1. 3

Privacy:

When you host your own mailserver, you truly own your email without having to rely on any third-party.

Yeah, not really.

Only in a scenario where both parties own their infrastructure do you get the privacy gain the author assumes. Even then, you have to trust that the third party has good intentions and sound security practices.

I think the best approach to (unencrypted) email is to assume that anyone can read it.

1. 1

I still relay outgoing mail through Google (most of which is to public mailing lists or GMail accounts anyway), but I set up a receive‐only mail server last month, and now Google no longer has access to my sales receipts, my utility bills, my flight itineraries, nor knows all the mailing lists I subscribe to. That’s a big win in my book, even if email is ultimately unsecurable.

1. 2

I ♥️ this.

btw. my personal minimal (responsive 😉) html boilerplate:

<!doctype html><html lang="de"><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0">

1. 2

That’s a lot of unnecessary quotation marks! Also I think your two meta tags can be merged.

1. 1

Thanks for the feedback 😊👍 These are great suggestions.

2. 2

do meta tags not go in <head>?

1. 2

Head (& body) are no longer required.

1. 2

<head>, <body>, and even <html> have never been required in HTML.

1. 1

During my first semester at university, I submitted nearly all my homework using groff, and when the math part came up, I had to learn some eqn. It war really horrible, if the formula got slightly complicated, let alone when trying to write a mathematical proof.

And then there’s the general problem that troff/groff has so little good documentation, which is kind of ironic.

The good thing is that you don’t even need to know any of this to use groff, nowadays, which still produces smaller pdfs in less time. Since pandoc 2.0 has been released, a pdfroff exporter has been added that can parse TeX math and convert it to eqn syntax. Emacs calc mode can do a similar trick, but it more cumbersome.

1. 7

I’m a big fan of the eqn syntax: concise, powerful, easy to write, easy to read. TeX was heavily inspired by it, but has too many backslashes.

eqn:

x = {- b +- sqrt {b sup 2 - 4 a c}} over {2 a}


TeX:

x = {-b \pm \sqrt{b^2-4ac}} \over 2a


Plain UTF‐8:

𝑥 = (−𝑏 ± √(𝑏² − 4𝑎𝑐))⁄2𝑎


MathML:

<mrow>
<mi>x</mi>
<mo>=</mo>
<mfrac>
<mrow>
<mo>−</mo>
<mi>b</mi>
<mo>±</mo>
<msqrt>
<mrow>
<msup>
<mi>b</mi>
<mi>2</mi>
</msup>
<mo>−</mo>
<mi>4ac</mi>
</mrow>
</msqrt>
</mrow>
<mi>2a</mi>
</mfrac>
</mrow>

1. 1

The square root formula is too simple, it’s not what I’d consider “complicated”. What I was thinking about was aligned equations, using other fonts or with symbols not included in the default.

Take for example

\[fa] n >= 0: \fCcn(n)\fP ~\[==]~ C sub n = { ( 2 n ) ! } over { ( n + 1 ) ! cdot n ! }


or

.EQ L
wp(\fC\(dq df := df * x; x := x - 2\(dq\fI, I)
.EN
.EQ I
\(== ~ wp(\fC\(dq df := df * x; x := x - 2\(dq\fI, df cdot x !! = n !! ~ \(AN ~ x >= 0)
.EN
.EQ I
\(== ~ wp(\fC\(dq df := df * x\(dq\fI, df cdot ( x - 2 ) !! = n !! ~ \(AN ~ x - 2 >= 0)
.EN
.EQ I
\(== ~ wp(\fC\(dq\(dq\fI, df cdot x cdot ( x - 2 ) !! = n !! ~ \(AN ~ x - 2 >= 0)
.EN
.EQ I
\(== ~ df cdot x cdot ( x - 2 ) !! = n !! ~ \(AN ~ x >= 2
.EN


both which I remember took a white to correctly typeset.

2. 2

Eqn IMO has a cleaner syntax compared to main stream alternatives like MathML & MathJax.

I am still not sure why it didn’t become popular

1. 4

I attribute it to Joe Ossanna’s untimely death and troff being proprietary to AT&T.

1. 25

Copyleft licenses like AGPL and SSPL have a weaker result in terms of overall benefit to society than liberal licenses like MIT and Apache2

People are motivated not only by a sense of purpose and the desire to contribute to something greater, but also by improving their lot in life and that of their families and heirs (read: capitalism)

All hail MIT, because that will motivate the internal capitalist in our families and heirs to benefit society more since they can take the code out of the commons and use it to… amass capital. Or something.

Or maybe, just maybe, the model of selling an intangible, infinitely copy-able good is just not a great business model and the enforcement we see with licenses, DRM etc. is an indication of this fact?

Ultimately, in my philosophy, copyleft doesn’t represent real open source, despite what the OSI says. Copyleft is a restriction.

An argument as old as the GPL itself. In similar vein: if democracy were democratic, why does it not offer the option of abolishing democracy even with a majority?

1. 9

Similarly, I like to argue that the thirteenth amendment to the US constitution doesn’t represent real freedom, despite what the abolitionists say. Banning slavery is a restriction.

And it is! …on the masters. But the point is to protect the slaves from the masters. And the GPL is the same idea: it is supposed to protect the users of the software from misdeeds of the authors. For example, do you have a phone app that sends spurious push notifications to monopolize your time? If it was GPL, you’d have the right to hack that malicious code out (or have a developer do it and share their change with you, since not all users have the technical skills to do it themselves).

I think a lot of commentators about the GPL forget this. It isn’t about money per se, it is about letting the users escape the author’s dark patterns.

1. 2

This argument is unclear. You can hack the part out if it was released under any OS license, such as MIT or Apache 2.0 The GPL adds a restriction irrelevant to your use case which is that you are required to release the modified source code if you distribute the modified software.

1. 6

adam_d_ruppe is assuming that the source code of the application would not be released unless it was built on, and with, GPL components. The assumption is correct: 99% of phone apps are closed source.

1. 2

Of the 1% that are open source, what proportion are copyleft and what proportion are permissive?

2. 4

MIT etc. let the publisher decide - they can distribute the program without the source (modified or no). Some of them forward this to the end user, but many don’t. The GPL says the publisher MUST let the end user have that access, by requiring they make the full source - including modifications - available to them too. That’s what the “viral” thing is all about - making sure those rights actually make it to the end user and aren’t stripped out by a middle man.

2. 8

The comparison is spot on! Also see: https://en.wikipedia.org/wiki/Paradox_of_tolerance

“In order to maintain a tolerant society, the society must be intolerant of intolerance.” - Karl Popper

1. 3

I think you’re right that the selling model doesn’t work, which is why we have SaaS. The question is how to fairly compensate those who enable the sale of services, or goods built with open source, while retaining the benefits of open source.

As I allude to above, I think that software is more like music than anything else, and we need something like collecting societies to share the wealth.

1. 1

“and use it to… amass capital. Or something.”

Basically what they do.

“why does it not offer the option of abolishing democracy “

The 2nd Amendment in US is specifically included as a way to address government corruption, abolishing specific politicians or whole thing.

1. 2

The 2nd Amendment in US is specifically included as a way to address government corruption, abolishing specific politicians or whole thing.

I understood the argument as “if we have democracy (roughly: rule of the [majority of the] people), why can’t such a majority decide that they prefer to live in an absolutist monarchy and thereby end democracy?”. The 2nd Amendment to the US Constitution is a feature specifically designed to prevent that from happening.

2. 0

not offer the option of abolishing democracy even with a majority

It depends on the constitution, but it’s quite possible to turn a democracy into a defacto autocracy by changing laws and process through the democratic process. For example, it is possible to change the US constitution with sufficient majority in the house and senate or the state legislatures. The hope is that the distributed nature of the power makes such a hack very hard to do and requires a conspiracy of mind boggling proportion (or similarly sized stupidity and greed) but it can be done.

1. 3

This is a fun read. Not the ‘usual’ way of dumping the ROM, and there’s some visualization/analysis of the contents.

1. 2

Do you know what the usual way of dumping a ROM is? I was fascinated by this article because I didn’t know anything about the process.

1. 4

Hooking up to the ROM chip directly as in the article is pretty much the “usual” way a typical electronics person would dump a ROM. But someone who’s already knowledgeable about how the console works might prefer to interface through the cartridge connector and so avoid soldering things to the cartridge itself. Most (maybe even all) commercial game dumpers work this way.

1. 1

On the SNES/SFC, usually people use an edge connector (often from an actual SNES because finding one with the right pin spacing is hard) to build a cartridge dumper. Then they just do the same thing the SNES would do through the cartridge pins to read out the ROM.

Soldering jumper wires directly to the ROM chip on the cartridge is somewhat more inefficient (usually you want to dump a bunch of games), but is also totally awesome :)

1. 2

Unpopular opinion time!

These types of services can not work as marketed. If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext. US ISPs, Comcast being the biggest offender, are known to hijack those requests.

Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The size of packets aren’t going to change for when I do an A record lookup for google.com yesterday versus today. A passive attacker could pre-compute the packet data length for the most common domains (Alexa top million, for example).

The only real solution is to mix different kinds of traffic in to a network specially crafted for privacy/anonymization, like Tor, which supports tunneling DNS queries.

1. 3

If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext.

Well… yeah. Of course you don’t get any security benefits if you don’t use TLS. (Well, even without it you do get some, but it really buys you very little.)

Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The size of packets aren’t going to change for when I do an A record lookup for google.com yesterday versus today.

You can pad an HTTPS query URL with random data. Google even documents it.

1. 3

Cloudflare actually addresses that in their blog post:

While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver, 1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering.

An attacker can also observe server name indication in your TLS connections to see who you’re contacting anyway. Preventing hijacking is much more significant in my opinion.

1. 2

Not all resolvers support DNSSEC. Not all people even like or trust DNSSEC.

Either way, I don’t buy that Cloudflare’s solution, especially when using plaintext DNS, enhances security. It simply allows more entities to snoop and/or modify your data en-route.

1. 2

That’s true, your ISP can still snoop the DNS traffic going to Cloudflare. But it does make it harder for them to send you bogus records than if you were querying them directly. Assuming Comcast isn’t modifying my traffic in flight, which I agree is sadly a big assumption, I trust Cloudflare more. Right now I use Google DNS, which has all the same problems you’re describing. At minimum, I’m happy Cloudflare is championing a more secure version of DNS (over HTTP / TLS), even if it isn’t perfect.

I have considered setting up a recursive DNS resolver on a \$2.50/mo VPS and tunneling DNS from my home network to there. The IANA of course provides the root information for the root DNS servers, so it wouldn’t be that hard.

So I guess I don’t disagree with you. DNS is a complete shitshow one way or another, there’s no way to deny that. Unpopular or not, your opinion is objectively correct. It’s more of an uncomfortable fact than an opinion.

1. 1

It’s trivial for an ISP to anycast announce 1.1.1.1 and 8.8.8.8 wholly within their own network, capturing all of your DNS requests anyway. They can configure (or not, who would even notice?) all the same features available on CloudFlare or Google. I would be very surprised if people are already not doing it. If you wanted to be sneaky about it you can even set up a reverse proxy for the web content.

1. 1

Some Linux nerd might run traceroute and blog about it.

In any case, if you’re using Cloudflare DNS over HTTPS, they can’t forge Cloudflare’s certificate.

1. 4

The example given by the author sound hacky more than anything, to “discover” source files.

I’ve been using makefiles of this kind for years now, and it works remarkably well. I do that so they’re easy to package, regardless of the distro. I must admit my projects are fairly simple, but I never missed any “feature” with this makefile. I’m probably missing something here though so feel free to tell me!

1. 1

I use a very similar makefile for my own projects. It doesn’t support header dependencies, though, and separate (out‐of‐tree) builds would be nice. I’ve been considering adding a (non‐autotools) configure script to the mix for that reason.

1. 1

The example I gave doesn’t have header files, but you can easily add them to the mix (example). For out-of-tree build, I don’t get the point of it. Is it only to keep the source tree clean? I’ve seen some handmade configure script in the wild as well, pretty short ones (some only included the line “echo do not use autotools!”). In my case, they would generate the config.mk file, which includes all the customizable bits. IMO, customization should be done at the environment level, and with make -e. That is the reason why I like mk a lot, which does that by default (but that’s another topic!)

1. 9

I don’t understand all the Xvfb/Xephyr stuff. I do simple screencasts just by enabling audio monitoring and:

ffmpeg -f sndio -i snd/0.mon -video_size 1680x1050 -framerate 30 -f x11grab -i :0.0 -c:v libx264 -qp 0 -preset ultrafast output.mkv

1. 1

“Maybe we can finally get past our nemesis: the lady in the red dress! … Nope, Well, it was worth a shot.”

someone help me out here, what is this referencing?

1. 1

Just a guess, but the game probably crashes early on, enough to reach that character but no further.

1. 1
1. 3

Is the website failing HTTPS cert verification for anyone else?

1. 4
1. 10

I keep seeing this as a reply but I’m not sure what purpose does it serve: you still can’t read the site. The only thing you can get from comments is that yes, the site is using a self-signed certificate, meaning that the breakage is intentional.

1. 7

It is not broken - it is simply a different approach to CAs.

1. 4

It is not broken

Broken has a couple of different meanings in this context. The relevant ones being (a) “according to design” and (b) “according to reasonable expectations of users.” It can be broken(b) while also not-broken(a). Or in other words it can be “broken by design.”

1. 2

The user process is broken. The browser tries its best to give a very technical workaround, but the fact is that all other sites I read on the web don’t require me to trade my own sense of security for that of the author.

I do respect his choice, to be sure, but I ask people here to stop just silently referring to that original comment thread as if it explains anything. It doesn’t.

2. 2

In Chrome at least you can certainly read the site, you just have to click “Advanced” and “proceed to teduangst.com”

1. 2

The idea is to add the CA to the browser store. The CA is constrained to creating certs for tedunangst.org, which is nice. The weakness here is acquiring the CA in a secure way in the first place; the model is similar to SSH or signify.

Ideally you would acquire the CA out of band, like by meeting Ted in person. Good luck with that.

Unfortunately clicking through like you described loses any benefit: you’re obviously not checking the cert every time, so you’re prone to being MITMed each time you visit the site, as opposed to just the first time. (Firefox lets you save the exception, but Chrome doesn’t.)

The benefit of this over Let’s Encrypt is that if you add Ted’s CA and remove all the other CAs (that don’t have their own name constraints) from your cert store, you know that any valid HTTPS cert for tedunangst.com came from Ted and not from another compromised CA. I doubt even people who have added Ted’s CA have removed those other CAs, though, so it doesn’t seem like a real benefit to me.

2. 2

Indeed. I don’t understand this at all.

3. 2

Hi wyager, seems it’s my turn to direct you to: https://lobste.rs/s/qeqqge/moving_https ;-)

1. 6

And now they’re trying to persuade every project they use to switch to Apache License 2:

1. 2

I wish the ASF would still be using APlv1. It’s sad that the US legal system and patent situation caused this mess. The ASF is a very US-centric organisation (even though they don’t tend to view themselves as such), and from a perspective of a country where software paternts are not (yet) a thing, the differences between APLv1 and APLv2 appear as a solution looking for a problem.

1. 1

Even in the US, this feels like a solution looking for a problem. BSD licenses have long been considered to provide an implicit patent grant (by the very wording: “Permission is hereby granted to use, copy, modify and distribute for any purpose…”). http://en.swpat.org/wiki/Implicit_patent_licence

2. 2

And now they’re trying to persuade every project they use to switch to Apache License 2

No, they are asking politely if the projects might be willing to consider changing their licensing to be compatible. There is no persuasion going on by ASF people (which I assume you mean by “they”).

1. 1

Maybe I used the word incorrectly, but to me a polite request to change the license or the influential in the open source world organization would stop using the product feels pretty close to persuasion.

1. 1

I don’t see any major problem with them trying to persuade React and RocksDB to use a different license (in fact, I welcome it, personally). What they aren’t trying to do is coerce RocksDB and React to use the APL2. That would be a very different situation.

1. 1

1. 7

What’s unclear about MIT/ISC and patents? I always assumed the answer was a simple no.

1. 6

“Unclear” probably just means “would have to be decided in court”.

US-based lawyers are super happy with an explicit patent grant they can use to defend their client in court, should someone sue for patent infringement.

1. 5

The author has a full article on MIT. It comes down to “Neither copyright law nor patent law uses “to deal in” as a term of art; it has no specific meaning in court.” and refers to the following part of MIT:

to deal in the Software without restriction,

1. 5

ISC does not use this terminology. So why did he throw it in one bucket with MIT?

EDIT: See https://www.openbsd.org/policy.html for arguments in favour of ISC.

2. 2

I think that’s because MIT doesn’t mention patents explicitly while Apache has this:

1. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
1. 2

There’s an implicit patent grant in these licenses. Given the statement “Permission to use, copy, modify, and distribute this software … is hereby granted” I think it would be hard to argue that the recipient is not given a license to use the patent.

This only works if the copyright holder also holds the patent. But I (an eminently unqualified non‐lawyer) don’t see what the Apache 2.0 text provides that the ISC text doesn’t. “Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual … patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted.”

What’s really annoying about Apache, besides the deluge of verbiage, is the next sentence: “If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.”

1. 1

What’s annoying about the patent pooling? It discourages a sue fest by revoking any patents granted to you by other contributors if you sue users of the software for patents you have granted to the project.

1. 4

It’s been about ten years, but I had an idea for a site called “listen to my CDs”. I’d upload a CD, and then allow a visitor (one, singular) to listen to it, streaming data in real time, but no faster. Surely I’m allowed to do that?

I thought it would be a really good test case for copyright law, but never quite got around to it. Never decided to give it up, maybe it’ll still work.

1. 2

the aereo case seems relevant.

1. 2

Indeed. By the way, Scalia (RIP) dissented in Aereo:

We came within one vote of declaring the VCR contraband 30 years ago… The dissent in that case was driven in part by the plaintiffs’ prediction that VCR technology would wreak all manner of havoc in the television and movie industries. … We are in no position to judge the validity of those self‐interested claims or to foresee the path of future technological development.

1. 1

surprisingly enough, I was in favour of the aereo ruling. I absolutely believe rebroadcasting should not be illegal, but if it is, the sophistry of having one microantenna per customer to make it technically okay is a clear case of evading the law

1. 6

Maybe also of interest:

Document Formatting and Typesetting on the UNIX System (ISBN: 9780961533625)

Document Formatting and Typesetting on the UNIX System: GRAP, MV, MS and TROFF (ISBN: 9780961533632)

Some parts are also available at google books.

1. 5

there’s some more titles on http://www.troff.org/books.html

1. 3

A free ebook for writing manpages, Practical Unix Manuals, by Kristaps Dzonsons (the author of mandoc): https://manpages.bsd.lv/

It also contains “The History of UNIX Manpages”, another nice read.

1. 4

This is a scan of the original book. The Groff community transcribed the scans into troff source and generated a new PDF from that, which is much nicer to read: http://home.windstream.net/kollar/utp/

1. 2

yes, see the last link on the O'Reilly site

1. 1

I saw, but it was worth pointing out because people are more likely to click “A single PDF file via HTTP” than “groff and PostScript files‐‐Beta”…

1. 3

I really love this talk. Leveraging userland exploits and GPU to gain full kernel access and finally total control of the system within moments from boot.

And all on a common piece of consumer electronics with over 60 million units shipped. Makes you wonder how much other hardware/software is capable of being so completely compromised.