The command line really wasn’t designed for secrets. So, keeping secrets secret on the command line requires some extra care and effort.
Many Arch Linux users rely on the AUR (Arch User Repository) to build packages for applications that are not available in the distribution's official repositories. Developer Hunter Wittenborn has now created a similar project called DUR for Debian-based systems.
All of this adds a bit of complexity to the services we write, which it would be nice to avoid. It also adds to the attack surface: privilege dropping code has been a source of vulnerabilities, notably on a couple of occasions in Bash. Avoiding writing it at all, or at least delegating it to other software with more testing than our own, would be good.
Spoofing a browser’s user agent is often hailed as a privacy enhancing technique. Unfortunately, due to the abundance of other methods to detect browser and operating system information (as will be discussed in this article), these extensions do not meaningfully enhance privacy.
Hello and welcome to my little Kubernetes on Hetzner tutorial for the first half of 2021. This tutorial will help you bootstrap a Kubernetes cluster on Hetzner with KubeOne.
There is a concept called "Event Sources" in Falco. These "Event Sources" define where Falco can consume events and apply rules to these events to detect abnormal behavior.
Our clients tend to ask us: “Can we have a cheaper alternative to Amazon RDS?”, “Wouldn’t it be awesome to have something like RDS not just in AWS…”. Well, to meet their needs and implement an RDS-like managed solution in Kubernetes, we took a look at the current state of the most popular PostgreSQL operators: Stolon, Crunchy Data, Zalando, KubeDB, StackGres. We compared them and made our own choice.
Luckily Kyverno is also able to generate objects, like secrets. So the following policy is going to clone the secret under the default namespace to any newly created namespace.
After the experience of the service level operator and Asadito, I wanted something similar and to be available for everyone, and like everything that I develop in my free time, OSS.
Let’s Encrypt is well-known for issuing certificates that are valid for only 90 days. Since the very first certificates issued by Let’s Encrypt’s infrastructure, those certificates have been given a 90 day validity period by our CA software by taking the issuance time and adding exactly 2,160 hours to yield the certificate’s “not after” date. However, RFC 5280 defines the validity period of a certificate as being the duration between the “not before” and the “not after” timestamps, inclusive. This inclusivity means that Let’s Encrypt’s certificates have all been actually valid for 90 days plus 1 second.
I once worked for a company where they managed to create about half a million subversion commits in just 2 or 3 years, with about 3 developers working on it. I’ll leave it as an exercise to guess how they managed to do that :-)
If you’re a graduate interviewing for a software job and wondering what a typical day is like, here’s some notes from what I did last Tuesday. It was a pretty typical day.
There are various similar guides on other sites, but many of these guides were partially incomplete, so I’ve tried to write the most complete guide possible, which can be used by paranoid users like me.
Brave is a Chromium-based browser, which comes with a built-in adblocker and with a “rewards” program that is supposed to make you earn money. But the relevant part today is that Brave is advertised as a “private browser by default”.
KRunner Cheatsheet
Everyone is sitting in front of the TV, somewhere outside a bar, waiting for goals at the European Football Championship. And then the TV switches off. That's mean. And funny. Maybe our network tinkerer Moritz Metz was nearby.
This blog post is about an experiment to automate creation of Kubernetes Network Policies based on actual network traffic captured from applications running on a Kubernetes cluster.
In the afternoon of October 17, 2013 we merged the first config file ever that would use Travis CI for the curl project using the nifty integration at GitHub.
The registrar and the registry must communicate with one another. The registrar asks the registry whether the name tested by the user is free and available for registration. The registrar then asks the registry to place the name in the database. This communication follows a standardised protocol called EPP, Extensible Provisioning Protocol.
A number of years ago we started the Discoverable Partitions Specification which defines GPT partition type UUIDs and partition flags for the various partitions Linux systems typically deal with.