It depends on what you're using for the resolver.
I'm assuming you only care about gethostbyname(3) and friends. With glibc that means nss; generally you're also looking at libnss_dns.so, which uses glibc's resolv (copied from BIND). This doesn't include enough configuration to do what you suggest; it pretty much just points everything towards a server.
So you have two options: use a different NSS module (maybe write your own?) or have a proxy DNS resolver that sends different requests to different places.
systemd-resolved actually handles the first option pretty well (although it would prefer that you use the dbus interface over gai). It can handle multiple interfaces with separate domains and split DNS fairly well! (Not so good with reverse DNS, unfortunately. But I get it, reverse DNS is pretty hacky anyways.)
If you prefer the forwarder route, dnsmasq seems to be fairly popular these days in the embedded world and elsewhere.
If I were you, I think I'd write a short NSS module or use dnsmasq, depending upon your needs.
Indeed, dnsmasq seems to be the least painful way to provide special DNS zones, special host files, and forwarding for everything else.
Also, your resolv.conf becomes trivial.
The trick is to grab the DHCP-provided DNS server address on reconnections and update the forwarding, if you use a laptop. For VMs in the cloud, it's not a problem, of course.
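The setup described in the comments above, as an added example that is not part of the original posts: a dnsmasq configuration with per-zone forwarding, an extra hosts file, and upstream servers read from a file that the DHCP client rewrites on each lease. The domains, addresses and file paths are placeholders chosen for illustration.

```conf
# /etc/dnsmasq.conf
# Constructed example: every domain, address and path below is a placeholder.

# Answer only on loopback so the forwarder is not reachable from the network.
listen-address=127.0.0.1
bind-interfaces

# /etc/resolv.conf now contains the single line "nameserver 127.0.0.1",
# so upstream servers must come from somewhere else. Point dnsmasq at a
# separate file in resolv.conf format; the DHCP client hook rewrites it on
# every new lease, and dnsmasq re-reads it when its modification time changes.
resolv-file=/run/dnsmasq/upstream.conf

# Special zones: names under these domains are sent to a specific server
# instead of the DHCP-provided upstream.
server=/corp.example/10.20.0.53
server=/lab.example/192.168.50.1

# Special hosts file in /etc/hosts format, read in addition to /etc/hosts.
addn-hosts=/etc/dnsmasq.hosts

# Never forward plain names (no dots) to upstream servers.
domain-needed

# Everything not matched above is forwarded to the servers listed in
# /run/dnsmasq/upstream.conf.
```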
The better analogy in this case would be to an AmazonBasics USB cable, not to a phone charger.
Are there issues when anyone can provide a product? Yes. But this would certainly not involve Amazon opening the storefront to allow selling any sort of drugs, but rather them sourcing generic product themselves and selling it as private label.
I would have no problems trusting this product to be genuine, just as I have no problems trusting their other private label products. It's a different sort of issue.
> The better analogy in this case would be to an AmazonBasics USB cable
What's the story here? I purchased one (that failed quickly) and then another - which also failed - and gave up on those. I've actually never found a USB cable (that I often use as a charger) that I liked, but I've never set out on a quest to do so...
I've only bought AmazonBasics lightning cables for a while now, they work great IMO. I've had maybe one or two fail out of a dozen or two that I own, and its failure was caused by pinching from my car console.
I'm deeply saddened to hear that the Seattle Mystery Bookshop is closing. This feels like something easily missed in today's automation-based economy; the ability to go to an expert and get quality recommendations is not to be missed. Seattle Mystery Bookshop was only one of many excellent book stores in the Seattle area, but it seems that their number is diminishing by the day. I can only assume that that trend holds firm in other cities, and we are the poorer for it.
Is the major benefit an expert to give you recommendations? How is this different from any online medium like Reddit or Facebook where an expert can do the same thing, without a local constraint?
I go to /r/fantasy and ask for recommendations. I will probably get someone recommending goddamn Malazan* no matter how applicable it is to what I asked for. I will also get a lot of recs that are just a title, maybe a title and an author, with no further info. Some authors who hang out there will pimp their own books. Maybe someone recommends Name Of The Wind and a mini-flamewar about book 3 taking a decade and counting happens. I end up with a lot of unfiltered recommendations, and an overwhelming amount of research to do on them.
I go to a good bookstore. I can wander into the SF section and find a whole bunch of staff recommendation cards on the shelves next to things they’ve loved. Maybe there’s a list of Hugo and Nebula winners. Maybe some new stuff the average reader hasn’t heard of. Maybe a “if you liked THIS THING then try THIS OTHER THING” card on the shelf points me to something new. I’ve got a fairly small selection of recommendations, curated by people whose job is partially to keep up with new fiction and recommend the great new stuff. And maybe something outside my genre comfort zone catches my eye on the way to the SF/F section...
Also it is TONS easier to get an idea of just how long a book is when you’re picking one up off the shelves. One cover image and maybe a little tiny text note of how big the file is on Amazon’s page is a lot less information about the sheer size of the story I’m considering picking up.
* /r/fantasy loves this turgid-ass sprawling account of someone’s D&D campaign, I finally tried reading the first book and gave up after three chapters, then got told that “everyone knows it doesn’t pick up until book 3” and life is way too short for that IMHO...
----
TL;DR: Reddit ain't gonna give you professional recommendations. Reddit will give you a bunch of recommendations of stuff twentysomething guys with a ton of free time on their hands like.
Yea, but couldn't I find an expert amongst the group of random Internet people posting on these places? What makes a bookstore employee more knowledgeable or an expert?
You've mentioned recommendations and exploration but things like Goodreads have similar tools - you can follow users who have similar 'likes' as you, you can read lists by people who have similar tastes, and you can get recommendations from the 'pros'.
I'm sorry I mentioned Reddit. I really did mean any online medium, Goodreads, random book forums, anything else.
If you go to /r/fantasy and don't like their suggestions it simply means your tastes do not match with mainstream /r/fantasy tastes. Luckily we are not limited to just reddit when looking for recommendations on the internet. Just look around more.
Reddit and facebook offer the ability for anyone to recommend to you, with no real way to filter their actual authority on the subject except by the one post itself (scouring through each person's history to get a better sense is beyond unreasonable).
With a bookstore, you can reasonably expect, at least to a certain degree, an authority figure. With facebook/reddit, you can reasonably expect nonsense, and maybe one somewhat knowledgeable guy piping up in a wave of shit.
Tbh, I have no idea why you'd bring up reddit or fb instead of at least hn, where the noise to signal ratio at least attempts to approach something useable.
Reddit and facebook are where you go to accidentally stumble into something useful; not when you're searching for it.
In fact, if you're looking for an expert, you usually go where few people go: because those you would find there probably have good reason to be there; places where it's only worth being if you're an expert in the niche.
I usually skip the Rite of Spring, but love every other piece. Probably because I was trying to watch the visuals too hard instead of listening.
But the important thing to remember about Fantasia is that it's not a coherent story, it's a set of shorts.
You can watch subsets, skip some, or really do what you want. Just watch Night on Bald Mountain/Ave Maria, or the Dance of the Hours, or whatever you want. And give Fantasia 2000 a shot. Not as good, but still fun. Firebird was great.
> Assume the key material isn't compromised, since you have to assume that.
The nice thing about root certs is the private key is only needed to sign intermediate certs and CRLs. This means they can be kept offline in a secure location, and only accessed once every few months or so to sign new intermediate certs or CRLs. The actual crypto typically happens in a special locked-down piece of hardware, so that the actual private key never touches the memory or disk of the computer being used.
The whole process is called a "key ceremony" and follows strict procedures, with technical staff and outside auditors watching every step.
As far as I know, no CA has ever had its root key compromised. It would require physically breaking into a secure facility, or factoring of the public key. Considering there's much lower-hanging fruit for anyone attempting to attack PKI, I'm not too concerned with a 20 year root cert lifetime. (Like you say, they could just remove it from future versions of OSX before then!)
It's also incorrect. The 2035 number is the root certificate. The leaf signer is (as of last night):
    Not Before: Sep 24 19:09:31 2015 GMT
    Not After : Oct 23 19:09:31 2017 GMT
The company I work for is in the process of migrating off of SHA-1 certs, and the amount of due diligence that has to go into this sort of an upgrade is incredible.
It involves analyzing full logs of all supported client enctypes and tracking down the full set of "flavors" of clients that only do SHA-1.
At the end of the day, you're going to break people, and it's all about minimizing how many people that is. Imagine the situation with hardware devices in the field from ten or so years ago. You can't update them and their software rev only supports SHA-1. What do you do?
If I were trying to drive adoption of a connector that has objectively better performance characteristics (high current draw for fast charging), I too wouldn't provide a legacy cable that doesn't exhibit those benefits.
I know the criteria for selecting my next laptop and monitor will involve USB-C.