Nice post and +1 for having a small "hardening" section.
I wish that every systemd example/sample/template came with _extensive_ hardening, since I find it quite confusing. I've used systemd-analyze security <SERVICE> to try to figure out what was needed. For Elixir, I've come up with:
I usually commit often locally and push to remote right away. Then when I want to open up my PR, I use `git reset --soft <target>` where target is the local version of the target branch in my PR. That resets all the commits, but keeps all the changes in the staging area, and then I can clean up my history. Then I force push to override what's there.
This works well for my workflow because we squash all commits into target branches and don't really rely on commit history auditing during review. I understand that's not the case everywhere, but it works for me.
I caution the casual reader against glacier. It's not what it appears at a glance. Your files should be put into a single archive before upload otherwise you'll spend weeks waiting for AWS scripts to manage old files.
I didn't like it initially (years ago, when Docker Swarm was still worth mentioning) but I spent a year+ during the pandemic learning it on work time and porting one of our products. I deployed k3s at home and love it.
Unlike many, we deploy our product on-prem to customers who want to be hands off (not always technical) so I had to get very familiar with deploying and configuring in a variety of environments from bare metal to cloud providers to Raspberry Pi and redeploying over and over, not just the workload but the entire cluster.
While at one time Docker was my preferred method of deploying software everywhere, it's now Kubernetes.
I blogged a 4 part series[0][1][2][3] about the process (read: tutorial) and caveats of deploying K3s to devices like the Raspberry Pi. It also covers monitoring with Influx/Telegraf, rotating logs and reducing writes to SD cards (see the caveats), discusses networking considerations and storage and a few other things I thought might be useful to a beginner.
Kubernetes is my preferred way to deploy any software at home now and I have a basic template for deploying anything that runs in a container with auto-ingress, DNS, certificates (from my internal CA), storage etc all auto-configured.
> Well, because it simply doesn't work for them: returning from a function does not trigger the EXIT signal.
It doesn't trigger EXIT, but it does trigger RETURN. Just trap both:
#!/bin/bash
foo() {
    trap "echo 'Cleanup!'" RETURN EXIT
    #return
    #exit
    echo "Kill me with ^C or \"kill $$\""
    while true ; do : ; done
}
foo # should print 'Cleanup!' on SIGTERM,
    # returning, or calling exit
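An added example (not the commenter's script) that makes the EXIT-versus-RETURN difference measurable: it counts how often a cleanup handler fires after a function returns with each trap setup. It assumes bash, since RETURN is a bash-only trap.

```shell
#!/bin/bash
# Added example, not the commenter's script. Assumes bash: RETURN is a bash-only
# trap, so re-exec under bash if this was started from a plain POSIX sh.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

cleanup_count=0
cleanup() { cleanup_count=$((cleanup_count + 1)); }

# Traps only EXIT: returning from the function does NOT fire cleanup,
# and the EXIT trap it installed stays armed globally after it returns.
exit_only() {
  trap cleanup EXIT
  return 0
}

# Traps RETURN as well: cleanup fires once, when the function returns.
# Without 'set -o functrace' the RETURN trap is saved and restored around
# the call, so it does not linger the way the EXIT trap above does.
return_and_exit() {
  trap cleanup RETURN EXIT
  return 0
}

# Runs both variants and reports the cleanup count after each one.
demo() {
  cleanup_count=0
  exit_only
  local after_exit_only=$cleanup_count   # 0: EXIT did not fire on return
  trap - EXIT                            # disarm what exit_only left behind
  return_and_exit
  local after_return=$cleanup_count      # 1: RETURN fired on return
  echo "$after_exit_only $after_return"
}

demo   # prints: 0 1
```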
Did you, by chance, mistake ad blocking for AdBlock - the browser extension?
42.7% of users globally use ad blockers while Adblock has 65 million users. Surely, 42.7% of users is greater than 65 million.
Also, I don’t understand why you compared page views to users. It’s probably very uncommon for a user to install an ad blocker but also choose to enable or disable it on specific page views.
Edit: Wait... Immersed is available for Linux. For someone who doesn't know what all the requirements are for a VR desktop environment, can anyone list them? Assume I'm thinking about buying the Oculus 2 and want to use it with Linux + Immersed.
"Sagas", or distributed transactions, are what you're looking for.
These are APIs/functions/methods that know how to complete every step of your atomic operation and how to roll it back if any step fails. They more or less recreate what would have been a single database transaction pre-microservice.
That's a very 20th century view of propaganda. Modern propaganda doesn't need to be factually incorrect to be effective, it just needs to direct the attention of the audience in a manner that suits the propagandist. You can push pretty much any agenda in a very convincing manner simply by choosing to emphasise or de-emphasise certain facts; we are in many ways more powerfully influenced by what we consider to be important than what we believe to be true.
If you only read reports of vaccine-related harms, it's easy to come to the conclusion that vaccines are a terrible mistake or even a conspiracy, because human brains aren't very good at prioritising the singular fact that vaccines have saved millions of lives over a constant stream of emotive stories. If you only read about the inconsistencies and errors in contemporary reports of the Holocaust, it's easy to come to the conclusion that the whole thing is exaggerated or an outright hoax, because it's just deeply unpleasant to think about six million corpses.
I don't need to lie to you or dictate what you believe, I just need to influence what you pay attention to; if I control your attention, I can guide you towards a conclusion and make you believe that you came to it of your own initiative.
Note that by not setting rel="noopener noreferrer" on the links you let the linked sites control the opener window (and of course see a detailed referrer header).
> Given enough experts and a drive to make it work, technology finds a way.
Given no experts and not enough users to complain or care about breaking compatibility, technology finds the door.
Does Thunderbird keep a local, accessible copy of whole accounts when using IMAP? Since the traditional way of using IMAP is by keeping the mails on the server and interacting with them via the server, I would think it doesn't.
Personally, I'm using nodejs-notify[1] to watch all mailboxes of all accounts via IMAP IDLE, and have it execute mbsync[2] when it receives an event to sync the account with a local Maildir. I have my MUA (mu4e[3]) configured to use those Maildirs without doing any IMAP itself.
Big fan of Every Frame a Painting. Loved the in-depth breakdowns the channel did, and it really affected the way I look at film as a medium. Sad to hear that it wound down.
For others interested in similar channels, here's my list:
I was very disappointed with the same thing! However, it is very easy to get rid of the resolver-based execution model and turn it into a generalized graph query language. We've done that at my company and it's been working well for us -- here's our blog post: https://blog.kensho.com/compiled-graphql-as-a-database-query...
Plus the use of TemporaryFileSystem and BindPaths to limit the file system.