KAMSPioneer commented on Make Your Own Backup System – Part 1: Strategy Before Scripts   it-notes.dragas.net/2025/... · Posted by u/Bogdanp
zeec123 · a month ago
> My preferred solution is to let client only write new backups, never delete.

I wish for syncoid to add this feature. I want it to only copy snapshots to the backup server. The server then deletes old snapshots. At the moment it requires delete permissions.

KAMSPioneer · a month ago
You can do this by using a dedicated syncoid user and ZFS delegated permissions: https://openzfs.github.io/openzfs-docs/man/master/8/zfs-allo...

You'll need to add the --no-elevate-permissions flag to your syncoid job.

KAMSPioneer commented on Why I no longer have an old-school cert on my HTTPS site   rachelbythebay.com/w/2025... · Posted by u/mcbain
dingaling · 3 months ago
> the session key cannot be recovered

Of course it can, but only for that specific session.

KAMSPioneer · 3 months ago
No, my GP is correct: if the server's RSA private key is compromised it does not allow decryption of any previously-recorded sessions.

You would need to compromise the _ephemeral session key_ which is difficult because it is discarded by both parties when the session is closed.

Compromising the RSA key backing the certificate allows _future_ impersonations of the server, which is a different attack altogether.

KAMSPioneer commented on Show HN: Sshsync – CLI tool to run shell commands across multiple remote servers   github.com/Blackmamoth/ss... · Posted by u/blackmamoth
revskill · 3 months ago
Ansible doesn't work on windows.

Stop assuming your method works across the universe of edge cases.

KAMSPioneer · 3 months ago
I mean, Ansible isn't the best choice for Windows configuration, I would agree, but you're not strictly correct: https://docs.ansible.com/ansible/latest/os_guide/windows_usa...
KAMSPioneer commented on Two new PebbleOS watches   ericmigi.com/blog/introdu... · Posted by u/griffinli
bigstrat2003 · 5 months ago
That makes no sense. Profit, by definition, is net. If you still have to pay costs out of some money, then it isn't profit.
KAMSPioneer · 5 months ago
Gross and net profit are each their own concept: https://www.investopedia.com/ask/answers/101314/what-are-dif...
KAMSPioneer commented on Tesla created secret team to suppress driving range complaints (2023)   reuters.com/investigates/... · Posted by u/mathgenius
SkyPuncher · 6 months ago
When you understand how the EPA actually tests this, it makes sense. "Highway" isn't anything like what most people think it is. It's not cruising at 75mph with no traffic on a major interstate. It's more like busy country road driving.

> The "highway" program, on the other hand, is created to emulate rural and interstate freeway driving with a warmed-up engine, making no stops (both of which ensure maximum fuel economy). The vehicle is driven for 10 miles over a period of 12.5 minutes with an average speed of 48 mph and a top speed of 60 mph

Further, the force of drag grows exponentially with speed. Going 75mph on the interstate is massively less fuel efficient than 48mph.

https://auto.howstuffworks.com/fuel-efficiency/fuel-economy/...

KAMSPioneer · 6 months ago
I'm sorry but this is a pet peeve of mine: drag force does not scale exponentially with velocity, it scales with the square of velocity. Your point stands, of course.
KAMSPioneer commented on Fly To Podman: a script that will help you to migrate from Docker   github.com/Edu4rdSHL/fly-... · Posted by u/edu4rdshl
windexh8er · 6 months ago
The point is that RedHat went on a tirade for years telling everyone: "Docker bad, root! Podman good, no root! Docker bad, daemon! Podman good, no daemon!".

And then here comes Quadlets and the systemd requirements. Irony at its finest! The reality is Podman is good software if you've locked yourself into a corner with Dan Walsh and RHEL. In that case, enjoy.

For everyone else the OSS ecosystem that is Docker actually has less licensing overhead and restrictions, in the long run, than dealing with IBM/RedHat. IMO that is.

KAMSPioneer · 6 months ago
But...you don't need systemd or Quadlets to run Podman, it's just convenient. You can also use podman-compose (I personally don't, but a coworker does and it's reasonable).

But yeah I already use a distro with systemd (most folks do, I think), so for me, using Podman with systemd doesn't add a root daemon, it reuses an existing one (again, for most Linux distros/users).

KAMSPioneer commented on Fly To Podman: a script that will help you to migrate from Docker   github.com/Edu4rdSHL/fly-... · Posted by u/edu4rdshl
pydry · 6 months ago
I'm fully on board with the idea that root daemons shouldn't be necessary; I just don't want systemd to become a dependency for yet again something else it shouldn't be a dependency for.
KAMSPioneer · 6 months ago
Podman runs on FreeBSD without systemd, so there you go.
KAMSPioneer commented on IPv6 Is Hard   techlog.jenslink.net/post... · Posted by u/miyuru
aboardRat4 · 6 months ago
>Most consumer routers also implement a stateful firewall with deny-by-default inbound policy.

No they don't.

Most ISP boxes only implement the bare minimum of functions to make sure that youtube is available to the users. Which includes NAT, because otherwise youtube does not work, and does not include anything else.

KAMSPioneer · 6 months ago
Well, that's news to me. I don't use consumer routers myself, but I know lots of folks who do. Now, I won't say that I go investigating their home networks, but IPv6 is rather prevalent among the discount ISPs where I live, and I know of at least two coworkers who have an IPv6 firewall by default with their router.

Anyway, NAT is costlier than a firewall. It uses more memory, it requires rewriting packets on-the-fly, and typically if you're using embedded Linux (I'll assume that the vast majority of consumer devices for this are) then you're already using `iptables` or `nftables` to get NAT functionality. It is comparatively to set default inbound/forward drop policies.

But yes, I should have said "in my experience," since it's true that I only know the networking equipment of a few people in a small country with limited IPv6 rollout (my ISP does not provide it).

KAMSPioneer commented on IPv6 Is Hard   techlog.jenslink.net/post... · Posted by u/miyuru
aboardRat4 · 6 months ago
But most users are not business academic military.

They just want to watch some reels.

KAMSPioneer · 6 months ago
And? Most consumer routers also implement a stateful firewall with deny-by-default inbound policy. My point is that NAT isn't a security feature, and that firewalls in edge network equipment are table stakes these days.
KAMSPioneer commented on IPv6 Is Hard   techlog.jenslink.net/post... · Posted by u/miyuru
johnea · 6 months ago
I don't disagree, but I would point out that one upside to every LAN being behind NAT, is that those LANs are also inherently firewalled.

This is dependent on the firewall features of the NAT router, but at least it's something, and the router provides one centralized point of protection from internet traffic.

In IPv6 typically every machine on a LAN is directly connected to the internet with a public IP address. Every one of those machines now needs a full strength internet firewall.

This complicates some intra-LAN communications, and removes the feature of having the LAN be a walled garden, mostly isolated from the internet.

KAMSPioneer · 6 months ago
Or you can implement a firewall on your gateway device with a default drop policy for inbound traffic. Essentially the same behavior as NAT in terms of unsolicited (usually malicious) inbound traffic, but without the downsides of one-to-many NAT.

Which is, coincidentally, exactly how it works if your LAN is made up of devices with publicly-routable IPv4 addresses as well, which happens in business/academic/military networks all the time.
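
A gateway ruleset of the kind described in the comment above, written for nftables as an added example; it is not part of the thread or any commenter's posted configuration. The interface names `wan0` and `lan0` and the table name `gateway_fw` are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful gateway firewall with default drop for inbound traffic.
# Assumed names: "wan0" faces the ISP, "lan0" faces the LAN, table "gateway_fw".
# The inet family covers IPv4 and IPv6, so routed public addresses of either
# kind on the LAN get the same treatment, with no address translation involved.

table inet gateway_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that LAN hosts opened themselves
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections outward
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors IPv6 depends on end to end (path MTU discovery etc.)
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Anything else arriving on wan0 is unsolicited and meets policy drop,
        # the same outcome one-to-many NAT gives for traffic with no mapping.
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery and router advertisements, needed on every link
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      packet-too-big } accept

        # DHCPv6 replies from the ISP (assumes the gateway is a DHCPv6 client)
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept

        # Management and local services are reachable from the LAN side only
        iifname "lan0" accept
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it.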

u/KAMSPioneer

Karma: 359 · Cake day: September 17, 2017
About
[ my public key: https://keybase.io/wrobertson; my proof: https://keybase.io/wrobertson/sigs/Av8Cl_wlLBGh4vhriHgyhe4cXVpan0jaFobetGom884 ]