Cake day: June 9th, 2024








  • good idea to run restic as root

    As a general rule, run absolutely nothing as root unless there’s absolutely no other way to do what you’re trying to do. And, frankly, there’s maybe a dozen things that must be root, at most.

    One of the biggest hardening things you can do for yourself is to always, always run everything as the lowest privilege level you can to accomplish what you need.

    If all your data is owned by a user, run the backup tool as that user.

    If it’s owned by several non-privileged users, then you want to make sure that the group permissions let you access it.

    As a related note, this also applies to containers and software you’re running: you shouldn’t run docker containers as root unless they specifically MUST have a permission that only root has, and I personally don’t run internet facing ones as the same user as all the others: if something gets popped, then they not only do not have root permissions, but they’re also siloed into their own data in the event of a container escape.

    My expectation is that, at some point, I’ll miss a CVE and get pwnt, so the goal is to reduce how much damage someone can do when that happens, rather than assume I’m going to be able to keep it from happening at all, so everything is focused on ‘once this is compromised, how can I make the compromise useless to the attacker’.
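The group-permission check from the comment above, as an added example that is not the commenter's code: it lists every path under a backup source that a dedicated backup group could not read through group permissions, so the backup tool can run as an unprivileged member of that group. The function name `backup_access_gaps` and the idea of a dedicated group are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report paths a backup group cannot read via group permissions.
# backup_access_gaps is a hypothetical helper, not part of restic.
# Only the group permission class is checked; "other" bits and ACLs are ignored,
# so a "wrong-group" hit means "review this", not necessarily "unreadable".

backup_access_gaps() {
    dir=$1
    group=$2   # group name or numeric GID the backup user belongs to
    {
        # Owned by some other group: the group bits do not apply to the backup user.
        find "$dir" ! -group "$group" \
            -exec printf 'wrong-group\t%s\n' {} +
        # Right group, but the group read bit (040) is missing.
        find "$dir" -group "$group" ! -perm -040 \
            -exec printf 'no-group-read\t%s\n' {} +
        # Directory with group read but no group search bit (010):
        # its names can be listed, but nothing inside can be opened.
        find "$dir" -type d -group "$group" -perm -040 ! -perm -010 \
            -exec printf 'no-group-search\t%s\n' {} +
    } | sort
}

# Stand-alone use: ./script.sh /path/to/data groupname
# Empty output means the tree is fully readable through the group bits.
if [ "$#" -eq 2 ]; then
    backup_access_gaps "$1" "$2"
fi
```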


  • Unifi Gateway Ultra

    How have you liked the gateway? Any stupid decisions that have annoyed?

    My USG has decided that, after a decade, it’s going to be flaky and crash if it wants to (even after replacing its 4th dead PSU and 2nd USB stick) and I’m thinking it’s probably time to upgrade.

    I’ll admit to both liking the Unifi ecosystem and firmly not trusting the Unifi ecosystem one damn bit, which is a bit of a weird situation where I’ve been really really unwilling to upgrade anything because that hasn’t always gone uh, smoothly.





  • And it doesn’t mean they can take away anything.

    Not if they’re able to monetize your small bugfix

    The problem is they can, and that’s not the point - I don’t care if you make money with something I spent my time on willingly, I care that you’re forcing me to say you’re the full and sole owner of my contributions and can do whatever you want at any point in the future with them.

    Signing a CLA puts the full ownership of the code in the hands of whomever you’ve signed the CLA with which means they have the full ability and legal right to do any damn thing they want, which often includes telling you to fuck yourself, changing the license, and running off to make a commercial product while both killing the AGPLed version, and fucking everyone who spent any time on it.

    If you have a CLA, I don’t care if your project gives out free handjobs: I don’t want it anywhere near anything I’m going to either be using or have to maintain.

    And sure you can fork from before the license change, but I’m unwilling to put a major piece of software into my workflows and hope that, if something happens, someone will come along and continue working on it.

    Frankly, I’m of the opinion that if you’re setting up a project and make the very, very involved decision to go with a CLA and spend the time implementing one, you’re spending that time because you’ve already determined it’s probably in your interests later to do a rugpull. If you’re not going to screw everyone, you don’t go to the store and buy a gallon of baby oil.

    I’ve turned into the person who doesn’t really care about new shit until it’s been around a decade, has no CLAs, and is under a standard GPL/AGPL license (none of this source-available business license nonsense), and has a proven track record of the developers not being shitheads.


  • Quickest peak and then utter vanishing of any interest in a project I’ve had in a while.

    Wouldn’t mind something a little more open than SearXNG in that it owns its own database, but requiring that they be the sole owner of anything anyone contributes AND having the ability to yank the rug at any time they feel like it pretty much puts it in the meh-who-cares category.

    Had enough stupid shit yanked over the past few years that I really just don’t care or have time to deal with any that is already prepping for their eventual enshittification.



  • contrast to their desktop offerings

    That’s because server offerings are real money, which is why Intel isn’t fucking those up.

    AMD is in the same boat: they make pennies on client and gaming (including gpu), but dumptrucks of cash from selling Epycs.

    IMO, the Zen 5(%) and Arrow Lake bad-for-gaming results are because uarch development from Intel and AMD are entirely focused on the customers that pay them: datacenter and enterprise.

    Both of those CPU families clearly show that efficiency and a focus on extremely threaded workloads were the priorities, and what do you know, that’s enterprise workloads!

    end of the x86 era

    I think it’s less the era of x86 is ended and more the era of the x86 duopoly putting consumer/gaming workloads first has ended because, well, there’s just no money there relative to other things they could invest their time and design resources in.

    I also expect this to happen with GPUs: AMD has already given up, and Intel is absolutely going to do that as soon as they possibly can without it being a catastrophic self-inflicted wound (since they want an iGPU to use). nVidia has also clearly stopped giving a shit about gaming - gamers get a GPU a year or two after enterprise has cards based on the same chip, and now they charge $2000* for them - and they’re often crippled in firmware/software so that they won’t compete with the enterprise cards as well as legally not being allowed to use the drivers in a situation like that.

    ARM is probably the consumer future, but we’ll see who and with what: I desperately hope that nVidia and MediaTek end up competitive so we don’t end up in a Qualcomm oops-your-cpu-is-two-years-old-no-more-support-for-you hellscape, but well, nVidia has made ARM SOCs for like, decades, and at no point would I call any of the ones they’ve ever shipped high performance desktop replacements.

    * Yes, I know there’s a down-stack option that shows up later, but that’s also kinda the point: the ones you can afford will show up for you… eventually. Very much designed to push purchasers into the top end.

  • I mean, recovery from parity data is how all of this works, this just doesn’t require you to have a controller, use a specific filesystem, have matching sized drives or anything else. Recovery is mostly like any other raid option I’ve ever used.

    The only drawback is that the parity data is mostly equivalent in size to the actual data you’re making parity data of, and you need to keep a couple copies of indexes since if you lose the index or the parity data, no recovery for you.

    In my case, I didn’t care: I’m using the oldest drives I’ve got as the parity drives, and the newer, larger drives for the data.

    If I were doing the build now and not 5 years ago, I might pick a different solution but there’s something to be said for an option that’s dead simple (looking at you, zfs) and likely to be reliable because it’s not doing anything fancy (looking at you, btrfs).

    From a usage (not technical) standpoint, the most equivalent commercial/prefabbed solution would probably be something like unraid.


  • A tool I’ve actually found way more useful than actual raid is snapraid.

    It just makes a giant parity file which can be used to validate, repair, and/or restore your data in the array without needing to rely on any hardware or filesystem magic. The validation bit being a big deal, because I can scrub all the data in the array and it’ll happily tell me if something funky has happened.

    It’s been super useful on my NAS, where it’s the only thing standing between my pile of random drives and data loss.

    There’s a very long list of caveats as to why this may not be the right choice for any particular use case, but for someone wanting to keep their picture and Linux ISO collection somewhat protected (use a 321 backup strategy, for the love of god), it’s a fairly viable option.



  • Hell I almost got snagged by one recently, and a goodly portion of my last job was dealing with phishing sites all day.

    They’ve gotten good with making things look like a proper email from a business that would be sending that kind of email, and if you’re distracted and expecting something you can have at least a moment of ‘oh this is probably legitimate’.

    The giveaway was, hilariously, a case of using ‘please kindly’ and ‘needful’ which uh, aren’t something this particular company would have actually used as phraseology in an email, so saved by scammers not realizing that Americans at least don’t actually use those two phrases in conversation.