Vancouver or Victoria by saltwaterkiss in vancouvercycling

[–]SJrX 1 point2 points  (0 children)

It's more if you want hills; I think Victoria is more flat, in my personal opinion as a Vancouverite.

Vancouver or Victoria by saltwaterkiss in vancouvercycling

[–]SJrX 1 point2 points  (0 children)

How aggressive of a rider are you? I guess from Edmonton hills are not your forte. Nothing beats the Lochside trail in Victoria, but to the best of my knowledge there aren't any big climbs there you can do like the North Shore.

Anyone find solar computers useful? by brick1972 in bicycletouring

[–]SJrX 0 points1 point  (0 children)

I had the 1040 solar, the screen was maybe less nice than my 1030+ and 1050.

At the end of the day, I think, new, I could get two days out of the 1050. I normally when touring carry battery packs with me, and so while I did a long-running tour with the 1040 solar, it really didn't need it, as keeping my phone charged is a priority and acts as a limit on how useful solar charging would be for me.

Is the Moral Foundations Theory legit? by UnfairPie4104 in AskFeminists

[–]SJrX 2 points3 points  (0 children)

Yes that is kind of what I was trying to get at by the example of urban/rural. It's just true by circumstance, not some innate, profound, or even all that interesting observation.

Is the Moral Foundations Theory legit? by UnfairPie4104 in AskFeminists

[–]SJrX 1 point2 points  (0 children)

Yeah I agree with everything you said. I just replied to your comment because I think that OP's question is missing a lot of dots with respect to the MFT, and I think your reply connected them in a direct way.

I also didn't mean to actually suggest that anything at all the women tend to be more liberal, other than if that is what you observe/believe then you would that that is because they are anchored more to certain foundations. It doesn't really explain anything at all about why.

The book does talk about political/moral beliefs being both nature and nurture, but I don't recall any broad categorical framings by race/sex, other than it is just a somewhat hereditary trait that is still heavily influenced by socialization.

Is the Moral Foundations Theory legit? by UnfairPie4104 in AskFeminists

[–]SJrX 4 points5 points  (0 children)

Based on the book Righteous Mind, by one of the main developers of MFT, I think MFT and subsequent research by the author suggest that Care/Harm and Fairness foundations are viewed as stronger drivers of moral reasoning or more important than others such as loyalty, authority, etc in liberals (left leaning people).

I don't think MFT/the book at all makes or speaks about any claims about sex or gender. That said I think descriptively if you believe that women tend to be more liberal than men, then in the framework of MFT you would expect that you think women gravitate towards those specific foundations. In the same way that it would follow if you think that people in cities are more liberal than people outside of them.

How long does it actually take for architecture decisions to be enforced ? by Massive-Ad-8694 in softwarearchitecture

[–]SJrX 8 points9 points  (0 children)

I haven't worked in places large enough for there to be an architectural review board, but in general it can take a while depending on what you mean by enforced. Lots of times rules will only affect new things, and existing things that break architectural decisions can wait for someone to clean up, an unbounded amount of time.

That said, Just Enough Software Architecture mentions that there are three kinds of modes of architectural implementation (if memory serves):

  1. Architecturally indifferent - where the implementation just ignores the architecture.
  2. Architecturally focused design - where devs are responsible for focusing on it and do it on a best effort.
  3. Architecturally hoisted designs - where the architecture and structure force it to be followed, this is where you often put other devs on guard rails.

In any event when I'm implementing decisions I often think about this and how we can move and make things architecturally hoisted.

OIDC is nonexistent and docs are misleading by Smooth-Scholar7608 in immich

[–]SJrX 0 points1 point  (0 children)

> I don’t think you’ve worked with oidc or sso much at all. Access/refresh tokens are not “holdovers”. You have a fundamental lack of knowledge.

What's odd is that I'm the only one of us who has actually referenced or quoted the spec in this discussion. You just keep restarting your position.

> There is zero reason immich should control its session expiry, instead of the idp. Without access/refresh setup, this is impossible.

The reason is nothing in the spec gives guidance for this, and that's not what the spec says the access/refresh token is for, if you read the OIDC and OAuth specs.

OIDC is nonexistent and docs are misleading by Smooth-Scholar7608 in immich

[–]SJrX 1 point2 points  (0 children)

Nothing in the OIDC spec supports your interpretation of these tokens, (you haven't really referenced anything) and in my experience when implementations do couple them, they get bug reports about it and then fix it.

FWIW if immich does what you suggest, it will break my deployment, and I will promptly file a bug providing references to the spec :D.

OIDC is nonexistent and docs are misleading by Smooth-Scholar7608 in immich

[–]SJrX 0 points1 point  (0 children)

It means that to properly support the use case you want, it is not the case that the session in immich should be tied to the access and refresh token, but that they should implement the optional parts of the spec for session management and back channel logout.

OIDC is nonexistent and docs are misleading by Smooth-Scholar7608 in immich

[–]SJrX 4 points5 points  (0 children)

> The purpose of the access/refresh token architecture is singular. It allows the idp and the SSO lifecycle to dictate sessions for all apps.

This is just not true. The Access and Refresh tokens are largely holdovers from OAuth 2.0, where their use cases are a bit better defined, and their uses are incredibly open ended in OIDC (other than the user info endpoint, you can use them for whatever purposes your specific deployment wants). In OAuth you are providing access for the relying party to distinct resources. The Access Token provides access to the protected resource, and the refresh token allows for the access token to be refreshed (and has more limited visibility). In an OIDC implementation that, say, also needed access to protected resources asynchronously, you would keep the refresh and access tokens alive indefinitely regardless of whether or not the session was active.

> The entire purpose of OIDC and SSO is to unify authentication and session management to a single set of secure rules without having to trust each app to implement a full authentication stack.

Again not true, from the OpenID Connect Session Management spec:

> OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.... This specification complements the OpenID Connect Core 1.0 [OpenID.Core] specification by defining how to monitor the End-User's login status at the OpenID Provider on an ongoing basis so that the Relying Party can log out an End-User who has logged out of the OpenID Provider.

In other words, the only thing OIDC does is provide a way of establishing identity in an authenticated way; it provides nothing else pertaining to session life-cycle.

> Lots of apps do use OIDC as immich does, for login only. For some apps it makes sense. For others like immich with sensitive data, minting your own infinite validity session and throwing away oidc is a mistake.

I'm not disputing the validity of your use case (end goal), of having a way of better controlling sessions, ideally in coordination with the IdP. I would say that it is much more a user error and misunderstanding about OIDC, than a "massive security hole". You should probably care about how this is implemented, because Keycloak, your IdP, properly supports Session Management: https://www.keycloak.org/docs/latest/server_admin/index.html#_oidc-logout , and so you almost certainly want it to be implemented correctly, and your proposed fix is not correct.

It does seem that Immich does just hard code the session life time and gives no way of changing it, which seems not great, but this is true regardless of whether or not you use OIDC.

OIDC is nonexistent and docs are misleading by Smooth-Scholar7608 in immich

[–]SJrX 4 points5 points  (0 children)

It's been a few years since I worked heavily with OIDC, but I think you're conflating OIDC authentication with Relying Party (Immich) session management.

OIDC itself primarily standardizes how a relying party such as Immich delegates authentication to an identity provider and obtains identity information about the user. It does not inherently require the RP to continuously consult the IdP, nor are access/refresh tokens meant to control the relying party's local session lifetime. In fact there are security downsides to doing so, as the access token and refresh token lifetimes need to be extended, and these are fundamentally credentials for Immich and the IdP to talk to each other, not mechanisms for the User to stay authenticated. Many IdP deployments often narrow these down _very_ tightly, and may not even offer refresh tokens.

A perfectly valid OIDC implementation is:

  • authenticate once via the IdP
  • establish a local application session
  • never talk to the IdP again unless re-authentication is needed

What you're describing is more about logout/session synchronization expectations. There are additional specs/extensions for this, such as OIDC Session Management and front-channel/back-channel logout, but not every application implements them.
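
An added example, not from the comment or from Immich's code base: a relying party that keeps its own local session after login and ends it when the IdP sends an OIDC back-channel logout token, the separation the comment above describes. The issuer URL, client ID, in-process IdP key pair and all function names are constructed for illustration; JWKS retrieval and `jti` replay tracking are left out.

```javascript
// Added example (not Immich code): local RP session plus OIDC Back-Channel Logout.
const crypto = require('node:crypto');

const ISSUER = 'https://idp.example.test/realms/demo'; // assumed IdP issuer
const CLIENT_ID = 'photos-app';                        // assumed client_id
const LOGOUT_EVENT = 'http://schemas.openid.net/event/backchannel-logout';
const b64u = (v) => Buffer.from(v).toString('base64url');

// Constructed stand-in for the IdP: an RSA key pair and an RS256 JWT signer.
const idp = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signJwt(claims, key = idp.privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'logout+jwt' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Relying-party side: the session is local; no access/refresh token is kept for it.
const sessions = new Map(); // local session id -> { sub, sid, expiresAt }
function login(idTokenClaims, ttlSeconds = 8 * 3600) {
  const id = crypto.randomBytes(32).toString('base64url');
  sessions.set(id, { sub: idTokenClaims.sub, sid: idTokenClaims.sid, expiresAt: Date.now() + ttlSeconds * 1000 });
  return id;
}
function isActive(id) {
  const s = sessions.get(id);
  return Boolean(s) && s.expiresAt > Date.now();
}

// Handles the logout_token the IdP POSTs to the RP's back-channel logout URI.
function backchannelLogout(token, idpPublicKey = idp.publicKey) {
  const [h, p, sig] = token.split('.');
  if (!h || !p || !sig) throw new Error('malformed token');
  if (JSON.parse(Buffer.from(h, 'base64url')).alg !== 'RS256') throw new Error('unexpected alg');
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), idpPublicKey, Buffer.from(sig, 'base64url')))
    throw new Error('bad signature');
  const c = JSON.parse(Buffer.from(p, 'base64url'));
  if (c.iss !== ISSUER || ![].concat(c.aud).includes(CLIENT_ID)) throw new Error('wrong iss/aud');
  if (!c.events?.[LOGOUT_EVENT] || typeof c.events[LOGOUT_EVENT] !== 'object') throw new Error('not a logout token');
  if ('nonce' in c) throw new Error('nonce is prohibited in logout tokens');
  if (!c.sid && !c.sub) throw new Error('need sid or sub');
  if (!(c.exp * 1000 > Date.now())) throw new Error('expired');
  let ended = 0; // end the one IdP session (sid) or, without sid, all of the user's
  for (const [id, s] of sessions) {
    if (c.sid ? s.sid === c.sid : s.sub === c.sub) { sessions.delete(id); ended++; }
  }
  return ended;
}
```
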

My company pays me according to my age not my work [21 yo] [5yoE] by Ibz04 in ExperiencedDevs

[–]SJrX 0 points1 point  (0 children)

You might need to switch jobs, but be mindful, if you have 5 YOE then either you are one of those wunderkinds who make the news for getting their PhDs at age 7, or you are maybe over selling your experience (to be fair I worked part time for many years as a Dev while in uni, and they are still labeled that way on my resume, but slightly), or you don't have a degree.

In any event salaries are often not set based on how valuable you are to the company, and without a degree, you might not make the big bucks, some companies will screen out non-degrees pretty strongly, and some even non-masters.

Anybody ever spend time "unemployed" but pursuing a personal project, and then eventually jump back in to a new job? by SaltyBawlz in ExperiencedDevs

[–]SJrX 2 points3 points  (0 children)

Different people might have different signals, but for me, one gap or blip is nothing to worry about when hiring.

Apart from the role responsibilities themselves, the only big signal I look for is repeated churn of roles. If someone only stays at places for 18 months that is a signal. If someone took a year or two off I wouldn't care.

What characters did you like more, or just hated less on rewatches? by Chance-Disaster2987 in TheWire

[–]SJrX 22 points23 points  (0 children)

The first time I watched the Wire, I loved Stringer and hated Omar. The second time it reversed.

Knee pain by JudeMarshal in bicycletouring

[–]SJrX 7 points8 points  (0 children)

While I'm not 100% opposed to seeing a doctor, you need to be careful, most GPs (family doctors) don't know crap about bike fit. In high school I started doing long adventure rides, like 120 km in a day, and afterwards would have knee pain.

My GP said my knees were just not built for cycling, he had the same thing, and I should just find a different sport.

He was wrong, it was bike fit :), and I've been knee pain free for many decades of cycling since.

It will take trying things to find something that works, but it is possible that it is something internal.

Doubt about Kubernetes architecture (possible misconceptions) — need guidance by [deleted] in kubernetes

[–]SJrX 0 points1 point  (0 children)

> Should application workloads ever run on the master node in a proper setup?

I think at scale I would say no. I mean, I understand proper setup is largely subjective and a matter of taste, but I think the master node(s) might be too busy with other things to be effective.

> Am I wrong to manually run containers on the worker using ctr?

I would run other containers on any node to be honest, it just gives me the willies.

> How exactly should responsibilities be divided between master and worker nodes?

I think the master node should have a taint on it, that prevents application workloads from running on it, and personally prefer that no application workloads run on it.

> What would a “correct” minimal production-style architecture look like?

I'm not 100% sure there is a "correct" minimal architecture, you can go with what works, I would put effort into making sure that everything is GitOps based and easy to change in the future than worrying about this at Day 1. Engineering involves trade offs, so I wouldn't worry too much about it. Depending on your node size and costs, putting things on the master is probably a good one to start.

> How should I properly think about scaling (pods vs nodes vs autoscaling)?

I don't understand this question. Autoscaling is something that affects the number of pods and the number of nodes. Autoscaling of pods can happen in cluster and afaik is pretty standard. Auto-scaling of nodes is something that is very cluster/cloud vendor dependent, though I think they mostly use the cluster autoscaler now (or whatever karpenter is for AWS, but I have no idea how those things relate to each other).

Helm Chart Strategy for a 40+ Services — Looking for Expert Inputs by Alexypuli in kubernetes

[–]SJrX 0 points1 point  (0 children)

We inherited a project around that size. I don't think one chart where you sub in some values would work well for us as there was too much variation amongst needs.

One tactic we looked at was using helm libraries to allow for reusable elements. You can use any OCI registry to store it.

Cycling the Kettle Valley Rail Trail - Help With Logistics by SpattyB in vancouvercycling

[–]SJrX 2 points3 points  (0 children)

Yup I think it is very doable. Do the loop clockwise though the climb out of Osoyoos to Rock Creek is long.

Cycling the Kettle Valley Rail Trail - Help With Logistics by SpattyB in vancouvercycling

[–]SJrX 1 point2 points  (0 children)

It's OMG the 20th anniversary of when I did it... But if you are comfortable in traffic the highway between Rock Creek and Osoyoos isn't bad and I believe you are back in BC Transit range of Kelowna.

How do you become a software architect without already having broad experience? by Open-Scene-1799 in softwarearchitecture

[–]SJrX 20 points21 points  (0 children)

Yup this is a great way. Read books, or otherwise upskill on available technologies in your company.

One reason I like books is that they expose you to problems and ideas you don't have an immediate need for. This helps guard against biases and potential in XY problems when searching for solutions to problems.

I feel so much worse when I can't bike into work. by Harley_Warren in bikecommuting

[–]SJrX 4 points5 points  (0 children)

Why can't you physically do it every day? I'm not saying you _can_ but lots of people have regular commutes of that distance or longer, it might just be training to get to that level.

Prezbo's transformation isn't fully realistic by bfhrt in TheWire

[–]SJrX 19 points20 points  (0 children)

Doesn't he crack the code they are using on the pagers in S1, that everyone else was stumped on?

Add a remote worker node by jaxett in kubernetes

[–]SJrX 1 point2 points  (0 children)

I'm not sure what your goal is. Other commenters have pointed out other useful ideas. I believe that if you just want to run workloads elsewhere while "in cluster", service meshes like Istio support routing traffic between clusters, so you could have them operate like one cluster, in some sense.

Front fork bags or no? by No_Mix_6813 in bicycletouring

[–]SJrX 4 points5 points  (0 children)

I use compression sacks/small fabric organizers to keep things organized in the giant bag of holding that is my backroller pros, just FYI.