Feuerfest

Just the private blog of a Linux sysadmin

Blocking the competition

Photo by Erik Mclean: https://www.pexels.com/photo/a-room-with-black-and-white-seats-8266814/

Pixelfed's creator Daniel Supernault recently published an open letter addressed to Mark Zuckerberg. The reason being that posts containing links to Pixelfed are marked as spam by Facebook/Meta and are deleted immediately (404 Media on the topic).

My opinion? The open letter is written exactly in the way it needs to be written. Read it for yourself:

Dear Mark,

I hope this finds you well. I noticed something interesting today – it seems Instagram is blocking links to my little open-source project. You know, the one that lets people share photos without harvesting their personal data or forcing algorithmic feeds on them.

I have to admit, I’m flattered. Who would’ve thought a small team of volunteers could build something that would catch your attention? We’re just trying to give people a choice in how they share their memories online. No VCs, no surveillance capitalism, just code and community.

Remember when Facebook started? It was about connecting people, not maximizing engagement metrics. Our project might be tiny compared to Instagram, but we’re staying true to that original spirit of social media – giving people control over their online presence without turning them into products.

You could’ve ignored us. Instead, by blocking our links, you’ve given us the best endorsement we could ask for. You’ve confirmed what we’ve been saying all along – that big tech is more interested in protecting their walled gardens than fostering genuine innovation.

Every time you block a link to our platform, you remind people why we built it in the first place. Your action tells them there are alternatives worth exploring, ones that respect their privacy and agency. So thank you, Mark. You’ve turned our little project into a symbol of resistance against digital monopolies.

Perhaps one day you’ll remember what it felt like to be the underdog, building something because you believed in its potential to make the internet better. Our doors are always open if you want to remember what that feels like.

Best regards,

Daniel Supernault

P.S. Keep blocking those links. Every error message is just free advertising for the social web.

This again brought up a topic: How do I treat companies/social networks that literally block the competition?

Easy answer: I avoid them. Or migrate away from them. Then I delete all my data from their network and stay away from them. Sometimes even going so far as to add their domains to my DNS-Blocklist, so I never ever accidentally browse their site again.

Why?

I don't like being forced into a cage. The term "Internet" stands for interconnected networks. Attempting to create isolated "walled gardens" contradicts my core beliefs about how the Internet should function. If platforms like Facebook/Meta or Twitter/X try to oust the competition I'll gladly start using the competition - provided they uphold the principles of openness and connectivity.

There is a straightforward and logical rationale for this: The Internet is immense, and no single service can encompass everything - whether in terms of functionality or content. If a platform chooses to isolate itself in an effort to retain its users, it has every right to do so. However, it must also acknowledge the consequence of losing a few users in the process.


Hypocrisy

Photo by Madison Inouye: https://www.pexels.com/photo/self-care-isn-t-selfish-signage-2821823/

One of the attributes which is used to describe me, and that I get to hear regularly, is that I am critical. Sometimes this comes in the form of accolades that I have good discernment or that I am brave enough to publicly say things which many dare not. And sometimes in the form of constructive feedback that I should focus more on the positive side of a certain task or project.

However I always try to not be a hypocrite. I regularly question myself if I am the one to blame. If I could have done better, missed a crucial piece of information or if my words contradict my actions. And if they do: Do I have a just reason for this? A cause that explains it in a comprehensible way?

Additionally I try to keep my emotions out. Yes, I do not succeed in this 100% of the time. After all I'm not a machine. Still, I manage to succeed often enough to not look like a raging barbarian. Failing to think over the issue in a neutral way often leads to missing key points. And makes it hard to see it through the eyes of the other involved parties/stakeholders. This in turn causes inaccurate statements or incoherent lines of reasoning. None of this helps to convince other people or to get to the root of the problem.

Therefore it shouldn't surprise anyone that I don't like hypocrisy. Especially so when it touches a topic I have first hand personal experience with and is important to me.

Mental Health Day

October the 10th is the international day of awareness for all topics related to Mental Health. Be it a proper Work-Life-Balance, the poor care for people suffering from diseases such as depression (and many others) or the sadly still existing prejudices against people who have suffered from - or still do - Mental Health issues.

A complicated & delicate topic

Mental Health issues are a tricky thing. In nearly all cases I got to know in detail, the ones suffering from it are neither responsible nor to blame. Some people crumble under all the injustice in this world. Shattering while trying to just make things right, but doomed from the start, as a single person can't beat the company, let alone the system.

Others experienced such malevolent acts, even without getting hurt physically, that it left them in ruins. Just think about the child which constantly experienced injustices from its parents. Never getting to know what the word family should mean.

Yet these very same people have to accumulate an immense amount of strength and pick up the fight for their own sanity. Just to live a happy life.

And then there are outsiders who make fun of them for that. Who belittle them. Who question their ability to ever regain their mental health. That they can ever be a productive person again.

These are the people I strongly recommend a therapy - or at least speaking with, for example, a recovered alcoholic or a rape survivor. As the immense lack of sympathy and humility they show is shocking. They can't even imagine what these people have been through and how much work therapy is. Yet, again, some people make fun of therapy as they think of it as "It's just singing in a circle and clapping with your hands." No, it's not.

A special place in hell

And then... there are certain companies I know of. Posting on LinkedIn, Twitter, Instagram and all those other social-media and business platforms how "Mental Health aware" they are. How much they care to enable their employees to live a good work-life balance. Etc. And so on. Yada Yada.

All this while they engage in union-busting with the help of a specialised law-firm. And have absolutely no issues in threatening, admonishing or taking people to court over nonsense. Sometimes even utilizing their knowledge of the mental health issues of certain employees to even quicken the process of making them resign (or leaving with a severance package and a signed NDA). Effectively using it as a weapon against them. Just to reach their goal of preventing a union.

And the only thing these people did was trying to organize a union to get their rights and better their situation.

Yeah, I seriously hope those people get a special place in hell.


De mortuis nihil nisi bene

Photo by Veronika Valdova: https://www.pexels.com/photo/cemetery-of-fallen-soldiers-and-veterans-930711/

This is a Latin saying commonly translated to "Speak no ill of the dead." And I somewhat agree with that, however, due to a recent event in Germany I realized that I apply this behaviour in a more contextualized way.

But what happened? Ursula Haverbeck died. She was one of Germany's best-known Holocaust deniers. This despite being born in 1928, so she must have experienced - or at least heard of - the horrors first-hand. She must have seen people vanishing at night. Burning shops of "unwanted people" etc.

Yet she denied the holocaust publicly several times - which is a crime punishable by law in Germany. And to prison she went. I think between 3 to 5 times. For a sentence of, in total, 4 years.

Now she is dead at the age of 96.

And of course there are many jokes about her death, people being generally happy that this mean-spirited woman is gone, etc. and so on. Just the Internet being ... well, The Internet.

Personally I smiled about some remarks or jokes but saw a line crossed when people were proposing to do illegal things to her grave. That's definitely against too many of my personal viewpoints. No matter if you believe in (a/any) god at all, or of which faith you are, a graveyard is sacred ground. A place where the living can meet the dead on a highly personal level. To ease the sorrow of a lost one. Completely disconnected from any religious dogmas or viewpoints - no matter if you share the same faith as the deceased person or not.
Religious arguments aside: Desecrating just one grave affects all people who have a connection to this graveyard. Totally not acceptable.

However there are many people who post comments with "Speak no ill of the dead." in order to ask people to stop making fun of her. And the common reply is: "There is nothing wrong in telling the truth about a dead person."

And I second this. We do not speak well of many people from the history of mankind either. Of course Hitler & Stalin immediately come to mind.
Well, certain people do, of course. But most people will be very determined in what they think of such people.

So, yes. Say anything about a dead person. As long as it is true. But keep in mind to whom you are speaking.

And this is what I realized. When I am at a funeral I won't go to the grieving partner/family-member/whomever and tell this person: "Ah, well you know.. I never really liked X anyway." No, you won't. Common courtesy. Not the time nor the place to play games or live your personal vendetta. And if you can't bring yourself to not say anything like this: Be a nice human being and don't show up at all. Sometimes staying away from a funeral you have been invited to already says more than enough.

Maybe you would state that you will still miss this person - despite giving you hard times every now and then. Again focusing on the good. And this should be fine. As usually the bereaved know the character of the deceased very well for themselves.

For me, the saying therefore reads as: "Speak no lie of the dead and mind who you are talking to."

If we can collectively agree on this, then the Internet will be a better place.


Get the damn memo already: Java11 reached end-of-life years ago

Photo by Chevanon Photography: https://www.pexels.com/photo/person-performing-coffee-art-302899/

I really dislike the uninformed attitude of some companies to the dependencies of their software. In this case: Rundeck.
They actually state the following in their installation documentation:

Rundeck depends on Java 11. The Java 14 packages will satisfy this dependency however Rundeck will not function properly with them. It is recommended to install the openjdk-11-jre-headless package manually.
Source: https://docs.rundeck.com/docs/administration/install/linux-deb.html

In case PagerDuty (who owns Rundeck) didn't get the memo: Java11 reached end-of-life years ago! And some Linux distributions don't have packages for it any more. The latest Java version is Java22. And the current LTS version is Java21.

Utilizing https://endoflife.date/ we can easily get an overview of the respective dates.

Free builds from Oracle: https://endoflife.date/openjdk-builds-from-oracle: End of life reached: 19th March, 2019.

Paid builds from Oracle: https://endoflife.date/oracle-jdk: Premier Support reached end-of-life on 30th September 2023. Extended Support lasts until 31st January 2032.

RedHat builds of OpenJDK: https://endoflife.date/redhat-build-of-openjdk: Support ends 30th October 2024. With paid extended life-cycle support 1 it ends 31st October 2027.

However this is just for the OpenJDK packages!

The really important part is: Are there any Java11 packages for the operating system being used?

RedHat Linux Enterprise Server 9 contains Java1.8, Java11 and Java17.

SuSE Linux Enterprise Server 15 SP6 contains Java1.8, Java11 and Java17.

Ubuntu 24.04 - the current LTS version, provides OpenJDK packages for version 11, 17 and 21.

Debian Stable (Bookworm currently) ships with OpenJDK 17 only.

Sure, there are backports available for Debian, or you can just build your own packages. But that is not what bothers me. Java11 was released in September 2018. That is about 6 years ago. Java14 was released in March 2020. Four years ago.

And in all these years, they haven't been able to update their commercial application to depend on a more recent version of Java? Which is included in more recently released distributions? Or at least make it work with them? This annoys me. Yes, it's nice that you offer free community packages for non-commercial distributions - but if I can't install your software because of missing dependencies, it doesn't help at all.

Especially as many business customers run commercial Linux distributions such as RedHat Linux Enterprise Server (RHEL) or SuSE Linux Enterprise Server (SLES) and are required to update regularly. Either by their own processes & standards or by law/insurances.

They literally can't install or even run older, unsupported versions of Java11 packages. This effectively forces them to purchase additional support packages for older versions of Java. Great! Not to mention if RHEL or SLES were to drop Java11 support. (Well, at least OpenJDK11 is already somewhat confirmed for RHEL10. Though I don't know if only with a valid ELS subscription or not. SuSE has not said anything about Java11 and SLES16 as far as I know).

Or they run one of the big non-commercial distributions like Debian or Ubuntu. Sure, Ubuntu 24.04 would be a viable alternative. But what if the customer doesn't have any Ubuntu servers? Should there be one or two Ubuntu servers out of thousands, just for one meagre application?

Create completely new Ansible playbooks and/or Puppet modules just for a handful of servers running a completely different OS? Maybe even use different software for other basic tasks like backup, LDAP integration, etc. in case the current software doesn't support Ubuntu LTS? This can easily lead to a long (and expensive) software chain reaction. Not to mention the new skills required at staff level.

"Just use docker."

You do understand that Docker is no solution to security risks when the container runs the same outdated software, yes? Sure it's good for mitigation/reduction of the attack surface but it doesn't fix the underlying problem.

And this annoys me. We really should hold enterprise software accountable to higher standards.

I do understand fairly well that someone at PagerDuty must have thought: "Well, all major (commercial) Linux distributions still support Java11, so there is no business risk for us. And for the rest we just provide container images via Docker." Yep, this is the reason why we sometimes can't have nice things. Total neglect of the wider responsibility while additionally ignoring the fact that Java11 needs to be included in all these commercial distributions as still too many software products rely on it.

If you sell software, every process involved in creating that piece of software should be treated as part of your core business and main revenue stream. Giving it the attention it deserves. If you don't, I'm going to make a few assumptions about your business. And those assumptions won't be favourable.

Unfortunately, this form of critical thinking about software dependencies is eroding as "Just use Docker" becomes the new norm among the next generation of IT professionals.


Why I'm on #TeamKeePassUltras

Photo by Paula: https://www.pexels.com/photo/grey-metal-lockers-is-open-170453/

Recently I got into a discussion about cloud password managers like LastPass, 1Password and the like. People argued that they were great because they offer flexibility, synchronisation, and enable users to automatically choose secure passwords. And while I concurred with these arguments, I still took the position of the opposite side.

I am strongly against any form of online/cloud/managed password managers where I (or an entity I trust) don't control everything in a transparent way. Why?

First let me make what I call "the conspiracy theory argument": It's the least important argument for me, but is suited just right for paving the way to my main arguments. Most companies are US based. National security letters are a fact. And companies like Lavabit and, presumably, the Open Source Drive/File encryption project Truecrypt had their fair share of experience with them. The US and especially the NSA shows that it has no sane moral limits on what type of data to access, accumulate, and analyse. Would they stop at companies offering password managers? I don't think so. Others take the stance: "Why should they send an NSL to LastPass, if they can access the data they are after directly through other means?" but enough on that point.

My main argument is the following: "If I can't trust them, why should I use them?" A cloud password manager is a blackbox. I put my credentials in, hit save, and that's it. What happens in the background? Is the data stored securely? Are the algorithms used still considered secure? Are there no unencrypted backup copies? What does their security concept look like? Are the servers patched regularly? Am I being informed to re-generate my passwords in case the password-generation algorithm had a flaw and was, for example, tied to the system's date and time (wired.com)? I can't know.

Just search for the name of your cloud password provider and add the lovely word "breach". There were already dozens of them for all online password managers out there. Despite people ironically choosing or recommending them as being "more secure".
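Why a generator "tied to the system's date and time" forces regeneration, as an added example that is not from this post or from any vendor: `flawed_generate` is a constructed stand-in for such a generator (not any real product's algorithm), and the vault entries, timestamps and function names are assumptions. The audit flags every entry whose password can be reproduced from a clock value near its creation time.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def flawed_generate(unix_time: int, length: int = 16) -> str:
    """Constructed model of a flawed generator: the clock is the only seed."""
    rng = random.Random(unix_time)  # same second -> same password, everywhere
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def sound_generate(length: int = 16) -> str:
    """Counterpart drawing from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def needs_regeneration(password: str, created_at: int, skew: int = 300) -> bool:
    """True if the password equals the flawed generator's output for any
    second within +/- skew of the entry's creation timestamp."""
    length = len(password)
    return any(
        flawed_generate(t, length) == password
        for t in range(created_at - skew, created_at + skew + 1)
    )


def audit(entries, skew: int = 300):
    """Return the titles of vault entries that must be regenerated."""
    return [
        e["title"]
        for e in entries
        if needs_regeneration(e["password"], e["created_at"], skew)
    ]


def sample_vault():
    """Constructed sample data: three entries with creation timestamps."""
    t = 1_700_000_000
    return [
        # Produced by the flawed generator two seconds before it was saved.
        {"title": "mail", "created_at": t, "password": flawed_generate(t - 2)},
        # Produced from the CSPRNG: no nearby clock value reproduces it.
        {"title": "bank", "created_at": t + 60, "password": sound_generate()},
        # Typed in by hand.
        {"title": "forum", "created_at": t + 120,
         "password": "correct horse battery staple"},
    ]


if __name__ == "__main__":
    print("regenerate:", audit(sample_vault()))
```

The audit only works because the generator's algorithm is known here; with a closed service the user has to rely on the provider to run this check and announce the result.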

But more secure in comparison to what?

You don't have to use an online/cloud password manager. A locally installed password manager like KeePass works the same way.

"But it doesn't synchronize automatically with all my devices!" - Ah, so it's comfort you are after? Yeah, well that is the common trade-off you have to choose: Comfort, or security. However, you do know KeePass has a built-in sync which allows you to sync two KeePass database files? I use that and it works fine.

Or I just copy over the file from my Linux workstation onto my Smartphone when I know that I had added no new entry on my smartphone. There are enough tools to allow the accessing of Windows/NFS/whatever file shares from Smartphones. Even via SSH utilizing SCP.

Additionally, online password managers with sync features that allow you to host your own instance do exist! Take for example Bitwarden: https://bitwarden.com/help/install-on-premise-linux/
This would give you the security of hosting it yourself and the automatic sync feature so many people desire. If it is not made accessible to the internet, but is online in your local network, you can still sync your smartphone, without opening your crucial application to the biggest security risk in human history: The internet.

Sure, not everybody has the knowledge to selfhost such an application. That's a fair point which Jürgen Geuter aka tante pointed out years ago in his writing "Host your own is cynical". But that's exactly the reason why I make this blogpost about me and my viewpoint. I have the knowledge, and I constantly observe broken promises by the very companies who gave them. And yet I still use KeePass. As I like the simplicity.

That's why I'm on #TeamKeePassUltras. An OpenSource application available for all operating systems out there. A simple file, a key, a passphrase and that's it.


Personal thoughts on AI helper tools for job interviews

Photo by Sora Shimazaki: https://www.pexels.com/photo/professional-man-interviewing-an-applicant-5668863/

I recently read a comment on the /r/linuxadmin subreddit from someone who has developed and commercially runs a tool that helps job applicants in real-time, parallel to their interview. This tool doesn't just transcribe spoken words, which is fine by me. It can also solve coding problems and actively suggest what a candidate should say next to "ace the interview". It can even analyse the video feed to solve coding problems written down on a whiteboard.

This is precisely why I value meeting an applicant in person. Inviting them for a trial day of typical problems and conversations with potential future colleagues. It gives them a clear idea of what it's like to work for the company.

I understand that people can be in dire situations where they really need a job. Still, I do tend to have more sympathy for a person who is open and honest about their knowledge gaps.
However, I also disagree with seeing them as negative per se. Instead, it's a huge bonus when someone is able to say, "I don't know." Especially in such a delicate situation like a job interview.

If a candidate says, "I don't know." I will reply, "Perfect! Then let's iterate together on how you would proceed. Like you've just encountered a new problem at work without further knowledge."
I gain a great deal of insight into a person from their answers to such questions.

At a previous employer, I was interviewing a candidate. This applicant regularly said, "I don't know." This was to be expected. My colleague and I intentionally asked follow-up questions on the answered questions, constantly diving deeper into technical details. We didn't just want to check on the basics. We wanted to know if he understood the concepts and how he plans his work. Company-specific and technical knowledge is something we can teach. Changing how an adult person thinks and approaches problems? This is something we cannot do.

After working in our team for two years, he told us the following: "Right after the interview, I'd called my wife. I told her, 'Well, it looks like I'm not going to get the job. It feels like I couldn't answer anything.' Can you imagine how surprised I was when I was invited for a trial day?"

We then explained to him why we interview the way we do, and he added, "In most companies, I was only asked basic questions. And more often than not, there was not one person from the technical department. Not even from the team they were hiring for."

The upshot is that companies need to get their recruitment processes right and not just tick boxes.
If you do the latter, you'll get solutions like those described above.

And I don't think that's a good development for anybody.

I have also learnt to redesign my interviews. I don't want candidates to leave the interview feeling devastated or like they're not good enough. They may not be a good fit for the company and we may have to turn them down for various reasons, but that doesn't mean they're bad at what they do. There are just too many variables that need to come together in order to hire someone.
