Max_P
@Max_P@lemmy.max-p.me
- Comment on Docker firewall question 5 weeks ago:
With Docker, the internal network is just a bridge interface. The reason most firewall rules don’t apply is a combination of:
- Containers have their own namespaces, including a network namespace, so each container has a blank iptables just for itself.
- For container communication, that goes through the FORWARD table, not the INPUT/OUTPUT ones.
- Docker adds its own rules to ensure that this works as expected.
The only thing that should be affected by the host firewall is the proxy service Docker uses to listen on a port on the host and send it to the container.
When using Docker, each container acts like an independent machine, and your host gets configured to act as a router. You can firewall Docker containers, the rules just need to be in the right place to work.
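As an added example (not from the comment above or from Docker's own documentation): Docker creates a DOCKER-USER chain that its FORWARD rules jump to before Docker's own accept rules, which is the "right place" the comment refers to. The helper below prints the rules that restrict published container ports to a trusted network and audits a chain listing for the classic misplacement; the interface name, subnet and the sample listing are constructed values.

```shell
#!/bin/sh
# Added example, not part of the comment above. Docker forwards container
# traffic through the FORWARD chain and inserts its own accept rules there,
# so host INPUT rules never see it. Docker also creates a DOCKER-USER chain
# that FORWARD jumps to before Docker's own rules; that is the "right place"
# for admin rules. The interface and subnet below are constructed values.

# Print the iptables commands that only let the given LAN reach published
# container ports via the external interface. Both use -I (insert at top):
# the conntrack rule ends up first, so replies to container-initiated
# connections still pass, then the DROP, then Docker's own trailing RETURN.
docker_user_rules() {
  ext_if="$1"   # external interface, e.g. eth0 (constructed)
  lan="$2"      # trusted source network, e.g. 192.168.1.0/24 (constructed)
  printf 'iptables -I DOCKER-USER -i %s ! -s %s -j DROP\n' "$ext_if" "$lan"
  printf 'iptables -I DOCKER-USER -i %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$ext_if"
}

# Audit a listing as printed by `iptables -S DOCKER-USER`: succeed only if a
# DROP rule exists and sits above the chain's trailing RETURN (a DROP placed
# after RETURN is never reached, which is the classic misplacement).
docker_user_audit() {
  printf '%s\n' "$1" | awk '
    /-j DROP/   { drop = NR }
    /-j RETURN/ { ret = NR }
    END { exit !(drop && (!ret || drop < ret)) }'
}

# Constructed listing of a correctly configured chain, for a stand-alone run.
sample_listing='-N DOCKER-USER
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP
-A DOCKER-USER -j RETURN'

docker_user_rules eth0 192.168.1.0/24
docker_user_audit "$sample_listing" && echo "DOCKER-USER: DROP is in place"
```

On a real host, run the printed commands as root and then feed the live `iptables -S DOCKER-USER` output to `docker_user_audit`; rules put in INPUT instead would pass the host firewall but never match forwarded container traffic.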
- Comment on Is a filter for muting Lemmy 'power users' possible? 1 month ago:
You can block them and over time it should get better, or you can write a script that does some checks and blocks them for you.
- Comment on Telegram is exposing their users privacy. 1 month ago:
Telegram was built to protect activists and ordinary people from corrupt governments and corporations – we do not allow criminals to abuse our platform to evade justice.
So who gets to pick what’s a lawful request and criminal activity? It’s criminal in some states to seek an abortion or help with an abortion, so would they hand out the IPs of those “criminals”? Because depending on who you ask some will tell you they’re basically murderers. And that’s just one example.
Good privacy apps have nothing to hand out to any government, like Signal.
- Comment on AT&T is displeased with T-Mobile Priority, calls it out as a confusing marketing campaign 1 month ago:
Because AT&T doesn’t have confusing branding such as the whole 5Ge which is really just them catching up with 4G+ that everyone else already had but totally not to trick users into thinking they’re getting 5G
- Comment on Can I DIY water backwashing through my basement drain? 1 month ago:
I’d at least get a plumber to check it out. You could snake it yourself probably but you could also make it worse. If the pipe’s broken, you might as well just get more debris falling into it and clogging it further.
A regular plumber visit/check usually isn’t that expensive. Not cheap but far from 20k expensive.
It could also be connected to your flooding too, so you probably actually want to at least evaluate the damage ASAP. If the pipe’s broken, you just have a convenient pipe to drain all the rain water straight to your basement.
- Comment on I tried to selfhost Nextcloud at work 2 months ago:
Having the web server be able to overwrite its own app code is such a good feature for security. Very safe. Only need a path traversal exploit to backdoor config.php!
- Comment on I tried to selfhost Nextcloud at work 2 months ago:
Yep, and I’d guess there’s probably a huge component of “it must be as easy as possible” because the primary target is selfhosters that don’t really even want to learn how to set up Docker containers properly.
The AIO Docker image is an abomination. The other ones are slightly more sane but they still fundamentally mix code and data in the same folder so it’s not trivial to just replace the app.
In Docker, the auto updater should be completely neutered, it’s the wrong way to update the app.
- Comment on What are good harddrives to use with serves 2 months ago:
I’ve heard very good things about resold HGST Helium enterprise drives and can be found fairly cheap for what they are on eBay.
I’m looking for something from 4TB upwards. I think I remember that drives with very high capacity are more likely to fail sooner - is that correct?
4TB isn’t even close to “very high capacity” these days. There’s like 32TB HDDs out there, just avoid the shingled archival drives. I believe the belief about higher capacity drives is a question of maturity of the technology rather than the capacity. 4TB drives made today are much better than the very first 4TB drives we made a long time ago when they were pushing the limits of technology.
Backblaze has pretty good drive reviews as well, with real world failure rate data and all.
- Comment on OpenAI Threatening to Ban Users for Asking Strawberry About Its Reasoning 2 months ago:
OpenAI: Here’s a new model that can think in steps and reason about things!
User: How did you conclude this is the correct answer?
OpenAI: No! Not like that! banhammer
- Comment on YouTube confirms your pause screen is now fair game for ads 2 months ago:
That’s fine, the ad co struck a deal with speaker co to not bill for those sound-seconds.
- Comment on YouTube confirms your pause screen is now fair game for ads 2 months ago:
Soon: when you pause a video, it starts playing a video ad with audio, to make sure no silence time gets wasted from your speakers.
- Comment on Ethernet switch only partially working 2 months ago:
Ethernet splitter
What kind of splitter? Not a hub or switch, just a passive splitter?
Those do exist to do 4x 100M links on a single pair each, but you can’t just plug those into a router or switch and get 4 ports.
- Comment on I cannot seem to figure out how to get caddy automatic HTTPS to work behind cloud flair proxy. 2 months ago:
If you’re behind Cloudflare, don’t. Just get an origin certificate from CF, it’s a cert that CF trust between itself and your server. By using Cloudflare you’re making Cloudflare responsible for your cert.
- Comment on DuckStation Creator Considers Shutting Down Emulator Amid License Change 2 months ago:
What’s the problem with SwanStation? Forks are perfectly okay and normal with the GPL, that’s the fucking point of the GPL.
- Comment on Why is blender@lemmy.world empty when browsed from this instance? 2 months ago:
Lemmy only syncs about one page of posts, and without the comments or votes. And only once too, so if someone comes in a month later and tries to see it, it won’t even update those old posts.
So yeah, just need someone to subscribe to it and be patient as new content rolls in naturally through federation.
- Comment on Threads deepens its ties to the open social web, aka the ‘fediverse’ | TechCrunch 2 months ago:
Only time will tell. They’ve definitely done their own share of EEE like for a while you could use Facebook Messenger over XMPP then closed it down.
- Comment on Threads deepens its ties to the open social web, aka the ‘fediverse’ | TechCrunch 2 months ago:
Definitely can appreciate the carefulness here. Imagine they just open the floodgates and now some random Mastodon instance on a $5 VPS is getting hammered with millions of activities because they followed an account with millions of followers on Threads, and now it’s federating millions of likes and thousands of posts.
Meta is trying to be a good fediverse participant here. They could just come in and crush the entire fediverse and be like “lol should have gotten beefier servers”.
- Comment on How to avoid "things going wrong" and immutable distros? 2 months ago:
If your stuff is all Docker then yeah, immutable makes sense as it makes the entire box declarative and immutable: you can get back the exact same operating Docker environment on the server, and then you can get back the exact same Docker workloads going with the Docker compose configurations.
If you ever need to run stuff you’d run on Debian, you can just shove it in a Debian container.
That said, if most of the stuff is containers, the risk of just the core Debian breaking is fairly low. Pick whatever is easiest for you to deal with based on your needs. Immutable distros have a bit of a learning curve.
- Comment on I can't find any NSFW Mastodon instances 2 months ago:
From a user’s perspective, yes, but as an instance admin that’s also a DMCA nightmare.
That’s a great example of the eternal fight between mods and users that ultimately drives admins away: users feel entitled to post that stuff, and mods have to take it down. The user is anonymous and possibly from a country with very lax laws, so they’re protected. The admins have to pay for the servers with real money and their real identity, and thus also an easy target for lawyers.
- Comment on I can't find any NSFW Mastodon instances 2 months ago:
Porn is often really high traffic, which is expensive to run. But a lot of people are weirdos too and tend to push it to the border of legality, which can be challenging for admins if your users keep posting lolis even if it’s not allowed. And they’ll scream at you “it’s not technically illegal”.
The other thing people do a lot with porn is post stuff from sketchy sources or repost paid content for free stealing from OnlyFans pages and the big porn studios. And lately, AI generated porn of non-consenting celebrities. And of course now the increasing pressure to make sure to keep minors out or heaven forbid they’re shown trans porn.
It’s expensive to store all that porn, it’s insanely expensive to distribute it, you need lawyers on standby for the firehose of DMCA reports, you need a solid team of moderators scrubbing the site as fast as possible for CSAM, or run AI tools that needs a lot of fast hardware to run at any decent speed (you need to analyze every frame of a video, for example).
It’s just expensive as fuck overall and that’s why a lot of the porn sites have the sketchiest ads ever, and that’s because you can’t run regular ads as most advertisers don’t want to be shown next to questionable content.
On the fediverse you have the added challenge that ideally, you scrub things before they get federated due to federation bugs. Or you risk being defederated which you probably will anyway as most admins just don’t want to deal with it.
- Comment on Question about mounting ZFS pool 3 months ago:
I learned it accidentally trying to get root on an encrypted dataset working with systemd init without sd-zfs. This turns out to be how the zfs utility works internally to signal the driver “hey it’s okay, I’m a ZFS utility, the user isn’t using mount directly”, and how you deal with mounting your root dataset to the temporary /sysroot while having its mountpoint set to / while in initramfs before pivoting root.
Obviously, don’t use that other than for recovering your data; if you want to use this array you should figure out the mountpoints properly so ZFS does it automatically. It shouldn’t break anything but it’s gross, either set mountpoint=legacy and use fstab or set its mountpoint in ZFS and use zfs mount.
- Comment on Question about mounting ZFS pool 3 months ago:
The trick for this one is mount -t zfs -o zfsutil internal /mnt/some/path
Assuming the root dataset is mountable. If you have a -o canmount=off on the dataset it will refuse to mount. If it’s -o mountpoint=legacy then you don’t need -o zfsutil, but still need to provide both the source and destination paths. Otherwise you’ll get the fstab error because mount can’t figure out what to mount or where to mount it.
- Comment on Few suggestions for lemmy world : posting on profile and live chat 3 months ago:
Profiles, yes that’d be nice as that’d bridge the gap with Mastodon and enable users to do standalone posts but see it threaded instead of the horrible microblogging UX for that.
Chat, I don’t think belongs to ActivityPub, it works alright for direct messages but that’s it. It wouldn’t scale well for this amount of traffic for a chat. But you can however put your Discord/Matrix/IRC on your profile, and communities can put their own Discord/Matrix/IRC room links in the description to form a chat community around the Lemmy community. Maybe an option would be adding dedicated fields for those so that it can be added to the UI to direct you to those transparently. UIs could implement some support for those and embed the chat rooms in the page.
- Comment on Tailscale blocked on hotel wifi 3 months ago:
Yep there’s a reason I reached directly for that configuration. WireGuard uses UDP, that’s one of the first things that gets blocked.
Turns out that’s also the kind of protocol corporate VPNs use, reusing port 443 over TCP. They call those “SSL VPN”. They get to weed out all commercial VPNs used to bypass their firewalls as well as most torrent/game activity while still mostly catering to their business guests.
- Comment on Tailscale blocked on hotel wifi 3 months ago:
Best bet is probably going to be using something like OpenVPN on port 443 in TCP mode, which basically looks like regular HTTPS. It’s a hotel, I doubt they’re going to be doing deep analysis to detect signs it’s OpenVPN. It’s detectable easily but they wouldn’t spend the money on that advanced of a firewall.
My guess is they went for an allowed list of ports rather than blocked, so it lets DNS (53), HTTP (80), HTTPS (443), probably also POP/IMAP/SMTP (110, 995, 143, 993, 465)
- Comment on Why don't cell phones have BIOS? 3 months ago:
A functional desktop Linux is hard. Getting desktop Linux to boot and run stuff isn’t that hard in itself.
The problem is mostly drivers. They’re made for Android specifically, and often for that device specifically as well, so getting them working outside of Android is hard. The second problem is of course manufacturer obstacles, they really don’t want you to do that.
Technically getting a kernel and a working framebuffer is fairly “easy”, because it’s mostly already there, you could just replace the initramfs and run whatever init and software you want. It’s getting the GPU to do stuff that’s a lot harder. WiFi is alright but cellular is a complete nightmare. A lot of those are Java native libraries, which makes it non-trivial to use outside of the Android Framework. But all the kernel stuff, you already have ready to steal right from the manufacturer, or you can take the ones LineageOS uses. It’s only a matter of getting a useful userspace.
And the phone landscape on Linux isn’t that interesting, so people’s attention has been around improving Android itself as it’s much more capable and mature, and is open-source. If Android was closed source we’d have Linux phones already, but for many FOSS enthusiasts, Android is fine and much better polished.
If you’re lucky, PostmarketOS might support your device well. If you’re less lucky you might get a kernel that boots but you can only get a serial shell to it over USB. If you’re unlucky, nothing exists, and you have to do it yourself.
- Comment on Private voting has been added to PieFed 3 months ago:
Firstly, remember that each piefed account only has one alt account and it’s always the same alt account doing the votes with the same gibberish user name. It’s an open source project so the mechanics of it cannot be kept secret and they can be verified by anyone with intermediate Python knowledge.
That implies trust in the person that operates the instance. It’s not a problem for piefed.social, because we can trust you. It will work for your instance. But can you trust other people’s PieFed instances? It’s open-source, I could just install it on my server, change the code to make me 2-3 alt accounts instead. Pick a random instance from lemmy.world’s instance list, would you blindly trust them to not fudge votes?
The availability of the source code doesn’t help much because you can’t prove that it’s the exact code that’s running with no modifications, and marking people running modified code as suspicious out of the box would be unfair and against open-source culture.
If the person is always downvoting or always voting the same as another person you’ll see those patterns in their alt and the alt can be banned.
Sure, but you lose some visibility into who the user is. Seeing the comments is useful to get a better grasp of who they are. Maybe they’re just a serial fact checker and downvoting misinformation and posting links to reputable sources. It can also help identify if there’s other activity beside just votes, large amounts of votes are less suspicious if you see the person’s also been engaging with comments all day.
And then you circle back to, do you trust the instance admin to investigate or even respond to your messages? How is it gonna go when a big, politically aligned instance is accused of botting and the admin denies the claims but the evidence suggests it’s likely? What do we do with Threads or even a hypothetical Twitter going fediverse, with Elon still as the boss? Or Truth Social?
The bigger the instance, the easier it is to sneak a few votes in. With millions of user accounts, you can borrow a couple hundred of your long inactive users’ alts easily and it’s essentially undetectable.
I’m sorry for the pessimism but I’ve come to expect the worst from people. Anything that can be exploited, will be exploited. I also see some deanonymization exploits too: people commonly vote+comment, so with some time, you can do correlation attacks and narrow down the accounts. So to prevent that, you’d have to remove the users mapping 1:1 to a gibberish alt by at least letting the user rotate them on demand, or rotate them on a schedule, and now we can’t correlate votes to patterns anymore. And everyone’s database endlessly fills up with generated alt accounts (that you can’t delete).
The way things are, we don’t have to put any trust in an instance admin. It might as well not be there, it’s just a gateway and file host. But we can independently investigate accounts and ban them individually, without having to resort to banning whole instances, even if the admins are a bit sketchy. Because of the inherent transparency of the protocol.
- Comment on Why don't cell phones have BIOS? 3 months ago:
Apple is Apple, it’s not a super great example. They already had iBoot from the iPhones and iPads that they just adapted for the laptops, which is also what the M chips are. Apple’s firmware has always been rather quirky compared to more standard machines.
If you look at the cloud, like AWS and their Graviton instances, they use plain old regular UEFI but ARM, which then can load GRUB and the kernel as usual there. Completely generic and basically the same as x86_64 UEFI. You can load any generic ARM distro there. We already know what ARM PCs would look like.
The main thing here isn’t really x86 vs ARM, it’s embedded vs PCs. You can totally have non-BIOS and non-UEFI compatible machines with x86 CPUs in them, but I only saw this being done embedded in devices, in my case those were industrial machines. With ARM you’ll also see U-boot which is common in stuff like routers and IoT devices because it’s fairly easy to get working and can be controlled with serial ports. But for PCs, it’s gonna be UEFI if anything because Windows support. In the end, CPU is CPU, it runs code.
Why not UEFI everywhere then? Because it’s overkill most of the time, and orders of magnitude more code and complexity which you just don’t need for a router. Your router can start executing its operating system directly from flash. You know in advance where the kernel is located, you don’t need to start initializing PCIe devices and a SATA controller and scan disks for GPT headers and find an EFI partition formatted as FAT32 to find an executable to load into memory and execute, no graphics card to initialize, no keyboard and mouse to monitor for menu, no menus to display because there’s no options, etc. UEFI firmwares aren’t small. The arm64 OVMF firmware for QEMU is a whopping 64MB, that’s more flash than my router even has.
- Comment on Private voting has been added to PieFed 3 months ago:
The problem with this approach is trust. It works for the users, but not admins. If I run a PieFed instance with this on, how can lemmy.world for example trust my tiny instance to be playing by the rules? I went over more details in this other comment.
Sure, right now admins can contact you, for your instance. But you can’t really do that with dozens of instances and hundreds of instances. There’s a ton of instances we tolerate the users, but would you trust the admin with anonymous votes? Be in constant contact with a dozen instance admins on a daily basis?
It’s a good attempt though. Maybe we’re all pessimistic and it will work just fine!
- Comment on Private voting has been added to PieFed 3 months ago:
Plus, if you know your votes are public, maybe it’ll incentivise some people to maybe skip upvoting that kind of content. People use anonymity to say and promote absolutely vile things that they would never dare say or support openly otherwise.