Reading view

There are new articles available, click to refresh the page.

Fragile laws, broken laws, outdated laws

The most powerful authoritarian government in the world has locked down its most economic productive city over a month ago. It has since mobilised Shanghai municipal government, Chinese army, local volunteers, and ordered other provinces to send help to Shanghai. Yet, despite all the effort (at least seen on the news), Shanghainese are starving, literally. Many hospitals are closed to non-COVID patients, many with long term diseases are therefore unable to sustain treatment, resulting in unnecessary casualties. Everyday there are reports of citizens, civil servants, medical staff and other people sustaining the fallout. Local government overwhelmed, logistics broken down, people committing suicides, and until very recently, infected children regardless of age being separated from their non-infected parents. It is difficult to state the seriousness of the situation in Shanghai. It is more than dire, it is hopelessness.

The United States is the proceeding global power after the collapse of the United Kingdom. Both countries share the common law system, and has intertwined origins. For those not familiar with the terms ‘civil law’ and ‘common law’, they refer to different systems of laws where the major difference is court judgements in common law jurisdictions typically hold precedent value, meaning case outcomes for similar situations tend to be similar, whereas judgements in civil law jurisdiction typically do not hold precedent value. This means that in civil law, the law is the law as interpreted by different courts each time, while in common law, the law is the law as created and evolved through court judgements. Court cases in common law can be more important than the law itself, as it provides additional meaning. The US Supreme Court famously ruled same-sex marriage to be constitutionally protected when the US constitution said nothing about same-sex marriage.

Common law provides more flexibility for the society and freedom for the individual. While most civil law countries require a mandatory national ID, Hong Kong and Singapore are the only common law ones requiring so. However, as technology and how the world is shaped continues to progress, the common law system in its current form fails to keep up with its time.

Employment laws are unable to address the issues of remote work, since the assumption was employment had to be performed at the work site. Hong Kong recently faced such a dilemma of the validity of treatment prescribed by a physician licensed in Hong Kong while being physically outside of Hong Kong to a patient in Hong Kong. Where do one country end and another began? Once I step on a Cathay flight taking off from New York, Hong Kong laws apply and I can get my wine legally before 21. Laws are created based on assumptions from past experiences, and as such is unable to fulfil their original intentions when the underlying assumption has shifted dramatically.

The fundamental issue hindering arguments for a planned economy is justified in criticism towards the current legal system. Information is asymmetrical for different stakeholders and even if it is perfectly shared, there is latency which means circumstances on the ground would have changed by the time a decision comes from the top, and thus no longer reflects the actual needs. Government and firms are in direct contrast with each other. While government acts with authorisation of law, companies act without prohibition of law.

Despite all the criticisms Chinese legal system gets (often quite rightly so), there are lessons that can be learnt. Chinese cities and counties are empowered to make regulations that have legal force to govern themselves as they see fit. This is contradictory to the usual image that China as a unitary state, which will perhaps be explored in a future article. Back to the point, what China has done is essentially employing different cities to test out different regulations in action, before compiling lessons learnt in all of them and create a single uniform law. This is a very pragmatic approach and allows for a very efficient legal system, one that is both needed to support the tremendous growth and to govern a country of over a billion. Shanghai in 2022 shows what could happen if a government is not as efficient as the market, which is (almost) always. Similar results can be expected from laws that fail to keep up with the times.

In a globalised world dominated by multinational firms, companies choose the government they work with instead of the other way around. Venue shopping on a global scale. It is a world where some companies are more powerful than many countries, and while becoming entirely subordinate to the will of private firms is not something any country would wish for, it is increasingly the reality. While seemingly different on the surface, the government and firms actually have a lot in common. Government is just as concerned about the bottom line as companies are, except the word for it is “GDP”. Shareholders the citizens, board of directors the cabinet, and share price the Human Development Index (HDI). Whatever you call it, the fundamentals do not change. Trust in the future keep shareholders from selling and citizens from emigrating, good management keep employees from quitting and citizens from “laying down” (躺平 tang ping, a Chinese social trend similar to the “anti-work” sentiment), and satisfactory growth keep the seat at the highest office, and revolutions at bay. Dollars keep companies coming and governments running. Firms and governments are not that different after all. As such, it is even more surprising to see the lack of communication and cooperation between them, to the point of viewing each other as enemies. Given interaction is long term, this cannot be simply explained by calling it a Prisoner’s dilemma but rather long term game theory applies, to an extent. The problem is the government’s priority changes every few years once someone new is elected, rendering prior co-ooperation meaningless. Singapore provides clues in the way out, maintaining consistent governing standards over decades. While it is certainly not perfect, it is most definitely better than the United States’ system offers. “Checks and balances”, more like “Clogged and barely functions”.

“Empires … are little more than sandcastles. Only the tides are forever”. — Inspector Kido, Man in the High Castle

Tide has turned. Tide will turn. Tide is turning.

The Bund, Shanghai (Taken in 2018)

把日常阅读的网页,用 RSS 推荐给好友

虽然大家写 blog 的频率都没那么勤了,但是,RSS 还是有其它可以玩的方式的!

很多人都有用各种 read it later、或者书签类工具,把有意思的网页保存下来。在这些工具里,可以通过某些手法,把一些想要分享的网页,生成 rss。其他好友订阅这个 rss 地址,就可以自动刷新,看到你推荐的文章啦!

下面介绍一些,常见的书签网站,生成 rss 的方式。但首先——

  • 这些生成的 rss 地址里,大多都内嵌着网站的验证码,容易泄密,也冗长而不简洁。强烈建议:得到 rss 后,先用 Feedburner 之类的网站,转成新的 rss,再分享出来,可以去掉原先网址里的隐私信息。
  • 很多网站,并没有专门用来 share 的分类,只能通过曲线手段,把已经 archive 或者 star 的类别分享出来。这可能会影响你原本的使用习惯。
  • 一些网站生成的 rss,并没有全文,甚至只有标题和链接地址。没关系,能看到大家的推荐,就已经很好了,自己点开就可以啦。
  • 大多数 rss 订阅工具里,也都有发送给 read it later 的功能,可以辗转着,把自己订阅的文章分享给他人。

我的 RSS 分享地址是:

https://feed.fivest.one/readings
或者
https://feeds.feedburner.com/fivestone/readings

有兴趣和我分享的,欢迎留言或私信交换!!


Instapaper 免费版

感觉 Instapaper 生成 RSS 的功能是最好用的,可以把特定的文件夹设为公开,直接得到它的 rss,形如:

https://instapaper.com/folder/1234567/rss/123456/Vciysdfsd7mod9B
  • 在左边栏创建新的 Folder,存放想要分享的文章;
  • 进入这个 Folder,在页面上方选择 Edit,设置成 Public;
  • 点击页面右上角的下拉菜单,选择 Download;
  • 下载为 RSS Feed,就得到 RSS 地址了。

Pocket 免费版

好像 Pocket 的免费用户,内容都只能是公开的(无语…),只要知道了用户名,就可以通过 RSS 查看全部的内容(所以生成的 rss 需要转录才安全)。而且不能自定义分类,只有默认的:

https://getpocket.com/users/USERNAME/feed/all
https://getpocket.com/users/USERNAME/feed/unread
https://getpocket.com/users/USERNAME/feed/read

最后一条 …/read 会返回所有 Archived 了的文章,可以勉强用它作为分类的手段。

Readwise

这个只有收费版,我就不去试了。有它家的用户,可以帮忙把生成 rss 的方法分享一下?

Wallabag

我在用 Wallabag,可以自建,也有收费的服务可用。生成的 rss 是全文输出,效果很好。在 Config – Feed 里,生成一个 token,然后点开任何一个 tag,点击列表上方的 rss 图标,就可以得到这个 tag 的 rss 订阅(生成的地址里带着统一的 token,所以需要转录才安全):

https://wallabag.your.domain/feed/USERNAME/asdfghjkl/tags/t:share

在外置硬盘上,加密安装 ubuntu

需求:

  1. 在便携硬盘盒(M.2 SATA/NVME)安装 Linux(Ubuntu/Zorin),以便在不同的电脑上都可以启动使用。
  2. root 级别的系统分区加密(使用 LUKS & LVM)。
  3. 不要把整块硬盘都加密,而是在硬盘上保留一个未加密分区。这样也可以作为普通的移动硬盘使用。

——这篇攻略和是否外置硬盘盒,没多大关系。普通内置硬盘也可以这样加密安装。

最新的 Ubuntu 22.04 之后的版本,在安装界面里自带了 LVM 全盘加密安装的选项。但是并不能满足第 3 条需求。所以还需要一些复杂的手动操作。

安装过程尽量围绕 ubuntu 的图形安装界面,对新人友好。参考并验证了这篇教程。但原文连同 /boot 引导分区也一起加密了,于是在配置上略显繁琐。我觉得加密 /boot 并不是很有必要,做了一些改动。最终的硬盘分区结构为(以 512GB 硬盘为例):

  • 大约 800MB,EFI 引导分区
  • 大约 300GB,LUKS 加密分区。在其中配置 LVM 逻辑分区:
    • 2GB,swap 交换分区
    • 大约 300GB,Ubuntu 系统分区 root /
  • 大约 200GB,普通移动硬盘分区

操作步骤:

下载 Ubuntu,制作 USB 安装盘(过程略)。——然后,强烈建议在整个安装过程之前,在电脑的 BIOS 里,把内置的其它硬盘暂时卸载。

插上移动硬盘和 USB 启动盘。从 U 盘启动电脑,选择 Try Ubuntu。最新的 Ubuntu 22.04 安装程序里,已经内置了所需的 cryptsetup 和 cryptsetup-initramfs 软件包。因此,整个安装过程中,应该不需要连接互联网。

首先,把硬盘预分区。分区软件有很多种,可以用原文的 sgdidk,也可以直接用图形界面下的 Disk 或者 Gparted。在硬盘上创建 GPT 分区表,然后分成:

  • 大约 800MB,EFI 引导分区
  • 大约 300GB,要加密的系统分区
  • 余下的约 200GB 移动硬盘

这些分区都先不用格式化。记住第二个分区的名字,本文假定为 /dev/sda2。

分区成功后,关闭分区软件,打开 Terminal 命令界面,执行 root 权限

sudo -i

将系统分区加密。按提示输入密码,——这个密码,就是以后每次启动时,挂在硬盘用的密码。和安装 Ubuntu 时的用户密码,并不是一回事。

cryptsetup luksFormat --type=luks1 /dev/sda2

解锁刚刚加密的分区:

cryptsetup open /dev/sda2 hd2_crypt

创建逻辑卷组(LVM),然后在其中创建 2GB 的 swap 交换分区,再把剩余的空间创建为系统分区(这两个分区的大小,大家自行调整):

pvcreate /dev/mapper/hd2_crypt

vgcreate ubuntu--vg /dev/mapper/hd2_crypt

lvcreate -L 2G -n swap_1 ubuntu--vg

lvcreate -l 100%FREE -n root ubuntu--vg

然后,运行桌面上的 Ubuntu 安装程序(Terminal 先不要关),在磁盘分区页面,选择 Something else,进行手动分区。

  • 把 /dev/mapper/ubuntu—-vg-root 格式化成 ext4,挂载为系统根目录 /
  • 把 /dev/mapper/ubuntu—-vg-swap_1 设为 swap 交换分区
  • 把 /dev/sda1 设为 EFI 引导分区

点击 Install Now,确认对分区的设置。注意,到了下一步创建用户的界面时,先不要继续。切换回 Terminal 命令行界面,正式安装前,在 GRUB 中启用加密(能看懂下面这些命令的话,也可以直接去编辑相应的文件):

while [ ! -d /target/etc/default/grub.d ]; do sleep 1; done; echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg

然后回到创建用户的页面,点击继续,开始安装系统。安装结束后,先不要 restart。而是点击 Continue Testing。

回到 Terminal 命令行界面,chroot 到新装的系统:

mount /dev/mapper/ubuntu----vg-root /target

for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done

chroot /target

mount -a

原文说此时需要(联网)安装 apt install cryptsetup-initramfs;但我用的 ubuntu 安装程序已经自带了,并不需要联网安装软件包。

添加密钥文件相关设置:

echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook

echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf

创建密钥文件并将其添加到 LUKS

mkdir /etc/luks

dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=512 count=1

chmod u=rx,go-rwx /etc/luks

chmod u=r,go-rwx /etc/luks/boot_os.keyfile

将密钥添加到 boot_os.file 和 Crypttab

cryptsetup luksAddKey /dev/sda2 /etc/luks/boot_os.keyfile

echo "hd2_crypt UUID=$(blkid -s UUID -o value /dev/sda2) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab

更新 Initialramfs 内核映像

update-initramfs -u -k all

此时全部结束。可以重启系统啦。


关于这个硬盘密码:

  • 是用来防止,别人拿到这块硬盘时,无法查看硬盘的文件;
  • 并不能防止,当你登入系统后,因为系统漏洞或操作失误,而造成的入侵;
  • 这个密码,如果忘记了,硬盘里的文件,就再也无法看到了!!(有添加 recovery 的操作,但我觉得没必要);
  • 每次开机启动时,都要输入一次这个密码。所以,虽然密码需要足够复杂,但最好选一个,自己能方便记住,日常使用的方式。

如何修改硬盘密码:

最简单的方式,是在已经启动的移动硬盘系统里,先通过 disk 等分区软件,确认加密分区的名字(这里假设仍然是 /dev/sda2,但实际上不一定了),打开 Terminal 界面,

sudo -i

cryptsetup luksChangeKey /dev/sda2

按照提示,输入旧密码,再输入两遍新密码。最后,更新 initramfs,

update-initramfs -u -k all

就可以了。

Mastodon: 将媒体文件存放在本地(docker 版)

本攻略适用于——

  • 自建 mastodon(非大站)
  • 使用 docker compose
  • 将媒体文件直接保存在服务器上,而不使用 s3 外部存储

这个搭配虽然不多见,但其实用起来满爽的。很多人用的 s3 服务都是在薅羊毛,而 mastodon 那个变态的,把别人家的媒体文件缓存到自家的架构,流量的吞吐其实很大的(开了 relay 就更夸张),薅羊毛时很容易就超出了。反而是 vps 本身的流量上限很高。对于个人建站而言,媒体文件总量通常 <50GB,某些 vps 自带 200GB 硬盘,足够用了。

缺点是,除了数据库定期备份外,也要考虑媒体文件的异地备份问题。但其实只需要备份存储本地附件的 media_attachments,而 cache 是不需要备份的,所以工作量也不大。

两年前我把媒体文件转移到本地时,参照了 antisocial science 的设置。但因为我用 docker,官方默认的设置,docker 内外权限不一致,无法将媒体文件写到本地。于是匆匆又在本地建了个 minio s3 来中转……这样其实很浪费资源了,minio 的开销也不小。所以最近趁着搬家,又试了一下,终于把 docker + 本地存储 跑通了。


1. 在 docker-compose.yml 里,

web 和 sidekiq 容器中,已经预设了媒体文件的卷映射

volumes:
- ./public/system:/mastodon/public/system

这个不用动。——也可以改成其它的路径,但要和后面的设置一致(本文用相同的颜色标明)。

2. 修改 .env.production

S3_ENABLED=false
PAPERCLIP_ROOT_PATH=/mastodon/public/system
PAPERCLIP_ROOT_URL=/fivestone-mastodon-media

PAPERCLIP_ROOT_URL 是服务器的所有媒体文件链接的子文件夹名称,形如:

https://mastodon.fivest.one/fivestone-mastodon-media/media_attachments/.../x.jpg

默认值是 /system;但是建议改成独特一些的名字,而且建议和 S3_BUCKET 一致。以后需要在本地存储和 s3 之间转换时,可以省一点心。(所以要独特一些,防止回头在 s3 上和别人撞名)

3. 修改 nginx 的域名配置文件

参照官方的配置,把域名文件夹里的 proxy_pass ,直接改成本地的 alias

server 
{
  server_name mastodon.fivest.one;
# ......

  location /fivestone-mastodon-media/
  {
    alias /path-to...docker-compose-folder/public/system/ ;

    proxy_cache CACHE;
    proxy_cache_valid 200 48h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_lock on;

    expires 1y;
    add_header Cache-Control public;
    add_header 'Access-Control-Allow-Origin' '*';
    add_header X-Cache-Status $upstream_cache_status;
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
  }
}

然后重启 nginx

sudo systemctl reload nginx.service

4. 通过 docker 设置媒体文件夹的权限

在 docker 内部,是以 mastodon 用户的身份,来运行程序的,所以要把媒体文件夹的所有者改成(docker 内部的)mastodon:

sudo docker-compose run --user=root --rm web chown -R mastodon /mastodon/public/system

如果是从 s3 迁移到本地,把媒体文件移入这个本地文件夹(/path-to…docker-compose-folder/public/system/)后,也要再执行一遍上面这条命令。

或者在 mastodon docker 服务已经启动的情况下,执行:

sudo docker exec -u 0 mastodon_container_web chown -R mastodon /mastodon/public/system

但在这条命令执行结束之前,mastodon 在后台写入媒体文件时,仍然可能出现文件夹权限不足,无法写入的问题。

❌