Hacker News: brongondwana

New comment by brongondwana in "Artemis II crew take “spectacular” image of Earth"

brongondwana — Fri, 03 Apr 2026 20:39:36 +0000

Tell the world you're REALLY fat without telling the world ...

New comment by brongondwana in "Amiga Unix (Amix)"

brongondwana — Sun, 01 Feb 2026 12:33:20 +0000

Damn, $2000. I wish I'd kept my copy.

New comment by brongondwana in "Many hells of WebDAV"

brongondwana — Wed, 07 Jan 2026 22:36:05 +0000

Did you use the 'litmus' test suite? I found it very useful when building Fastmail's (perl) WebDAV file server implementation.

There were also a bunch of fun things with quirks around unicode filename handling which made me sad (that was just a matter of testing against a ton of clients).

As for CalDAV and CardDAV - as others have said, JMAP Calendars/Contacts will make building clients a lot easier eventually... but yeah. My implementation of syncing as a client now is to look for sync-collection and fall back to collecting etags to know which URLs to fetch. Either way, sync-collection ALSO gives a set of URLs and then I multi-get those in batches; meaning both the primary and fallback codepath revert to the multi-get (or even individual GETs).

New comment by brongondwana in "A worker fell into a nuclear reactor pool"

brongondwana — Sun, 26 Oct 2025 03:26:51 +0000

The good news is, you have less time to be annoyed by it

New comment by brongondwana in "JMAP for Calendars, Contacts and Files Now in Stalwart"

brongondwana — Thu, 23 Oct 2025 17:15:52 +0000

You're welcome! We're all very keen on keeping email open and something that everybody can build their own tools for.

New comment by brongondwana in "JMAP for Calendars, Contacts and Files Now in Stalwart"

brongondwana — Thu, 23 Oct 2025 06:16:11 +0000

We're working on it. We still use an unholy set of earlier versions of JMAP internally for our contacts and calendars; in particular the caldav_sync code is gnarly - I wrote it over 10 years ago when I knew less about calendars than I do now! It's still using an earlier branch of what became the perl Net::CalDAVTalk library interally, even though our frontend API is an almost-up-to-date version of what will become the JMAP Calendars spec eventually.

The downsides of developing and testing this stuff as we were writing it up!

We've finished rewriting the objectid generation to give smaller sized and more sortable IDs (they're an inverse of nanosecond internaldates now, plus some extra magic on the low bits for IMAP appends to avoid clashes)... which we wanted to speed up and reduce disk usage for the offline mode.

Next up is indeed updating to the latest spec on calendars and contacts. Files might take a bit longer, I really want to do some desktop clients for the files system, we have a really nice files backend at Fastmail which is only accessible via our interface or WebDAV right now.

New comment by brongondwana in "JMAP for Calendars, Contacts and Files Now in Stalwart"

brongondwana — Thu, 23 Oct 2025 06:08:46 +0000

That's not strictly true. IMAP has two things, UIDs which are mostly static (there's a UIDVALIDITY cache invalidation key to let a client know that UID information has been lost and recalculated); and message numbers.

UIDs don't change, but of course they can be deleted so it's a gappy list, meaning you can request even quite a large looking range of UIDs and get nothing back.

Message numbers change in every session, and also change every time you get an EXPUNGE. They're basically an ordered list without gaps, so you do a memmove at the offset of the EXPUNGE each time you get an expunge.

There are efforts like UIDONLY (RFC9586) to avoid having to keep that mapping at all, and there's OBJECTID (RFC8474) to let you cache a lot more even when UIDs are changed or when messages are moved between folders.

New comment by brongondwana in "JMAP for Calendars, Contacts and Files Now in Stalwart"

brongondwana — Thu, 23 Oct 2025 06:04:38 +0000

JMAP is only JSON over HTTP because that's what all the libraries support. Any data format which provides hashes and arrays would work fine, over any transport. So you could use CBOR or protocol buffers or whatever, over any channel you like.

Email immutability matters more in a world with AI

brongondwana — Thu, 02 Oct 2025 18:00:27 +0000

Article URL: https://www.fastmail.com/blog/not-written-with-ai/

Comments URL: https://news.ycombinator.com/item?id=45453135

Points: 166

# Comments: 111

New comment by brongondwana in "Just let me select text"

brongondwana — Wed, 24 Sep 2025 20:41:51 +0000

Join the club, we have compulsive mouse habits.

(am a member of this select club)

New comment by brongondwana in "Survey: a third of senior developers say over half their code is AI-generated"

brongondwana — Mon, 01 Sep 2025 10:47:42 +0000

This is why I trigger a segfault which dumps core at the spot where I had the printf when the conditions aren't what I want, so I can then open the debugger on the core (obviously: not if I have a copy of the input which can recreate it, if so then a debugger with a conditional breakpoint at the same spot is even better)

New comment by brongondwana in "SystemD Service Hardening"

brongondwana — Mon, 18 Aug 2025 10:26:39 +0000

We tried very hard to convert FastMail to Fastmail and... it's been about 90% successful but there's definitely a bunch of things out there spelled the old way. We just joke about BIG M occasionally.

[TIL - it's not even as old as me!] https://australianfoodtimeline.com.au/1978-launch-of-big-m/

New comment by brongondwana in "Fastmail Inbox UI Broken"

brongondwana — Thu, 07 Aug 2025 18:53:31 +0000

There are a few different threads on this and now that things are in a stable place I'm going to cross post this to all of them! The larger context is that we're making a major change to how we create IDs for email and mailboxes over the JMAP protocol. The old IDs are a UUID for mailboxId and the first 25 chars of the sha1 of the message for the emailId, prefixed by an 'M'. The new IDs are the createdmodseq for the mailbox prefixed by a 'P' (these are pretty short for most users) and a reverse counter of nanoseconds of the message internaldate (delivery time) for the emailId. This gives good storage density for offline and good data locality in databases for the email listings.

You can see all the code for that in a handful of merge requests in the public cyrus-imapd repository on github at https://github.com/cyrusimap/cyrus-imapd/

Over the past few weeks, I've been helping out with the last bits of code modification, largely the changes on https://github.com/cyrusimap/cyrus-imapd/pull/5539 if you're interested.

This morning we rolled out a build which we'd tested extensively on our staging and staff servers, but missed that for older v19 mailboxes which hadn't been upgraded to v20, the code to check if messages belonged in a thread incorrectly marked them all as missing.

This made MOST emails appear missing for most customers, clearly a very bad situation.

We immediately rolled back, but in the hurry missed that an unrelated change to correct subject matching for some languages (Japanese users had reported the issue, but possibly others as well) had changed the thread version, so new threads then had failed reads (making some, though many fewer, messages appear blank in the UI). There were about 50 million attempts to read those values over 15,000 users, because our UI was keeping on retrying thinking it was just a temporary synchronisation issue because the previous request told it there was a Thread to fetch data for. Ouch. https://github.com/cyrusimap/cyrus-imapd/pull/5527 contains those changes.

Anyway, since the only difference between the old and new records was normalisation of subjects, I wrote a tiny patch to let the old code read the newer records and just deployed that, which made all the emails re-appear for everyone again. This is the one bit of code from all this which isn't in a public repo, but it's two lines of: if (version == 2) version = 1;

Meanwhile, the real bug is fixed https://github.com/cyrusimap/cyrus-imapd/pull/5553 And a test has been written to prove it: https://github.com/cyrusimap/cyrus-imapd/pull/5554

But we'll wait until Monday to upgrade again, when we have fresh eyes available to watch that it's OK.

...

P.S. this is almost entirely unrelated to the UI changes. The underlying reason we're doing these changes IS related to UI changes, it's there to make offline mode use storage more efficiently on your device because the IDs are smaller and provide better data locality, but the timing is purely coincidental. The Cyrus changes have been done almost exclusively by the team in the USA and the UI changes by the team in Australia, and our deploy timelines were not synchronised.

New comment by brongondwana in "Fastmail breaks UI in production"

brongondwana — Thu, 07 Aug 2025 18:52:49 +0000

There are a few different threads on this and now that things are in a stable place I'm going to cross post this to all of them!

The larger context is that we're making a major change to how we create IDs for email and mailboxes over the JMAP protocol. The old IDs are a UUID for mailboxId and the first 25 chars of the sha1 of the message for the emailId, prefixed by an 'M'. The new IDs are the createdmodseq for the mailbox prefixed by a 'P' (these are pretty short for most users) and a reverse counter of nanoseconds of the message internaldate (delivery time) for the emailId. This gives good storage density for offline and good data locality in databases for the email listings.

You can see all the code for that in a handful of merge requests in the public cyrus-imapd repository on github at https://github.com/cyrusimap/cyrus-imapd/

Over the past few weeks, I've been helping out with the last bits of code modification, largely the changes on https://github.com/cyrusimap/cyrus-imapd/pull/5539 if you're interested.

This made MOST emails appear missing for most customers, clearly a very bad situation.

Meanwhile, the real bug is fixed https://github.com/cyrusimap/cyrus-imapd/pull/5553 And a test has been written to prove it: https://github.com/cyrusimap/cyrus-imapd/pull/5554

But we'll wait until Monday to upgrade again, when we have fresh eyes available to watch that it's OK.

...

New comment by brongondwana in "Google spoofed via DKIM replay attack: A technical breakdown"

brongondwana — Fri, 25 Jul 2025 14:50:13 +0000

Glad you asked! In a similar way to ARC (but better). The mailing list/group would add its own signature, and potentially a Delta-Body or Delta-Headers describing what changes it made (so that the verifier could undo the changes and verify the original signature, plus determine which changes were made by which hop).

So you'd have something like:

DKIM2: i=1; mf=sender@trusted.com; rt=accounts-payable@example.com; d=trusted.com

DKIM2: i=2; mf=bounce@example.com; rt=me@mydomain.com; d=example.com

So I could tell that the message came through example.com, and verify their signature on the message, as well as verify that trusted.com had intended the message to go to example.com in the previous hop.

New comment by brongondwana in "Google spoofed via DKIM replay attack: A technical breakdown"

brongondwana — Fri, 25 Jul 2025 14:32:16 +0000

Sadly, BCC is still a real thing, so the recipient system can't reliably tell that the recipient wasn't in the "to:" field and drop the message. That's one of the authentication holes that DKIM2 is planning to fix.

New comment by brongondwana in "Google spoofed via DKIM replay attack: A technical breakdown"

brongondwana — Fri, 25 Jul 2025 14:29:19 +0000

Bah, the datatracker doesn't list the candidate documents. Here's some direct links:

https://datatracker.ietf.org/doc/draft-chuang-dkim2-dns/

https://datatracker.ietf.org/doc/draft-gondwana-dkim2-header...

https://datatracker.ietf.org/doc/draft-gondwana-dkim2-modifi...

https://datatracker.ietf.org/doc/draft-robinson-dkim2-bounce...

https://datatracker.ietf.org/doc/draft-robinson-dkim2-messag...

New comment by brongondwana in "Google spoofed via DKIM replay attack: A technical breakdown"

brongondwana — Fri, 25 Jul 2025 14:27:18 +0000

I'm working on the solution to this (co-authors from Google and Yahoo, it's legit):

https://datatracker.ietf.org/doc/draft-gondwana-dkim2-motiva...

Note that it doesn't help avoid Google actually sending out a message with user-provided text in it, but it does stop it being replayed to you without Google intending it, because the SMTP FROM/TO are protected.

The motivation draft doesn't include technical detail, see early drafts of the technical detail in the various related docs at:

https://datatracker.ietf.org/wg/dkim/documents/

New comment by brongondwana in "The Twom Database Format"

brongondwana — Fri, 13 Jun 2025 20:46:59 +0000

Thanks!

New comment by brongondwana in "You Wouldn't Download a Hacker News"

brongondwana — Wed, 30 Apr 2025 14:32:38 +0000

Also there's the problem that every human has to have perfect opsec or you get the problem we have now, where there are massive botnets out there of compromised home computers.