1. 2

    I just bought Shenzhen I/O, and the SO is out all weekend, so time to binge on logic puzzles!

    1. 1

      Have you played Exapunks? I love Zachtronics games, and am playing them oldest-to-newest. Almost done with Infinifactory!

      1.  

        I have not. I was a big fan of TIS-100, that was the only other Zachtronics game I have played.

        Just read about Exapunks and Infinifactory.. there goes any ‘spare time’ productivity for at least a month..

    1. 2

      I guess joining redhat in supporting a release for 10 years. That feels like a /long/ damn time to support a Linux OS release though… yikes.

      1. 3

        If they take this decision, it’s probably that they ran the numbers and see it profitable according to their potential customers.

        My thought is more that there’s probably an issue somewhere if companies prefer to stay on the same OS version for years.

        1. 2

          No kidding. Considering how much the kernel, and hardware/platforms, change in a decade, Canonical has a LOT of backporting work ahead of them. Backporting a security fix written for a kernel that is years newer than yours cannot always be fun.

        1. 5

          Interesting article. Nothing to do with computers.

          1. 25

            Hence the ‘science’ tag. There’s a range of topics covered by this tag over the years and sometimes something is just interesting.

            1. 15

              +1 I appreciate any interesting content on Lobste.rs :)

              1. 4

                It is interesting, but does it mean that lobste.rs is the place to post it? Imho, no.

                1. 3

                  Is there an official word on what is appropriate or not? That Other Site has IMHO a good guide to what’s on- and what’s off-topic.

                  1. 4

                    When you post an article here, it says that if you cannot find a tag that fits your post, then it probably doesn’t belong here.

                    1. 5

                      So, we have a rule for tech stuff only and a science tag. An apparent contradiction. There’s two interpretations:

                      1. Science articles are an exception to the tech rule since technologists are often interested in science.

                      2. One can only post articles that mix science and technology. Medical tech is an easy example here.

                      I don’t have a lot to go on since science submissions are pretty rare. I say rare since some stories with the tag maybe didn’t need it. Anyway, what little I’ve seen in terms of votes and enforcement says No. 1 is the de facto rule. The votes in this thread, esp for GeoffWozniak’s and Todd’s comments, corroborate No. 1 being the community’s preference. I waited a while to reply to make sure the votes didn’t swing.

                      1. 3

                        This debate about what’s appropriate on a tech news aggregator site goes back at least 15 years, to slashdot and the like.

                        The closest we came to ideal was to describe the mix as a kind of omelette. Main parts consisting of tech stories, some science and related fields thrown in, with a pinch of just random interesting stuff and news from the scope of humanities.

                        It’s just my opinion but one of the things that keeps holding IT back is a myopic focus on purely technical matters, when in reality it’s more and more interconnected with different fields/areas, especially including areas falling under soft sciences.

                        1. 1

                          They are often myopic. However, we can also specialize forums to focus on one thing. The people wanting this to be just tech, esp deep stuff, might be on other forums for politics, science, etc. Similarly, most people wouldn’t protest Popular Science blocking articles that do in-depth analysis of bills on C-SPAN. People interested in that stuff have law journals or blogs to read.

                        2. 1

                          I mean, I’m sure there’s a hell of a lot of “tech” (in the narrow sense) involved in the analysis of the ice cores mentioned in the article.

                          1. 2

                            Under interpretation 1, it wouldn’t matter since we allow science in general. Under No 2, write-ups on the tech behind the analysis would be allowed but not the original article.

                            1. 1

                              So much science cannot be done without technology (would an article on how we take ice cores be on topic? Very few people here will ever have to take an ice core, but I would find such an article very interesting!) Is just reporting on the tech allowed, or are the conclusions drawn valid to discuss?

                              As long as there’s a “science” tag, this kind of article is on-topic. History is science after all [pdf]

                    2. 0

                      Yes that’s why I was the first to flag this as off topic.

                1. 4

                  I’ve always found it annoying that Red Hat offers no way to upgrade across major versions. This is to me an essential feature. There seems to be some (very limited) support for it nowadays, but it’s nothing compared to (for example) the Debian upgrade story.

                  1. 6

                    Redhat brings out new versions every ~5 years, supports them for 10 years. After that many years imho it’s better to re-install if only to make sure there are no dependencies someone installed by hand. This will make your life easier by reducing technical debt. At least that’s the theory…

                    1. 1

                      And it’s pretty rare to have a system live longer than 10 years in an enterprise environment.

                      1. 12

                        Yeah, you’d think so. You’d really think so.

                        (pours another shot)

                        1. 1

                          Well, obviously there are going to be small exceptions, but can anyone produce an example of a 1000+ system datacenter running 10yr+ old systems for production? Most of my background is HPC, and that would have been quite rare to see because of power inefficiency.

                          1.  

                            In the HPC world, that may be true. In a typical enterprise, it’s nothing of the sort.

                            In a typical medium-sized enterprise, you have multiple datacenters filled with some mix of modern and “legacy” hardware in each. All of this is managed by separate teams operating in their own little silos. Projects come and go based on which middle managers impressed a C-level exec last week on the golf course. Even in a particularly profitable year when the purse strings are loosened up enough to modernize most of the infrastructure, there’s that one fucking server that’s responsible for some highly business-critical task but the person who knew the task and wrote the software (in friggen Delphi or something, probably) retired five years ago. Nobody wants to touch it because there’s no documentation on it and the source code was lost when IT re-imaged his desktop PC after he left. Many have tried to virtualize it or at least upgrade the OS but all have failed. The last time it went down in the middle of the day, the CEO of the company came down personally from the seventh floor just to yell at a room full of IT managers for two hours with the conference room door deliberately left open. The best anyone can do about it now is monitor some opaque queue status built into the thing, have some spare hardware handy, and make sure all the backups still run nightly.

                            Yes, a company could hire a consultant to come in and disassemble the code to figure out how it works, and then possibly write a more maintainable clone for it. But that would introduce risk to whatever business process it manages and it would cost a lot more money than just keeping the old thing chugging along a little while longer, which is already working fine and, much more importantly, has already been paid for.

                            That’s the enterprise I know, anyway.

                            1. 1

                              I believe Google had this problem and ended up installing Debian over top of each Red Hat box. https://www.usenix.org/node/177348

                          2. 1

                            Physical systems? Yes. That was the great thing about applications running directly on physical servers. Server warranty expired -> application had to be installed somewhere else, and most likely with a new OS and newer application version. Now with virtualization the VMs simply get migrated to a new cluster when the hardware is EOL. Aaand of course the application is important enough that management accepts the system running although there haven’t been security patches for years…

                          3. 1

                            In OpenBSD it is easy and with little pain to perform a similar task, in my opinion that’s one of the benefits of developing a coherent system with unified and carefully maintained set of tools, developed wisely by the same team. In GNU, many of the basic userland operating system programs don’t have the same maintainer, and are not developed as part of an entity.

                            1. 2

                              I don’t think you understand, this has nothing to do with the operating system itself. If you leave any system running with users that can access it, bad things will happen. They will put small shell scripts on it that control mission critical functionality without you knowing, store important data on it, (ab)use it to access another system, …

                              While I agree that being able to do upgrades could in theory be handy, I believe periodically wiping a system and replacing it will end up being better. All depends on your environment/job of course, but I’ve seen a fair share of 8+year old systems, not regularly re-created and accessible by almost everyone in the company. Shutting them down will probably end up causing a downtime somewhere else, or someone will complain about his data becoming inaccessible. This is no fun…

                          4. 4

                            This is how ‘enterprise’ in the Red Hat world works.

                            You can upgrade FreeBSD from 5.3-RELEASE - by several steps - up to latest 11.2-RELEASE but you can not upgrade Red Hat (or CentOS) from 6.9 to 7.5, because NOT.

                            1. 2

                              Looks like upgrading RHEL 6 to 7 server on x86_64 is supported.

                              1. 1

                                Have you checked the details?

                                • Limited package groups: The upgrade process handles only the following package groups and packages: Minimal (@minimal), Base (@base), Web Server (@web-server), DHCP Server, File Server (@nfs-server), CIFS File Server and Print Server (@print-server). Although upgrades of other packages and groups are not supported, in some cases, packages can be uninstalled from the RHEL 6 system and reinstalled on the upgraded RHEL 7 system without a problem. See the table below.

                                So no, you can not compare that to freebsd-update and/or pkg upgrade from FreeBSD which will work in ANY condition and with all packages/states supported.

                                By the way, it’s only an ‘additional’ article in the knowledge base, it’s not official documentation of the Red Hat system.

                              2. 1

                                Well, the modern way of working is immutable infrastructure (or at least scripted and therefore fastish to recreate) anyway, so that should be a moot point. And yeah, I know, in reality it is not :/

                              1. 2

                                Oil is a shell, for others like me who didn’t know: https://www.oilshell.org/blog/2018/01/28.html

                                1. 4

                                  This script is Raspberry Pi specific, and relies on the Raspberry Pi having a default password (which is “raspberry”) and on sudo being set up so that no password is needed (which is also the default in Raspbian).

                                  Well, honestly, that is not at all surprising that someone compromised this system. This is in the same category as folks who run routers with default user/pass set, except in this case SSH is probably enabled by default.

                                  The author basically (unknowingly?!) deployed a honey pot at his girlfriend’s parents’ home, and wrote a story about what happens next.
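The comment above names two defaults that together made the box trivial to take over: a well-known password and passwordless sudo. The password is something to change; the sudo configuration is something an administrator can audit. The following is an added example (not from the thread or from Raspbian) that scans sudoers text for NOPASSWD grants and for `!authenticate` Defaults, and prints each one beside the same line rewritten to require a password. The sample sudoers content is constructed; `#include`/`#includedir` drop-ins are not followed, so those files need a separate pass.

```python
"""Audit sudoers text for password bypasses (added example, not from the thread).

Reads a sudoers file with comments stripped and backslash continuations joined,
then reports (a) user specifications carrying the NOPASSWD tag and (b) Defaults
lines that set !authenticate, each alongside a hardened rewrite. Lines starting
with '#' are treated as comments, so #include/#includedir directives are not
followed; audit /etc/sudoers.d/* separately.
"""
import re

# Constructed sample, laid out like a default Raspbian /etc/sudoers plus the
# kind of drop-in that accumulates on a long-lived box. 'pi' is the line the
# thread is talking about; 'deploy' shows a mixed spec with both tags.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pi ALL=(ALL) \\
    NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, PASSWD: /bin/ls
"""


def logical_lines(text):
    """Yield non-empty sudoers lines with comments removed, backslash
    continuations joined, and runs of whitespace collapsed to one space."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = " ".join((pending + line).split())
        pending = ""
        if line:
            yield line


def find_password_bypasses(text):
    """Return (principal, line, hardened_line) for every grant that skips the
    password prompt: NOPASSWD in a user spec, or !authenticate in Defaults."""
    findings = []
    for line in logical_lines(text):
        principal = line.split(None, 1)[0]
        if principal.startswith("Defaults"):
            # 'Defaults !authenticate' (or 'Defaults:user ...') disables the
            # prompt globally or per principal; 'authenticate' is sudo's default.
            if re.search(r"!authenticate\b", line):
                hardened = re.sub(r"!authenticate\b", "authenticate", line)
                findings.append((principal, line, hardened))
            continue
        if principal.endswith("_Alias"):
            continue  # User_Alias / Cmnd_Alias etc. grant nothing by themselves
        if "NOPASSWD:" in line:
            # Dropping the tag restores the default PASSWD behaviour.
            hardened = re.sub(r"\bNOPASSWD:\s*", "", line)
            findings.append((principal, line, hardened))
    return findings


if __name__ == "__main__":
    for principal, grant, fixed in find_password_bypasses(SAMPLE_SUDOERS):
        print(f"{principal}: {grant}\n    -> {fixed}")
```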

                                  1. 11

                                    I kinda wish I hadn’t learned Vim — just so I could learn a more modern modal editor, Kakoune. Relearning the commands to be pretty much in reverse order (”word delete” instead of “delete word”) sounds like hell. Now, I did learn to type on Colemak after QWERTY.. but the Vim Muscle Memory™ seems much stronger than the QWERTY one was.

                                    faking multiple-cursor support by coloring parts of the buffer to look like cursors and then repeating the actual cursor’s actions at those regions

                                    Oh that’s how it’s actually implemented!! Dang, that’s pretty clever.

                                    1. 7

                                      After using Vim pretty much daily for nearly two decades, a month or so of light Kakoune usage was enough to wean me off Vim entirely. Vim’s a big program with a lot of features, so maybe I wasn’t using the really addictive ones, but I’ve seen similar comments from other people in #kakoune, so I’m not alone.

                                      1. 2

                                        1. 2

                                          The key-chording thing is definitely an issue, but one that can be worked around to some extent with mappings. I don’t think there are any two-modifier keystrokes I use regularly, so it takes me at least as long to remember them as it does to type them.

                                          I was actually pretty impressed with how string-quoting works in Kakoune. Although normal quoting works as you’d expect, the nestable quoting syntax %{} is, well, nestable, which means it almost never needs escaping and so deeply-nested string quoting is just about as natural as {} blocks in C.

                                          That said, Kakoune’s “scripting” is definitely unusual… it’s very much in the vein of basic Unix and Plan9 tools where it’s blissfully easy to hack together a solution that solves a specific problem, but trying to generalise that solution is nearly impossible. I do find that frustrating, but would I be more productive with an editor scripted in.. say, Haskell? Probably not.

                                          I can navigate by paragraph with [p and ]p. I don’t think I’ve ever deliberately used , in Vim or Kakoune, but for any kind of repetition I generally hold down ‘X’ to select a bunch of lines and the s command to create a selection for each thing I want to change. If I hit wi, that starts inserting before the word I just moved over; wa starts inserting after the word I just moved over (including the trailing whitespace). If you want to insert after the word but before the whitespace then yes, you’d need w;i… or just ea. I remember when I started using Kakoune, moving the selection around to the place I wanted it to be felt a bit like a sliding block puzzle, or a game of Snake, where I had to think about where my tail was going to end up as well as getting my head in the right place. I got used to it pretty quickly, though.

                                          In Kakoune as well as in Vim, I tend to open an editor session in the root directory of my project and open files with relative paths from there (unless I can get there with gf, or I have a handy “find” command that autocompletes all the filenames in my project so I can just type a few letters of the file I want to open). I guess I can see the appeal of having a current directory per buffer, but I guess I’ve learned to think of my project’s structure from a top-down perspective rather than bottom up.

                                          At the end of the day, though, Kakoune’s got multiple cursors, and I don’t think I’ll ever be able to give that up.

                                      2. 1

                                        Why would you want to switch from modal vim to Kakoune? After browsing the top features of Kakoune, I didn’t see anything there that’s either not supported natively in vim, or couldn’t be enabled by a plugin or two.. So I’m genuinely curious what the motivation is behind the desire to switch.

                                        1. 2

                                          It’s not about features, it’s about this:

                                           Faster as in less keystrokes

                                          https://kakoune.org/why-kakoune/why-kakoune.html#_improving_on_the_editing_model

                                          1. 1

                                            Thanks, wow, that is an incredible concept. I guess I should have spent more time clicking around. Seems like they’d want to call that out on the front page!

                                            1. 1

                                              “Faster as in less keystrokes” is what’s on the front page. Yeah I guess they could’ve linked that text to the why page..

                                              1. 1

                                                Sure, but it literally does not describe wtf that means. I had assumed they were just referring to macro support…

                                      1. 2

                                        GNU Stow is a symlink farm manager

                                        What’s the benefit of symlinking vs. copying? I guess being able to edit dotfiles in their usual places (vi ~/.vimrc) is cool, but I actually do make temporary local changes sometimes, and I don’t want them in the repo.

                                        I just have “modules” (directories) with apply.sh scripts and a really simple install.sh to install these “modules” (also rinstall.sh to install over SSH to a machine where I don’t want to clone the git repo). So the repo works as kind of a “staging area” (like the git index).

                                        1. 1

                                          I’m in agreement with you. I would rather have filenames that don’t begin with a dot, and an install shell script gives me exactly that. What does stow do that a shell script can’t?

                                          1. 3

                                            I think the real benefit of having symlinks is if you are sharing the files across multiple devices.

                                            There’s nothing stopping someone from re-implementing a copy-not-symlink version of stow, but then you are responsible for merging differences in the script (or bailing out with an error).

                                            The beauty of having symlinks is you can use any external tool (e.g. git) to handle merging changes in the config files if you share them across multiple devices.

                                            edit: I actually implemented a shell script to do exactly what OP described, but kept getting burned by managing conflicts.

                                            1. 2

                                              Most of the things I want to make local customisations for have ways to include other files (sh, ssh, my editor, etc.), so I usually make my main config files include a .foo.local or .foo.d/* whenever possible.

                                              1. 2

                                                Some of the things I stow with stow are directories for precisely that same reason. I wrote an i3wm config manager that uses ~/.config/i3/config.d, and what I put into stow was literally that directory so I can add new files to ~/.config/i3wm/config.d and they magically show up in my repo where I can add them since config.d is a symlink.

                                              2. 2

                                                Isn’t managing conflicts exactly what a tool like git is supposed to help with? So on update a copy-not-symlink script would copy back into the repo and then do a merge.

                                                (I’ve always used symlinks because it’s less work and thought up front)

                                                1. 1

                                                  Yea that was kind of my (poorly worded) point. With copy-not-symlink, your script now has to be smart enough to recognize conflicts, not copy, and invoke git or whatever to help merge changes. With symlinks, you use one tool to symlink (stow) and another to resolve conflicts (git). Stow doesn’t care about conflicts, and it doesn’t have to. It is simpler and less work than creating your own script to copy-not-symlink.
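The symlink-versus-copy trade-off discussed in this sub-thread, as an added example that is neither the thread’s install scripts nor GNU Stow itself: a minimal symlink farm in Python that links a package directory into a target, is idempotent on re-runs, refuses to overwrite a pre-existing real file (reporting it as a conflict for git or the user to reconcile instead of silently clobbering a local tweak), and on unlink removes only the links that point back into the package. Function names and the dotfiles repo built in `demo()` are constructed for the example.

```python
"""A minimal stow-style symlink farm with conflict reporting.

Added example, not GNU Stow and not the thread's apply.sh/install.sh scripts.
link_package() symlinks every regular file below PKG into TARGET, recreating
subdirectories; anything already present that is not our own link is left
alone and returned as a conflict. unlink_package() removes only links that
point into PKG, so the user's own files survive. demo() runs a constructed
scenario in a temporary directory and returns what happened.
"""
import os
import tempfile
from pathlib import Path


def link_package(pkg, target):
    """Link each regular file under pkg into target. Returns conflict paths."""
    pkg, target = Path(pkg).resolve(), Path(target).resolve()
    conflicts = []
    for src in sorted(p for p in pkg.rglob("*") if p.is_file()):
        dst = target / src.relative_to(pkg)
        dst.parent.mkdir(parents=True, exist_ok=True)
        if dst.is_symlink():
            if os.readlink(dst) == str(src):
                continue  # already stowed: re-running is a no-op
            conflicts.append(dst)  # a link, but to something else
        elif dst.exists():
            conflicts.append(dst)  # a real file: never overwrite it
        else:
            dst.symlink_to(src)
    return conflicts


def unlink_package(pkg, target):
    """Remove links in target that point into pkg. Returns removed paths."""
    pkg, target = Path(pkg).resolve(), Path(target).resolve()
    removed = []
    for dst in sorted(p for p in target.rglob("*") if p.is_symlink()):
        if os.readlink(dst).startswith(str(pkg) + os.sep):
            dst.unlink()
            removed.append(dst)
    return removed


def demo():
    """Constructed scenario: stow a 'vim' package twice, then hit a conflict."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo", "vim")
        home = Path(tmp, "home")
        (repo / ".vim" / "colors").mkdir(parents=True)
        home.mkdir()
        (repo / ".vimrc").write_text("set nocompatible\n")
        (repo / ".vim" / "colors" / "mine.vim").write_text("hi Normal\n")
        first = link_package(repo, home)
        second = link_package(repo, home)  # idempotent: nothing new, no conflict
        linked = ((home / ".vimrc").is_symlink()
                  and (home / ".vim" / "colors" / "mine.vim").read_text() == "hi Normal\n")
        # A local-only tweak already lives at ~/.bashrc; the repo then gains its
        # own .bashrc. The farm must report this, not overwrite the local file.
        (home / ".bashrc").write_text("local tweak\n")
        (repo / ".bashrc").write_text("shared\n")
        conflicts = link_package(repo, home)
        kept = (home / ".bashrc").read_text()
        removed = unlink_package(repo, home)
        return {
            "first_conflicts": len(first),
            "second_conflicts": len(second),
            "linked": linked,
            "conflicts": [c.name for c in conflicts],
            "kept": kept,
            "removed": sorted(r.name for r in removed),
            "bashrc_survives": (home / ".bashrc").is_file(),
            "vimrc_gone": not (home / ".vimrc").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```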

                                          1. 3

                                            This is a pretty good intro to vim. In addition to the vim tutorial the author mentions, vim golf[0] is a really fun way to learn new tricks and practice.

                                            [0] https://www.vimgolf.com

                                            1. 4

                                              There is also this adventure game.

                                              https://vim-adventures.com

                                              1. 1

                                                That seems like it would be fun, but unfortunately it’s a pay-to-play game after a certain point (level 2? if memory serves..)

                                              2. 1

                                                I think I’m the only vim fan who doesn’t like vim golf. I think it teaches the wrong lessons. Vim isn’t about saving keystrokes, that’s just a metric by which we measure saving time and mental overhead. Sure, df will be fewer characters than d/, but then you have to count letters to make sure you pick the right one. That’s gonna slow you down a lot.

                                                I also think that it contributes to the meme that we should be using as pristine configurations as possible. But you get incredible power out of maps. Having s map to "_d is way more useful than the default command.

                                                1. 2

                                                  Sure, not all solutions to vim golf challenges are practical ‘in real life’, but I sure have learned a lot of tricks that are practical ‘in real life’ by looking at how others have solved some of the challenges I’ve attempted..

                                              1. 5

                                                The solution to this problem is Keybase.io - full stop. I use it often and find it easier than falling off a log.

                                                Easy to set up, easy to use, great facilities for using encryption in other contexts besides E-mail. Great stuff. Can’t recommend it highly enough.

                                                1. 15

                                                  Keybase is a walled garden with some proprietary components. No thanks.

                                                  1. 6

                                                    Yup. That’s very true. It’s also utterly falling off a log easy workmanlike crypto for anyone whose standards are not quite as stringent as yours.

                                                    Put another way - no crypto at all or reliance on a walled garden with some proprietary components?

                                                    1. 0

                                                      There are quite a few ‘easy’ crypto implementations (e.g. Microsoft Outlook’s mail encryption crap), the problem is they are all competing and not compatible with each other. I would rather support a company that is working to improve an existing implementation (e.g. gnupg) than go off and create yet another implementation.

                                                      1. 4

                                                        I manage my GnuPG keys just fine using Keybase. Are you sure you’re aware of what they’re actually offering or is this just a knee jerk response?

                                                        1. 0

                                                          Yes I’m aware that one feature of keybase is to be a flashy gnupg key server interface. But, from what I understand, they also roll their own crypto, and encourage users to use it.

                                                          https://keybase.io/docs/server_security

                                                          https://keybase.io/docs/crypto/local-key-security

                                                          is this just a knee jerk response

                                                          I figured lobste.rs users would give the benefit of the doubt before making stupid remarks like this, but I guess I was wrong.

                                                          1. 4

                                                            I’m perfectly capable of stupid remarks, but I’m unsure whether I’d classify that particular remark in that way.

                                                            Let’s get back to discussing nuts and bolts shall we?

                                                            I don’t use any “roll your own crypto” - I use Keybase to manage and utilize my GPG keys.

                                                            Anyway, you don’t like Keybase. That’s fine. It’s not meant for you. Clearly you’re an educated user who knows something about cryptography.

                                                            Keybase is meant for the millions of people who aren’t educated, but want some measure of protection with a usable interface on top. To my mind, it succeeds admirably at that. If you disagree, that’s fine, and I’d even maybe give your disagreement more weight than my belief because, at least if I put stock in the ferocity of your attacks, you know what you’re talking about.

                                                            So maybe Keybase is terrible. It does what I want it to do very well. I’ll leave it there.

                                                            1. 4

                                                              I don’t use any “roll your own crypto” - I use Keybase to manage and utilize my GPG keys.

                                                              Maybe the parent meant that Keybase uses their own PGP library instead of audited open-source one?

                                                              From my point of view Keybase does two things well: social authentication and an append-only log of key changes. Both have been tried for OpenPGP but never really caught on (see Linked Identities and CONIKS). There is also a nice set of tools that Keybase has (encrypted git etc.) but I’ve never tried that so I don’t want to comment on that.

                                                              1. 2

                                                                I haven’t used their encrypted git but I’ve used their encrypted portable filesystem and chat/group chat capabilities and they work great!

                                                                1. 2

                                                                  Thanks for the info! I’ll check it out with my testing account, I’ve heard previously that the chat is really nice.

                                                              2. 1

                                                                Keybase is meant for the millions of people who aren’t educated, but want some measure of protection with a usable interface on top.

                                                                I completely understand that point, I would love for there to be something providing a measure of protection with a usable interface on top, but implemented with purely FLOSS components and not controlled by exactly 1 company (which may not be around tomorrow, for instance). That’s all I was getting at. I don’t have anything against keybase personally, I just don’t like companies creating more walled gardens than there already are.

                                                                1. 5

                                                                  As would we all. But take a step back - look at the breadth of what Keybase provides, and take a ballpark guess at how many person hours that would take to implement.

                                                                  Now think about volunteers putting in those thousands of hours unpaid with no recompense beyond the knowledge that they will be stuck maintaining the code until they burn out from the continual stream of thankless demands for MOAR EVERYTHING NOW!!! (This may sound like hyperbole but all the high profile maintainer burnout we saw a few years back says otherwise.)

                                                                  This is the fundamental reality gap I see among many hard core FLOSS advocates. Until we manage to eliminate the entire concept of money, expecting such a heavy lift to come from a purely open source initiative seems highly unlikely to me.

                                                                  Let’s celebrate open source for what it is, encourage it wherever we can, and be SUPER kind to those who gift the result of their blood sweat and tears to us in that way, but let’s also be realistic about what’s reasonable and what may require some kind of financial backing in order to come to fruition.

                                                                  1. 1

                                                                    but let’s also be realistic about what’s reasonable and what may require some kind of financial backing in order to come to fruition.

                                                                    There are many examples of for-profit companies contributing employee time to FLOSS projects. Hell, I am currently working for such a company, doing such a thing. Keybase could be one of those.. but they chose to do their own thing.

                                                                    1. 1

                                                                      Can you give me a sense of precisely which components you take issue with? Someone has already posted about a library that Keybase uses that they’ve open sourced, and if you look at their Github profile I see a ton of open source?

                                                                      1. 2

                                                                        The fact that it’s just under 100MB when I see it in software updates and that it thought it needed my private key for my use-case of just authenticating a public key. When I used it, my work-around for keys was to have Keybase-specific keys to sign real keys. The 70-100MB whatever it was, though? I mean, how trustworthy and attack-proof can a central point of trust handling secrets be if it and/or its dependencies are that large?

                                                                        I just couldn’t trust it. To this day, it’s usually the largest download or update I get after a browser (basically an OS) or office suite (standard for bloat). Maybe something else in there, too, but it’s a small list. And a large program to do its one thing I wanted: social discovery.

                                                                        EDIT: Long day, I fired that off too quick. Forgot to add that I agree its usability and features are excellent. They’re one of the apps that sets the bar for how usability should be done by anything people in my camp would prefer.

                                                                        1. 2

                                                                          Yup. Again, it’s not for you :) You’re a security expert with highly specific needs :) That 100MB includes as others have said a filesystem, chat/group chat and encrypted SCM features. Not what you want.

                                                                          1. 1

                                                                            I’m a security expert with a mental disability that makes me forget stuff constantly. I use GUI-based, highly-usable apps by default wherever I can. I rarely use stuff like GPG. Even when I do, it’s an ultra-minimal workflow that ignores the vast majority of its features. I might be closer to the intended demographic than you might think. :)

                                                                            Let’s look at Keybase’s target instead of me. If you’re right, then they want to bring in the masses. So, we look at adoption patterns to find out what the masses want. Here’s what they want:

                                                                            1. Useful stuff a lot of people are already using that lets them leverage any contacts, data, etc they already have. Building on or integrating with existing platforms, centralized or decentralized, lets them do this.

                                                                            2. Something that prioritizes integrity and availability over confidentiality. They expect stuff to get hacked. They just want it to happen rarely with the company keeping their data as long as possible. Most people trust Google, Apple, Facebook, and Microsoft for this. Dropbox got a lot of them, too.

                                                                            3. Something that provides what they need or want in exchange for extra effort it introduces. Examples of need are apps for doing important stuff (esp work-related), AV on Windows, backup/sync software or using Facebook cuz family members prefer it for important stuff. Examples of want are Apple’s luxury products, anything adding personalization, anything increasing convenience after initial trouble (eg Dragon Naturally Speaking), and apps for doing fun stuff.

                                                                            Now, let’s assess Keybase against that list of massively-successful, mass-market goods. For 1, it’s not built into the platforms they don’t want to leave. For 2, the services I mentioned are much more likely to last and have better security teams than Keybase. For 3, existing players already provide a solution with wide adoption that’s usually better than what Keybase offers. It is getting a niche in the want/fun category for certain computer geeks and privacy lovers. They’re a tiny, tiny, tiny, tiny drop in the bucket of the identity/chat/storage market, though.

                                                                            Conclusion: Keybase has nothing to offer, no need, and no want for most people you say it targets. It’s a niche product for computer, privacy, and novelty users in the consumer or business space who can accept a small community of fellow users. A solution working with Gmail or Facebook, which have existed, will have a better shot at wide adoption. Outlook if selling to enterprise. So, there’s still room to do stuff like a highly-usable front end and/or 3rd-party integrations with GPG, since they’re used within some of the same niche markets.

                                                          2. 2

                                                            For the record Gpg4Win also ships with GpgOL - a plugin for Outlook. I didn’t use it (Thunderbird+Enigmail work well for me) although it looks okay.

                                                        2. 0

                                                          Also, didn’t keybase pivot to being a chat app or something?

                                                          1. 1

                                                            Nope. Chat and group chat functionality are included but none of the other features went away, and in fact are being actively maintained.

                                                            1. 1

                                                              Ah. Thanks for the info.

                                                        3. 5

                                                          I’m not entirely sure keybase will solve things at scale, but it’s filling a gap:

                                                          Keybase has many features that I’m not using (git, filesystem, chats, teams), but I use it to follow the heck out of people that I know or work with. This gives me fine access to properly managed keys from all the peers. Given your other comments down this thread, I believe this seems to be exactly your use case too.

                                                          1. 7

                                                            Exactly. It provides a really nice interface around the aspects of public key crypto that frankly we’ve done a crappy job of socializing (making it easy for you to manage your key, making it easy for you to expose your key to me and vice versa, and then making it easy for us to use our keys to communicate).

                                                            It’s not perfect, and as has been said it’s got proprietary bits, but it’s a heck of a lot better than what 98% of people do without it, which is decide they should be using GPG, create keys, upload them to a keyserver, make a mistake, realize they are utterly hosed forever, and throw up their hands in dismay and go back to not using crypto (Which is EXACTLY what the author of this article did.)

                                                            Perfect is the enemy of the good (enough).

                                                        1. 5

                                                          These have been floating around FOR-EVER but I’m glad they keep cropping up. I see evidence of these constantly in just about every technical community I inhabit.

                                                          They were an eye opener for me at the time. Particularly #2 (accept me as I am) and #4 (transitive).

                                                          Grokking the fundamental falsehood of some of these deeply was definitely a step towards finally growing up in certain ways that I REALLY needed to (and had for a long time).

                                                          I also credit having successfully jettisoned #2 with being why at age 35 I finally started dating and met my wife :)

                                                          1. 5

                                                            I recognize some of these patterns, but I don’t think I associate them with technical communities. Where I’ve run into them is in “cultural geek” communities, those organized around things like fandoms. This could be idiosyncratic based on which specific kinds of both communities I’ve run into though.

                                                            1. 2

                                                              I’ll take your word for it. In my case, the degree of overlap between technical communities and various fandoms is extremely high.

                                                              1. 1

                                                                That’s interesting and believable too, which is why I added the caveat that it could well be idiosyncratic. I’ve definitely read about this kind of thing in my area, artificial intelligence, e.g. the old MIT hacker culture. I just haven’t encountered it in person, and it always felt like something that existed way before my time. Out of curiosity, what kinds of technical communities have you encountered where the overlap is high?

                                                                The AI conferences I personally go to do have a handful of geeky people, but way more business/startup/government/military/professor types. A bunch of these factors pretty clearly don’t apply as far as I can tell, for better or worse. For example, socially awkward and/or unhygienic people are pretty much jettisoned without a second thought if someone thinks they might interfere with funding.

                                                                1. 2

                                                                  So, I want to be sure to constrain this properly.

                                                                  I came into the Boston technical scene in the early 1990s. At that time, the overlap with the Boston science fiction fandom community was HUGE as it was for the Polyamory and BDSM communities (of which I’ve never been a part. Vanilla and proud yo :)

                                                                  In fact, I pretty much got my start in the Boston tech scene by showing up at a science fiction fandom oriented group house in the middle of a blizzard and passing out my resume to anyone who’d talk to me :) I ended up living in that group house for a time.

                                                                  I’m fairly sure this isn’t representative of the here and now. Our industry has become a very VERY different place several times over since then (mostly for the better) and I suspect that younger folks are being drawn from a much more diverse background of interests.

                                                                  1. 1

                                                                    Hah interesting, I know some people who I think had a similar kind of experience in the SF Bay Area in the ’90s, living in group houses to get broadband internet and such. I got into tech in the late ‘90s in suburban Houston, which might have had a geek scene, but if so I didn’t know about it. The tech scene I was exposed to was much more “professional engineering” oriented, anchored by people who worked at NASA or NASA contractors (plus some people doing tech at oil companies).

                                                              2. 1

                                                                I’ve not found that to be the case, even here in the Lobsters community in its forum and chat forms.

                                                              3. 2

                                                                I’m curious how #2 motivated you to start dating. Were you just generally more receptive of criticism from friends, and if so, how does that translate to wanting to start dating?

                                                                1. 4

                                                                  Not so much about wanting to start dating, but being willing to make the changes necessary to be perceived as attractive.

                                                                  “Friends accept me as I am”.

                                                                  Who cares if I have a giant sloppy beard, dress in sweat pants and faded T-shirts all the time, and generally take PRIDE in not giving two shits about my personal appearance? My TRUE friends will accept me for who I am and see past all that.

                                                                  Except that this is the real world. How you look DOES matter. Shave the beard, lose a few pounds, buy some decent clothing and it’s a whole different ballgame.

                                                                  1. 1

                                                                    I definitely agree with what you’re saying, but it reminds me of some definitions from Douglas Coupland’s novel Generation X:

                                                                    anti-victim device (AVD) - a small fashion accessory worn on an otherwise conservative outfit which announces to the world that one still has a spark of individuality burning inside: 1940s retro ties and earrings (on men), feminist buttons, noserings (on women), and the now almost completely extinct teeny weeny “rattail” haircut (both sexes).

                                                                    … and:

                                                                    personality tithe - a price paid for becoming a couple; previously amusing human beings become boring: “Thanks for inviting us, but Noreen and I are going to look at flatware catalogs tonight. Afterward we’re going to watch the shopping channel.”

                                                                    https://en.wikiquote.org/wiki/Generation_X:_Tales_for_an_Accelerated_Culture

                                                                    Some parts of a given personality are stupid and need to be shorn so the person can have a more interesting life. It’s easy to lionize the idea that someone can be Good Enough, or, in somewhat different subcultures, Cool Enough, that you never have to compromise on those things, but even if you luck into a job where that works, it doesn’t and can never work in a healthy personal relationship.

                                                                    1. 4

                                                                      Sounds like I need to read that book!

                                                                      I don’t personally see it as compromise.

                                                                      The truth is that my self confidence was in the shitter at that time. My personal appearance was just one outward manifestation of that.

                                                                      Recognizing that I needed to make changes if I wanted to meet someone and be less lonely was a first step towards letting go of some of that baggage.

                                                              1. 3

                                                                Or just set all your clocks to UTC. I did that for about 6 months in 2010-2011, as a personal protest against the silly DST transition. Works ok if you’re willing to do time conversions in your head.

                                                                1. 4

                                                                  if you’re willing to do time conversions in your head

                                                                  In that case, setting any timezone would be ‘ok’.

                                                                  1. 1

                                                                    UTC is the only timezone guaranteed to be free from DST.

                                                                    1. 1

                                                                      Well the point is, if OP is willing to do time conversions in their head, then any timezone will do since they can all be converted.

                                                                1. 2

                                                                  Try not to rely on fingerprint unlock only, or better yet use only PIN/password/pattern unlock, as biometric data can be cloned.

                                                                  Source?

                                                                    1. 1

                                                                      The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life conditions.

                                                                  1. 7

                                                                    I’ve used OpenVPN for years, but the whole setup and maintenance process looks outdated. Recently started using Wireguard[1] in production, which is quick to set up and hardly requires any maintenance. It also works well in the containerized world.

                                                                    [1] - https://www.wireguard.com

                                                                    1. 3

                                                                      Unfortunately there’s not yet kernel support for Wireguard, so maintenance is higher than it would be otherwise (e.g. dependence upon wireguard maintainer keeping out of tree module up to date for latest kernels, and you (or your distro) having to build it out of tree).

                                                                      It seems like he’s close to getting it merged though, so I’m holding out for that!

                                                                      1. 4

                                                                        wireguard-go might also be usable, if maximum performance is not required. I wouldn’t think it would be any slower than openvpn, which is also user-space.

                                                                        1. 1

                                                                          Most distributions have provided a kernel module for years. The burden of maintaining such a tiny piece of code is moderate and it does not impact admins and end users.

                                                                          1. 1

                                                                            Maybe in this one specific case, but I’ve been burned in the past by relying on an out of tree module (or set of patches), only to have the developer lose interest, sell out, whatever. (e.g. grsec). It’s rare I suppose, but the burden on users and admins is high when it does happen.

                                                                            (the same fate could happen to patches/modules in the tree, but it’s much more rare)

                                                                        2. 1

                                                                          I do not think you can compare Wireguard and OpenVPN in terms of reliability right now. Wireguard is still something new, has not been audited by a security team yet and does not have a strong maintainability process. A little quote from the authors:

                                                                          As of June 2018 the developers of WireGuard advise treating the code and protocol as experimental, and caution that they have not yet achieved a stable release compatible with CVE tracking of any security vulnerabilities that may be discovered.[7][8]

                                                                          1. 3

                                                                            WireGuard has received formal verification from the developers [1], been audited by [2], and been reviewed by kernel developers and distributions that ship the kernel module. I don’t have numbers on the number of reviewers versus SLOC count, but I suspect it could be much higher than OpenVPN given the size of WireGuard.

                                                                            [1] https://www.wireguard.com/papers/wireguard-formal-verification.pdf

                                                                            [2] https://courses.csail.mit.edu/6.857/2018/project/He-Xu-Xu-WireGuard.pdf

                                                                            1. 1

                                                                              They’re saying that because they’re trustworthy security folks. We always advise saying don’t trust it until proven otherwise with strong review and/or verification. There have been some impressive results in verifying Wireguard, on top of the fact that it’s so much smaller than competing implementations.

                                                                              For now, I’ll just give you this article for some nice comparisons. Also, that article says OpenVPN is about 600,000 lines of code. The most-secure systems were thousands to tens of thousands of lines of code because smaller systems are easier to bulletproof. I don’t need to look at OpenVPN’s security advisories to know it will have more errors with more complexity.

                                                                          1. 6

                                                                            It’s hard to overstate how important Librem phone is. Currently, it’s pretty much impossible to buy a high end phone that you can actually own. All Android based phones have their firmware locked and root access disabled. This effectively means that you do not own the device, and you don’t get the final say as to what will be running on it. I’m aware that it’s possible to crack the firmware, but I think that’s completely beside the point.

                                                                            We desperately need an open alternative that puts control back in the hands of the user. I think open computing is of fundamental importance. If we lose the ability to decide what code runs on our devices, we’ll be moving a step closer towards a totalitarian dystopia where the governments and corporations get to decide what’s good for us.

                                                                            1. 1

                                                                              All Android based phones have their firmware locked and root access disabled.

                                                                              Doesn’t Google offer official support for unlocking the bootloader on the Pixel phones?

                                                                              1. 1

                                                                                As far as I know, the only way to root a Pixel is by using sketchy third party binaries.

                                                                                1. 2

                                                                                  Yea seems like the only way to root it running LineageOS is to flash the ‘addon su’ package, not sure what that contains exactly (it might just be the su and sudo binaries?)

                                                                                  https://download.lineageos.org/extras

                                                                            1. 3

                                                                              This is the one tool that is making me seriously consider flipping my workflow upside down and switching from vim + git cli to emacs.

                                                                              That said, if anyone knows of something similar to magit that doesn’t require emacs, I’m interested in hearing about it! I’ve played with tig[0] a bit, but always go back to using git from the cli..

                                                                              1. https://jonas.github.io/tig/
                                                                              1. 3

                                                                                I recently started using spacemacs in vim mode (which is its default) and it’s lovely. It’s been a much better experience getting a decent environment going than I’ve ever had with vim. Haven’t dug into Magit yet but I’m eager to. The docs for spacemacs are a bit scattered but this was the most useful for me to get going:

                                                                                https://github.com/syl20bnr/spacemacs/blob/master/doc/BEGINNERS_TUTORIAL.org

                                                                                1. 1

                                                                                  How long did you use vim workflows before switching? I’ve been a fulltime vim user for about 10 years, and I’m afraid that my productivity will take a serious spill as I try to unlearn muscle memory and build new ones. If you used vim for a while, I’m curious how that experience was for you.

                                                                                  1. 5

                                                                                    I switched mostly to emacs + evil (also used for Spacemacs) after a decade and a half or so on various vi implementations. Evil is very complete; it often feels more like a complete vi implementation in Emacs Lisp rather than ‘vi emulation’. So far I didn’t have to unlearn any muscle memory.

                                                                                    I used Spacemacs for the initial switch, but I found it to be very buggy and slow. So, at some point I just switched to Emacs + hand-picked packages. I use use-package to load/install packages that I install with Nix and manage with home-manager. I use general to set up spacemacs-like key bindings (e.g. SPC-p-f to find a file in a project, SPC-b-b to search buffers, etc.).

                                                                                    However, the Emacs ecosystem can be a bit overwhelming, so Spacemacs is a good entry point.

                                                                                    1. 1

                                                                                      I never spent longer than six months or so using vim full time, so I’m in a very different situation. You’ll be able to put much of your muscle memory to good use in spacemacs, using the same keystrokes to navigate and edit within a buffer. However you’ll need to re-learn many other common tasks.

                                                                                      You will absolutely take a big productivity hit at first, but if you stick with it then you’ll start feeling comfortable pretty quickly. Learning is its own reward! :)

                                                                                  2. 2

                                                                                    I have used vimagit and fugitive (both Vim/Neovim plugins) together for a while now. Vimagit is far from equal to magit in terms of power, but provides my Vim setup with the main features I missed from magit (visual range staging, easy amends, etc.). Fugitive is also useful on its own, but I currently mostly use it to asynchronously push/pull from within Neovim (as vimagit does not yet provide these features itself).

                                                                                    1. 2
                                                                                      1. There’s nothing wrong with converting to the true faith ;)
                                                                                      2. There was a Go project called lazygit that was posted here a while back that a few people claimed was quite nice (haven’t tried it myself, so I can’t say), and reminded me of Magit – maybe that would be worthwhile?
                                                                                      1. 2

                                                                                        One thing I’m wondering about trying is a TUI-only Emacs configuration with a virtually completely empty .emacs file, set up for just magit and nothing else. I’m wondering if the load time with a maximally stripped-down configuration would be short enough to make it feasible to use magit in a non-Emacs-oriented workflow. So, edit in something else, launch Emacs+magit in the terminal, stage changes, close Emacs.

                                                                                        The Emacs daemon mode might be an option too but it adds a bit of complexity to the setup. :/

                                                                                        1. 1

                                                                                          I use tig a lot for browsing commits, but for making commits, vimagit is a pretty cool magit-inspired vim-based git add -p type thing.

                                                                                          (Though I keep using add -p anyway lol)

                                                                                          1. 1

                                                                                            Fugitive is amazing. I use it extensively at work.

                                                                                            1. 1

                                                                                              I’ve been using its most basic functionality (Gblame, and gutter highlighting) for at least 1 year now. Perhaps it’s time to invest more time in learning the ‘advanced’ features.

                                                                                              1. 1

                                                                                                Yeah! It’s got good diffing, committing, etc.

                                                                                              2. 1

                                                                                                If you like fugitive, I’d also recommend checking out gina.

                                                                                                1. 1

                                                                                                  What does it do differently/better?

                                                                                            1. 8

                                                                                              quite busy with offline life but I hope to get a few hours to invest in my new hobby project; After getting inspired by Ultimate Writer I’ve ordered a 9in7 e-ink display only to find out that it uses a completely different controller than the smaller models and software support seems to be almost non-existent so far.

                                                                                              So I started hacking and can now do pretty much anything with it in custom code, and am trying to implement a fbdev driver in the Linux kernel for it. My C is quite rusty and it’s my first endeavor in Linux kernel space, so we’ll see how it goes. Has been fun so far :)

                                                                                              1. 3

                                                                                                Wow, what a cool project. I would love a laptop with a good keyboard and e-ink display for running vim + other cli tools. I hope you plan to post about your experiences working with this particular panel + controller, since I’m interested in using something that size now that I know they exist :)

                                                                                              1. 3

                                                                                                Do you really need to have root privileges on your Google-free phones?

                                                                                                I would like to keep my phone as secure as possible, and having root privileges enabled doesn’t seem like a smart choice if you have security in mind too.

                                                                                                1. 7

                                                                                                  Yes. I’m the owner of the hardware, I want to be able to do whatever I want with it, including the things that not having root would prevent me from doing.

                                                                                                  1. 3

                                                                                                    The problem with this idea is that you are also allowing the possibility for any applications you install to also use root. Some ‘root access management’ apps will prompt you, etc, but then you’re just depending on them to not have any issues that would allow an app to circumvent their checks.

                                                                                                    I am the owner of my hardware, and I choose to not allow applications to assume more permissions than the OS was designed to allow them to have.

                                                                                                    1. 7

                                                                                                      That just sounds like an argument for improving those components instead of giving up control altogether.

                                                                                                      1. 8

                                                                                                        Not at all what I intended. I’m merely pointing out the downfall in enabling root access on current mobile operating systems. I would use root in an OS which I could control, sadly there’s no longer any mobile device supporting one (RIP N900), but hopefully there will be a new one soon (Librem 5 cannot come fast enough).

                                                                                                        1. 2

                                                                                                          That makes sense.

                                                                                                          1. 2

                                                                                                            My N900 is still kicking, but yeah it’s not my daily driver because browser reasons :P

                                                                                                            Besides Librem5, we’re also waiting on the Pyra. The Gemini is here today running Debian as an alternate. Also running ubports on a Nexus 5 can get you close.

                                                                                                            1. 1

                                                                                                              Of course! There’s also postmarketOS.

                                                                                                        2. 3

                                                                                                          There used to be a lot of good use cases for rooting an Android phone, because there were a lot of reasonable things you needed root to do (run VPNs, block ads, change DNS settings, put background apps to sleep) and a lot of the culture of that time has persisted in the Android modding community. But over time, most of the things you really needed root for have been either added to the base system (doze, night mode) or made available to a user-space API (VPNs) or developer settings. With Android 7 or later, the only thing you really would need root for is micro-tweaking kernel settings, and that’s really only useful when you’re trying to get the most out of older hardware. Now it’s worth the little bit of extra security to leave your phone/tablet unrooted.

                                                                                                          1. 4

                                                                                                            There used to be a lot of good use cases for rooting an Android phone

                                                                                                            If you’re using a carrier-branded phone there are still reasons:

                                                                                                            • Debloating/disabling undesirable preinstalled apps.
                                                                                                            • Fine-grained app permissioning (xposed framework).
                                                                                                            • App hibernation and background running control.
                                                                                                            • DNS choice and filtering.
                                                                                                            • Ad Blocking.
                                                                                                            • Enabling hotspot support (varies with carrier).
                                                                                                            1. 4

                                                                                                              Some of those (DNS and ad blocking) no longer require root.

                                                                                                              If you are able to unlock the bootloader and run something like LineageOS, then you effectively resolve the remaining issues without rooting the device.

                                                                                                              1. 1

                                                                                                                Oof. Yeah, though to be totally pedantic, you could install an unrooted LineageOS on that phone (if it, or similar, is available), and get most of those. Blokada gives you DNS choice and filtering and ad blocking, and it doesn’t require root (it uses the VPN framework).

                                                                                                                1. 1

                                                                                                                  Blokada

                                                                                                  I’ll give that a try. I found DNS66 to cause long hangs and random lookup failures and, of course, AdAway requires root.

                                                                                                        3. 4

                                                                                          The ‘root access’ moniker is a bit of a misnomer as it makes many people seem to think disabling it disables the root account. This is of course not what happens: Android, being *nix underneath, by definition has a root account which is used to boot the device and run a host of services. Any bugs which would give rise to local root access still apply no matter whether a working su is installed or not. If the installed su app is working as it should, the attack surface is only raised by so much as the user remains vigilant over granting root to specific apps. Any app which does get root can abuse it, so this privilege should only be bestowed upon those bits which are ‘known to be trustworthy’. In other words, the security of a ‘rooted’ device depends for a large part on the judiciousness by which the user grants or denies root access, just like the security of a firearm depends on the hand wielding it.

                                                                                                          1. 1

                                                                                                            depends for a large part on the judiciousness by which the user grants or denies root access

                                                                                                            Not entirely. It also depends extremely heavily on the mechanism used to manage root access (e.g. SuperSu). If that application has issues that can be exploited to go around the user intervention, then all bets are off. Suddenly your firearm is capable of firing without you touching it.

                                                                                                            1. 1

                                                                                                              If the installed su app is working as it should the attack surface is only raised by so much as the user remains vigilant over granting root to specific apps.

                                                                                                              1. 1

                                                                                                                Ok, but my point is that’s a mighty big assumption to make.

                                                                                                          2. 3

                                                                                            Like any decent system, every root request is accepted (or rejected) by the user.

                                                                                                            It’s not like you installed an app from the store and it uses root without you knowing.

                                                                                                            1. 3

                                                                                                              You’re assuming the root manager software (like Magisk, or SuperSU back in the days) has no security issues whatsoever.

                                                                                              Mind you, I’m not saying that commonly used root managers are compromised, but I believe that the current status of Android rooting management is inherently insecure because we rely on software that is not always audited. I prefer having a custom ROM (maybe even with a custom boot chain of trust!) without root rather than leaving such a wide attack surface available for a hypothetical rogue party.

                                                                                                            2. 1

                                                                                                              because if someone stole your phone and guessed your root password they could install whatever they want on it?

                                                                                                              1. 1

                                                                                                Is this an argument against my thought? If yes, could you please elaborate more? I’m curious about your point of view, and I’m afraid my (lacking) knowledge of English didn’t help me understand your reply.

                                                                                                                1. 2

                                                                                                                  i’m confirming how having root access hurts security. which attacks can be carried out when your phone is rooted, which couldn’t be carried out if it weren’t rooted?

                                                                                                                  1. 3

                                                                                                                    An app with root access can read the private data of other apps, and can generally disregard the permissions system, so that’s two major classes of things there.

                                                                                                                    1. 1

                                                                                                                      but the user would be able to decide whether to run a program as root, wouldn’t they?

                                                                                                                    2. 3

                                                                                                                      One could trick the user into installing an app that bypasses root managers and gets root permissions directly. From there, the same rogue app could steal basically everything from the user’s phone without even noticing anything.

                                                                                                                      1. 1

                                                                                                                        why would the app be run as root? on linux i can build and run programs as my user account without giving the programs root permissions. i install programs with sudo, but then i’m running the package manager which is code i trust, not the programs i’m installing which i trust less. after installing a program, i still have to explicitly run it as root. does android work differently?

                                                                                                              1. 2

                                                                                                                Is it possible to find out what # lobster any user was?

                                                                                                                1. 8

                                                                                                                  Your own user number is available from the console in your browser:

                                                                                                  Lobsters.curUser

                                                                                                                  You can also see this value by viewing the source of any page you fetched while you were logged in.

                                                                                                                  1. 3

                                                                                                    Specifically, it looks like this is available by looking at a <script></script> block within the <head> tag of an article page like this one, containing a bit of JavaScript that mentions the user number. I’m 5669, apparently.

                                                                                                                    1. 2

                                                                                                                      Currently yes, though I’d like to remove inline script tags to add a strict Content Security Policy.

                                                                                                                1. 4

                                                                                                                  This is why I love bhyve on HardenedBSD:

                                                                                                                  1. PaX ASLR is fully applied due to compilation as a Position-Independent Executable (HardenedBSD enhancement)
                                                                                                                  2. PaX NOEXEC is fully applied (strict W^X) (HardenedBSD enhancement)
                                                                                                                  3. Non-Cross-DSO CFI is fully applied (HardenedBSD enhancement)
                                                                                                                  4. Full RELRO (RELRO + BIND_NOW) is fully applied (HardenedBSD enhancement)
                                                                                                                  5. SafeStack is applied to the application (HardenedBSD enhancement)
                                                                                                                  6. Jailed (FreeBSD feature written by HardenedBSD)
                                                                                                                  7. Virtual memory protected with guard pages (FreeBSD feature written by HardenedBSD)
                                                                                                                  8. Capsicum is fully applied (FreeBSD feature)
                                                                                                                  9. No dependency on legacy hardware
                                                                                                                  10. Minimal support for some virtualized/emulated hardware (like e1000)

                                                                                                                  Bad guys are going to have a hard time breaking out of the userland components of bhyve on HardenedBSD. :)
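                                                                                                  As an added example (not code from this thread, nor from HardenedBSD or bhyve), here is a small Python audit that reads an ELF64 image’s program headers and dynamic section to report the PIE, RELRO, BIND_NOW and non-executable-stack properties named in the list above; CFI and SafeStack leave no header flag and are not covered. The sample images are constructed in memory, so it runs anywhere; pass a real binary’s bytes to audit_elf64 to check it.

```python
import struct

# ELF64 constants (values from the ELF/GNU ABI).
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def audit_elf64(data: bytes) -> dict:
    """Report PIE, RELRO, BIND_NOW and NX-stack status of a little-endian ELF64 image."""
    if data[:5] != b"\x7fELF\x02":  # EI_CLASS 2 == 64-bit
        raise ValueError("not an ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    res = {"pie": e_type == ET_DYN, "relro": False,
           "bind_now": False, "nx_stack": False}
    for i in range(e_phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # linker emitted a read-only-after-reloc segment
            res["relro"] = True
        elif p_type == PT_GNU_STACK:        # absent PT_GNU_STACK means executable stack
            res["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:          # walk the dynamic section for BIND_NOW
            for j in range(p_filesz // 16):
                tag, val = struct.unpack_from("<QQ", data, p_off + j * 16)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    res["bind_now"] = True
    res["full_relro"] = res["relro"] and res["bind_now"]  # "Full RELRO" = RELRO + BIND_NOW
    return res


def build_sample_elf64(pie=True, relro=True, bind_now=True, exec_stack=False) -> bytes:
    """Construct a minimal (non-loadable) ELF64 image carrying the chosen flags."""
    dyn = (struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack("<QQ", DT_NULL, 0)

    def ph(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0,
                           p_filesz, p_filesz, 8)

    phdrs = [ph(PT_GNU_STACK, 0x6 | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append(ph(PT_GNU_RELRO, 0x4))
    dyn_off = 64 + 56 * (len(phdrs) + 1)        # dynamic data follows all headers
    phdrs.append(ph(PT_DYNAMIC, 0x6, dyn_off, len(dyn)))
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)    # 64-bit, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    for name, img in {"hardened": build_sample_elf64(),
                      "no-pie, lazy binding": build_sample_elf64(pie=False, bind_now=False)}.items():
        print(name, audit_elf64(img))
```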

                                                                                                                  1. 2

                                                                                                                    No dependency on legacy hardware

                                                                                                                    What does this mean exactly? Usually when I see statements like this, it means that software has some (arbitrary?) requirement to run on newer hardware and, say, a system that is 8-10 years old will not work.

                                                                                                                    1. 2

                                                                                                                      You’re correct: bhyve does require newer hardware. It requires VT-d and EPT. It runs on Intel Haswell and above. It has support for AMD processors, but I don’t know the minimum spec there.

                                                                                                                      1. 2

                                                                                                                        I was partially incorrect: On the Intel Xeon side, bhyve runs on Intel Westmere and above. Thanks to Patrick Mooney for pointing that out to me.