1. 5

      Do you also have an otf or ttf version available? I am working on a project where this font could be really useful :)

      1. 2

        It’s a bitmap.

        1. 6

          You can wrap bitmap fonts in a TTF, so the actual bitmap is used at specific point sizes, and the other sizes are naively scaled. I don’t know, myself, how to do this, but I’ve seen it done.

          1. 3

            The tools Tilman made for Terminus TTF might be useful.

      1. 3

        Maybe show them this video from Philosophy Tube? The whole thing isn’t about the “nothing to hide” argument, but it does touch on it.

        1. 1

          I’m curious, what makes uBlock Origin better than any other ad blocker or even a pi-hole?

          1. 2

            A pi-hole can only do hostname based filtering. A browser extension can also filter on URL paths, and also do “cosmetic filtering” on CSS selectors. This may let you block first-party ads and annoyances that you couldn’t block with a pi-hole. uBlock Origin is the most trusted ad blocking browser extension.
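The difference described in the comment above, as an added example that is not part of the thread and is not Pi-hole's or uBlock Origin's code: a DNS sinkhole only ever sees a hostname, while an in-browser filter sees the full URL and the page's elements. All hostnames, URLs, page elements and rules are constructed, and the `{host, pathPrefix}` rule shape is a simplified, hypothetical stand-in for real filter-list syntax.

```javascript
// Constructed sample: resources requested while loading a page on news.example.
const requests = [
  "https://news.example/article/42",
  "https://news.example/static/site.css",
  "https://news.example/promo/banner.js",   // first-party ad script
  "https://ads.tracker.example/pixel.gif",  // third-party tracker
];

// DNS sinkhole view: the resolver is asked for a name and nothing else.
function dnsBlocks(url, blocklist) {
  return blocklist.has(new URL(url).hostname);
}

// Browser-extension view: the full URL is visible, so a rule can match a path.
// Rule shape is hypothetical ({host, pathPrefix}), not real filter syntax.
function urlRuleBlocks(url, rules) {
  const u = new URL(url);
  return rules.some(r =>
    u.hostname === r.host && u.pathname.startsWith(r.pathPrefix || "/"));
}

// Cosmetic filtering: hide elements already in the page by selector.
// The DOM is modelled as plain objects; only ".class" selectors are handled.
function cosmeticHide(elements, selectors) {
  const classes = selectors.map(s => s.replace(/^\./, ""));
  return elements.filter(el => !el.classes.some(c => classes.includes(c)));
}

// Paths of the sample requests that a given blocking function would stop.
function blockedBy(blockFn) {
  return requests.filter(blockFn).map(u => new URL(u).pathname);
}

const hostList = new Set(["ads.tracker.example"]);
const urlRules = [
  { host: "ads.tracker.example" },
  { host: "news.example", pathPrefix: "/promo/" },
];

const dnsResult = blockedBy(u => dnsBlocks(u, hostList));
const extResult = blockedBy(u => urlRuleBlocks(u, urlRules));

// The only DNS-level way to stop /promo/banner.js is to sinkhole the whole site.
const dnsOverblock = blockedBy(u =>
  dnsBlocks(u, new Set([...hostList, "news.example"])));

// Markup served inline with the article never triggers a separate request,
// so neither hostname nor URL rules can touch it; a selector can.
const page = [
  { tag: "p", classes: ["body"], text: "Article text" },
  { tag: "div", classes: ["sponsored", "box"], text: "Buy now" },
];
const visible = cosmeticHide(page, [".sponsored"]).map(el => el.text);

console.log({ dnsResult, extResult, dnsOverblock, visible });
```
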

          1. 9

            It’s really unfortunate that Fenix is not available on f-droid.. The only way you can run it today is with all the google tracking crap in it.

            Seems kind of silly this post has the ‘privacy’ tag on it, given that fact.

            1. 10

              I’d be surprised to find Google tracking. We have our own telemetry system, which is privacy preserving and there’s a way to opt-out.

              Care to clarify?

                1. 11

                  Ah yes. I thought you meant “behavioural tracking for advertising”, but having looked further into the code it seems with tracking you meant “counting installs”. https://github.com/mozilla-mobile/fenix/blob/64a4a7f422b692c77fdd7957b7b80357ff02b348/docs/metrics.md#activation

                  I’m not very familiar with that codebase, but the only occurrence of the google advertising id I can find is for it to be hashed and uploaded so that Mozilla can count the number of unique ids (modulo folks who regularly reset their advertising id)

                  1. 8

                    Wait, you depend on proprietary google gms libraries in order to basically generate a uuid? That seems like overkill.

                    1. 0

                      Looks like that’s the easiest way to count installations and give people the power to opt-out and reset identifiers. I’m not a mobile engineer, but probably better than using a hardware identifier?

                      1. 2

                        I’m still completely astonished by this. You’re saying that Mozilla chose to depend on proprietary components from the world’s largest ad company, a company well-known for tracking users, just to effectively generate a uuid? Am I the only one who thinks that’s absurd? And if I am, why is that not absurd?

                        1. 6

                          The app also depends on the operating system from that same large ad company. I understand you’d draw the line someplace else than we apparently have.

                          But as a non-android developer, I don’t have an informed opinion about pros and cons and whether there were any alternatives.

                          1. 1

                            No, to a certain extent.. AOSP is still a thing and there are distros that use it..

              1. 5

                There’s an unofficial f-droid repo for it here.

                1. 1

                  That’s cool. Does Signal from this repository work with the official Signal servers?

                  1. 1

                    I haven’t installed it yet but the “About” info mentions “the Signal servers” so presumably they’re the official ones.

                2. 3

                  Is it not apparent that the privacy tag is for uBlock?

                  1. 0

                    You cannot have ‘privacy’ if the thing that ublock depends on is itself compromised.

                1. 4

                  Observations:

                  1. Of course this is from my senator, Lindsey Graham, who is a rat.
                  2. Of course this has bipartisan sponsorship.
                  3. This could affect the fediverse, depending on the “best practices” that end up being required, even though the fediverse doesn’t have end-to-end encryption; the best practices could require too much labor or expense to comply with.

                  1. 4

                    I love the idea of using the honeypot technique rather than a CAPTCHA, and I’ve used it in the past.

                    My concern is that it may not be as effective today as it was when it was first introduced about 10 years ago. Bots may be smarter now, and it doesn’t take a whole lot to adapt to honeypots. If your site is targeted specifically, a honeypot won’t protect you, because the bot herder will notice the failures and fix the bot. It’s really only good for preventing untargeted things like blog spam, and I worry that it’s not as good for that as it used to be.

                    1. 4

                      What would be a good XMPP provider that supports all the fancy XMPP extensions? Like syncing messages between clients? Are there any reliable paid services?

                      1. 6

                        A good start would probably be https://compliance.conversations.im/

                        As for reliable paid services I would probably look into https://account.conversations.im/ and some paid mail providers also provide XMPP.

                        1. 4

                          I second https://account.conversations.im/ I’m personally not using it (self-hosting) but I’ve got friends that pay for the account and are very happy with the service (always updated, supporting modern extensions etc.).

                          1. 2

                            I wrote a little article on installing Prosody with all the currently needed XMPP extensions: https://jfm.carcosa.net/blog/computing/set-up-prosody/. Could be useful to people who want to self-host.

                        1. 10

                          > Server-side rendering is hard

                          I died inside.

                          1. 9

                            While the SE/30 isn’t doing as much of the work here as I’d want it to… this is very cool! Nice job.

                            I think the SE/30 is one of my favorite computers ever.

                            And also, how are you getting cmake to build binaries for an SE/30? I really admire the twisted mind that came up with a way to do that. Well done (either to you or whatever project you pulled in to do that)!

                            1. 1

                              One of my friends in college had an SE/30, and it really was a great computer: monochrome graphics and classic Macintosh case, but inside, actually more powerful than most of the color Mac IIs that were around at the same time. I think my friend actually ended up running A/UX on it, which made it even more impressive.

                              1. 3

                                I worked in an apple repair shop for most of the 90s. We had an SE/30 running A/UX as a file server until about 1997. At which point we replaced it with an apple network server 700 running AIX right around the time they were discontinued and the sales group no longer felt the need to have one on hand for demos.

                            1. 5

                              tldr; Linux will never be supported on all hardware because most hardware vendors aren’t willing to upstream their drivers or release adequate documentation for them to be implemented upstream. Whinge, whinge, whinge.

                              1. 2

                                I like it! I’ve written a web-based Mastodon/Pleroma client that works in text browsers and older browsers. I use it with Lynx and w3m, and I’ve definitely had people write to me that they’ve used it with IE5 or with Netscape 3. The biggest issue I’ve had is TLS, actually. I’m running a public instance that only runs on HTTPS, and only on TLS 1.1 or higher, and people on ancient and unmaintained browsers can’t use it; they have to run a local copy of it on plain HTTP on the same LAN as their old browser.

                                1. 2

                                  In my experience, HTTPS is the biggest obstacle to Web accessibility.

                                  1. 2

                                    Is it the one called Brutaldon? I’ve started exploring it, and it looks very cool!

                                    Thank you for writing and sharing it.

                                    1. 2

                                      Yes, it is brutaldon! Glad you enjoy it.

                                  1. 3

                                    I’d be interested in reading a summary of what issues you had, and how you think the best way is to avoid them.

                                    1. 4

                                      The biggest obstacle to old clients in my experience is HTTPS, with most of the web, with Google’s pushing, now being https-only, and thus inaccessible to older browsers. Ironically, google.com and the search remains accessible to most browsers.

                                      The second is probably new JavaScript syntax like === and try/catch, which cause parsing errors. JavaScript is generally designed in a way which makes it easy to do feature checks, so I can wrap everything in if(window.localStorage), but I can’t do that with ===. New syntax causes errors in older browsers, and I’ve had to rewrite certain things.

                                      I am using one third-party library, OpenPGP.js, which is heavy on new syntax and features, and I will have to selectively load it only for new clients, which I have not figured out how to test for yet.

                                      Another issue is that Mosaic considers > to be enough to close an HTML comment, not -->, meaning in-HTML scripts cannot include a > character. I noticed this before, and I found a couple of easy techniques in old JS books and by trial and error to work around this, but it meant combing through all of my JS and replacing if (a>b) with if (b>a), etc.

                                      1. 1

                                        > The biggest obstacle to old clients in my experience is HTTPS, with most of the web, with Google’s pushing, now being https-only, and thus inaccessible to older browsers. Ironically, google.com and the search remains accessible to most browsers.

                                        Why should that be an issue? You’d think that this would only be a problem, if you force-redirected HTTP traffic to HTTPS, but I don’t know why one should do that in your case.

                                        1. 1

                                          It’s not an issue on my sites, but it’s an issue with almost every other website across the web at this point.

                                          One of the last holdouts was aol.com, until a year or two ago.

                                          If I didn’t have my own HTTP site, I’m not sure how I would log in to captive WiFi portals…

                                          1. 1

                                            For other people’s reference, the site http://neverssl.com/ exists for exactly this purpose.

                                            1. 1

                                              Ironically, this page doesn’t display without javascript

                                              1. 1

                                                Which page? http://neverssl.com/ doesn’t use any javascript for rendering, the only js used is for the twitter button.

                                    1. 4

                                      I’ve been mainly using swaywm, but the design of this is unique and charming, so I’m going to give it a try.

                                      I’ve used tiling extensions for Gnome 3 before, and none of them have ever been fully satisfactory, because they have too much fighting to do with the way Gnome wants to do things. But this seems to be a different and more comprehensive approach.

                                      1. 1

                                        i switched from gnome to xfce just so i could continue to use a proper tiling wm. i’m surprised no one ever made a good tiling extension for gnome, but i guess it just goes against the grain of how gnome is designed or implemented.

                                        1. 1

                                          Which tiled wm do you use with XFCE? I’ve heard of people doing that but never figured it out myself.

                                          1. 1

                                            xmonad - it has an integrate-with-xfce config file you can use. i’ve also used mate + i3 but i prefer xmonad because it has persistent workspaces.

                                      1. 8

                                        > Adding any dependency comes with the cost of complexity and file size, but jQuery is not that large: the default build is 30K minified/compressed,

                                        It’s kinda large.

                                        If all you care about is having a nicer interface, just use zepto or another light jquery alternative

                                        1. 4

                                          Zepto seems inactive: issues are not responded to, PRs are not merged or commented on. jQuery is still very much alive in this regard.

                                          The best-case advantage seems to be going from 30K to about 11K transfer size. In my case it’s actually going from 23K to 11K since I use a jQuery build which removes some parts I don’t use. These are pretty small gains even on slower connections.

                                          1. 1

                                            I believe there are new kids on the block that are even smaller. I haven’t needed to use one for a while, but if I did that’s what I’d be looking for, especially for anything meant to be used on mobile.

                                            1. 1

                                              I use intercooler.js for progressive enhancement, which requires either jQuery or Zepto. The catch is that it doesn’t work with the default build of Zepto; it needs the data extension added. I don’t have the file sizes handy, but that certainly narrows the benefit.

                                            2. 2

                                              I agree with the statement from the article that coming from bundles in > 1MB territory 30KB shouldn’t be the end of the world. And if it is, you can always switch to a lighter alternative.

                                            1. 3

                                              I’m somewhat excited about the ASGI support. My hope is that this will mean that support for Server-Sent Events (SSE) will either become standard, or be provided by a less intrusive library than what you’d have to use now.

                                              1. 4

                                                The article misrepresents both Qwant and DuckDuckGo as only providing results from Bing. Apparently Qwant used Bing to bootstrap, but now uses its own crawler. DuckDuckGo aggregates results from many sources, not just Bing.

                                                1. 24

                                                  > DoH doesn’t actually prevent ISPs user tracking

                                                  The article argues that DoH is pointless because the ISP can still read HTTP and the SNI part of TLS.

                                                  While that’s true… HTTP is becoming more rare and SNI is getting an upgrade to be encrypted.

                                                  Where it does actually help is in non-HTTP related requests (ie DNSSEC, SSHFP, TXT, CNAME)

                                                  > DoH bypasses enterprise policies

                                                  DoH can be configured via GPO on Windows (for Firefox at least)

                                                  > DoH weakens cyber-security

                                                  Same as above but this time it’s about “how terrible our shitty middle boxes can no longer smear shit all over the connection”. DoH works with local CA’s so your shitty middlebox can still crack open DoH.

                                                  > DoH helps criminals

                                                  See all of the above, if you already have a middlebox then you can crack DoH like any other HTTPS traffic, otherwise criminals could have been using this tech for ages without any issue. Malware has also been using Tor over Bridges and other methods to avoid detection, I doubt this is an issue with DoH any more than before.

                                                  > DoH shouldn’t be recommended to dissidents

                                                  Is it?

                                                  > DoH centralizes DNS traffic at a few DoH resolvers

                                                  Only if nobody ever uses DoH but just today Microsoft wrote that DoH will be supported by windows; known DoH resolvers will automatically upgrade to DoH and prevent cleartext lookups (if DHCP uses 1.1.1.1 as a DNS server for example). They argue that if DoH becomes widely supported, more DNS servers will support it.

                                                  1. 22

                                                    Helps criminals and shouldn’t be recommended to dissidents is a paradox, dissidents are people who have committed the crime of political dissidence.

                                                    1. 5

                                                      You’re doing a strawman here:

                                                      • it “helps criminals” because it’s simply an alternative avenue that some system administrators aren’t aware of yet; e.g., an extra way for malware to avoid detection;

                                                      • it couldn’t be recommended to dissidents because it’s just bad engineering and a partial/incomplete solution, and very easy to block and circumvent.

                                                      The points may seem contradictory when taken out-of-context, but it’s not really controversial at all once you actually do look at the context here.

                                                    2. 13

                                                      Came here to post several of these. “Bypasses enterprise policies”, “weakens cyber-security”, and “helps criminals” all seem basically like unalloyed good things to me. Shitty enterprise middleboxes and the culture of corporate serfdom they support need to die yesterday.

                                                      1. 5

                                                        > While that’s true… HTTP is becoming more rare and SNI is getting an upgrade to be encrypted.

                                                        Does encrypting SNI actually help? If I see you connecting to 2620:0:862:ed1a::1 I know you’re visiting Wikipedia, or 2a03:2880:f10a:83:face:b00c::25de means you’re on Facebook. ESNI only hides requests to large MITM-concentrators.

                                                        1. 3

                                                          eSNI makes it a lot more difficult, especially if you have a CDN, cloud hoster or shared host on the other end. If the other end is an AWS/GCS/Azure IP then you haven’t learned that much.

                                                          1. 6

                                                            CDN: Yes, for a CDN or MITM-proxy, you may be able to hide the name. Although subsequent requests to 3rd party resources may leak information about the site you’re visiting.

                                                            Cloud hoster: Possible, but not necessarily; try visiting this random IP: http://71.19.148.33 - or just check out the reverse.

                                                            It seems that eSNI only provides privacy in very specific situations. I wouldn’t say it’s good protection if it misses most of the cases. This feels like “something has to be done, eSNI is something so it has to be done”

                                                            1. 3

                                                              Various papers have been published on the topic. Correlating ip addresses with websites is extremely effective. More than 90% of websites don’t change ipaddrs often and don’t share the same addrs with other websites.

                                                              1. 1

                                                                90% would still be better than the current 100%.

                                                          2. 5

                                                            These “shitty middleboxes” are keeping our country’s Critical Infrastructure like our power grid secure. Your comment reads as written by someone who has never worked a day in their life in security.

                                                            1. 10

                                                              From experience, 99% of middleboxes are bad and decrease security overall. There are a few exceptions that work well and those will likely not have any trouble with DoH.

                                                              1. 5

                                                                > These “shitty middleboxes” are keeping our country’s Critical Infrastructure like our power grid secure.

                                                                Not sure if this is serious, considering the average (desolate) state of software infrastructure done by hardware companies.

                                                                1. 1

                                                                  I’ve actually worked in security for Critical Infrastructure. Some of this data collected by shitty middleware boxes was exported to Homeland Security, for example.

                                                            1. 1

                                                              Calibre 4 built on Python 3 is in the Fedora repositories. I had a little hiccup with the Kobo driver recently, but on the whole haven’t noticed major problems.