paulgorman.org

Tue Jul 13 06:00:01 EDT 2021
========================================

Slept from ten to seven. Woke around four, and took a little while to fall back to sleep. Used a detuned radio for white noise last night instead of the fan. Worked.

Mostly cloudy. Chance of showers and thunderstorms in the morning, then showers with thunderstorms likely in the afternoon. Highs around 80. Southwest winds 5 to 15 mph. Chance of precipitation 80 percent.

Work
----------------------------------------

- changes for Entrata repayment agreements?
  Done. (No change.)
- make rentable items not web visible for GB
  Done.
- call Heather about manually setting rent
  Done.
- 2:30 PM Entrata call
  Done.
- router for PW
  Still waiting on IP info from Bullseye.
- work on restoring WV email
  No.

Twenty-minute walk at lunch. Cloudy, humid, a few rain drops. Rain cleared up a little in the afternoon. Sound of cicadas.

Home
----------------------------------------

- Drain-O tub
  Done.
- more packing/purging
  Done.
- 6:30 PM MUG meeting, Michael W. Lucas about TLS, https://8x8.vc/mugorg/meeting
  Virtually attended! Thirty-three people in the MUG meeting!

Some interesting bits from Michael's TLS talk:

- If using RSA, 4096 bits is NOT twice as strong as 2048 bits — 2049 bits is twice as strong as 2048 bits, and 4096 bits is a ridiculous multiple stronger (and VERY inefficient for clients to compute)! 2048-bit RSA is strong enough.
- ECDSA is much more efficient for clients than RSA.
- Don't use a host name in cert Common Names. That's deprecated. Put host names in SANs instead.
- What should go in the CN? Whatever your CA puts in there.
- The `openssl` command includes a lot of subcommands, invoked like `openssl subcommand options`.
- `openssl rsa -noout -text -in cert.key` can dump the info for a cert.
- `openssl s_client -connect host:port` can be used for telnet-like testing of TLS services. See s_client(1ssl).
- What info needs to go in a certificate signing request? If you're just getting a domain validated cert, just include the host name. More info will be needed for organization validated or extended validation certificates.
- The "modulus" can be used to match certs and keys — a key pair, i.e., to make sure a key and a cert match. A lot of the `openssl` subcommands have a flag for it, e.g., `openssl rsa -modulus …`.
- Certificate Authority Authorization will one day be a required thing, probably. It's basically DNS records saying what CA can issue what kind of certs for this domain, kind of like how SPF says which servers can send mail for a domain.
- https://ssl-config.mozilla.org/

Ordered groceries, washed laundry, washed dishes, took broken microwave to trash.

https://www.theregister.com/2021/07/09/centos_stream_greg_kurtzer/

> Greg Kurtzer, co-founder of CentOS and founder of Rocky Linux, has told The Register that despite the "negative effect" around the end of CentOS 8, he now believes that the focus on CentOS Stream is better for the community.

> Aside from that, does Rocky Linux give anything back to Red Hat? This is where Kurtzer says something surprising. "CentOS to me means Community Enterprise Operating System and it's obvious that they killed the Community Enterprise Operating System by end-of-lifing it.

> "Now, Neal Gompa [a member of the openSUSE board] challenged me two days ago on this, that the move to Stream is giving the community a more direct mechanism than Fedora to interoperate with this. CentOS has gone from being the operating system for the community enterprise to now being the developers' interface to the enterprise operating system.

> "It completely changes the perspective of what Stream is. I'm finally OK with calling it CentOS Stream. I was upset with it for a while because we came up with the name CentOS and then all of a sudden it was killed."

> This is the second mutual benefit with Red Hat, he said. "We can interface with CentOS Stream. Enterprise Linux is pulling from the CentOS Git repository as we pull from the CentOS Git repository. We're more of a peer to it. What we're all downstream from is CentOS Stream. Now we can actually push bug fixes directly into that same git repository that Red Hat's pulling from.

> "So is there a mutualistic benefit? Absolutely, and I'm looking forward to being able to contribute back upstream to CentOS Stream. And then to have both Red Hat as well as Rocky, as well as all of the enterprise Linux distributions, benefit from that. I think Red Hat has done a tremendous job in terms of how they orchestrated this. I was slow on the uptake but I get what they're doing now."

> Despite this change of perspective, Kurtzer still feels the way the change came about was disruptive. "I know very large enterprises that were in the process of transitioning to Ubuntu. I had a few of them contact me, I'm talking very large oil and gas, telecommunications, health and manufacturing, who said please give us a brief on what it is you're doing because we're nervous, we're trying to convert all of our tooling to Ubuntu and Debian, but if we don't have to do that, we don't want to."

> What will come next once Rocky Linux 8 is fully done?

> "The goal is to extend the operating system via special interests groups (SIGs)," said Kurtzer. "I'm really interested in high-performance computing and in cloud hybrid. Other people have spun up a hyperscale SIG, a SIG for legacy hardware, a SIG for laptops and workstations, a SIG for media and entertainment, a SIG for storage, a SIG for EDA [Electronic Design Automation]. There's going to be some overlap with CentOS SIGs as well as Fedora and EPEL packaging, but I think what we can do is be the new kid on the block."

Servings: grains 5/6, fruit 2/4, vegetables 3/4, dairy 3/2, meat 3/3, nuts 0.5/0.5

Breakfast: pineapple, fried rice
Brunch: coffee
Lunch: apple, carrots, salami sandwich
Dinner: macaroni and cheese with potato

-30
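As an added example following the TLS notes above (not part of the original entry or of Michael's talk): a short POSIX shell script that exercises the modulus trick for checking that a key and a cert belong together, with the host name placed in the SAN rather than the CN. Note that `openssl rsa` reads a private key while `openssl x509` reads a certificate; the org name and host names used are made up, and openssl 1.1.1 or later is assumed for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway 2048-bit RSA
# key and a self-signed cert whose host name lives in the SAN (not the CN),
# then check that key and cert belong together by comparing their moduli.
# Assumes openssl(1) 1.1.1 or later (for -addext and -ext) and mktemp(1).
set -eu

WORK=$(mktemp -d)                 # scratch dir for the generated files
trap 'rm -rf "$WORK"' EXIT

# make_pair DIR HOST: write DIR/server.key and DIR/server.crt for HOST
make_pair() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # The subject holds only a made-up org; the host name goes in subjectAltName.
    openssl req -new -x509 -days 1 -key "$dir/server.key" \
        -subj "/O=Example Org" -addext "subjectAltName=DNS:$host" \
        -out "$dir/server.crt" 2>/dev/null
}

# 'openssl rsa' reads a private key; 'openssl x509' reads a certificate.
# Both print "Modulus=<hex>", so the two strings can be compared directly.
key_modulus()  { openssl rsa  -noout -modulus -in "$1"; }
cert_modulus() { openssl x509 -noout -modulus -in "$1"; }

# pair_matches KEY CERT: exit 0 only if the cert was built from this key
pair_matches() {
    [ "$(key_modulus "$1")" = "$(cert_modulus "$2")" ]
}

# san_of CERT: print the subjectAltName extension, where clients look for names
san_of() { openssl x509 -noout -ext subjectAltName -in "$1"; }

# Demo: a matching pair, then a freshly generated, unrelated key.
make_pair "$WORK" www.example.com
san_of "$WORK/server.crt"
pair_matches "$WORK/server.key" "$WORK/server.crt" && echo "server.key: match"
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
pair_matches "$WORK/other.key" "$WORK/server.crt" || echo "other.key: no match"
```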