jssfr

@jssfr@zombofant.net

By day, #devops team lead at Cloud&Heat in Germany.

By night, #xmpp #electronics #embedded #penandpaper #rpg #photography.

I tend to dabble my feet in anything technical I can get my hands on, unless it's proprietary.

My photography related alt is at https://pixel.tchncs.de/jssfr .

Concerned with the state of the world (climate, for one, hatred and war for another), trying not to worry too much about things outside my control.

Interactions, boosts etc. in general welcome.


John_Livingston, (edited) to fediverse
@John_Livingston@mamot.fr

Dear community,

I'm using Prosody+ConverseJS to add some chatting capabilities to (streaming software)

For such streaming platforms, there is a very useful feature, called the "Slow Mode". As far as I know, there is no XEP to describe this feature. So… I made a draft.

Here it is:
https://johnxlivingston.github.io/peertube-plugin-livechat/technical/slow_mode/

This is not submitted yet. As it is my first one, I'd like some people to have a look and tell me if there are misspellings, misconceptions, or things to clarify.

jssfr,

@John_Livingston Woop woop, good work!

(Long-time editor and XSF council member here.)

This is looking pretty decent already. Only nitpick I have is that "CAN" is not an RFC 2119 word, and you should replace it with MAY or SHOULD (whichever fits best).

Some of the wording feels a bit strange to me, but as I'm not a native English speaker either, I'm not going to try to fix that :). Maybe someone else will step up?

The rest will probably come with discussion in the XMPP community on the standards mailing list.

If you need further help on the process, feel free to ping me :).

P.S.: I nearly didn't see your post because you didn't switch the language to English before posting :).

drewdevault, to random
@drewdevault@fosstodon.org

We're working on anti-spam tools at SourceHut and there might be some opportunity for collabo with fedi admins & software developers

Our pitch, summarized, is a daemon that tells you if a sample is abuse or not.

Input: {
"ipAddress": "1.2.3.4",
"email": "foo@example.org",
"username": "foobar",
"rateLimit": "registration"
}

Output: (see next in thread)

jssfr,

@drewdevault Have you seen https://github.com/PowerDNS/weakforced ? It looks roughly related.

jssfr, to random

Don't pull the circuit breaker of your NAS while it's doing things.

I've never seen a filesystem that messed up—and I did live through the "fedora corrupts badly during hibernate/resume" in the 2010s.

At this rate, it looks as if I lost critical repository metadata of a bunch of less important repositories. The more important one at least is able to start a borg check, so I'm hopeful it won't be a total loss.

Non-backup data seems to be unaffected as the only workload running at the time was backup jobs, luckily. And I still have the offsite backups, so there is that.

jssfr, to random

https://www.postfix.org/smtp-smuggling.html

"SMTP Smuggling" vulnerability in Postfix allows spoofing senders even in the presence of some DMARC checks. Configuration workarounds exist.

Also, a wholehearted f* you to SEC Consult, who sat on this since June and disclosed it to some closed-source vendors and MSPs, but could apparently not be bothered to give e.g. Postfix a heads-up, publishing this close to the holidays.

Boosts for awareness welcome.

jssfr,

@outofcontrol As it happens, I'm looking through ISO 27001 documents at $dayjob for other reasons, and those mainly deal with the security of your own company/platform. AFAIK there are no obligations there regarding responsible disclosure of other people's security issues.

jssfr,

Thanks for all the boosts. I'd like to clarify that I'm not involved in finding or processing this vulnerability—I saw a toot about it in my timeline, in German, and wanted to spread this to the international audience.

I'm grateful for y'all helping in getting the word out, and I'm also glad that there's no algorithm on the Fedi which would likely make me profit off the attention in some way (which would feel wrong).

I wish you all a pleasant holiday and that this, after CVE-2023-48795, is the worst that's coming and that we're not up for a second log4j.

lcamtuf, (edited) to random

deleted_by_author

  • jssfr,

    @lcamtuf
    This morning's 2FA edition: "something the cat played under the radiator over night, only to be found after 20 minutes of frantic search"

    b0rk, (edited) to random
    @b0rk@jvns.ca

    if you're an infrequent command line user -- what text editor do you use if you need to occasionally edit a file on the command line (other than vim/emacs)?

    curious about what people use to edit a git commit message etc

    if you picked 'other', I'd love to hear what you do in the replies!

    jssfr,

    @b0rk
    "I use vim and am not suffering, but also not comfortable (sometimes weird stuff happens and I do not know why, but I know how to back out of that oftentimes)"
    @ge0rg

    jabberati, to random
    @jabberati@social.anoxinon.de

    deleted_by_author

  • jssfr, (edited)

    @jabberati @debacle @colincogle
    Many DNS providers besides clownflare support that. My main domains are currently split between https://inwx.de and https://gandi.net (though I don't really recommend Gandi currently before I see how that takeover pans out), both of which expose some kind of API I never tried to interact with, but I'm also using https://desec.io / https://dedyn.io in particular for "dynamic" DNS stuff.

    IIRC, the latter integrated nicely with the FRITZ!Box when I tried that, but don't pin me on that.

    jssfr,

    @colincogle @jabberati @aslmx @debacle IIRC, inwx does not allow you to use them just as external nameservers. https://desec.io would be the way to go then.

    ge0rg, (edited) to random
    @ge0rg@chaos.social

    Detailed and credible looking report of on an server hosted at in Germany: https://notes.valdikss.org.ru/jabber.ru-mitm/

    Looks like a transparent bridge was deployed in front of the actual server, obtained dedicated certificates from and MitMed all incoming client connections since July. It was discovered because the LE certificate expired 🤦

    jssfr,

    @ge0rg
    Also their OS images (at least used to) come with the ru_RU locale preinstalled :D

    (that once confused the heck out of me when I audited a box of mine)
    @ulfi

    drewdevault, to random
    @drewdevault@fosstodon.org

    Fucking Mastodon DDoS, I should just black-hole mastodon user-agents

    jssfr,

    @dusnm @drewdevault The second issue linked in the commit message has a bunch of sensible suggestions for that: https://github.com/mastodon/mastodon/issues/23662

    mattblaze, to random
    @mattblaze@federate.social

    Reminder about Mastodon "private" messages. Aside from not being end-end-encrypted (and so visible to instance administrators), they CC anyone @-mentioned ANYWHERE in the body of the message (not just those listed at the start).

    They are now called "private mentions" rather than "private messages", but if you don't fully understand the semantics, this behavior may be unexpected and/or cause unpleasant side effects.

    jssfr,

    @mattblaze
    I was aware of the first part (unencrypted) and it fits my expectations of a public social media app.

    The second part (mentions anywhere cause a CC) I was not aware of and you might have prevented some embarrassment in the future. So thanks for that.

    lcamtuf, to random

    deleted_by_author

  • jssfr,

    @lcamtuf Yay! Also thanks to @ge0rg (and some other folks not on the fediverse) for some additional proof reading!

    jssfr, to random

    Good UX needs to break through layers of abstraction.

    Change my mind.

    aeva, (edited) to random
    @aeva@mastodon.gamedev.place

    Do you have a lucky USB port on your computer?

    jssfr,

    @aeva Pro tip: Don't use those shaped like a rectangle with a smaller rectangle on top. They don't work, even though USB-A plugs fit right into them.

    (Image credit: https://commons.wikimedia.org/wiki/File:Rj_45.png )

    jssfr, to linux

    So recently I was faced with the task of making sure that a block device is truly safe to remove.

    How does one actually do that?

    Enumerating all uses of block devices seems to be rather tricky. Things which are not obvious to find:

    • device mapper use (lvm, mdraid, luks)
    • mounts in mount namespaces which are not the root namespace (grep /proc/*/mounts)
    • mounts in mount namespaces which are not the root namespace and which have no process running (kept alive via an fd to the formerly existing /proc/*/ns/mnt). I have no clue how to find those.

    Any other things I missed or suggestions how to find the last ones (mount namespaces which are kept alive via an fd)?

    Boosts, as well as replies with guides or the like, are very much welcome.

    (Yes, I am aware that all those methods are inherently faced with race conditions; if you happen to know a way which allows me to "detach" a block device (nbd, rbd, sdX) without race conditions, I'd be very interested in that too.)
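One way to enumerate the first two kinds of use listed above, as an added Python example that is not code from the original post: it follows the sysfs `holders` links to find device-mapper/md devices stacked on a disk, then scans every mount namespace that still has a process (deduplicated via `/proc/<pid>/ns/mnt`) and matches mounts by major:minor from `/proc/<pid>/mountinfo`. The third case, namespaces kept alive only by an fd, stays invisible to this approach, as the post says; the sample mountinfo lines are constructed and the sysfs/proc paths are parameters so the parser can be exercised offline.

```python
import os
from pathlib import Path

SAMPLE_MOUNTINFO = (  # constructed /proc/<pid>/mountinfo lines, not captured from a real host
    "25 1 8:17 / /mnt/data rw,relatime shared:1 - ext4 /dev/sdb1 rw\n"
    "26 25 253:0 / /mnt/vault rw,relatime shared:2 - ext4 /dev/mapper/vault rw\n"
)

def mounted_majmin(mountinfo_text):
    """Map 'major:minor' (field 3) -> mount points (field 5), independent of the /dev name used."""
    mounts = {}
    for fields in (line.split() for line in mountinfo_text.splitlines()):
        if len(fields) >= 5:
            mounts.setdefault(fields[2], []).append(fields[4])
    return mounts

def block_tree(dev, sysfs="/sys/class/block"):
    """dev, its partitions, and everything stacked on them (dm-crypt, LVM, md) via sysfs."""
    seen, todo = [], [dev]
    while todo:
        d = todo.pop()
        if d not in seen:
            seen.append(d)
            base = os.path.join(sysfs, d)
            if os.path.isdir(base):  # unknown names (or a missing sysfs) are treated as leaves
                todo += [e for e in os.listdir(base) if e.startswith(d)]  # partitions: sdb1, nvme0n1p1
                todo += os.listdir(os.path.join(base, "holders"))  # devices stacked on top of d
    return seen

def live_mount_namespaces(proc="/proc"):
    """Yield (ns_id, mountinfo text) once per mount namespace with a live process; fd-only namespaces are missed."""
    seen = set()
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            ns = os.readlink(os.path.join(proc, pid, "ns", "mnt"))  # root needed for other users' pids
            if ns not in seen:
                seen.add(ns)
                yield ns, Path(proc, pid, "mountinfo").read_text()
        except OSError:
            continue  # process exited meanwhile or permission denied

def device_users(dev, sysfs="/sys/class/block", proc="/proc"):
    """{ns_id: [(device, mountpoint), ...]} for dev and the devices stacked on it."""
    numbers = {Path(sysfs, d, "dev").read_text().strip(): d for d in block_tree(dev, sysfs)}
    hits = {}
    for ns, text in live_mount_namespaces(proc):
        for mm, mountpoints in mounted_majmin(text).items():
            if mm in numbers:
                hits.setdefault(ns, []).extend((numbers[mm], mp) for mp in mountpoints)
    return hits
```

On a real host, `device_users("sdb")` run as root returns an empty dict only when no live mount namespace has the disk, one of its partitions or a device stacked on it mounted; open file descriptors on the raw device and swap are not covered.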

    tobonaut, to random

    I'm planning to write an article covering the @Codeberg platform.

    What would you say is the "main" reason to join it? Why do you not use GitHub or GitLab, and what are your thoughts about the future-proofness of such independent platforms?

    If you know any "hardcore" Codeberg user on Mastodon, please ping me!

    jssfr,

    @captainepoch
    This. All of this, really. (Replying nonetheless to add some "weight".)

    I started moving over some of my GitHub repositories last week and plan to move everything I care about eventually.

    @tobonaut @Codeberg

    aboxofsox, to internet

    I'm not sure if I buy the whole killed . I've seen several services, with large user bases, using xmpp, or some abstraction of the same protocol. I don't think the concerns are invalid, I just think there's a bit more to it.

    jssfr,

    @aboxofsox
    When I've recently seen people say something like "X killed ", it seems as if they were not talking about the protocol itself (which, as your screenshot from the XMPP Standards Foundation website shows, is quite thriving).

    What they mean is that they drained users from the federated network into their walled gardens and then closed off federation themselves (gtalk did that, whatsapp never federated in the first place afaik).

    It is important to remember that those corporations only do things which are profitable. Opening federation is not profitable on its own.
    @realcaseyrollins

    Codeberg, to random
    @Codeberg@social.anoxinon.de

    Hi folks, we are sorry, but this downtime could last a moment. It looks like one of our root SSDs failed. While the RAID seems to work, the performance has dropped to a level where the whole service is impacted, and even our shell on that server is near to unresponsive.

    jssfr,

    @Codeberg
    Good luck with the recovery! Your service is much appreciated.

    Codeberg, to opensource
    @Codeberg@social.anoxinon.de

    : Tell us about your favourite / projects that are not available on mainstream platforms, whether on a self-hosted cgit or available as an archive download only.

    The world is more than and .

    jssfr,

    @Codeberg
    https://hg.prosody.im @prosodyim even resists the mainstream by going with .
