hello

  • 70 Posts
  • 83 Comments
Joined 3Y ago
Cake day: Jan 17, 2022


telegram is (and has always been) terrible for privacy.

it’s great for cops around the world, more so in countries where telegram cooperates with them but also in ones where they don’t.

nobody should use telegram.


🎉 thanks to the developers and everyone who helped!

one bug i noticed after the upgrade: my notifications page shows unread notifications for (what i guess is) every reply i’ve ever received which was later deleted. the count in the bell icon only reflected the actual new unread notifications I had received since I last looked, but when i click to view my unread notifications then all of these old ones about deleted messages appear to be unread now.


how will the fix work?


I could be wrong, but I interpret this post as being about Mastodon’s culture of being against search technology, which I find depressing and irritating for reasons I explained in that other thread as well as this one.

However, I just noticed a place where there is some lack of informed consent here on Lemmy: in the Lemmy UI, it appears that upvotes and downvotes are anonymous. I checked a long time ago, and realized that they weren’t really; the identity of the up or down voter is federated, but it is simply not shown by the UI.

I would assume that many (probably most) lemmy users do not realize this: admins of your own instance and all federated instances have the ability to see who upvoted and downvoted what.

It just now came to my attention that Friendica actually is showing this information publicly, in the form of “$username does not like this” for a downvote! https://rytter.me/display/4c906314-4763-d3aa-4584-11a516756414 🤣

(hey @OptimusPrime@lemmy.ml … why did you downvote that? I myself am also listed there as not liking it; I downvoted it as a test to confirm my assumption that it would show up as “does not like”, and then when I undownvoted it that event apparently didn’t get federated.)

imo these are the kind of “informed consent” issues that fediverse developers should be thinking about, rather than “how can we increase the power imbalance by making it so that only the elite are allowed to have fulltext search… in the name of justice” as so many seem to be hell-bent on doing.

i clicked a button that most lemmy users would assume is an anonymous up/down vote and now my name is listed on a 3rd party website saying i “don’t like” something (even though I tried to undo it). #thisisfine ?





you could open the terminal and type `ping -c 1 lemmy.ml` which will send an echo request to lemmy and see if it replies, and will also tell you what IP address your computer is currently resolving the name to. if it is an IP address other than 51.38.185.90 then you are dealing with DNS censorship which is usually easy to circumvent by using a different DNS server. if it has the correct IP and some error message or a timeout, that would be interesting.

if you want to paste the output of that command here, to copy text from the terminal to your clipboard you can use ctrl-shift-c (instead of ctrl-c like in other programs, because in the terminal ctrl-c by itself sends an interrupt signal to the running program).
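The triage described in the comment above, as an added example that is not part of the original comment: a script that reads `ping -c 1` output and reports which case applies. The function name `classify_ping`, its result labels and the sample outputs are constructed for illustration; the expected address is the one quoted in the comment, and the parsing assumes the Linux iputils output format.

```shell
#!/bin/sh
# Added example: classify `ping -c 1 <name>` output against a known-good address.
EXPECTED_IP=51.38.185.90   # address quoted in the comment above

# classify_ping EXPECTED_IP   (ping output is read from stdin)
# Prints: ok | dns-mismatch <ip> | right-ip-no-reply | no-resolution
classify_ping() {
    cp_expected=$1
    cp_output=$(cat)
    # Header line looks like: PING name (a.b.c.d) 56(84) bytes of data.
    cp_resolved=$(printf '%s\n' "$cp_output" |
        sed -n 's/^PING [^ ]* (\([0-9.]*\)).*/\1/p' | head -n 1)
    if [ -z "$cp_resolved" ]; then
        echo "no-resolution"                  # no IPv4 header line: lookup failed
    elif [ "$cp_resolved" != "$cp_expected" ]; then
        echo "dns-mismatch $cp_resolved"      # resolver returned a different address
    elif printf '%s\n' "$cp_output" | grep -q 'bytes from'; then
        echo "ok"                             # right address and an echo reply
    else
        echo "right-ip-no-reply"              # right address, but nothing came back
    fi
}

# Constructed sample outputs (192.0.2.10 is a documentation-only address).
SAMPLE_OK='PING lemmy.ml (51.38.185.90) 56(84) bytes of data.
64 bytes from 51.38.185.90: icmp_seq=1 ttl=50 time=31.2 ms

--- lemmy.ml ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms'

SAMPLE_MISMATCH='PING lemmy.ml (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=61 time=4.1 ms

--- lemmy.ml ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms'

SAMPLE_TIMEOUT='PING lemmy.ml (51.38.185.90) 56(84) bytes of data.

--- lemmy.ml ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms'

for cp_sample in "$SAMPLE_OK" "$SAMPLE_MISMATCH" "$SAMPLE_TIMEOUT"; do
    printf '%s\n' "$cp_sample" | classify_ping "$EXPECTED_IP"
done

# Live use (forces IPv4 so the header carries an IPv4 address):
#   ping -4 -c 1 lemmy.ml | classify_ping "$EXPECTED_IP"
```

A `right-ip-no-reply` result only shows that the echo request went unanswered; it does not by itself say where on the path it was dropped.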


what operating system are you using? (eg, mac, windows, linux, android, iphone, …)


lemmy.ml currently appears to be hosted on a French OVH IP address (51.38.185.90).

Do you know who is blocking it, or why?!

Hopefully it is just DNS blocking, so you could circumvent it by using a different DNS server?












Are you running the software that you want to be listening on that port while you’re doing the test? Are you sure it is actually listening on that port? You can see which ports which programs are listening on with the command `sudo ss -tulpn` (those options tell it to display tcp and udp listening ports and program names, and to not try to resolve IP addresses into names; see `man ss` for details).

If you’ve opened the port in your gateway and your local firewall and you’re running the software, it seems like it should work… one possible reason why it might not would be if you’re double NAT’d (eg the NAT gateway you’re configuring is itself behind another NAT gateway). To see if this is the case, try to find in the router’s web interface if it says what its WAN (upstream) IP address is. If it’s something else in an RFC1918 range (192.168.x, 10.x, or 172.16-31.x) then you’re double NAT’d and need to figure out how to configure the outer NAT gateway.
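The two checks from the comment above as a script, added here as an example and not part of the original comment. The function names `listen_scope` and `wan_class` are hypothetical and the `ss` output is a constructed sample. It goes slightly beyond the comment in two places: it distinguishes a listener bound only to loopback from one bound to other addresses, and it flags the carrier-grade NAT range 100.64.0.0/10 (RFC 6598) alongside the RFC1918 ranges.

```shell
#!/bin/sh
# Added example: is the port really listening, and is the router's WAN side private?

# listen_scope PORT: reads `ss -tulpn` output on stdin.
# Prints not-listening, loopback-only or non-loopback.
listen_scope() {
    awk -v port="$1" '
        $1 == "tcp" || $1 == "udp" {
            addr = $5                          # "Local Address:Port" column
            p = addr; sub(/.*:/, "", p)        # port = text after the last colon
            if (p != port) next
            host = addr; sub(/:[^:]*$/, "", host)
            found = 1
            if (host !~ /^127\./ && host != "[::1]") wide = 1
        }
        END {
            if (!found)    print "not-listening"
            else if (wide) print "non-loopback"
            else           print "loopback-only"
        }'
}

# wan_class IPV4: classify the WAN address shown in the router's web interface.
# Prints rfc1918 (double NAT), cgnat (100.64.0.0/10), public or invalid.
wan_class() {
    case $1 in
        ''|*[!0-9.]*) echo invalid; return ;;
    esac
    wc_ifs=$IFS; IFS=.; set -- $1; IFS=$wc_ifs   # split the address into octets
    [ $# -eq 4 ] || { echo invalid; return; }
    for wc_o in "$@"; do
        [ -n "$wc_o" ] && [ "$wc_o" -le 255 ] || { echo invalid; return; }
    done
    if [ "$1" -eq 10 ]; then echo rfc1918
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo rfc1918
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo rfc1918
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat
    else echo public
    fi
}

# Constructed sample of `sudo ss -tulpn` output.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:8080      0.0.0.0:*     users:(("python3",pid=2231,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*     users:(("systemd-resolve",pid=640,fd=13))'

printf '%s\n' "$SS_SAMPLE" | listen_scope 8080   # bound to 127.0.0.1 only
printf '%s\n' "$SS_SAMPLE" | listen_scope 25565  # nothing bound to this port
wan_class 192.168.1.1                            # WAN side is itself behind NAT
wan_class 100.64.3.7                             # WAN side is behind carrier-grade NAT
```

A `loopback-only` listener will not accept forwarded connections however the gateway is configured, so that result is worth ruling out before looking at the router.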


I’m guessing that your computer doesn’t have its own public IP address, so, opening ports on its firewall doesn’t actually make them reachable on the internet yet. You’re probably behind a NAT gateway (eg, the modem/router your computer is connected to the internet via), so you need to open a port there and direct it to your computer.

NAT allows your whole LAN to share a single public IPv4 address, which means that for inbound connections the gateway needs to be configured to know which LAN address to send inbound traffic on a given TCP/UDP port to.

On your linux computer you can find out the IP address of your router with the command `ip route |grep default`, and then you can browse to that address in your web browser. You’ll most likely need its password (maybe it’s written on the bottom of your router/modem?). Once you’re logged in to its web interface, you’ll hopefully be able to figure out how to use it to open/allow/map/route ports to your computer.

edit: it looks like the URL you’re using to test is referring to a different port than any of the ones you said you’ve opened with `ufw`, which might be a problem? also, btw, the `ufw allow` command takes effect immediately - you don’t need to `systemctl restart ufw.service` afterwards.


via https://superuser.com/questions/1723668/how-to-update-snap-store-linux-how-to-update-this







Good twitter thread here claiming the original one saw a 500% boost in Navy applicants (a number claimed numerous other places but which I gave up looking for a source for after a couple minutes). Meanwhile here is the US Naval Institute claiming that, instead of Top Gun, the late 80s enlistment increase should be attributed to increased spending on recruiting (ignoring that some of that money most likely helped subsidize the film), even though there were recruiters in theaters then too and 90% of applicants in some cities had seen it… and therefore concludes implausibly that the new film’s “effect on the service’s recruiting will probably be small at best”.






it’s always heartwarming to see neighbors coming together for a common cause like this





Why aren’t non-reproducibly-built binaries of GPL-licensed software considered undistributable?
cross-posted from: https://lemmy.ml/post/274345

> Reading the rather disturbing (albeit refreshingly honest, compared to some other distros) [answer to the FAQ "Can Slackware be recompiled from scratch?"](https://docs.slackware.com/slackware:faq#can_slackware_be_recompiled_from_scratch) got me wondering...
>
> GPLv3 says:
>
> > The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities.
>
> GPLv2 says something similar:
>
> > The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
>
> In the absence of [reproducible builds](https://en.wikipedia.org/wiki/Reproducible_builds), how is it actually legal for third parties (not the copyright holder) to distribute binaries of GPL-licensed software?
>
> Even if I have the corresponding source code and precisely the same build environment that the distributor built a binary with, if the build process is not reproducible then I cannot actually ***generate*** precisely the same copyrighted ***work in object code form*** which I've received.
>
> The GPL doesn't seem to say anything about how distributing source code and build scripts which can generate a different-but-effectively-equivalent(-but-not-easily-verifiably-so) binary being sufficient to comply with the source code requirement.
>
> So, how is distributing these binaries not copyright infringement?
>
> (Obviously in practice everyone agrees that it is OK to distribute non-reproducible binaries, since most everyone does it, but the answer "the entire free software community just seems to agree that slightly violating the GPL is OK because reproducible builds are too much work" is pretty unsatisfying.)



The fourth one is complicated; the US and China both abstained in the vote, apparently expecting the other to veto, while the USSR voted for him. (His lies about his wartime history weren’t exposed until years later.)




interop with other fediverse platforms
If I understand correctly, users of other fediverse things like Mastodon can follow lemmy communities (and users?) but the reverse is not currently possible. Would it not make sense for lemmy users to be able to subscribe to a hashtag or user on a mastodon instance?







This story really does not belong here in the “ukraine_war_news” community.

The only connection to the war is that they’re originally from Ukraine (but have been in the US for six years) and that someone apparently made a petition supporting them which incorrectly suggests that they could possibly be deported to Ukraine during the war. (By my understanding of US law, they will not in fact be deported until after serving their sentence in the US if they are convicted.)


“Take the chips out of your cell phones” … right, ok, that seems prudent … “especially the international ones, we will give you other chips.” … wat???

(because surely sigint systems are incapable of correlating that an IMEI which was just using a foreign SIM now has a local one?)



feature request: it should be possible to flag a community
related: there is presently spam under "trending communities".

Do you know what e’s “one proprietary application” is? (I don’t and I’m curious; see my other comment in this thread.)


/e/OS

Last time I looked, /e/ OS was going-to-be-open-source-later software (but was already distributing images). Now it looks like they have published a lot of source code but their FAQ ominously says

> Yes – all our source code is available and you can compile it, fork it. Some pre-built applications are used in the system; they are built separately from source code available here, or synced from open-source repositories such as F-Droid. We ship one proprietary application though.

…which, for me, goes from cool to wat to nope in three sentences.

(I do wonder what their one proprietary app is, but am not going to spend more than the minute i just spent trying to find the answer to that question.)



Lemmy has an API and Reddit has an API, so, what you want shouldn’t be too difficult.

If you don’t want to start from scratch you could fork something actively maintained that uses the reddit API already, like tootbot, so that you only need to implement the Lemmy side.




You could ask on their forum or matrix channel. I just noticed that neither GNOME Foundation nor RedHat are listed on that about page, both of whom iirc are actually very involved. This post says “GNOME has a donor who is interested in supporting financial sustainability for app developers and removing barriers to an inclusive ecosystem. Flathub would like to use these funds to work with a contractor for a short-term project and make steps towards supporting application developers being able to request payments (whether donations or subscriptions).”

edit: reading more of that thread, I see another recent funder (possibly the aforementioned GNOME funder?) is “Endless Network”… inventors of “The World’s First Pay-As-You-Go PC” 🤦


From the description at the link I was thinking that this actually converted snaps into flatpaks, but clicking through to the project’s readme I see it actually only replaces installed snaps with equivalent flatpaks in cases where a flatpak already exists. Still useful I guess, but less wow.


There are currently six companies listed here, but, the important thing is that the flatpak client software can install things from places other than flathub (and the server-side software running flathub is free software).

The snapcraft server-side software is closed source, and even if someone reimplemented it they would also need to fork the snapd client software as the snapcraft URLs are hardcoded and not reconfigurable.


do they make one that doesn’t have any internet connectivity “features”?

their models i just looked at all mention “app control” which sounds like an indicator that you might be denied some important functionality if you don’t login with facebook or something like that.



lemmy.ml is still bigger overall, but lemmygrad is more active over the last month



In theory or in practice? Last I saw it looked promising but was still not very usable yet.


I agree that compared to the average carrier-provided or manufacturer-provided Android system, iOS out-of-the-box is less horrifically bad for privacy. But that is an extremely low bar :)

> but Google is an advertising company

Apple is also in the advertising business, and is also an NSA collaborator.


Yeah, it was kind of mean of Martijn to put a picture of an N900 at the top of the article… got my hopes up!


Thanks, I edited the post to add Guix and Nix to the timeline.

It’s worth noting that Guix also packages WPE WebKit (another embeddable version of WebKit, which shares a version numbering scheme with WebKitGTK) from the same .scm file and for some reason has still not updated that (despite having just upgraded it the previous month to address another security problem).

(WPE WebKit is used far less than WebKitGTK on desktop OSes, but it can be used for things like webkit overlays in gstreamer pipelines…)



First, I want to say thank you for making Lemmy and for running this instance!

But, this “promotion initiative” strikes me as a questionable idea for two reasons:

  1. Having many instances hosted on the same infrastructure defeats a lot of the purpose of the federated model. If/when this infrastructure goes down for whatever reason, many instances will be affected.

  2. If I understand your offer correctly, you’re actually only offering free hosting for one year? So, after a year, if the admins aren’t able to provide their own infrastructure, will you stop running their instances? This seems like it will inevitably leave a lot of users with a very negative impression of lemmy, when all of their posts and comments evaporate into thin air.

Maybe the overlap between the set of people who are capable of running their own server and the set of people who would use a service like this is larger than I’m imagining, but I’m quite certain there are a lot of people in the second set who are not in the first.

It seems to me that a better approach would be to focus on making it as easy as possible to deploy lemmy, to encourage more instances on diverse infrastructure. (I see you already have Docker, Ansible, and AWS instructions; as an aside, I recommend replacing the AWS instructions with a note recommending that users boycott Amazon…)


In some regions and on some issues (such as the currently-existing states that identify as Marxist-Leninist) Amnesty’s positions tend to be strongly US-aligned, while on other topics (such as Palestine, US domestic issues, and WikiLeaks) they’re very much not aligned. It turns out politics aren’t reducible to a small boolean circuit :)


When a website uses cloudflare, TLS encrypts the connection (including passwords, etc) from your web browser to cloudflare - not from your browser all the way to the actual site you’re logging in to. (Then, if the request can’t be satisfied by cloudflare’s cache, there is another TLS connection from cloudflare to the “origin server”.)

In either case, Cloudflare sees everything sent to hostnames hosted by them.

Some sites might have your password sent to a different hostname that isn’t hosted by cloudflare, in which case they wouldn’t see your password, but, they would typically still see the resulting session cookie which allows someone to log in as you.

Cloudflare is like any other machine-in-the-middle attack except instead of being something everyone knows they should avoid, it somehow is a service that some people actually pay for (perhaps because they like to imagine that their website might one day be so popular that their VPS would be insufficient to serve it).

In case you actually do need a CDN (and I’d guess 99.9% of cloudflare sites don’t), the correct way to do it is to use the CDN only for static content like images and video. Ideally the CDN shouldn’t need (or have) any cookies, and, if you don’t want to give the CDN (or malicious parties acting under their authority) the ability to hijack your users’ accounts, then you shouldn’t rely on them for hosting javascript either.


fzf is awesome but i keep forgetting it exists, thanks for the reminder.


This is a great writeup, but I’m not thrilled with the disclosure timeline.

Why did the author notify Google prior to submitting the patch to LKML, but then wait another whole week after that before notifying any other Linux distributors? (The LKML post doesn’t say that the bug it fixed is an exploitable vulnerability, but after the fix was public there was a much higher chance that attackers could realize that it is.)

Also, did any distros ship updates on March 7 when the vulnerability became fully public? Given that they were notified on February 28, it seems like they should have, but none of the ones I’ve checked did. (And while some have now, many still haven’t!)


As someone wrote in 2017 at Ubuntu Bug #1728616: using ‘devel’ in sources.list causes apt-get update to fail [via]:

> The whole ‘devel’ thing has been half-broken in one way or another since it was introduced. My advice is just to not use it. And I honestly think we should remove all remnants of it from launchpad and the Ubuntu/PPA archives as well. Trying to treat “the latest at any given point” as the same thing as a “rolling” distribution may have been fun to score some political points, but it doesn’t actually do useful things.

Looking at the issues for “rolling-rhino” it looks like that is still the situation today.