commit 6ca3367104440fe7264dec1a1f8eaebbeb9bafed Author: Nick Thomas Date: Tue Nov 24 22:46:02 2020 +0000 Port content over diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8b3c274 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/dst diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..84f0374 --- /dev/null +++ b/Makefile @@ -0,0 +1,6 @@ +default: build + +build: + @rm -rf dst + @kiln + @tree dst diff --git a/README.gmi b/README.gmi new file mode 100644 index 0000000..7b46276 --- /dev/null +++ b/README.gmi @@ -0,0 +1,26 @@ +# Gemini Capsule - Nick Thomas + +## Introduction + +Gemini is awesome. This is my capsule. It replaces the old website: + +=> https://ur.gs Old HTTP website + +The Gemini capsule is hosted here: + +=> gemini://ur.gs + +## Tools + +=> https://sr.ht/~adnano/kiln Kiln static site generator +=> gemini://gem.limpet.net/agate/ Agate Gemini server + +## Usage + +Ensure Kiln is installed and run: + +``` +make +``` + +Feed the `dst/` directory to Agate. diff --git a/config.ini b/config.ini new file mode 100644 index 0000000..001eb16 --- /dev/null +++ b/config.ini @@ -0,0 +1,2 @@ +title = Nick Thomas +url = gemini://ur.gs diff --git a/src/blog/2013-09-14-dane-1.gmi b/src/blog/2013-09-14-dane-1.gmi new file mode 100644 index 0000000..b1dd1b2 --- /dev/null +++ b/src/blog/2013-09-14-dane-1.gmi 
@@ -0,0 +1,67 @@ +# DNSSEC + DANE: Part 1 + +## Problem + +Communications on the Internet overwhelmingly rely on SSL/TLS for protection. +There are two forms of protection this is meant to provide - from snooping of +traffic, and from impersonation. The first of those gets a lot of attention +but, unless we have the latter as well, an attacker can snoop on your traffic +by performing a man-in-the-middle attack on you with a dodgy certificate: + +=> http://falkvinge.net/2013/09/12/the-nsa-and-u-s-congress-has-destroyed-ssl-we-must-rebuild-web-security-from-the-ground-up/ + +Unfortunately, the current method of providing protection-from-impersonation +is terrible. Traditionally, OS and browser vendors pick a range of root +certificates to bundle with their software - a list that's generally hundreds +of entries long - and everyone trusts that the list is good. Anyone who can +get a certificate into the lists can then sell certificates signed by it to +people who can't (like me, for a start). + +They can sell certificates for any domain, for any reason, with any degree of +publicity, transparency or validation; the only recourse vendors have is to +threaten to stop trusting them if the're shown to be issuing certificates that +don't meet some standard or another. If they're compromised and the key for the +root certificate is stolen - as happened in 2011: + +=> https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https + +Then it's a mad scramble to revoke or blacklist new certificates based on that +stolen information before too much harm is done. + +Recently, some vendors - Chrome, for instance - have started introducing +certificate pinning +to restrict the range of CAs that are valid for a particular domain: + +=> https://www.imperialviolet.org/2011/05/04/pinning.html + +This helps a bit against some attacks on large sites, but isn't much use as a +general solution. 
+ +As for the first part - the encryption itself - there's a lot of discussion +right now over which parameters are safe, and which aren't. There's probably +*some* setups that're safe from cryptanalysis - or if not, then we can probably +come up with some. In this area, one more problem we have with the current CA +model is that deploying new types of certificates is a slow process - you have +to wait for a trusted CA to start offering them, before you can use them. + +## Solutions + +The current system, then, can be summarised as trust silos. The main contender +to replace it is an RFC known as DANE: + +=> https://datatracker.ietf.org/doc/rfc6698/ + +This leverages DNSSEC-signed DNS to publish records that say which certificates +(rather than certificate authorities) are valid for a particular service running +on a domain. As it utilises the DNS, we move from trust silos to hierarchical +trust. + +Hierarchical trust is narrower, and so better, but still vulnerable to +compromises of keys not under your control. However, the only other schemes +I'm really aware of at the moment are based on web-of-trust relationships with +offline identity verification. This boils down to everyone manually curating +bookmarks that tell them how much to trust things, and there are still keys +out of your control that, if compromised, break you - you just get to choose +between trust anchors more flexibly than with a hierarchical system. I'm not +convinced the extra effort is worth it, so I've deployed DNSSEC + DANE instead, +and in the next article, I'll go over how I did it. diff --git a/src/blog/2013-09-15-dane-2.gmi b/src/blog/2013-09-15-dane-2.gmi new file mode 100644 index 0000000..0bebe63 --- /dev/null +++ b/src/blog/2013-09-15-dane-2.gmi 
@@ -0,0 +1,403 @@ +# DNSSEC + DANE: Part 2 + +Assuming you've been convinced that it's a good idea to set up DNSSEC and DANE, +the point of this article is to demonstrate how I did it for my own domain - +the individual steps to get from nothing to valid DANE records weren't very +difficult; just not documented in a recipe-style guide anywhere. Hopefully, +this will help you get set up. I'm using Debian Squeeze or Wheezy throughout, +depending on host, but the instructions should be similar for most Linux +distributions. + +## DNSSEC + +This is the part that provides the hierarchical trust model, enabling a random +user of your site to trust (more or less, anyway) that when they ask for a +record that tells them which certificates are valid for their site, they +get the same record that you're going to upload later. + + +### Resolving nameserver + +Firstly, the user needs to be able to make DNSSEC-validatable DNS queries to +begin with. This requires that their caching (also known as resolving) nameserver +supports DNSSEC queries. This is easy enough to test: + +``` +lupine@den:~$ dig +dnssec mozilla.org + +; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +dnssec mozilla.org +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25143 +;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 7 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags: do; udp: 4096 +;; QUESTION SECTION: +;mozilla.org. IN A + +;; ANSWER SECTION: +mozilla.org. 60 IN A 63.245.217.105 +mozilla.org. 60 IN RRSIG A 7 2 60 20131013124658 20130913125405 17933 mozilla.org. k2LOpTkl35qIPmFKVQix87mItL2ycPFTymx0yoZoIt+jpsGhEbQWgiiV FXndEwOKap/RsXdHtzWWWI4vcDdQgES0X/XInAxRKTadceapQ34Nyb0w TN9CpYidxpI35MY9cseZVu9eCKXq0M7VxpSBKSHshby2A/hymJntq1lD sSI= +mozilla.org. 60 IN RRSIG A 7 2 60 20131013125201 20130913125405 63920 mozilla.org. 
N/dNbs71T0oEAJ0ulqeVPg4ty7UwG02QKOFr3tRy0kDpnRsPvIKX8E0e lVxCU/TCEckfS8QQv3JytoOrIwKt/Y1lOI//NuxLIZT8RndMvWaROkrt Ncs3moQAsD6w0sT+Yn7wx1AimVO4udQ8dh3lyYCKHdRq8VfxyK6/5Lws tzQ= + +;; AUTHORITY SECTION: +mozilla.org. 60 IN NS ns2.mozilla.org. +mozilla.org. 60 IN NS ns1.mozilla.org. +mozilla.org. 60 IN RRSIG NS 7 2 60 20131013125024 20130913125405 17933 mozilla.org. MlltXDEKazn80b3mMqGSOhCCqeQhuiIsgMXI+kaAABnwXyxzHsli+BEL f1AC3Grog3p9DLtRUPbAm3RWIF6HWgd5gJJ5rcw+50ihWVEwQceWniKD Sl/13G7V8pKR0P4GZjpTg//Go4H6xYZAThhU544zjxis5ytupM+rAW0I +ho= +mozilla.org. 60 IN RRSIG NS 7 2 60 20131013125355 20130913125405 63920 mozilla.org. KnOTFZRq6f3K6wbfa6YMjVROHc6kr+RzvthX531H7AQjejB0yAc6ttyI q9J3u/cDg2sdsmROJ91JXkmU7Kjq+LJKrRedQPwY0xLr57ODK/87D3Kv Z9icf5HxarvdN4FlPb7j/uI8EIN4jKXb08976KtPu7BT+6o+1b+rwUWf Ccc= + +;; ADDITIONAL SECTION: +ns1.mozilla.org. 60 IN A 63.245.215.5 +ns2.mozilla.org. 60 IN A 63.245.218.7 +ns1.mozilla.org. 60 IN RRSIG A 7 3 60 20131013124618 20130913125405 63920 mozilla.org. e1mdvK7ERSuaNIxSf1O+8vyFJWoGBGGPSFt20KLiF+KBU1siDlywTTBr /UT5cNBB4prqcZ0DdFagnmWE2OploEqof0Nl/IiSPwVGy8eGksGmS0Qf zK78emWv4nQmVkiVokcZqIHiAXPxG9ZafJaTo/BGtnThILmatdnk2xuI JdY= +ns1.mozilla.org. 60 IN RRSIG A 7 3 60 20131013125230 20130913125405 17933 mozilla.org. 1wWdtXpmOk9oOwzl8j8Jvz2IyqfVXIMfB9kDRC0AUKQNvUDk85Xp6AfE 2i4vaupFRa5RTKKj4gBTYRqfObhdrJHLNIRx1BMb/mb/B/8IF0HuxXeU IlGU8Wu/GbDHOHrS42Z3i2w9Y+DVUI1JQQlPHapDtD20kzKnClIN9iSa FRo= +ns2.mozilla.org. 60 IN RRSIG A 7 3 60 20131013125059 20130913125405 17933 mozilla.org. WcnS3dw6gQ6gM5dP6tKGK+Gwkd3u8AMco2WCU3WzLoK0ADeJo9qjYGzd pSnJLRRMfiKBeWZJvm6g89sS+gPQh1IlncPp6AaGQdAAyl+OtwIswA/n qPQLlWBdJQrfAnzLKDXbOjTH2K9vXxNSUyAL5QzUgLIAB16oTvREbL42 bIc= +ns2.mozilla.org. 60 IN RRSIG A 7 3 60 20131013125237 20130913125405 63920 mozilla.org. 
V2xTFK6cG9v+mBKbZP7a5yXFJUaXKAt1qOP0VmHWrP1n5lNfvcOMrKLc g4vpaxdbA0M1B7xMhX4ps2IYljAUZdzkBCMXp+bYKPKXdkxKRmXsnspF 7Fii5N9q7FKyhLEbsW8G9MRTScE0ohu5s8db6hOGmkcbyvZJmk5+R1Qd aAk= + +;; Query time: 285 msec +;; SERVER: 213.138.102.177#53(213.138.102.177) +;; WHEN: Sat Sep 14 16:54:58 2013 +;; MSG SIZE rcvd: 1492 + +lupine@den:~$ +``` + +If you see RRSIG records, as above, then you don't need to do anything. If you +don't, then your resolver doesn't support DNSSEC. This is fairly common. As a +first resort, ask your provider (normally your ISP) to fix it. If that doesn't +bear fruit, or if you're impatient, you can install and use the Unbound resolver: + +=> http://unbound.net/ + +I was in the latter situation, and my router happens to run a hacked-up version +of Debian Squeeze, so I installed Unbound on it and configured the DHCP server +to refer to it when configuring clients; so every machine on my home network +now has access to a DNSSEC-capable resolver. You can also install and use it +locally, which might look like this: + +``` +root@den:~# apt-get install unbound # unbound-anchor # for wheezy +root@den:~# echo "nameserver 127.0.0.1" > /etc/resolv.conf +root@den:~# chattr +i /etc/resolv.conf +``` + +The resolv.conf file can be managed and altered in a number of ways - I can't +actually recommend altering it to point to the Unbound instance you just +installed and making it immutable. If your desktop environment manages DHCP +for you, then you should investigate options for providing the DNS manually. +Debian also has the `resolveconf` package which would allow you to specify +static fragments to go into resolv.conf. If you're old-fashioned and are +using static configuation + /etc/network/interfaces, then the dns-nameservers +directive will let you specify 127.0.0.1 - your local Unbound instance. 
+ +### Browser (and other application) support + +Now that you can get DNSSEC records from your resolver, through means fair or +foul, you need client application support. Firefox has a plugin or two that also support DANE: + +=> https://os3sec.org/ +=> https://www.dnssec-validator.cz/ + +The equivalent Chrome plugin only supports DNSSEC: + +https://chrome.google.com/webstore/detail/dnssec-validator/hpmbmjbcmglolhjdcbicfdhmgmcoeknm + +Internet Explorer is probably Right Out, and I have no +idea about Opera, Safari, and the rest. Another option is to install the +Bloodhound browser. Apparently. + +=> https://www.dnssec-tools.org/wiki/index.php/Bloodhound + +Web browsers aren't the only applications that could make use of DNSSEC and +DANE, of course. Mail and XMPP are two other important protocols; Thunderbird +has no DNSSEC plugin at the moment, as far as I'm aware, and neither does Gajim +or Pidgin. Let me know if you're aware of any replacements that do - there's +obviously work to be done when it comes to client support. The more servers +support DNSSEC, the more pressure there is on client applications to support +it, of course. For now, open this web page on your DNSSEC-capable browser and +ensure that the DNSSEC plugin is happy. + +### Domain + +Now that you've got a client environment that can handle DNSSEC records, it's +time to look at getting your own domain DNSSEC-signed. I'll be using lupine.me.uk +as an example throughout; you need to pick (or register) a domain from a +DNSSEC-supporting registry: + +=> http://dnssec-deployment.org/ + +You should also ensure that it's with a registrar that allows you to upload +so-called DNSKEY records to that registry. For me, the answers were ".me.uk" +(now ".gs") and "gandi" - they may be different for you. + +### Authoritative nameserver + +Once you've got your domain, you need to decide how you're going to serve DNS +with it, in general. 
I was lazy and just set up my DNS server on the same machine +as the website - that's not generally appropriate for production, but a common +deployment is to have a DNS master on the same machine as the website, with +geographically-diverse slave servers doing zone transfers over AXFR. I'll just +look at sorting out one nameserver - a.ns.lupine.me.uk - though. + +The best authoritative nameserver - by far - for DNSSEC support is PowerDNS: + +=> https://www.powerdns.com/ + +It handles all the difficult details that, if I'm quite honest, I don't really +understand. Debian Squeeze includes version 2.9, and DNSSEC support comes in +the 3.x series, so I installed the 3.3 static package available on the +website and installed it: + +=> https://www.powerdns.com/downloads.html + +Wheezy backports, and Debian Jessie, are both easier to deal with. + +PowerDNS is fairly configurable, particularly for backends; I used its sqlite3 +backend, and setting it up for that looks like this: + +``` +root@oak:/etc/powerdns/pdns.d# cat 00-sqlite3-backend.conf +launch=gsqlite3 +gsqlite3-database=/var/lib/powerdns/pdns.sqlite3 +gsqlite3-dnssec=yes +``` + +The pdns.sqlite3 file is autogenerated when you restart PowerDNS, but it lacks +certain schema elements that are necessary for DNSSEC. 
You can add them by +running the commands detailed here: + +=> http://doc.powerdns.com/html/gsqlite.html#idp36763616 + +For completeness, they're duplicated below: + +``` +root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3 +sqlite> alter table records add ordername VARCHAR(255); +sqlite> alter table records add auth bool; +sqlite> create index orderindex on records(ordername); +sqlite> create table domainmetadata ( + id INTEGER PRIMARY KEY, + domain_id INT NOT NULL, + kind VARCHAR(16) COLLATE NOCASE, + content TEXT + ); +sqlite> create index domainmetaidindex on domainmetadata(domain_id); +sqlite> create table cryptokeys ( + id INTEGER PRIMARY KEY, + domain_id INT NOT NULL, + flags INT NOT NULL, + active BOOL, + content TEXT + ); +sqlite> create index domainidindex on cryptokeys(domain_id); +sqlite> create table tsigkeys ( + id INTEGER PRIMARY KEY, + name VARCHAR(255) COLLATE NOCASE, + algorithm VARCHAR(50) COLLATE NOCASE, + secret VARCHAR(255) + ); +sqlite> create unique index namealgoindex on tsigkeys(name, algorithm); +``` + +Now add some ordinary DNS records for PowerDNS to serve: + +``` +sqlite> insert into domains (name, type) VALUES('lupine.me.uk', 'NATIVE'); +sqlite> select id from domains where name = 'lupine.me.uk'; +1 # This may be different for you - I set domain_id below to it +# Set your own SOA serial value according to what you prefer +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES( + 1, 'lupine.me.uk', 'SOA', 'a.ns.lupine.me.uk nick.lupine.me.uk 1378936223', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES( + 1, 'lupine.me.uk', 'NS', 'a.ns.lupine.me.uk', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES( + 1, 'a.ns.lupine.me.uk', 'A', '213.138.100.8', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES( + 1, 'lupine.me.uk', 'MX', 'lupine.me.uk', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) 
VALUES( + 1, 'www.lupine.me.uk', 'CNAME', 'lupine.me.uk', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES( + 1, '*.chat.lupine.me.uk', 'CNAME', 'lupine.me.uk', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES( + 1, '_xmpp-client._tcp.lupine.me.uk', 'SRV', '0 5222 lupine.me.uk', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES( + 1, '_xmpp-server._tcp.lupine.me.uk', 'SRV', '0 5269 lupine.me.uk', 3600 + ); +``` + +At this point, the PowerDNS server will respond to DNS requests, but they're +not DNSSEC-signed. Enabling DNSSEC for the domain is as simple as: + +``` +root@oak:~# pdnssec secure-zone lupine.me.uk +Securing zone with rsasha256 algorithm with default key size +Zone lupine.me.uk secured +root@oak:~# pdnssec set-nsec3 lupine.me.uk +NSEC3 set, please rectify-zone if your backend needs it +root@oak:~# pdnssec rectify-zone lupine.me.uk +Adding NSEC3 hashed ordering information for 'lupine.me.uk' +root@oak:~# pdnssec check-zone lupine.me.uk +Checked 14 records of 'lupine.me.uk', 0 errors, 0 warnings. +root@oak:~# pdnssec show-zone lupine.me.uk +Zone is not presigned +Zone has hashed NSEC3 semantics, configuration: 1 0 1 ab +keys: +ID = 1 (KSK), tag = 7450, algo = 8, bits = 2048 Active: 1 ( RSASHA256 ) +KSK DNSKEY = lupine.me.uk IN DNSKEY 257 3 8 [...] ; ( RSASHA256 ) +DS = lupine.me.uk IN DS 7450 8 1 [...] ; ( SHA1 digest ) +DS = lupine.me.uk IN DS 7450 8 2 [...] ; ( SHA256 digest ) +DS = lupine.me.uk IN DS 7450 8 3 [...] ; ( GOST R 34.11-94 digest ) +DS = lupine.me.uk IN DS 7450 8 4 [...] ; ( SHA-384 digest ) +ID = 2 (ZSK), tag = 15433, algo = 8, bits = 1024 Active: 1 ( RSASHA256 ) +root@oak:~# +``` + +Now we have a signed DNSSEC zone. 
If you check the SQLite3 database, you'll +see new records have been generated to match the DNSKEY and DS records displayed +by the show-zone command, and the records you've added will have had various +bits of mysterious glue added. The finer points of DNSSEC are still lost on +me, but the important thing to note is that the "KSK DNSKEY" is the important +record that allows the chain of trust to be developed; this record is given +to the upstream zone via your registry (the ".me.uk" zone for me), who sign +it with their key. It is rotated every year or so, and you need to inform +the registry whenever it changes; you can have multiple active ones at once. +PowerDNS has some documentation on key management best practices, but I've +not needed to fuss with any of this, yet. + +=> http://doc.powerdns.com/html/dnssec-operational-doctrine.html + +So, take your DNSKEY record (or possibly DS record - different registrars +apparently might ask you for different things) and give it to your registrar. +Gandi has a neat "Enable DNSSEC" form you can use; others may vary. + +Once they have the record, you're ready to change the nameservers for the +domain to point to the DNS server you've just set up. I did this in gandi's +panel, and additional hoops I needed to jump through (because the nameserver +was in the lupine.me.uk zone) included notifying Nominet of the "a.ns.lupine.me.uk" +name, as well as notifying them of the "glue" between the name and its IP +addresses. This varies quite considerably by registry and registrar, so I'll +leave it as an exercise to the reader. + +## DANE + +Now that we have a DNSSEC-signed zone, we can add records to it, as defined by +RFC 6698. Unless someone is able to compromise the DNS trust anchor, your +registry's keys, or your keys, anyone looking these records up can be confident +that they are the ones you uploaded. 
+ +### Getting a certificate + +If you already have a self-signed or CA-issued certificate that you intend to +use, then great. If not, you can either buy one from a CA, or become your own +mini-CA and issue one for yourself. I'm sticking with a CA-issued one for the +next few months, because although DNSSEC has poor client support, DANE support +is entirely non-existent; so the value of a non-CA-certified certificate is +still almost nil. Using a CA-issued certificate (mine is from StartSSL, and +was free) in conjunction with DANE is OK - DANE-aware clients will detect +traditionally-MitM'd certificates from such a record - but you miss out on +a couple of benefits. Specifically, you're still dependent on the CA to support +sensible (or new/experimental) key types, and if you let the CA generate the +private key rather than going the CSR route (don't do this, ever) then you're +trusting them not to keep a record of what it was. + +I may talk about how to generate a self-signed certificate here in the future. + +### Generating records + +Once you've got your certificate and configured your various services to use +it (HTTPS especially, but also XMPP, IMAPS, SSMTP, etc), it's time to link +it all together in the DNS. Generating the records (which are known as TLSA +records) is a pain, but there is a tool - called swede - to do it for you: + +=> https://github.com/pieterlexis/swede + +It's Python, only works against HTTPS, and you'd get and +use it like this: + +``` +lupine@den:~/Development$ git clone https://github.com/pieterlexis/swede +Cloning into 'swede'... +remote: Counting objects: 116, done. +remote: Compressing objects: 100% (55/55), done. +remote: Total 116 (delta 67), reused 107 (delta 59) +Receiving objects: 100% (116/116), 21.83 KiB, done. +Resolving deltas: 100% (67/67), done. +lupine@den:~/Development$ cd swede +lupine@den:~/Development/swede$ sudo apt-get install python-unbound python-argparse python-ipaddr python-m2crypto +# [...] 
+lupine@den:~/Development/swede$ ./swede create --output rfc lupine.me.uk +No certificate specified on the commandline, attempting to retrieve it from the server lupine.me.uk. +Attempting to get certificate from 213.138.100.8 +M2Crypto does not support SNI: services using virtual-hosting will show the wrong certificate! +Got a certificate with Subject: /description=z3YBHiV5NCKOeIZs/C=GB/CN=www.lupine.me.uk/emailAddress=postmaster@lupine.me.uk +_443._tcp.lupine.me.uk. IN TLSA 1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06 +``` + +That last line is the TLSA record that identfies your certificate. Even though +swede only supports HTTPS, you can change _443 to _5222 and you've got an XMPP +record - so let's add a sensible set of TLSA records for this certificate to +DNS. + +``` +root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3 +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES ( + 1, '_443._tcp.lupine.me.uk', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES ( + 1, '_993._tcp.lupine.me.uk', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES ( + 1, '_5222._tcp.lupine.me.uk', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600 + ); +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES ( + 1, '_5269._tcp.lupine.me.uk', 'TLSA', '1 0 1 9730ccc0952f3150bc3c640aedb364bd628bc1738ada89826624d9442589eb06', 3600 + ); +sqlite> .exit +root@oak:~# pdnssec increase-serial lupine.me.uk && pdnssec rectify-all-zones +``` + +Now when you visit your website in a DANE-enabled browser, you'll see the +certificate is considered valid; you could remove all CA certificates from it +or use a self-signed certificate to the same end. Success! 
+ + +## SSHFP + +As a fillip, now that you've done all that work, you can also add SSHFP records +to smooth SSH access. That looks like this: + +``` +root@oak:~# sshfp --scan lupine.me.uk +WARNING: Ignoring -k option, -s was passwd +# lupine.me.uk SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3 +# lupine.me.uk SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3 + +lupine.me.uk IN SSHFP 1 1 08C614DAF69DA62937FEFFA025607569B54B8D08 +lupine.me.uk IN SSHFP 2 1 67B596A0A593A931DAD21C83F6E7B9F02CBFE6F5 + +root@oak:~# sqlite3 /var/lib/powerdns/pdns.sqlite3 +sqlite> insert into records (domain_id, name, type, content, ttl) VALUES ( + 1, 'lupine.me.uk', 'SSHFP', '1 1 08C614DAF69DA62937FEFFA025607569B54B8D08', 3600 + ); +sqlite> # ... +sqlite> .exit +root@oak:~# pdnssec increase-serial lupine.me.uk && pdnssec rectify-all-zones + +To make use of this, you'll also need to alter your ssh_config: + +lupine@den:~$ echo "\n\nVerifyHostKeyDNS yes" >> ~/.ssh/config +``` + +The outcome is that when logging into your machines over SSH from a new +location, your SSH client can check the presented host key fingerprints +against the ones in DNS, and warn you if they don't match for any reason - +a man-in-the-middle attack, for instance. Or a server reinstall, of course. + diff --git a/src/blog/2015-04-09-new-blog.gmi b/src/blog/2015-04-09-new-blog.gmi new file mode 100644 index 0000000..32b5211 --- /dev/null +++ b/src/blog/2015-04-09-new-blog.gmi 
@@ -0,0 +1,28 @@ +# New Blogging Platform + +## Alive again + +So, back to blogging. I've tried to run a blog since the dawn of time, more or +less, and it's always been a bit of a failure, partly for lack of anything +interesting to write about, and partly because blogging software is uniformly +awful. Typo, Wordpress, Zotonic, various home-grown bits and pieces... always a +hassle to install, maintain and publish to. + +The latest attempt is also slightly home-grown, but based on the go.tools/blog +codebase (via hints in goblog), which is reasonably pleasant. TODO: styling. +Really TODO. + +=> https://blog.toshnix.com/goblog + +## The future + +No point having a blog if I'm not going to put anything on it (again), of +course. My old articles will be imported soon (they remind me how to do DNSSEC, +so I really do need them), but I'm hoping to embark on a project that's been +sat around in my head for a little while now. Working title: *The Capitalist +Pig-Dog Blog*. There's also a general election coming up, which is making me +want to write things, as ever. The state of housing is also still in my head. +Prices make me angry, co-operative housing models make me feel better. + +Watch this space. Possibly forever, but hopefully not. + diff --git a/src/blog/2015-04-19-pig-dog-01.gmi b/src/blog/2015-04-19-pig-dog-01.gmi new file mode 100644 index 0000000..7ad6405 --- /dev/null +++ b/src/blog/2015-04-19-pig-dog-01.gmi 
@@ -0,0 +1,106 @@ +# The Capitalist Pig-Dog Blog + +## Wat + +I'm a sucker for catchy names (do say it out loud, at least once), but the +premise might need some explanation for people who aren't me. It's worth noting +at the outset that I'm primarily writing this for, and to, myself; but there's +no point in being unreasonably obtuse about it. + +"Capitalist pig-dog" is a wonderful insult I've heard in the past, usually +issued by comical Communist caricatures at heroic Capitalist caricatures in +pursuit of a cheap laugh or two. I can't track it down to a particular source, +although the Pythons are partially to blame for popularising "pig-dog" in +general. The term really caught my imagination about a year ago, and I've spent +the intervening time trying to work out what it *means*. Or could mean. + +Any analysis of my political/socioeconomic views puts me somewhere generally +identified as leftwing. Although I can't call myself a communist in good faith, +people I discuss these things with will happily label me a communist or +socialist after a few rounds of discussion. Hopefully, it goes without saying +that I should try to stand by my beliefs, and live according to them. Even if +said beliefs are dead wrong (of course, I don't believe they are), doing +*nothing* about them would be a little odd. + +=> pig-dog-01/politicalcompass-me.png + +The most obvious thing I can do is to vote in elections according to said +beliefs; being a UK citizen, I get a wonderful range of choices. + +=> pig-dog-01/politicalcompass-uk-parties.png + +Ah. + +The Green Party are probably closest to me at the moment, although I wouldn't +consider myself to be a natural Green voter. Living in York adds Yorkshire First +and the TUSC to my ballot paper, but removes the SDLP Plaid Cymru, the SNP, SSP, +Sinn Féin, and Respect. 
A choice of three vaguely representative candidates to +vote for isn't terrible (assuming the TUSC and Yorkshire First are in my ballpark), +so I can express my beliefs in this way. + +=> https://www.greenparty.org.uk Green Party +=> http://www.yorkshirefirst.org.uk Yorkshire First +=> https://www.tusc.org.uk TUSC +=> https://www.sdlp.ie SDLP +=> https://www.plaid.cymru/ Plaid Cymru +=> http://www.snp.org SNP +=> http://www.scottishsocialistparty.org/ SSP +=> https://www.sinnfein.ie Sinn Fein +=> http://www.respectparty.org Respect + +However, since York Central is a pretty safe Labour seat, and the election is run +according to the frankly pathological FPTP system, that vote doesn't then result +in my beliefs being advanced through the political system. By itself, this form +of political expression is a non-starter. At best, I can help one of these parties +to start establishing a support base to get an MP into parliament to... well, do +very little. Westminster is not kind to small parties: + +=> https://www.theguardian.com/politics/2015/feb/28/caroline-lucas-im-not-playing-about +=> https://en.wikipedia.org/wiki/York_Central_%28UK_Parliament_constituency%29 York Central +=> https://www.electoral-reform.org.uk/first-past-the-post FPTP + +Voting, then, is not doing much for me, or my beliefs. Even if it were, it's a +couple of minutes of action every five years or so - and my beliefs are +important to me. Since the parties in power are busily advancing beliefs that +are, in my view, fairly diametrically opposed, surely there is more that I can +do? Activism for parties I *do* support, and reform of the associated +electoral systems, is a long game, and I do put some resources into that - +although I could do more, I'm sure. In my personal life, I can resist the +prevailing (or Westminster-prevailing, perhaps) social currents and act +according to my conscience instead. Economically, though, I'm a bit stuffed. 
+The UK is, at least in theory, a capitalist state - and by living here, drawing +a wage here, paying taxes and spending money here, I am engaging in that system. +These actions mark me as a capitalist pig-dog by deed, even if my words are +quite different. + +## Help, I'm stuck in a capitalist country + +I'm not actually stuck, of course. I could move to a different country - one +matching my ideological leanings more closely. Some thought and research has +gone into this possibility - I recently visited Finland, and I'm keeping an eye +on Scottish independence - but it's on ice at the moment. + +=> https://en.wikipedia.org/wiki/Politics_of_Finland Finland +=> https://commonspace.scot Scottish Independence + +What else is there to do? Here's the not-very-revelatory revelation: in +capitalist economic systems, spending money is a bit like voting. +People engage in consensual exchanges - labour for money, money for (other) +commodities. Competition drives down prices, price discovery guides production, +and consumer choice determines which competitors win out, in the end. Consumer +choice is generally assumed to be "rational", which can be interpreted in a +number of ways, and may not be true in general anyway. + +=> https://mises.org/sites/default/files/Economics%20in%20One%20Lesson_2.pdf The Lesson +=> http://www.goodreads.com/series/40494-apprentice-adept + +In reality - in my judgement, anyway - the system I'm in doesn't work like that +at all. But if it works a *bit* like that, I can advance my beliefs by earning +and spending according to them. I think I already do that to some extent, but +I've never tried to analyse or quantify it; I just act in fairly knee-jerk ways +to the new story _du_jour_ . What if I look at everything I earn, and everything +I spend? What if I analyse it and try to maximise the effect that my money has, +in creating the sort of world I want to live in? And what if I blog about it, +and others join in? 
Will I still be a capitalist pig-dog? Will they? + +Let's find out. diff --git a/src/blog/2015-04-24-pig-dog-02.gmi b/src/blog/2015-04-24-pig-dog-02.gmi new file mode 100644 index 0000000..cc8ee1f --- /dev/null +++ b/src/blog/2015-04-24-pig-dog-02.gmi 
@@ -0,0 +1,106 @@ +# The Capitalist Pig-Dog Blog: Starting Points + +## Beliefs and values + +My last post talked a bit about beliefs and sticking to them, but it shied away +from discussing them in any detail. Words like "leftwing", and the +Political Compass graph, might have given a few hints away. If I'm going to be +analysing and changing my behaviour according to these things, it's important to +get a decent grasp on what they _are_. + +=> https://politicalcompass.org Political Compass + +Firstly, I don't consider myself to be an ideologue. I've read Das Kapital and +The Wealth of Nations, but I'm not about to pick one up and start brandishing it +as the source of all answers to everything ever. Instead, I think of myself as a pragmatist - the economy (and human economic behaviour in general) is a means to +an end, and should be arranged however best meets those ends, regardless of +theoretical underpinnings. + +=> https://www.marxists.org/archive/marx/works/1867-c1/ Das Kapital +=> http://www.econlib.org/library/Smith/smWN.html The Wealth of Nations + +What end(s) am I pursuing? I lack any great theoretical underpinnings for this +either, but it's very important to me, personally, that everyone has access to +a basic, comfortable standard of living. It is also very important to me that +the power people have over other people is minimised. These beliefs do have +a degree of tension, of course - to ensure everyone is comfortable, you must +necessarily impinge on the freedom of others, to an extent. I've mostly resolved +this internally by emphasising the collectivist strand over the individualist +one. + +Is this all classic Third Wayism? Am I 20 years late to the party? Perhaps to an +extent, but watching New Labour in action (or looking back at its goals and +accomplishments) doesn't leave me with the feeling that the strategies pursued +actually worked - instead, I'm left with some degree of hostility to naive market +solutions. 
+ +=> http://en.wikipedia.org/wiki/Third_Way Third Wayism + +I think this mostly comes down to private property. Some people believe that +property rights are sacrosanct, with their exercise being a vital part of being +free from others, but I lean more towards viewing them as a device for exercise +power over other people. Property rights are, of course, here to stay - and I +take advantage of them extensively - but this viewpoint informs how I'm inclined +to use property rights to solve problems. In particular, I'm liable to avoid +usages of property rights that permit a relatively few people to direct or control +the behaviour of many others, or their exploitation. Like the entire economic +spectrum. + +=> http://en.wikipedia.org/wiki/Natural_law Natural law +=> http://en.wikipedia.org/wiki/Rentier_capitalism Rentier capitalism +=> http://en.wikipedia.org/wiki/Rent-seeking Rent-seeking + +I consider rentiers to be rather bad; to me, this form of participation in a +market necessarily maximises the amount of power over others that a group can +have, while leaving significant numbers unable to participate (as artificially +restricting supply to raise prices is the surest way of increasing profits). +Austrian-style economics see rent-seeking and demand an end to all regulations; +but in many cases, some regulation is actually quite handy. As an example, +removing all planning restrictions would reduce the costs of property +significantly, but it would also result in some very unpleasant - including +fatal - dwellings being constructed. Honest regulations aiming to meet the basic +human need of housing - why is that so difficult to achieve? + +=> http://www.insidehousing.co.uk/quarter-of-tory-mps-are-landlords-says-research/6524104.article +=> http://en.wikipedia.org/wiki/Regulatory_capture + +At some point I'll be examining what I do for housing myself, and what other +options there are. Perhaps I'll be able to come to some conclusions at that point. 
+For now, it's easy to point at problems, but much harder to think up solutions. + +## Income and expenditure + +I've spent a little while trying to work out whether I should publish actual +numbers on here or not. We can be an odd bunch when it comes to how much we +earn, what we spend it on, etc. In the end, I figured, what's the harm? + +I've been using Gnucash to track my finances since 2010, and while I could just +open up read-only access to that database, even I'm not that open. So instead, I +made some pretty pictures: + +=> http://gnucash.org + +=> pig-dog-02/net-worth.png Net worth +=> pig-dog-02/expenses.png Expenses + +I am intending to dip into this historical data a fair bit in the future, +so this isn't the sum total of everything I'm releasing ever; there might even +be some tables in the future. The next post will look at my income in more +detail, before I go on to poke various aspects of expenditure (which is the +really interesting bit). + +For now, I'll just note that my take-home pay (after taxes and pension +contribution) is ~£3300/month (this is better than the median) but my net worth +(excluding said pension, as it happens) is still relatively low, although it's +on a fairly rapid upward trajectory. All this gives me significant leeway to +change my behaviour that, I will try my best to remember, won't necessarily be +available to people earning the kind of sums I can remember from before I lucked +out (this job started in 2008; things were a lot hairier before then, hence the +current net worth game). The next post will look at my income & net worth in a +bit more detail; it's worth setting out how much I earn and why I earn it in the +way that I do (along with considering alternatives, feasible or no) before going +on to see how that money is spent, hoarded or invested in any detail. 
+ +=> http://en.wikipedia.org/wiki/Income_in_the_United_Kingdom +=> http://news.efinancialcareers.com/uk-en/9815/compare-your-net-wealth-to-the-rest-of-your-age-group/ + diff --git a/src/blog/2015-05-01-pig-dog-03.gmi b/src/blog/2015-05-01-pig-dog-03.gmi new file mode 100644 index 0000000..82a1642 --- /dev/null +++ b/src/blog/2015-05-01-pig-dog-03.gmi 
@@ -0,0 +1,176 @@ +# The Capitalist Pig-Dog Blog: Income + +## Payday! + +I get paid at the end of each month, from my job at Bytemark. +This is a typical employment contract, nothing special, but it bears thinking +about anyway. Bytemark's a pretty standard for-profit company; people hand over +cash for hosting, some of that cash is handed over to me in exchange for labour. +I never see some of the cash nominally handed over to me, because of taxes, +which go to various things - some of which I like, some of which I don't. More +on *that* another time. + +=> https://bytemark.co.uk Bytemark +=> https://en.wikipedia.org/wiki/PAYE Taxes + +Work is how I pay the bills; bills are how I live. The job ensures that I have +somewhere to live, food, water, energy, transport... everything. It's possible +some of this can be changed in the future, and I'll look at that when I get around +to it, but this is the situation right now. + +Fundamentally, I'm quite happy to accept the Marxist analysis of employment (go +back and read Das Kapital if you haven't already). The job that I have is pretty +nice to me, personally, but it's an exploitative contract (see: surplus value), +which works towards the reproduction of capital, and so ensuring these kinds of +contracts continue on forever. + +The usual free-market objections to this analysis that I encounter have been +deeply unconvincing; usually, they revolve around the idea that labour is a free +market (or it would be, if it weren't for that pesky government), and people are +free to exchange their labour for wages, or not, as they prefer. Nobody would +willingly allow themselves to be exploited, so employment cannot be exploitative. +QED. + +## Compulsion + +Unfortunately, if I don't work, I'm in a bit of a sorry state. Refusing to work +means no wages. We live in a vaguely civilised society, so if you're out of a +job there are welfare payments. 
Of course, you're not eligible for those if you +refuse to work - and it's generally argued amongst those *not* on welfare +(and even many who are) that "conditionality" - as the DWP now calls - is a good +thing. + +The switcharoo here is that I'm actually fine with working in principle - what +I'm not fine with are the employment terms on offer. But if I don't accept those +terms, I'm left in the fairly precarious position of needing to find a new way +to acquire, at a minimum, housing, food, water, energy and transport. If there's +no sane way for me to do this, the idea that the labour market is a free one is +ridiculous; a choice of X or death is no choice at all. + +It's worth noting that I could quite conceivably go on doing exactly the same +job with no complaints, if the background issue of compulsion went away; I am in +effect complaining, right now, about having no option but to do something I don't +really mind doing anyway. Other people may hate their jobs, of course, but if I +weren't being paid to write code, I'd do more of it at home for fun. + +## Alternatives + +So, is there a current (or conceivable) alternative that could render the current +situation unexploitative? From my point of view, the simplest hack is to make +the social security net unconditional. This normally takes the form of a +basic income or negative income tax Without the threat of death if I refuse to +accept the commonly-offered contract terms in my field, the contract can be freely +negotiated and entered into (or refused, of course), and free-market logic starts +to line up with reality. In this model, employers desperately need employees to +survive; but potential employees can scrape along, more or less, without employers +for as long as they feel they're being exploited. (In my case, that might not be +any time at all, of course). It's a complete inversion of the currently-existing +power relation between employer and employee, and this is for the better, in my +view. 
However, it's not happening anytime soon. + +=> http://basicincome2013.eu/ Basic income +=> http://www.econlib.org/library/Enc1/NegativeIncomeTax.html Negative income tax +=> http://www.businessinsider.com/heres-how-switzerlands-basic-income-initiative-works-2013-11?IR=T + +It's also worth noting that people are supremely good at not noticing that they're +being exploited; I'm taking a marxist analysis here almost as a given, but it's +the height of barmy radicalism to a lot of people. I'm fine with that. + +Entrepreneurs in the audience are, at this point, jumping up and down and shouting +"why not start your own business, or become a contractor?" - and I have given +both of these options serious thought in the past. Ultimately, however, neither +option does much - as a contractor, I'd still be subject to extraction of surplus +value; I'd just be throwing away a whole bunch of protections in employment law. +Becoming a business owner is identical to being a contractor, if the business is +a sole trader; and once I employ someone else, I'm just swapping around who +is the exploiter, and who is exploited. If I don't like the contract style, +there's absolutely no way I'd want to impose it on someone else, right? + +So far, I've assumed that surplus value (and all the other standard aspects of +a capitalist business) is actually happening. Could I construct (or join) an +organisation that lacks these characteristics, and so salve my conscience that +way? I've not come across anything that would allow me to pay the bills, but +non-profit, Free or otherwise-worthy software development is generally available +(reskilling might also be an option, allowing me to change jobs completely, but +that's not something I can do immediately). + +=> http://socialcoder.org/ non-profit software development +=> https://gnu.org/ Free (as in freedom) software development + +Joining a worker's cooperative would also do the trick, but I'm not aware of any +in my current skill set. 
I've already enquired about the possibility of converting +Bytemark into one; it's a no-go. Do get in touch if you're running one ;). + +=> http://en.wikipedia.org/wiki/Worker_cooperative Worker's co-operatives + +Could I start my own up? Quite possibly, but not this year, and probably not next +year either. Starting a business (of any sort) requires more capital than I have +at the moment. That's changing, of course, but I'm still quite ambivalent to this +option; running a worker's co-operative really does come under reskilling, I suppose! + +Evidently, I should have looked harder; there *are* some web-hosting co-operatives +in business. Eeenteresting. + +=> https://www.co-operativehost.com +=> https://www.webarchitects.coop +=> https://web.coop/ + +## The nuclear option + +Finally, I could just pack it all in, withdraw from the current market system +for housing, food, water, energy and transport, and join a long, honourable list +of people who've taken up homesteading: + +=> https://en.wikipedia.org/wiki/Homesteading + +All I need is enough land to support me, either individually or as part of a +commons... + +Back in the day, this was a viable living choice. Hopefully it's entirely obvious +that it's not the option it used to be - all the land is claimed, owned, parcelled +out, unavailable. If you want to live off the land, you need to acquire the land +first. And not just any land - you'll need permission. Really, this option has +the same problems as "start a worker's co-operative". Prohibitive levels of +reskilling, and large initial capital requirements. Another one for the future. + +It's worth noting that this state of affairs hasn't come about by chance, and nor +is it equitable. + +=> http://en.wikipedia.org/wiki/Inclosure_Acts +=> http://en.wikipedia.org/wiki/Diggers + +Land reform is more popular in some areas than others; maybe this can be fixed +in time. 
+ +=> https://consult.scotland.gov.uk/land-reform-and-tenancy-unit/land-reform-scotland + +## Full circle + +That's a lot of words, and not all of them are particularly encouraging. Would I +want to grub in the dirt for food every day of the week, even if it were an +option? Would a worker's co-operative be a success in any of the fields I could +work in? Am I brave enough to switch jobs *right*now*? Only possibly! + +Leaving that last one aside, is there anything at all that I can do to improve +matters here? The fundamental issue is the imbalance of power between employee +and employer; the traditional remedy for that has been unionisation. +there is no union shop at work, nor do I suspect there ever will be; but I can +always join a union as an individual - so I'll join Prospect. + +=> https://prospect.org.uk + +I don't expect it to change any aspect of my current employee-employer relationship +in the short to medium term, but if nothing else, maybe the dues will help somewhere +else; and unions really need a shot in the arm. They really aren't the mass +movements they used to be, and they're not going to improve if someone as in +favour of them as myself can justify not joining one, are they? + +=> http://en.wikipedia.org/wiki/Wapping_dispute Wapping dispute +=> http://en.wikipedia.org/wiki/1926_United_Kingdom_general_strike 1926 UK general strike +=> http://en.wikipedia.org/wiki/Three-Day_Week Three-day week + +So, membership form sent. That makes this post worthwhile all by itself! I'm only +7 years late in joining... and hey, it's May Day! + +=> https://en.wikipedia.org/wiki/May_Day May Day + diff --git a/src/blog/2015-05-27-pig-dog-04.gmi b/src/blog/2015-05-27-pig-dog-04.gmi new file mode 100644 index 0000000..f7bed20 --- /dev/null +++ b/src/blog/2015-05-27-pig-dog-04.gmi 
@@ -0,0 +1,101 @@ +# The Capitalist Pig-Dog Blog: Expenditure: Debt + +## Apologies + +It's been a bit quiet recently because I've been collecting receipts all month. +Once I've got a month's worth, I can write a scintillating article about +shopping expenditure; until then, I'll just have to content myself with a short +piece on debt expenditure. + +## Time travel + +I've got quite a few debts; modern capitalist economies really are predicated +on the notion that debt is good. Although this raises a lot of hackles, it +doesn't bother me too much. If we're going to have money, it might as well have +a high velocity, and a lot of the objections are from people I'm not predisposed +to trust. Also, there's very little I could do on a practical level except to +stop using money entirely. Not impossible, but very much on the outskirts of +practical. + +=> http://en.wikipedia.org/wiki/Fractional-reserve_banking +=> http://wiki.mises.org/wiki/Criticism_of_fractional_reserve_banking +=> http://www.infowars.com/fractional-reserve-banking-government-and-moral-hazard/ +=> https://www.youtube.com/watch?v=ELEwjVRxxGE +=> http://en.wikipedia.org/wiki/Velocity_of_money Velocity of money + +I will never link to Alex Jones again. I promise. + +Anyway, the basic principle of debt is that you are leveraging your future earnings +to get something done *now*, goddamnit. As a child of New Labour, I was fortunate +enough to go to University, but in doing so, I got to experience this concept +for the first time in the form of student loans. + +=> http://en.wikipedia.org/wiki/Student_Loans_Company + +Fairly simple - the government lends me £12,000 over three years to go to university, +I pay it back with interest once I've got a decent job. I win, the government +wins twice (as it gets a higher-rate taxpayer out of it too), and society at large +wins as well. Certainly in theory. + +Student loans aren't my only credit arrangement, of course; I've borrowed money +since for various reasons. 
I don't really have any objections in principle, it's +mostly a matter of degree + +=> http://en.wikipedia.org/wiki/Usury + +## Analysis + +So what does my current expenditure on loans look like? And where does it go? + +``` +| Item | Monthly payment | Months left | Provider | +| ------------- | --------------- | ----------- | ------------------------- | +| Student loan | £300 | 3 | Student Loans Company | +| Mortgage | £780 | 267 | Nationwide | +| Personal loan | £430 | 22 | Nationwide | +| Bathroom loan | £100 | 12 | Barclays Personal Finance | +| Boiler loan | £ 80 | 36 | Hitachi Loans | +| Car loan | £300 | 15 | Santander | +``` + +Total: £1,990 + +It's not particularly pretty; even on my income, this is too much money on debt +repayments, any financial planner can tell you that (it's not even the end of the +story; there's also credit cards and an overdraft to consider, but I'll talk about +those separately). Just on common prudence grounds, it's imperative that I reduce +these payments; fortunately, the student loan is almost repaid and the mortgage +becomes much cheaper in the near future (new fixed-rate deal); that reduces the +total to around £1500, which is somewhat more sensible. + +In terms of who gets the money, Nationwide - a building society - gets the biggest +single share, receiving over half of it. The Student Loans Company - a non-profit - +is another significant beneficiary, at least for now. "Just" a quarter of the current +total - £480/month - goes to Evil Private Companies. + +A loan can be repaid at any time, so in theory I could shift that monthly expenditure +to Nationwide just by taking out a second loan; the amount of detriment to the losing +companies is precisely the interest they lose from my doing so, minus any early +repayment fees. The Hitachi one is worthwhile, so I'll look at that; the Barclays +one is not, but is nearly repaid. 
The car is actually a PCP with an interest +rate of 0% (I guess they make their money from the VAT dodge), so the point of moving +it within the term is more or less nil. + +=> http://en.wikipedia.org/wiki/Personal_contract_purchase#UK PCP + +Future loans can certainly be taken out exclusively with mutual organisations. +Building societies are OK, but alternative models do exist; credit unions are a +better model, but they aren't that popular in the UK, and my local one, NYCU, +collapsed in 2012 - I'd actually filled out the membership form the day before +they went. + +=> http://en.wikipedia.org/wiki/Credit_union Credit unions +=> http://www.bbc.co.uk/news/uk-england-york-north-yorkshire-20167650 NYCU + +Interestingly, it seems SYCU have expanded to York; they have a branch in the city, +at least. I've emailed them to ask about membership. I'll see if I can move a +subset of my concerns there; although I'd be surprised if they can do mortgages! + +The mortgage itself is an interesting thing; I'm paying it instead of rent, and +that in itself makes it great. I'll see if I can write more about the Evils Of +Renting later in the year. diff --git a/src/blog/2015-06-15-festival-of-ideas-2015.gmi b/src/blog/2015-06-15-festival-of-ideas-2015.gmi new file mode 100644 index 0000000..afec3ef --- /dev/null +++ b/src/blog/2015-06-15-festival-of-ideas-2015.gmi 
@@ -0,0 +1,88 @@ +# York Festival of Ideas 2015 + +## Users vs. Techs + +This year, I learned about York's Festival of Ideas. Started in 2011, this year's +theme was "Secrets and Discoveries", which included a whole day (today) on +Surveillance, Snowden and Security. Right up my alley, so off I went. This +article is really about things that were brought up in a panel discussion, +entitled The Future of Cyber-Security. I don't know if these things are being +recorded and uploaded, but I'll link if it becomes available. + +=> https://yorkfestivalofideas.com/2015/ Festival of Ideas +=> https://yorkfestivalofideas.com/2015/focus-days/surveillance/ Surveillance, Snowden and Security +=> http://yorkfestivalofideas.com/2015/talks/the-future-of-cyber-security/ The Future of Cyber-Security + +The panel was composed of five speakers, with what could be called a range of +experience; it was chaired by a BBC technology correspondent. Early in the main +discussion came a generally-agreed maxim - that "we" shouldn't let "the techies" +determine our online future. Being as charitable as I can be to this idea, I think +it's expressible as "not everything that is possible should be permitted". Or maybe, +"techies should build the online environment we mutually agree we should have, +rather than the one techies think is best". At the time, it came across as being +quite antagonistic - in any division of the populace between "techie" and "everyone else", +I'm surely in the former group, after all. + +Later in the discussion, an illuminating window was shone on this attitude - at +least for me - by a digression into the power that a small, elite group of +technologists sitting in Silicon Valley and working on huge online edifices that +we find ourselves willing, or forced, to use. Facebook, Google, Apple, Microsoft, +etc. 
These services and software companies mediate a large portion of online +interactions, and to a very real approximation, they *do* decide what is possible +online for people. This became evident in the last (and best) audience question +of the session, where someone asked what alternatives there were to these +behemoths - the questioner wanted to know what she could do, right now, to avoid +them, if possible. + +None of the panel could answer this. They all sheepishly proclaimed their allegiance +to Google, or to Apple, and commuted the question to "can we do without this service?" +or "what's the minimum amount of information I can give to this company while still +using their service?". One of the panellists (I forget who) managed to note that +alternatives do exist for some of these services, but didn't know what any of them +were, and opined that the cost of finding and using such an alternative outweighed +the benefits of escaping the Silicon Valley set of solutions. + +These people are users. More than that, they are consumers. Consumer activism, +it turns out, is how they expect their online services to evolve in a direction +that fulfils their wishes. (The pig-dog blog, incidentally, turns out to be +consumer activism and it's not a new thing. Who knew?) The techs are expected to +present a choice of online services that represents the range of the possible +(well, minus a few that have been determined ahead-of-time to be too dangerous), +and consumer choice is meant to filter out the bad ones. Wouldn't that be nice? + +In reality, of course, the options open to me as a tech for any online service +are much broader than the options open to a user, simply because many ways of +providing a given service haven't been productised in any sensible fashion. I +host my own email and instant messaging, and create my own encryption keys to +secure these things over the wider Internet. 
This is the online equivalent of +brewing your own beer, or making your own biltong. Those who can't are unlikely +to ever have the *dubious* pleasure of tasting Henderson's Relish biltong. + +Anyway, these users have their view of what is possible shaped by the products +that are currently successful. The "right to be forgotten" ruling came up partway +through this panel. Removing search results from Google indexing is fairly +pointless, a techie will cry - the content still exists, after all, and other +search indexes also exist. You just can't stop YaCy from indexing them. But it +doesn't matter to the user - the desired effect has been achieved according to +their (limited) view of what is possible. + +The idea of having your own email securely located in your own living room, or +being responsible for asserting your own identity online, is a revolutionary +concept to users in general. They're just not aware that it's an option until a +helpful techie informs them that it is - brainstorming "alternatives to GMail" +with such a group is going to throw up replies like "hotmail". Their view of +hat is possible is shaped by the techies providing the services they already +use. + +Attempts to productise self-hosting of email, say, are ongoing - but it's a niche +thing. The other side of the coin is attempting to convince users to be more +gung-ho with non-productised (or less-productised, I guess) solutions. If we're +sat in a wood, freezing to death, a decent proportion of us could make fire from +first principles, even if we don't have a Zippo lighter with us. As things are +with online services, we wouldn't even start collecting the analogous driftwood. + +Groups of techies like those behind MailPile have got the right idea, I think, +but it's an uphill slog - and trying to make users aware of these possibilities, +and get them into policy and legislative debates, is the hardest bit. The tech +comes naturally to us, after all. 
Did I stand up and say any of this at the panel +discussion? Of course not :p. diff --git a/src/blog/2015-07-26-subsonic.gmi b/src/blog/2015-07-26-subsonic.gmi new file mode 100644 index 0000000..d4b6682 --- /dev/null +++ b/src/blog/2015-07-26-subsonic.gmi @@ -0,0 +1,61 @@ +# Subsonic and Licensing + +## Subsonic + +Subsonic is a reasonably neat "personal cloud" sort of thing for playing music. +In many ways, it replicates the Owncloud Music application. I'm a fan of that +too, but switched to Subsonic once it became clear that upgrading OC would +always be a trial. Unfortunately, although Subsonic is open-source, it includes +a bunch of money-making "premium" stuff backed by a licensing scheme. This +includes nagware, etc. + +=> http://subsonic.org Subsonic +=> http://owncloud.org Owncloud + +With an open-source project, you can just fork it and release a version with all +that crap removed, of course, and that's precisely what +`@EugeneKay` has done: + +=> https://github.com/EugeneKay/subsonic/commit/a08c8a80da07ddfe8d34dada439cc3480ddce725 + +## Do not trust HTTP or DNS + +As the patch notes, the licensing scheme is fairly hilariously simple: the +license "key" is just the md5sum of the email address; a remote HTTP server +is looked up over DNS and queried to see if that license is on a central DB and, +if it is, whether it has expired. + +So in `/etc/hosts`: + +``` +127.0.0.1 subsonic.org +``` + +In `/etc/nginx/sites-enabled/subsonic.org.conf`: + +``` +server { + listen 80; + listen [::]:80; + server_name subsonic.org; + + location /backend/validateLicense.view { + return 200 "true\n2068585481000\n"; + } + + location / { + proxy_pass http://66.49.215.227; + } +} +``` + +(I've not actually tested the proxy_pass but I imagine it'll work). + +Then in the Subsonic licensing box: + +``` +Email: foo@example.com +Key: b48def645758b95537d4424c84d1a9ff +``` + +So, no need to maintain a separate fork after all. Beautiful. 
diff --git a/src/blog/2016-06-07-new-new-blog.gmi b/src/blog/2016-06-07-new-new-blog.gmi new file mode 100644 index 0000000..c6d8179 --- /dev/null +++ b/src/blog/2016-06-07-new-new-blog.gmi @@ -0,0 +1,17 @@ +# New, New Blogging Platform + +It's just over a year since I last changed blogging software! + +The new model integrates blog into website and the whole thing is based on +Hugo, a static site generator of some class. + +The theme is called grid-side]() and the big painted wall background is on +someone else's fine Creative Commons work. + +I've not been writing much recently, not even about PigDog, but I have been +*thinking* and *doing* instead. Big changes are afoot, and I'll write about +what I can, when I can. + +=> https://gohugo.io Hugo +=> http://themes.gohugo.io/grid-side/ Grid-Side +=> https://www.flickr.com/photos/shaireproductions/6824147671/ Painted wall diff --git a/src/blog/2017-11-16-email.gmi b/src/blog/2017-11-16-email.gmi new file mode 100644 index 0000000..6f87ad0 --- /dev/null +++ b/src/blog/2017-11-16-email.gmi 
@@ -0,0 +1,102 @@ +# Email! + +## Email sucks + +It really does, and yet we still need it. I've been hosting my own for over a +decade now, although for the bulk of the time I outsourced most of the mail +server smarts necessary to do so to the excellent Symbiosis virtual hosting +package, although I switched to `@tomav`'s docker-mailserver about six months +ago. + +=> https://symbiosis.bytemark.co.uk Symbiosis +=> https://github.com/tomav/docker-mailserver docker-mailserver + +Today, I finally switched to running my own mail server, directly on the server +with no third-party configuration or any docker. "But why?!" cried a friend +desperately, pointing out the existence of Mailcow and Libre.sh, +in addition to the options I'd already tried. + +=> https://libre.sh, Libre.sh + +The mail server setup I wanted had two requirements: + +* Use as few system resources as possible +* Be as unobtrusive to the rest of the system as possible + +Both of these requirements are tightly linked to *where* I self-host my +email. Normally, servers are hosted in datacentres with big, fast Internet +connections. About 2 years ago, I noticed that home Internet connections are +quite fast enough, thank you very much; since then, I've mostly been running +email on servers sat at home. In York, I used a standard rack-mounted server +that hid in the larder! + +In Shetland (more on that another time), I've switched to an +APU2, which also happens to be my router, website, and everything else as well. +Yes, this post was served from Shetland! + +=> https://pcengines.ch/apu2.htm APU2 + +Being tiny and multi-purpose, a heavyweight mail server solution wasn't an +option. In particular, no Docker. It would be absurd to install Docker on a +machine acting as a router. And in any case, I was always terrible about +rebuilding the containers to get fixes for security issues - I'm too used to +`unattended-upgrades`. 
+ +The good thing about docker-based mail server setups is that they are very +self-contained - it's just a few files in `/var/lib/docker`, in the end. +non-docker mail server solutions like Symbiosis or Mailcow have an unfortunate +tendency to try to take over the whole machine. They come with piles of +dependencies, maybe a database and web interface you have to hook up, config +files modified or added across the system. It's not pretty. You also tend to +be stuck on older OS versions for an extended period as the vendor takes a while +to port their octopus-like solution to the updated system. + +## Make it better? + +I use Debian on all my personal hardware. It's rock-solid and comes with lots of +useful software, with very useful default configurations. I also have a set of +Ansible recipes I use to automate setting things up on those machines - you can +view them on the link below. + +=> https://debian.org +=> https://ansible.com +=> https://code.ur.gs/lupine/ansible-personal + +So, I resolved to create a minimal set of Ansible recipes that would get email +working simply by installing Debian packages and modifying their configuration, +with as light a touch as possible. You can view what I ended up with in the +`mail` role, so I won't document them in detail, but here's a brief overview: + +* Exim4 SMTP server +* Dovecot IMAP server +* amavisd-new + spam-assassin + +Everything gets solid TLS support, using certificates issued by LetsEncrypt. +It's quite rare to have a mail server with valid certificates! In any case, if +someone wants *my* email archive, they'll have to serve the warrant on *me* to +get it. And the APU2 is small enough to hide under a floorboard or so, if I +turned out to be really paranoid... + +=> https://letsencrypt.org LetsEncrypt + +## TODO + +The anti-spam setup is extremely rudimentary, and will likely need a lot of +extra work. I'll see how much spam comes in and adjust accordingly. 
Ultimately, +this was the most disappointing part of the setup - it's Perl-heavy and it took +a lot of head-scratching to work out how the different parts even fit together. + +There's no webmail. I'm OK with that. + +Dovecot has solr and lucene search engine integration. I doubt either will fit +onto the APU2, but I'll evaluate it. + +A long-term ambition of mine is to put together a vertical slice of email +functionality as a single, neat daemon that's optimised for the small, single +domain use case - a sort of Caddy for email. It could even use JMAP and database +storage instead of IMAP and Maildir, ship a HTTP server, and handle the tricky +DNS parts too. + +One day. Until then, this setup is working well enough. Give it a try! + +=> https://caddyserver.com Caddy diff --git a/src/blog/2020-01-15-stardew-valley.gmi b/src/blog/2020-01-15-stardew-valley.gmi new file mode 100644 index 0000000..291530f --- /dev/null +++ b/src/blog/2020-01-15-stardew-valley.gmi 
@@ -0,0 +1,217 @@ +# Stardew Valley on aarch64 + +At the end of last year I got a Pinebook Pro - mostly for reasons of paranoia. +So far, it's been pretty good, but there was +one thing that I couldn't get working: Stardew Valley + +You could call me a little bit addicted to this game, but it's proprietary, +closed-source, and the authors don't release binaries compiled for aarch64 - +although they do very kindly release x86_32 and x86_64 Linux binaries, which +is more than most companies do. + +I left a message on the forum and moved on, confident that it wouldn't ever +happen. I vaguely knew it was written in C#, but it's not an ecosystem I have +any experience in. I figured it was going to be the kind of thing that comes +under "possible, but not trivial" - and aarch64 + linux is super-niche. + +Fast forward a few weeks, I mentioned it in passing on the `#pinebook` IRC +channel, which went a little like: + +``` + stardew valley never got back to me *sob* + lupine: trying to get Stardew Valley on the pbp as well? + The game itself is written in C# so runs through Mono + they don't distribute aarch64-linux executables + You just need to build the libraries it needs and it should run + it's closed source, so "just need to build" is rather an issue +``` + +They rather roundly assured me that it wasn't an issue at all, and literally +10 minutes later I had a working Stardew Valley setup. This is incredible. + +I'm documenting the steps I took so I can come back to this in the future, but +maybe it'll be useful for others too. + +First, you need a copy of the game. I was working with v1.4 as shipppd by +GOG Games. It comes as one of those `.sh` files that contains an archive. That +doesn't have aarch64 support, and doesn't run on the PBP. Fortunately, I'd +already installed it on an amd64 laptop so I just rsynced that over: + +``` +lupine@pbp:~$ rsync -avzP '10.0.1.104:GOG Games' . 
+ +# Might as well grab my savegames at the same time +lupine@pbp:~$ rsync -avzP 10.0.1.104:.config/StardewValley .config/StardewValley +``` + +I'm sure it's possible to make it run, I'm just being lazy. I'll update this in +the future if I work out how to go from the `.sh` file. + +What does this give us?: + +``` +lupine@pbp:~/GOG Games/Stardew Valley/game$ ls -lh +total 438M +-rwxrwxr-x 1 lupine lupine 12K Dec 8 23:58 BmFont.dll +drwx--x--x 17 lupine lupine 4.0K Dec 8 23:58 Content +-rwxrwxr-x 1 lupine lupine 330K Dec 8 23:58 GalaxyCSharp.dll +-rwxrwxr-x 1 lupine lupine 336 Dec 8 23:58 GalaxyCSharp.dll.config +-rwxrwxr-x 1 lupine lupine 91K Dec 8 23:58 goggame-1453375253.hashdb +-rwxrwxr-x 1 lupine lupine 782 Dec 8 23:58 goggame-1453375253.info +drwx--x--x 2 lupine lupine 4.0K Dec 8 23:58 lib +drwx--x--x 2 lupine lupine 4.0K Dec 8 23:58 lib64 +-rwxrwxr-x 1 lupine lupine 197M Dec 8 23:59 libGalaxyPeer64.so +-rwxrwxr-x 1 lupine lupine 177M Dec 8 23:59 libGalaxyPeer.so +-rwxrwxr-x 1 lupine lupine 5.3M Dec 8 23:59 libSkiaSharp.dll +-rwxrwxr-x 1 lupine lupine 119K Dec 8 23:58 Lidgren.Network.dll +lrwxrwxrwx 1 lupine lupine 14 Dec 9 00:00 mcs -> mcs.bin.x86_64 +-rwxrwxr-x 1 lupine lupine 17M Dec 8 23:59 mcs.bin.x86 +-rwxrwxr-x 1 lupine lupine 16M Dec 8 23:59 mcs.bin.x86_64 +drwx--x--x 3 lupine lupine 4.0K Dec 8 23:59 mono +-rwxrwxr-x 1 lupine lupine 2.5K Dec 8 23:59 monoconfig +-rwxrwxr-x 1 lupine lupine 1.3M Dec 8 23:58 MonoGame.Framework.dll +-rwxrwxr-x 1 lupine lupine 527 Dec 8 23:58 MonoGame.Framework.dll.config +-rwxrwxr-x 1 lupine lupine 203K Dec 8 23:58 Mono.Posix.dll +-rwxrwxr-x 1 lupine lupine 328K Dec 8 23:58 Mono.Security.dll +-rwxrwxr-x 1 lupine lupine 3.6M Dec 8 23:59 mscorlib.dll +-rwxrwxr-x 1 lupine lupine 267K Dec 8 23:58 SkiaSharp.dll +-rwxrwxr-x 1 lupine lupine 1.2K Dec 8 23:58 StardewValley +-rwxrwxr-x 1 lupine lupine 4.0M Dec 8 23:58 StardewValley.bin.x86 +-rwxrwxr-x 1 lupine lupine 3.8M Dec 8 23:58 StardewValley.bin.x86_64 +-rwxrwxr-x 1 lupine 
lupine 4.1M Dec 8 23:58 StardewValley.exe +-rwxrwxr-x 1 lupine lupine 6.5K Dec 8 23:58 StardewValley.GameData.dll +-rwxrwxr-x 1 lupine lupine 127K Dec 8 23:58 System.Configuration.dll +-rwxrwxr-x 1 lupine lupine 879K Dec 8 23:58 System.Core.dll +-rwxrwxr-x 1 lupine lupine 2.0M Dec 8 23:58 System.Data.dll +-rwxrwxr-x 1 lupine lupine 2.2M Dec 8 23:58 System.dll +-rwxrwxr-x 1 lupine lupine 442K Dec 8 23:58 System.Drawing.dll +-rwxrwxr-x 1 lupine lupine 966K Dec 8 23:58 System.Runtime.Serialization.dll +-rwxrwxr-x 1 lupine lupine 130K Dec 8 23:58 System.Security.dll +-rwxrwxr-x 1 lupine lupine 3.1M Dec 8 23:58 System.Xml.dll +-rwxrwxr-x 1 lupine lupine 131K Dec 8 23:58 System.Xml.Linq.dll +-rwxrwxr-x 1 lupine lupine 161K Dec 8 23:58 WindowsBase.dll +-rwxrwxr-x 1 lupine lupine 48K Dec 8 23:59 xTile.dll +-rwxrwxr-x 1 lupine lupine 9.0K Dec 8 23:59 xTilePipeline.dll +``` + +The magic here is that not all the `.dll` and `.exe` files here are **Windows** +object files. Instead, many of them are just Mono bytecode, which is analogous +to JVM bytecode: + +``` +lupine@pbp:~/GOG Games/Stardew Valley/game$ file StardewValley* +StardewValley: Bourne-Again shell script, ASCII text executable +StardewValley.bin.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4801f8881feefa8aa515f9fadc02c01598c44131, not stripped +StardewValley.bin.x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=04fe4f2c2ca8b4dc7faf70c643417bf0df632a9e, not stripped +StardewValley.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows +StardewValley.GameData.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows +``` + +We need Mono to run these assemblies. 
I guess the `StardewValley.bin.*` files +ar just stripped-down Mono runtimes that invoke `StardewValley.exe`! + +The `mcs.*` binaries are "Mono C Sharp" - I don't know C#, but I assume it's +another essential part of the runtime. + +Debian has Mono + MCS already, so... + +``` +lupine@pbp~/GOG Games/Stardew Valley/game$ sudo apt install mono-runtime mono-rcs +lupine@pbp~/GOG Games/Stardew Valley/game$ ln -sf `which mcs` +``` + +We can then try to run the game: + +``` +lupine@pbp~/GOG Games/Stardew Valley/game$ mono StardewValley.exe +``` + +Amazingly, that's **almost sufficient**, all by itself, to get a fully working +game, at least for me. It starts up, and the only obviously broken thing is +sound. There are some complaints on the comamnd line that don't seem to get in +the way of actually playing it. + +Wat. + +No sound is annoying though, how about we fix that? + +Turns out Stardew Valley only **requires** two external libraries: SDL and +libasound. I've no idea if the graphics is working even though it can't find +SDL, or if it can find my native SDL libary but not the libasound one, or what, +but it's trivial to fix. Edit `MonoGame.Framework.dll.config` and add these +two lines: + +``` + + +``` + +Now you just need to put those two .so files into that directory locally, and +sound begins to work! + +(I just symlinked `/usr/lib/aarch64-linux-gnu` into place, which does the same +job). + +At this point the game works perfectly, including LAN multiplayer - which is +ridiculous - and despite worries about endianness, it can load and run my saves +as well. + +There are a few complaints on the console though. Let's see what we can do +about them. + + +``` +Your mono runtime and class libraries are out of sync. +The out of sync library is: /home/lupine/GOG Games/Stardew Valley/game/System.dll +``` + +OK, these are shipped with `mono-runtime` (actually in `libmono-system4.0-cil`) +anyway. 
The complaint is that these assemblies were compiled with a different +version of Mono, but it's falling back to the main ones anyway, so we can just +move these out of the way. + +The only `System.*.dll` file we need to keep is `System.Runtime.Serialization.dll` - +the rest can be moved out of the way. + +``` +System.TypeInitializationException: The type initializer for 'Galaxy.Api.GalaxyInstance' threw an exception. ---> System.TypeInitializationException: The type initializer for 'CustomExceptionHelper' threw an exception. ---> System.DllNotFoundException: GalaxyCSharpGlue + at (wrapper managed-to-native) Galaxy.Api.GalaxyInstance+CustomExceptionHelper.CustomExceptionRegisterCallback(Galaxy.Api.GalaxyInstance/CustomExceptionHelper/CustomExceptionDelegate) + at Galaxy.Api.GalaxyInstance+CustomExceptionHelper..cctor () [0x00011] in <22373852dcce42128dc7e065ea92368d>:0 + --- End of inner exception stack trace --- + at (wrapper managed-to-native) System.Object.__icall_wrapper_mono_generic_class_init(intptr) + at Galaxy.Api.GalaxyInstance..cctor () [0x00000] in <22373852dcce42128dc7e065ea92368d>:0 + --- End of inner exception stack trace --- + at StardewValley.SDKs.GalaxyHelper.Initialize () [0x00000] in <1ed49e648be548bcae8e4508597c9f4c>:0 + +``` + +I am *astonished* that this one isn't a fatal error - but the game runs fine +even though it can't find an external library. Ridiculous. + +Galaxy is GOG's multiplayer gubbins. If you've got a Steam game, it's different, +I'm sure, but the functionality this stuff is *for* is to negotiate multiplayer +games with strangers. + +I have no use for this myself, but `libGalaxyCSharpGlue.so` is looked up via +another dllmap in `GalaxyCSharp.dll.config` - it's not packaged by Debian, and +it may even be proprietary GOG code, but if we can get an aarch64 version of it, +making it work should be as simple as adding an entry there. 
+ +If this did become a fatal error at some point, the minimum work would be a stub +implementation that meets the ABI but always says "no games available" or some +such. + +And... that's all the errors. Despite a different architecture, despite being +short some libraries, and despite running reverse-engineered (Panfrost) graphics +drivers with only a bare whisper of OpenGL support, my favourite game is running +at normal speed on an architecture its authors and publishers didn't even think +about. + +Again I say: ridiculous + +...maybe I should learn some CSharp? + +=> https://pine64.org/pinebook-pro Pinebook Pro +=> https://stardewvalley.com/ Stardew Valley +=> https://community.playstarbound.com/threads/arm-arm64-aarch64-linux-support.158840/ Forum message +=> https://www.gog.com/game/stardew_valley GOG Games: Stardew Valley diff --git a/src/blog/pig-dog-01/politicalcompass-me.png b/src/blog/pig-dog-01/politicalcompass-me.png new file mode 100644 index 0000000..35afb76 Binary files /dev/null and b/src/blog/pig-dog-01/politicalcompass-me.png differ diff --git a/src/blog/pig-dog-01/politicalcompass-uk-parties.png b/src/blog/pig-dog-01/politicalcompass-uk-parties.png new file mode 100644 index 0000000..c15c28e Binary files /dev/null and b/src/blog/pig-dog-01/politicalcompass-uk-parties.png differ diff --git a/src/blog/pig-dog-02/expenses.png b/src/blog/pig-dog-02/expenses.png new file mode 100644 index 0000000..e35887e Binary files /dev/null and b/src/blog/pig-dog-02/expenses.png differ diff --git a/src/blog/pig-dog-02/net-worth.png b/src/blog/pig-dog-02/net-worth.png new file mode 100644 index 0000000..59aef22 Binary files /dev/null and b/src/blog/pig-dog-02/net-worth.png differ diff --git a/src/index.gmi b/src/index.gmi new file mode 100644 index 0000000..6c3a8d2 --- /dev/null +++ b/src/index.gmi @@ -0,0 +1,13 @@ +# Nick Thomas + +## Meta + +* me@ur.gs +* Alias: lupine + +=> me@ur.gs.gpg.asc GPG key + +## About Me + +=> /post/ Posts +=> /travel/ Travel 
diff --git a/src/robots.txt b/src/robots.txt new file mode 100644 index 0000000..b0a24ea --- /dev/null +++ b/src/robots.txt @@ -0,0 +1,32 @@ +# Being archived in a long-term store is harmful to my privacy. Never +# know when I might need to change something in a hurry +User-Agent: ia_archiver +Disallow: / + +User-Agent: archiver +Disallow: / + +# Search engines tend to update their indexes fairly quickly, so no +# objections to being indexed by them in general. That said, I want to +# do my own (tiny) part in making Google useless +# not contribute to +User-Agent: indexer +Disallow: + +User-agent: Googlebot +Disallow: / + +User-Agent: gus +Disallow: + +# Research *should* only report anonymised aggregates, I can live with +# that +User-Agent: researcher +Disallow: + +# I remain confused by the incluson of proxies in robots.txt, but am +# happy for them to access the site as long as they themselves forbid +# being indexed or archived. I can add exceptions if I find any that +# don't do that +User-Agent: webproxy +Disallow: diff --git a/src/travel/2009-09-13-athens.gmi b/src/travel/2009-09-13-athens.gmi new file mode 100644 index 0000000..a0405ce --- /dev/null +++ b/src/travel/2009-09-13-athens.gmi 
@@ -0,0 +1,37 @@ +# Athens, Greece + +## Itinerary + +``` +| Leaving | 2009-09-13, Manchester International Airport | +| Accomodation | Some grimy 2* | +| Returning | 2009-09-20, Athens International Airport | +``` +## Thoughts + +My first trip abroad! + +I'm writing this from a decade later, so my memory of events isn't as good as it +could be. Some things I definitely remember: + +Waking up in the EXTREMELY CHEAP 2* hotel the day after getting in, and realising +what 2* actually means. The breakfast was... not good. + +We visited the main tourist-y sites in Athens, and generally had a good time. + +Dogs and cats everywhere. Wiped out by the sun, just like we were. + +We went to the Acropolis, and while all the ancient history was very nice, the +modern day was quite sad - looking down on the city from the slopes, there was +an overwhelming sense of squalor and human misery. Very cheerful. Trash was +everywhere too. + +One day, we jumped on the tram and went to the beach, south of Athens proper. It +was not a very good beach... + +Another day, we went to the national park and zoo. I recall a tiny kitten that +insisted on climbing up my leg while we ate at the café there. Most enjoyable. + +Most of the money was spent on eating out - I did not budget well! On the final +day, we were completely out of money, so got to the airport with about 8 hours +until the flight. Poor, exhausted, but happy. diff --git a/templates/.gitkeep b/templates/.gitkeep new file mode 100644 index 0000000..e69de29
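Review bot: the link line `=> https://libre.sh, Libre.sh` in the `# Email!` hunk puts the comma inside the URL, because a gemtext link line takes everything up to the first whitespace as the target; drop the comma (`=> https://libre.sh Libre.sh`) so it matches the other `=>` lines. Two smaller points in the same hunk: "non-docker mail server solutions" opens a sentence and should be capitalised, and the TLS paragraph says the certificates come from LetsEncrypt but not how a renewed certificate gets picked up by Exim4 and Dovecot; one sentence on that, or a pointer to the task in the `mail` role that handles it, would save readers of the Ansible recipes a search.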
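Review bot: in the Stardew Valley hunk, the code block after "add these two lines:" is empty, so the `MonoGame.Framework.dll.config` entries that the sound fix depends on are missing from the post as committed; they need restoring, because the step cannot be reproduced from the text around it. In the same hunk, `sudo apt install mono-runtime mono-rcs` looks like a typo for `mono-mcs`, the Debian package that provides `mcs`, and `ln -sf \`which mcs\`` works only because the link name defaults to `mcs`, silently replacing the shipped `mcs -> mcs.bin.x86_64` symlink; a few words saying that is intended would help. Spelling: "shipppd", "ar just", "comamnd", "libary". Also worth stating as a benefit rather than leaving implicit: moving the bundled `System.*.dll` files aside in favour of the ones from `libmono-system4.0-cil` means those class libraries now get Debian's updates instead of staying frozen at whatever Mono version the vendor built against.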
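Review bot: `=> me@ur.gs.gpg.asc GPG key` in the `src/index.gmi` hunk links the key file but the page gives no fingerprint; adding the key's fingerprint in the text beside the link lets a visitor compare the downloaded key against something obtained over another channel, rather than trusting whatever the capsule happens to serve.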
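Review bot: in the `src/robots.txt` hunk, the comment pair `# do my own (tiny) part in making Google useless` / `# not contribute to` reads as an unfinished sentence; finish or drop the second line. Minor: `User-agent: Googlebot` is capitalised differently from every other `User-Agent:` line, and "incluson" is a typo. One caveat the opening comment invites: robots.txt is honoured only by crawlers that choose to honour it, so the `ia_archiver` and `archiver` rules reduce archiving by well-behaved agents but do not prevent it; content that must never be retained should not be published on the capsule at all.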
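Review bot: in the `src/travel/2009-09-13-athens.gmi` hunk, "Accomodation" in the itinerary table should be "Accommodation", and `## Thoughts` follows the closing ``` with no blank line, unlike `## Itinerary` earlier in the same file.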