HackerTrans
TopNewTrendsCommentsPastAskShowJobs

windlep

no profile record

comments

windlep
·tahun lalu·discuss
I've looked over the code, and some things seem a little odd to me.

The article starts by mentioning how insecure the browser is, apparently even cookies aren't secure. But then the API to talk to the BFF uses.... a server-side session tracked via a client cookie. If the BFF is holding the oauth credentials, then someone could steal the client cookie to make requests to the BFF to do whatever it can do.

It's not impossible to secure the browser from having credentials stolen from inside it, but it can be tricky to ensure that when the browser sends the credential in the request it doesn't leak somehow.

There's some irony as OAuth has DPoP now which can reduce the usefulness of stolen in-flight credentials but that can't be used in this BFF setup because the browser client needs the private key to sign the requests.

Properly securing the browser content on a login page, or the subdomain handling authentication credentials is definitely a challenge, and many don't like having to eliminate/audit any 3rd party JS they include on the page. I can see the appeal of a solution like this, but the trade-off isn't great.
windlep
·tahun lalu·discuss
Self-hosted FreshRSS, NetNewsWire on Mac, Fluent reader on linux/windows/ios. Any reader compatible with Google Reader API works with FreshRSS, and Fluent was the nicest UI I've seen (hasn't been updated recently, but I don't need new features).
windlep
·2 tahun yang lalu·discuss
I was able to make a uWebsockets adapter for NestJS pretty easily. It's a bit sensitive of a library to integrate though, a single write when the connection is gone and you get a segfault, which means a lot of checking before writing if you've yielded since you last checked. This was a few years ago, perhaps they fixed that.
windlep
·2 tahun yang lalu·discuss
I was under the impression that the underlying net/http library uses a new goroutine for every connection, so each websocket gets its own goroutine. Or is there somewhere else you were expecting goroutines in addition to the one per connection?
windlep
·2 tahun yang lalu·discuss
That's just an arms race. The kid will find a new favorite website to play games on, there seems no end to them. There's endless websites out there that are more appealing than doing homework. I have a very locked down network, there's always some new website that has games of some sort to play.

If schools are going to provide these things, they should have the sites the kids might need to access white-listed and block everything else. Telling parents to try and block things is not realistic.
windlep
·2 tahun yang lalu·discuss
Yes, that was kind of my point. Self-hosted negates the need, but most can't self host.... so that leaves end-to-end encryption the best intermediate step.
windlep
·2 tahun yang lalu·discuss
I self-host Immich and its definitely my favorite web photo system. One thing with Ente that aligns more with Mozilla's approach to data however is end-to-end encryption, which Ente has, but Immich doesn't. So I can see why Mozilla funded this option instead.

I personally wish that self-hosting was a more reliable and simplified process for the average person such that simpler and more powerful software like Immich was the best choice for all.
windlep
·2 tahun yang lalu·discuss
Yep, some of the nicest docs for a language I've seen.
windlep
·2 tahun yang lalu·discuss
The mix package manger for Elixir has a release option which compiles and bundles everything to a single binary. It appears possible to use Gleam libraries/code with mix, which should allow one to compile it all down to a single binary as well (though I haven't attempted this myself).
windlep
·2 tahun yang lalu·discuss
Definitely, while I have volsync backing it up, and the PV is replicated for local availability.... still annoying.
windlep
·2 tahun yang lalu·discuss
I've been self-hosting a lot of things on a home kubernetes cluster lately, though via gitops using flux (apparently this genre is now home-ops?). I was kind of expecting this article to be along those lines, using the fairly popular gitops starting template cluster-template: https://github.com/onedr0p/cluster-template

I set one of these up on a few cheap odroid-h4's, and have quite enjoyed having a fairly automated (though quite complex of course) setup, that has centralized logging, metrics, dashboards, backup, etc. by copying/adapting other people's setups.

Instead of weechat, I went with a nice web based irc client (the lounge) to replace my irccloud subscription. kubesearch makes it easy to find other people's configs to learn from (https://kubesearch.dev/hr/ghcr.io-bjw-s-helm-app-template-th...).
windlep
·2 tahun yang lalu·discuss
The patents page (https://www.google.com/patents/opnpledge/patents/) does not include the macaroon patent. Maybe they forgot to update it?
windlep
·2 tahun yang lalu·discuss
That was what the authors claimed when I asked them about the macaroon patent. It'd be nice if Google had a legal document associated with patents they never plan to enforce, or the constraints around when they might enforce them (e.g. only against patent trolls) that a company could rely on.
windlep
·2 tahun yang lalu·discuss
I remember when I saw a presentation by the macaroon authors a few years back, there were pending patents that Google filed around them. While the authors claimed Google wouldn't sue anyone, I'm always a bit skeptical about such claims. I thought macaroons would be helpful for some of my use-cases, but since I now knew there were patents that'd be wilful infringement so I didn't bother.

I can't find the patents now, so perhaps they were rejected or withdrawn. I had assumed that was why macaroons hadn't caught on more widely.

Edit: Found the patent: https://patents.google.com/patent/US9397990B1/