Sigh ... boots a C64 with a rather odd coax to SCART to HDMI daisy-chain video interface. I also have a QSII joystick that I didn't quite manage to ruin playing Daley Thompson's Decathlon.
"You ship something with no known bugs and then someone finds one."
You managed to say that with a straight face!
Let's keep this ... non-partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother to patch them out when caught out.
How on earth are embedded creds in any way "no known bugs"?
I think we are on the same side (absolutely) but please don't allow the buggers any credibility!
> How on earth is embedded creds in any way: "no known bugs"?
You misunderstand how organizational knowledge works. You see, it doesn't.
Someone embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point.
Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists.
The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it.
> When you are building software, you build a security process, not security individuals or stuff like this happens.
You can't solve an incentive problem with process because then they lack the incentive to follow the process.
To enforce a law you need to be able to identify a violation at a point in time when you can still impose a penalty for it. When a device is first released, you don't yet know if anyone will find a vulnerability in it or if the company will stay around to update it if they do. By the time you find out if it will happen, you can't punish them for the same reason they can't provide updates: they've ceased operations and no longer exist. So that doesn't work.
> With software writers the losses occur to the end user.
Which is why the end user needs to be empowered to efficiently prevent the losses, since they're the one with the strongest incentive to do it.
Me and the wife (en_GB - draw your own conclusions!) love a decent coffee but can't be arsed with too much wankery over it. We have owned a few kitchen built in units and I've messed with a couple of grinders and espresso pots in the past.
Wifey found a kitchen built in unit a few years ago and it is still doing the job, very nicely.
Let's face it, what you want is a decent coffee and you have to start from that point, not what sort of bump or grind (that's grindr).
I want a cup of coffee with:
- Correct volume - sometimes a shot, mostly an "Americano" - I'm British don't you know
- Correct temperature - it'll go really bitter if too hot. Too cold - ... it'll be cold.
- Crema - A soft top is non negotiable
- Flavour - Ingredients and temperature (mostly)
The unit we have now manages bean to cup quite reasonably, without any mensuration facilities. I have made coffee for several Italians and they were quite happy with the results.
I've run DNS servers in the past - BIND and pdns. I've now gone all in ... because ... well it started with ACME.
As the OP states you can get a registrar to host a domain for you and then you create a subdomain anywhere you fancy and that includes at home. Do get the glue records right and do use dig to work out what is happening.
Now with a domain under your own control, you can use CNAME records in other zones to point at your zones and if you have dynamic DNS support on your zones (RFC 2136) then you can now support ACME, i.e. Let's Encrypt and ZeroSSL and co.
Sadly certbot doesn't do (or it didn't) CNAME redirects for ACME. However, acme.sh and simple-acme do and both are absolutely rock solid. Both of those projects are used by a lot of people and well trod.
simple-acme is for Windows. It has loads of add-on scripts to deal with scenarios. Those scripts seem to be deprecated but work rather well. Quite a lot of magic here that an old school Linux sysadmin is glad of.
PowerDNS auth server supports dynamic DNS and you can filter access by IP and TSIG-KEY, per zone and/or globally.
> don't expect it to automatically set up your webserver to use the certificates it obtains.
This makes me so happy. acme.sh and certbot trying to do this is annoying, Caddy trying to get certs by default is annoying. I ended up on a mix of dehydrated and Apache mod_md but I think I like the look of uACME because dehydrated just feels clunky.
Neat, I've used lego (https://github.com/go-acme/lego) but will certainly have to give uacme a look, love me a simple ACME client.
acme.sh was too garish for my liking, even as a guy that likes his fair share of shell scripts. And obviously certbot is a non-starter because of snap.
Certbot has earned my ire on just about every occasion I've had to interact with it. It is a terrible program and I can't wait to finish replacing it everywhere.
The new setup is using uAcme and nsupdate to do DNS-01 challenges. No more fiddling with any issues in the web server config for a particular virtual host, like some errant rewrite rule that prevents access to .well-known/.
I mean certbot handles the just issue me a cert via DNS-01 and I'll do the rest flow just fine. Massive overkill of a program for just that use-case but it's been humming along for me for years at this point. What's the selling point for uACME?
> Sadly certbot doesn't do (or it didn't) CNAME redirects for ACME.
Are you certain? Not at a real machine at the moment so hard for me to dig into the details but CNAMEing the challenge response to another domain is absolutely supported via DNS-01 [0] and certbot is Let's Encrypt's recommended ACME client: [1]
> Since Let's Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation specific server or zone.
... which is a very common pattern I've seen hundreds (thousands?) of times.
The issue you may have run into is that CNAME records are NOT allowed at the zone apex, for RFC 1033 states:
> The CNAME record is used for nicknames. [...] There must not be any other RRs associated with a nickname of the same class.
... of course making it impossible to enter NS, SOA, etc. records for the zone root when a CNAME exists there.
P.S. doing literally fucking anything on mobile is like pulling teeth encased in concrete. Since this is how the vast majority of the world interfaces with computing I am totally unsurprised that people are claiming 10x speedups with LLMs.
I tried this too a couple months ago, OP is right, certbot doesn't support the CNAME aliases: it lacks logic to add the TXT record to the redirected name, instead of the name in the certificate.
...I can make certbot talk to the foo.bar.com DNS server, but it tries to add the TXT record for _acme-challenge.foo.com, which that DNS server obviously rejects (and even if it accepted it, that obviously wouldn't work).
I'd be happy to hear there's a way to do it that I missed. Also I'm specifically talking about the rfc2136 support, maybe some of the proprietary certbot backends do support this.
I think CNAME redirections not being supported is a reasonable choice. It would make my life easier as well but it opens all kinds of bad possibilities that bad actors would definitely use.
Can you give me an example where this is a problem? If someone can create a CNAME they can create a TXT (ignoring the possibility of an API being restricted to just one).
Without CNAME redirect I wouldn't be able to automatically renew wildcard SSL for client domains with DNS that has no API. Even if they do have an API, doing it this way stops me from needing to deal with two different APIs.
People forget configurations and a CNAME can be left behind when the domain it was pointing to changes owner. Then someone unauthorized can make certs for a domain that isn't theirs.
Ok I asked for an example and you provided one, that's fair. It also makes the second domain a target.
I had someone issue a cert on one of my subdomains because I forgot to remove DNS after cancelling a VPS, and the VPS provider didn't remove the reverse DNS so they found it. Small attack, but it happened.
Seconded. Don’t use certbot; it’s an awful piece of user-hostile software, starting from snap being the only supported installation channel. Everything it does wrong, acme.sh does right.
Same on Debian trixie. certbot works fine for me. Zone records in BIND, generate the DNSKEY, cronjob to re-sign it daily and you're off to the races. No problems, no snaps.
Unfortunately, it's more than that: the Linux installation instructions on the certbot website[0] give options for pip or snap. Distro packages are not mentioned.
I feel no need to. I'm quite certain that the certbot folks are aware of the existence of distro packages and even know how to check https://pkgs.org/download/certbot for availability. One might guess that they only want to supply instructions for upstream-managed distribution channels rather than dealing with e.g. some ancient version being shipped on Debian.
Please don't tell people to RTFA. I have and it is still entitled rambling bollocks.
Is this really leading edge ... whatever it is supposed to be:
"The popular horse-switching fantasy answer is retraining. “Go back to school and become an engineer.” In theory, yes. In practice, rarely. The jump from an assembly-line worker to an engineer requires years of schooling and a different educational foundation."
They might as well pat the person who is losing their livelihood on the head and say "there, there, it will all come good in the wash".
I think I'm with you on this. The dribbling cynicism, pontification and entitledness is rather grating.
There are some uncommonly long ... m long ... dashes, sprinkled in para six and again later on. Perhaps our hero has a charmap app handy or has a remarkable keyboard or remembers a carefully curated, slack handful of compose sequences.
The system prompt for this beastie must surely have started with: You are a complete wanker, riff on the eighties "loadsa money" theme.
There are an awful lot of groups installing Linux on Win 10 cast offs around the world.
My uncle runs one in Bradford on Avon and they are slapping on an OS for you whilst you sup tea and chat. Often, the user-agent is set to something Microsoftie in the browser. If necessary Edge is installed but that is frowned on 8)
I have not heard of this MacBook Neo thing ... Why would ? I only own a little IT company and hang around on HN.
1. The usage statistics don't reflect your anecdotal Linux usage; Linux desktop/laptop usage share has not grown that significantly in 20 years and Windows remains quite dominant.
2. MacBook Neo was widely discussed on HN not very long ago, and I'd think if anything an owner of an IT company would be more aware of it than an average HN user. It's definitely going to shake up the market for lower-end laptops.
1. The devil is in the details: How are those stats gathered? Many, if not most Linux users hide their OS affiliation via USER-AGENT
2. Missed it or perhaps blanked it. It really will not shake up the lower end because anyone wanting a lower end laptop (whatever that is) will insist on it running Windows and not Apple's.
There is a really good reason why car manufacturers run multiple marques - the budget, standard and premium ones. Attempting to put the Apple "premium shine" on a budget effort may backfire spectacularly (and devalue the entire brand) or maybe they will somehow manage to re-invent marketing.
I’m not sure what market you are in, but this thing will absolutely upend the low end market in North America. This is a MacBook which handily competes with used/refurbished M1 airs for performance, but sells for less. Hell, it sells for less than an iPhone.
They have managed to keep the build quality without really sacrificing anything you would expect on an entry level computer.
My experience with the low end of laptops is that people can’t even tell you what OS they have (chrome or windows). People are going to see this and think that apple makes good phones, good tablets, and now good computers for affordable prices. The existence of the c model iPhones never “cheapened” the high end models. The existence of the iPad does not cheapen the iPad Pro. All the reviews and media basically are people wondering how they managed to create such a high quality product at this price point.
It’s a general purpose computer that runs MacOS, just like every other Mac from the past few decades.
If you want an ad to tell you what that means, well...
There is great value to be had in reusing old hardware selling for a fraction of new pricing. There is great value to be had in an affordable machine with great battery life, light weight durable design, and a user friendly interface that will work and be supported for the better part of a decade. Knowing that some customers will be better served by the former or the latter is pretty valuable.
As an aside, if you are concerned about e waste, take a look at the teardown videos of this machine. This is being touted by many as the most repairable Mac in decades (admittedly, a low bar). Just about every component can be replaced in a few minutes with nothing more than a screwdriver
Never quite that cheap, but budget is relative, and the Neo is certainly a new degree of meeting that category, but I think in those relative terms the polycarbonate macbook would have been quite a good value for money at the time, even at around ~$1000. You could get cheaper laptops, and you still can, but what you'd get for that money would truly be terrible for the amount you'd save, unless you literally just played solitaire on them.
Even after years of operation, they'd be a decent buy on the used market compared to comparably priced windows laptops that would literally fall apart at the hinges and overheat.
I don't think anyone cares. I remember the switch from a MacBook with a (no-adjective) trackpad to a MacBook with a haptic trackpad. There was absolutely nothing earth-shattering about that switch, it was a great trackpad before and a great trackpad after.
True, I don’t think people care since Apple’s non-haptic trackpad is still far (and I mean FAR) better than anything else in the market. People who eventually move on to a higher priced Mac with a haptic trackpad will probably feel a difference and think of it as a nice bonus that came with their upgrade (and probably would not like to downgrade, if possible), but I dont think any newcomers would frown at its absence first-hand.
I’d say 100% with a fair share of confidence since Apple’s magic lies both in hardware AND software (as usual). The hardware is already phenomenal (and far above anything else in the market) but the Mac makes fantastic use of it in such a way that neither Windows nor Linux have managed to even start to replicate.
Tried one of those MacBook Neos in a store a few days ago because I got curious.
As a Linux/windows user I was completely baffled that you actually have to click (at least in the default setting) to make a mouse click instead of just giving it a tap. Does anyone prefer that?
> Why would ? I only own a little IT company and hang around on HN.
Something’s not quite right here.
If you hang around HN you have absolutely heard of the Neo. And I’d be downright frightful to have anything to do with your little IT company (whatever service it provides) if you haven’t at the very least /heard/ of the Neo at this point.
I suspect this is a little white lie just to drive a point home but I fail to see the benefit of such an act when all it does is make you look like you’re lying.
I blank threads I'm not interested in. To be honest I certainly did not notice it here and now I have engaged, I've only now noticed the adverts on TV here.
Now I know what I'm looking at, the Neo ads here are so up their own arse that it is unlikely that anyone has noticed what is on offer. It's an Apple {something, in pastel shades} is my only takeaway.