<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: aarmenaa</title><link>https://news.ycombinator.com/user?id=aarmenaa</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 10 Jul 2026 02:30:47 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=aarmenaa" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by aarmenaa in "LineageOS Statistics"]]></title><description><![CDATA[
<p>> running apps that are mandatory to participate in modern society<p>This right here is why I no longer consider custom ROMs.  My phone is a tool critical to my daily life and I need it to function correctly nearly 100% of the time.  Custom ROMs never really reach that bar in my experience.<p>Also, the various forms of attestation allow corporations the power to punish me for having the temerity to modify my own property.  Yet another way the tech industry has metastasized into a societal cancer.</p>
]]></description><pubDate>Wed, 08 Jul 2026 15:51:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=48833526</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=48833526</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48833526</guid></item><item><title><![CDATA[New comment by aarmenaa in "When employees feel slighted, they work less"]]></title><description><![CDATA[
<p>Yeah, I am always going to interpret that sort of thing as performative.  There seems to be whole corporate mythology that is <i>absolutely sure</i> there are a bunch of cheap, low-effort things managers can do to raise morale and get more productivity out of employees, like office birthday parties.  I propose a name for adherents to this philosophy: the Pizza Party Cult.</p>
]]></description><pubDate>Sat, 24 Jan 2026 16:14:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=46744798</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=46744798</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46744798</guid></item><item><title><![CDATA[New comment by aarmenaa in "Objects should shut up"]]></title><description><![CDATA[
<p>Yes.  I have a family member that has had many hospital stays over the last few years, and one of the most obnoxious things is that the staff just lets <i>everything</i> beep.  The last time we were in the emergency room the blood pressure monitor did not work and the staff didn't notice for over an hour.  Even when it does work, they're constantly in an alarm state because patient has chronic high blood pressure.  They either can't or won't silence the alarms, so every room is beeping, the nurse's station is beeping, their phones are beeping, and it's all being ignored.  It's the very definition of alert fatigue.</p>
]]></description><pubDate>Mon, 04 Aug 2025 15:21:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=44787076</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=44787076</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44787076</guid></item><item><title><![CDATA[New comment by aarmenaa in "Log by time, not by count"]]></title><description><![CDATA[
<p>I've noticed that for some reason developers really like using logs in place of actual metrics.  We use Datadog, and multiple times now I have seen devs add additional logging to an application just so they can then create a monitor that counts those log events.  I think it's a path of least resistance thing; emitting logs is very easy, and counting them is also very easy.  Reporting actual metrics isn't really difficult either, but unless you're already familiar with the system it's more effort to determine how to do it than just emitting a log line, so yeah.</p>
]]></description><pubDate>Mon, 21 Jul 2025 14:56:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=44635903</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=44635903</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44635903</guid></item><item><title><![CDATA[New comment by aarmenaa in "Life Altering PostgreSQL Patterns"]]></title><description><![CDATA[
<p>I like most of these patterns and have used them all before, but a word of caution using UUID primary keys: performance will suffer for large tables unless you take extra care.  Truly random values such as UUIDv4 result in very inefficient indexing, because values don't "cluster."  For databases, the best solution is to use a combination of a timestamp and a random value, and there are multiple implementations of UUID-like formats that do this.  The one I'm familiar with is ULID.  It's become a common enough pattern that UUIDv7 was created, which does exactly this.  I don't know if it's possible to generate UUIDv7 in Postgres yet.</p>
]]></description><pubDate>Sun, 16 Mar 2025 15:59:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=43380035</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=43380035</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43380035</guid></item><item><title><![CDATA[New comment by aarmenaa in "Optimizing Ruby's JSON, Part 4"]]></title><description><![CDATA[
<p>Maybe some people don't remember anymore, but there was a time when Ruby was HN's favorite language.  I miss those days.  I kind of get why everybody leaned into Python instead, but I'm never going to be happy about it.</p>
]]></description><pubDate>Fri, 03 Jan 2025 19:16:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=42588604</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=42588604</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42588604</guid></item><item><title><![CDATA[New comment by aarmenaa in "The CD Pipeline Manifesto"]]></title><description><![CDATA[
<p>If you manage to avoid scope creep then sure, static YAML has advantages.  But that's not usually what happens, is it?  The minute you allow users to execute an outside program -- which is strictly necessary for a CI/CD system -- you've already lost.  But even if we ignore that, the number of features always grows over time: you add variables so certain elements can be re-used, then you add loops and conditionals because some things need to happen multiple times, and then you add the ability to do math, string manipulation is always useful, and so on.  Before you know it you're trying to solve the halting problem because your "declarative markup" is a poorly specified turing-complete language that just happens to use a YAML parser as a tokenizer.  This bespoke language will be strictly worse than Python in every way.<p>My argument is that we should acknowledge that any CI/CD system intended for wide usage will eventually arrive here, and it's better that we go into that intentionally rather than accidentally.</p>
]]></description><pubDate>Tue, 24 Dec 2024 19:49:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=42504416</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=42504416</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42504416</guid></item><item><title><![CDATA[New comment by aarmenaa in "The CD Pipeline Manifesto"]]></title><description><![CDATA[
<p>FTA:<p>> The Fix: Use a full modern programming language, with its existing testing frameworks and tooling.<p>I was reading the article and thinking myself "a lot of this is fixed if the pipeline is just a Python script."  And really, if I was to start building a new CI/CD tool today the "user facing" portion would be a Python library that contains helper functions for interfacing with with the larger CI/CD system.  Not because I like Python (I'd rather Ruby) but because it is ubiquitous and completely sufficient for describing a CI/CD pipeline.<p>I'm firmly of the opinion that once we start implementing "the power of real code: loops, conditionals, runtime logic, standard libraries, and more" in YAML then YAML was the wrong choice.  I absolutely despise Ansible for the same reason and wish I could still write Chef cookbooks.</p>
]]></description><pubDate>Sun, 22 Dec 2024 01:34:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=42483787</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=42483787</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42483787</guid></item><item><title><![CDATA[New comment by aarmenaa in "Understanding Round Robin DNS"]]></title><description><![CDATA[
<p>True.  On the other hand, if you control the clients and can guarantee their behavior then DNS load balancing is highly effective.  A place I used to work had internal DNS servers with hundreds of millions of records with 60 second TTLs for a bespoke internal routing system that connected incoming connections from customers with the correct resources inside our network.  It was actually excellent.  Changing routing was as simple as doing a DDNS update, and with NOTIFY to push changes to all child servers the average delay was less than 60 seconds for full effect.  This made it easy to write more complicated tools, and I wrote a control panel that could take components from a single server to a whole data center out of service at the click of a button.<p>There were definitely some warts in that system but as those sorts of systems go it was fast, easy to introspect, and relatively bulletproof.</p>
]]></description><pubDate>Sat, 26 Oct 2024 23:49:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=41958644</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=41958644</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41958644</guid></item><item><title><![CDATA[New comment by aarmenaa in "TCP over TCP is a bad idea (2000)"]]></title><description><![CDATA[
<p>It is <i>very</i> difficult to misconfigure Wireguard -- there's just not that much to tune aside from MTU.  We've had a 1 Gbps tunnel between AWS and OVH for years and it worked mostly fine, except for the handful of times OVH's DDOS mitigation kicked in and killed the tunnel.  The issue is when you start wanting to go beyond 1 Gbps.<p>I think AWS will do 5 Gbps with a capable peer -- which is their limit for a single flow [1] -- but you might need to tell them first so they don't kill public networking on the instance though.  I found that UDP iperf tests reliably got my instance's internet shut off, so keep that in mind.  On the other hand, OVH will happily do 5-ish Gbps to/from my EC2 instance in a TCP iperf test, but won't tolerate more than 1 Gbps of inbound UDP.  OVH support has indicated that this is expected, though they do not document that limitation and it seemed that both their support and network engineering people were themselves unaware of that limit until we complained.  They don't seem to have the same limits on ESP, which is why I developed an interest in ipsec arcana.<p>[1] <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-network-bandwidth.html" rel="nofollow">https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-inst...</a></p>
]]></description><pubDate>Sat, 26 Oct 2024 18:29:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=41956711</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=41956711</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41956711</guid></item><item><title><![CDATA[New comment by aarmenaa in "TCP over TCP is a bad idea (2000)"]]></title><description><![CDATA[
<p>Sorry, I misremembered the issue.  Looking at my notes the issue is they don't allow disabling their NAT-T implementation, which detects NAT scenarios and automatically forces encapsulation on port 4500/udp.  The issue is that every public IP on an EC2 instance is a 1:1 NAT IP.  Every packet sent to the public IP is forwarded to the private IP -- including ESP -- but it <i>is technically NAT</i> and looks like NAT to strongSwan.<p>There's an issue open for years; it will probably never be fixed:<p><a href="https://wiki.strongswan.org/issues/1265" rel="nofollow">https://wiki.strongswan.org/issues/1265</a></p>
]]></description><pubDate>Sat, 26 Oct 2024 18:04:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=41956525</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=41956525</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41956525</guid></item><item><title><![CDATA[New comment by aarmenaa in "TCP over TCP is a bad idea (2000)"]]></title><description><![CDATA[
<p>We've run Wireguard tunnels that max out at 1 Gbps in AWS for years with no issues (on the AWS side, anyways).  It seems like things get hairy once you want to do more than that.</p>
]]></description><pubDate>Sat, 26 Oct 2024 00:09:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=41951325</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=41951325</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41951325</guid></item><item><title><![CDATA[New comment by aarmenaa in "TCP over TCP is a bad idea (2000)"]]></title><description><![CDATA[
<p>I did not.  I'm not terribly familiar with it, but it doesn't look like I can do general routing with it, right?  My end goal is to route between two subnets.</p>
]]></description><pubDate>Sat, 26 Oct 2024 00:08:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=41951314</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=41951314</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41951314</guid></item><item><title><![CDATA[New comment by aarmenaa in "TCP over TCP is a bad idea (2000)"]]></title><description><![CDATA[
<p>> The retransmit-in-retransmit behavior is precisely the issue.<p>But you're concerned about an issue I do not have.  In practice retransmits are rare between my endpoints, and if they did occur poor performance is acceptable for some period of time.  I just need it to me fast <i>most of the time</i>.  To reiterate: I do not care about what happens in non-optimal conditions.<p>> it looks like I've just accidentally described phantun (and maybe other solutions): <a href="https://github.com/dndx/phantun">https://github.com/dndx/phantun</a><p>I'll definitely look into that.  They specifically mention being more performant than udp2raw, so that's nice.</p>
]]></description><pubDate>Fri, 25 Oct 2024 22:59:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=41950728</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=41950728</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41950728</guid></item><item><title><![CDATA[New comment by aarmenaa in "TCP over TCP is a bad idea (2000)"]]></title><description><![CDATA[
<p>I've just spent the last month learning exactly why I definitely do want a TCP over TCP VPN.  The short answer is almost every cloud vendor assumes you're doing TCP, and they've taken the "unreliable" part of UDP to heart.  It is practically impossible run any modern VPN on most cloud providers anymore.<p>Over the last month, I've been attempting to set up a fast Wireguard VPN tunnel between AWS and OVH.  AWS killed all internet access on the instance with zero warning and sent us an email indicating that they suspected the instance was compromised and being used as part of a DDOS attack.  OVH randomly performs "DDOS mitigation" anytime the tunnel is under any load.  In both cases we were able to talk to someone and have the issue addressed, but I wanna stress: this is one stream between two IPs -- there's <i>nothing</i> that makes this anything close to looking like a DDOS.  Even after getting everything properly blessed, OVH drops all UDP traffic over 1 Gbps.  It took them a month of back-and-forth troubleshooting to tell us this.<p>The really terrible part is "TCP over TCP is bad" is now so prevalent there's basically no good VPN options for it if you need it.  Wireguard won't do it directly, but there's hacks involving udp2raw.  I tried it, and wasn't able to achieve more than 100 Mbps.  OpenVPN can do it, but is single-threaded and won't reasonably do more than 1 Gbps without hardware acceleration, which didn't appear to work on EC2 instances.  strongSwan cannot be configured to do unencapsulated ESP anymore -- they removed the option -- so it's UDP encapsulated only.  Their reasoning is UDP is necessary for NAT traversal, and of course everybody needs that.  It's also thread-per-SA so also not fast.  The only solution I've found than can do something not UDP is Libreswan, which can still do unencapsulated ESP (IP Protocol 50) if you ask nicely.  It's also thread-per-SA, but I've managed to wring 2 - 3 Gbps out of a single core after tinkering with the configuration.<p>For the love of all that's good in the world, just add performant TCP support to Wireguard.  I do not care about what happens in non-optimal conditions.<p>/rant</p>
]]></description><pubDate>Fri, 25 Oct 2024 21:54:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=41950191</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=41950191</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41950191</guid></item><item><title><![CDATA[New comment by aarmenaa in "The Insecurity of Debian"]]></title><description><![CDATA[
<p>The documentation is atrocious, and usually won't say things like "label your program unconfined_t" because they don't want you to do that ever.  Also, tutorials -- even RedHat's -- are always some variation of "here's how to use audit2allow."  That is very much not what I want.  I want to create a reusable policy that I can apply to many hosts via Ansible or as part of an RPM package I created.  I've never been able to figure out how to do that because it is always drowned out by SEO spam that barely scratches the surface of practical usage.<p>It's painfully obvious to me that the people who create SELinux and its documentation live in some alternate universe where they don't do anything the way I do, so I just turn it off.</p>
]]></description><pubDate>Wed, 04 Sep 2024 18:48:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=41449141</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=41449141</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41449141</guid></item><item><title><![CDATA[New comment by aarmenaa in "Proton launches its own version of Google Docs"]]></title><description><![CDATA[
<p>I've been considering switching from Fastmail to Proton for Mail/Calendar/Contacts, but I didn't realize their bridge didn't do CalDAV or CardDAV.  Also, apparently the bridge is desktop-only -- no mobile?  That's kind of a deal breaker.</p>
]]></description><pubDate>Wed, 03 Jul 2024 14:44:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=40866403</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=40866403</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40866403</guid></item><item><title><![CDATA[New comment by aarmenaa in "Cannabis use linked to epigenetic changes, study reveals"]]></title><description><![CDATA[
<p>I presume the uptick I've noticed of "weed is really bad, actually" articles filling my news feed and social media is a response to the imminent classification changes in the US in an attempt to sway public opinion.  I can only assume this is being driven by parties with ill intent, who prefer the status quo of using the phrase "I smell weed" to end-run constitutional protections against search and seizure, allowing unequal enforcement of the law, and selling less effective but more expensive treatments for ailments cannabis is known to be effective for.</p>
]]></description><pubDate>Sat, 25 May 2024 22:48:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=40478385</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=40478385</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40478385</guid></item><item><title><![CDATA[New comment by aarmenaa in "SSDs have become fast, except in the cloud"]]></title><description><![CDATA[
<p>I've previously worked for a place that ran most of their production network "on-prem".  They had a few thousand physical machines spread across 6 or so colocation sites on three continents.  I enjoyed that job immensely; I'd jump at the chance to build something like it from the ground up.  I'm not sure if that actually makes sense for very many businesses though.</p>
]]></description><pubDate>Tue, 20 Feb 2024 20:07:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=39446225</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=39446225</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39446225</guid></item><item><title><![CDATA[New comment by aarmenaa in "Why are we templating YAML? (2019)"]]></title><description><![CDATA[
<p>Chef vs Ansible was the first example that popped into my mind.  I had a very love/hate relationship with Chef when I used it, but writing cookbooks was definitely one of the good parts.</p>
]]></description><pubDate>Tue, 23 Jan 2024 17:40:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=39106706</link><dc:creator>aarmenaa</dc:creator><comments>https://news.ycombinator.com/item?id=39106706</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39106706</guid></item></channel></rss>