Hacker News: welterde

New comment by welterde in "IPv6 just turned 30 and still hasn't taken over the world"

welterde — Sat, 03 Jan 2026 00:49:33 +0000

This is already a thing in IPv6 pretty much. You can write applications IPv6-only and support IPv4 via IPv4-mapped addresses (::ffff:1.2.3.4 for the IPv4 1.2.3.4). The host still needs to be dualstacked for that to work though. In case the host is IPv6-only you can use NAT64 (or similar technologies), where the IPv4-space is embedded behind some other prefix, but the application just talks plain IPv6 and doesn't have to care too much what happens in the background.

New comment by welterde in "IPv6 just turned 30 and still hasn't taken over the world"

welterde — Sat, 03 Jan 2026 00:34:55 +0000

The problem is that IPv4 has no provisions to be forward-compatible with anything with a larger address space. Thus whatever replacement you can think of will have the same problems as IPv6.

New comment by welterde in "Ancient X11 scaling technology"

welterde — Wed, 25 Jun 2025 12:31:46 +0000

For applications that were written with X11 in mind it works much much better than that. One example was the controlling a telescope. The computers in the control room were thin clients pretty much and displayed various windows from various machines across the mountain - even across multiple different operating systems! Some machines were running Solaris and some linux. The different machines belonged to different aspects of the telescope: some controlled the telescope itself and some machines belonged to the different scientifc instruments on the telescope. And it all worked quite well with no real noticeable lag.

New comment by welterde in "Hard numbers in the Wayland vs. X11 input latency discussion"

welterde — Mon, 27 Jan 2025 11:29:03 +0000

> For SSH forwarding you could have SSH ask the X server for a new socket for forwarding purposes - so remote clients can't snoop on local clients.

SSH pretty much already does this. Per default (using -X) X11 forwarding is in untrusted mode, which makes certain unsafe X11 extensions unavailable. So remote clients already cannot snoop the whole keyboard input.

New comment by welterde in "Hard numbers in the Wayland vs. X11 input latency discussion"

welterde — Mon, 27 Jan 2025 11:19:02 +0000

Some aspects of the client isolation are used by default when doing X11 forwarding via SSH. A remote keylogger will not work for instance.

New comment by welterde in "The IPv6 Transition"

welterde — Mon, 21 Oct 2024 07:11:20 +0000

IPv6 clients (or in theory any kind of IPv4 successor) can reach IPv4 servers via some kind of translation layer (for example NAT64) - so IPv6 is backwards-compatible with IPv4 in that direction. The inverse direction (IPv4 client to IPv6 server) is however not possible, since IPv4 is not forward-compatible with any possible successor, because it is not possible to encode more information into 32-bit than 32-bit.

New comment by welterde in "When railroad dining cars were the height of luxury"

welterde — Sun, 20 Oct 2024 14:42:50 +0000

Reliability is certainly one aspect where dedicated tracks helps a lot, but is not the only solution (see for example Switzerland). For Germany the issue is the overall too large utilization of the network and the large backlog of required maintenance of the rail infrastructure (in my opinion).

New comment by welterde in "When railroad dining cars were the height of luxury"

welterde — Wed, 16 Oct 2024 11:51:16 +0000

That has very little to do with the ICE train itself though, which can do above 320 km/h just fine in regular service (on international connections though, since in Germany the global train speed limit is 300 km/h I believe).

While the high-speed tracks in Germany are indeed quite a bit of a patch-work, there are over 1000 km of track certified for >= 250 km/h (as of 2015; quite a number of more lines got finished since then, but I could not find the updated number that included them) and by now really rather long corridors are very high-speed. The route from Munich (south of Germany) to Berlin is now mostly covered with upgraded routes for example. I think the 4 hours for that route are quite competitive to Shinkansen times. The fastest Shinkansen route (from the listed operating speed the only one that actually operates at 320 km/h; all others only operate at 260-300 km/h) is the Tōhoku Shinkansen line, which takes 3 hours and 20 minutes for the same distance traveled.

New comment by welterde in "Raspberry Pi Pico 2, our new $5 microcontroller board, on sale now"

welterde — Thu, 08 Aug 2024 16:54:43 +0000

If I read the datasheet correctly you still need an inductor and some passive components externally. The only thing that is not needed is an external switch mode power supply chip.

New comment by welterde in "Debian KDE: Right Linux distribution for professional digital painting in 2024"

welterde — Sat, 01 Jun 2024 09:49:47 +0000

The X11 primary selection buffer is an even better variant of that though. It allows single-shot copy&paste (meaning only one application can grab it) from the password manager to the target application and it tells the password manager the name of the application that grabbed it.

I think it shouldn't be too hard to hack in a dialog to password managers to confirm if the destination is correct before replying to the data request. But even without that one at least notices that a malicious/wrong application grabbed the password.

New comment by welterde in "X.org on NetBSD – The State of Things"

welterde — Mon, 06 May 2024 11:43:11 +0000

Nothing preventing you from writing a X11 server in something else either (and people have done so!). But fact is, most wayland compositors right now are either pure C or C++ (and I think the rest uses at least wlroots?). Many X11 window managers are written in non-c languages too and I don't think I am too far off the mark when I say that a decent fraction of wayland compositors would just be external window managers if there existed a standardized interface for window managers when they were written (I think some compositors have an interface for external window managers now, but is there a standard interface by now?).

New comment by welterde in "X.org on NetBSD – The State of Things"

welterde — Mon, 06 May 2024 09:33:59 +0000

It is only one old C codebase however (or a couple if one counts the *BSD semi-forks separately) instead of many different fresh c codebases (one per compositor with some shared code between some of them to be fair). I don't buy that this is actually better for security. It is a lot of more fun/less painful than cleaning up and improving some legacy codebase however.

New comment by welterde in "X.org on NetBSD – The State of Things"

welterde — Mon, 06 May 2024 08:44:39 +0000

X11 does have various ways to restrict access (one of which ssh does use for instance) and some more advanced security extensions. But as far as I can tell there has never been that much motivation to widely deploy any of it.

New comment by welterde in "12to11 – run Wayland applications on an X server"

welterde — Sat, 27 Apr 2024 15:24:19 +0000

Maybe the problem was with your specific setup or applications? Because at the observatory it worked flawlessly. Between the local data reduction machine (beefy server) and the desktop computer in my office the same. And I used that setup for years and it worked just fine (and I really really hate any lag or glitches).

VNC really sucked on the other hand, not being able to transparently share single windows (at least I never figured out how to), some windows would fail to refresh and I would need to drag them around to get them to redraw, copy and paste was always a pain, sometimes inputs not registering properly.

To be fair to VNC though, over the internet plain X11 forwarding really sucked (latency is the real killer here) and VNC won out there. Unless one was using NX proxy, then it blew VNC out of the water (while using X11 on both ends). Only RDP was somewhat on par with NX over the internet, but locally still beaten by X11.

New comment by welterde in "12to11 – run Wayland applications on an X server"

welterde — Sat, 27 Apr 2024 15:04:01 +0000

That's perfectly possible with X11 to attach via VNC to an existing session. But what X11 over (local) network does way better than either RDP or VNC is to run individual applications remotely while having them seamlessly integrate with the rest of desktop. At the observatory for example we were running thin clients in the control room while all the control panel windows were coming from many different machines across the mountain and it felt like all the applications were running locally on the machine in the control room (while in reality nothing was running there).

New comment by welterde in "12to11 – run Wayland applications on an X server"

welterde — Sat, 27 Apr 2024 14:28:58 +0000

That is not true. There are extensions to the X11 server that can resolve many of the security issues, but almost no one cares enough to use them.

If you are doing X11 forwarding via SSH it defaults to a more restricted configuration that only allows a more restricted access to the server (no direct sniffing of the input devices for instance).

New comment by welterde in "12to11 – run Wayland applications on an X server"

welterde — Sat, 27 Apr 2024 13:29:15 +0000

Not sure having shared memory and socket open to N fresh and under active feature development c codebases is that much more conducive to security? (N since while many compositors use wlroots there is still enough rope to hang yourself). To be fair, unless there is a exploitable bug in wlroots/lower wayland code, the blast-radius will be a lot more limited than if one is found in Xserver.

I think the Qubes approach is the only one worth considering if one deeply cares about security.

New comment by welterde in "12to11 – run Wayland applications on an X server"

welterde — Sat, 27 Apr 2024 10:31:58 +0000

There seems to be XACE/XSELinux, which seemingly exists in the mainline Xorg distro now. I wonder how the experience is with that?

In practice I think it doesn't see any adoption, since most people don't run with SELinux or even AppArmor on their desktop and none of the applications run isolated from each other, so it doesn't matter that they all have full access to the X11 server. And for actual security there is qubes, which solves both the application isolation and the X11 security issue.

New comment by welterde in "Why No IPv6?"

welterde — Mon, 15 Apr 2024 17:03:18 +0000

Only for IPv4 destinations however, where there is no other way. For IPv6 destinations it's just native connectivity with no NAT.

New comment by welterde in "Why No IPv6?"

welterde — Mon, 15 Apr 2024 12:21:49 +0000

What do you mean it has never been tried? That's how a lot of mobile providers and home internet providers operate today. My provider in Germany was already using DS-Lite (native IPv6 and IPv4 is tunneled over IPv6 to CGNAT gateway) more than 8 years ago. Mobile phones often use 464XLAT where IPv4 is translated to a region of the address space within IPv6 (the backbone is IPv6-only).

The problem is the inverse direction (IPv4 -> IPv6) since IPv4 is lacking any mechanism for forward-compatibility.