Hi everyone!
I hope you all had a nice holiday and got to spend it whichever way you prefer (behind a computer, obviously)!
It’s once again a pretty big issue, as I’ve had a few weeks of stockpiled bookmarks & news to share. Don’t let the scrollbar scare you.
Wishing you all the best in 2020, successes wherever you need them and enough free time to keep learning & reading.
Enjoy!
News & general
Linus: “don’t use ZFS”
Strong words from Linus Torvalds regarding Oracle’s licensing policy on ZFS: “Don’t use ZFS. It’s that simple. It was always more of a buzzword than anything else, I feel, and the licensing issues just make it a non-starter for me.”
Gandi loses data, customers told to use their own backups
I don’t like pointing to status pages or downtime as it feels very “finger pointing” to me, but I wanted to share this incident regardless. Gandi lost a storage device and couldn’t recover data for their customers, asking them to “use their own backups”. This is a good reminder that you don’t want to put all your eggs in one basket!
Benchmarking shell pipelines and the Unix “tools” philosophy
Is it faster to do the grep before the count, or after? This post looks into the nitty gritty performance details of shell pipelines!
Understanding filesystem takeover vulnerabilities in npm JavaScript package manager
Early in December, a security vulnerability in npm & yarn (the JavaScript package managers) was publicly disclosed. This post looks at how this vulnerability works. As a Linux sysadmin, you’ll be happy to read that it’s all about $PATH and symlinks!
SHA-1 is a Shambles
SHA-1 is broken. If you still use SHA-1 anywhere and you think it’s keeping your stuff private, guess again.
Removing the Linux /dev/random blocking pool
By default, reads from /dev/random are blocking (meaning: your program will hang until there is sufficient entropy (“random data”) to give back) and calls to /dev/urandom would never block (more on that here). Work is now being done to make /dev/random non-blocking as well, while still keeping it a secure cryptographic random-number generator (CRNG).
Now using Zstandard instead of xz for package compression
Arch is switching their package compression scheme from xz (.pkg.tar.xz) to zstd (.pkg.tar.zst). The biggest motivation was not better compression (that’s about the same), but a whopping 1300% speed up in decompressing.
Python 2.7 is now end-of-life. Sort of.
Python 2.7 will not be maintained past 2020. If you use Red Hat (and I presume CentOS as well), it seems to be supported until June 2024 though. So much for EOL …
Kali Default Non-Root User
For years now, Kali has inherited the default root user policy from BackTrack. As of January 2020 they will change this and move Kali to a “traditional default non-root user” model.
What exactly is being sent to Ubuntu in the MOTD?
There was a bit of commotion around Ubuntu’s default MOTD behaviour, where it sends more data than you’d expect back to Canonical-owned servers every time you log in. In this blogpost, I look at the details of what is being sent and why you should care.
Debian votes for Proposal B, “Systemd but we support exploring alternatives”
Well there you have it, systemd remains (I’m not complaining though, it might be Stockholm Syndrome but I’ve come to like systemd).
My Business Card Runs Linux
An embedded systems engineer created a business card that runs a version of Linux with a kernel sized at 1.6MB, the entire root filesystem at 2.4MB and a boot-loader that fits in 256KB.
Tools & Projects
Oh Dear! Uptime & Broken Links monitoring sponsored
We built the Oh Dear monitoring service because there’s a gap in current uptime monitors: they all look at a single page (usually your homepage) and report on that. What about the other 100+ pages of your site? Ours routinely crawls your entire site (like Google) and reports broken links & pages and mixed content alerts. Give it a try, there’s a 10-day free trial!
scalene: a high-performance CPU and memory profiler for Python
Scalene is a high-performance CPU and memory profiler for Python that does a few things that other Python profilers do not and cannot do. It runs orders of magnitude faster than other profilers while delivering far more detailed information.
Lucidity: an interactive program-state visualizer
Lucidity is a new way of understanding what programs are doing as they execute. It looks really powerful and gives you visual insights into the state changes of your application. The video is worth a watch!
Snowpack
With Snowpack you can build modern web apps (using React, Vue, etc.) without a bundler (like Webpack, Parcel, Rollup). No more waiting for your bundler to rebuild your site every time you hit save. Instead, every change is reflected in the browser instantly.
Parcel
Parcel uses worker processes to enable multicore compilation, and has a filesystem cache for fast rebuilds even after a restart. Parcel has out of the box support for JS, CSS, HTML, file assets, and more - no plugins needed.
Broot: a new way to see and navigate directory trees
Get an overview of a directory at the CLI (even really big ones) in a way that you can still navigate them. It cleverly collapses large directories.
jql
This is an alternative to the popular jq tool to query JSON data at the command line. jql has a more lispy syntax to it.
jellyfin
Jellyfin is a free program that lets you collect, control, and stream all your favorite media. It holds your entire movie collection, and displays a beautiful collection of posters. Could be an alternative to the popular Plex, but it seems to be lacking mobile clients at the moment.
bandwhich
This is a CLI utility for displaying current network utilization by process, connection and remote IP/hostname. bandwhich sniffs a given network interface and records IP packet size, cross referencing it with the /proc filesystem on Linux or lsof on macOS.
S3 Email
A serverless email server on AWS using S3 and SES. Pretty crazy actually, when you look at all the parts involved.
Apache Pulsar
Apache Pulsar is an open-source distributed pub-sub messaging system originally created at Yahoo and now part of the Apache Software Foundation. Built from the ground up as a multi-tenant system. Supports Isolation, Authentication, Authorization and Quotas.
dlinject.py
Inject a shared library (i.e. arbitrary code) into a live linux process, without ptrace.
Bash-my-AWS
Bash-my-AWS is a simple but extremely powerful set of CLI commands for managing resources on Amazon Web Services. They harness the power of Amazon’s AWSCLI, while abstracting away verbosity.
Rhasspy
Rhasspy is an open source, fully offline voice assistant toolkit for many languages that works well with Home Assistant, Hass.io, and Node-RED.
JohnSundell/Publish
Publish is a static site generator built specifically for Swift developers. It enables entire websites to be built using Swift, and supports themes, plugins and tons of other powerful customization options.
Checkov
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and detects security and compliance misconfigurations.
KafkaHQ
A Kafka GUI for topics, topics data, consumers group, schema registry, connect, … It will start a Kafka node, a Zookeeper node, a Schema Registry, a Connect, fill with some sample data, start a consumer group and a kafka stream & start KafkaHQ.
ffsend
A fully featured Firefox Send client, entirely from the CLI.
FiloSottile/age
A simple, modern and secure encryption tool with small explicit keys, no config options, and UNIX-style composability.
outline
An open, extensible, wiki for your team built using React and Node.js.
cleaver
A blazing-fast static site generator using Laravel’s Blade templating engine.
hippy
Hippy is a cross-platform development framework, aiming to help developers write once, run on three platforms (iOS, Android and Web). Hippy is quite friendly to web developers, especially those who are familiar with React or Vue.
glow
Glow can render markdown on the CLI, super convenient!
wtfpython
Exploring Python through counter-intuitive snippets. If you think you know Python, think once more!
Guides & Tutorials
How to exit vim
Below are some simple methods for exiting vim. (It’s mostly funny though :-))
10 Ansible resources to accelerate your automation skills
A collection of useful links & resources to help get you started with Ansible.
Front-End Performance Checklist 2020
I’ve always loved performance, be it on the server, the code in the backend or the frontend. I think it’s good to be aware of all areas so I wanted to share this huge list of performance tips for front-end devs.
Prometheus For Beginners
This is a complete beginner guide to what Prometheus is, what it does and how to use it.
Mini HTTP guide for developers
This is a good summary of the HTTP protocol, even if you’ve been configuring web servers for a few years. Most of HTTP is abstracted away in frameworks or layers, but the nitty gritty details are still interesting.
Get to Know vi, a Text Editor for the Ages
A good back-to-the-basics on using the vi text editor. Even though I only use 0.1% of its features, it’s still my favorite editor at the CLI.
Scripting tmux
This is a good collection of tmux tips to configure it just the way you want, with the panes & windows you choose.
Automate the Boring Stuff with Python
This book can be read entirely online and gives a really good introduction to the Python programming language.
How To Set Up an Object Storage Server Using Minio on Ubuntu 18.04
If you want to try out object storage (“S3”) on your own, you can give Minio a try. This post gives you all the install instructions on Ubuntu 18.04.
Jenkins Home Lab: Part 1 - Setting up the Master
This is a 6-part guide on how to set up your own Jenkins instance to run your own CI/CD pipelines.
How To Configure a Galera Cluster with MySQL on Ubuntu 18.04 Servers
Another good step-by-step guide on running your own Galera cluster.
What You Probably Didn’t Know About Sudo
Everybody knows sudo, right? This tool is installed by default on most Linux systems and is available for most BSD and commercial Unix variants. Still, after talking to hundreds of sudo users, the most common answer I received was that sudo is a tool to complicate life.