mcpherrinm's comments

Let’s Encrypt does operate CT logs. I wrote a blog post about our current-generation logs at https://letsencrypt.org/2024/03/14/introducing-sunlight

Let’s Encrypt currently has a single primary with a handful of replicas, split across a primary and backup DC.

We’re in the process of adopting Vitess to shard into a handful of smaller instances, as our single big database is getting unwieldy.


Let’s Encrypt is an incredible project and the internet is better off for it. If you ever have questions about vitess or need help please let me know.

Thanks. Would love to see a tech blog post once you get Vitess implemented.

We’ve already started drafting it :)

I'm the technical lead for Let's Encrypt SRE.

Publishing more about our resilience engineering sounds like a great idea!

I'll get that on our blogging schedule for next year.


Versity Gateway looks like a reasonable option here. I haven't personally used it, but I know some folks who say it performs pretty great as a "ZFS-backed S3" alternative.

https://github.com/versity/versitygw

Unlike other options like Garage or Minio, it doesn't have any clustering, replication, erasure coding, ...

Your S3 objects are just files on disk, and Versity exposes it. I gather it exists to provide an S3 interface on top of their other project (ScoutFS), but it seems like it should work on any old filesystem.


Versity is really promising. I got a chance to meet with Ben recently at the Supercomputing conference in St. Louis and he was super chill about stuff. Big shout out to him.

He also mentioned that the minio-to-versity migration is a straightforward process. Apparently, you just read the data from minio's shadow filesystem and set it as an extended attribute in your file.


I really like what I've (just now) read about Versity. I like that they are thinking about large scale deployments with tape as the explicit cold-storage option. It really makes sense to me coming from an HPC background.

Thanks for posting this, as it's the first I've come across their work.


Garage also decided not to implement erasure coding.

I don't expect we'll ever remove the other validation methods, and certainly have no plans to do so.

There are pros and cons of various approaches.


Note that renewing certificates is generally exempt from rate limits: https://letsencrypt.org/docs/rate-limits/#limit-exemptions-f...

We are working on further improvements to our rate limits, including adding more automation to how we adjust them. We're not ready to announce that yet.

We wanted to get this post out as soon as we'd decided on a timeline so everyone's on the same page here.


We had (optional) safety training when I worked at Square, which included CPR training, going over office evacuation procedures, etc. One of the most fun parts was they had a virtual fire extinguisher training, which involved basically a video game fire extinguisher controller to put out a fire on a TV. It’s definitely not as exciting as real fire extinguisher training, but it can also be done in an office meeting room.

I’m still upset they didn’t let us start fires in the meeting rooms to practice using real extinguishers.

Miss working with you!


Virtual training is better than nothing. But I don't think it really compares to doing it IRL.

The Register is adding very little on top of https://blog.cloudflare.com/detecting-cgn-to-reduce-collater...

Previously discussed (a bit) at https://news.ycombinator.com/item?id=45746509


I wonder if that's not very visible in Cloudflare's data because those mobile devices will likely use IPv6 to connect to Cloudflare-hosted sites.


That’s what I was thinking. Anyone coming from Cloudflare will end up getting there via IPv6.


I use Cloudflare to make my weather station available over T-Mobile. They don’t filter inbound IPv6 on regular phone lines (they do for TMHI), so you can host a simple page on IPv6, only set the AAAA record in Cloudflare, and they will proxy it for IPv4 users, so I can ignore being CGNAT’d for IPv4. Make sure if you do this setup with a tool like ddclient to keep the record current, as T-Mobile rotates IPv6 frequently.


Well, what I mean to say was “anyone coming from Verizon will get to Cloudflare via IPv6”.

My current endpoint lacks IPv6, so I use Cloudflare so IPv6 clients can get to it. Verizon’s IPv6 is noticeably faster than their IPv4 CG-NAT.


Mobile devices don't get IPv6, do they? Last I looked, my cheapo gateway only provided v4 CGNAT.


Phones have been on IPv6 for years.


https://blog.nelhage.com/post/regex-crosswords-z3/ was posted a few days ago here and is an interesting way to solve these.


Yeah, that's how I found regexle, which eventually led me to this!

