ck_

@ck_@discuss.tchncs.de

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Unicode tricks in pull requests: Do review tools warn us?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
TL;DR: you could adopt good programming practices like “don’t shadow mutable state” and “put constants first in a comparison” or you can pay us money so we show you obscure attempts to exploit your bad programming in code review … maybe …
⁨Comment⁩ on ⁨This year in Servo: over 1000 pull requests and beyond - Servo, the embeddable, independent, memory-safe, modular, parallel web rendering engine⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
This project is so necessary, we really need a modern, open browser engine that’s not going down the path of enshitification.

In case you didn’t know, this is the project Mozilla dropped by the developers Mozilla fired. So if you feel like at the end of the year you have some money left over, maybe consider joining the crowdfunding effort. (I am not affiliated)
⁨Comment⁩ on ⁨VPNs, self hosting & security⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:

I have tailscale, which is great for ssh-ing onto my Nas from the outside world. But to access my services, is a VPN the best way to do it?

The main point about Tailscale that I see people on here often get wrong is that they compare it to a “classic” hub-and-spoke VPN, when in fact it is an end-to-end zero trust encrypted mesh network. End-to-end does not mean machine-to-machine, it means user to service. So in your case, you should place one tailscale node in each pod (collection of containers that make up one service) as a sidekick. That way, a user need to authenticate in order to even open a network connection for a specific service, which is a very secure solution.
⁨Comment⁩ on ⁨What do you use to manage secrets in your network?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
If you like pass, you might want to look into passage
⁨Comment⁩ on ⁨Should I move to Docker?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
The main downside of docker images is app developers don’t tend to play a lot of attention to the images that they produce beyond shipping their app. While software installed via your distribution benefits from marriculous scrutiny of security teams making sure security issues are fixed in a timely fashion, those fixes rarely trickle down the chain of images that your container ultimately depends on. While your distributions package manager sets up a cron job to install fixes from the security channel automatically, with Docker you are back to keeping track of this by yourself, hoping that the app developer takes this serious enough to supply new images in a timely fashion. This multies by number of images, so you are always only as secure as the least well maintained image.

Most images, including latest, are piss pour quality from a security standpoint. Because of that, professionals do not tend to grab “off the shelve” images from random sources of the internet. If they do, they pay extra attention to ensure that these containers run in sufficient isolated environment.

Self hosting communities do not often pay attention to this. You’ll have to decide for yourself how relevant this is for you.
⁨Comment⁩ on ⁨Nextcloud vs Syncthing for PKM notes?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Syncthing uses inotify to watch for changes, so it’s pretty much instant
⁨Comment⁩ on ⁨Nextcloud vs Syncthing for PKM notes?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Yeah, and for that reason, I opted for syncthing instead of Git for this use case.
⁨Comment⁩ on ⁨Nextcloud vs Syncthing for PKM notes?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Never had merge conflicts I take it 😄
⁨Comment⁩ on ⁨GitHub - couchbase/fleece: A super-fast, compact, JSON-equivalent binary data format⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
You probably wouldn’t. The main difference is that protobuf is structured while fleece is unstructured, so you would use it in places where you don’t want to (or can’t) tie yourself to a schema outright.
⁨Comment⁩ on ⁨Nextcloud vs Syncthing for PKM notes?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Does not have great UX on phones though.
⁨Comment⁩ on ⁨Replacing Cloudflare Tunnels with Tailscale?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:

I ran a funnel test and yes it works, but still have to use the ts.net

Out of curiosity, why is that a deal breaker for you?
⁨Comment⁩ on ⁨Replacing Cloudflare Tunnels with Tailscale?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:

Cloudflare can decrypt the data before it hits my site before it encrypts it

Give Tailscale funnel a try, it provides similar functionality but does not need to terminate yout TLS to do it.
⁨Comment⁩ on ⁨Replacing Cloudflare Tunnels with Tailscale?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Precisely. Except there is no “Tailscale manage them for you”.

So you could summarize your answer as " Tailscale certificates work like let encrypt".
⁨Comment⁩ on ⁨Replacing Cloudflare Tunnels with Tailscale?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
That’s just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no “gap” between your browser and that server.
⁨Comment⁩ on ⁨Replacing Cloudflare Tunnels with Tailscale?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:

Both CF and Tailscale play MITM with your HTTPS connection

That’s not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.
⁨Comment⁩ on ⁨Replacing Cloudflare Tunnels with Tailscale?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Except you can condense that whole thread into
1. Install Tailscale
⁨Comment⁩ on ⁨What operating system and tools should a beginner use to learn programming?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Programming has very low hardware requirements, much lower than web browsing. Just don’t get sucket into the whole maelstrom of people trying to convince you that you need a bunch of complicated tools. If you are just stating out, Gedit or equivalent will work out just fine.

In terms of operating systems, if given the choice professionals tend to congregate around Linux and MacOS as the development experience historicaly has been much better due to having access to a proper terminal. This is something you want to familiarize yourself with if you haven’t already. Other factors may apply, especially in professional environments, where clients / employers mandate the use of Windows or something else, but this probably does not apply to you.

Universities usually have their curriculum, which is rather narrow in the beginning and widens in later terms, especially in masters classes. When it comes to teaching fundamentals, language and tools really does not matter much. It’s more about keeping things manageable for the teacher.
⁨Comment⁩ on ⁨Real quick question about the "break"⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:

It’s a very good lesson- to the point where I wouldn’t be surprised if the teacher is deliberately putting an arbitrary restriction on the assignment.

It’s not arbitrary. When you start out on a profession, the first thing a good instructor does is make you unlearn the things you already think you know before teaching you the things you need to know. Think of it this way: When you pick up a golf club and start hitting the ball, you’ll drive it left and right. First thing you’ll be taught is to only hit straight. Even if you think you should try to drive a curve ball, a good teacher will not allow you. Only when you have mastered the basics will he teach you to drive curved balls. So ignore your teachers advice at your own peril, but it will most likely set you up for an expert beginners career.

As a closer, I can tell you this much: I received the same advice almost 20 years ago and now, after being a professional developer for two decades, I can not recall more than five times when a break statement actually made more sense than to rethink the algorithm.
⁨Comment⁩ on ⁨Setup a DNS server on a dynamic public ip⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:

Is there any other way?

For all intends and purposes, let’s assume there isn’t. Running a DNS server on the ‘open internet’ is notoriously difficult if you are not familiar with the intricacies, especially with regards to security. Running it through a VPN is really the best option you have here.
⁨Comment⁩ on ⁨Send 1 mln requests - strategy⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Aaand… blocked
⁨Comment⁩ on ⁨Send 1 mln requests - strategy⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Given we know very little about the problem and runtime constraints, the second approach has the potential to have better performance, as with case 1. the average duration of the requests in a batch is equal to the worst case for all requests, while in case 2. the average duration of all requests is, well, the average.
⁨Comment⁩ on ⁨Banana Pi BPI-M7 - More Reasons to Avoid the Raspberry Pi⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Definitely, the specs are nice and I also cannot say I’m a huge fan of the RPi foundation. More competition in this space would be great, but not having mainline support is just too much of a hassle.
⁨Comment⁩ on ⁨Banana Pi BPI-M7 - More Reasons to Avoid the Raspberry Pi⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Fair, but I’m not running armbian, so my requirements boils down to: Must run any up to date Linux distro without having to side-load custom kernels or anything. Should work out of the box.
⁨Comment⁩ on ⁨Banana Pi BPI-M7 - More Reasons to Avoid the Raspberry Pi⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Yeah, I figured. I’ll stick to the Raspberries then, mainly because the "just work"™
⁨Comment⁩ on ⁨Banana Pi BPI-M7 - More Reasons to Avoid the Raspberry Pi⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
My experience with Banana PIs is that they require some obscure kernel to run because the developers cannot be bothered to bring their hardware support and drivers upstream. Same was true for uboot. Has any of that changed in the meantime? If not, that this is a no go for me.
⁨Comment⁩ on ⁨Reality check: Our Go backend stack⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:

Has anyone been in a similar situation - how did you resolve it?

I have been there and after half a year of lobbying for changes, the only real solution was to change jobs.
⁨Comment⁩ on ⁨Looking for Advice with networking between VPS, Homelab and Cloudflare⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
With Tailscale, you would typically cut out the VPS, the connection would be client <-> homelab. No intermediary required. You COULD of course do it how you describe with the subnet router and everything, but the point of tailscale is really to have end to end connectivity.
⁨Comment⁩ on ⁨Does running applications inside a container as an unprivileged user have any security benefits?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:

containers are based on namespaces which have always been also a security feature.

Not correct.

Chroot has been a common “system” technique, afterall.

Not correct.
⁨Comment⁩ on ⁨Does running applications inside a container as an unprivileged user have any security benefits?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Container are not a security concept. Hence, running things inside of a container does not provide any security benefits as opposed to outside of the container.

In actual fact, if you take the time to configure you services with proper systemd security features, you get more secure environments than with running generic containers with “just” unprivileged users.
⁨Comment⁩ on ⁨Does running applications inside a container as an unprivileged user have any security benefits?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
This comment shows misunderstanding of what container and virtual machines are and how the technology behind each concept works. Containers are NOT virtual machines, do not treat them as such.