
Interested in Linux, FOSS, data storage systems, unfucking our society and a bit of gaming.

I help maintain Nixpkgs.

github.com/Atemu
reddit.com/u/Atemu12 (Probably won’t be active much anymore.)


Atemu ,
@Atemu@lemmy.ml avatar

There are some obvious security risks involved in fully enabling the SysRq key. In addition to forcing reboots and the like, it can be used to dump the contents of the CPU registers, which could theoretically reveal sensitive information. Since using it requires physical access to the system (unless you go out of your way), most desktop users will probably consider the level of risk acceptable. That said, make sure you fully understand the implications of enabling it and the dynamics of the larger context in which your system is operating before you turn SysRq all the way on.

wiki.archlinux.org/title/Keyboard_shortcuts#Enabl…

I don’t care about this so sysrq is enabled on all of my desktop systems.
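Since kernel.sysrq is a bitmask rather than an on/off switch, the functions worth keeping for recovery can be enabled without the debugging dumps the wiki warns about. The following is an added NixOS configuration fragment (assumed module, not the commenter's own config or the Arch wiki's) that puts the fully-enabled setting next to a narrower one:

```nix
# Added example, not part of the original comment: restrict SysRq on NixOS
# via the boot.kernel.sysctl option instead of enabling everything.
{ ... }:

{
  # kernel.sysrq is a bitmask (Documentation/admin-guide/sysrq.rst):
  #   1   = enable everything ("fully enabling" the key)
  #   2   = console log level control
  #   4   = keyboard control (SAK, unraw)
  #   8   = debugging dumps (task lists, CPU registers, memory info)
  #   16  = sync all filesystems
  #   32  = remount all filesystems read-only
  #   64  = send signals to processes (TERM, KILL, OOM kill)
  #   128 = reboot / power off
  #   256 = renice all real-time tasks
  #
  # The setting the comment refers to (everything, including the
  # register/memory dumps from bit 8) would be:
  #   boot.kernel.sysctl."kernel.sysrq" = 1;
  #
  # Narrower alternative: only sync, remount read-only and reboot,
  # which is what a forced-but-clean reboot needs; bit 8 stays off,
  # so the dump functions are unavailable even with physical access.
  boot.kernel.sysctl."kernel.sysrq" = 16 + 32 + 128; # = 176
}
```

After `nixos-rebuild switch`, `cat /proc/sys/kernel/sysrq` should print the chosen value.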

Atemu ,
@Atemu@lemmy.ml avatar

I wouldn’t be so sure about that. The Switch records a 720p30 video all the time for its 30s replay functionality that is on by default.

At least theoretically, capture and encoding themselves shouldn’t cause any more performance issues than a stock Switch already has (unless you try to stream and have the replay buffer ofc.) and sending a bunch of video data over a network isn’t very intensive.

Atemu ,
@Atemu@lemmy.ml avatar

Distro doesn’t really matter here. Choose any that you like.

Atemu ,
@Atemu@lemmy.ml avatar

Which of the drives does this happen with? Or does it happen with both?

Atemu ,
@Atemu@lemmy.ml avatar

Boot a live ISO with the flags recommended in the kernel message and do some tests on the bare drives. That way you won’t have the filesystem and subsequently the rest of the system giving out on you while you’re debugging.

Atemu ,
@Atemu@lemmy.ml avatar

I’d start by generating some synthetic workloads such as writing some sequential data to it and then reading it back a few times.

badblocks concerns partial failure of the device where (usually) just a few blocks misbehave while the rest remains accessible. The failure mode seen here is that the entire drive becomes inaccessible and it’s likely not due to the drive itself but how it’s connected.

If synthetic loads fail to reproduce the error, I’d put a filesystem on it and copy over some real data perhaps. Put on some load that mimics a real system somehow to try and get it to fail without the OS actually being run off the drive.

Atemu ,
@Atemu@lemmy.ml avatar

Did you boot with the kernel flags from the log?

Could you show the dmesg from the point onwards when the drive dropped out?

Atemu ,
@Atemu@lemmy.ml avatar

Snapshots are cheap to create but they do still have a cost. Any file you delete will only free up the space it used once the last snapshot which contains the file is deleted.

So yes, if you’re low on space, you should look into deleting snapshots. Otherwise, snapshots are an extremely useful tool.

Current Best Remote Access Method?

So for the past few years (?) I have been using wireguard to vpn into (effectively) my firewall and a dynamic dns setup to access that remotely. But with the shitshow that is google domains and the like, this seems like a good opportunity to look into a few of the alternatives. I am not entirely opposed to just going in and...

Atemu ,
@Atemu@lemmy.ml avatar

Tailscale’s official clients are FOSS on free platforms and there is an officially endorsed FOSS back-end (headscale) if you wanted to self-host a fully FOSS environment.

Of course, hosting headscale requires a public server which you may not want or have the ability to host and in those cases, using their proprietary back-end as a service is absolutely fine in my books.

As a company, Tailscale has generally struck me as quite the opposite of “garbage”.

Atemu ,
@Atemu@lemmy.ml avatar

with the shitshow that is google domains and the like, this seems like a good opportunity to look into a few of the alternatives.

I don’t see how google domains play into this? If you’re using their DNS and it sucks, just use a different DNS host instead. I can recommend desec.io.

most of those solutions seem built around selling seats which means they want you to add individual devices rather than just setting up a tunnel.

Are you talking about Tailscale?

The idea behind every client and server running a tailscaled isn’t to sell you more seats but rather to enable P2P connections. Their whole product is set up around this; ACLs and individual device sharing wouldn’t work without this architecture.

If you don’t care about all of that, you can simply set up a subnet router on one device and use it like a classical VPN server. Though I’ve never run into device limits on the free plan, even before they were increased.

Tailscale is as close to a hassle-free user-friendly solution as you can reasonably get.

Atemu ,
@Atemu@lemmy.ml avatar

Hmm, their BE still does a bit as it facilitates the connection of two devices with one another. The clients are independently connected to it and if two want to talk with one another, they first talk to the BE to coordinate the firewall piercing on both ends.

Still, given that an OSS re-implementation exists and is in no danger of being canned (TS went ahead and hired the person who made it lol), it being proprietary isn’t a big deal.

Atemu ,
@Atemu@lemmy.ml avatar

The SteamDeck uses gamescope to control saturation and vibrancy.

Atemu ,
@Atemu@lemmy.ml avatar

Ext4 does not have CoW.

That’s the only true part of this comment.

As for everything else:

Ext4 uses journaling to ensure consistency.

btrfs’ CoW makes it resistant to that issue by its nature; writes go elsewhere anyways, so you can delay the “commit” until everything is truly written and only then update the metadata (using a similar scheme again).

Please read en.wikipedia.org/wiki/Journaling_file_system.

Atemu ,
@Atemu@lemmy.ml avatar

At around 70%, fragmentation issues start becoming apparent with ZFS IIRC. Though they shouldn’t be this apparent.

Atemu ,
@Atemu@lemmy.ml avatar

I don’t see how the default filesystem of the enterprise Linux distro could be considered obscure.

Atemu ,
@Atemu@lemmy.ml avatar

What you just posted concerns the experimental RAID5/6 mode which, unlike all other block group modes, did not have CoW’s inherent safety.

As it stands, there is no stable RAID5/6 support in btrfs. If we’re talking about non-experimental usage of btrfs, it is irrelevant.

Atemu ,
@Atemu@lemmy.ml avatar

Default since RHEL 8. Consider looking up such facts before posting wrong facts.

Atemu ,
@Atemu@lemmy.ml avatar

Made by one of the people who made Lemmy btw ;)

Atemu ,
@Atemu@lemmy.ml avatar

Note that anti-virus can only assert that you are infected, not the opposite.

How is it possible for this track to have so few plays on Spotify? (lemmy.one)

I noticed that the track “Canon (Primo)” by Justice only has 5,815 plays on Spotify, even though every other track on the album has millions of plays. How is this possible? I know it’s just an interlude track that you wouldn’t listen to unless you’re listening to the full album, but still, this play count seems...

Atemu ,
@Atemu@lemmy.ml avatar

Might have been from before that was enforced or a temporary bug.

Atemu ,
@Atemu@lemmy.ml avatar

I’m sure they’re absolutely not allowed to tell anything related to this to the public ;)

Atemu ,
@Atemu@lemmy.ml avatar

That’s a really hacky method and should not be in the manual tbh.

You should be able to update by “installing” your env again though.

It’s a bit overkill but for declarative package management under non-NixOS, I use home-manager’s home.packages option. It does essentially this but wraps it in a nice package and home-manager can do a lot of other things too.

As for flakes: No, you don’t require them to do any of this. They solve an entirely different problem.

Atemu ,
@Atemu@lemmy.ml avatar

That could be Cloudflare or any number of DNS providers out there.

I can highly recommend desec.io for this purpose.

When using AI and machine learning driven features, how much are they processing data locally vs. remotely?

I’m sure it depends on the AI tools and features being used, but with all the “magic” obfuscation from companies surrounding them, it’s not exactly clear how much of the processing is happening locally over remotely....

Atemu ,
@Atemu@lemmy.ml avatar

“Siri” actually does a lot locally, and I assume Google assistant does too.

On what basis? It’s Google, so I would assume any and all data that you could possibly input into their apps and services to be used against you.

Atemu ,
@Atemu@lemmy.ml avatar

Don’t have to re-upload every image from my phone as my network is 100/30 mbps

Is your immich server in a different network? But your photos are already on that server, right?

Atemu ,
@Atemu@lemmy.ml avatar

Reverse proxy can mean different things in different contexts. What kind are we talking?

Atemu ,
@Atemu@lemmy.ml avatar

It’s used in many cases where the machine may not be on the LAN and LAN is a technical term. “Internal” is not and to me signifies that it’s “not public” as well as probably managed by someone, well, internally at the entity you’re with.

Atemu ,
@Atemu@lemmy.ml avatar

Though in the past decade or so, the lines have been blurred between a “dumb” editor and a full-on IDE with the advent of LSP, DAP and the like.

Atemu ,
@Atemu@lemmy.ml avatar

Security-critical C and memory safety bugs. Name a more iconic duo…

I’d have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn’t always easily possible. Could we at least have a coordinated disclosure time each month? That’d be great.

Atemu ,
@Atemu@lemmy.ml avatar

I’m afraid I don’t understand what you’re trying to say.

Atemu ,
@Atemu@lemmy.ml avatar

They did follow that. You can read their disclosure timeline in their report.

Problem is that the devs of glibc aren’t the only people interested in getting glibc patched but us distro maintainers too.

What I would have preferred would be an early private disclosure to the upstream maintainers and then a public but intentionally unspecific disclosure with just the severity to give us distro people some time to prepare a swift rollout when the full disclosure happens and the patch becomes public.

Alternatively, what would be even better would have been to actually ship the patch in a release but not disclose its severity (or even try to hide it by making it seem like a refactor or non-security relevant bugfix) until a week or two later; ensuring that any half-decent distro release process and user upgrade cycle will have the patch before its severity is disclosed. That’s how the Linux kernel does it AFAIK and it’s the most reasonable approach I’ve seen.

Atemu ,
@Atemu@lemmy.ml avatar

I never had prime. The rare times where Amazon is the only reasonable source for something, I either don’t need fast shipping or just pay for it.

Atemu ,
@Atemu@lemmy.ml avatar

nodatacow is a hack and will disable any and all consistency mechanisms for that file’s contents. Tools should not be setting nodatacow for virtual drives, certainly not by default.

Atemu ,
@Atemu@lemmy.ml avatar

Yikes.

[Fixed] Jellyfin video stutters on some files (all MKV it seems)

Hello fellow selfhosters! I reformatted my USB hard drive from exFAT to XFS because I needed a filesystem that could handle hardlinks. I remounted the hard drive and now jellyfin webUI has a severe stuttering problem on some videos, all of them are MKV but it may be a coincidence. On android (using exoplayer) the same files...

Atemu ,
@Atemu@lemmy.ml avatar

That has nothing to do with Jellyfin itself. Any comparable service will have the exact same issue because the root cause is browsers not supporting the container.

Atemu ,
@Atemu@lemmy.ml avatar

Get yourself a domain name. It doesn’t cost a whole lot and also allows you to complete DNS-01 challenges for SSL certs. It’s also, like, your own. That’s also a requirement for owning your email address.
(If you really don’t want to pay and don’t care about email, you can also use a shared domain DNS such as dedyn.io.)

You then simply set records to the Tailscale IP addresses of the hosts and you’re good to go. Alternatively, you can also set them to the hosts’ LAN subnet addresses and forward your subnet via a single subnet router; that’s how I do it.

Atemu ,
@Atemu@lemmy.ml avatar

One “hammer” mitigation to most threats you could conceivably face when self-hosting is to never expose your services to the internet using a firewall. “Securing” your services against a small circle of guests/friends/family members in your home network is a lot simpler than securing against the entire world.
If you need to access your services remotely, there are ways to achieve that without permanently opening a single port to the internet such as Tailscale or ZeroTier.

Otherwise, commonly used tools in self-hosting such as Docker or VMs usually offer quite decent separation even if a service is compromised.

Nothing replaces good security hygiene though. Keep your stuff up-to-date. Use secure methods of authentication such as hard to guess passwords or better. Make frequent backups (3-2-1). The usual.

Atemu OP ,
@Atemu@lemmy.ml avatar

Yeah, I’ve noticed the PayPal issue as well.

Atemu ,
@Atemu@lemmy.ml avatar

Eh, that’s fully enshittified too nowadays.

Atemu ,
@Atemu@lemmy.ml avatar

If I am packaging software for gentoo, all I have to do is translate the build instructions from the project’s documentation to gentoo’s package recipe.

It’s the same for Nixpkgs.

In nix, it seems that it is not that simple and you’ll have to do some exploration. Am I wrong?

In well behaved build systems, it’s likely easier to package than most other distros. If it’s not as well behaved you will have to do some “exploration” and the complexity can get quite out of control if the build system is exceptionally terrible.

Here is the package for the GNU hello program which uses a well-behaved build system:

github.com/NixOS/nixpkgs/blob/…/package.nix

If you ignore the optional passthru.tests, this is very simple. You provide metadata, sources etc. to the generic mkDerivation function and that’s it. The most complex non-standard thing this derivation does is enable the build system’s tests.

You don’t even need to run the provided build instructions because Nixpkgs’ stdenv abstracts those away. If it finds a makefile, it’ll automatically run make and make install with the correct flags for instance. Same for other standard build systems; if you pass cmake into nativeBuildInputs, it’ll attempt to build, install, check etc. using cmake’s standardised interfaces.

If the build system is poorly behaved however (like for instance Anki’s), you will have to get into the weeds and do some rather advanced things:

github.com/NixOS/nixpkgs/blob/…/default.nix

Luckily though, most packages aren’t like this.
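To make the “well-behaved build system” case concrete, here is an added package.nix for a hypothetical autotools project. It is an added example, not the Nixpkgs hello package linked above; the project name, URL and hash are assumptions (the hash is a deliberate placeholder that Nix will reject with the correct value on first build):

```nix
# Added example (not from Nixpkgs): packaging a hypothetical autotools-based
# program "exampletool". Name, version, URL and hash are all assumed.
{ lib, stdenv, fetchurl }:

stdenv.mkDerivation (finalAttrs: {
  pname = "exampletool";
  version = "1.2.3";

  src = fetchurl {
    # Hypothetical release tarball.
    url = "https://example.invalid/releases/exampletool-${finalAttrs.version}.tar.gz";
    # Placeholder: lib.fakeHash never matches; the build failure prints the
    # real hash to paste in, so a wrong or stale tarball cannot slip through.
    hash = lib.fakeHash;
  };

  # No buildPhase/installPhase are written here: stdenv's generic builder
  # detects the configure script and Makefile and runs ./configure,
  # make and make install with the correct --prefix for the output path.
  # (For a CMake project, `nativeBuildInputs = [ cmake ];` would make the
  # cmake setup hook do the equivalent.)

  # The one non-standard thing a well-behaved package usually needs:
  # run the project's own test suite (make check) as part of the build.
  doCheck = true;

  meta = {
    description = "Hypothetical example program built with autotools";
    homepage = "https://example.invalid";
    license = lib.licenses.gpl3Plus;
    platforms = lib.platforms.unix;
    maintainers = [ ];
  };
})
```

Build it with `nix-build -E 'with import <nixpkgs> {}; callPackage ./package.nix {}'` after replacing the placeholder hash.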

Atemu ,
@Atemu@lemmy.ml avatar

In my case I have a number of sockets from spotify, and steam listening on port 0.0.0.0. I would assume, that these are only available to connections from the LAN?

That’s exactly the kind of thing I meant :)

These are likely for things like in-house streaming, LAN game downloads and remote music playing, so you may even want to consider explicitly allowing them through the firewall but they’re also potential security holes of applications running under your user that you have largely no control over.

Atemu ,
@Atemu@lemmy.ml avatar

Proton would still need to make use of it.

Atemu ,
@Atemu@lemmy.ml avatar

But I could easily see nixpkgs implement functions that allow nixos-rebuild switch to use either live patching method, or even implementing one specifically for NixOS.

Sadly, I could not. Live patching requires extensive knowledge of the previous system state and that is the antithesis to NixOS where any system state is fully independent of any other possible system state.

nixos-rebuild switch isn’t very magical at all once you understand this principle.

Live patching is also not really something you want to use or use frequently. It’s more intended for “this super critical box can only be taken down next Saturday but there’s a fix for a 0-day in the kernel today that we need ASAP”. If it’s at all possible to simply reboot, simply reboot (or kexec).
