Threads for fkooman

  1. 24

    To preserve the community aspect of Gitea we are experimenting with creating a decentralized autonomous organization where contributors would receive benefits based on their participation such as from code, documentation, translations, and perhaps even assisting individual community members with support questions.

    The worrying part…

    1. 10

      An enhanced enterprise version

      is the worrying part for me as well. Does that mean those enhancements are proprietary?

      1. 5

        I heard a rumor that they’re not actually intending to launch their own coinscam and that the way it was announced it came across differently from the actual intention but I don’t have a reliable source to back that up yet. It’s reasonable to be concerned about this but I wouldn’t write them off yet.

        1. 12

          This was the reply I got: https://twitter.com/giteaio/status/1585297381926793216

          1. We don’t plan on selling crypto or creating some shitcoin
          2. the DAO was mentioned as a possible way to ensure public and transparent community governance, but I believe it is possible to do that without cryptocurrency (still investigating if that is indeed possible, but… wanted to be upfront with areas we were exploring.)

          (Although I’ve since noticed that they have at least one sponsor who is blockchain-related, which is also bad.)

          1. 6

            Allegedly, that sponsor made a one-time donation a good couple of years ago, and has not done so since, so it’s listed for historical reasons only.

        2. 2

          Yeah, that probably means gitea is going to have to go in the bin for me. Which is a shame because I was quite liking it as a self-hosted solution.

          1. 4

            How so? They haven’t actually done anything you can blame them for; they’re just trying to find ideas for something that hasn’t been completely solved. How about you help them find better ones?!

            1. 7

              They haven’t actually done anything you can blame them for

              “gitea is going to have to go in the bin for me” … if they implement a blockchain-based DAO. Apologies, I thought that was implicit but I could have made it explicit.

          2. 1

            Look, this is inevitable. However it is worrying in the sense that it matters how it is implemented, ethereum is not a real solution … these matters are too serious to just roll with whatever is around.

            As an aside; I wonder what happened to mathematics… people are content with a theorem prover thing sitting on top of a massive amount of proprietary foundations?!

            Mathematics is only convincing if you can trace the argument down to the axioms. Obviously the proofs stand on their own so technically you don’t need to run the theorem prover to be sure that it is correct, however, people build these theorem provers so that they can trust the verdict it provides… and we will be heading into the future on this foundation?! It’s laughable and from my point of view it is because the free software world has not established a proper negotiation position; which is exactly what risk assessments and credit systems will give us.

            1. 1

              Agreed. I do think this is preferable to an SSPL-like solution. Ultimately, I suppose there is no effective way to take back from the greedy without being greedy yourself.

              Funny enough, I had to stop myself from tagging the story under merkle-trees, since I anticipated that the short paragraph you quoted would become a big part of the discussion.

              1. 2

                I mean, Git is literally a Merkle tree, so the tag should be appropriate? I do understand why we can’t call programming hacking and cryptography crypto any more, but still…

                1. 2

                  The linked article isn’t about Git, it’s about an organization that’s providing VCS as a service, and how it’s planning to fund itself in the future.

                2. 2

                  Ultimately, I suppose there is no effective way to take back from the greedy without being greedy yourself.

                  That sounds like an easy justification for a lot of things.

                  1. 1

                    Wasn’t meant as a justification so much as an observation. I personally think the best response to greed is… nothing. Call it out and move on. Two wrongs don’t make a right.

                3. 1

                  Why is that worrying? That if you write a lot of code you’ll get more privileges? Is there a concern about state actors breaking gitea through the front door?

                  1. 10

                    It’s worrying because “decentralized autonomous organization” usually means some crypto-currency-related thing. That means the project will get flooded by cryptobros who want to use the project as leverage to (a) legitimise crypto-currency, (b) financially exploit each other, or (c) both, rather than contributing to the project itself.

                    1. 1

                      Ah, thanks for explaining! I didn’t catch the connection between the terms used and cryptocurrency stuff.

                1. 5

                  but passkeys aren’t so complex that it’s unreasonable for people to know what’s going on

                  Yeah, I guess compared to WebAuthn with FIDO2 tokens, but if you are not familiar with that, it is still insanely complex for the purpose… Apparently WebAuthn, even with all its extensibility, wasn’t flexible enough to also (transparently) accommodate passkeys :/

                  It was a big mistake not to properly integrate this in browsers like Basic/Digest auth, or even using something like <keygen> where one doesn’t require any JS in the browser at all to make it work. Also, why not limit this to modern cryptography, still all this legacy!

                  Negative algorithms, loving this:

                      pubKeyCredParams: [{
                        type: "public-key",
                        alg: -7      // COSE algorithm identifier for ES256 (ECDSA, P-256, SHA-256)
                      }, {
                        type: "public-key",
                        alg: -257    // COSE algorithm identifier for RS256 (RSASSA-PKCS1-v1_5, SHA-256)
                      }],
                  

                  Matthew Green wrote about this almost 10 years ago; nothing improved.

                  1. 7

                    For what it’s worth, FIDO2 tokens aren’t any more complex. What’s new, and that has been developed to improve the user experience when using passkeys, is the non-modal UI.

                    Most of this code would work for regular FIDO2 authenticators all the same, except that the author disables their availability by setting authenticatorAttachment: "platform" in the authenticator selection, which limits authenticators to those that are provided by the platform, that is, passkeys. Without it, you could just as easily use authenticators that support client side discoverable (resident) keys as well. And for many services, having client side discoverable keys might not be that important. It is needed if you wish to support passwordless login - that is, having your authenticator be your only factor. But if you’re just using it as a second factor, you can support tokens that don’t support client side discoverable keys with a bit of extra effort, namely storing 64 extra bytes for each authenticator, and providing a list of authenticator IDs and their extra data when asking for authentication.

                    I’m a bit annoyed that the author specialized this for purely passkeys, when just a tad more effort would generalize it.

                    Though I still think you should be using a library for this. There’s a bunch of ways to get it wrong, and it’s worth using a library to avoid most of them. I especially like the py-webauthn library, as it only has 4 methods that you use. You still have to deal with data (de-)serialization, but that isn’t too difficult.

                    Some additions: As for a JS-less way, I’ve filed an issue on this a while ago, but it isn’t moving quickly, both because nobody is willing to dedicate time to this, and there are some complexities involved with marshaling binary data on the web.

                    Basic/Digest auth is probably not happening any time soon, as WebAuthn requires a challenge-response, and that doesn’t have a precedent with the Authentication header use AFAIK.

                    1. 2

                      I’d up-vote your response multiple times if that were possible!

                      Some additions: As for a JS-less way, I’ve filed an issue on this a while ago, but it isn’t moving quickly, both because nobody is willing to dedicate time to this, and there are some complexities involved with marshaling binary data on the web.

                      Upvoted it there as well. Reading my way through :)

                      Basic/Digest auth is probably not happening any time soon, as WebAuthn requires a challenge-response, and that doesn’t have a precedent with the Authentication header use AFAIK.

                      Digest is “challenge/response”, maybe not exactly in the way that would be required for fido2/webauthn/passkeys, but I guess also not that different either: https://datatracker.ietf.org/doc/html/rfc7616

                      1. 1

                        Digest is “challenge/response”, maybe not exactly in the way that would be required for fido2/webauthn/passkeys

                        Oh, I mistook it for Token auth. Looking over it, yeah, something resembling that could be done with webauthn, though only when using client side discoverable keys, which is a tad annoying as hardware keys usually have a fairly limited storage for them, and usually can only store less than 100. Enabling it for non-resident keys would require the server to know what user is trying to log in before issuing a challenge, which would require one more roundtrip, and I’m not sure if that’s viable.

                  1. 3

                    This is super cool but I’m not 100% on the use case—you still need to build on an Apple OS since you can’t legally cross-compile to macOS right¹? So why not do the signing/notarisation then?

                    ¹ Xcode and Apple SDKs Agreement:

                    You are expressly prohibited from separately using the Apple SDKs or attempting to run any part of the Apple Software on non-Apple-branded hardware.

                    “Apple SDKs” means the macOS SDK, and the Apple-proprietary Software Development Kits (SDKs) provided hereunder, including but not limited to header files, APIs, libraries, simulators, and software[..]

                    1. 5

                      We have a pool of MacOS hardware to run builds / tests, and another pool to perform signing. The latter is a security risk so very tightly controlled and locked down. They are a pita to maintain.

                      Being able to sign on Linux will allow us to re-use the existing signing infrastructure we use for literally every other platform other than MacOS. It’ll be more secure and much less maintenance.

                      1. 1

                        Ahh ok separate build vs sign envs makes sense. Thanks for the insight.

                      2. 4

                        Yes, but you can also build software for macOS that doesn’t use Apple’s SDKs. For example CLI applications. I do know that for example in Go you can cross compile to darwin, which works, but you still need to “notarize” your binary before it can run.

                        1. 3

                          I can’t stand Apple’s code signing. Their tooling seems to be designed to only upload from Xcode GUI to Mac App Store, and everything else is left half-assed, buggy, and undocumented. There are tons of things that can go wrong with signing, but their error messages are vague and unhelpful. So I’m happy there’s another tool.

                          1. 1

                            my usecase:

                            the Apple Uploader makes (on my uplink) ~350MB upstream traffic to upload a <50MB iOS ipa payload. Takes over an hour. I would be more than happy about an upload tool that would not be as crappy in non high-end environments. So much about sustainability and double-standards.

                            The (swift) ipa for testing is ~15MB by the way and the previous ObjC version was 500K. This is how to ruin the planet with an upload obesity crisis.

                          1. 6

                            Filippo Valsorda’s response to this, or via original Twitter link.

                            1. 6

                              “Don’t ask any questions about the intentions of the known-malicious entity which has recommended secretly known-weak cryptography multiple times in the past on behest of the NSA. Don’t use your legal rights to scrutinize the government. Trust that the NSA and NIST have your best intentions at heart, citizen.”

                              Yeah no. It’s the NIST’s responsibility to prove themselves to no longer be malicious. So far, they haven’t.

                              1. 4

                                This seems disingenuous. Bernstein doesn’t accuse anyone of bribing researchers, he accuses the NSA of hiring them which makes bribing them unnecessary. I think that’s just a matter of public record.

                                1. 9

                                  The underlying things here are that A) a FOIA suit is a pretty standard thing and is not evidence of malice or evidence that the claims advanced about the contest are true (lots of agencies mess up FOIA, for reasons which often are banal, and get sued over it), and B) the documents obtained from it are almost certainly not going to provide any evidence for the claims, either.

                                  There are basically the following possibilities, in what I think is decreasing order of probability:

                                  • He wins the FOIA suit and receives the full set of requested documents and they don’t contain any references to nefarious NSA behavior, in which case he can say that he’s being stonewalled and the real documents would vindicate his claims.
                                  • He doesn’t win the FOIA suit and doesn’t get any documents, in which case he can say that he’s being stonewalled and the documents would vindicate his claims.
                                  • He wins the FOIA suit and receives a partial or null set of documents with no further explanation, in which case he can say that he’s being stonewalled and the full set would vindicate his claims.
                                  • He wins the FOIA suit and receives a partial or null set with some sort of Glomar response or similar for why it wasn’t the full set, in which case he can say that he’s being stonewalled and the full set would vindicate his claims.

                                  Notice how in every possible outcome of the FOIA suit, the result is: “he can say that he’s being stonewalled and the full/real set of documents would vindicate his claims”. That’s an incredibly strong indicator that this FOIA suit cannot return any documents that would support the claims he’s making. Which means – in my opinion, at least – the suit itself is being presented disingenuously. If he wants to go FOIA stuff, by all means FOIA stuff. But it’s not going to provide any evidence for his claims, and in fact we can pre-write the likely followup regardless of the outcome of the FOIA.

                                  1. 3

                                    I was really only talking about the bit harping on about the “bribery” accusation (which I think was just really badly written hyperbole)

                                    1. 9

                                      Well, you’re right that technically Bernstein doesn’t ever come out and say the exact literal words “I accuse the NSA of bribing researchers”. But the point – and I think this is part of what Filippo gets at – is that Bernstein’s employing dishonest rhetorical tactics in order to maintain a future claim of plausible deniability when it comes to explicit accusations, despite everyone being able to clearly read the implicit claims he wants us all to notice and take away from what he wrote.

                                      1. 2

                                        Yeah, that’s reasonable.

                                    2. 1

                                      Notice how in every possible outcome of the FOIA suit, the result is: “he can say that he’s being stonewalled and the full/real set of documents would vindicate his claims”

                                      What I’m noticing more is that you haven’t listed out every possible outcome. You’ve only listed scenarios that assume bad faith. Yet you don’t even have to assume good faith on his part to get to additional possible outcomes though. e.g. there’s another possibility where he wins in court, gets documents that show internal deliberations, and he claims that the evaluation has not all been public, as claimed by NIST. Even his detractors hang the value of the competition on the public nature of the evaluation. If everyone agrees that is a critical component then verifying it could be in good faith, even if his beliefs extend into the shadow that would be cast over the results.

                                      1. 2

                                        Wait, does NIST seriously claim that “all evaluation has been public”? That seems plainly impossible to be true. As a first counterexample, people not on the review board. Do you have anywhere this is actually stated?

                                        1. 1

                                          The language is certainly up for interpretation but Ctrl-F for “Transparency for NISTPQC” to read about his transparency motivations for the FOIA suit.

                                  1. 1

                                    Interesting that in the other post on the homepage, about Fedora 36, they say they ship with 4.0.

                                    1. 3

                                      The 4.1 release will most likely soon be an update in Fedora 36…

                                      https://koji.fedoraproject.org/koji/packageinfo?packageID=26289

                                      1. 2

                                        Distros need to cut things off sometimes. I’m sad that they discontinued their kubic apt repository after it landed in Ubuntu, because the version that landed there is 3.4.4. It looks like if I want newer on Ubuntu I’m back to building my own debs like I was before the kubic apt repository was a thing.

                                      1. 20

                                        Too bad this is not the default in Firefox. It should have been, since AMP was first introduced. I will never use Brave because of their BAT cryptocurrency scam.

                                        1. 6

                                          Any resources/info on it being a scam (other than “it’s crypto”, ideally)? I was under the impression that it was a helpful idea, but maybe I’m missing something.

                                          1. 4

                                            My understanding is that they crawled social media to find photos of the owners of websites in order to make it look like the website owners were part of their website donation project. If people then subsequently donated in the belief that the money would go to the people Brave claimed it would go to, but the site owners weren’t participating in the project, the money would be held in some escrow account for some time until Brave took the money themselves.

                                            They’ve also been really shady in increasingly making their browser pretend it’s just Chrome, making it impossible to block or inform visitors about the scam.

                                            Here’s pushcx’s comment about it when it affected lobste.rs: https://github.com/lobsters/lobsters-ansible/issues/45

                                            EDIT: And here’s Tom Scott’s twitter thread about it: https://web.archive.org/web/20181224160027/https://twitter.com/tomscott/status/1076160882873380870

                                            1. 2

                                              Hm. I’d heard of those things. I guess I agree that’s not a great impression. I can understand why they would make such a mistake in good faith. Then again, when you’re trying to “fix the web” you can’t steamroll the very content creators you’re trying to help. And even if it was the result of ignorance as they suggest, it certainly calls into question their diligence in less visible parts of their operation. Maybe they need to do more to assure potential users of their ecosystem that such oversights won’t happen again.

                                              In any case, I can understand better now why someone would hew towards Firefox rather than Brave. What a shame… Anyways, thanks for your reply!

                                          2. 2

                                            They’re also run by a bigot. Stay away.

                                            1. 3

                                              don’t you work for google? might be worth mentioning if you’re commenting on an article about how a competing browser is sidestepping one of google’s more evil recent projects

                                              1. 5

                                                I’m not speaking as a Google employee and I don’t work on Chrome. It’s a big company. I did work on other browsers for a long time in the Mozilla ecosystem, including working with LGBT ex-Mozillans when we looked around the Prop-8 donations to see if anyone we knew had made donations and saw Eich’s significant donations to deprive equal human rights to people he knows and worked with. My feelings about this have nothing to do with who I happen to work for at one time or other. I’m a huge fan of a broad ecosystem of browsers offering a variety of takes on the web - I spent half my career working on that vision - but don’t get your supposedly privacy focused browser from someone with a history of attacking the human rights of vulnerable people.

                                                1. 4

                                                  If Brave’s technology is sound, it could always be forked. Similar to how people run de-Googled forks of Chrom(e|ium) to opt out of Google’s spying.

                                          1. 3

                                            It is not really difficult to make PHP software work with all versions from 5.4 until 8.1 with the exact same code. I am doing it for some of my projects. (Minor) releases of PHP may require a few small tweaks, for example PHP 8.1 broke some of my unit tests because PDO (SQLite) will no longer stringify results:

                                            Integers and floats in results sets will now be returned using native PHP types. The previous behaviour can be restored by enabling the PDO::ATTR_STRINGIFY_FETCHES option.

                                            It requires some planning and some careful consideration when developing and adding dependencies. If you can assume at least PHP 7 a lot of stuff becomes much easier still.

                                            1. 3

                                              The browser UX could potentially be improved a lot by going back to “Basic/Digest Authentication” style where combined with a built-in password manager the whole login flow would disappear if TLS client authentication for everything is not achievable (yet).

                                              1. 19

                                                Am I stupid or is this post essentially just, “if someone gets access to your authentication tokens they can impersonate you”? Isn’t this expected? Is your threat model one in which a user who leaves their machine unlocked and logged in at a café should still be safe somehow? How would that work?

                                                And how is that specific to bearer tokens? If I leave my machine unlocked at a café, someone can take my SSH private key too; that’s not a bearer token. Why is it worse if someone gets my bearer token than if someone gets my SSH private key?

                                                1. 6

                                                  “if someone gets access to your authentication tokens they can impersonate you”?

                                                  Yes, that seems the complaint.

                                                  Isn’t this expected?

                                                  Currently yes, but I think that’s the idea the post complains about. It would be great if it wasn’t expected.

                                                  SSH keys can do slightly better. A file based private key without a password is not better than a bearer token. However we can go a bit further. Hardware tokens elevate the guarantee to “you haven’t stolen the actual hardware”. (Yes, you could tunnel the messages, but the driver could also validate the client, so that’s… complicated) This is similar to the idea of secure enclaves in the post.

                                                  1. 5

                                                    So what’s the solution for an authentication system where 1) I don’t need to re-authenticate (with a password, a hardware token, biometrics, whatever) for every action; and 2) I can safely leave my laptop unlocked in a café without “logging out” anywhere (which is the example proposed in the article)? What alternative to bearer tokens could possibly do that?

                                                    1. 5

                                                      A tpm where the keys are write only and the computer has no unsigned writable persistent storage. Where the only thing of value on the machine is inaccessible proof of identity that allows you to access someone else’s machine.

                                                      A thin client for the cloud, effectively.

                                                      I don’t think I want to own such a machine.

                                                  2. 1

                                                    Why is it worse if someone gets my bearer token than if someone gets my SSH private key?

                                                    That depends on what you can do with your SSH private key and with that specific Bearer token…

                                                    At least with SSH you could improve the security of your private key (somewhat) by having it encrypted with a passphrase on disk (default) and/or (somewhat more) by using a FIDO2 hardware token, this is not so easy with a Bearer token as those are supposed to be usable without “user presence”.

                                                    1. 8

                                                      So the complaint doesn’t have to do with bearer tokens; the complaint has to do with any system where the user doesn’t have to re-enter their password (or re-authenticate through other means) with every action.

                                                      1. 4

                                                        On the orange site mjg59 expands on his post thusly:

                                                        Hypothetical: I have a Github Enterprise org. Users log in via my identity provider to gain access. Github then issues a long-lived oauth token to the Github Desktop app. An attacker compromises a user’s laptop and copies that oauth token. That attacker now has access to all my private repos until I notice and revoke it.

                                                        Finding a solution to this particular problem without destroying the UX would be very nice!

                                                        1. 1

                                                          What about a rolling code system (similar to RKE used for vehicle fobs)? If someone steals & uses your key state, then your next code won’t work (because the attacker already used it). At that point you are forced to re-authenticate and invalidate the stolen state.

                                                          1. 2

                                                            I have a laptop and a desktop.

                                                            I reload and my connections get lost.

                                                            1. 1

                                                              Your laptop & desktop would not be sharing the same token/key.

                                                              1. 1

                                                                Doesn’t fix that sometimes connections crash. How do you verify you received the new token other than using it?

                                                                1. 1

                                                                  I don’t understand your question. Can you provide a concrete scenario?

                                                  1. 5

                                                    Fedora and Debian already have 64 bit releases for many years for Pi 3 (and also Pi 4 since a year or so, Debian since bullseye) with their normal release kernel. I fail to get excited about this.

                                                    1. 3

                                                      Not so long ago I got bitten by string array keys being silently converted to int when they can be interpreted as numeric, but not all numeric. The OP almost mentions this mixed in with the JSON encoding/decoding:

                                                      $ php -a
                                                      Interactive shell
                                                      
                                                      php > $foo = ["66" => "foo", "92" => "bar", "-1" => "baz"];
                                                      php > var_dump($foo);
                                                      php shell code:1:
                                                      array(3) {
                                                        [66] =>
                                                        string(3) "foo"
                                                        [92] =>
                                                        string(3) "bar"
                                                        [-1] =>
                                                        string(3) "baz"
                                                      }
                                                      php > 
                                                      

                                                      WAT:

                                                      Strings containing valid decimal ints, unless the number is preceded by a + sign, will be cast to the int type. E.g. the key “8” will actually be stored under 8. On the other hand “08” will not be cast, as it isn’t a valid decimal integer.

                                                      1. 1

                                                        Oh yes, that’s always a fun one to find by accident. My favourite WAT that I found is that this is valid:

                                                        foreach($x as $y->v(){0}) {}
                                                        

                                                        Fun to figure out why…

                                                      1. 32

                                                        We’re disabling HTTP/3 for the time being, which is hopefully picked up automatically upon restart. Restarting the browser should just help. If it doesn’t, disable HTTP3 manually.

                                                        Edit: The bug was in HTTP/3, but not in “all of HTTP/3”. We solved this on the server-end. A post-mortem will be held and I’ll make sure the outcome lands on lobste.rs.

                                                        1. 17

                                                          Do I understand from this that Mozilla can just update my browser settings remotely without my updating‽

                                                          1. 21

                                                            Update: In the end, we disabled H3 on the offending server not in any client.

                                                            1. 8

                                                              Thanks for posting it here with your official hat on and being so honest! Mistakes can happen and exactly this behavior gives me confidence in the FF crew.

                                                              1. 3
                                                            2. 18

                                                              Yes. This is part of the “Remote settings” service, which we can use to ship or unship features (or gradually) or recover from breakage (like here!). We mostly use it as a backend for Firefox Sync and certificate revocation lists. Technically, we could also ship a new Firefox executable and undo / change settings, but that would realistically take many more hours. Needless to say, every “large” software project has these capabilities.

                                                              BTW I’d encourage you not to disable remote settings, because it also contains certificate revocation updates and (obviously) helps with cases like this here. I understand that this is causing some concern for some people. If you’re one of those, please take a look at https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

                                                              Edit: I’m told sync is using a different backend and some of this is inaccurate. It seems that lots of folks are linking to this thread, which is why I will leave this comment, but strike-through.

                                                              1. 6

                                                                How do I disable Remote Settings but keep CRL updates on?

                                                                1. 5

                                                                  CRL updates are part of the payload that the “remote settings” service provides. So, I’m not sure what you are asking. I only know of the all-or-nothing switch.

                                                                  1. 2

                                                                    I think driib is asking “If I control the DNS for a public wifi point, can I use an NXDOMAIN for use-application-dns.net and a spoof of aus5.mozilla.org to force an update to my own (possibly evil) version of Firefox; and if so, how do I defend against that?”. But I could be wrong.

                                                                    1. 1

                                                                      We sign our remote settings as well as our Firefox browser updates.

                                                                      1. 1

                                                                        Good.

                                                                        1. 2
                                                                2. 1

                                                                  😱

                                                            1. 11

                                                              Do we have a tag to filter out web3/blockchain/nft/crypto bullshit and suggest it to posts like these? “web” does not quite cover this…

                                                              1. 7

                                                                merkle-trees was made exactly for that

                                                                1. 2

                                                                  Well, if someone’s overly specific, that’ll filter out git posts too…

                                                                  1. 2

                                                                    That would be an incorrect tag, because discussions related to git should be tagged with vcs - “Git and other version control systems”.

                                                              1. 7

                                                                The original bug report as to why:

                                                                With Schools using Google Forms as a testing platform, students are able to use this shortcut to search through the source of the page, and determine the correct answers.

                                                                Use case: Admin wants to prevent and stop students from using View-Source as a way to cheat during exams, state testing and quizzes

                                                                1. 32

                                                                  Clearly, modifying the browser is the only possible technical approach that can stop people from finding test answers in the page sources of Google Forms. Google is otherwise completely powerless to prevent test answers from appearing in the form’s HTML.

                                                                  1. 15

                                                                    That’s an interesting thread. I’m surprised to see so few people saying “instead how about you fix these stupid websites to not embed this stuff in the page source.”

                                                                    View Source is one of the emblematic features of the open Web. Countless people got started with HTML (or picked up new tricks) by viewing the source of websites.

                                                                    1. 6

                                                                      View Source is one of the emblematic features of the open Web.

                                                                      No surprise that Chrome* is open to blocking it, then.

                                                                    2. 8

                                                                      Wait, are they serious?! Why on Earth would the answers even be in the HTML? That literally doesn’t make sense…

                                                                      1. 2

                                                                        I ran into this a while ago, doing some compulsory training for an employer.

                                                                        After digging around, it seems the quiz sections were transpiled from Flash into JavaScript, leading to trivially exposed answers in the source code. Because the Flash app itself was entirely client-side, and wasn’t validating the answers against a server.

                                                                    1. 2

                                                                      Hopefully these optimizations find their way to libosinfo so e.g. GNOME Boxes also benefits from this and some day may make it easy to install Windows 11 and macOS on a virtual machine.

                                                                      1. 2

                                                                        Installing macOS on anything other than Apple hardware (in a VM or otherwise) is a violation of the EULA, so I doubt GNOME would touch it. VirtualBox and friends include big disclaimers about this to avoid being hit with DMCA notices. Apple has a history of sending them to any project that makes it easy to install OS X / macOS in VMs on non-Apple hardware unless they include these disclaimers.

                                                                        I had a quick look at the Windows installs and I couldn’t see how you provide your license key there either. Microsoft provides Windows VM images with quite a restrictive license (time-limited, for evaluation / testing only) but it looks as if this is installing from the DVD install image - do you need to provide license info after the install is finished?

                                                                        1. 2

                                                                          That’s petty of them, I don’t see how you would be doing something that is unethical in any way. Modifying some UEFI tables and using a DMG you got from the app store on your own MacBook. Although, some laws are so crazy it might technically be very well “illegal” these days.

                                                                          Microsoft offers the ISOs of Windows 8, 10 and 11 directly from their site. For Windows 8 you do need a valid license key to be able to install it.

                                                                          For what it is worth, in GNOME Boxes you can specify the license key for unattended Windows installations. You can also do a “manual” install with Windows >= 10 where there is a prompt for a license key you can then skip. You’re then running in an evaluation mode that probably will expire at some point and you can’t change all settings I think. Good enough to test stuff with Internet Explorer though and run some tests with apps.

                                                                          1. 6

                                                                            That’s petty of them, I don’t see how you would be doing something that is unethical in any way

                                                                            macOS exists for Apple to sell Macs and is funded out of sales of Macs and related services and so the EULA requires that you buy a Mac to be able to run it. Whether that’s ethical or not, it’s definitely illegal.

                                                                            Running it on a KVM VM on a MacBook that’s configured to boot to Linux is fine and in accordance with the EULA (last time I checked, not sure if it’s changed, I am not a lawyer, this is not legal advice), but running it on KVM on a non-Apple machine is not.

                                                            Most things that support running virtualised macOS are quite explicit about this because the DMCA has some quite specific wording that differentiates between things designed for copyright infringement and things that are dual-use and can be used for copyright infringement. If you provide tooling that is designed for running macOS on a Mac in a VM and is also usable on other machines, it’s a dual-use thing and Apple can go after the folks that use it to violate their copyright but they can’t go after their tool. If you provide something that is marketed as letting you run macOS on non-Apple hardware, then they can go after the tool.

                                                                      1. 4

                                                                        It is the default filesystem in Fedora since 33.

                                                                        1. 4

                                                                          Some kind of clue as to what we’re looking at here and why it is interesting would be super useful.

                                                                            1. 2

                                                                              The search engine calculates a score that aggressively favors text-heavy websites, and punishes those that have too many modern web design features.

                                                                              On my phone at the moment, the above is probably the shortest summary I can find on the About page.

                                                                            1. 3

                                                              I’m using GrapheneOS’ infrastructure repo for inspiration for hardening my SSH server config: https://github.com/GrapheneOS/infrastructure/blob/main/sshd_config which seems to take things a bit further and removes legacy stuff, i.e. RSA.

                                                                              Also, I’m using AddressFamily inet6 to only listen on IPv6 which reduces the number of log entries from curious scanners.

                                                                                1. 2

                                                                                  This is not the content I come to lobster.rs for, but it is content I snorted water out of my nose to. It set me musing about the quality of products and what happens when true innovation stalls but units still need to be moved.