I was reading recently about how Tailscale makes peer-to-peer connections work, which I thought was quite interesting. If we stop using NAT there is still an issue of getting traffic through stateful firewalls. That can be hard without a server because, for example, in some cases you need to coordinate two nodes sending each other messages on the same port nearly simultaneously to get all the intervening firewalls to interpret that as an “outbound” session from both sides to allow traffic through. https://tailscale.com/blog/how-nat-traversal-works

I like rofi for this use case, but it uses fuzzy search instead of labels. You might have to type more than one letter, depending on what windows you have open. OTOH if you know any part of the window title you can start typing immediately without having to scan a list for a label first.

Labels work well for jumping to something you can already see, because the label appears where you are already looking, so you see it immediately. I’m guessing the process of finding the label for a window that is not visible would be clunkier - you’d have to find the label in a possibly long window list.

Very cool! A while ago I found that instead of using fractional scaling, things were smoother for me if I set Gome’s text scaling factor in accessibility settings. I think most GTK UI scales based off that value? It’s pretty helpful for me, even though I’m not actually using Gnome anymore. But if fractional scaling support has gotten better, maybe I’ll switch my approach.

Out of sheer curiosity I checked. 18 USC § 921(a)(16) defines “antique firearm” for purposes of crimes and criminal procedure. The term “firearm” is defined in 18 USC § 921(a)(3), which includes the text, “Such term does not include an antique firearm.” (source)

It’s perplexing because the “antique firearm” definition has numerous references to “firearm”. The (A) and (B) parts include or reference the text, “any firearm (including any firearm with a matchlock, flintlock, percussion cap, or similar type of ignition system) …”.

So it looks like antique firearms are an instance of Russell’s Paradox. I guess a flintlock is not not a firearm. Paradox resolving powers must be one of those things you need law school for.

I had to look it up - apparently this guy’s relation to Scotty is only explained in the director’s cut of Wrath of Khan https://memory-alpha.fandom.com/wiki/Peter_Preston

Goddammit. I can see how this is convenient for Netflix subscribers in the short term. But this is yet another consolidation adding to the oppressive weight on consumers, and would-be competitors. For one thing, I’m sure this is going going to lead to higher Netflix subscription prices than we would have seen otherwise.

This is what we gotta do - put social stigma on absurd wealth

My recollection is in the mirror universe Worf has a huge battle cruiser, and keeps Garak on a chain. So that’s inconclusive I guess.

I’m very glad I switched. One of the little improvements: IIRC last time I checked PaperWM didn’t have bindings to set a window to a specified width. It only had a cycle width option. With Niri I have shortcuts to set a window to ¼, ⅓, ½, ⅔, or ¾ of the screen width.

There are lots of other improvements. One of my favorites is the dynamic screen cast target.

My understanding is that the NixOS Lutris package runs with a virtual FHS that is built with a selection of libraries for running Wine. I think that might mean it doesn’t hook up libraries that are configured with nix-ld. If the game runs with steam-app, but not with Lutris, then it sounds like there’s a library missing from the Lutris FHS.

You can override to fix that. Looking at the game logs could give you information about which libraries are missing. Or you could add in everything that steam-app uses, the way you configured nix-ld.

There’s a configuration snippet that might point you in the right direction in this thread: https://discourse.nixos.org/t/nix-overlay-to-change-fhs-environment/54139/2

No, if something goes wrong with the VPN then the confined service will be unable to reach the internet. The setup runs the confined process in a network namespace that does not have a route to your default wifi or ethernet interfaces. If the VPN interface isn’t set up correctly, or stops working there is no other route out.

You can test this with or without setting up VPN-Confinement. To do a quick test without any VPN setup, create a test service like this:

systemd.services.test-unit = {
  serviceConfig = {
    NetworkNamespacePath = "/run/netns/test";
    Type = "oneshot";
  };
  script = ''
    ${pkgs.iputils}/bin/ping 1.1.1.1
  '';
};

Create a matching network namespace that doesn’t route anywhere:

sudo ip netns add test

Then set the unit running, and watch its output:

sudo systemctl start test-unit.service
journalctl -u test-unit.service -f

You’ll see ping report that the network is unreachable. If you delete the namespace while ping is running it will continue to report that the network is unreachable.

sudo ip netns del test

(If you don’t want to bother with a systemd unit, you can run a process in a given network namespace using sudo ip netns exec <namespace> <command>. For example, sudo ip netns exec test ping 1.1.1.1.)

If the namespace wasn’t set up for whatever reason the confined service won’t start. (See the edit on the post.)

I also did some tests with the VPN-Confinement setup with this test unit:

systemd.services.test-unit = {
  serviceConfig = {
    Type = "oneshot";
  };
  script = ''
    while true; do
      ${pkgs.curl}/bin/curl https://am.i.mullvad.net/connected
      sleep 5
    done
  '';
  vpnConfinement = {
    enable = true;
    inherit vpnNamespace;
  };
};

If I set vpnNamespace to a name that doesn’t match a configured vpnNamespace then the service won’t start.

If I bring down the VPN namespace while that curl loop is running with sudo systemctl stop wg.service then test-unit also stops, because of the systemd dependencies that systemd.services.<name>.vpnConfinement sets up.

If I bring down the network namespace manually while the curl loop is running with sudo ip netns del wg then the curl loop keeps running, and continues to report that it is connected to Mullvad. I guess the network namespace continues to exist while a running process is using it.

If I bring down the VPN network interface with sudo ip -n wg link set dev wg0 down then curl fails with status=6/NOTCONFIGURED

Good question! I think this is distinct from split tunneling, but does a similar thing. But I’m not an expert - I don’t know how precise or broad the definitions are, so I’m not positive the concepts don’t overlap.

From some brief reading it looks like split tunneling is set up by configuring routing to determine which traffic goes through the VPN based on destination IP addresses. OTOH what I’m calling confinement determines VPN use based on which process sends traffic. So with confinement all traffic from select processes, regardless of destination, goes through the VPN.

I think there are differences in how inbound traffic works too. With confinement inbound traffic can only reach confined processes.

This is the BS I came to this thread for!

And as I just recently learned, network namespaces support! Those can be handy if you need a backup job to route through a VPN tunnel, or some such thing.

I can’t think of a good story from personal experience, so I’ll share a wild objection from some guy on the internet from, I think 2007. The story pops into my head from time to time. This guy insisted that it would be impossible to create an entire OS that can run from start to finish without the resources of a major software company. He argued that therefore Linux must actually be a pirated, reskinned version of Windows. https://danielandrade.net/posts/linux-windows-misconceptions-tech-story/

I checked the Wayback machine to try to find more messages from that thread because I think he kept posting and doubling down. But pulling up ancient ZDNet forum posts is slow enough that I gave up.

As a gamer myself I don’t think it’s appropriate to try to deprive someone of a hobby that they genuinely enjoy. As a long-time Linux user I stick to games that work well on Linux, like Overwatch. But unfortunately games aren’t interchangeable - if League is your thing, Dota might not be an acceptable substitute.

Better to argue for dual booting than to try to cut off a friend’s personal relationship with their game.

I enjoyed Atlantis because so many of the episodes felt like emergency drills at a place where I used to work, and it made me feel right at home!

Ahhh, for some reason I had it in my head that rebooting cleared the syslog

To see logs from only the previous boot run,

journalctl -b -1

I’ve heard worrisome speculation about the white house working up to invading Venezuela. Supposedly officials are talking to oil industry executives about investment opportunities after a regime charge, and those conversations sound a lot like conversations that took place before the Iraq invasion.

Edit: Oh damn, the situation has escalated more than I realized https://unac.notowar.net/no-war-on-venezuela-all-out-for-a-week-of-emergency-protests/

Also the Social Security Administration, despite being a huge operation, runs with less than 1% overhead. And they get those checks out month after month. Medicare’s overhead is under 2%, compared to an average of 12% for private insurance, and polls seem to show people are more satisfied with Medicare than with private insurance.

I know the complaint that government is ineffective and inefficient is a classic - but it makes me wonder what programs that refers to? Maybe something in the Defense Department?