My sweet spot is set -ue because I like to be able to use things like if grep -q ...; then and I like things to stop if I misspelled a variable.

It does hide failures in the middle of a pipeline, but it’s a tradeoff. I guess one could turn it on and off when needed

The indent syntax is one of the obviously bad decisions in the design of python so it makes sense

I use the same heuristic… if I need a hashmap or more complex math, I need a different language

Also if the script grows beyond 100 lines, I stop and think about what I’m doing. Sometimes it’s OK, but it’s a warning flag

I imagine adding -- so it becomes tar -caf archive.tar.bz2 -- "$@" would fix that specific case

But yeah, putting bash in a position where it has more rights than the user providing the input is a really bad idea

I don’t disagree with your point, but how does set -e break conditionals? I use it all the time without issues

Pipefail I don’t use as much so perhaps that’s the issue?

Get a better boss

Tailscale is very popular among people I know who have similar problems. Supposedly it’s pretty transparent and easy to use.

If you want to do it yourself, setting up dyndns and a wireguard node on your network (with the wireguard udp port forwarded to it) is probably the easiest path. The official wireguard vpn app is pretty good at least for android and mac, and for a linux client you can just set up the wireguard thing directly. There are pretty good tutorials for this iirc.

Some dns name pointing to your home IP might in theory be an indication to potential hackers that there’s something there, but just having an alive IP on the internet will already get you malicious scans. Wireguard doesn’t respond unless the incoming packet is properly signed so it doesn’t show up in a regular scan.

Geo-restriction might just give a false sense of security. Fail2ban is probably overkill for a single udp port. Better to invest in having automatic security upgrades on and making your internal network more zero trust

Just don’t do yaml.

yq can translate yaml to json and in most cases json is still valid yaml

Then you can just use a conmon delimiter like comma or semicolon or something. It’s better even as you’re less likely to have something that seems to work until your exotic delimiter pops up in the data.

Better yet, use a commonly used data format like csv or json and don’t build your own

Or run the raid 5 or 6 separately, with hardware raid or mdadm

Even for simple mirroring there’s an argument to be made for running it separately from btrfs using mdadm. You do lose the benefit of btrfs being able to automatically pick the valid copy on localised corruption, but the admin tools are easier to use and more proven in a case of full disk failure, and if you run an encrypted block device you need to encrypt half as much stuff.

You get pretty far with just clone, pull, add, commit, push

the in depth technical details

TL;DR; sigalarm handler calls syslog which isn’t safe to call from a signal handler context.

Their example exploit needed about 10k attempts to get a remote shell so it’s not fast or quiet, but a neat find regardless