moonpiedumplings

@moonpiedumplings@programming.dev


moonpiedumplings ,

Fun fact: you don't need to add the nixpkgs channel for the determinate systems installer, even when using channel commands or other things since it adds an option to your nix.conf to reference the nix flake for nixpkgs.

I don't know how to update this flake though.

moonpiedumplings ,

No one complained when s6, another init system, also offered a sudo alternative (before systemd did, too). But when Poettering does it, it's bad and wrong and ununixlike!

Maybe setuid has been extremely problematic, and more than one entity has sought alternatives?

moonpiedumplings ,

You could say the same thing about sudo. Sudo's codebase is massive, compared to alternatives like doas, but it comes with many features doas does not have, like being able to ask a remote LDAP server if a user will be able to escalate.

I find it absurd that we have just simply accepted the idea of a setuid binary with built in networking code, as our primary admin escalation tool. 100,000+ lines of C code, code that has had multiple buffer overflow exploits*, in a setuid binary, just for temporary admin privileges. Does that seem necessary to you?

Polkit provides an alternative to that. If you don't need the features, then fine, you don't have to use run0 — but then you can't use sudo without being a hypocrite. No longer do I have to rely on a setuid binary that tries to do everything in one program when I really need sudo's features; instead polkit handles authentication (including asking remote resources if an action is okay), and run0 handles actual escalation.

In another comment in this thread, you mention sudo being lightweight — which is outright false. Compared to doas or su, it's extremely heavyweight, and with that complexity comes more risk of vulnerabilities. You also mention pkexec, for executing with polkit, but pkexec is also setuid, and has many of the same pitfalls.

*Buffer overflow exploits in sudo:

  1. https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/
  2. https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

moonpiedumplings ,

You're not supposed to brush your teeth after eating.

“The reason for that is that when acids are in the mouth, they weaken the enamel of the tooth, which is the outer layer of the tooth,” Rolle says. Brushing immediately after consuming something acidic can damage the enamel layer of the tooth.

Source: https://www.cuimc.columbia.edu/news/brushing-immediately-after-meals-you-may-want-wait

moonpiedumplings ,

Xplore file browser

It's trivial to replace the independent pieces of xplore, but it has so many features in one app that I just can't let it go. It's got dual pane file browsing, disk usage chart, smb, ftp, and many other cloud storage connections. It also handles many types of compression.

It's become my main offline music player as well, because it has the simple ability to shuffle a folder of music, which is all I really need.

It can also view installed apps, export them to apk, and view and modify appdata (as non root!).

moonpiedumplings ,

I can spiral my tongue, so that the front part is fully upside down - but only to the left. I can't rotate it to the right at all for some reason, it's like the equivalent muscles are missing.

moonpiedumplings ,

Putting something on GitHub is really inconsequential if you’re making your project open source since anyone can use it for anything anyway,

Except for people in China (blocked in China) or people on ipv6 only networks, since Github hasn't bothered to support ipv6, cutting out those in countries where ipv4 addresses are scarce.

So yes, it does matter. Both gitlab and codeberg, the two big alternatives, support ipv6 (idk about them being blocked in china). They also support github logins, so you don't even need to make an account.

And it's not black or white. Software freedom is a spectrum, not a binary. We should strive to use more open source, decentralized software, while recognizing that many parts are going to be out of our immediate control, like the backbone of the internet or little pieces like proprietary firmware.

r/sysadmin and the size of this community

So I have been a part of this community for a while and it seems pretty quiet. I know Lemmy is not as big as Reddit so this community will always be much smaller but I kind of miss the activity on r/sysadmin. Infinity for Reddit still works for view only so I have been scrolling though posts on Reddit as some of the stories and...

moonpiedumplings ,

I agree with this.

Sometimes I've seen people complain about people using asklemmy for not askreddit style questions, but I actually think that's ok and I'm in favor of that as it means more discussion, content, and visibility.

Eventually asklemmy will reach "critical mass", and split into more niche communities.

Nextcloud appreciation post

After months of waiting, I finally got myself an instance with Libre Cloud. I was expecting basic file storage with a few goodies but boy, this is soooo much more. I am amazed by how complete this is!!! Apps let me configure my instance to fit everything I need, my workflow is now crazy fast and I can finally say goodbye to...

moonpiedumplings ,

What was it? I'm planning to do a nextcloud deployment via helm soon.

What's the draw of watching/following streamers?

I've watched some here and there, but having to try to catch them when they stream has put me too much in the mind of old tv and catching shows when they air. Watching the recording afterward is maybe good for some white noise, but it's clearly not the intended experience I think.

moonpiedumplings ,

https://moonpiedumplings.github.io/blog/twitch/

I like to watch people program on twitch. Seeing people suffer with code reminds me that I am not alone.

moonpiedumplings ,

sn1per is not open source, according to the OSI's definition

The license for sn1per can be found here: https://github.com/1N3/Sn1per/blob/master/LICENSE.md

It's more a EULA than an actual license. It prohibits a lot of stuff, and is basically source-available.

You agree not to create any product or service from any par of the Code from this Project, paid or free

There is also:

Sn1perSecurity LLC reserves the right to change the licensing terms at any time, without advance notice. Sn1perSecurity LLC reserves the right to terminate your license at any time.

So yeah. I decided to test it out anyways... but what I see... is not promising.

FROM docker.io/blackarchlinux/blackarch:latest

# Upgrade system
RUN pacman -Syu --noconfirm

# Install sn1per from official repository
RUN pacman -Sy sn1per --noconfirm

CMD ["sn1per"]

The two pacman commands are redundant. You only need to run pacman -Syu sn1per --noconfirm once. This also goes against docker best practice, as it creates two layers where only one would be necessary. In addition to that, best practice also includes deleting cache files, which isn't done here. The final docker image is probably significantly larger than it needs to be.

Their kali image has similar issues:

RUN set -x \
        && apt -yqq update \
        && apt -yqq full-upgrade \
        && apt clean
RUN apt install --yes metasploit-framework

https://www.docker.com/blog/intro-guide-to-dockerfile-best-practices/

It's still building right now. I might edit this post with more info if it's worth it. I really just want a command-line vulnerability scanner, and sn1per seems to offer that with greenbone/openvas as a backend.

I could modify the dockerfiles with something better, but I don't know if I'm legally allowed to do so outside of their repo, and I don't feel comfortable contributing to a repo that's not FOSS.

moonpiedumplings ,

I can't find the source code for this extension

How can I bypass CGNAT by using a VPS with a public IPv4 address?

I want to move away from Cloudflare tunnels, so I rented a cheap VPS from Hetzner and tried to follow this guide. Unfortunately, the WireGuard setup didn't work. I'm trying to forward all traffic from the VPS to my homeserver and vice versa. Are there any other ways to solve this issue?...

moonpiedumplings , (edited )

I use this too, and it should be noted that this does not require wireguard or any VPN solution. Rathole can be served publicly, allowing a machine behind a NAT or firewall to connect.

moonpiedumplings ,

No, it is lock in. If apple allowed for multiple app stores other than their own, then users could pay for an app on one app store, and then not have to pay again on another, potentially even on non-apple devices.

I encountered this when I first purchased minecraft bedrock edition on the amazon kindle. Rather than repurchasing it on the google play store when on a non-amazon device, I simply tracked down the Amazon app store for non-amazon devices, and redownloaded it from there. No lock in to Amazon or other android devices, both ways.

Now, the Apple app store would still probably not work on androids... but now they would actually have to compete for users on the app store, by offering something potentially better than transferable purchases across ecosystems.

I suspect the upcoming Epic store for iOS and android may be like that... pay for a game/app on one OS, get it available for all platforms where you have the Epic store. But the only reason the Epic store is even coming to iOS is because Apple has been forced to open up their ecosystem.

Linux distro for selfhosting server

So I have been running a fair amount of selfhosted services over the last decade or so. I have always been running this on a Ubuntu LTS distribution running on an intel NUC machine. Most, if not all of my services run in a docker container, and using a docker compose file that brings everything up. The server is headless. I...

moonpiedumplings ,

LXD/Incus. It's truly free/open

Please stop saying this about lxd. You know it isn't true, ever since they started requiring a CLA.

LXD is literally less free than proxmox, looking at those terms, since Canonical isn't required to open source any custom lxd versions they host.

Also, I've literally brought this up to you before, and you acknowledged it. But you continue to spread this despite the fact that you should know better.

Anyway, Incus currently isn't packaged in debian bookworm, only trixie.

The version of lxd debian packages is before the license change so that's still free. But for people on other distros, it's better to clarify that incus is the truly FOSS option.

moonpiedumplings ,

Edge WebView2

I'm like 90% sure this requires edge to be installed, even though the EU mandated that they make edge uninstallable. So that might be their game here.

PSA: Docker nukes your firewall rules and replaces them with its own.

I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enormous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was...

moonpiedumplings ,

Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rule for a new container.

My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn't be exposed.

Excerpt from another comment of mine:

It’s only docker where you have to deal with something like this:

---
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.

moonpiedumplings ,

Probably not an issue, but you should check. If the port opened is something like 127.0.0.1:portnumber, then it's only bound to localhost, and only that local machine can access it. If no address is specified, then anyone with access to the server can access that service.

An easy way to see containers running is: docker ps, where you can look at forwarded ports.

Alternatively, you can use the nmap tool to scan your own server for exposed ports. nmap -A serverip does the slowest, but most in-depth scan.
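The two comments above describe the same check from two sides: the webtop compose publishes 3000 and 3001 without a host address (so Docker binds them on every interface and adds its own firewall rules to let them through) and mounts /var/run/docker.sock, and the follow-up says to look at docker ps for ports that are not bound to 127.0.0.1. The script below is an added example, not code from the original comments or from Docker; it reads the JSON that `docker inspect` prints (the `Name`, `HostConfig.PortBindings`, `HostConfig.Binds` and `Mounts` fields) and reports containers that publish ports on a wildcard address or mount the Docker socket. The embedded sample is a constructed stand-in for real `docker inspect` output.

```python
"""Audit `docker inspect` output for ports published on all interfaces and for
containers that mount the Docker socket.

On a real host:  docker inspect $(docker ps -q) | python3 docker_exposure_audit.py
Run with no stdin to audit the constructed sample at the bottom instead.
"""
import json
import sys

# Host addresses that mean "every interface". Docker treats an empty HostIp the
# same as 0.0.0.0 and, by default, also publishes on the IPv6 wildcard "::".
WILDCARD_IPS = {"", "0.0.0.0", "::"}
DOCKER_SOCKET = "/var/run/docker.sock"


def audit_container(container):
    """Return findings for one entry of a `docker inspect` JSON array."""
    name = container.get("Name", "?").lstrip("/")
    findings = {"name": name, "public_ports": [], "local_ports": [], "docker_socket": False}

    # PortBindings maps "3000/tcp" -> [{"HostIp": "", "HostPort": "3000"}, ...]
    bindings = container.get("HostConfig", {}).get("PortBindings") or {}
    for container_port, host_entries in bindings.items():
        for entry in host_entries or []:
            host_ip = entry.get("HostIp", "")
            label = f"{entry.get('HostPort', '')}->{container_port}"
            if host_ip in WILDCARD_IPS:
                findings["public_ports"].append(label)
            else:
                findings["local_ports"].append(f"{host_ip}:{label}")

    # The socket can show up either as a Mounts entry or as a "-v" style Bind.
    for mount in container.get("Mounts") or []:
        if mount.get("Source") == DOCKER_SOCKET:
            findings["docker_socket"] = True
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        if bind.split(":")[0] == DOCKER_SOCKET:
            findings["docker_socket"] = True
    return findings


def audit(inspect_json, only_risky=True):
    """Audit every container in a `docker inspect` JSON array.

    With only_risky=True, return just the containers that publish a port on a
    wildcard address (reachable from outside regardless of the host firewall)
    or that mount the Docker socket (root-equivalent access to the host)."""
    results = [audit_container(c) for c in json.loads(inspect_json)]
    if only_risky:
        results = [f for f in results if f["public_ports"] or f["docker_socket"]]
    return results


def format_report(findings):
    """Render findings as one line per container."""
    lines = []
    for f in findings:
        parts = []
        if f["public_ports"]:
            parts.append("published on all interfaces: " + ", ".join(f["public_ports"]))
        if f["docker_socket"]:
            parts.append("mounts " + DOCKER_SOCKET)
        lines.append(f"{f['name']}: " + "; ".join(parts))
    return "\n".join(lines)


# Constructed sample in the shape of `docker inspect` output: the first entry
# mirrors the webtop compose (wildcard ports plus the socket), the second is
# bound to localhost only, so it is not reported.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/webtop",
        "HostConfig": {
            "PortBindings": {
                "3000/tcp": [{"HostIp": "", "HostPort": "3000"}],
                "3001/tcp": [{"HostIp": "", "HostPort": "3001"}],
            },
            "Binds": ["/path/to/data:/config", "/var/run/docker.sock:/var/run/docker.sock"],
        },
        "Mounts": [
            {"Type": "bind", "Source": "/path/to/data", "Destination": "/config"},
            {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
        ],
    },
    {
        "Name": "/notes",
        "HostConfig": {
            "PortBindings": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
            "Binds": ["/srv/notes:/data"],
        },
        "Mounts": [{"Type": "bind", "Source": "/srv/notes", "Destination": "/data"}],
    },
])

if __name__ == "__main__":
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    print(format_report(audit(data)) or "no wildcard ports or socket mounts found")
```

A port listed as `127.0.0.1:8080->80/tcp` is the safe shape; anything listed without a host address is what the firewall-dump comment above is complaining about, because Docker's own chain lets that traffic through before the rules you wrote are consulted.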

moonpiedumplings ,

Docker's manipulation of nftables is pretty well defined in their documentation

Documentation people don't read. People expect that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.

As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

Too bad people don't read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver's webtop, because it's an example of two of the worst footguns in docker in one.

To include the rest of my comment that I linked to:

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

You originally stated:

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rule for a new container.

And I'm trying to say that even if that was true, it would still be better than a footgun where people expose stuff that's not supposed to be exposed.

But that isn't the case for podman. A quick look through the github issues for podman, and I don't see it inundated with newbies asking "how to expose services?" because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

(I don't have anything against you, I just really hate the way docker does things.)

Cloudflare Alternative

What do you guys use to expose private IP addresses to the web? I was using the npm proxy manager with Cloudflare CDN. However, it stopped working after I changed my router (I keep getting error 521). Looking for an alternative to Cloudflare cdn so I can access my media server/self-hosted services away from LAN....

moonpiedumplings ,

If you need public access:

https://github.com/anderspitman/awesome-tunneling

From this list, I use rathole. One rathole container runs on my vps, and another runs on my home server, and it exposes my reverse proxy (caddy), to the public.

NixOS As a replacement for active directory?

I have always been exposed to windows active directory with server controlled logins, server based "home" directories, etc. With the nature of NixOS it seems like it might be easy to deploy something similar by just setting up the configuration.nix as some sort of symlink to one stored on a central server. The only issue would...

moonpiedumplings ,

The person telling you to "learn what AD is" is kinda a douche, but they aren't wrong.

AD is mainly 3 components in one:

  • Configuration management across a variety of machines
  • Shared logins
  • Shared user data across many machines

All of these are doable on Linux. In many ways. Many, many ways. That you have to set up yourself.

For configuration management, do you want ansible, puppet, chef, nix, etc?

For shared logins, do you want openldap, lldap, Red Hat's ldap, etc?

For shared user data, do you want nfs, systemd-homed, or something else?

And for all of those, you have to evaluate, maybe test, and then select a solution, and then set it up yourself in a resilient manner.

Nixos, as a server distro, can host the relevant services needed for this. As a desktop distro, it can also do configuration management. But that's missing the point of AD, in my opinion.

The point of AD, and how it managed to become so popular, is that it is all of those, in an all-in-one solution that is simple to use (joining Windows machines to a domain is trivial), and it also comes with paid support.

Even if you were to build your own alternative on Nixos, which would be a lot of tinkering and twiddling, then you would end up with some of the same core features, but you would have to maintain, secure, etc, it yourself, and not having to do those to such an extent is why people buy Active Directory. There would be no alternative to things like Group Policy, instead you would be writing your own nix code.

So yeah. Unless someone comes along and builds an all-in-one solution on top of Nixos, nixos isn't really an alternative to active directory. You can replicate the core features. But it's not an alternative.

moonpiedumplings ,

I recently noticed that it's now integrated into Canvas, a FOSS online learning management software which my college (and my high school, and my middle school) have used.

Too bad no one bothers with it, forcing everyone to use zoom instead. Which sucks, because the first day of online classes, zoom permissions weren't set up properly, meaning no one could join the meeting. Probably wouldn't have happened with BigBlueButton.

self-hosted/FOSS remote-access support gateway

One of the problems with having switched over a number of relatives to Linux is that I'm "the guy" when they have issues, and I can't always get over to help them in a timely manner. A lot of the time most stuff is working just fine and it's just a matter of popping into the desktop and fixing a bad link or a naughty plugin...

moonpiedumplings ,

I use https://github.com/Ylianst/MeshCentral

For this usecase. This also lets me do things like run admin cmd commands. It should be noted, however, that the Windows UAC prompt won't show up in a VNC session by default, you either need to configure UAC, or set up RDP.

moonpiedumplings ,

i thought of that too but youtube-dl and yt-dlp still exist in most repos

And if your distro isn't one that pushes out fast updates, then neither will work consistently.

moonpiedumplings ,

Yes and no:

https://open-vsx.org/

I use code-oss provided by the arch repos and it seems to automatically hook into this. There is probably some way to add that to vscodium.

moonpiedumplings ,

Python in Excel requires Internet access because calculations run on remote servers in the Microsoft Cloud. The calculations are not run by your local Excel application.

From: https://support.microsoft.com/en-us/office/troubleshoot-python-in-excel-errors-7736520d-47ef-43a8-b640-d826afb63249

moonpiedumplings ,

Mozilla: ignores years of customer complaints and requests

Are these customers donating, or purchasing mozilla products or services so that mozilla doesn't have to rely on google's donations?

Mozilla: creates new product nobody asked for

https://github.com/Mozilla-Ocho

Nearly 10k and 400 stars on those respective repos.

A way to run a large language model on any operating system, in any OS, in a simple, local, and privacy respecting manner?

For linux we have docker, but Windows users were starving for a good way to do this, and even on linux, removing the step of configuring docker (or other container runtimes) to work with nvidia, is nice.

And it's still FOSS stuff they aren't being paid for, currently. But there are plenty of ways to monetize this.

Here's an easy one: tie in the vpn service they have to allow you to access the web ui of the computer running the llamafile remotely. Configure something like end to end encryption or nat traversal (so not even mozilla can sniff the traffic), and you end up with a private LLM you can access remotely.

With this, maybe they can afford some actual development on firefox, without having to rely on google money.

moonpiedumplings ,

Because much of mozilla's funding is from a deal with google, that's why.

US$300 million annually. Approximately 90% of Mozilla's royalties revenue for 2014 was derived from this contract

From https://en.wikipedia.org/wiki/Mozilla_Foundation

A lot of money, but not enough to actually do a lot. They keep cutting features their "customers" like. Why?

Because development is expensive.

Google props mozilla up to pretend they don't have a monopoly on the internet. Just enough money to barely keep up, not enough to truly stay competitive.

Mozilla wants to not rely on google money, so they are trying to expand their products. AI is overhyped, but still useful, and something worth investing in.

moonpiedumplings ,

Then it's still a bad idea because of the literal cost to taxpayers.

Life in prison is $70,000 per year (paid by taxpayers, of course).

The legal battle around the death penalty is around $1.12 million, also paid by taxpayers.

https://www.cato.org/blog/financial-implications-death-penalty

That's 14 times more expensive.

There are tons of things I would see the state spend money on rather than literally killing people. In the case of this, maybe mental health help for the victims.

moonpiedumplings ,

Well one way to lower it is to settle law around the death penalty it seems

Or you could just not kill people.

Using conservative rough projections, the Commission estimates the annual costs of the present system ($137 million per year), the present system after implementation of the reforms … ($232.7 million per year) … and a system which imposes a maximum penalty of lifetime incarceration instead of the death penalty ($11.5 million).

From amnesty USA. https://www.amnestyusa.org/issues/death-penalty/death-penalty-facts/death-penalty-cost/

Ted Kaczynski lived until 81 and absolutely deserved death.

And he did die. Does that not satisfy you?

Kidding, but it's not a matter of deserves. It's about the state's power in relation to their citizens. The state shouldn't have the power over life and death, because power corrupts. Cases like this: https://innocenceproject.org/melissa-lucio-9-facts-innocent-woman-facing-execution/

The poor woman was interrogated for 5 hours straight by police into confessing her "crime", while pregnant with twins, after which she was sentenced to death (still alive btw, lawsuits still ongoing and sucking up taxpayer money, even 13 years later.). One of the influential things in her death was the District Attorney who was attempting to be reelected on a "tough on crime" platform.

Cameron County D.A. Armando Villalobos was running for re-election and seeking a “win,” and is now serving a 13-year federal prison sentence for bribery and extortion.

Of course, you made an argument about "what if we require really, really hard evidence"... but what evidence is greater than a confession? What if evidence is fudged? There can never be a guarantee, and we should design our systems to account for human error... or malice.

Prison should be a place to rehabilitate people first, and a place to remove dangerous people from society second. Not a political platform, like the death penalty is so often.

The death penalty is the ultimate form of virtue signaling. An expensive way to remove someone from society, when life in prison would have the same effects, relatively. Everybody dies eventually, no need to waste money on killing people early when we could be spending money on keeping people alive.

moonpiedumplings ,

Do you have any other book recommendations? Although I dislike the trope of the application of actual scientific knowledge, as characters get very OP very quickly, I love seeing characters using the scientific method to figure out what they can or can't do.

Quantum League

I looked up the book description, and a strong sense of deja vu hit me at the word "actuator"... I think I've read this book before.

Currently reading Industrial Strength magic by Macronomicon, and it scratches this itch for me, but waiting for chapter updates, even when daily, is so painful.

moonpiedumplings ,

The guide won't work. Grub attempts to verify everything in /boot, even if it is encrypted, which is pointless for a desktop use case.

https://moonpiedumplings.github.io/playground/arch-secureboot/

Original guide I followed: https://wejn.org/2021/09/fixing-grub-verification-requested-nobody-cares/

moonpiedumplings ,

Yeah, unintentional bugs are much easier to deal with than maliciousness, like replacing the "file upload" button with buy nitro, or discord in the browser's audio being finicky (dark pattern, you don't get this problem on element or the discord app.)

Of course, there are unintentional bugs as well, on top of maliciousness.

Screenshot_20240115-160050

Lmao. I'm guessing this is because they've begun to use LLM's for moderation (maybe trying to replace real humans?), but LLM's can't really count.

How was the Snowflake proxy used in 2023? ( forum.torproject.org )

We can also break down users by country. The largest contingent of Snowflake users are in Iran, which has been the case since the Mahsa Amini protests in 2022 1. The graph shows also a large number of users apparently from the United States, but we believe that may be partly the result of geolocation errors, and many of them are...

moonpiedumplings , (edited )

They could. But in countries where internet access is restricted by authorities, running any more than an insignificant amount of traffic over a VPN, even protocols as stealthy as the ones that make them indistinguishable from website (http/s) traffic, can be noticeable... and being noticed can get you killed.

Snowflake, on the other hand, runs proxies to users of the snowflake browser extension, who act as entry points. It's named so because connections are ephemeral, and last for a short time, like snowflakes. This makes it much harder to distinguish.

It's not only about what internet traffic, it's also about where.

And of course, the how is relevant too. Not many people want to spend the time to set up an ssl vpn (and multiple people using it makes it easier to spot).

You need to understand what you're asking when you suggest people set up their own proxy. You're asking them to learn a skill, most likely in their free time (free time and energy they may not even have), and without many resources to learn (censored internet), and then rest their lives and livelihoods on that skill. Depending on the regime, maybe the lives of their friends and family, as well.

Comparatively, it's like two clicks to select snowflake as an entrypoint in the tor browser configuration options.

(Constructively) What is your least favorite distro & why?

I’ve been distrohopping for a while now, and eventually I landed on Arch. Part of the reason I have stuck with it is I think I had a balanced introduction, since I was exposed to both praise and criticism. We often discuss our favorite distros, but I think it’s equally important to talk about the ones that didn’t quite hit...

moonpiedumplings ,

Did you test with different kernels? Them using a custom scheduler that prioritizes desktop applications might cause background things to run slower.

Plus, the use of ananicy (cpu/ram limiter) limits stuff like that as well.

I use cachyos because they set up zram, and uksmd by default. That's ram compression and deduplication, and it's pretty powerful in my experience. If you're using cachyos, then uksmdstats and zramctl can give you an idea of how much you are saving.

moonpiedumplings ,

In my experience, best with science, math, and technology stuff:

https://arxiv.org/

But I've found it to be very good for finding scientific articles.
