I recommend reading the description of the option `VerifyHostKeyDNS` in the `ssh_config` man page.
If set to `yes`, you get automatic trust-on-first-use (no user prompt) if you use DNSSEC, and you get the current asking-the-user behavior if your DNSSEC is broken or you are under attack.
Obviously it's more secure if you use DNSSEC, because that way you can reflexively deny any request to manually verify a host key, but it provides value regardless.
That site doesn't mention that when DNSSEC is absent, the behaviour of SSH is identical to what happens if you hadn't used the SSHFP record at all, except that for unsophisticated attackers it also displays "no matching host key found in DNS".
So even without DNSSEC, using the SSHFP records is an improvement over not using them, because some of the time it tells you for certain you're being interfered with.
There is no situation in which an insecure DNS response is auto-trusted by the SSH client.
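As an added illustration (not code from the thread or from OpenSSH), the following computes the SSHFP record data for an OpenSSH public key line the way `ssh-keygen -r` does (SHA-256 over the raw key blob, RFC 4255/6594/7479 code points), and models the three outcomes described above: a DNSSEC-validated match, an unsigned match, and no match. The ed25519 key is constructed, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm code points (RFC 4255, RFC 6594, RFC 7479); fingerprint type 2 = SHA-256.
KEY_ALGO_CODES = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_SHA256 = 2


def sshfp_record(pubkey_line: str) -> str:
    """Return SSHFP RDATA '<algo> <fptype> <hex>' for an OpenSSH public key line.

    The fingerprint is SHA-256 over the decoded key blob, as `ssh-keygen -r` prints it.
    """
    fields = pubkey_line.split()
    algo, blob = fields[0], base64.b64decode(fields[1])
    # The blob starts with a length-prefixed algorithm name; make sure it matches the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != algo:
        raise ValueError("key type inside blob does not match key type field")
    if algo not in KEY_ALGO_CODES:
        raise ValueError(f"unsupported key type {algo}")
    return f"{KEY_ALGO_CODES[algo]} {FP_SHA256} {hashlib.sha256(blob).hexdigest()}"


def decide(host_record: str, dns_records: list, dnssec_validated: bool) -> str:
    """Model of the client behaviour the comments describe for VerifyHostKeyDNS=yes.

    This is an illustration of the described logic, not OpenSSH's implementation.
    """
    if host_record in dns_records:
        # An unsigned (non-DNSSEC) answer is never auto-trusted: the user is still asked.
        return "trust" if dnssec_validated else "ask"
    # No matching key in DNS: prompt the user and show the "no matching host key" warning.
    return "ask+warn"


def constructed_ed25519_line() -> str:
    """Build a syntactically valid ssh-ed25519 public key line from a constructed 32-byte key."""
    raw = bytes(range(32))  # constructed sample material, not a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

Publishing `sshfp_record(...)` as an `SSHFP` RR under the host name, and signing the zone, is what turns the "ask" outcome into "trust".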
Many domains are better served by a more limited programming language, so you can analyze a program and/or make guarantees about it.
Real regexes (actually regular…) are infinitely better than Python code matching the same string (if they are sufficient) - you can compute their intersection, union, complement; check if they can match anything at all (and generate an example automatically).
For software builds, Bazel and others use Starlark, which is a restricted Python subset, so builds can be guaranteed finite and can be reasoned about.
Ansible may or may not offer any benefits in return for the limits (I am not an Ansible guru), but in general, most tasks do not need a Turing complete configuration/specification language - and it is then better to NOT have Turing completeness.
The "you don't want a full programming language" trope I see repeated a lot but I think far more people end up wishing for a Turing complete language than wishing it _wasn't_ Turing complete.
They do, until a configuration endless loop brings down their production system.
This is not really different than C vs Rust, or even Perl regular expressions (unbounded execution time) vs real regular expressions. With great powers comes great abilities to shoot yourself in the foot.
The power/guarantee balance is delicate, and you can’t hold the stick at both ends. People will always complain.
This is exactly what the Starlark language was developed to solve, initially for Bazel but also used in other places. It's a "full scripting language" but intentionally doesn't (in default configuration) support recursion or unbounded loops, so it is deterministic and has bounded execution time. I really wish more projects would reach for it as a configuration language.
I have such mixed feelings about Starlark and Bazel macros. When I write Bazel macros, they're great, the perfect tool for the job. When I encounter macros written by someone else, they are awful, a mistake and the bane of my existence.
In the same way that it's possible to have an xml/json/yaml/toml config that creates despair in those who have to maintain it, a python or bash script can grow into a monster in the basement.
Or, it could be a cogent script that makes its intent and operation obvious. I prefer that when possible.
The environment around the language can put in limits (on time, number of operations, etc.)
Convex does this well, replacing SQL (somewhat yaml-like sucky old declarative language) with JS/TS but in a well-locked-down environment with limits to ensure one mutation or query doesn’t take down the whole DB.
The number of times I've seen a configuration endless loop bring down anything are so few compared to the time wasted on DSLs and having to bend over backwards to do things a first-class programming language can do simply. Same with PCRE, I've seen that maybe... once.
Ahhm. At previous $DAYJOB, I inherited a WPF app written in 2012; I stumbled upon several WONTFIX bugs through the years - mostly having to do with shared memory bitmaps, having to manually call GC at times, and a host of other things.
Stable, but many issues. Stay away if you value your sanity and do anything nontrivial.
KDB v1 is from sometime in the late 1990s (I met v2 in 2002; but v1 was internal use only at some investment bank).
But that follows A and A+ which were extremely column oriented and date to the early 1990s or even late 1980s; and to various APL implementations going back to the 1960s.
Columnar DBs were very much a thing among APL users (finance and operations research) but weren't really known outside those fields - and even in those fields, there was a period of amnesia in the late '90s/early 2000s.
The existing laws are rarely well specified enough for precise enforcement, often on purpose.
You cannot have precise enforcement with imprecise laws. It’s as simple as that.
The HN favorite in this respect is “fair use” under copyright. It isn’t well specified enough for “precise enforcement”. How do you suggest we approach that one?
The name "Calcalist" is indeed a play on "Economist" (it is not a proper Hebrew word, but fuses the Hebrew word for economy "calcala" with the English suffix for a professional work "ist").
However, it is just an expanded version of Ynet’s business/economy section, and Ynet is probably the closest equivalent to USA Today or The Sun.
How can a word come from the Bible? It must have existed before the Bible in order to have a meaning inside of it. Or did you mean to write it came from Aramaic?
I mean that it already appears in the Bible, in old Hebrew (which is close to, but isn’t exactly Aramaic), with the meaning “to feed and provide” - and I did not find any documentation about how it formed (or came into) Hebrew.
Which means, of course, that it was already in use before the Bible was canonicalized.