Unfortunately we need them: https://qntm.org/abolish

Good news for you, the CGPM decided in 2022 to abandon the leap second by 2035.

Ableism. As disability advocate Imani Barbarin says, if bigotry is the goal, ableism and eugenics are the toolkit. If you look at the history of any form of systemic bigotry, the justification for human atrocities almost always boils down to “well these people can’t contribute to society, so they don’t deserve to be a part of it.”

A signature only tells you where something came from, not whether it’s safe. Saying APT is more secure than Docker just because it checks signatures is like saying a mysterious package from a stranger is safer because it includes a signed postcard and matches the delivery company’s database. You still have to trust both the sender and the delivery company. Sure, it’s important to reject signatures you don’t recognize—but the bigger question is: who do you trust?

APT trusts its keyring. Docker pulls over HTTPS with TLS, which already ensures you’re talking to the right registry. If you trust the registry and the image source, that’s often enough. If you don’t, tools like Cosign let you verify signatures. Pulling random images is just as risky as adding sketchy PPAs or running curl | bash—unless, again, you trust the source. I certainly trust Debian and Ubuntu more than Docker the company, but “no signature = insecure” misses the point.

Pointing out supply chain risks is good. But calling Docker “insecure” without nuance shuts down discussion and doesn’t help anyone think more critically about safer practices.

You know container image attestations are a thing, right?

Why not ask whoever is taking care of your cat to send pics / videos?

Generally agree, although worth noting that which side you pass on depends on which side of the road people use to drive in your country. In the US, driving on the right means overtaking on the left. One could say that generally the advice is to drive in outermost lanes (closer to the road shoulder) unless overtaking in lanes further from the shoulder.

94% AI generated per zerogpt.com

I lurk in my city’s subreddit. It briefly closed as part of the protests, but the Lemmy community that was created at the time is inactive.

Not exactly the same, but I find “plug” and “socket” or “jack” to be generally more useful terms since the definitions are based on function rather than similarity to genitalia. Plugs are usually male, but always. For example, computer power supplies typically have a male jack and a female plug. In those situations, I find it more meaningful to describe the part by whether it is fixed or moves rather than which way the prongs go.

I usually say “semiweekly” to mean twice per week. I also say “semimonthly” to mean twice per month (24 times per year) as opposed to “biweekly” (26 times per year).

Would be great if we could just take off all of August like Europe does.

Adding onto what TheMrDrProf said: basically LetsEncrypt just wants to know you actually control the domain you’re using to get the certificate. With HTTP challenges, your domain has to resolve to a working HTTP server. With DNS challenges, you need API access to your DNS provider so that Certbot can set a temporary record that proves ownership.

If you’re using NPM to manage your certs, then as TheMrDrProf said as long as the HTTP request from LetsEncrypt can make it to your NPM through the VPS proxy, you should be able to pass the challenge and get a certificate. The IP address of the domain doesn’t really matter as long as the request makes it all the way to the challenge HTTP server, which in this case is NPM.

In NPM, you should see “Use a DNS challenge” option. If you use that and your DNS Provider is supported (if not, I recommend Cloudflare), then your VPS proxy does not even need to be working in order to renew certificates. This has a few advantages such as being able to shut off unencrypted traffic on port 80 completely.

1. The certificate and private key need to be on your home server since that’s where the TLS is decrypted.
2. You should be able to tunnel TLS traffic through WireGuard, so no port forwarding is needed.
3. You’d probably want to move Nginx Proxy Manager to your home server as an ingress gateway (and you can keep all the config + TLS certificates). Then on your VPS, you would no longer need the complexity and something like HAProxy, vanilla Nginx, or Traefik would suffice. Seems like NPM has an open issue to add support for TLS passthrough, but in my opinion it’s simpler to just have your VPS forward all traffic to one port on your home server.

For added security, you can make sure the proxy on the VPS only routes traffic for the correct domain using SNI. That way if someone hits your IP randomly, it only goes to your home server if the correct domain name was requested as well.

What you’re doing makes sense to me. Good luck!