1. 2

    I’ve not played Factorio yet but how long does a full run take on average? Or is it just time boxed regardless? Lol.

    1. 3

      There’s an achievement for doing it in under 8 hours (there are several finish-time achievements but the 8-hour achieve “there is no spoon” is the hardest), but realistically a noon will take a LOT longer than that for their first time. I’d guess 100+ hours, although that’s just playing the game for fun and without specifically rushing to rocket-launch.

      1. 2

        My first run was 100+ hours; speedrunners finish it in a little over 2.5 hours on default settings.

        1. 2

          It really depends on how hard you rush towards launching the rocket - the “game over” condition (quotes there because you can play beyond launching a rocket).

          You could do it in a few hours if you rush and have an idea what you need to do. First time with no guides will probably be longer. Speedrunners can do it in about an hour - edit: hour and a half.

          1. 5

            A reasonably knowledgable pair of players, going in with a good premade plan, can launch a rocket in 3 hours. Default settings.

          2. 1

            My first play through was 40+ hours

            1. 1

              Personally I have played maybe 3 or 4 times and I always gave up before launching the rocket, after quite a few hours. I’m definitely not good at Factorio but this game is both quite difficult and truly great.

              1. 1

                I’ve dabbled in it for years, when 1.0 came out I finally did a full play through and it took around 30 hours.

              1. 34

                I haven’t bought a new dev machine in … eight years. Reconditioned, ex-corporate, Lenovo ThinkPads are where it’s at for me.

                Currently I’m running a W540 - high-res screen, 16GiB RAM (up to 32GiB), 500GiB SSD dual-booting Ubuntu (for play) and FreeBSD (for work). Cost me AUD$400 less the SSD. Prior to that, for several years, I was running FreeBSD on an X220 that I purchased for around AUD$300.

                https://duncan.bayne.id.au/photos/Working-_Hacking-_Making/x220_at_fresho.jpg

                My three children run Ubuntu on ThinkPad X250s. Having identical hardware and OSs makes management easy. Also purchased refurbed ex-corporate; most recently an 8GiB / 128GiB X250 for AUD$345 including shipping. Lightning fast with Ubuntu, and they can do all their kid stuff: Minecraft, Starbound, Spotify, Wesnoth, DOSBox (for retro games), etc.

                I might break the habit, though, with my next dev machine. Since the COVID-19 pandemic I’m looking at buying a new desktop (or maybe rackmount?) system and just using a laptop as a client when I’m not at my desk. If I do, though, it’ll be another refurbished X-series.

                1. 6

                  My three children run Ubuntu on ThinkPad X250s

                  Wow, you really spoil your kids; mine are on a T410 and T420. =) Works great for Minecraft, TIC-80, and SNES/Playstation emulation, and they don’t have to use a chiclet keyboard. The kid with the T420 has to put up with a 16:9 aspect ratio, but … life is never perfect.

                  1. 5

                    They used to run older X-series (our eldest, for example, had my old X220). But I standardised on current-generation power adaptors and docking stations for convenience (so we can share equipment). One of the reasons I’m looking at the X-series again for myself after the W is that the W requires 170W power adaptors o_O

                    Our family tradition is that, when you turn three, you get your big boy / big girl’s bed, and you get your first ThinkPad with Ubuntu.

                    1. 2

                      Standardizing on power adapters is also part of why I won’t buy the newer ones with the chonky rectangles. I must have ten or twelve of the barrel jack adapters in various places around the house. =)

                      1. 2

                        You can get barrel -> rectangle adaptors I believe. If you don’t have docking stations to consider, that might be an option.

                        The only reason I upgraded from my old X220 to a W540 is that I was doing a lot of work on trains at the time, and the 768px screen was a bit of a liability.

                        I’m seriously tempted to switch back to an X200. They’re old, now, but I still think they represent the pinnacle of X-series design: old IBM-style ThinkPad keyboard, ThinkLight, no trackpad (only TrackPoint). Would make a fine client for a desktop / server, especially with a newer screen panel and CoreBoot.

                        1. 1

                          I’m seriously tempted to switch back to an X200.

                          I used to have an X200 and I’d suggest considering the X301 instead; full-size classic keyboard, just as light, same 1440x900 resolution but slightly larger, and the palm rest is done with rubberized carbon fiber instead of plastic. Back in the day it also had a bonus of having two battery bays, but sadly these days you can’t buy a battery for the second bay unless you want to take a chance on a cheap one that will likely balloon up and crack your chassis from the inside. The main downside is that it requires a special 1.8-inch SSD.

                          1. 3

                            Ooh, thanks for letting me know - that looks perfect. Found this article while Googling the 301, too: http://panacek.net/post/x301-rebuild/

                  2. 4

                    I haven’t bought a new dev machine in … eight years.

                    I typically buy a new desktop computer every 5 years, so try to find a sweet spot in terms of good components that’ll be sufficiently performant for that long and allow for a bit of upgradability (usually a new GPU a few years in).

                    I’m presently at 7 years on this machine. CPUs haven’t gotten majorly faster compared to previous cycles, so I’ve found it difficult to justify the expense for only a 2-3x speedup. The Ryzens look like they might be worth it though.

                    1. 5

                      Ryzen is absolutely worth it. The increase in core count is amazing for certain workloads (including compiling, if you’re into that)

                      1. 1

                        My main work use of more cores would be benchmarking to optimise some multi-core locking, as I’m limited to the 4 real cores I currently have. Might also be use for gaming, while a few other applications are running.

                        1. 1

                          I’m generally a fan of re-use but I totally agree. Not every workload or work pattern needs a monster machine, but I think many of us who do software environment on the regular could probably benefit from one.

                          One question I’ve been pondering though is “Does my LAPTOP need to be something beefy?”

                          I’ve been experimenting along these lines with my PineBook Pro for the last few months and for me and my use cases thus far the answer is a resounding no.

                          I have my monster beast machine on my desktop, but for a laptop I am loving something that’s light and very energy efficient. It does 90% of what I need 90% of the time, and that’s plenty enough for me for a laptop :)

                          1. 3

                            Oooh! What’s your experience of the PineBook Pro been? I’m tossing up between one of those and a refurbished X-series ThinkPad as a next machine. My main sticking point is the lack of FreeBSD support; I’ve only recently switched back from Ubuntu as my work OS, and would hate to have to switch back again.

                            1. 2

                              Hiya! Expect to see a write-up posted here from me today or tomorrow, but real quick:

                              I know there is a FreeBSD port underway but… RealTalk - if you plan to actually USE the laptop for productive work you should either A) suck it up and plan to use the already specially tuned Manjaro or Debian Linux images OR B) plan some sincere time for kernel hacking and tuning. The Pinebook Pro has a ‘big/little’ CPU combo that’s not something you see in the X86 world. If your kernel isn’t tuned specifically for that, performance will be utter crap.

                              1. 3

                                Thanks :) Yeah I’d assumed (a) - which isn’t a deal-breaker mind you, especially if I’m using it essentially as a client for a FreeBSD desktop / server.

                            2. 2

                              I agree, I did a significant amount of development on a Lenovo IdeaPad with a super light wm and vim. I didn’t need anything more for what I was working on. Now my day job is a different story… I regularly make all 12 cores hurt.

                        2. 4

                          I too look for reconditioned ex-corporate, Lenovo ThinkPads and have been using a i7 X230 for a while, I was so impressed with it that on the day after it arrived I ordered another from the same re-conditioner, except I asked them to add the maximum RAM it would support and a bigger SSD so I could use it in a professional capacity.

                          The only reason I might upgrade now is to a machine that plays Minecraft as I find that game a great relaxing exercise akin to colouring or reading a book.

                          If you don’t mind a quick question: Would you say a X250 would suffice, or should I be looking at something newer?

                          1. 2

                            The X250 is just fine for Minecraft - in fact it played perfectly well on my old X220. It’d make a perfectly acceptable development system, actually, unless you were doing a lot of work with containers at which point 16GiB might become an issue.

                          2. 1

                            Where do you buy used in Australia?

                            1. 1

                              I haven’t bought a new dev machine in … eight years

                              My main machine is over 10 years old, though I recently added RAM and a new gfx card.

                              1. 1

                                Amazing story. During the last 12 months me and my wife got used laptops.

                                We got 2 laptops (A Lenovo Ideapad and Acer Nitro/VX series), mine with a better processor but her with a way better GPU(she does some rendering for his work/jobs) and we paid as much as 2/3 of what we would pay on her notebook alone. Both already equiped with 240GB ssds and 1TB HDs.

                                Also, i had a FX-9370 on my desk and that thing was power hungry. Sold it to a friend by a modest price cause he wanted to play old games and do some console emulation.

                              1. 11

                                Something like “this SSL cert is about to expire in a week” would, prior to LetsEncrypt, make sense as a thing that automatically files a ticket which must be acknowledged and marked complete. “This RAID set is down one disk” is another less dated example.

                                Maybe a viable solution is to replace low priority alerts with automatically generated tickets. The goal would be to make them way more inconvenient so there would be more pressure to turn off the sources of them rather than letting a deluge go through ignored.

                                1. 2

                                  Maybe a viable solution is to replace low priority alerts with automatically generated tickets.

                                  This is indeed exactly what was done at GitHub while I was there. The opened issues would CC relevant teams (which were defined in the same place as the condition that caused the alert), and closed themselves automatically once the underlying condition was no longer marked as failing.

                                  It worked okay, but a lot would just get ignored as noise still.

                                  1. 6

                                    Closing themselves automatically sounds like it would remove the pressure to quench spurious ticket sources. :/

                                    I guess I’d be fine with tickets automatically closing but only if they’re guaranteed to need human interaction by definition - e.g. if the ticket is “RAID set degraded” then I know it’s not going to get un-degraded unless someone shows up with a spare disk to solve it, so that one’s okay.

                                    My worry is that a thing like “median site response >35ms” would easily come and go by itself and train operators to ignore it. :(

                                    1. 3

                                      My worry is that a thing like “median site response >35ms” would easily come and go by itself and train operators to ignore it. :(

                                      That is pretty much 100% what happened, yeah. I suspect autoclose was introduced because it got too noisy at some point and competing priorities got in the way of trying to resolve things at their root.

                                      1. 6

                                        That’s what almost always happens. My view is that if it being auto-closed is in practice acceptable, then that alert shouldn’t have fired in the first place.

                                        https://www.robustperception.io/running-into-burning-buildings-because-the-fire-alarm-stopped are some thoughts on alert resolution I wrote a few years back.

                                        1. 2

                                          For the “this SSL cert is about to expire in a week” case, do you think it’s a good idea to use a prometheus rule and alertmanager and push it to a ticket system?

                                          1. 2

                                            That seems reasonable to me, presuming that it won’t take you a whole week to get a new cert.

                                            When you’ve only a day of wiggle room left, a page would probably be appropriate.

                                            1. 2

                                              Thanks!

                                  2. 2

                                    This is basically how it works at Amazon. A ticket is always created for an issue, severitys 1 and 2 page you, 2.5 pages you during work hours, and 3-5 never pages you. The oncall is generally expected to work on the tickets in the queue while oncall, though depending on the team the backlog stuff may get ignored. The thing is that tickets generally don’t auto resolve, they usually require at least one human interaction.

                                    At my current job we use opsgenie and sometimes I get paged from a blip in the metrics. Since there’s no ticket generated and it usually doesn’t happen at a convenient time, I don’t have the same tendency to follow up on issues unless they’re bad.

                                    1. 5

                                      2.5

                                      that must have been a fun meeting. “we’re out of numbers.” “let’s go for 2.5!”

                                      1. 2

                                        Shame they didn’t go for 2.71828… instead. Then they’d have alert levels 1, 2, e, 3,4 and 5. Tremendously confusing and borderline useless but it would never have stopped being funny.

                                  1. 3

                                    First time I’ve heard of the rule of 72, looks pretty useful.

                                    1. 6

                                      https://en.wikipedia.org/wiki/Rule_of_72 explains, basically it’s actually the rule of e*100 (i.e. ~69.3) but 72 has more divisors so is easier to work with.

                                      1. 3

                                        basically it’s actually the rule of e*100 (i.e. ~69.3)

                                        I think it’s ln(2) ~ 69.

                                        1. 1

                                          Right you are, I was getting my logarithms mixed up.

                                    1. 5

                                      One I often use is assuming a day has 100,000 seconds as that’s close enough for estimation purposes.

                                      1. 17

                                        I find the name “static site generator” kind of subconsciously promotes the idea of this just being all about some static files that move from here to there. What they usually come with though is a super complicated, fragile, and regularly updating toolchain that puts at risk your ability to generate the static part that was supposed to be simple. We have a couple “static” sites that are almost impossible to update now because the tooling that generates them is no longer being maintained, so it’s harder and harder to run that tooling successfully. They don’t feel like “static” sites very much anymore.

                                        1. 5

                                          I agree with you on this, but surely these issues can happen to any CMS.

                                          1. 1

                                            If the generation code is exercised on very web page visit it’s likely to degrade much more slowly than if it’s only exercised when there’s new content.

                                          2. 3

                                            You’re not the first person I’ve heard say that. I know a few people who spend an inordinate amount of time administering issues on their static sites.

                                            1. 1

                                              so it’s harder and harder to run that tooling successfully.

                                              This gets easier if your tooling isn’t on a platform that gets old.

                                              My static site generator is written in Clojure. Last commit, 2015. Going strong, no changes necessary to run it today.

                                            1. 19

                                              I think the principle of least power might apply here. Do you really want a full language here. Seems ripe for abuse.

                                              1. 11

                                                I think it depends on the domain. For ops work, it’s quite difficult to come up with a language that is simple enough while still being powerful enough.

                                                I’ve chosen Python as config file for a Docker template product I sell. Here’s my reasoning:

                                                You can say, ok, we’ll just have them use JSON. But now they’re writing code to generate the JSON, so we’re no better off.

                                                I could do something more powerful than JSON, but less powerful than Python. But—users might want to set Docker labels based on Git. So, great, I can hard code that as flag, but—what if they use Hg? What if they use Perforce? And that’s just one detail out of a thousand.

                                                So it’s much easier to say “Here’s a language you can mostly just use to construct dictionaries, just like JSON, but if you need it, you can do whatever”. And in my case it’s a template for Python applications, so I can assume Python is there.

                                                A longer write up on the pain of writing software for ops, and how I arrived at the decision to do what this article suggests: https://pythonspeed.com/articles/developing-tools-for-ops/

                                                1. 5

                                                  You should check out Starlark. It looks like Python but it doesn’t let you do a lot of the crazy dynamic stuff Python can do and it doesn’t let you do I/O or have unbounded loops. It was built for exactly this purpose: https://go.starlark.net

                                                  1. 2

                                                    I can see places where that would be useful, but it doesn’t help with things like “call out to a git subprocess to get the current branch”. Sometimes you just need a full programming language.

                                                    1. 1

                                                      I think we’re talking about different use cases then. I have a particularly hard time imagining when calling out to git is appropriate for this sort of configuration. It seems like you would want to do that ahead of time and pass the result into your configuration script as a parameter. That said, this is a pretty broad space, so maybe there are valid use cases and I’m just not imagining them. Mostly I deal with CI/CD pipelines and infra-as-code.

                                                      EDIT: By the way, I don’t think it’s inherently bad to use Python, but I do think you need to be disciplined and avoid doing I/O when you don’t need to.

                                                      1. 1

                                                        In that scenario the code that calls out to Git “ahead of time” is configuration from my perspective, because each organization writes its own variant.

                                                2. 6

                                                  In my experience it’s nearly always a mistake, and only ever viable long-term if the configuration “program” is completely dead before the configured program starts to run. Once you can have a thread moving in and out of “configuration” code at run-time, you’re lost.

                                                  1. 4

                                                    Agreed. Turing complete configs and config generators have often been my personal hell. If you need that much power in your configs, something has probably gone very wrong in the design phase.

                                                    1. 6

                                                      I think Turing completeness is a red herring, since even with a language like Dhall you can write something that will finish evaluation after you’re dead.

                                                      1. 3

                                                        I think the real factor is I/O. People will try to call out to the network or do other state full things that break in weird ways.

                                                      2. 2

                                                        The problem isn’t Turing complete configs - they’re inevitable as you try to capture all the levels of exceptions your environments have and how those interact.

                                                        The problem is accidentally Turing complete configs, as a language that organically grows the power needed to do non-trivial configuration tends not to grow it in ways that are best designed in a formal sense.

                                                        1. 5

                                                          The problem isn’t Turing complete configs - they’re inevitable as you try to capture all the levels of exceptions your environments have and how those interact.

                                                          Yes, and the goal should be to start normalizing environments, rather than shoving more and more into an increasingly complex configuration.This is precisely what I meant by something going wrong in the design phase.

                                                          1. 2

                                                            It’s very rare that that’s possible. There’s production vs development vs test vs developer’s machine, each cluster has a different capacity in accordance with regional needs and redundancy requirements, some clusters are on the older hardware/OS/BIOS firmware, you’re canarying some features only in some clusters, you’re in the middle of rolling out a new software version which has different resource requirements, and some clusters don’t have some subcomponents as legal doesn’t want you running that subcomponent in that jurisdiction.

                                                            Real life is messy, and configuration has to be able to capture it. No matter how much you work on making things consistent, there’s always going to be new variances coming up.

                                                            1. 3

                                                              Yes, and given the time spent on this, I regularly find the investment in simplifying the environment is not that different from going all the way on configuration, and pays dividends in system maintainability down the line.

                                                              1. 2

                                                                The environment is already as simple as it reasonably can be, this is irreducible complexity. You can’t exactly tell people to stop buying new hardware, stop traffic growth, stop developing features, or stop doing releases.

                                                                The question then is how do you deal with managing that environment. That is the true problem of configuration/change management.

                                                                1. 1

                                                                  I’m not sure how you can say that with a straight face.

                                                                  However, if you really want to go that way, you can do even better than turing-complete configuration languages. Just hard code things. That means that you get full visibility into your setup with your monitoring tools, can step into it with your debugger, get well integrated logging, get full checking with static analyzers (which will even allow you to catch configuration bugs at compile time), and so on.

                                                                  Because you’ve exposed your current configuration to your linter or static type checker, you’ve actually the confidence you can have in your changes.

                                                                  And then, rolling out a new configuration is as simple as rolling out a new binary.

                                                                  1. 2

                                                                    I think we’re talking about vastly different systems here in terms of scale and complexity.

                                                                    1. 1

                                                                      I’ve worked on Google’s display ads infrastructure.

                                                                      So, why is “write your config in a real programming language” reasonable, but “and do it in the same language, statically analyzed, tested with the code it’s changing the behavior of, deployed using the same continuous rollout pipeline, and integrated with the rest of your service’s infrastructure” a bridge too far?

                                                                      If your objection is incremental rollouts – keep in mind that you can already have different behavior per node by filtering by cluster, hashing the node ID and checking a threshold - which you’d probably be doing in a turing complete config anyways. (Just, if it’s like most places I worked, with fewer unit tests).

                                                                      If your objection is observability, you’re already exporting all service state via /flagz or similar, right?

                                                                      1. 1

                                                                        I’ve worked on Google’s display ads infrastructure.

                                                                        I was an SRE for those systems.

                                                                        why is “write your config in a real programming language” reasonable

                                                                        I never said it was reasonable, and my experience is actually that imperative languages don’t work too well once you get into the really complex use cases. You want declarative with inheritance, to capture all the nested levels of exceptions within a given configuration. Even then you need to factor it carefully, and do most of the other code health stuff you would with “real” programming.

                                                                        Because you’ve exposed your current configuration to your linter or static type checker, you’ve actually the confidence you can have in your changes.

                                                                        I’m not seeing how any of this has anything to do with static analysis, nor how it makes a difference either way in terms of monitoring, debugging, or logging.

                                                                        Confidence comes from seeing that the settings I want to change ended up changed in the dry run of the config change. Whether it actually has the desired ultimate effect is a different question entirely.

                                                                        And then, rolling out a new configuration is as simple as rolling out a new binary.

                                                                        That’s assuming that the cost of rolling out a new binary is effectively free. Building and running the automated tests for the binary could take rather a long time. That’s even worse if you want to quickly iterate on a setting on a single process before doing a broader rollout. Baking settings into binaries also doesn’t cover settings that can’t be baked into binaries, such as resource and scheduling requests.

                                                                        1. 1

                                                                          That’s assuming that the cost of rolling out a new binary is effectively free. Building and running the automated tests for the binary could take rather a long time.

                                                                          Sure, but config should also be running integration tests. Especially if it’s in a complex, turing complete language. I’d be rather surprised if config changes weren’t the source of comparable numbers of outages as code changes. Either via tickling a bug in existing code that shows up when config options are changed a certain way, or simply via being wrong.

                                                                          And the more complex your configuration, and the more power you put into the config language, the closer it gets to being “just more code”, but with worse quality control.

                                                                          So, if you go 90% of the way and give up on fighting config complexity, you may as well go the last few percent, and give it proper code treatment.

                                                                          1. 1

                                                                            You’re conflating two things there.

                                                                            Firstly how should you safely deploy a config change, presuming that it’s changing exactly the config it’s meant to change. Strategies there vary, and a code-like change (e.g. enable user-visible feature X) versus an operational change (e.g. increase the size of a threadpool) are best served by different types of testing. Having to wait for multi-day integration tests that involve multiple other humans for a threadpool tweak isn’t reasonable, on the other hand looking only at CPU usage when you’ve enabled a new feature isn’t right either.

                                                                            Secondly how do you ensure that you’re only changing the config that you expect to change. You can get pretty far by diffing the raw output configs, as unlike standard programming we have a complete set of possible inputs (i.e. all the config files). So it is practical to do a mass diff and have a human glance over it on every change. Unittests would likely hinder more than help here, as they’d either be overly specific and just create busy work on every change - or not specific enough and never catch anything.

                                                                            1. 1

                                                                              Secondly how do you ensure that you’re only changing the config that you expect to change. You can get pretty far by diffing the raw output configs, as unlike standard programming we have a complete set of possible inputs (i.e. all the config files).

                                                                              The proposal in the article was ‘import config’ as pure python code, and just execute it. There’s no raw output to diff in the author’s suggestion. And it can behave differently at runtime, inspecting the node that it runs on or the time of day, and doing different things based off that. If you’re doing that, I strongly think you’re going the wrong way. But if you’re going down that wrong path, take it all the way and integrate your “config” with the application fully.

                                                      3. 4

                                                        I don’t know how much you know Lua but it is a prime language for using like this. There are built-in features to create sandboxes which basically allow you to run untrusted code in a very restrictive environment. You can specify exactly which functions the untrusted code has access to and using the Lua C API, you can tie that environment into useful parts of your larger app.

                                                        1. 2

                                                          I think it REALLY depends upon your use case. Is this config for an internal tool that’s low impact? Maybe. Do we have to worry about hostile or under-informed users? That changes things.

                                                          1. 1

                                                            The problem is for many domains, more dynamism really is necessary. However, you can restrict unbounded looping and various I/O by using an embedded scripting language that supports those features, such as Starlark. https://go.starlark.net

                                                          1. 2

                                                            After a google-search, the explainations that I have found about what PAM is, were a bit too technical for my current understanding and knowledge of Linux. How would you describe the usage, the importance, the role, of this brick of the linux systems ?

                                                            (I say Linux, though I see it has been standardized on many other Unix like OSes.)

                                                            1. 4

                                                              Pam is an authentication/authorisation system, so in essence any time you “log in” PAM is involved.

                                                              For example ssh uses it to check usersnames&passwords, and then before the shell is created it might also setup ulimits etc.

                                                              1. 2

                                                                PAM is the standardized way in which applications (say “ssh” or “login” or your screensaver, etc) ask the “system” to authenticate and authorize a user. The “system” here is actually a library called libpam. libpam then looks at its configuration files (normally /etc/pam.conf and /etc/pam.d) for the rules to follow to authenticate a user for that application.

                                                                libpam replaces an older, less flexible, mechanism largely handled by NSS (Network Service Switch) or reading directly from fixed location files like “/etc/shadow”.

                                                                libpam came about because administrators wanted a flexible way to configure authentication on their systems, say requiring multiple factors via SSH but only a single factor on the serial port. Or supporting authentication mechanisms that are particular to their organization or environment, such as using a MySQL database to determine if a user is allowed to login to the current system via SSH.

                                                              1. 6

                                                                I find it curious that the Blink team at Google takes this action in order to prevent various other teams at Google from doing harmful user-agent sniffing to block browsers they don’t like. Google certainly isn’t the only ones, but they’re some of the biggest user-agent sniffing abusers.

                                                                FWIW, I think it’s a good step, nobody needs to know I’m on Ubuntu Linux using X11 on an x86_64 CPU running Firefox 74 with Gecko 20100101. At most, the Firefox/74 part is relevant, but even that has limited value.

                                                                1. 14

                                                                  They still want to know that. The mail contains a link to the proposed “user agent client hints” RFC, which splits the user agent into multiple more standardized headers the server has to request, making “user-agent sniffing” more effective.

                                                                  1. 4

                                                                    Oh. That’s sad. I read through a bit of the RFC now, and yeah, I don’t see why corporations wouldn’t just ask for everything and have slightly more reliable fingerprinting while still blocking browsers they don’t like. I don’t see how the proposed replacement isn’t also “an abundant source of compatibility issues … resulting in browsers lying about themselves … and sites (including Google properties) being broken in some browsers for no good reason”.

                                                                    What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting? How is it responsible to let the server ask for the exact model of device you’re using?

                                                                    The spec even contains wording like “To set the Sec-CH-Platform header for a request, given a request (r), user agents MUST: […] Let value be a Structured Header object whose value is the user agent’s platform brand and version”, so there’s not even any space for a browser to offer an anti-fingerprinting setting and still claim to be compliant.

                                                                    1. 4

                                                                      What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting?

                                                                      Software download links.

                                                                      How is it responsible to let the server ask for the exact model of device you’re using?

                                                                      … Okay, I’ve got nothing. At least the W3C has the presence of mind to ask the same question. This is literally “Issue 1” in the spec.

                                                                      1. 3

                                                                        Okay, I’ve got nothing.

                                                                        I have a use case for it. I’ve a server which users run on a intranet (typically either just an access point, or a mobile phone hotspot), with web browsers running on random personal tablets/mobile devices. Given that the users are generally not technical, they’d probably be able to identify a connected device as “iPad” versus “Samsung S10” if I can show that in the web app (or at least ask around to figure out whose device it is), but will not be able to do much with e.g an IP address.

                                                                        Obviously pretty niche. I have more secure solutions planned for this, however I’d like to keep the low barrier to entry that knowing the hardware type from user agent provides in addition to those.

                                                                      2. 2

                                                                        What possible use case could a website have for knowing whether I’m on ARM or Risc-V or x86 or x86_64 other than fingerprinting?

                                                                        Benchmarking and profiling. If your site performance starts tanking on one kind of processor on phones in the Philippines, you probably want to know that to see what you can do about it.

                                                                        Additionally, you can build a website with a certain performance budget when you know what your market minimally has. See the Steam Hardware and Software Survey for an example of this in the desktop videogame world.

                                                                        Finally, if you generally know what kinds of devices your customers are using, you can buy a bunch of those for your QA lab to make sure users are getting good real-world performance.

                                                                    2. 7

                                                                      Gecko 20100101

                                                                      Amusingly, this date is a static string — it is already frozen for compatibility reasons.

                                                                      1. 2

                                                                        Any site that offers you/administrators a “login history” view benefits from somewhat accurate information. Knowing the CPU type or window system probably doesn’t help much, but knowing it’s Firefox on Ubuntu combined with a location lookup from your IP is certainly a reasonable description to identify if it’s you or someone else using the account.

                                                                        1. 2

                                                                          There are terms I’d certainly like sites to know if I’m using a minority browser or a minority platform, though. Yes, there are downsides because of the risk of fingerprinting, but it’s good to remind sites that people like me exist.

                                                                          1. 1

                                                                            Though the audience here will play the world’s tiniest violin regarding for those affected the technical impact aspect may be of interest.

                                                                            The version numbering is useful low-hanging-fruit method in the ad-tech industry to catch fraud. A lot of bad actors use either just old browsers[1] or skew browser usage ratios; though of course most ‘fraud’ detection methods are native and just assume anything older than two major releases is fraud and ignore details such as LTS releases.

                                                                            [1] persuade the user to install a ‘useful’ tool and it sits as a background task burning ads or as a replacement for the users regular browser (never updated)

                                                                          1. 1

                                                                            Samsung M2022W Black&White laser. Never really got the wifi all figured out, so connected to a Ubuntu machine via USB.

                                                                            1. 15

                                                                              Maybe some folk don’t understand what’s going on here, but this is in direction violation of Postel’s law:

                                                                              They’re blocking access from old devices for absolutely no technical reason; they’re blocking read-only access from folks that might not have any other devices at their disposal.

                                                                              If you have an old iPod lying around, why on earth should you not be able to read Wikipedia on it? Absolutely no valid technical reason to deny access. Zilch. None. Nada.

                                                                              There’s no reason it shouldn’t be possible to read Wikipedia over straight HTTP, for that matter.

                                                                              1. 9

                                                                                I know next to nothing about security so correct me if I’m wrong, but doesn’t leaving old protocols enabled make users vulnerable to downgrade attacks?

                                                                                1. 14

                                                                                  You’re applying bank-level security to something that’s public information and should be accessible to everyone without a licence or access control in the first place. I don’t even know what sort of comparison to make here best, because in my view requiring HTTPS in the first place here was a misguided decision that’s based on politics, corporate interests and fear, not on rational facts. Postel’s law is also a well-known course of action in telecommunication, even Google still follows it — www.google.com still works just fine over straight HTTP, as does Bing, no TLS mandated from those who don’t want it.

                                                                                  1. 5

                                                                                    I agree with you, I’d like to be able to access Wikipedia with HTTP, but this is in my opinion a different issue from disabling old encryption protocols.

                                                                                    Accessing Wikipedia with secure and up to date protocols might not be necessary to you but it might be for people who live under totalitarian regimes. One could argue that said regimes have better ways to snoop on their victims (DNS tracking, replacing all certificates with one they own…) but I still believe that if enforcing the use of recent TLS versions can save even a single life, this is a measure worth taking. It would be interesting to know if Wikipedia has data on how much it is used by people living in dictatorships and how much dropping old TLS versions would help these people.

                                                                                    1. 4

                                                                                      totalitarian regimes

                                                                                      It’s funny you mention it, because this actually would not be a problem under a totalitarian regime with a masquerading proxy and a block return policy for the https port and/or their own certificates and a certificate authority. See https://www.xkcd.com/538/.

                                                                                      Also, are you suggesting that Wikipedia is basically blocking my access for my own good, even though it’s highly disruptive to me, and goes against my own self-interests? Yet they tell me it is in my own interest that my access is blocked? Isn’t that exactly what a totalitarian regime would do? Do you not find any sort of an irony in this situation?

                                                                                      1. 3

                                                                                        “Isn’t that exactly what a totalitarian regime would do?”

                                                                                        I think you may have overstated your case here.

                                                                                        1. 2

                                                                                          this actually would not be a problem under a totalitarian regime with a masquerading proxy and a block return policy for the https port and/or their own certificates and a certificate authority.

                                                                                          Yes, this is what I meant when I wrote “One could argue that said regimes have better ways to snoop on their victims”.

                                                                                          Also, are you suggesting that Wikipedia is basically blocking my access for my own good

                                                                                          No, here’s what I’m suggesting: there are Wikipedia users who live in countries where they could be thrown in jail/executed because of pages they read on Wikipedia. These users are not necessarily technical, do not know what a downgrade attack is and this could cost them their lives. Wikipedia admins feel they have a moral obligation to do everything they can to protect their lives, including preventing them from accessing Wikipedia if necessary. This is a price they are willing to pay even if it means making Wikipedia less convenient/impossible to use for other users.

                                                                                    2. 1

                                                                                      If they left http, yeah, sure. But I don’t think any attack that downgrades ssl encryption method exists, both parties always connect using the best they have. If there exists one, please let me know.

                                                                                      There is no technical reason I’m aware of. Why does wikipedia do this? It’s not like I need strong encryption to begin with, I just want to read something on the internet.

                                                                                      I still have usable, working smartphone with android Gingerbread, it’s the first smartphone I ever used. It’s still working flawlessly and I’m using it sometimes when I want to quickly find something when my current phone has no battery and I don’t want to turn on my computer.

                                                                                      This move will for no reason kill my perfectly working smartphone.

                                                                                      1. 9

                                                                                        But I don’t think any attack that downgrades ssl encryption method exists,

                                                                                        Downgrade attacks are possible with older versions of SSL e.g. https://www.ssl.com/article/deprecating-early-tls/

                                                                                        It’s not like I need strong encryption to begin with, I just want to read something on the internet.

                                                                                        Which exact page you’re looking at may be of interest, e.g. if you’re reading up on medical stuff.

                                                                                        1. 1

                                                                                          Which exact page you’re looking at may be of interest, e.g. if you’re reading up on medical stuff.

                                                                                          Are you suggesting that we implement access control in public libraries, so that noone can browse or checkout any books without strict supervision, approvals and logging by some central authority? (Kinda like 1984?)

                                                                                          Actually, are you suggesting that people do medical research and trust information from Wikipedia, literally edited by anonymous people on the internet?! HowDareYou.gif. Arguably, this is the most misguided security initiative in existence if thought of in this way; per my records, my original accounts on Wikipedia were created before they even had support for any TLS at all; which is not to say it’s not needed at all, just that it shouldn’t be a mandatory requirement, especially for read-only access.

                                                                                          P.S. BTW, Jimmy_Wales just responded to my concerns — https://twitter.com/jimmy_wales/status/1211961181260394496.

                                                                                          1. 10

                                                                                            Are you suggesting that we implement access control in public libraries, so that noone can browse or checkout any books without strict supervision, approvals and logging by some central authority? (Kinda like 1984?)

                                                                                            I’m saying that you may not wish other people to infer what medical conditions you may have based on your Wikipedia usage. So TLS as the default is desirable here, but whether it should be mandatory is another question.

                                                                                            1. 2

                                                                                              Are you suggesting that we implement access control in public libraries, so that noone can browse or checkout any books without strict supervision, approvals and logging by some central authority? (Kinda like 1984?)

                                                                                              PSST, public libraries in the western world already do this to some extent. Some countries are more central than others thanks to the US PATRIOT Act.

                                                                                              1. 1

                                                                                                public libraries in the western world

                                                                                                Not my experience at all; some private-university-run libraries do require ID for entry; but most city-, county- and state-run libraries still allow free entry without having to identify yourself in any way. This sometimes even extends to making study-room reservations (can often be made under any name) and anonymous computer use, too.

                                                                                          2. 8

                                                                                            I still have usable, working smartphone with android Gingerbread, it’s the first smartphone I ever used. It’s still working flawlessly and I’m using it sometimes when I want to quickly find something when my current phone has no battery and I don’t want to turn on my computer.

                                                                                            This move will for no reason kill my perfectly working smartphone.

                                                                                            It’s not working flawlessly, the old crypto protocols and algorithms it uses have been recalled like a Takata airbag, and you’re holding on because it hasn’t blown up in your face yet.

                                                                                            1. 2

                                                                                              This move will for no reason kill my perfectly working smartphone.

                                                                                              (my emphasis)

                                                                                              So you just use this phone to access Wikipedia, and use it for nothing else?

                                                                                              If so, that’s unfortunate, but your ire should be directed to the smartphone OS vendor for not providing needed updates to encryption protocols.

                                                                                              1. 2

                                                                                                our ire should be directed to the smartphone OS vendor for not providing needed updates to encryption protocols

                                                                                                I think it’s pretty clear that the user does not need encryption in this use-case, so, I don’t see any reason to complain to the OS vendor about encryption when you don’t want to be using any encryption in the first place. Like, seriously, what sort of arguments are these? Maybe it’s time to let go of the politics in tech, and provide technical solutions to technical problems?

                                                                                                1. 1

                                                                                                  As per my comment, I do believe that the authentication provisions of TLS are applicable to Wikipedia.

                                                                                                  Besides, the absolute outrage if WP had not offered HTTPS would be way bigger than now.

                                                                                          3. 15

                                                                                            I find the connection to Postel’s law only weak here, but in any case: This is the worst argument you could make.

                                                                                            It’s pretty much consensus among security professionals these days that Postel’s law is a really bad idea: https://tools.ietf.org/html/draft-iab-protocol-maintenance-04

                                                                                            1. 3

                                                                                              I don’t think what passes for “postel’s law” is what Postel meant, anyway.

                                                                                              AFAICT, Postel wasn’t thinking about violations at all, he was thinking about border conditions etc. He was the RFC editor, he didn’t want anyone to ignore the RFCs, he wanted them to be simple and easy to read. So he wrote “where the maximum line length is 65” and meant 65. He omitted “plus CRLF” or “including CRLF” because too many dotted i’s makes the prose heavy, so you ought to be liberal in what you accept and conservative in what you generate. But when he wrote 65, he didn’t intend the readers to inter “accept lines as long as RAM will allow”.

                                                                                              https://rant.gulbrandsen.priv.no/postel-principle is the same argument, perhaps better put.

                                                                                              IMO this is another case of someone wise saying something wise, being misunderstood, and the misunderstanding being a great deal less wise.

                                                                                              1. 2

                                                                                                I can’t really understand advocating laws around protocols except for “the protocol is the law”. Maybe you had to be there at the time.

                                                                                              2. 6

                                                                                                As I understand it, they’re protecting one set of users from a class of attack by disabling support for some crypto methods. That seems very far from “absolutely no technical reason”.

                                                                                                As for HTTP, if that were available, countries like Turkey would be able to block Wikipedia on a per-particle basis, and/or surveil its citizens on a per-article basis. With HTTPS-only, such countries have to open/close Wikipedia in toto, and cannot surveil page-level details. Is that “no reason”?

                                                                                                1. 1

                                                                                                  As for HTTP, if that were available, countries like Turkey would be able to block Wikipedia on a per-particle basis, and/or surveil its citizens on a per-article basis. With HTTPS-only, such countries have to open/close Wikipedia in toto, and cannot surveil page-level details. Is that “no reason”?

                                                                                                  I don’t understand why people think this is an acceptable argument for blocking HTTP. It reminds me of that jealous spouse scenario where someone promises to inflict harm, either to themselves or to their partner, should the partner decide to leave the relationship. “I’ll do harm if you censor me!”

                                                                                                  So, Turkey wants to block Wikipedia on a per-article business? That’s their decision, and they’ll go about it one way or another, I’m sure the politicians they don’t particularly care about the tech involved anyways (and again, it’s trivial for any determined entity to block port 443, and do a masquerade proxy on port 80, and if this is done on all internet connections within the country, it’ll work rather flawlessly, and noone would know any better). So, it’s basically hardly a deterrent for Turkey anyways. Why are you waging your regime-change wars on my behalf?

                                                                                                  1. 1

                                                                                                    Well, Wikipedia is a political project, in much the same way that Stack Overflow is. The people who write have opinions on whether their writings should be available to people who want to read.

                                                                                                    You may not care particularly whether all of or just some of the information on either Wikipedia or SO are available to all Turks, but the people who wrote that care more, of course. They wouldn’t spend time writing if they didn’t care, right? To these people, wanting to suppress information about the Turkish genocide of 1915 is an affront.

                                                                                                    So moving to HTTPS makes sense to them. That way, the Turkish government has to choose between

                                                                                                    • allowing Turks to read about the genocide
                                                                                                    • not allowing Turks any use of Wikipedia

                                                                                                    The Wikipedians are betting that the second option is unpopular with the Turks.

                                                                                                    It’s inconvenient for old ipad users, but if you ask the people who spend time writing, I’m sure they’ll say that being able to read about your country’s genocide at all is vastly more important than being able to read using old ipads.

                                                                                                2. 4

                                                                                                  I can think of several reasons:

                                                                                                  • not letting people know what you are reading
                                                                                                  • not letting people censor some articles
                                                                                                  • not letting people modify some articles (for example putting an incorrect download link for a popular software without being detected)
                                                                                                  • making an habit that everything should be HTTPS (for example for people to not be fooled by phishing sites with the lockpad in the URL bar)
                                                                                                  1. 2

                                                                                                    So what’s to stop a totalitarian regime from doing the following?

                                                                                                    • Redirect all DNS queries to their own DNS servers? The root DNS servers use fixed IP addresses, so it would be easy enough to reroute those addresses to return any address they want.
                                                                                                    • Redirect all DoH to 1.1.1.1 (or other well known DoH addresses) to again, their own server? Is the CloudFlare public key installed on all browsers? How would you know you are hitting CloudFlare, and not TotallyCloudFlare served by TotallyLegitCA?
                                                                                                    • Given control over DNS, redirect users to TotallyWikipedia? Again, do you know what CA Wikipedia uses? They can then decode (doesn’t matter if it’s SSL/1.0 or TLS/1.3) the request and proxy it or send out security to question the loyalty of the citizen. Or you know, download the entirety of Wikipedia (which anyone can do), and serve up a cleaned up version to their citizens.
                                                                                                    1. 1

                                                                                                      The difficulty is to setup/enrole TotallyLegitCA. How do you do that? If TotallyLegitCA is public, the transparency log will quickly reveal what they are doing. The only way to pull that seems to force people to have your CA installed, like Kazakhstan is doing.

                                                                                                      1. 2

                                                                                                        We’re talking about a totalitarian regime (or you know, your standard corporation who install their own CA in the browser).

                                                                                                  2. 3

                                                                                                    That’s actually incorrect. There are various technical reasons. But also remember that they need to operate on a vast scale as a non-profit. This is hard.

                                                                                                    Here are some technical reasons. I’m sure others will chime in as there are likely many more.

                                                                                                    • some attacks on TLSv1.0 can compromise key material which is used for the newer, secure versions of TLS
                                                                                                    • attacks only get better
                                                                                                    • removing old code reduces complexity
                                                                                                    1. 0

                                                                                                      providing a read-only version without login over HTTP shouldn’t really add any new code except they’d be on a HTTP-2-only webserver if I’m not mistaken.

                                                                                                    2. 2

                                                                                                      There are arguments for an inverse-postel’s law given in https://m.youtube.com/watch?v=_mE_JmwFi1Y

                                                                                                      1. 0

                                                                                                        But I hear all the time that I must ensure my personal site uses HTTPS and that soon browsers will refuse to connect to “insecure” sites. Isn’t this a good thing Wikipedia is doing? /s

                                                                                                        Edit also see this discussion: https://lobste.rs/s/xltmol/this_page_is_designed_last#c_keojc6

                                                                                                        1. 7

                                                                                                          I have HTTPS on my completely static website mostly so that no one asks why I don’t have HTTPS, but on the other hand, the “completely static” part is only relevant as long as there are only Eves in the middle and no Mallories.

                                                                                                          If serving everything over HTTPS will make the life of ISPs injecting ads and similar entities harder, it’s a good thing, until there’s a legal rather than technical solution to that.

                                                                                                          1. 2

                                                                                                            I actually think that HTTPS is reasonable for Wikipedia, if for nothing else to hinder 3rd parties for capture your embarrassing edits to “MLP: FIM erotica” and tracing it to back to you. For a static, read-only site it just adds cost and/or a potential point of failure.

                                                                                                            1. 1

                                                                                                              For a static, read-only site it just adds cost and/or a potential point of failure.

                                                                                                              dmbaturin just said what the value add is. HTTPS prevents third parties from modifying the content of your static site.

                                                                                                      1. 1

                                                                                                        This is a great solution if you are already running prometheus, or if you are interested in doing so. I do like the simplicity of hchk.io for cases where I don’t want to run prometheus (and related services/tooling like grafana, and push-gateway).

                                                                                                        Great idea and writeup though! Next time I have to run prometheus at a job, I’ll definitely keep this in mind for tracking the errant cron jobs that always seems to sneak in there somewhere.

                                                                                                        1. 1

                                                                                                          As I mentioned in https://blog.bejarano.io/alertmanager-alerts-with-amazon-ses/#sup1, I do not run Grafana or any dashboarding because I consider it worthless and time-consuming to set up.

                                                                                                          Thanks for the feedback!

                                                                                                          1. 1

                                                                                                            At a small scale the expression browser is sufficient (I use it for most of my work), but once you get beyond that something like Grafana is essential.

                                                                                                        1. 4

                                                                                                          I run Prometheus at home, though I’m obviously a bit biased there.

                                                                                                          1. 3

                                                                                                            I’m not biased and I run Prometheus at home, and elsewhere. Blackbox Exporter running on RPis in various physical/network locations, with ZeroTier. Most of the Blackbox Exporter target configuration uses DNS service discovery. Alert Manager for alerting. I’ve used many different monitoring systems and recommend Prometheus+Grafana, with Netdata for some low-level monitoring.

                                                                                                          1. 1

                                                                                                            People is suggesting keeping your gmail account “alive” for a while, but in the case of that account being bound to something that you own, like your Git commits somewhere, it means that you’ll have to keep that account safe, forever.

                                                                                                            I have two questions:

                                                                                                            • Is there a way of changing your commit history to reflect to a new email address that does not belong to a centralized corporation but to you, in the form of a domain you own.
                                                                                                            • Is it possible to use another identification mechanism, a signature that is not bound to an email address? An email address requires infrastructure to work, and that eventually could belong to someone else, like your the domain your email is part of
                                                                                                            1. 2

                                                                                                              Is there a way of changing your commit history to reflect to a new email address that does not belong to a centralized corporation but to you, in the form of a domain you own.

                                                                                                              Yes in theory, however that changes all the hashes so no in practice.

                                                                                                              1. 2

                                                                                                                in my experience, just start committing with the new address and update any mailmap and authors files. can’t do anything about published history…

                                                                                                                1. 1

                                                                                                                  You could use git filter-branch to rewrite the entire git repository to replace your old e-mail address with your new one, but that will change the hash of every commit so it will be a terrible experience for anyone who has an existing clone of your repository. I think it’s not worth it.

                                                                                                                  1. 1

                                                                                                                    Is it possible to use another identification mechanism, a signature that is not bound to an email address? An email address requires infrastructure to work, and that eventually could belong to someone else, like your the domain your email is part of

                                                                                                                    In GitHub, you can choose to keep your email private and use something to the tune of username@users.noreply.github.com. See the details here

                                                                                                                  1. 14

                                                                                                                    I still can’t get over the fact that someone got an idea to refresh HTML document tree 60 times per second and make HTML document viewer render it over and over and call it as “application”.

                                                                                                                    It’s so wrong on just too many levels that I don’t even know where to start, and people basically just don’t even notice that.

                                                                                                                    1. 11

                                                                                                                      But it doesn’t actually work the way? In AJAX apps, DOM is only updated on events (e.g. click, user network data received). You would have to have a timer to actually update it regularly in the background.

                                                                                                                      Probably the place it gets close to that is when they hijack the scroll event, which is horrible. But even that’s not changing the DOM if you’re not scrolling.

                                                                                                                      FWIW I agree with the premise of the OP, but I don’t think your criticism is accurate.

                                                                                                                      1. 7

                                                                                                                        It’s not the first time that someone got an idea to build GUIs by just extending existing document-rendering technology…

                                                                                                                        1. 9

                                                                                                                          DPS is a little bit different, because postscript is a programming language (specifically, a forth dialect with logo/turtle-style pen control). It’s relatively sensible to do widget-drawing with a language optimized for drawing arbitrary line graphics. A web app is more like trying to use dot macros to modify an MS word document at 30fps.

                                                                                                                          1. 9

                                                                                                                            A web app is more like trying to use dot macros to modify an MS word document at 30fps.

                                                                                                                            That reminds me, years ago my dad, who was a chemical engineer in a large company, showed me a simulation he’d gotten as an email attachment from a colleague. It had a pretty decent graphical animation entirely within an Excel spreadsheet. Part of the sheet was a “normal” spreadsheet with the actual formulas, but another part had cells resized to be small and rectangular, and their colors were changed a few times a second by macros, producing a medium-resolution raster-graphics display basically. This was apparently relatively common, because it made the graphical output self-contained within the same spreadsheet that you could mail around.

                                                                                                                        2. 7

                                                                                                                          I am not actually that offended by this idea, because most GUI applications are enhanced document viewers. But I do think that when your application requires to be run at 60 fps, you should use something else.

                                                                                                                          For example: The interoperability problem has already been solved with Java and if you really need something with more performance than that, you’d basically have to resort to lower level code like C/C++.

                                                                                                                          But if “a glorified document viewer and/or editor” all your application is, then an web-application will more than suffice.

                                                                                                                          1. 3
                                                                                                                            1. 5

                                                                                                                              Web apps are a cool hack, and I absolutely love the perverse joy one gets from making something impressive using the absolute wrong tools for the job. But, the point of a cool hack is that the idea that somebody would use it seriously or for important tasks is absurd.

                                                                                                                            2. 3

                                                                                                                              A developer equivalent of https://xkcd.com/763/

                                                                                                                              1. 2
                                                                                                                              1. 1

                                                                                                                                I’m loving the “log stdout” part, everything else can basically be ignored.

                                                                                                                                1. 2

                                                                                                                                  That’s definitely an improvement over the syslog situation, at least for our deployments. The native Prometheus export is neat as well; saves having to build an adapter to run alongside for metrics.

                                                                                                                                  1. 2

                                                                                                                                    I was partly joking. Not being able to log to stderr or stdout has caused so many problems because it’s basically impossible to debug haproxy without syslog being present (and HAProxy has the annoying tendence to stop logging if syslog hangs up such as happens when the network has a hiccup in an rsyslog sitaution)

                                                                                                                                    1. 1

                                                                                                                                      That exporter is one of the oldest: https://github.com/prometheus/haproxy_exporter

                                                                                                                                      1. 2

                                                                                                                                        Nope, this is a new, exporter-less endpoint, built into HAProxy itself: https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/

                                                                                                                                  1. 3

                                                                                                                                    Speaking as a Prometheus developer, it’s very easy to run Prometheus locally and I’ve done this in the past to debug both Prometheus (https://www.robustperception.io/optimising-go-allocations-using-pprof) and other applications. Most of the time I’m debugging the sort of issue that metrics aren’t suitable for though, so I’ll be print lining.

                                                                                                                                    1. 4

                                                                                                                                      https://www.robustperception.io/blog covers the Prometheus monitoring system, how to use it and why it is the way it is.

                                                                                                                                      1. 2

                                                                                                                                        Could one store the IP address of the initial request that causes you to generate a JWT in the token itself? Then you can validate that the current request comes from the same IP. If they’re different, then force them to log in again from their current IP.

                                                                                                                                        The user would need to re-login if they turn on a VPN or change locations, but that’s a small price to pay if that reduces the possibility for certain types of attacks. I’m definitely not a security expert, but working on a fairly sensitive app where a breach would be bad for a user. The fact that I haven’t seen this suggested next to more complex safeguards makes me think there’s a fundamental flaw in it that I’m just not thinking of.

                                                                                                                                        1. 5

                                                                                                                                          IPs aren’t a great factor to base stuff like this one, although that’s a good idea.

                                                                                                                                          I think what’s better is something like token binding (https://datatracker.ietf.org/wg/tokbind/documents/) which is a way to pin a certain token to a specific TLS session. This way you have some basic guarantees. But in the real world things are sorta messy =p

                                                                                                                                          1. 2

                                                                                                                                            Most home users would have to re log in every day. Services that tie my login to an IP address piss me off so much because they are constantly logging me out.

                                                                                                                                            1. 2

                                                                                                                                              The fact that I haven’t seen this suggested next to more complex safeguards makes me think there’s a fundamental flaw in it that I’m just not thinking of.

                                                                                                                                              It’s not a safe presumption that a users requests will always come from the same IP - even from request to request. Their internet access could be load balanced or otherwise change due to factors like roaming.

                                                                                                                                              1. 1

                                                                                                                                                Yeah that is also a common technique for cookies. If the remote IP changes you can invalidate the cookie.

                                                                                                                                              1. 4

                                                                                                                                                Nice article.

                                                                                                                                                Beware that InstrumentHandler is deprecated, and the functions in https://godoc.org/github.com/prometheus/client_golang/prometheus/promhttp are the recommend replacement.

                                                                                                                                                Splitting out latency with a success/failure label is also not recommended as a) if you have only successes or only failures, your queries break and b) users tend to create graphs of only success latency and miss all those slow failing requests. Separate success and failure metrics are better, and also easier to work with in PromQL.

                                                                                                                                                1. 3

                                                                                                                                                  Thanks for the suggestions Brian! promhttp package contains even more nice things like in flight requests. Maybe we should explicitly say ok in docs that InstrumentHandler is deprecated in favor of promhttp types? I don’t mind making a PR in docs