1. 3

    So cool!

    When reading articles such as this, the main questions I’m asking myself are “Why didn’t I want to figure this out earlier?” and “What else am I missing out on?”

    I mean, I’ve read this Wikipedia section and a page by ~mascheck at some point - but this posting puts #! in executable files into a much better perspective.

    1. 5

      Looks really cool; there are far too few alternatives to Discourse, and I hope most developers/admins will agree that mailman or hyperkitty never managed to become a decent web application (with or without JavaScript).

      A link to forum.nim-lang.org in the git repo would be nice, though. :-)

      The rst-syntax example page is interesting; as we’ve learned on 1st April on @lobsters, you want to scrape/mirror/resize/convert foreign image embeddings.

      1. 5

        Thanks for the feedback, I added a little link below the image to forum.nim-lang.org.

        Indeed, this issue regarding foreign image embeddings didn’t even pop into my head. I shall make a note of it and hope nobody embeds a huge image in the meantime :)

        1. 3

          Sure! :-)

          Ah, completely missed that the image is a link to the forum, but now it’s better - might become a longer list, once more projects are using NimForum :-).

          PS: Maybe one could get you a lobsters “nim-hat”.

      1. 6

        Main home server:


        Tiny virtual servers:

        • DNS (bind9)
        1. 3

          Thanks for the pointer to weeWX; I had thought more of using Grafana to display weather data. Are you able to create alerts (something is moving in your flat) with Motion?

          1. 3

            Yes, you can tell Motion to run a command when motion starts, when motion ends etc. I don’t use that functionality at home, but at work I use it to send an XMPP message e.g. when somebody enters the server room and when the video is completed (including a link to the video), so I can keep track of who enters and what they do.

            I have had to fiddle a little with ignoring part of the image that constantly flickers in the server room; I can recommend Motion, it works well.

            weewx does enough that I haven’t bothered doing something with the data myself - I’ve only changed the display (colours and such) to integrate it into my website.

        1. 4

          Self-hosting is for me a long term project and I’m working on it infrequently… I should probably write a blog-posting at some point. I really need to start using some provisioning/automation tool… I can’t decide which ‘container’ technology I’d like to use.

          Already hosting:

          • Monitoring
          • Music Player Daemon
          • NFS (I’ve a dedicated storage, which is physically separated from the application hosting hardware)
          • WireGuard as transport-layer encryption and authentication for the separate NFS exports
          • WireGuard VPN
          • nginx


          • mail (not decided which setup)
          • radicale
          • a web photo view, hopefully with rich metadata
          • git-annex (I still haven’t figured out how I can have a git-annex non-bare-metal repo which lets non-annex-aware applications access the data)
          • some self hosted ‘dropbox’ alternative (not decided which tool)
          • some issue tracker
          • Firefox Sync Server
          • XMPP/Matrix
          • DNS
          • Offsite and/or cloud backup (I ‘only’ got 2.5 Megabyte/s upload, so 4TB to upload will take at least three weeks)

          The whole setup (three computers) is using constantly about 60W (I’ve an energy meter installed).

          The setup costs me about 30 Euro for the Internet, ~12 Euro for electricity and 5 Euros for some server in a datacenter.

          If I’d store backups on Backblaze ‘B2’, it’d cost me at least 20 Euros per month to have cloud backups (0.005 Cent per GB for storing uploaded data, and 0.01 Cent per GB if I need to retrieve the data). I should probably not mention this in public, but another possibility would be running the Backblaze Personal Backup in Wine (which I’ve tried out in 2014) - but this would be clearly a violation of the terms, and you’d have to hack something together that ‘transparently’ encrypts all files in front of the Backblaze Wine client, and still is able to support delta uploads.

          1. 5

            Beautifully-done illustrations on top of the good info.

            1. 4

              I’m thankful for the rich “metadata” structure of SVGs. Some 1, 2 are done in Visio:

              <!-- Generated by Microsoft Visio, SVG Export StringTable.svg Page-12 -->

              Others in Inkscape:

              <!-- Created with Inkscape (http://www.inkscape.org/) -->

              I’ve been experimenting with https://draw.io in order to avoid Visio; their FOSS model is a little bit weird (I’m not sure how open it actually is). At least you can use file-system export (compressed base64 encoded xml structure) from their web interface. The html “export” is an embedded svg, and svg’s might need additional manual rework in case you want to publish them.

              1. 2

                Yeah I’d really like to know how he made the illustrations! They are great.

              1. 3

                I’ve managed to check it out last night, and it appears to be working as advertised.

                Key generation is super awesome; a built-in QR code reader to transfer configuration/public keys to and from a desktop would be a great feature for semi-automated setups.

                The error reporting is still a little bit weird, for example I can’t configure as Allowed IPs for a Peer with the error message: “Bad address”. works though, so maybe just a user error.

                With the WireGuard (WG) Android connectivity I can/could now:

                • Stream music to my phone from my mpd-server with httpd/lame as output configured (MPDroid), or just configure my mpd-server at home (works already)
                • Access my phone via Termux/sshd (works already); sshfs via LTE works unexpectedly well, OR adb via VPN.
                • Do backups with Syncopoli and rsync:// instead of ssh (keyfile management in Syncopoli is confusing)
                • Sync with radicale calendar server (probably contacts/notes too?)
                • Access read-only monitoring web interface, getting alerts via self-hosted Matrix instance?
                • Report back the location of my phone (couldn’t find a tool for that yet; Termux API examples can report the location, though - might be done with a python script then)

                None of this requires root, I’m using CopperheadOS, which has root-access disabled.

                I need to figure out how to properly prevent random apps from accessing those services. rsync:// supports secret-based authentication, so that might be good enough.

                Basically I’d like to avoid having each service do its own authentication/key management, but to have one ‘global instance’ (WG) deal with encryption instead.

                I’ve seen Orbot supports setting up tunneling on a per-app basis, so it might be possible to implement for WG too.

                I’m still not sure if this all makes sense, but it feels rewarding to set up, so I’m trying to push forward what is possible. Especially backups are a huge pain point in Android; I hope I’ll solve that for myself soon.

                Everything could be replaced by $VPN-technology, but WG, besides tor, is the first tool that kept me excited for long enough.

                1. 3

                  Report back the location of my phone

                  I’ve found OwnTracks works well for this use case. Reports back location and battery info. Downside is that MQTT brokers are a bit fiddly to configure and use.

                  1. 1

                    Thank you for the pointer, unfortunately they won’t provide a Google services free version (ticket).

                    1. 1

                      That’s certainly a bummer. Skimming the thread, seems to be a result of there being no free replacements for the geofencing APIs.

                  2. 1

                    Key generation is super awesome, built in QRcode reader to transfer configuration/public-keys between a desktop would be a great feature for semi-automated setups.

                    The TODO list actually has this on it. Hopefully we’ll get that implemented soon. You’re welcome to contribute too, if you’re into Android development.

                    The error reporting is still a little bit weird, for example I can’t configure as Allowed IPs for a Peer with the error message: “Bad address”. works though, so maybe just a user error.

                    The error reporting is very sub-par right now indeed. We probably should have more informative error messages, rather than just bubbling up the exception message text.

                    That “bad address” is coming from Android’s VPN API – is not “reduced” as a route; you might have meant to type Probably the app could reduce this for you, I suppose. But observe that normal Linux command line tools also don’t like unreduced routes:

                    thinkpad ~ # ip r a dev wlan0
                    Error: Invalid prefix for given prefix length.
                    thinkpad ~ # ip r a dev wlan0
                    thinkpad ~ # ip r a dev wlan0
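                    A small normaliser for the AllowedIPs case discussed above, as an added example that is neither WireGuard project code nor the commenter’s: it mirrors the strict behaviour of Android’s VPN API and `ip route` (reject a prefix with host bits set) and the suggested alternative of reducing it for the user. The sample AllowedIPs line is constructed.

```python
"""Check WireGuard-style AllowedIPs entries for unreduced prefixes.

Added example, not WireGuard project code. A route such as 10.0.0.5/24 has
host bits set; Android's VPN API and `ip route add` reject it, and the
reduced form 10.0.0.0/24 is what was most likely meant.
"""
import ipaddress
from typing import List, Tuple


def check_allowed_ip(entry: str) -> Tuple[str, str]:
    """Classify one AllowedIPs entry.

    Returns (status, value) where status is:
      'ok'        - already a reduced network (or a bare host address)
      'unreduced' - host bits set; value is the reduced network
      'invalid'   - not parseable at all
    """
    entry = entry.strip()
    if "/" not in entry:
        # Bare address: WireGuard treats it as a single host (/32 or /128).
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return ("invalid", entry)
        return ("ok", f"{addr}/{addr.max_prefixlen}")
    try:
        # strict=True is the kernel's / Android's view: host bits are an error.
        return ("ok", str(ipaddress.ip_network(entry, strict=True)))
    except ValueError:
        pass  # either unreduced or garbage; distinguish below
    try:
        # strict=False masks the host bits off, i.e. "reduces" the route.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return ("invalid", entry)
    return ("unreduced", str(net))


def reduce_allowed_ips(line: str, strict: bool = True) -> Tuple[List[str], List[str]]:
    """Process a comma-separated AllowedIPs value.

    strict=True behaves like the kernel / Android API: unreduced entries are
    reported as errors. strict=False reduces them and records a note instead.
    Returns (accepted_entries, messages).
    """
    accepted, messages = [], []
    for raw in line.split(","):
        raw = raw.strip()
        if not raw:
            continue
        status, value = check_allowed_ip(raw)
        if status == "ok":
            accepted.append(value)
        elif status == "invalid":
            messages.append(f"{raw}: bad address")
        elif strict:
            messages.append(f"{raw}: invalid prefix for given prefix length (did you mean {value}?)")
        else:
            messages.append(f"{raw}: reduced to {value}")
            accepted.append(value)
    return accepted, messages


if __name__ == "__main__":
    # Constructed sample line; the second and third entries are unreduced.
    sample = "10.0.0.0/24, 192.168.1.7/16, fd00::1/64, not-an-ip"
    for mode in (True, False):
        ok, msgs = reduce_allowed_ips(sample, strict=mode)
        print(f"strict={mode}: accepted={ok}")
        for m in msgs:
            print("  ", m)
```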
                  1. 1

                    Cool. I wasn’t aware of PRoot, rootless and the rootless-container project in general. Since there is no mention of fakeroot and fakechroot, do you know how this compares?

                    1. 2

                      fake{root,chroot} is based on an LD_PRELOAD-like syscall interception. It has the advantage of not depending on the kernel’s namespace implementation, but the disadvantage of having a performance penalty.

                      proot is a frontend for Linux namespaces.

                      1. 1

                        Thank you for your response, I see. So it’s not possible to run it inside a container then? fakeroot with LD_PRELOAD is a pain; you basically can’t debootstrap Jessie on Stretch because of this.

                        1. 1

                          I thought one of them did LD_PRELOAD interception, which was fast enough that you don’t notice the performance penalty, but doesn’t work for things (e.g. Go binaries?) that make syscalls directly rather than going through libc’s wrappers, and the other did ptrace() interception, which works on everything, but makes syscalls much slower (though compilers spend a large proportion of their time doing things which aren’t syscalls, so it’s like a 20% perf hit for random C programs last time I tried).

                          1. 2

                            Both are using LD_PRELOAD. What you are thinking of is fakeroot-ng(1), which is ptrace(2)-based.

                            1. 1

                              Thank you.

                      1. 2

                        wkhtmltopdf might be enough for many use cases; it’s based on QtWebKit.

                        • Performance perspective isn’t perfect, but ok - I guess LaTeX isn’t rendering super fast either
                        • Security perspective - probably not advisable to render foreign content + you should read the documentation properly (example: you need to disable JavaScript execution specifically, not the other way round)

                        I’m wondering if there is a way to get Firefox headless to render PDF, that would be a good case.

                        Update: Sorry, I’ve accidentally overlooked @stephenr’s comment.

                        1. 2

                          I hope I’m not commenting too late, but your posting inspired me to write a script that automates setting up a new onion service and configuring an sshd daemon that only listens on the .onion address.


                          Not super important when you are running behind a NAT, but if you want to have an anonymous onion service for a host that also listens on a public interface, something like this is highly recommended.

                          1. 2

                            I hope that in addition to encrypting DNS traffic, there will be HTTPS connections without an SNI field - but some cryptographic, non-fingerprintable handshake which is also expensive to bruteforce.

                            1. 2

                              That was originally planned for TLSv1.3, but dropped later on.

                              So for now even if you use DNS over HTTPS, your ISP will see what sites you visit anyway, and for verification DNSSEC exists already.

                              At least until encrypted SNI becomes available, DNS over HTTPS has no advantage over classical DNS yet.

                            1. 3

                              I’ve recently stumbled upon this animated spectrogram video of a dialup sequence. Also I’ve been using the dialup sound as a ringtone for a while now (my phone rarely rings), but when my phone rings - people are mostly super confused about what is going on with me.

                              Edit: The video is also referenced in the 2015 thread.

                              1. 11

                                Finally a proper use of the caps lock key:

                                Press caps lock to switch to a command line interface; here’s the debug screen.

                                1. 8

                                  Well, I’d rather use it for Control. But maybe if keyboards would put Control where it belongs, next to Space (it should go Super Alt Control Space Control Alt Super), then it wouldn’t be necessary to have Control where most keyboards have Caps Lock.

                                  1. 5

                                    I always map Caps Lock to Ctrl, so whenever I’m on someone else’s laptop I keep flipping into caps when I mean to copy/paste/break/etc.

                                    1. 3

                                      it should go Super Alt Control Space Control Alt Super

                                      What’s the premise for “should” here?

                                      1. 1

                                        Because of the frequency of use. Control is used almost all the time, in Windows, Linux & emacs. As such, it should go into the easiest-to-strike location, right next to the spacebar where the thumb can strike it in conjunction with other keys.

                                        Alt/Meta is used less often, so it should receive the less-convenient spot. Alt should be used for less-frequently used functionality, and to modify Control (e.g. C-f moves forward one character; C-M-f moves forward one word).

                                        Super should be used least of the three, and ideally would be reserved for OS-, desktop-environment– or window-manager–specific tasks, e.g. for switching windows or accessing an app chooser. Since it’s used less than either Alt or Control, it belongs in the least-convenient spot, far from the spacebar.

                                        If we were really going to do things right, there’d be a pair of Hyper keys outboard of super, reserved for individual user assignment. But we don’t live in a perfect world.

                                    2. 4

                                      As a vi user, I would have said “use escape” but then remembered my caps-lock key is remapped to escape.

                                    1. 6

                                      Maybe I should add that I came to this link via a @CopperheadOS posting. The Twitter thread also shares a few more details about gcc/clang and Android in general.

                                      1. 6

                                        I like the strace output…

                                        $ strace  -f -e execve git git git git git git git git status 2>&1 | grep bin\/sh
                                        [pid 27778] execve("/bin/sh", ["/bin/sh", "-c", "exec git \"$@\"", "exec git", "git", "git", "git", "git", "git", "git", "status"], [/* 55 vars */]) = 0
                                        [pid 27780] execve("/bin/sh", ["/bin/sh", "-c", "exec git \"$@\"", "exec git", "git", "git", "git", "git", "git", "status"], [/* 55 vars */]) = 0
                                        [pid 27782] execve("/bin/sh", ["/bin/sh", "-c", "exec git \"$@\"", "exec git", "git", "git", "git", "git", "status"], [/* 55 vars */]) = 0
                                        [pid 27784] execve("/bin/sh", ["/bin/sh", "-c", "exec git \"$@\"", "exec git", "git", "git", "git", "status"], [/* 55 vars */]) = 0
                                        [pid 27786] execve("/bin/sh", ["/bin/sh", "-c", "exec git \"$@\"", "exec git", "git", "git", "status"], [/* 55 vars */]) = 0
                                        [pid 27788] execve("/bin/sh", ["/bin/sh", "-c", "exec git \"$@\"", "exec git", "git", "status"], [/* 55 vars */]) = 0
                                        [pid 27790] execve("/bin/sh", ["/bin/sh", "-c", "exec git \"$@\"", "exec git", "status"], [/* 55 vars */]) = 0
                                        1. 1

                                          I’m glad someone else had the same thought, it pleased me no end to see it laid out in system calls!

                                        1. 11

                                          Which again points out how important projects such as me_cleaner or libreboot are. It’s also impressive how little me_cleaner.py needs.

                                          1. 3

                                            Somewhat random aside: turning on disqus comments for your docs site is a terrible idea. If you make it possible for people to abuse random pages as a support forum… it’s going to happen.

                                            1. 2

                                              I agree, having issues/support questions fragmented can be a huge deal breaker. Just imagine you’re running into an issue, so you:

                                              search via web search engines, check out the project’s issue tracker, look for recent tweets mentioning the project, skim through comment sections of the blog, link aggregators, reddit, mailing list archives, IRC logs, …

                                              So in reality it’s not only a comment-section issue, but a problem of information spreading across multiple sources. And how could you mitigate this? Create a “Support Statement”. Link to this support statement in all of your communication channels, kindly point out the statement if ignored, and start moderating in the worst case.

                                              Why don’t I want comment sections removed?

                                              Projects often provide some outdated information on their blogs. Including a comment section can encourage others to contribute more up-to-date details. This can then help people on a lost track to figure out where to continue searching, reducing their effort and the time spent on each problem. On the other side, if I run into an issue, think something can be done differently or want to add something helpful - I comment and hope someone will find my information usable.

                                              In general, comment sections often provide helpful additional details. The scope of a single blog posting is always limited. Comments are a way of expanding that scope, and this without many trade-offs.

                                              Side note: GitLab also has a comment section below their release notes, and before upgrading I have, more than once, found some helpful information in there.

                                              Final thoughts

                                              I think as long as you stay with this ‘specific traditional way’ of providing information, a comment section can be a good thing and should not just be shut down. It’s hard to come up with different solutions that other people will actually use. I’d really like to see different approaches, but I don’t think you’ll suddenly figure out different ones just by reducing the quality of the status quo.

                                              Maybe it would be cool to have an auto-generated list of issues, summarizing all issues introduced with each release. Thanks for reading.

                                              Edit: Rephrasing the GitLab sentence a bit (still not perfect).

                                            1. 8

                                              Great summary. I can recommend reading EFF’s “The Problem with Mobile Phones” writeup, especially the section regarding “Phones off”. There is also a good paper summarizing baseband exploitation.

                                              Edit: Typo and rephrasing
                                              1. 2

                                                Out of curiosity, does this impact the ability for macOS to run on hardware other than Apple hardware?

                                                1. 3

                                                  Reasonable chunks of the macOS (née OS X) kernel are open source - see Apple Open Source, in particular XNU.

                                                  It’s an interesting decision by Apple not to encrypt the kernel, but I’m not convinced it’s security related like so many have suggested. Also, the quote from the Apple spokesperson mentions “kernel cache”, which is a little different from the kernel itself. I’m no Apple kernel hacker so I’ve not investigated this any further (nor do I know much about the macOS kernel), but there seem to be some discrepancies in these reports.

                                                  1. 1

                                                    (née OS X)

                                                    née Mac OS X, née NeXTSTEP, née Darwin, née XNU, née Mach.

                                                    The Operating System of a Thousand Names, especially if we’re naming operating systems by their kernels, like Linux.

                                                  2. 1

                                                    Why do you think this?
                                                    There is already OSx86/Hackintosh, so you can run Mac OS X on non-Apple hardware. I guess if someone is going to dig a little bit into macOS, it will also become available for OSx86. Short ‘research’ also reveals some people having already had success with macOS on their PC hardware (this might need some verification).
                                                    If you wonder whether it will be possible to install iOS on non-Apple hardware, I can’t tell you. The first step would be, I guess, running iBoot on QEMU. Searching a bit I found iBoot running in QEMU, and then some git repo and this dead-link site.

                                                  1. 1

                                                    This article hasn’t aged well, and for some reason the formatting is terrible. (I read it a few years ago, and it wasn’t as bad.)

                                                    I’ve reached the point where I refuse to talk about languages as being fast or slow. What seems to be true may not be– there may be someone who can use language features that I don’t know about– and what is true now will not be, 10 years from now.

                                                    I think that there was a much stronger C++ bias in 2006. Back then, there were a lot of people using C++ “because it’s fast” for web programming projects where it was inappropriate. And I agree that the quality of the programmers has always mattered more than traits of the language, whether we’re talking about performance or aesthetics. That will always be true. I’ve seen dozens of businesses fail because they hired bad programmers, and none fail because they chose a language that “wasn’t fast enough” (if you have good engineers, they can rewrite performance-critical stuff in other languages; it’s not a big deal.) That being said, I find it a bit audacious to claim that “C and C++ suck rocks as languages for numerical computing”. To my knowledge, that is not true. In fact, most of the scientific programmers whom I know use Numpy/Scipy, which use a lot of C libraries (and probably some Fortran).

                                                    1. 2

                                                      This article hasn’t aged well, and for some reason the formatting is terrible. (I read it a few years ago, and it wasn’t as bad.)

                                                      Thank you for your comment.
                                                      Seems they have changed their site at some point (even link-scheme), I could still figure out the old link which is far better styled.