Sydney in winter
Jul. 6th, 2025 10:41 pm![[syndicated profile]](https://www.dreamwidth.org/img/silk/identity/feed.png){kind=small}
lecta_feedJune 2025
A work virtual walk-a-thon, combined with many many early morning meetings, was a chance to see Glorious Sydney in winter:
lecta_feed
Where Else to Find Me
Jul. 4th, 2025 07:59 pmblog_namei_org_feedI’m not blogging much these days, and more likely posting on these accounts:
- Fediverse (“Mastodon”): https://social.kernel.org/jmorris
- Bluesky: https://bsky.app/profile/jamesmorris.bsky.social
If you’d like to follow updates for the Linux Security Summit (LSS), see here:
For topics which are specifically $work related, see my LinkedIn:
Artist Training Grounds XV, Final Day: Makeup
Jul. 1st, 2025 06:26 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
frith posting in ![[community profile]](https://www.dreamwidth.org/img/silk/identity/community.png){kind=small}
ponyville_trotIt's the day reserved to turn in those assignments that missed even the two day extensions (I have one!) and there's a bonus task: "(Draw any prompts you missed) // Bonus: Combine and draw 2 or more prompts of your choice". I should have guessed this would happen! =8^O
As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specifying the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so chose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the last task at 9 PM (MST) on July 3rd. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Like, now: https://www.equestriadaily.com/2025/07/newbie-artist-training-grounds-xv-final.html
So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). King Grimlock is _not_ waiting until the cutoff time to prep and queue the gallery. The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. This time the close date is July 6th but KG can and does change the close date on the submitter and keeps just two active at any given moment. This is the end.
Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are as many previous prompts in a single picture as you can / a pony stretched thin.
As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specifying the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so chose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the last task at 9 PM (MST) on July 3rd. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Like, now: https://www.equestriadaily.com/2025/07/newbie-artist-training-grounds-xv-final.html
So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). King Grimlock is _not_ waiting until the cutoff time to prep and queue the gallery. The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. This time the close date is July 6th but KG can and does change the close date on the submitter and keeps just two active at any given moment. This is the end.
Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are as many previous prompts in a single picture as you can / a pony stretched thin.
Rebuilding journal search again
Jun. 30th, 2025 03:18 pmalierak posting in ![[site community profile]](https://www.dreamwidth.org/img/comm_staff.png){kind=small}
dw_maintenanceWe're having to rebuild the search server again (previously, previously). It will take a few days to reindex all the content.
Meanwhile search services should be running, but probably returning no results or incomplete results for most queries.
Meanwhile search services should be running, but probably returning no results or incomplete results for most queries.
Artist Training Grounds XV, 15th Prompt Pair
Jun. 29th, 2025 06:47 amfrith posting in ponyville_trotFor the 15th and final task: "Draw a pony graduating // Draw a pony who just hit the jackpot". I already did a graduated cylinder gag a few years ago. Perhaps I can do something with taking a hit of Cranky Jack's pot? Ugh! I can almost smell the stuff! X^p Maybe it's the wildfire smoke in the air this morning. Confound this NATG! It keeps driving me to pot!
The good news is that there _will_ be a Makeup day on July 1st.
As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specifying the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so chose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the last task at 9 PM (MST) on July 1st. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Voilà: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv-bonus.html
So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). King Grimlock is _not_ waiting until the cutoff time to prep and queue the gallery. The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.
Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony feeling the heat / pony with their eye on the clock.
The good news is that there _will_ be a Makeup day on July 1st.
As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specifying the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so chose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the last task at 9 PM (MST) on July 1st. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Voilà: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv-bonus.html
So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). King Grimlock is _not_ waiting until the cutoff time to prep and queue the gallery. The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.
Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony feeling the heat / pony with their eye on the clock.
Jonathan Abernathy You Are Kind by Molly McGhee
Jun. 27th, 2025 03:49 pmaltamira16This is a weird slipstream book that feels like it is trying to horn in on Nick Mamatas's territory sometimes.
Jonathan Abernathy is a lonely adult. He is an orphan, and his life is going nowhere. He goes and begs his old manager at the hotdog stand for a job because he desperately needs the money.
But he is working on a bigger project where he is a dream auditor. At night, he enters people's dreams and sucks away the bad parts so that they can be more productive. (This is the thing that feels Mamatas-like. People are doing weird things because of capitalism.) There are all sorts of things about the dream world that are unclear. What happens to the parts of the dreams that are sucked away? What happens to the lives of the people whose dreams have been changed?
He has a neighbor named Rhoda who has a daughter named Timmy, and sometimes Rhoda asks Jonathan to watch Timmy.
He likes her. He starts seeing her in dreams, but whose dreams are they? Which dreams are real?
Jonathan Abernathy is a lonely adult. He is an orphan, and his life is going nowhere. He goes and begs his old manager at the hotdog stand for a job because he desperately needs the money.
But he is working on a bigger project where he is a dream auditor. At night, he enters people's dreams and sucks away the bad parts so that they can be more productive. (This is the thing that feels Mamatas-like. People are doing weird things because of capitalism.) There are all sorts of things about the dream world that are unclear. What happens to the parts of the dreams that are sucked away? What happens to the lives of the people whose dreams have been changed?
He has a neighbor named Rhoda who has a daughter named Timmy, and sometimes Rhoda asks Jonathan to watch Timmy.
He likes her. He starts seeing her in dreams, but whose dreams are they? Which dreams are real?
Artist Training Grounds XV, 14th Prompt Pair
Jun. 27th, 2025 07:20 amfrith posting in ponyville_trotThe 14th task, will we get lucky? Nope: "Draw a pony living their best life // Draw a pony painting the town red". Am I going to have to draw substance abuse ponies now? Only one more prompt to go!
As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specifying the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so chose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the last task at 9 PM (MST) on June 28th. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Ta da! https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_01215997842.html Technology is magic.
So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). King Grimlock is _not_ waiting until the cutoff time to prep and queue the gallery. The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.
Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony on the job / pony who is the breadwinner.
As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specifying the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so chose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the last task at 9 PM (MST) on June 28th. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Ta da! https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_01215997842.html Technology is magic.
So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). King Grimlock is _not_ waiting until the cutoff time to prep and queue the gallery. The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.
Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony on the job / pony who is the breadwinner.
Artist Training Grounds XV, 13th Prompt Pair
Jun. 25th, 2025 06:37 amfrith posting in ponyville_trotThe 13th task, will we get lucky? Nope: "Draw a pony hitting the road // Draw a pony starting a new chapter of their life". The choices are road abuse (ouch) or autobiography writing. Or bouncing road apples.
As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specifying the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so chose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 26th. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Le voici: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_01781599238.html
So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.
Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony emptying their thoughts / Draw a pony going with the flow. Time to break out the edibles.
As always, draw (or sculpt or do a photo-montage), host the image of what you made in an online gallery and drop the URL into the submission form here, it's live. King Grimlock does not specifying the prompt in the submitter, but otherwise it's the usual: you can enter five different images per prompt. The maximum resolution is 2000x2000 pixels, so chose a link from your gallery that points to a version of your image that does not exceed 2,000 pixels on either side. Also, don't exceed 4 Mb per picture or the poniloader will plotz and choke on your picture. MLPforums and Discord work as image hosts in a pinch, although I think that there's an expiry date on those options. Xitter works somehow, it looks like Mastodon does, probably Bluesky as well, if you're savvy and Imgur apparently works too. I use Flickr. The pictures will be visible on EqD along with the next task at 9 PM (MST) on June 26th. KG has stopped trying to make bespoke URLs so I'll paste the gallery URL when it appears. Le voici: https://www.equestriadaily.com/2025/06/newbie-artist-training-grounds-xv_01781599238.html
So be sure to get your drawings in well before 9 PM Mountain Standard Time (or midnight Eastern Daylight Savings Time and 5 AM UTC). The grace period should give you at least two extra days and KG goes back to edit in the late submissions, usually around the same time he posts the next prompt. KG can and does change the close date on the submitter and keeps just two active at any given moment. I don't think there will be any late submission catch-up days in this NATG.
Off topic submissions, more than was usual in past years, are showing up in the gallery. That's because King Grimlock is also posting what Calpain is prompting on Bluesky in his fringe NATG and people have been hybridizing this NATG with it. Calpain's prompts today are pony emptying their thoughts / Draw a pony going with the flow. Time to break out the edibles.
Why is there no consistent single signon API flow?
Jun. 23rd, 2025 10:36 pmmjg59Single signon is a pretty vital part of modern enterprise security. You have users who need access to a bewildering array of services, and you want to be able to avoid the fallout of one of those services being compromised and your users having to change their passwords everywhere (because they're clearly going to be using the same password everywhere), or you want to be able to enforce some reasonable MFA policy without needing to configure it in 300 different places, or you want to be able to disable all user access in one place when someone leaves the company, or, well, all of the above. There's any number of providers for this, ranging from it being integrated with a more general app service platform (eg, Microsoft or Google) or a third party vendor (Okta, Ping, any number of bizarre companies). And, in general, they'll offer a straightforward mechanism to either issue OIDC tokens or manage SAML login flows, requiring users present whatever set of authentication mechanisms you've configured.
This is largely optimised for web authentication, which doesn't seem like a huge deal - if I'm logging into Workday then being bounced to another site for auth seems entirely reasonable. The problem is when you're trying to gate access to a non-web app, at which point consistency in login flow is usually achieved by spawning a browser and somehow managing submitting the result back to the remote server. And this makes some degree of sense - browsers are where webauthn token support tends to live, and it also ensures the user always has the same experience.
But it works poorly for CLI-based setups. There's basically two options - you can use the device code authorisation flow, where you perform authentication on what is nominally a separate machine to the one requesting it (but in this case is actually the same) and as a result end up with a straightforward mechanism to have your users socially engineered into giving Johnny Badman a valid auth token despite webauthn nominally being unphisable (as described years ago), or you reduce that risk somewhat by spawning a local server and POSTing the token back to it - which works locally but doesn't work well if you're dealing with trying to auth on a remote device. The user experience for both scenarios sucks, and it reduces a bunch of the worthwhile security properties that modern MFA supposedly gives us.
There's a third approach, which is in some ways the obviously good approach and in other ways is obviously a screaming nightmare. All the browser is doing is sending a bunch of requests to a remote service and handling the response locally. Why don't we just do the same? Okta, for instance, has an API for auth. We just need to submit the username and password to that and see what answer comes back. This is great until you enable any kind of MFA, at which point the additional authz step is something that's only supported via the browser. And basically everyone else is the same.
Of course, when we say "That's only supported via the browser", the browser is still just running some code of some form and we can figure out what it's doing and do the same. Which is how you end up scraping constants out of Javascript embedded in the API response in order to submit that data back in the appropriate way. This is all possible but it's incredibly annoying and fragile - the contract with the identity provider is that a browser is pointed at a URL, not that any of the internal implementation remains consistent.
I've done this. I've implemented code to scrape an identity provider's auth responses to extract the webauthn challenges and feed those to a local security token without using a browser. I've also written support for forwarding those challenges over the SSH agent protocol to make this work with remote systems that aren't running a GUI. This week I'm working on doing the same again, because every identity provider does all of this differently.
There's no fundamental reason all of this needs to be custom. It could be a straightforward "POST username and password, receive list of UUIDs describing MFA mechanisms, define how those MFA mechanisms work". That even gives space for custom auth factors (I'm looking at you, Okta Fastpass). But instead I'm left scraping JSON blobs out of Javascript and hoping nobody renames a field, even though I only care about extremely standard MFA mechanisms that shouldn't differ across different identity providers.
Someone, please, write a spec for this. Please don't make it be me.
This is largely optimised for web authentication, which doesn't seem like a huge deal - if I'm logging into Workday then being bounced to another site for auth seems entirely reasonable. The problem is when you're trying to gate access to a non-web app, at which point consistency in login flow is usually achieved by spawning a browser and somehow managing submitting the result back to the remote server. And this makes some degree of sense - browsers are where webauthn token support tends to live, and it also ensures the user always has the same experience.
But it works poorly for CLI-based setups. There's basically two options - you can use the device code authorisation flow, where you perform authentication on what is nominally a separate machine to the one requesting it (but in this case is actually the same) and as a result end up with a straightforward mechanism to have your users socially engineered into giving Johnny Badman a valid auth token despite webauthn nominally being unphisable (as described years ago), or you reduce that risk somewhat by spawning a local server and POSTing the token back to it - which works locally but doesn't work well if you're dealing with trying to auth on a remote device. The user experience for both scenarios sucks, and it reduces a bunch of the worthwhile security properties that modern MFA supposedly gives us.
There's a third approach, which is in some ways the obviously good approach and in other ways is obviously a screaming nightmare. All the browser is doing is sending a bunch of requests to a remote service and handling the response locally. Why don't we just do the same? Okta, for instance, has an API for auth. We just need to submit the username and password to that and see what answer comes back. This is great until you enable any kind of MFA, at which point the additional authz step is something that's only supported via the browser. And basically everyone else is the same.
Of course, when we say "That's only supported via the browser", the browser is still just running some code of some form and we can figure out what it's doing and do the same. Which is how you end up scraping constants out of Javascript embedded in the API response in order to submit that data back in the appropriate way. This is all possible but it's incredibly annoying and fragile - the contract with the identity provider is that a browser is pointed at a URL, not that any of the internal implementation remains consistent.
I've done this. I've implemented code to scrape an identity provider's auth responses to extract the webauthn challenges and feed those to a local security token without using a browser. I've also written support for forwarding those challenges over the SSH agent protocol to make this work with remote systems that aren't running a GUI. This week I'm working on doing the same again, because every identity provider does all of this differently.
There's no fundamental reason all of this needs to be custom. It could be a straightforward "POST username and password, receive list of UUIDs describing MFA mechanisms, define how those MFA mechanisms work". That even gives space for custom auth factors (I'm looking at you, Okta Fastpass). But instead I'm left scraping JSON blobs out of Javascript and hoping nobody renames a field, even though I only care about extremely standard MFA mechanisms that shouldn't differ across different identity providers.
Someone, please, write a spec for this. Please don't make it be me.
2025 NYC Primary Election Recommendations
Jun. 24th, 2025 02:32 pmsumana_feedLast-minute recommendations for New York City's Democratic primary election. (Early voting concluded Sunday; tomorrow, Tuesday the 24th, is the final day to vote.)I'm going to start with lesser-publicized races and move up the ballot.Western Queens …