Hi everyone! 👋
Welcome to cron.weekly issue #122.
Like I mentioned last week, this is the issue that includes a one-time e-mail open tracker. It allows me to validate my new e-mail setup. After today, it’s back to being the no-tracking newsletter again. 😉
I’d appreciate it if you could load the images in this e-mail, just once. 🙏
But you’re here for the content, not my e-mail debugging rant. So, enjoy this issue!
News & general 🗞
Safari will no longer accept new HTTPS certificates that expire more than 13 months from their creation date
This means websites using multi-year SSL/TLS certs issued after the cut-off point, on September 1st, 2020, will throw up privacy errors in Apple’s browser.
This is a strong move to push the industry to short-lived, often-rotated certificates. This will probably hit enterprises the most … Can you imagine the Extended Validation hassle to go through every 12 months? 😅
It’s a certificate check I’ll definitely add to Oh Dear as well.
Let’s Encrypt will now make multiple HTTP requests to the /.well-known/acme-challenge endpoint from different IPs. At least 3 out of 4 need to be successful, before a certificate is issued.
If you had previously whitelisted Let’s Encrypt IPs, you’ll have to make some changes on your end.
This post does a good series of benchmarking for PHP 7.4’s latest performance feature: preloading OPcaches.
You may remember that PHP compiles to bytecode everytime it is executed. This result is stored in the OPcache, to be re-used later. Since PHP 7.4, you can preload those, to avoid the expensive first-time hit.
A lot of sites embed Google Fonts (a technique known as “webfonts”). This page shows how many requests they’re serving per second, and it’s pretty mind boggling!
Looks like the sale of the .ORG TLD to a private equity firm is being put on hold … for now.
A really nice read on how 1500 became the default Maximum Transmission Unit (MTU) on the internet. It’s a well-chosen trade-off from the early days of hubs & congested networks.
A few months ago, Mozilla announced it would be moving Firefox DNS lookups to Cloudflare by default, for its American audience. What was once a fairly distributed method of DNS (everyone would be using their ISPs’ defaults), has now changed to a centralized solution with all data being sent to Cloudflare.
“After being involved with design and open source projects for many years, I’ve noticed a few common reasons why designing for open source projects can be very difficult.”
I recognise a lot of what the author writes, it’s good to be aware of the pitfalls and tackle them early on.
“Whilst QUIC is very important, it is not on the roadmap for the 3.0 release.”
For the next major OpenSSL 3.0 release, the QUIC protocol isn’t considered. It will only be a focus after 3.0 and only if there is stability/maturity in the IETF process.
I guess this means it’ll remain hard to run HTTP/3 (or QUIC) on modern servers that rely on OpenSSL in the near future, unless you were to compile your own versions and link them against a different SSL library.
I had so many “Amen! Preach brother!” moments in this post, it’s unbelievable. And I’m not even religious.
The role of a sysadmin is often overlooked or deemed as just not that important. But there are so many things we do in the background to ensure things keep running smoothly and Chris tackles them all.
I’d love to fast-forward 2 or 3 years and see if they’re still running Linux then, or have reverted back to Windows.
Tools & Projects 🛠
Kasaya is a “WYSIWYG” scripting language and runtime for browser automation. It allows you to write test scripts using English-like statements, unlike Cucumber or or Selinium.
GitExplorer: Find the right git commands you need without digging through the web.
MCUboot is a secure bootloader for 32-bit microcontrollers. The goal of MCUboot is to define a common infrastructure for the bootloader, system flash layout on microcontroller systems, and to provide a secure bootloader that enables easy software upgrade.
I missed this was a thing, but the popular Homebrew package manager on Mac also exists for Linux.
Insights is a tool to visually explore a PostgreSQL database, with an emphasis on generating graphs that show business performance over time.
Markdeep is a technology for writing plain text documents that will look good in any web browser, whether local or remote. It supports diagrams, calendars, equations, and other features as extensions of Markdown syntax.
Patroni is a template for you to create your own customized, high-availability solution using Python and - for maximum accessibility - a distributed configuration store like ZooKeeper, etcd, Consul or Kubernetes.
A huge list of alternatives to Google products. Privacy tips, tricks, and links.
“The NetBSD Project is pleased to announce NetBSD 9.0, the seventeenth major release of the NetBSD operating system.”
Major improvements include support for 64-bit ARMv8, improved virtualization support, Kernel ASLR, updates to the ZFS file system, support for NVMM virtualization, …
A ssl/ssh multiplexer sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client (aka: it allows you to run your SSH server and HTTPS webserver on the same port).
“whoami.filippo.io, the SSH server that knows who you are, got some newly refreshed intel! Try it out!
The 8.2 release is a pretty important one: OpenSSH now includes FIDO/U2F support (among a number of other new features and bugfixes). It also starts the long path of deprecating SHA1-dependent cryptography.
Guides & Tutorials 🎓
Do you remember the first time you fell for a fork bomb? Or a ZIP recursion bomb? Lots of examples in different languages can be found here!
When getting started with containers, it’s pretty easy to be shocked by the size of the images that are built. This post looks at a number of techniques to reduce image size, without sacrificing developers’ and ops’ convenience.
A good series of steps to use if you want to host your own static website on a serverless environment (aka: you’re not responsible for the servers, you can’t SSH into them and can’t really debug anything if it goes wrong, but I guess it’s the future and all).
A simple guide that covers the most basic usages of grep & uniq to find and match IP addresses in logs. It’s something I still do on a daily basis, even after 15 years.
Kapitan is a tool to manage complex deployments using jsonnet, kadet and jinja2. You can use Kapitan to manage your Kubernetes manifests, your documentation, your Terraform configuration, … This post looks at a lot of practical examples and best practices on how to use Kapitan.
This post goes over some of the steps on how you could replace Jenkins with Concourse CI. It lacks some practical examples I feel, but it should get you halfway at least.
A very in-depth post on what to look for in Kubernetes audit logs and how to visualize the important bits.