepass is a bit more work to set up and less fancy GUI-wise than say LastPass, but it suits me fine. It has autofill anyway, so I rarely have to copy-paste the passwords myself.

                                                                  The only thing I find a bit annoying is decrypting the vault every day, but I don’t feel syncing kdbx files over the internet is secure enough. How do others here feel about this? I always believe in layers of security (encrypted database + encrypted vault + tls + vpn + strong certificates and passphrases, everything under my own control) but there are also people that use Keepass only with Dropbox and only rely on the strength of the kdbx file itself. Any thoughts? :)

                                                                  1. 8

                                                                    Is that blog satire? The author links in his second paragraph to articles he wrote praising DRM and dismissing all criticism[1], to articles claiming that repairability or the ability to replace firmware is unnecessary, as you can always throw a device away and buy a new one[2], and he’s arguing that modifying the way a website is displayed in your own browser – e.g. by restricting the JS, or modifying it – violates the site owners’ rights, and is wrong[3].

                                                                    I absolutely can’t tell.

                                                                    [1] http://www.technologicallyadvancedhuman.uk/why_eme_is_great.html

                                                                    If someone wants to sell a movie but they don’t want it pirated or modified without their permission, that’s fair enough. It’s their content and it took them a lot of effort to make it. I don’t see why you would think you have the right to take someone else’s work and do what you want with it without permission.

                                                                    [2] http://www.technologicallyadvancedhuman.uk/the_freedom_to_destroy.html

                                                                    The type of freedom we need over these practically immutable hardware components is what I call “The Freedom to Destroy”. This means that we can throw it away and replace it with something else if we need to. So if it malfunctions, whether due to a bad microcode or a dead transistor, we can simply destroy it.

                                                                    [3] http://www.naughtycomputer.uk/a_response_to_the_javascript_trap.html

                                                                    Also consider if it’s polite to run your modified JavaScript on someone else’s website. Imagine if you maintain and distribute a modified JavaScript to use with e.g. eBay. And imagine it malfunctions causing a DDOS on eBay or people to have their financial details stolen. Whose fault is it?

                                                                    1. 4

                                                                      I read the DRM and firmware blogs, and was like “he can’t be serious”. I just closed the tab and went to check here if people understood the blogs haha. I guess not looking at your reply.

                                                                      In addition, it’s also written in a rather simplistic/shallow way. The thought of satire didn’t cross my mind, but you might be right! Also because of the banner.

                                                                      1. 3

                                                                        The weird part is, the author’s posts have been previously tagged as satire on lobste.rs, or marked as April Fools joke, and he’s protested that they’re not. All of his websites have similar content as well.

                                                                        I’m super confused.

                                                                      2. 2

                                                                        So I think these positions are a bit different than what you summarised on those blog posts (and I agree w/ the finer points).

                                                                        • “EME is great” post:

                                                                          • The writer doesn’t like piracy
                                                                          • => DRM helps prevent that
                                                                          • existing DRM schemes, however, are messy and rely on stuff like Flash
                                                                          • EME allows for a “minimal” amount of obfuscation in order to prevent piracy. A solution that is cleaner than others, while preventing piracy
                                                                          • basically, if DRM is non-negotiable, EME is a good implementation of such
                                                                        • “Freedom to destroy” post:

                                                                          • IME led to comments about CPU as a service
                                                                          • but even non-IME CPUs are basically a service (magic circuits, impossible to grasp)
                                                                          • Linux is built off of a lot of small software, where each component can be easily replaced (you can rewrite cd and put it into your own version)
                                                                          • “Freedom to destroy” = “Freedom to remove a part and put in a new part”. Basically you can replace things with “nicer” things that meet your objectives
                                                                          • CPUs aren’t really this yet (gotta replace whole motherboards) but… maybe one day
                                                                        • “Javascript Trap” post:

                                                                          • Javascript is running on your computer, but not easy to modify
                                                                          • Javascript’s “user” is the server runner, as they can modify it easily
                                                                          • (aside: running modified JS on someone else’s site could cause problems. For example a site extension could add way too many API calls bringing the site down. It’s not super nice to the site runner)
                                                                          • Free software helps to fight stuff like Google Maps, where we don’t have a real copy of the software (because JS isn’t usable in a real sense as a piece of free software)

                                                                        If this is satire, they unintentionally fell into real points. Don’t agree with everything, but this stuff has some basis in reality.

                                                                        1. 1

                                                                          The problem is that half of their points are completely irrational.

                                                                          For example, his EME post’s arguments rely on “I don’t see why you would think you have the right to take someone else’s work and do what you want with it without permission.”, which assumes that the fair use doctrine isn’t a thing. If you assume the fair use doctrine exists, then EME removes a right that you otherwise would’ve had.

                                                                          The freedom to destroy post also applies to other hardware, not just CPUs, and assumes that users manually repairing devices isn’t a thing. I’ve just replaced some parts of one of my monitors, and had to modify the firmware afterwards. The freedom to destroy post assumes no user is ever going to modify or repair such devices. The same issue applies to flashing the firmware of routers. Even the EU considered the right of people to flash the firmware of devices they buy as so essential that they required that no router manufacturer may prevent users from flashing custom firmware.

                                                                          Regarding the Javascript Trap, his argument would declare Ad Blockers as problematic – every browser extension you use to modify a site, be it Reddit Enhancement Suite or uBlock Origin, modifies the JS of the original page, or runs its own. This even came to court in Germany, where the courts ruled that it’s an essential right of a user to run ad blockers and that whoever runs the browser is the user and can modify the document requested in whatever way they wish to display it.

                                                                          In general, each of the posts has some points – but only under assumptions that require removing many legal rights that users have.

                                                                          1. 2

                                                                            Poe’s law applies here at some level.

                                                                            1. 2

                                                                              Or the Turing test. If it’s indistinguishable from satire/trolling…

                                                                        1. 2

                                                                          We use OpenStack for all our internal virtual machines (which are quite a lot). I think it’s quite (too?) complex to set up, but the ease of use after the initial setup is really good. There are a lot of OpenStack-compatible images available and it also isn’t difficult to make them yourself for some BSDs or lesser-used Linux distros. I really like the automatic SSH-key deployment, IP address configuration (we use public IPv4 and IPv6) and ACL/firewall in the GUI. I know some more organizations that use OpenStack, but most (like us) aren’t very public about it. We actually added more/new nodes to it recently :). Hope this helps!