今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#home

找到 163 篇相关文章

AI 资讯

Homebrew 6.0.0 turns third-party taps into an opt-in trust list

Your CI runner is a stranger with a credit card and root. Every brew install against a third-party tap is the same trust gesture as curl | sh , just wearing a nicer shirt. (We have all written that step in a script and clicked merge.) This week Homebrew said the quiet part out loud and asked you to consent to it first. The 6.0.0 release shipped the week before DevOps.com's writeup with a tap-trust gate. Out of the box, only taps on a pre-approved list will install. Anything else gets a refusal until a human runs brew trust user/repo . Trust binds to the remote's fully-qualified URL, so the same tap mirrored to a different host is a fresh decision, not a transitive one. What the gate actually refuses Before 6.0.0, the package manager treated user/repo as a name and walked off to fetch the formula. After 6.0.0, an unrecognised remote URL is a refusal at resolve time. Project Leader Mike McQuaid framed it in the 6.0.0 introductory post: The Homebrew team is aware of the supply-side security issues with other package managers. We've taken various steps to mitigate these risks for our users. (He has a point. The last few years of supply-chain incidents were not theoretical.) Tap-trust is one of those steps. It does not inspect the contents of a tap, scan a formula, or pin a SHA. What it does is force a human, or a script, to make an explicit, auditable statement: this remote URL is one we accept. Where your pipeline will feel it DevOps.com flags the part that matters for this site's audience: CI/CD pipelines using Homebrew will need to add brew trust commands to their setup scripts. Quietly bump the Homebrew action on your runner image and the next build that touches a non-core tap will fail at the install step, well before any test runs. That is a feature, but only if you read the changelog. The migration itself is a one-liner per tap. The cost is owning a list. Every tap your pipeline depends on now has to be enumerated somewhere, reviewed when it changes, and version-

2026-06-23 原文 →
AI 资讯

How Much Does It Actually Cost to Run a Local LLM? (€ per Million Tokens, Measured)

"It runs on my own GPU, so it's basically free." I believed that until I put a meter on it. So I ran a controlled benchmark on one box — an openSUSE machine with a single RTX 3090 — driving three local models through ollama under an identical fixed workload (256-token generations in a loop for ~4 minutes each), while my open-source dashboard priced every run by the real GPU energy it burned : power sampled from nvidia-smi every 10 s, integrated over each run's exact window, multiplied by my actual day/night tariff. One number per model, in euros per million output tokens. Here's the part that made me re-run it. The tiny gemma3:1b came out at €0.118 / 1M tokens — about 5× cheaper than a hosted Flash-class API (~€0.55). But gemma3:27b 's electricity alone was €0.706 / 1M — more expensive per token than just paying the cloud, and that's before a single cent of the GPU's purchase price. "Local" didn't make it cheaper; it made it cost more and I own the depreciation. The mechanism is one line: each token costs watts ÷ throughput , and a big dense model is both slow and thirsty. A newer mid-size architecture ( gemma4:26b ) bought a lot of that back, landing at €0.272 . The full guide is methodology-first and reproducible end to end — minting an ingest key, the stdlib-only client, the exact ollama loop that reads eval_count / eval_duration for real tokens-per-second, reading each run back priced, and the honest caveats (this is marginal GPU energy only — not capex, idle, or cooling — and the absolute numbers round to fractions of a cent; the shape is the finding). Read the full guide on Medium → https://medium.com/@arsen.apostolov/how-much-does-it-actually-cost-to-run-a-local-llm-per-million-tokens-measured-4a90a7f31a48

2026-06-23 原文 →
AI 资讯

I Ran Gitleaks Against My Own Repo and Found 12 Real Secrets

Originally published at woitzik.dev I assumed my homelab repo was clean. No one had ever flagged anything in review (there is no one else reviewing it), CI was green, and I generally try to use Vault and ExternalSecrets for anything sensitive. Then I ran a full-history gitleaks detect against it. It found 12 distinct secrets committed in plaintext — including the OIDC private key that signs SSO tokens for half the cluster. This is the scanning setup I put in place afterward, the baseline strategy that let me adopt secret scanning without getting blocked by my own history on every commit, and the remediation plan for the leaks themselves. View the complete homelab infrastructure source on GitHub 🐙 What Gitleaks Found gitleaks detect --no-banner -v Twelve real findings, plus one already-hashed password (lower severity but still shouldn't be hand-committed) and one false positive in ROADMAP.md (documentation text that happened to match a generic API key pattern). The real findings, by severity: File Secret Why It Matters kubernetes/apps/authelia/configmap.yml OIDC issuer private key Signs SSO tokens for ArgoCD, Vault, Grafana — highest blast radius kubernetes/apps/garage/config.yml RPC secret + admin token Storage backend for Velero/Loki/CNPG backups kubernetes/apps/garage/secrets.yml Admin token (duplicate) Same secret committed twice in two files terraform/stacks/network/local_backend.hcl Garage S3 access key This is the Terraform state backend's own credential kubernetes/system/postgres/cnpg-backup-secret.yml Garage S3 secret key Used for WAL archiving kubernetes/apps/paperless/secrets.yml Postgres password + AI API token kubernetes/apps/cloudflared/secrets.yml Cloudflare Tunnel token kubernetes/apps/headscale/config.yml OIDC client secret Must match Authelia's client config kubernetes/system/monitoring/loki.yml Minio/S3 password kubernetes/apps/mikrodash/secrets.yml Dashboard password Lowest priority — internal tool only None of these were exposed by a public repo

2026-06-21 原文 →
AI 资讯

How Roomba started a robot revolution

If you had a Roomba, especially in the early days of the robot vacuum, it was in many ways a fairly unsophisticated machine. It would just bump around your house, looking for something to suck up, until its battery died or its (way too small) tank filled up. Not that it mattered, though. You probably […]

2026-06-21 原文 →
AI 资讯

SwitchBot’s Standing Circulator Fan is worth fighting for

I can't remember the last time I got excited about a fan. Normally, I just buy whatever Vornado or Dreo model fits my budget, but that was before I started testing the battery-powered Standing Circulator Fan from SwitchBot. As the name indicates, the SwitchBot fan is a 3D circulator - a fancy way of saying […]

2026-06-20 原文 →