I was reading GitLab's documentation (see link) on how to write to a repository from within the CI pipeline and noticed something: The described Docker executor is able to authenticate e.g. against the Git repository with only a private SSH key, being told absolutely nothing about the user's name it is associated with....
EDIT: Noticed you're talking about Gitlab in the question, and I responded about Github, but I'm certain that gitlab does everything the same way, because that's all the technology is capable of. (I have no way to test the ssh -T command at the end for gitlab, though, so ymmv.)
To clear up some minor confusion here:
Github knows nothing about your private key. There's very little metadata stored in the private key, and github.com has access to none of it. That includes email address or identity.
Github has identity information stored for you, and then, separately, you uploaded a public key. The public key also contains no information about you, but github knows it's part of your account. Additionally, github enforces a requirement that your public key can't be uploaded to any other account, for the reason I'm about to state below.
Github has an index built of everyone's public keys (or more likely their digests, although the technical details of the index are not something known to me--and it doesn't matter). When it sees an authentication request, it looks up the digest in the index, which maps to a user account.
At this point it already knows who is trying to authenticate. Once your authentication request succeeds with your public key (the usual challenge-response handshake associated with asymmetric cryptography), github interacts with your ssh client (most likely git) applying the permissions of your user and your user account.
BTW, github has a documented method for testing the handshake without doing any git operations:
ssh -T git@github.com
Depending on your ssh config, you might also need to supply -i some_filename.pem to this. Github will reply with
Hi aarkon! You've successfully authenticated, but GitHub does not provide shell access.
and then close the connection.
Note that the test authentication uses the username git and, again, contains no information about who you are. It's all just looked up on github's side.
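As an added illustration of the lookup described above (this is example code, not GitHub's or GitLab's implementation and not from the original post), the Python below parses an OpenSSH public-key line, computes the same SHA256 fingerprint `ssh-keygen -l` prints, and looks it up in a server-side index that maps fingerprint to account. The 32-byte key values, the account names (including "aarkon") and the comment fields are all constructed for the example; the signature challenge that follows the lookup is not modelled. Two things worth noticing: the comment field (often an email address) is not part of the blob that gets fingerprinted, so it carries no identity for the server, and the index refuses to register one key under two accounts, which is the property that lets the lookup resolve to a single user.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw_pubkey: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from a raw 32-byte Ed25519 key.

    Wire format (RFC 8709): string "ssh-ed25519", string <32 key bytes>.
    """
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str):
    """Return (key_type, blob), checking that the type embedded in the blob
    matches the declared type, as sshd does when reading authorized_keys."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short to contain a key type")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode()
    if embedded_type != declared_type:
        raise ValueError(f"declared {declared_type} but blob says {embedded_type}")
    # The comment field (fields[2:]) is deliberately ignored: it is not part
    # of the key material and the server learns nothing from it.
    return declared_type, blob


def fingerprint_sha256(line: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without '=' padding."""
    _, blob = parse_public_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_index(accounts: dict) -> dict:
    """Map fingerprint -> account name; refuse a key registered on two accounts."""
    index = {}
    for account, lines in accounts.items():
        for line in lines:
            fp = fingerprint_sha256(line)
            if fp in index and index[fp] != account:
                raise ValueError(f"{fp} already belongs to account {index[fp]}")
            index[fp] = account
    return index


def identify(index: dict, offered_line: str):
    """What the server learns from the offered public key alone: an account name, or None."""
    return index.get(fingerprint_sha256(offered_line))


# Constructed sample data: made-up key bytes and account names, not real keys.
ALICE_KEY = bytes(range(32))
BOB_KEY = bytes(range(32, 64))
ACCOUNTS = {
    "aarkon": [make_ed25519_line(ALICE_KEY, "laptop")],
    "bob": [make_ed25519_line(BOB_KEY, "bob@example.com")],
}
INDEX = build_index(ACCOUNTS)

if __name__ == "__main__":
    # The client presents the key with a different comment; the lookup
    # still resolves to the same account because only the blob is hashed.
    offered = make_ed25519_line(ALICE_KEY, "some-other-comment")
    print(fingerprint_sha256(offered), "->", identify(INDEX, offered))
```

Run it directly and it prints the fingerprint of the constructed key and the account it resolves to; swap in a real `ssh-ed25519 ...` line from your own `~/.ssh/*.pub` and the fingerprint will match what `ssh-keygen -lf` reports for that file.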
I don't agree with him, and representation of particular minority groups, including gender minorities, is important when they are particularly under attack. It is important to actively resist the marginalization of groups under attack by elevating their voices.
That said, I'm not sure what Jon did was actually "actionable". I'd say, stop listening to him and treating him as a leader? As someone with lots of close trans friends, I think this guy lowkey sucks, but I think this suspension is weird.
Jon Ringer's actual actions did include pushback against representation for trans people. I'll take your word for it that this article didn't mention those exchanges; I'm not readin' all that.
Terraform and OpenTofu are great tools for building virtual infrastructure, e.g. using AWS API calls to spin up AWS virtual machines and provision them with networks and security relationships and stuff like that--in an automated, repeatable way. They are generalized tools for deploying and modifying infrastructure, even if it's not in the cloud (there are many tools in these frameworks that apply to self-hosted setups).
The rest of the words after "Terraform fork" are just the names of companies that decided to help OpenTofu, and are not especially helpful in understanding what it is or what it's used for.
“I've been told that I need to stop this eclipse and I do not have the authority to do that. So yes, people are really concerned. But we're just trying to prepare them.”
This is something I have thought a lot about recently since I recently saw a project that absolutely didn't care in the slightest about this and used many vendor specific features of MS SQL all over the place which had many advantages in terms of performance optimizations....
In almost 30 years I've never seen anyone actually switch databases underneath an existing product. I have worked at one place where generic database APIs were required because it was a product that supported multiple databases, but no individual customer was really expected to switch from one database to another, that's just how the product was written.
I have heard of this happening, but it's the kind of thing that happens in one of two scenarios:
Very early in a product's lifetime the developer (probably a startup) realizes the database they chose was a poor choice. Since the product doesn't even exist yet, the switching cost is low, and generic database use wouldn't have helped.
A management shakeup in a very mature product causes the team to switch databases. This is, as you observed, usually part of a major rewrite of some kind, so lots of things are going to change at once. Also--critically--this only happens with companies that have more money than sense. Management doesn't mind if it takes a long time to switch.
It won't go smoothly, at all, but nobody actually cares, so generic database use wouldn't have helped.
Wild, so it would suggest that the actor wasn't Chinese at all. An authentic Chinese person probably wouldn't choose a name that sounded like that, any more than I would name myself Sean MacBerkowitz, it would just sound wrong.
A random name generator might produce something like this, of course, if it wasn't programmed to be too picky.
I agree with you and understand what you're saying but I'd like to clarify that "sociopath" is just the newer psychology term for "psychopath". They're the same.
I went with the second one--more ram. Anecdotally, some people think beelink is more reliable but this is not a universal opinion, and my experience has been that the minisforum is extremely reliable.
If you search similar you can find options both up and down depending on your actual budget. You probably don't want to do components on these things, apart from maybe putting in a bigger m.2 nvme.
I definitely had rogue legacy in mind! Great game, but I don't think it leaned hard enough into just how grim and manipulative the whole enterprise is. Also I think you could have a lot of fun with the "marketing" mechanics, like, can the fairies explore the "real" world at all to find the right place to leave their macguffins? Can they leave better "bait", like magical books for the chosen kids to find, or even a shiny sword where it doesn't belong? Maybe they can recruit agents in the real world whose only job is to guide kids into their meat grinder.
I can answer this one, but mainly only in reference to the other popular solutions:
nginx. Solid, reliable, uncomplicated, but. Reverse proxy semantics have a weird dependency on manually setting up a dns resolver (why??) and you have to restart the instance if your upstream gets replaced.
traefik. I am literally a cloud software engineer, I've been doing Linux networking since 1994 and I've made 3 separate attempts to configure traefik to work according to its promises. It has never worked correctly. Traefik's main selling point to me is its automatic docker proxying via labels, but this doesn't even help you if you also have multiple VMs. Basically a non-starter due to poor docs and complexity.
caddy. Solid, reliable, uncomplicated. It will do acme cert provisioning out of the box for you if you want (I don't use that feature because I have a wildcard cert, but it seems nice). Also doesn't suffer from the problems I've listed above.
Heh. I am, as I said, a cloud sw eng, which is why I would never touch any solution that mentioned ansible, outside of the work I am required to do professionally. Too many scars. It's like owning a pet raccoon, you can maybe get it to do clever things if you give it enough treats, but it will eventually kill your dog.
dynamic inventory on AWS means the ansible interpreter will end up with three completely separate sets of hostnames for your architecture, not even including the actual DNS name. if you also need dynamic inventory on GCP, that's three completely different sets of hostnames, i.e. they are derived from different properties of the instances than the AWS names.
btw, those names are exposed to the ansible runtime graph via different names i.e. ansible_inventory vs some other thing, based on who even fuckin knows, but sometimes the way you access the name will completely change from one role to the next.
ansible-vault's semantics for when things can be decrypted and when they can't leads to completely nonsense solutions like a yaml file with normal contents where individual strings are encrypted and base64-encoded inline within the yaml, and others are not. This syntax doesn't work everywhere. The opaque contents of the encrypted strings can sometimes be treated as traversable yaml and sometimes cannot be.
ansible uses the system python interpreter, so if you need it to do anything that uses a different Python interpreter (because that's where your apps are installed), you have to force it to switch back and forth between interpreters. Also, the python setting in ansible is global to the interpreter meaning you could end up leaking the wrong interpreter into the role that follows the one you were trying to tweak, causing almost invisible problems.
ansible output and error reporting is just a goddamn mess. I mean look at this shit. Care to guess which one of those gives you a stream which is parseable as json? Just kidding, none of them do, because ansible always prefixes each line.
tags are a joke. do you want to run just part of a playbook? --start-at. But oops, because not every single task in your playbook is idempotent, that will not work, ever, because something was supposed to happen earlier on that didn't. So if you start at a particular tag, or run only the tasks that have a particular tag, your playbook will fail. Or worse, it will work, but it will work completely differently than in production because of some value that leaked into the role you were skipping into.
Last but not least, using ansible in production means your engineers will keep building onto it, making it more and more complex, "just one more task bro". The bigger it gets, the more fragile it gets, and the more all of these problems rear their heads.
Really all of these have solutions, but they're constantly biting you and slowing down development and requiring people to be constantly trained on the gotchas. So it's not that you can't make it work, it's that the cost of keeping it working eats away at all the productive things you can be doing, and that problem accelerates.
The last bullet is perhaps unfair; any decent system would be a maintainable system, and any unmaintainable system becomes less maintainable the bigger your investment in it. Still, it's why I urge teams to stop using it as soon as they can, because the problem only gets worse.
Well people use ansible for a wide variety of things so there's no straightforward answer. It's a Python program, it can in theory do anything, and you'll find people trying to do anything with it. That said, some common ways to replace it include
you need terraform or pulumi or something for provisioning infrastructure anyway, so a ton of stuff can be done that way instead of using ansible. Infra tools aren't really the same thing, but there are definitely a few neat tricks you can do with them that might save you from reaching for ansible.
Kubernetes + helm is a big bear to wrestle, but if your company is also a big bear, it's worth doing. K8s will also solve a lot of the same problems as ansible in a more maintainable way.
Containerization of components is great even if you don't use kubernetes.
if you're working at the VM level instead of the container level, cloud-init can allow you to take your generic multipurpose image and make it configure itself into whatever you need at boot. Teams sometimes use ansible in the cloud-init architecture, but it's usually doing only a tiny amount of localhost work and no dynamic inventory in that role, so it's a lot nicer there.
maybe just write a Python program or even a shell script? If your team has development skills at all, a simple bespoke tool to solve a specific problem can be way nicer.
And you'll notice that the entry under "Torrents" does not actually match the name you typed into your description text, as yours has two sevens. Crafty indeed, and they could stand to make this a little more obvious in the document.
This article does not actually establish any meaningful blame for Elon Musk in Naomi Wu's plight.
Sorry, yes Elon Musk is the reason Twitter is shitting itself to death, but that doesn't make Elon the main person responsible for Naomi's problems. It's probably not even top 10. It's weird to call him out in this.
This is incorrect. It's true that most (in fact, I would say almost all) forks go nowhere but that doesn't mean forking isn't incredibly valuable. Even the example you cite, "original project is dead", isn't just incidentally useful, it's critical to open source. Other examples include:
project's core team is part of a for profit org that is moving the project in a bad, profit motivated direction;
project's leader suddenly and dramatically loses respect (maybe he killed his wife or something);
project's leader dies without leaving a digital will regarding who controls the core repo;
project continues to direct effort into features while failing to address major security concerns;
project is healthy and useful in every way but there is an important use case not being addressed, and the fork would address it.
Even if 99% of forks fail, that's irrelevant because 99% of original projects fail in the same ways. Forks are critical to open source.
Without SSL on the LAN side of a reverse proxy, I presume that all traffic between the server and the reverse proxy is unencrypted and, thus, accessible to any device on the LAN....
There are actually technical requirements for HIPAA compliance (HITRUST or HITECH, or maybe both, idr any more). Essentially no HPI (healthcare information about an individual), unencrypted, in transit, ever. Also, not unencrypted on disk, ever. The idea is that if your network security slips and someone manages to place a traffic snoop somewhere, they still can’t listen in.
It’s almost never a requirement (and very rarely implemented) in mid- to low-risk security situations, and even for HIPAA entities, encryption in transit is usually implemented with an encrypted layer 3 of some kind. But I could see a fairly simple high-risk app needing the network to contain nothing in plaintext.
Unless you’re Jason Bourne, I doubt you need it for your homelab.
Loving the NUC. You’re paying about what I paid and getting twice the RAM and twice the SSD space, so, from where I’m sitting, it looks like a good deal. I’ve got 4 VMs running on mine–and one of those is running about 8 containerized apps–so I’d say you should have room to do whatever you want with that bad boy.
If you’re doing any kind of media center, I would definitely prioritize high speed Internet and hardwired connections as well. I hardwired my whole house for my project.
I added a 4TB external drive to mine, which should easily fit within your budget, and I’d recommend it if, again, you’re doing media stuff.
hth. In truth my setup is also to experiment with automation and it’s a fun hobby, so more power to you! Getting to watch some very fast streaming TV is a bonus.
Meta just announced that they are trying to integrate Threads with ActivityPub (Mastodon, Lemmy, etc.). We need to defederate them if we want to avoid them pushing their crap into fediverse....
Then go join threads.net? Nobody’s stopping you from doing that. That would put you on a server friendly to your beliefs.
Server admins also have opinions, and are not required to take a democratic vote and each individual user’s choice into account. They can decide for themselves, and they will, for good or ill. If you don’t like where it ends up, your user decision should be to fuck off to threads.
Do you know why Facebook paid a billion dollars for Instagram? Instagram wasn’t worth that much. It wasn’t generating a billion dollars in revenue. It probably still doesn’t.
Facebook bought Instagram because Instagram was a growing app that was popular with a demographic Facebook wanted to control. They spent a billion dollars to eliminate a growing threat.
Mastodon and, to a lesser extent, Lemmy, represent a growing threat. Not a very big one right now, but it could become a bigger one. It could become another billion dollar problem for the goliaths on the Internet, in a few years. They need to have total control; if a social media app starts to fragment, it just collapses instead, as users decide to go wherever the other users are.
Facebook’s 1000:1 user ratio would make Lemmy irrelevant and stave off that billion dollar problem for Facebook down the road. An incredibly cheap way to kill a tiny but growing competitor.
Ok I have a question. I’m kinda a noob when it comes to privacy. I’ll follow the guides and do the things to try to minimize ad companies selling my data etc....
It’s basically always this. Your phone in the same room with someone else’s phone. This is stronger around christmas when people are looking for gift ideas, so they push this mind control shit on you even harder.
It’s not actually listening to you–that’s been debunked multiple ways–but what it’s doing instead is arguably worse.
They literally give you a locker when you go in for an MRI because you have to spend so long naked. This was never a problem for her. She’s just stupid.
My problem with it is it’s a waste of a ring slot. The odds of this helping you at all are minuscule. Fighting enemies that attack within a range of <=22? This ring doesn’t help you at all.
Recently I have decided that the backup solution I have been using is far too complex for my family to figure out when I die. I began writing documentation on how they can access photos, videos, documents and so on. In that process I thought, I gotta make this simple....
While that’s true, op has rightly raised the issue of photos, videos and documents meaning things that were created by them and uniquely meaningful to the family. If those only exist within the self hosting Rube Goldberg machine, they’re not coming back out without careful documentation.
I would also add anything created by me, so art, my personal writing and drafts, software I haven’t released yet, and so on.
Normally this is obviously correct, but in this case, we have to consider how tall the characters are. As a DM, I would rule that if any part of the character (their actual person, not including, say, the reach of the sword they’re holding) is within the 30’ circle, or could be if they actively collaborated with the cleric using free actions, then the bless would affect them.
There’s also a few definitions we need to talk about:
if the cleric (we’ll call them Carl) is 30’ in the air, that is understood to mean that if the spell holding them up there fails, they will fall 30’. By the same token, a character 0’ in the air can only fall 0’. We can infer that Carl’s feet (or the bottom part of the PC, at any rate) are 30 feet in the air.
we consider Carl to be in the center of the 5x5 grid square in the plane A formed 30’ above the flat terrain.
the “allies are 20ft away” part is a bit too fuzzy for this to work (how many allies? which ones? they can’t all occupy the same grid square unless they’re tiny), so we’ll have to make some calls here. Let’s just consider one ally, Alice, who is 20’ away.
We consider Alice to be in the center of her grid square, in the plane T formed by the flat terrain.
When we say Alice is “20ft away” from Carl, we mean that a perpendicular line drawn through the cleric intersects with T at the center of a grid square in A–we’ll call this square C(T) and Carl’s square at current altitude C(A), and the center of C(T) is 20’ from the center of Alice’s square A(T). Visualized as a battle grid you would have C ◻◻◻ A in plane T, with 3 empty squares separating them. On a physical table, Carl would also probably be standing on a little platform or a d6 to indicate altitude.
“Range: 30ft” 30 feet from what? Definitely not Carl’s god, they’re probably not even in the room. Maybe we mean 30ft from Carl’s 3rd chakra, or maybe it’s just 30ft from any part of Carl’s person. That seems easier, let’s go with that one.
Based on some anthropometric data I found very quickly, the average human woman has a vertical reach of about 77 inches or 6’ 5". That’s naked, and she’s probably wearing boots, let’s add another inch for the soles so 6’ 6".
We can give her a little bit more of an advantage as well; the shortest path between Alice and Carl is a straight line following the radius of the sphere, so she could “lean in” a bit with her arm to get closer. She can’t go a full 45 degrees without falling prone though, so this only adds a little. Without a posable figure and a 3d model of the space in front of me I couldn’t tell you how much she could reasonably add by pointing her body and hand at an angle, so let’s just call it 2 more inches and keep measuring vertically.
We’ll call the apex of her fingertips at 80 inches above T a new plane F, and A(F) is the point where she touches that plane with her fingers.
Now we get to actually apply the Pythagorean theorem. It’s a triangle formed by the points (C(A) -> A(A) = 240") as leg 1 and (A(A) -> A(F) = 280") as leg 2. The hypotenuse, then, is 368 inches.
30ft is 360 inches. Is 80 inches of Alice enough to put a fingertip through any part of a 30ft sphere around Carl’s feet?
You might not understand channels people mention in day to day talk from youtube or references.
Hahaha jesus nah, the only time I ever hear people mention streamers or youtubers is to go “Who the hell is THAT? they did WHAT to their underage fans?” And then I immediately stop caring about them.
I’ve been using fastmail for a few months now. Besides being a really top-notch replacement for gmail and even adding a few features, it also onboards you by giving you a couple quick fields to fill out and then immediately imports everything you had in gmail. And then it keeps importing it, continuously, as long as you want.
It’s not like I’m paying for gmail, so I’ll keep the account alive as long as I need while I switch all the same accounts and records that you are (validly) mentioning as a barrier. I could actually do most of it in one sweep, if I just searched for my old email address in 1password, but it’s not really that time-sensitive to switch, and in the meantime I get to use fastmail.
The dynamic applies to anything where you are expected to make regular payments.
Renting an apartment? Landlord wants to see you and fix your shit as little as possible.
Renting a car? They want you to drive it as little as possible so they can keep renting it for as long as possible. Maybe they’re charging you by the mile, too, just to cover that base completely.
SSH login without user name? ( docs.gitlab.com )
I was reading GitLab's documentation (see link) on how to write to a repository from within the CI pipeline and noticed something: The described Docker executor is able to authenticate e.g. against the Git repository with only a private SSH key, being told absolutely nothing about the user's name it is associated with....
Kristi Noem Suggests Biden’s Dog Should Have Been Killed, Too ( www.nytimes.com )
Much ado about "nothing" - Xe Iaso (==Goodbye NixOS) ( xeiaso.net )
https://discourse.nixos.org/t/much-ado-about-nothing/44236...
Our Response to Hashicorp's Cease and Desist Letter | OpenTofu ( opentofu.org )
https://feddit.nu/pictrs/image/c2330506-c03b-4012-bed5-873302f291a4.png...
Microsoft is silently installing Copilot onto Windows Server 2022 ( mastodon.gamedev.place )
https://lemmy.ml/pictrs/image/51faa0ca-2b47-4eba-bc8c-d9edabba5ca9.png
Residents Beg Michigan Mayor to Stop Solar Eclipse - He Scientifically Can't ( rivergrandrapids.com )
“I've been told that I need to stop this eclipse and I do not have the authority to do that. So yes, people are really concerned. But we're just trying to prepare them.”
Genuine Question - have you migrated DBMS on a Production System which wouldn't have been possible with vendor lock-in on the backend?
This is something I have thought a lot about recently since I recently saw a project that absolutely didn't care in the slightest about this and used many vendor specific features of MS SQL all over the place which had many advantages in terms of performance optimizations....
I believe the term is "get rekt noob" ( ttrpg.network )
My rogue uses her performer persona while traveling. Innkeepers love her.
“the lesson *I'm* choosing to take from xz, as an oss maintainer, is that anyone trying to pressure or guilt me into doing something should immediately be told no, for security reasons” ( crabby.fyi )
Boeing whistle-blower found dead by suicide ( www.bbc.com )
Coincidentally, it was only 1 day before he was scheduled to make his deposition against Boeing.
Replacement Proxmox (media/VPN torrent server) hardware suggestions
Hey everyone!...
Exxon CEO blames public for failure to fix climate change ( thehill.com )
And this is my new campaign plan ( lemmy.world )
Italy’s new Piracy Shield has just gone into operation and is already harming human rights there ( walledculture.org )
this can't be real. is it? ( lemmy.ml )
Well I think I failed that test ( lemmy.world )
AI chatbots tend to choose violence and nuclear strikes in wargames ( www.newscientist.com )
After 1.5 years of learning selfhosting, this is where I'm at ( lemmy.dbzer0.com )
@selfhosted...
Megathread seemingly has a contradiction. What am I missing?
In the Megathread, section 3-12 (Unsafe Sites), under "All Purpose", the first entry is 1377x-to, reason listed as...
Maker Naomi Wu is Silenced by Chinese Authorities (And Why I Blame Elon Musk) ( skepchick.org )
Some of y'all need to see this and drop the superiority complex... ( lemmy.world )
Image shows a tweet with the header "and people STILL try to convince me Linux and Windows are better when the DATA clearly shows otherwise. SMH"...
TIL that operating system Linux is an example of anarcho-communism ( en.wikipedia.org )
Do any of you have that one service that just breaks constantly? I'd love to love Nextcloud, but it sure makes that difficult at times ( lemmy.world )
When is it necessary to have SSL on the LAN side of a reverse proxy (between the reverse proxy and the server)?
Without SSL on the LAN side of a reverse proxy, I presume that all traffic between the server and the reverse proxy is unencrypted and, thus, accessible to any device on the LAN....
Recommendations on first Homelab hardware: NUC or not?
Hi,...
Dear server admins, please defederate threads.net. Dear users, ask your server admin to defederate threads.net. ( mstdn.social )
Meta just announced that they are trying to integrate Threads with ActivityPub (Mastodon, Lemmy, etc.). We need to defederate them if we want to avoid them pushing their crap into fediverse....
iPhone is listening
Ok I have a question. I’m kinda a noob when it comes to privacy. I’ll follow the guides and do the things to try to minimize ad companies selling my data etc....
Woman Enters MRI Machine With a Gun, Gets Shot in Butt ( gizmodo.com )
Arrrrrrrrrr ( lemmy.world )
Does a 28 hit? No. ( lemmy.world )
After I’m Gone Backup Solution
Recently I have decided that the backup solution I have been using is far too complex for my family to figure out when I die. I began writing documentation on how they can access photos, videos, documents and so on. In that process I thought, I gotta make this simple....
It comes up more often than you'd think ( startrek.website )
Is gmail the easiest Google service to replace or what?
Gmail is an email service. Like the fediverse, email is federated....
[Louis Rossmann] Piracy is COMPLETELY justified: Louis tries NetFlix and remembers why ( odysee.com )