1. 9

    There’s not much to it, but I like to keep it minimal: https://bejarano.io

    1. 4

      Minimal here, too: https://soc.me

      (Largely articles on language design.)

      1. 1

        Love your website. The keyboard section is really cool (and the XDG migration status too).

        1. 1

          Thanks!

      2. 4

        I third your minimalism: https://awalgarg.me.

        1. 1

          I like yours

        2. 3

          I love the style, reminds me of good old https://notes.torrez.org/ - a blog design I was always jealous of.

          1. 2

            I like the design - clean and straightforward. At least on mobile. Also the way you organized your sites is also efficient, I think.

            1. 1

              Thanks!

            2. 1

              This is beautiful!

              1. 2

                Thanks!

            1. 6

              I was thinking about doing this last week when I moved from AWS WorkMail to Fastmail, thanks to the fact that Fastmail lets you not only receive emails at aliases, but also send them as such (which some sites might need for authentication purposes when contacting support, etc.).

              I’d like to hear the downsides of this approach, if any.

              1. 1

                I’ve done this for over a decade, and at Fastmail for the last few years. In my experience the downsides are:

                • This doesn’t work so well for mailing lists. It’s best to use your real address for mailing lists.
                • Gravatars are obnoxious — there’s no such thing as a catch-all Gravatar. Of course, Gravatar is problematic from a privacy perspective anyway, but many sites don’t allow you to configure an avatar any other way.

                Otherwise it works great when you use Fastmail’s (okayish) web UI to respond — it automatically selects the correct identity.

                1. -1

                  I’d say the main downside is that you are “tied” to Fastmail. Let’s say at some point you want to use another email provider; then migrating all these aliases could take some time. I’d rather recommend (subjectively, obviously) using another solution like SimpleLogin that focuses solely on the email alias.

                  1. 1

                    Fastmail also lets you configure a catchall address, which allows you to make up addresses on the fly. (Of course, then you can also get spam at addresses that someone else made up… That said, it has worked well for me.)

                1. 3

                  Reading How To by Randall Munroe of XKCD, Christmas gift.

                  Not much else, it’s holidays after all.

                  1. 1

                    Are you liking it so far? I got my younger brother What If? last Christmas and he seemed to enjoy it, so maybe this is one I could consider for his birthday.

                    1. 1

                      I’m loving it so far, it is hilarious. It tickles one of my favourite types of humour.

                  1. 10

                    Find out my social security number because I just got hired at my first job at a full-time, remote, Site Reliability Operator position during my second year of university. Not an internship, a regular contract.

                    Thanks Lobsters for everything I’ve learned here that has gotten me this far.

                    Happy holidays!

                    1. 0

                      Could it have to do with the increase in popularity of more immediate communication formats in the business environment such as Slack?

                      Where email is then reserved for longer content and external clients, instead of “chatting” over email with a couple lines per message.

                      1. 12

                        The internet archive guys are doing great work that is under-appreciated. If you want to help them out you can run the Archive Team Warrior to help them out. I run two different instances myself.

                        1. 1

                          Oh nice, I never knew that was a thing. I will set one up too!

                          How much traffic do they produce/month?

                          1. 1

                            To be honest I don’t watch it very closely but it’s never generated enough traffic on my network that I explicitly noticed it.

                          2. 1

                            Does The Internet Archive site operate as a client-server site? I mean, do they store everything themselves? Or is it distributed bittorrent style?

                            I think they could use something similar to HBO’s Silicon Valley’s PiperNet, where each node in the network stores encrypted pieces of the information. I believe it’s IPFS that operates similarly?

                            1. 2

                              read the thread, it is all in there

                              1. 1

                                Oops, I bookmarked it to read it later but by the title I didn’t know it answered my questions and so I asked. Sorry :D

                            1. 1

                              My $HOME directory contains some config files, a Desktop folder (where I keep everything of value) and a Downloads folder, which is sort of an inbox of things to review.

                              I mainly work in the Desktop, which contains:

                              • personal: which contains all my dotfiles (symlinked to where they should be), my files (invoices, ID and passport scans, digital backup of important paper documents…), my projects (basically a clone of all my repos and stuff in the works), my sites (SSH keys, Ansible playbooks, Terraform files, Kubernetes manifests, Docker stack files… As well as the source of my static sites) and my scripts (local cron jobs, mini utilities I use all the time, etc.). Also my encrypted password database file.
                              • studies: I’m on my third year in university for CS, one folder per subject and a Python script where I track all my grades.
                              • work: I do AWS as a side gig, so one folder per client, and one subfolder per project. Oh, and my CV in English and Spanish.

                              I keep everything in Desktop so that I can restic it all at once into my over-engineered backup system.

                              I’ve been happily using this system for half a decade, and I’m very happy with it.

                              I don’t think your system for file org is that important, but rather sticking to it and using it daily. I’m writing this from memory, because I know where everything is and that’s what makes it productive.

                              1. 1

                                Can you point to a recent example of a post tagged ask that, in your opinion, had an excessive number of leaf comments hanging off each top-level comment?

                                1. 1

                                  This thread from 26 hours ago, for example.

                                  u/icefox’s first comment has quite some replies, and many are lengthy ones.

                                  In desktop browsers that’s just one swipe down to scroll, but in mobile browsers it’s not that fast.

                                  Again, it’s just mildly annoying, and I agree with others’ replies in that I would prefer this to be an option, not the default.

                                1. 1

                                  Some months ago I moved from Dnsmasq to CoreDNS.

                                  So far the change has been for the better, CoreDNS has DNS-over-TLS support, cache prefetching, detailed logging (vs. none at all in Dnsmasq, AFAIK) and detailed metrics in Prometheus’ format.

                                  Both support blocklists, custom hosts files, etc. CoreDNS has a nice set of features for service discovery too, but I don’t use them.

                                  So far loving it!

                                  1. 1

                                    I didn’t know about CoreDNS, I’m gonna check it out now.

                                    If it allows the usage of dnsmasq-based block lists while providing some simple prometheus metrics, I’m sold.

                                    1. 1

                                      Check out this comment on HN about my CoreDNS setup.

                                      It has hosts-style blocklists, caching, cache prefetching, DNS-over-TLS, per-request logging, Prometheus-style metrics…

                                      I include my previous Corefile (CoreDNS’ configuration file and format) in it; since then, the only changes I’ve made are switching from Cloudflare’s upstream resolvers (1.1.1.1 and 1.0.0.1) to Quad9’s (9.9.9.9). Both support DNS-over-TLS, so my entire home network has its DNS encrypted.

                                  1. 2

                                    I’d like to add that, out of the three carriers that will grant the Spanish Institute of Statistics aggregated location data (Vodafone, Movistar and Orange), Vodafone and Orange let you opt out via email or their app.

                                    Movistar hasn’t enabled any opt-out mechanisms yet.

                                    1. 3

                                      In this example, the assignment expression helps avoid calling len() twice:

                                      if (n := len(a)) > 10:
                                         print(f"List is too long ({n} elements, expected <= 10)")
                                      

                                      Um, no it doesn’t?:

                                      a1 = [10, 20, 30]
                                      n1 = len(a1)
                                      if n1 > 2:
                                         print(f'{n1} is greater than two')
                                      

                                      https://docs.python.org/3/whatsnew/3.8.html

                                      1. 2

                                        But it helps you avoid calling len() twice with one less line! Readability ∝ 1 / source.count('\n').

                                        With this change we’re one step closer to finally reaching Perl’s level.

                                        1. 2

                                          I guess it’s about the scope of the variable, as in Go:

                                          if n := len(S); n > 0 {
                                            fmt.Println(n, "characters long")  // n defined inside if statement
                                          }
                                          // n undefined here
                                          
                                          1. 2

                                            Just for others reading this: it’s sadly not. n would still be defined after the conditional block. I assume it doesn’t work like that as Python doesn’t really have that level of scoping elsewhere (for loops leak too, etc).

                                            1. 1

                                              Wow, I just tested it and you’re right.

                                              Then I guess it’s only about convenience, but isn’t “sparse better than dense” and “simple better than complex”?

                                          2. 1

                                            It’s a shame they didn’t put the code that it was compared to:

                                            if len(a) > 10:
                                               print(f"List is too long ({len(a)} elements, expected <= 10)")
                                            

                                            Both are 2 lines; your 4-line alternative also leaves extra variables lying around.

                                            1. 0

                                              Both are 2 lines; your 4-line alternative also leaves extra variables lying around.

                                              So? Do you really think fewer lines is always more readable? How about now?

                                              v1 = ((((n1 + n2) - n3) * n4) / n5)
                                              

                                              I would rather have something like this, even though it’s more lines and more variables:

                                              v1 = n1 + n2
                                              v2 = v1 - n3
                                              v3 = v2 * n4
                                              v4 = v3 / n5
                                              

                                              Sometimes readability is more important than lines or variables. Not everything is code golf.

                                              1. 4

                                                Okay, but you’ve introduced 3 additional variables here. I can imagine it’s possible to confuse v3 and n3 because the names are so similar. Also, you don’t need that many parentheses.

                                                v1 = (n1 + n2 - n3) * n4 / n5
                                                

                                                because + and - have the same operator precedence, so they’re evaluated in the order of their use. Later, * and / also have the same precedence, so another pair of parentheses can be removed. I think this 1 line is more clear than 4 lines.

                                                But I understand your point: fewer lines is not always better than more lines.

                                                1. 2

                                                  Do you really think fewer lines is always more readable?

                                                  No, I’m just comparing like for like. The intent of the quoted

                                                  the assignment expression helps avoid calling len() twice

                                                  was, in my eyes, to make a comparison with the code snippet that I posted, and not with anything else.

                                                  1. 0

                                                    So?

                                                    So scope matters, a lot. In a toy example it’s easy to dismiss this stuff, but scoping your variables as tightly as possible simplifies all future modifications and refactorings in real-world code, because you’ve minimized the “world” that can be potentially impacted by any changes to the variable or its assignment.

                                                    Scoping n to just the loop it’s intended to be used in is strictly preferable to having it visible (and available for misuse) in all code in the outer scope after the loop.

                                                    1. 8

                                                      The version with := leaks n too.

                                                      >>> a = [1,2,3,4]
                                                      >>> if (n := len(a)) > 10:
                                                      ...     print(f"List is too long ({n} elements, expected <= 10)")
                                                      ... 
                                                      >>> n
                                                      4
                                                      
                                                      1. 5

                                                        Wow, that’s a disappointing choice

                                                        1. 3

                                                          Variables in for loops are scoped similarly:

                                                          >>> for i in range(43):
                                                          ...     pass
                                                          >>> i
                                                          42
                                                          
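As an added example (not code from the thread), the scoping behaviour the last few comments walk through, carried one step further: the := target is an ordinary local of the enclosing function (unlike the Go `if n := ...; cond` form quoted above), it also escapes a comprehension, and only a real nested scope confines it. The names a, n, words and last are constructed for the demonstration.

```python
"""Added example, not code from the thread: the scoping rules for the Python 3.8
assignment expression (:=), compared with the Go `if n := ...; cond` form quoted above.
The names a, n, words and last are constructed for the demonstration."""


def walrus_target_outlives_the_if():
    """The := target is an ordinary local of the enclosing function, so n is
    still bound after the if block (unlike Go, where it is if-scoped)."""
    a = [1, 2, 3, 4]
    if (n := len(a)) > 10:
        return f"List is too long ({n} elements, expected <= 10)"
    return n  # 4: n leaked out of the conditional


def for_variable_outlives_the_loop():
    """For-loop variables behave the same way, which is the precedent cited above."""
    for i in range(43):
        pass
    return i  # 42


def walrus_escapes_a_comprehension():
    """A comprehension has its own scope, but a := target inside it binds in the
    enclosing function scope (PEP 572), so `last` is visible afterwards."""
    words = ["alpha", "beta", "gamma"]
    lengths = [(last := len(w)) for w in words]
    return lengths, last  # ([5, 4, 5], 5)


def walrus_confined_by_a_nested_function():
    """The only way to limit the target's lifetime is a real scope boundary:
    bind it inside a nested function, and the caller never sees n."""
    a = [1, 2, 3, 4]

    def check():
        if (n := len(a)) > 10:
            return f"List is too long ({n} elements, expected <= 10)"
        return "ok"

    return check(), "n" in locals()  # ("ok", False)
```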
                                              1. 6

                                                My early 2015 MacBook Pro has been in an Apple-authorized repair shop since Tuesday, after the upgrade to Catalina rendered it unbootable (recovery doesn’t work, Internet Recovery doesn’t detect networks, it doesn’t even let me get into Startup Manager by pressing Option during boot to reinstall macOS from a thumb drive).

                                                Another friend’s 2017 MacBook Pro had to have its OS reinstalled.

                                                My dad’s 2014 MacBook Air upgraded without issues, but has been unstable ever since it finished upgrading.

                                                People are having problems with Mail.app, with the filesystem, with the 64-bit BS, they couldn’t use Reminders for a week because they released iOS one week earlier with breaking changes, etc.

                                                This is not the Apple I signed up for. And I’m writing this from a quick and dirty Ubuntu thumb drive, and I have to say I’m surprised with how stable it is, after leaving desktop Linux half a decade ago.

                                                1. 4

                                                  This is not the Apple I signed up for. And I’m writing this from a quick and dirty Ubuntu thumb drive, and I have to say I’m surprised with how stable it is, after leaving desktop Linux half a decade ago.

                                                  Ubuntu’s pretty good. It gets a lot of fit-and-finish work, in my experience, and Mint is a smaller version of the same thing; a lot of people prefer Mint’s Cinnamon GUI over Ubuntu’s default GUI, as well.

                                                  1. 4

                                                    Never used Mint.

                                                    Chose Ubuntu out of inertia. It was what I used from when I was 9 up until I got the MacBook. It is what I use on servers (Ubuntu Server or CentOS, depending on how I feel in the morning) because It Just Works. If I could go back to GNOME 2 / MATE without having to deal with it myself I would (I obviously can, but tweaking DEs is very annoying and honestly, Unity or whatever it is now is not as bad as it was when it was introduced).

                                                    Thought about going back to Gentoo (which is where I left off), but I don’t have the time right now.

                                                    1. 3

                                                      I was on Mint for 5 or 6 years before moving back to Ubuntu. Fewer rough edges and better stability with the latter.

                                                  1. 6

                                                    I just use Things. I have no plan to move away from Apple jail ecosystem in the foreseeable future so…

                                                    1. 3

                                                      I also use Things, just on my laptop though (I keep my phone off of email, calendar, etc.).

                                                      Last Monday the macOS Catalina update rendered my MacBook unbootable (sent to Apple repair yesterday). In the meantime I’m running a live Ubuntu bootable thumb drive.

                                                      While Things is not available off-Apple, it’s nice they store everything you do in a single SQLite database file. Until I have my Macbook back I’ll be running Things with a SQL editor.

                                                      1. 1

                                                        Last Monday the macOS Catalina update rendered my MacBook unbootable (sent to Apple repair yesterday).

                                                        Same. Booted in safe mode, turned out it was a bad kext. Updated it and chugging along happily-er now.

                                                        1. 1

                                                          Mine doesn’t even respond to the boot time keystrokes in order to boot in safe mode, or verbose, or boot from a thumb drive…

                                                          I tried everything, but there’s nothing I could do without tearing it down.

                                                          May I know your model? Because a friend of mine also had his install broken. Also, is the bad kext related to Little Snitch? Thx.

                                                          1. 1

                                                            MacBook Pro (15-inch, 2017) – the bad kext was a corporate MDM thing (“Carbon Black”). But yikes, yours sounds muuuuch worse. I could access safe mode. Recovery was working but even once booted into recovery the dialogs were lagging for 5+ minutes.

                                                      2. 2

                                                        Things

                                                        This comment made me check it out, and damn. I’ve been using Todoist for a couple years and this blows it out of the water. Thanks!

                                                        1. 1

                                                          +1 for Things. I have a soft spot for the idea of a bullet journal but Things is just so good.

                                                          1. 3

                                                            Things is the only software I’ve ever missed after leaving apple.

                                                            1. 1

                                                              I have a mac laptop, but an android phone, so I would be hesitant to use Things.

                                                        1. 1

                                                          Not a cloud provider, but if you are a DIY person, your hardware requirements aren’t huge and you have the money to invest in the hardware, you could do something similar to what https://solar.lowtechmagazine.com/about/ does.

                                                          1. 6

                                                            Cloudflare’s CEO response to this issue (5 months old): https://news.ycombinator.com/item?id=19828317

                                                            TL;DR: it’s Archive.is’ authoritative nameservers that return bad results (something in the 127.0.0.0/8 block) when 1.1.1.1 queries them. They have discussed internally band-aiding this with some workaround, but they decided it “would violate the integrity of DNS”.

                                                            1. 4

                                                              It’s certainly an interesting response from Cloudflare’s CEO:

                                                              https://news.ycombinator.com/item?id=19828702

                                                              the integrity of DNS and the privacy and security promises

                                                              the integrity of DNS and the privacy and security promises

                                                              (yes, the above phrase is actually mentioned twice in separate sentences)

                                                              This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.

                                                              motivation for the privacy and security policies of 1.1.1.1

                                                              geolocation targeting without risking user privacy and security

                                                              First, they mention privacy as a reason a lot; a total of 5 times in a 5-paragraph snippet; and “security” 4 times. It has now been debunked that their DoH (which they deem even more private and more secure) is less private, not more. https://lobste.rs/s/sno4wu/centralised_doh_is_bad_for_privacy_2019

                                                              Whole thing doesn’t stand the most basic litmus test — after resolving a name, you still have to make HTTP/HTTPS requests, revealing not just the /24 subnet, but full 32 bits of the IPv4.

                                                              nationstate actors have monitored EDNS subnet information to track individuals

                                                              Yeah, this is just FUD, without even any attempt at a double-blind study. Which nation-state actors? Whom did they monitor? How instrumental was ECS, and how did it even come into the picture? It’s not like local regional providers have any reason to employ ECS. Did someone in China switch to an ECS-compliant third-party provider, without just going for a full VPN? Why? (Doesn’t it prove that it’s the third-party providers, like Cloudflare DNS, that facilitate this monitoring?) The whole thing just doesn’t make sense. You can always just monitor the HTTP/HTTPS traffic instead.

                                                              If you need real security, you gotta use a real VPN, not a fake DNS bandaid.

                                                              Lack of ECS on a global anycast resolver is not a security and privacy feature; it’s just poor form to run a global public internet service that way.

                                                              We publish the geolocation information of the IPs that we query from.

                                                              Where? Not in DNS. Not in whois (there’s no rwhois referral, either).

                                                              Every other provider that doesn’t provide ECS at least has very easy-to-understand rDNS on the source IP of their resolver; but not Cloudflare:

                                                              % dig @a.resolvers.level3.net. o-o.myaddr.l.google.com -t txt +short | cut -f2 -d\" | xargs host
                                                              4.14.0.8.in-addr.arpa domain name pointer dns-8-0-14-4.dallas1.level3.net.
                                                              % dig @ordns.he.net. o-o.myaddr.l.google.com -t txt +short | cut -f2 -d\" | xargs host
                                                              2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.7.0.0.0.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa domain name pointer tserv1.dal1.he.net.
                                                              % dig @one.one.one.one o-o.myaddr.l.google.com -t txt +short | cut -f2 -d\" | xargs host
                                                              Host 33.220.162.108.in-addr.arpa not found: 2(SERVFAIL)
                                                              %
                                                              

                                                              We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.

                                                              Here, contrary to some popular belief that big providers use anycast and don’t need ECS, he’s basically admitting that other providers actually do use ECS, and do benefit from resolvers with ECS. By not doing ECS, Cloudflare DNS makes all competing CDNs slower than their own 3.5 billion USD CDN. This is in case anyone has any doubts that ECS is actually used by the large providers who have the capacity to do anycast.

                                                            1. 0

                                                              Am I the only one running IPsec/L2TP?

                                                              I do so for three reasons: server software comes preinstalled on my gateway (Mikrotik RouterOS), client software is included with iOS/macOS/Android/Windows, and AFAIK it is secure (please let me know if not).

                                                              I’ve looked into Wireguard and I want to try it, but I don’t like my VPN server running on a host inside the network itself, which is much more likely to go offline and lock me out of the network, as opposed to it running on the very gateway to the network.

                                                              Any thoughts? I don’t have strong opinions regarding VPNs. Keep in mind I use them both for traffic encryption and for access to my network’s internal services.

                                                              1. 4

                                                                Your setup may or may not be secure. No one can really say without looking at it in detail, because the configuration for IPsec is pretty complex. Worse, the protocol complexity induces complex client/server software which is prone to hard-to-spot implementation mistakes.

                                                                This is one of the main reasons I try to push people to Wireguard, where there are no security-relevant config options and the code base is very small. IIRC, Wireguard is about 4000 lines of code vs ~400 000 for an IPsec implementation.

                                                                As a quick example, CVE-2017-6297 was a bug in MikroTik’s L2TP client where IPsec encryption was disabled after a reboot. In general, I am quite sceptical of the security of dedicated devices like routers. They have fewer ‘good’ eyes on them due to the relative difficulty of pulling apart their hardware/firmware/closed-source software, and yet their uniformity makes them an attractive target for well-resourced attackers.

                                                                1. 3

                                                                  L2TP/IPsec can be problematic with hotel wifi and other braindead networks. Not even NAT-T and IKEv2 always help. OpenVPN will cheerfully work even with double (or quadruple) NAT. Nothing against Wireguard, but I didn’t find it nearly as easy to manage and unproblematic as OpenVPN, especially when performance is not a big concern.

                                                                  I wonder if the future is self-hosted VDI rather than VPN. It’s convenient for use on the road (just reconnect to a session), and much harder to ban, regulate, or persecute people for in countries with censorship.

                                                                1. 1

                                                                  The overkill (and much more secure) way of doing this is referencing images by digest:

                                                                  image: quay.io/ricardbejarano/nginx@sha256:{SHA256_DIGEST}

                                                                  I believe this is standard for all registries, and at least I’ve made it work on both Docker and Kubernetes (CRI: containerd).

                                                                  1. 1

                                                                    I have heard (but not verified) that Docker Hub at least doesn’t consistently keep untagged images permanently available, so old versions can disappear.

                                                                  1. 4

                                                                    Hm. Seems overkill. I just tag my docker images with the git hash. Done. Don’t deploy latest, deploy the tag.

                                                                    1. 1

                                                                      I have a trigger for the master branch that tags images as :master, and another trigger on all tags that tags them as :latest, so my :latest images are the latest tag. That way I can sort of guarantee that :latest is stable and :master is master’s HEAD.

                                                                      This is on the Docker Hub; Quay.io does this by default if you leave the default build trigger on.

                                                                      (I also have a third trigger that tags images with the name of the tag itself.)
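As an added example (not code from the thread, nor from Docker, Quay or Kubernetes), a small check that ties the digest-pinning comment above to the tag-based deployment strategies in the replies: it walks a manifest and reports every `image:` reference that is not pinned by `@sha256:` digest, distinguishing floating tags (:latest, :master, or no tag) from fixed tags such as a git hash. The manifest fragment and the digest value are constructed sample data.

```python
"""Added example, not code from the thread or from Docker, Quay or Kubernetes:
a manifest check that flags image references which are not pinned by digest.
The digest-pinned form discussed above (name@sha256:...) is content-addressed
and immutable; a tag (:latest, :master, or a git-hash tag) can be re-pushed.
The manifest text and the digest value below are constructed sample data."""
import re

# Digest form accepted by Docker and Kubernetes: sha256: plus 64 lowercase hex digits.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
# Matches a YAML 'image:' line, with or without a leading list dash or quotes.
IMAGE_LINE_RE = re.compile(r"^\s*(?:-\s+)?image:\s*['\"]?([^'\"\s]+)['\"]?\s*$")

# Tags that are conventionally moved to a new build on every push.
FLOATING_TAGS = {None, "latest", "master"}

# Constructed digest value, not a real image digest.
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4


def parse_image_ref(ref):
    """Split 'name[:tag][@sha256:<hex>]' into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    tag = None
    # A ':' after the last '/' introduces a tag; an earlier one is a registry port.
    head, sep, tail = name.rpartition(":")
    if sep and "/" not in tail:
        name, tag = head, tail
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in image reference {ref!r}")
    return name, tag, digest or None


def pin_status(ref):
    """'pinned' for digest references, 'floating' for mutable tags, else 'tagged'."""
    _, tag, digest = parse_image_ref(ref)
    if digest:
        return "pinned"
    if tag in FLOATING_TAGS:
        return "floating"
    return "tagged"


def find_unpinned(manifest_text):
    """Return (line number, reference, status) for each image: line not pinned by digest."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), 1):
        match = IMAGE_LINE_RE.match(line)
        if match is None:
            continue
        ref = match.group(1)
        status = pin_status(ref)
        if status != "pinned":
            findings.append((lineno, ref, status))
    return findings


# Constructed Kubernetes manifest fragment mixing the three reference styles.
SAMPLE_MANIFEST = f"""\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: web
        image: quay.io/ricardbejarano/nginx@{CONSTRUCTED_DIGEST}
      - name: sidecar
        image: nginx:latest
      - name: worker
        image: localhost:5000/worker:2f1c9ab
"""

if __name__ == "__main__":
    for lineno, ref, status in find_unpinned(SAMPLE_MANIFEST):
        print(f"line {lineno}: {ref} is {status}, not pinned by digest")
```

A digest pin only holds as long as the registry retains that blob, which is the Docker Hub retention caveat raised in the reply above.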

                                                                    1. 11

                                                                      If you want to know whether your browser+OS combo would support this: prefers-color-scheme.bejarano.io

                                                                      What a coincidence, I wrote it this Wednesday!