skilltheamps

joined 6 months ago
[–] skilltheamps 5 points 1 week ago* (last edited 1 week ago)

Genau genommen genauso super wie irgend eine andere Software auszuführen die bei dieser url runter geladen wurde. Der einzige kleine Bequemlichkeits-Unterschied besteht darin, dass wenn man ein Paket für den Paketmanager runterlädt man noch eine Chance hat das ganze wieder sauber zu deinstallieren. Es gibt ja so einen weit verbreiteten Mythos, dass curl in bash zu pipen pauschal unsicherer wäre. Aber die Sicherheit steht und fällt allein mit der Quelle aus der du ungeprüften code ausführst. Entweder du vertraust example.com oder nicht, ob du das mit curl in bash pipest oder auf irgend einem anderen Wege ausführst ist egal. Entweder die shippen malware dann haben sie dich so oder so, oder sie tun es nicht und curl | bash hinterlässt im schlimmsten Fall ein paar unaufgeräumte Dateien irgendwo.

(Der einzige Weg ohne verifizierierung der Quelle Sicherheit herzustellen ist eine sandbox, also z.B. als Flatpak installieren und alle kritischen Berechtigungen wegnehmen)

[–] skilltheamps 1 points 1 month ago* (last edited 1 month ago)

Ein viertel wäre ja eh wenig dafür dass eine ganze hälfte schlauer sein muss (zumindest falls mean=median). Die krux liegt wahrscheinlich eher darin wer behauptet schlauer zu sein

[–] skilltheamps 1 points 1 month ago* (last edited 1 month ago) (1 children)

There are also static export plugins for wordpress. One needs to get rid of comment boxes and such as they don't work then of course. But if all content is already in WordPress, serving just the static export is a low friction solution.

[–] skilltheamps 3 points 2 months ago* (last edited 2 months ago) (1 children)

The DNS server is only one thing you tell the domain, the other is the certificate authority. And those publish all issued certificates as part of certificate transparency. https://en.m.wikipedia.org/wiki/Certificate_Transparency

To mitigate the amount of published information, you can request wildcard certs to keep the subdomains private.

You can also use a wildcard cname entry to capture all subdomains and leave out the pihole faff, given that you use a reverse proxy that forwards to respective services by subdomain.

[–] skilltheamps 54 points 3 months ago (9 children)

How will you provide long term maintenance of their server for a one time payment of 150$?

[–] skilltheamps 3 points 3 months ago* (last edited 3 months ago)

Could you name some then. I don't really see any in the article.

[–] skilltheamps 32 points 3 months ago (3 children)

Nobody gets forced to port kernel stuff to rust. Also the rust compiler takes a lot of burden from maintainers by the safety it enforces.

The whole conflict ist not a technical one, it is entirely human. Some long-term kernel developers don't like people turning up and replacing the code they wrote. Instead of being proud that the concepts they built get to be elevated in a superior implementation, they throw tantrum and sabotage.

[–] skilltheamps 2 points 3 months ago* (last edited 3 months ago)

Be cautious with the answers when asking things like this. In discussion boards like here many are (rightfully) very excited about selfhosting and eager to share what they learned, but may ("just") have very few years of experience. There's a LOT to learn in this space, and it also takes a very long time to find out what is truly foolproof and easily recoverable.

First of, you want your OS do be disposable. And just as the OS should be decoupled, all the things you run should be decoupled from one another. Don't build complex structures that take effort to rebuild. When you build something, that is state. You want to minimize the amount of state you need to keep track of. Ideally, the only state you should have is your payload data. That is impossible of course, but you get the idea.

Immutable distros are indeed the way to go for long term reliability. And ideally you want immutability by booting images (like coreOS or Fedora IoT). Distros like microOS are not really immutable, they still use the regular package manager. They only make it a little more reliable by encouraging flatpak/docker/etc (and therefore cutting down on packages managed by the package manager) and a slightly more controlled update-procedure (making them transactional). But ultimately, once your system is in some way defect, the package manager will build on top of that defect. So you keep carrying along that fault. In that sense it is not immune to "os drift" (well expressed), it is just that drift happens slower. "Proper" immutable distros that work with images are self healing, because once you rebase to another image (could be an update or a completely different distribution, doesn't matter), you have a fresh system that doesn't have anything to do with the previous image. Furthermore the new image does not get composed on your computer, it gets put together upstream. You only run the final result with you know is bit for bit what was tested by the distro maintainers. So microOS is like receiving a puzzle and a manual how to put it together, and gluing it in a frame is the "immutability". Updates are like losening the glue of specific pieces and gluing in new ones. In coreOS you receive the glued puzzle and do not have to do anything yourself. Updates are like receiving an entire new glued puzzle. This also comes down to the state idea: some mutable system that was set up a long time ago and even drifted a bit has a ton of state. A truly immutable distro has a very tiny state, it is merely the hash of the image you run, and your changes in /etc (which should be minimal and well documented!).

Also you want to steer clear from things like Proxmox and generally LXC-containers and VMs. All these are not immutable (let alone immune to drift), and you only burden yourself with maintaining more mutable things with tons of state.

Docker is a good way to run your stuff. Just make sure to put all the persistent data the belongs together in subfolders of a subvolume and snapshot that, and then backup these snapshots. That way you ensure that you meet the requirements for the data(base)'s ACID properties to work. Your "backups" will be corrupted otherwise, since they would be a wild mosaic from different points in time. To be able to roll back cleanly if an update goes wrong, you should also snapshot the image hash together with the persistent data. This way you can preserve the complete state of a docker service before updating. Here you also minimize the state: you only have your payload data, the image hash and your compose.yml.

[–] skilltheamps 9 points 4 months ago (7 children)

When you're maintaining a product that is based on linux, you're surely qualified to port that thing to your platform yourself.

Open source developers are thanklessly giving away their work for free already, and for the many things where there's just a github page it is just a one man show run in spare time. Don't demand them to give away even more of their time to cater for whatever distro you're using, just because you are not willing to invest the time to learn how linux works and also not willing to give a way a few megabytes for the dependencies they're developing against.

All the discussions about things like distrobox and flatpak where linux novices express their dissatisfaction due to increased disk space are laughable. In the linux universe sole users have no power in deciding what goes, they do not pay anything and at worst pollute the bug tracker. Developers are what make up the linux universe, and what appeals to them is what is going to happen. Flatpak is a much more pleasant experience to develop for than a gazillion distros, hence this is where it is going, end of story. As a user either be happy with wherever the linux rollercoaster goes, or - if you want to see change- step up and contribute.

[–] skilltheamps 3 points 5 months ago

The feature I like most about the Google Timeline is the automatic transportation mode detection. It just knows how many kilometres I cycled any day etc. and also aggregates these into a monthly email. And it works completely automatic without fiddling around with anything.

No selfhosted alternative can do this afaik..

[–] skilltheamps 7 points 5 months ago

I think you slipped in the discussion intendations somewhere, this branch of the discussion tree is about the implications of piping curl into bash vs. installing packages

[–] skilltheamps 10 points 5 months ago

By that logic you have to review the Zed source code as well. Either you trust Zed devs or you don't - decide! If you suspect their install script does something fishy, they could do it just as well as part of the editor. If you run their editor you execute their code, if you run the install script you execute their code - it's the same thing.

Aur is worse because there usually somebody else writes the PKGBUILD, and then you have to either decide whether to trust that person as well, or be confident enough for vetting their work yourself.

view more: next ›