[2026-04-16T05:29:02Z] i fucking hate the linux networking stack so much
[2026-04-16T10:59:25Z] kris_: why
[2026-04-16T12:24:11Z] hmm
[2026-04-16T12:24:18Z] midfavila: ping testing
[2026-04-16T12:24:26Z] @midfavila (https://matrix.to/#/@irc_libera__midfavila:sewn.moe): pill testing
[2026-04-16T12:24:31Z] ok
[2026-04-16T12:24:42Z] bold messages
[2026-04-16T12:24:57Z] inline replies
[2026-04-16T12:25:01Z] this sucks
[2026-04-16T12:46:27Z] sewn: odd behavior that isn't super obvious
[2026-04-16T12:47:04Z] like the virtio stuff handles packets differently apparently, i moved my vpn gateway to a VM and it was way way overshooting my network's MTU sizing and it took me forever to figure out it was a VM moment
[2026-04-16T12:47:14Z] apparently it will kinda glob packets together to reduce cpu cycles
[2026-04-16T12:47:33Z] also, apparently icmp redirects are a thing
[2026-04-16T12:48:13Z] when shutting down my vpn gateway my machines were suddenly discovering a new route via my real router because the vpn gateway sent a redirect on shutdown because apparently that's a default
[2026-04-16T12:48:26Z] apparently accepting those is also a default
[2026-04-16T12:58:01Z] my network is getting really complicated
[2026-04-16T13:01:42Z] and you're wondering why it sucks?
[2026-04-16T13:01:43Z] maybe that's why
[2026-04-16T13:03:05Z] wdym
[2026-04-16T13:03:23Z] your experience of the sucky linux networking stack is a result of your complicated setup
[2026-04-16T13:03:26Z] it was working fine on real hardware so i spent hours chasing ghosts which is why i'm upset
[2026-04-16T13:03:46Z] it's not thaaat complicated anyway
[2026-04-16T13:04:14Z] openbsd router running wireguard is my normal router, i have a VM running diskless alpine that runs a vpn connection to airvpn
[2026-04-16T13:04:33Z] i route specific machines through the vpn gateway VM by simply changing their default gateway
[2026-04-16T13:04:36Z] bing bang boom
[2026-04-16T13:05:43Z] the issue with the virtualization came in when i was vpn'd into my house via my main router and was trying to connect to services (like my irc bouncer) that are going through the vpn gateway
[2026-04-16T13:06:10Z] wireguard adds a lot of overhead MTU size wise so it was exceeding the maximum because of the virt networking stack
[2026-04-16T13:06:55Z] because the irc bouncer would reply and it would fragment the packet and not get routed back to me
[2026-04-16T13:07:31Z] anyway after much effort i now have 4 devices running through one airvpn connection
[2026-04-16T13:07:40Z] and can add more with 1 setting
[2026-04-16T13:09:02Z] "just don't do stuff" isn't really an excuse for braindead default behavior
[2026-04-16T13:23:56Z] yes it is
[2026-04-16T13:23:57Z] lol
[2026-04-16T13:24:02Z] you're in #kisslinux dude come on
[2026-04-16T13:24:50Z] if you're doing complex stuff then you should expect to have to be exceptionally thorough
[2026-04-16T13:25:05Z] simple as
[2026-04-16T13:29:24Z] midfavila: how's it related
[2026-04-16T13:29:31Z] >this default behavior is illogical
[2026-04-16T13:29:37Z] >simply don't build a router then
[2026-04-16T13:30:09Z] would make sense to change the default behavior
[2026-04-16T13:35:35Z] for you, perhaps it's illogical, but i'm sure it's there for a reason
[2026-04-16T13:35:43Z] if not you could always open a pull request with the maintainers
[2026-04-16T13:46:13Z] some of this stuff is there to reduce the amount of cpu cycles
[2026-04-16T13:47:48Z] like the packet globbing thing
[2026-04-16T13:47:58Z] as for the router advertisement thing, *listening* for that makes sense, sending them out i don't think does
[2026-04-16T13:48:20Z] because if you have a system with a static route you've set explicitly and something sends it a packet going "hey actually use this router instead" that's just so silly to me
[2026-04-16T13:48:29Z] i need to play with that because i wonder if there's an attack vector there
[2026-04-16T13:49:38Z] i'm wondering if openbsd has the same behavior by default, has consistently been the best OS experience i've ever had in every aspect ngl
[2026-04-16T13:51:40Z] personally I'm a bad network member and just disable icmp
[2026-04-16T13:55:55Z] I'll never have to set this up from scratch again though so guess it's fine
[2026-04-16T17:13:01Z] kris_: https://landlock.io/talks/2024-06-06_landlock-article.pdf
[2026-04-16T17:21:22Z] Ozymandias42: hell yeah
[2026-04-16T17:21:36Z] i love the idea of landlock being implemented as something that can actually be used
[2026-04-16T17:22:20Z] i'll look at this more thoroughly once i'm out of class, i know the kiss-ng package manager uses landlock for build isolation
[2026-04-16T17:23:11Z] https://github.com/git-bruh/kiss-ng
[2026-04-16T17:28:59Z] i don't think it would be too much effort to write some sort of small wrapper around landlock in C to be orchestrated via shell script or w/e
[2026-04-16T17:42:37Z] probably not, that is what it's meant for. from what I understand it seems to be inspired by obsd's pledge/unveil the most
[2026-04-16T17:43:13Z] yeah it's kind of our equivalent
[2026-04-16T17:43:22Z] but it can absolutely be used for things like build isolation
[2026-04-16T17:43:32Z] btw. the amount of security technologies in Linux is WILD
[2026-04-16T17:43:39Z] yeah there are a lotttt of LSMs
[2026-04-16T17:43:47Z] not just those
[2026-04-16T17:43:53Z] LSMs are just a small subset
[2026-04-16T17:44:00Z] i mean there's also the add-in stuff like apparmor/selinux/whatever else exists
[2026-04-16T17:44:13Z] those are AppArmor, SELinux, Tomoyo, SMACK, YAMA and Landlock
[2026-04-16T17:44:23Z] never heard of tomoyo, smack, or yama
[2026-04-16T17:44:33Z] but then there's seccomp which is BPF based
[2026-04-16T17:44:42Z] then there's capabilities, which are their own thing again
[2026-04-16T17:44:42Z] personally as you know i don't really see a point in apparmor or selinux these days, they're kind of rendered redundant by other things
[2026-04-16T17:44:45Z] like flatpak and whatnot
[2026-04-16T17:44:52Z] obviously not entirely
[2026-04-16T17:45:06Z] that was my thinking too after that great talk I had with the guys on #openbsd this week
[2026-04-16T17:45:09Z] capabilities are interesting
[2026-04-16T17:45:17Z] ..before not after
[2026-04-16T17:45:32Z] the #openbsd channel is shockingly active
[2026-04-16T17:45:38Z] now I do see the point of SELinux even after all the other things even if I still think it's a lot less important than before those
[2026-04-16T17:45:46Z] yeah and those guys are amazingly smart
[2026-04-16T17:45:50Z] i'm only in here and zfsbootmenu at the moment though to reduce the amount of channels i'm potentially spamming given my new network setup
[2026-04-16T17:45:56Z] same with the people in ##proxmox
[2026-04-16T17:46:05Z] #netbsd is also cool
[2026-04-16T17:46:09Z] ##slackware and #crux too
[2026-04-16T17:46:16Z] #linux is a pit
[2026-04-16T17:46:25Z] heck I happened to see that one of the guys there seems to be a colleague from a neighboring Uni. I've seen the address he logged in from
[2026-04-16T17:46:48Z] oh also wayland is apparently working rather well on openbsd these days
[2026-04-16T17:46:57Z] i'm not going to switch to it on desktop but it's getting there
[2026-04-16T17:47:03Z] awesome. seems I need to dig out my obsd VM again
[2026-04-16T17:47:25Z] someone i follow on mastodon (justine smithies) apparently got mangowc working on openbsd without too much trouble
[2026-04-16T17:47:33Z] #linux is not nearly as cultured and well behaved, yes. but there's some smart people there too. though a good bit less friendly
[2026-04-16T17:47:37Z] libreboot leah has packaged librewolf for openbsd meaning it also has the only browser i'm willing to use now
[2026-04-16T17:47:55Z] so really the only thing stopping me from using it on desktop is the off-chance i feel like gaming
[2026-04-16T17:48:10Z] freebsd would cover 110% of my needs on desktop so if i finally do decide to jump ship i can just use that
[2026-04-16T17:48:19Z] tbh there's not a need i have that freebsd doesn't cover rather well
[2026-04-16T17:48:42Z] wanna help me put together an overview of security technologies?
[2026-04-16T17:49:12Z] you probably know more about it than me at this point i kinda just use flatpak and containers and don't care otherwise
[2026-04-16T17:49:28Z] outside of my generic hardening stuff like kernel pointer randomization / memory poisoning / basics like that
[2026-04-16T17:49:36Z] https://pad.envs.net/sheet/#/2/sheet/edit/u+ktqCeLSMtS2QGzQLmnLuU+/
[2026-04-16T17:49:40Z] as of yesterday, disabling ICMP router redirects
[2026-04-16T17:49:46Z] since apparently that's a thing, dumbest shit i've ever seen
[2026-04-16T17:49:51Z] *imo*
[2026-04-16T17:50:22Z] Ozymandias42: another thing i'll have to look at once i get back to my buddy's house
[2026-04-16T17:50:57Z] if you want me to infodump about security stuff i'm familiar with i can, but i don't generally use things like landlock/selinux/apparmor so that'd have to be all you
[2026-04-16T17:51:18Z] I don't use them either
[2026-04-16T17:51:36Z] but I have in the past and want to now look at all these things
[2026-04-16T17:51:50Z] I feel like I should know at least loosely what is available and what they do
[2026-04-16T17:52:09Z] it's kinda important what with software getting worse in quality (JS) and security
[2026-04-16T17:52:48Z] btw. I'm now at the point in the spreadsheet where I might add cgroups, or flatpak but I'm not sure if those should even be counted as security mechanisms
[2026-04-16T17:53:12Z] I mean namespaces _can_ be used to better security but they are more meant for context isolation
[2026-04-16T17:53:39Z] most of the hardening i do with my systems is in the context of someone getting their hands on my shit
[2026-04-16T17:53:49Z] most people don't understand how to properly set up a boot chain
[2026-04-16T17:54:03Z] also memory poisoning is an underrated thing you can do
[2026-04-16T17:54:14Z] init_on_free if you wanna look into that
[2026-04-16T17:54:41Z] does that mean zeroing memory on freeing?
[2026-04-16T17:55:04Z] yep. it does it explicitly- it costs a bunch of cpu cycles but it prevents things like cold boot attacks
[2026-04-16T17:55:25Z] so when your system unmounts / on shutdown it'll explicitly zero everything
[2026-04-16T17:56:11Z] i don't personally care much about ~5% of my CPU performance going down the drain but those using low performance cpus might
[2026-04-16T18:20:59Z] lol. TIL: TOMOYO is a backronym "Task Oriented Management Obviates Your Onus" but also a reference to the character Tomoyo Daidouji from Cardcaptor Sakura
[2026-04-16T19:02:23Z] Ozymandias42: this is the first i'm seeing cryptpad
[2026-04-16T19:02:38Z] this website is horrendously slow
[2026-04-16T19:02:56Z] unusably so, i'm guessing because i don't have gpu acceleration set up with librewolf
[2026-04-16T19:04:20Z] kris_ re isolation: I got a sandbox wrapper running on top of bwrapper
[2026-04-16T19:04:42Z] still haven't shared it as it's pretty raw, but the basic principle works. I also did some support scripts to get recursive dependencies and the like
[2026-04-16T19:05:08Z] also worked on an aria2c bulk downloader, but that requires a PR I haven't made yet
[2026-04-16T19:05:34Z] it's a very low-priority project, hence all the "not yet" :P
[2026-04-16T19:05:43Z] but if there's interest I can share my findings as of now
[2026-04-16T19:06:19Z] while kiss-ng looks really nice, I think there's still value in wrappers or straight improvements to the original shell implementation
[2026-04-16T19:06:36Z] i don't see any reason the package manager should be moved away from using shell
[2026-04-16T19:06:47Z] if anything, small bits written in a compiled language for the shell impl to orchestrate
[2026-04-16T19:06:59Z] and zig still requires the whole llvm chain, so
[2026-04-16T19:07:01Z] afaik
[2026-04-16T19:07:04Z] well bwrap works surprisingly well, although I don't think it's as fine grained as landlock
[2026-04-16T19:07:15Z] bwrap is what i was looking into using for my own build system
[2026-04-16T19:07:21Z] given i don't really intend on using kiss personally
[2026-04-16T19:07:36Z] cool
[2026-04-16T19:07:45Z] i'm not sure what has to come along with bwrap though
[2026-04-16T19:08:04Z] bwrap is not completely documented IIRC
[2026-04-16T19:08:13Z] is there anything that is? :p
[2026-04-16T19:08:20Z] well, slightly less than other stuff :P
[2026-04-16T19:08:24Z] definitely more than alpine lol
[2026-04-16T19:08:36Z] man I really should try to upstream some of my notes to the wiki
[2026-04-16T19:09:03Z] alpine's wiki is the only distro wiki i've ever contributed to given how anemic it is
[2026-04-16T19:09:20Z] i ended up putting this here just for myself https://kris.sh/posts/alpine-diskless-install/
[2026-04-16T19:09:32Z] because i took one look at their diskless bits on the wiki and it was just so convoluted for what i was after
[2026-04-16T19:10:07Z] also re: don't intend on using kiss- what i mean is i intend on more or less bootstrapping off of kiss to detach from it
[2026-04-16T19:10:22Z] i'd like to write a build system that's kind of xbps-src adjacent because it is very cool
[2026-04-16T19:10:29Z] but i also really like gentoo's use flags system
[2026-04-16T19:10:40Z] i'm pretty sure all of this can still be done in just posix shell
[2026-04-16T19:11:48Z] nice notes kris
[2026-04-16T19:11:51Z] reflects some of my experience too
[2026-04-16T19:12:12Z] tyvm
[2026-04-16T19:12:22Z] i don't think i'm going to document the vpn gateway half of this because it's just too complex
[2026-04-16T19:12:30Z] i'm not sure if i could explain it in a way that would apply to most people
[2026-04-16T19:12:41Z] kris_: do you know if there's a way to stop the automatic mounting
[2026-04-16T19:12:56Z] because while it's important to wipe the initial disk it will still try to load the modloop and potentially explode
[2026-04-16T19:13:06Z] and it's extra annoying to reboot a thousand times
[2026-04-16T19:13:23Z] automatic mounting?
[2026-04-16T19:13:26Z] of the boot media?
[2026-04-16T19:13:36Z] of the overlay/whatever
[2026-04-16T19:13:52Z] not sure, if anywhere it's in /etc/fstab
[2026-04-16T19:14:07Z] i don't have access to that system at the moment so can't look around
[2026-04-16T19:14:23Z] no worries
[2026-04-16T19:14:30Z] I think it does it earlier than that, in the initramfs
[2026-04-16T19:14:34Z] idk, most of alpine is still a bit of a black box to me
[2026-04-16T19:14:38Z] should look for a boot param
[2026-04-16T19:14:45Z] it's actually surprisingly less alien than it looks
[2026-04-16T19:14:48Z] it's a bunch of shell scripts
[2026-04-16T19:14:55Z] they're just completely undocumented lol
[2026-04-16T19:14:58Z] yeah i know, it's just laid out very differently from what i'm normally using
[2026-04-16T19:15:07Z] had to crawl through them to figure out how the hell to have diskless cryptsetup
[2026-04-16T19:15:17Z] you should doc that
[2026-04-16T19:15:19Z] despite an almost sufficient (for my purposes) blog post
[2026-04-16T19:15:33Z] but i think eventually i'm going to just ditch alpine for the vpn gateway usecase and go back to openbsd given i'm not running this on a system with 8gb of emmc anymore
[2026-04-16T19:15:53Z] while it's working i'm not going to touch it though
[2026-04-16T19:15:54Z] yea I'll defo make at least a note on my website
[2026-04-16T19:16:01Z] "note" being "living blog post"
[2026-04-16T19:17:02Z] i need to make more posts on my website
[2026-04-16T19:17:12Z] though nobody looks at it, it's basically my own documentation for me
[2026-04-16T19:18:30Z] what's the url to yours?
[2026-04-16T19:20:08Z] that page was super slow for me too which is why -since you hadn't joined then- I stopped using it and went to libreoffice
[2026-04-16T19:20:09Z] kris_: deralmas.me
[2026-04-16T19:20:19Z] pretty empty website, as usual lol
[2026-04-16T19:20:32Z] my best piece right now is the flatpak/dbus guide
[2026-04-16T19:20:47Z] it's in the notes section
[2026-04-16T19:20:47Z] do you use an ssg for this
[2026-04-16T19:20:52Z] nope
[2026-04-16T19:20:57Z] see https://www.deralmas.me/blog/showing-my-stuff.html
[2026-04-16T19:21:03Z] Ozymandias42: yeah idk dude, i never use spreadsheets or anything like that
[2026-04-16T19:21:06Z] I do some funny formatting tho
[2026-04-16T19:21:11Z] like, by hand
[2026-04-16T19:21:12Z] i just use plaintext files to organize my thoughts like this
[2026-04-16T19:21:14Z] sometimes markdown
[2026-04-16T19:21:24Z] i need to become acquainted with org mode at some point since i'm obsessed with emacs
[2026-04-16T19:21:27Z] if you look at the source of that page, you can see what I mean
[2026-04-16T19:21:31Z] I only use spreadsheets for stuff like that
[2026-04-16T19:21:45Z] when I need to put together a matrix for comparisons spreadsheets are the way to go
[2026-04-16T19:21:53Z] heck I even use tables in markdown files for that
[2026-04-16T19:22:29Z] idk at some point i plan on setting up a local docs repo
[2026-04-16T19:22:37Z] as in, a lighttpd server hosting my plaintext files
[2026-04-16T19:22:43Z] so i can just browse them and click on the one i want
[2026-04-16T19:22:44Z] if it's for a knowledge base I'd suggest using Joplin
[2026-04-16T19:23:00Z] or actually what am i thinking, i keep forgetting
[2026-04-16T19:23:01Z] that can use basically any backend you like and can also use plain markdown files mode
[2026-04-16T19:23:10Z] an openbsd httpd server hosting just plaintext files
[2026-04-16T19:23:21Z] I don't use that though. I use the joplin server component with a postgres database
[2026-04-16T19:23:31Z] way overcomplex for the task imho
[2026-04-16T19:23:43Z] but it could also use stuff like nextcloud or any webdav server really and just use plaintext
[2026-04-16T19:23:45Z] a hugo template would probably work pretty well if you wanted something more fleshed out
[2026-04-16T19:23:53Z] it also can encrypt the stuff clientside too
[2026-04-16T19:23:58Z] well, i don't have a nextcloud/webdav server or anything resembling that
[2026-04-16T19:24:06Z] sftp is the most complex thing you'll see in my stack in that regard
[2026-04-16T19:24:09Z] kris_: I made a wiki
[2026-04-16T19:24:20Z] I use it to store all my stuff (computer or not)
[2026-04-16T19:24:29Z] very cool
[2026-04-16T19:25:06Z] source code => https://framagit.org/Mindiell/kiwi
[2026-04-16T19:25:11Z] it's python
[2026-04-16T19:26:18Z] md files behind that I can import on my own computer for local editing if needed
[2026-04-16T19:26:34Z] md files are always good
[2026-04-16T19:26:51Z] that was kind of my intention behind thinking about using hugo
[2026-04-16T19:27:29Z] but there are other ways to deal with markdown out there, i could probably get emacs to render it pretty easily
[2026-04-16T19:27:38Z] or, there are tons of other terminal markdown renderers
[2026-04-16T19:27:47Z] the issue there is that images in the terminal are evil
[2026-04-16T19:30:17Z] that may be a project for this weekend
[2026-04-16T19:30:40Z] or i'll write an actual ssg in C++ to get a sense of the language since i need to anyway
[2026-04-16T19:42:03Z] Mindiell: looks neat
[2026-04-16T20:01:58Z] https://www.youtube.com/watch?v=JdPyQgLHVIg
[2026-04-16T20:18:30Z] kris_: thx