1. 1

    PrivateNetwork is a nice feature but I couldn’t find a good guide on exposing certain ports via loopback but not the whole interface. For example I still want to reverse-proxy to my service and allow it to talk to my Database (without using socket files), without giving access to everything else that exists on lo.

    1. 1

I haven’t fine-tuned my services that much yet. But if I wanted to solve this problem I might try to look into nftables, to firewall lo, I would say.

      1. 1

        But nftables is only for in/out firewalling, not for locking down certain services from otherwise open ports via private interfaces. Systemd can do that, but in the guides I found you had to put the related services into the same interface.

        1. 1

          That’s true. It’s not optimal but with meta skuid you can lock out a port from other users. It is not as granular as services, but if you follow a 1 to 1 user<->service mapping, it is almost equivalent.
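The meta skuid approach above, written out as an nftables ruleset (an added example, not something from the comment author). It assumes the consuming service runs as uid `app`, the database listens on TCP/5432, and both share the host's network namespace; a unit with `PrivateNetwork=yes` gets its own loopback and never reaches the host's lo in the first place, so this is for services that do share it. Table and chain names are arbitrary.

```nft
# Added example: only root and uid "app" may open connections to 5432 on lo.
table inet lo_guard {
    chain output {
        # meta skuid is the uid of the socket that generated the packet, so the
        # match belongs on the output hook (locally generated traffic only).
        type filter hook output priority 0; policy accept;

        # Connection attempts to the database port from the allowed uids pass...
        oifname "lo" tcp dport 5432 meta skuid { "root", "app" } accept
        # ...any other local uid gets a reset instead of a connection.
        oifname "lo" tcp dport 5432 counter reject with tcp reset
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; the counter on the reject rule shows whether anything else on the box is probing the port. Only the client side is matched (dport 5432), so the server's replies, which carry 5432 as the source port, are untouched. The granularity really is per uid, which is why the 1-to-1 user-to-service mapping matters: two services sharing a uid share the grant.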

    1. 4

      The minimization part is cool. But I find running and experimenting with systemd inside of podman even cooler. I had no idea that one could do that.

      I mean that makes sense now that I think about it, systemd is designed to run inside a systemd-nspawn which is almost the same as podman, technically.

      1. 5

It also makes sense considering docker never intended to have systemd running inside containers. This prompted Red Hat to more or less write podman.

        https://lwn.net/Articles/676831/

        1. 1

Wasn’t the article about the other side of the issue? I.e. docker running on a systemd host?

Systemd always worked ok in any container runtime - docker is not really aware of the container contents on that level anyway.

        1. 7

          This attack would be history once and for ever if DNSSEC was widely deployed… sigh…

          1. 2

            Forgive me if I sound ignorant, but how does one ensure DNSSEC and a BIND-RPZ co-exist? RPZs are widely used to return NXDOMAIN to any DNS lookup for ad/tracking networks on a lot of private/VPN networks.

            1. 1

              In this case, the recursive resolver could resolve domains and check their DNSSEC signature. But you could connect to your recursive resolver using DNS over TLS and remove the DNSSEC signatures, which is supported by systemd-resolved.

              If it’s unclear, here is an example how it would work:

              • Your DNS resolver on your local machine is set to 192.0.2.1#noads.dns.example.com.
              • You go to example.com in Firefox.
              • Firefox queries (through systemd-resolved but this is a detail) 192.0.2.1 over TLS: What is the IP for ‘example.com’?
              • 192.0.2.1 asks b.gtld-servers.net.: What is the name server and the DNSSEC keys for ‘example.com’?
              • b.gtld-servers.net. says it’s b.iana-servers.net. and the DNSSEC key is “f00bar”.
              • 192.0.2.1 asks b.iana-servers.net.: What is the IP for ‘example.com’?
              • b.iana-servers.net. answers 93.184.216.34, and the signature is “quux”.
              • 192.0.2.1 checks that sign("93.184.216.34", "f00bar") is “quux”.
              • 192.0.2.1 answers to Firefox “The IP is 93.184.216.34” over TLS and removes the DNSSEC information.

              If the domain is blocked, 192.0.2.1 replies NXDOMAIN right away.
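The exchange above as a runnable toy model (an added example, not part of the original comment): 192.0.2.1 is a validating recursive resolver that also applies an RPZ-style blocklist, and the local stub (systemd-resolved with DNSSEC=no) trusts it over the TLS-authenticated channel. HMAC stands in for DNSSEC's public-key DS/DNSKEY/RRSIG chain so it runs with the standard library only; the zone data, the blocked name tracker.example.net and the `tampered` flag are all constructed for the illustration.

```python
"""Toy model of a validating recursive resolver with RPZ, and the stub that trusts it.
HMAC replaces DNSSEC's public-key signatures; all data below is constructed."""
import hashlib
import hmac

# What b.gtld-servers.net. hands out for the child zone (DS/DNSKEY in real DNSSEC).
PARENT_KEYS = {"example.com.": b"f00bar"}
# What b.iana-servers.net. serves.
CHILD_RECORDS = {"example.com.": {"example.com.": "93.184.216.34"}}
# Names the resolver's RPZ turns into NXDOMAIN (constructed ad/tracking host).
RPZ_BLOCKLIST = {"tracker.example.net."}


def sign(rdata: str, key: bytes) -> str:
    """Stand-in for the page's sign("93.184.216.34", "f00bar") == "quux"."""
    return hmac.new(key, rdata.encode(), hashlib.sha256).hexdigest()


def zone_for(name: str):
    """Longest-suffix match of a name against the zones we hold a key for."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in PARENT_KEYS:
            return candidate
    return None


def authoritative_answer(zone: str, name: str, tampered: bool = False) -> dict:
    """The child name server's reply: the A record plus its signature.
    tampered=True models an on-path forgery that swaps the address but cannot
    re-sign it, because the forger does not hold the zone's signing key."""
    ip = CHILD_RECORDS[zone][name]
    rrsig = sign(ip, PARENT_KEYS[zone])
    if tampered:
        ip = "203.0.113.66"
    return {"rcode": "NOERROR", "ip": ip, "rrsig": rrsig}


def recursive_resolve(name: str, tampered: bool = False) -> dict:
    """What 192.0.2.1 does for a query arriving over DoT: policy first, then
    fetch and validate, then strip the DNSSEC material before answering."""
    if name in RPZ_BLOCKLIST:
        return {"rcode": "NXDOMAIN", "ip": None}
    zone = zone_for(name)
    if zone is None or name not in CHILD_RECORDS[zone]:
        return {"rcode": "NXDOMAIN", "ip": None}
    answer = authoritative_answer(zone, name, tampered)
    expected = sign(answer["ip"], PARENT_KEYS[zone])
    if not hmac.compare_digest(expected, answer["rrsig"]):
        # Bogus data: a validating resolver answers SERVFAIL rather than
        # handing the client a forged address.
        return {"rcode": "SERVFAIL", "ip": None}
    return {"rcode": "NOERROR", "ip": answer["ip"]}


def stub_lookup(name: str, validate_locally: bool = False, tampered: bool = False) -> dict:
    """The local stub. With DNSSEC=no it relies on the authenticated TLS channel
    and accepts the resolver's verdict. With local validation on, an answer whose
    RRSIGs were stripped, or an RPZ NXDOMAIN with no NSEC proof of nonexistence,
    cannot be validated and is treated as bogus."""
    reply = recursive_resolve(name, tampered)
    if validate_locally and "rrsig" not in reply:
        return {"rcode": "SERVFAIL", "ip": None}
    return reply


if __name__ == "__main__":
    print(stub_lookup("example.com."))                      # NOERROR, 93.184.216.34
    print(stub_lookup("example.com.", tampered=True))       # SERVFAIL: forged record
    print(stub_lookup("tracker.example.net."))              # NXDOMAIN from the RPZ
    print(stub_lookup("tracker.example.net.", validate_locally=True))  # SERVFAIL
```

The last call is the point of the question: an RPZ answer is exactly the kind of response a locally validating client would reject, so the two only co-exist when validation happens on the resolver and the client trusts that resolver through the transport (here DoT), which is the DNSSEC=no plus DNSOverTLS configuration the comment describes.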

          1. 17

goatcounter.com is also another self-hosted and FLOSS alternative. I have no affiliation with it, I just know it from /u/arp242.

            1. 3

              This is the type of blog post that should belong in some piece of documentation IMHO.

              I don’t need this right now, but when I will need it, Duckduckgo/Google will give me SEOized search results which will be crappy, and I will never find this high quality piece of content again :(

              1. 3

                There’s this thing called a ‘bookmark’, it’s built in to your browser and can be synced between machines as well. :-)

                1. 2

                  I think it would be easier for me to find it in some crappy SEOized search results, than the bookmark mess I have accumulated over the years. :-)

                  1. 1

                    I understand. I had the same situation about two years back.

                    One thing that helped me was putting all of my bookmarks into a text document with titles. I use Markdown, for several reasons:

                    • I can open it as a pinned tab and have it display nicely.
                    • All of the bookmarks can be links, allowing me to open them from that pinned tab.
                    • And most importantly, I can use Markdown headings and subheadings to break my bookmarks down into categories and subcategories.

                    I have an OpenBSD subcategory, and that’s what the bookmark for this article went into.

                    If your bookmarks are in Chrome (or one of its descendants), you can export your bookmarks as JSON, and from there, you can turn them into a Markdown list.
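The Chrome-export-to-Markdown step, as an added example (not the commenter's own script). It assumes the layout of Chrome's bookmarks JSON: a `roots` object of folders, each folder a node with `"type": "folder"`, `name` and `children`, each link a node with `"type": "url"`, `name` and `url`. Folders become headings of increasing depth and links become list items; the sample export is constructed.

```python
"""Convert a Chrome-style bookmarks JSON export into a Markdown document whose
headings follow the folder tree. The sample export below is constructed."""
import json

SAMPLE_EXPORT = json.dumps({
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar",
            "children": [
                {"type": "folder", "name": "OpenBSD", "children": [
                    {"type": "url", "name": "OpenBSD FAQ",
                     "url": "https://www.openbsd.org/faq/"},
                ]},
                {"type": "url", "name": "Lobsters", "url": "https://lobste.rs/"},
            ],
        },
        "other": {"type": "folder", "name": "Other bookmarks", "children": []},
        "sync_transaction_version": "1",   # non-folder entries are skipped
    }
})


def folder_to_markdown(node: dict, depth: int) -> list:
    """One heading for this folder (capped at h6), a bullet per link, then subfolders."""
    lines = ["#" * min(depth, 6) + " " + node.get("name", "Untitled"), ""]
    subfolders = []
    for child in node.get("children", []):
        if child.get("type") == "url":
            title = child.get("name") or child["url"]
            lines.append("- [%s](%s)" % (title, child["url"]))
        elif child.get("type") == "folder":
            subfolders.append(child)
    if lines[-1] != "":
        lines.append("")
    for sub in subfolders:
        lines.extend(folder_to_markdown(sub, depth + 1))
    return lines


def bookmarks_to_markdown(export_json: str) -> str:
    data = json.loads(export_json)
    lines = []
    for root in data["roots"].values():
        if isinstance(root, dict) and root.get("type") == "folder":
            lines.extend(folder_to_markdown(root, 1))
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    print(bookmarks_to_markdown(SAMPLE_EXPORT))
```

Point it at the `Bookmarks` file in the Chrome profile directory and write the result to the file you pin as a tab; rerunning it regenerates the whole document, so the JSON stays the source of truth.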

                  2. 1

                    Right. But how much of this content wasn’t posted on lobste.rs, and I never stumbled across it, and am therefore missing?

                1. 19

                  In my opinion, this is as big as CPython getting rid of the GIL. This was a Herculean effort, and I’m looking forward to starting to use OCaml 5.0.

                  1. 3

                    I’m really excited by SILE, I feel that it gives a breeze of fresh air to the typesetter space.

                    However what I’m missing is a place with showcases of what SILE can do, like this stackexchange question for Tex.

                    I know that it still is in the “alpha/beta” phase, but that would be helpful for me to get started.

                    1. 1

There are a handful of examples on the website and (as of just before the v0.12.0 release) the examples are in the website’s GitHub source repository here so they are open for contributions. There isn’t a really good large showcase document yet – just some examples of handling languages and samples of what packages do – but with time we’d like to turn the website example gallery into a more complete general purpose showcase.

                      Also as of today I just opened up GitHub Discussions on the project repository which has a Show and tell category. We’d be happy to field questions there.

                    1. 1

I sometimes wish I had the time to rewrite Rust with dependent typing and with monads, and have it compile to readable C99.

                      Some goals: low overhead, safety.

But in addition to this, the same operators for async and results, since they both would be monads. And also more expressive types. (Vec<len=n > 1>.head() returns the value, since it is proven that it has at least one element.) Also since it compiles to C, no need to “rewrite in newlang”, you can use almost any library as is.

                      1. 24

                        Typesetting systems. It’s interesting to think about the differences between TeX and html, one predating scrolling and one designed for screens rather than paper. What would a simple typesetting system look like that was built with a minimalist ethos, for scrolling, without perfect hyphenation and pixel-perfect page boundaries.

                        1. 7

                          I’ve been playing around with SILE recently. While it still has some rough edges, it has been refreshing coming from LaTeX. I don’t know if you’ve already looked into it.

                          1. 2

Going the other way – an easier to deploy/run TeX system – have you seen Tectonic?

                            I’m using it on and off with some existing documents and was pleasantly surprised.

                            1. 2

I have seen it. I will admit that I haven’t dug too deep into it. I respect the effort, however the clean slate implementation of SILE (as opposed to Tectonic’s port of XeTeX to Rust) offers some advantages.

                              Documents can be either in TeX-like syntax or XML. (Meaning they can be generated by a program and be valid) Also the native support of SVG (instead of the convoluted Tikz) is a killer feature for me. But in general, SILE is more lightweight.

                        1. 11

                          I would try and reimplement Z3 in Rust. It would probably take 10 years and most of my hair, though.

                          1. 4

I remember starring on GitHub a SAT solver written in Rust 3 or 4 years ago; it looked really promising. I was about to tell you to look into it, until I realized you were the author of it. :D

                            I know that Z3 does much more than Minisat, but I’m wondering: is it worth it? (= All the extra Z3 features)

                            1. 5

                              There’s a bunch of other SAT solvers in rust (and this one is just mostly a port of minisat done by someone else, that I forked to add a few things, I can’t claim authorship).

                              I know that Z3 does much more than Minisat, but I’m wondering: is it worth it? (= All the extra Z3 features)

                              Yes! SMT solvers are more convenient to use than SAT solvers in many situations, and I think it’ll increasingly be the case in the future (e.g. bitvectors are often as powerful as their SAT encoding equivalent). In some cases, you have a clear encoding of your problem into SAT, in which case it might be better. This book has a lot of examples using both a SAT solver and Z3.

                              Beyond that, SMT solvers are one order of magnitude more advanced than SAT solvers, I’d say. They’re full of features to handle theories (hence the name), and give users a nice high-level language to express their problem, rather than a list of clauses. SAT has its place (see for example Marijn Heule’s work on using clusters for parallel SAT solving to solve really hard math problems), but for most users I think SMT is the easiest to use, because of all these additional features. Amazon AWS has formed a large team of SMT experts and is using cvc5 for crypto or authentication stuff, not sure which exactly.

                            2. 2

                              Not in OCaml?!

                              1. 4

No, rust is better suited to this kind of very high performance tools :-). I do have an SMT solver in OCaml in the works, but you can’t really compete with the C/C++ crowd in terms of performance.

                            1. 2

The real question here is, I feel, why did the writer of this not do it on their own and never bother anyone?

                              Like, not calling her lazy or anything, but why wasn’t there an incentive for him to just get it done on his own? Since it’s obviously possible.

                              Indeed, getting anything “simple” to the level of “management handled issue” will by default add a standard amount of overhead (e.g. 10 mins in a startup, 1hr in round B, few weeks in a megacorp). But that’s just the nature of consensus making in large orgs… however a lot of things can be resolved exactly by not having to get them to management, by just doing them yourself (or yourself + a group of friends that don’t mind asking for help)

                              1. 10

                                First, I believe the “guy” writing at the “Rachel by the Bay” blog is a woman.

                                Second, they did write an initial dashboard by themselves, but then a “dashboard team” came along and insisted they’ll provide said dashboard—and then promptly decided they had more important things to do for 5 months. Here’s paragraph 3 and 4 of the post:

                                January 1: we put up a terrible hack: a shell script that runs a Python script that talks to the service to get the status and then dumps out raw HTML to a file in someone’s public_html path.

                                January 29, early: there’s this team that nominally owns dashboards, and they got wind of us wanting a dashboard. They want to be the ones to do it, so we meet with them to convey the request. We make a mockup of the list and the eventual big red button to give them some idea of what it should look like.

                                1. 3

                                  First, I believe the “guy” writing at the “Rachel by the Bay” blog is a woman.

Oops, edited

                                  Second, they did write an initial dashboard by themselves, but then a “dashboard team” came along and insisted they’ll provide said dashboard—and then promptly decided they had more important things to do for 5 months. Here’s paragraph 3 and 4 of the post:

                                  What I was saying here was that, i.e. “WHY IS THERE a dashboard team!?” that seems like the fundamental question to tackle here. Why does the company not provide incentives to just leave the stupid python script up, or get the devs to spend the few days they did writing the dashboard without implicating a whole other department.

                                  I think the author might also think the same thing here, I was trying to paraphrase my takeaway, not criticize.

                                  1. 12

                                    “WHY IS THERE a dashboard team!?” that seems like the fundamental question to tackle here.

                                    I can answer this question as if it was the BigCorp for which I’m currently working. Please take my answer with a grain of salt, as this is most likely biased by my “grunt” point of view.

1. Up high, the CEO most likely decided they wanted to reduce cost on the technology.
2. They gave this task to a Senior VP. This senior VP discussed with a VP and a few directors, and they came up with one of the conclusions that the technology is too fragmented across the organisation, and too many people solve the same problems.
3. The task got split up into smaller chunks: “consolidate server technology”, “consolidate dashboard technology”, etc. At some point, some director got assigned the objective to “consolidate the dashboard technology”.
4. This director within their budget created a “dashboard team”.
5. Now you have a team whose sole purpose is to consolidate the dashboards; their performance is measured every quarter in terms of: how many dashboards were consolidated, and how many new dashboards are created by this consolidation team.
6. This team now hunts down anybody who is using a dashboard or creating a new one; the team’s existence depends on it. (If they don’t perform well they will get reassigned, and members will lose the opportunity to be promoted quickly, and/or face the possibility of being made redundant.)

                                2. 5

Her name is Rachel and she is not a guy. If you want to use gendered language you should do your research and not jump to conclusions. The name is even visible in the domain.

                                  1. 2

                                    Gendering someone based on a personal name that you found in the domain name of the site where you found an article sounds like a lot of making assumptions to me. And in the glorious twenty-first century, anyone and everyone is free to be a “guy”, just like in the 90s we were all dudes.

                                1. 1

                                  For some reason, the owner of the website has banned my IP (it is static, and I never visited this website before?). Could anybody write down a TL;DR in the comments? Thanks!

                                  1. 6

TL;DR: WebKit implements an AVIF decoder which is available in GtkWebKitView. But Safari doesn’t use these, it uses WebKit just for the rendering but uses the OS’ decoders. Since macOS and iOS don’t implement an AVIF decoder, Safari doesn’t support it.

                                  1. 7

                                    While the content of this article is interesting, it reads like a product placement for the podcast basically produced by Google (or maybe it’s just trying to optimise the pagerank of coywolf.com).

This is a lot of text to just say “well basically Safari delegates image/video decoding to the OS, and Mac and iOS don’t support AVIF, while WebKit has been supporting it for a long time now.”

                                    1. 1

                                      They also have ampproject scripts on the main page here.

                                      1. 1

                                        Well, I’m sorry. I don’t have any connection with those companies.

                                        1. 1

                                          I never claimed you did. I think the link is interesting, I’m just sad about how it is written.

                                          1. 2

                                            I understand. It is indeed sad that most informative articles these days seem to have some commercial background.

                                      1. 17

I tried this and it actually is pretty darn fast. Coming from completion-nvim, it’s a massive difference in speed. If only the author licensed it properly.

                                        1. 19

                                          Everything about this ‘edgy’, meme marketing reeks of immaturity – down to naming it Coq right after news of Coq realizing it probably needs a new name. While there is room on the scale for more fun/serious (no, putting emoji in the docs or CLI is not ‘fun’), I think this well overshot into gawdy and something I can’t take seriously.

                                          1. 8

                                            I’m not a huge fan of the copy, but it is pretty good software so I’ll judge it by that metric.

                                            1. 5

I wouldn’t want to raise an issue or collaborate with the project though.

                                            2. 3

                                              Very edgy. I respect the author’s choice to represent their project however they like, but it all comes across very unprofessional to me. Profanity aside, the commit log alone makes me wonder about the quality of the project.

                                              1. 6

                                                I don’t get why professionalism matters here? This is a personal project they made in their spare time and released for other people to use if they want. There’s nothing professional about it.

                                                1. 6

                                                  Profanity aside, the commit log alone makes me wonder about the quality of the project.

                                                  Ouch… I just took a look at it, and yes, I understand your reluctance… I never look at the commit log of projects to assess their quality, now I’m thinking that I should start doing that.

                                                  Thanks for saying this!

                                                  1. 4

I think icy’s point is a good one. If it’s good software, then who cares. The commit log being organized says nothing about the quality of the software. If the author is working on a thing primarily by themselves, then it doesn’t matter too much if the commit log is clean as they are the only ones that are hurt by it.

If the software solves a problem, then that’s a worthy reason for its existence imho.

                                                    1. 2

                                                      You’re welcome! The log certainly isn’t the only indicator of project quality, but when the readme concerns me I like to check the logs.

                                                      1. 1

The r/vim sub didn’t take kindly either https://redd.it/p5931v considering it’s Neovim only and the react doesn’t inspire confidence.

                                                        1. 1

                                                          If it’s good software, isn’t that evidence you should care less about the commit log?

                                                          1. 5

Reading commit logs is a great first step towards contributing to the project. Whenever I’m learning how a project works, oftentimes I’ll look at the log messages, especially when I want to run git blame or git annotate.

Proper log messages not only help others, but yourself, too. I’ve forgotten a lot of the code I’ve written over the period of my hobbyist/career. I’ve needed to go back and make changes to code I’ve written. So that I can provide the best fix possible, it’s helpful to understand the “why” of a commit. The changes a commit produces are the “what” and log messages (should) provide the “why”.

                                                            1. 2

None of that is an argument for why a chaotic commit log is evidence that a project is not good or that the software is bad.

                                                              1. 2

                                                                That’s not the point I was making.

                                                      2. 2

                                                        Moreover… I don’t know if you understand French but “gawdy” is probably a good adjective to describe the linked video at the beginning of the readme.

                                                      3. 8

                                                        I wrote a github comment on that license issue: https://github.com/ms-jpq/coq_nvim/issues/15#issuecomment-900956033

                                                        Usually I don’t care too much, stuff like the WTFPL is a bit stupid but ultimately mostly harmless. But this “license” is really dangerous and could end up getting people hurt, if any part of it turns out to be enforceable.

                                                        1. 4

                                                          Yeah this neovim completion engine has me shaking in my boots.

                                                          I find it all refreshing that this guy doesn’t care about using his github as a linkedin or about people who think his license is dangerous.

                                                          1. 2

                                                            Are you making fun of the idea that giving up your rights to sue anyone ever can be dangerous? I don’t think I’m understanding you.

                                                            1. 3

                                                              Interpreting this as “can’t sue for any reason ever” should definitely and obviously be unenforceable right? If that could ever work, that’s not an issue with the license, rather that’s a huge issue with the legal system in question.

                                                              1. 3

                                                                I mean, I agree. It’s probably not enforceable. But I don’t know, I’m not a lawyer and neither is the author - and I’d not be willing to test it.

                                                                I have a lot of confidence that the “you can’t sue me” part of the license is unenforceable, so users of software under this license are probably safe. I assume. Again, not a lawyer. But the part where the license author promises not to ever sue the licensee? I have no idea how that works in court. Could a lawyer argue that the author of the license didn’t know what they were doing so that the license he wrote doesn’t apply to himself? Are there other protections in place to protect license authors from themselves? I really, really wouldn’t want to find out if I was in his shoes.

                                                                If there are any lawyers out there who could bring some clarity to this, I’d love to hear it. But the obvious practical solution is to pick a real license.

                                                              2. 2

                                                                Yes

                                                          2. 6

                                                            It has now been relicensed as GPL v3

                                                            1. 2
                                                              1. 1

                                                                Have you compared it to coc-nvim?

                                                                1. 2

                                                                  No. I’m using Neovim’s built in LSP.

                                                              1. 3

                                                                I’ve looked at MinIO for my home storage server, to expose files to other applications I run in my internal network for myself and my partner.

This was a while ago, but skimming through their documentation, I could not find much related to ACLs. Basically what I found is “we don’t support the ACL API, we replaced it by a much weaker system of ‘policies’…” [1][2] And their server security page doesn’t mention ACLs even once, only server side encryption. I was a little disappointed…

It’s really sad, because I like a lot of things about this project (open source, written in go, widely used and stable). Openshift used to have an object storage API, but I can’t find it anymore :( .

[1] See “List of amazon S3 API not supported by Minio”, sorry there is no anchor on this title/section.

                                                                [2] https://docs.min.io/docs/minio-client-complete-guide#policy

                                                                1. 1

                                                                  It’s really sad, because I like a lot of things about this project (open source, written in go, widely used and stable). Openshift used to have an object storage API, but I can’t find it anymore :( .

                                                                  This thing? https://blog.oddbit.com/post/2021-02-10-object-storage-with-openshift/

                                                                  1. 1

                                                                    I think that’s it. It has evolved so much since the last time I looked into it. It used to have its own “open api” which was not at all compatible with S3, and much more REST-y.

                                                                    It looks like now the objective is to be scalable. I was more looking for a replacement for NFS (= remote file system).

                                                                    But thanks for linking this!

                                                                    1. 1

                                                                      If you’re looking for NFS-kinda like stuff, maybe GlusterFS will be up your alley?

                                                                      1. 1

                                                                        I am seriously considering it. I need to look whether one can do authorization on glusterfs. (Remote user A can only mount this path in readonly, etc…)

                                                                  2. 1

                                                                    what exactly do you want to control access to? I’m currently running minio in production and set up AWS style policies in it with very little trouble

                                                                    EDIT: in my case I did actually use it to replace an NFS server

                                                                    1. 2

What I mean is tokenA can only read in BucketA, tokenB can read/write in BucketA.

                                                                      1. 2

                                                                        yea, this isn’t a problem with minio, so you can create users with the mc admin tool, and set policies that are like…. IAM style json…

                                                                        {
                                                                          "Version": "2012-10-17",
                                                                          "Statement": [
                                                                            {
                                                                              "Effect": "Allow",
                                                                              "Action": ["s3:ListBucket"],
                                                                              "Resource": ["arn:aws:s3:::*"]
                                                                            },
                                                                            {
                                                                              "Effect": "Allow",
                                                                              "Action": ["s3:*"],
                                                                              "Resource": ["arn:aws:s3:::BucketA/*"]
                                                                            }
                                                                          ]
                                                                        }
                                                                        

                                                                        then you apply this policy to UserA (who uses TokenA) and then he can get to BucketA

                                                                        it’s an admittedly rough interface, but it totally works
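The two policies the thread asks for, side by side, with a small evaluator that applies the IAM rules MinIO follows (default deny, statement must match both Action and Resource, an explicit Deny beats any Allow). This is an added example, not MinIO's code: tokenA gets a constructed read-only policy, tokenB gets the read/write policy posted above. Running it also surfaces a caveat in that posted policy: its `s3:ListBucket` on `arn:aws:s3:::*` lets tokenB list every bucket, not just BucketA.

```python
"""Minimal IAM-style policy evaluation for the MinIO policies discussed above.
Policies follow the JSON shape shown in the thread; the evaluator is a
simplification (Action/Resource wildcards, explicit Deny wins, default deny)
and not MinIO's own implementation. All policies here are constructed."""
import json
import re

# tokenA: list BucketA and read its objects, nothing else.
READ_ONLY_BUCKET_A = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::BucketA"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::BucketA/*"]},
    ],
})

# tokenB: the policy from the comment (ListBucket on every bucket, s3:* on BucketA's objects).
READ_WRITE_BUCKET_A = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::BucketA/*"]},
    ],
})

# Broad grant with a carve-out, to show that an explicit Deny overrides Allow.
NO_DELETE_BUCKET_A = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::BucketA/*"},
    ],
})


def _glob(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy_json: str, action: str, resource: str) -> bool:
    """Default deny; a statement applies only if both Action and Resource match,
    and any applicable Deny overrides every Allow."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def describe(policy_json: str) -> dict:
    """Evaluate a fixed set of requests against a policy (constructed object keys)."""
    checks = {
        "list BucketA": ("s3:ListBucket", "arn:aws:s3:::BucketA"),
        "read BucketA/x": ("s3:GetObject", "arn:aws:s3:::BucketA/x"),
        "write BucketA/x": ("s3:PutObject", "arn:aws:s3:::BucketA/x"),
        "list BucketB": ("s3:ListBucket", "arn:aws:s3:::BucketB"),
        "read BucketB/y": ("s3:GetObject", "arn:aws:s3:::BucketB/y"),
    }
    return {label: is_allowed(policy_json, *args) for label, args in checks.items()}


if __name__ == "__main__":
    for name, policy in [("tokenA", READ_ONLY_BUCKET_A), ("tokenB", READ_WRITE_BUCKET_A)]:
        print(name, describe(policy))
```

Save each policy to a file, register it and attach it to the corresponding user with the `mc admin policy` subcommands the comment mentions, then re-run the checks against the live server with the matching access keys to confirm the evaluator and MinIO agree. Scoping tokenB's `s3:ListBucket` resource to `arn:aws:s3:::BucketA` is the one-line fix if listing other buckets was not intended.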

                                                                  1. 9

                                                                    My personal favourite new features:

                                                                    • Building on Total Cookie Protection
                                                                    • Firefox now does catch-up paints for almost all user interactions, enabling a 10-20% improvement in response time to most user interactions.
                                                                    1. 3

                                                                      What are “catch-up paints”? I can’t find a good explanation.

                                                                    1. 8

That is amazing! I was unaware of such a project. I’m not asking it to become the default, I just would like such an init system to be available on BSD at the administrator’s choice. (which would be my case)

This is a great result for what seems to be a one-man project.

                                                                      1. 7

                                                                        I’m not asking it to become the default, I just would like such an init system to be available on BSD at the administrator’s choice. (which would be my case)

                                                                        Interesting – I find BSDs appealing and use them because of a lack of choice. The whole system is “curated”, all the parts fit together. I have to check manpages to know apache uses -t to check its config file whereas haproxy uses -c, but if I use relayd and httpd I use the same flag that I use for pfctl and other builtins.

                                                                        So for me, the fact that “there’s one way to do it” is quite appealing!

                                                                        1. 3

                                                                          In my experience, BSD is more curated than Linux, but I wouldn’t say it follows the “there is only one way to do it” principle. For example, on both FreeBSD and NetBSD, there is more than one firewall included by default (pf, ipfilter, npf etc.), and the administrator can generally choose whichever he prefers.

                                                                        2. 1

                                                                          I just would like such an init system to be available on BSD at the administrator’s choice

I replaced FreeBSD’s rc.d with daemontools 15 years ago. It was just a port at the time (not sure if it still is), and it’s something that’s been possible for a long time if you’re willing to put a bit of effort in it.

                                                                          Fairly sure you can also do it on OpenBSD etc.