  • I worked in software certification under Common Criteria, and while I do know that it creates a lot of work, there were cases where security has been improved measurably - in the hardware department, it even happened that a developer / manufacturer had a breach that affected almost the whole company really badly (design files etc stolen by a probably state sponsored attacker), but not the CC certified part because the attackers used a vector of attack that was caught there and rectified.

    It seemingly was not fixed everywhere for whatever reason… but it’s not that CC certification is just some academic exercise that gives you nothing but a lot of work.

    Is it the right approach for every product? Probably not because of the huge overhead per certified version. But for important pillars of a security model, it makes sense in my opinion.

    Though it needs to be said that the scheme under which I certified is very thorough and strict, so YMMV.







  • I love Steam, but let’s get real here for a second. Valve will change some day. Enshittification is inevitable.

    Steam is an example where I’m not sure when it would happen.

    It already comes with a hefty fee of 30% per sale on the platform. I don’t think they can raise that without serious backlash. And there also isn’t really a need, Steam prints money. It prints money because it’s where users are. Users are there because they like the features. Some good features are only there because of laws (e.g. refunding); Valve can’t remove these.

    So how would you make the service even more profitable?

    Enshittification happens because corporations want (more) money out of a service that built a userbase. These were often running at a loss. To turn a profit, they need to change.

    Steam can sell you licenses to games you don’t own already. It’s up to each publisher. Valve doesn’t care, they just deliver.



  • I was also with a provider that didn’t offer API access for the longest time. When they then increased prices, I switched, now paying a third of their asking price per year at a very good provider.

    I guess migrating is difficult if the provider doesn’t offer a mechanism to either dump the DNS to a file or perform a zone transfer (the latter being part of the standard).

    Can only recommend INWX for domains, though my personal requirements aren’t the highest.




  • Also wildcard certificates are more difficult to do automated with Let’s Encrypt.

    They are trivial with a non-garbage domain provider.

    If you want EV certificates (where the cert company actually calls you up and verifies you’re the company you claim to be) you also need to go the paid route.

    The process however isn’t as secure as one might think: https://cyberscoop.com/easy-fake-extended-validation-certificates-research-shows/

    In my experience trustworthiness of certs is not an issue with LE. I sometimes check websites’ certs and if I see they’re LE I’m more like “Good for them”.

    Basically, an LE cert says “we were able to verify that the operator of this service you’re attempting to use controls (parts of) the domain it claims to be part of”. Nothing more or less. Which in most cases is enough so that you can secure the connection. It’s possibly even a stronger guarantee than some sketchy cert providers provided in the past which was like “we were able to verify that someone sent us money”.







  • Well, a lot of it is just trying stuff out, but let’s say you want to set up Navidrome because you read about it somewhere. My first step is always to go to https://search.nixos.org/options? and search for it, it’ll show you the options available. If you want to know how it’s implemented under the hood, press the “Declared in” link where it shows you the source code of the module, this can sometimes be helpful.

    Other than that, read the wiki for examples, and remember that nix is a full language and not just a configuration, so you can keep it flexible.


  • Thanks for the answer; I do have at least one module in my config, but usually, I don’t enable or disable services like that, it was more of an example of how the configuration is split up and what the advantage of that is. In the end, if the only option is to enable the module, you’re not gaining that much if you need to import and enable it instead of just importing the configuration straight is my opinion.


  • Laser@feddit.org to linuxmemes@lemmy.world: Have you tried NixOS? (3 months ago)

    Even when using in a basic way, I think it has one very tangible advantage: the fact that you can “compartmentalize” different aspects of your configuration.

    Let’s say I set up a specific web service that I want to put behind a reverse proxy, and it uses a specific folder that doesn’t exist yet, like Navidrome which is a web-based audio player. It requires a set of adjustments of different system parts. My nix file for it looks like this:

    { config, ... }:
    
    let
      domain = "music." + toString config.networking.domain;
    in
      {
        services.navidrome = {
          enable = true;
          settings = {
            Address = "127.0.0.1";
            Port = 4533;
            MusicFolder = "/srv/music";
            BaseUrl = "https://" + domain;
            EnableSharing = true;
            Prometheus.Enabled = true;
            LogLevel = "debug";
            ReverseProxyWhitelist = "127.0.0.1/32";
          };
        };
    
        services.nginx = {
          upstreams = {
            navidrome = {
              servers = {
                "127.0.0.1:${toString config.services.navidrome.settings.Port}" = {};
              };
            };
          };
        };
    
        services.nginx.virtualHosts."${domain}" = {
          onlySSL = true;
          useACMEHost = config.networking.domain;
          extraConfig = ''
            include ${./authelia/server.conf};
          '';
          locations."/" = {
            proxyPass = "http://navidrome";
            recommendedProxySettings = false;
            extraConfig = ''
              include ${./authelia/proxy.conf};
              include ${./authelia/location.conf};
            '';
          };
        };
    
        systemd.tmpfiles.settings."navidrome-music-dir"."${toString config.services.navidrome.settings.MusicFolder}" = {
          d = {
            user = "laser";
            mode = "0755";
          };
        };
        systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/run/systemd/resolve/stub-resolv.conf"];
          
        security.acme.certs."${config.networking.domain}".extraDomainNames = [ "${domain}" ];
      }
    

    All settings related to the service are contained in a single file. Don’t want it anymore? Comment it out from my main configuration (or wherever it’s imported from) and most traces of it are gone, the exception being the folder that was created using systemd.tmpfiles. No manually deleting the link from sites-available or editing the list of domains for my certificate. The next generation will look like the service never existed.

    And in my configuration, at least the port could be changed and everything would still work – I guess there is room for improvement, but this does what I want pretty well.