1. 1

    looks useful, would be better if it had binaries available

    1. 2

      Thanks! There’s a binary for Linux and I’ll get more cross-compiling Real Soon(TM)

    1. 1

      Swapping my home firewall/router box from pfSense to OpenBSD. Drama aside, the cumulative decisions Netgate has made over the last few years haven’t aligned with me, and pushing through a buggy version of Wireguard (and then pulling it) was the last straw.

      I did a trial run last weekend in a VM and it was fairly straightforward. Biggest issue was getting DHCP leases to resolve in DNS. pfSense has its own script for solving that, I had to combine unbound & dnsmasq.

      1. 4

        What a mess!

        The tl;dr is that the mimemagic maintainer yanked all existing versions and new versions are licensed under GPL (I think because it was using GPL code by mistake). This is bad because Rails (specifically ActiveStorage) depends on it, and Rails is MIT licensed.

        The latest update from the rails core team is that they’re working on swapping to libmagic or a Ruby translation of libmagic.

        If you’re having trouble as a Rails dev, you can just update your dependency but if you’re in a…license sensitive…environment, check with your lawyers first.

        1. 1

          The dumbest thing is probably that he published a new GPLed version as 0.3.x, which now every tool is updating to automatically.

          1. 1

            So the older versions were incorrectly licensed under another license? Sounds like rolling back to a version that contains GPL code but incorrect license text is a bad solution. Even in the short term.

            1. 1

              Sounds like rolling back to a version that contains GPL code but incorrect license text is a bad solution.

              Disclaimer: I haven’t looked at the file in question, largely because this seems contentious enough to already have escalated against another project using it (see elsewhere in the comments on this post).

              But from reading the discussions, it appears the issue is not any “GPL code” – rather, it’s a data file that ships with a GPL’d package. That data file apparently contains at least some of the mappings of magic numbers to file types, or similar information. And that’s a different sort of question; as some of the threads have pointed out, US copyright law (which is what would matter for things like GitHub and a lot of open-source package hosts) does not recognize copyright on compilations of facts. So if that is indeed the content being claimed, there may be quite a strong case to be made that it’s not only not GPL’d, but not subject to copyright at all.

              1. 5

                I thought so too, but looking at the file:

                 <magic priority="70">
                  <match type="string" value="PK\003\004" offset="0">
                    <match type="string" value="mimetype" offset="30">
                      <match type="string" offset="38" value="application/vnd.sun.xml.calc"/>
                    </match>
                  </match>
                </magic>
                

                Is this data or code? At what point does a list of matches with priorities become its own DSL? To me this definition looks closer to instructions than a data structure.

                1. 1

                  I’m not entirely convinced that even this would clear the bar of creative content. And I’m less convinced of the authors’ understanding of the GPL every time I look at one of the threads. As someone else pointed out here, they (or someone who acts like they have the ability to act on behalf of the GPL’d project) keep suggesting workarounds like telling people to already have a copy of the file present. Which… is not how the GPL works. If the file really is GPL’d, then that’s not a workaround anymore than “require someone to have this .so already present to be loaded at runtime” would be a workaround.

                  1. 1

                    They wouldn’t require someone to have that specific file present - just a file in that format. GPL specifically talks about linking and code, but would this really count? Or is it closer to ICC compiling GPL code which doesn’t make ICC itself GPL? (Compiling actually includes execution of constant expressions from the code)

          1. 2

            Wayland is not an option for me until the Zoom application (not the paralyzed browser version) works in it.

            1. 1

              Thought this was just my funky setup.

            1. 4

              Wait, everyone doesn’t add passphrases to their SSH keys & use their SSH agent to not have to type it in all the time?! Yeah that’s a disaster waiting to happen. Add passphrases to your keys! Use ssh-add!

              1. 35

                e-mail has a lot of legacy cruft. Regardless of the technical merits of e-mail or Telegram or Delta Chat, Signal, matrix.org or whatever, what people need to be hearing today is “WhatsApp and Facebook Messenger are unnecessarily invasive. Everyone is moving to X.” If there isn’t a clear message on what X is, then people will just keep on using WhatsApp and Facebook Messenger.

                It seems clear to me that e-mail is not the frontrunner for X, so by presenting it as a candidate for replacing WhatsApp and Facebook Messenger, I think the author is actually decreasing the likelihood that most people will migrate to a better messaging platform.

                My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                1. 26

                  Signal is a silo and I dislike silos. That’s why I post on my blog instead of Twitter. What happens when someone buys Signal, the US government forces Signal to implement backdoors or Signal runs out of donation money?

                  1. 10

                    Signal isn’t perfect. My point is that Signal is better than WhatsApp and that presenting many alternatives to WhatsApp is harmful to Signal adoption. If Signal can’t reach critical mass like WhatsApp has it will fizzle out and we will be using WhatsApp again.

                    1. 12

                      If Signal can’t reach critical mass like WhatsApp has it will fizzle out

                      Great! We don’t need more silos.

                      and we will be using WhatsApp again.

                      What about XMPP or Matrix? They can (and should!) be improved so that they are viable alternatives.

                      1. 13

                        (Majority of) People don’t care about technology (how), they care about goal (why).

                        They don’t care if it’s Facebook, Whatsapp, Signal, Email, XMPP, they want to communicate.

                        1. 14

                          Yeah, I think the point of the previous poster was that these systems should be improved to a point where they’re just really good alternatives, which includes branding and the like. Element (formerly riot.im) has the right idea on this IMHO, instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.

                          Of course, die-hard decentralisation advocates don’t like this. But this is pretty much the only way you will get any serious mainstream adoption as far as I can see. Certainly none of the other approaches that have been tried over the last ~15 years worked.

                          1. 7

                            …instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.

                            Same problem with all the decentralized social networks and microblogging services. I was on Mastodon for a bit. I didn’t log in very often because I only followed a handful of privacy advocate types since none of my friends or other random people I followed on Twitter were on it. It was fine, though. But then they shut down the server I was on and apparently I missed whatever notification was sent out.

                            People always say crap like “What will you do if Twitter shuts down?”. Well, so far 100% of the federated / distributed social networks I’ve tried (I also tried that Facebook clone from way back when and then Identi.ca at some point) have shut down in one way or another and none of the conventional ones I’ve used have done so. I realize it’s a potential problem, but in my experience it just doesn’t matter.

                            1. 4

                              The main feature that cannot be listed in good faith and which is the one that everybody cares about is: “It has all my friend and family on it”.

                              I know it’s just a matter of critical mass and if nobody switches this will never happen.

                            2. 1

                              Sure, but we’re not the majority of people.. and we shouldn’t be choosing yet another silo to promote.

                            3. 5

                              XMPP and (to a lesser extent) Matrix do need to be improved before they are viable alternatives, though. Signal is already there. You may feel that ideological advantages make up for the UI shortcomings, but very few nontechnical users feel the same way.

                              1. 1

                                Have you tried joining a busy Matrix channel from a federated homeserver? It can take an hour. I think it needs some improvement too.

                                1. 2

                                  Oh, definitely. At least in the case of Matrix it’s clear that (1) the developers regard usability as an actual goal, (2) they know their usability could be improved, and (3) they’re working on improving it. I admit I don’t follow the XMPP ecosystem as closely, so the same could be the same there, but… XMPP has been around for 20 years, so what’s going to change now to make it more approachable?

                              2. 4

                                […] it will fizzle out

                                Great! We don’t need more silos.

                                Do you realize you’re cheering for keeping the WhatsApp silo?

                                Chat platforms have a strong network effect. We’re going to be stuck with Facebook’s network for as long as other networks are fragmented due to people disagreeing which one is the perfect one to end all other ones, and keep waiting for a pie in the sky, while all of them keep failing to reach the critical mass.

                                1. 1

                                  Do you realize you’re cheering for keeping the WhatsApp silo?

                                  Uh, not sure how you pulled that out of what I said, but I’m actually cheering for the downfall of all silos.

                                  1. 2

                                    I mean that by opposing the shift to the less-bad silo you’re not actually advancing the no-silo case, but keeping the status quo of the worst-silo.

                                    There is currently no decentralized option that is secure, practical, and popular enough to be adopted by mainstream consumers in numbers that could beat WhatsApp.

                                    If the choice is between WhatsApp and “just wait until we make one that is”, it means keeping WhatsApp.

                                2. 3

                                  They can be improved so that they are viable alternatives.

                                  Debatable.

                                  Great! We don’t need more silos.

                                  Domain-name federation is a half-assed solution to data portability. Domain names basically need to be backed by always-on servers, not everybody can have one, and not everybody should. Either make it really P2P (Scuttlebutt?) or don’t bother.

                                  1. 2

                                    I sadly agree, which is why logically I always end up recommend signal as ‘the best of a bad bunch’.

                                    I like XMPP, but for true silo-avoidance you need you run your own server (or at least have someone run it under your domain, so you can move away). This sucks. It’s sort of the same with matrix.

                                    The only way around this is real p2p as you say. So far I haven’t seen anything that I could recommend to former whatsapp users on this front however. I love scuttlebutt but I can’t see it as a good mobile solution.

                                3. 8

                                  Signal really needs a “web.signal.com”; typing on phones suck, and the destop app is ugh. I can’t write my own app either so I’m stuck with two bad options.

                                  This is actually a big reason I like Telegram: the web client is pretty good.

                                  1. 3

                                    I can’t write my own app either so I’m stuck with two bad options.

                                    FWIW I’m involved with Whisperfish, the Signal client for Sailfish OS. There has been a constant worry about 3rd party clients, but it does seem like OWS has loosened its policy.

                                    The current Whisperfish is written in Rust, with separate libraries for the protocol and service. OWS is also putting work into their own Rust library, which we may switch to.

                                    Technically you can, and the risk should be quite minimal. At the end of the, as OWS doesn’t support these efforts, and if you don’t make a fool of them, availability and use increases their brand value.

                                    Don’t want to know what happens if someone writes a horrible client and steps on their brand, so let’s be careful out there.

                                    1. 2

                                      Oh right; that’s good to know. I just searched for “Signal API” a while ago and nothing really obvious turned up so I assumed it’s either impossible or hard/hackish. To be honest I didn’t look very deeply at it, since I don’t really care all that much about Signal that much 😅 It’s just a single not-very-active chatgroup.

                                      1. 1

                                        Fair enough, sure. An API might sound too much like some raw web thing - it is based on HTTPS after all - but I don’t think all of it would be that simple ;)

                                        The work gone into the libraries has not been trivial, so if you do ever find yourself caring, I hope it’ll be a happy surprise!

                                    2. 2

                                      The Telegram desktop client is even better than the web client.

                                      1. 3

                                        I don’t like desktop clients.

                                        1. 4

                                          Is there a specific reason why? The desktop version of Telegram is butter smooth and has the same capabilities as the phone version (I’m pretty sure they’re built from the same source as well).

                                          1. 3

                                            Security is the biggest reason for me. Every other week, you hear about a fiasco where a desktop client for some communication service had some sort of remote code execution vulnerability. But there can be other reasons as well, like them being sloppy with their .deb packages and messing up with my update manager etc. As a potential user, I see no benefit in installing a desktop client over a web client.

                                            1. 4

                                              Security is the reason that you can’t easily have a web-based Signal client. Signal is end-to-end encrypted. In a web app, it’s impossible to isolate the keying material from whoever provides the service so it would be trivial for Signal to intercept all of your messages (even if they did the decryption client-side, they could push an update that uploads the plaintext after decryption).

                                              It also makes targeted attacks trivial: with the mobile and desktop apps, it’s possible to publish the hash that you get for the download and compare it against the versions other people run, so that you can see if you’re running a malicious version (I hope a future version of Signal will integrate that and use it to validate updates before it installs them by checking that other users in your network see the same series of updates). With a web app, you have no way of verifying that you’re running the same code that you were one page refresh ago, let alone the same code as someone else.

                                              1. 1

                                                A web based client has no advantages with regards to security. They are discrete topics. As a web developer, I would argue that a web based client has a significantly larger surface area for attacks.

                                                1. 1

                                                  When I say security, I don’t mean the security of my communications over that particular application. That’s important too, but it’s nothing compared to my personal computer getting hacked, which means my entire digital life getting compromised. Now you could say a web site could also hijack my entire computer by exploiting weaknesses in the browser, which is definitely a possibility, but that’s not what we hear every other week. We hear stupid zoom or slack desktop client containing a critical remote code execution vulnerability that allows a completely unrelated third party complete access to your computer.

                                              2. 1

                                                I just don’t like opening a new window/application. Almost all of my work is done with one terminal window (in tmux, on workspace 1) and a browser (workspace 2). This works very well for me as I hate dealing with window management. Obviously I do open other applications for specific purposes (GIMP, Geeqie, etc) but I find having an extra window just to chat occasionally is annoying. Much easier to open a tab in my browser, send my message, and close it again.

                                      2. 3

                                        The same thing that’s happening now with whatsapp - users move.

                                        1. 2

                                          A fraction of users is moving, the technically literate ones. Everyone else stays where their contacts are, or which is often the case, installs another messenger and then uses n+1.

                                          1. 2

                                            A fraction of users is moving, the technically literate ones

                                            I don’t think that’s what’s happening now. There have been a lot of mainstream press articles about WhatsApp. The technical users moved to Signal when Facebook bought WhatsApp, I’m now hearing non-technical folks ask what they should migrate to from WhatsApp. For example, one of our administrators recently asked about Signal because some of her family want to move their family chat there from WhatsApp.

                                            1. 1

                                              Yeah these last two days I have been asked a few times about chat apps. I have also noticed my signal contacts list expand by quite a few contacts, and there are lots of friends/family who I would not have expected to make the switch in there. I asked one family member, a doctor, what brought her in and she said that her group of doctors on whatsapp became concerned after the recent announcements.

                                              I wish I could recommend xmpp/OMEMO, but it’s just not as easy to set up. You can use conversations.im, and it’s a great service, but if you are worried about silos you are back to square one if you use their domain. They make using a custom domain as friction-free as possible but it still involves DNS settings.

                                              I feel the same way about matrix etc. Most people won’t run their own instance, so you end up in a silo again.

                                              For the closest thing to whatsapp, I have to recommend Signal. It’s not perfect, but it’s good. I wish you didn’t have to use a phone number…

                                        2. 2

                                          What happens when someone buys Signal, the US government forces Signal to implement backdoors or Signal runs out of donation money?

                                          Not supporting signal in any way, but how would your preferred solution actually mitigate those risks?

                                          1. 1

                                            Many different email providers all over the world and multiple clients based on the same standards.

                                            1. 6

                                              Anyone who has written email software used at scale by the general public can tell you that you will spend a lot of time working around servers and clients which do all sorts of weird things. Sometimes with good reasons, often times with … not so good reasons. This sucks but there’s nothing I can change about that, so I’ll need to deal with it.

                                              Getting something basic working is pretty easy. Getting all emails handled correctly is much harder. Actually displaying all emails well even harder still. There’s tons of edge cases.

                                              The entire system is incredibly messy, and we’re actually a few steps up from 20 years ago when it was even worse.

                                              And we still haven’t solved the damn line wrapping problem 30 years after we identified it…

                                              Email both proves Postel’s law correct and wrong: it’s correct in the sense that it does work, it’s wrong because it takes far more time and effort than it really needs to.

                                              1. 2

                                                I hear you (spent a few years at an ESP). It’s still better than some siloed walled garden proprietary thing that looks pretty but could disappear for any reason in a moment. The worst of all worlds except all others.

                                                1. 2

                                                  could disappear for any reason in a moment

                                                  I’m not so worried about this; all of these services have been around for ages and I’m not seeing them disappear from one day to the next in the foreseeable future. And even if it does happen: okay, just move somewhere else. It’s not even that big of a deal.

                                                  1. 1

                                                    Especially with chat services. There’s not that much to lose. Your contacts are almost always backed up elsewhere. I guess people value their chat history more than I do, however.

                                        3. 11

                                          My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                                          I’ve recently started using it, and while it’s fine, I’m no fan. As @jlelse, it is another closed-off platform that you have to use, making me depend on someone else.

                                          They seem to (as of writing) prioritize “security” over “user freedom”, which I don’t agree with. There’s the famous thread, where they reject the notion of distributing Signal over F-Droid (instead having their own special updater, in their Google-less APK). What also annoys me is that their desktop client is based on Electron, which would have been very hard for me to use before upgrading my desktop last year.

                                          1. 6

                                            My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                                            What I hate about signal is that it requires a mobile phone and an associated phone number. That makes it essentially useless - I loathe mobile phones - and very suspect to me. Why can’t the desktop client actually work?

                                            1. 2

                                              I completely agree. At the beginning of 2020 I gave up my smartphone and haven’t looked back. I’ve got a great dumb phone for voice and SMS, and the occasional photo. But now I can’t use Signal as I don’t have a mobile device to sign in to. In a word where Windows, Mac OS, Linux, Android, and iOS all exist as widely used operating systems, Signal is untenable as it only as full featured clients for two of these operating systems.

                                              Signal isn’t perfect.

                                              This isn’t about being perfect, this is about being accessible to everyone. It doesn’t matter how popular it becomes, I can’t use it.

                                              1. 1

                                                They’ve been planning on fixing that for a while, I don’t know what the status is. The advantage of using mobile phone numbers is bootstrapping. My address book is already full of phone numbers for my contacts. When I installed Signal, it told me which of them are already using it. When other folks joined, I got a notification. While I agree that it’s not a great long-term strategy, it worked very well for both WhatsApp and Signal to quickly bootstrap a large connected userbase.

                                                In contrast, most folks XMPP addresses were not the same as their email addresses and I don’t have a lot of email addresses in my address book anyway because my mail clients are all good at autocompleting them from people who have sent me mail before, so I don’t bother adding them. As a result, my Signal contact list was instantly as big as my Jabber Roster became after about six months of trying to get folks to use Jabber. The only reason Jabber was useable at all for me initially was that it was easy to run an ICQ bridge so I could bring my ICQ contacts across.

                                                1. 1

                                                  Support for using it without a phone number remains a work in progress. The introduction of PINs was a stepping stone towards that.

                                                2. 1

                                                  What I hate about signal is that it requires a mobile phone and an associated phone number.

                                                  On the bright side, Signal’s started to use UUIDs as well, so this may change. Some people may think it’s gonna be too late whenever it happens, if it does, but at least the protocols aren’t stagnant!

                                              1. 1

                                                As well as client work, I’m spending some time polishing up BitFriends which we quietly launched before Christmas.

                                                1. 1

                                                  Long, but some interesting nuggets of information in here. In particular some of their SaaS choices (Airbrake, SendGrid outside of Heroku) are worth learning from.