| 5 Jan 2025 |
 hexa | * | 15:13:29 |
 raitobezarius | reaction has something to block on the L3 level the scrapers | 15:19:37 |
| raitobezarius | https://reaction.ppom.me/filters/ai-crawlers.html | 15:20:39 |
 K900 | Oh sorry I meant Fastly | 15:21:47 |
 @adam:robins.wtf | that makes more sense :) | 15:22:36 |
| @adam:robins.wtf | i didn't mean to imply fastly was scraping us. i was just wondering if we could leverage fastly to protect hydra | 15:22:55 |
| hexa | tbh, the hydra-server needs to be more robust | 16:29:19 |
| hexa | it can't just lock up | 16:29:24 |
 Vladimír Čunát | Maybe we should separate the external-facing web somehow. | 16:31:53 |
 emily | the web UI runs on the same machine that holds the signing key, right? | 16:33:26 |
| hexa | yes | 16:37:59 |
| emily | scary | 16:39:16 |
| emily | signing key rotation when | 16:39:28 |
| hexa | different user | 16:39:33 |
| raitobezarius | the power of unix perm isolation | 16:39:50 |
| hexa | not that the hydra services had any hardening | 16:40:09 |
| emily | our signing keys are hardware-protected (Linux uses the x86 MMU) | 16:40:56 |
| raitobezarius | can we have the meme | 16:41:10 |
| raitobezarius | with like AMD SEV, Intel TDX, etc. | 16:41:19 |
| hexa | if you want to contribute to a hardening effort the hydra repo is open for contributions | 16:41:59 |
| hexa | if you want to brainstorm ideas to rotate keys, there is an open RFC for that | 16:42:15 |
| hexa | if you want to meme, maybe take it to #offtopic:nixos.org? 🤔 | 16:42:31 |
| hexa | because I want all of those things as well, but poking won't make it go any faster | 16:43:09 |
| raitobezarius | i will prefer implementing key rotation directly, sorry for disturbing the forces at work here :) | 16:43:11 |
| Vladimír Čunát | I believe the RFC is complete and easy to just plan/deploy. | 16:45:15 |
| Vladimír Čunát | It just got very little feedback (in my opinion). | 16:45:36 |
| Vladimír Čunát | * I believe the RFC is complete and easy to just plan/deploy. | 16:47:23 |
| emily | is it more elaborate than just "ship the new signing keys in default configurations alongside the old ones, wait M time, switch over signing to new keys, wait N time, remove old key from config"? | 16:47:29 |
| emily | (or I guess you could sign with both keys for a while?) | 16:47:34 |
| emily | ok I'll just read it :) | 16:47:41 |
