mirror of
https://git.sr.ht/~seirdy/seirdy.one
synced 2024-11-27 14:12:09 +00:00
Compare commits
3 commits
69f4988429
...
a4812c72c9
Author | SHA1 | Date | |
---|---|---|---|
|
a4812c72c9 | ||
|
a214dcd6b8 | ||
|
97f5cd4483 |
6 changed files with 97 additions and 23 deletions
30
content/about/ssh-policy.txt
Normal file
30
content/about/ssh-policy.txt
Normal file
|
@ -0,0 +1,30 @@
|
|||
#
|
||||
# Custom policy based on seirdy.one (created on 2022/09/11)
|
||||
#
|
||||
|
||||
# The name of this policy (displayed in the output during scans). Must be in quotes.
|
||||
name = "Custom Policy (based on seirdy.one on 2022/09/11)"
|
||||
|
||||
# The version of this policy (displayed in the output during scans). Not parsed, and may be any value, including strings.
|
||||
version = 1
|
||||
|
||||
# The banner that must match exactly. Commented out to ignore banners, since minor variability in the banner is sometimes normal.
|
||||
# banner = "SSH-2.0-OpenSSH_8.8"
|
||||
|
||||
# The compression options that must match exactly (order matters).
|
||||
# I've never needed it.
|
||||
compressions = none
|
||||
|
||||
# The host key types that must match exactly (order matters).
|
||||
# Why do other key types still exist lmao
|
||||
host keys = ssh-ed25519
|
||||
|
||||
# The key exchange algorithms that must match exactly (order matters).
|
||||
key exchanges = sntrup761x25519-sha512@openssh.com
|
||||
|
||||
# The ciphers that must match exactly (order matters).
|
||||
ciphers = chacha20-poly1305@openssh.com
|
||||
|
||||
# The MACs that must match exactly (order matters).
|
||||
# MACs are redundant with the chacha20-poly1305 cipher; don't use any.
|
||||
macs =
|
|
@ -1,5 +1,9 @@
|
|||
Here's the software I use. I've recently started to reduce my use of TUIs in favor of CLIs, for a variety of reasons. When possible, I try to use lightweight programs that can run on any machine, from a single-board computer to a giant desktop. I don't ever want to feel like I need to upgrade my hardware to do the same tasks as before: hardware upgrades should only be justified by my use-cases significantly changing, existing hardware being broken beyond repair, or upstream abandonment of security patches.
|
||||
|
||||
## Hardware
|
||||
|
||||
My main computer is a 2013 HP Elitebook 840 G1. It has a dual-core Intel i5-4300U CPU (Haswell), with simultaneous multithreading disabled.
|
||||
|
||||
## Environment
|
||||
|
||||
* OS: Fedora 36
|
||||
|
@ -35,6 +39,15 @@ Here's the software I use. I've recently started to reduce my use of TUIs in fav
|
|||
=> https://github.com/leahneukirchen/mblaze mblaze
|
||||
=> https://git.sr.ht/~seirdy/bwrap-scripts/tree/trunk/item/w3m-sandbox w3m-sandbox
|
||||
|
||||
## Networking and pentesting:
|
||||
|
||||
* RustScan (don't use it on max settings without permission)
|
||||
* q, a DNS client that supports DoH, DoH3, DoQ, and ODoH.
|
||||
* rnp, a ping tool that supports TCP and QUIC "pings" to estimate handshake latency.
|
||||
* both curl and xh for HTTP testing.
|
||||
* kinvolk's wrk2 fork and bombardier for HTTP load-testing
|
||||
* ssh-auditor
|
||||
|
||||
## Other tools:
|
||||
|
||||
* jq (I love writing jq programs)
|
||||
|
@ -43,10 +56,10 @@ Here's the software I use. I've recently started to reduce my use of TUIs in fav
|
|||
* msync
|
||||
* wormhole-william
|
||||
* rdrview
|
||||
* Efficient Compression Tool (better than ZopfliPNG)
|
||||
* RustScan (don't use it on max settings without permission)
|
||||
* Efficient Compression Tool (better than Zopfli/ZopfliPNG)
|
||||
* scc
|
||||
* Pandoc
|
||||
* ghq, a VCS repository manager in the style of $GOPATH
|
||||
|
||||
=> https://github.com/psanford/wormhole-william wormhole-william
|
||||
=> https://github.com/eafer/rdrview rdrview
|
||||
|
|
|
@ -11,7 +11,7 @@ Here's the software I use. I've recently started to reduce my use of <abbr title
|
|||
Hardware
|
||||
--------
|
||||
|
||||
My main computer is a 2013 HP Elitebook 840 G1. It has an Intel i5-4300U CPU, with simultaneous multithreading disabled.
|
||||
My main computer is a 2013 HP Elitebook 840 G1. It has a dual-core Intel i5-4300U CPU (Haswell), with simultaneous multithreading disabled.
|
||||
|
||||
Environment
|
||||
-----------
|
||||
|
@ -46,7 +46,7 @@ mpd
|
|||
: My music player daemon, paired with [my mpd scripts](https://sr.ht/~seirdy/mpd-scripts/) and [mpd-mpris](https://github.com/natsukagami/mpd-mpris).
|
||||
|
||||
mpv
|
||||
: My video player. I have three builds of mpv: one normal build, and two with decoder libraries that have profile-guided optimization for different types of video (anime, and live-action that includes heavy filmgrain). Often paired with [yt-dlp](https://github.com/yt-dlp/yt-dlp) and [mpv_sponsorblock](https://github.com/po5/mpv_sponsorblock).
|
||||
: My video player. I have three builds of mpv: one normal build, and two with decoder libraries that have profile-guided optimization for different types of video (anime, and live-action that includes heavy filmgrain). Often paired with [yt-dlp](#yt-dlp) and [mpv_sponsorblock](https://github.com/po5/mpv_sponsorblock).
|
||||
: Also my main image viewer, since FFmpeg recently got support for JPEG-XL and AVIF.
|
||||
|
||||
[swayimg](https://github.com/artemsen/swayimg)
|
||||
|
@ -103,12 +103,38 @@ Neomutt
|
|||
[w3m-sandbox](https://git.sr.ht/~seirdy/bwrap-scripts/tree/trunk/item/w3m-sandbox)
|
||||
: Displays HTML mail in a sandboxed environment. Networking and most filesystem access are disabled; using its full unrestricted functionality will involve syscalls I forbid with seccomp and crash the program.
|
||||
|
||||
Networking and penetration testing
|
||||
----------------------------------
|
||||
|
||||
Every administrator needs some tools to test their servers.
|
||||
|
||||
|
||||
[RustScan](https://rustscan.github.io/RustScan/)
|
||||
: A port-scanner that can scan all 65 thousand ports in _seconds_. It optionally integrates with nmap. Don't use it on someone else's server without permission; this thing is brutal.
|
||||
|
||||
[q (DNS client)](https://github.com/natesales/q)
|
||||
: A DNS client that supports DNS-over-TLS, DNS-over-HTTPS, DNS-over-HTTP/3, DNS-over-QUIC, and Oblivious DNS-over-HTTPS. It sports a wide variety of options that aren't present in other `dig` replacements.
|
||||
|
||||
[rnp](https://github.com/r12f/rnp)
|
||||
: A "layer-4 ping tool" that can measure the round-trip time of a plain TCP or QUIC connection, rather than using ICMP.
|
||||
|
||||
[cURL](https://curl.se/) OR [xh](https://github.com/ducaale/xh)
|
||||
: cURL supports a wide variety of features, protocols, TLS libraries, etc. `xh` is more focused on HTTP. I like to use both; when I don't need the features of cURL, I use xh for its simple color output and HTTPie-like syntax. Plus, it's nice to be able to test a server with two different HTTP+TLS implementations.
|
||||
|
||||
[wrk2 (fork)](https://github.com/kinvolk/wrk2) OR [bombardier](https://github.com/codesenberg/bombardier)
|
||||
: Two great HTTP load-testers. wrk2 is mostly abandoned, but this fork has since added some features. When I need to test something like HTTP/2, I reach for bombardier. I haven't yet evaluated different HTTP/3 load-testers; I might have to give h2load+nghttp3 a look.
|
||||
|
||||
[ssh-audit](https://github.com/jtesta/ssh-audit)
|
||||
: I check my SSH config against [this SSH policy](../ssh-policy.txt). It's based on the GrapheneOS infrastructure's SSH configs.
|
||||
|
||||
Other tools
|
||||
-----------
|
||||
|
||||
Everyday utilities I can't live without:
|
||||
|
||||
|
||||
jq
|
||||
: Interpreter for the jq domain-specific programming language. Indespensible for creating, manipulaitng, and filtering data.
|
||||
: Interpreter for the jq domain-specific programming language. Indispensable for creating, manipulating, and filtering data.
|
||||
|
||||
fzf
|
||||
: A fuzzy-finder that blends the CLI and TUI. Used for my program launcher, tab-completion, shell history search, Neovim menus (with telescope.nvim), and command-line path-completion.
|
||||
|
@ -128,10 +154,7 @@ z.lua
|
|||
: The Readability algorithm on the command-line. Pairs nicely with Pandoc and/or w3m to extract and manipulate article content.
|
||||
|
||||
[Efficient Compression Tool](https://github.com/fhanau/Efficient-Compression-Tool)
|
||||
: The last word in optimizing gzip or PNG size. Runs circles around ZopfliPNG, oxipng, etc.
|
||||
|
||||
[RustScan](https://github.com/RustScan/RustScan)
|
||||
: A port-scanner that can scan all 65 thousand ports in seconds. Don't use it on someone else's server without permission; this thing is brutal.
|
||||
: The last word in optimizing gzip or PNG size. Runs circles around Zopfli, ZopfliPNG, oxipng, etc. I use it in combination with `brotli` to compress all static text and PNGs on this site.
|
||||
|
||||
[scc](https://github.com/boyter/scc)
|
||||
: Super fast SLOC alternative that shows statistics on code complexity by language.
|
||||
|
@ -142,10 +165,16 @@ Pandoc
|
|||
bmake
|
||||
: Much simpler than GNU Make, and good for ensuring that Makefiles are portable.
|
||||
|
||||
[ghq](https://github.com/x-motemen/ghq)
|
||||
: A tool to manage version-control clones (Git, Mercurial, et al) in the style of `$GOPATH`. I have hundreds of repositories cloned from several different remotes, and this takes care of organizing them in my filesystem.
|
||||
|
||||
<a href="https://github.com/yt-dlp" id="yt-dlp">yt-dlp</a>
|
||||
: Download videos from hundreds of different sites, including YouTube. Integrates with external downloaders like aria2 and downloads DASH chunks in parallel to max out your connection speed. yt-dlp also integrates with Sponsorblock to add skippable chapters for the segments I'd otherwise have to manually skip (sponsored content, subscription-begging, an ending segment featuring other videos, and other useless bullshit). I've forgotten what it's like to watch a video ad.
|
||||
|
||||
This website
|
||||
------------
|
||||
|
||||
I use multiple aforementioned tools (Neovim, bmake, sd) for routine tasks when building seirdy.one.
|
||||
I use multiple aforementioned tools (Neovim, bmake, sd, etc.) for routine tasks when building seirdy.one.
|
||||
|
||||
### Make content
|
||||
|
||||
|
@ -165,6 +194,9 @@ pngquant, Efficient Compression Tool
|
|||
`avifenc`
|
||||
: Comes with libavif. I use it with libaom to encode AVIF images with lossy compression. I also link libaom against libjxl so that I can get Butteraugli-based quality tuning.
|
||||
|
||||
`cjxl`
|
||||
: The reference JPEG-XL encoder. JPEG-XL won't be enabled-by-default in browsers for a while, but I still offer it via some `<picture>` elements.
|
||||
|
||||
### Deploy the website
|
||||
|
||||
|
||||
|
@ -178,16 +210,16 @@ Efficient Compression Tool, Brotli
|
|||
: These perform static compression at max settings[^4] for all static content. Reduces payload size and saves server CPU resources.
|
||||
|
||||
rsync
|
||||
: Transfers files to the server
|
||||
: Transfers modified files to the server with transparent zstd compression.
|
||||
|
||||
[builds.sr.ht](https://builds.sr.ht/)
|
||||
: <abbr title="Continuous Integration/Continuous Delivery">CI/CD</abbr> service that has nice features. Production site builds occur in an Alpine VM on builds.sr.ht. Features I like include letting me ssh into failed builds, having an accessible Web UI, and not requiring any JavaScript.
|
||||
: <abbr title="Continuous Integration/Continuous Delivery">CI/CD</abbr> service. Production site builds occur in an Alpine VM on builds.sr.ht. Features I like include letting me ssh into failed builds, having an accessible Web UI, and not requiring any JavaScript. I bring most of my own binaries and use portable Makefiles and shell-scripts, so I could easily migrate to another offering if necessary.
|
||||
|
||||
### Test the website
|
||||
|
||||
I don't run these utilities every push; they're too heavy for that. I do run them often, though.
|
||||
|
||||
I run these tools locally, on every applicable file. A full run takes under <time datetime="PT2M">2 minutes</time>.
|
||||
I run these tools locally, on every applicable file. A full run takes under <time datetime="PT6M">6 minutes</time> on my modest dual-core notebook.
|
||||
|
||||
|
||||
[Nu HTML Checker](https://validator.github.io/validator/)
|
||||
|
@ -209,17 +241,15 @@ jq
|
|||
: I validate my Atom feeds using this tool. Like always, I filter out false positives and report them upstream.
|
||||
|
||||
[htmltest](https://github.com/wjdp/htmltest) OR [html-proofer](https://github.com/gjtorikian/html-proofer)
|
||||
: Two very similar tools. html-proofer is slow but supports more features; I run the faster htmltest more often. They check for broken links, markup errors, and valid icons.
|
||||
: Two very similar tools. html-proofer is slow but supports more features; I run the faster htmltest more often. They check for broken links, markup errors, and valid icons. htmltest's ability to cache links is really useful: instead of testing nearly two thousand links every run, I can spread the load over the course of a week. It's also much easier to build a static binary of htmltest than other link-checkers, like Lychee.
|
||||
|
||||
[webhint](https://webhint.io)
|
||||
: When all the aforementioned tests pass, my staging site deploys and webhint runs on every page in its sitemap. I skip its axe-based tests, since those are already covered by axe-core.
|
||||
|
||||
Webhint checks HTTP headers, validates the Web App Manifest, ensures caching and compression work, checks for compatibility issues, validates compliance with a performance budget, and looks for common HTML/CSS mistakes.
|
||||
: When all the aforementioned tests pass, my staging site deploys and webhint runs on every page in its sitemap. Webhint checks HTTP headers, validates the Web App Manifest, ensures caching and compression work, checks for compatibility issues, validates compliance with a performance budget, and looks for common HTML/CSS mistakes. I skip its axe-based tests, since those are already covered by axe-core.
|
||||
|
||||
Tools I have yet to add to this section:
|
||||
|
||||
* Something to validate my Webfinger JSON against a schema
|
||||
* A tool to validate microdata and RDFa. structured-data-linter or Schemarama could work.
|
||||
* A tool to validate microdata and RDFa. The W3C structured-data-linter or Google's Schemarama could work.
|
||||
* A tool to validate microformats.
|
||||
|
||||
### Server-side stuff
|
||||
|
|
|
@ -5,7 +5,7 @@ date: 2022-08-10T17:00:00-07:00
|
|||
|
||||
Web development **fuzzes browsers and developer tools** with the side-effect of occasionally producing decent Web content. My site has broken enough things to give me plenty of bugs to file, or cause others to file on my behalf. Despite all the fuss I make about maintaining compatibility, I do make exceptions for simple fixable bugs and broken developer tools.
|
||||
|
||||
My strict Content Security Policy (<abbr>CSP</abbr>) has broken various developer tools (Axe, Lighthouse), Brave's Reader Mode (allowing styles with a CSP hash blocks reader-mode CSS), WebKit media controls (I relax the <abbr>CSP</abbr> on the affected page), Chromium DevTools' console, and various parts of Epiphany. Recent directives like `navigate-to` and `webrtc` were unsupported by Google's CSP evaluator (and by proxy, Lighthouse) until I pushed a trivial fix.
|
||||
My strict Content Security Policy (<abbr title="Content Security Policy">CSP</abbr>) has broken various developer tools (Axe, Lighthouse), Brave's Reader Mode (allowing styles with a CSP hash blocks reader-mode CSS), WebKit media controls (I relax the <abbr>CSP</abbr> on the affected page), Chromium DevTools' console, and various parts of Epiphany. Recent directives like `navigate-to` and `webrtc` were unsupported by Google's CSP evaluator (and by proxy, Lighthouse) until I pushed a trivial fix.
|
||||
|
||||
Recent features like CSS containment, `media` attributes in `<meta name="theme-color">` elements, the `@supports selector()` CSS at-rule, and `prefers-contrast: less` expose several false positives in the W3C's CSS and Nu HTML validators; I fixed a couple of the simpler issues.
|
||||
|
||||
|
|
|
@ -61,7 +61,7 @@ Our goal: make a textual website maximally inclusive, using restricted enhanceme
|
|||
|
||||
### Prior art
|
||||
|
||||
You can regard this article as an elaboration on existing work by the Web Accessibility Initiative (<abbr>WAI</abbr>).
|
||||
You can regard this article as an elaboration on existing work by the Web Accessibility Initiative (<abbr title="Web Accessibility Initiative’s">WAI</abbr>).
|
||||
|
||||
I'll cite the <abbr>WAI's</abbr> {{<mention-work itemprop="citation" itemtype="TechArticle">}}{{<cited-work name="Techniques for WCAG 2.2" url="https://www.w3.org/WAI/WCAG22/Techniques/">}}{{</mention-work>}} a number of times. Each "Success Criterion" (requirement) of the WCAG has possible techniques. Unlike the <cite>Web Content Accessibility Guidelines</cite> (<abbr title="Web Content Accessibility Guidelines">WCAG</abbr>), the Techniques document does not list requirements; rather, it serves to non-exhaustively educate authors about _how_ to use specific technologies to comply with the WCAG. I don't find much utility in the technology-agnostic goals enumerated by the WCAG without the accompanying technology-specific techniques to meet those goals.
|
||||
|
||||
|
@ -418,7 +418,7 @@ Using `content-visibility` for content at the end of the page is relatively safe
|
|||
|
||||
### Performance of assistive technologies
|
||||
|
||||
{{<mention-work itemtype="CreativeWork" itemprop="mentions">}}{{<indieweb-person first-name="Eric" last-name="Bailey" url="https://ericwbailey.design/" itemprop="author" appendString="’s">}} presentation {{<cited-work name="The intersection of performance and accessibility" url="https://noti.st/ericwbailey/Yfyaxa/slides">}}{{</mention-work>}} describes how computing the accessibility tree can be expensive if a page has too many DOM nodes and custom elements. Browsers use complex heuristics to determine which elements to report, to reduce the size of the accessibility tree. Now that all major browsers are moving to multi-process architectures, some browser components interface with assistive technology (<abbr>AT</abbr>) in a separate process. Data about the page's semantics needs to cross process boundaries, incurring additional overhead.
|
||||
{{<mention-work itemtype="CreativeWork" itemprop="mentions">}}{{<indieweb-person first-name="Eric" last-name="Bailey" url="https://ericwbailey.design/" itemprop="author" appendString="’s">}} presentation {{<cited-work name="The intersection of performance and accessibility" url="https://noti.st/ericwbailey/Yfyaxa/slides">}}{{</mention-work>}} describes how computing the accessibility tree can be expensive if a page has too many DOM nodes and custom elements. Browsers use complex heuristics to determine which elements to report, to reduce the size of the accessibility tree. Now that all major browsers are moving to multi-process architectures, some browser components interface with assistive technology (<abbr title="Assistive Technology">AT</abbr>) in a separate process. Data about the page's semantics needs to cross process boundaries, incurring additional overhead.
|
||||
|
||||
Re-calculating nodes in the accessibility tree can create small delays for user interaction. These delays add up, causing the accessibility tree to fall out-of-sync with the actual page state. In extreme cases, an out-of-control accessibility tree may crash the <abbr>AT</abbr>. Moreover, speech synthesizers may be slow to start speaking when the CPU is under load. Delayed speech synthesis is incredibly annoying because it tends to omit words while "warming up".
|
||||
|
||||
|
@ -443,7 +443,7 @@ Plenty of reasons exist for using older versions of each of the mainstream brows
|
|||
|
||||
|
||||
Firefox
|
||||
: In addition to Firefox's "Stable", "Beta", and "Nightly" channels, Firefox includes an "Extended Support Release" (<abbr>ESR</abbr>). Firefox <abbr>ESR</abbr> receives only bugfixes and major security patches for over one year. It's the default browser in Debian and the basis for the Tor Browser. In other words: if you want people to be able to browse your site anonymously (i.e. with the Tor Browser), you need to support Firefox <abbr>ESR</abbr> versions for at least 13 months after their release. If that wasn't enough: the latest version of KaiOS uses Firefox 84, while older versions (still being sold in 2022!) use Firefox 49.[^12]
|
||||
: In addition to Firefox's "Stable", "Beta", and "Nightly" channels, Firefox includes an "Extended Support Release" (<abbr title="Extended Support Release">ESR</abbr>). Firefox <abbr>ESR</abbr> receives only bugfixes and major security patches for over one year. It's the default browser in Debian and the basis for the Tor Browser. In other words: if you want people to be able to browse your site anonymously (i.e. with the Tor Browser), you need to support Firefox <abbr>ESR</abbr> versions for at least 13 months after their release. If that wasn't enough: the latest version of KaiOS uses Firefox 84, while older versions (still being sold in 2022!) use Firefox 49.[^12]
|
||||
|
||||
Safari and WebKit
|
||||
: On Linux, WebKitGTK powers various browsers, RSS readers, and in-app browsers. WebKitGTK versions are limited by a distribution's release model; LTS distributions will not have the shiniest new WebKit features. Safari versions are similarly limited by iOS and macOS versions. For instance, the iPhone 7 will not be able to run iOS 16 or Safari 16, just four years after it was discontinued; it'll only receive occasional security patches for Safari 15.x. The only way for iPhone-7-and-earlier users to use Safari 16+ features is to buy a new phone. Expecting users to buy a new device every few years just to display a webpage needlessly contributes to the rampant consumerism and throw-away culture in the consumer electronics industry.
|
||||
|
@ -483,7 +483,7 @@ Many people use Tor out of necessity. On Tor, additional constraints apply.
|
|||
|
||||
Tor users are encouraged to set the [Tor Browser's security settings](https://tb-manual.torproject.org/en-US/security-settings/) to "safest". This disables scripts, MathML, remote fonts, SVG images, and [other unsafe Firefox features](https://gitweb.torproject.org/torbutton.git/tree/modules/security-prefs.js). If your site has any SVG images, the Tor browser will download these just like Firefox would (to avoid fingerprinting) but will not render them.
|
||||
|
||||
If you must use scripts, ensure that they perform well with just-in-time (<abbr>JIT</abbr>) compilation disabled. The Tor Browser's "safer" mode, iOS Lockdown mode, and Microsoft Edge's "enhanced" security mode all disable JIT compilation by default.[^15]
|
||||
If you must use scripts, ensure that they perform well with just-in-time (<abbr title="Just-In-Time">JIT</abbr>) compilation disabled. The Tor Browser's "safer" mode, iOS Lockdown mode, and Microsoft Edge's "enhanced" security mode all disable JIT compilation by default.[^15]
|
||||
|
||||
Additionally, hopping between nodes in Tor circuits incurs latency, worsening the impacts of requiring multiple requests and round-trips. Try to minimise the number of requests to view a page.
|
||||
|
||||
|
|
1
static/ssh-policy.txt
Symbolic link
1
static/ssh-policy.txt
Symbolic link
|
@ -0,0 +1 @@
|
|||
../content/about/ssh-policy.txt
|
Loading…
Reference in a new issue