kevincox
@kevincox@lemmy.ml
https://kevincox.ca
- Comment on The Most Loved Digital Audio Streaming Platforms. 1 month ago:
I paid for GPM for quite a while. I then started working at Google and beta tested YouTube Music from very early on and gave lots of feedback about how it sucked. When they shut down GPM I cancelled my YouTube Premium membership and installed an ad blocker. Not just YTM but so many things about YouTube were getting worse and worse and I couldn’t find it in myself to keep paying for a service that kept removing features.
- Comment on The Most Loved Digital Audio Streaming Platforms. 1 month ago:
Yes, but in my experience it is pretty trash. Unlike Google Play Music which matched the music to known tracks and shuffled it in with recommended playlists and other features on YouTube Music the uploaded songs are basically completely isolated. At that point why use a streaming service?
- Comment on SMTP provider 1 month ago:
A few hundred a month is just a few per day. That is pretty low volume by most standards.
I would say in general if the SMTP server could be replaced by a single human writing and mailing snail-mail letters by hand it qualifies as low volume.
- Comment on YouTube has found a new way to load ads | AdGuard Blog 1 month ago:
This isn’t how YouTube has streamed videos for many, many years.
Most video and live streams work by serving a sequence of small self-contained video files (often in the 1-5s range). Sometimes audio is also separate files (avoids duplication as you often use the same audio for all video qualities as well as enables audio-only streaming). This is done for a few reasons but primarily to allow quite seamless switching between quality levels on-the-fly.
Inserting ads in a stream like this is trivial. You just add a few ad chunks between the regular video chunks. The only real complication is that the ad needs to start at a chunk boundary. (And if you want it to be hard to detect you probably want the length of the ad to be a multiple of the regular chunk size). There is no re-encoding or other processing required at all. Just update the “playlist” (the list of chunks in the video) and the player will play the ad without knowing that it is “different” from the rest of the chunks.
- Comment on LDAP to UNIX user proxy 2 months ago:
Ah ok. You aren’t doing auth. So sort of irrelevant to the whole discussion.
- Comment on LDAP to UNIX user proxy 2 months ago:
Are you doing auth in the reverse proxy for Jellyfin? Do you use Chromecast or any non-web interface? If so I’m very interested how you got it to work.
- Comment on LDAP to UNIX user proxy 2 months ago:
The concern is that it would be nice if the UNIX users and LDAP is automatically in sync and managed from a version controlled source. I guess the answer is just build up a static LDAP database from my existing configs. It would be nice to have one authoritative system on the server but I guess as long as they are both built from one source of truth it shouldn’t be an issue.
- Comment on LDAP to UNIX user proxy 2 months ago:
Yes, LDAP is a general tool. But many applications that I am interested in using it for user information. That is what I want to use it for. I’m not really interested in storing other data.
I think you are sort of missing the goal of the question. I have a bunch of self-hosted services like Jellyfin, qBittorrent, PhotoPrism, Metabase … I want to avoid having to configure users in each one individually. I am considering LDAP because it is supported by many of these services. I’m not concerned about synchronizing UNIX users, I already have that solved. (If I need to move those to LDAP as well that can be considered, but isn’t a goal).
- Comment on LDAP to UNIX user proxy 2 months ago:
I do use a reverse proxy but for various reasons you can’t just block off some apps. For example if you want to play Jellyfin on a Chromecast or similar, or PhotoPrism if you want to use sharing links. Unfortunately these systems are designed around the built-in auth and you can’t just slap a proxy in front.
I do use nginx with basic with in front of services where I can. I trust nginx much more than 10 different services with varying quality levels. But unfortunately not all services play well.
- Comment on LDAP to UNIX user proxy 2 months ago:
How are you configuring this? I checked for Jellyfin and their are third-party plugins which don’t look too mature, but none of them seem to work with apps. qBittorrent doesn’t support much (actually I may be able to put reverse-proxy auth in front… I’ll look into that) and Metabase locks SSO behind a premium subscription.
IDK why but it does seem that LDAP is much more widely supported. Or am I missing some method to make it work
- Comment on LDAP to UNIX user proxy 2 months ago:
But the problem is that most self-hosted apps don’t integrate well with these. For example qBittorrent, Jellyfin, Metabase and many other common self-hosted apps.
- Comment on LDAP to UNIX user proxy 2 months ago:
NixOS makes it very easy to declartiviely configure servers. For example the users config to manage UNIX users: nixos.org/manual/nixos/stable/options#opt-users.u…
- Comment on LDAP to UNIX user proxy 2 months ago:
Yet another service to maintain. If the server is crashing you can’t log in, so you need backup UNIX users anyways.
- Comment on LDAP to UNIX user proxy 2 months ago:
I use NixOS.
- Submitted 2 months ago to selfhosted@lemmy.world | 34 comments
- Comment on Which one is selected? The "Yes" option or the "No" option? 2 months ago:
Yeah. I like old school tabs that were clearly attached to the thing that they switched.
- Comment on Which one is selected? The "Yes" option or the "No" option? 2 months ago:
I don’t think it is that simple. I think that outline is about the “focus”. So if I press enter it will activate that tab, if I press tab it will move the focus to the “Entire Screen” tab.
The UX issue is that there are two concepts of focus in this UI. There is “which tab is active” and “what UI element will pressing enter activate”. These two are not sufficiently differentiated which leads to a confusing experience.
Or maybe there can just be no keyboard focus indicator by default, but that may be annoying for keyboard power users. But this is generally how it works on the web, you have to press tab once to move keyboard focus to the first interactive element.
- Comment on Which one is selected? The "Yes" option or the "No" option? 2 months ago:
The one that always gets me is GNOME’s screen sharing portal.
a screenshot of the screen sharing dialog.
There is this outline around the “Application Window” tab which makes it seem selected. I use this UI multiple times a week and I need to pause for a sec every single time. I always think “I want to share a window”, “oh it is already selected” then stare at the monitors for a while before I realize why I can’t understand what I am looking at.
- Comment on Peloton announces $95 “used equipment activation fee” 2 months ago:
This is basically admitting that consumers don’t actually value their subscription service for the cost. If users were buying used bikes and signing up for subscriptions Peloton would be thrilled, they would do everything that they could to encourage that like free trials. But it must be that most people who buy used bikes don’t find the subscription worth it and cancel within a few months. Adding this fee both extracts more money and creates a sunk cost fallacy that will cause them to go longer before cancelling.
If the product sold itself they would just let people pay them subscriptions, its basically free money.
- Comment on Running One-man SaaS, 9 Years In 3 months ago:
This is my dream. However I think my target market is smaller and less willing to pay (personal rather than business). However maintenance is low effort and I want the product for myself. So even if it doesn’t make much or anything I think I will be happy to run it forever.
The ultimate dream would be to make enough to be able to employ someone else part time, so that there could be business continuity if I wasn’t able to run it anymore.
- Comment on Security and docker 3 months ago:
There is definitely isolation. In theory (if containers worked perfectly as intended) a container can’t see any processes from the host, sees different filesystems, possibly a different network interface and basically everything else. There are some things that are shared like CPU, Memory and disk space but these can also be limited by the host.
But yes, in practice the Linux kernel is wildly complex and these interfaces don’t work quite as well as intended. You get bugs in permission checks and even memory corruption and code execution vulnerabilities. This results in unintended ways for code to break out of containers.
So in theory the isolation is quite strong, but in practice you shouldn’t rely on it for security critical isolation.
- Comment on Security and docker 3 months ago:
where you have decent trust in the software you’re running.
I generally say that containers and traditional UNIX users are good enough isolation for “mostly trusted” software. Basically I know that they aren’t going to actively try to escalate their privilege but may contain bugs that would cause problems without any isolation.
Of course it always depends on your risk. If you are handing sensitive user data and run lots of different services on the same host you may start to worry about remote code execution vulnerabilities and will be interested in stronger isolation so that a RCE in any one service doesn’t allow escalation to access all data being processed by other services on the host.
- Comment on Security and docker 3 months ago:
IMHO it doesn’t majorly change the equation. Plus in general a single-word comment is not adding much to the discussion. I like Podman and use it over Docker, but in terms of the original question I think my answer would be the same if OP was using Podman.
- Comment on AI models collapse when trained on recursively generated data 3 months ago:
To be fair this doesn’t sound much different than your average human using the internet.
- Comment on Security and docker 3 months ago:
The Linux kernel is less secure for running untrusted software than a VM because most hypervisors have a far smaller attack surface.
how many serious organization destroying vulnerabilities have there been? It is pretty solid.
The CVEs differ? The reasons that most organizations don’t get destroyed is that they don’t run untrusted software on the same kernels that process their sensitive information.
whatever proprietary software thing you think is best
This is a ridiculous attack. I never suggested anything about proprietary software. Linux’s KVM is pretty great.
- Comment on Security and docker 3 months ago:
I think assuming that you are safe because you aren’t aware of any vulnerabilities is bad security practice.
Minimizing your attack surface is critical. Defense in depth is just one way to minimize your attack surface (but a very effective one). Putting your container inside a VM is excellent defense in depth. Putting your container inside a non-root user barely is because you still have one Linux kernel sized hole in your swiss-cheese defence model.
- Comment on Security and docker 3 months ago:
I never said it was trivial to escape, I just said it wasn’t a strong security boundary. Nothing is black and white. Docker isn’t going to stop a resourceful attacker but you may not need to worry about attackers who are going to spend >$100k on a 0-day vulnerability.
The Linux kernel isn’t easy to exploit as if it was it wouldn’t be used so heavily in security sensitive environments
If any “security sensitive” environment is relying on Linux kernel isolation I don’t think they are taking their sensitivity very seriously. The most security sensitive environments I am aware of doing this are shared hosting providers. Personally I wouldn’t rely on them to host anything particularly sensitive. But everyone’s risk tolerance is different.
use podman with a dedicated user for sandboxing
This is only every so slightly better. Users have existed in the kernel for a very long time so may be harder to find bugs in but at the end of the day the Linux kernel is just too complex to provide strong isolation.
There isn’t any way to break out of a properly configured docker container right now but if there were it would mean that an attacker has root
I would bet $1k that within 5 years we find out that this is false. Obviously all of the publicly known vulnerabilities have been patched. But more are found all of the time. For hobbyist use this is probably fine, but you should acknowledge the risk. There are almost certainly full kernel-privilege code execution vulnerabilities in the current Linux kernel, and it is very likely that at least one of these is privately known.
- Comment on Security and docker 3 months ago:
It is. Privilege escalation vulnerabilities are common. There is basically a 100% chance of unpatched container escapes in the Linux kernel. Some of these are very likely privately known and available for sale. So even if you are fully patched a resourceful attacker will escape the container.
That being said if you are a low-value regular-joe patching regularly, the risk is relatively low.
- Comment on Security and docker 3 months ago:
Docker (and Linux containers in general) are not a strong security boundary.
The reason is simply that the Linux kernel is far too large and complex of an interface to be vulnerability free. There are regular privilege escalation and container escapes found. There are also frequent Docker-specific container escape vulnerabilities.
If you want strong security boundaries you should use a VM, or even better separate hardware. This is why cloud container services run containers from different clients in different VMs, containers are not good enough to isolate untrusted workloads.
if Gossa were to be a virus, would I have been infected?
I would assume yes. This would require the virus to know an unpatched exploit for Linux or Docker, but these frequently appear. There are likely many for sale right now. If you aren’t a high value target and your OS is fully patched then someone probably won’t burn an exploit on you, but it is entirely possible.
- Comment on Why do many search engines seem to ignore operators (e.g. exact phrases, term exclusions, OR, etc.)? Is there a good reason for having a dumb 1997-level search logic that I'm not seeing? 4 months ago:
There are a few reasons. Some of them are in the users’ interest. Lots of people phrase their search like a question. “How do I turn off the wifi on my blue windows 11 laptop?”
While ignoring stopwords like “the” and “a” has been common for a while there is lots of info here that the user probably doesn’t actually care about. “my” is probably not helping the search, “how” may not either. Also in this case “blue” is almost certainly irrelevant. So by allowing near matches search engines can get good articles even if they don’t contain all of the words.
Secondly search engines often allow stemming and synonym matching. This isn’t really ignoring words but can give the appearance of doing so. For example maybe “windows” gets stemmed to “window” and “laptop” is allowed to match with “notebook”. You may get an article that is talking about a window of opportunity and writing in notebooks and it seems like these words have been ignored. This is generally helpful also often the best result won’t have used the exact same words that you did in the query.
Of course then there are the more negative reasons.
- Someone decided that you can’t buy anything if your product search returns no results. So they decided that they will show the “closest matches” even if nothing is anywhere close. This is infuriating and I have stopped using many sites because of it.
- If you need to make more searches or view more pages you also see more ads.
