The post Animated Secrets Shared at PostSecret Live! Events appeared first on PostSecret.
Reload page in style: light
Network.
![[syndicated profile]](https://www.dreamwidth.org/img/silk/identity/feed.png){kind=small}
post_secret_feed at 12:02am on 22/03/2026The post Animated Secrets Shared at PostSecret Live! Events appeared first on PostSecret.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mesona at 10:42am on 22/03/2026Name: Mint
Age: 22
I mostly post about: Daily life and hobby updates
My hobbies are: I enjoy Vocaloid music, Vtubers, Anime/manga, literature, birdwatching, knitting and crochet, playing rhythm games. I'm also a programmer and may bring up tech stuff occasionally. I'm learning to draw.
My fandoms are: Current hyperfixation is NBA (go Nuggets). I keep up with F1 casually. I follow paleontology and aviation news. Currently reading JJBA, Chainsaw Man, slowly watching Dark Winds. Check my About Me sticky for the full list of stuff.
I'm looking to meet people who: Are also writing personal journals and forming community. Besides that, people who write or read more structured content. Such as personal journal, hobby updates, recipes, guides, media reviews, short stories. Bonus if you're posting outside of America (I'm from Southeast Asia myself).
My posting schedule tends to be: Few times a week.
When I add people, my dealbreakers are: Obviously don't be bigoted, though I assume most people on this site aren't. Probably won't come up often, but I'm not a big fan of people who post inflammatory or reactionary takes.
Before adding me, you should know: I will probably be posting about experiences with mental/physical health stuff, as I am AuDHD and am working through cPTSD. It won't be my main topic, but just a heads up that some of my posts will be heavy, and they'll have a content warning if they are.
mellowsnopes_feed at 02:00am on 22/03/2026boxofdelights at 07:42pm on 21/03/2026![[community profile]](https://www.dreamwidth.org/img/silk/identity/community.png){kind=small}
latam is a new community for people to come together to talk about latinamerican music, films, food, culture, fandom, and more!rolanni at 08:03pm on 21/03/2026 under baking, coon cat logic, embroidery for fun & pleasure, everybody talks about the weather, life after the apocalypse, writer's day offWhat went before:
Also, this happened:
#
Saturday. Sunny and warm. I think. I haven't been out. In fact, I not only slept late, I lay in bed, snuggled with cats, and read my email, so I'm just now getting up and around.
Today's big plan is to make focaccia and maybe read or maybe... No, I don't think I'll write anything today. I do need to do some research but that can maybe wait. Maybe I'll finish my embroidery project and see how that turns out.
As you can see my plans are firm.
How's everybody doing today?
#
Focaccia happened. Yes, it tastes every bit as good as it looks.
#
Had a very strange experience -- I can't get into either Bank of America or Discover to get my statements for monies due in early April, which is only a problem because neither one of those entities sent me a reminder that I had a new bill, and I happened to notice that now that my head isn't filled up with BOOK.
Discover says that it's really terribly sorry but it can't complete "that operation" (which would be logging in) right now. Bank of America, ever charming, says that I phucked up my ID or my password or maybe both? And it might let me in if I give it my social security number, which, err. No.
So! I have two phone calls to make on Monday, lucky me.
In other news, I'm on what ought to be my last four meals from Cook Unity, delivered yesterday. Today, I had the shrimp grain bowl, which was...OK, I guess. I had six shrimp and got bored with them, so I chopped up the leftover ones, and I'll be having a shrimp salad sandwich for the evening meal.
Also we here in Central Maine are under an Active Weather Advisory and warned to look out for between 3 and 6 inches of snow on the overnight. Honestly, March.
And now? I'm going to go embroider.
#
So, I finished my first! ever! concept-to-finished-piece embroidery project and!
I learned some stuff.
The first thing I learned is that I made this too small, in terms of the current states of my eyesight and the steadiness of my hand. Next time, I WILL go bigger, even if it means I can't get the whole design inside the hoop at once.
I also learned -- actually, I knew this -- white-on-white is hard to read. Duh.
But! and most importantly!
I learned that it Can Be Done.
Which means I can Do It Again.
I should report that Tali and Rook joined me in the living room while I finished this up. Rook sat on my lap and didn't even try to mess the thread. He just kinda curled up and went to sleep.
#
So, that was a nice day off-ish. Tomorrow, I will start to read Kin Right, and will also plan on clearing off the top of my desk -- yes, again.
My next embroidery project is a pre-printed sampler -- that's it, just the design. So, my next step, now that's in the hoop, is to make a yarn/floss card. Which means I need to dig out the Big Bag of Floss. Later.
For right now, I'm going to pour myself a glass of wine and see about making that shrimp salad sandwich.
Everybody have a good evening. I'll check in tomorrow.
icanhascheezburger_feed at 03:00pm on 21/03/2026This cat lover was always on the lookout for a rescue, noticing every stray, glancing under cars a little more than most people. They already had three cats at home, but were always open to helping one more if the situation came up. For a while, nothing did.
Then on a grocery run, it finally did. At a house they usually pass to pet an outdoor cat, there was a tiny kitten tucked under a car. He had wandered into the garage a few days earlier and stayed, even with the other cats trying to chase him off. Small, friendly, and clearly not from the area. The homeowners already had five cats and couldn't take him in, so they offered him up.
At first, this purrson said no. Three cats is already a lot, and it felt like the sensible answer. But once they got home, that image stuck, a little kitten curled up under a car with nowhere else to go. It lingered long enough to change their mind.
So now there are four cats. The new little guy is set up in the guest room, going through the slow intro period and purring constantly like he's already settled in. He went from hiding outside to having a whole space to himself, and it's pretty clear he ended up exactly where he was meant to be.
notalwaysright_feed at 11:00pm on 21/03/2026Read From AAA To A Penny
Customer: "Okay, so I'll take twenty bucks for this one."
Gets out another old game.
Customer: "Twenty-five for this one."
After another game, I stop him:
Me: "Buddy, that isn't how it works. I'm gonna scan them, the computer will tell me what it's worth, and I'll offer you cash or store credit."
Read From AAA To A Penny
cosmolinguist at 11:06pm on 21/03/2026 under observationOn a single tube train alone the other day, I saw two people in black thin-rimmed aviators and all I could thin was well now I know what I want my next pair of glasses to look like!
Never felt so much like a dad, possibly because that style always reminded me of my dad since that's what he wore when I was a little kid.
But one of these two people was a young person of ambiguous gender presentation, so I have hope that such things can become fashionable among the queers.
I'm due an eye test, and presumably new glasses, so I've been keeping an eye out for what kind of frames I might want (since the narrow rectangular thick-framed "hipster glasses" that seem to suit me best are not as readily available as they once were! the frames I have now are boring as hell, too big and too round for me even though they're not as much of either as has been popular lately).
snopes_feed at 11:00pm on 21/03/2026primsong at 03:47pm on 21/03/2026 under 1083: pluralityicanhascheezburger_feed at 02:00pm on 21/03/2026Bookshelves are meant to hold books, but cats clearly see them as something much more exciting. To a cat, a bookshelf is basically a climbing tower filled with convenient little stepping spots. One moment the shelves are full of books. The next moment there's a cat halfway up the bookcase like it has been doing this its whole life.
Cats move through the shelves with confidence. A careful step between two books, a little stretch to the next level, maybe a paperback gets nudged out of the way along the journey. Every shelf becomes part of the path upward. The higher they go, the more pleased they seem with the whole situation.
Once a cat reaches the upper shelves, it quickly becomes the ruler of the room. From that height they can watch everything happening below like a fluffy supervisor. Humans moving around, snacks appearing in the kitchen, mysterious noises from the hallway. Nothing escapes the watchful eyes of a bookshelf cat.
In the end, the bookshelf turns into the perfect lookout spot. A cozy perch, a tall throne, and a place to sit proudly above the rest of the room. The books may live there, but the top shelf clearly belongs to the cat.
Today was A Travel Day; yesterday, in preparation for same, I Ran Errands, including "acquiring Tiny Cake" and "visiting the pharmacy".
On the way from those two jobs to the next couple, I passed Several Good Things.
One was a new-to-me flavour of completely ridiculous daffodil:
It's a double not in the sense of having a confusing froth of intermingled trumpets (as of Double Fashion or Double Camparnelle, both of which exist locally), but in the sense of having two nested trumpets, one shorter and orange, from which the longer white one protrudes. I have never! previously! seen a thing like this! I am really enjoying my current streak of encountering varieties of daffodil that make me go "what the fuck???"
Shortly thereafter I checked over my shoulder while crossing a tiny bridge and was startled and delighted to see A COOT UPON THE NEST that, last I passed it, was clearly still derelict. Obviously I went back and Gazed Upon It for Some Time and was eventually rewarded by it STANDING UP to reveal SEVEN??? (possibly) EGGS!!!
And the Egyptian goslings were peeping about the place when I subsequently passed them on my way back up the hill. A+ errands would run again.
musesfool at 03:05pm on 21/03/2026 under adventures in cooking
satisfiedicanhascheezburger_feed at 01:00pm on 21/03/2026Life isn't always sunshine and rainbows. Sometimes, it feels like everything goes our way, like everywhere we go we're blessed with an aura of luck, serendipity, and radiance. And some days, we feel so overwhelmed or out of emotional shape that the simplest thing can happen and it sends us spiraling. These are the days we do cry over spilled milk, and that's okay. It just means we have to know how to handle ourselves and how to cheer up naturally, and that means cat memes.
A gentle purring is enough to soothe anyone from stressed to sedated. Let these little purrs of cat memes fulfill that part of you that just needs a hug, because everyone gets like that sometimes. Small stresses, responsibilities, conversations, expectations, and worries begin stacking on top of each other until everything feels heavier than it should. You wake up tired, already behind, already carrying more than you can quite name. It's not dramatic, it's just life. In these moments, you could feel like you could easily lose yourself. You're supposed to answer messages, finish tasks, show up, be present, and the world doesn't care or pause when you can't join them. It really just means you're human, that you need a break, a hug, and a gentle purring of cat memes to soothe your soul. Enjoy these kitty cat memes and imagine you are getting that well deserved hug from a furball, a meme, or a person.
icanhascheezburger_feed at 12:00pm on 21/03/2026Cat memes and music festivals have a lot in common actually. Cats are fun, silly, and love to play dress up. There's so much excitement around music festivals that work purrfectly well with cats. People who like cats are sure to like music festivals as well, and vice versa. Lollapalooza is going to be great this year, with Lil Uzi Vert, Sombr, and Turnstile all purrforming, what could go wrong? Music festivals tend to be so many things at once. It's an opportunity to be with friends for days straight, it's about getting together and not being shy about love – love for your friends, for the music, for life, and for love itself. Wouldn't it be nice to be able to take your cat? Maybe he's at home just listening to the music you get to see live. Music festivals usually have so much activity. It's not just about taking something and going into dreamland; it can be life changing if you let it, just like cats.
mjg59_codon_feed at 12:38pm on 21/03/2026When you’re looking at source code it can be helpful to have some evidence indicating who wrote it. Author tags give a surface level indication, but it turns out you can just lie and if someone isn’t paying attention when merging stuff there’s certainly a risk that a commit could be merged with an author field that doesn’t represent reality. Account compromise can make this even worse - a PR being opened by a compromised user is going to be hard to distinguish from the authentic user. In a world where supply chain security is an increasing concern, it’s easy to understand why people would want more evidence that code was actually written by the person it’s attributed to.
git has support for cryptographically signing commits and tags. Because git is about choice even if Linux isn’t, you can do this signing with OpenPGP keys, X.509 certificates, or SSH keys. You’re probably going to be unsurprised about my feelings around OpenPGP and the web of trust, and X.509 certificates are an absolute nightmare. That leaves SSH keys, but bare cryptographic keys aren’t terribly helpful in isolation - you need some way to make a determination about which keys you trust. If you’re using someting like GitHub you can extract that information from the set of keys associated with a user account1, but that means that a compromised GitHub account is now also a way to alter the set of trusted keys and also when was the last time you audited your keys and how certain are you that every trusted key there is still 100% under your control? Surely there’s a better way.
And, thankfully, there is. OpenSSH supports certificates, an SSH public key that’s been signed by some trusted party and so now you can assert that it’s trustworthy in some form. SSH Certificates also contain metadata in the form of Principals, a list of identities that the trusted party included in the certificate. These might simply be usernames, but they might also provide information about group membership. There’s also, unsurprisingly, native support in SSH for forwarding them (using the agent forwarding protocol), so you can keep your keys on your local system, ssh into your actual dev system, and have access to them without any additional complexity.
And, wonderfully, you can use them in git! Let’s find out how.
There’s two main parameters you need to set. First,
|
|
because unfortunately for historical reasons all the git signing config is
under the gpg namespace even if you’re not using OpenPGP. Yes, this makes
me sad. But you’re also going to need something else. Either
user.signingkey needs to be set to the path of your certificate, or you
need to set gpg.ssh.defaultKeyCommand to a command that will talk to an
SSH agent and find the certificate for you (this can be helpful if it’s
stored on a smartcard or something rather than on disk). Thankfully for you,
I’ve written one. It will
talk to an SSH agent (either whatever’s pointed at by the SSH_AUTH_SOCK
environment variable or with the -agent argument), find a certificate
signed with the key provided with the -ca argument, and then pass that
back to git. Now you can simply pass -S to git commit and various other
commands, and you’ll have a signature.
This is a bit more annoying. Using native git tooling ends up calling out to
ssh-keygen2, which validates signatures against a file in a format
that looks somewhat like authorized-keys. This lets you add something like:
|
|
which will match all principals (the wildcard) and succeed if the signature is made with a certificate that’s signed by the key following cert-authority. I recommend you don’t read the code that does this in git because I made that mistake myself, but it does work. Unfortunately it doesn’t provide a lot of granularity around things like “Does the certificate need to be valid at this specific time” and “Should the user only be able to modify specific files” and that kind of thing, but also if you’re using GitHub or GitLab you wouldn’t need to do this at all because they’ll just do this magically and put a “verified” tag against anything with a valid signature, right?
Haha. No.
Unfortunately while both GitHub and GitLab support using SSH certificates
for authentication (so a user can’t push to a repo unless they have a
certificate signed by the configured CA), there’s currently no way to say
“Trust all commits with an SSH certificate signed by this CA”. I am unclear
on why. So, I wrote my
own. It takes a range of
commits, and verifies that each one is signed with either a certificate
signed by the key in CA_PUB_KEY or (optionally) an OpenPGP key provided in
ALLOWED_PGP_KEYS. Why OpenPGP? Because even if you sign all of your own
commits with an SSH certificate, anyone using the API or web interface will
end up with their commits signed by an OpenPGP key, and if you want to have
those commits validate you’ll need to handle that.
In any case, this should be easy enough to integrate into whatever CI pipeline you have. This is currently very much a proof of concept and I wouldn’t recommend deploying it anywhere, but I am interested in merging support for additional policy around things like expiry dates or group membership.
Of course, certificates don’t buy you any additional security if an attacker is able to steal your private key material - they can steal the certificate at the same time. This can be avoided on almost all modern hardware by storing the private key in a separate cryptographic coprocessor - a Trusted Platform Module on PCs, or the Secure Enclave on Macs. If you’re on a Mac then Secretive has been around for some time, but things are a little harder on Windows and Linux - there’s various things you can do with PKCS#11 but you’ll hate yourself even more than you’ll hate me for suggesting it in the first place, and there’s ssh-tpm-agent except it’s Linux only and quite tied to Linux.
So, obviously, I wrote my own. This makes use of the go-attestation library my team at Google wrote, and is able to generate TPM-backed keys and export them over the SSH agent protocol. It’s also able to proxy requests back to an existing agent, so you can just have it take care of your TPM-backed keys and continue using your existing agent for everything else. In theory it should also work on Windows3 but this is all in preparation for a talk I only found out I was giving about two weeks beforehand, so I haven’t actually had time to test anything other than that it builds.
And, delightfully, because the agent protocol doesn’t care about where the keys are actually stored, this still works just fine with forwarding - you can ssh into a remote system and sign something using a private key that’s stored in your local TPM or Secure Enclave. Remote use can be as transparent as local use.
Ah yes you may be wondering why I’m using go-attestation and why the term “attestation” is in my agent’s name. It’s because when I’m generating the key I’m also generating all the artifacts required to prove that the key was generated on a particular TPM. I haven’t actually implemented the other end of that yet, but if implemented this would allow you to verify that a key was generated in hardware before you issue it with an SSH certificate - and in an age of agentic bots accidentally exfiltrating whatever they find on disk, that gives you a lot more confidence that a commit was signed on hardware you own.
Using SSH certificates for git commit signing is great - the tooling is a bit rough but otherwise they’re basically better than every other alternative, and also if you already have infrastructure for issuing SSH certificates then you can just reuse it4 and everyone wins.
Did you know you can just download people’s SSH pubkeys from github from https://github.com/<username>.keys? Now you do ↩︎
Yes it is somewhat confusing that the keygen command does things
other than generate keys ↩︎
This is more difficult than it sounds ↩︎
And if you don’t, by implementing this you now have infrastructure for issuing SSH certificates and can use that for SSH authentication as well. ↩︎
notalwaysright_feed at 07:00pm on 21/03/2026Read Allergic To Common Sense, Part 34
Customer: "I'm allergic to anchovies, so no anchovies on my Caesar salad."
Me: "There's anchovies in our Caesar dressing, what would you like instead?"
Customer: "No, there's not. I had it last week, and I didn't taste them."
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
|
1
|
2
|
3
|
4
|
5
|
6
|
|
|
7
|
8
|
9
|
10
|
11
|
12
|
13
|
|
14
|
15
|
16
|
17
|
18
|
19
|
20
|
| 21 |
22
|
23
|
24
|
25
|
26
|
27
|
|
28
|
29
|
30
|