Reddit itself is monetized, but the people writing the review or suggesting products most likely weren't paid to recommend stuff. Not that there aren't paid shills on reddit, but as long as your BS meter is decent, a quick peek at the poster's profile can confirm whether the suggestions are legit.
It's a bit of work to weed out real testimonies, but if you can collect a bunch of reviews and use your own judgement as a final filter, I think that's better than just clicking any of the "Top 10 <product>" sites that Google shows on the first page.
Reddit works absolutely fine for this query so long as you dig a little, in the same way you once had to dig a bit for this kind of query on google search, back when it was good.
You just have to review enough threads on the subject to build up a picture and refine your search.
I did just this for noise cancelling headphones before Christmas and reddit was invaluable.
What about: this is now somewhat built into SSH, so you don't need an additional tool (or more accurately, this additional tool could be far simpler and more robust).
Ok. That is helpful, but ssh server or client? No way I would bother upgrading the server on all those boxes just to get to a point that is already working with sshpass.
Client. OpenSSH 8.4 has SSH_ASKPASS_REQUIRE that allows one to always invoke SSH_ASKPASS, notably when run from a terminal (previously, it was only invoked when there was no terminal to prompt the password).
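An added example (not part of the comment above) of the client-side setup it describes: an askpass helper plus `SSH_ASKPASS_REQUIRE=force`, so no sshpass is needed. It assumes an OpenSSH client 8.4 or later; the function names and the `SSH_PW_FILE` variable are hypothetical, and the helper assumes the server's prompt contains "password:".

```shell
#!/bin/sh
# Added example: password login through SSH_ASKPASS, without sshpass.
# make_askpass, ssh_with_password_file and SSH_PW_FILE are hypothetical names.

# Write an askpass helper into directory $1 and print its path.
# ssh runs the helper with the prompt text as its first argument and
# reads the answer from the helper's standard output.
make_askpass() {
    helper="$1/askpass.sh"
    (
        umask 077    # create the helper readable by its owner only
        cat > "$helper" <<'EOF'
#!/bin/sh
# Answer password prompts only. With "force", ssh also routes host-key
# confirmations through askpass; refuse those so that an unknown host
# key fails the connection instead of being accepted blindly.
case "$1" in
    *[Pp]assword:*) cat "$SSH_PW_FILE" ;;
    *) exit 1 ;;
esac
EOF
    )
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# Run ssh with the helper. The password is read from the file $1, which
# should be mode 0600, so it never appears on a command line or in the
# environment. Remaining arguments are passed to ssh unchanged.
ssh_with_password_file() {
    pwfile="$1"; shift
    dir=$(mktemp -d) || return 1
    helper=$(make_askpass "$dir")
    SSH_PW_FILE="$pwfile" SSH_ASKPASS="$helper" SSH_ASKPASS_REQUIRE=force \
        ssh -o PreferredAuthentications=password,keyboard-interactive \
            -o NumberOfPasswordPrompts=1 "$@"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

`NumberOfPasswordPrompts=1` stops a wrong password from being retried, which matters on devices that lock accounts after repeated failures.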
There are not many network vendors. Check the link in the first footnote for an example of how Cisco, the leader in the field, makes it difficult to deploy SSH keys. This is getting better. For example, Juniper (another network vendor) now supports SSH certificates.
I have no idea what's going on in the footnote, but deploying SSH keys on Cisco equipment is like 3 commands (conf t, user x, ssh something something) to deploy public keys, not hard at all.
It's been a few years, but this requires manually deploying keys and adding/removing users on all your devices. Most use TACACS+ and/or RADIUS to centrally manage users, which don't support keys in that way (or at least didn't the last time I worked with them).
Another possibility would be to use CA certificates for authentication and only TACACS+ for authorization and accounting. Juniper now supports CA certificates. Cisco may in 10 years.
I am using a similar approach to filter network flows, but the language is just SQL-like (notably because users may not be familiar with all the quirks of SQL) and gets translated to ClickHouse SQL. The language is exposed to the end user, so there is completion and syntax highlighting. Since the result is open source, you get a complete example (notably to evaluate how complex this is).
Xfwm has been rewritten from scratch at least 2 times. I can't imagine there is any code left from the original releases. Plus it used to be a CDE clone and that was dropped around version 2 when it became a light Gnome clone.
Perhaps the companies which self-host are the ones with the most stringent security needs, and are the exact customers who would be willing to pay more.
Perhaps the optimal price is higher for this new plan, than for the cloud plan?!?
As the README mentions "cloud-based" platforms, it should be noted that Diagrams.net (previously Draw.io) is available as an offline application. Inkscape is missing connection points and routing controls to make it easy to do diagrams. Also, Diagrams.net can export to SVG or PNG while keeping the original diagram embedded. I use that instead of the specific format they use.
I tried to get diagrams to pass through the container ID to the exported SVG "g" to find it's some massive Java thing that hasn't been added to in years. There's a lot of scope for semantic SVG we could use in other tools.
How are certificates distributed to computers before the TLS session begins? How does a user trust an untrusted certificate and its chain, say from Let's Encrypt?
You only distribute public keys to the end user - and private key signed hashes that can be verified by those public keys.
The user is given an option to trust a key for a new repo, when it's not in their list of trusted keys. The installation already comes with a list of trusted keys when it begins. If you trust it, then you run it - just like you should be trusting the root certificates in your system to really benefit from TLS, even. That includes Government, Telco and Company issued certificates. :-)
> How are certificates distributed to computers before the TLS session begins? How does a user trust an untrusted certificate and its chain, say from Let's Encrypt?
A handful of root certificates are baked into every OS and carefully guarded at every level to make sure they’re never given to someone who doesn’t have possession of a domain. Are you proposing to do this for GPG checksums? What would that look like?
It's the same logical process. A list of public keys that are trusted for installations is already kept in the OS. When updating, first they download packages that are public key updates and are signed with the old key.
The user is also alerted if this key update happened because there may have been a private key compromise, or if this is a cryptographic strength/algorithm update, or a key rotation etc.
Once the user decides to verify the information, do their research - and approve, the new keys are now used to verify signed packages. So on and so forth.
The deal is that you do not rely on TLS to fetch this package update information at all. You merely download the signed hashes required to verify package authenticity and proceed.
Even before the OS exists, it tells you that so-and-so is their public key, download the ISO, verify the signed hashes with their public keys. Once you trust and install with this ISO, the update process can take care of the rest.
You can do that research with other systems. Not the one where you are stuck because of outdated protocols, certificates etc.
Besides, if your system is not following the most secure TLS version or having the most up-to-date certs, what is the point in browsing something with TLS? It should be plaintext compatible.
Unfortunately, many web servers will block bots, either immediately or after a few requests.