utcc-utoronto-ca-cks

Google is requiring Certificate Authorities to stop issuing TLS certificates for client authentication, and Let's Encrypt isn't planning to create new roots for this purpose. However, servers can still validate TLS certificates presented by clients even without the proper client authentication EKU, and many projects are starting to accept TLS server certificates from clients instead.

The website blocks software with generic User-Agent headers from fetching syndication feeds, redirecting them to a special single-entry feed. Users are directed to a general web page explaining the issue with generic user agents.

A command-line script called 'promdownhosts' proved more useful than web dashboards during a power outage recovery. The script prints a text table of down machines, allowing easy filtering and access from server consoles without browsers.

The author lists specific features that make them attached to xterm as their terminal program, including its ziconbeep feature, large selection capability, ability to disable colors, customizable double-click word selection, and lack of automatic URL handling. They note that many of these features are difficult to replicate in other terminal emulators like gnome-terminal or urxvt.

The article argues that log messages should primarily serve the people operating software, not just developers. It emphasizes that log content should be meaningful and understandable to system administrators without requiring specialized knowledge. The author suggests developers should consider what operational value each log message provides to those running the software.

The author presents a taxonomy of text output methods from command-line tools, ranking them from best to worst. The preferred approach is plain text line-by-line output, while the most problematic involves full-screen terminal UI elements that disrupt normal command-line workflow. The author argues tools should provide options to disable fancy output and detect when it's inappropriate.

A Python program that displays Linux cgroup memory information evolved from showing two fields to needing three. The author considered creating a general solution for any number of fields but opted for a simpler hard-coded three-field version with a new command line option. This pragmatic approach provided immediate functionality without requiring a major redesign.

Systemd's IPAddressAllow and IPAddressDeny controls can be applied to socket units, restricting access only to those sockets rather than the entire service. This is implemented through eBPF programs attached to cgroups, with sockets inheriting these restrictions even when passed to other programs. However, this approach doesn't enable per-port IP access controls for regular service units.

Xterm's ziconbeep feature alerts users when minimized windows receive output, but cannot be fully implemented in window managers. While window managers can detect title changes for audible alerts, they cannot reliably detect new output or determine semantically meaningful changes requiring attention.

The article explores how eBPF could implement per-port IP address restrictions by extending systemd's current LPM map approach. It proposes embedding port numbers in LPM map keys alongside IP addresses, allowing scalable filtering of network packets based on both destination port and source IP. The approach maintains simple eBPF program generation while enabling more granular access controls.

The article argues that URLs included in HTTP User-Agent headers should be functional and lead to actual websites explaining the software or project. Non-working URLs are viewed as suspicious and may lead to blocking, while missing URLs are less concerning. The author notes they've seen various problematic URL patterns including example domains and .lan/.local addresses.

A power glitch at a university campus left some network switches in a non-working state despite being powered on. The issue was resolved by fully power cycling the affected hardware. This incident illustrates how power disruptions can cause computer hardware to enter unusual operational states.

An undergraduate research programmer added disk IO tracing to the Ultrix kernel for a professor's project. The code panicked on a customer's machine because a disk block address field was too small for their larger disks. This failure likely ended that part of the research project.

The author reports that switching to UEFI-only booting with GRUB on Ubuntu 24.04 servers has gone smoothly over the past two years. While there are concerns about handling redundant boot disks after disk failures, the overall transition has been successful with minimal issues.

The author describes adding a 'held' status to a Django web application for account requests, then realizing it was more restrictive than intended. This experience highlighted the need to document form behaviors, as past knowledge about form rules wasn't retained over time.

Websites now routinely serve different content to different HTTP User-Agents, with some getting errors, redirections, or challenge pages while others receive actual content. This makes it increasingly risky to assume results from one User-Agent apply to another, especially with browser-like User-Agents that are frequently forged by crawlers and malware.

The article discusses a proposal to add dependency cooldowns to Go, which would delay automatic updates to new dependency versions. Despite Go's minimum version selection feature, developers often update dependencies quickly through tools like Dependabot, creating potential issues. The author suggests implementing cooldown settings in go.mod files to ensure consistent application across projects.

The article argues that while attackers control most HTTP header information, web agents still emit valuable signals for access decisions. Inconsistencies in user-agent data can reveal suspicious activity, even if the data could be faked. The author advocates for empirical, thoughtful interpretation of these signals rather than dismissing all non-IP information as untrustworthy.

Fedora systems accumulate old GPG keys from RPM packages over time. The clean-rpm-gpg-pubkey tool helps remove obsolete keys, while manual removal may be needed for re-issued expired keys that cause DNF update issues.

The article explains that Wayland integrates the window manager into the display server to avoid event-handling delays and race conditions that occur when they are separate, as in X11. This integration allows the window manager to see and react to all input events without lag, and to freely intercept and modify events without limitations.

Python docstrings are attached to functions and scattered throughout code, making them local documentation. They work well for summarizing individual functions but poorly for providing overviews or documenting complex interactions between components.

DMARC DNS lookups occur for either the exact From: domain or the organization's top-level domain. While DMARC policy inheritance allows different policies for organizational domains and subdomains, DKIM alignment settings apply uniformly across all subdomains without their own DMARC records.

A university computing group maintained duplicate systems for tracking disk usage over many years. They evolved from traditional Unix scripts to ZFS-based reporting, then to Prometheus metrics with a new command-line tool. Despite creating modern replacements, they haven't removed the old infrastructure due to cleanup effort and inertia.

The author describes how duplicate systems often linger when a new, improved system is built but doesn't fully replace the old one. Organizations keep the old system running for existing functionality while using the new system for new features, creating little motivation to eliminate the duplicate system until resource constraints or maintenance burdens arise.

Mass production makes unexpected devices the cheapest options for network monitoring. Remote-controlled Wi-Fi power plugs serve as inexpensive wireless ping targets, while basic managed switches provide wired Ethernet monitoring points. Both solutions are cheaper than purpose-built alternatives due to their high-volume manufacturing.

Fedora's virt-manager has started defaulting to external snapshots as of Fedora 41, which cannot be reverted when mixed with internal snapshots. Users discovered this when trying to revert or delete snapshots, encountering errors about external snapshots not being revertable. The issue is particularly problematic when external snapshots are created on top of existing internal snapshots.

The author describes a brute-force approach to map IPv4 addresses to Autonomous System Numbers in Python 2 using a sparse file. By storing ASN data for each /24 network block in a file, the method allows efficient lookups with minimal memory usage. The implementation proved straightforward and created a 53 MB data file covering about 16.5 million /24 networks.

The author describes switching libvirt virtual machines from traditional BIOS/MBR booting to UEFI booting by directly editing the libvirt XML configuration. This change became possible after libvirt gained support for UEFI snapshots, and the author provides technical details about the XML modifications required for the transition.

The author discusses whether mmap() would perform better than plain read() for their Python code that maps IPv4 subnets to ASNs. They conclude mmap() would likely be worse due to Python's limitations and single-lookup use case, though performance depends on access patterns. The author recommends using mmap() primarily for code simplicity rather than performance.

Canonical's Netplan networking tool makes automation difficult by requiring DNS settings to be tied to specific interfaces and lacking proper tools for querying or modifying configurations. The system doesn't support removing settings or provide good ways to search YAML configurations, forcing users to resort to workarounds for basic automation tasks.