Site renders great for me, iOS Safari with blockers; text selection works fine.
Yeah, I know, karma hit coming, but the other comments are so counter to my experience (I quite like the page and content) that I could not not comment.
Perfmon essentially allows you to define commands you use daily, define them in a TOML file and tab them, i.e. customizable.
It could be docker or kubernetes commands and so on. This is different from btm.
Ha, I've literally never heard of bottom, and haven't looked it up yet, but it's just kind of funny doing Linux/Unix forever and knowing almost exactly what it must be about, just given the name. I'll edit this if I was wrong, but I bet I won't be.
Fascinating. Anecdata, sample size 1. If it works for OP, fantastic.
Definitely does NOT work for me.
My recipe, such as it is:
1. Be gentle with myself every morning. I may wake vaguely human, but consciousness and acuity require coffee, word games, ablutions, and point 2.
2. Dog walking, aka DW, aka Diagnostic Wandering, allows me to breathe fresh air, let my mind wander or perhaps let it focus. Most of the best code I've written in the last 4 years has been DW code. All of the weird bug discoveries have been DW discoveries. Most - and almost all - of my discoveries about how ND I am and how I really work have been DW discoveries.
3. Recognize which brain I have today, and select issues/workload based on that...
4. ...unless I really, really must, MUST, work on something specific, in which case force it, knowing there is a cost.
5. Recover from such costs as quickly as possible, but as gently as possible (cf #1, #2).
6. When off-roading with my very good friend the CTO, do NOT talk about work...
7. ...unless we both agree something needs 30-90s, after which resume #6.
8. Watch football all day Saturday, if possible, preferably Liverpool, but not necessarily. Detach. (If Saturday is impossible, e.g., family obligations, substitute Sunday.)
9. Read in bed every night before turning off the light, regardless of how tired I am. Subject is irrelevant (current bedside stack: LotR (again), two books of category theory, Ulysses). One sentence, one paragraph, one page, or as many as need be, until I start to drift off. If my GF has to collect the book from my chest and turn off the light, so much the better! :-> (She's a night owl, there is no cost and there is much joy to her in this.)
10. Endeavour to start the bedtime process between 2300 and 2330 as often as possible - but see #1 re gentleness. DO teeth. EVERY night. REGARDLESS.
11. Nap occasionally. Ah, my 60s.
12. Recognize when #11 is a MUST, not just a SHOULD.
Let the brain cook and stew and bubble and backburn whilst doing other things. As effective as DWs for things that are more "R" than "d".
Yeah, so I only work "properly" for a few hours, and then I'd say I am gentle with myself the entire rest of the day. That's why I put all the "don't want to do, but need to get done" stuff in the first part. Then I'm chill for the rest of the day!
I got this idea from Brian Tracy's concept of "Eat That Frog" (and book of same title). "If you have to eat a live frog, it doesn't pay to sit around and look at it for very long."
I found the same principle applies in life in general. Once I've decided to do something I'm avoiding, I just have to jump into action right away, before the moment of hesitation can grow into a mountain of dread.
I guess, then, that one of the big benefits of my daily is that we don't swing wildly between WFH and RTO with whatever trend/fashion/panic/wind/fart is in the zeitgeist/ether/air/media?
With the exceptions of the occasional client meeting that must be onsite, or the occasional conference, and our monthly team lunches, I've been 100% WFH since mid-2020, not pandemic related (I was mostly WFH since sometime in 2019 (waves vaguely), and it was changing from consultant to senior wage slave that sealed the deal).
Just like the rest of my team. OK, sure, we're small, and OK, sure, perhaps we use the available communication channels more effectively than others seem to, and OK, sure, while some of us are friends, I don't think any of us make the category error of assuming that coworkers are supposed to double as our social life, but seriously, if people are effective working from home, and we are, then let them.
The world started WFH, we changed nothing. The world started RTO, we changed nothing. The world started complaining about gas prices, well, those of us who own trucks and/or off-road did too, but we changed nothing about how we work.
Triple the price of 1Gbps fibre to the home and we might get a bit more upset.
Interesting article, but it compares apples to a fruit stand: The approach could be improved by comparing Capsicum to using seccomp in the same way.
Some time ago I wrote a library for a customer that did exactly that: Open a number of resources, e.g., stdin, stdout, stderr, a pipe or two, a socket or two, make the seccomp calls necessary to restrict the use of read/write/etc. to the associated file descriptors, then lock out all other system calls - which includes seccomp-related calls.
Basically, the library took a very Capsicum-like approach of whitelisting specific actions then sealing itself against further changes.
This is a LOT of work, of course, and the available APIs don't make it particularly easy or elegant, but it is definitely doable. I chose this approach because the docker whitelist approach was far too open ended and "uncurated", if you will, for the use-case we were targeting.
In this particular case, I was aided by the fact the library was written to support the very specific use-case of filters running in containers using FIFOs for IPC, logging, and reporting: Every filter saw exactly the same interfaces to the world, so it was relatively easier to lock things down.
Having said that, I wish Linux had a Capsicum-equivalent call, or, even better for the approach I took, a friendlier way to whitelist specific calls.
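As an added illustration of the fd-scoped seccomp policy described above (this is my example, not the commenter's library; the exact syscall set, the choice of fds 0, 1, 2 plus one extra descriptor, and the x86_64/aarch64 arch constants are my assumptions), here is a raw BPF filter that permits read()/write() only on descriptors opened beforehand, lets the process exit, and fails every other call with EPERM. A small evaluator for the three opcodes the program uses lets the policy be checked offline before install_fd_filter() hands it to the kernel:

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#  error "the 32-bit load of args[0] below assumes a little-endian host"
#endif

#define FD_FILTER_LEN 13

/* Emit the policy into out[] (capacity FD_FILTER_LEN) and return its length.
 * Jump offsets are relative to the next instruction, as in classic BPF; the
 * comments give the absolute index each jump lands on. */
size_t build_fd_filter(struct sock_filter *out, uint32_t extra_fd)
{
    const struct sock_filter prog[FD_FILTER_LEN] = {
        /* 0-1: refuse calls made through a foreign ABI (e.g. x32 on x86_64) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 0, 10),    /* else -> 12 */
        /* 2-5: dispatch on the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 7, 0), /* -> 11 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 1, 0),       /* -> 6 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 6),      /* -> 6, else 12 */
        /* 6-10: read/write only on fds 0, 1, 2 and extra_fd; the fd is the low
         * 32 bits of args[0] (a small non-negative int, so the high half is 0) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 3, 0),               /* -> 11 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 2, 0),               /* -> 11 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 1, 0),               /* -> 11 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, extra_fd, 0, 1),        /* -> 11, else 12 */
        /* 11: allow.  12: fail the call with EPERM instead of killing the
         * process, so a libc that starts issuing a syscall you did not expect
         * shows up as an error return rather than a SIGSYS. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    memcpy(out, prog, sizeof prog);
    return FD_FILTER_LEN;
}

/* Interpret the three opcodes used above (absolute word load, equality jump,
 * return) against a synthetic seccomp_data, so the policy can be unit-tested
 * before it is installed.  Anything outside that subset yields KILL. */
uint32_t eval_filter(const struct sock_filter *prog, size_t len,
                     const struct seccomp_data *d)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *d) return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end of the program */
}

/* What the policy (with extra_fd allowed) returns for one hypothetical call. */
uint32_t decide(uint32_t extra_fd, int nr, uint64_t fd)
{
    struct sock_filter prog[FD_FILTER_LEN];
    size_t len = build_fd_filter(prog, extra_fd);
    struct seccomp_data d = { .nr = nr, .arch = FILTER_ARCH, .args = { fd } };
    return eval_filter(prog, len, &d);
}

/* Hand the policy to the kernel.  From then on it is permanent: prctl() is
 * not in the allowlist, so the process cannot loosen or replace it. */
int install_fd_filter(uint32_t extra_fd)
{
    struct sock_filter prog[FD_FILTER_LEN];
    struct sock_fprog fprog = { .len = FD_FILTER_LEN, .filter = prog };
    build_fd_filter(prog, extra_fd);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

Drive decide() from a unit test with the syscall numbers and fds the program is expected to use, and call install_fd_filter() only after the last open()/pipe()/socket() and before any untrusted input is touched. Returning SECCOMP_RET_ERRNO rather than a kill action is deliberate while the allowlist is still being curated: the kind of unexpected libc syscall discussed further down in this thread then surfaces as a failed call with errno EPERM instead of a dead process, and the final return can be switched to a kill action once the list is settled.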
A problem with that approach is that libc can after an upgrade decide to start doing syscalls you were not expecting. Like the first time you call `printf()` it calls `newfstatat()`. Only the first time. Maybe in the future it'll call it more often than that, and then your binary breaks.
I'm not sure what glibc's latest policy is on linking statically, but at least it used to be basically unsupported and bugs about it were ignored. But even if supported, you can't know if it under some configurations or runtime circumstances uses dlopen for something.
Or maybe once you juggle more than X file descriptors some code switches from using `poll()` to using `select()` (or `epoll()`).
This is a problem but fwiw libcs should be falling back to old system calls. You can block clone3 today and see that your libc will fall back to clone.
Yeah. But it still means wandering into de facto unsupported territory in a way that pledge/unveil/landlock does not.
Your example may be true, but I'm guessing it's not a guarantee. Not to mention if one wants to be portable to musl or cosmopolitan libc. The others inherently are more likely to work in a way that any libc would be "unsurprised" by.
That's the approach I meant by "that approach", the library the parent commenter was talking about writing for a customer. Compare this to Landlock or OpenBSD's pledge/unveil.
“The goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock is a stackable LSM [(Linux Security Model)], it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. ... Landlock empowers any process, including unprivileged ones, to securely restrict themselves.”
I've actually found it pretty fine. It doesn't have full coverage, but they have a system of adding coverage (ABI versions), and it covers a lot of the important stuff.
The one restriction I'm not sure about is that you can't say "~/ except ~/.gnupg". You have to actually enumerate everything you do want to allow. But maybe that's for the best. Both because it mandates rules not becoming too complex to reason about, and because that's a weird requirement in general. Like did you really mean to give access to ~/.gnupg.backup/? Probably not. Probably best to enumerate the allowlist.
And if you really want to, I guess you can listdir() and compose the exhaustive list manually, after subtracting the "except X".
I find seccomp unusable and not fit for purpose, but landlock closes many doors.
Maybe you know better? I'd love to hear your take.
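To make the listdir()-and-subtract idea above concrete, here is an added example (mine, not code from anyone in this thread; the sample home layout is a constructed fixture and the read-only access set is my choice) that builds the exhaustive allowlist for "everything under root except these names" and then feeds it to Landlock as read-only path rules, using only ABI v1 access rights:

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__has_include) && defined(__NR_landlock_restrict_self)
#  if __has_include(<linux/landlock.h>)
#    include <linux/landlock.h>
#    define HAVE_LANDLOCK 1
#  endif
#endif

#define MAX_ENTRIES 256

static int cmp_str(const void *a, const void *b) { return strcmp(*(char *const *)a, *(char *const *)b); }

/* Fill paths[] with "<root>/<name>" for every entry of root except ".", ".."
 * and the n_excluded names.  Matching is on the exact name, so excluding
 * ".gnupg" does NOT drop ".gnupg.backup": it stays in the list until you name
 * it too.  Returns the sorted count, or -1 with errno set; the caller frees. */
int compose_allowlist(const char *root, const char *const *excluded, size_t n_excluded,
                      char **paths, size_t max_paths)
{
    DIR *dir = opendir(root);
    if (!dir) return -1;
    size_t n = 0;
    struct dirent *ent;
    errno = 0;                       /* readdir() reports end-of-dir with errno untouched */
    while ((ent = readdir(dir)) != NULL) {
        int skip = !strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..");
        for (size_t i = 0; i < n_excluded && !skip; i++)
            skip = !strcmp(ent->d_name, excluded[i]);
        if (skip) continue;
        if (n == max_paths) { errno = ENOSPC; break; }
        size_t len = strlen(root) + 1 + strlen(ent->d_name) + 1;
        if (!(paths[n] = malloc(len))) { errno = ENOMEM; break; }
        snprintf(paths[n++], len, "%s/%s", root, ent->d_name);
    }
    int saved = errno;
    closedir(dir);
    if (saved) { while (n) free(paths[--n]); errno = saved; return -1; }
    qsort(paths, n, sizeof *paths, cmp_str);
    return (int)n;
}

/* Constructed fixture: a throwaway "home" holding the secret dir and a
 * lookalike.  tmpl must end in XXXXXX and is rewritten to the created path. */
int make_sample_home(char *tmpl)
{
    static const char *const names[] = { ".gnupg", ".gnupg.backup", "docs", "src" };
    char buf[4096];
    if (!mkdtemp(tmpl)) return -1;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        snprintf(buf, sizeof buf, "%s/%s", tmpl, names[i]);
        if (mkdir(buf, 0700) != 0) return -1;
    }
    return 0;
}

/* Turn the list into read-only PATH_BENEATH rules and restrict this process.
 * Every right named in handled_access_fs that no rule grants is denied from
 * then on.  Returns 0, or -1 with errno (ENOSYS without Landlock support). */
int apply_readonly_landlock(char *const *paths, size_t n)
{
#ifndef HAVE_LANDLOCK
    (void)paths; (void)n; errno = ENOSYS; return -1;
#else
    const __u64 ro = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
    struct landlock_ruleset_attr attr = {            /* ABI v1 rights only */
        .handled_access_fs = ro | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_EXECUTE
                           | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_REMOVE_FILE };
    /* the ABI-version query doubles as the "is Landlock here at all" probe */
    if (syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) < 1)
        return -1;
    int rs = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rs < 0) return -1;
    int ok = 1;
    for (size_t i = 0; ok && i < n; i++) {
        struct landlock_path_beneath_attr rule = { .allowed_access = ro,
            .parent_fd = open(paths[i], O_RDONLY | O_CLOEXEC) };
        ok = rule.parent_fd >= 0 &&
             syscall(__NR_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) == 0;
        if (rule.parent_fd >= 0) close(rule.parent_fd);
    }
    ok = ok && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
         syscall(__NR_landlock_restrict_self, rs, 0) == 0;
    int saved = errno;
    close(rs);
    errno = saved;
    return ok ? 0 : -1;
#endif
}
```

Call compose_allowlist() with the home directory and the names to carve out, inspect what came back, then hand the list to apply_readonly_landlock(). Because exclusion is by exact name, ".gnupg.backup" stays in the list for the sample home, which is exactly the point made above: enumerating forces you to see it and decide. The version query is the ABI-version check mentioned earlier, and the function degrades to ENOSYS where the kernel or headers predate Landlock rather than silently running unrestricted.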
I definitely don't know better, and after taking a few more looks at landlock, I'm not even sure what my objections were, probably got it confused with something else entirely. Confusion and ignorance on my part I guess.
The actual title of the short uses the word "automate", French for "automaton"; I suspect NPR simply used the more familiar word in their headline for clarity.