Goofed Home

Docker Hub's trust signals are a lie — and Huntarr is just the latest proof

$$3411
https://lemmy.ml/u/dendrite_soup posted on Feb 24, 2026 00:53

The Huntarr situation (score 200+ and climbing today) is getting discussed as a Huntarr problem. It’s not. It’s a structural problem with how we evaluate trust in self-hosted software.

Here’s the actual issue:

Docker Hub tells you almost nothing useful about security.

The ‘Verified Publisher’ badge verifies that the namespace belongs to the organization. That’s it. It says nothing about what’s in the image, how it was built, or whether the code was reviewed by anyone who knows what a 403 response is.

Tags are mutable pointers. huntarr:latest today is not guaranteed to be huntarr:latest tomorrow. There’s no notification when a tag gets repointed. If you’re pulling by tag in production (or in your homelab), you’re trusting a promise that can be silently broken.

The only actually trustworthy reference is a digest: sha256:.... Immutable, verifiable, auditable. Almost nobody uses them.

The Huntarr case specifically:

Someone did a basic code review — bandit, pip-audit, standard tools — and found 21 vulnerabilities including unauthenticated endpoints that return your entire arr stack’s API keys in cleartext. The container runs as root. There’s a Zip Slip. The maintainer’s response was to ban the reporter.

None of this would have been caught by Docker Hub’s trust signals, because Docker Hub’s trust signals don’t evaluate code. They evaluate namespace ownership.

What would actually help:

  • Pull by digest, not tag. Pin your compose files.
  • Check whether the image is built from a public, auditable Dockerfile. If the build process is opaque, that’s a signal.
  • Sigstore/Cosign signature verification is the emerging standard — adoption is slow but it’s the right direction.
  • Reproducible builds are the gold standard. Trust nothing, verify everything.

The uncomfortable truth: most of us are running images we’ve never audited, pulled from a registry whose trust signals we’ve never interrogated, as root, on our home networks. Huntarr made the news because someone did the work. Most of the time, nobody does.

https://lemmy.ml/post/43612224
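A small audit of the "pin by digest, not tag" advice above, added here as example code (not from the post or from the Huntarr project): it scans the `image:` lines of a compose file, reports which references are mutable tags versus immutable digests, and rewrites a tag reference to a digest from a map the operator obtained out of band. The compose snippet and the digest value are constructed placeholders, and `docker manifest inspect` as the source of the map is an assumption.

```python
import re

# A valid registry digest is "sha256:" followed by exactly 64 lowercase hex chars.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
FAKE_DIGEST = "sha256:" + "ab" * 32   # constructed placeholder, not a real image digest

# Constructed compose fragment: one :latest, one version tag, one digest pin,
# and one untagged image on a registry with a port (a ':' that is NOT a tag).
COMPOSE = f"""\
services:
  huntarr:
    image: huntarr:latest
  db:
    image: postgres:16.2
  sonarr:
    image: lscr.io/linuxserver/sonarr@{FAKE_DIGEST}
  mirror:
    image: localhost:5000/tools/jq
"""

def parse_ref(ref):
    """Split an image reference into (name, tag, digest); absent parts are None."""
    name, _, digest = ref.partition("@")
    tag = None
    head, sep, tail = name.rpartition(":")
    if sep and "/" not in tail:   # ':' after the last '/' is a tag, not a registry port
        name, tag = head, tail
    return name, tag, digest or None

def classify(ref):
    name, tag, digest = parse_ref(ref)
    if digest:
        return "pinned" if DIGEST_RE.match(digest) else "malformed-digest"
    if tag is None or tag == "latest":
        return "mutable-latest"   # no tag at all silently means :latest
    return "mutable-tag"          # version tags can be repointed too

def audit_compose(text):
    """Return (line number, reference, classification) for every image: line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*image:\s*['\"]?([^'\"\s#]+)", line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

def pin(ref, digests):
    """Rewrite name:tag to name@digest using a digest map obtained out of band
    (assumed: from `docker manifest inspect`); refuse anything not in the map."""
    name, tag, digest = parse_ref(ref)
    if digest:
        return ref
    key = f"{name}:{tag or 'latest'}"
    if key not in digests or not DIGEST_RE.match(digests[key]):
        raise ValueError(f"no trusted digest known for {key}")
    return f"{name}@{digests[key]}"
```

Running `audit_compose(COMPOSE)` flags three of the four services as mutable; only the `@sha256:` reference survives a silent tag repoint.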

35 posts in conversation

$$3806
https://lemmy.ca/u/pulverizedcoccyx posted on Feb 24, 2026 20:30
In reply to: https://lemmy.world/comment/22320303

One thing that sucks about that is you might miss an upgrade that needed to happen before a large version jump later. It’s pretty rare but I believe I’ve seen a container break like that and the upgrade was misery.

https://lemmy.ca/comment/21882993
$$3936
https://lemmy.world/u/porkloin posted on Feb 25, 2026 04:36
In reply to: https://piefed.social/comment/10270841

Fair! I’m not giving enough credit to the fact that some applications don’t really have another option than to run root for some dependencies.

https://lemmy.world/comment/22333696

U.S. Tourists Advised To Temporarily Avoid Shootouts With Mexican Drug Cartels

$$3261
https://sopuli.xyz/u/supersquirrel posted on Feb 23, 2026 20:00
https://sopuli.xyz/post/41628412

4 posts in conversation

$$3285
https://sh.itjust.works/u/_haha_oh_wow_ posted on Feb 23, 2026 21:13
In reply to: https://sopuli.xyz/post/41628412

“This was supposed to be my vacation, I was so excited for this gun battle, wtf?”

-US tourists maybe

https://sh.itjust.works/comment/23938415
$$9129
https://lemmy.world/u/blarghly posted on Feb 25, 2026 03:09
In reply to: https://sopuli.xyz/post/41628412

As an American currently in Mexico, I lold

https://lemmy.world/comment/22332935

Ubuntu spotted in the wild

$$2419
https://lemy.lol/u/cm0002 posted on Feb 22, 2026 04:04

Airport advertising sign, looks like they forgot to make the looping video full screen.

Photographer @mosspiglet@discuss.online

https://lemy.lol/post/61501795

5 posts in conversation

$$3891
https://lemmy.zip/u/dabster291 posted on Feb 25, 2026 02:10
In reply to: https://lemy.lol/post/61501795

i love proxying images!!! i love proxying images!!!

https://lemmy.zip/comment/24863898
$$3894
https://lemy.lol/u/cm0002 posted on Feb 25, 2026 02:17
In reply to: https://lemmy.zip/comment/24863898

I cannot express into words how much I loathe Lemmy’s image proxying system

https://lemy.lol/comment/24366616

Conversation

$$3888
https://lemmy.world/u/ArkHost posted on Feb 25, 2026 01:41
In reply to: https://programming.dev/comment/22213947

Ollama is now also possible.

https://lemmy.world/comment/22332156

Medium rare roast beef

$$2843
https://lemmy.world/u/StickyDango posted on Feb 23, 2026 02:13

Made roast beef last night, medium rare. Used bolar blade, marinated for 24 hours. Turned out really well, and photo shows that I don’t know how to slice meat properly 😂 Also had potatoes and carrots roasting under the meat.

Sandwiches and wraps for the week, for sure!

https://lemmy.world/post/43471245

42 posts in conversation

$$3755
https://lemmy.today/u/hector posted on Feb 24, 2026 17:52
In reply to: https://lemmy.world/comment/22312965

I have been doing beans from scratch as well, I don’t know why I never did before, canned is ok but when you eat a lot it’s way more expensive than it has to be. They take forever to cook but I just put a pot on my woodstove and 12 hours later they are done.

Beans are great with like canned tomatoes, even tofu, and other veggies.

I need other better meat substitutes, tofu is so so, not all that cheap though, it’s like 1.50 a pound even at aldi, and it doesn’t go that far.

Other than that in the city there’s a place that often but not always has young turkeys on sale for .50 a pound, I stocked up but am running low, except I have a lot of turkey stock I need to use, freezer is full of remnants of carcasses and big pots of some, heating some right now, maybe to throw carrots and celery in there for soup which is good but gets old quick eating it back to back for a week.

Other than that I’ve lots of vinegar from alcohol brews that got infected, so I buy vegetables and wash and cut and throw in the buckets of vinegar, which is great, and keeps the veggies forever. Cabbage, zucchini, cucumber, jalapeno, garlic, onion, even radishes, and the like.

I’ve been saving money, haven’t been to the grocery store, or to town, since the holidays, have to run soon before maple syrup season starts in earnest around march 1st. Unfortunately turkey place is not near though, lots of beans this time around and idk what else, I guess tofu if not meat on sale which is unlikely. Chicken maybe. Hopefully I can find a fresh deer on the side of the road instead.

https://lemmy.today/comment/22480501
$$3885
https://lemmy.world/u/StickyDango posted on Feb 25, 2026 01:21
In reply to: https://lemmy.today/comment/22480501

That’s a long time to cook beans from dry, though I’ve never done it before except in an Instant Pot, which takes less than an hour to turn two cups of dried chickpeas into about 5-6 cups of edible chickpeas.

I don’t want to assume anything, but have you tried different cuisines to change things up? I’m trying to up my beans and lentils and chickpeas intake, so I’ve done all sorts of things like hummus, Brazilian chickpea curry, Indian chickpea curry, bean chili, pasta e fagioli. I’m also one of those people who can’t eat the same thing for more than a week, so I’m always looking for different ways to change up flavours and textures.

That’s a killer price on turkey! Do you have a stick blender to use to make a blended vegetable soup? Potatoes, pumpkins, leeks, turkey stock, pretty much all of the vegetables. And then put in shredded turkey and noodles/pasta or something. Add the usual salt, pepper, cumin, etc. Serve with smoked paprika, or cream/Greek yogurt/coconut cream, and bread on the side.

One of the most important things for me is to have a full stock of different herbs and spices, and ice cube trays to freeze leftover anything small enough to freeze (I especially do this with ginger, garlic and other herbs destined to die in the back of the fridge).

It’s a struggle. I’ve been there, too. I’m happy to share recipes that I’ve made, and substitutes that I’ve done. Absolutely no shame or high-horsed-ness about any of this - Food is food, and we’re in this together. 👊

https://lemmy.world/comment/22331957

A Knight of the Seven Kingdoms has saved the Game of Thrones universe

$$3614
https://feddit.uk/u/NomNom posted on Feb 24, 2026 11:17
https://feddit.uk/post/44872508

6 posts in conversation

$$3873
https://lemmy.world/u/MimicJar posted on Feb 25, 2026 00:39
In reply to: https://piefed.social/comment/10272501

It’s no season one, but I still enjoyed season two.

Without spoiling anything the end of season two doesn’t really work, but it doesn’t work because the season just sorta ends. If season three can pay off and finish the story of season two, as well as tell the next step of the story in season three, then I think it will all work out.

There are some other issues with season two, and during season two and going into season three GRRM has some harsh feedback. A creator isn’t always right, but it is concerning.

I think season two is worth getting into as preparation for season three, but if you waited I think that’s fine too.

https://lemmy.world/comment/22331514
$$3876
https://lemmy.world/u/MimicJar posted on Feb 25, 2026 00:50
In reply to: https://lemmy.world/comment/22318165

Between seasons 4 & 5 of Game of Thrones I read all the released books and three Dunk & Egg novellas. The first novella, The Hedge Knight, was my absolute favorite of the three and when talk of spinoffs began I was really hoping we would get Dunk & Egg.

The first season of A Knight of the Seven Kingdoms has been basically perfect. It’s everything I could have asked for, plus some excellent new stuff that fits the story and world well.

I think the second novella is the weakest of the three, not bad but not as memorable as the first. However based on what we got from season one I expect the show runner Ira Parker will know what to add and change to keep it worth watching.

The lives of Dunk & Egg are interesting, so this show has lots of story left to tell. And if we make it to the ending (possibly 12-15 stories later), it’ll be a hell of a ride.

https://lemmy.world/comment/22331619

Conversation

$$3862
https://lemmy.world/u/Alphonsus posted on Feb 24, 2026 23:48
In reply to: https://szmer.info/comment/1635100

👌👌👌

https://lemmy.world/comment/22330824

Netflix’s ‘One Piece’ Season 2 to Screen First Two Episodes in 200 Movie Theaters

$$3861
https://piefed.social/u/Skavau posted on Feb 24, 2026 23:46
https://piefed.social/c/television/p/1813823/netflixs-one-piece-season-2-to-screen-first-two-episodes-in-200-movie-theaters

For All Mankind — Season 5 Official Trailer | Apple TV

$$3701
https://piefed.social/u/Skavau posted on Feb 24, 2026 15:08
https://piefed.social/c/television/p/1812008/for-all-mankind-season-5-official-trailer-apple-tv

$$3853
https://piefed.zip/u/Stefan_S_from_H posted on Feb 24, 2026 23:06
In reply to: https://piefed.social/c/television/p/1812008/for-all-mankind-season-5-official-trailer-apple-tv

The uniforms are a little bit on the nose.

https://piefed.zip/comment/3954070

Conversation

$$3362
https://lemmy.blahaj.zone/u/birdwing posted on Feb 23, 2026 23:08
In reply to: https://lemmy.dbzer0.com/comment/16296613

Very late but curious. How difficult is it for someone who genuinely never has used Linux before, to go those leaps? Someone who’s not braindead à la “grandma doesn’t know what the red X button is or does”, but just a basic user “I’ve heard of a terminal and you can do commands with it but idk, I use maps and files…”.

Like is there a self hosting guide for idiots?

https://lemmy.blahaj.zone/comment/19335640

4 posts in conversation

$$3746
https://lemmy.blahaj.zone/u/birdwing posted on Feb 24, 2026 17:31
In reply to: https://lemmy.dbzer0.com/comment/24603002

cloudflare tunnel

Isn’t cloudflare American? Is there no way to avoid that?

https://lemmy.blahaj.zone/comment/19347202
$$3844
https://lemmy.dbzer0.com/u/ArsonButCute posted on Feb 24, 2026 22:48
In reply to: https://lemmy.blahaj.zone/comment/19347202

It’s a bit more complicated but the video I linked suggests using DuckDNS and a Wireguard VPN. It certainly works though in my experience it can be a bit of a pain because of CGNAT. If you have a reliable static or long-lived IP lease on IPv6 though it’s much less clumsy.

https://lemmy.dbzer0.com/comment/24609776