karswell_ has quit [Read error: Connection reset by peer]
tankfeeder has quit [Quit: Connection closed for inactivity]
rob_w has joined #picolisp
orivej has quit [Ping timeout: 256 seconds]
<rick42>
New ad campaign: "Don't settle for less. Only choose 100% pil." :)
<Regenaxer>
:)
<beneroth>
Good morning
<beneroth>
rick42, you got that wrong: "Settle for less. Only choose 100% pil." :)
<Regenaxer>
Good morning rick42, beneroth
<beneroth>
Good morning Regenaxer :)
tankfeeder has joined #picolisp
<tankfeeder>
Regenaxer: did i successfully change email in mailing list from gmail to disroot?
<beneroth>
tankfeeder, I think so. Got Subscribe & Unsubscribe mails for both.
<beneroth>
leaving google ?
<Regenaxer>
tankfeeder, yes, perfect
<tankfeeder>
beneroth: leaving, somebody did the same here, i don't remember who
<tankfeeder>
maybe aw
<beneroth>
good. I think their 80% dominance on email (addresses I think) should become less. Reading 80%+ of all email traffic is a power which should not rest on single entities.
<Regenaxer>
T
<tankfeeder>
i like disroot a lot
<tankfeeder>
big group of services, even diaspora exists and matrix
<tankfeeder>
found via privacytools.io
<beneroth>
they make a pretty good impression
nonlinear has joined #picolisp
nonlinear has quit [Quit: WeeChat 1.9.1]
aw- has joined #picolisp
<beneroth>
bbl
beneroth is now known as bene|off
<aw->
hi all
<Regenaxer>
Hi aw-
<aw->
what's the point of running pilbox in an emulator?
<Regenaxer>
Only when the tablet crashed on the floor ;)
<aw->
i tried a few others from the same 0.5.15 release, and they also worked out of the box.. not sure about the newer 0.6.x builds
<Regenaxer>
ok
<aw->
anyways this machine's hardware is part of the latest 4.14.x Linux kernel, so you can technically use any Linux with that mainline kernel
<aw->
there shouldn't be a need for a "community OS"
<Regenaxer>
What is a "community OS"?
jamtho_ has quit [Ping timeout: 240 seconds]
<aw->
assuming you know Linux, there's probably some hacking required to get the kernel compiled correctly, and to format the SD card as required by the chip
<aw->
"community OS" = OS distribution slightly patched with custom kernel to support the rock64 hardware
<Regenaxer>
ok
<aw->
Regenaxer: thanks for reading, are you interested in that machine?
<Regenaxer>
Yes, but not in the short term, as I've just set up a new intel machine
<aw->
oh i see
<Regenaxer>
rock64 would have been better, also in terms of power consumption I suspect
<aw->
what did you buy?
<aw->
power consumption is 15W, pretty good
<Regenaxer>
It is an off-the-shelf desktop, nothing special
<aw->
good, probably a lot more powerful than this
<Regenaxer>
perhaps, but it is not really needed. Mostly DB replication
<Regenaxer>
and backups storage
<Regenaxer>
Anyway, I keep it in mind
<aw->
well, i assume you can connect many drives to that
<Regenaxer>
right
<aw->
i don't think that would be feasible on here
<aw->
due to power requirements and well… USB :\
<Regenaxer>
Well, it is also good to have an x86 machine for testing
<aw->
right
<cess11>
That board looks quite nice, actually.
<cess11>
aw-: I get an SSL error from https://scaling.a1w.ca , says COMMON_NAME_INVALID.
<aw->
cess11: oh yeah, there's no SSL on there
<aw->
i forgot to add it when i created the certs
<aw->
it'll appear in a few days once the certs get renewed. sorry about that
<aw->
hmmm oh i see what's going on now
<tankfeeder>
double link lists more interesting than i thought
<Regenaxer>
yes, but a bit tedious to set up and maintain
<Regenaxer>
Sometimes just 'prior' is enough
<tankfeeder>
prior on double linked ?
<Regenaxer>
no, then a normal list can be used
<Regenaxer>
makes sense if not too long
<Regenaxer>
You can move the list pointer backwards
<tankfeeder>
~3-4K items
<Regenaxer>
hmm, too many I would say
<tankfeeder>
(state) calls ~12M times.
<Regenaxer>
less than 100 OK
<Regenaxer>
yeah
<tankfeeder>
i will try doubled.
<Regenaxer>
yes, better
<Regenaxer>
needs double space, but is a lot faster
<Regenaxer>
'prior' searches the list from the beginning
<tankfeeder>
it will be in one function, so i just will store and manipulate the pointer inside doubled list.
<Regenaxer>
good
<tankfeeder>
i don't need to traverse till pointer again and again
<tankfeeder>
ok
<Regenaxer>
yep
bene|off is now known as beneroth
<beneroth>
back
<Regenaxer>
wb
<beneroth>
thx
<beneroth>
cess11, that is the (previously here in IRC) discussed CPU cache attack on ASLR (and virtualization in general), nothing new really. just new that some stuff is patched (original patch authors seem to be the same guys who came up with this attack & rowhammer)
<beneroth>
if I understand the patch correctly, it actually leads to periodic clearing of the cpu cache to protect kernel aslr somewhat
<Regenaxer>
yes, with some performance loss (5%?)
<beneroth>
well clearing the cache = performance loss
<Regenaxer>
As I understand, not the cache, but the lookup tables
<beneroth>
I'm not so sure that this actually brings back kernel ASLR guarantees, maybe (haven't looked deep enough into it), but maybe it is also just an urgent patching for a large-scale easy-to-use vulnerability the cloud-providers suffer from
<beneroth>
aw-, nice article!
<beneroth>
cool, so the rock64 works for you! glad to hear so, exciting!
<beneroth>
hm.. database server with this.. maybe with having the journal and transaction file on SD card (or RAM-fs) and the rest on a storage box with RAID connected via USB 3.0 ? would that be an idea, aw-, Regenaxer ?
<Regenaxer>
transaction file on SD card is ideal
<Regenaxer>
Not RAM, as it would be lost on power failure
<beneroth>
lol T
<beneroth>
I short-circuited my thought there, haha how stupid
<Regenaxer>
:)
<Regenaxer>
Is SD card much faster?
<Regenaxer>
than HD
<beneroth>
dunno, I would guess, as SD is flash. nothing spinning. though HD storage box could also be SSDs I guess
<Regenaxer>
not sure how caching in the HD local cache is involved
<aw->
cess11: should be fixed now, thanks
<beneroth>
no idea how fast the bus is on which the SD connects
<aw->
beneroth: thanks
<Regenaxer>
'commit' calls fsync() twice, to make sure the writes were done
<aw->
transaction file on SD card = failed card in a couple days haha
<Regenaxer>
so writing must be finished before it proceeds
<Regenaxer>
aw-, because of wear?
<beneroth>
aw-, hm..right
<aw->
yes
<Regenaxer>
Not sure, it does wear-levelling
<Regenaxer>
needs a lot many writes
<aw->
database transaction log on SD card
<aw->
is a terrible idea
<beneroth>
well question in which ballpark this is
<Regenaxer>
Perhaps no problem if the SD total size is not too small
<beneroth>
better have not a setup which requires pre-scheduled hardware maintenance ^^
<aw->
and RAID over USB 3.0 is also probably a bad idea too
<Regenaxer>
T
<aw->
what's wrong with good ol' SATA SSD drives?
<aw->
actually i don't know the speeds of USB 3.0
<cess11>
aw-: Great, thanks.
<beneroth>
aw-, theoretical (spec) performance of USB 3.0: 5 Gbit/s (625 MB/s)
<aw->
hmmm
<aw->
isn't SATA faster than that?
<beneroth>
SATA 3.0+ is
<aw->
well... 5 Gbit/s isn't so bad i guess ;)
<beneroth>
SATA 3.2+ is 16 Gbit/s (wikipedia)
<aw->
in all cases, if Regenaxer is trying to do "server" stuff, he should be using a server
<cess11>
Or at least HDD for storage and data integrity, due to flash cards being quite unreliable for caching and intensive I/O.
<aw->
it'll be better than a hacked up solution
<beneroth>
depends on use case.. his requirement is a backup solution for his home without having a server room or rackspace available, I guess ^^
<Regenaxer>
T
<aw->
right
<Regenaxer>
main purpose is ssl -> replica
<aw->
but looking at a $50 computer for that is a bit insane
<Regenaxer>
and my sources to be accessible from the tablet
<cess11>
So basically a NAS type of solution would be right?
<Regenaxer>
I also want to test pil on x86, and run Android SDK
<aw->
right, so a regular computer with a big motherboard, onboard SATA and USB 3.0 ports, maybe even dual processor would be good
<Regenaxer>
and also qemu to test the ppc64 and arm64 builds
<tankfeeder>
this cant insert item to the end of the list
<Regenaxer>
oh
<cess11>
Right, then maybe server hardware with Xen for separation of concerns would be best.
<aw->
something that lets you have redundancy out of the box, redundant/upgradeable RAM, redundant CPUs, swappable power supply..
<Regenaxer>
tankfeeder, seems this was not tested
<tankfeeder>
yea
<Regenaxer>
must go, bbl
<aw->
cess11: exactly
mtsd has quit []
<beneroth>
cess11, ok as long as one doesn't equal "separation of concerns" with "secure separation", as this is prolly broken, see the ASLR topic / cpu cache hacking
<beneroth>
aw-, what you said with ARM 64bit -> pil Db server :D
<beneroth>
bbl
<aw->
beneroth: ?
orivej has joined #picolisp
jamtho_ has joined #picolisp
jamtho_ has quit [Ping timeout: 256 seconds]
<rick42>
sup
<rick42>
nice article, aw- !
<rick42>
aw-: also, nice wristband on your watch :)
<aw->
rick42: thanks
<beneroth>
<aw-> something that lets you have redundancy out of the box, redundant/upgradeable RAM, redundant CPUs, swappable power supply.
<beneroth>
hi rick42
<rick42>
beneroth: o/
<beneroth>
\o
<rick42>
aw: i also use a TKL keyboard and a Dell monitor (similar to that but older circa 2006)
<rick42>
the monitor has a USB hub builtin but not USB3 of course. good for only kbd and rodent, but convenient
<aw->
rick42: yeah! my monitor has a USB hub builtin as well
<aw->
rick42: how many keys is TKL ?
<aw->
i don't know much about these, just got it because it looked/felt/sounded awesome
<rick42>
aw-: :) yeah, for me too. i'm enjoying it right now heh
<rick42>
TKL -- for me, maybe i'm not precisely right on this -- is the keyboard without the numeric numberpad on the right side. nice for keeping the rodent closer to me
<rick42>
if i were an accountant, i would need that numeric pad though
* beneroth
is more used to the top row numeric keys
<rick42>
same here
* rick42
just realized he typed "numeric numberpad" :)
<beneroth>
yo dawg
<beneroth>
technically, the character keyboard is also a numberpad.. its all numbers in the end...
<aw->
rick42: yeah you're right
<aw->
i think my keyboard has 84 keys
<aw->
rick42: we have a similar setup haha
<rick42>
beneroth: "yo dawg, i heard you like numbers, so ..." nice one, m8
<beneroth>
;-)
<rick42>
aw-: i count 87 on mine (def not > 100 :)
<aw->
nice
<aw->
anyone here using "let's encrypt"?
<rick42>
aw-: i am
<rick42>
using acme-client to negotiate renewals
<aw->
what method do you use to renew?
<aw->
webroot?nginx?
<aw->
dns?
<rick42>
i use acme-client (in a daily cron job) to check if the certs need renewal. if they do acme-client takes care of the renewal. (it may do another challenge but i'm not quite sure)
<aw->
oh i see, so it sets up the domains on its own?
<rick42>
in nginx you can setup a .wellknown-challenge dir
<rick42>
yes it's a super convenient client
<rick42>
once it gets the certs it drops them in a dir i configured which is also configure in the web server
<aw->
right.. i think i need to do that, cause now i'm using DNS mode with Linode and it's crazy slow to update
<rick42>
(i.e. i don't move the certs, i point acme-client and the web server to the same dir)
<aw->
yeah same here
<rick42>
i didn't know you could use "dns mode" for this. how does it work?
<aw->
it's a pain in the ass
<aw->
if your DNS provider has an API, it generates some DNS entries, waits for the DNS to propagate (~15 mins), then validates the entries and makes the certs
<rick42>
day-um a bit circuitous
<aw->
seems like it would be much easier to use the .well-known challenge dir
<rick42>
i just don't know any different b/c i'm small potatoes just running one personal server
<aw->
yeah but you're doing it right haha
<rick42>
"doing it right" but by way of falling bass-ackwards into it :D
orivej has quit [Ping timeout: 264 seconds]
<aw->
i think the problem with .well-known is it happens over HTTP haha
<aw->
chicken and egg situation
<aw->
same as picolisp 64-bit, you need picolisp to compile picolisp hahahaha
<rick42>
aw-: yes, that is my understanding too. hehe
<rick42>
is that why there are other methods like dns method? prolly
<aw->
actually letsencrypt doesn't even allow you to renew certs over HTTPS
<aw->
yeah probably
<aw->
at least picolisp lets you compile picolisp
<aw->
they should have consulted with Regenaxer when writing the "ACME" spec
* beneroth
uses a bash client, using nginx + .wellknown-challenge
<beneroth>
aw-, is the DNS check made using secure DNS?
<beneroth>
if not, it is as good as the HTTP way ^^
<beneroth>
aw-, haha yeah, but if they had consulted with Regenaxer it would have been much smaller, less complicated and less of an achievement xD
<aw->
no that's a bad argument
<aw->
beneroth: my argument is that using HTTP to perform validations for an HTTPS certificate is stupid
<aw->
it's not a matter of which approach is better
<aw->
beneroth: i agree with consulting Regenaxer
<aw->
haha
<beneroth>
my point is: it's the simplest way short of securely using DNS (DNSSEC et al), which brings in a hurdle of other problems
<beneroth>
if the bad boys can MitM your HTTP request, then they can also MitM your DNS request.
<aw->
that's not my point, my point is the renewals occur over HTTP
<aw->
instead of HTTPS
<aw->
i don't know why you keep talking about DNS
<aw->
i'm not talking about DNS
<beneroth>
of course this would be mitigated by using HTTPS, but only if the target server already has a certificate AND it's pinned AND you diligently checked the CA for that certificate... if that is the case, then let's encrypt is kinda not needed
<aw->
beneroth: exactly!
<aw->
you just proved my point
<beneroth>
well the renewals could indeed occur over HTTPS, agreed. though you still suffer from the DNS security hole.
<beneroth>
I guess they save some little backend power by not using HTTPS. no idea what else it could be.
<aw->
yep
<aw->
personally I think this whole letsencrypt is a garbage hack
<aw->
i've thought that since the day the code started being pushed to GitHub
<cess11>
it is
<beneroth>
it is. it's just a nicer implementation of how cert requesting worked for many years now.
<beneroth>
well no, s/nicer/cheaper
<cess11>
a garbage hack. it is instead of someone taking on some responsibility for ca and its trust issues.
<beneroth>
hard to scale up trust.
<aw->
yeah
<beneroth>
especially when some actors believe they're entitled to a free backup copy of everything while they sue the rest of the world for a copy of the movie/audio they posted online themselves.
<beneroth>
(usa)
<aw->
beneroth: you use acme.sh ?
<aw->
~6000 LOC bash script for renewing certificates.. don't look at the code, you will go blind
<beneroth>
KASLR being attackable is known for 1-2 years. so maybe this is about something more, but no information available yet. maybe more tomorrow.