1. 7

    Winds looks awesome, but the dependency on a bunch of cloud hosted, closed-source PaaS doesn’t seem so great. There doesn’t seem to be any way for someone to completely self-host Winds.

    1. 20

      Bitwarden is my tool of choice for this. I haven’t been a fan of other more CLI-centric password managers as they usually don’t have browser integration. The usability of using an in-browser UI to generate a random password and the prompts to save it when I submit forms are very important IMO. Nothing has come close to that while also being open source.

      1. 3

        One thing that irks me about Bitwarden is having to provide an email address and getting an installation id & key if I’d like to self host it for myself. Please correct me if I’m wrong but from what I understand, even for using it without the “premium” features one still needs to perform this step.

        If so, I think I’ll stick with my pass + rofi-pass + Password Store for Android combo for now.

        1. 4

          This is true; there are ways around it, if you work a little, since it is OSS. However, there are a few 3rd-party tools, 2 of which are server implementations: bitwarden-go (https://github.com/VictorNine/bitwarden-go) and bitwarden-ruby (https://github.com/jcs/bitwarden-ruby).

          There is also a CLI tool (https://fossil.birl.ca/bitwarden-cli/doc/trunk/docs/build/html/index.html)

        2. 2

          Are you self-hosting it or using the hosted version? I’m somehow always sceptical of having hosted password storage, even if it’s encrypted and everything.

          1. 1

            If it’s not encrypted, they see your secrets. If it is encrypted, they’re in control of your secrets. In a self-hosted setup, you are in control of your secrets. If encrypted, you might lose them. If sync’d to a third party (preferably multiple), you still might lose the key. If on scattered paper copies, each in a safe place, you probably won’t. For some failures, write-once (i.e. CD-R) or append-only storage can help where a clean copy can be reproduced from the pieces.

            That’s pretty much my style of doing this. It’s not as easy as 1Password or something, though. There’s the real tradeoff.

            1. 2

              It is encrypted, here is a link on how the crypto works in english: https://fossil.birl.ca/bitwarden-cli/doc/trunk/docs/build/html/crypto.html

              I agree Bitwarden is not quite as user friendly (or as secure if using local vaults) as 1Password, but for an OSS app, it’s definitely at the top of the list on user friendliness of password managers.

              I run a server locally on my LAN, and my phone/etc sync to it. I definitely don’t want my secrets out in the cloud somewhere, no matter how encrypted they might be.

        1. 4

          Mentioned in the comments of the post, they have also fixed enabling word wrap and showing the status bar at the same time. I was always confused as to why those two settings were intermingled with each other.

          1. 2

            I find it a little ironic that after using the open-web browser that I am not able to inspect the sessionstore-backups/recovery.jsonlz4 file after a crash to recover some textfield data, as Mozilla Firefox is using a non-standard compression format, which cannot be examined with lzcat nor even with lz4cat from ports.

            The bug report about this lack of open formats was filed 3 years ago, and suggests lz4 has actually been standardised long ago, yet this is still unfixed in Mozilla.

            Sad state of affairs, TBH. The whole choice of a non-standard format for user’s data is troubling; the lack of progress on this bug, after several years, no less, is even more so.

            1. 15

              https://bugzilla.mozilla.org/show_bug.cgi?id=1209390#c10 states that when Mozilla adopted using LZ4 compression there wasn’t a standard to begin with. Yeah, no one has migrated the format to the standard variant, which sucks, but it isn’t like they went out of their way in order to hide things from the user.

              It was probably unwise for Mozilla to shift to using that compression algorithm when it wasn’t fully baked, though I trust that the benefits outweighed the risks back then.

              1. 14

                This will sound disappointing to you, but your case is as edge-caseish as it gets.

                It’s hard to prioritize those things over things that affect more users. Note that other browser makers have security teams larger than all of Mozilla’s staff. Mozilla has to make those hard decisions.

                These jsonlz4 data structures are meant to be internal (but you’re still welcome to use the open source implementation within Firefox to mess with it).

                1. 2

                  I got downvoted twice for “incorrect” though I tried my best to be neutral and objective. Please let me know, what I should change to make these statements more correct and why. I’m happy to have this conversation.

                  1. 0

                    Priorities can be criticized.

                    Mozilla obviously has more than enough money that they could pay devs to fix this — just sell Mozilla’s investment in the CliqZ GmbH and there would be enough to do so.

                    But no, Mozilla sets its priorities as limiting what users can do, adding more analytics and tracking, and more cross promotions.

                    Third party cookie isolation still isn’t fully done, while at the same time money is spent on adding more analytics to AMO, on CliqZ, on the Mr Robot addon, and even on Pocket. Which still isn’t open source.

                    Mozilla has betrayed every single value of its manifesto, and has set priorities opposite of what it once stood for.

                    That can be criticized.

                    1. 11

                      Wow, that escalated quickly :) It sounds to me that you’re already arguing in bad faith, but I think I’ll be able to respond to each of your points individually in a meaningful and polite way. Maybe we can uplift this conversation a tiny bit? However, I’ll do this with my Mozilla hat off, as this is purely based on public information and I don’t work on Cliqz or Pocket or any of those things you mention. Here we go:

                      • Cliqz: Mozilla wants a web with more than just a few centralized search engines. For those silos to end, decentralization and experimentation is required. Cliqz attempts to do that
                      • Telemetry respects your privacy
                      • You can isolate cookies easily. Either based on custom labels (“Multi Account Containers”) or based on the first party domain (i.e., the website in the URL bar). The former is in the settings, the latter is behind a pref (first party isolate). For your convenience, there’s also an add-on for first party isolation
                      • Cross Promotions: The web economy is based on horrible ads that are annoying and tracking users. To show that ads can be profitable without being tracking or annoying, Mozilla shows sponsored content (opt-out btw) by computing the recommendations locally on your own device
                      • Some of the pocket source code is already open source. It’s not a lot, that’s true. But we consider that a bug.
                      1. 2

                        As someone who also got into 1-3 arguments against firefox I guess you’ll always have to deal with criticism that is nitpicking, because you’ve written “OSS, privacy respecting, open web” on your chest. Still it is obvious you won’t implement an lz4 file upgrade mechanism (oh boy is that funny when it’s only some tiny app and its sqlite tables). Because there are much more important things than two users not being able to use their default tools to inspect the internals of firefox.

                        1. 2

                          Sure, but it’s obvious that somehow Mozilla has enough money to buy shares in one of the largest Advertisement and Tracking companies’ subsidiaries (Burda, the company most known for shitty ads and its Tabloids, owns CliqZ), where Burda retains majority control.

                          And yet, there’s not enough left to actually fix the rest.

                          And no, I’m not talking about Telemetry — I’m talking about the fact that about:addons and addons.mozilla.org use proprietary analytics from Google, and send all page interactions to Google. If I wanted Google to know what I do, I’d use Chrome.

                          Yet somehow Mozilla also had enough money to convert all its tracking from the old, self-hosted Piwik instance to this.

                          None of your arguments fix the problem that Mozilla somehow sees it as higher priority to track its users and invest in tracking companies than to fix its bugs or promote open standards. None of your arguments even address that.

                          1. 3

                            about:addons code using Google analytics has been fixed and is now using telemetry APIs, adhering to the global control toggle. Will update with the link, when I’m not on a phone.

                            Either way, Google Analytics uses a mozilla-customized privacy policy that prevents Google from using the data.

                            If your tinfoil hat is still unimpressed, you’ll have to block those addresses via /etc/hosts (no offense.. I do too).

                        2. 3

                          I won’t comment on the rest of your comment, but this is really a pretty tiny issue. If you really want to read your sessionstore as a JSON file, it’s as easy as git clone https://github.com/Thrilleratplay/node-jsonlz4-decompress && cd node-jsonlz4-decompress && npm install && node index.js /path/to/your/sessionstore.jsonlz4. (that package isn’t in the NPM repos for some reason, even though the readme claims it is, but looking at the source code it seems pretty legit)

                          Sure, this isn’t perfect, but dude, it’s just an internal data structure which uses a format which is slightly non-standard, but which still has open-source tools to easily read it - and looking at the source code, the format is only slightly different from regular lz4.
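The “slightly non-standard” layout the comments above are about, as an added example that is not code from the thread, from Mozilla, or from the linked node package: a Firefox `.jsonlz4` file is the 8-byte magic `mozLz40\0`, a 4-byte little-endian decompressed size, and then a single raw LZ4 block with no LZ4 frame header, which is why `lzcat` and `lz4cat` refuse it. The decoder below implements the LZ4 block format itself (token, literals, 2-byte offset, match), so it needs no third-party module; the sample file bytes are constructed here and are not taken from a real session store.

```python
import json
import struct

MOZLZ4_MAGIC = b"mozLz40\0"  # 8-byte header Firefox writes in front of .jsonlz4 files


def lz4_block_decompress(src: bytes) -> bytes:
    """Decode one raw LZ4 block: a run of token / literals / offset / match sequences."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        # literal length lives in the high nibble; 15 means "add the following bytes"
        lit_len = token >> 4
        if lit_len == 15:
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        if i + lit_len > n:
            raise ValueError("truncated literals")
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:
            break  # the final sequence carries literals only, no match follows
        # match: little-endian offset back into what was already produced, then a length
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("bad match offset")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        # copy byte by byte: a match may overlap its own output when offset < length
        for k in range(match_len):
            out.append(out[start + k])
    return bytes(out)


def read_mozlz4(data: bytes) -> bytes:
    """Strip the mozlz4 header, decode the block, and check the declared size."""
    if data[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozlz4 file")
    (declared_size,) = struct.unpack("<I", data[8:12])
    payload = lz4_block_decompress(data[12:])
    if len(payload) != declared_size:
        raise ValueError(f"size mismatch: header says {declared_size}, got {len(payload)}")
    return payload


# Constructed sample, not a real sessionstore: decompresses to [{"id":1},{"id":1}]
SAMPLE_BLOCK = (
    b"\xa4"            # token: 10 literal bytes, match length 4 + 4 = 8
    b'[{"id":1},'      # the 10 literals
    b"\x09\x00"        # offset 9: copy 8 bytes starting at output[1]
    b"\x10"            # final sequence: 1 literal, no match
    b"]"
)
SAMPLE_FILE = MOZLZ4_MAGIC + struct.pack("<I", 19) + SAMPLE_BLOCK


def sample_json():
    """Decode the constructed sample and parse the JSON inside it."""
    return json.loads(read_mozlz4(SAMPLE_FILE))


if __name__ == "__main__":
    import sys
    # usage: python mozlz4.py sessionstore-backups/recovery.jsonlz4 (defaults to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILE
    print(read_mozlz4(data).decode("utf-8"))
```

The size field in the header is worth checking rather than trusting: a session store is user data that survived a crash, and a decoded length that disagrees with the header is the first sign the file is truncated or was written by something else.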

                    1. 2

                      A lot of my recommendations have been stated elsewhere in this thread, so I won’t repeat those.

                      I very much like Puzzles for some quick gaming on the go. It’s a port of Simon Tatham’s collection of games which is already on multiple platforms.

                      This is not in F-Droid’s repository, but is fully OSS; The Lichess android client. I play “correspondence” chess with friends and family fairly regularly and we do so over Lichess.

                      Frozen Bubble, more lightweight gaming on the go.

                      Solitaire CG a collection of solitaire card games.

                      OctoDroid for accessing Github on the go.

                      1. 1

                        In theory, if someone were accurate and patient enough to input all of the sequences, this could actually happen on a real game boy. I’m amazed at everything involved with this.

                        1. 1

                          Usually this is done by wiring up the console’s buttons to a microcontroller (e.g. TASBot). If someone can input this with hands, they’re probably not human :)

                        1. 3

                          I’m not familiar with the Life community’s terminology, could someone give a primer?

                          1. 7
                            1. 5

                              Well, there is a lobster spaceship

                          1. 1

                            While these are welcome and substantial improvements, I find myself continually baffled by the trend of putting messenger functionality in everything. App fatigue is real and I feel like we’re just perpetuating it.

                            1. 1

                              You’re not wrong, but the value here isn’t an attempt to add “me-too” features to Nextcloud, from my understanding. The goal with Nextcloud Talk is to be able to have that messenger functionality in an entirely self-hosted place without relying on third parties. And Nextcloud is starting to develop a network effect significant enough that tying the messenger to Nextcloud is also valuable, instead of embedding XMPP/IRC/Matrix. (Though there is work being done to bridge Nextcloud and XMPP that I’m looking forward to.)

                            1. 14

                              So who wants to adopt the lobster for lobste.rs?

                              1. 6

                                why not zoidberg?

                                1. 5

                                  I’m up for donating to a pool for this.

                                  1. 4

                                    Agreed with /u/gerikson, I’m up for a donation pool! Who wants to spearhead it?

                                    1. 15

                                      I could put together a pool to try to hit the Silver or Gold level. The link would point back to a note on the about page. There would be no reward for donating besides the warm glow of knowing you’ve helped support an organization that is the source of so much error handling in our code.

                                      Please take this ad-hoc poll by upvoting the single highest amount you’d donate towards this. Enough support and I’ll put something together. (If you made judicious use of your GPU a few years ago and have cryptocurrency to donate, please select the amount of USD you’d convert it into before sending it because I’m game for a fun lark, not a major project.) (Edit: tweeted)

                                      1. 59

                                        10 USD

                                        1. 17

                                          1 USD

                                          1. 9

                                            50 USD

                                            1. 4

                                              100 USD

                                              1. 1

                                                This is in progress.

                                                1. 1

                                                  500 USD

                                            1. 3

                                              I’m using RedHat’s other virtualization product, oVirt, for my personal homelab. It’s quite smooth and very well made.

                                              I looked into OpenStack as well, but there are so many disparate components it causes the installation instructions to be way too complex. I’ve been turned off by the sheer complexity of all the components. (Many of which are optional, so that’s even extra complexity.)

                                              I plan on deploying OpenShift soon too, to learn me some Kubernetes. :)

                                              1. 2

                                                @pushcx, or whomever it applies, I wonder how much memory Lobsters is using?

                                                1. 3
                                                  USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
                                                  lobsters 30353  0.7  3.0 399412 124800 ?       Sl   00:00   6:20 unicorn_rails worker[7] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30359  0.8  4.2 449504 173164 ?       Sl   00:00   6:39 unicorn_rails worker[10] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30364  0.7  3.0 396484 122156 ?       Sl   00:00   6:24 unicorn_rails worker[4] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30368  0.7  3.0 398528 123688 ?       Sl   00:00   6:16 unicorn_rails worker[3] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30372  0.7  3.1 400852 126092 ?       Sl   00:00   6:15 unicorn_rails worker[0] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30376  0.7  3.0 397540 123052 ?       Sl   00:00   6:19 unicorn_rails worker[8] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30380  0.7  4.6 465020 189584 ?       Sl   00:00   6:25 unicorn_rails worker[1] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30384  0.7  3.0 398656 122660 ?       Sl   00:00   6:15 unicorn_rails worker[6] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30388  0.8  3.0 399388 124456 ?       Sl   00:00   6:33 unicorn_rails worker[9] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30392  0.7  3.0 399352 124268 ?       Sl   00:00   6:05 unicorn_rails worker[5] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30396  0.8  3.0 396560 122720 ?       Sl   00:00   6:35 unicorn_rails worker[2] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 30422  0.7  3.0 400140 124288 ?       Sl   00:00   6:23 unicorn_rails worker[11] -c config/unicorn.conf.rb -E production -D config.ru
                                                  lobsters 32327  0.0  2.4 235416 97696 ?        Sl   Jan10   0:12 unicorn_rails master -c config/unicorn.conf.rb -E production -D config.ru
                                                  

                                                  It’s been two weeks since the service was bounced, so this is stable usage. I know there are issues with ps; if you have a preferred alternate measurement I can check it.

                                                  1. 1

                                                    I don’t know what specific problem of ps you are referring to, but if you want to check the real memory cost of a process (USS/PSS) under Linux, smem might be a good tool.
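The RSS-versus-USS/PSS point behind the two comments above, as an added example that is not code from either poster nor from smem: the RSS column in the ps listing counts every page a worker has mapped, including the pages all forked unicorn workers share with their master, so adding the column up overstates the real footprint. The kernel exposes the split per process in `/proc/<pid>/smaps_rollup`; the parser below reads it and compares the ps-style RSS sum with the PSS sum (shared pages divided among their sharers) and the USS sum (private pages only). The three rollup texts are constructed to resemble the listing above, not copied from the real server.

```python
import re
from pathlib import Path

# Fields /proc/<pid>/smaps_rollup reports in kB that matter for the RSS-vs-PSS question
FIELDS = ("Rss", "Pss", "Shared_Clean", "Shared_Dirty", "Private_Clean", "Private_Dirty")
_LINE = re.compile(r"^(\w+):\s+(\d+) kB$")


def parse_smaps_rollup(text: str) -> dict:
    """Parse one process's smaps_rollup text into kB values and derive USS."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group(1) in FIELDS:
            values[m.group(1)] = int(m.group(2))
    missing = [f for f in FIELDS if f not in values]
    if missing:
        raise ValueError(f"smaps_rollup missing fields: {missing}")
    # RSS is exactly the four shared/private buckets; anything else means a garbled file
    parts = values["Shared_Clean"] + values["Shared_Dirty"] + values["Private_Clean"] + values["Private_Dirty"]
    if parts != values["Rss"]:
        raise ValueError(f"Rss {values['Rss']} kB != shared+private {parts} kB")
    # USS = pages no other process maps; this is what actually goes away if the process exits
    values["Uss"] = values["Private_Clean"] + values["Private_Dirty"]
    return values


def memory_of_pid(pid: int) -> dict:
    """Live variant: read the kernel's rollup for a running process (Linux only)."""
    return parse_smaps_rollup(Path(f"/proc/{pid}/smaps_rollup").read_text())


def fleet_cost(rollups) -> dict:
    """Compare the ps-style RSS sum with the PSS and USS sums for a group of processes."""
    return {
        "rss_sum_kb": sum(r["Rss"] for r in rollups),  # what adding up the ps RSS column gives
        "pss_sum_kb": sum(r["Pss"] for r in rollups),  # shared pages counted once across the group
        "uss_sum_kb": sum(r["Uss"] for r in rollups),  # private pages only
    }


def _rollup(rss, pss, sc, sd, pc, pd):
    """Build a constructed smaps_rollup text; the first line mimics the kernel's range header."""
    return (
        "00400000-7ffff7ffd000 ---p 00000000 00:00 0                          [rollup]\n"
        f"Rss:            {rss} kB\nPss:            {pss} kB\n"
        f"Shared_Clean:   {sc} kB\nShared_Dirty:   {sd} kB\n"
        f"Private_Clean:  {pc} kB\nPrivate_Dirty:  {pd} kB\n"
        "Anonymous:      36000 kB\n"
    )


# Constructed sample: two forked workers and the master share ~90 MB of loaded code
SAMPLE_ROLLUPS = [
    _rollup(124800, 64800, 60000, 30000, 4800, 30000),  # worker
    _rollup(124800, 64800, 60000, 30000, 4800, 30000),  # worker
    _rollup(97696, 37696, 60000, 30000, 1696, 6000),    # master
]


def sample_fleet_cost() -> dict:
    """Run the comparison over the constructed sample."""
    return fleet_cost([parse_smaps_rollup(t) for t in SAMPLE_ROLLUPS])


if __name__ == "__main__":
    print(sample_fleet_cost())
```

On the constructed numbers the RSS sum is roughly double the PSS sum, which is the kind of gap to expect from a preforking server: the Rails code and gems are mapped once and inherited by every worker, and only the per-request heap is really private.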

                                                1. 1

                                                  This is mostly a press release/advertisement of a mobile app. An interesting one perhaps, but I think this is pretty much marketing spam.

                                                  1. 3

                                                    I like this. It’s a good idea in theory but the practical deployment of it is surprisingly difficult (tooling is missing) and any mistake means your website is blocked by the browser’s interstitial with no way around. This concept needed more time to bake, perhaps some tools/patches/plugins written first.

                                                    1. 2

                                                      It’s also an attack vector. If a site is compromised an attacker can pin their own cert.

                                                    1. 5

                                                      I’m not sure what kind of integration each of the sites would include. I think it would be nice to see a list of other Lobsters-powered websites, perhaps more like a wiki page than anything managed by the admins. A little bit of federation would be cool to port/collate the user’s profile across instances, but that’s about as far as I’d expect such integration to go.

                                                      1. 7

                                                        This week I have an in-person interview as a follow up to a phone screening. I hope I get the job! Along with that, I will be submitting my resume to a few more tech companies (both remote positions and a couple I found in the Phoenix valley) for system administration positions. Fingers crossed!

                                                        In programming news, I’ll be creating a WebRTC signaling server and TURN REST API proxy. I’m developing what amounts to a serverless P2P coder’s notepad, but unfortunately that’s not possible. You still need a couple of servers in today’s internet – the signaling server and the TURN server. (Yay NAT.) So I already have a TURN server, but with just a few hardcoded credentials; not something I can send out along with the JS application code. So using this RFC and coturn I’ll be able to generate ephemeral credentials for each WebRTC session. Hopefully, anyways.
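The ephemeral-credential scheme the post refers to, as an added example that is not the poster's code: the TURN REST API draft (draft-uberti-behave-turn-rest) has the signaling server hand each client a username of the form `<expiry-unix-time>:<user>` and a password that is base64(HMAC-SHA1(shared_secret, username)). coturn recomputes the same HMAC from the username when run with `use-auth-secret` and `static-auth-secret=<secret>`, so the secret stays on the two servers and the JavaScript only ever sees credentials that expire. The secret, user name, TTL and TURN URL below are constructed values, and `verify_turn_credentials` models only the derivation and expiry check that the TURN server performs before using the password in its MESSAGE-INTEGRITY check.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional


def make_turn_credentials(shared_secret: str, user: str, ttl_seconds: int,
                          now: Optional[int] = None) -> dict:
    """Signaling-server side: mint a credential pair valid for ttl_seconds."""
    if now is None:
        now = int(time.time())
    expiry = now + ttl_seconds
    username = f"{expiry}:{user}"          # expiry is part of the signed data
    digest = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    return {
        "username": username,
        "credential": base64.b64encode(digest).decode(),
        "ttl": ttl_seconds,
    }


def verify_turn_credentials(shared_secret: str, username: str, credential: str,
                            now: Optional[int] = None) -> bool:
    """Model of the TURN-server side: reject expired or forged credentials."""
    if now is None:
        now = int(time.time())
    expiry_str, sep, _user = username.partition(":")
    if not sep:
        return False
    try:
        expiry = int(expiry_str)
    except ValueError:
        return False
    if expiry <= now:
        return False  # credential has lapsed; a stolen one is useless after the TTL
    expected = base64.b64encode(
        hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    # constant-time comparison so the check itself does not leak the HMAC
    return hmac.compare_digest(expected, credential)


def ice_server_entry(turn_url: str, creds: dict) -> dict:
    """Shape the pair as one entry of RTCPeerConnection's iceServers list."""
    return {"urls": turn_url, "username": creds["username"], "credential": creds["credential"]}


if __name__ == "__main__":
    # constructed secret; in a deployment it comes from the server's config, never the client
    creds = make_turn_credentials("constructed-secret", "alice", ttl_seconds=600)
    print(ice_server_entry("turn:turn.example.invalid:3478", creds))
```

Keep the TTL close to the length of a session: the credential is the only thing a client needs to relay traffic through the TURN server, so the window in which a leaked one can be reused is exactly the remaining TTL.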

                                                        1. 1

                                                          Are you aware of ArchLinux’s netctl project? It’s based around systemd so it’s not portable to *BSD but the UX might be useful to draw inspiration from. Also, it’s an established project with the name ‘netctl’. :)

                                                          1. 1

                                                            Not until just now. Given that systemd will never be ported to OpenBSD, I’m OK with the name collision. ;-)

                                                            Thanks for the UX ideas!

                                                          1. 3

                                                            Would posts related to the Raspberry Pi fit within the tag? Or do they need to include something even smaller for the tag to be appropriately applied?

                                                            1. 4

                                                              That’s a great question. I specifically avoided mentioning Raspberry Pi since I don’t know the answer. This issue is bigger than the tag suggestion where lots of “embedded systems” over the years are running on what would previously be more like desktop computers. The Pi has quite a bit of hardware running OS’s such as Linux. Yet, it’s also constrained versus a “real” computer we’d use for day to day tasks such as web browsing.

                                                              I’d say it comes down to the specs and intended use-case. We should keep this tag for resource-constrained systems that people go for to keep per-unit price dirt cheap, possibly tiny boards, and very hackable. Looking at them, the Pi 3 doesn’t look like a resource-constrained system with a quad core and 1GB of RAM. ;) Even the Pi Zero has 1GHz and 512MB of RAM. Whereas this Arduino’s specs are a lot more like what most embedded boards in consumer devices, appliances, etc would be, with a 16MHz MCU, 8KB of RAM, and 128KB of flash.

                                                              https://www.arduino.cc/en/Main/arduinoBoardMega

                                                              You couldn’t even fit a real Linux in that thing. Even the GRUB bootloader at 20-30K couldn’t fit in its RAM (assuming all of it is loaded on startup). So, with these tiny chips, there’s whole different types of OS’s, programming styles, debuggers (some physical), and so on to handle them. You can’t just drop your vanilla stuff on them accepting that it runs slower. You have to do different things or at least chop the software until the result is not much like a full version. For example, the smallest Linux I think got to 600K. It couldn’t even fit.

                                                              So, things using MCU’s with tiny RAM and ROM amounts to the point they can’t run normal OS’s and toolchains. That’s how I’m defining it. If y’all are curious, while we’re at it, here’s the lowest end of embedded that’s still in use:

                                                              http://www.embeddedinsights.com/channels/2010/12/10/considerations-for-4-bit-processing/

                                                              Previous record holder… a one-bit MCU… with PDF guide to it in references:

                                                              https://en.wikipedia.org/wiki/Motorola_MC14500B

                                                            1. 6

                                                              Can anyone comment to the FUD-meter on this article? I do realize that the article addresses this specifically, but wanted y’all’s input.

                                                              1. 5

                                                                I think the concerns are quite real. Facebook has a patent on GraphQL but does not liberally license it to users. Which means, currently, that every implementation of GraphQL from outside Facebook, and possibly even every server-side user, is in violation of that patent. Which is a risk. One that doesn’t really need to exist, given Facebook’s willingness to license patents liberally (see React). Facebook’s legal team has been notified, so hopefully this will be resolved.

                                                                Until it’s resolved, as I understand it, every server implementation of GraphQL is definitely in violation of Facebook’s patent unless they already have talked with Facebook themselves. (i.e. I expect Github has talked with Facebook a lot already since they’ve been working closely together on a variety of topics already, but did Apollo Server/Meteor talk to Facebook? etc, etc). Client-side implementations, I don’t think so. I am not a lawyer, though.

                                                                1. 5

                                                                  I think the concerns are quite real.

                                                                  The concerns are quite real, but to say that they’re unique to Facebook/React is bizarre and unfounded; software patents are a huge problem that plague everyone who uses software distributed under a license that doesn’t have an explicit patent grant.

                                                                  Everyone who uses BSD-licensed or MIT-licensed software is at risk if they operate in a jurisdiction that recognizes software patents.

                                                                  1. 1

                                                                      That’s one opinion, and the other one is that the BSD and MIT licenses give an implicit patent grant so you (the licensee) are not at risk. On the other hand, that can be a risk to the licensor (of “losing” the patent). So one theory is that this is why Facebook came up with BSD+PATENTS: to replace the implicit patent grant with an explicit one so that they get protection in exchange for “losing” the patent.

                                                                    You are saying BSD+PATENTS is better than BSD for users. But if BSD does not give any patent grant, why is BSD+PATENTS better than BSD for Facebook? After all, it’s Facebook’s decision, not users’.

                                                                    1. 1

                                                                      But if BSD does not give any patent grant, why is BSD+PATENTS better than BSD for Facebook? After all, it’s Facebook’s decision, not users’.

                                                                      Because accepting external contributions to an OSS codebase that doesn’t have a patent grant is a terrible idea if you operate a business in a jurisdiction that fails to recognize the invalidity of software patents.

                                                                2. 1

                                                                  Over 9000

                                                                1. 3

                                                                  I’d like to turn it around and ask you what you have self-hosted? Always curious what people have chosen. :)

                                                                  1. 1

                                                                    (not OP) I’m self-hosting Camlistore for backups (which has been working well so far) and a hacked-together RSS reader (because so many feeds only include a summary and a link to click through).

                                                                    1. 1

                                                                      I host my mails (OpenSMTPd as MTA, Dovecot as MDA until the OpenBSD-developers show some mercy and come up with their own implementation of IMAP), my website/s (static placeholder and blog, both via httpd, blog’s Wordpress), instant messaging (XMPP via Prosody, used to run Mattermost for a while), my backups (Arq, to three different physical locations), file synchronisation (recently switched to Nextcloud from ownCloud), torrents (via Transmission - and yes, really not for piracy), .. I’m sure I forgot something.

                                                                      1. 1

                                                                        Oh, new podcast! Thanks. :)