
@pixx @mntmn why? I have it at home, ordered in initial crowdfunding campaign. Came with a delay but so was mnt reform (and many other projects I backed at around covid times).

@mntmn well, librem5 is almost mnt reform just with a smaller, non-openhw design, not fully modular chassis... and, eh... phone chassis (smaller screen, no keyboard and mouse). But with cellular modem. So _almost_ there.

@g @marcel_kolaja well, apparently all of this is kept secret and nobody is allowed to talk about it, so I'll take a screenshot of this message before they delete it!!

@marcel_kolaja In my opinion Babiš is very corrupt and I don't want him either in Czechia or in the EU

@dcz oh ok, that shortens all the hurdles significantly.
Maybe fedora decided they don't need a kernel on lxc/incus anyway

@dcz I hate booting from usb, all these hurdles with flashing a new iso on it, breaking into secure-mode bios with password I never remember as well as luks recovery key

@BreetzTootz true dat, Various Artists is my favourite band, OST is favourite band of my wife

@ondrej ok then I totally miss the point. You cannot do DNS adblock without hijacking DNS, but yes that shouldn't be each and every request (proxying dns and breaking normal recursion) instead only for blacklisted. But if you hijack everything and pretend to be AA for everything then RD should be totally irrelevant as everything is non-recursive. Is it what you are saying that it still requires RD even when pretending being AA?

@Menel @xmpp @singpolyma ok perhaps it's caching more aggressively than SOA TTL, I just set tlsa and checked - it was saying I should set tlsa, waited for ttl time, rechecked - still said I need to set tlsa. But today it's ok, shows green.

@ondrej I mean it's OK to return REFUSED to non recursive queries. It's not OK to do otherwise. Nothing to do with hijacking.

@ondrej Uhm, that's a default in unbound now, called cache snoop protection (REFUSE to rd=0)

@xmpp @singpolyma seems it does not follow cname? or it does not tell if domain is ok already?

@daniel So then simple minimal requirement:
Server must implement endpoint + unique for tlsv1.2 if it advertises PLUS and exporter + endpoint for tlsv1.3. Client may support either endpoint or unique for 1.2 and exporter or endpoint for 1.3 if it attempts to support PLUS

@daniel I went to add it to my domain just to realize with a big surprise I have already set it (don't remember that at all).

@daniel well yes, I'm aware about that problem, but I think the best we can do is just restrict that to rigid rules (1.2=cert+uniq, 1.3=cert+exporter) as otherwise you need to bring in signing and verification into stream feature negotiation which are usually working at different layers and not always can use each other's data.

@daniel I thought sasl-scram-plus is supported by majority client/server implementations?

Omg, just saw ad on youtube - Orban is the only protector of Europe from migration and Brussels is making everything possible to disrupt his noble efforts 🤡 🤦‍♂️ 🤬 google is radicalizing europe

@SwiftOnSecurity to hell with those vulnerabilities. I'm tired of patching them, pulling the plug

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.
