@cks@mastodon.social avatar

cks

@cks@mastodon.social

That cks. Overcommitted sysadmin, photographer, bicyclist, and other multitudes. I write a lot of words for a programmer. he/him


cks, to random

Why yes unnamed cloud vendor, I do appreciate you making the tiny system disk of my dinky, basically as cheap as possible VM be your "premium SSD" offering. I am sure I will need all those more expensive IOPS for (checks notes) automated Ubuntu package updates.

Also, no. I'm not surprised, I'm just disappointed at cloud vendor practices. It sure is nice to feel like they're out to ruthlessly exploit me.

cks, to random

It's certainly better to discover that my commuter bike has a flat rear tire on a Sunday afternoon than on, say, a Tuesday morning when I'm about to commute with it. But I'd rather not have the flat.

(You know how the bike mechanic at your local bike shop can change your flat tire in no time at all and make it look like magic? Me with flat tires is the exact reverse of that. I will forever be the last place finisher in any flat-changing competition.)

cks, to random

Well, that was a learning experience not just about where DNS servers put information when you query them with 'what are the NS records for this subdomain', but also on how some of our local DNS servers are configured. (In a way that kind of surprises me, for one of them.)

TIL that if you ask a parent authoritative server for NS records for a subdomain, they show up in the 'authority' section of the reply, not the 'answer' section. For (perfectly good) DNS reasons.
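To make the referral behaviour in that post concrete, here is an added example (not from the post) that builds a constructed DNS referral reply with made-up names (sub.example.org. and two nameservers under it) and parses it back into its sections: a real wire parser puts the NS records under 'authority' and leaves the answer section empty.

```python
import struct
NS = 2  # RR type code for NS (RFC 1035); class IN is 1 throughout

def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Labels at off -> (dotted name, offset after the name); follows compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer into the message (RFC 1035 section 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode())
        off += length

def build_referral(qname, nameservers):
    """Constructed referral: ANCOUNT=0, one NS RR per server in the AUTHORITY section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(nameservers), 0)  # id, QR=1, counts
    question = encode_name(qname) + struct.pack("!HH", NS, 1)
    authority = b"".join(encode_name(qname) + struct.pack("!HHIH", NS, 1, 3600, len(encode_name(ns)))
                         + encode_name(ns) for ns in nameservers)
    return header + question + authority

def sections(msg):
    """Split a reply into answer/authority/additional lists of (owner, type, rdata)."""
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section (name + QTYPE + QCLASS)
        off = decode_name(msg, off)[1] + 4
    out = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[key] = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = decode_name(msg, off)[0] if rtype == NS else msg[off:off + rdlen]
            off += rdlen
            out[key].append((owner, rtype, rdata))
    return out

# Constructed input: the parent (example.org.) server replying to an NS query for a delegated child.
REFERRAL = build_referral("sub.example.org.", ["ns1.sub.example.org.", "ns2.sub.example.org."])
```

`sections(REFERRAL)["answer"]` comes back empty while the two NS records sit in `sections(REFERRAL)["authority"]`, which is exactly the split a resolver relies on to tell a referral from an authoritative answer.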

cks, to random

Half-formed hot take: the Linux kernel CVE situation is the tip of an emerging iceberg as OSS people push back and refuse to do supply chain/security work for free just because third parties want it.

(AFAIK, the ultimate trigger was third party maintainers of old kernels wanting the mainstream kernel to note all changes that turned out to be security fixes so the 3rd parties could backport them and only them. Identifying what is actually a security fix is non-trivial extra work (& fallible).)

cks,

A realization: One way to describe the Linux kernel CVE situation is that the Linux kernel developers aren't going to be providing security analysis of bugfixes (or kernel changes in general) any more, especially for unsupported kernel versions. This is not quite accurate; some fixes will certainly come with a security analysis (eg, ones reported to the kernel as unfixed security issues). But fewer will than before.

Is this bad? Well, the analysis before was not infrequently wrong, so.

cks, to random

We used to operate one of the university's authoritative secondary DNS servers for all of the university's domains. Many years ago, we ceased doing this, reducing the server to just being authoritative for our own domains. Today I learned that there are a lot of people on the Internet still querying us for other people's domains that we haven't been NS records for for years. Where are they picking this up from? It is a mystery.

cks,

Bonus: some of the people still querying our DNS server for domains we aren't authoritative for appear to be (other people's) within-university DNS servers. All I can say is WHAT.

cks,

This is my face when I pull the name server statistics from our 'used to be an authoritative secondary and no longer is' DNS server and discover that more than 80% of the queries are for things we don't serve any more. This is also my face when I pull a tcpdump to look at the sources of this traffic and they are all over the place, including from eg 'DNS-8-0-10-3.Chicago1.Level3.net'. And a lot of AWS machines.

What.

cks, to random

I've now created my first cloud (virtual) machine. It is of course a special snowflake, because I had no desire to try to simultaneously learn this cloud vendor's web UI, terminology, etc and also some cloud machine automation setup. At least it's an extremely simple special snowflake and I kept notes (and off-machine copies of everything important).

I suspect that it is terribly set up and there are much better ways to do what I want, but meh. It's simple.

cks,

My first cloud VM isn't even in production yet and its external monitoring of our stuff already found a real problem. On the one hand, clearly it's valuable. On the other hand, I'd rather that this sort of problem wasn't there in the first place.

cks,

@phillmv Yep, we're still on-premise (although I've used locally hosted VMs for testing for years). Partly this is because of (our) university funding model, where it's very hard to guarantee ongoing funding but it's comparatively easy to get one-time funding through grants. The cloud converting one-time capex into ongoing opex is terrible for us; we can't be sure of the opex funding, and if we stop paying the cloud goes away. Hardware is ours for as long as it keeps working.

cks, to random

Great moments in dry (Go) commit comments[1]:

runtime: remove note about goid reuse

Goids are designed to be big enough that they will never be reused: a uint64 is enough to generate a new goroutine every nanosecond for 500+ years before wrapping around, and after 500 years you should probably stop and pick up some security updates.

[...]

1: https://go.googlesource.com/go/+/8f71c7633fd70fffc5fa65e7865e763238fa6f46

cks, to random

This is my face when people think it is a good idea to make your computer make bubble-popping noises when you change the sound volume. I AM LISTENING TO MUSIC YOU GOONS, IT IS NOT IMPROVED BY RANDOM BUBBLE POPS.

filippo, to random
@filippo@abyssdomain.expert avatar

Strong agree that sudo is dogma, and logging in as root is just fine, actually.

I think @fanf is even more right about this than he claims.

For single-user workstations, who cares about administrative access. The only real security boundary is the TPM/SEP. really(8) without any further authentication would be just fine.

The flip side is that I don't actually care about sudo's complexity or security, because it's not protecting a security boundary I care about.

https://dotat.at/@/2024-05-02-sudo.html

cks,

@filippo @fanf I sort of care about administrative access on my single-user workstations because I really don't want to spend all my time being one errant typo away from deleting /usr/bin. (Or having a makefile be etc etc.)

cks,

@filippo @fanf I actually want the forced tty interaction, because that makes it very hard for random scripts/Makefiles/etc to put in 'really ...' and surprise me in a very unpleasant way.

(Based on sudo logs at (university CS department) work, with our population of postdocs, graduate students, etc fetching and using random research software, there are clearly a lot of instructions and possibly scripts that already use sudo this way.)

fanf, to random
@fanf@mendeddrum.org avatar
cks,

@fanf I think sudo is a good replacement for setuid programs, especially setuid programs that you don't intend to make accessible to everyone, just to a restricted group. You could do that with other mechanisms, but sudo is very simple to set up and it's everywhere already.

GeePawHill, to random
@GeePawHill@mastodon.social avatar

No, wait, what?

It's pronounced "roo-bee"?

I been calling it rub-ee this whole time.

cks,

@GeePawHill I was going to think it weird but then I remembered that it originated from Japan.

(I have a lot of casual exposure to Japanese phoneme rules through anime (and manga), since sooner or later one winds up trying to understand how non-Japanese words wind up being pronounced the way they are in the Japanese dialog. Sometimes this leads to comedy with translating into/back to English, as people try to work out the correct English/Latin-alphabet version of some non-Japanese name.)

cks,

@GeePawHill For example, one (human) person in a manga I am very fond of has a special supernatural status. The Japanese for it transliterates to 'surei bega' and the term was expected to be some English language term that had been transliterated into Japanese by the manga creator. It took a rather long time (and in the end the word of the creator) to work out exactly what English term it was.

fanf, to random

on my blog!

https://dotat.at/@/2024-04-30-wireguard.html

my wireguard IPv6 tunnel

cks,

@fanf Possibly relevant to your interests on this, my Fedora and Ubuntu 22.04 based version: https://utcc.utoronto.ca/~cks/space/blog/linux/Ubuntu2204WireGuardIPv6Gateway

cks, to random

In re Canonical and Ubuntu: at work we are still using Ubuntu LTS (and we're going to start using 24.04), but this is on servers where we don't have to deal with snaps (we turn them off, they don't work in our environment). But the Canonical monetization drive is obvious and the end point is inevitable, so I expect we'll wind up on Debian before too many more years (depending on what Canonical does to LTS releases). 2026? 2028? Who knows.

wrt: https://oldbytes.space/@feoh/112337886575696195

cadey, to random
@cadey@pony.social avatar

RPM and Fedora really aren't that bad tbh

cks,

@bitprophet @cadey I like RPM as a package format (especially for source packages) but I think Debian has consistently made better decisions about things like how to split up configuration files for programs and so on. (Oh Fedora, your Apache setup is terrible, or was the last time I looked.)

Apparently I am too picky for my own good.

misc, to random
@misc@mastodon.social avatar

There are so many map-based apps that should be pretty simple to implement and yet haven't been (afaik)

  • Chances of rain along your bike route for different start times
  • Given a route, best rated restaurants that don't take you far away from that route, for pick up orders
  • Best restaurant to meet up for two parties, that requires them to travel a roughly equal amount

cks,

@misc @irenes On iOS there's an "Epic Ride Weather" app that will show you forecast weather for a route for a particular time, I think including relatively granular rain chances. The drawback with it is that apparently all weather API sources are paid, so it has to charge you to cover its back-end access costs. (I haven't played with it because of that so I'm not sure how readily you can vary the start times and so on.)

whitequark, to random
@whitequark@mastodon.social avatar

it's surprisingly difficult to get a linux machine to communicate to itself using a pair of network adapters

cks,

@whitequark I think it might work with network namespaces if you detach one interface from the default network namespace and stuff it into another one. But I haven't actually tested this particular case (although I once did use network namespaces for separate routing tables).

Failing that, you can go all the way to not configuring one interface then attaching that interface to a virtual machine with its own IP. That definitely works! (... and is so annoying to need.)

whitequark, to random

being confronted so directly with the reality of linux uapi might eventually make me switch to a real operating system kernel

cks,

@whitequark There is a great quote from the Go people in a document about rewriting their linker[1]:

"The original linker was also simpler than it is now and its implementation fit in one Turing award winner’s head, so there’s little abstraction or modularity. Unfortunately, as the linker grew and evolved, it retained its lack of structure, and our sole Turing award winner retired."

1: https://docs.google.com/document/d/1D13QhciikbdLtaI67U6Ble5d_1nsI4befEd6_k1z91U/view

cks, to random

TIL that Lustmord is on Bandcamp, https://lustmord.bandcamp.com/music
Now I have some catching up to do (and a Bandcamp Friday coming up, conveniently).

cks,

Today's "oh my they are on Bandcamp" is Rapoon, https://rapoon.bandcamp.com/music

I have a number of Rapoon's albums on (packed-away) CDs and remember them fondly. The music fits in what I think of as the broad ambient family, more toward the pulsing drone side (and perhaps more the experimental side of electronic music in general).
