There are plenty of options: nix-sops, or nix-age, or whatever you would like - past the overall idea the implementation details are purely a matter of taste how you fancy things to be. Key idea is to have encrypted secrets in the store, decrypted at runtime using machine-specific credentials (host SSH keys are a typical option to repurpose, or you can set up something else). For local management you also encrypt to the “developer” keys (under the hood data is symmetrically encrypted with a random key and that key is encrypted to every key you have - machines and humans).
Alternatively, you can set up a secrets service (like a password manager/vault) and source from that. Difference is where the secrets live (encrypted store or networked service, with all the consequences of every approach), commonality is that they’re fetched at runtime, before your programs start.
I’m currently using deploy-rs, but if I’d redo my stuff (and the only reason I don’t is that I’m pretty much overwhelmed by life) I’d probably go with plain vanilla nixos-rebuild --target-host and skip any additional layers (that introduce extra complexity and fragility).
Just a crude and somewhat haphazard summary but hope it helps.
I strongly recommend investing in some lights-out management (IPMI, KVM or alike) solution that doesn’t depend on any OS peculiarities.
Configuration switching and rollback mechanisms aren’t exactly reliable with trickier setups, as they don’t account for any ephemeral state (like what’s actually in the routing tables), and that stuff cannot always be preemptively declared upfront. I’m afraid that despite a lot of effort, the only truly reliable method to ensure the system will come back is still to deploy-and-reboot.
True, it's not a full replacement for ipmi-ish tech. There are ways the deployed waiter can fail before it times out and triggers the rollback. Deploy often enough and you will hit all the wonderful edge cases. I treat it as a first line of defense that saves me time on scooting the chair over to my server cabinet and yanking the cords.
WRT ephemeral state -- NixOS allows you to minimize this. Coupled with impermanence, all non-declared and non-externally-retrievable state is wiped away upon reboot. And if it's not declarative and not retrievable, I just don't use it. Homelab allows for a lot of choice in that regard.
I have been using nixos-rebuild with target host and it has been totally fine.
The only thing I have not solved is password-protected sudo on the target host. I deploy using a dedicated user, which has passwordless sudo set up to work. Seems like a necessary evil.
> I deploy using a dedicated user, which has passwordless sudo set up to work.
IMO there is no point in doing that over just using root, maybe unless you have multiple administrators and do it for audit purposes.
Anyway, what you can do is have a dedicated deployment key that is only allowed to execute a subset of commands (via the command= option in authorized_keys). I've used it to only allow starting the nixos-upgrade.service (and some other not necessarily required things), which then pulls updates from a predefined location.
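As an added illustration of the command= approach described above (my own sketch, not the commenter's setup): a forced-command wrapper that exact-matches SSH_ORIGINAL_COMMAND against a tiny allowlist, so the deploy key can kick off nixos-upgrade.service but nothing else. The install path /etc/ssh/deploy-wrapper.sh and the second allowlisted status command are hypothetical choices.

```shell
#!/bin/sh
# Added example, not from the thread: a forced-command wrapper for a deploy-only SSH key.
# Install as /etc/ssh/deploy-wrapper.sh (hypothetical path) and reference it from the
# target host's authorized_keys, e.g.:
#   command="/etc/ssh/deploy-wrapper.sh",restrict ssh-ed25519 AAAA...deploykey deploy@ci
# With command= set, sshd ignores what the client asked to run and starts this
# script instead, passing the requested command in SSH_ORIGINAL_COMMAND.

# Map a requested command to the fixed command we are willing to run.
# Exact match on the whole string, so "systemctl start foo; rm -rf /" is refused.
# Prints the vetted command on stdout; returns 1 for anything not allowlisted.
deploy_allowed() {
    case "$1" in
        "systemctl start nixos-upgrade.service")
            echo "systemctl start nixos-upgrade.service" ;;
        "systemctl status nixos-upgrade.service")
            echo "systemctl status --no-pager nixos-upgrade.service" ;;
        *)
            return 1 ;;
    esac
}

# Classify a session: "refused-empty" (no command, i.e. a shell was requested),
# "refused: <cmd>", or "run: <vetted cmd>". Exit status 0 only for the last case.
deploy_dispatch() {
    if [ -z "$1" ]; then
        echo "refused-empty"
        return 1
    fi
    vetted=$(deploy_allowed "$1") || { echo "refused: $1"; return 1; }
    echo "run: $vetted"
}

# Only act as the real wrapper when installed under that name; loading the file
# under another name (e.g. for testing) just defines the functions above.
if [ "${0##*/}" = "deploy-wrapper.sh" ]; then
    decision=$(deploy_dispatch "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t deploy-wrapper "$decision"   # refusals land in the journal for auditing
        exit 1
    }
    logger -t deploy-wrapper "$decision"
    exec ${decision#run: }                     # vetted fixed string, safe to word-split
fi
```

Every refused request is logged with the exact string the client sent, which doubles as a cheap detection signal if the deploy key ever ends up somewhere it should not be.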
How do they even define “social media”? Do they just ban kids from participating in society using electronic communications? Or maintain a stoplist “here’s what we consider to be social media”? Or what?
I mean, sure, prime examples of what is colloquially called “social media” are crapware. I do get the intent.
But I wonder what sort of unintended, unplanned, odd and potentially even socially harmful consequences it would possibly have.
Can you (or someone) please tell me what the point is, for a regular GNU/Linux user, of having this thing you folks are working on?
I can understand the corporate use case - the person with access to the machine is not its owner, and the corporation may want to ensure their property works the way they expect it to. Not something I care about, personally.
But when it’s a person using their own property, I don’t quite get the practical value of attestation. It’s not a security mechanism anymore (protecting a person from themselves is an odd goal), and it has significant abuse potential. That happened to mobile, and the outcome was that users were “protected” from themselves, that is - in less politically correct words - denied effective control over their personal property, as larger entities exercised their power and gated access to what became de-facto commonplace commodities by forcing them to surrender any rights. Paired with the awareness gap, the effects were disastrous, and not just for personal compute.
The value is being able to easily and robustly verify that my device hasn't been compromised. Binding disk encryption keys to the TPM such that I don't need to enter a password but an adversary still can't get at the contents without a zero day.
Of course you can already do the above with secure boot coupled with a CPU that implements an fTPM. So I can't speak to the value of this project specifically, only build and boot integrity in general. For example I have no idea what they mean by the bullet "runtime integrity".
> For example I have no idea what they mean by the bullet "runtime integrity".
This is for example dm-verity (e.g. `/usr/` is an erofs partition with matching dm-verity). Lennart always talks about either having files be RW (backed by encryption) or RX (backed by kernel signature verification).
I don’t think attestation can provide such guarantees. To the best of my understanding, it won’t protect from any RCE, and it won’t protect from malicious updates to configuration files. It won’t let me run arbitrary binaries (putting a nail to any local development), or if it will - it would be a temporary security theater (as attackers would reuse the same processes to sign their malware). IDSes are sufficient for this purpose, without negative side effects.
And that’s why I said “not a security mechanism”. Attestation is for protecting against actors with local hardware access. I have FDE and door locks for that already.
I think all of that comes down to being a matter of what precisely you're attesting? So I'm not actually clear what we're talking about here.
Given secure boot and a TPM you can remotely attest, using your own keys, that the system booted up to a known good state. What exactly that means though depends entirely on what you configured the image to contain.
> it won’t protect from malicious updates to configuration files
It will if you include the verified correct state of the relevant config file in a Merkle tree.
> It won’t let me run arbitrary binaries (putting a nail to any local development), or if it will - it would be a temporary security theater (as attackers would reuse the same processes to sign their malware).
Shouldn't it permit running arbitrary binaries that you have signed? That places the root of trust with the build environment.
Now if you attempt to compile binaries and then sign them on the production system yeah that would open you up to attack (if we assume a process has been compromised at runtime). But wasn't that already the case? Ideally the production system should never be used to sign anything. (Some combination of SGX, TPM, and SEV might be an exception to that but I don't know enough to say.)
> Attestation is for protecting against actors with local hardware access. I have FDE and door locks for that already.
If you remotely boot a box sitting in a rack on the other side of the world how can you be sure it hasn't been compromised? However you go about confirming it, isn't that what attestation is?
Well, maybe we're talking about different things, because I've asked from a regular GNU/Linux user perspective. That is, I have my computers and I'm concerned I would lose my freedoms to use them as I wish, because this attestation would be adopted and become de-facto mandatory if I ever want to do something online. Just like what happened to mobile, and what's currently slowly happening to other desktop OSes.
Production servers are a whole different story - it's usually not my hardware to begin with. But given how things are mostly immutable these days (shipped as images rather than installed the old-fashioned sysadmin way), I'm not really sure what to think of it...
You originally asked what the value proposition for a regular (non-corporate) user was. Then you raised some objections to my answer (or at least so I thought).
Granted these technologies can also be abused. But that involves running third party binaries that require SGX or other DRM measures before they will unlock or decrypt content or etc. Or querying a security element to learn who signed the image that was originally booted. Devices that support those things are already widespread. I don't think that's what this project is supposed to be. (Although I could always be wrong. There's almost no detail provided.)
Every authoritarian country thrives on “we’re surrounded by enemies, enemies everywhere” trope.
But, of course, all those glorious leaders happily shake hands and dine with each other, patting their backs and sharing ideas on how to keep peasants in check and themselves in power.
You’re bringing in something that’s (vaguely and poorly, for no one knows what it actually could be) defined as something that fits the narrative and presenting it: “see, if we think up a tool that’s inherently evil by definition of it, it cannot be neutral”. We might, but could such a tool actually exist?
(And before we joke about building it, we can think up its polar opposite too, something unquestionably good that just cannot be evil in the slightest. Again, I suspect, no such thing can exist in reality.)
Isn’t the purpose of all thought experiments to define something that is relevant to what you’re trying to philosophize about? “Fitting a narrative” is a thought-terminating cliché.
If we agree that there exists at least one thing theoretically whose invention would be unequivocally evil - without a morsel of moral justification, then surely there exists a moral spectrum on which all inventions lie, and the inventors (and builders) are not absolved of their sins by virtue of not having actually used their inventions. Maybe you disagree that even in the case of the Torment Nexus the inventor has no moral reckoning (yikes). Maybe you disagree that it’s a spectrum, and rather binary: Torment Nexus immoral, everything else moral (weird).
> If we agree that there exists at least one thing theoretically whose invention would be unequivocally evil
My issue is that your use of the phrase "exists ... theoretically" quietly steps across the boundary between ideal (where anything is possible), and real (where only some things are possible).
In other words, I think that the Torment Nexus doesn't exist. Only its idea does, and I don't see how that's possibly sufficient. Kinda like faster-than-light travel - it would change a lot of things - but only if it would be a real thing. AFAIK, to the best of our understanding, it's not. Even though the idea surely exists.
I rather think that the meme of the Torment Nexus is the actual thought-stopper, because exploring what it could possibly be is what the meme warns one about.
It’s really not that difficult to come up with a Torment Nexus that, given enough money, could be built today. I’m not sure why you’re convinced it could not exist. Just browse a bunch of Wikipedia articles about torture and ethnic cleansing and general injustice and connect some dots.
Another point of the Torment Nexus is that it’s dark humor that science fiction writers especially will ideate something in their writing, and spend great lengths discussing the inevitable harm it unleashes, only to wait a few years and watch as someone actually builds the thing they basically warned everyone about. It’s a placeholder for “thing so bad that I don’t actually want to describe it lest some psychopath actually builds it.”
Not Apple, but iMazing switched to subscription model and they simply lost me as a customer.
JetBrains tried something similar a while ago too, and almost screwed it up - but managed to listen to their customers and nailed it with the perpetual fallback licensing. Making me not just pay the subscription but feel respect for the company.
Isn’t that a derogatory stereotype? Aren’t those men (and women and other folks) as “exploited” as a reader of a book or a player of a game, who understands they’re about to be a part of a fantasy but willingly suspend the disbelief for a short while?
It’s only exploitation if this suspension of disbelief is artificially prolonged in a nefarious way, with a self-reinforcing fantasy so the person loses touch with reality and spends increasingly unhealthy amounts of time in a fantasy, or otherwise gets conditioned and starts to exhibit addiction-like behaviors that aren’t in their best long-term interests.
That happens (every entertainment industry has its whales), but saying it’s the norm (rather than a pathological extremity) is sort of stigmatizing.
Consent does not bless immoral acts or neutralize damage. A person who takes a drug voluntarily is still being harmed by it. It causes changes in the consumer whether he likes it or not. Causality does not care about your consent.
(And to address your analogy to books, the content of a work of fiction also matters. Reading bad books isn't good for your mind either. But literary fiction at least has the potential to be good. The genre isn't categorically bad.)
And porn is addictive. Porn addiction is extremely widespread and afflicts mostly young men. Porn's ubiquity and the ease with which it can be accessed has created a situation that did not exist before, and from a young age. And not only is it addictive, but it does real psychological damage to these consumers, creating what some call "porn brain". It is an excellent method for producing sexually-crippled creeps and incels unable - and even uninterested, given the nature of their "fantasy" - to have healthy relationships with real human beings, and the stats corroborate this.
It is an incredibly twisted and deranging vice. It destroys individuals and has a destructive impact on society as a whole.
> A person who takes a drug voluntarily is still being harmed by it. It causes changes in the consumer whether he likes it or not.
I’m afraid you’re oversimplifying it. If only things would be this simple. They just never are.
Every experience causes changes (it’s the whole point). And every stimulating experience has a potential to skew your behaviors towards having more of it. Some more, some less, of course, but anything can become a passion and get unhealthy so.
There’s this fine distinction between someone who does something now and then, without significant impairment to their decision-making abilities that cause over-favoring such actions, and those who fail to notice it in time and become overtly obsessed with something.
It’s not about what you do - you can be watching porn or going hiking (or whatever most people would naively deem “good”) - anything can become unhealthy.
I think I understand your point, though. Indeed, the nature of pornography consumption is intimate, and that leaves fewer opportunities for feedback and self-introspection. That is, noticing the point where it becomes more of an obsession. However, dismissing it under a simple “porn is bad” (a tempting idea) is short-sighted by dismissing any nuances, and also harmful - just in different ways (through stigmatization).
I am going to push back here. I follow a variety of YouTubers, and I'm pretty sure that I have a parasocial relationship with most of them. I never heard the term before I watched a Tom Scott video about it. It made perfect sense to me, and I saw it in myself. Literally, sometimes I talk to the screen, like we're in the room together. But it's only entertainment, and it's a fun way to "escape" after a long day at the office. I don't take it too seriously. Am I being exploited by a channel of funny people in their 20/30s who fix cars, or lift weights, or talk about relationship problems? I don't think so.
Are all transactions on OF inherently a parasocial relationship? If a dude wants to jerk his schmeat to somebody he thinks is attractive, and pays for access to the media without otherwise engaging, is that parasocial?
You could do that for free. Most are obviously looking for more.
It kind of sounds like you are trying to justify whatever it is you are doing, in which case you do you. I don't actually care what you do and neither should you care what I think.
> You could do that for free. Most are obviously looking for more.
And everyone can use Pornhub for free, yet Pornhub still makes money on their premium subscriptions. Are those also parasocial relationships?
> It kind of sounds like you are trying to justify whatever it is you are doing, in which case you do you.
You know I thought about putting the obligatory "I don't use OF" in my first comment, but felt it wouldn't be necessary. I see that it was; by the way have you stopped beating your wife?