Over the last weeks, I had some conversations about ticketing, bots, and CAPTCHAs. I don't believe CAPTCHAs are a solution any more, so I blogged about all the reasons I can think of!
@maralorn How do the non-nixified versions provide the dependencies?
@luj @arichtman detsys was doing this back when I was there: https://github.com/DeterminateSystems/nix-netboot-serve
I think the approach kind of sucks though, for multiple reasons -- first and foremost that having your whole system in the initrd is weird and fragile. For my personal use I built https://git.mbosch.me/linus/snowboot/src/branch/main/nix-modules/fetch-system-from-binary-cache.md instead -- it results in a fairly normal-sized initrd and an unmodified main system.
…will be mapped transiently to the right dynamic UID/GID.
This also opens another door for us: we can eventually allow *sharing* of such directories between two DynamicUser=1 services that run with distinct UIDs: on disk all their files will be owned by "nobody", but each service they are associated with will see them as if they own them personally, even though all these services run under a different UID.
For compatibility with old kernels we retain the chown() logic for now.
…on service activation if needed. It has worked like that ever since.
Re-chown()-ing is not ideal though. Effectively, in most cases it's sufficiently fast to not be annoying, but for services with very complex directory trees with millions of inodes this might come at a prohibitive time penalty.
On modern kernels there's new functionality to make this situation better: idmapped mounts. They permit that the UIDs/GIDs stored on disk are remapped before being made visible to applications.
WARNING. The EU petition website where the "ban conversion therapy" citizens initiative is about to reach its goal (we are missing less than 90000 signatures) seems to be either intermittently overwhelmed or under attack.
Please do check again later or tomorrow to add your signature at https://eci.ec.europa.eu/043/public/#/screen/home
What's worse than #setuptools? A package switching over to #Hatchling, then internally calling setuptools in an awful way to build a C extension, completely bypassing out-of-tree builds.
For 10 years, whenever I have been invited onto a talk show, I have ruled out my participation from the outset if the AfD is part of the discussion. All democrats have this power. All the people you see sitting in these shows have this power.
Since the beginning of the year, only around 20 percent of the usual amount of precipitation has fallen.
https://www.tagesspiegel.de/wissen/fast-uberall-zu-trocken-die-starkste-fruhjahrsdurre-seit-1931-13617451.html
TIL (Today I Learned): There is a modified version of the #Signal app called Telemessage Archiver [1] that identifies itself as TM SIGNL in the PIN reminder popup. @Mer__edith is that an official special version or something you would consider nefarious? (gift link, needs e-mail) https://wapo.st/42FzSkK
[1] https://www.telemessage.com/signal-archiver-ios-installation-upgrade/ version. (thx @lauren for the hint)
I just discovered something really subtle about WireGuard... TL;DR if you are adjusting interface MTUs precisely, and you have mismatched MTUs between peers in some cases, make sure your smallest MTU is always a multiple of 16!
WireGuard header overhead is said to be 32 bytes + UDP + IP, so 80 bytes for IPv6 and 60 bytes for IPv4. That's where you get the default MTU of 1420 (1500 - 80, so it works with IPv6).
But that's not precisely true! Actually, WireGuard will add up to 15 bytes of padding to the data, to make it a multiple of 16, as long as it doesn't exceed the MTU on that side of the connection.
So let's say you have a server with the MTU set at 1440, but you also have a client that is using IPv4 over PPPoE. So you set its MTU to 1432, subtracting the PPPoE overhead of 8 bytes. That should be fine, since the client will figure out the right path MTU for any connections, right?
Wrong!
The TCP client and server will negotiate an MSS that gives 1432 byte IP packets within the tunnel. But 1432 is not a multiple of 16! However, the client WireGuard instance knows that there is no headroom, so it will send 1432 + 60 = 1492 byte packets, which is the maximum PPPoE MTU. But on the way back, the server thinks it can go up to 1440! 1432 % 16 == 8, so it will try to round up to 1440. Then, it sends 1500 byte packets, which don't fit in PPPoE!
The fix is to either set both the client and server MTU to 1432, or to round down the client MTU to 1424.
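The padding arithmetic from the thread above, worked through as an added example (not code from the original post): plaintext is rounded up to a multiple of 16 but clamped to the sending side's WireGuard MTU, and the result is compared against the client's PPPoE link. The MTUs, the 60-byte IPv4 overhead and the assumption that TCP MSS negotiation yields inner packets of min(client MTU, server MTU) bytes in both directions are taken from the post.

```python
# Added example modelling the WireGuard padding rule described in the post.
WG_OVERHEAD_V4 = 32 + 8 + 20   # WireGuard data header + UDP + IPv4 = 60 bytes
WG_OVERHEAD_V6 = 32 + 8 + 40   # WireGuard data header + UDP + IPv6 = 80 bytes
PPPOE_LINK_MTU = 1500 - 8      # Ethernet MTU minus the 8-byte PPPoE framing


def padded_len(inner_len, wg_mtu):
    """Plaintext length after padding: rounded up to a multiple of 16,
    but never beyond the WireGuard interface MTU on the sending side."""
    aligned = (inner_len + 15) // 16 * 16
    return min(wg_mtu, aligned)


def outer_len(inner_len, wg_mtu, overhead=WG_OVERHEAD_V4):
    """Size of the encrypted UDP packet as it appears on the underlying link."""
    return padded_len(inner_len, wg_mtu) + overhead


def check_tunnel(client_mtu, server_mtu, link_mtu=PPPOE_LINK_MTU):
    """Assumption (from the post): TCP MSS negotiation produces inner IP
    packets of min(client_mtu, server_mtu) bytes in both directions.
    Report each direction's on-the-wire size and whether both fit the
    client's link MTU."""
    inner = min(client_mtu, server_mtu)
    to_server = outer_len(inner, client_mtu)   # client pads against its own MTU
    to_client = outer_len(inner, server_mtu)   # server pads against *its* MTU
    return {
        "inner": inner,
        "client_to_server": to_server,
        "server_to_client": to_client,
        "fits": to_server <= link_mtu and to_client <= link_mtu,
    }


if __name__ == "__main__":
    # Broken setup from the post, then the two fixes it proposes.
    for client, server in ((1432, 1440), (1432, 1432), (1424, 1440)):
        print(client, server, check_tunnel(client, server))
```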
Today Melissa Lewis over on BlueSky pointed out that the font used in the infamous "You wouldn't steal a car" anti-piracy campaign was actually designed by Just van Rossum, whose brother, Guido, created the Python programming language (bsky.app/profile/melissa.news/post/3ln7hx5rhcj2v)
She also pointed out that the font had been cloned and released illegally for free under the name "XBAND Rough". Naturally, it would be hilarious if the anti-piracy campaign actually turned out to have used this pirated font, so I went sleuthing and quickly found a PDF from the campaign site with the font embedded (web.archive.org/web/20051223202935/http://www.piracyisacrime.com:80/press/pdfs/150605_8PP_brochure.pdf).
So I chucked it into FontForge and yep, turns out the campaign used a pirated font the entire time!
Right on time for today's #NixOS Stammtisch, we are officially inaugurating our new wall decoration
Oof. Reportedly, if you got a certificate from SSL.com by putting “example[@]gmail.com” at _validation-contactemail.example.com, they would add gmail.com (!!!) to your verified domains.
A good reminder to use the CAA record, and to sign up for CT monitoring (e.g. Cert Spotter).
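To make the CAA advice concrete, here is an added example (not from the original post) of the issuance check a CA is required to perform under RFC 8659, run against a constructed zone: the domain names, the CA identifiers and the records are all made up for illustration.

```python
# Added example: RFC 8659 CAA evaluation over a constructed zone.
# Records are (flags, tag, value), keyed by owner name.
ZONE = {
    "victim.example.": [
        (0, "issue", "trusted-ca.example; validationmethods=dns-01"),
        (0, "issuewild", ";"),        # empty issuer name: no wildcard issuance at all
        (0, "iodef", "mailto:security@victim.example"),
    ],
    "unprotected.example.": [],       # no CAA anywhere in its hierarchy
}


def relevant_caa(fqdn, zone):
    """RFC 8659 section 3: climb from the FQDN towards the root and use the
    CAA RRset of the first owner name that has one."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def issuance_allowed(ca_id, fqdn, zone, wildcard=False):
    """Decide whether the CA identified by ca_id may issue for fqdn."""
    rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True   # no CAA in the hierarchy: CAA imposes no restriction
    # A critical (flag bit 0x80) property this CA does not understand forbids issuance.
    if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    # Issuer name is the part before ';'; parameters after it are ignored here.
    issuers = [v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True   # CAA present but no issue/issuewild property: unrestricted
    # An empty issuer name (";") authorises no CA at all.
    return ca_id.lower() in [name for name in issuers if name]
```

Only the owner of victim.example can stop other-ca.example from issuing for it; a CAA record on some unrelated domain does nothing, which is why every domain you care about needs its own record plus CT monitoring to catch the cases where a CA gets validation wrong anyway.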
I swear these billionaires could announce they're going to start hunting us for sport and some people would still be out there defending it with they're whole chest like
"you're just mad because you can't run fast."
Now is the time to throw away the prototype and implement changes which will work.
1. Full and unconditional product liability for all software.
2. Mandatory recalls of unsafe software products.
3. Mandatory open sourcing of all systemically important software. ("OS", not "FOSS")
4. Mandatory independent 3rd party review of all systemically important software.
5. Mandatory reporting to independent accident investigation authority, with law-given full access to all aspects.
2/2