Readit Newsfilleokus commented on Strong Eventual Consistency – The Big Idea Behind CRDTs lewiscampbell.tech/blog/2... · Posted by u/tempodox
The big problem with CRDTs IMO is that they make it incredibly easy to break application semantics.
Just a basic example for a task tracker:
* first update sets task cancelled_at and cancellation_reason
* second update wants the task to be in progress, so sets started_at
If code just uses the timestamps to consider the task state, it would not assume the task is cancelled, unexpected since the later user update set it to in progress.
Easy fix, we just add a state field 'PENDING|INPROGRESS|CANCELLED|...'.
Okay, but now you have a task that is in progress, but also has a cancellation timestamp, which seems inconsistent.
The point is:
With CRDTs you have to consider how partial out of order merges affect the state, and make sure your logic is always written in a way so these are handled properly. That is *not easy*!
I'd love it if someone came up with a framework that allows defining application semantics on top of CRDTs, and have the framework ensure types remain consistent.
Yes!
Any many CRDT implantations have already solved this for the styled text domain (e.g bold and cursive can be additive but color not etc).
But something user definable would be really useful
Correct me if I'm wrong, but the problem here is not with GitHub Apps, instead CodeRabbit violated the principle of least privilege: ideally the private key of their app should never end up in the environment of a job for a client but rather a short lived token should be minted from it (for just a single repo (for which the job is running)) so it never gets anywhere near those areas where one of their clients has any influence over what runs.
I agree, this seems like straight up bad design from a security perspective.
But at the same time, me as a customer of Github, would prefer if Github made it harder for vendors like CodeRabbit to make misstakes like this.
If you have an app with access to more than 1M repos, it would make sense for Github to require a short lived token to access a given repository and only allow the "master" private key to update the app info or whatever.
And/or maybe design mechanisms that only allow minting of these tokens for the repo whenever a certain action is run (i.e not arbitrarily).
But at the end of the day, yes, it's impossible for Github to both allow users to grant full access to whatever app and at the same time ensure stuff like this doesn't happen.
filleokus commented on Nginx introduces native support for ACME protocol blog.nginx.org/blog/nativ... · Posted by u/phickey
My work is mostly running internal services that aren’t reachable from the external internet. DNS is the only option.
You can get wildcards with DNS. If you want *.foo.com, you just need to be able to set _acme-challenge.foo.com and you can get the wildcard.
Spivak is saying that the DNS method is superior (i.e you are agreeing - and I do too).
One reason I can think of for HTTP-01 / TLS-ALPN-01 is on-demand issuance, issuing the certificate when you get the request. Which might seem insane (and kinda is), but can be useful for e.g crazy web-migration projects. If you have an enormous, deeply levelled, domain sprawl that are almost never used but you need it up for some reason it can be quite handy.
(Another reason, soon, is that HTTP-01 will be able to issue certs for IP addresses: https://letsencrypt.org/2025/07/01/issuing-our-first-ip-addr...)
filleokus commented on Sumo – Simulation of Urban Mobility eclipse.dev/sumo/... · Posted by u/Stevvo
I ride rental scooters almost 10k minutes per year and would really like to get my hands on my own ride data to plug it into something like this (or simpler) to find the optimal routes for my regular trips.
Google Maps (or others) works good to find a resonable route, but I can do better on my own. One-way streets where bikes are allowed to go do opposite way is sometimes missing, short desire paths connecting bike ways, crossings where it's safe to do an (illegal) right-on-red etc.
Tried a GDPR data claim from Voi but got nothing back :( But I hope the data is somehow available for urban planners, think it would be a great source of truth to use in tools like this.
filleokus commented on Try the Mosquito Bucket of Death energyvanguard.com/blog/t... · Posted by u/almuhalil
How is that better than what the article describes? You need gas, electricity (outdoors!) and get constant fan noise.
I guess it depends a lot on your situation, but for OP's method to be effective you need to out-compete other breeding grounds in not only your backyard but also X feet/meters away (whatever distance mosquitoes typically fly to "hunt").
If there's a nice shallow pond on the property line 100 feet from your porch (or water filled tires at the sloppy neighbour or whatever it might be), I seriously doubt the efficacy of the method in the article.
This thing would lure in any mosquitoes (and unfortunately other things, as per sibling comment) that fly in your backyard, wherever they come from.
For electricity: That also of course depends, but around here it's not uncommon to have an outlet on the outside of some garage or outbuilding or something. The product I linked have a 50 feet cord as well. The fan noise has not been noticeable at all when I've seen it.
filleokus commented on Try the Mosquito Bucket of Death energyvanguard.com/blog/t... · Posted by u/almuhalil
Many people with mosquito issues around here (Sweden) uses something like https://www.clasohlson.com/se/Mosquito-Magnet/p/31-7190 which burns propane to produce Co2 to lure in mosquitoes and then sucks them in with a fan towards a metal grid to zap them with electricity.
Non-poisonous and from what I've heard fairly effective. Not sure if these exists in the US?
I think at this point the niche would be well-served if one could have a competent clamp-on landscape keyboard (so close, clicks keyboard) for their phone they could use to RDP into a better machine that could run while the phone is off. Additionally nice would be if the phone had a fully functional usb-c port that could do DP and usb for docking. At that point I'd have serious thoughts about retiring my backpack or nanote next. It frustrates me how close we are, if such a keyboard existed for $80 or so
I've been occasionally using Microsoft's RDP Client [0] on my iPhone with external keyboard + mouse with a usb-c cable into my external monitor (with a Logitech RF dongle connected to the back of it).
It worked okay, the mouse support is somewhat of a hack, but keyboard works awesome.
The biggest annoyance was actually getting RDP to work satisfactory on a linux box with no external monitor plugged in to it (hetzner box).
I thought someone would have created an app to run browser on the external screen in full resolution, so I could skip RDP and use vscode server via the browser. But the only option seems to be infinitex2p which is not available in the EU :(.
[0]: Which in typical Microsoft idiotic fashion semi recently got renamed to "Windows app"... [1]: https://x.com/infinitex2p
Unclear who is responsible here, Allianz or their third party "cloud-based CRM provider."
But I think that fundamentally, secure cloud-based SaaS is impossible. This stuff needs to be on-prem and airgapped from the internet. That makes some functionality complicated or impossible, but we're seeing that what we have now is not working.
Allianz have more than 150k employees with offices in 50+ countries. Not all of them need access to the CRM of course, but I think going back to on-prem is just asking for different kind of trouble.
We don't have any details now, but I wouldn't be surprised if the cloud-based CRM provider didn't have a very technical interesting weakness, but rather that some kind of social engineeringy method was used.
If global companies like this instead had stuff running on-prem all around the world the likelihood of more technical vulnerabilities seems MORE likely to me.
(Air gapping is of course possible, but in my experience, outside of the most security sensitive areas the downsides are simply not acceptable. Or the "air gapping" is just the old "hard shell" / permitter based access-model...)
It's meant to get around the great firewall in China, so it has to avoid the GFW's active probers that check to make sure the external website is a (legit) host. However a friend was able to get it to work American's in-flight firewall if the proxy SNI is set to Google Analytics.
[1] https://github.com/XTLS/Xray-core
Thankfully for my blood pressure, whoever had set it up had left some kind of management portal accessible on a random high port number and it contained some strings which led me back to the Xray project.