Athas
Aug 6, 2007

fuck that joker
The shared machines at my university use a Windows fileserver (I think) to provide our home directories over NFS. That has really taught me the meaning of patience. If WSL is any similar, I would never put up with it.


pram
Jun 10, 2001
windows users jerking themselves off about the unprecedented innovation of linux running in a container

text editor
Jan 8, 2007
so there's a whole mess getting kicked up by the pfsense people right now because they paid some developer to write a kernel wireguard implementation for them and were trying to get it merged into FreeBSD, which came to a head when the founder of wireguard was asked to do a code review and found pfsense's patch to be bloated and exploit-filled, which caused pfsense's owner to have multiple petty meltdowns about it (blog post/archive)

but that's not what I wanted to post about yospos - i want to talk about the guy they decided to hire, who is like bsd's hans reiser:


https://www.theregister.com/2008/04/24/kip_macy_arrest/

https://abcnews.go.com/US/exclusive-landlord-hell-defends-terrorizing-apartment-tenants/story?id=20875476


quote:

Kip Macy, 39, and his wife, Nicole Macy, also 39, were deemed "landlords of hell" by authorities for menacing the tenants of their San Francisco apartment building.

quote:

In what authorities called a 17-month lawless rampage, the couple burglarized apartments, sabotaged the building's structure, and even sawed up through a horrified tenant's apartment floor, according to district attorney George Gascon.

quote:

From September 2005 to December 2007, Kip and Nicole Macy tried to make their tenants leave by any means necessary according to the DA, including asking a city inspector what beams to cut to make their building deemed unfit to live in -- and then actually doing it.

quote:

"They used a power saw and tried to compromise the structure of the building so the floor would actually collapse," DA Gascon said.

quote:

The two also cut phone lines, shut off power, and boarded up the windows of occupied apartments. Kip and Nicole Macy even removed tenants' belongings from their apartments.

quote:

"I regret, you know, having moved the Mexicans' stuff into the hallway," Kip Macy said. "I don't see how that was burglary, or theft, since I neither stole their stuff."

quote:

Eventually he and Nicole Macy were arrested at Kip Macy's parents' house in 2008 and released on $500,000 bond, for which Kip Macy's parents drained much of their retirement savings to pay. His mother Marie even sold her jewelry to help finance their release. Once free, Kip and Nicole Macy jumped bail, fleeing to Italy, leaving Kip Macy's father and mother, potentially at a loss of half a million dollars.

git apologist
Jun 4, 2003

great now pfsense is tainted, thanks assholes. guess i’ll switch to a USG and go all unifi

git apologist
Jun 4, 2003

cool that he refers to his tenants as ‘the Mexicans’

in a well actually
Jan 26, 2011

dude, you gotta end it on the rhyme

Scott’s not the owner of pfsense, which makes his indignation a little harder to understand.

I’m just impressed how loving incompetent Kip had to be as a landlord to be actually charged with a landlord crime.

Nitrousoxide
May 30, 2011

do not buy a oneplus phone



Trying to set up a self-hosted Nextcloud with an OnlyOffice document server to build a Google Docs-like online document service in Docker. Man, I'm having to learn a lot about how to config reverse proxies and ssl certs. I already hate nginx, but I imagine it's much better than older stuff.

It's not too bad when you can use the standard ports for SSL connections, but now I have two services. nextcloud was easy to set up, but nextcloud and onlyoffice are on the same IP, so they need to use different ports, which means one of them needs to port forward all of its ports, so I've gotta figure out what all I need to switch around.

Nitrousoxide fucked around with this message at 00:23 on Mar 18, 2021

sb hermit
Dec 13, 2016





Nitrousoxide posted:

Trying to set up a self-hosted Nextcloud with an OnlyOffice document server to build a Google Docs-like online document service in Docker. Man, I'm having to learn a lot about how to config reverse proxies and ssl certs. I already hate nginx, but I imagine it's much better than older stuff.

It's not too bad when you can use the standard ports for SSL connections, but now I have two services. nextcloud was easy to set up, but nextcloud and onlyoffice are on the same IP, so they need to use different ports, which means one of them needs to get all of its ports forwarded, so I've gotta figure out what all I need to switch around.

Can you use SNI to share the same public facing port between both services?

Nitrousoxide
May 30, 2011

do not buy a oneplus phone



sb hermit posted:

Can you use SNI to share the same public facing port between both services?

Hmm... Hadn't heard of SNI before, but that might do it. I'd have to figure out how to set that up, but it'd probably be a good idea to future-proof it in case I need more https connections in the future.

spankmeister
Jun 15, 2008






Nitrousoxide posted:

Trying to set up a self-hosted Nextcloud with an OnlyOffice document server to build a Google Docs-like online document service in Docker. Man, I'm having to learn a lot about how to config reverse proxies and ssl certs. I already hate nginx, but I imagine it's much better than older stuff.

It's not too bad when you can use the standard ports for SSL connections, but now I have two services. nextcloud was easy to set up, but nextcloud and onlyoffice are on the same IP, so they need to use different ports, which means one of them needs to port forward all of its ports, so I've gotta figure out what all I need to switch around.

If you're using docker why are those running on the same container? This is what the nginx reverse proxy is for.

Nitrousoxide
May 30, 2011

do not buy a oneplus phone



spankmeister posted:

If you're using docker why are those running on the same container? This is what the nginx reverse proxy is for.

They are running in different containers? I only create stacks for things and their dependencies. Like a stack with OnlyOffice + LetsEncrypt (now Swag). OnlyOffice includes the nginx proxy server in its docker image already so I really don't need that part of LetsEncrypt, but I also don't want to have to deal with the hassle of self-signing new keys every year so I want Swag to handle that for me.

NextCloud is running in an entirely different container, but it's still on the same IP as OnlyOffice since it's physically located on the same machine.

spankmeister
Jun 15, 2008






Ditch the nginx proxy and swag for the onlyoffice, just run it on port 80. Do the same for nextcloud. Make a third container that has nginx and swag that handles all TLS and renewal stuff and reverse proxies to the two containers. You can achieve this with virtual hosts on nginx easily, or you can make it so that it runs on the same domain but in separate URLs.
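The SNI question a few posts up and the "third container that terminates TLS" layout described here are the same nginx configuration: one front end listens on 443, picks the `server` block by the hostname the client sends in the TLS ClientHello (SNI), and forwards plain HTTP to each app over the internal Docker network. The config below is an added example, not from this thread, Nextcloud, OnlyOffice or Swag; the hostnames `cloud.example.com` and `office.example.com`, the upstream container names `nextcloud` and `onlyoffice`, and the certificate paths under `/etc/nginx/certs/` are all placeholders to be replaced with your own.

```nginx
# Added example: one nginx container terminating TLS for two apps on a single IP:443.
# nginx selects the server block from the SNI hostname, so both services share port 443
# and neither app needs its own published port or its own certificate handling.
# Hostnames, upstream names and certificate paths are assumptions for illustration.

# Plaintext side only redirects; nothing is served over HTTP externally.
server {
    listen 80;
    server_name cloud.example.com office.example.com;
    return 301 https://$host$request_uri;
}

# Virtual host 1: Nextcloud, chosen when the client asks for cloud.example.com.
server {
    listen 443 ssl http2;
    server_name cloud.example.com;

    ssl_certificate     /etc/nginx/certs/cloud.example.com/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/cloud.example.com/privkey.pem;     # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;                                    # no legacy TLS

    client_max_body_size 0;   # large uploads; let the app enforce its own limits

    location / {
        proxy_pass http://nextcloud:80;   # plain HTTP, reachable only on the Docker network
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Virtual host 2: OnlyOffice, chosen when the client asks for office.example.com.
server {
    listen 443 ssl http2;
    server_name office.example.com;

    ssl_certificate     /etc/nginx/certs/office.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/nginx/certs/office.example.com/privkey.pem;    # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://onlyoffice:80;
        # Collaborative editors keep long-lived WebSocket connections open;
        # these two headers let the upgrade pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout only the proxy container publishes ports 80 and 443; the two app containers expose nothing to the host, so the only path to them is through the TLS-terminating front end. Because the apps now see plain HTTP from the proxy, they have to be told they sit behind one, or they will generate `http://` links and log the proxy's address as the client: in Nextcloud that is the `trusted_proxies` and `overwriteprotocol` settings in `config.php`. Adding a third service later is one more `server` block and one more certificate, which is the future-proofing the SNI question was getting at.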

Shaggar
Apr 26, 2006

Athas posted:

The shared machines at my university use a Windows fileserver (I think) to provide our home directories over NFS. That has really taught me the meaning of patience. If WSL is any similar, I would never put up with it.

nfs is garbage

hobbesmaster
Jan 28, 2008

text editor posted:

so there's a whole mess getting kicked up by the pfsense people right now because they paid some developer to write a kernel wireguard implementation for them and were trying to get it merged into FreeBSD, which came to a head when the founder of wireguard was asked to do a code review and found pfsense's patch to be bloated and exploit-filled, which caused pfsense's owner to have multiple petty meltdowns about it (blog post/archive)


there’s some good stuff here though!

quote:

In particular, the code was not working well in FreeBSD’s “jail” container environment. We take all bug reports seriously, but we also prioritize them. Since jails are not a normal use-case for pfSense, we deferred the problem for the release.

quote:

We are taking the public discussion from the past week about Wireguard and FreeBSD very seriously. The uncoordinated publication caught us off-guard, which is unfortunate and not the norm in the security community. However, every issue that has been disclosed to us is being investigated and evaluated. – Right now, we have not found any issues that would result in a remote or unprivileged vulnerability for pfSense users who are running Wireguard. – We’ve identified several low-risk issues that are unlikely to be exploitable, except by an attacker who has already compromised the admin permissions of the system. Also, the use of Jumbo Frames appears to be problematic, but this is not a typical use case for most networks and most users. Again, we take these seriously, we are developing and testing fixes right now, and we will disclose our findings as soon as possible.

uh you wanted to merge this into a mainline?

idk, maybe the standards for FreeBSD are lower or something

sb hermit
Dec 13, 2016





hobbesmaster posted:

there’s some good stuff here though!



uh you wanted to merge this into a mainline?

idk, maybe the standards for FreeBSD are lower or something

https://arstechnica.com/gadgets/2021/03/in-kernel-wireguard-is-on-its-way-to-freebsd-and-the-pfsense-router/

The founder of wireguard looked at it and saw that it was really terrible. They went to talk to some freebsd core developers to do a proper port of wireguard to freebsd.

C development is hard. But when a company develops its own software, they can set their own standards. The beauty of open source, on the other hand, lets other people see their standards and then everyone understands what a POS their product is.

epitaph
Dec 31, 2008
scott long is a character. there was a bunch of drama surrounding his exit (in 2005) as a core contributor to freebsd if I recall correctly.

text editor
Jan 8, 2007

sb hermit posted:

https://arstechnica.com/gadgets/2021/03/in-kernel-wireguard-is-on-its-way-to-freebsd-and-the-pfsense-router/

The founder of wireguard looked at it and saw that it was really terrible. They went to talk to some freebsd core developers to do a proper port of wireguard to freebsd.

C development is hard. But when a company develops its own software, they can set their own standards. The beauty of open source, on the other hand, lets other people see their standards and then everyone understands what a POS their product is.

I feel this is understating it even

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html

sleeps to address race conditions and validation code that just returns true anyways, lol
pre:
There were random sleeps added to “fix” race conditions, validation
functions that just returned true, catastrophic cryptographic
vulnerabilities, whole parts of the protocol unimplemented, kernel
panics, security bypasses, overflows, random printf statements deep in
crypto code, the most spectacular buffer overflows, and the whole litany
of awful things that go wrong when people aren’t careful when they write
C.
hauled in 40k lines of Linux compat crypto libs when wireguard deliberately only uses a handful of primitives like curve25519
pre:
One curious thing of note is that there were 40,000 lines of optimized
crypto implementations pulled out of the Linux kernel compat module but
not really wired up correctly, and mangled beyond repair with mazes of
Linux→FreeBSD ifdefs. I wound up replacing this with an 1,800 line file,
crypto.c [1], containing all of the cryptographic primitives needed to
implement WireGuard.
pre:
We reduced the project structure down to four C files – the
aforementioned crypto.c, two files copied verbatim from OpenBSD –
wg_noise.c and wg_cookie.c – and if_wg.c

BobHoward
Feb 13, 2012

The only thing white people deserve is a bullet to their empty skull

epitaph posted:

scott long is a character. there was a bunch of drama surrounding his exit (in 2005) as a core contributor to freebsd if I recall correctly.

it sounds like scott long was only hired by netgate/pfsense quite recently, but he does seem like a match with their corporate philosophy

git apologist
Jun 4, 2003

BobHoward posted:

it sounds like scott long was only hired by netgate/pfsense quite recently, but he does seem like a match with their corporate philosophy

ffs :ughh:

git apologist
Jun 4, 2003

text editor posted:

I feel this is understating it even

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html

sleeps to address race conditions and validation code that just returns true anyways, lol
pre:
There were random sleeps added to “fix” race conditions, validation
functions that just returned true, catastrophic cryptographic
vulnerabilities, whole parts of the protocol unimplemented, kernel
panics, security bypasses, overflows, random printf statements deep in
crypto code, the most spectacular buffer overflows, and the whole litany
of awful things that go wrong when people aren’t careful when they write
C.
hauled in 40k lines of Linux compat crypto libs when wireguard deliberately only uses a handful of primitives like curve25519
pre:
One curious thing of note is that there were 40,000 lines of optimized
crypto implementations pulled out of the Linux kernel compat module but
not really wired up correctly, and mangled beyond repair with mazes of
Linux→FreeBSD ifdefs. I wound up replacing this with an 1,800 line file,
crypto.c [1], containing all of the cryptographic primitives needed to
implement WireGuard.
pre:
We reduced the project structure down to four C files – the
aforementioned crypto.c, two files copied verbatim from OpenBSD –
wg_noise.c and wg_cookie.c – and if_wg.c

:stare:

FlapYoJacks
Feb 12, 2009
be right back gonna take huge chunks of the Linux kernel, add a bunch of ifdef switches, put no effort into integrating the code into the new system, dump the giant steaming pile into the hands of the community for review, and then complain that they don’t like what I did.

RocketLunatic
May 6, 2005
i love lamp.

DoomTrainPhD posted:

be right back gonna take huge chunks of the Linux kernel, add a bunch of ifdef switches, put no effort into integrating the code into the new system, dump the giant steaming pile into the hands of the community for review, and then complain that they don’t like what I did.

This is SUPPOSED to be a collaborative effort. Many hands make light work!

But I do wonder how much Linux related code out there is much better...

Cybernetic Vermin
Apr 18, 2005

even if it had turned out perfectly, it honestly is pretty disturbing to me that we're here in 2021 and, needing some extremely security-sensitive software, the decision was to just contract some guy to copy/paste together a bunch of c.

unsurprising but disturbing.

namlosh
Feb 11, 2014

I name this haircut "The Sad Rhino".
this may be preaching to the choir, but I recently put WireGuard on a pi, opened up a port, and that poo poo works... like really well. I hope they don’t mess it up

Sapozhnik
Jan 2, 2005

Nap Ghost
It always seemed a bit iffy to me to hardcode a cipher suite the way Wireguard and Sodium do. Digests seem to get cycled out every decade or so and even ciphers like RC4 have gradually been weakened to the point of being considered unsafe.

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy
That's part of the design: if the ciphers get deprecated, then they will release wireguard 2.0, which would not be backwards compatible with version 1. It makes a lot more sense than openvpn/openssl, which can be configured a 1000 different ways, and like 4 of them are secure.

Upgrade to the new version vs consult this compatibility matrix.

hbag
Feb 13, 2021

namlosh posted:

this may be preaching to the choir, but I recently put WireGuard on a pi, opened up a port, and that poo poo works... like really well. I hope they don’t mess it up

your avatar makes my laptop's screen dim itself and then brighten itself over and over
not related to your post just thought id mention it

but yea i use wireguard with mullvad on the pi i use as a seedbox, very nice

Cybernetic Vermin
Apr 18, 2005

Perplx posted:

That's part of the design: if the ciphers get deprecated, then they will release wireguard 2.0, which would not be backwards compatible with version 1. It makes a lot more sense than openvpn/openssl, which can be configured a 1000 different ways, and like 4 of them are secure.

Upgrade to the new version vs consult this compatibility matrix.

and that is kind of the question mark for the future, whether in 15 years everyone will be using an equally clean wireguard 3.1, or if we're all on gnu/pipewarden 1.1 since it supports every version of wireguard (and configurably another billion variants) since it doesn't break this or that.

sb hermit
Dec 13, 2016





the rfcs on ike protocol negotiation are insane

the worst is that there are no error reporting standards, so trying to figure out why different implementations (like windows and a vpn appliance, or macos and strongswan) won't talk to each other is consistently a nightmare of trying to decode arcane errors or (more commonly) falling back to a known working set of protocols and bumping security up from there.

Sapozhnik
Jan 2, 2005

Nap Ghost

Cybernetic Vermin posted:

and that is kind of the question mark for the future, whether in 15 years everyone will be using an equally clean wireguard 3.1, or if we're all on gnu/pipewarden 1.1 since it supports every version of wireguard (and configurably another billion variants) since it doesn't break this or that.

more likely it'll be in a bunch of cisco poo poo and oh i'm terribly sorry sir, you'll need to purchase a software and hardware upgrade and new support plan for wireguard Two Point Oh!! support, let me put you in touch with a local salesprick right away

so yeah what will actually happen is the insecure variant will hang around in wide use for 15 years after it gets cracked

Cybernetic Vermin
Apr 18, 2005

Sapozhnik posted:

more likely it'll be in a bunch of cisco poo poo and oh i'm terribly sorry sir, you'll need to purchase a software and hardware upgrade and new support plan for wireguard Two Point Oh!! support, let me put you in touch with a local salesprick right away

so yeah what will actually happen is the insecure variant will hang around in wide use for 15 years after it gets cracked

yeah, i think we're describing the same scenario, with you describing a likely "this or that" threatening to break, where i described how that outcome would work out in like rhel.

epitaph
Dec 31, 2008

Perplx posted:

That's part of the design: if the ciphers get deprecated, then they will release wireguard 2.0, which would not be backwards compatible with version 1. It makes a lot more sense than openvpn/openssl, which can be configured a 1000 different ways, and like 4 of them are secure.

this is the only way to design software with important security/performance/reliability invariants. the gentoo packaging kerfuffle a few weeks back really upset me in this regard. yes, you can compile on your obscure arch, but that doesn't mean the assumptions made about compiler output/instruction timing/etc will hold, which are crucial to upholding intended guarantees.

all abstractions are lies and portability is mostly a waste of time in the realm of security/system software.

Tankakern
Jul 25, 2007

are you thinking about the pyca/cryptography thing where they started using rust?

epitaph
Dec 31, 2008

Tankakern posted:

are you thinking about the pyca/cryptography thing where they started using rust?

yeah, should have clarified

sb hermit
Dec 13, 2016





https://m.soundcloud.com/nasa/sounds-of-perseverance-mars-rover-driving-sol-16-90-second-highlights

I want whatever linux distribution that NASA runs that can get microphones to work because pulseaudio is poo poo

it has gotten better but the ui still blows

namlosh
Feb 11, 2014

I name this haircut "The Sad Rhino".

hbag posted:

your avatar makes my laptop's screen dim itself and then brighten itself over and over
not related to your post just thought id mention it

but yea i use wireguard with mullvad on the pi i use as a seedbox, very nice

Jira closed...
as designed

mawarannahr
May 21, 2019

from the Arch Linux Facebook Community

matti
Mar 31, 2019

if i were to compile some software and wanted to keep updated when there was a new release or a bugfix, how would i do it?

a lot of software only has a single mailing list, with help-type questions intermixed with release announcements

basically what i'm asking is, how do repo maintainers keep on top of all of this?

spankmeister
Jun 15, 2008






Each package has a maintainer that keeps up to date on whatever channel there is for that particular piece of software.


matti
Mar 31, 2019

yeah, you know, stupid of me

imagining there would be a better way than manually curating my electronic mail inbox
