date 2021-12-22
today's howtos

Improving Replication Security With OpenZFS Delegation
Delegation is an OpenZFS feature which allows the system administrator to grant the permission to perform various ZFS operations to unprivileged (read: non-root) users. This sounds more complicated than it really is—in a nutshell, we’re talking about filesystem-like permissions, but applied at the underlying ZFS level. There are as many use cases for OpenZFS delegation as there are for the direct filesystem permissions we’re all familiar with—for example, you could allow a user to snapshot their own home directory, but not the home directories of other users. But rather than indulge in an academic treatise on every possible use of delegation, we’re going to focus on one in particular: unprivileged ZFS replication between machines.

2.5 Gigabit homelab upgrade - with a PoE+ WiFi 6 AP
For the past year, I've slowly upgraded parts of my network to 10 Gigabit. But 10 Gigabit switches, NICs, and even cabling are a bit more expensive and sometimes annoying to deal with than the very-cheap 1 Gbps equipment most homelabbers are used to. I dipped my toes into the 2.5 Gbps waters once I got a NAS with 2.5G ports—you can use standard USB NICs that cost less than $50, or PCIe cards for even less. And cabling is easier, since 2.5G works fine over Cat5e (which I already have run to most of my house).

Completely Switching to RSS Feeds
Really Simple Syndication - portable, extensible, light on network resources. Also, I’ve blocked the regular HTML+JS sites in my browser - more on that later. Currently my newsboat feed is populated with indie sites, blogs, wiki pages, updates to documentation & new software releases, podcasts, YouTube channels, WordPress sites, Telegram Channels, Odysee / LBRY channels, SoundCloud, Bandcamp, Pixelfed, Mastodon & other Fediverse feeds. Unlike most people I don’t use email for newsletters or follow people on social media just for the sake of it, or have notifications in my browser.

Breach Disclosure Blow-by-Blow: Here's Why It's so Hard
For many years now, I've lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It's by far the single most time-consuming activity in processing breaches for Have I Been Pwned (HIBP) and frankly, it's about the most thankless task I can imagine. Finding contact details is hard. Getting responses is hard. Not having an organisation just automatically assume you're trying to shake them down for cash is hard. So hard, in fact, I thought I'd record the process end-to-end and share it publicly to help demonstrate just how painful the process is.

GNU Core Utilities: coreutils-9.1 released

This is to announce coreutils-9.1, a stable release.
See the NEWS below for details.

Thanks to everyone who has contributed!
There have been 210 commits by 10 people in the 29 weeks since 9.0

  Bernhard Voelker (3)        Max Filippov (1)
  Bruno Haible (1)            Paul Eggert (136)
  Christian Hesse (1)         Pádraig Brady (64)
  Daniel Knittl-Frank (1)     Rohan Sable (1)
  Jim Meyering (4)            Ville Skyttä (1)

Pádraig [on behalf of the coreutils maintainers]
==================================================================

Here is the GNU coreutils home page:
  https://gnu.org/software/coreutils/

For a summary of changes and contributors, see:
  https://git.sv.gnu.org/gitweb/?p=coreutils.git;a=shortlog;h=v9.1
or run this command from a git-cloned coreutils directory:
  git shortlog v9.0..v9.1

To summarize the 259 gnulib-related changes, run these commands
from a git-cloned coreutils directory:
  git checkout v9.1
  git submodule summary v9.0

==================================================================

Here are the compressed sources:
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.1.tar.gz   (14MB)
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.1.tar.xz   (5.5MB)

Here are the GPG detached signatures[*]:
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.1.tar.gz.sig
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.1.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  cab498ddc655fd3c7da553d80436d28bc9b17283  coreutils-9.1.tar.gz
  YFXfkmhgPoI5pcnB1kyyW5qZJTDfZuM7jXimYO2zezU  coreutils-9.1.tar.gz
  aa7bf0be95eef29d98eb5c76d4455698b3b705b3  coreutils-9.1.tar.xz
  YaH0ENeLp+fzelpPUObRMgrKMzdUhKMlXt3xejhYBCM  coreutils-9.1.tar.xz

The SHA256 checksum is base64 encoded, instead of the
hexadecimal encoding that most checksum tools default to.

[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify coreutils-9.1.tar.gz.sig

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to update
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key P@draigBrady.com

  gpg --recv-keys DF6FD971306037D9

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=coreutils&download=1' | gpg --import -

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16.4
  Gnulib v0.1-5194-g58c597d13
  Bison 3.7.4

NEWS

* Noteworthy changes in release 9.1 (2022-04-15) [stable]

** Bug fixes

  chmod -R no longer exits with error status when encountering symlinks.
  All files would be processed correctly, but the exit status was incorrect.
  [bug introduced in coreutils-9.0]

  If 'cp -Z A B' checks B's status and some other process then removes B,
  cp no longer creates B with a too-generous SELinux security context
  before adjusting it to the correct value.
  [bug introduced in coreutils-8.17]

  'cp --preserve=ownership A B' no longer ignores the umask when creating B.
  Also, 'cp --preserve-xattr A B' is less likely to temporarily chmod u+w B.
  [bug introduced in coreutils-6.7]

  On macOS, 'cp A B' no longer miscopies when A is in an APFS file system
  and B is in some other file system.
  [bug introduced in coreutils-9.0]

  On macOS, fmt no longer corrupts multi-byte characters
  by misdetecting their component bytes as spaces.
  [This bug was present in "the beginning".]

  'id xyz' now uses the name 'xyz' to determine groups, instead of xyz's uid.
  [bug introduced in coreutils-8.22]

  'ls -v' and 'sort -V' no longer mishandle corner cases like "a..a" vs "a.+"
  or lines containing NULs.  Their behavior now matches the documentation
  for file names like ".m4" that consist entirely of an extension,
  and the documentation has been clarified for unusual cases.
  [bug introduced in coreutils-7.0]

  On macOS, 'mv A B' no longer fails with "Operation not supported"
  when A and B are in the same tmpfs file system.
  [bug introduced in coreutils-9.0]

  'mv -T --backup=numbered A B/' no longer miscalculates the backup number
  for B when A is a directory, possibly inflooping.
  [bug introduced in coreutils-6.3]

** Changes in behavior

  cat now uses the copy_file_range syscall if available, when doing
  simple copies between regular files.  This may be more efficient, by avoiding
  user space copies, and possibly employing copy offloading or reflinking.

  chown and chroot now warn about usages like "chown root.root f",
  which have the nonstandard and long-obsolete "." separator that
  causes problems on platforms where user names contain ".".
  Applications should use ":" instead of ".".

  cksum no longer allows abbreviated algorithm names,
  so that forward compatibility and robustness is improved.

  date +'%-N' now suppresses excess trailing digits, instead of always
  padding them with zeros to 9 digits.  It uses clock_getres and
  clock_gettime to infer the clock resolution.

  dd conv=fsync now synchronizes output even after a write error,
  and similarly for dd conv=fdatasync.

  dd now counts bytes instead of blocks if a block count ends in "B".
  For example, 'dd count=100KiB' now copies 100 KiB of data, not
  102,400 blocks of data.  The flags count_bytes, skip_bytes and
  seek_bytes are therefore obsolescent and are no longer documented,
  though they still work.

  ls no longer colors files with capabilities by default, as file-based
  capabilities are very rarely used, and lookup increases processing per file by
  about 30%.  It's best to use getcap [-r] to identify files with capabilities.

  ls no longer tries to automount files, reverting to the behavior
  before the statx() call was introduced in coreutils-8.32.

  stat no longer tries to automount files by default, reverting to the
  behavior before the statx() call was introduced in coreutils-8.32.
  Only `stat --cached=never` will continue to automount files.

  timeout --foreground --kill-after=... will now exit with status 137
  if the kill signal was sent, which is consistent with the behavior
  when the --foreground option is not specified.  This allows users to
  distinguish if the command was more forcefully terminated.

** New Features

  dd now supports the aliases iseek=N for skip=N, and oseek=N for seek=N,
  like FreeBSD and other operating systems.

  dircolors takes a new --print-ls-colors option to display LS_COLORS
  entries, on separate lines, colored according to the entry color code.

  dircolors will now also match COLORTERM in addition to TERM environment
  variables.  The default config will apply colors with any COLORTERM set.

** Improvements

  cp, mv, and install now use openat-like syscalls when copying to a directory.
  This avoids some race conditions and should be more efficient.

  On macOS, cp creates a copy-on-write clone if source and destination
  are regular files on the same APFS file system, the destination does
  not already exist, and cp is preserving mode and timestamps (e.g.,
  'cp -p', 'cp -a').

  The new 'date' option --resolution outputs the timestamp resolution.

  With conv=fdatasync or conv=fsync, dd status=progress now reports
  any extra final progress just before synchronizing output data,
  since synchronizing can take a long time.

  printf now supports printing the numeric value of multi-byte characters.

  sort --debug now diagnoses issues with --field-separator characters
  that conflict with characters possibly used in numbers.

  'tail -f file | filter' now exits on Solaris when filter exits.

  root invoked coreutils, that are built and run in single binary mode,
  now adjust /proc/$pid/cmdline to be more specific to the utility
  being run, rather than using the general "coreutils" binary name.

** Build-related

  AIX builds no longer fail because some library functions are not found.
  [bug introduced in coreutils-8.32]
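
The announcement publishes its SHA256 checksums in unpadded base64, which `sha256sum` output cannot be compared against directly. The following is an added example, not part of the announcement or of coreutils: the function names `b64_to_hex` and `verify_sha256_b64` are hypothetical, and it assumes `base64`, `od` and `sha256sum` are installed.

```shell
#!/bin/sh
# Added example: check a file against a SHA-256 digest published in base64.
# Usage with the values from the announcement above:
#   verify_sha256_b64 coreutils-9.1.tar.gz YFXfkmhgPoI5pcnB1kyyW5qZJTDfZuM7jXimYO2zezU

# Convert a base64 digest (padding optional) to lowercase hex.
b64_to_hex() {
    b64=$1
    # The published digests omit the trailing '='; base64 -d needs the
    # input length to be a multiple of 4, so restore the padding.
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do
        b64="${b64}="
    done
    printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if FILE matches, 1 on mismatch, 2 if the digest is malformed.
verify_sha256_b64() {
    file=$1
    expected_hex=$(b64_to_hex "$2")
    # A SHA-256 digest is 32 bytes, i.e. exactly 64 hex characters.
    # Anything else is a truncated or corrupted value: refuse to compare.
    if [ "${#expected_hex}" -ne 64 ]; then
        echo "malformed SHA-256 digest: $2" >&2
        return 2
    fi
    actual_hex=$(sha256sum -- "$file" | cut -d' ' -f1)
    if [ "$actual_hex" = "$expected_hex" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file (got $actual_hex)" >&2
        return 1
    fi
}

# Run directly as: sh script.sh FILE BASE64_DIGEST
if [ "$#" -eq 2 ]; then
    verify_sha256_b64 "$1" "$2"
fi
```

A matching checksum only shows the download agrees with the value in the announcement; the `gpg --verify` step above is what ties the tarball to the maintainer's key.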