This was very helpful and well done. Thank you! I’m trying to find more resources of this level to educate my peers and there is so much noise. Would you happen to have some books about cybersec? Thanks again!
Not bad! Two questions: 1. How trustworthy is Tailscale? 2. Can the exit node be set up to then connect to an external VPN like Nord? I.e. as in two jumps for extra protection, one private on Hetzner and one shared.
> 1. How trustworthy is tailscale?

Very, IMHO. See tailscale.com/security for a technical description of how their service works; the TL;DR is that they facilitate distribution of _PUBLIC_KEYS_, not private keys and not the data being sent.

As for whether it's safe to use that curl installer script or their `tailscale up` binary: this is a more philosophical take on my part, and is thus inferior to a technical analysis of the code itself (their code is open source), but Tailscale is a small security business. Small security businesses live and die based on their reputation, and if they started installing malware they would lose their reputation quickly and go out of business.

2. Yes, you can do this. However, you're not really gaining anything by doing so. You are essentially distrusting Hetzner with the setup you describe, and if you distrust Hetzner, then simply don't use them. Go directly to NordVPN from home. Your ISP doesn't particularly care whether they know you are talking to Hetzner or Nord; they can't see what you're doing regardless. If you think you're tricking Nord with this scenario, you're not... Sure, they don't know your IP address, but they know it's you based on the account information you use to sign in.
Thanks for the video! I have an error when trying to execute this command: mount -t squashfs -o loop /mnt/cdrom/lfs.sqsh /mnt/ro. It says "no such device"; when I do "ls /dev/loop*", loop0 exists. Can you help, please?
I had a lot of issues with Pop!_OS. I am not a Linux pro or anything, so maybe it's my fault, but after about a month the OS just falls apart and gets stuttery and crashes. Maybe it's GNOME/COSMIC? I don't know, but I found Mint and now EndeavourOS to be a much better experience. I will be giving it another go of course when COSMIC updates, but I am unsure I'll actually switch. Arch-based has been the best Linux experience I have personally had, especially for gaming. Good video and have a blessed day.
What should be added to this minimum if I want to run a GUI (like GTK) app with audio? Without any desktop environment or window manager (or at least a manager which allows creating a fullscreen graphics app with the OpenGL/Vulkan API). (Yep, I need this for a Raspberry Pi-like embedded system.)
So, to summarize, I need to: 1. Build a Linux kernel for my specific platform with all required drivers (for the graphics and audio which I need). 2. Add some stuff to init(rd) which will allow me to use the graphics and audio APIs. 3. Add my app built for this. Correct?
Great video, need to rewatch it. Quick question regarding parallelism: Can you use something like epoll to listen to the ring buffers, if they offer some kind of a file descriptor?
Whenever you do any kind of benchmark, I'd suggest always using "perf stat <exename>" and not "time <exename>", as this will read the kernel's performance counters and give you not only the time but, among other things, the page faults, giving an indication of (at least temporarily) used memory. How the package is named depends on your distribution, something like "perfmontools" or what.
If you are interested in both Rust and cyber security, you might be interested in the book "Black Hat Rust" kerkour.com/ Think of it as a way to learn Rust through cybersec projects.
I have another question about performance: why does BufReader::lines() return String? I don't need a growable buffer, I need an immutable view into the string content!
Windows does prompt about it automatically during the course of running, as auto updates are on by default; I think it's been that way since at least XP. Seems that communication from the OS to the user in Linux is a bit lacking too, given the subsequent ep. Shame really, because Windows is getting irritatingly complicated even in things that used to be a breeze or easy (the whole Start button menu and Settings aspect is now a questionable affair cluttered with trash and takes a long time to purge the garbage). I do hope that Linux will one day rise to the challenge; sadly, for the last 3 decades it has been trailing most major OSes in end-user experience. Probably absolutely glorious for people already familiar with them though.
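An added example, not from the video or from this commenter, for anyone who wants the page-fault number from inside the program rather than from perf: it reads the same minor-fault counter that perf stat reports as "page-faults" through getrusage() (a swap-in for perf's counters, not perf itself), touches a chosen number of fresh anonymous pages, and returns how many faults that cost. Each first touch of a fresh page is one fault, so the count is a direct measure of memory actually touched, which "time" cannot tell you. The page count is the caller's choice; 256 in the usage below is an arbitrary sample of mine.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Minor page faults this process has taken so far (the "page-faults"
 * event perf stat prints, read via getrusage instead of perf counters). */
static long minor_faults(void) {
    struct rusage ru;
    if (getrusage(RUSAGE_SELF, &ru) != 0) return -1;
    return ru.ru_minflt;
}

/* Map `pages` fresh anonymous pages, write one byte to each, and return
 * the minor faults that cost. The first touch of every page is one fault,
 * so the result is at least `pages`. (Assumed sample sizes only.) */
long faults_for_touching(size_t pages) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = pages * page;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;

    long before = minor_faults();
    for (size_t i = 0; i < pages; i++) p[i * page] = 1;   /* one fault per page */
    long after = minor_faults();

    munmap(p, len);
    return after - before;
}

/* Touching the same pages a second time costs (almost) nothing: they are
 * already resident, so the fault count measures first-touch memory, not
 * total memory traffic. */
long faults_for_retouching(size_t pages) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = pages * page;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;

    for (size_t i = 0; i < pages; i++) p[i * page] = 1;   /* first touch: faults */
    long before = minor_faults();
    for (size_t i = 0; i < pages; i++) p[i * page] = 2;   /* second touch: resident */
    long after = minor_faults();

    munmap(p, len);
    return after - before;
}

int main(void) {
    return faults_for_touching(256) >= 256 && faults_for_retouching(256) < 256 ? 0 : 1;
}
```

Call faults_for_touching() around the code you are benchmarking instead of around the loop here and you get the same number perf stat's page-faults column would show, without needing perf installed.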
Didn't quite catch why the allocator wouldn't give back 2559 dirty pages to the OS if these 64 bytes are in use. Does the allocator want us to free all requested memory to give those pages back, or is it because we wrote data to these 10 MB but freed only 9.9 MB?
This is difficult to explain, sorry for the confusion. There are two types of allocation in Linux.

One uses sbrk to move something called the break for the heap up and down. Think of the break like a line. In the case where you move the break up 10 MB, either in one big jump or many small jumps, then you use all of that 10 MB, then you free all the memory other than the very top; the allocator cannot move the break back down because that very top is still being used.

The other way to allocate is via mmap. If you use mmap by hand, you can grab a 10 MB chunk of memory, use it, and then mark 9.9 MB of that memory as DONT_NEED. I've not seen that sort of behaviour when an allocator uses mmap to grab memory and then gives it to you via malloc/free. In the case where an allocator uses mmap, it will (hopefully) mark that 10 MB chunk of memory as DONT_NEED when you are completely done with it. Also, allocators try to be smart with mmap. E.g. jemalloc will wait to mark an mmap as dont_need for some amount of time in case you ask for more memory.
@masmullin So if the allocator uses the sbrk syscall there is a particular reason why 9.9 MB isn't freed (because the 64 bytes are located at the top of the 9.9 MB). But in the case of mmap it seems like nothing prevents the allocator from freeing 9.9 MB if it wants to, because mmap doesn't increase the brk segment address but instead gives us pages of memory somewhere. So is it true that 'Dirty Pages' are really possible only while using sbrk, because if the allocator uses mmap it can call a free syscall on the memory pages freed (via the allocator API)?
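An added example (mine, not code from the video or from this reply) that runs both halves of the explanation above on Linux. The mmap half grabs the 10 MB, dirties every page, keeps only the last 64 bytes live and hands the rest back with madvise(MADV_DONTNEED) (the DONT_NEED the reply refers to), counting resident pages with mincore() before and after: 2559 of 2560 pages disappear and the live bytes survive. The sbrk half grows the break by the same 10 MB and shows that with the live block sitting directly under the break, the number of bytes the break can retreat without destroying that block is zero, and the whole chunk only comes back once it is freed too. CHUNK, LIVE and the 0xAB/0xCD fill bytes are my own constants.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CHUNK ((size_t)10 * 1024 * 1024)   /* the 10 MB from the thread (assumed) */
#define LIVE  ((size_t)64)                  /* the 64 bytes that stay in use */

struct mmap_result {
    size_t resident_before;  /* pages resident right after dirtying the chunk */
    size_t resident_after;   /* pages resident after MADV_DONTNEED on the free part */
    int    live_intact;      /* 1 if the 64 live bytes still hold their data */
};

struct brk_result {
    size_t releasable_while_live;  /* bytes the break can drop while the top block lives */
    size_t released_after_free;    /* bytes returned once that block is freed too */
};

/* Count resident pages in [addr, addr+len) via mincore(). The vector is
 * static so this never calls malloc, which would move the break under
 * the brk demo below. */
static size_t resident_pages(void *addr, size_t len) {
    static unsigned char vec[CHUNK / 4096];
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t n = (len + page - 1) / page;
    size_t count = 0;
    if (n > sizeof vec || mincore(addr, len, vec) != 0) return (size_t)-1;
    for (size_t i = 0; i < n; i++) count += vec[i] & 1;
    return count;
}

/* mmap path: dirty 10 MB, keep only the last 64 bytes live, give the rest
 * back. MADV_DONTNEED drops the covered pages immediately; the single page
 * holding the live bytes is left alone, so 2559 of 2560 pages go away
 * (with 4 KiB pages). */
struct mmap_result mmap_release_demo(void) {
    struct mmap_result r = { (size_t)-1, (size_t)-1, 0 };
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *base = mmap(NULL, CHUNK, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return r;

    memset(base, 0xAB, CHUNK);                     /* every page is now dirty */
    r.resident_before = resident_pages(base, CHUNK);

    unsigned char *live = base + CHUNK - LIVE;     /* block still "in use" */
    size_t free_len = (size_t)(live - base) & ~(page - 1);  /* everything below live's page */
    if (madvise(base, free_len, MADV_DONTNEED) == 0) {
        r.resident_after = resident_pages(base, CHUNK);
        r.live_intact = (live[0] == 0xAB && live[LIVE - 1] == 0xAB);
    }
    munmap(base, CHUNK);
    return r;
}

/* sbrk path: the break is one line. Grow it by 10 MB, dirty the memory and
 * park the live block right under the break. Nothing sits above the live
 * block, so the allocator can retreat the break by exactly 0 bytes until
 * that block is freed too; then one sbrk(-CHUNK) returns everything.
 * No malloc may run between the two sbrk calls (malloc shares the break). */
struct brk_result brk_release_demo(void) {
    struct brk_result r = { (size_t)-1, 0 };
    unsigned char *base = sbrk(0);
    if (base == (void *)-1 || sbrk((intptr_t)CHUNK) == (void *)-1) return r;

    memset(base, 0xCD, CHUNK);                     /* 10 MB of dirty pages */
    unsigned char *brk_top = base + CHUNK;
    unsigned char *live = brk_top - LIVE;          /* live block touches the break */
    r.releasable_while_live = (size_t)(brk_top - (live + LIVE));  /* 0 */

    /* ... the live block is freed; only now can the break come down ... */
    if (sbrk(-(intptr_t)CHUNK) != (void *)-1) r.released_after_free = CHUNK;
    return r;
}

int main(void) {
    struct mmap_result m = mmap_release_demo();
    struct brk_result b = brk_release_demo();
    return (m.resident_after == 1 && m.live_intact && b.releasable_while_live == 0) ? 0 : 1;
}
```

The difference the thread is circling is visible in the two results: the mmap path can return the 9.9 MB in the middle of a chunk because madvise works on any page range, while the sbrk path can only ever shorten from the top, so one live allocation at the top pins every dirty page beneath it.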
If you can accomplish the same thing with both (whether more / less lines of code or using native or dependencies) but one wins out in performance AND security then that is the clear winner.