karmarepellent commented on Dear GitHub: no YAML anchors, please   blog.yossarian.net/2025/0... · Posted by u/woodruffw
TheDong · 3 months ago
> Easy to write and read by hand, while also being easy to write and read with code in just about every language

Language implementations for yaml vary _wildly_.

What does the following parse as:

    some_map:
      key: value
      no: cap

If I google "yaml online" and paste it in, one gives me:

{'some_map': {False: 'cap', 'key': 'value'}}

The other gives me:

{'some_map': {'false': 'cap', 'key': 'value'}}

... and neither gives what a human probably intended, huh?

karmarepellent · 3 months ago
This is why I've become a fan of StrictYAML [0]. Of course it is not supported by many projects, but at least you are given the option to dispense with all the unnecessary features and their associated pitfalls in the context of your own projects.

Most notably it only offers three base types (scalar string, array, object) and moves the work of parsing values to stronger types (such as int8 or boolean) to your codebase where you tend to wrap values parsed from YAML into other types anyway.

Fewer surprises and headaches, but very niche, unfortunately.

[0] https://hitchdev.com/strictyaml/
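The ambiguity TheDong shows and the StrictYAML approach described in the reply above, side by side in an added example (not code from the thread, from PyYAML or from StrictYAML): a deliberately tiny block-mapping parser whose scalar resolver can follow YAML 1.1 implicit typing (what PyYAML does), the YAML 1.2 Core schema, or a StrictYAML-style rule that leaves every scalar a string for the application to type. The parser, the schema names and the sample input are constructions for this example; only the boolean spellings come from the two specs.

```python
import re

# YAML 1.1 implicit booleans, the rule that turns an unquoted key `no` into False
# (the 1.1 spec also lists y/Y/n/N; PyYAML's resolver omits those four).
YAML11_BOOLS = {w: b in ("yes", "true", "on") for b in ("yes", "no", "true", "false", "on", "off")
                for w in (b, b.capitalize(), b.upper())}
# The YAML 1.2 Core schema recognises only these six spellings as booleans.
YAML12_BOOLS = {w: w.lower() == "true" for w in ("true", "True", "TRUE", "false", "False", "FALSE")}
NULLS = {"", "~", "null", "Null", "NULL"}
INT_RE = re.compile(r"^[-+]?[0-9]+$")

def resolve_scalar(text, schema):
    """Type a plain (unquoted) scalar the way 'yaml11' (PyYAML-style), 'yaml12'
    (Core schema) or 'strict' (StrictYAML-style: every scalar stays a str) would."""
    if schema == "strict":
        return text
    bools = YAML11_BOOLS if schema == "yaml11" else YAML12_BOOLS
    if text in bools:
        return bools[text]
    if text in NULLS:
        return None
    if INT_RE.match(text):
        return int(text)
    return text

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def parse_block_mapping(lines, schema, indent=0, pos=0):
    """Parse `key: value` lines into a dict, recursing into nested blocks; returns
    (dict, next_pos). Tiny on purpose: no sequences, flow style, quotes, comments or blank lines."""
    result = {}
    while pos < len(lines) and _indent(lines[pos]) >= indent:
        if _indent(lines[pos]) != indent:
            raise ValueError(f"unexpected indent on line {pos + 1}")
        key_text, _, value_text = lines[pos].strip().partition(":")
        key = resolve_scalar(key_text.strip(), schema)  # keys get resolved as well
        pos += 1
        if value_text.strip():
            result[key] = resolve_scalar(value_text.strip(), schema)
        elif pos < len(lines) and _indent(lines[pos]) > indent:  # nested block follows
            result[key], pos = parse_block_mapping(lines, schema, _indent(lines[pos]), pos)
        else:  # bare `key:` with nothing beneath it is an empty scalar
            result[key] = resolve_scalar("", schema)
    return result, pos

def load(text, schema):
    return parse_block_mapping(text.splitlines(), schema)[0]

SAMPLE = "some_map:\n  key: value\n  no: cap\n"  # constructed: the snippet from the thread
```

Under `yaml11` the `no` key comes back as `False`, under `yaml12` and `strict` as the string `"no"`; the difference only shows up once a value like `port: 8080` or `debug: yes` is involved, where `strict` hands back strings and leaves the conversion to the caller.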

karmarepellent commented on Passkeys and Modern Authentication   lucumr.pocoo.org/2025/9/2... · Posted by u/Bogdanp
tadfisher · 4 months ago
Amazing, just like passkeys!
karmarepellent · 4 months ago
The sarcasm is duly noted. But I simply answered the question. I don't have any strong opinion regarding passkeys.
karmarepellent commented on Passkeys and Modern Authentication   lucumr.pocoo.org/2025/9/2... · Posted by u/Bogdanp
01HNNWZ0MV43FF · 4 months ago
> Signing up is uploading a public key. Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

How do I sign in from multiple computers?

karmarepellent · 4 months ago
A service that lets you sign up by uploading an SSH public key could just as well let you upload multiple public keys in your profile to be able to connect from other devices.
karmarepellent commented on Passkeys and Modern Authentication   lucumr.pocoo.org/2025/9/2... · Posted by u/Bogdanp
vbezhenar · 4 months ago
ssh is terribly insecure with no way of checking server certificate fingerprint automatically. Web solved it decades ago with CA.
karmarepellent · 4 months ago
This is incorrect. SSH certificates work just like x509 certificates in that regard. Also, with PubkeyAuthentication, there exist all kinds of ways to collect host keys before connecting to them for the first time and thus avoid the trust-on-first-use problem. Especially in private networks where you control all the nodes.
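Two of the options named above, as an added example that is not from the thread: pinning host identity through an SSH CA (the `@cert-authority` marker in known_hosts plus a CA-signed host certificate, the SSH counterpart of trusting a TLS CA) and pre-collecting host keys with ssh-keyscan, so a client never has to accept a key on first use. The hostnames, paths and the CA key string are assumptions; the key shown is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: avoid trust-on-first-use for SSH host keys. Names under
# example.com and the /etc/ssh paths are assumed, not taken from the thread.
set -eu

# 1. Certificate trust: a single CA line in known_hosts covers every host whose
#    certificate that CA signed, scoped to a hostname pattern.
#    $1 = host pattern, $2 = CA public key ("ssh-ed25519 AAAA...", i.e. ca.pub)
cert_authority_line() {
    printf '@cert-authority %s %s\n' "$1" "$2"
}

# 2. Issue a host certificate from the CA (run on the CA machine, once per host).
#    $1 = CA private key, $2 = hostname (the certificate principal), $3 = host public key
sign_host_key() {
    ssh-keygen -s "$1" -I "host-$2" -h -n "$2" -V +52w "$3"
    # The host then serves it via sshd_config:
    #   HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
}

# 3. Key pre-collection for networks you control: gather host keys from a trusted
#    position (provisioning host, bastion) and ship the file to clients, then set
#    StrictHostKeyChecking yes in ssh_config so an unknown key is refused, not prompted.
#    $@ = hostnames; -H hashes names in the output, -t limits the key type
collect_host_keys() {
    ssh-keyscan -H -t ed25519 "$@"
}

# Constructed placeholder CA key for the demonstration below (not a real key).
CA_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEPLACEHOLDER'
cert_authority_line '*.example.com' "$CA_PUB"
```

The printed line is what goes into `~/.ssh/known_hosts` (or a system-wide `ssh_known_hosts`); `ssh-keygen -L -f ssh_host_ed25519_key-cert.pub` shows the principals and validity the CA signed into a host certificate.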
karmarepellent commented on Passkeys and Modern Authentication   lucumr.pocoo.org/2025/9/2... · Posted by u/Bogdanp
alphazard · 4 months ago
Unfortunately the tech community is full of people who pride themselves on being aware of and advocating for the latest standard put out by whatever company. That's how we end up with lots of complicated nonsense like most of what is sent in HTTP headers, or the contents of a TLS certificate.

On the topic of authentication, it's solved. SSH nailed it, any further complexity is strictly worse. Signing up is uploading a public key. Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

karmarepellent · 4 months ago
> Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

I can see how SSH could be used for authentication on the web. And I have no doubt that it would be sound out-of-the-box. But I am not sure what you mean by your last sentence. Do you mean that authentication targets are gated and only reachable by establishing a tunnel via some kind of forwarding?

Aside from the wonderful possibilities that are offered by using port forwarding of some kind, you could also simply use OpenSSH's ForceCommand to let users authenticate via SSH and then return a short-lived token that can then be used to log into an application (or even an SSO service).

I guess no one uses SSH for authentication in this way because it is non-standard and kind of shuts out non-technical people.

karmarepellent commented on Automated Installation of Proxmox VE   pve.proxmox.com/wiki/Auto... · Posted by u/karmarepellent
karmarepellent · 7 months ago
I'm curious to know if people see this as a viable alternative to a PXE installation, especially when it comes to the deployment of large-ish (possibly air-gapped) clusters.
karmarepellent commented on I Stopped Using Kubernetes. Our DevOps Team Is Happier Than Ever   blog.stackademic.com/i-st... · Posted by u/yarapavan
mst · a year ago
"I am cutting this corner because I absolutely cannot make a business case I believe in for doing it the hard (but more correct) way but believe me I am still going to be low-key paranoid about it indefinitely" is an experience that I think a lot of us can relate to.

I've actually asked for a task to be reassigned to somebody else before now on the grounds that I knew it deserved to be done the simple way but could not for the life of me bring myself to implement that.

(the trick is to find a colleague with a task you *can* do that they hate more and arrange a mutually beneficial swap)

karmarepellent · a year ago
Actually I think the trick is to change one's own perspective on these things. Regardless of how many redundancies and how many 9's of availability your system theoretically achieves, there is always stuff that can go wrong for a variety of reasons. If things go wrong, I am faster at fixing a not-so-complex system than the more complex system that should, in theory, be more robust.

Also I have yet to experience that an outage of any kind had any negative consequences for me personally. As long as you stand by the decisions you made in the past and show a path forward, people (even the higher-ups) are going to respect that.

Anticipating every possible issue that might or might not occur during the lifetime of an application just leads to over-engineering.

I think rationalizing it a little bit may also help with the paranoia.

karmarepellent commented on I Didn't Need Kubernetes, and You Probably Don't Either   benhouston3d.com/blog/why... · Posted by u/bhouston
fragmede · a year ago
I'll let you in on the joke. The joke is the demand for 100% availability and instant gratification. We're making services where anything less than 4 nines, which is 5 minutes a month, is deemed unacceptable. Three nines is 10 minutes a week. Two nines is 15 minutes a day. There are some things that are important enough that you can't take a coffee break and wait for, but Kubernetes lets you push four nines of availability, no problem. Kubernetes is solving for that level of availability, but my own body doesn't have anything near that level of availability. Demanding that from everything and everyone else is what pushes for Kubernetes level of complexity.
karmarepellent · a year ago
It's a matter of evaluating what kind of infrastructure your application needs to run on. There are certainly mission critical systems where even a sliver of downtime causes real damage, like lost revenue. If you come to the conclusion that this application and everything it involves better run on k8s for availability reasons, you should probably focus on that and code your application in a k8s-friendly manner.

But there are tons of applications that run on over-engineered cloud environments that may or may not involve k8s and probably cost more to operate than they must. I use some tools every day where a daily 15 min downtime would not affect me or my work in the slightest. I am not saying this would be desirable per se. It's just that a lot of people (myself included) are happy to spend an hour of their work day talking to colleagues and drinking coffee, but a 15 min downtime of some tool is seen as an absolute catastrophe.

u/karmarepellent · Karma: 192 · Cake day: January 10, 2024