ChanServ changed the topic of #freedesktop to: https://www.freedesktop.org infrastructure and online services || for questions about freedesktop.org projects, please see each project's contact || for discussions about specifications, please use https://gitlab.freedesktop.org/xdg or xdg@lists.freedesktop.org
noraj has quit [Read error: Connection reset by peer]
JanC is now known as Guest15306
JanC has joined #freedesktop
Guest15306 has quit [Ping timeout: 480 seconds]
scrumplex_ has joined #freedesktop
scrumplex has quit [Ping timeout: 480 seconds]
JanC is now known as Guest15310
JanC has joined #freedesktop
Guest15310 has quit [Ping timeout: 480 seconds]
georgc has joined #freedesktop
gchini has quit [Ping timeout: 480 seconds]
alanc has quit [Remote host closed the connection]
alanc has joined #freedesktop
phire_ has joined #freedesktop
phire is now known as Guest15313
phire_ is now known as phire
Guest15313 has quit [Ping timeout: 480 seconds]
kode54 has joined #freedesktop
JanC is now known as Guest15321
JanC has joined #freedesktop
Guest15321 has quit [Ping timeout: 480 seconds]
guludo has quit [Quit: WeeChat 4.6.1]
eluks has quit [Remote host closed the connection]
eluks has joined #freedesktop
swatish2 has joined #freedesktop
alarumbe has quit [Quit: ZNC 1.8.2+deb3.1+deb12u1 - https://znc.in]
jsa1 has joined #freedesktop
mfilion has joined #freedesktop
JanC is now known as Guest15332
JanC has joined #freedesktop
Guest15332 has quit [Ping timeout: 480 seconds]
jsa1 has quit [Ping timeout: 480 seconds]
georgc has quit [Quit: Leaving]
gchini has joined #freedesktop
gnuiyl has quit [Ping timeout: 480 seconds]
swatish21 has joined #freedesktop
gnuiyl has joined #freedesktop
swatish2 has quit [Ping timeout: 480 seconds]
gnuiyl has quit [Ping timeout: 480 seconds]
sima has joined #freedesktop
tzimmermann has joined #freedesktop
ximion has quit [Remote host closed the connection]
jsa1 has joined #freedesktop
<bentiss>
FWIW, I still haven't receive feedback from fastly regarding bot protection, so I'll try to enable anubis and a more strict caching policy (only `^/assets`), and see how it goes
<bentiss>
this will be switched on during the day I think
<karolherbst>
good luck
<bentiss>
either I broke everyone's workflow, either this had a nice impact on the servers :)
AbleBacon has quit [Read error: Connection reset by peer]
<bentiss>
Which image pasting service I can use to show a couple of graphs???
<karolherbst>
bentiss: nah, that's the usual impact with anubis
<karolherbst>
well..
<karolherbst>
usually the impact is bigger 🙃
<karolherbst>
reduction of 90% load is kinda the norm
<bentiss>
I'm still happy with the impact on gitaly, as that means faster queries for legitimate clients
<karolherbst>
bentiss: maybe turn down the difficulty a bit :D
<bentiss>
git pull over https still works so... we are good?
<karolherbst>
yeah.. git pull seems to work here
<bentiss>
karolherbst: you mean turn up? from 4 to 5?
<karolherbst>
nah. maybe starting with 3.. 4 can already be kinda slow
<bentiss>
5 was barely usable in the tests
<karolherbst>
like on a beefy laptop it even might take a second or two
<karolherbst>
took 5 seconds here
<bentiss>
oh, it took 400 ms here
<bentiss>
with a 5 year old desktop
<karolherbst>
I get 40 kH/s but I think something is up with my laptop...
<karolherbst>
or the power profile stuff is just broken
<bentiss>
anyway, lunch here, I'll monitor over the afternoon
<karolherbst>
have fun
<bentiss>
FWIW, it seems that part of the traffic is still not using anubis, which might explain the little gain
johnny0 has quit [Quit: leaving]
JanC is now known as Guest15343
JanC has joined #freedesktop
Guest15343 has quit [Ping timeout: 480 seconds]
<bentiss>
finally, 0R/s on the gitlab endpoint... and still have 126 R/s on the anubis one. We used to have 150 on gitlab so I guess it's better, but not absolutely fabulous
haaninjo has joined #freedesktop
swatish21 has quit [Ping timeout: 480 seconds]
<eric_engestrom>
bentiss: some jobs are running without outputting any logs and seem to run forever without making progress, is that a possible fallback from enabling anubis?
<bilboed>
bentiss: the API endpoints aren't protected by anubis, right ?
<bentiss>
bilboed: yeah, only GET requests are
<bilboed>
👍️
<bentiss>
and it's not entirely protected. I forward the request once to anubis, and if the client gets the cookie, I validate it at the fastly level and bypass anubis entirely
<bentiss>
if anyone wants to help, it's in rust, so that's a lot of fun... :-)
Traneptora has joined #freedesktop
Guest15350 has quit [Ping timeout: 480 seconds]
<mupuf>
Berenguer1931[m]: do you think we'll need to cancel all the jobs thast were running on hardware farms?
<mupuf>
bentiss: ^
ximion has joined #freedesktop
<bilboed>
oh wow, all requests at fastly go through rust code ?
<bentiss>
bilboed: yep, it's compiled in webasm and fastly executes that at the edge... (/me learned a lot of new terms)
<bentiss>
mupuf: maybe?
<mupuf>
bentiss: hehe, ok
<mupuf>
bentiss: seems like they got themselves unstuck
<mupuf>
so, all good!
<bentiss>
\o/
<mupuf>
congrats for entering the 22nd century, with rust compiled to webasm :D
<bentiss>
I know... this is a quite a feat :)
<bentiss>
Also, FWIW, the anubis config in itself is properly unconfigured, so maybe someone else could help on that
<bentiss>
(i.e. just pulling latest image and run)
<mupuf>
seems to work well. Was just a bit slow on my phone (22 s)
JanC is now known as Guest15351
JanC has joined #freedesktop
jsa1 has joined #freedesktop
Guest15351 has quit [Ping timeout: 480 seconds]
JanC is now known as Guest15353
JanC has joined #freedesktop
Guest15353 has quit [Ping timeout: 480 seconds]
swatish2 has quit [Ping timeout: 480 seconds]
pixelcluster_ has joined #freedesktop
mripard has joined #freedesktop
pixelcluster has quit [Ping timeout: 480 seconds]
<eric_engestrom>
thanks bentiss for the fix, and for putting anubis in place 🙏
JanC is now known as Guest15359
JanC has joined #freedesktop
<DemiMarie>
bentiss: I know Rust!
<bentiss>
heh
Guest15359 has quit [Ping timeout: 480 seconds]
<karolherbst>
bentiss, mupuf: I figured it out... it's _super_ slow only on firefox. Same machine with chromium it's pretty much instant
<karolherbst>
but no idea why it's so slow with firefox :D
<karolherbst>
maybe xe has any ideas?
<karolherbst>
or maybe firefox users just get punished or something :P
JanC is now known as Guest15362
JanC has joined #freedesktop
andy-turner has quit []
<Xe>
karolherbst: i've been trying to figure that out myself
<Xe>
i'm going to prioritize the wasm port for the checker as a stopgap
<karolherbst>
yeah.. maybe the JS engine is just bad or you hit bad patterns and the JIT can't make it go fast
<Xe>
my guess is that my intent on going from JIT to highly optimized C++ browser internals is a bet that did not pay off lol
<karolherbst>
heh
<Xe>
additional fun part
<Xe>
i do all my development on firefox
Guest15362 has quit [Ping timeout: 480 seconds]
<Xe>
so this just registers as "normal" for me
<karolherbst>
mhhh
<karolherbst>
it's quite fast on chromium
<Xe>
yeah, i am willing to bet that chromium does what i expect firefox to do
Consolatis_ has joined #freedesktop
Consolatis_ is now known as Consolatis
<karolherbst>
which algo is used anyway?
<karolherbst>
or what's the math problem
<karolherbst>
I never checked the details :D
<Xe>
naïve sha256 get leading number of zeros :D
<karolherbst>
mhhh
<karolherbst>
sounds like something that an optimizer could mess up if it doesn't use sha instructions
<dwfreed>
basically xe implemented bitcoin :D
* dwfreed
ducks
<Xe>
dwfreed: i mean, i implemented hashcash but bitcoin implemented hashcash
<dwfreed>
right
<Xe>
also "design" is a very strong word for this implementation, the rust one is a lot more designed than this is lol
<karolherbst>
anyway.. I hope the wasm port is going to help there a lot
<Xe>
another stopgap is to port the thing to use an in-JS sha256 library
<Xe>
but i trust javascript about as far as i can throw it, i have muscle weakness due to medication, and i'm unable to grasp or throw concepts
<Xe>
er, pure JS cryptographic code*
<karolherbst>
I think the argument in favor of a widespread used in-JS library is, that the JS JIT developers probably used it to optimize their JIT
<Xe>
as soon as I ship v1.18.0 later today i'm gonna rescue the wasm checker port and reduce scope to square peg -> round hole into existing anubis
<karolherbst>
and I wouldn't be surprised that firefox' pattern matching to detect where the sha instructions could be used, might trigger more reliably there
<karolherbst>
heh
<karolherbst>
have fun
<Xe>
the 28KB of wasm uses SIMD128 so it's fast enough that it's a logistical difficulty lol
<karolherbst>
mhhh
<Xe>
it also does bit-wise difficulty scaling so i'm gonna have to figure out a migration path :)
<karolherbst>
I'd look at it like this, if anubis gets big enough, that scrappers will try to get around it, they'll probably replace your code with something that's super fast
<Xe>
yeah, tbh, sha256 like this is bait
<Xe>
i'm waiting for an AI company to make a bypass by doing GPU offloading
<Xe>
then tweak things slightly and gain herd immunity :)
<karolherbst>
heh
<Xe>
long term i'm going to have 64 variants of proof of work and tweak things so that proof of work is shown less often
<Xe>
the kinda cool part about the implementation in wasm is that it runs the same binary on both the client and the server so that everything is in lockstep
<karolherbst>
it's kinda a pain how this residential business model works, because you can't even trust that a second connection from the same IP isn't malicious...
<Xe>
i've been looking at options, but sadly there's difficulties there :(
<karolherbst>
yeah...
<daniels>
karolherbst: residential IP reputation stopped being viable as a concept 20 years ago
<karolherbst>
heh fair
fomys_ has joined #freedesktop
<daniels>
CGNAT, your uncle's inexplicable attachment to his Android 4.4 phone, your IoT toaster, etc
<karolherbst>
tbf, if my toaster wants to access gitlab, who am I to judge
<eric_engestrom>
fraking toasters
<eric_engestrom>
(battlestar galactica reference)
JanC is now known as Guest15364
JanC has joined #freedesktop
<karolherbst>
I'm curious if this also solves our bot sign up problem...
<Xe>
from what i've seen elsewhere: yes
<karolherbst>
mhhh
<Xe>
karolherbst: could you get me in contact with the person that set up the gitlab k8s manifest? I'd like to see what ingress controller you're using so I can see if a Terrible Idea™ works
<karolherbst>
I'm sure bentiss set it all up
Guest15364 has quit [Ping timeout: 480 seconds]
JanC is now known as Guest15366
JanC has joined #freedesktop
<DemiMarie>
does anyone see this message?
<Xe>
DemiMarie: yes
<DemiMarie>
xe: your reliance on browser crypto really helps people with hardened browser configs, including what I believe is (or might be) MS Edge when visiting a website that one hasn't visited recently
<Xe>
no problem! glad it helps :)
<DemiMarie>
xe: one of the most common and effective hardening measures is disabling JIT
<DemiMarie>
it's the default in GrapheneOS
Guest15366 has quit [Ping timeout: 480 seconds]
<DemiMarie>
Lockdown mode on iOS enables it too, and I believe MS Edge disables JIT for websites one hasn't visited before
<Xe>
I haven't been able to test things on GrapheneOS due to not having hardware that can run it
<DemiMarie>
Lockdown on iOS also disables WebGL and WebGPU