Hacker News: Panino

New comment by Panino in "Openrsync: An implementation of rsync, by the OpenBSD team"

Panino — Sun, 31 May 2026 14:44:12 +0000

No, it doesn't.

I think some people may not be reading closely. On Unix, "/etc/services" is a file, not a directory:

  $ file /etc/services                                                                                                                         
  /etc/services: ASCII text

Here are two OpenBSD 7.9 endpoints running Samba rsync:

rsync -av -e ssh /etc/services example.com:/tmp/services

The above command creates a mirror of the local file /etc/services in a remote file called /tmp/services. The outcome is exactly the same as if I had run "scp /etc/services example.com:/tmp/services"

  client$ sha256 -q /etc/services                                                                                                                    
  469d28e72ed0e0994d31b555cc1bed7bc95a23fd1beeb30062affb64db0dd44a

  server$ sha256 -q /tmp/services                                                                                                          
  469d28e72ed0e0994d31b555cc1bed7bc95a23fd1beeb30062affb64db0dd44a

openrsync --rsync-path=openrsync -av -e ssh /etc/services example.com:/tmp/services

The above command creates a mirror of the local file /etc/services in a remote file called /tmp/services/services. The outcome is NOT the same as if I had run "scp /etc/services example.com:/tmp/services"

Please note that "/tmp/services" and "/tmp/services/services" are different.

  client$ sha256 -q /etc/services                                                                
  469d28e72ed0e0994d31b555cc1bed7bc95a23fd1beeb30062affb64db0dd44a

  server$ sha256 -q /tmp/services  
  sha256: /tmp/services: read error: Is a directory
  server$ sha256 -q /tmp/services/services                                                                                                 
  469d28e72ed0e0994d31b555cc1bed7bc95a23fd1beeb30062affb64db0dd44a

Here's an OpenBSD 7.9 client and Ubuntu server both running Samba rsync:

rsync -av -e ssh /etc/services example.com:/tmp/services

The above command creates a mirror of the local file /etc/services in a remote file called /tmp/services. The outcome is exactly the same as if I had run "scp /etc/services example.com:/tmp/services"

If you disagree, please state what operating systems you're using and copy/paste the output of the following commands on each side:

  uname -a
  rsync -V
  openrsync -V

I get

  $ rsync -V
  rsync  version 3.4.3  protocol version 32
  (snipped)

  $ openrsync -V
  openrsync 0.1 (protocol version 27)

Then please run the commands I ran above, in particular

openrsync --rsync-path=openrsync -av -e ssh /etc/services example.com:/tmp/services

And then type "file /tmp/services" on the remote server.

New comment by Panino in "Openrsync: An implementation of rsync, by the OpenBSD team"

Panino — Sat, 30 May 2026 17:32:17 +0000

> Was there already a /tmp/services directory on the dest?

No. And just to make sure, I ran a quick 'rm -rf /tmp/services' on the remote host, then re-ran openrsync on the client. Same result. This is OpenBSD 7.9 on both sides.

And I 100% agree about trailing slashes.

New comment by Panino in "Openrsync: An implementation of rsync, by the OpenBSD team"

Panino — Sat, 30 May 2026 16:41:15 +0000

I've been using openrsync here and there since it was announced and it's definitely improved over time. I'm looking forward to when I can use it exclusively.

The one place in my usage where it doesn't match Samba rsync is with the following:

openrsync --rsync-path=openrsync -av -e ssh /etc/services example.com:/tmp/services

I would expect openrsync to create a remote file /tmp/services, but instead it creates /tmp/services/services.

Normal directory mirroring as in -av -e ssh /path/to/src/ example.com:/path/to/dst/ works as it does with Samba rsync.

New comment by Panino in "Rise and Fall of Hosting Provider Gandi.net"

Panino — Wed, 27 May 2026 23:06:25 +0000

Gandi was so great, once. No upselling, whois privacy by default before it was normal, good prices. I had a domain with them 25 years ago so I was a longtime customer, but never again.

Good writeup. I only used Gandi as a domain registrar so I was only familiar with the insane cost increases. What a terrible company:

> Gandi now informed them that their email would be suspended unless they paid extra, effectively retroactively changing the terms of a service already paid for.

New comment by Panino in "Security researcher says Microsoft built a Bitlocker backdoor, releases exploit"

Panino — Sun, 17 May 2026 18:50:59 +0000

I would also love to hear specific opinions about VeraCrypt because I need to get some Windows users to encrypt some of their seldom-used sensitive files, like HR for example.

They can't use age or any other "right answer" tools. I'm talking about people who don't know their own username, people who don't know that their Windows password is the one they use to log into Windows. "Is that for my email?" Just getting them to use a password manager is like arm wrestling an aligator. If VeraCrypt isn't the best option for them, then what is?

New comment by Panino in "Help Keep Thunderbird Alive"

Panino — Thu, 09 Apr 2026 18:29:14 +0000

I recently started using Thunderbird for work which uses O365 (horrific service) for mail. I've found that 2FA with O365 to be totally unreliable no matter the client, even using the iOS app.

Does anyone use Thunderbird with Gmail and 2FA, and does it work correctly 100% of the time there?

OpenBSD Copyright Policy

Panino — Sat, 07 Feb 2026 17:27:18 +0000

Article URL: https://www.openbsd.org/policy.html

Comments URL: https://news.ycombinator.com/item?id=46925631

Points: 1

# Comments: 0

New comment by Panino in "Hackers (1995) Animated Experience"

Panino — Fri, 06 Feb 2026 17:49:47 +0000

Watching with a big public group of people you mostly don't know but maybe should is a special experience. This may depend on region, but in the US there used to be frequent midnight openings for superfans like myself. People dress up in costumes, local shops hand out prizes and it's an event. Saw Phantom Menace this way, LOTR, Watchmen, and maybe others, but I haven't seen a midnight opening offered in years. Maybe the theater managers are swimming in the pool on the roof.

New comment by Panino in "Tesla unsupervised Robotaxis are nowhere to be found"

Panino — Sun, 25 Jan 2026 02:13:58 +0000

https://en.wikipedia.org/wiki/Greater_fool_theory

New comment by Panino in "Analysis finds anytime electricity from solar available as battery costs plummet"

Panino — Sat, 13 Dec 2025 18:13:16 +0000

Why would you think that? Solar and wind are both far cheaper than fossil fuels even ignoring the problems caused by coal and methane.

https://en.wikipedia.org/wiki/Cost_of_electricity_by_source

New comment by Panino in "Linux Instal Fest Belgrade"

Panino — Sat, 06 Dec 2025 19:47:56 +0000

I've been thinking a lot about organizing an installfest sometime in the next year or so, which would be my first time in over 20 years. To anyone with current experience running one, do you have any advice?

I'm also interested in smartphone operating systems like Ubuntu Touch and postmarketOS etc.

New comment by Panino in "Tell HN: iOS 18.7.2 in Lockdown Mode is unable to load many websites"

Panino — Sat, 06 Dec 2025 19:34:08 +0000

Thank you for posting this - I had to disable Lockdown Mode because of this issue.

Funding: The rpki-client project needs your help

Panino — Sun, 30 Nov 2025 16:30:48 +0000

Article URL: https://www.rpki-client.org/funding.html

Comments URL: https://news.ycombinator.com/item?id=46098007

Points: 1

# Comments: 0

New comment by Panino in "Notes by djb on using Fil-C"

Panino — Sun, 02 Nov 2025 19:13:36 +0000

> Also maybe of interest is that the new cdb subdomain is using pqconnect instead of dnscurve

This is not correct. There isn't a cdb subdomain because cdb.cr.yp.to doesn't have NS records, which is where DNSCurve fits in. If you have a DNSCurve resolver, then your queries for cdb.cr.yp.to will use DNSCurve and will be sent to the yp.to nameservers.

From there, if you have pqconnect, your http(s) connection to cdb.cr.yp.to will happen over pqconnect.

Maybe the confusion is because both DNSCurve and pqconnect encode pubkeys in DNS, but they do different things.

Here is DNSCurve:

  $ dig +short ns yp.to
  uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.yp.to.

Here is pqconnect:

  $ dig +short cdb.cr.yp.to
  pq1htvv9k4wkfcmpx6rufjlt1qrr4mnv0dzygx5mlrjdfsxczbnzun055g15fg1.yp.to.
  131.193.32.108

Like CurveCP, pqconnect puts the pubkey into a CNAME.

New comment by Panino in "Let's Help NetBSD Cross the Finish Line Before 2025 Ends"

Panino — Sun, 26 Oct 2025 18:32:05 +0000

In some cases yes, replacing an old machine with a new one can be an evironmentally responsible choice. But in general that's not the case and one should thoughtfully consider the variables including but not limited to software choice, grid carbon cost (see Electricity Maps below), embodied carbon cost of materials, environmental issues of mining and production not strictly related to climate emissions, and more.

Low Tech Magazine wrote an article about this here:

https://solar.lowtechmagazine.com/2020/12/how-and-why-i-stop...

https://app.electricitymaps.com

New comment by Panino in "Apple Reportedly Moving Ahead with Ads in Maps App"

Panino — Sun, 26 Oct 2025 18:07:11 +0000

Apple News is loaded with ads, so this wouldn't surprise me. iOS already has ads.

I just installed Open Street Map (the iOS app is called OsmAnd) and it looks nice! Zoom in/out is much better than on Apple Maps. A quick check of a route I know produced a good map, so I'll start using OSM from now on.

How Big Can Tiny MicroSD Cards Get? Limits, Physics, and the Road Ahead

Panino — Tue, 22 Apr 2025 19:10:50 +0000

Article URL: https://lowendbox.com/blog/how-big-can-tiny-microsd-cards-get-limits-physics-and-the-road-ahead/

Comments URL: https://news.ycombinator.com/item?id=43765281

Points: 1

# Comments: 0

New comment by Panino in "Tesla Sales Fall Off a Cliff Globally, Including Germany, Australia, and China"

Panino — Mon, 10 Mar 2025 00:48:23 +0000

Note that GP used "whilst" which is British English, and previous posts seem Euro-centric and talk about renaming "American football." So it sounds like this person is Europe's problem.

The post had a number of grammatical errors too, so if "whilst" we're at it, should we criticize all of European education? Please don't post low-effort negative nationalism. It's cheap and the subject (the richest person alive is apparently a nazi) is a serious matter.

New comment by Panino in "Humans have caused 1.5 °C of long-term global warming according to new estimates"

Panino — Sun, 17 Nov 2024 19:17:09 +0000

> I was surprised how little it costs to stop climate change.

If you read Drawdown, you'll see that it doesn't cost money to stop climate change, it saves money.

https://drawdown.org/the-book

New comment by Panino in "HardenedBSD Feature Comparison with OpenBSD, FreeBSD, NetBSD"

Panino — Mon, 04 Nov 2024 05:45:21 +0000

> Executable file integrity enforcement

I assume but don't know for sure that this refers to Veriexec in NetBSD, and I'm not sure what in HardenedBSD. Anyone know?

https://man.netbsd.org/veriexec.8

My understanding is that Veriexec isn't enabled by default - the manpage says only that "[s]ome kernels already enable Veriexec by default." If you have this enabled, how do you upgrade binaries? The manpage says that in strict mode 1, write access to monitored binaries is allowed but then access is denied. So I assume that after file modification, root then runs veriexecgen and veriexecctl load as mentioned in the manual to update the signatures list. So it seems that strict level 1 isn't functionally different from a read-only /usr or even just root-owned binaries. In either case, you just need root to update targeted binaries. Surely I'm missing something and would appreciate some insight.

At a glance as an outsider, stricter modes appear somewhat functionally similar to "chflags schg" on BSD systems, where more work is needed to get around restrictions. In the case of schg, you have to reboot into single user mode, remove the schg flag, then modify the binary, and continue booting into multi-user mode. You could do this as a remote attacker (as in not having console access) depending on what boot files are or aren't protected with schg, but modifying all the necessary files can be a source of new problems.