cron.weekly issue #122: OpenSSL, NetBSD, MTU, Markdeep & more


cron.weekly is a newsletter about Linux, open source & webdevelopment. Want to get it in your inbox every Sunday? Subscribe below!


Mattias Geniar, February 23, 2020


Hi everyone! 👋

Welcome to cron.weekly issue #122.

Like I mentioned last week, this is the issue that includes a one-time e-mail open tracker. It allows me to validate my new e-mail setup. After today, it’s back to being the no-tracking newsletter again. 😉

I’d appreciate it if you could load the images in this e-mail, just once. 🙏

But you’re here for the content, not my e-mail debugging rant. So, enjoy this issue!

News & general 🗞

Safari will no longer accept new HTTPS certificates that expire more than 13 months from their creation date

This means websites using multi-year SSL/TLS certs issued after the cut-off point, on September 1st, 2020, will throw up privacy errors in Apple’s browser.

This is a strong move to push the industry to short-lived, often-rotated certificates. This will probably hit enterprises the most … Can you imagine the Extended Validation hassle to go through every 12 months? 😅

It’s a certificate check I’ll definitely add to Oh Dear as well.

Let’s Encrypt now requires validation from multiple source IPs

Let’s Encrypt will now make multiple HTTP requests to the /.well-known/acme-challenge endpoint from different IPs. At least 3 out of 4 need to be successful, before a certificate is issued.

If you had previously whitelisted Let’s Encrypt IPs, you’ll have to make some changes on your end.

Preloading benchmarks in PHP 7.4

This post does a good series of benchmarking for PHP 7.4’s latest performance feature: preloading OPcaches.

You may remember that PHP compiles a script to bytecode (opcodes) every time it is executed. That result is stored in the OPcache, to be re-used later. Since PHP 7.4, you can preload those opcodes at startup, to avoid the expensive first-request compile hit.

Google Fonts traffic statistics

A lot of sites embed Google Fonts (a technique known as “webfonts”). This page shows how many requests they’re serving per second, and it’s pretty mind-boggling!

Internet Society told to halt .org sale

Looks like the sale of the .ORG TLD to a private equity firm is being put on hold … for now.

How 1500 bytes became the MTU of the internet

A really nice read on how 1500 became the default Maximum Transmission Unit (MTU) on the internet. It’s a well-chosen trade-off from the early days of hubs & congested networks.

Centralised DoH is bad for Privacy, in 2019 and beyond

A few months ago, Mozilla announced it would be moving Firefox DNS lookups to Cloudflare by default, for its American audience. What was once a fairly distributed method of DNS (everyone would be using their ISPs’ defaults), has now changed to a centralized solution with all data being sent to Cloudflare.

Why designing for open source can be so difficult

“After being involved with design and open source projects for many years, I’ve noticed a few common reasons why designing for open source projects can be very difficult.”

I recognise a lot of what the author writes, it’s good to be aware of the pitfalls and tackle them early on.

QUIC and OpenSSL

“Whilst QUIC is very important, it is not on the roadmap for the 3.0 release.”

For the next major OpenSSL 3.0 release, the QUIC protocol isn’t considered. It will only be a focus after 3.0 and only if there is stability/maturity in the IETF process.

I guess this means it’ll remain hard to run HTTP/3 (or QUIC) on modern servers that rely on OpenSSL in the near future, unless you were to compile your own versions and link them against a different SSL library.

Running servers (and services) well is not trivial

I had so many “Amen! Preach brother!” moments in this post, it’s unbelievable. And I’m not even religious.

The role of a sysadmin is often overlooked or deemed as just not that important. But there are so many things we do in the background to ensure things keep running smoothly and Chris tackles them all.

South Korea switching their 3.3 million PCs to Linux

I’d love to fast-forward 2 or 3 years and see if they’re still running Linux then, or have reverted back to Windows.

Tools & Projects 🛠

Kasaya

Kasaya is a “WYSIWYG” scripting language and runtime for browser automation. It allows you to write test scripts using English-like statements, unlike Cucumber or Selenium.

GitExplorer

GitExplorer: Find the right git commands you need without digging through the web.

MCUboot

MCUboot is a secure bootloader for 32-bit microcontrollers. The goal of MCUboot is to define a common infrastructure for the bootloader, system flash layout on microcontroller systems, and to provide a secure bootloader that enables easy software upgrade.

Homebrew on Linux

I missed this was a thing, but the popular Homebrew package manager on Mac also exists for Linux.

insights

Insights is a tool to visually explore a PostgreSQL database, with an emphasis on generating graphs that show business performance over time.

Markdeep

Markdeep is a technology for writing plain text documents that will look good in any web browser, whether local or remote. It supports diagrams, calendars, equations, and other features as extensions of Markdown syntax.

patroni

Patroni is a template for you to create your own customized, high-availability solution using Python and - for maximum accessibility - a distributed configuration store like ZooKeeper, etcd, Consul or Kubernetes.

degoogle

A huge list of alternatives to Google products. Privacy tips, tricks, and links.

NetBSD 9.0

“The NetBSD Project is pleased to announce NetBSD 9.0, the seventeenth major release of the NetBSD operating system.”

Major improvements include support for 64-bit ARMv8, improved virtualization support, Kernel ASLR, updates to the ZFS file system, support for NVMM virtualization, …

sslh

sslh is an SSL/SSH multiplexer: it accepts connections on specified ports and forwards them on based on tests performed on the first data packet sent by the remote client (aka: it allows you to run your SSH server and HTTPS webserver on the same port).

whoami.filippo.io (Filippo Valsorda on Twitter 🐦)

“whoami.filippo.io, the SSH server that knows who you are, got some newly refreshed intel! Try it out! ssh whoami.filippo.io”

OpenSSH 8.2

The 8.2 release is a pretty important one: OpenSSH now includes FIDO/U2F support (among a number of other new features and bugfixes). It also starts the long path of deprecating SHA1-dependent cryptography.

Guides & Tutorials 🎓

Fork bombs implemented in different languages

Do you remember the first time you fell for a fork bomb? Or a ZIP recursion bomb? Lots of examples in different languages can be found here!

Reducing Docker image sizes

When getting started with containers, it’s pretty easy to be shocked by the size of the images that are built. This post looks at a number of techniques to reduce image size, without sacrificing developers’ and ops’ convenience.

Building a static serverless website using S3 and CloudFront

A good series of steps to use if you want to host your own static website on a serverless environment (aka: you’re not responsible for the servers, you can’t SSH into them and can’t really debug anything if it goes wrong, but I guess it’s the future and all).

Counting IP Addresses in a Log File

A simple guide that covers the most basic usages of grep & uniq to find and match IP addresses in logs. It’s something I still do on a daily basis, even after 15 years.
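As an added illustration of the grep-and-uniq approach described above (this is my own example, not code from the linked guide), here is the one-liner I reach for, wrapped in small functions so it can be reused. The access log lines are constructed for the example; the `top_ips_with_status` helper goes one step beyond the guide by filtering on the HTTP status column first, which is how you quickly spot the one client producing all the 401s.

```shell
#!/bin/sh
# Added example: count client IPs in a web server access log with
# grep, sort and uniq. The log below is constructed for the example.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
10.0.0.5 - - [23/Feb/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 612
192.168.1.20 - - [23/Feb/2020:10:00:02 +0000] "GET /login HTTP/1.1" 200 1043
10.0.0.5 - - [23/Feb/2020:10:00:03 +0000] "POST /login HTTP/1.1" 401 231
10.0.0.5 - - [23/Feb/2020:10:00:04 +0000] "POST /login HTTP/1.1" 401 231
203.0.113.7 - - [23/Feb/2020:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 404 153
192.168.1.20 - - [23/Feb/2020:10:00:06 +0000] "GET /dashboard HTTP/1.1" 200 5120
EOF

# Pull every IPv4-looking token out of the file, then count occurrences.
# The first sort matters: uniq -c only collapses *adjacent* duplicates.
# Output is "<count> <ip>", busiest client first.
top_ips() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort | uniq -c | sort -rn
}

# Same idea, but only for requests that returned a given status code
# (column 9 in the common log format), e.g. 401 to see who is failing logins.
top_ips_with_status() {
  awk -v code="$2" '$9 == code { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Usage: print the overall top talkers, then the clients behind the 401s.
top_ips "$LOG"
echo "--- clients with 401 responses ---"
top_ips_with_status "$LOG" 401
```

The regex is deliberately loose (it would also match something like 999.1.1.1), which is fine for a first pass over an access log where the only dotted-quad tokens are client addresses; pipe the output into `head` when the list gets long.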

Keep your ship together with Kapitan

Kapitan is a tool to manage complex deployments using jsonnet, kadet and jinja2. You can use Kapitan to manage your Kubernetes manifests, your documentation, your Terraform configuration, … This post looks at a lot of practical examples and best practices on how to use Kapitan.

Replacing Jenkins with Concourse

This post goes over some of the steps on how you could replace Jenkins with Concourse CI. It lacks some practical examples I feel, but it should get you halfway at least.

How to monitor Kubernetes audit logs

A very in-depth post on what to look for in Kubernetes audit logs and how to visualize the important bits.
