1. 50

    To whomever downvoted this as off-topic:

    • It’s about cryptography, security, and privacy
    • The source code examples are written in JavaScript

    …so which topic is it off-?

    1. 37

It’s probably an expression of political distaste for overt references to furrydom rather than an authentic opinion that this article’s content is off-topic. I think this is absolutely topical content myself, but I’ve seen plenty of articles posted that I also thought were entirely topical (some of which I posted myself), that had off-topic or other flags because they were triggering to the political sensibilities of other users.

      1. 53

        Just posting in support of this.

        Folks, this is a nice high-effort post about implementing security, with code and references and the whole shebang. It isn’t shilling a service, it isn’t navel-gazing on politics, it isn’t even some borderline case of spamming a blog to get more views without care for the community.

        Anybody who flagged this as off-topic either didn’t read the article or is a tremendous asshole.

        Anyone who flagged this as spam either didn’t read the article or is a tremendous asshole.

        If the reference to furries in the title rustled your jimmies, despite the site policy here being to use the original title as close as possible, and you were unable to evaluate the quality of the article on its own merits, you’re a tremendous asshole.

        1. 26

I get off-topic downvotes for my posts with Mara too. Some of the graybeards here really dislike furries for some reason I can’t comprehend. I hope they can find something better to do than downvote furry-adjacent content. Anyways, keep up the good work!

          1. 46

I’m that kind of a person, though I don’t have a gray beard. To me it’s just cringe (for lack of a better word), just like an unironic “euphoric” atheist, a gun-obsessed anarcho-capitalist, a “My Little Pony” fanboy or a western-anime otaku. I honestly don’t see what the difference is.

            Any blog that tries to mix that kind of usually fringe subculture is fine by itself, people are strange, but I have my doubts how relevant it is to a general-public site like Lobsters.

            That being said, I didn’t flag it, I’ll just be hiding it.

            1. 16

              Setting aside how cringe or not it is, we should evaluate the article on its technical merits.

              1. 14

In principle, yes, but we often have discussions on the form of sites (don’t post Twitter threads, avoid Medium, not loading without JS, too low contrast, automatically playing videos), and interspersing a page with furry imagery is just something that some people are used to (apparently this is an American thing), and others are not.

                1. 5

                  It’s not an American thing.

                  I don’t know why you think it is.

                  Eurofurence, Nordic Fuzz Con, and FurDU are just a few of the international furry conventions that attract thousands of attendees every year (COVID notwithstanding).

                  1. 16

Honestly that comes off as saying that McDonald’s isn’t an American thing, because they have joints all over the world. Have you ever wondered why we are writing in English? I think everyone knows that American culture has a kind of dominance that no other culture has, because of Hollywood, TV series and media in general. It’s always the de facto standard, and almost anything that is a thing in the US has a following somewhere else. That has only intensified with the internet. But if anywhere in this thread, this is the point where we would be crossing over into off-topic territory, so I’d suggest we agree to disagree.

                    And regarding

                    I don’t know why you think it is.

                    First of all, Wikipedia says

                    The furry fandom has its roots in the underground comix movement of the 1970s, a genre of comic books that depicts explicit content.[5] In 1976, a pair of cartoonists created the amateur press association Vootie, which was dedicated to animal-focused art. Many of its featured works contained adult themes, such as “Omaha” the Cat Dancer, which contained explicit sex.[6] Vootie grew a small following over the next several years, and its contributors began meeting at science fiction and comics conventions.

So it literally comes from the US. But setting that aside, even if I didn’t know that, it’s something so inherently American that I would have been really surprised that something that at the same time desexualizes bestiality (by removing the inherent link) and sexualizes animals (by giving them human cues of attractiveness and anatomy) could come from anywhere else.

Edit: Also I was curious and looked it up, “Nordic Fuzz Con” had 1499 attendees in 2020, but considering how many countries these people came from, it’s approximately 0.000008% of the population. It’s common that when people are too online, they overestimate how large their bubble really is. “Eurofurence” with almost twice as many attendees isn’t much better off.

                    1. 2

That’s super off-topic for the discussion, but I’ve recently changed my mind about “American culture”. I now feel that a significant part of it is just universal, liberal culture, and not specifically American (hamburgers, pizzas and sushi being fun gastronomical examples). This post changed the way I think about this.

                    2. 2

                      I don’t know why you think it is [an American thing].

                      Probably due to mako’s comment, which said they “always considered it an American subculture”. I hadn’t heard of it being American before… thanks to your comment I’ll unlearn that.

                2. 12

                  Lobsters is general public? :-)

                  I think you could tack on just about any group and the content would be pretty much the same. “…for punks,” “…for people with a pulse,” or whatever. I’ve no strong opinion on furries. As long as their hobbies are not hurting anybody, I’ll just file it in the “not my thing, but not hurting me” bucket and see if the rest of what they have to say is interesting or not.

                  1. 11

                    Technology doesn’t exist in a vacuum. Practitioners, users, researchers, and creators are people whose experiences of technology will be informed by their lifestyle preferences, race, gender, queerness (or not), positionality in society, past experiences, mental health, hobbies, friends and so on.

                    It’s ridiculous and downright depressing to me that anyone would consider a blog off topic because the writer chose to make their technical narrative their own. It strikes me as the kind of narrow thinking that leads the tech industry to not be a very accessible or diverse place in general.

                    Divorcing technology from the real world leads to isolation and atrophy (to borrow the words of Courant). It reduces diversity, leads to moral atrophy, and systems built without empathy for users.

                    And it leads to gatekeeping. Don’t do that.

                    1. 8

                      The cringe is a reaction of your own, not the content itself. I would avoid downvoting a post just because of my relationship to it, so I’m glad you made the same call.

                      1. 11

                        Lobste.rs caters to a very specific subculture that exists in the IT sector that is in itself part of a broader subculture of technology creators and maintainers. It’s just that you think your subculture is important enough to be let in and others are not.

                        1. 11

                          You’re right that “technology” is a subculture, but my claim is that we are perpendicular/stochastically independent to “furry culture”.

                          It’s just that you think your subculture is important enough to be let in and others are not.

I would very kindly ask you not to be this elitist about this; this is explicitly a technology site, with no further designations. The community has its tendencies, this way or another, but that doesn’t change the fact that the average to something as obscure as a “furry” will be received with some hesitation. This isn’t anything personal; I can imagine that if I went to some “normal” site like Facebook and started talking about the need for Free Software, most people would consider me crazy.

                          1. 8

                            It’s the exact opposite of being elitist, it’s about being inclusive. You call “technological community” a thing that is aligned to your culture and values and it’s just a very small fraction of the people that produce digital technology. You universalize it because you cannot conceive that there might be different ways than yours of producing technology together. You believe your way is THE way and you reject other ways.

                      2. 11

                        I don’t think it’s greybeards, rather non-Americans. I’m in the UK, London, and if there’s a furry subculture here it is so microscopic that I’m not aware of it. I’ve always considered it an American subculture, and possibly mostly silicon valley, but certainly for non-Americans I think it’s very obscure. I didn’t vote either way, and have no idea what the furry thing is about, just glimpse it once in a while.

                        1. 11

                          For what it’s worth, in America you don’t just see people walking around expressing as furries while they shop for groceries. Most of us have never run across the culture in person. I think it’s not that this is an American phenomenon but that online spaces are safer, so that’s where you (and we) see them.

                          1. 3

                            just how microscopic would it have to be for you to not be aware of it? do you keep tabs on all… culture… in London?

                            1. 1

                              It’s honestly not very hard.

                          2. 10

                            I really enjoy most of the aesthetic of your pages, and the technical content! I just don’t like the random stuff being jammed in between it. I don’t need a bunch of reading space occupied by a full color, artistic, glorified selfie 6 times. Or in the case of Mara’s first appearance, 16 times.

                          3. 19

I’m not going to flag it, but the “for furries” bit certainly is off-topic

                            1. 39

                              Furry is my blog’s aesthetic and theme, and a significant chunk of the content, but the focus is 99% encryption. The parts that are furry-relevant are:

                              1. A lot of tech workers are furries (or furry-adjacent).
                              2. I’ve found that furries are generally more comfortable with the abstraction of “identity” from “self” than non-furries. I generally attribute this to the prevalence of roleplay in our culture. (I remarked on this detail in the post.)
                              3. Implied but never stated in this particular article: Since roughly 80% of furries are LGBTQIA+, and queer folks are likely to be discriminated against in many locales, improving furry technology will likely have a net positive impact on queer privacy in oppressive societies.

This page isn’t so much for furries as it is from a furry, published on a furry blog, and with a bad furry pun in the title.

                              1. 27

                                You don’t actually need to entertain anti-furry sentiment. And do not worry either, there’s also people who appreciate this. I’d rather see furries than most common traits of the modern web.

                                1. 19

                                  A lot of tech workers are furries

                                  For certain values of “a lot”. I’d guess that this kind of stuff is more popular in the US than in India.

                                  1. 28

                                    The main problem with this kind of title phrasing is the forced communication of a political/sexual/whatever message, which is off-topic for the site, and most people don’t care, and don’t want to care for it.

Anybody visiting the link would see that the page has a furry aesthetic. Then they would have the chance to read the article, or close the page. This way a message is promoted on the main page. I think identity politics are already too emphasized and destructive in discussions, and have a bad effect on communities and society. Consider seeing things like a Heterosexual Christian father’s guide to unit testing on the front page. Without judging anybody’s identity, this is not the place and form for that topic and that kind of statement.

                                    1. 15

                                      I wonder why the simple reminder of a group’s existence bothers you so.

                                      1. 17

For some reason you failed to understand my point, and are accusing me of something instead of arguing my points. Most likely this is because of my inability to phrase my point efficiently.

But in the same spirit: I wonder why I even need to know anybody’s affiliation at all in the context of a technical discussion?

                                        1. 11

                                          One could make the same argument to flag “Beej’s Guide to Network Programming” or any post about how company X solves their problems.

                                          1. 10

                                            And usually they do so, considering it as spam, a form of advertisement… Only not of the political, but of the business kind.

                                            1. 4

                                              I don’t think you are familiar with at least the first example.

                                              1. 6

                                                But at least I can be familiar with the second example…

                                                Your style is not that of a Friendly engineer.

                                                1. 4

                                                  There was a time he went by a different name…:p (angrysock)

                                          2. 6

I wonder why I even need to know anybody’s affiliation at all in the context of a technical discussion?

Because the author decided that their “affiliation” is relevant to their content, that’s it. You don’t need to follow that thinking; you can opt out of reading their article, even hide it on sites like lobste.rs.

Any article tells you something about the author’s identity and cultural affiliations. And most of us just fill the blanks with defaults, where details are missing. I.e. an author’s gender on technical content is often assumed to be male, if not stated otherwise. Most of us who grew up in societies with Christian majorities just assume that most guides to unit testing are a variation of the “Heterosexual Christian father’s guide to unit testing”. That’s bad because it taints our perspective, even on the already factual diversity of tech and the net. So IMHO it’s a good thing if more of us keep their affiliations explicit and maybe even reflect on how those influence their perspectives.

                                            1. 3

                                              Your points aren’t worth arguing. You assert several things (“most people don’t care,” “have a bad effect on communities”) without any supporting evidence. To the first about whether people care and “don’t want to care” – I don’t find that persuasive even if you can provide evidence that a majority of people don’t want to be confronted with the identities of people who’re considered outside the mainstream. But I also suspect you’re making an assertion you want to be right but have no evidence to back up.

                                              Likewise, what even is a “bad effect on communities and society”?

                                              You also express an opinion (“I think identity politics are already too emphasized”) which I heartily disagree with, but that’s your opinion and I don’t see any point arguing about that. OK, you think that. I think too many craft beers are over-hopped IPAs and not enough are Hefeweizens. The market seems to disagree with me, but you’re not going to convince me otherwise. :-)

                                              1. 7

                                                Your points aren’t worth arguing.

                                                Start with a thought-terminating cliché. Then you start arguing my points. :) No problem.

                                                To the first about whether people care and “don’t want to care” – I don’t find that persuasive even if you can provide evidence that a majority of people don’t want to be confronted with the identities of people who’re considered outside the mainstream.

                                                I understand your points, but you didn’t really grasp what I wanted to phrase. IMHO “mainstream” and other identities should not confront each other here unless being technically relevant ones, about which technical discussion can be carried on. There are other mediums for those kind of discussions.

Luckily someone has managed to phrase my ideas better than I could above:

                                                https://lobste.rs/s/mn1am1/going_bark_furry_s_guide_end_end#c_xndsrl

                                            2. 14

                                              As I understand @kodfodrasz, they were bothered not inherently by the reminder of the group’s existence, but by the broadcasting of that reminder to the Lobsters front page. When an article title on the front page asserts the author’s voluntary membership of a group, that is not only a reminder that the group exists—it’s also implicitly an advocation that the group is a valid, normal, defensible group to join. One can agree with the content of such advocacy while also disliking the side effects of such advocacy.

What side effects would those be? @kodfodrasz said that “identity politics are already too emphasized and destructive in discussions, and have a bad effect on communities and society”. I think they are referring to the way advocacy for an identity can encourage an “us vs. them” mindset. Personally, I see the spread of that mindset as a legitimate downside which, when deciding whether to post such advocacy, must be balanced against the legitimate upside that advocacy for a good cause can have.

                                              1. 9

                                                ^ this

My assertion is that currently I see a trend where legitimate topics are not discussed because some participants in the discussion have specific opinions on other topics than the one discussed. Dismissing some on-topic opinions for off-topic opinions is an everyday trend, and if bringing our off-topic identities to the site would gradually become more accepted, then that trend would also creep in from other parts of society, where it has done its harm already.

I hold this opinion as a guide for every off-topic identity. I think of it with regards to this forum a bit similarly to how the separation of church and state has happened in most of the western world.

                                                1. 6

                                                  by the broadcasting of that reminder to the Lobsters front page

                                                  The submitter (author in this case) has one “vote” in promoting their content on this site. Usually one net upvote keeps stuff in /new and outside the front page. What’s promoted this content to the front page is the site’s users, who have upvoted it enough to appear on it.

                                                  At time of my writing this comment, the current standing is

                                                  50, -7 off-topic, -4 spam
                                                  

                                                  Also note that comments themselves contribute to visibility, so everyone commenting complaining about this being off-topic and “in your face” aren’t helping their cause…

                                                  1. 5

                                                    When an article title on the front page asserts the author’s voluntary membership of a group, that is not only a reminder that the group exists—it’s also implicitly an advocation that the group is a valid, normal, defensible group to join.

                                                    Are you (or @kodfodrasz) implying that identifying as a furry is in some way so dangerous as to be suppressed by society at large?

                                                    1. 2

                                                      One can agree with the content of such advocacy while also disliking the side effects of such advocacy.

                                                  2. 4

                                                    Would you be fine with a BDSM-themed blog post on a tech topic?

                                                    1. 10

                                                      It depends how the theme is explored.

                                                      If it uses BDSM culture to explore the nuances of consent in order to explain a complicated technical point, I’m all for it.

                                                      1. 3

What if it’s just interlaced with drawings of BDSM activities, like that old GIMP splash screen? I wouldn’t be caught dead scrolling that (nor opening GIMP) at work.

                                                        1. 8

                                                          If you work at a place that cares more about some bullshit policing of imagery than technical merit, that’s a yikes from me.

                                                          1. 5

                                                            There’s an inherent sexual quality to BDSM that isn’t inherent to furry culture.

                                                            You do realize that, correct?

                                                            1. 6

                                                              Strictly speaking that isn’t necessarily true about BDSM.

                                                              1. 3

                                                                Oh? This is news to me.

                                                                1. 16

                                                                  Yep. There are people, for example, for whom submission is not a sexual thing but instead about being safe and there are people for whom having a little (in the subcategory of dd/lg) is about having somebody to support and take care of and encourage in self-improvement.

                                                                  That’s not everyone, the same way that there are in fact furries who are all about getting knotted.

                                                                  My point is just that if you want to go Not All Furries, you should be similarly rigorous about other subcultures.

                                                                  1. 6

                                                                    o/ I’m asexual but still very into BDSM (and also a furry!). I know what something being sexualised feels like — took a while to get here — and while a lot of people do link the two intimately (as many do for furry things), they aren’t dependently linked.

                                                          2. 6

                                                            Actually, I know a real example. There is a Python-related French blog named Sam et Max. The technical articles are generally considered high-quality by the French-speaking Python programmers. But there are also BDSM- and sex-related articles alongside the Python articles. Even within a Python-related article, the author sometimes makes some references about his own fantasies or real past experience.

                                                            1. 4

As long as there’s no overt pornography, sure. I’d read a good article on crypto that had “by someone currently tied up” on it. What’s the point of writing if you get shamed for putting your personality in it?

                                                              1. 3

                                                                Already mentioned elsewhere but it’s my understanding that being a furry isn’t inherently sexual / about sex, though there can be that aspect. I certainly wouldn’t mind a post that was something like “a lesbian’s guide to…” or “a gay person’s guide to..” because those identities encompass more than sexual practices. (Someone elsewhere says that BDSM isn’t strictly speaking sexual, which … is news to me, but I admit my ignorance here. If there’s a non-sexual aspect to BDSM identity then sure, I’m OK with a BDSM-themed post on tech.)

                                                            2. 5

Consider seeing things like a Heterosexual Christian father’s guide to unit testing on the front page.

                                                              That goes without saying, because that’s the default viewpoint.

                                                              The way the author clarifies and establishes their viewpoint does not make their technical content anymore off topic than someone submitting something titled “A Hacker’s Guide to MFA” or “A SRE’s Guide to Notifications”. The lens that they are using to evaluate a technical topic is an important piece of information that we often-times forget in tech with disastrous outcomes.

                                                              1. 13

No, it is not necessarily the default. But even if it were, articulating that off-topic identity on the front page would be unnecessarily divisive, and I’m pretty convinced that people of other identities would flock to the comment section claiming that the post is racist (sic!), is not inclusive, and hurts their feelings, and I think they’d be right (on this site).

                                                                Hacker or SRE are on-topic tech identities themselves, while sexuality, political stand, religion are not really.

                                                                1. 6

Hacker is a political identity. For instance, it’s one that I find really degrading when associated with the whole profession. The nerd identity or the general infantilizing of programmers is degrading as well. These are tolerated because they are the majority’s identity in this specific niche and presented as “neutral” even though they are not.

                                                                  1. 4

Well I see some positive vibe about the hacker word in the IT sector, if you remember there was some hacker glider logo thingie around the millennium. I’m not one of them, and agree with you, I also find hacker somewhat negative, and not because of the “evil hacker”, but because of the unprofessional meanings of the phrase (e.g. quick hack). Still lots of fellow professionals don’t agree on this one with us.

                                                                    Regarding Nerd: I also find the phrase degrading, and I don’t understand those who refer to themselves as nerds in a positive context.

                                                                    1. 7

                                                                      I don’t understand those who refer to themselves as nerds in a positive context.

The best way of removing the degrading connotation of a word is to rewrite its meaning. The best way to do that is to unironically use it in a neutral-to-positive context.

                                                                      1. 1

Yeah, but the problem is what you want to appropriate. The word “slut” has been reappropriated to defend the right for men and women to have sex freely without judgement. The word “nigger” has been reappropriated because black people are proud of being black. But the word “nerd”? “Nerd” means being obsessed with stuff and having very poor social skills and connections. Reappropriating the word flirts very closely with glorifying social dysfunctions, exclusion and individualism.

                                                                        1. 4

                                                                          Reappropriating is done because there are negative connotations that we want to take out of focus; that’s the whole point.

                                                                          1. 1

But nerd is IMHO all negative. The positive connotations, like being dedicated and consistent on a practice, are not exclusive to being a nerd. Being a nerd is not even stigmatized anymore: now it’s cool to be a nerd and still it’s degrading, like being a circus freak. You reappropriate a word to remove a stigma towards a category, but the stigma is already gone and what is left is a very distorted portrayal of knowledge workers.

                                                                            1. 4

                                                                              That the stigma is gone is precisely because people took the term and ran with it.

                                                                              Besides, I have no problem with assholes (whose opinion of me is no concern of mine) considering me a circus freak: it makes them keep themselves at a distance which means less work for me to get the same desirable result.

                                                                              (Also: I disagree with the term “nerd” glorifying “social dysfunction” - normalizing, maybe, but that’s a very inclusive stance, especially when these “dysfunctions” are called by their proper name: neurodiversity. And what precisely is the problem with individualism again? And another tangent: knowledge workers aren’t necessarily nerds and nerds aren’t necessarily knowledge workers)

                                                                              1. 1

                                                                                I agree with all your values but it doesn’t seem like this is what’s happening in the real world. Inclusion of neurodiversity is happening only in a small bubble in USA/NE: if anything, neurodiverse people are just more aware of being different. Good for coping, not that good for social inclusion. Really neurodiverse people are still rejected by society at large and at best they get tokenized and made into heroes but not really included. Also this appropriation of the word detached the concept of nerd from neurodiversity: if it was ever a thing, it’s not a thing now. Today being a nerd is wearing glasses and a checkered shirt. Then if you flirt flawlessly with girls, entertain complex social networks and work as a hairdresser, it’s enough to say your hobby is building radios and boom, you’re a nerd. I don’t see how this process would help neurodiverse people and I don’t see how it is good to have to live up to this stereotype to be included in the IT industry (because in most places, if you are not some flavor of nerd/geek, you’re looked at with suspicion).

                                                            3. 15

                                                              A lot of tech workers are furries (or furry-adjacent).

                                                              I don’t doubt that a lot of furries (or furry-adjacent) might be tech workers, but I’m not sure your statement is accurate, given just how many tech workers there are.

                                                              1. 7

                                                                For most people, “Furries” is “that weird sex thing”. I can see a lot of people wanting to make it clear that sexual references are out of place in order to make tech a more comfortable and welcoming place for everyone. I suspect that famous Rails ‘pr0n star’ talk has (rightly) made people feel uncomfortable with sexual imagery in tech.

                                                                I’ve upvoted because the content is good, but I’m also not really one for keeping things milquetoast. I’d like to see more content like this. The technical parts are worth reading, even though I have no interest whatsoever in furries, and mildly dislike the aesthetic.

                                                                And yes – I’ve discovered today via google that it’s only a sex thing for 30% to 50% of the people in the subculture, but as an outsider, the sexual aspect is the only aspect I had ever heard people mention.

                                                                Going forward, I’d just suggest ignoring the downvotes and moving on – they’ll always be there on anything that’s not boring corporate talk, and the threads like these just suck the air out of interesting conversation.

                                                                1. 3

                                                                  [edit: content moved to different post, this was accidentally off-by-one click]

                                                                2. 12

                                                                  Yiff it bothers you, why not just read it without the images? Firefox reader view works great fur me.

                                                                  1. 9

                                                                    It doesn’t claim to be for furries, it claims to be by one.

                                                                    1. 5

                                                                      Is it, though? If it was written as “a teacher’s guide to end-to-end encryption” would anybody be flagging it or carping about the title just because the intended / primary audience was teachers but the content could be abstracted to anybody who cared about end-to-end encryption?

                                                                      1. 11

                                                                        That’s a good type of question to ask, but your example title “A Teacher’s Guide …” is not equivalent. The author being a teacher could be highly relevant to the content of the article; for example, the article might especially focus on the easy-to-teach parts of encryption. The author being a furry, however, is likely to affect only the theme.

                                                                        Analogous titles would change “furry” to another subculture that is not innately connected to tech and that people choose rather than being born with. Two examples:

                                                                        • “Hide my Waifu: An Otaku’s Guide to End-to-End Encryption”
                                                                        • “Communication is Key: A Polyamorous Person’s Guide to End-to-End Encryption”

                                                                        Would people complain about those titles? I predict that yes, some people would, though fewer than those who are complaining about the furry-related title.

                                                                    2. 5

                                                                      Obviously it’s great that someone wants to give us this information. In return we should give them respect and thanks.

                                                                      Showcasing their identity not only gives personal color to the post, it also donates some of the credit to the community they identify with, rather than to some default security engineer type we might imagine.

                                                                      Thanks to this personal touch, some readers can no longer say furries are unintelligent, or never did anything for them.

                                                                      1. 4

                                                                        Belatedly, but I’m following up on these flags. I missed this story and am reading through it now.

                                                                      1. 7

                                                                        Thanks for this proposal! Just two days ago, I went looking for such a talk and fell back to full-text search of “nixos”, but searching for “nix” alone is difficult, as it’s often used in constructs like “*nix” to mean Linux and other Unices.

                                                                        1. 3

                                                                          Puppet or Chef are great for more complex systems - managing whole companies from servers to switches and everything in between. But for your use case, I agree that it sounds like either an externally managed Container Platform (EKS, GCP, DO, …) or 1-n virtual machine(s) on your favourite provider (number depends on expected traffic and uptime constraints; want zero downtime deployments?)

                                                                          For a small number of different machines, a simple ansible playbook (with or without docker or podman) seems like the right solution.

                                                                          (source/context: I do SysOps with bare metal as well as cloud providers for a living)

                                                                          1. 2

                                                                            Yes, this seems like the way to go forward. I thankfully only have a single dependency, so I don’t think I need docker.

                                                                          1. 7

                                                                            As per the current landscape, there is no distribution-scoped package manager which uses images and leaves out hooks and triggers, not even in smaller Linux distributions.

                                                                            While that’s true as far as I know, I think Fedora Silverblue comes pretty close by using OStree and Flatpak.

                                                                            EDIT: And resinstack.io comes to mind, saw it recently here on lobste.rs. I guess many other projects based on linuxkit could qualify as well, as they end up using OCI container images to ship (sub)trees of Linux filesystems in a somewhat comparable fashion to flatpak.

                                                                            1. 5

                                                                              While that’s true as far as I know, I think Fedora Silverblue comes pretty close by using OStree and Flatpak.

                                                                              I agree, but the OSTree part is fairly limited in that it is not really a package manager, but just an OS image that consists of layered snapshots (as far as I understand). rpm-ostree adds some flexibility, but as far as I understand it is basically performing RPM installs and then creating OSTree snapshots of that. So, it is an impure, imperative traditional package manager shoehorned into the OSTree world. Of course, it does bring many benefits (atomic updates/rollbacks).

                                                                              I think for Red Hat’s vision where every desktop application is a Flatpak and all development and deployments happen in containers, this is a great approach. But it is fairly limited for folks who want to have the flexibility of a traditional Linux distribution, but with a non-global namespace (ability to install several versions/configurations of a package side-by-side), atomic upgrades/rollbacks, immutable system, etc.

                                                                              Here IMO, Nix, Guix, and Michael’s work are much more promising.

                                                                              (Sorry @phaer for piggy-backing on your comment, what you say is absolutely correct.)

                                                                              1. 2

                                                                                No worries, @danieldk. Thanks for your input, I do agree regarding the limitations of OSTree. It’s still interesting to me as its backing by RedHat makes it much more likely to be deployable in enterprise contexts. In smaller, more hacker friendly environments, Nix, Guix and distri might be more promising :)

                                                                                1. 1

                                                                                  It’s still interesting to me as its backing by RedHat makes it much more likely to be deployable in enterprise contexts.

                                                                                  I agree. Regardless of whether there are more revolutionary approaches, what Red Hat is doing is a big step forward, and it is nice to see that one of the big players is exploring this space.

                                                                            1. 5

                                                                              The author points out that the “no warranty” bits are in the pinephone license, but completely misses that the exact same text is in every software license.

                                                                              1. 8

                                                                                The author seems to focus on power and thermal management features of the SOC. These are often managed by proprietary firmware on other platforms, even while they may be running Linux as well. While the “no warranty” clause is in pretty much every FLOSS license, it isn’t in many proprietary ones.

                                                                                1. 4

                                                                                  From the “Warranty” on iOS & iPadOS:

                                                                                  This Warranty does not apply to any non-Apple branded hardware products or any software, even if packaged or sold with Apple hardware. Manufacturers, suppliers, or publishers, other than Apple, may provide their own warranties to you – please contact them for further information. Software distributed by Apple with or without the Apple brand (including, but not limited to system software) is not covered by this Warranty.

                                                                                  From the “License” on same:

                                                                                  7.3 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE APPLE SOFTWARE AND SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND APPLE AND APPLE’S LICENSORS (COLLECTIVELY REFERRED TO AS “APPLE” FOR THE PURPOSES OF SECTIONS 7 AND 8) HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE APPLE SOFTWARE AND SERVICES, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, QUIET ENJOYMENT, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS.

                                                                                  1. 1

                                                                                    It is in nearly every proprietary software EULA I’ve seen, in my work as a license compliance officer.

                                                                                    1. 2

                                                                                      Really? Proprietary firmware for things like power management chips comes without any warranty according to their license? I would assume that some warranties would be mandated by regulatory bodies, at least here in Europe, but I am clearly not an expert on that topic.

                                                                                      1. 2

                                                                                        Sometimes there are limited warranties as regulators require but they’re a lot more rare than any sensible person wants them to be.

                                                                                        It is more common in firmware, certainly, but still uncommon.

                                                                                  2. 3

                                                                                    It’s not the same in every software license. Expensive proprietary charging controller firmware probably does come with a warranty of sorts.

                                                                                    The license text is there for a reason; you don’t have a legal recourse for when the software goes wrong (to the extent permitted by law). That’s fine for most things, but you’d not want software you use under such a license to be the sole thing responsible for preventing your house from burning down, IMO.

                                                                                  1. 4

                                                                                    Sounds like most of this is provided as part of https://www.resinstack.io/

                                                                                    1. 1

                                                                                      Sounds interesting, as it’s still based on Linux and OCI containers.

                                                                                      But if I am understanding it correctly, Resin wouldn’t support features such as resource quotas for containers without a Nomad Enterprise, because quotas aren’t supported in the free version?

                                                                                      1. 2

                                                                                        Sounds interesting, as it’s still based on Linux and OCI containers.

                                                                                        Nomad has a really nice plugin interface. So while it might be out of scope for this project, I wonder if a similar approach could be used to create something like this on other projects. pot for FreeBSD already exists. I imagine things like extending exec to also work with a capsicumizer style approach. I have recently been playing around with sandboxing using OpenBSD’s pledge and unveil and Go (it’s really straightforward) and I can imagine something where Nomad (the plugin that is) decides what a forked process is allowed to do. On top of that bhyve could be used (Docker uses xhyve on macOS anyways) or vmm or other hypervisors.

                                                                                        Also I think Nomad’s plugin architecture would be really interesting for running all sorts of microkernels, Solaris zones or maybe CloudABI or more experimental approaches.

                                                                                        So many ideas, so little time.

                                                                                        1. 2

                                                                                          Resource quotas for individual containers are available in the free version, just not at the namespace level.

                                                                                      1. 4

                                                                                        Doesn’t https://irmin.org/ fit the bill?

                                                                                        Embedding might be complicated outside the OCaml-verse - I haven’t tried - but as Irmin can even be compiled to a Unikernel, I guess it should be pretty portable.

                                                                                        1. 1

                                                                                          I just received the link for irmin somewhere else, but I haven’t looked at it yet. At a first glance, it looks like a great place to get inspirations from.

                                                                                          Even though I could compile it, say, for iOS, it would be a tough sell to an iOS programmer to actually add any dependency that’s not either Swift, Objective-C or C. Bringing the OCaml runtime with the executable binary would be a red flag.

                                                                                          Another way to say “embedded” could be “cross platform”, as in POSIX, Windows, iOS, WASM, etc.

                                                                                          1. 1

                                                                                            If it’s able to compile, I guess one could possibly interface C (and the others) by using OCaml’s FFI, not sure how it would work with the constraints of iOS. You should theoretically be able to link it statically, but I have never tried that, and don’t know how that works for Irmin specifically.

                                                                                        1. 3

                                                                                          Why not both? There’s Next.js which is definitely not as light as the framework described in the post, but the page is still initially rendered on the server and client-side React takes over only for further interactions. It’s not perfect, but I think it’s a good compromise. Though obviously your custom framework will serve you better than a massive framework like Next.

                                                                                          1. 3

                                                                                            But that’s what we had before! It still makes the life of a simple Android user a pain. :)

                                                                                            1. 1

                                                                                              As someone who mostly left frontend web development ~5 years ago, I enjoyed using Next.js as it was relatively easy to build internal management applications with React (and TypeScript as well as AntD in my case). So my perspective is from someone who’s not doing JavaScript fulltime.

                                                                                              That said, rendering data server side and “hydrating” it later on with lots of JavaScript can easily lead to several megabytes per page load. Next.js’s solution with getStaticProps / getStaticPaths / getServerSideProps seems flexible enough to handle it, but some trade-offs might be involved.

                                                                                            1. 8

                                                                                              Mind blown; I have had an on-off relationship with web development since ~2004 and have been a fan of XPath since at least 2009, and I never knew that there was a cross-browser JS API for XPath until I read your post. Not sure how that happened, thanks a lot!

                                                                                              1. 4

                                                                                                I’m very excited to read this article because I have exactly the same problem the author has - I run a server that requires a decryption password to be input on startup. In fact, even without leaving my house, I have the problem that my server is not near my monitor; so even though I do have a spare keyboard hooked up to it at all times (not ideal), whenever I reboot I need to drag my only monitor over to where it is. So being able to use a raspberry pi to control this would be very helpful.

                                                                                                1. 7

                                                                                                  Besides physical lights-out appliances, there’s dropbear-initramfs for Debian & derivatives as well as dracut-sshd for Fedora & friends which can be used to unlock hard disks via SSH from your initial ramdisk.

                                                                                                  1. 0

                                                                                                    These are really impressive solutions that I hadn’t seen before, thanks for posting them!

                                                                                                1. 1

                                                                                                  I didn’t get this article, could someone summarize it, please? I got that Talos might be some POWER9 system, and that the author is now running nested virtualization on it, but I fail to understand the importance.

                                                                                                  1. 3

                                                                                                    It’s actually an article about how you can use QEMU to emulate OpenPOWER systems like the Talos II on other platforms, so you can experiment with the platform instead of having to jump in with both feet if you’re concerned about the cost. If you’re not interested in those systems, this article won’t be relevant to you.

                                                                                                    1. 1

                                                                                                      Is Talos II (or other Raptor Systems stuff) the only available OpenPOWER system? Or are there others? Search engines don’t get me much farther than Raptor so far.

                                                                                                      1. 2

                                                                                                        No, because naturally IBM sells them too. There are also the Tyan and (I think) Wistron machines.

                                                                                                        However, those are all servers, and IBM – from personal experience, even – doesn’t do end user sales. Raptor sells servers too, of course, but they offer them retail. They’re a small business and COVID-19 has slowed their ship times, but you can plunk down a credit card and buy one, so they’re easiest to acquire. On the other hand, if what you want is an OpenPOWER workstation, Raptor is currently the only game in town.

                                                                                                        1. 1

                                                                                                          Thanks. Workstation is my primary interest, but I was curious about the whole space. I’m probably a couple years away from rebuilding my (Threadripper based) workstation, but when I do I’d like to consider one of these. I’m hoping some other options emerge (from Raptor or others) because right now it doesn’t look like the $3000-ish I usually budget goes very far with their current offerings.

                                                                                                          1. 2

                                                                                                            The main cost is the motherboard, and there’s just no economy of scale there right now. The CPUs are IBM binned, so they have some volume and price similar to Intel and AMD, but the boards (even though you get schematics and they’re based on the IBM reference design) are still specific to Raptor and manufactured in small numbers. $3000 could get you an 8-core Blackbird (32 threads) if you shaved a couple corners, but that may be less system than you want. My dual-8 Talos II main workstation with the bells and whistles would probably price around $7500 currently.

                                                                                                    2. 2

                                                                                                      Not an expert on that topic, but as I understand it, Talos currently offers the only workstations on the whole market which can be run without any closed firmware while being somewhat competitive with regards to performance.

                                                                                                    1. 2

                                                                                                      BazQux is awesome. I’m disappointed nobody else has mentioned it yet.

                                                                                                      1. 3

                                                                                                        I also use BazQux and am very happy with it. I previously used a self-hosted version of tt-rss, but gave up when it started to fail too often on valid feeds with parsing errors and because of its obnoxious maintainer.

                                                                                                        1. 2

                                                                                          Also partially written in the rather obscure functional language Ur/Web: https://github.com/bazqux/bazqux-urweb

                                                                                                          1. 1

                                                                                                            More about that in this blog entry and the message it links to.

                                                                                                        1. 11

                                                                                                          I wish it was easier to self host, I really do. I tried 3 times over the last 2 months to host jitsi. It’s a ridiculously complicated web of software, and impossible for anyone new to this to figure out how it’s all supposed to work when it doesn’t.

                                                                                                          First attempt was using the magical ‘curl |bash’ method on debian, which installed but I could never get 3-way video chat to work reliably.

                                                                                                          Second attempt was with their docker-compose project. After much effort trying different branches and config changes (both officially documented, and suggested in various issue comments in their repo), I ended up with something where 2-way video chat didn’t work reliably, and 3-way didn’t work at all.

                                                                                                          Third attempt was installing packages from AUR and hoping that I could figure out how it’s all supposed to work together so that I could get it to actually function. I got less far than the previous two attempts.

                                                                                                          1. 7

                                                                                                            Probably not much of a help to you but for others, NixOS just got support in release 20.03 and you should be able to use it like so:

                                                                                                            services.jitsi-meet = {
                                                                                                              enable = true;
                                                                                                              videobridge.openFirewall = true;
                                                                                                            };
                                                                                                            
                                                                                                            1. 3

                                                                                                              Thanks. I don’t use NixOS, but maybe this is a great time to try it.

                                                                                                              1. 3

                                                                                                                The PR wasn’t merged yet, as far as I can see:

                                                                                                                https://github.com/NixOS/nixpkgs/pull/82920

                                                                                                                Also the option search did not show the jitsi options.

                                                                                                                That said, the reviewers are being diligent but the PR is shaping up being super nice! The current blocker is to have some meaningful tests for the PR, which is difficult because you need to fake video input, do some screenshots, compare them or something like that.

                                                                                                                I did rip the relevant parts from the PR and make them available separately here in my nur-packages repo.

                                                                                                                1. 1

                                                                                                                  Ah bugger, sorry, for some reason I thought it got merged a while ago!

                                                                                                              2. 3

                                                                                                                I got it working on my second attempt using docker-compose and traefik as a reverse proxy. I could write a blog post about my setup if you think that could be of any help.

                                                                                                                Haven’t tried 3-way calls, yet…

                                                                                                                1. 2

                                                                                                                  That is a good thing to test since two-way calls don’t involve the bridge, which you probably know.

                                                                                                                  For me, I could reproduce problems by even just opening the same conference in chrome/chromium three times or more. Only with the correct setup would I see the video feeds for all tiles in gallery view.

                                                                                                                  1. 1

                                                                                                                    I did not know the bridge was not involved! I will test 3-way calls today.

                                                                                                                  2. 1

                                                                                                                    Open 3 tabs and you should have 3-way calls.

                                                                                                                  3. 3

                                                                                                                    Jitsi Meet is easy to install on e.g. Debian by adding the correct repo (deb https://download.jitsi.org stable/) and installing the jitsi-meet package. This will pull in the required packages (jicofo, jitsi-meet-web, jitsi-meet-web-config, jitsi-meet-prosody) and suggests installing a TURN server (jitsi-meet-turnserver). On installation you’ll be asked what domain you want to use (give it a FQDN, i.e. somewhere.example.com instead of somewhere). Open up the firewall to UDP:10000 for Jitsi and whatever you use for XMPP/BOSH/TURN/TURNS (I submitted a PR to get them to use the IANA-assigned ports for TURN/TURNS as that currently is a bit of a mess), but after that my experience is that it just works.

                                                                                                                    1. 2

                                                                                                                      The basic features of jitsi work ok. Try debugging jibri (Xorg server with a custom Linux kernel module for audio loopback, starting chromium, starting the JavaScript web client, recorded with ffmpeg and using PJSUA for providing a SIP stack) video encoding errors or enabling Web Tokens and that is another story.

                                                                                                                      As long as it works out of the box and you do not have to dig into the internals, it is easy.

                                                                                                                      1. 1

                                                                                                                        Yes! I didn’t think this was too difficult (sure, it could be a bit easier). Here are some tips we use: https://j11g.com/2020/05/04/jitsi-finetuning-and-customization-tips/

                                                                                                                      2. 2

                                                                                                                        The official guide is fairly easy to follow IMO, and I never had issues on 3-way calls after installing it on debian buster: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart

                                                                                                                        Jibri (the optional recording/streaming component) however is a lot more painful. It requires Java 8 (or else video recording doesn’t terminate properly; use of Java 8 causes cert issues on jicofo if you use Let’s Encrypt, as the adoptopenjdk8 certstore doesn’t have LE), lots of cert tweakery (the one I mentioned about adoptopenjdk8 earlier; if you use self-signed certs, chrome itself doesn’t like self-signed certs so you’ll either have to trust the cert or run chrome in an insecure way), a kernel with ALSA loopback capture support (can’t remember the name of the kernel module, but basically -cloud kernels don’t work, and I had no success getting it to work in a container) etc.

                                                                                                                        1. 1

                                                                                                                          I managed to get Jitsi Meet working first time with the quick install instructions, however, I ended up spending days trying to get the JWT auth working which was incredibly frustrating.

                                                                                                                          In the end I scrapped my first attempt and found a post on the Jitsi forums which had step-by-step instructions for token auth with Ubuntu 18.04 and it worked like a charm. Here’s the link for anyone in a similar situation.

                                                                                                                          1. 1

                                                                                                                            I am running a debian setup and it works fine with up to 6 parties. I have not tried more yet, but I see no reason why it should not work.

                                                                                                                            The thing is that you need more RAM. I started with a small VPS at Hetzner Cloud and it works for 1-on-1 chat, but only because jitsi uses peer-to-peer for those. The moment a third party joins, you need at least 8GB RAM. I upgraded my instance and it works fine now.

                                                                                                                            1. 1

                                                                                                                              but I could never get 3-way video chat to work reliably.

                                                                                                                              Did you check the videobridge logs? The main difference between 2- and 3-way calls is that the latter are using the videobridge, and I had to fiddle around a bit with the way Jitsi’s Debian packaging handled hostnames and certificates. I have an ansible playbook for Jitsi Meet on Debian buster which I could clean up if that would be of any interest.

                                                                                                                              1. 1
                                                                                                                                1. 1

                                                                                                                                  I hadn’t seen that. Thanks for sharing, I’ll read up on it. Maybe I’ll make a 4th attempt soon :)

                                                                                                                                2. 1

                                                                                                                                  That is the whole thing: it is not a Web (HTTP) software: it is an XMPP software: a different protocol for which jitsi-meet is a web-to-xmpp gateway. :)

                                                                                                                                1. 4

                                                                                                                                  Trying to finish my hypervisor setup and starting to migrate various cloud VMs onto it. It’s a dedicated Hetzner server with Debian stable and libvirt. I opted out of libvirt’s iptables shenanigans and to use manually administered nftables rules for the network instead. Works really well so far.

                                                                                                                                  1. 1

                                                                                                                                    I just lost 2.5TB of important data and I’ll be recovering/rebuilding that information all week or maybe all month. And I also live in Iran so I can’t pay for stuff (I explained/cried here: https://social.tchncs.de/@arh/104105168565243534), so I’ll be searching for someone/some foundation that can pay the costs of a year for a Wordpress host.

                                                                                                                                    1. 1

                                                                                                                                      How much traffic/storage are you expecting for your WordPress host? Is it connected to those 2.5TB of data? I am asking because your personal host seems to already run on https://www.autistici.org/, and as you probably know, they run a Wordpress farm at https://noblogs.org/ . I guess that’s insufficient for your needs?

                                                                                                                                      1. 1

                                                                                                                                        Completely unrelated to that 2.5 TB. All my posts take about 200 KiB right now (yes, that small) and I probably won’t use more than 100 MiB of bandwidth monthly. Yes, my website is currently hosted on Autistici/Inventati but they don’t support blogs (PHP/Database) with a personal domain, and I always gave my domain as my main address and I want to use my personal domain for my blog. Noblogs doesn’t support custom domains either (however I have a blog there and I update it whenever I update my blog on my domain). If I can’t find a hosting (that is libre and privacy-focused), I’ll continue using a static site.

                                                                                                                                        1. 1

                                                                                                                                          I read your mastodon post. You may be able to use Jekyll on your phone. This is a post by Aral Balkan on how he’s using Hugo on his phone to power his website. See https://ar.al/2018/07/30/web-development-on-a-phone-with-hugo-and-termux/ Perhaps his experience can help you set something similar up on your phone?

                                                                                                                                          1. 1

                                                                                                                                            That won’t work for me. I’ll need to build my website, which uses some gems, and then upload it to Autistici. Local gems won’t work on a phone. Even if it works, I need something that works everywhere the same and takes less time. But thanks for your message. I really appreciate it.

                                                                                                                                    1. 2

                                                                                                                                      Can’t you also create a CA and sign your ssh private keys with it?

                                                                                                                                      CERTIFICATES
                                                                                                                                           ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication.  Certificates consist
                                                                                                                                           of a public key, some identity information, zero or more principal (user or host) names and a set of options that are signed by a
                                                                                                                                           Certification Authority (CA) key.  Clients or servers may then trust only the CA key and verify its signature on a certificate
                                                                                                                                           rather than trusting many user/host keys.  Note that OpenSSH certificates are a different, and much simpler, format to the X.509
                                                                                                                                           certificates used in ssl(8).
                                                                                                                                      
                                                                                                                                      1. 1

                                                                                                                                        They are generating short-lived certificates through their cli.

                                                                                                                                        1. 1

                                                                                                                                          Right but why not just sign users’ public keys?

                                                                                                                                          1. 1

                                                                                                                                            Not sure what you are getting at, but the thing you quoted is what they are using as far as I understand. And I know of no other ways to sign a users public key. Could you provide an example of what you are trying to achieve and possible benefits over their approach?

                                                                                                                                            1. 1

                                                                                                                                              Create a CA and install it on your servers, then sign your users’ ssh keys with it.

                                                                                                                                              Advantages:

                                                                                                                                              • Relatively simple to set up and supported natively by OpenSSH
                                                                                                                                              • Very similar user experience to manually added ssh keys
                                                                                                                                              • No dependencies on additional infrastructure except for maintaining a revocation list

                                                                                                                                              Disadvantages:

                                                                                                                                              • Less granular permissions
                                                                                                                                              • Doesn’t integrate with existing authentication schemes (like if you already have SSO)
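
The flow described in the comment above (create a CA, sign users’ keys with it, trust the CA on the servers, keep a revocation list), as an added example that is not code posted in the thread. It uses only OpenSSH’s own ssh-keygen; the CA name, the user alice, the key id, the 8-hour validity window and the working directory are constructed for the demo, and the two sshd_config directives shown (TrustedUserCAKeys, RevokedKeys) are the real OpenSSH ones.

```shell
#!/bin/sh
# Added example (not code from the thread): stand up a throwaway OpenSSH user CA,
# sign a user's public key into a short-lived certificate, emit the two sshd_config
# directives servers need, and revoke the certificate through a KRL.
# Names and paths (demo-user-ca, alice, $WORK) are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the CA, a user key, a signed certificate and an (empty) revocation list.
setup_ssh_ca_demo() {
    # 1. CA key pair. Only ca_key.pub is ever copied to servers; keep ca_key offline.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$WORK/ca_key"
    # 2. User key pair. In practice the user generates this and submits only alice.pub.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"
    # 3. Sign alice.pub -> alice-cert.pub.
    #    -I key id (appears in sshd auth logs), -n principals (login names the cert is
    #    valid for), -V validity window, -z serial (what the KRL revokes by), -O restrictions.
    ssh-keygen -q -s "$WORK/ca_key" -I 'alice-laptop' -n 'alice' -V '+8h' -z 1 \
        -O no-port-forwarding "$WORK/alice.pub"
    # 4. Server side: trust the CA public key and consult a revocation list.
    #    Paths are where this demo writes the files; a real host would use /etc/ssh.
    printf 'TrustedUserCAKeys %s\nRevokedKeys %s\n' \
        "$WORK/ca_key.pub" "$WORK/revoked.krl" > "$WORK/sshd_config.snippet"
    # 5. Start with an empty KRL so the RevokedKeys file always exists.
    ssh-keygen -q -k -f "$WORK/revoked.krl"
}

# Print the principals block of a certificate (what sshd matches against the login name).
cert_principals() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p'
}

# Add a certificate to the KRL (revoked by serial, or by key id when the serial is 0).
revoke_cert() {
    ssh-keygen -q -k -u -f "$WORK/revoked.krl" "$1"
}

# Exit 0 if the key or certificate is on the KRL. ssh-keygen -Q prints "<file>: REVOKED"
# or "<file>: ok"; the output is grepped rather than relying on its exit status.
is_revoked() {
    ssh-keygen -Q -f "$WORK/revoked.krl" "$1" | grep -q 'REVOKED'
}

# Run the demo when executed directly; skip cleanly where openssh-client is not installed.
if command -v ssh-keygen >/dev/null 2>&1; then
    setup_ssh_ca_demo
    echo "--- certificate as the server will see it ---"
    ssh-keygen -L -f "$WORK/alice-cert.pub"
    echo "--- sshd_config lines for the servers ---"
    cat "$WORK/sshd_config.snippet"
    revoke_cert "$WORK/alice-cert.pub"
    if is_revoked "$WORK/alice-cert.pub"; then
        echo "alice-cert.pub is now revoked; the bare alice.pub is not on the KRL"
    fi
else
    echo "ssh-keygen not found; install openssh-client to run this demo" >&2
fi
```

The user logs in with the same ssh command as before; the client picks up alice-cert.pub next to alice automatically. Short -V windows are what make the “no revocation infrastructure” point workable: a certificate that expires in hours rarely needs to reach the KRL, while the KRL covers the cases where it must be pulled early.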
                                                                                                                                              1. 1

                                                                                                                                                They are creating a CA, installing it on the server and signing users keys.

                                                                                                                                                Of course you could also do that without their tooling, but this article is specifically about the SSO integration so I am still not sure what your original question was, but that’s okay :)

                                                                                                                                                I think technically you are not signing your SSH keys; rather, the certificate is itself a key type for OpenSSH.

                                                                                                                                      1. 9

                                                                                                                                        Starting a new job as a system administrator tomorrow!

                                                                                                                                        1. 2

                                                                                                                                          Congrats!

                                                                                                                                          1. 1

                                                                                                                                            Edit: [Removed as I replied instead of posting a new comment]

                                                                                                                                          1. 1

                                                                                                                                            So at this point we assume that there are more nasty bugs in OpenSMTPD and that people wearing various colours of hat are looking for them.

                                                                                                                                            1. 5

                                                                                                                                              I mean, I assume that about everything. From the machines that make my shoes to the laptop I’m typing on now. ;-P

                                                                                                                                              Vain attempts at comedy aside, I really do think it’s safe to assume there are many vulnerabilities in all complex systems (I would classify MTAs as complex). And if there truly is no vulnerability in <insert doohickey here>, there’s likely a vulnerability in <this other doohickey> deployed on the same server.

                                                                                                                                              I’m a pessimistic realist who realizes we’re all human and prone to mistakes.

                                                                                                                                              1. 2

                                                                                                                                                Well this is one that’s getting some attention right now :)

                                                                                                                                                What’s most disappointing is that OpenSMTPD doesn’t seem to do much in the way of privilege separation. There’s no reason for the MTA to be running as root or having world-writable directories or any of that mess unless you’re trying to preserve the 90s UNIX desktop experience of your mbox in /var/spool/mail and procmail “cleverness”. I’m sure there’s an audience for that, but why is that in OpenBSD’s default MTA?

                                                                                                                                                Are they running fingerd and ytalk too? If we’re going for the retro experience over security let’s just use telnet! :)

                                                                                                                                                1. 1

                                                                                                                                                  It is privsep’d to some degree:

                                                                                                                                                  $ ps axu | grep smtpd
                                                                                                                                                   2083 root      0:00 /usr/sbin/smtpd -F
                                                                                                                                                   2085 smtpd     0:00 smtpd: klondike
                                                                                                                                                   2086 smtpd     0:00 smtpd: control
                                                                                                                                                   2087 smtpd     0:15 smtpd: lookup
                                                                                                                                                   2088 smtpd     0:03 smtpd: pony expres
                                                                                                                                                   2089 smtpq     0:00 smtpd: queue
                                                                                                                                                   2090 smtpd     0:00 smtpd: scheduler
                                                                                                                                                  

                                                                                                                                                  I’m not familiar enough with OpenSMTPD to tell you why this specific code isn’t in one of the privsep’d parts.

                                                                                                                                              2. 0

                                                                                                                                                Does anyone actually use it outside of OpenBSD? I’d imagine no one really does, so not that many people would be looking for these; OTOH, finding a bug in OpenBSD software always adds extra points to the rep, doesn’t it? (I guess it might not anymore if these reports are to continue.)

                                                                                                                                                1. 3

                                                                                                                                                  On Linux: there was a thread on a forum recently where many reported moving, or having already moved, to OpenSMTPD from exim/postfix, as they found it easy to work with, and the security responses are impressively quick.

                                                                                                                                                  I guess quite a few security holes will be uncovered as OpenBSD and its sibling projects are nowadays getting more attention from security people (probably because they are an easy win, not utilizing as many of the mitigations/defense-in-depth methods used by other operating systems, and having been neglected because of their relatively small user base).

                                                                                                                                                  I’m also using it on a few machines, though only for mail forwarding (Linux and OpenBSD), but I plan to set up a complete mail infra based on it in the near future, to evaluate a complex setup.

                                                                                                                                                  1. 2

                                                                                                                                                    I’m just a couple weeks away from deploying an OpenSMTPD installation for HardenedBSD’s build infrastructure. It’ll be an internal-only deployment, though, just to pass emails between systems to a centralized internal mbox.

                                                                                                                                                    1. 2

                                                                                                                                                      It’s available on pretty much all Linux distros as a package, so I’d say yes. I’ve been using it for years myself on FreeBSD and Linux.

                                                                                                                                                      1. 2

                                                                                                                                                        Yes, on Linux.

                                                                                                                                                        1. 1

                                                                                                                                                          I did use it for a while, but not on my main mail server. It was nice to work with, but I didn’t look at the code and I’m not really able to audit any C code, really.

                                                                                                                                                      1. 3

                                                                                                                                                        Is there any ongoing project to wrap WireGuard in HTTP/3 with fallback to HTTP/2?

                                                                                                                                                        1. 3

                                                                                                                                                          I guess the main use-case would be to circumvent restricted network environments?

                                                                                                                                                          1. 2

                                                                                                                                                            I don’t think there is any benefit doing this, you are sacrificing the latency and performance of wireguard. :(

                                                                                                                                                          1. 4

                                                                                                                                                            This is very cool!

                                                                                                                                                            The Dhall Kubernetes package specifies record types for every object available by default in Kubernetes.

                                                                                                                                                            I glanced at Dhall & Nix for this purpose, as this could’ve saved me a lot of pain as a casual Kubernetes user. But on the flip-side, I didn’t go through with it after I realized that I did not write 99% of my manifests myself, and instead copy pasted & configured what’s available on Github. The way I use it, I’d need a massive ecosystem around Dhall+k8s with reusable bits around most things you want to deploy on kubernetes.

                                                                                                                                                            If I find myself doing this full-time in the future, and writing most of my manifests myself (without worrying of catching up with third party software), the safety and abstraction level this provides sounds like a big win.

                                                                                                                                                            1. 2

                                                                                                                                                              I didn’t go through with it after I realized that I did not write 99% of my manifests myself, and instead copy pasted & configured what’s available on Github.

                                                                                                                                                              Would it work for you to convert YAML manifests from Github to JSON and import them through json-to-dhall? Haven’t tried that myself yet, but I’m doing something similar with cuelang at the moment. I guess the drawback is that you would probably have to annotate types yourself?

                                                                                                                                                              1. 1

                                                                                                                                                                rekube mentioned in this thread sounds even more up my alley actually, as I’m a heavy Reason user. And looking at its repo it seems to have such a tool, so it is certainly possible! Maybe it’s a bit easier with rekube because of how good OCaml is at inferring types?