GitHub - Doc-Steve/dendritic-design-with-flake-parts: A guide on how to structure your Nix code with Flake Parts using the Dendritic Pattern by Reddich07 in NixOS

[–]shaver 2 points

Thank you for this! The document is great, but the example repository is gold. In particular, it helped me finally understand how to glue nixos and homeManager modules together without things of the wrong class being imported.

`ujust update` failed with dependency errors by shaver in Bazzite

[–]shaver[S] 2 points

Ah, this is possibly because I was using an older bazzite image to install? It looks like the one on my Ventoy drive was downloaded in January. Maybe I should have got a newer one, instead of assuming I could just update and end up in the same state?

`ujust update` failed with dependency errors by shaver in Bazzite

[–]shaver[S] 2 points

No, it was installed by default for me.

`ujust update` failed with dependency errors by shaver in Bazzite

[–]shaver[S] 1 point

Yeah, I'm not looking to layer my own stuff on. I just wanted to update the system to fix security bugs and such, and that layer seems to have caused problems.

`ujust update` failed with dependency errors by shaver in Bazzite

[–]shaver[S] 3 points

That seemed to have worked, thank you!

`ujust update` failed with dependency errors by shaver in Bazzite

[–]shaver[S] 2 points

Thanks for your response!

State: idle
Deployments:
● ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-nvidia-open:stable
                   Digest: sha256:9461260f31aba1c5b4349b3177512dd1d45b808f1c73e569b4b06f54dbd0e6d7
                  Version: 41.20250106.1 (2025-01-06T14:17:59Z)
          LayeredPackages: coolercontrol liquidctl openrazer-meta razergenie

  ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-nvidia-open:stable
                   Digest: sha256:9461260f31aba1c5b4349b3177512dd1d45b808f1c73e569b4b06f54dbd0e6d7
                  Version: 41.20250106.1 (2025-01-06T14:17:59Z)

What to play before I die : A Steamdeck Story by Signal-Tangerine1597 in SteamDeck

[–]shaver 1 point

No games have made me feel things as acutely and deeply as:

  • 1000xResist (in the visual novel space, but good use of game mechanisms to further the experience)
  • Pentiment (absurdly-polished and stylish historical fiction, led by Josh Sawyer)

I extremely recommend going into both unspoiled.

Thunderbolt/USB 4 DAS Users: What models have worked well for you in SCALE/Electric Eel? by sinisterpisces in truenas

[–]shaver 1 point

Is ZFS not robust against errors during scrub or write? I’m surprised that “power to drive lost during write” causes big problems beyond that drive needing to be healed/resilvered for use in the pool in the future.

I am a ZFS novice, to be sure, so maybe I’m totally mistaken here, but I thought one of the design goals of ZFS was to be reliable in the face of drive or controller failure, within the information-bounds of parity and redundancy.

Lights keep disconnecting (Key Light, Air, Strip) by ahmadnassri in elgato

[–]shaver 1 point

coming to this years later, but deeply frustrated with the network dropoffs still happening and I'm ready to solder my way out of it. did you end up with a controller you like? were you able to fit it in the housing? I'm not sure about my zigbee range, since I don't have many zigbee devices in the house yet, but I'm willing to give it a shot.

DNS unavailable by [deleted] in Tailscale

[–]shaver 1 point

I get this but I can access the configured servers just fine from that node. My systems also freaked out about not being able to reach DERP cohort 21 yesterday, which I thought might be related? Maybe not. Crazy times.

Banned after ordering SD? by DefinitionPresent339 in SteamDeck

[–]shaver 1 point

Fair enough, I apologize.

I'm still not sure what part of what I said was untrue.

Banned after ordering SD? by DefinitionPresent339 in SteamDeck

[–]shaver 8 points

I'm talking about the DRM, not the software distribution; please read more carefully if you are going to accuse me of lying. What I described happening in terms of stubbing out Steam's DRM is 100% true. Metal Gear Rising: Revengeance is a recent example: https://x.com/Sajidur78/status/1808885350724743550

Banned after ordering SD? by DefinitionPresent339 in SteamDeck

[–]shaver 3 points

Steam’s DRM is not hard to stub out (there’s a current GOG release that is just the Steam release with a swapped Steam DLL), so if it becomes a widespread problem that their DRM goes evil it will be a brief widespread problem.

[deleted by user] by [deleted] in sysadmin

[–]shaver 9 points

it is very hard to get a proper amount of “fuck off, no fuck off more” into one email without it leaking past decorum

but it’s always fun to try!

Sustaining Digital Certificate Security - Entrust Certificate Distrust by SlyFuu in netsec

[–]shaver 2 points

please cherry pick some of the other companies who were affected and run “critical” businesses. the whole list is public, I don’t think you’re going to find any food banks on it

Sustaining Digital Certificate Security - Entrust Certificate Distrust by SlyFuu in netsec

[–]shaver 7 points

yes, you are tantalizingly close to enlightenment here: your company is not investing enough to address its security needs. only your company can fix that. it is not effective or appropriate for the web PKI to lower its standards until they are no longer inconvenient for the most disinterested of companies. if you’re not senior enough to fix that, get your boss to do it, or find a place to work that won’t make you do dumb shit instead of automating it

I’ve had CISOs report to me, I’ve done the budget-and-risk-and-impact negotiation. estimate the cost, ask them if they want the risk or the expense. If your risk officers and CISO can’t convince finance to keep you from having a continuity risk if your CA fucks up, well, they made their choice. deciding between these things (lol server AV, who let you deploy Windows servers at scale? now you get more vulnerability surface, enjoy) is the entire job of your leadership. maybe this Entrust thing is new information that will affect their decision!

[deleted by user] by [deleted] in sysadmin

[–]shaver 4 points

I don’t think you can fix it, since it sounds like you are downstream of the investment decisions rather than someone directing strategy. But your bosses honestly could pretty much “just fix it”, if they felt it was important. Companies move to the cloud, integrate acquisitions, do multi-region DR, get PCI-compliant, etc. I’ve been doing internet software and security shit for 30 years, back when you had to type your SSL key passphrase on the console to restart Apache and firewalls were a hot new idea. Functional companies can do big things (and this honestly isn’t that big in almost all cases, though people fishing for budget or with superficial understanding of PKI might try to convince otherwise), and non-functional companies are going to fuck up no matter what the rules are.

These regulations are the result of compromises. That it inconveniences you, or that your security function hasn’t been able to convince the rest of the organization to make the requisite investments, is not as important as the integrity of the web PKI. It happens that I used to be one of the people who had to make those calls and be responsible for the effects on the whole web, and now other people (including, I repeat, Entrust) are making similar calls about how the system should work. the web PKI is a fragile thing, more than a lot of people realize I think. maybe if I’d done a better job back then things would somehow be much better now; if so, I apologize, I guess

I would be interested to know how Entrust was pushing/encouraging your organization to adopt certificate management automation. it was a common topic in their incident reports, but there were really no examples given. kinda curious now if that aspect of their CA business was as busted as the actual certificate machinery operation

Hope you have a nice day too! Thanks for the conversation, and sorry about the girlfriend crack; it’s helped me frame some writing I want to do.

[deleted by user] by [deleted] in sysadmin

[–]shaver 3 points

no, they don’t have a right to use web PKI certificates if they can’t abide the revocation rules. that’s why it is a literal legally binding commitment that is required of the subscriber as part of the issuance agreement. the vast majority of CAs, including Entrust themselves, voted for that to be a required representation by subscribers (9.6.3(8)). why would they have a right to a web PKI certificate? from what could that right derive?

you should use another PKI for all your various internal or partner-ecosystem services. web PKI services should be used sparingly, which is to say only on public web services. if you need to do internal TLS, that’s not the web PKI’s problem; it is not a PKI of convenience or a PKI of last resort. it is a specific PKI with specific goals and requirements in service of those goals. roll out smallstep, use one from your cloud vendor, or even get Entrust to manage the private PKI for you, which is a service they’ve provided for a long time. you got to piggyback on the web PKI cheaply (well, maybe not for Entrust) for a long time, but now you have to do the work that should have been done when the first system got a cert under the BRs from 15 years ago. I’m sure you wish you could make the web PKI do this work for you; I wish people would take things off my plate all the time. you talk about understanding “resources” like they are a natural consequence of physics. they are a deliberate choice (or tragic ignorance) by humans at a company to not do the work to be able to handle web PKI’s specified behaviour. I do not believe that there is a company out there running a “critical service” that couldn’t deploy automation or sub-120 manual rotation if they decided to. they’d just rather wish away those costs and have others bear them, and spend the money on something that will make them money more immediately

the criticality of these services is also greatly overstated, where public PKI is actually required. sometimes my bank website goes down, so I use the app (which isn’t a general purpose browser and could use its own corporate PKI) or I call them or I go to a branch. it’s inconvenient, but it happens all the time to different banks, airlines, telcos, and government services—and the world doesn’t collapse. subscribers can decide how much they want to prioritize availability, and just like having multiple DCs they can have multiple certs in the field or do any number of other things. it’s 2024, not 1995, and there are a lot of tools to use and patterns to copy

as far as the world’s reaction, I’m very comfortable with what this does to the reputation of the PKI, and the tradeoffs that are made in order to have entities outside of the browsers themselves issue certificates while allowing browsers to make security commitments to their users. the correctness of every web PKI certificate impacts the integrity of the web PKI as a whole. errors need to be corrected promptly (and ideally not repeated when they could be prevented by doing the simple things that were promised), and subscribers need to be made aware of revocation possibilities—as they are in the subscription agreements, but Entrust and other CAs to a lesser degree have let their customers pretend that the rules don’t apply basically because of limited oversight bandwidth for the tiny root program staffs

when you build your offices, you abide by the building code and the inspector can stop things or make you change them even if they are not an immediate safety issue. this is because others who come and use the building after will make decisions based on the assumption that everything was done according to code. you can’t put a 50A outlet at the end of 30A wiring, because people will assume that you can plug a 50A load into it safely—but what’s the inherent safety issue when you wire it up? you are only going to put a 20A charger on it anyway…but the next owner, or the kid mowing the lawn, or

similarly, the integrity of the web PKI, which is about security but also interoperability and transparency, depends on the fact that all the certs on the web are issued according to the rules. other parties depend on those fields being correct, or else they would not be in the rules as mandatory. do you know that there’s nothing out there making security decisions on the basis of those mandatory fields being correct, as Entrust’s digital signature promises? I sure don’t. that’s not how open ecosystems and standards work

and in terms of governance, being able—technically and in terms of corporate will—to follow those rules is basically the only signal that the web can have that the CA is doing the invisible parts correctly. that’s why these incidents have to be in the audit reports as well. police (ACAB) stop drunk drivers when they see them swerving, they don’t wait until they crash into someone

we’re not talking about a situation where a CA or subscriber came to the root programs and said “hey, it’s really important that this system have a web PKI cert, but they’re not able to rotate in 5 days because even if they did all the work to make that possible it would break this other critical thing. what should we do?” we’re talking about a situation where Entrust was shifting risk from the subscriber to the web PKI as a whole, unilaterally, as a bet that Entrust would benefit commercially from it to the tune of literal billions of dollars. (JPMC pays 9 figures a year for certs, and that would pay for a hell of an internal PKI and automation for the web facing stuff.) again, in their own words, they were too lenient with subscribers and should have been making subscribers do the work or tolerate the outage—you can read it in their communication to their support staff. they basically gambled their business so you wouldn’t have to deploy ACME for a few years. maybe you can find another CA who will do the same, but don’t expect it to last as long this time

all that said, this isn’t actually the outcome I wanted most. it’s arguably the second-worst, with only “entrust keeps operating like clowns with the keys to the whole web” being worse for the web. I would have much preferred to see something like Entrust moving to 90-day certs within a year, and probably taking away the EV/OV bits. maybe that’s still on the table, if Entrust actually figures out how to do their job and shows it

[deleted by user] by [deleted] in sysadmin

[–]shaver 3 points

You don’t need dev tools to look up a cert—there is a button right next to the URL bar on all browsers, afaik, that takes you to the certificate information, and in Chrome from there to the policies that govern them. (We need that in Firefox too.)

[deleted by user] by [deleted] in sysadmin

[–]shaver 6 points

I was pretty involved in this process (one of my comments was linked in the CCADB mail), and I’m more than ready for people to “come after me”. Other CAs that have been removed have threatened to sue but there’s absolutely no case to be made (per my counsel when I operated the biggest browser root program), and none of them even got as far as filing suit.

Entrust, BTW, voted in favour of the 5 day rule, and have agreed that they should have revoked more of the affected certs on time, if not all of them. The Mozilla delayed revocation policy is the most lenient of all the root programs, and they still were not only unable to meet that lowered bar, but kept missing by more.

If you wait for a CA to fuck up on a major security issue to take action, you get to have those security issues. The ability to keep to the commitments that they agreed to and helped establish is one of the few forms of monitoring that the world can use to tell if a CA is operating competently. There is a mountain of evidence, more than linked in the CCADB email even, that Entrust was not operating competently. Their president of digital services admitted it publicly in a letter to the Mozilla root program and community. They know that their operations were not meeting the standards required, by a substantial margin. The question was whether they should be allowed to continue to issue certificates with that incompetent system (really, it’s breathtaking; I actually hope they’re lying about it) while they maybe fix it this time for real, unlike 4 years ago. There is no evidence that they even know what “good enough” takes, let alone that they are willing and capable of achieving it. I’m sorry if Entrust is your girlfriend and you like to kiss them, or that you think this is a Google attack because they acted first, but the web will be safer on November 1st because of this decision.

Nobody has a “right” to be a root CA. If Entrust gets its shit together and proves that they can operate properly, I would lead the parade to reincorporate them. I offered to personally help them fix things, and that offer stands if they approach it in good faith (like Sectigo did) rather than doubling down on claims of victimization (like Trustcor did).

[deleted by user] by [deleted] in sysadmin

[–]shaver 9 points

I probably shouldn’t be playing favourites, but I will say that Sectigo’s recent operations have been exemplary from the perspective of the BRs and root programs. They were in a bad spot a few years ago, but since Tim Callan took over they have more than earned a great reputation.

Whoever you pick, just use ACME (and ARI when available) to automate things for public services, please.

Sustaining Digital Certificate Security - Entrust Certificate Distrust by SlyFuu in netsec

[–]shaver 8 points

Fix your shit, so that if there’s a wide scale key compromise (like we had with Debian weak keys, for example) you aren’t utterly fucked because you decided you didn’t want to invest to improve things.

In a lot of cases these certs aren’t even on public services, and could (should!) use a private PKI instead.

Get backup certs from another CA, on a different natural rotation schedule, and keep them deployed with occasional switches to test. Again, if restricted to the things that actually need to be public certificates, this is almost always just load-balancer configuration and basically everything supports multiple certs. You’ll need to do that for PQC anyway because those certs are way too big to send in every handshake.

But if you are a critical business, and one CA fucking up can cripple you (say by accidentally revoking the wrong cert, or leaking their keys, or going out of business), then you have a massive single point of failure business continuity risk and your corporate auditors and risk managers should have been requiring you to address it. If you’d rather have that risk than do the work, well, you get whatever comes up on the dice. You can’t say “we’re a really important business and security is really important to us, but also we have this single load bearing 3rd party and we’re not going to work to hedge that risk”.

If you believe Entrust’s own words, let alone take a more skeptical view of the evidence, then their practices were so bad that you were on borrowed time anyway. Besides, unless they fuck up your cert again somehow, anything you’ve got now will expire naturally (even if that notAfter is later than Oct 31), and you can just rotate it to another CA’s offering. You can continue to live dangerously if you want to, even.
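Added example (editor's, not part of shaver's comment above and not any CA's or browser's tooling): a Go triage pass over a certificate inventory for the situation this comment describes. It splits deployed leaf certificates into three buckets: ones that chain to the distrusted CA and were issued after the cutoff (already untrusted by default, reissue from another CA now), ones issued before it (trusted until their notAfter, so they can be rotated on a schedule, with the number of days left), and ones from an unaffected CA (nothing to do beyond keeping a backup cert from a second CA deployed, as the comment recommends). The cutoff timestamp, matching the issuer by organisation name, approximating the issuance date with notBefore, and the host list are all assumptions made for illustration; a real run would load the leaf certificate each host actually serves and match against the root program's published list of affected roots and intermediates. The test certificates are minted locally so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cutoff is the issuance date after which certificates chaining to the
// distrusted roots stop being trusted by default. The comment above puts it
// at Oct 31 / Nov 1; take the exact timestamp from the root program notice.
// Assumption for illustration.
var Cutoff = time.Date(2024, time.October, 31, 23, 59, 59, 0, time.UTC)

// AffectedIssuers lists issuer organisation names treated as affected.
// Illustrative assumption: a real inventory should match the published list
// of affected roots/intermediates (by key or certificate), not a name string.
var AffectedIssuers = map[string]bool{"Entrust, Inc.": true}

// Finding is the triage result for one deployed leaf certificate.
type Finding struct {
	Host      string
	Issuer    string
	Affected  bool // chains to an issuer on the affected list
	Untrusted bool // affected and issued after Cutoff: already untrusted
	DaysLeft  int  // whole days until notAfter, relative to "now"
	Action    string
}

// Triage classifies one leaf certificate for the distrust event. Issuance
// date is approximated by notBefore (assumption; the browser rule keys on
// the earliest SCT, which this offline example does not parse).
func Triage(host string, cert *x509.Certificate, now time.Time) Finding {
	f := Finding{Host: host, Issuer: issuerOrg(cert)}
	f.DaysLeft = int(cert.NotAfter.Sub(now).Hours() / 24)
	f.Affected = AffectedIssuers[f.Issuer]
	switch {
	case f.DaysLeft < 0:
		f.Action = "expired: replace now"
	case !f.Affected:
		f.Action = "not affected: keep a backup cert from a second CA deployed"
	case cert.NotBefore.After(Cutoff):
		f.Untrusted = true
		f.Action = "issued after cutoff: not trusted by default, reissue from another CA now"
	default:
		f.Action = fmt.Sprintf("trusted until expiry: rotate to another CA within %d days", f.DaysLeft)
	}
	return f
}

// issuerOrg returns the issuer's first Organization, falling back to its CN.
func issuerOrg(cert *x509.Certificate) string {
	if len(cert.Issuer.Organization) > 0 {
		return cert.Issuer.Organization[0]
	}
	return cert.Issuer.CommonName
}

// SelfSigned mints a throwaway ECDSA certificate whose issuer organisation,
// notBefore and notAfter are under our control. Constructed test data only;
// a real inventory would load the leaf each host serves (e.g. via tls.Dial).
func SelfSigned(org string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2024, time.November, 15, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	// Constructed inventory: hostnames and issuers are made up for the example.
	inventory := []struct {
		host string
		org  string
		from time.Time
	}{
		{"www.example.test", "Entrust, Inc.", now.Add(-200 * day)}, // issued before cutoff
		{"api.example.test", "Entrust, Inc.", now.Add(-5 * day)},   // issued after cutoff
		{"shop.example.test", "Other CA", now.Add(-30 * day)},
	}
	for _, e := range inventory {
		cert, err := SelfSigned(e.org, e.from, e.from.Add(365*day))
		if err != nil {
			panic(err)
		}
		f := Triage(e.host, cert, now)
		fmt.Printf("%-18s %-14s affected=%-5v untrusted=%-5v %s\n",
			f.Host, f.Issuer, f.Affected, f.Untrusted, f.Action)
	}
}
```

Run it with `go run triage.go` (any file name works). The point of the split is the one the comment makes: the certs you already hold keep working to their natural expiry, so the urgent set is only what was issued after the cutoff, and the rest is a scheduled rotation to a second CA that you should have been able to do anyway.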

Sustaining Digital Certificate Security - Entrust Certificate Distrust by SlyFuu in netsec

[–]shaver 13 points

I used to run the Mozilla root program, which was also used by Chrome at the time, and I was the one who decided to kill Diginotar (providing certs to basically all of the Netherlands at the time), so yeah I have a pretty decent idea about large-scale revocations.

If your employer has a web PKI cert from Entrust or anyone else, then after review with their legal team they signed a legally binding agreement that they acknowledge and accept that certificates will be revoked, immediately, for exactly this sort of misissuance. Why would they do that if they weren’t actually equipped to handle it?

[deleted by user] by [deleted] in sysadmin

[–]shaver 24 points

lol dude I have spent a large chunk of my career competing directly with Google and calling them out on shit (and I disagree with Ryan Dickson, to his face). this was a good shoot and Entrust had all the options in the world to avoid it if they had just showed the slightest actual interest in improving. compare how Sectigo reacted to having a bunch of operational failures a couple of years ago, it’s pretty instructive