Technology Stir Fry, the blog

In which I renew my S/MIME certificate. Again.

TL;DR: still not a great experience. Some small hopeful signs.

In which I eventually get round to talking about how to convert containerised applications from something like Docker into the equivalent running as LXC containers under Proxmox.

In which things actually didn’t get worse in the PGP/GPG ecosystem, for a change.

In which I rant about Chrome and “Privacy” Sandbox.

I have been blogging at iay.org.uk for twenty years. Crikey.

Some thoughts after a year on Mastodon, including the move to a new instance.

Alongside “don’t drink coffee too late at night” I have a new rule to make sure I get a good night’s sleep: “never fire up Wireshark after 10pm”.

This article documents a particularly niche issue I ran into which took a while to debug and resolve. I’ve posted it for the benefit of search engines, so that the next person to run into these exact conditions might save a few hours. You’re welcome.

This is probably interesting only to someone in my exact situation, so most people should find some cat pictures to look at instead. If you’ve been directed here by a search engine because you’re tearing your hair out, though, read on.

So, I used to follow you on Twitter, but now I don’t. What’s up with that?

This morning, I was having a conversation with a colleague about the UK federation’s metadata publication system. We needed to reference the order of operations and I remembered that I had once published an article about this system, along with a diagram illustrating just the point under consideration.

Pulling up the article in question, I was slightly surprised to find that the original article was published exactly ten years ago today.

The original architecture of this system was deliberately flexible, because we didn’t really know for sure the environment we’d be operating in. It’s gratifying, therefore, to see that the basic design has held up well enough that we can still use the article as an informal reference.

In detail, of course, things are different now than we anticipated and the deployed system has aspects which are simpler than a decade ago, as well as others which have required some elaboration. At present, for example, eduGAIN has been successful enough that it is currently the only active source of metadata other than that registered by the UK federation itself. On the other side, we produce a number of additional outputs today that we hadn’t really considered at the time, the most important of those probably being that we now publish per-entity metadata as well as the aggregate metadata illustrated.

Another major change – one that happened in 2013, about a year after the article was published – was that we started publishing the tooling itself in a GitHub repository for the benefit of other organisations working in the same area. I remember the big challenge there being that the original repository (which dated back to 2004) contained customer data; the version we published had to be filtered using git filter-branch for privacy (see the ukf-meta-meta repository for the gory details). We’ve since rebased our development so that our internal repository matches the published one except that we don’t expose development work in progress. I’m really glad not to be reliant on filter-branch any more, and I’m sure any reader who has dipped a toe into those waters will sympathise.

Anyway: Happy birthday, helpful diagram!