kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Public logs at https://botbot.me/freenode/sandstorm/
Aion has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
Aion has joined #sandstorm
Aion has quit [Client Quit]
<ocdtrekkie> kentonv: It took Google six months to fix KRACK on the Pixel 2. It took third party ROM authors two days.
<ocdtrekkie> They might finally get their act together though, the dude who's been the head of Android security since time immemorial was recently shoved off to thermostat security or something.
<kentonv> Android and iOS shipped fixes for KRACK at about the same time, no?
<ocdtrekkie> Nope.
<ocdtrekkie> iOS was in October, Pixel 2 got the fix in December.
<ocdtrekkie> (My Windows Mobile phone was patched about three and a half weeks before the iOS fix, mind you.)
<ocdtrekkie> And Google has been told about the fix in the realm of July or so.
<ocdtrekkie> kentonv: Got pushed back.
<ocdtrekkie> (And look at the fanboyism in that headline.)
<kentonv> I see, the first article had a correction at the bottom saying KRACK wasn't actually fixed
amnesium has joined #sandstorm
harish has quit [Ping timeout: 256 seconds]
<georgeowell> yeh there was a patch to mitigate KRACK really quickly in Lineage OS
<ocdtrekkie> Like two days, I think.
<digitalcircuit> Yeah. Even got it on many no-longer-updated devices, too, like my Galaxy Nexus (Verizon, toro).
<kentonv> I did the cyanogen thing for a while, and TBH my problem with it was the fact that it took a long time to get Android major releases and then basically forced you to wipe your phone when updating, which meant I was stuck on an old release for some time.
<kentonv> it felt a lot like I was using a non-Nexus device
<kentonv> it's cool that they push fast security patches, though
<ocdtrekkie> I'll stick with my "globally available every Patch Tuesday" security patches, until they stop offering them.
<ocdtrekkie> Then when that eventually stops I'll get an iPhone, though I promise to hate every day of owning it.
<ocdtrekkie> Though I'd love a real new option to show up. Librem 5 sounds delightful, but I'm not going to drop money on hopes and dreams.
ogres has joined #sandstorm
<kentonv> yeah, uh... nice ideals, but they can't just slap Debian on a phone and expect it to work
amnesium has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
<kentonv> I use Debian on my desktop but a phone OS it is not. There's a really large amount of work needed to make a good mobile OS. Ubuntu already failed at this. So did Mozilla. :(
amnesium has joined #sandstorm
<georgeowell> yeh that is just madness
<georgeowell> I don't know why they are starting from scratch
<ocdtrekkie> I honestly would rather suffer a desktop OS on a phone than the painful ecosystems we have today.
<ocdtrekkie> georgeowell: What do you start from? I mean, I know there are folks carrying forward Ubuntu's work, but didn't they abandon that whole UI framework in the desktop OS or whathaveyou?
<ocdtrekkie> Making it kinda a dead end?
<kentonv> the problem is not just UI, though. It's battery life. Mobile OS's have a whole different app lifecycle model that lets them be militant about resource usage in order to conserve battery...
<georgeowell> I don't see why they don't just use LineageOS. I'm assuming they think they could run it without blobs but I don't actually think there is a proper foss baseband chip out there?
<ocdtrekkie> georgeowell: Android is a bad OS.
<ocdtrekkie> Nobody should use it, and building on top of poop gives you poop.
<ocdtrekkie> Google already punishes the heck out of anyone who dares use Android without kissing the ring. See the Amazon feud right now.
<ocdtrekkie> They don't mind if some hackers do their custom flashing stuff, but if you DARE try to do business without Google, you're gonna get it.
<georgeowell> hmm you're probably right
<georgeowell> would it be too mad to suggest forking Android :)
<ocdtrekkie> Can't fork something with billions of dollars backing it and be the leading fork.
<ocdtrekkie> If you want to maintain app compatibility, you're beholden to implement everything Google does anyways.
<ocdtrekkie> And Google's already effectively forked Android: All the top apps won't work without their proprietary framework.
<georgeowell> Yeh well they won't ever be supported on an alternate OS either
<georgeowell> I am using Lineage without gapps and it's great
<ocdtrekkie> And if you can't benefit from the app library, you might as well start from scratch.
<ocdtrekkie> I tried doing the Android-without-Google thing for a while, but the amount of things that require Play Services became insurmountable.
<ocdtrekkie> I needed Skype. And of course, even Microsoft's apps don't work without Google's malware enabled.
<kentonv> you won't be able to have app compatibility due to Google Play Services being closed, but starting from AOSP is still a much better idea than starting from desktop Linux.
<ocdtrekkie> (Adobe freaking Reader requires Google Play Services to work.)
<simpson> (I'm not gonna stop your rant, but I think it's hilarious that you desire Skype and Adobe Reader while decrying Google's stuff.)
<ocdtrekkie> simpson: I'd still use Hangouts too if I had a way. Chat apps are kinda unavoidable unless you find friends who are as paranoid as you.
<simpson> ocdtrekkie: Aha. I don't really do the whole "friends" thing. Makes sense.
<TimMc> talky.io is usable on a number of platforms
<ocdtrekkie> As it is, Hangouts doesn't really work without either Gmail, Chrome, or Android, so every month or two, so I check it every month or two.
<ocdtrekkie> ...Wow, the end of that message lost its way.
<simpson> I am happy to assure you that Hangouts doesn't really work even with those things either~
<kentonv> I mean, Hangouts doesn't really work _with_ those things either
<georgeowell> hehe
<ocdtrekkie> ROFL
<georgeowell> I have Signal and WhatsApp
<georgeowell> and SMS
<ocdtrekkie> Anyways, yeah, Skype, Telegram, (ugh) Discord, are all needs for me. Someone finally made a Discord app for Windows Mobile that doesn't suck.
<ocdtrekkie> I am still not sure how they did it, I think witchcraft was involved.
<TimMc> Are there any usable self-hosted video chat services? Something XMPP-related maybe?
<georgeowell> short answer: no
<ocdtrekkie> You want self-hosted AND "usable".
<ocdtrekkie> Man, asking a lot here.
<TimMc> heh
<ocdtrekkie> ;)
<digitalcircuit> Supposedly there's Nextcloud Talk..? Dunno if Nextcloud would be a good fit for Sandstorm, granted.
<TimMc> I'd be happy with "paid and usable" but that doesn't seem to exist either, at least that I've heard of.
<georgeowell> Signal does video now though and is end to end encryption
<TimMc> instead there's "cloud and sometimes usable".
<georgeowell> though obviously you need a frikkin good connection
<ocdtrekkie> I just loathe my appearance and prefer nobody else see it either.
<ocdtrekkie> Prevents most desire for video chat services.
<georgeowell> digitalcircuit: Nextcloud talk requires you to run your own STUN server
<TimMc> Most of my video calls are from home, and I host from home, so if my connection is bad, tough luck. :-)
<georgeowell> I think I am going to get a new 3310 and just keep the battery out unless in emergencies
<georgeowell> :)
<TimMc> (While I like talky, they don't have any apparent business model, so they're either gonna do something sketchy or flame out.)
<ocdtrekkie> That's my beef with Discord.
<ocdtrekkie> I can't fathom its business model is actually sustainable, despite all their claims they'll never do ads or whatever either.
<ocdtrekkie> Either they're going to get sold (I was surprised Amazon didn't buy them, they'd have gone alongside Twitch nicely) or they're gonna have a Red Wedding-style event that changes everything that everyone liked about it in search of profit.
<simpson> I still can't believe that people enjoy it. It's not a very good system; it's made to confuse, I feel.
<digitalcircuit> georgeowell: Fair point; I didn't realize bandwidth was a concern (yay asymmetric speeds).
<georgeowell> most of these things use WebRTC
<georgeowell> and if one side has a bad connection, you're in trouble
<digitalcircuit> ocdtrekkie: I'm wondering how long until Discord drops/makes unusable the API, a la Twitter.
pie__ has joined #sandstorm
<georgeowell> In my business we use mumble for online meetings
<georgeowell> It's rock solid but is audio only.
<ocdtrekkie> I am reasonably happy with Mumble as a thing, I use it too, but I currently rent a cheap service for it.
<ocdtrekkie> But yeah, I get forced to use Discord because of some groups I'm in.
pie___ has quit [Ping timeout: 260 seconds]
<georgeowell> reminds me of a certain xkcd comic
<ocdtrekkie> Ah yes.
<ocdtrekkie> The chat tab in an old Google doc.
<ocdtrekkie> :D
<georgeowell> hmm I'm pretty confused with the CNAME for Wordpress on Sandstorm
<kentonv> georgeowell, how so?
<georgeowell> does it have to be hosted on a subdomain or can you point the root of your domain at a sandstorm wp site
<kentonv> unfortunately, the DNS spec says that your root domain cannot be a CNAME
<kentonv> if your server's IP address won't change, you can use an A record. Otherwise you'll need to use a "www." prefix or something, and put the CNAME there
<georgeowell> ah ok. Never used a CNAME before so didn't know.
<georgeowell> DNS is dark magic really
<kentonv> FWIW if you put Cloudflare in front of your blog then it will let you configure the root as a CNAME, because behind the scenes Cloudflare converts it to an A record and keeps it updated
<kentonv> plus it will make the site faster. :)
<georgeowell> and I'm assuming CloudFlare could handle TLS certs for you also
<kentonv> yup
<TimMc> georgeowell: DNS made a lot more sense to me once I understood that it's a giant, cooperative database.
<ocdtrekkie> I hated DNS right up until I finally got DNS working right where I work.
<ocdtrekkie> Where I am confident it was not properly configured for about 12 years.
<georgeowell> I hated DNS right up till now and will continue to be frustrated with it into the future
jemc has joined #sandstorm
<TimMc> Oh, frustration, definitely!
<TimMc> Take this CNAME restriction, for one. I don't know the reason for it for sure, but I strongly suspect it's because DNS is most heavily used as a www name resolver and so MX and other uses get pushed to the side.
<TimMc> (maybe the RFC gives the reasoning...)
<kentonv> I suspect it's because DNS was already widely deployed before CNAMEs were introduced
<kentonv> and they made a backwards-compatibility decision that base domain names shouldn't require clients to resolve CNAMEs
<kentonv> BUT I'm just speculating there
<kentonv> of course, now, it's multiple decades later and this restriction is silly
<TimMc> Hmm! Plausible too.
<TimMc> The "MX can't point to a CNAME" is even weirder.
<kentonv> probably same deal
amnesium has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
<TimMc> and I suspect a ton of zones do it anyway and no one notices
<kentonv> MX is one of the oldest usages of DNS
<TimMc> I love the SRV records that Jabber uses. You can specify ports right in the DNS!
<kentonv> I was surprised to learn that a CNAME record indicates you want to clone *all* of the records of some other domain, not just the IP address records
<TimMc> whoa
<kentonv> so if a.com is a CNAME to b.com, then a.com gets b.com's MXs too
<kentonv> in retrospect this should probably have been obvious. A records aren't special.
amnesium has joined #sandstorm
<TimMc> OK, so it truly does mean an "alias/canonical" relationship in all ways, OK.
<kentonv> actually maybe that's why your root domain can't use it... it might create complications with NS records?
<TimMc> Having an MX and a CNAME for the same label would then also cause complications for precedence. If foo.example.com is an alias for bar.example.com and both have MX records, do you add, or do you replace?
<kentonv> pretty sure if a host is a CNAME, you can't have other records on it
<TimMc> So it's likely that my reasoning is precisely *wrong*: It's not that CNAME is too specific, it's that (perhaps) it is too general. :-)
<TimMc> Yeah agreed, that would be counter to spec.
<TimMc> and I'm trying to figure out why
<TimMc> It would be nice if there were a commonly-supported pseudo-record along the lines of what CloudFlare provides, maybe "bar.example.com. COPY foo.example.com." and the authoritative resolver would just keep the A and AAAA records (or whatever) up to date with periodic queries.
<TimMc> Not exactly a recursive resolver.
<kentonv> I mean, the authoritative resolver can implement whatever features it wants, no need to change the spec
<kentonv> (like Cloudflare does in this case)
<kentonv> I guess that's what you mean? That it would be nice if more DNS servers supported this feature.
<kentonv> (kind of like how wildcards aren't part of the spec, just a commonly-supported feature)
<TimMc> Yes, exactly.
<TimMc> "Commonly supported" so it would be portable to other resolvers. :-)
<kentonv> what do you mean "portable"?
<TimMc> Well, right now if you want to switch to a different DNS provider, I assume you can more or less copy zone files around.
<TimMc> Having out-of-DNS-spec pseudo-records would make that harder.
<georgeowell> hmm that's weird
<georgeowell> Gandi has something called "web forwarding"
<kentonv> that usually means they'll return a 301 redirect for you
<kentonv> that is, their own web server will answer the requests but just always return redirects
<georgeowell> pretty horrific solution :)
<kentonv> or sometimes there's a mode where it returns a page containing one big iframe containing your target site, which is even more horrific
<kentonv> the URL bar doesn't update when you click links, etc.
<georgeowell> o jeez
<georgeowell> well I just set it on a redirect for now so at least the site is available
<kentonv> FWIW I'd suggest setting yoursite.com to redirect to www.yoursite.com, then configure that as a CNAME
amnesium has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
<kentonv> georgeowell, also, is it a self-hosted server, or Oasis?
<georgeowell> self hosted
<kentonv> ah, and not on a static IP probably?
<georgeowell> yep static IP
<kentonv> oh, if it's a static IP then you can configure your DNS to point at that IP
<kentonv> you don't need a CNAME
<georgeowell> what happens if there are multiple Wordpress grains?
<kentonv> that's what the sandstorm-www txt record is for
<georgeowell> ah I see!
<georgeowell> it would still have to be on a subdomain no?
<kentonv> no, you can do the same on a subdomain, but it's easier to use a CNAME record where it's allowed
<kentonv> like you can have example.com and foo.example.com... then you'd need TXT records on sandstorm-www.example.com and sandstorm-www.foo.example.com
<georgeowell> nice
<georgeowell> yeh I kinda wanted https though so I might just leave it as it is for now
<kentonv> Cloudflare... ;)
<georgeowell> yup ^.^
<kentonv> (disclosure on the off chance people don't know this: I work for Cloudflare)
<georgeowell> what's been going on with Tor/Cloudflare. It seems a hell of a lot better situation these days.
<kentonv> we implemented Privacy Pass
<kentonv> which is neato cryptography that lets you prove you are a human once and then use that proof to visit multiple web sites without people being able to track you
<georgeowell> oh wow I totally didn't know what CAPTCHA stood for :)
pie__ has quit [Ping timeout: 276 seconds]
<georgeowell> "Completely Automated Public Turing test to tell Computers and Humans Apart"
<ocdtrekkie> I am going to go postal about ReCAPTCHA one of these days.
<georgeowell> hmm but how is it related to people using Tor browser?
<kentonv> the other end of Privacy Pass is implemented by the Tor browser
<georgeowell> oh nice! I must have totally missed that news.
<georgeowell> I even went to the tor Q&A at chaos congress and should have clocked that no one mentioned Cloudflare ^.^
harish has joined #sandstorm
<kentonv> we still get people complaining on Twitter from time to time but then we ask them when they last actually saw a CF CAPTCHA and they're like "um... actually it's been a while"
<kentonv> but, you know, people love to hate
<simpson> I wouldn't worry about it too much.
<simpson> Certainly I don't think there's anything CF can do to improve their reputation with folks like me, and that's okay.
amnesium has joined #sandstorm
<georgeowell> also TBB has javascript enabled by default now
mike-byn has joined #sandstorm
<mike-byn> hello guys
<mike-byn> I'm stuck for quite a few hours, I can't access the link generated by admin-token
eldritch has joined #sandstorm
eldritch has quit [Max SendQ exceeded]
eldritch has joined #sandstorm
pie__ has joined #sandstorm
mike-byn has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
<TimMc> kentonv: Oh, did Privacy Pass actually get integrated into Tor Browser, then? I thought it was still pretty alpha.
<TimMc> I've been waiting for something like that to be developed for *years*, but didn't know enough crypto to do it myself.
<TimMc> I still see ReCAPTCHA everywhere else, of course, and half the time I just close the tab. -.-
TMM has joined #sandstorm
<TMM> hi all!
<TMM> I'm moving my sandstorm instance to another machine with a different IP
<TMM> I'm using sandcats.io
<TMM> I'm trying to work out what the best way of doing this is
<TMM> It seems that there's an option of reusing an old dns name when reinstalling
<TMM> but can I actually just lift and shift the installation I have now? or is it better to reinstall sandstorm and copy over some bits from /opt/sandstorm?
afuentes has quit [Ping timeout: 260 seconds]
<xet7> TMM: I would just stop sandstorm, make tar archive with all file permissions like at https://askubuntu.com/questions/225865/copy-files-without-losing-file-folder-permissions , then install sandstorm to new server, change IP to point to new server, unarchive that tar, and replace whole /opt/sandstorm
<xet7> and then start sandstorm
<xet7> and then login to sandstorm with "sudo sandstorm admin-token" and follow link
<xet7> and then add additional authentication methods like Google login etc, if you use those
<TMM> ok, I can do that, thanks
<xet7> :)
<TMM> and it'll change my sandcats.io ip automatically?
<xet7> Yes
<xet7> it has all the settings etc at /opt/sandstorm
<TMM> ok, if that is safe then I can do that
<TMM> that was one of the options I had in mind
jemc has quit [Ping timeout: 240 seconds]