Did you/your distro set up realtime ulimits correctly such that pw can acquire rt priority?

Thanks for the explanation!

Though it ought to be possible to only respond with the new self-signed cert when LE does the challenge and with the previous, properly signed cert otherwise.

I found https://codeberg.org/neilpang/acme.sh/wiki/TLS-ALPN-without-downtime which demonstrates one method to achieve that but I lack practical experience judge whether that’s optimal.

Forgive my ignorance but why would that incur a downtime?

The only way I can think of for downtime to happen if you switched certs before the new one was signed (in which case …don’t) or am I missing something?

It also strikes me as weird that LE requires 80 but does allow insecure 443 after a redirect. Why not just do/allow insecure 443 in the first place?

The same that happens when you update to receive a breaking change on a rolling distro. It’s version number go up, just at a different point in time.

That’s a very odd example to choose given how trivially interchangable kernels are.

At NixOS, we ship the same set of kernels on stable and rolling; the only potential difference being the default choice.
I’m pretty sure most other stable distros optionally ship newer kernels too. There isn’t really a technical reason why they couldn’t.

To be able to predict when something you depend on breaks.

This “something” could be as “insignificant” as a UI change that breaks your workflow.
For instance, GNOME desktop threw out X11 session support with the latest release (good riddance!) but you might for example depend on GNOME’s X11 session for a workflow you’ve used for many years.

With rolling, those breaking changes happen unpredictably at any time.
It is absolutely possible for that update to come out while you’re in a stressful phase of the year where you need to finish some work to hit a deadline. Needing to re-adjust your workflow during that time would be awful and could potentially have you miss the deadline. You could simply not update but that would also make you miss out on security/bug fixes.

With stable, you accumulate all those breaking changes and have them applied at a pre-determined time, while still receiving security/bug fixes in the mean time.
In our example that could mean that the update might even be in a newer point release immediately but, because your point release is still supported for some time, you can hold on on changing any workflows and focus on hitting your deadline.

You need to adjust your workflow in either case (change is inevitable) but with stable/point releases, you have more options to choose when you need to do that and not every point in time is equally convenient as any other.

Rolling vs. point release is not about whether a breaking change happens or not but when.

With rolling, breaking changes could happen at any time (even when inconvenient) but are smaller and spread out.
With point release, you get a big chunk of breaking changes all at once but at predictable points in time, usually with migration windows.

Waiting some weeks for uncaught bugs to be ironed out might be advisable if you still have limited debugging capabilities.

Otherwise, you can always nixos-rebuild build-vm using the new release channel and see whether it breaks anything you depend on.
My experience is that it probably won’t. My past few years of updating my server from one stable release to the next were, in one word, boring. Some renames, deprecations etc. with clear errors/warnings to fix at eval time but nothing that actually broke once it was built and deployed.

https://blog.kagi.com/small-web is the closest I’ve seen but it is indeed quite small and often not useful.

Kagi is generally a tool that can be made to clean your search results of poorly incentivised content. It already categorises “top 10” click farms as such OOTB and lets you disable them entirely.

The ability to block websites from appearing in your results is the most useful though IME. If I stumble upon a poorly incentivised website, I can simply block it and it will never appear again.

It’s not all you’re asking for but it gets you the closest that I know of.

Ahhhhh whyyyyy, you’ve got all of these standard response codes made for you, why would you blatantly ignore them like that?!

At least they now allow passwords over 8 characters (yes, serious).

Are you 100% certain they don’t just truncate your password to 8 characters?

WDYM by “directory it drops down into”? nix develop stays in your current working directory.

If I wanted to clean up state, I’d create a clean task in the build system or build a clean script that I’d wire up to the flake outputs such that you could run nix run .#clean.

Signal “only” does PQ key exchange. Apple claims to be doing PQ rekeying in addition to PQ key exchange.

Read the article before commenting perhaps.

You could take the revision number. nixos-unstable has 567011 commits currently.

I do not believe that is the case. Youtube ads are an insanely profitable business. I suspect throwing a couple dozen of FTEs on blocking ad blockers would be <1% of current revenue.

You are free to use it however you want - but if you start charging for your product I get a cut.

The problem here is who this “I” is. Often times, there are dozens or hundreds of contributors. Do they each get a cut? Do they all get a cut of a cut? How is that cut calculated?