kevincox

kevincox , 2 days ago

Prom is fun. You get to hang out with all of your classmates, ask someone out. A subset of people are always going to go overboard, but keep in mind that you don't see the "normal" cases. Most people just walk up to someone and ask them out. They find a date from the school or go alone.

I'm from Canada so I don't know if the US is wildly different, but here it is a bit of a big deal, but I think part of that is what makes it fun, you sort of build a bit of hype around what would otherwise be just another school dance.

kevincox , 2 days ago

FWIW I think it is actually a valuable social skill to be encouraged to ask someone out to prom. A lot of people don't have many similar experiences throughout their lives.

kevincox , 2 days ago

I don't really mean literally to practice asking people out. But there are times in your life where you need to ask people for things. It is hard to get over the anxiety, risk of social embarrassment and practice showing confidence (even if you are not). These are valuable skills in all sort of social circumstances.

kevincox , 3 days ago

I don't even know if that counts as on at all. It is really just laid on top partially covering it.

kevincox , 4 days ago

It's never too early. If you see an interesting job posting reach out and go thorough the process. At worst you learn a bit about what they were looking for and gain some interview experience. At best you get a job offer. Even if you decide not to take the offer you learn a bit about the positions available to you.

It costs effectively nothing to apply. Just a few hours of your time.

kevincox , 4 days ago

If you want to use proprietary apps the best option is probably dumping the APK from your "Googled" phone then sideloading it onto the new phone. However it may be difficult to keep up with updates unless you have a dedicated phone to download them.

kevincox , 5 days ago

I don't agree. As a single counter example of many YouTube has a huge wealth of information and content.

Maybe that value isn't worth the ads, that is much harder to say for certain. But it is clear that there is some valuable information on some sites that are supported by ads.

kevincox , 9 days ago

It's not "inherently insecure" at least not to that degree. (Once could argue that lack of E2EE is insecure.) If you stand up an unrelated instance you shouldn't be able to access private messages that don't relate to an account on your instance. So only bugs in your instance, or your conversation partner's instance, will be able to leak those messages.

kevincox , 8 days ago

Because to implement this you need to negotiate with individual credit card issuers. Basically how this works is that your phone is being issued a virtual card with the keys locked inside the phone's HSM. Then it can be used to make NFC payments just like any physical card. So you need 1. contracts with many card providers, 2. card issuance processes with these providers 3. huge amounts of compliance bureaucracy. At the end of the day it isn't really worth it unless you are a huge company and expect to have tons of users or see it as an essential feature of your phone OS.

kevincox , 8 days ago

1. I can usually pull out my phone faster than taking a card out of my wallet.
2. Phone-based cards typically have significantly higher limits than physical cards. (I can tap hundreds of dollars with my phone, only about $100 on my card.)
3. The phone needs to be unlocked which is safer than the card which just needs to be tapped with no other authentication.
4. One less thing to carry around.

kevincox , 8 days ago

I would pay a lot of money to see Nintendo's conniption over having to allow home brew and non-approved software on their game consoles. I would love to release emulators for older Nintendo consoles for the Switch so that they don't get to keep charging people again to play old games on newer consoles.

kevincox , 8 days ago

Most credit card issuers don't issue credit cards to random apps by solo developers.

kevincox , 11 days ago

I wonder if it could be something like adding a Link: </post/1234>; rel="activitypub" header or <link rel=activitypub href=/post/1234>. Then a browser (or browser extension) could detect this canonical ActivityPub URL and offer to open it in your configured instance or app. This is basically how RSS feeds work.

kevincox , 25 days ago

Just upload a PDF to any file sharing site?

kevincox , 29 days ago

How exactly does Samsung police this? Surely the repair shop could just… not tattle?

Well there is a contract in place and there would be consequences for not upholding the agreement. Sure, they could probably get away with it for quite a while. But it likely isn't worth the risk, they would rather just out Samsung as being a piece of shit and go on their merry way.

It would be pretty easy to catch this as well. Samsung can just occasionally submit a phone with a known third party part for repair and see if the expected report comes in.

kevincox , 29 days ago

Is this worse? It sounds pretty similar.

kevincox , 29 days ago

They'll brick your device if a part can't be verified so that isn't much different they destroying. Maybe they don't require repair shops to hand over personal info, but they do require device identifiers so I wouldn't be surprised if that is basically identical.

kevincox , 1 month ago

I'll trade rooms with you!

kevincox Mod , 1 month ago

I am willing to help with moderate. I have minimal existing moderation experience but have a long posting history and online presence.

I will not be able to commit enough time to be a sole moderator, but can help out as part of a team.

kevincox , 1 month ago

The last lines of the song are:

Me and my baby in a '69, oh, oh

It was the summer, summer, summer of '69

So I think at the very least it is intentionally ambiguous. Just like Big Balls is about hosting parties.

kevincox , 1 month ago

I wonder if it would be better to have a term limit. I don't really care if you are 125, but there should be a limit to how long you sit there with huge amounts of power. Especially since they aren't directly re-elected.

kevincox , 1 month ago

I'm sure some people will demand it. But for 99.9% of the population you don't need 1000Hz content. The main benefit is that whatever framerate your content is it will not have notable delay from the display refresh rate.

For example if you are watching 60Hz video on a 100Hz monitor you will get bad frame pacing. But on a 1000Hz monitor even though it isn't perfectly divisible. the 1/3ms delay isn't perceptible.

VRR can help a lot here, but can fall apart if you have different content at different frame rates. For example a notification pops up and a frame is rendered but then your game finishes its frame and needs to wait until the next refresh cycle. Ideally the compositor would have waited for the game frame before flushing the notification but it doesn't really know how long the game will take to render the next frame.

So really you just need your GPU to be able to composite at 1000Hz, you probably don't need your game to render at 1000Hz. It isn't really going to make much difference.

Basically at this point faster refresh rates just improve frame pacing when multiple things are on screen. Much like VRR does for single sources.

kevincox , 1 month ago

I also had a bad experience where I had a test website under a megabyte in a storage bucket. It was under the free tier and sat there for a few years. Then one month they sent me a bill (it was small, a handful of cents). Contact support saying that this use is under the free tier. They said that data was added then removed from the bucket. I hadn't logged into the account, no living API keys. They wouldn't forgive the charge.

Luckily my credit card had expired so they just locked my account.

kevincox , 1 month ago

Oh, flac fixes for HLS. I wonder if https://github.com/jellyfin/jellyfin/issues/8722 was fixed. I'll have to try it out today.

kevincox , 1 month ago

I would definitely go for Irish sheep farmer. You get to live in a cute little house in a green pasture by the seaside and the sheep feed themselves. What do you need to do? Sheer them every once and a while? I'd take that over Terraform any day of the week.

kevincox , 1 month ago

I think we as a society need to be a bit less sensitive about gifts. I think it is fine to not like a gift. What matters is that they thought of you to get something. Sometimes it won't land. It is better to admit that (if necessary) than hide it forever. It isn't my responsibility to love and care for a give that you give me.

I get you something I don't want it wasting space in your house just because you are afraid I will be offended. That is like the worst outcome of a gift, I don't want to be giving you a burden.

So if the kid is no longer interested in the toy I think it is fine to give it away or otherwise get rid of it. If the person is offended they should chill the fuck out.

kevincox , 1 month ago

*to an industry who creates serious health complications that raise the costs of hospitals.

kevincox , 1 month ago

Although getting something that supports AV1 hardware decoding could be forward thinking. For now you are probably fine without it and if you are ripping DVDs you may consider just keeping the original encoding. But most likely you will start to see more AV1 files coming in the future, and having a server that can transcode AV1 to older formats easily will keep everything on your network working properly.

kevincox , 1 month ago

If you want to serve multiple resolutions and bitrates you will probably want hardware that can do transcoding. However basically any graphics card (even integrated) will be able to transcode a video stream in real-time at a decent quality.

(If you wanted you can try to pre-transcode offline, but Jellyfin doesn't support this well)

kevincox , 1 month ago

Video serving is a very sequential workload so hard drives will be more than sufficient and you can typically get storage at a lower price.

SSD may give you slightly faster start and seeking but it is unlikely to be noticeable.

kevincox , 1 month ago

If they can shove ads into the GMail UI I'm sure they could have found a place to put them in Google Reader.

kevincox , 1 month ago

the whole security model of sudo makes no sense

I think that is a bit strong. Sure, you aren't gaining much protection if you just allow sudo -su root but there are a lot of valid use cases.

1. Logging.
2. A bit of an "explicit" check to keep you from doing something stupid without thinking.
3. You can configure sudo to only allow specific commands from different users. (Maybe a trusted friend should have permission to reboot your Minecraft server but nothing else)

kevincox , 1 month ago

If you haven't used any configuration management before it would definitely be valuable to learn.

However I would also recommend trying Nix and NixOS. The provide much better reproducibility. For example using Ansible-like tools I would always have issues where I create a file, then remove the code to create the file but the file still exists or the server is still running. I wrote a post going into more detail about the difference a while ago https://kevincox.ca/2015/12/13/nixos-managed-system/. However this is more involved. If you already have a running server it will be a big shift, instead of just slowly starting to manage things via Ansible.

But I would definitely consider using something. Having configuration managed and versioned with history is super valuable.

kevincox , 1 month ago

I like the option to preserve originals. I wonder if this is now always done or if it is configurable. Often times I am preserving the original footage and project files anyways so don't need an original. However other times I am just throwing footage straight from the camera and the archive is nice.

It also opens interesting possibilities like re-encoding down the road to new or better codecs or even just better encoders. For example it would be interesting to dedicate one background thread to re-encoding in a much higher effort, and possibly re-running this every few years to take advantage of encoder upgrades.

kevincox , 1 month ago

Currently s1 and t6. I'm not a fun person.

kevincox , 1 month ago

It depends on the cryptosystem. The private and public halves of the pair are often not symmetrical and often have overlap.

The parent is likely confused because in most situations the "private key file" will also contain all of the public key. Whether by necessity or for convenience.

kevincox , 1 month ago (edited 1 month ago)

Great question. Modern encryption schemes are usually composed of a handful of primitives. If we consider something like HTTPS it uses both asymmetric and symmetric parts.

Asymmetric encryption is the "magic" that you are missing. Asymmetric encryption algorithms create a keypair, one half of this is the "public key" which can be used to encrypt messages that can only be decrypted by the "private key". This means that even if the public key is public (as the name suggests) the messages can't be decrypted without the private key.

You can think of this as giving someone an open padlock. They can put something inside a box and lock it using the padlock, but they can't open it without your key.

Using this you could come up with a very simple protocol for establishing a secure channel:

1. The server sends you their public key, along with a certificate that proves that it belongs to them.
2. The client then uses this public key to encrypt a key for symmetric encryption.
3. The client sends this encrypted key to the server.
4. The server decrypts the key.
5. Now the client and server can both use the shared key to communicate.

(Note: There are many missing features from this system, but I think it illustrates the point. Don't design your own crypto.)

kevincox , 1 month ago

I ended up creating my own because I couldn't find something that did what I want a few years ago when I started looking. My main requirement was easy scaling of ingredients. It has a handful of features around that such as scaling by specifying servings, scaling by setting the amount of a particular ingredient (example making pancakes with leftover buttermilk, pour the buttermilk into the bowl then scale the recipe based on how much was left) and ingredient conversion. In most other ways it is pretty basic and free-form but it does the job. It stores data in a user-provided provider so other people never send me their recipes.

https://recipes.kevincox.ca/

kevincox , 1 month ago

Element is running a beta for Video Rooms which is basically exactly this. However it isn't standardized yet and I haven't tried it.

kevincox , 2 months ago

A blog platform.

kevincox , 2 months ago

I don't think you can pick out any one reason. XMPP is very old and has extensions for a huge variety of features. Many people have experience with older versions which had many major missing features (such as strong multi-device with offline support and server-side history) and a lot of the "hype" has died out long ago.

Matrix is new and made a lot of decisions that really helped its popularity.

1. Having a HTTP-based client-to-server protocol makes web clients very easy to make.
2. It is based on sync and merging rather than messages which moves some difficult problems (like multidevice and server-side history) into the core protocol meaning that it works well out of the box.
3. Having HTTP based protocols make hosting it familiar for many people.
4. The "default" Element clients have lots of features out of the box, features that for a long time were not always present on XMPP servers or clients. This gives a more consistent experience.

We will see what the history holds. Matrix is still very new and maybe the hype will die out and we end up moving back to XMPP. Or maybe something new. Overall I don't think there are major fundamental differences. I think Matrix making graph sync the core primitive to build off of was a good idea, but in practice I don't think it matters much.

You say that XMPP is much lighter. But I think that is mostly due to Synapse not being very efficient. Other implementations are fairly light. Even then my Synapse is using fairly small amounts of resources. You should also check that you are making an apples-to-apples comparison with large rooms, media and message history like you would typically see in a common Matrix server.

kevincox , 2 months ago (edited 2 months ago)

My Synapse install is using 94MiB of RAM and 500MiB of database disk space. CPU usage is effectively zero. I only have a 3 active users but decades of conversation history for myself (imported from other services). An uncompressed pg_dump of the data is about 250MiB which is within an order of magnitude of the raw text that I have in it. Nearly all of the conversations are encrypted so it wouldn't compress much.

Given that just running python takes 13MB of RAM it probably isn't using many resources past loading the code. At least at small scale running a Matrix server is not a notable resource burden for most people. A Matrix server written in a more efficient language (like Conduit) would likely be fairly similar to an XMPP server written in the same language. Either way unless you are hosting thousands of users it doesn't seem like this is a major problem for either protocol.

kevincox , 2 months ago

I do it the simple way. I just stick nginx in front of everything. If I don't want it to be publicly accessible I stick nginx basic auth in front of it.

The advantages is that I can easily access the services from anywhere on any device with just the password. I only need to trust nginx's basic auth to keep me protected, not various different service's authentication.

The downside is that some services don't work great when you have basic auth in the front. This is often due to things like public links or APIs that need to be accessed with other auth.

I just use nginx because I've always used it. I've heard that there are newer reverse proxies that are a bit easier to configure.

kevincox , 1 month ago

It depends on how much you trust nginx. A HTTP server is probably a bit more complex that your average VPN solution so probably more likely to have vulnerabilities, but it is also the most popular web server on the planet, so if there is a zero day I'm probably not the first target. If you stay up to date you are probably fine.

kevincox , 2 months ago

What are you hoping to sync? If it is just your subscription list and every device fetches by itself it shouldn't be too hard. However more complex things like read/unread would be hard to sync using a basic tool like Syncthing. The problem is that tools like Syncthing don't really have any conflict resolution capabilities so apps would need to be written specifically for that form of syncing.

Most open source readers use a shared backend server that manages checking feeds and syncing read events rather than this filesystem level syncing.

kevincox , 2 months ago

You seem to be talking about binary search, but this is a search with an unbounded end.

I think the actual optimal thing would be just to take the first commit and bisect from there. But in practice this has downsides:

1. Bugs that you are tracking down are typically biased towards recent commits.
2. Older commits may not even be relevant to the bug (ex: before the feature was introduced)
3. You may have trouble building older commits for various reasons.

So I think "optimal" is sort of fuzzy in this context, but I'm sure you could come up with various models for these variables and come up with something that is optimal for a given model. I haven't got around to doing that yet though.

kevincox , 2 months ago

Any chat protocol without full mutli-device support is not really an option for me https://github.com/simplex-chat/simplex-chat/issues/444.