
Posts
0
Comments
315
Joined
2 yr. ago

  • Thanks for weighing in. That's historically been my take as well, although as of this thread I'm starting to wonder if modern PHP can be better and/or particular projects can be.

  • Ehhh I would say then you have probabilistic backups. There's some percent chance they're okay, and some percent chance they're useless. (And maybe some percent chance they're in between those extremes.) With the odds probably not in your favor. 😄

  • I'm not sure that analogy quite holds (it's not like the Ryobi tools are left connected to the building as a critical component of the HVAC system or something), but I like the image anyway. :D

  • Good to hear that many of PHP's "bad old days" issues have been fixed. That lines up with what other commenters here have said. I actually wrote some PHP way back then but not since, and I think that may have unfairly colored my current-day views on the language.

  • That all seems prudent and reasonable. I guess some of my own anxiety is about how exactly I'll evaluate projects like you're talking about. I can (and do) certainly look at whether a project is actively developed before selecting it. Not just for security reasons... I don't want to bet on a horse that won't get updated with fixes and features. But for security in particular, I guess I was hoping for ways to evaluate that for a project... without exhaustively poring over its source. Maybe, to your point, the other mitigations you listed should be sufficient, and I should worry more about that side of things than picking the perfect project.

  • Lol, I really appreciate your thoughts! These are exactly the sort of insights I came here for. I hope this is useful to others too who may be wondering about the same thing.

  • That makes sense. Maybe then the trick is to look at whether any particular app (PHP or otherwise) is written with modern security practices. How do you judge a project's security practices though?

    And then, yeah, maybe also lock it down in a container so the blast radius of any actual exploit is pretty minimal.

  • Awesome, good to hear from an actual PHP dev. I assume then you're also fine self-hosting third-party PHP applications? How do you make the call on whether it's okay to host from a security perspective? The same as with software written in any other language?

  • I fully admit I may be doing this wrong. But in order to connect to a server over WireGuard I'm connecting to it over its WireGuard IP address. (And if I'm not connecting to it over WireGuard, I don't connect to it over a WireGuard IP address.) It's relevant to note that I'm not using WireGuard as a traditional VPN where all traffic bound for the internet is tunneled over WireGuard. Instead, I'm using it strictly for point-to-point tunneling from a client to one of my servers. In other words, my default routes don't go to WireGuard. Maybe that's the difference here?

  • The app that comes to mind as having problems with changing IPs is the Home Assistant app. It would simply lose connectivity when the IP changed and never do another DNS lookup to connect again... I always had to restart it. The "solution" for me was not to change IPs and just leave WireGuard on. It's cool that Ultrasonic handles it though.