1. 15

    Note: this article contains inline images of marked classified documents.

    This comment is not intended to spark a discussion; simply put, some people may want to avoid the article for this reason.

    1. 9

      Those images are the same as those found on this webpage: https://nsa.gov1.info/dni/nsa-ant-catalog/usb/index.html which is the first hit for a web search.

      There is a wikipedia page on them https://en.wikipedia.org/wiki/NSA_ANT_catalog which says they were leaked in 2013 by Der Spiegel.

      I can see that NDA being applied to “I took a peek at my boss’s desk” or “I went on the dark web and paid 10 bitcoins for this information”. I can not see that being applied to “I did a web search and found it on wikipedia.”

      And in any case, I don’t know if those are authentic or made up by a teenager hoping to get money from Der Spiegel.

      1. 5

        Out of curiosity… why?

        1. 12

          IANAL etc etc… My understanding is something along the lines of… those holding US clearances sign an NDA to agree not to access classified documents for which they are not authorized nor need to access. I understand these people may want to avoid marked classified documents leaked online, for example because they may not have the “need to know”.

          I’m not here to dictate or judge, just to note for those who care about this material.

          1. 4

            Correct! It’s generally the same reason why prominent emulator developers won’t look at or access leaked documents/source code. It’s a whole can of beans that nobody should ever put themselves near.

        2. 1

          Good point, it would be polite to put up a “spoiler warning” if you’re going to do this. And there are plenty of publicly available examples they could have used to make the same point. Ah well.

        1. 9

          I’m one of the package maintainers of Nix for Arch Linux and it’s been a real headache getting this version to compile from source, beginning with the source tarball on the homepage returning a 404.

          There are also 5 unspecified compulsory dependencies:

          • autoconf-archive
          • jq
          • libcpuid
          • gtest
          • lowdown

          And lowdown is patched in Nixpkgs, which adds another package that package maintainers have to juggle. The patches haven’t been accepted upstream either, which makes it difficult for me to justify including them in Arch Linux. What does lowdown even do anyway?

          I’ve spent a few hours today attempting to get this to compile, and it’s been one issue after the other.

          1. 7

            We no longer release source tarballs. If you want to build from source, please build from the tags in the Git repository.

            From the post.

            Looks like Lowdown might be used for the new documentation generation. Necessary for generating the man pages, I imagine.

            nixpkgs hacks up a lot of packages to enable dynamic linking but I don’t think that’s relevant to your Arch work. Just use the static version. Doesn’t matter.

            1. 4

              I use Arch Linux and am eagerly awaiting this working so I can upgrade to 2.4 with my normal arch package manager. Thank you for your service.

              1. 2

                I’ve managed to get it working, the blocker was generally just me being super tired and juggling multiple responsibilities!

                It’s been through the testing repository, and now in the community repository. 🎉

                1. 1

                  Awesome, thanks!

              2. 3

                What’s the goal of a nix package in arch? I thought nix is pretty much self-managing / self-updating in its own environment. That would make the nix package more of a nuisance than useful.

                Or am I missing some use case where you’d want pacman managing it?

                1. 2

                  All that linked lowdown patch does is help split up package outputs more finely, which is a Nixpkgs-specific thing. You can have hello.bin, hello.lib, hello.dev, hello.man, &c. Arch doesn’t concern itself with that when packaging.

                1. 7

                  This attack would be history once and for ever if DNSSEC was widely deployed… sigh…

                  1. 2

                    Forgive me if I sound ignorant, but how does one ensure DNSSEC and a BIND-RPZ co-exist? RPZs are widely used to return NXDOMAIN to any DNS lookup for ad/tracking networks on a lot of private/VPN networks.

                    1. 1

                      In this case, the recursive resolver could resolve domains and check their DNSSEC signature. But you could connect to your recursive resolver using DNS over TLS and remove the DNSSEC signatures, which is supported by systemd-resolved.

                      If it’s unclear, here is an example of how it would work:

                      • Your DNS resolver on your local machine is set to 192.0.2.1#noads.dns.example.com.
                      • You go to example.com in Firefox.
                      • Firefox queries (through systemd-resolved but this is a detail) 192.0.2.1 over TLS: What is the IP for ‘example.com’?
                      • 192.0.2.1 asks b.gtld-servers.net.: What is the name server and the DNSSEC keys for ‘example.com’?
                      • b.gtld-servers.net. says it’s b.iana-servers.net. and the DNSSEC key is “f00bar”.
                      • 192.0.2.1 asks b.iana-servers.net.: What is the IP for ‘example.com’?
                      • b.iana-servers.net. answers 93.184.216.34, and the signature is “quux”.
                      • 192.0.2.1 checks that sign("93.184.216.34", "f00bar") is “quux”.
                      • 192.0.2.1 answers to Firefox “The IP is 93.184.216.34” over TLS and removes the DNSSEC information.

                      If the domain is blocked, 192.0.2.1 replies NXDOMAIN right away.
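The walkthrough above as a runnable toy model (an added example, not part of the original comment): the recursive resolver validates the authoritative answer against the key the parent vouched for, applies an RPZ-style blocklist, and hands the client a signature-free answer. Server names, the zone key, the blocklisted name and the forged address are constructed, and an HMAC stands in for a real RRSIG.

```python
import hashlib
import hmac
from dataclasses import dataclass


def rrsig(rdata: str, zone_key: bytes) -> str:
    """Stand-in for an RRSIG: an HMAC over the record with the zone key.
    Real DNSSEC uses public-key signatures verified with the DNSKEY that the
    parent's DS record vouches for; the check has the same shape."""
    return hmac.new(zone_key, rdata.encode(), hashlib.sha256).hexdigest()


@dataclass
class Authoritative:
    """Constructed authoritative server (the role of b.iana-servers.net. above)."""
    name: str
    zone_key: bytes
    records: dict  # owner name -> A record rdata

    def query(self, qname: str):
        rdata = self.records.get(qname)
        if rdata is None:
            return None  # the name does not exist in the zone
        return {"rdata": rdata, "rrsig": rrsig(rdata, self.zone_key)}


@dataclass
class ParentServer:
    """Constructed TLD server (the role of b.gtld-servers.net. above): returns
    the delegation together with the child's key material (the DS/DNSKEY step)."""
    delegations: dict  # zone -> (Authoritative, zone_key)

    def referral(self, zone: str):
        return self.delegations.get(zone)


class RecursiveResolver:
    """The constructed 192.0.2.1: validates upstream answers, applies the
    RPZ-style blocklist, and returns a signature-free answer to the client."""

    def __init__(self, parent: ParentServer, blocklist: set):
        self.parent = parent
        self.blocklist = blocklist

    def _zone_for(self, qname: str):
        # Walk up the name until we find a zone the parent delegates.
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            if self.parent.referral(zone):
                return zone
        return None

    def resolve(self, qname: str) -> dict:
        # RPZ step: a blocked name gets NXDOMAIN before any upstream query.
        if qname in self.blocklist:
            return {"rcode": "NXDOMAIN"}
        zone = self._zone_for(qname)
        if zone is None:
            return {"rcode": "SERVFAIL"}
        server, ds_key = self.parent.referral(zone)
        answer = server.query(qname)
        if answer is None:
            return {"rcode": "NXDOMAIN"}
        return self._validate_and_strip(answer, ds_key)

    @staticmethod
    def _validate_and_strip(answer: dict, ds_key: bytes) -> dict:
        # The check from the walkthrough: does the signature match the key the
        # parent vouched for? A bogus answer is never passed on to the client.
        expected = rrsig(answer["rdata"], ds_key)
        if not hmac.compare_digest(expected, answer["rrsig"]):
            return {"rcode": "SERVFAIL"}
        return {"rcode": "NOERROR", "rdata": answer["rdata"]}  # DNSSEC data removed


# Constructed sample data mirroring the walkthrough.
EXAMPLE_KEY = b"constructed-zone-key-for-example.com"
IANA = Authoritative("b.iana-servers.net.", EXAMPLE_KEY,
                     {"example.com.": "93.184.216.34"})
GTLD = ParentServer({"example.com.": (IANA, EXAMPLE_KEY)})
RESOLVER = RecursiveResolver(GTLD, blocklist={"ads.tracker.example."})


def tampered_lookup(qname: str) -> dict:
    """Simulate an answer altered between the authoritative server and the
    resolver: the rdata is swapped, but the signature cannot be recomputed
    without the zone key, so validation must reject it."""
    server, ds_key = GTLD.referral(RESOLVER._zone_for(qname))
    answer = server.query(qname)
    answer["rdata"] = "198.51.100.9"  # constructed forged address
    return RecursiveResolver._validate_and_strip(answer, ds_key)


if __name__ == "__main__":
    print(RESOLVER.resolve("example.com."))          # NOERROR, no rrsig field
    print(RESOLVER.resolve("ads.tracker.example."))  # NXDOMAIN from the blocklist
    print(RESOLVER.resolve("nope.example.com."))     # NXDOMAIN from the zone
    print(tampered_lookup("example.com."))           # SERVFAIL
```

The resolver has to be the validating party here: once it strips the signatures (or answers NXDOMAIN for a blocked name), the client can no longer validate on its own, so the TLS connection to the resolver is what protects that last hop.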

                  1. 1

                    From the “update” at the bottom:

                    Go on, bag on me for being ignorant. I know what that really means.

                    What does that really mean?

                    1. 6

                      I took it as a gender bias comment. This is a successful woman in tech who has faced harsh criticism from her peers, over the years, for being a woman in a male dominated industry.

                      1. 5

                        I agreed with you since it made sense, but after reading THE ONE from the other comment, I no longer agree. It seems just a screed against internet trolls who work in positions where they never could break prod or, in this case, make database design decisions.

                        1. 1

                          Good catch! I bet we’re both right to some extent, however! ;)

                        2. 2

                          And how were we to know the gender of the author just by reading the article?

                          1. 4

                            Well, that’s easy. She just wrote this post for you.

                            1. 1

                              Touché, missed that line :)

                            2. 1

                              They’re quite a well known blogger and their blog is called “Rachel by the bay”.

                          2. 5

                            Her post THE ONE, which she links to in the first paragraph, should make it clearer.

                            1. 3

                              That the commenter is more interested in putting someone down to make themselves feel/appear better than in actually engaging with the content of the article.

                              1. 1

                                I’m not entirely sure, but I hope the author isn’t too harsh on themselves.

                              1. 4

                                There’s a lot of ideological language there, but I don’t see the actual point, i.e. how winning this suit would benefit users.

                                How does access to the GPL’d source code used in Vizio TVs make it possible to repair the TV? It doesn’t make it any easier to modify the proprietary software in the TV, and it doesn’t provide access to the build system or docs of the specs of the internal hardware.

                                And how likely is a TV to fail because of a flaw in the firmware? Usually it’s a hardware failure, or else network-based services fail because the manufacturer turns off the servers they talk to, neither of which is related to this.

                                The most likely outcome seems to be that Vizio will just avoid copyleft software in the future.

                                1. 21

                                  IANAL, but if successful, it would set a precedent allowing for companies violating software licenses to be sued by or on behalf of their users, as opposed to the current situation where only the copyright holders themselves are considered to have standing.

                                  This would be a Good Thing.

                                  1. 16

                                    There are some other good comments about direct benefits to users, but I think it’s worth keeping in mind that these kinds of enforcement actions can have really positive indirect benefits as well. For example, a successful enforcement action against Cisco/Linksys years ago laid the groundwork for the OpenWRT project, an open-source wireless router firmware project that supports a wide range of devices today. OpenWRT, in turn, fueled a bunch of important work on low-cost wireless radio equipment in the years since, and shows up routinely in mesh networking and long-distance WiFi projects that support efforts to expand low-cost access to the Internet today (as, of course, one small piece of a larger, mostly non-technical, puzzle).

                                    1. 5

                                      Users are entitled to the source code. You shouldn’t have to justify the benefits - they are entitled to it, because that’s the license terms and Vizio is not living up to them.

                                      If Vizio would rather take on the costs of maintaining another set of software rather than live up to the terms of the license, that’s on them. Their use of GPLed software doesn’t benefit the community if they don’t live up to the license, so there’s no loss if they decide to go that route.

                                      1. 5

                                        How does access to the GPL’d source code used in Vizio TVs make it possible to repair the TV?

                                        The article says so:

                                        Copyleft licensing was designed as an ideological alternative to the classic corporate software model because it: allows people who receive the software to fix their devices, improve them and control them; entitles people to curtail surveillance and ads; and helps people continue to use their devices for a much longer time (instead of being forced to purchase new ones).

                                        “run this same nice software, but without ads and data grabbing” is already a very nice proposition for many customers I would say. And having a way to keep the TV (and more importantly, its apps) functioning properly is important as well if you don’t intend to buy a new TV every 5 or so years or however soon the manufacturer decides to stop providing software updates.

                                        The most likely outcome seems to be that Vizio will just avoid copyleft software in the future.

                                        I agree that’s probably the net effect of all these GPL law suits, and the GPL in general. If a company doesn’t have good intentions, copyleft vs non-copyleft isn’t going to make much of a difference in the end.

                                        1. 2

                                          The article answered “why” — I’m asking how technically. What is necessary to allow someone to rebuild a TV’s firmware? It seems likely it would require Vizio to make public some of their proprietary code, which I bet they wouldn’t do. They’d just pay damages instead (assuming that’s an option; IANAL.)

                                          “run this same nice software, but without ads and data grabbing” is already a very nice proposition for many customers I would say

                                          Again, ain’t gonna happen. There was a news story a few months ago about how Vizio is making more money from ads and data grabbing than from hardware sales. Making their TVs hackable would imperil their biggest revenue source.

                                          1. 2

                                            It seems likely it would require Vizio to make public some of their proprietary code, which I bet they wouldn’t do.

                                            This was spoken to in a previous post: https://sfconservancy.org/blog/2021/jul/23/tivoization-and-the-gpl-right-to-install/

                                            1. 2

                                              The article answered “why” — I’m asking how technically. What is necessary to allow someone to rebuild a TV’s firmware?

                                              Ah, I misunderstood. Well, that’s a good question. Typically though, there are always tinkerers willing to take apart the TV and figure out how to access the flash memory that stores the firmware. But you’re right, Vizio is not likely to tell you how to do it.

                                          2. 2

                                            Most smart TVs I’ve ever worked with were rendered useless by unmaintained apps no longer working, especially the browser/YouTube apps. With access to replace the firmware we could put Kodi, Firefox, chromium, whatever is needed on the TV and make it usable again.

                                            The most likely outcome seems to be that Vizio will just avoid copyleft software in the future.

                                            I hope so.

                                            1. 7

                                              My LG smart TV purchased recently (last 2 years) does not have support for Let’s Encrypt’s new root certificate, so the situation is much worse than imagined.

                                              1. 1

                                                not have support for Let’s Encrypt’s new root certificate

                                                Oh gosh. Does that mean the TV just can’t open an HTTPS connection to any site using a Let’s Encrypt derived cert anymore?

                                                1. 1

                                                  Yeah, I get a whole bunch of SSL handshake failures in my server-side logs. It’s extremely infuriating!

                                            2. 1

                                              How does access to the GPL’d source code used in Vizio TVs make it possible to repair the TV? It doesn’t make it any easier to modify the proprietary software in the TV, and it doesn’t provide access to the build system or docs of the specs of the internal hardware.

                                              If the code is GPLv3 (the article doesn’t say), they would have to provide instructions for installing modified versions of the software.

                                              If it’s an earlier GPL version, it would still let consumers know what the software is doing, which could be relevant to privacy concerns or developing external tools to interface with the TV.

                                              1. 2

                                                If the code is GPLv3 (the article doesn’t say), they would have to provide instructions for installing modified versions of the software.

                                                This is also true for GPLv2

                                                1. 2

                                                  No, it’s not - see Tivoization, a problem which GPLv3 was explicitly designed to address.

                                                  Perhaps you’re thinking of GPLv2’s provisions that (at least IIRC) require distributing any build systems, etc. needed to build the software? Just because you can build it doesn’t mean you can install it on the actual device.

                                                  1. 2

                                                    https://sfconservancy.org/blog/2021/jul/23/tivoization-and-the-gpl-right-to-install/

                                                    Tivoization unfortunately is widely misunderstood. It’s understandable, I’ve never seen a TiVo and I have seen a locked Android bootloader, and the way many people talk about it these sound the same on the surface.

                                                    What TiVo did was use technical measures to ensure that if you did install your own versions of the freedomware components, their nonfree components would stop working. They did not, it turns out, wholesale block installation of modified freedomware components. This is not a violation of GPLv2 (or, arguably, GPLv3).

                                                    What many manufacturers do now is block installation entirely. It’s not that the nonfree components will stop working but that the device will reject the installation attempt (or brick itself in some cases). This is a violation of both GPLv2 and GPLv3.

                                            1. 8

                                              I’ve been looking for articles like this. It’s a good article but only covers the outages from one angle. I’d love to see a writeup on what products were affected and why. For instance a bunch of coffeeshops stopped being able to take credit cards because they were using old iPad-based POS terminals that couldn’t handle the certificate change. Things like that broke all over the world, would love to see an analysis.

                                              1. 7

                                                My smart TV (purchased in 2020!) no longer connects to my Plex server because of this.

                                                All it requires is a firmware update that includes the new root certificate from Let’s Encrypt, but we all know how companies are once they’ve got your money.

                                                1. 1

                                                  It looks like Plex is serving the cross-signed chain. If they can fix that I’d guess that at least some of those devices will work again. I don’t have a device that’s affected, but I’ve tried modifying the chain in my Plex server, and it seems to work and not make anything worse.

                                                  If you want to try that I’m happy to go into what I did. But the real solution would be for Plex to make that change themselves…

                                                  1. 1

                                                    It’s a bit late, have already switched over to Jellyfin because Plex have made it clear they’re not going to do anything to improve the situation.

                                              1. 4

                                                Some kind of clue as to what we’re looking at here and why it is interesting would be super useful.

                                                  1. 2

                                                    The search engine calculates a score that aggressively favors text-heavy websites, and punishes those that have too many modern web design features.

                                                    On my phone at the moment, the above is probably the shortest summary I can find on the About page.

                                                  1. 4

                                                    This circumvents Microsoft’s anti-hijacking protections that the company built into Windows 10 to ensure malware couldn’t hijack default apps. Microsoft tells us this is not supported in Windows

                                                    Uhhh…

                                                    1. 21

                                                      Beware companies claiming they do something for the security of their users when it also affects their bottom line. Security, “anti-hijacking” and related terms are often used manipulatively (especially in EULAs!).

                                                      Restricting browser defaults choice is not an effective security feature for protecting user security or privacy:

                                                      1. Situation: viewing malware sites and suffering a drive-by-attack: I have no reason to believe Edge to be better (on average) than other major browsers.
                                                      2. Situation: malware addons: I have no reason to believe Edge to be better (on average) than other major browsers, all addon sites have reports of malware addons or addon authors turning bad (eg selling control of their successful addon).
                                                      3. Situation: malware already running on your computer, wants to change your default browser: by this point it’s too late, making ‘changing the default browser’ more obscure is not an effective defence of a user’s security or privacy.

                                                      Making it harder for users to change browser (and directly suggesting they do not do it with a little info box when they try, as Win10 does) is an effective method of enforcing market security. That’s not user security.

                                                      You start to get a sense of manipulation when you read Microsoft’s statements about Edge and privacy:

                                                      Like all modern browsers, Microsoft Edge lets you collect and store specific data on your device, like cookies, and lets you send information to us, like browsing history, to make the experience as rich, fast, and personal as possible.

                                                      That’s straight out false. Not “all modern browsers” send information like “browsing history” to their makers. Notice how they have designed this sentence to make it feel normal and acceptable.

                                                      Whenever we collect data, we want to make sure it’s the right choice for you.

                                                      Uhuh. Is that the only reason you share data? Somehow you must be making money off this, otherwise you wouldn’t be doing it, right?

                                                      https://privacy.microsoft.com/en-ca/privacystatement

                                                      For example, we share your content with third parties when you tell us to do so, such as when you send an email to a friend, share photos and documents on OneDrive, or link accounts with another service.

                                                      Manipulative writing by businesses like this makes me ill. In a different context (eg flyers in your letterbox) this style of writing would be considered scam material.

                                                      1. 12

                                                        Mozilla has been trying to convince Microsoft to improve its default browser settings in Windows since its open letter to Microsoft in 2015. Nothing has changed, and Windows 11 is now making it even harder to switch default browsers.

                                                        Microsoft and anti-competitive practices go hand in hand, nothing to be surprised about.

                                                        1. 4

                                                          Was more concerned about the obvious security implications! If ff can do it, what is stopping malware from doing it?

                                                          1. 15

                                                            Likewise if Edge can bypass the mechanisms in the background, what’s stopping malware from doing it? Or apparently Firefox 😆😭

                                                            1. 4

                                                              Yep. I’m in a slightly weird position here: I think Microsoft is right to lock down that API; I just think they’re wrong for unlocking it for Edge. So I’d prefer neither Mozilla nor Edge could pull this stunt.

                                                              1. 2

                                                                Theoretically the mechanism could check that the software performing the bypass comes from Microsoft (via cryptographic signature) and is therefore “safe”. It is possible for Microsoft to allow Edge to bypass it and nothing else.

                                                                I’m actually sort of surprised they didn’t, but I guess doing it properly would have taken more work.

                                                                1. 2

                                                                  Or perhaps it was a silent protest by the engineers involved to allow Firefox to do this.

                                                              2. 6

                                                                Nothing, of course, which isn’t too surprising, as this is pretty unlikely to have ever been about malware in the first place. If it had been, we’d have seen a real, secure API exposed to developers, whereas this is barely security by obscurity.

                                                                1. 4

                                                                  Nothing is stopping malware engineers from adding associations; SetUserFTA has been available for years.

                                                            1. 20

                                                              If you’re going to use (much more expensive) ref-counted heap objects instead of direct references, you might as well be using Swift. (Or Nim, or one of the other new-ish native-compiling languages.) Rust’s competitive advantage is the borrow checker and the way it lets you use direct pointers safely.

                                                              The author should at least have pointed out that there’s a significant runtime overhead to using their recommended technique.

                                                              1. 20

                                                                No, this is a fatalistic take almost like “if you use dyn you may as well use Python”.

                                                                Swift’s refcounting is always atomic, but Rust can also use faster non-atomic Rc. Swift has a few local cases where it can omit redundant refcounts, but Rust can borrow Rc’s content and avoid all refcounts within a scope, even if the object’s usage is complex, and that’s a guarantee not dependent on a Sufficiently Smart Compiler.

                                                                Swift doesn’t mind doing implicit heap allocations, and all class instances are heap-allocated. Rust doesn’t allocate implicitly and can keep more things on the stack. Swift uses dynamic dispatch quite often, even in basic data structures like strings. In Rust direct inlineable code is the norm, and monomorphisation is a guarantee, even across libraries.

                                                                So there’s still a lot more to Rust, even if you need to use Arc in a few places.

                                                                1. 9

                                                                  Uhu. It seems to me that there are two schools of thought here.

                                                                  One says: .clone(), Rc and RefCell to make life easier.

                                                                  The other says: the zen of Rust is ownership: if you express a problem as a tree with clear ownership semantics, then the architecture of your entire application becomes radically simpler. Not every problem has clean ownership mapping, but most problems do, even if it might not be obvious from the start.

                                                                  I don’t know what approach is better for learning Rust. For writing large-scale production apps, I rather strongly feel that the second one is superior. Arcs and Mutexes make the code significantly harder to understand. The last example, a struct where every field is an Arc, is a code smell to me: I always try to push arcs outwards in such cases, and have an Arc of struct rather than a struct of arcs.

                                                                  It’s not that every Arc and mutex is a code smell: on the contrary, there’s usually a couple of Arcs and Mutexes at the top level which are the linchpin of the whole architecture. Like, the whole rust-analyzer is basically an Arc<RwLock<GlobalState>> plus cancellation. But just throwing arcs and interior mutability everywhere makes it harder to note these central pieces of state management.

                                                                  1. 3

                                                                    I’ve always felt that the order of preference for new code is:

                                                                    1. make it work
                                                                    2. make it pretty
                                                                    3. make it fast/resource-efficient

                                                                    (some people may choose to wedge in “make it correct” somewhere there, but I think that’s either mostly a pipe dream or already part of 1.)

                                                                    That would mean that you always use the easiest possible techniques in phases 1 and 2 and in phase 3 do something more clever but only if the easy techniques turned out to be a bottleneck.

                                                                    I’m guessing the easiest technique in Rust terms would be copying a lot.

                                                                    1. 2

                                                                      I tend to agree about that ordering, but I’ve also found that heap allocation and copying is frequently a bottleneck, so much so that I keep it in mind even in steps 1-2. (Of course this applies to pretty low-level performance sensitive code, but that’s the kind of domain Rust gets used for.)

                                                                    2. 3

                                                                      I completely agree. If you don’t need precise control over memory, including the ability to pass around refs to memory safely, then the sane choice is to use a well-designed garbage collected language.

                                                                      Maybe you’re building something where half needs to control memory and the other half doesn’t. I guess something like this could make sense then.

                                                                      1. 2

                                                                        Swift isn’t exactly “available” on many Linux distributions due to its overengineered build system. The same goes for dotnet. Both of these languages are extremely fickle and run many versions behind the latest stable release offered on the natively supported OS (macOS for Swift and Windows for dotnet).

                                                                        To build Rust is comparatively sane and a breath of fresh air.

                                                                        1. 1

                                                                          Well, there is OCaml of course. On Linux with a reasonable machine, compiling it from scratch with a C toolchain should take just a handful of minutes. Of course, setting up the OCaml platform tools like opam, dune, etc., will take a few minutes more.

                                                                      1. 1

                                                                        Relaxing and working on my reimplementation of Reckless Drivin’, a Macintosh game from 2000. Does anyone else remember that game? Also finally finishing up a post about some interesting things I have learned while working on it over the last year.

                                                                        1. 2

                                                                          There’s a guy on GitHub that’s managed to convince Pangea Software to release source code as CC-BY-SA-4.0.

                                                                          So far, it seems to be the following:

                                                                          • Bugdom
                                                                          • Nanosaur
                                                                          • Otto Matic
                                                                          • Mighty Mike (aka Power Pete)

                                                                          1. 1

                                                                            Thanks for linking to this! I’ve never played those games, but the source code in those repos is a very helpful reference for what I’m doing.

                                                                        1. 31

                                                                          That’s cool and all, but knowing Mozilla, an about:config option called “legacyUserProfileCustomizations” is gonna disappear.

                                                                          Related: In Firefox 90, they removed the “Compact” density option, which I kind of rely on to be comfortable with Firefox. They added an about:config option, “browser.compactmode.show”, to add it back. In Firefox 91, if you have the option enabled, they renamed the option from “Compact” to “Compact (not supported)”. I know it’s only a matter of time before they remove it entirely. And I’m kind of panicking about that, because I really, really don’t want more vertical space to be wasted by padding in the tab bar on small laptop screens. If anything, I find the “Compact” option too big. I wish Mozilla would stop changing things for the worse, and I wish Mozilla would stop taking away configuration options.

                                                                          1. 18

                                                                            What is wrong with them? Every major release, they’ve taken away functionality that I depend on.

                                                                            1. 12

                                                                              Every major release, they’ve taken away functionality that I depend on.

                                                                              I feel the same. I even often joke that Mozilla is spying on me with the sole goal of knowing what features I rely on and yanking them away from me :).

                                                                              What is wrong with them?

                                                                              Nothing is wrong with them. We just aren’t part of their main demographic target.

                                                                              1. 11

                                                                                I absolutely dread every single Firefox update for the same reason - something I rely on or have burned into hand and muscle memory gets altered or removed.

                                                                                It feels completely hopeless to me as well because I can’t see another acceptable choice. I can’t support Google’s browser engine monopoly and every other browser I research has some other issue that makes me reject it in comparison.

                                                                                It feels like abuse by endless paper cuts, unwanted and unnecessary changes forced on me with no realistic choice to opt out. These changes seem to be accelerating too and meanwhile firefox market share declines further and further.

                                                                              2. 10

                                                                                That’s cool and all, but knowing Mozilla, an about:config option called “legacyUserProfileCustomizations” is gonna disappear.

                                                                                The reason it was made an option is to slightly improve startup time since it won’t have to check for this file on the disk. Comparatively few people use it, which is hardly surprising since it’s always been a very hidden feature, so it kind of makes sense: if you’re going to manually create CSS files then toggling an about:config option is little trouble.

                                                                                Apparently, the name “legacy” is in there “to avoid giving the impression that with this new preference we are adding a new customization feature”. I would be surprised if it was removed in the foreseeable future, because it’s actually not a lot of code/effort to support this.

                                                                                That being said, instead of relegating userChrome to a “hidden feature”, it would seem to me that properly integrating support for these kinds of things in Firefox would give a lot more benefits. In many ways, almost everyone is a “power user” because a lot of folks – including non-technical people – spend entire days in the browser. For example, I disable the “close tab” button because I press it by accident somewhat frequently which is quite annoying. While loads of people don’t have this problem, I suspect I’m not the only person with this small annoyance considering some other browsers just offer this as a setting, but I am one of the comparatively small group of people who has the know-how to actually fix it in Firefox.

                                                                                The technical architecture to do a lot of these things is right there and actually works quite well; it just doesn’t fit in the “there is one UX to satisfy everyone, and if you don’t like it then there’s something wrong with you”-mentality 🤷

                                                                                1. 18

                                                                                  All preference changes through about:config are officially unsupported and come with zero guarantees. This includes creating custom chrome folders.

                                                                                  There actually is a maintenance and complexity cost for keeping these things alive. We’ve done a lot of hardening lately that was cumbersome to pull off in light of those customizations. In essence, we are disabling some protections when we detect profile hackery. I want to repeat: despite our team working around and “acknowledging” the existence of those hacks, they are still unsupported and we can’t promise to always work around custom profile quirks.

                                                                                  The best way to be heard and change things in an open source project is to show up and help drive things. I know this isn’t easy for a big project like ours…

                                                                                  1. 4

                                                                                    This used to be a longer comment but I edited it and now it only shows this note 😳. I was needlessly nasty. Sorry, man, rough day.

                                                                                    1. 1

                                                                                      No harm done 👍

                                                                                    2. 2

                                                                                      I, too, prefer the “Compact” theme. Is there still anything that can be done to keep it going forward?

                                                                                    3. 2

                                                                                      I’ve heard this startup time justification before, but surely the additional hassle of implementing, testing, and documenting a new configuration parameter isn’t worth saving a single stat call on startup? It’s hard to imagine that even shows up in the profile.

                                                                                      1. 1

                                                                                        If everything else has already been tightly optimized, the stat call being performed on a spinning rust drive could be shown as being a major performance bottleneck when profiling startup performance.

                                                                                        1. 6

                                                                                          When I rebuild LLVM, ninja does a stat system call for every C++ source and header file on the disk, about 10,000 of them in total. If I have no changes, then it completes in so little time that it appears instantaneous.

                                                                                          If the cost of a stat system call is making a user-noticeable difference to start times, then you’re in an incredibly rare and happy place.

                                                                                  1. 23

                                                                                    I just bought a domain and use it. It also allows me to set up TLS via Let’s Encrypt without needing to add a root cert everywhere. IMHO a perfect solution, and not that expensive or troublesome. I also have a 100% guarantee that there will be no conflicts.

                                                                                    1. 3

                                                                                      The only drawback some people may raise is the risk of domain name enumeration, where a would-be attacker could enumerate all devices and services on your network just by looking at public DNS.

                                                                                      That said, I don’t think that’s really a problem.

                                                                                      1. 12

                                                                                        The only drawback some people may raise is the risk of domain name enumeration, where a would-be attacker could enumerate all devices and services on your network just by looking at public DNS.

                                                                                        How? Just do local DNS resolution on the network using that domain. For example, you might have a public DNS entry for foobar.com, but you might have DNS for me.foobar.com, bazz.foobar.com, etc. on your local network. So requests for those on your local network are serviced by your local network, and you have no mention of them in the public DNS. Am I missing something?

                                                                                        1. 3

                                                                                          That requires you to have a split-horizon DNS configuration. It’s pretty easy if you’re running your own DNS resolver but most ISP-provided consumer routers don’t support it and so you’ll also need to be running your own DHCP server. You might be able to put an SOA record in that points to a LAN IP but that will only work for devices running their own caching resolver.

                                                                                          1. 2

                                                                                            I have to have that anyway because my modem/router does not support connecting to the WAN IP from the LAN. I can specify the DNS server I want to use through the modem, which I have avoided up to now because I’ve had trouble with dnsmasq (and/or the wifi drivers for the EEEPC laptop server it’s running from), especially from the iPhone, but sporadically from the rest of the network too. I’ve actively intended to fix that soon for about a year now.

                                                                                            1. 1

                                                                                              I use a combination of split-horizon and hidden-primary DNS. No need for private IP ranges to be public.

                                                                                            2. 2

                                                                                              The context here is Let’s Encrypt TLS. If you don’t resolve the name externally, how do you pass ACME validation? Plus there’s the certificate transparency log.

                                                                                              1. 1

                                                                                                You can do ACME validation via DNS as well, so you get the ease of using an externally valid SSL cert but can restrict internal domains with split-horizon DNS.

                                                                                                https://letsencrypt.org/docs/challenge-types/

                                                                                                1. 1

                                                                                                  But that just moves the enumeration from foo.bar to _acme-challenge.foo.bar, right? Or am I missing something?

                                                                                                  1. 1

                                                                                                    No, thinking about it more I think you’re correct, you’d be subject to DNS enumeration either from your DNS provider or the certificate transparency logs, at least for the existence of the domains themselves. The information about which IPs are pointing to which domain would remain within the internal network though.

                                                                                                    The exception here could be to use a wildcard certificate which Let’s Encrypt just started supporting last year.
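One concrete way to run the split-horizon setup this thread describes, as an added example rather than anything the commenters posted: an unbound configuration for a LAN resolver that answers internal names itself, while the public zone holds only what a DNS-01 wildcard issuance needs. The `home.example.com` zone, host names and addresses are constructed for the example; `9.9.9.9` stands in for whatever upstream resolver you actually use.

```conf
# unbound.conf (added example; zone, names and addresses are constructed)
server:
    # Listen on the LAN interface and answer LAN clients only. Nothing
    # below is reachable from the Internet, so these names never have
    # to exist in public DNS.
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Split horizon: local data for the internal subdomain. With
    # "transparent", names that are NOT listed here (for example the
    # public apex or _acme-challenge records) are still resolved
    # upstream as usual; names that ARE listed are answered from this
    # file and the query never leaves the LAN.
    local-zone: "home.example.com." transparent
    local-data: "nas.home.example.com.     IN A 192.168.1.10"
    local-data: "printer.home.example.com. IN A 192.168.1.20"
    local-data: "git.home.example.com.     IN A 192.168.1.30"
    # Reverse entries so internal IPs resolve back to internal names.
    local-data-ptr: "192.168.1.10 nas.home.example.com"
    local-data-ptr: "192.168.1.20 printer.home.example.com"
    local-data-ptr: "192.168.1.30 git.home.example.com"

# Everything else is forwarded to the upstream resolver.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9

# What the PUBLIC zone (at the registrar/DNS host, not this resolver)
# contains under this scheme, in zone-file notation for comparison:
#
#   home.example.com.                 IN A    203.0.113.5   ; optional apex
#   _acme-challenge.home.example.com. IN TXT  "<token from the ACME client>"
#
# The ACME client writes the TXT record through the DNS host's API for a
# DNS-01 challenge on "*.home.example.com" and removes it afterwards.
# Public DNS and the CT log then expose only "*.home.example.com" plus
# the challenge label, not nas/printer/git; per-host certificates
# would instead list every host name in the transparency log.
```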

                                                                                        1. 25

                                                                                          How has AGPL failed? Quoting the introduction to Google’s own policies, which are the top hit for “agpl google” on DuckDuckGo:

                                                                                          WARNING: Code licensed under the GNU Affero General Public License (AGPL) MUST NOT be used at Google. The license places restrictions on software used over a network which are extremely difficult for Google to comply with.

                                                                                          This seems like a resounding success of AGPL.

                                                                                          Proprietary distributed systems frequently incorporate AGPL software to provide services.

                                                                                          Who, and which software packages? This isn’t just about naming and shaming, but ensuring that those software authors are informed and get the chance to exercise their legal rights. Similarly, please don’t talk about “the legal world” without specific references to legal opinions or cases.

                                                                                          I feel like this goes hand-in-hand with the fact that you use “open source” fourteen times and “Free Software” zero times. (The submitted title doesn’t line up with the headline of the page as currently written.) This shows an interest in the continued commercialization of software and exploitation of the commons, rather than in protecting Free Software from that exploitation.

                                                                                          1. 8

                                                                                            How has AGPL failed?

                                                                                            I said how in the article:

                                                                                            The AGPL was intended, in part, to guarantee this freedom to users, but it has failed. Proprietary distributed systems frequently incorporate AGPL software to provide services. The organizations implementing such systems believe that as long as the individual process that provides the service complies with the AGPL, the rest of the distributed system does not need to comply; and it appears that the legal world agrees.

                                                                                            The purpose of the AGPL is not to stop commercial users of the software, it’s to preserve the four freedoms. It doesn’t preserve those freedoms in practice when it’s been used, so it’s a failure.

                                                                                            But really AGPL doesn’t have anything to do with this. No-one claims AGPL is a license like the one I describe in the article.

                                                                                            Proprietary distributed systems frequently incorporate AGPL software to provide services.

                                                                                            Who, and which software packages?

                                                                                            mongodb is a high-profile example, used by Amazon.

                                                                                            1. 10

                                                                                              I’m fairly certain that the version of mongodb that Amazon based DocumentDB off of was Apache licensed, so I don’t think that applies here. From what I’m seeing, they also explicitly don’t offer hosted instances of the AGPL licensed versions of Mongo.

                                                                                              1. 5

                                                                                                But really AGPL doesn’t have anything to do with this. No-one claims AGPL is a license like the one I describe in the article.

                                                                                                Then your article headline is misleading, is it not?

                                                                                                1. 2

                                                                                                  This is true. MongoDB changed their license, in response to Amazon using forks of their own software to compete with them.

                                                                                                  1. 1

                                                                                                    That’s fair, you’re probably right. There are lots of other hosted instances of MongoDB that used the AGPL version though, so MongoDB is still the highest-profile example of this. That was the motivation for MongoDB’s move to SSPL.

                                                                                                  2. 2

                                                                                                    I don’t see a laundry list here. I appreciate that you checked your examples beforehand and removed those which were wrong, but now there’s only one example left. The reason that I push back on this so heavily is not just because I have evidence that companies shun AGPL, but because I personally have been instructed by every employer I’ve had in the industry that AGPL code is unacceptable in their corporate environment, sometimes including AGPL developer tools! It would have been grounds for termination at three different employers, including my oldest and my most recent employments.

                                                                                                    Regarding MongoDB, I have no evidence that AWS violated the terms of the AGPL, and they appear to have put effort into respecting it somewhat. It seems that MongoDB’s owners were unhappy that their own in-house SaaS offering was not competing enough with others, and they chose licensing as their way to fight. Neither of these companies are good, but none of them appear to be disrespecting the AGPL.

                                                                                                  3. 4

                                                                                                    the agpl says

                                                                                                    Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software.

                                                                                                    in other words, you cannot run your own proprietary fork of an agpl program; you have to offer users the modified sources. it says nothing about the sources of the other programs that that program communicates with, or the network infrastructure and configuration that comprises your distributed system.

                                                                                                    1. 3

                                                                                                      Yes. This is how we define distributed systems, in some security contexts: A distributed system consists of a patchwork network with multiple administrators, and many machines which are under the control of many different mutually-untrusting people. Running AGPL-licensed daemons on one machine under one’s control does not entitle one to any control over any other machines in the network, including control over what they execute or transmit.

                                                                                                      Copyright cannot help here, so copyleft cannot help here. Moreover, this problematic layout seems to be required by typical asynchronous constructions; it’s good engineering practice to only assume partial control over a distributed system.

                                                                                                      1. 1

                                                                                                        So, that seems fine then? What’s the problem with that?

                                                                                                        1. 1

                                                                                                          the problem, as the article says, is that we have no copyleft license that applies to entire distributed systems, and it would be nice to. not so much a problem with the agpl as an explanation of why it is not the license the OP was wishing for.

                                                                                                          1. 4

                                                                                                            I explain more upthread, but such licenses aren’t possible in typical distributed systems. Therefore we should not be so quick to shun AGPL in the hopes that some hypothetical better license is around the corner. (Without analyzing the author too much, I note that their popular work on GitHub is either MIT-licensed or using the GH default license, instead of licenses like AGPL which are known to repel corporate interests and preserve Free Software from exploitation.)

                                                                                                            1. 2

                                                                                                              We have Parity as a start. Its author says:

                                                                                                              “Parity notably strengthens copyleft for development tools: you can’t use a Parity-licensed tool to build closed software.”

                                                                                                              Its terms are copyleft for other software you “develop, operate, or analyze” with licensed software. That reads broadly enough that anything an operator of distributed systems both owns and integrates should be open sourced.

                                                                                                      1. 5

                                                                                                        It’s so infuriating that, to this day, only third party apps speak DDC/CI. Why don’t Apple and Microsoft support it out of the box?! Even mainline Linux doesn’t do it, only an external module does.

                                                                                                        1. 12

                                                                                                          From my 4+ years of experience of responding to support emails, I’d say they probably tried it internally and found the device support not consistent enough.

                                                                                                          What I encounter the most when users say Lunar doesn’t work for them:

                                                                                                          • a monitor loses connection completely when a DDC write/read is sent through I²C (this is the worst, people can get very angry when this happens)
                                                                                                          • nothing happens when users change brightness in the app because
                                                                                                            • the hub/dock/adapter they’re using doesn’t forward DDC messages
                                                                                                            • the user is using a proprietary DisplayLink adapter (their driver for Mac doesn’t implement DDC)
                                                                                                            • the monitor is in fact a TV
                                                                                                            • the monitor blocks DDC while it has some smart setting turned on (like its own ambient light sensor, or a preset activation scheme)
                                                                                                            • Dual DisplayPort is used for more bandwidth

                                                                                                          With so many ways to fail, I think Apple doesn’t want to provide such a solution. They would rather sell a monitor that has their own USB protocol for changing brightness and volume smoothly.

                                                                                                          1. 2

                                                                                                            If I had to guess, it’s similar to IPMI where every manufacturer considers “supported” as:

                                                                                                            • The bare minimum, according to specification (IPMI 2.0)
                                                                                                            • No support whatsoever
                                                                                                            • Proprietary extension of the IPMI specification (vendors like Supermicro do this)
                                                                                                            • “Follow” the specification, but either half-baked or a very specific subset of the specification
                                                                                            • “IPMI? What’s that? Here’s our exclusive communications protocol called BobsUselessProtocol!”

                                                                                            1. 38

                                                                                                            To me, this really drives home the need for language projects to treat dependency and build tooling as first-class citizens and integrate good, complete tools into their releases. Leaving these things to “the community” (or a quasi official organization like PyPA) just creates a mess (see: Go).

                                                                                                            1. 9

                                                                                                              100% agree. I recently adopted a Python codebase and have delved into the ecosystem headfirst from a high precipice to find that’s improved drastically from the last time I wrote an app in Python — 2005 — but still feel like it’s in disarray relative to the polish of the Rust ecosystem and the organized chaos of the Ruby and JVM ecosystems in which I’ve swum for the last decade. I’ve invested considerable time in gluing together solutions and updating tools to work on Python 3.x.

                                                                                                              The article under-examines Poetry, which I find to meet my needs almost perfectly and have thus adopted despite some frustrating problems with PyTorch packages as dependencies (although PyTorch ~just fixed that).

                                                                                                              1. 5

                                                                                                                I also think poetry isn’t being considered enough. The article gives the impression that the author doesn’t have a lot of hands on experience of poetry but is curious about it. I’d recommend further exploring that curiosity. I understand that it’s hard to cover everything in a short article like this. If you’ve got an existing project using a working setup a lot of the points make sense and there’s no need to hurry up and change your setup. But I wouldn’t really call it a fair assessment of “The State of Python Packaging in 2021”.

From my point of view it’s clear that pyproject.toml is the way going forward and is growing in popularity, especially considering it’s also required to specify the build system with modern setuptools going forward.

As for setup.cfg requiring an empty setup() in a setup.py, that is a half truth at best. It’s true that PEP-517 purposely defers editable installs to a later standard in order to reduce the complexity of the PEP. But in practice it’s not required if you use setuptools of a version equal to or greater than v40.9, released in spring of 2019. This is documented in the setuptools developers guide: if a setup.py is missing, setuptools emulates a dummy file with an empty setup() for you. If you build your project with a PEP 517/518 frontend you don’t need the setup.py. Having a static setup.cfg is a massive improvement for the ecosystem as a whole, since we can actually start resolving dependencies statically without running code. This benefit for the ecosystem as a whole should not be downplayed.

I get the feeling that the author wants to wait for a pipe-dream future where everything is perfectly specified and standardised before starting to adopt any of the new standards. I see this as completely fine and valid if you’re working on your own project, especially if you’ve already got existing working code. That said, in my opinion, I wouldn’t recommend it as the approach for everyone. I see it as necessary to start using the new standards on new projects so that we can start going forward; if we’re always clamping to the old way of doing things it’s going to be hard to progress and the progress will be hampered.

I get the impression that the author is very knowledgeable and has plenty of experience in the area, and I see the article as reflecting the opinion of the author, which I respect but don’t fully agree with. I would love to have a chat with the author given the opportunity and hear more about his opinions. I’m also looking forward to reading the 2022 edition next year. It’s also easy for me to contest some of the points here, but it’s not completely fair without a reply from the original author where he’s given a chance to elaborate and defend his choices.

                                                                                                                Full disclosure: I’m currently writing a book on the subject and I’ve researched the strides in Python Packaging quite heavily in recent time.
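As an added example (not code from this thread or from any commenter), the following Python reads install_requires and extras from a declarative setup.cfg using only configparser, so nothing from the project is executed, and separately checks whether a setup.py is the empty setup() shim the comment mentions; the setup.cfg and setup.py contents are constructed.

```python
"""Static dependency metadata from setup.cfg, without executing project code.
Added example, not code from the thread. File contents are constructed.
"""
import ast
import configparser
import re
from typing import Dict, List

# Constructed setup.cfg for a project on setuptools >= 40.9 with no setup.py.
SAMPLE_SETUP_CFG = """\
[metadata]
name = example-service
version = 1.4.0

[options]
python_requires = >=3.8
install_requires =
    requests>=2.25
    cryptography>=3.4 ; python_version < "3.12"
    # pinned on purpose (constructed comment line inside a list value)
    pyjwt==2.4.0

[options.extras_require]
dev =
    pytest
    mypy>=1.0
"""

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def _split_list(value: str) -> List[str]:
    """Turn a multi-line setup.cfg list value into clean requirement strings."""
    items = []
    for line in value.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            items.append(line)
    return items


def requirement_name(req: str) -> str:
    """Distribution name from a PEP 508 requirement string, normalised."""
    match = _NAME_RE.match(req.strip())
    if not match:
        raise ValueError(f"unparseable requirement: {req!r}")
    return match.group(0).lower().replace("_", "-")


def static_requirements(cfg_text: str) -> Dict[str, object]:
    """Parse setup.cfg text with configparser only; nothing is imported or run."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    python_requires = None
    install: List[str] = []
    if parser.has_section("options"):
        options = parser["options"]
        python_requires = options.get("python_requires")
        install = _split_list(options.get("install_requires", ""))
    extras: Dict[str, List[str]] = {}
    if parser.has_section("options.extras_require"):
        for extra, value in parser["options.extras_require"].items():
            extras[extra] = _split_list(value)
    return {
        "python_requires": python_requires,
        "install_requires": install,
        "extras_require": extras,
    }


def setup_py_is_shim(source: str) -> bool:
    """True when setup.py only imports and calls setup() with no arguments.

    Any other statement means metadata may be computed at build time, so the
    static setup.cfg view above is not guaranteed to be the whole story.
    """
    saw_call = False
    for node in ast.parse(source).body:
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            continue
        call = node.value if isinstance(node, ast.Expr) else None
        if isinstance(call, ast.Call) and not call.args and not call.keywords:
            func = call.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name == "setup":
                saw_call = True
                continue
        return False
    return saw_call
```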

                                                                                                              2. 3

                                                                                                                just creates a mess (see: Go).

                                                                                                                It’s fair to say that packaging is a mess in Python but why exactly is packaging in Go a mess? Since 1.13 we have Go Modules which solves packaging very elegantly, at least in my opinion. What I especially like is that no central index service is required, to publish a package just tag a public git repo (there are also other ways to do that).

                                                                                                                1. 8

                                                                                                                  Yeah, Go is fine now, but in the past, when the maintainers tried to have “the community” solve the packaging problem it was a mess. There were a bunch of incompatible tools (Glide, dep, “go get”, and so many more) and none of them seemed to gain real traction. Prior to Go modules the Go situation looked similar to the current Python situation. To their credit, the Go developers realized their mistake and corrected it pretty quickly (a couple years, versus going on a couple decades for Python, so far).

                                                                                                                  1. 1

                                                                                                                    Thank you for the explanation.

                                                                                                                    Prior to Go modules the Go situation looked similar to the current Python situation.

                                                                                                                    Yes, I agree with you that the situation was similar before Modules were a thing. I was fed up with the existing solutions around that time and had written my own dependency management tool as well.

                                                                                                                  2. 4

                                                                                                                    It’s fair to say that packaging is a mess in Python but why exactly is packaging in Go a mess?

                                                                                                                    Not the original poster, but I think it’s because modules weren’t there from the start, and this allowed dep, glide, and others to pop up and further fragment dependency management.

                                                                                                                1. 2

                                                                                                                  I purchased a Supermicro JBOD board that advertised IPMI capabilities, which was partially true. I wasn’t able to obtain power metrics via standard IPMI tools due to Supermicro providing a vendor-specific IPMI tool.

                                                                                                                  On the other hand, the web interface did have these metrics available … so I created a Python library and a Prometheus exporter for these particular metrics.

                                                                                                                  1. 44

                                                                                                                    Time for a throwback: inject USER WAS BANNED FOR THIS POST on the final straw posts. Bonus points if you can do it in red.

                                                                                                                    (I am being both facetious, but also serious.)

                                                                                                                    1. 5

                                                                                                                      Is that what Something Awful does? It’s been a while …

                                                                                                                      1. 2

                                                                                                                        I’m thinking you’re thinking of imageboards.

                                                                                                                        1. 7

                                                                                                                          No, somethingawful did this originally iirc, I think imageboards adopted it as they (the U.S. boards) were formed from the culture there. Facepunch also had a similar all caps red ban message too, I think.

                                                                                                                          1. 2

                                                                                                                            Ahh, that figures. I didn’t enjoy SA forums at all when I found that side of the internet and didn’t find it worth spending money on…

                                                                                                                      2. 5

                                                                                                                        Still waiting for @pushcx to implement search and/or put through my archives upgrade. :P

                                                                                                                        1. 7

                                                                                                                          Well, that could certainly be the next April Fools’ joke…

                                                                                                                          As much as some content really should be deleted, it would be in the interest of transparency (unless it’s spam/illegal) to have it available to review, even if it should be some inconvenience (at least showdead level) to avoid leaving the poop in the punch bowl of a thread.

                                                                                                                          (The rest of this post requires a Lobsters Gold account to view.)

                                                                                                                          1. 2

                                                                                                                            Perhaps it should be removed from the normal trees of replies, but be left in the modlog? Then seeing it requires an extra step, and you know you’re going to be seeing something bad.

                                                                                                                            1. 2

                                                                                                                              Yeah, in retrospect I don’t want it to be something people try to “high score” with.

                                                                                                                      1. 12

                                                                                                                        What ever happened with the dispute over attribution with regards to this and that third party package manager?

                                                                                                                        1. 9

                                                                                                                          Like a modern day David vs. Goliath, David lost.

                                                                                                                          1. 6

                                                                                                                            On the github:

                                                                                                                            We would like to thank Keivan Beigi (@kayone) for his work on AppGet which helped us on the initial project direction for Windows Package Manager.

                                                                                                                            IIRC Beigi at one point said that was enough for him.

                                                                                                                            1. 4

                                                                                                                              I worked on implementing some circuitry and the microcontroller firmware for a muscle stimulator (used in medical science) as part of my undergrad EE degree. What’s a muscle stimulator? Well … two electrodes are placed on the skin near the muscle to be stimulated, and electric charges are pulsed through … :)

                                                                                                                              Let’s just say that the testing phase was quite eye opening for all parties involved. I was the only tester, but once my classmates heard about what I was doing, they all volunteered!

                                                                                                                              Note: All testing was done under supervision, which was a bit unnecessary considering the device was powered (9V battery if it was being used in production) by a 9V power supply with the current significantly limited.

                                                                                                                              Additionally, I have bilateral cochlear implants, and the program mapping can be quite painful.

                                                                                                                              1. 8

                                                                                                                                A disposable camera flash is powered off a single AA battery at 1.5 volts. If you short the flash bulb with your skin, you will have electrical burns that take months to heal (not to mention it’ll knock you on your ass).

                                                                                                                                Capacitors can do some very unintuitive things to a mild power supply.

                                                                                                                                1. 2

                                                                                                                                  Capacitors are amazing little components! AEDs are basically giant capacitors, due to the amount of energy they dissipate in a single charge.

                                                                                                                              1. 13
                                                                                                                                1. 6

                                                                                                                                  No, seems like it’s still on the homepage & in the source code as of 3.0.0.

                                                                                                                                  1. 6

And thereby possibly violating the GDPR for those who are in the EU. But any discussions about this are immediately censored in the Homebrew project.

                                                                                                                                    1. 1

                                                                                                                                      Can confirm, as a project they don’t like being told their approach isn’t fantastic.

                                                                                                                                      1. 2

                                                                                                                                        As someone who has been on the receiving end of many discussions like that (specifically, Firefox for Android aka Fenix), I can say the following:

An open source project and their maintainers can make decisions about how they wish to run and implement the project.

                                                                                                                                        People can file all the bugs and re-open all the discussions for things that they do not agree with, but at one point they will have to accept that a decision has been made by the people running the project.

                                                                                                                                        What I see over and over again are the same responses:

                                                                                                                                        • they do not listen
• they do not care
                                                                                                                                        • they censure me
                                                                                                                                        • they don’t deal well with criticism
• I will leave if you don’t do what I want
                                                                                                                                        • I will fork the project
                                                                                                                                        • the project is doomed

                                                                                                                                        As someone who has been on the receiving end of this many many times I can tell you that it is extremely tiring and unproductive. As a maintainer you simply cannot satisfy all requests from all users. For all kinds of reasons. Sometimes it is as simple as “we like the way this works”.

                                                                                                                                        So dead horses will be beaten and discussion threads will be closed. Sometimes no is no. It is that simple. How do you reach consensus? Well often you do. Sometimes you don’t.

                                                                                                                                        What makes it even more complicated is that the user base is usually also fully split. I can guarantee you that in this case, sending anonymous usage to google analytics, many people could not care less and probably don’t bother to disable it even after reading the note that is shown about it.

                                                                                                                                        So I ask people here, as a maintainer of a project, what do you do? Do you submit yourself to a small group of very vocal and strongly opinionated users? Or do you just stick with what you and fellow maintainers think is the best way to go forward?

                                                                                                                                        (What I find really interesting is that in communities like this, Lobsters, there is often a lot of agreement about how bad it is that people ask for time or free support from open source projects. It is often quickly labeled as unacceptable entitlement. How are issues like https://github.com/Homebrew/brew/issues/142 different I ask you?)

                                                                                                                                        1. 2

                                                                                                                                          As a maintainer you simply cannot satisfy all requests from all users.

                                                                                                                                          Nobody asked them to satisfy all requests from all users.

                                                                                                                                          I’d imagine I’m pretty safe to say that no single user anywhere asked them to add analytics, using one of the most privacy invasive companies on the planet.

                                                                                                                                          Debian, as usual, shows how to do this right:

                                                                                                                                          (a) prompt the user on-install/first-run, if they’re happy to provide anonymous usage information. Provide links to more information if necessary.

                                                                                                                                          (b) don’t rely on a privacy abusing mega-corp to provide the backend for said usage tracking.

                                                                                                                                          1. 1

                                                                                                                                            … shows how to do this right

                                                                                                                                            This is an opinion. And exactly why these discussions are so difficult.

                                                                                                                                      2. 1

                                                                                                                                        Can you explain how it violates the GDPR?

                                                                                                                                        1. 2

                                                                                                                                          You need informed consent before you send any identifiable data, and most data points are identifiable.

                                                                                                                                          1. 1

I am not a lawyer but I am pretty sure that you don’t need consent for anonymous analytics since there is no connection to a person.

                                                                                                                                            If you think the data that Homebrew sends is indeed PII (Personally Identifiable Information) then you should definitely raise that with them. But I highly doubt this is the case since Homebrew does not know who you are.

                                                                                                                                            1. 1

I’m not a lawyer either, but e.g. cookies require consent. Obviously a shell doesn’t have cookies, but Homebrew essentially re-creates them, by generating a UUID (and storing it, only generating a new one if it can’t read an existing one) and sending it with the calls to GA.

If you accept that a cookie is a little piece of text on your computer that can be used to uniquely identify you, I’m not sure how “a UUID stored on your computer that can be used to uniquely identify you” wouldn’t be considered the same thing.

                                                                                                                                              1. 2

                                                                                                                                                The nuance here is “identify you”. Again I am not a lawyer but a random session or install ID is not PII and not something that identifies you. If it is connected to for example an email address then it would be.

Homebrew has no relationship with its users. It does not know who those are or how to identify them. If you would send a GDPR request to them to ask for your data then they cannot send you anything because they cannot uniquely identify you. Only when you give them that UUID and tell them, that’s me, they can. But at that point you have made the connection.

                                                                                                                                                1. 1

As I understand it (also not a lawyer) - because the data can later be combined with another source to identify the customer (that is, ‘this uuid is that person’s laptop’), it’s covered.

                                                                                                                                                  The GDPR is not written to allow clever hacks to get around it.

                                                                                                                                                  On the bright side - violators can expect formal letters of warning at no cost. If you persistently ignore those for a year or so you’re likely to get a really damn big fine, but it’s not like it’ll come as a surprise.