Same as you. This piece of shit needed to be gone.
I've seen Venezuelans begging for food, money and shelter in geographic areas where you wouldn't even imagine, due to the exodus.
I've seen South American communities orbiting xenophobia on Venezuelans because opportunities for immigrants were almost impossible to find in countries where there weren't any for many of the current residents.
Resetting k3s in NixOS is not that straightforward and requires manual input. It cannot be fully automated just by removing the statement from your config, afaik, unless this has changed recently.
Now I don't recall which issue I had, I think it was something related to CoreDNS config or passing through the /etc/hosts of the NixOS node, but I do remember having to touch the K3s YAML directly, and maybe having issues also persisting it. It's actually the only thing I fear would break if I had to reinstall NixOS from scratch...
I 100% see the Framework Desktop and Steam Machine less as competitors and more as separate flavors of the same form factor: Steam Machine for the lower priced, casual plug-n-play gaming use case, and Framework Desktop for the higher priced, professional use case.
Seeing as the Steam Machine feels like a way to get traction for SteamOS just as much as it is a venture for selling hardware, a partnership between them selling Framework laptops/desktops verified for SteamOS seems like exactly the type of thing Valve would want.
tldr; DHH is a controversial figure, and Framework are latching onto Omarchy. I think some folks think that Framework's image is being tarnished by working with DHH.
It really is so sad to see people get sucked into the alt-right pipeline and not even realize it, despite it being so obvious from the outside that it's happening. For all his talk on indoctrination, it's weird to suddenly have very specific opinions on a bunch of unrelated topics you have no personal involvement in, no expertise in, and no tangible connection to. Even if you have feelings about some of these issues in passing, no normal person with a day job becomes so prolific about all of them at once.
Except, of course, that despite these issues not moving the needle on basically anything in daily life, they are all connected as part of a grand conspiracy to corrupt society in some nonspecific way and must be eradicated. In a way I really can't blame any individual, because there's very little in the way of defenses against it, but it's sad to see the cocktail of intelligence, arrogance, and fame mean that no one will ever be successful at pulling him out.
Wait, so how many degrees of separation do you have to be before you are ok? I mean fucking come on, this is ridiculous. DHH's blog entries are ugly, but are we really saying that Valve shouldn't do business with a hardware company because they do business with one guy that says shitty things on a blog?
Any business larger than a certain size is gonna have a fan-out of hundreds if not thousands of businesses if you go 2 to 3 degrees of separation out. And they have to avoid any that have written mean blog posts?
I'm sure like 20-30% of open source software has contributions from assholes.
All chip manufacturers sell to military contractors and genocidal regimes. But Valve should know not to do business with any chip manufacturers lol. Anyway
So not really an issue unless you are someone who makes politics your religion. Fortunately for Framework, outside of select US metropolitan areas, that isn't particularly prevalent.
How ironic, considering I’ve made a neutral comment to answer why someone is viewed as controversial, and I’m getting downvotes and people figuratively foaming at the mouth to defend someone who openly despises people different from him. If you want to see people who make politics their religion, look at the ones literally trying to ban non Christians from their country.
There is indeed a very loud wave of support for Nazi and Nazi-supporting projects. You can see it in these comments and in the top thread on the topic:
1. Framework sent a laptop to DHH and sponsored his version of ruby conference, and promotes Omarchy, which DHH created, on social media. Also promoted hyprland.
2. Thread started, goes viral. People basically asking, "did you know DHH has some really weird and kinda gross blog posts dog whistling about how London isn't white anymore? Did you know there's hella transphobic joking going around in hyprland discord?"
3. Hyprland drama resolved when multiple users point out the main dev had a come to Jesus moment about their toxic community
4. Framework CEO Nirav makes a big post about how they're trying to create a "big tent" and push FOSS with this method.
5. Users point out that big tents with Nazis in them are just big Nazi tents (the Nazi bar issue: if you don't throw out the first Nazi that shows up to your bar, more will come, and normal customers will leave because nobody wants to be around Nazis; thus, your bar is a Nazi bar now).
6. Predictably, an ongoing fight about whether DHH is actually a fascist/Nazi results in people saying things like "wait, but I agree with him on the London thing," or worse, flagrant transphobia towards other users. This results in accusations against these users of themselves being fascists or transphobes.
7. Some Framework mod comes in to lay down the rules about how all other threads on this subject will be closed, this thread will be kept open in perpetuity, and Framework welcomes people to use it to criticize them or public figures or even organize a boycott if they want; however, the mod requests people not to make transphobic comments or accuse other forum users of being fascists, as this will result in comment deletion. The ostensible goal: users attack public figures and not each other, and if a forum user vs. forum user attack occurs, leave it to the mods to deal with rather than everyone suddenly shouting "you're a transphobe! That's transphobic!" But the appearance: "we don't allow transphobes or anti-fascists here," or some other equivocation between being a transphobe/fascist and being one who wants to point out that something is transphobic or fascist. I think it's a common PR "both-sidesism" blunder community leaders make.
8. A shitstorm commences for a week. Silence from Framework. Framework abandons most social media.
9. Framework's Linux community ambassadors relinquish their positions, citing Framework's silence on not being willing to say explicitly that they won't promote white supremacists/fascists/DHH.
That's where we're at today. I learned a lot from the thread. I'm an obnoxious little anarchist that discovered that apparently a lot of people thought Framework was going to save us from consumerist e-waste capitalism, and by betraying other progressive goals they also can't be trusted now for the other mission, and so all hope is lost, and so now the only thing left to do is go back to buying products from companies that probably have child slavery in their supply chain. I also discovered that trying to do just a bit of progressivism means you must be perfect in every way or people will revert to default capitalism mode out of spite, basically a liberal form of leftist infighting that someone described to me as "treatlerism."
>Users point out that big tents with Nazis in them are just big Nazi tents (the Nazi bar issue: if you don't throw out the first Nazi that shows up to your bar, more will come, and normal customers will leave because nobody wants to be around Nazis; thus, your bar is a Nazi bar now).
Yet they never point out big tents with Maoists and pedophiles are just big Marxist-pedo tents.
>Predictably, an ongoing fight about whether DHH is actually a fascist/Nazi results in people saying things like "wait, but I agree with him on the London thing," or worse, flagrant transphobia towards other users. This results in accusations against these users of themselves being fascists or transphobes.
There are also many openly Maoist/Marxist users with flagrant anti-White hatred and misandry.
>A shitstorm commences for a week. Silence from Framework. Framework abandons most social media.
This is demonstrably false. Nirav responded and Framework has not abandoned any social media.
>Framework's Linux community ambassadors relinquish their positions, citing Framework's silence on not being willing to say explicitly that they won't promote white supremacists/fascists/DHH.
A few far-left entryist political activists were told they can't use the platform to push Marxism, their religious beliefs, or anti-White/male hatred so they left. Good riddance.
Your account posts a lot about Marxists and pedophiles and Maoists. What led to these things being a primary concern of yours? Very rarely do I hear people talk about Maoists in 2025.
If you are concerned about pedophiles, the latest revelations about pedophilia at the top levels of government in the USA must be very concerning for you.
You'll find a lot of open source leaders, and CEOs of companies like Framework, are not progressive; they are libertarian. People mistake this for progressive because it's often very socially liberal.
Trying to pressure them won't do anything, because it goes against libertarian values to force collective values on individuals.
Another massive problem is that if Meta has a fit with your organization, they can ban you from using WhatsApp for Business. All these Latam countries should and must pass regulations to avoid this kind of behavior. Free market all you want, but if you've captured the market, it's the nation's responsibility to ensure their people can get the best service even if these companies hate each other.
I'm a capitalist but yes when national security is in play "free market" in my book doesn't apply. You can't have health appointments, airline tickets, government services by default on WhatsApp. Most don't even bother with email and just default to WhatsApp.
It was kind of the same but not as pervasive with Facebook Messenger in the Philippines.
None of those are national security issues though, they’re QoL issues. The problem isn’t WhatsApp owning the market, it’s governments making the choice to only make their services available through WhatsApp and providing no alternative of their own to receive services. Every single “WhatsApp is too dominant” story I’ve seen usually boils down to governments acting as enablers for the supposed issue themselves.
You don't think WhatsApp for some reason stopping working, and airlines losing their default way to issue tickets, is a national security issue? How about health care appointments with national ID and address on them being sent as PDFs and stored on Meta's servers? All of those are massive national security issues for me. It can grind the country to a halt for days on end.
There's a reason South Korea has laws requiring all data on its citizens and geography to be stored in Korea. Even Google Maps doesn't quite work in Korea.
Why are they running everything through WhatsApp in the first place with no alternatives? Using WhatsApp as a convenience is fine, but if you're doing it with no way to not use WhatsApp or to obtain data through an alternate mechanism other than WhatsApp, that's what is causing your problems.
Issues that threaten national security are issues that threaten a nation’s sovereignty, put it at risk of war, or compromise the security of high ranking politicians, members of a nation’s intelligence service, military assets, and other issues of that caliber. The potential to miss flights or health care appointments does not rise to that level, but if it’s an actual problem, then it’s something solvable without reaching for the anti-monopoly gun or national security gun and a good start would be governments not using WhatsApp as an exclusive mechanism for obtaining government services. The second step is governments mandating that businesses in healthcare or transportation and other such critical industries have alternative mechanisms for customers to reach them other than WhatsApp.
South Korea is not a great example here. It's been weeks since the big data center fire and they've barely started to recover. Storing all data internally can really backfire if best practices aren't being followed, and that's a lot more likely with a not-invented-here approach.
Of course they are. It’s basically foreign soft power infiltration, invasion, control, and conquest. WhatsApp is Meta, Meta is deeply associated with not only the US government and its agencies, but the various entities of state control in the subordinate countries that believe they are being provided a means of controlling their countries, but do not realize or are deliberately subordinating themselves to the empire that is called America.
The pernicious thing that neutralizes many people like yourself is that you cannot understand that Meta/Facebook/WhatsApp is not just an innocuous private business somehow magically different from the government, over which at least you have a theoretical level of control in a democracy.
Every place that an “American” company controls aspects of a technology inside a society is effectively to that degree conquered by the “USA”. One’s own country simply does not exist anymore to the same qualitative degree that it is controlled by foreign technologies/companies. That is also the revealing argument the system made when it threw its fit about the Chinese control of TikTok! So at least the “American” system believes it… “The lady doth protest too much, methinks.”
> The pernicious thing that neutralizes many people like yourself
I get exactly how people view private American companies abroad and that’s irrelevant to what I actually said.
Why are governments running all their communications and services through a private American app? Even in America, we’re not doing that, and there is always a fallback in some form of the telephone system, email, the postal service, the web or just showing up in person for anything that is absolutely essential. If I’m doing anything through a 3rd party app like WhatsApp instead, it’s either not that essential, or I’m doing it as a convenience but the fallbacks are always there.
So when people are talking about utterly essential services being run through WhatsApp and only WhatsApp, that seems like the obvious problem, because if that's true, that's also very stupid, and also a very stupid choice. Facebook profits from the situation, you could even say America profits from the situation, but you can't say it is without mutual engagement and compliance on the part of the supposedly aggrieved parties here.
For early adopters, yes, but many systems have been running as good enough without any kind of updates for a long time.
For many use cases it needs to get to a point where accuracy is good enough, and then it will be set and forget. I disagree with the approach, but that's what you find in the wild.
You can lock it up with a user account and payment system. The fact that the site is up on the internet doesn't mean you can or cannot profit from it. It's up to you. What I would like is a way to notify my ISP and say, block this traffic to my site.
> What I would like is a way to notify my ISP and say, block this traffic to my site.
I would love that, and make it automated.
A single message from your IP to your router: block this traffic. That router sends it upstream, and it also blocks it. Repeat ad nauseam until the source changes ASN or (if the originator is on the same ASN) it reaches the router from the originator, routing table space notwithstanding. Maybe it expires after some auto-expiry -- a day or month or however long your IP lease exists. Plus, of course, a way to query what blocks I've requested and a way to unblock.
You can make the NS record for _acme-challenge.domain.tld point to another server which is under your control; that way you don't have to update the zone through your DNS hoster. That server then only needs to be able to resolve the challenges for those who query.
1. Your main domain is important.example.com with provider A. No DNS API token, for security.
2. Your throwaway domain in a dedicated account with a DNS API is example.net with provider B, and that DNS API token is in your ACME client.
3. You create _acme-challenge.important.example.com not as a TXT via API but as a permanent CNAME to _acme-challenge.example.net or _acme-challenge.important.example.com.example.net.
4. Your ACME client writes the challenge responses for important.example.com into a TXT at the unimportant _acme-challenge.example.net and has only API access to provider B. If this gets hacked and example.net is lost, you change the CNAMEs and use a new domain whatever.tld as CNAME target.
This has blown my mind. It's been a constant source of frustration since Cloudflare stubbornly refuses to allow non-enterprise accounts to have a separate key per zone. The thread requesting it is a masterclass in passive aggressiveness:
Could you elaborate on the separate key per zone issue? It's possible to create different API keys which have only access to a specific zone, and I'm a non-enterprise user.
I used the acme-dns server (https://github.com/joohoi/acme-dns) for this. It's basically a mini DNS server with a very basic API backed with sqlite. All of my acme.sh instances talk to it to publish TXT records, and it accepts queries from the internet for those TXT records.
There's an NS record so *.acme-dns.example.com delegates requests to it, so each of my hosts that need a cert have a public CNAME like _acme-challenge.www.example.com CNAME asdfasf.acme-dns.example.com, which points back to the acme-dns server.
When setting up a new hostname/certificate, a REST request is sent to acme-dns to register a new username/password/subdomain, which is fed to acme.sh. Then every time acme.sh needs to issue/renew the certificate, it sends the TXT info to the internal acme-dns server, which in turn makes it available to the world.
You can cname _acme-challenge.foo.com to foo.bar.com.
Now, when you do the DNS challenge, if you make a TXT at foo.bar.com with the challenge response, then through CNAME redirection the TXT record is picked up as if it were directly at _acme-challenge.foo.com. You can now issue wildcard certs for anything for foo.com.
I have it on my backlog to build an automated solution to this later this year to handle this for hundreds of individual domains and then put the resulting certificates in AWS secrets manager.
I'm going to also see if I can make some sort of ACME proxy, so internal clients authenticate to me, but they can't control DNS, so I make the requests on their behalf. We need to get prepared for ACME everywhere. In May 2026, it's 200-day certs; it only goes down from there.
In my case I have a very small nameserver at ns.example.com. So I set the NS record for _acme-challenge.example.com to ns.example.com.
An A-record lookup for ns.example.com resolves to the IP of my server.
This server listens on port 53. It is a custom, small Python server using `dnslib`, which also listens on port, let's say, 8053 for incoming HTTPS connections.
In certbot I have a custom handler which, when it is passed the challenge for the domain verification, sends the challenge information via HTTPS to ns.example.com:8053/certbot/cache. The small DNS server then stores it and waits for a DNS query on port 53 for that challenge to come in, and if it does, it serves that challenge's TXT record.
# Inside the query handler: `a` is the dnslib reply being built, `qname`/`qtype`
# come from the question, and storage['domains'] maps a domain to its pending codes.
elif qtype == 'TXT':
    if qname.lower().startswith('_acme-challenge.'):
        domain = qname[len('_acme-challenge.'):].strip('.').lower()
        if domain in storage['domains']:
            for verification_code in storage['domains'][domain]:
                a.add_answer(*dnslib.RR.fromZone(qname + " 30 IN TXT " + verification_code))
The certbot hook looks like this:
#!/usr/bin/env python3
import os
import urllib.parse
import requests
# certbot exports the domain and the dns-01 validation string to the hook's environment
r = requests.get('https://ns.example.com:8053/certbot/cache?domain=' + urllib.parse.quote(os.environ['CERTBOT_DOMAIN']) + '&validation-code=' + urllib.parse.quote(os.environ['CERTBOT_VALIDATION']))
That one nameserver instance and hook can be used for any domain and certificate, so it is not just limited to the example.com domain, but can also deal with challenges for, let's say, a *.testing.other-example.com wildcard certificate.
And since it already is a nameserver, it might as well serve the A records for dev1.testing.other-example.com, if you've set the NS record for testing.other-example.com to ns.example.com.
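As an added example (not code from any poster in this thread): a pre-flight check for a delegated dns-01 challenge that covers both the CNAME layout in the numbered steps above and the NS-delegated nameserver in the post just above. It computes the TXT value a CA expects from the challenge token and account-key thumbprint (RFC 8555) and follows CNAMEs to wherever the value has to be published; the zone contents, token and thumbprint are constructed samples, and the lookup function is an injectable stand-in for a real resolver.

```python
"""Pre-flight check for a delegated ACME dns-01 challenge (added example)."""
import base64
import hashlib
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]                # (rtype, rdata), e.g. ("CNAME", "_acme-challenge.example.net.")
Lookup = Callable[[str], List[Record]]  # owner name -> records owned by that name


def expected_txt_value(token: str, thumbprint: str) -> str:
    """TXT value a CA expects for dns-01 (RFC 8555 section 8.4):
    base64url(SHA-256(token + "." + account-key-thumbprint)) without padding."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def normalize(name: str) -> str:
    """Canonical owner name: lower-case, exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def resolve_txt(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs from `name` the way a validating resolver does and return
    (final owner name, TXT strings found there). Rejects loops and long chains."""
    current = normalize(name)
    seen = set()
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        records = lookup(current)
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if cnames:                      # a CNAME owner carries no other data; keep following
            current = normalize(cnames[0])
            continue
        return current, [rdata for rtype, rdata in records if rtype == "TXT"]
    raise ValueError(f"more than {max_hops} CNAME hops from {name}")


def check_dns01(domain: str, token: str, thumbprint: str, lookup: Lookup) -> bool:
    """True if the expected value is published at the end of the delegation chain."""
    _final, txts = resolve_txt(f"_acme-challenge.{domain}", lookup)
    return expected_txt_value(token, thumbprint) in txts


# Constructed sample data (not real challenge material). The zone mirrors the thread:
# the main domain's _acme-challenge is a CNAME into a throwaway zone where the ACME
# client writes, while another name is answered directly by a delegated nameserver,
# so its TXT sits at the challenge name itself. A stale value from a previous
# renewal is left in place, as happens when old TXT records are not cleaned up.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
SAMPLE_VALUE = expected_txt_value(SAMPLE_TOKEN, SAMPLE_THUMBPRINT)

CONSTRUCTED_ZONE: Dict[str, List[Record]] = {
    "_acme-challenge.important.example.com.": [("CNAME", "_acme-challenge.example.net")],
    "_acme-challenge.example.net.": [("TXT", "stale-value-from-last-renewal"), ("TXT", SAMPLE_VALUE)],
    "_acme-challenge.testing.other-example.com.": [("TXT", SAMPLE_VALUE)],
}


def constructed_lookup(name: str) -> List[Record]:
    return CONSTRUCTED_ZONE.get(normalize(name), [])


if __name__ == "__main__":
    for d in ("important.example.com", "testing.other-example.com", "missing.example.org"):
        print(d, check_dns01(d, SAMPLE_TOKEN, SAMPLE_THUMBPRINT, constructed_lookup))
```

To run it against live DNS, replace `constructed_lookup` with a function that queries your resolver for CNAME and TXT records at the given name and returns them in the same (rtype, rdata) shape.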
It's time for DNS providers to start supporting TSIG + key management. This is a standardized way to manipulate DNS records, and has a very granular ACL.
General note: your DNS provider can be different from your registrar, even though most registrars are also providers, and you can be your own DNS provider. The registrar is who gets the domain name under your control, and the provider is who hosts the nameserver with your DNS records on it.
No, you don't. You can just run https://github.com/joohoi/acme-dns anywhere, and then CNAME _acme_challenge.realdomain.com to aklsfdsdl239072109387219038712.acme-dns.anywhere.com. Then your ACME client just talks to the acme-dns API, which lets it do nothing at all aside from deal with challenges for that one long random domain.
You can do it with an NS record, i.e. _acme_challenge.realdomain.com pointing to the DNS server that you can program to serve the challenge response. No need to make a CNAME and involve an additional domain in the middle.
I've been hoping to get ACME challenge delegation on traefik working for years already. The documentation says it supports it, but it simply fails every time.
If you have any idea how this tool would work on a docker swarm cluster, I'm all ears.
Because users would pick an alternative solution that meets their needs when they don't have the leverage or ability to change DNS provider. You have to meet users where they are when they have options.
This concerned me greatly, so I use AWS Route53 for DNS and use an IAM policy that only allows the key to work from specific IP addresses and limits it to only creating and deleting TXT records for a specific record set. I love when I can create exactly the permissions I want.
AWS IAM can be a huge pain but it can also solve a lot of problems.
It's a bit of a pain in the ass, but you can actually just publish the DNS records yourself. It's clear they are on the way out though, as I believe it's only a 30-day valid certificate or something.
I use this for my Jellyfin server at home so that anyone can just type in blah.foo regardless of whether their device supports anything like mDNS, as half the devices claim to support it but do not do so correctly.
Is having one key per zone worth paying money for? It's on the list of features I'd like to implement for PTRDNS because it makes sense for my own use case, but I don't know if there's enough interest to make it jump to the top of this list.
Hurricane Electric supports a hidden primary as part of their free DNS nameserver service (do you actually want to expose your primary when someone else can handle the traffic?).
Yup, but it's a bit of a dance for bootstrapping, since they require you to already have delegated to them, but some TLDs require all NSes to be in sync and answer for the domain before delegating…
I just need one that can repeatedly say "I want to talk to a representative" and, when a representative answers, "I would like to escalate to your manager". After that a human in the loop is needed.