1. 3

    (2017) is this article missing anything in angle brackets, such as <stdbool.h> or < T >? Thus quite unreadable to me

    1. 4

      Indicating the return status of the last command is really useful, but I’ve found that just colour is too subtle most of the time. If you do this, you may want to experiment with putting the error code in the prompt if it’s not zero. Something like

      %(?..(%?%))
      

      to print (1) if the exit status was 1, for example.

      1. 1

        Riiight, I tried doing that and didn’t like it. So far that color-coded prompt seems to be noticeable enough for me, but maybe that’s because of novelty, I’ll see. :)

        1. 1

          Fwiw, I just use:

          setopt print_exit_value
          

          That way my prompt never changes, and I get the actual return code printed out blatantly like so:

          zsh: exit 129   ~/sync.sh
          

          I’d rather know the actual return code, and do nothing if everything is ok and not clutter the prompt at all.

          1. 2

            That’s exactly what I replaced with colorful >. :-) I’ve been living with print_exit_value for a long time but it’s nice when command output is exactly command output. :)

            1. 1

              Heh, I’d rather have the extra lines in this case so it’s obvious that something exited non zero. To each their own!

        2. 1

          for those who care about a visible exit code, I found

          setopt PRINT_EXIT_VALUE
          

          a nice personal solution. It does not go in your prompt

          1. 1

            I gotta refresh my tabs more often heh jinx but I agree entirely.

          2. 1

            IMO, I’m not a huge fan of this, as the fact that the exit status is not zero does not always mean an error has occurred. I suppose it really comes down to workflows and what tools you use all the time. But my prompt turning red because my compile failed is not any more informative than the three pages of errors I got prior to that. :)

            1. 2

              …exit status is not zero does not always mean an error has occurred.

              Indeed. I just use it as a useful point of information for those commands whose error codes are significant or I can’t tell actually failed. It’s always a personal preference thing, though.

          1. 3

            I wish they’d named the CA who revoked their certificate and never contacted them about it. I want to know who to avoid.

            1. 2

              In the links in the statement Comodo/Sectigo and CodeSignCert are named.

              1. 1

                if you click on the links, it has a name

              1. 31

                This is what has kept me busy the past 18 months. Ask me anything :-)

                1. 12

                  I’ve been using the preview for a while, and I like it a lot. Thanks to you and everyone at Mozilla.

                  Moving the address / tool bar to the bottom of the screen is, imho, a very clever decision that made my huge phablet phone a bit less painful to use.

                  1. 7

                    After using Firefox on Android for as long as I can remember, I have changed browsers.

                    Every time I start the new version my screen flashes. I perceive no performance improvements or “experience” benefits. On the contrary my favorite extensions no longer work.

                    My question is, why should I use/return to this new version?

                    1. 6

                      Same here, even on my latest Google Pixel, the Firefox performance was awful, the browser experience was not good. But now I’m very happy with the latest version, I can see real good improvements, the browser experience is great and it’s not resource hungry as the oldest version. I would like to congratulate the Mozilla team for the great job!

                    2. 7

                      I… hated it. Especially I feel like there wasn’t enough testing with the bar configured on top. I wrote a rant with the issues I have, which will probably read as too angry for a lobste.rs comment but allowed me to vent my frustration.

                      For now I set the bar on the bottom, which I don’t really like but solves 2 issues (buggy sites, and the new tab button being too far).

                      Still thank you for your work. I couldn’t get anything done without firefox in my pocket.

                      1. 9

                        Another issue not listed: I will sometimes come back to firefox to find an old tab is now completely blank. Reloading will not help: I have to close the tab and open it again. I’ve had this happen with both a lobsters tab and a completely unrelated site… I will have to try and find a reproducible way to trigger it, could be hard.

                        1. 3

                          I’ve had that issue on desktop firefox. If the site is bookmarked, I click it (helpful especially if it was a container tab)

                      2. 6

                        Lots of users hate the new tab drawer (vs. the original tab page in earlier Firefox Preview builds). I don’t think it matters whether it’s a drawer or a full screen page, but the fact that scrolling to the top of the list continues into closing the drawer is extremely annoying. I do not ever want to close the drawer by moving my finger down on the list of tabs!! Please make an option to only have the header draggable for closing.

                        1. 5

                          Any plans for completing the bookmark feature?

                          1. 4

                            Will it be made available on F-Droid? Soon? Ever?

                            How does this release relate to these:

                            Getting Firefox via F-Droid has always confused me, so I’ve stayed away, but I’m always on the lookout for a good browser for Android.

                            1. 2

                              No idea about Klar, but Fennec is similar to IceCat: Firefox with the proprietary blobs removed. I think F-Droid doesn’t like vanilla Firefox for the reason that it contains blobs.

                              1. 2

                                My recollection is that F-Droid’s Fennec build is just Firefox with the trademarks removed, not proprietary blobs. The new Firefox for Android, Fenix, doesn’t get packaged because its standard build system involves downloading pre-compiled copies of other Mozilla components, like the GeckoView widget, rather than building absolutely everything from source. F-Droid does allow apps that download pre-compiled copies of things, but only if they’re obtained from a blessed list of Maven repositories, and Mozilla’s CI system is not on the list.

                                Also, there may be something about requiring the Play Store to support notifications, but I don’t think it’s the only or even the biggest blocker.

                                1. 3

                                  Ah, sounds like you know more about this than me - I stand corrected. Thanks for the information!

                            2. 4

                              why block about:config? why no arbitrary extensions on your own risk? I would love a split screen or dual window feature.

                              1. 3

                                One thing I would absolutely love is socks5 proxy support. Any plans for that? Also, I use ^L and ^K a freakton in the desktop browser. I’d love to see support for that when using Firefox for Android on ChromeOS.

                                1. 3

                                  How can I downgrade without losing my settings and open tabs?

                                  1. 2

                                    Hi @st3fan,

                                    In general I’m pretty happy with the new version of Firefox. The one big mistake Mozilla made however was to pull important features out.

                                    For example I miss “custom search keywords”. I have a carefully crafted list of custom search keywords, and I use Firefox on top of iOS too because of it (otherwise I’ve got no reason to not switch to Safari). And it seems that this particular feature is not coming back on Android, due to some unification with the search engines, which don’t even synchronize. And this made me a little sad.

                                    Also the new engine has some issues with some animations on some websites, as when scrolling such pages I sometimes get lag. I also hope that you’ll improve Android’s UI for tablets, as some of the UI elements are a little small on top of my Galaxy Tab S7.

                                    Otherwise I’m happy to see Firefox improve, and the few add-ons I relied on still working. For me Android is not usable without Firefox ❤️

                                    Keep up the good work.

                                    1. 2

                                      Great work! It sounds like there’s been a lot of work going on under the hood for this release, and there’s mention of it now being easier to make new features in the product. Are there any blog posts - or could you talk a bit about what changes have been made that now unlock this extra velocity?

                                      1. 2

                                        I use Android with a keyboard.

                                        Do you know of any keyboard-driven browsing solutions like Vimium on Android at this time?

                                        1. 2

                                          Any way to display your bookmarks on startup or something like this? I’m used to switching through my bookmarks, now I’ve got to add them all to this “collection”(? german word is “Sammlung”) and that is collapsed every time I create a new tab. “Add to start screen” doesn’t do anything.

                                          1. 1

                                            Finally found the option to add it as part of the start screen. The new Bookmarks view is hard for me to grasp, like everything looks the same.

                                          2. 1

                                            Hi Stefan, please take a look at brave on mobile. I was eagerly waiting for Brave UX in firefox and chrome. Fantastic news that firefox.

                                            One suggestion - After clicking on tab number at right bottom corner to open new tab, is it possible to slide to normal window to incognito windows by sliding on screen rather than click on each icon. This will be especially helpful for mobile or tablet with big screens.

                                            Again, big thanks for making such a huge change possible.

                                            1. 1

                                              This is the version that finally made me rate Firefox in Play store: to 1 star! Why did you (plural) make it this bad?

                                              Things that broke:

                                              • setting DuckDuckGo up as a default search engine was simple in the past as I remember. It was auto-discovered, I think, I installed Firefox quite a time ago. Now I had to manually edit a search string.
                                              • The text selection menu is totally useless. I used to have “copy to clipboard” and “search <default search provider>” there. Now I have to push “…” and scroll a tiny list with useless items populated by some incomprehensible logic, containing apps installed on my phone eg. a “pdf reader”, “encrypt”, “private search”, “Firefox search”, “new task”. Lot of useless crap instead of a single simple workflow. The “Firefox Search” option is the functional equivalent of the old operation, but it is at the bottom of the list, so it is a pain to use.
                                              • icons in the start page are smaller, and the workflows on their manipulation are not intuitive.
                                              • tab selection is terrible. The tabs opened in the background are at the top of the tab stack, but the current tab is at the top of the screen, and there are no visual cues that there may be other tabs above, you need to scroll both ways to find what you are looking for…

                                              The whole UX suggests that the developers don’t use Firefox for daily browsing. The features are there, the UX is terrible, and is a regression in every possible aspect.

                                              The single good thing is the address bar in the bottom. I’d prefer to downgrade to an older version actually, as the previously advertised speed benefits are not noticeable.

                                              The PR page states:

                                              User experience is key, in product and product development

                                              Maybe I’m not the target audience?

                                              I know this is not your (singular) fault, more likely a project management issue, but I think the direction is not the right one.

                                              1. 1

                                                Just got the update. Really liking the bar on the bottom.

                                              1. 1

                                                Is it available to download somewhere, or is that only for Google Android via the play store?

                                                1. 2

                                                  I have bookmarked this address, it’s for the testing build of Firefox https://firefox-ci-tc.services.mozilla.com/tasks/index/mobile.v2.fenix.nightly.latest/arm64-v8a

                                                  I found this address unnecessarily hard to find

                                                  1. 1

                                                    I used Aurora Store, after that FFUpdater picks it.

                                                    1. 11

                                                      Better than nothing perhaps, but the least secure of all 2fa methods (even in your link), as well as being cloneable/hijackable and vulnerable to “vendor social engineering”. Not to mention requires handing your phone number off to a company, to increase your targeting profile, to be added to txt spam lists, and/or sold to other companies so they can advertise to (spam) you.

                                                      Hardware tokens, push-message-based, even totp, all are superior. Why even spend the dev cycles implementing something marginal like SMS-2fa, paying for txt messaging (and/or integrating with an sms vendor), when you can just do something better instead (and arguably more easily)?

                                                      1. 5

                                                        Not to mention requires handing your phone number off to a company, to increase your targeting profile, to be added to txt spam lists, and/or sold to other companies so they can advertise to (spam) you.

                                                        It’s also a pain in areas with poor or intermittent mobile coverage.

                                                        1. 1

                                                          The criticism in the article seems to be mostly around phishing attacks. Are these other approaches more resilient to phishing? With the suggestion of randomized passwords as the best alternative, the author seems to be against any kind of 2FA.

                                                          1. 5

                                                            The author also states:

                                                            If you also want to eliminate phishing, you have two excellent options. You can either educate your users on how to use a password manager, or deploy U2F, FIDO2, WebAuthn, etc. This can be done with hardware tokens or a smartphone.

                                                            So I don’t think the author is against 2FA in general, just specifically SMS-2FA.

                                                            Also note the first suggestion of using a password manager is, in my opinion, a bit nuanced, because “how to use a password manager” includes having the manager fill in credentials for you, and the password manager restricting this to only on the correct domain defined for the password.

                                                            Are these other approaches more resilient to phishing?

                                                            I would say U2F, FIDO2, WebAuthn is far more resilient to phishing, yes.

                                                            “A good password manager”? As I mentioned above I feel this one is more tenuous. I personally feel users could easily be tricked to copy/pasting credentials out of a password manager, since users have the expectation that software in general is kind of clunky and broken so “it must not be working right so I’ll do it manually”. As such, I’m not sure I necessarily agree that just using a good password manager is sufficient to prevent phishing. It would be interesting to see stats on it though, as my hunch is just that and has no scientific basis or real evidence behind it.

                                                            TOTP as a 2nd factor is presumably just as vulnerable to phishing as a password alone, but being an extra step and relatively out of band from normal credential flow, but for preventing automated (non-phishing) attacks, seems useful. In my opinion better than SMS-2FA, but nowhere near as good as U2F, FIDO2, WebAuthn.

                                                            push-message-based tokens (like Okta uses for example) are, presumably (caveat I’m not a security professional) as secure as the weakest link of vendors involved: push-vendor (eg. google, apple) and token vendor (eg. okta). Generally requires server side integration/credentials to get the vendor to invoke the push, and are typically device locked.

                                                            1. 2

                                                              “A good password manager”? As I mentioned above I feel this one is more tenuous. I personally feel users could easily be tricked to copy/pasting credentials out of a password manager, since users have the expectation that software in general is kind of clunky and broken so “it must not be working right so I’ll do it manually”.

                                                              I can’t count the number of times I have copy/pasted a password because the Firefox password manager saved the credentials for one login form on the site, but then didn’t autofill them on a different form. Maybe that means that it doesn’t count as a “good password manager” though? I guess I should be filing bugs on these cases anyway.

                                                              1. 2

                                                                Same. I also have a few sites that don’t even work well with 1password (generally considered pretty decent). Some sites also seem to go out of their way to make password managers not work. Why?! ;_;

                                                            2. 5

                                                              Are these other approaches more resilient to phishing? With the suggestion of randomized passwords as the best alternative, the author seems to be against any kind of 2FA.

                                                              U2F and WebAuthn categorically prevent phishing by binding the domain into the hardware device challenge response.
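
The contrast drawn in the comments above (a TOTP code is not tied to the site it is typed into, while a U2F/WebAuthn assertion carries the origin and relying-party ID), sketched as an added example that is not part of the thread. Assumptions: HMAC stands in for the authenticator's ECDSA signature, both origins are constructed, and `ToyAuthenticator`, `browser_sign_in` and `rp_verify` are hypothetical names.

```python
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://example.com"        # constructed relying-party origin
LOOKALIKE_ORIGIN = "https://examp1e.test"  # constructed look-alike origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the secret and the time only."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def rp_id_of(origin: str) -> str:
    """Relying-party ID derived from an origin (host part, simplified)."""
    return origin.split("://", 1)[1]


class ToyAuthenticator:
    """Holds one key per relying-party ID. HMAC is a stand-in for ECDSA."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]  # stand-in for the public key given to the RP

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self._keys.get(rp_id)
        if key is None:  # no credential was ever registered for this RP ID
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"clientData": client_data, "authData": auth_data,
                "sig": hmac.new(key, signed, hashlib.sha256).digest()}


def browser_sign_in(auth, page_origin: str, challenge: bytes, rp_id=None):
    """The browser, not the page, writes the origin into the signed client data.
    rp_id is overridable only to model a hypothetical client that skips the
    browser's RP-ID-versus-origin check."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    return auth.get_assertion(rp_id or rp_id_of(page_origin), client_data)


def rp_verify(key: bytes, challenge: bytes, assertion: dict) -> str:
    """Relying-party checks, in the order a server would apply them."""
    client = json.loads(assertion["clientData"])
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("origin") != REAL_ORIGIN:
        return "origin mismatch"
    if client.get("challenge") != challenge.hex():
        return "challenge mismatch"
    expected_rp_hash = hashlib.sha256(rp_id_of(REAL_ORIGIN).encode()).digest()
    if assertion["authData"] != expected_rp_hash:
        return "rpId hash mismatch"
    signed = assertion["authData"] + hashlib.sha256(assertion["clientData"]).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["sig"]):
        return "bad signature"
    return "ok"


def demo() -> dict:
    secret, now = b"12345678901234567890", 59  # RFC 6238 test secret and time
    # The code is the same string whichever page it is typed into, so the
    # server has nothing to tell a forwarded code from a direct one.
    typed_code = totp(secret, now)
    totp_accepted = hmac.compare_digest(typed_code, totp(secret, now))

    auth = ToyAuthenticator()
    key = auth.register(rp_id_of(REAL_ORIGIN))
    challenge = os.urandom(16)
    forced = browser_sign_in(auth, LOOKALIKE_ORIGIN, challenge,
                             rp_id=rp_id_of(REAL_ORIGIN))
    return {
        "totp_code_from_other_page_accepted": totp_accepted,
        "webauthn_legitimate": rp_verify(
            key, challenge, browser_sign_in(auth, REAL_ORIGIN, challenge)),
        "webauthn_on_lookalike": browser_sign_in(auth, LOOKALIKE_ORIGIN, challenge),
        "webauthn_rp_id_forced": rp_verify(key, challenge, forced),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On the look-alike origin the authenticator has no credential to sign with, and even when the RP ID is forced the signed client data still names the wrong origin, so the server rejects it.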

                                                          2. 3

                                                            Good link!

                                                            I posted this because I think it’s interesting to see articulated arguments for a position I’m surprised by.

                                                            1. 6

                                                              Google wants to know our phone numbers. From that research, we can see that a phone number is effective in deterring some attacks. The question I would ask is, can we achieve similar security through other means? For example, even Google shows that On-device prompts or security tokens are better than SMS.

                                                              So please, if you think you must, offer SMS. But also offer other 2FA options and especially don’t force collect phone numbers if you can avoid it.

                                                          1. 1

                                                            about the headphones, I don’t want to miss wireless. the freedom to pace around the flat while in a call / thinking etc is hard to get with wires. in case Bluetooth is not reliable enough, there are many devices with custom USB sound card receivers that are very plug and play

                                                            1. 8

                                                              Our SSH uses Kerberos, I wonder how that compares to the certificates…

                                                              1. 2

                                                                You’re doing it right. SSH with Kerberos is a great experience. Just make sure your admins haven’t done naughty things like allowing you to permit others to SSH into your account because you modified .k5login in your ~ …

                                                                1. 1

                                                                  thanks for the insight!

                                                                2. 1

                                                                  Kerberos is rather comparable with certificates – think of it as a primitive Let’s Encrypt. I tend to think of the service tickets as a really short-lived certificate.

                                                                1. 3

                                                                  I wonder if good old gpg signatures, verified by the registry on releases couldn’t help decouple these account hijackings a bit?

                                                                  1. 4

                                                                    So, suppose you require each account to associate at least one key. But then someone gets access to your account and either attaches another key, or replaces your key (because you need to have some sort of mechanism for replacing/rotating keys). And now you’re back to square one, except with a worse false sense of security because the malicious package will pass signature verification – it’s signed by a key associated with the correct account.

                                                                    So the short answer is that “just use PGP signatures” is not a solution. The long answer digs into the fact that package signing in, say, Linux distros only works because those distros have a relatively small number of people authorized to produce the packages and that group can more easily be thoroughly vetted; language-specific package indexes like RubyGems, npm, PyPI, etc. are wide open to anyone who wants to publish packages, and intensely vetting the trustworthiness of every package author in those systems is not feasible and likely never will be.

                                                                    1. 1

                                                                      What happens when a dev loses their key?

                                                                      1. 1

                                                                        it would seem to me that it’s still rather harder to lose a key than a password. of course maybe I’m wrong… as far as I know, the java maven central nexus has this requirement

                                                                        1. 2

                                                                          It might be harder, but it happens. Consider not just “losing control of the key” but the simpler “literally losing a key”, like your harddrive dies and it didn’t get backed up due to neglect, misconfiguration, bad timing, or a billion other things.

                                                                          How should that case be handled? If the user account can change the key that gems need to be signed by, we’re back to square one – once Attacker has guessed the password they just need to change the key before uploading the malicious version.

                                                                          If the signing key can’t be changed, the gem dies?

                                                                          as far as I know, the java maven central nexus has this requirement

                                                                          Maven Central requires that the package be signed with a public key visible in some public keyserver, yes. But nothing stops an attacker from generating a public key for some plausible looking name and putting that public key in the MIT PGP Public Key Server.

                                                                          You need to verify that the key that signed the package actually belongs to the person you expect it to. That’s the hard part, and most packages in the Maven Repo don’t have cross signed keys via various parties so that you can build some level of trust that the key that signed it is a key that belongs to someone you expect it to. The signing is in most cases merely theatre – you’re not trusting much more than that the package was submitted by some unknown party who uploaded a key somewhere, who may or may not be who you expect.

                                                                        2. 1

                                                                          It then makes a lot of noise and generally sucks, until the new key has reached some designated level of trust.

                                                                          Or someone else (or ideally multiple people) with commit privilege blesses the key.

                                                                          I feel like the issue with gpg signing packages is less that we don’t know how to do it, more that it’s just a pain in the ass and makes other best practices more difficult.

                                                                      1. 1

                                                                        People are suggesting keeping your gmail account “alive” for a while, but in the case of that account being bound to something that you own, like your Git commits somewhere, it means that you’ll have to keep that account safe, forever.

                                                                        I have two questions:

                                                                        • Is there a way of changing your commit history to reflect to a new email address that does not belong to a centralized corporation but to you, in the form of a domain you own?
                                                                        • Is it possible to use another identification mechanism, a signature that is not bound to an email address? An email address requires infrastructure to work, and that eventually could belong to someone else, like the domain your email is part of.
                                                                        1. 2

                                                                          Is there a way of changing your commit history to reflect to a new email address that does not belong to a centralized corporation but to you, in the form of a domain you own.

                                                                          Yes in theory, however that changes all the hashes so no in practice.

                                                                          1. 2

                                                                            in my experience, just start committing with the new address and update any mailmap and authors files. can’t do anything about published history…

                                                                            1. 1

                                                                              You could use git filter-branch to rewrite the entire git repository to replace your old e-mail address with your new one, but that will change the hash of every commit so it will be a terrible experience for anyone who has an existing clone of your repository. I think it’s not worth it.

                                                                              1. 1

                                                                                Is it possible to use another identification mechanism, a signature that is not bound to an email address? An email address requires infrastructure to work, and that eventually could belong to someone else, like the domain your email is part of.

                                                                                In GitHub, you can choose to keep your email private and use something to the tune of username@users.noreply.github.com. See the details here

                                                                              1. 4

                                                                                by the way, on debian you can just install the user-mode-linux package instead of compiling a kernel yourself

                                                                                I had also uploaded the slirp code that debian ships, with the patches as separate commits, to github: https://github.com/ailin-nemui/slirp however, it still needs to be compiled with gcc4 to produce working binaries

                                                                                1. 3

                                                                                  How do you install GCC 4 on modern systems?

                                                                                  1. 4

                                                                                    Nix has packages for both GCC 4.8 and 4.9.

                                                                                1. 2

                                                                                  I especially found part 2 interesting, about the wrong drive write speed causing some corruption

                                                                                  1. 13

                                                                                    Interesting post on the blue site

                                                                                    Quoted here:

                                                                                    I maintain the IRC server software that Mozilla IRC uses. I used to be in contact with the person who managed the Mozilla IRC server but they passed responsibility onto someone else and in the years since the new person has not bothered even once to reach out to us about solving their issues with IRC.

                                                                                    We have plenty of solutions available to deal with the kind of problems they claim to be having. If they want they can make it so people need to be logged into accounts to interact with channels/other users to solve abuse/spam they can do that. If they want a fancy modern client UI then there are several modern interfaces which are very accessible (IRCCloud, The Lounge, Kiwi IRC, etc).

                                                                                    Ultimately it seems to me that they are just making a knee jerk reaction and deciding to jump to some other platform without knowing what they want to move to and without actually looking into seeing if any of their problems are solvable. ¯_(ツ)_/¯

                                                                                    1. 8

                                                                                      That post has been pretty thoroughly debunked (the author posted the same comment to multiple threads). Mozilla does have the spam mitigations they mention enabled. Mozilla does have a corporate IRCCloud license. This is not some ill-considered knee-jerk reaction borne out of incompetence. It has been considered at great lengths and been a very long time coming.

                                                                                      While I’ll personally be sad to see irc.mozilla.org go, I understand why it is necessary and am on-board with the decision.

                                                                                      1. 14

                                                                                        Perhaps it would be useful to explain why they’re insufficient, rather than just saying that you have them.

                                                                                        1. 8

                                                                                          I just fear that a closed platform such as Discord is not a good fit for open source projects in the long run. You are not permitted to use your own clients and are ultimately in a vendor lock-in. Of course they can just switch again when their core team becomes dissatisfied at any time.

                                                                                          1. 8

                                                                                            I’m not an IRC admin, so I don’t have anything to say about the moderation aspect beyond what the article says. But guessing that the fact you can’t delete hateful messages is a big part of it.

                                                                                            But for me, and I say this as someone who loves IRC, the bigger reason is that IRC excludes people who aren’t as technically savvy. Yes I’ve used IRCCloud and no, it isn’t good enough. The only way to get persistent messages is to either pay for a service (not fair to ask contributors to do this, especially those from developing countries), or set up a bouncer/relay (this might be easy if you are an old Unix hand, but not so much for most people). And besides, hosting your own bouncer costs money too.

                                                                                            Even the passage you quoted says “logged in accounts”. Making an account on IRC is hard. I remember the first time I connected to IRC to play a game of Star Fury, and it was enormously intimidating. That’s not a barrier that I want a young contributor who doesn’t have the greatest handle on English to need to surpass.

                                                                                            It’s been linked elsewhere in this thread, but the author of this article’s other post is a pretty great read: http://exple.tive.org/blarg/2018/11/09/the-evolution-of-open/

                                                                                            This is bittersweet for me, irc.mozilla.org has been a huge part of my life for almost ten years now. But it’s the right call.

                                                                                            1. 4

                                                                                              But guessing that the fact you can’t delete hateful messages is a big part of it.

                                                                                              You can’t not delete them: every message is immediately thrown away by the server. This is one of my main complaints with IRC.

                                                                                              Also, I find it somewhat fascinating that the complexity (or even impossibility) of understanding the software stack that you use is swept under the rug in that whole article.

                                                                                              It talks about controlling your own destiny, but how can you do that if you can’t even implement the basic protocols?

                                                                                              Making an account on IRC is hard. I remember the first time I connected to IRC to play a game of Star Fury, and it was enormously intimidating.

                                                                                              Seems like it would be easy to improve. Anything from an out of band sign up page to a /msg from a bot on joining.

                                                                                              (Also, the implicit assumption here about these people’s ability to use a chat program is a bit… uncharitable, don’t you think? I know I would be insulted if you told me IRC was too hard for me to use.)

                                                                                              None of the reasons listed for shutting IRC down make sense, and all of them sound to me like someone higher up just liked Slack and wanted an excuse to switch to it.

                                                                                              In spite of weaker moderation tools.

                                                                                              1. 4

                                                                                                Seems like it would be easy to improve. Anything from an out of band sign up page to a /msg from a bot on joining.

                                                                                                Maybe. IRC was “easy to improve” for years, I have yet to see those improvements happen.

                                                                                                And no, I don’t want to improve it, because I have a project to run and not write web interfaces for my chat tool.

                                                                                                None of the reasons listed for shutting IRC down make sense, and all of them sound to me like someone higher up just liked Slack and wanted an excuse to switch to it.

                                                                                                Mozilla already uses Slack for internal discussion, but it will probably not be the replacement for community discussion, precisely because of bad moderation.

                                                                                                I don’t agree that the reasons don’t make sense, irc.mozilla.org is a constant target of abuse and just the cost of abuse handling is very high.

                                                                                              2. 4

                                                                                                I’m kind of glad that the IRC server can’t reach into my client and delete messages from its memory. I can do that myself if I want to. While it tends not to really happen in professional settings, it makes me annoyed and confused when I see messages disappear from the history of e.g. Twitch chats. It’s as if I’m being punished for another user’s transgression. Why don’t I get to know what happened?

                                                                                                1. 6

                                                                                                  The point here is that we can delete harassment targeted at specific users or groups before it reaches them. There’s no use in receiving abuse and just deleting it yourself.

                                                                                                  Spreading lies and attacks is pretty common and I see a case for deleting them before they are pushed towards other clients.

                                                                                                  Also, no, I don’t believe you have the right to receive a full log of all messages that were sent to our network.

                                                                                                  All of the things above happen frequently on irc.mozilla.org, so they bring a big load.

                                                                                                  1. 2

                                                                                                    I’m not saying I should receive a full log of all messages that were sent to your network. I’m saying I should be allowed to keep a full log of all messages that were relayed to me. I respect that some other people might not want that, but I think a feature that deletes stuff from my personal copy of the history should at least have an opt-out.

                                                                                                    I think I’m fine with actually deleting messages before they’re sent to people, or rejecting them at the time of the receipt.

                                                                                                    I’ve certainly lamented the ability to retroactively make people’s clients unsee drive-by spam and harassment, but I think there’s plenty of room to get better at dealing with it (both technically and socially) without resorting to rewriting history.

                                                                                                    1. 4

                                                                                                      I’ve certainly lamented the ability to retroactively make people’s clients unsee drive-by spam and harassment, but I think there’s plenty of room to get better at dealing with it (both technically and socially) without resorting to rewriting history.

                                                                                                      This is not even in spite, I’m sure a lot of protocol designers would like to speak to you. I like your optimism to improve socially, but I have to keep my communities safe, now. Targeted harassment is real and behavioural education won’t make it go away soon.

                                                                                                      And the fact is that the Rust project deals with people joining our venues, spreading misinformation (and we’re very conservative flagging as such) and attacking people on a regular basis. IRC is by far the leader. We need a solution for that and clients that heed “delete” updates is currently what we have. You can use a client that ignores them, but yeah, that’s what we have.

                                                                                                      1. 1

                                                                                                        How can you delete messages before they end up in other clients? Does Discord support this? How scalable is that?

                                                                                                        I know there is auditorium mode on Undernet IRC, where only channel managers receive all messages from unidentified users, and have to acknowledge them manually before they will be posted for everyone else to see

                                                                                                        1. 2

                                                                                                          There’s a ton to consider here. I’ll only talk about the case where clients read all messages. (In IRC, that needs a bouncer or similar)

                                                                                                          • The model of the server: If the client is only connected while the user is active, you can obviously delete messages for all clients who have not read the messages.

                                                                                                          • If a message has reached the client (in IRC in all cases), you can send a message asking them to ignore and delete a previous message. This is a best effort, but most clients heed that.

                                                                                                          • In federated systems, there’s obviously the problem that not only clients, but also all federated servers need to cooperate.

                                                                                                          • As you describe, pre-screening is a good option in networks that expect a lot of abuse. I do that for YouTube comments and I have to delete ~50%.

                                                                                                          TL;DR: you need the clients to cooperate.

                                                                                                          Deletions always get the reputation of censorship, but indeed, there’s good reasons for having and heeding those in a cooperative fashion.

                                                                                                          • They are an effective tool for abuse handling. Abuse is often aimed at emotional pressure towards a victim. A standard strategy is deferring a trusted party to filter your messages. Abuse victims let other people pre-read their email or twitter DM. Deletion messages support this workflow on a server-wide scale.

                                                                                                          • Chat networks are used to spread illegal info/pictures/content. Informing clients of this to take appropriate action is good practice. Even in a federated network, allowing the origin server to inform other federated servers that a message probably shouldn’t be kept is a good thing to have.

                                                                                                          • Spam is real, keeping people’s clients clean without their interactions is improving their lives.

                                                                                                          I trust the chat operators of my networks, which is why I would never run a client that ignores deletions. I’m not alone in this.

                                                                                                          In the end, it’s a best effort and is highly dependent on the exact model of your network, but cooperation makes a lot of sense.

                                                                                        1. 5

                                                                                          I couldn’t find an official source (yet?)

                                                                                          1. 6

                                                                                            I got the same email as that HN page, which seems “official”. It’s also here: https://success.docker.com/article/docker-hub-user-notification

                                                                                            1. 0

                                                                                              Then why did you post that here? News is usually something better served elsewhere.

                                                                                              1. 0

                                                                                                They probably did it for the fake internet points?

                                                                                                1. 7

                                                                                                  or maybe just to let lobsters who use Docker Hub know…

                                                                                                  1. 2

                                                                                                    News is best posted elsewhere, and I seriously doubt very many ‘lobsters’ who were affected first found out about it here since emails were sent out.

                                                                                            1. 1

                                                                                              can someone answer me whether Kerberos has the same issue?

                                                                                              1. 4

                                                                                                Yes it does. It has other issues too like .k5passwd letting you list other users that can login to your account with THEIR credentials!

                                                                                                1. 1

                                                                                                  I suspect it has similar issues. From what I recall, at least under some conditions you’d end up getting a ticket on the remote host which is often stored as a /tmp file, and which can be used for some number of minutes or hours for at least some things you’d be authorised to do yourself.

                                                                                                1. 3

                                                                                                  it’s also dangerous. for example if you preload libressl as a replacement for openssl, but the binary has some compile time #ifs that invoke the correct (non crashing) api functions depending on the ssl library version

                                                                                                  1. 3

                                                                                                    ovh.ie might be interesting…

                                                                                                    1. 4

                                                                                                    OVH and its brands (eg Kimsufi) are good options as long as you’re not interested in running a mail relay: their IP space is pretty much locked down in black lists because they’re apparently relatively spammer-friendly.

                                                                                                    Since the OP wants to stay away from US/UK, another reason to be wary of them may be that they’re quite involved in Canada which probably opens them to the kind of “friendly inquiries” US/UK based operators also face.

                                                                                                    1. 12

                                                                                                    The only issue I have with Irssi which WeeChat handles perfectly is a lack of proper documentation for API and commands - for example, there’s no list of built in statusbar items with their descriptions. Themes are also a work of continuous trial and error.

                                                                                                    It’s really weird, regarding the fact that irssi is 25 years old right now, more or less, so it had enough time to be documented like a boss. But this might just be a spark of the wild 90s where no one cared about docs, but people learnt irssi from each other and knowing it was somehow the “common knowledge”, keeping the details away from users would be also a way to prevent “lamers” from doing anything beyond average use unless they can read the source code, which isn’t a piece of art either.

                                                                                                      Yes, I had to read an irssi source to understand how to configure it in the way I needed to. And no, this is not a “self documenting code”.

                                                                                                      1. 4

                                                                                                      thanks for checking out the changelogs every now and then.

                                                                                                        sometimes even complete documentation still leaves me confused…

                                                                                                        however I do not believe there was any intention to fight off lamers ;) rather simply no one has the time or passion to contribute good docs

                                                                                                        1. 1

                                                                                                          If you don’t mind me asking: Why are you using Irssi and not Weechat, then? I switched from Irssi to weechat years ago (when it seemed like Irssi had nothing to offer over weechat anymore) and may be out of the loop in terms of new Irssi developments I’m missing.

                                                                                                          1. 1

                                                                                                            I didn’t say that I use irssi anymore… :) Switched to WeeChat in ~2010-2012 (that 0.4.x version branch which lasted quite too long), but I’m occasionally checking out irssi changelogs and the program itself.

                                                                                                            (and I’m quite missing it, especially the formats system)

                                                                                                            1. 1

                                                                                                            Same here, made the switch around 2014. Even though Irssi seems to have a lower memory footprint on start, it randomly runs into memory leaks after running for a while. Weechat is the opposite, consuming lots of ram on start and it didn’t quite increase after a couple of months.

                                                                                                              1. 3

                                                                                                                Wow – I have run Irssi for literally years at a time without leaking. My setup is barely customized though.

                                                                                                                1. 2

                                                                                                                  I think you haven’t used plugins and their scripts too much :)

                                                                                                                The memory footprint stability is quite new, I remember when WeeChat had memleaks and really choked up one of my machines (which wasn’t that weak), mostly because it couldn’t keep up with buffers.pl. At the end, FlashCode decided to rewrite that de facto standard script as a WC builtin. Same for iset and fset.

                                                                                                                  1. 2

                                                                                                                  My friends and I have a running joke where our reaction to beefy computers is, “What, are you gonna run ${MUTUAL_FRIEND}s Irssi or something on it?” Thanks for reminding me about how that joke originated!

                                                                                                                    1. 1

                                                                                                                      we are not aware of any leaks and if there are some we want them fixed

                                                                                                                1. 2

                                                                                                                  Luckily this post is on medium!

                                                                                                                  1. 15

                                                                                                                    At first I was really annoyed by that too! Then I realized …

                                                                                                                    the Medium is the message.

                                                                                                                    1. 3

                                                                                                                      Ugh. If it weren’t, I might actually read it. As it is, I’ll refrain from attempting to derive it from first principles here without peeking. Too easy. The headline says enough.

                                                                                                                      1. 3

                                                                                                                        Reader mode works nicely, tho of course without images, because Medium doesn’t use the img tag correctly.

                                                                                                                        1. 1

                                                                                                                          The image tags look fine to me in the inspector? Also Reader mode seems to work with them, thankfully. Is this something that changed recently?

                                                                                                                          1. 1

                                                                                                                            I’m guessing viewing the images requires having 3rd-party scripts unblocked, which in my book still qualifies as “doesn’t use the img tag correctly”.