Badabinski

It also lacks any form of dependency management AFAICT. I don’t think there’s any way to say you depend on another service. I’m guessing you can probably order things lexically? But that’s, uh, shitty and bad.

I wrote and maintained a lot of sysvinit scripts and I fucking hated them. I wrote Upstart scripts and I fucking hated them. I wrote OpenRC scripts and I fucking hated them. Any init system that relies on one of the worst languages in common use nowadays can fuck right off. Systemd units are well documented, consistent, and reliable.

From my 30 seconds of looking, I actually like nitro a bit more than OpenRC or Upstart. It does seem like it’d struggle with daemons the way sysvinit scripts used to. Like, you have to write a process supervisor to track when your daemonized process dies so that it can then die and tell nitro (which is, ofc, a process supervisor), and it looks like the logging might be trickier in that case too. I fucking hate services that background themselves, but they do exist and systemd does a great job at handling those. It also doesn’t do any form of dependency management AFAICT, which is a more serious flaw.

Nitro seems like a good option for some use cases (although I cannot conceive why you’d want to run a service manager in a container when docker and k8s have robust service management built into them), but it’s never touching the disk on any of the tens of thousands of boxes I help administrate. systemd is just too good.

Just journalctl | grep and you’re good to go. The binary log files contain a lot of metadata per message that makes it easy to do more advanced filtering without breaking existing log file parsers.

Anubis has worked if that’s happening. The point is to make it computationally expensive to access a webpage, because that’s a natural rate limiter. It kinda sounds like it needs to be made more computationally expensive, however.

Do you have any sources for the 10x memory thing? I’ve seen people who have made memory usage claims, but I haven’t seen benchmarks demonstrating this.

EDIT: glibc-based images wouldn’t be using service managers either. PID 1 is your application.

EDIT: In response to this:

There’s a reason a huge portion of docker images are alpine-based.

After months of research, my company pushed thousands and thousands of containers away from alpine for operational and performance reasons. You can get small images using glibc-based distros. Just look at chainguard if you want an example. We saved money (many many dollars a month) and had fewer tickets once we finished banning alpine containers. I haven’t seen a compelling reason to switch back, and I just don’t see much to recommend Alpine outside of embedded systems where disk space is actually a problem. I’m not going to tell you that you’re wrong for using it, but my experience has basically been a series of events telling me to avoid it. Also, I fucking hate the person that decided it wasn’t going to do search domains properly or DNS over TCP.

Debian is superior for server tasks. musl is designed to optimize for smaller binaries on disk. Memory is a secondary goal, and cpu time is a non-goal. musl isn’t meant to be fast, it’s meant to be small and easily embedded. Those are great things if you need to run in a network/disk constrained environment, but for a server? Why waste CPU cycles using a libc that is, by design, less time efficient?

EDIT: I had to fight this fight at my job. We had hundreds of thousands of Alpine containers running, and switching them to glibc-based containers resulted in quantifiable cloud spend savings. I’m not saying musl (or alpine) is bad, just that you have horses for courses.

Is it? I thought the thing that musl optimized for was disk usage, not memory usage or CPU time. It’s been my experience that alpine containers are worse than their glibc counterparts because glibc is damn good. It’s definitely faster in many cases. I think this is fixed now, but I remember when musl made the python interpreter run like 50-100x slower.

EDIT: musl is good at what it tries to be good at. It’s not trying to be the fastest, it’s trying to be small on disk or over the network.

I’m positive it has the same issues as any other Windows VM setup. If you’ve got two GPUs, you can probably pass one of them through to the VM and get good graphical performance.

I wish the virtio-gpu stuff hadn’t died on Windows…

EDIT: It might not be dead? That’s cool if so.

If the game uses Unity and the mods are posted on Thunderstore, then Gale works perfectly.

And even then, zfs dedup is a WHOLE can of worms.

Powershell is a better language but is absolutely dogshit for interactive use IME. It’s SO wordy and the excessive use of camelCase is annoying and I yearn for simple GNU coreutils every time I touch it. Like, give me tail -f please, why does cat also have a -Wait option or whatever the fuck

A bunch of GNU tools have added JSON output and it’s so good. Like, GNU column can take tabular data and convert it into JSON really easily. It’s like the perfect text stream.

I dunno, I’d slow your roll on that. Hanlon’s razor came to notoriety in the field of computer science for a reason. I’ve done software dev professionally for over ten years now and you wouldn’t believe the stupid shit I’ve seen people write. The only thing that sucks more than a computer is the human writing software for it.

For those unfamiliar, here’s Hanlon’s razor:

Never attribute to malice that which is adequately explained by stupidity.

EDIT: After a quick look at the CVEs, this definitely sounds like a big ol’ fuckup. It sounds like there might be some unsafe defaults in polkit as well?

EDIT: Here’s the report from the actual researchers which is MUCH more cogent than OP’s article: https://www.openwall.com/lists/oss-security/2025/06/17/4

It’s chaining two separate oopsies together. This overview on GitHub also provides more details about the libblockdev side of things: https://github.com/advisories/GHSA-mpgj-hch9-5rvx

Specifically, this section:

However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system.

That really doesn’t sound like something intentional to me. That sounds like a HUGE oopsy-woopsy fucky-wucky, to get technical about it.

For people like me who didn’t know what this was:

Stremio offers a secure, modern and seamless entertainment experience. With its easy-to-use interface and diverse content library, including 4K HDR support, users can enjoy their favorite movies and TV shows across all their devices. And with its commitment to security, Stremio is the ultimate choice for a worry-free, high-quality streaming experience.

edit: honestly, that’s a shitty description. This one seems a bit better:

Stremio is a modern media center that gives you the freedom to watch everything you want.

I feel like bpf would be a decent solution for anticheat. I believe you can limit what an ebpf program can look at quite effectively.

Should have just used AGPL from the start, instead of falling back to this fucked up modified BSD license. It wouldn’t stop people from stripping the branding, but they’d have to release source code which would tell all users what they’re actually using.

These are good points, and I was in a shitty mood when I made my comment. It’s an overstatement and not a very good take. I do still strongly support copyleft licenses and DCOs over CLAs, but I shouldn’t turn my nose up when something is released without those.

I used to be excited when companies open-sourced stuff, and that is no longer the case. I suppose I’m just frustrated and bitter and cynical when it comes to large companies doing good things.

Hence my initial whinging about how this was released with a permissive license and a copyright transfer. The longer I’m involved in this industry, the less I like permissive software licensing. There’s obviously a place for it, but my tolerance for permissive licensing is directly tied to my trust for the person or organization backing the software. I don’t trust Microsoft, and I don’t think I will ever personally contribute to their software unless my contribution is made under a copyleft license and with a DCO, not a copyright-transferring CLA.

You’re correct, but I don’t believe that a company shouldn’t be allowed to take my code and change its license in the future. If they want to take something proprietary, they can go ahead and remove my contribution from it first.

You absolutely do not need a CLA with a copyright transfer. There are plenty of large projects that use a Developer Certificate of Origin that protects the company while not allowing them to change the license of your contribution.

I’ll grant that my original post was pissy and angry and not a great take, however. You make good points here.