HackerTrans
TopNewTrendsCommentsPastAskShowJobs

waych

no profile record

comments

waych
·29 dagen geleden·discuss
People don't usually understand that apt allows you to configure multiple sources across versions simultaneously, so you can e.g. run stable, but also selectively install from backports or unstable.

To do so, add the sources for trixie-backports and unstable, and add the following configuration (e.g. /etc/apt/preferences.d/trixie-sid-pin) so that the system knows which sources your prefer:

   # Default to trixie
   Package: *
   Pin: release n=trixie
   Pin-Priority: 990
   
   # Very low priority for sid
   Package: *
   Pin: release n=unstable
   Pin-Priority: 100
   
   # Give backports medium priority
   Package: *
   Pin: release n=trixie-backports
   Pin-Priority: 500
Now the system can access the latest kernel from unstable (and backports), while keeping everything else on stable:

   # apt policy linux-image-amd64
   linux-image-amd64:
     Installed: 7.0.12-1
     Candidate: 7.0.12-2
     Version table:
        7.0.12-2 500
           500 http://deb.debian.org/debian unstable/main amd64 Packages
    *** 7.0.12-1 100
           100 /var/lib/dpkg/status
        7.0.10-1~bpo13+1 500
           500 http://deb.debian.org/debian trixie-backports/main amd64 Packages
        6.12.90-2 500
           500 http://security.debian.org/debian-security trixie-security/main amd64 Packages
        6.12.86-1 990
           990 http://deb.debian.org/debian trixie/main amd64 Packages
I believe the kernel in backports gets updated only after it is live in unstable for at least a week, which lately still feels like forever.
waych
·2 maanden geleden·discuss
20 years ago, Google made a big deal about how they would do the right thing when "the the" was searched.

Oh how things have progressed.
waych
·2 maanden geleden·discuss
Live patching production kernels makes sense when there is an imminent threat/timeline and rebooting is throttled due to underlying throttling mechanisms that are guarding the health of distributed systems running a-top the systems. Here's a real example I am familiar with:

Consider a hyper-converged cluster with many nodes serving distributed block storage, say at N=3 replication. This can tolerate exactly one N=1 node of outage for the reboot. It would seem preferable to drain the nodes in a way that allows for more parallelism in the per-node kernel-reboot process, but draining is expensive and its cheaper to reboot and hope the data comes back to the pool within some period of time after the reboot. This gets worse linearly as the cluster grows.

A non-trivial size cluster facing this can have a reboot rollout easily stretch from hours into days and even weeks. It is further made slower when the roll-out itself is repeatedly paused when any other production issue is detected, or some other in-cluster event is happening and distributed storage health is degraded or unavailable. If a single (additional) node goes out during the reboot roll-out, data goes unavailable and storage must wait and heal. It also simply takes time for the cluster to reconcile when the storage eventually comes back from reboot to make sure it is all still there.

If your systems are large enough, things will go so slow that things fall into the trap where the target release changes mid-deployment: to benefit from everything learned in the last many days or weeks, security, performance, crashes, whatever! There is benefit because the fixes you cared about most got onto a portion of the cluster sooner than later. There is also penalty, as this resets the time it takes to deploy, elongating the perceived end-to-end deployment time. This negatively affects OKRs and similarly displaces the release of anything that was queued for upcoming releases.

So yeah, live patching is great to get priority fixes out in a matter of minutes or hours. I also think it is the best tool to get oneself out of this rollout-reset trap and onto the next release sooner. Faster than rollback or rollover.
waych
·2 maanden geleden·discuss
In the real world, leaving booby traps out that can harm others including the innocent are a liability and regularly a crime in itself.

I wonder how long these sorts of games will play before the law applies itself.
waych
·9 maanden geleden·discuss
FWIW git-branchless, an extension to git, addresses many of these points without leaving git.
waych
·vorig jaar·discuss
If the fines were existential threats, who would even want to do business in these countries?