- In the Netherlands the public broadcaster still publishes news through Teletekst:
https://tweakers.net/reviews/11700/hoe-werkt-het-vernieuwde-...
- It's open source. Somebody will simply publish an AUR package with a custom kernel that is one command away. You're underestimating the capability of motivated nerds to make a good UX when needed :p. This is how we ended up with SteamOS in the first place.
But given that the Linux kernel is monolithic and you can enforce signing of kernel modules too, using the TPM to make sure the kernel isn't tampered with is honestly the way to go.
- I hate everything about the Claude Code plugin system. They saw the GitHub Actions supply chain fiasco and said: great, let's add hallucinations on top.
It's that bad. It's embarrassingly bad.
No lock files. Nothing. And then most plugins in turn install MCPs from PyPI with uvx, so you have two layers of no pinning.
It's a supply chain nightmare. It's so bad that I'm ashamed for our industry.
- FWIW I maintain an official implementation of the journal wire format in Go now:
https://github.com/systemd/slog-journal so you can at least log to the journal now without CGO.
But that's just the journal wire format, which is a lot simpler than the disk format.
I think a journal disk format parser in Go would be a neat addition.
- Given that 50-70% of the critical services I use in my daily life (healthcare, government, banking, insurance) all go through Cloudflare this practically means everything that is important to me as an individual is being actively intercepted by a US entity that falls under NSA's control.
So for all intents and purposes it's equivalent.
My point is: it's very hypocritical that we as industry professionals are complaining about poor corporates being MITM'd whilst we're perfectly fine enabling the infringement of the fundamental human right to privacy of billions of people by fronting all the shit that we build with Cloudflare in the name of "security".
I find the lack of ethical compass in this regard very disturbing personally.
- Complains about TLS inspection, yet fronts their website on the biggest and most widely deployed TLS introspection middlebox in the world ...
Why do we all disdain local TLS inspection software yet half the Internet terminates their TLS connection at Cloudflare who are most likely giving direct access to US Intelligence?
It's so much worse as it's infringing on the privacy and security of billions of innocent people whilst inspection software only hurts some annoying enterprise folks.
I wish we all hopped off the Cloudflare bandwagon.
- The previous version was in bash. With this change you can build a NixOS image not containing bash or any shell whatsoever. Not having interpreted languages on the system at all is an effective hardening technique combined with a verity store containing all your executables, as it makes it impossible for attackers to add new executable files to the system, which stops almost all attack vectors.
You can read about the project here: https://github.com/NixOS/nixpkgs/issues/428908
- They do have, and apparently the scale of the repo is actively breaking things: https://discourse.nixos.org/t/nixpkgs-core-team-update-2025-...
- It's just incomplete and very early days for Landlock.
Landlock requires you to commit upfront to what is "deny-default"ed, but they only added a control for TCP socket bind and nothing else. So you can "default-deny" TCP bind, but all the other socket paths in the kernel are not guarded by Landlock. It tries really hard to have the commit of features be an integral part of the Landlock API, so that you can have an application able to run on multiple kernel versions that support different parts of the Landlock spec. But that means that as they develop the API, the older versions of Landlock need to be less restrictive than newer versions, otherwise programs don't work across kernel versions.
That way, a program that is very restrictive on, say, kernel 6.30 can also run on kernel 6.1 with fewer restrictions. The program keeps functioning the same way (never break userspace). The only way to do that is to have the developer explicitly state which parts need to be restricted, and you can't restrict what isn't implemented yet.
They're planning to extend it to all socket types. This is also mentioned in the linked article: https://github.com/landlock-lsm/linux/issues/6
I guess if you want to run without networking at all today you can just unshare into a fresh network namespace, or maybe use seccomp strict mode.
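The "commit upfront, but only to what this kernel implements" pattern described in the comment above, as an added example that is neither the commenter's code nor anything from the Landlock project: the program probes the kernel's Landlock ABI version, handles only the rights that version knows about (filesystem rights from ABI 1 onward, TCP bind/connect from ABI 4), and so runs on old and new kernels with fewer or more restrictions. The syscall numbers and bit values are copied from the kernel's UAPI header; the `ll_` names and the helper functions are my own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Constants copied from linux/landlock.h so this builds without that header;
 * each right is tagged with the Landlock ABI version that introduced it. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_FS_ABI1         0x1fffULL    /* execute .. make_sym, ABI 1 */
#define LL_FS_REFER        (1ULL << 13) /* ABI 2 */
#define LL_FS_TRUNCATE     (1ULL << 14) /* ABI 3 */
#define LL_FS_IOCTL_DEV    (1ULL << 15) /* ABI 5 */
#define LL_NET_BIND_TCP    (1ULL << 0)  /* ABI 4 */
#define LL_NET_CONNECT_TCP (1ULL << 1)  /* ABI 4 */
/* struct landlock_ruleset_attr as of ABI 4: filesystem and TCP rights. */
struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
/* Ask the kernel which Landlock ABI it implements; 0 means unavailable. */
int landlock_abi(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? 0 : (int)v;
}
/* Everything we want denied by default, masked to what this ABI can enforce:
 * handling a right the kernel does not know yet makes create_ruleset fail. */
uint64_t fs_mask_for_abi(int abi) {
    uint64_t m = LL_FS_ABI1;
    if (abi >= 2) m |= LL_FS_REFER;
    if (abi >= 3) m |= LL_FS_TRUNCATE;
    if (abi >= 5) m |= LL_FS_IOCTL_DEV;
    return m;
}
uint64_t net_mask_for_abi(int abi) {
    return abi >= 4 ? (LL_NET_BIND_TCP | LL_NET_CONNECT_TCP) : 0;
}
/* Deny-by-default with no allow rules: the process keeps running but can no
 * longer open files or bind/connect TCP sockets, as far as this ABI allows. */
int main(void) {
    int abi = landlock_abi();
    if (abi == 0) { fprintf(stderr, "Landlock unavailable, running unsandboxed\n"); return 0; }
    struct ll_ruleset_attr attr = { fs_mask_for_abi(abi), net_mask_for_abi(abi) };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) { perror("landlock_create_ruleset"); return 1; }
    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); /* required before restrict_self */
    if (syscall(__NR_landlock_restrict_self, fd, 0) < 0) { perror("landlock_restrict_self"); return 1; }
    printf("ABI %d: TCP bind/connect %s\n", abi, abi >= 4 ? "denied" : "not enforceable");
    return 0;
}
```

On a kernel older than ABI 4 the net mask is zero, which is exactly the comment's point: the binary keeps working there, just without the TCP restriction it would get on a newer kernel.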
- And it should've been NixOS after!
It did slowly sneak in over time, I guess. In the last year of my master's, the faculty was eventually forced to stop hosting its own intranet and mailing lists and migrate everything to the "cloud" (Microsoft 365 and Blackboard).
I have a copy at home of all the old wiki content and the old cs.uu.nl website. The university itself didn't even think they should archive it, so I archived it myself.
I hope there are other people with copies too. My archive isn't complete.
- I studied at Utrecht University and all the programming classes in the Bachelor were C#, Visual Studio, XNA, DirectX. Windows. The database class I had to learn in proprietary Microsoft tools too. All Microsoft stuff. Sure, nobody would complain if you did stuff on Linux, but all the support by TAs and teachers was on Microsoft platforms only. The Master was much better, but the Bachelor basically was grooming people to become Microsoft consultants.
If the rot starts at the core of your education curriculum, there is no saving your dependence on Microsoft.
I always found this choice to teach people proprietary technologies in a public institution puzzling. This was before .NET Core and VS Code were a thing, and Microsoft hadn't whitewashed themselves to look like an open source friendly brand yet.
- https://romailler.ch/project/eddsa-fault/
I think this can be solved by using hedged EdDSA (Signal does this).
- Yep, that's what I do! I have two SSH CAs stored on two YubiKeys. And both are trusted by my servers.
If I lose one I can still sign new certs with the other.
https://github.com/arianvp/nixos-stuff/blob/master/modules/s...
- These aren't synced over iCloud.
What you're thinking of are Passkeys, which are synced. Somebody would have to write a SecurityKeyProvider that talks to the Passkey API instead.
Actually, I don't think it's completely impossible. The only thing is that passkeys are origin-bound. They belong to a specific AppBundle ID or domain name. If, say, Secretive added passkey support, then that specific public/private keypair can't be used by another app. Though it does sync across instances of the app across devices.
Error: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-consideration....
On Android