This makes sense to me. I guess I'll start hunting for the equivalent of `govulncheck` for Rust/Cargo.
Separately, I love the idea of the `geomys/sandboxed-step` action, but I've got such an aversion to use anyone else's actions, besides the first-party `actions/*` ones. I'll give sandboxed-step a look, sounds like it would be a nice thing to keep in my toolbox.
I was actually working on this last week, funnily enough. I've been working on a capability analysis tool for Rust, and if you're already generating a call graph via static analysis, taking that and matching it against the function-level vulnerability data that exists in RustSec isn't that hard.
cargo-audit is not quite at an equivalent level yet, it is lacking the specific features discussed in the post that identify the vulnerable parts of the API surface of a library. cargo-audit is like dependabot and others here in that it only tells you that you're using a version that was vulnerable, not that you're using a specific API that was vulnerable.
Saddly, since it relies on a Cargo.lock to be correct it also is affected by bugs that place dependencies in the Cargo.lock, but are not compiled into the binary. e.g. weak features in Cargo currently cause unused dependencies to show up in the Cargo.lock.
Depends on your workflow, I guess. I don't need to handle that case you noted and we delete the branch on remote after it's merged. So, it's good enough for me to delete my local branch if the upstream branch is gone. This is the alias I use for that, which I picked up from HN.
Yeah, there's a myth spread on the internet after Apple announced rcs support in iMessage that it was the end of green bubbles for android users. But green bubbles still exist; they never meant the other party is just using sms, they meant the other party isn't using iMessage.
Yeah, this is closer to what I do, too. I was surprised not to see a Containerfile in the linked github repo in the article (https://github.com/lthms/tinkerbell)
I found working with normal `dnf` and normal config files much easier than dealing with Ignition and Butane. Plus, working with your image in CI/CD instead of locally fixed my ZFS instability. When Fedora kernel updates, but ZFS doesn't support that version yet, now it fails in GitHub Actions and the container is never built, so there's no botched update that my NAS mistakenly picks up.
I can confirm that the Odroid H4 Plus also supports in-band ECC. If I remember right, Memtest86 showed different stats when I ran it with in-band ECC enabled/disabled though I didn't have a good way to test that an error was actually corrected.
Some systems allow forcing an ECC error, but assuming that's not available, if you can adjust memory voltages or timings, you can usually encourage errors that way and confirm memtest detects ECC corrections.
All CPUs with ECC support allow the forcing of ECC errors, but unfortunately in recent years the CPU vendors usually do not document how.
Only when they expose this feature in Linux EDAC drivers it becomes possible to do this. In the past Intel had maintained well its Linux EDAC drivers, but AMD had frequently great delays between the launch of a CPU and the update of the drivers. After the many lay-offs at Intel, it is unknown whether in the future their Linux support will remain as good as in the past.
I went to a b-sides yesterday (so: small, local, cybersecurity-focused) where someone described their feelings toward GenAI as "praying for Star Trek, but planning for Terminator." Someone else described AGI as a short term inevitability.
Not many others addressed it directly. The vibe I got from offhand remarks was that people felt it was a thing being forced upon them that they are resistant to use.
I really like this setup. I think it balances friction and usefulness in exactly the way I've been aiming for.
Still, I have a couple questions about it, since I don't own an iPhone but am considering buying one soon.
1. How does this affect backup and restore? Could I still restore from a backup on a new phone, if needed? I've lost my phone while traveling before and buying a replacement was pretty seamless.
2. Is the ability to disable the profile bound to the Mac you use Apple Configurator on? I don't own a Mac, but if I could use a friend's Mac when I need to make changes this could maybe work.
I've been using the same setup as the author for about a year, I can help some.
1. I don't know, never tried this. I do know iCloud backups still work, because I've used them after wiping my phone. But I think you must plug the new phone into your computer and set it up as a managed device before you load the backup, or else parts of the profile might not take.
2. No, it's not. I traded in my old macbook pro for a mac mini back in May. I was able to use Apple Configurator on the new mac mini to change the profile on my phone. There is one caveat though -- the phone is still technically supervised by the old mac, so you have to confirm the profile by going into the phone's settings. Using the original, you just have to plug the phone in and unlock it.
Even if I couldn't restore the whole profile from backup while traveling (which seems natural), at least it's still possible to restore some data. Which should be enough in the short term.
And that's perfect that I could manage it from a different Mac. That totally works for me. I worried there would be something which prevented that. I'm imagining a parent using this for parental controls, but then the kid disabling it at a friend's house who has a Mac. Works better for my scenario though!
Not totally sure that I'm reading it right, since I've never done MacOS development before, but I'm a big fan of Secretive and use it whenever possible. If I've got it right, maybe Secretive can add PQ support once ML-KEM is out of beta.
I didn't see the author or anyone else mention TouchID yet. That was such a quality of life improvement for me that I switched from Firefox to Chrome on my work MacBook just for that. With SSO+MFA everywhere, TouchID saved me so much hassle.
Also, I must've been using UBO wrong all these years cause I switched to UBOL and didn't notice a difference. So, thanks to the author, I've got a bunch of new settings to try!
I think you're right generally, but I wanna call out the ODROID H4 models as an exception to a lot of what you said. They are mostly upgradable (SODIMM RAM, SATA ports, M.2 2280 slots), and it does support in-band ECC which kinda checks the ECC box. They've got a Mini-ITX adapter for $15 so it can fit into existing cases too.
No IPMI and not very many NVME slots. So I think you're right that a good mATX board could be better.
Not sure about the odroid but I got myself the nas kit from friendly elec. With the largest ram it was about 150 bucks and comes with 2,5g ethernet and 4 NVME slots. No fan and keeps fairly cool even under load.
Running it with encrypted zfs volumes and even with a 5bay 3.5 Inch HDD dock attached via USB
Not totally upgradable, but at least pretty low cost and modern with an optional SATA + NVMe combination for Proxmox. Shovel in an enterprise SATA and a consumer 8TB WD SN850x and this should work pretty good. Even Optane is supported.
You can get a 1 -> 4 M.2 adapter for these as well which would give each one a 1x PCIe lane (same as all these other boards). If you still want spinning rust, these also have built-in power for those and SATA ports so you only need a 12-19v power supply. No idea why these aren't more popular as a basis for a NAS.
Separately, I love the idea of the `geomys/sandboxed-step` action, but I've got such an aversion to use anyone else's actions, besides the first-party `actions/*` ones. I'll give sandboxed-step a look, sounds like it would be a nice thing to keep in my toolbox.
reply