HackerTrans
TopNewTrendsCommentsPastAskShowJobs

growse

3,174 karmajoined il y a 15 ans
@[email protected]

Submissions

Show HN: Aptmatic – a TUI for managing apt across a bunch of Debian boxes

crates.io
3 points·by growse·il y a 2 mois·0 comments

Screw You, Realtek

growse.com
4 points·by growse·il y a 2 mois·1 comments

comments

growse
·il y a 6 jours·discuss
> Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP.

I feel like we need the angry goose meme here.

"But why are those providers returning incorrect data?"
growse
·il y a 2 mois·discuss
> No one.

I thought everyone was "trying so hard to re-invent PGP".

> we do need a single key that can be used for all those things

We do? This is not obvious. Why does my disk encryption key need to be the same that I use to sign binaries that I release?
growse
·il y a 2 mois·discuss
Who's reinventing a tool that can do all that?
growse
·il y a 2 mois·discuss
> Everyone is trying so hard to re-invent PGP

Which bit of PGP?
growse
·il y a 3 mois·discuss
I don't know enough about either the technical nuance or the political drama, but some observers have noted that GnuPG's implementation is (deliberately?) incompatible with the IETF's standards. It's not clear why.

https://floss.social/@hko/116459621169318785
growse
·il y a 3 mois·discuss
Maybe your company's ISP is CGNat'ting you?
growse
·il y a 3 mois·discuss
A non-trivial minority of the time, they don't support IPv4 either!
growse
·il y a 4 mois·discuss
I do similar, but frame it in terms of dependencies.

The database can live without the web server, but the web server doesn't work without the database.

Therefore webserver ---> database.

Key thing in that these deployment / context / container diagrams don't have a temporal axis. If you want to represent a flow, then you want a diagram where time has directionality, like a sequence diagram.
growse
·il y a 4 mois·discuss
If I accidentally yank the power cable out of my load balancer, I can plug it back in and I'm back up and running.

If I cock up my DNSSEC config, nobody can resolve any records under my org's domain (goodbye internal email!) and you've got to twiddle your thumbs for a period of time waiting for various timeouts to pass (go ask Slack how it went for them).

These things are not the same.
growse
·il y a 4 mois·discuss
> As if DNS isn't a major contributing to A LOT of downtime. That doesn't mean it's not worth doing not investing in making deployment more seamless and less error prone.

Ah yes. Let's take something that's prone to causing service issues and strap more footguns to it.

It's not worth it, because the cost is extremely quantifiable and visible, whereas the benefits struggle to be coherent.
growse
·il y a 4 mois·discuss
That entire post is that you should enable DNSSEC because it's "more secure", and there are no reasons not to.

"More secure" begs the question "against what?", which the blog post doesn't seem to want to go into. Maybe it's secure from hidden tigers.

My favourite DNSSEC "lolwut" is about how people argue that it's something "NIST recommends", whilst at the same time the most recent major DNSSEC outage was......... time.nist.gov! (https://ianix.com/pub/dnssec-outages.html)
growse
·il y a 5 mois·discuss
If you're in (for example) a CI context and do a git checkout @tag, there's no guarantee that you'll get the same content as the last time you fetched that tag.

Tags are not immutable.
growse
·il y a 5 mois·discuss
> Why is entitlement to others labor the moral position, instead of the immoral position?

You seem to be mistaking me for someone arguing that anyone is entitled to others' labour?
growse
·il y a 5 mois·discuss
The social contract is found (and implicitly negotiated) in the interactions between humans, ie: society.
growse
·il y a 5 mois·discuss
It's a social contract, which for many people is a moral contract.
growse
·il y a 5 mois·discuss
> CABF started imposing restrictions on the public CA operators regarding the issuance of non-HTTPS certificates.

The restriction is on signing non web certificates with the same root/intermediate as is part of the WebPKI.

There's no rule (that I'm aware of?) that says the CAs can't have different signing roots for whatever use-case that are then trusted by people who need that use case.
growse
·il y a 5 mois·discuss
> [citation needed]

My citation is the membership of the CAB.

> IMHO "other relying-party software applications" can include XMPP servers (also perhaps SMTP, IMAP, FTPS, NNTP, etc).

This may be your opinion, but what's the representation of XMPP etc. software maintainers at the CAB?
growse
·il y a 5 mois·discuss
The CAB is only concerned with the WebPKI. This means HTTPS.

There's loads of non web, non HTTPS TLS use cases, it's just the CAB doesn't care about those (why should it?).
growse
·il y a 5 mois·discuss
> if we could of built it much closer to the WCML

Knocking down half the towns that the WCML runs through to build more tracks carrying trains that aren't going to stop there would be neither easier nor cheaper than HS2.
growse
·il y a 6 mois·discuss
> But you write it as if it's in contradiction with my point, which I'm not seeing.

My point was that a community is members + values + practices + other stuff. In the case where one member who wants to upend the values and practices of an existing community, "just fork it" is an entirely reasonable response.