OK this finally convinced me to kick my decade long i3 habit and try niri. I hate switching to new stuff like this, the config etc gives me a headache. But the demo was very persuasive.
It’s really, really good! I realise now how much I switch to new workspaces just to avoid squishing whatever window I’m working in.
One thing I’d really love is a minimap of some sort. Even if it’s just a horizontal representation of what’s open that can fit into waybar. I can see myself ‘losing’ windows quite easily.
The push for local-first is driven by a few key new technological capabilities that previously restricted client devices from running heavy local-first computing:
No, it kept web pages from running heavy local-first computing. Native apps have been capable of this for quite a long time.
This article is pretty egregious in conflating “client” with “web browser”, which is a pet peeve of mine.
I think it’s more like application developers will go to some lengths to only have to support one broadly accessible platform rather than about five (iOS, Android, macOS, Windows, and “linux” as though it were only one target. Sorry BSD folks and other OS super-minorities). I can’t really blame them.
I am a solo dev at a small company. I develop and maintain a CRUD app that magically works on iPads, phones, desktops, barcode scanners etc. All thanks to… just being a website.
I still broadly agree that native is preferable though
Seriously. While reading this I was thinking yes, I have seen this movie. Outlook/Exchange started going around this circle 25 years ago. Local storage makes the UI super fast, and search works great. But then you have to sync, which means you have conflicts, which are in general impossible to solve without interrupting and confusing the user and doing a ton of work to solve cases the product people don’t want to think about. So in the name of sanity you go back to remote storage. Now the illusion of consistency is easier to maintain, but the UI is high-latency and freezes all the time, and the backend is baking client behavior into their APIs all over the place. Sentiment turns the other way and somebody funds the project to flip back to local storage (usually as if they just invented the idea). Repeat forever.
I mean, heck, if you want to go back to 1990, this is the NFS vs. AFS argument.
The thing that gives me a twitch with Apple software is that when it goes wrong it is awfully difficult to debug it, if not impossible.
Also what mad man set the ‘Facetime Reactions’ feature to ‘on’ by default? That upgrade was great I was swamped with messages asking why a confetti cannon was going off in their video during a job interview
This is what finally drove me out of the Apple ecosystem after almost 20 years. Paying premium prices for things that no longer “just work”, which Apple cannot/doesn’t care to fix, and are so opaque that they’re impossible to debug on your own.
If I’m going to be trapped in a world of flaky software, I don’t need to pay the Apple tax for that! I’ll be much happier with Linux where at least I stand a chance of fixing my own problems
The thing that gives me a twitch with Apple software is that when it goes wrong it is awfully difficult to debug it, if not impossible.
My last trip to the Apple Store concluded with a Genius opening a ticket with Apple. Even support personnel don’t have tools to properly support software.
Also what mad man set the ‘Facetime Reactions’ feature to ‘on’ by default?
So right after that came out, I had to fire someone help someone exit the org, and accidentally set off fireworks on the call. When I’m on my deathbed, that, and his reaction, will still be haunting me.
If it makes you feel any better, I’ve triggered both the heart emoji while describing a complicated engineering thing to a client and the balloons during a large group call at a point where it was highly inappropriate. At least the balloon thing brought a bit of levity to an otherwise serious discussion.
I enjoy the new “iPhone mirroring” feature in the latest OS, but it will stop working randomly, and when it does, there’s no way to debug why or get it to work again. You just have to hope it works tomorrow.
When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.
That’s… wow. Thank you for highlighting that. I am seriously considering using something other than Firefox for the first time in… ever. Regardless of how one might choose to interpret that statement, it’s frightening that they would even write it. This is not the Mozilla I knew or want. I’d love to know what alternatives people might suggest that are more community focused and completely FOSS, ideally still non-Chromium.
Isn’t it? Most GDPR consent screens have an easy “accept to everything” button and requires going through multiple steps to “not accept”, and many many more steps to “object” to their “legitimate interest” in tracking for the purposes of advertising. As long as these screens remain allowed and aren’t cracked down on (which I don’t foresee happening, ever), that’s the de facto meaning of “consent” in GDPR as far as I’m concerned: something that’s assumed given unless you actively go out of your way to revoke it.
It’s not what the text of the GDPR defines it as, but the text isn’t relevant; only its effect on the real world is.
Yes, definitely. Consent in GDPR is opt-in not opt-out. If it’s opt-out, that’s not consensual. And the law is the law.
Furthermore, for interstitials, to reject everything should be at least as easy as it is to accept everything, without dark patterns. Interstitials (e.g., from IAB and co.) first tried to make it hard to reject everything, but now you usually get a clear button for rejecting everything on most websites.
As I mentioned in another comment, the DPAs are understaffed and overworked. But they do move. A real-world example of a company affected by the GDPR, and that tries testing its limits, is Meta with Facebook. For user profiling, first they tried the Terms of Service, then they tried claiming a legitimate interest, then they introduced expensive subscriptions for those that tried to decline, now they introduced a UI degradation, delaying the user scrolling, which is illegal as well.
Many complain, on one hand, that the EU is too regulated, suffocating inovation, and with US’s tech oligarhs now sucking up to Trump to force the EU into allowing US companies to break the law. On the other hand, there are people who believe that the GDPR isn’t enforced enough. I wish people would make up their mind.
Many complain, on one hand, that the EU is too regulated, suffocating inovation, and with US’s tech oligarhs now sucking up to Trump to force the EU into allowing US companies to break the law. On the other hand, there are people who believe that the GDPR isn’t enforced enough. I wish people would make up their mind.
Those are different people, all who have made up their mind.
I thought I made it reasonably clear that I don’t care that much about what the text of the law is, I care about what material impact it has on the world.
To be fair, @mort’s feeling may come from non-actually-GDPR-compliant cookie consent forms. I have certainly seen where I couldn’t find the “reject all” button, and felt obligated to manually click up to 15 “legitimate interest” boxes. (And dammit could they please stop with their sliding buttons and use actual square check boxes instead?)
The facts you provided aren’t relevant. I’m talking about the de facto situation as it applies to 99% of companies, you’re talking about the text of the law and enforcement against one particular company. These are different things which don’t have much to do with each other.
You even acknowledge that DPAs are understaffed and overworked, which results in the lacking enforcement which is exactly what I’m complaining about. For what I can tell, we don’t disagree about any facts here.
I’m talking about GDPR as well, focusing about what impact it has in practice. I have been 100% consistent on that, since my first message in this sub-thread (https://lobste.rs/s/de2ab1/firefox_adds_terms_use#c_3sxqe1) which explicitly talks about what it means de facto. I don’t know where you got the impression that I’m talking about something else.
But there is enforcement, it’s just slower than we’d like. For example, screens making it harder to not opt in rather than opt in have gotten much rarer than they used to be. IME now they mostly come from American companies that don’t have much of a presence in the EU. So enforcement is causing things to move in the right direction, even if it is at a slow pace.
There is a website tracking fines against companies for GDPR violations [1] and as you can see, there are lots of fines against companies big and small every single month. “Insufficient legal basis for data processing” isn’t close to being the most common violation, but it’s pretty common, and has also been lobbed against companies big and small. It is not the case that there is only enforcement against a few high profile companies.
it’s the other way around - most of the time you have to actively revoke “legitimate interest”, consent should be off by default. Unfortunately, oftentimes “legitimate interest” is just “consent, but on by default” and they take exactly the same data for the same purpose (IIRC there are NGOs (such as NOYB, Panoptykon) fighting against IAB and other companies in those terms)
“Legitimate interest” is the GDPR loophole that ad tech companies use to spy on us without an easy opt-out option, right? I don’t know what this means in this context but I don’t trust it.
It is not, ad tech has been considered not a legitimate interest for… Ever… By the Europeans DPAs. Report to your DPA the one that abuse this. There have been enforcement.
Every website with a consent screen has a ton of ad stuff under “legitimate interest”, most ask you to “object” to each individually. The continued existence of this patterns means it’s de facto legal under the GDPR in my book. “Legitimate interest” is a tool to continue forced ad tracking.
I don’t think you’re disagreeing with me. It’s de jure illegal but de facto legal. I don’t care much what the text of the GDPR says, I care about its material effect on the real world; and the material effect is one where websites put up consent screens where the user has to “object” individually to every ad tech company’s “legitimate interest” in tracking the user for ad targeting purposes.
I used to be optimistic about the GDPR because there’s a lot of good stuff in the text of the law, but it has been long enough that we can clearly see that most of its actual effect is pretty underwhelming. Good law without enforcement is worthless.
De facto illegal for entities at Facebook’s scale? Maybe. But it’s certainly de facto legal for everyone else. It has been 7 years since it was implemented; if it was going to have a positive effect we’d have seen it by now. My patience has run out. GDPR failed.
I just gave you a concrete example of a powerful Big Tech company, with infinite resources for political lobbying, that was blasted for their practices. They first tried hiding behind their Terms of Use, then they tried claiming a legitimate interest, then they offered the choice of a paid subscription, and now they’ve introduced delays in scrolling for people that don’t consent to being profiled, which will be deemed illegal as well.
Your patience isn’t important. This is the legal system in action. Just because, for example, tax evasion happens, that doesn’t mean that anti tax evasion laws don’t work. Similarly with data protection laws. I used to work in the adtech industry. I know for a fact that there have been companies leaving the EU because of GDPR. I also know some of the legwork that IAB tried pulling off, but it won’t last.
Just the fact that you’re getting those interstitials is a win. Microsoft’s Edge browser, for example, gives EU citizens that IAB dialog on the first run, thus informing them that they are going to share their data with the entire advertising industry. That is in itself valuable for me, because it informs me that Edge is spyware.
I agree that the “we’re spying on you” pop-ups is a win in itself. I’m just complaining that it’s so toothless as to in practice allow websites to put up modals where each ad tech company’s “legitimate interest” in tracking me has to be individually disabled. If the goal of the GDPR was to in any way make it reasonably easy for users to opt out of tracking, it failed.
I agree that the “we’re spying on you” pop-ups is a win in itself.
I’m not so sure. I’ve even seen this used as an argument against the GDPR: The spin they give it is “this is the law that forces us to put up annoying cookie popups”. See for example this article on the Dutch public broadcasting agency (which is typically more left-leaning and not prone to give a platform to liberals).
“Alle AI-innovaties werken hier slechter dan in de VS. En waarom moet je op elke website op cookies klikken?”, zegt Van der Voort.
Roughly translated “all innovations in AI don’t work as well here as in the US. And why do you have to click on cookies (sic) on every single website?”
I’ve even seen this used as an argument against the GDPR: The spin they give it is “this is the law that forces us to put up annoying cookie popups”.
I have seen that as well, and I think it’s bullshit. The GDPR doesn’t force anyone to make any form of pop-up, nobody is forced to track users in a way which requires consent. The GDPR only requires disclosure and an opt-out mechanism if you do decide to spy on your users, which I consider good..
The GDPR only requires disclosure and an opt-out mechanism if you do decide to spy on your users, which I consider good..
I agree, but at the same time I think the average user just sees it as a nuisance, especially because in most cases there’s no other place to go where they don’t have a cookie popup. The web development/advertising industry knowingly and willfully “complied” in the most malicious and obnoxious way possible, resulting in this shitty situation. That’s 1 for the industry, 0 for the lawgivers.
I agree that it didn’t have the desired effect (which, incidentally, I have spent a lot of this thread complaining about, hehe). I think everyone was surprised about just how far everyone is willing to go in destroying their website’s user experience in order to keep tracking people.
has to “object” individually to every ad tech company’s “legitimate interest” in tracking the user
I’m not sure if you’re deep in grumpy posting or didn’t understand the idea here, but for legitimate interest you don’t need to agree and companies normally don’t give you the option. If you’re talking about the extra options you unset manually, they’re a different thing. The “legitimate interest” part is for example validating your identity through a third party before paying out money. Things you typically can’t opt out of without also refusing to use the service.
If you get a switch for “tracking” or “ads” that you can turn off, that’s not a part of the “legitimate interest” group of data.
I’m sorry but this isn’t true. I have encountered plenty consent screens with two tabs, “consent” and “legitimate interest”, and where the stuff under “consent” are default off while the stuff under “legitimate interest” is on by default and must be “objected to” individually. Some have an “object to all” button to “object” to all ad tracking in the “legitimate interest” category.
Here’s one example: https://i.imgur.com/J4dnptX.png, the Financial Times is clearly of the opinion that tracking for the purpose of advertising counts as “legitimate interest”.
I’m not saying that there’s any relationship between this pattern and what’s actually required by the GDPR, my understanding of the actual text of the law reflects yours. I’m saying that this is how it works in practice.
Mozilla updated the article with a clarifying statement:
UPDATE: We’ve seen a little confusion about the language regarding licenses, so we want to clear that up. We need a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn’t use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice.
the problem is it doesn’t clarify anything. “basic functionality” is not defined. my guess is they want to be able to feed anything we type or upload to a site, to also be able to feed that into an LLM. “anything other than what is described” doesnt help because what is described is so vague as to mean anything “help you experience and interact with online content”
Mozilla updated the article with a clarifying statement:
UPDATE: We’ve seen a little confusion about the language regarding licenses, so we want to clear that up. We need a license to allow us to make some of the basic functionality of Firefox possible. Without it, we couldn’t use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice.
That is… not clarifying. And not comforting. “What is described” in the ToS is “to help you navigate, experience, and interact with online content.” That’s absurdly vague. And what is described in the Privacy Notice is absurdly broad:
To provide you with the Firefox browser
To adapt Firefox to your needs
To provide and improve search functionality
To serve relevant content and advertising on Firefox New Tab
To provide Mozilla Accounts
To provide AI Chatbots
To provide Review Checker, including serving sponsored content
To enable add-ons (addons.mozilla.org, “AMO”), including offering personalized suggestions
To maintain and improve features, performance and stability
To improve security
To understand usage of Firefox
To market our services.
To pseudonymize, de-identify, aggregate or anonymize data.
To communicate with you.
To comply with applicable laws, and identify and prevent harmful, unauthorized or illegal activity.
I’m glad we have this contextless legalese to clarify things. I wonder if there’s some kind of opt-in data collection in Firefox that Mozilla might have legal obligations to clarify their rights to? Couldn’t be that… No, let’s put a pause on critical thinking and post stupid TOS excerpts as if Mozilla are going to steal our Deviantart uploads and sell them as AI training data.
I’m glad we have this contextless legalese to clarify things. I wonder if there’s some kind of opt-in data collection in Firefox that Mozilla might have legal obligations to clarify their rights to? Couldn’t be that… No, let’s put a pause on critical thinking and post stupid TOS excerpts as if Mozilla are going to steal our Deviantart uploads and sell them as AI training data.
If they need a ToS for a particular feature, then that “contextless legalese” should be scoped to that feature, not to Firefox as a whole.
This is precisely why the same organization should not do all of these things. If they want to do non-tool stuff to continue funding their mission they should start up independently managed companies that can establish these consents for a narrow band of services. They can give the existing organization control as a majority shareholder, with dividends flowing back to the main organization. That is the way to ensure that incentives don’t become misaligned with the mission.
Really disappointing that CPU and RAM are soldered on, especially in a desktop. I understand there were difficulties but the answer is “don’t build the shitty thing”, not “couldn’t find a way of making it not shitty”.
Yeah I definitely agree. The right call would’ve been to not release this, even if I understand it’s very tempting for them.
It’s sad because now they’re bringing problems they set out to solve in laptops to the desktop space. It’s a bit backwards. Hopefully this isn’t a sign of them straying further from the goal.
It’s not a question of “engineering perspective” vs “trust, values, and brand protection”. It’s a necessity to realize the desired level of performance (which is desired by a non-insignificant amount of people, see also: democratization of AI).
To bring an analogy, if you’re building a car, the practical necessity for said car to have 4 wheels has higher priority than dislike of wheels as a concept. The other way lies madness FSF and their endorsement of 802.11n NICs in 2025.
No-one told Framework they had to build a car, though! If it’s not currently possible to build an AI optimised machine without compromising on their principles, then … don’t.
If it’s not currently possible to build an AI optimised machine without compromising on their principles, then … don’t.
You are missing the forest for the trees.
The principles of Framework is to build things that are more repairable than their competitors. Without Framework, a user who wants a workstation built on an energy-efficient, GPU-capable, highly memory-optimized SoC has no options other than Apple and maybe some NUC-style prebuilts (thus, no repairable/upgradeable options at all). With Framework, there now is a repairable option, even if it’s less repairable than some would want.
I think the difference in our opinions might be over just whether such a “highly memory optimised SoC” is Right or Wrong.
I think what Framework has built is Good and Wrong. Hence my claim that it’s bad from a brand perspective.
Sample data of only myself, but, I’ve gone from being quite an evangelist for Framework to seeing them as just another box maker. The horns effect (opposite of the halo effect) from association with AI probably doesn’t help either. Feels very bandwagony.
My personal take is that both are important to have around and it’s unlikely that people as committed to the bit as FSF folks would even buy something from Framework. Maybe I’ve misjudged the target audience though.
I’m not one of the “FSF folks” for a variety of reasons; I bought my wife and I each a Framework laptop, because I greatly value modularity and repairability.
As personal computing hardware becomes ever more appliance-like and user hostile, it was a delight to find a company with values similar to mine, and products to match.
But, surprise! Looks like the allure of hopping on the AI gravy train was too strong. Seems Framework is content to be a shitbox manufacturer who just happens to have some decent models in their lineup.
To use your analogy, you wouldn’t buy a car with non replaceable wheels and tyres.
That’s not my analogy, that’s a different analogy that happens to use the same metaphor. Unfortunately, this analogy seems unsound, since tyres (and, to a lesser extent, rims) are a consumable item, unlike CPU and RAM.
Why make a modular desktop when they all are anyway? What can they bring new to the table?
I posted my take on this question somewhere downthread.
So having made that trade-off, what differentiates them from any other straight-to-landfill consumer appliance manufacturer?
This is such a tone-deaf move. I’d worried about them abandoning their principles once they grew, it never occurred to me that they’d start selling shit like this so early in the piece.
At a glance, they have a very good reason for doing this. Shared RAM with a humongous bus to the SoC is the only way to compete with, e.g., Apple Silicon.
Framework isn’t supposed to be competing with Apple Silicon by building better Apple Silicon; they’re supposed to be offering an alternative to the consumer appliance / landfill model.
Well, yes :) But that’s the messaging they’ve run with to date, and attracted a lot of quite vocal supporters along the way. This move might lose a bunch of them; we’ll see.
I think about something like the RasPi with closed source firmware blobs on some components, where they can build something that makes some improvements, and then continue to push the boundaries as time goes on.
I do agree with the sentiment regarding a desktop in particular. I’m looking at this more like a giant NUC but it’s odd positioning! The only sort of side note is at least given the form factor the machine will likely last way longer than laptops do with all their random issues due to their usage patterns.
You kill performance if you force the CPU to communicate with the RAM over a socketed connection.
That’s why Apple Silicon puts CPU, GPU and RAM into the same package, so that there can be a super high bandwidth connection between memory and processing units.
That’s also why high end discrete GPUs use HBM (high bandwidth memory) in the same package as the GPU.
Framework also sells a discrete GPU, an AMD Radeon™ RX 7700S for $550. It has 8GB of GDDR6 RAM that is soldered in, again for performance reasons.
The tragedy of the Framework 16 is that you get to choose between an integrated GPU that has slow access to socketed main memory, or you can use the discrete GPU, which has fast soldered local memory, but then it’s very slow to transfer data between CPU memory and GPU memory. You have two GPUs, but both suffer from performance compromises.
I would like to see a Framework 16 mainboard that has the same architecture as the new desktop mainboard. A high performance GPU and a high performance CPU, both sharing the same high performance memory (aka integrated memory). This would seem to require soldered RAM, or RAM inside an integrated CPU/GPU SOC package.
People who want this kind of high performance architecture in a laptop currently buy macbooks. But it would be nice if Framework were to offer this too.
The Framework desktop has this architecture, so I see it as a step in the right direction.
The difference in memory bandwidth isn’t that high anymore. The M processors had an edge when desktop CPUs were still at DDR4, but with DDR5 you get around 100GB/s (dual channel). The current M4 has a memory bandwidth of 120GB/s. The M4 Pro has 273GB/s, M4 Max has 410GB/s and M2 Ultra has 800GB/s, for transparency, but they are at another pricepoint where you can just as well build a threadripper or even EPYC workstation with up to 700+ GB/s memory bandwidth and orders of magnitude more RAM (Apple charges a lot for RAM and storage).
There still are other advantages of the M processors (latency, etc.) which can’t be beaten without a SoC approach, but the flexibility gained with building your own system is still a more important matter to me personally. There’s also DDR6 on the horizon, but nothing stops Apple from using it as well in their chips. Just as well, nothing stops AMD or Intel from increasing the number of memory channels.
I keep dates in my URLs because I quite often have two posts with the same title. E.g. talking about the same movie twice. Still no good for posting the same title twice on the same day but that’s an edge case I just put up with…
I will look at ditching the trailing slash though, it does make sense.
Replace and with your WiFi’s name and password in plaintext. Yes, you read that right - a PASSWORD stored in PLAINTEXT. I’m pretty shocked by this, but it seems to be a norm for WiFi tools, not sure why.
It is required to have the password somehow if you want to connect to WiFi, as the WiFi access point wants to know that you have the correct password. How else would you accomplish this?
If you were to encrypt it, the decryption password would have to be stored somewhere on disk in plaintext, so that wouldn’t help much.
Another case: username and password for a website. The website’s server can have a hashed password stored for every user, but the client must have the password in plaintext. The difference being that the plaintext is often “stored” in the user’s mind. If you were to set up a script to automatically log in and post something, the the password would have to be accessible/plaintext.
From the tone of the article, I’m guessing the author is new(ish) to Linux. They don’t seem to understand that if you “roll your own” network connectivity by following random tutorials and running low-level networking utilities like wpa_supplicant directly, then yeah, you also get to figure out how to store the secrets securely, if that’s what you want.
I’m not 100% positive about how GNOME stores wifi passwords. I would think in GNOME keyring? But I do know for sure that KDE Plasma prefers (although does not require) you to store wifi passwords securely in the Wallet.
From the tone of the article, I’m guessing the author is new(ish) to Linux.
That is a good guess :)
They don’t seem to understand that if you “roll your own” network connectivity by following random tutorials and running low-level networking utilities like wpa_supplicant directly, then yeah, you also get to figure out how to store the secrets securely, if that’s what you want.
In the last footnote in the post, I mentioned how the machine’s existing WiFi config (NetworkManager) also stored passwords in plaintext. The option of using a keyring didn’t really occur to me because I didn’t see it being used by the machine.
Using a keyring also brings up another question - how would wpa_supplicant‘s config get the password from the keyring? I can run a command manually, but is it possible to automate this on boot? (I wouldn’t actually use this as a permanent setup, but just curious)
wpa_supplicant gets controlled either over its control socket or its D-Bus API by e.g. NetworkManager (which in turn communicates with the keychain implementation, often also over D-Bus), and either gets the secret pushed with the connection request, or requests it over those connections once it needs the secret.
You can use wpa_passphrase to precompute the WPA-PSK for a network and store that instead. It’s not going to stop a real attacker, but it can keep the password away from shoulder surfers and other low-effort attacks.
That option was mentioned in footnote 2 of the article, but was dismissed as “this (…) makes hashing pointless” because an attacker can use that value to gain access to the network.
Doesn’t every CPU have a “Secure Enclave” for storing secrets? I’m not familiar with how Linux uses it, but on Mac/iOS this is used as the basis of the Keychain, a secure db for keys and passwords.
No. All modern PCs have a TPM, and all modern Intel machines have SGX (for now). Neither of these is exactly equivalent to Apple Silicon’s Secure Enclave. Probably the closest you can come is using the TPM to release a keychain encryption secret only if the computer booted with a genuine software chain (genuine bootloader, genuine kernel, etc. etc.) but this is not done anywhere today to my knowledge. TPM support only just landed in systemd (the production release was a month or two ago).
That would at least protect against theft of a powered off laptop, as the keyring would only be accessible after the user has logged in to their machine. If an attacker tried to dump the hard drive, the password wouldn’t be there, as it would in the default scenario.
The same-ish protection would also apply to a regular keyring encrypted with the user’s login password. The difference being not even an encrypted blob to bruteforce on.
It wouldn’t do much about a root level attacker, which was the implied threat model, as file permissions only allowed reading by root (and someone reading directly from the drive).
Yeah, that is probably right. The passwords would have to be added to each user’s keyring if there are multiple users of the machine. You’d forego connectivity before user login after boot.
I think this isn’t done because the keyrings that might be installed is orthogonal to the WPA supplicant daemon. I’ve also run WPA supplicant on a Raspberry Pi which doesn’t have any keyring at all – but it could have been an optional feature for supported keyring implementations.
This makes me realize that I probably should have elaborated on the “not sure why”. I was thinking on something along of the lines of a keyring (I was thinking of Apple’s Keychain, which is where my WiFi password is stored on macOS). My Linux machine’s existing setup (NetworkManager) also stored passwords in plaintext, so I was unsure of why a keyring setup wasn’t the default.
Using a keyring also brings up another question - how would wpa_supplicant‘s config get the password from the keyring? I can run a command manually, but is it possible to automate this on boot? (I wouldn’t actually use this as a permanent setup, but just curious)
There’s a bunch of authentication protocols that could be used with WPA Enterprise access points (https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol), so you could have a setup with EAP-TLS where the TLS private key is stored in an HSM/TPM, or EAP-SIM using a SIM card.
I’m not a heavy bookmark user, and for the few I have I rely on Firefox bookmarks. What are people getting out of having separate dedicated bookmarking servers?
My use case was to access my bookmarks across multiple browsers (through the service’s browser extensions).
Also, as far as I remember, Chrome and Safari lack bookmark tags. You would have to reach out for a separate service if you want tags on those browsers.
I think a better way to think about it is as a “link collection”; it’s a way to track links that are interesting and you have read or want to read. If you spend any amount of time on a link aggregator (and given you’re on lobste.rs I’m assuming you do) you end up with a ton of articles like that and you need to keep track of them beyond your browser’s tabs. The one I wrote for myself even indexes the articles so I can plain text search through them so I can remember where I read something.
After using in-browser bookmarks with keywords I switched to a homemade bookmark server some years ago. My server is set up in a way so that it can be used as a default search engine. What I wanted out of it was:
Having the same keyword act both as a simple webpage bookmark and a search jump. So for example I can do either “lob” to come to the Lobsters main page or “lob lisp” to search for “lisp” on Lobsters. Similar to DDG bangs but personalized and uses prefix keywords rather than bangs.
Easy portability between browsers and devices.
Storing the bookmarks in a human and tool manageable way which currently means json blobs in git.
If there was an (obvious) way to run Linkding on OpenBSD, I probably wouldn’t even have started writing 42links. It seems to be a great software indeed.
Where is the documentation on how to install it on OpenBSD? The only supported way seems to be via Docker (which we neither have nor want to have). Running a “dev version” in production sounds like a not-so-great idea.
Adapt the Alpine container definition. Containers aren’t scary, nor are Containerfiles. Treat them as glorified build scripts and they’re trivial to adapt to non-container environments most of the time. This one in particular will nearly 1:1 map to a shell script that should run on almost any OS that can run Python+SQLIte, including OpenBSD.
I started a similar project a few weeks ago for my bookmarks that has expanded into also covering links I post to social media: https://search.technomancy.us (also in lisp!)
For me the purpose is not to collect the links as much as to index the content on the pages themselves.
Personally, I use both my standard browser’s bookmarks (for bookmarks) and services like the one I wrote :-) for read-it-later tasks; basically, as a TODO link collector. Having those in the browser clutters the bookmarks.
Yes — and Mozilla have access to your Firefox Accounts passphrase in plain text, if you ever log in via HTML that they serve rather than via the browser itself.
End-to-end encryption doesn’t help if the key ever leaves your machine.
I use my own service (gitlab.com/sodimel/share-links) that I started to write a few years ago. The main goals are to be able to share links to my friends and to the internet, to have a rss feed of recently added links, to be able to comment, add tags, group links by collections. The project is using Django so the admin interface is auto-generated, and it allows me to focus on features :)
The admin interface is for myself only, the public interface is written by me for the visitors.
I don’t mind using a “classic themed” django admin if it allows me to add links (it does, and I even added a small bit of js to fetch the title & language of the link I’m adding) and to filter them easily (it does too, I added a lot of filters).
Who am I to judge other people’s CSS skills? I mean, look at mine. There are reasons why 42links uses a (tiny) CSS framework with only a few extra declarations. I can’t design web stuff very well.
As far as I can see from your screenshot and the “demo”, it looks boring, but both functional and accessible. :-)
That’s the magic of the autogenerated django admin interface ; its boring but it works well, and you can configure it the way you want (display more columns, add filters to the right, custom actions in the dropdown).
I wanted to write all the css myself for the public interface, and that’s what I did. I really like the idea of an horizontally-scrollable filter list, it works very well on mobile :)
I’m confused as to why an HTML blog would strain a server more than a plain text blog. Serving this text as HTML might, POSSIBLY, double the size from 1kb to 2kb. Killing off the favicon would be just as effective, maybe moreso, for saving server resources.
Honestly, you’ve gone way overboard with the HTML there, too. You could drop the lang, the doctype, and the entire head block and it would work fine on 99.99% of browsers.
Anything less and the Nu HTML Checker emits a warning. Tidy output looks good for the above HTML, if we don’t mind the following warning about implicit tag:
Dropping the lang is bad for accessibility. Without the doctype it’s not valid standards mode HTML5. The charset is necessary if you have any non-ASCII characters. The viewport tag is needed for proper rendering on mobile.
Dropping the lang is bad for accessibility. Without the doctype it’s not valid standards mode HTML5. The charset is necessary if you have any non-ASCII characters. The viewport tag is needed for proper rendering on mobile.
I’m not making html5, just serving txt files.
I use BOM (byte order mask) in order to let the browser know that I’m using utf-8.
You can use the reading mode of your browser to display the text fine.
I don’t think txt files are so much of a problem in term of accessibility (I mean you can configure your screen reader to change the spoken language).
I had a terrible connection at home (where my small “server” is located), and I wanted to write in english (which is not my first language). I wanted to submit those articles on websites like here or hn, which can bring a lot of people over my bad connection, and I wanted to have pages as small as possible (I already got a kiss of death on my internet box by a sudden hn popularity, it’s not cool for the readers nor for me).
I argued with a friend that “you can start a blog within one minute”, and to prove I were right I executed and created the first txt file (I did this in a little bit over 10 minutes, I’m slow :/).
But I really like lightweight websites with html & css, and love to waste my time exploring funky lightweight designs from 1MB club (https://1mb.club/) :)
While I understand the spirit, you may be shooting yourself in the foot. If your intention is for people to read your articles, not just have the server serve them, you’d do well in improving the reader’s user experience just a bit. Plain text is just not great to read on desktop and on mobile it is unreadable (I mean literally unreadable because the font size is miniscule).
As it stands it’s a bit contradictory to care about readers not being able to see your website if it gets squeezed to death because when they are able they can’t read it anyway.
In china you can’t enable ADP and so your iCloud keys are always in escrow on Apple’s servers. That’s the access China will have. The UK wants access to the keys Apple don’t have, too.
Not sure. The question is who is the attacker. If it’s state agency, then definitely not.
If a state agency is targeting you, you probably don’t stand a chance. But given how state leaders are shifting more and more to the fascist extremes (left and right…), complete citizen observation isn’t just a topic for china anymore.
So not wanting any data on the server is IMO a very valid concern, because that makes “observe everyone” much harder.
I made something like this a while ago with a receipt printer. It would print out the forecast, word of the day, quote of the day, and I think some randomly chosen “lucky numbers”. The idea was that if something important happened that day, I could have a physical artifact of the day. I stopped using it because I found myself just not reading anything on it after a while, it all felt a bit same-y. but it was a fun little project, and I learned that lots of receipt printers are super cool and have a really simple serial interface. and also that the most expensive part of a receipt printer is probably the power supply, rather than the printer itself. I did a couple of other things with the printer, but ultimately, it is now languishing on my wall with nothing to do. Oh well!
Were you able to find one that doesn’t have all the apparently toxic chemicals in the paper? That’s mostly what keeps me from poking at receipt printers. Laser printer toner is also remarkably toxic and similarly absorbed through the skin, as I recall, which I also try to avoid – though in theory it’s fine once it’s baked onto the page at least.
note though that BPA-free often means it uses BPS instead, which has a lot of the same concerns attached. And I’m guessing BPA/BPS-free again needs a look into what it was replaced with there… (and is more expensive, but that doesnt really matter for a toy use case like this)
If you are interested in playing from local storage only I would also recommend checking out Kodi. I don’t ever quite know what people mean by “clunky” but its super fast and handles a very large collection of media without any bother.
Main issue is finding a device on which to install it. But there are whole distros that do nothing but run it, like coreelec, librelec, osmc. These are each designed for specific contexts and hardware choices.
Been using some form of Kodi for well over a decade now (albeit now with jellyfin, since a house move we wanted multi device streaming)
edit: I should add that I think you can also use the apple remote, or at least that’s what I did for a few years
In this context, generally a box that goes by the TV. So, a raspberry Pi, a Vero 4k, nvidia shield, apple tv etc. I use one called a Ugoos Am6b+ which I like because it does DolbyVision.
The distros I listed basically are a way to package Kodi and boot straight into it. For example, I use corelec on my Ugoos. Osmc runs on the vero 4k. Librelec I think can go on a pi.
If you have a NAS it’s very much geared around streaming from that over the LAN. Otherwise it can also do local storage on the device itself.
I’m assuming you mostly serve video files from the NAS that you watch from Kodi. Do you use anything to manage the library so to speak? Or are the just served as a simple file system?
It’s a simple file system on the NAS, reasonably neatly organised but yeah I do that bit manually. Kodi sees it and scrapes a bunch of metadata etc for each file, then builds a library for you that is searchable and looks good on the TV (all the apps do this I guess)
We use NUC. At least i3 to handle more unusual codecs on CPU.
Kodi is nice, but not perfect. But it is simple enough to control even when sick or not 100% sober. It also has companion apps. For Android at least. I just stream to my phone over tailnet.
Jellyfin is where obscure shows go so that we can watch them with our parents on their snoop^W smart TVs.
All the popular open source media servers have clunky UI or were unreliable; mostly both
Without specifically mentioning the ones you’re referring to it’s hard to know what this relates to.
I’ve recently adopted Jellyfin, and found it to be generally fine - a few quirks here and there but generally fine. The biggest downside I’ve seen so far is that there isn’t (to my knowledge) a good Mac open source client for it - but this article is about an AppleTV which doesn’t have that issue. I’m aware some of the iOS/iPadOS clients can run on macOS, but none of the ones I’ve tried work very well with a large screen.
Can someone expand on what specifically makes Infuse better?
Infuse has native support for jellyfin too. It’s quite a good app and has support for more codecs than just native iOS player (which jellyfin uses).
But, I don’t mind the jellyfin client on iOS? It seems to do what I want it to.
My guess is the author doesn’t want multi-device streaming /status syncing so jellyfin isn’t required. In which case infuse on appletv is a decent choice.
There’s a few mentions in there of having a phone and tablet; I do appreciate that Infuse makes it very easy to start watching a show on one screen and continue on another.
I didn’t name the specific open source apps because I didn’t want to get into an inevitably pretty nitpicky arguments about each. As a programmer running a linux desktop I’m pretty tolerant of clunky UI, but the apps I tried felt significantly worse and were soundly rejected by the nontechnical TV users. There’s probably a lot of familiarity at work in the personal taste; Infuse looks a lot like the popular streaming services.
I get that, and I have infuse on ios devices and very much like it. The cool thing is, if you ever want to expand and do plex/jellyfin style stuff, infuse has support for it baked right in.
The other thing I like is offline downloads, for when I hit the road but still wanna watch curb on repeat
This HN thread on Jellyfin hits all of the issues I had with the open source options and also hits all of the “you’re doing it wrong” nitpicking I was not interested in participating in.
LOL My needs are pretty modest, and I’m just impressed by all the free engineering hours that have gone into it and the features it has. What should I look out for? The fact that they have a Roku App was pretty amazing for me.
IMO the best way to use jellyfin on a personal computer is with jellyfin-mpv-shim and mpv. It’s what I use on Windows and Linux. jellyfin-mpv-shim has instructions for macOS so I am assuming that both that and mpv are available on macOS. mpv the media player is very minimalistic so it takes getting used to because the keybinds and such are not apparent but it works really well if you know how to handle it.
I switched over to Jellyfin Media Player because it uses MPV internally, and includes the web interface so it feels less clunky. The shim would sometimes break, and when I’m trying to watch something, I definitely don’t want to be debugging things.
JMP uses Qt’s Web engine, which is not extra lightweight but at least shared with other apps, so it’s worth the tradeoff for me.
There are some codecs that the browser can’t play. If you host jellyfin on a weak machine, you have to disable transcoding. So dedicated clients who are able to handle a larger variety of codecs are preferable to browsers.
I’ve noticed significantly better UI responsiveness and playback from the native app running on an AppleTV (which connects over average quality WiFi) than I do from a M2 Ultra Mac Studio with 128GB of RAM connecting to the same Jellyfin server over wired gigabit ethernet.
I assume it’s because the native app is better able to cache and preload content than the browser based client.
I mean a native client app for playback, rather than accessing it through a browser - the browser client is fine for admin tasks but for playback it’s less ideal IME: https://lobste.rs/s/sn8buz/tv_setup#c_altp8l
I’m not following how g.co was actually involved here, or how it might have been compromised.
The email came from google.com. The email passed SPF and DKIM.
The subject mentions important.g.co and it appears in the email body. But there aren’t any links to it, so the phising attempt seems to not actually rely on it in a way that requires a compromise of g.co. I don’t think the title of this post is warranted, as it appears unsupported by the facts.
It seems more relevant that the attacker convinced a google.com server to send the email for them, or that they got a hold of a DKIM key to sign it.
It would’ve probably been a little more suspicious if it said case-g287686.com instead. There’s also this, from an update to the gist:
Hack Clubbers have determined that this is almost definitely a bug in Google Workspace where you can create a new Workspace with any g.co subdomain and get it to send some emails without verifying that you own the domain.
I imagine this issue extends past g.co and could be used for any domain (besides those already registered like google.com). So yeah, it’s not an issue with g.co, but there is arguably an issue with Google Workspace allowing these phishing attempts to be just a little more convincing than they would otherwise.
Thank you! I thought I was going nuts reading this, it’s got nothing to do with g.co
Someone in the comments there has a theory:
[attacker] Submitted a Google Workspace support ticket with the name “Chloe Google Case ID G287687”. “Chloe” and the case ID closely match the phone call and lure in the SMS. You can only submit these support tickets if you’re logged into your G Admin account, so I hypothesize your account was already compromised to some extent
I won’t repeat the steps to perform the targeted password reset email part of this phishing attempt, but it appears that this is entirely a Google Workspace domain verification problem.
I suggested a title change for this post yesterday. @Aks if you see this, the title of this story is inaccurate and has been at the top of the front page for quite a while now; if you could change it, that’d be great. The same story was posted on Reddit with a more accurate title:
Almost got phished from a @google.com email. Google Workspace domain verification likely broken.
This is an okay stance to take & on the other end I can agree that CSS isn’t hard & don’t want to memorize a billion classname conventions, but what grinds my gears is when a tech lead or back-end team has mandated it on a front-end team that would prefer to not have that decision made for them—as can be said about most tools put on teams by folks not on those teams.
To me, if I want something that follows a system, the variables in Open Props covers what I need to have a consistent layer that a team can use—which is just CSS variables with a standardlized naming scheme other Open Prop modules can use. It is lighter weight, doesn’t need a compile step to be lean, & lets you structure your CSS or your HTML as you want without classname soup.
May not hard to write, but certainly it is hard to maintain. CSS makes it SO EASY to make a mess. In no time you’ll be facing selector specificity hell. If you have a team with juniors or just some backend folks trying to do some UI, that’s very common.
“But what about BEM?”. I like BEM! But, again it’s an extra step and another thing to learn (and you’re choosing not to deal with CSS specificiy to avoid its pitfalls).
IME, the BEM components I wrote were more effective and portable the smaller they were. I ended up with things like text text--small text--italic, which were basically in-house versions of Tailwind (before I knew what it was).
You can use utility classes & Open Prop names & still not use exclusively utility classes. No one has said Tailwind can’t be used for utility when needed, but in practice I see almost all name go away. There is nothing to select on that works for testing, or scraping, or filter lists.
Having a system is difficult since you have to make it stringly-typed one way or another, but that doesn’t discount the semantics or considering the balance needed. Often the UI & its architecture are low-priority or an afterthought since matching the design as quickly as possible tends to trump anything resembling maintainability & the same can happen in any code base if no standards are put in place & spaghetti is allowed to pass review.
It really is just the same old tired arguments on both sides tho really here. This isn’t the first time I have seen them & that post doesn’t really convince me given it has an agenda & some of the design choices seem intentionally obtuse without use of “modern” CSS from like the last 4–5 years.
but what grinds my gears is when a tech lead or back-end team has mandated it on a front-end team that would prefer to not have that decision made for them
Is this something that happened to you? Why would the back-end team decide on what technology the front-end team should use?
On multiple occasions have I seen a CTO, tech lead, or back-end team choose the stack for the front-end either before it was even started or purely based on a some proof-of-concept the back-end devs built & did not want the stack to change… just that it was entirely rewritten/refactored.
It raises the question that maybe the abstractions that were adopted by CSS are not the right ones in the long term, as other solutions are more team-friendly, easier to reason about.
Separation of presentation and content makes a lot of sense for a document format, and has been widely successful in that segment (think LaTex).
But for how the web is used today (think landing websites or webapps), the presentation is often part of the content. So the classic “Zen garden” model of CSS falls apart.
I’m in the same boat. I was appalled by it the first time I saw it.
But it fits my backend brain and makes building things so much easier. I like it in spite of myself. I’ve just never been able to bend my brain to automatically think in terms of the cascade, and reducing that to utilities makes it so much more workable for me, and lets me try things out faster. I’m excited about this release.
I am happy that you got a decent website up with Tailwind. I’m sad that you had a hard time with CSS and the conclusion you reached was that you were the one that sucked.
Didn’t web apps take off with users because they didn’t have to download and install software? You just create an account and off you go. Electron gets rid if that advantage.
Then it became the norm and loads of stuff was web based, electron seemed like the cheapest way to make a desktop app using existing devs at a company that also produced a web app.
Now HTML and js are all over the place and developing a native app is niche and expensive so electron makes sense.
I feel like the history of electron is a history of cost cutting to achieve cross-platform compatibility. Same goes with web apps.
As a solo dev, I produce web apps for work because all my users have a web browser regardless of platform, so I can sympathise with this approach. But in a perfect world it’d be a native app for each of them.
Also the McDonald’s screen sucks and is a terrible example
OK this finally convinced me to kick my decade long i3 habit and try niri. I hate switching to new stuff like this, the config etc gives me a headache. But the demo was very persuasive.
It’s really, really good! I realise now how much I switch to new workspaces just to avoid squishing whatever window I’m working in.
One thing I’d really love is a minimap of some sort. Even if it’s just a horizontal representation of what’s open that can fit into waybar. I can see myself ‘losing’ windows quite easily.
No, it kept web pages from running heavy local-first computing. Native apps have been capable of this for quite a long time.
This article is pretty egregious in conflating “client” with “web browser”, which is a pet peeve of mine.
Web developers will adopt complex new storage and synchronization APIs rather than
go to therapywrite native apps.I think it’s more like application developers will go to some lengths to only have to support one broadly accessible platform rather than about five (iOS, Android, macOS, Windows, and “linux” as though it were only one target. Sorry BSD folks and other OS super-minorities). I can’t really blame them.
I am a solo dev at a small company. I develop and maintain a CRUD app that magically works on iPads, phones, desktops, barcode scanners etc. All thanks to… just being a website.
I still broadly agree that native is preferable though
Websites:
Obviously there’s a lot of benefits to native applications too, but it’s not like there’s no reason to prefer browsers as an application platform.
A Few more:
Seriously. While reading this I was thinking yes, I have seen this movie. Outlook/Exchange started going around this circle 25 years ago. Local storage makes the UI super fast, and search works great. But then you have to sync, which means you have conflicts, which are in general impossible to solve without interrupting and confusing the user and doing a ton of work to solve cases the product people don’t want to think about. So in the name of sanity you go back to remote storage. Now the illusion of consistency is easier to maintain, but the UI is high-latency and freezes all the time, and the backend is baking client behavior into their APIs all over the place. Sentiment turns the other way and somebody funds the project to flip back to local storage (usually as if they just invented the idea). Repeat forever.
I mean, heck, if you want to go back to 1990, this is the NFS vs. AFS argument.
I’m strongly in the local-first camp. I recognize the problems you describe, but we’re getting better at dealing with them.
Seems like there has been a lot of progress on better theoretical underpinnings (CRDTs etc.), which presumably is a good thing.
Nigerian brewed Guinness is the way to go! Available as ‘Foreign Extra’ where I live
The thing that gives me a twitch with Apple software is that when it goes wrong it is awfully difficult to debug it, if not impossible.
Also what mad man set the ‘Facetime Reactions’ feature to ‘on’ by default? That upgrade was great I was swamped with messages asking why a confetti cannon was going off in their video during a job interview
This is what finally drove me out of the Apple ecosystem after almost 20 years. Paying premium prices for things that no longer “just work”, which Apple cannot/doesn’t care to fix, and are so opaque that they’re impossible to debug on your own.
If I’m going to be trapped in a world of flaky software, I don’t need to pay the Apple tax for that! I’ll be much happier with Linux where at least I stand a chance of fixing my own problems
My last trip to the Apple Store concluded with a Genius opening a ticket with Apple. Even support personnel don’t have tools to properly support software.
So right after that came out, I had to
fire someonehelp someone exit the org, and accidentally set off fireworks on the call. When I’m on my deathbed, that, and his reaction, will still be haunting me.If it makes you feel any better, I’ve triggered both the heart emoji while describing a complicated engineering thing to a client and the balloons during a large group call at a point where it was highly inappropriate. At least the balloon thing brought a bit of levity to an otherwise serious discussion.
I enjoy the new “iPhone mirroring” feature in the latest OS, but it will stop working randomly, and when it does, there’s no way to debug why or get it to work again. You just have to hope it works tomorrow.
Not only that, but if you turn it off, it’ll nag you with notifications every time an app starts using the webcam
https://www.mozilla.org/en-US/about/legal/terms/firefox/
:)
That’s… wow. Thank you for highlighting that. I am seriously considering using something other than Firefox for the first time in… ever. Regardless of how one might choose to interpret that statement, it’s frightening that they would even write it. This is not the Mozilla I knew or want. I’d love to know what alternatives people might suggest that are more community focused and completely FOSS, ideally still non-Chromium.
Thankfully, the lawful base for data use is spelled out in their privacy policy:
https://www.mozilla.org/en-US/privacy/firefox/#lawful-bases
e.g. Browsing, Interaction and Search data are “Legitimate interest” and “Consent”-based.
Consent being the kind that I haven’t given, but I’m supposed to actively revoke? Until the next update?
That unfortunately seems to be the current usage of the term “consent” in the tech industry.
Fortunately, that’s not consent as the GDPR defines it
Isn’t it? Most GDPR consent screens have an easy “accept to everything” button and requires going through multiple steps to “not accept”, and many many more steps to “object” to their “legitimate interest” in tracking for the purposes of advertising. As long as these screens remain allowed and aren’t cracked down on (which I don’t foresee happening, ever), that’s the de facto meaning of “consent” in GDPR as far as I’m concerned: something that’s assumed given unless you actively go out of your way to revoke it.
It’s not what the text of the GDPR defines it as, but the text isn’t relevant; only its effect on the real world is.
Yes, definitely. Consent in GDPR is opt-in not opt-out. If it’s opt-out, that’s not consensual. And the law is the law.
Furthermore, for interstitials, to reject everything should be at least as easy as it is to accept everything, without dark patterns. Interstitials (e.g., from IAB and co.) first tried to make it hard to reject everything, but now you usually get a clear button for rejecting everything on most websites.
As I mentioned in another comment, the DPAs are understaffed and overworked. But they do move. A real-world example of a company affected by the GDPR, and that tries testing its limits, is Meta with Facebook. For user profiling, first they tried the Terms of Service, then they tried claiming a legitimate interest, then they introduced expensive subscriptions for those that tried to decline, now they introduced a UI degradation, delaying the user scrolling, which is illegal as well.
Many complain, on one hand, that the EU is too regulated, suffocating inovation, and with US’s tech oligarhs now sucking up to Trump to force the EU into allowing US companies to break the law. On the other hand, there are people who believe that the GDPR isn’t enforced enough. I wish people would make up their mind.
Those are different people, all who have made up their mind.
I thought I made it reasonably clear that I don’t care that much about what the text of the law is, I care about what material impact it has on the world.
I corrected you with facts, and you’re replying with your feelings. Fair enough.
To be fair, @mort’s feeling may come from non-actually-GDPR-compliant cookie consent forms. I have certainly seen where I couldn’t find the “reject all” button, and felt obligated to manually click up to 15 “legitimate interest” boxes. (And dammit could they please stop with their sliding buttons and use actual square check boxes instead?)
I think the worse case is you click “reject all”, but you don’t actually reject all, and the legitimate interests are still checked.
The facts you provided aren’t relevant. I’m talking about the de facto situation as it applies to 99% of companies, you’re talking about the text of the law and enforcement against one particular company. These are different things which don’t have much to do with each other.
You even acknowledge that DPAs are understaffed and overworked, which results in the lacking enforcement which is exactly what I’m complaining about. For what I can tell, we don’t disagree about any facts here.
Well, other people in this sub-thread are talking about GDPR. You might have switched the topic, but that isn’t alexelcu’s fault.
I’m talking about GDPR as well, focusing about what impact it has in practice. I have been 100% consistent on that, since my first message in this sub-thread (https://lobste.rs/s/de2ab1/firefox_adds_terms_use#c_3sxqe1) which explicitly talks about what it means de facto. I don’t know where you got the impression that I’m talking about something else.
But there is enforcement, it’s just slower than we’d like. For example, screens making it harder to not opt in rather than opt in have gotten much rarer than they used to be. IME now they mostly come from American companies that don’t have much of a presence in the EU. So enforcement is causing things to move in the right direction, even if it is at a slow pace.
There is a website tracking fines against companies for GDPR violations [1] and as you can see, there are lots of fines against companies big and small every single month. “Insufficient legal basis for data processing” isn’t close to being the most common violation, but it’s pretty common, and has also been lobbed against companies big and small. It is not the case that there is only enforcement against a few high profile companies.
[1] https://www.enforcementtracker.com/
Why do you lay this at the feet of GDPR?
it’s the other way around - most of the time you have to actively revoke “legitimate interest”, consent should be off by default. Unfortunately, oftentimes “legitimate interest” is just “consent, but on by default” and they take exactly the same data for the same purpose (IIRC there are NGOs (such as NOYB, Panoptykon) fighting against IAB and other companies in those terms)
“Legitimate interest” is the GDPR loophole that ad tech companies use to spy on us without an easy opt-out option, right? I don’t know what this means in this context but I don’t trust it.
It is not, ad tech has been considered not a legitimate interest for… Ever… By the Europeans DPAs. Report to your DPA the one that abuse this. There have been enforcement.
Every website with a consent screen has a ton of ad stuff under “legitimate interest”, most ask you to “object” to each individually. The continued existence of this patterns means it’s de facto legal under the GDPR in my book. “Legitimate interest” is a tool to continue forced ad tracking.
Yes, all of that is illegal under GDPR.
The problem has been that DPAs are understaffed and overworked.
I don’t think you’re disagreeing with me. It’s de jure illegal but de facto legal. I don’t care much what the text of the GDPR says, I care about its material effect on the real world; and the material effect is one where websites put up consent screens where the user has to “object” individually to every ad tech company’s “legitimate interest” in tracking the user for ad targeting purposes.
I used to be optimistic about the GDPR because there’s a lot of good stuff in the text of the law, but it has been long enough that we can clearly see that most of its actual effect is pretty underwhelming. Good law without enforcement is worthless.
No, it’s de facto illegal a well, law enforcement is just slower that we’d like. Ask, for example, Facebook.
De facto illegal for entities at Facebook’s scale? Maybe. But it’s certainly de facto legal for everyone else. It has been 7 years since it was implemented; if it was going to have a positive effect we’d have seen it by now. My patience has run out. GDPR failed.
I just gave you a concrete example of a powerful Big Tech company, with infinite resources for political lobbying, that was blasted for their practices. They first tried hiding behind their Terms of Use, then they tried claiming a legitimate interest, then they offered the choice of a paid subscription, and now they’ve introduced delays in scrolling for people that don’t consent to being profiled, which will be deemed illegal as well.
Your patience isn’t important. This is the legal system in action. Just because, for example, tax evasion happens, that doesn’t mean that anti tax evasion laws don’t work. Similarly with data protection laws. I used to work in the adtech industry. I know for a fact that there have been companies leaving the EU because of GDPR. I also know some of the legwork that IAB tried pulling off, but it won’t last.
Just the fact that you’re getting those interstitials is a win. Microsoft’s Edge browser, for example, gives EU citizens that IAB dialog on the first run, thus informing them that they are going to share their data with the entire advertising industry. That is in itself valuable for me, because it informs me that Edge is spyware.
I agree that the “we’re spying on you” pop-ups is a win in itself. I’m just complaining that it’s so toothless as to in practice allow websites to put up modals where each ad tech company’s “legitimate interest” in tracking me has to be individually disabled. If the goal of the GDPR was to in any way make it reasonably easy for users to opt out of tracking, it failed.
I’m not so sure. I’ve even seen this used as an argument against the GDPR: The spin they give it is “this is the law that forces us to put up annoying cookie popups”. See for example this article on the Dutch public broadcasting agency (which is typically more left-leaning and not prone to give a platform to liberals).
Roughly translated “all innovations in AI don’t work as well here as in the US. And why do you have to click on cookies (sic) on every single website?”
I have seen that as well, and I think it’s bullshit. The GDPR doesn’t force anyone to make any form of pop-up, nobody is forced to track users in a way which requires consent. The GDPR only requires disclosure and an opt-out mechanism if you do decide to spy on your users, which I consider good..
I agree, but at the same time I think the average user just sees it as a nuisance, especially because in most cases there’s no other place to go where they don’t have a cookie popup. The web development/advertising industry knowingly and willfully “complied” in the most malicious and obnoxious way possible, resulting in this shitty situation. That’s 1 for the industry, 0 for the lawgivers.
I agree that it didn’t have the desired effect (which, incidentally, I have spent a lot of this thread complaining about, hehe). I think everyone was surprised about just how far everyone is willing to go in destroying their website’s user experience in order to keep tracking people.
I’m not sure if you’re deep in grumpy posting or didn’t understand the idea here, but for legitimate interest you don’t need to agree and companies normally don’t give you the option. If you’re talking about the extra options you unset manually, they’re a different thing. The “legitimate interest” part is for example validating your identity through a third party before paying out money. Things you typically can’t opt out of without also refusing to use the service.
If you get a switch for “tracking” or “ads” that you can turn off, that’s not a part of the “legitimate interest” group of data.
I’m sorry but this isn’t true. I have encountered plenty consent screens with two tabs, “consent” and “legitimate interest”, and where the stuff under “consent” are default off while the stuff under “legitimate interest” is on by default and must be “objected to” individually. Some have an “object to all” button to “object” to all ad tracking in the “legitimate interest” category.
Here’s one example: https://i.imgur.com/J4dnptX.png, the Financial Times is clearly of the opinion that tracking for the purpose of advertising counts as “legitimate interest”.
I’m not saying that there’s any relationship between this pattern and what’s actually required by the GDPR, my understanding of the actual text of the law reflects yours. I’m saying that this is how it works in practice.
So when I login to lobste.rs (or any other important website) do I grant them the permission to use my credentials? ;-)
Pretty much
this comment remains property of the Mozilla Foundation and is presented here with their kind permission
Mozilla updated the article with a clarifying statement:
the problem is it doesn’t clarify anything. “basic functionality” is not defined. my guess is they want to be able to feed anything we type or upload to a site, to also be able to feed that into an LLM. “anything other than what is described” doesnt help because what is described is so vague as to mean anything “help you experience and interact with online content”
That is… not clarifying. And not comforting. “What is described” in the ToS is “to help you navigate, experience, and interact with online content.” That’s absurdly vague. And what is described in the Privacy Notice is absurdly broad:
Yes. That’s the fucking point.
I’m glad we have this contextless legalese to clarify things. I wonder if there’s some kind of opt-in data collection in Firefox that Mozilla might have legal obligations to clarify their rights to? Couldn’t be that… No, let’s put a pause on critical thinking and post stupid TOS excerpts as if Mozilla are going to steal our Deviantart uploads and sell them as AI training data.
If they need a ToS for a particular feature, then that “contextless legalese” should be scoped to that feature, not to Firefox as a whole.
This is precisely why the same organization should not do all of these things. If they want to do non-tool stuff to continue funding their mission they should start up independently managed companies that can establish these consents for a narrow band of services. They can give the existing organization control as a majority shareholder, with dividends flowing back to the main organization. That is the way to ensure that incentives don’t become misaligned with the mission.
They’re future-proofing their terms of service. That’s even worse than future-proofing one’s code, Though for different reasons.
That language comes off a bit … onerous
But what does it mean? To “navigate”.
That’s it I guess. Thanks for the find! Firefox is dead to me now. What’s the non-evil browser to go to nowadays?
librewolf seems to be the rage now: https://librewolf.net/
On MacOS/iOS there is the Kagi browser Orion: https://kagi.com/orion/
Really disappointing that CPU and RAM are soldered on, especially in a desktop. I understand there were difficulties but the answer is “don’t build the shitty thing”, not “couldn’t find a way of making it not shitty”.
Yeah I definitely agree. The right call would’ve been to not release this, even if I understand it’s very tempting for them.
It’s sad because now they’re bringing problems they set out to solve in laptops to the desktop space. It’s a bit backwards. Hopefully this isn’t a sign of them straying further from the goal.
If these boards are proven to be reliable then this concept could still lead to less e-waste given that it’s just a single board.
But it’s a huge if. And it could seriously backfire if frequent replacements are needed.
The tradeoffs are reasonable, IMO - shared VRAM/RAM is a really powerful feature.
From an engineering perspective, perhaps.
From a trust, values, and brand protection perspective: not at all.
It’s not a question of “engineering perspective” vs “trust, values, and brand protection”. It’s a necessity to realize the desired level of performance (which is desired by a non-insignificant amount of people, see also: democratization of AI).
To bring an analogy, if you’re building a car, the practical necessity for said car to have 4 wheels has higher priority than dislike of wheels as a concept. The other way lies
madnessFSF and their endorsement of 802.11n NICs in 2025.No-one told Framework they had to build a car, though! If it’s not currently possible to build an AI optimised machine without compromising on their principles, then … don’t.
You are missing the forest for the trees.
The principles of Framework is to build things that are more repairable than their competitors. Without Framework, a user who wants a workstation built on an energy-efficient, GPU-capable, highly memory-optimized SoC has no options other than Apple and maybe some NUC-style prebuilts (thus, no repairable/upgradeable options at all). With Framework, there now is a repairable option, even if it’s less repairable than some would want.
In what world is this a net negative?
I think the difference in our opinions might be over just whether such a “highly memory optimised SoC” is Right or Wrong.
I think what Framework has built is Good and Wrong. Hence my claim that it’s bad from a brand perspective.
Sample data of only myself, but, I’ve gone from being quite an evangelist for Framework to seeing them as just another box maker. The horns effect (opposite of the halo effect) from association with AI probably doesn’t help either. Feels very bandwagony.
My personal take is that both are important to have around and it’s unlikely that people as committed to the bit as FSF folks would even buy something from Framework. Maybe I’ve misjudged the target audience though.
Possibly?
I’m not one of the “FSF folks” for a variety of reasons; I bought my wife and I each a Framework laptop, because I greatly value modularity and repairability.
As personal computing hardware becomes ever more appliance-like and user hostile, it was a delight to find a company with values similar to mine, and products to match.
But, surprise! Looks like the allure of hopping on the AI gravy train was too strong. Seems Framework is content to be a shitbox manufacturer who just happens to have some decent models in their lineup.
That’s exactly what I was trying to convey.
That’s not my analogy, that’s a different analogy that happens to use the same metaphor. Unfortunately, this analogy seems unsound, since tyres (and, to a lesser extent, rims) are a consumable item, unlike CPU and RAM.
I posted my take on this question somewhere downthread.
Framework made a PC that generates e-waste and “AI” slop. Lol.
So having made that trade-off, what differentiates them from any other straight-to-landfill consumer appliance manufacturer?
This is such a tone-deaf move. I’d worried about them abandoning their principles once they grew, it never occurred to me that they’d start selling shit like this so early in the piece.
From a company whose whole ethos is “less e-waste” they made a thing that adds to said e-waste.. Absolutely ridiculous.
At a glance, they have a very good reason for doing this. Shared RAM with a humongous bus to the SoC is the only way to compete with, e.g., Apple Silicon.
Framework isn’t supposed to be competing with Apple Silicon by building better Apple Silicon; they’re supposed to be offering an alternative to the consumer appliance / landfill model.
I think they might ultimately have the last word about who exactly they’re supposed to compete with. :)
Well, yes :) But that’s the messaging they’ve run with to date, and attracted a lot of quite vocal supporters along the way. This move might lose a bunch of them; we’ll see.
I think about something like the RasPi with closed source firmware blobs on some components, where they can build something that makes some improvements, and then continue to push the boundaries as time goes on.
I do agree with the sentiment regarding a desktop in particular. I’m looking at this more like a giant NUC but it’s odd positioning! The only sort of side note is at least given the form factor the machine will likely last way longer than laptops do with all their random issues due to their usage patterns.
You kill performance if you force the CPU to communicate with the RAM over a socketed connection.
That’s why Apple Silicon puts CPU, GPU and RAM into the same package, so that there can be a super high bandwidth connection between memory and processing units.
That’s also why high end discrete GPUs use HBM (high bandwidth memory) in the same package as the GPU.
Yes. My point wasn’t to rail against physics, it was to rail against Framework adding this to their product line.
Framework also sells a discrete GPU, an AMD Radeon™ RX 7700S for $550. It has 8GB of GDDR6 RAM that is soldered in, again for performance reasons.
The tragedy of the Framework 16 is that you get to choose between an integrated GPU that has slow access to socketed main memory, or you can use the discrete GPU, which has fast soldered local memory, but then it’s very slow to transfer data between CPU memory and GPU memory. You have two GPUs, but both suffer from performance compromises.
I would like to see a Framework 16 mainboard that has the same architecture as the new desktop mainboard. A high performance GPU and a high performance CPU, both sharing the same high performance memory (aka integrated memory). This would seem to require soldered RAM, or RAM inside an integrated CPU/GPU SOC package.
People who want this kind of high performance architecture in a laptop currently buy macbooks. But it would be nice if Framework were to offer this too.
The Framework desktop has this architecture, so I see it as a step in the right direction.
The difference in memory bandwidth isn’t that high anymore. The M processors had an edge when desktop CPUs were still at DDR4, but with DDR5 you get around 100GB/s (dual channel). The current M4 has a memory bandwidth of 120GB/s. The M4 Pro has 273GB/s, M4 Max has 410GB/s and M2 Ultra has 800GB/s, for transparency, but they are at another pricepoint where you can just as well build a threadripper or even EPYC workstation with up to 700+ GB/s memory bandwidth and orders of magnitude more RAM (Apple charges a lot for RAM and storage).
There still are other advantages of the M processors (latency, etc.) which can’t be beaten without a SoC approach, but the flexibility gained with building your own system is still a more important matter to me personally. There’s also DDR6 on the horizon, but nothing stops Apple from using it as well in their chips. Just as well, nothing stops AMD or Intel from increasing the number of memory channels.
By comparison, the LPDDR5x in the new desktop board has 273 GB/s of bandwidth. So that is a big difference over socketed memory.
I keep dates in my URLs because I quite often have two posts with the same title. E.g. talking about the same movie twice. Still no good for posting the same title twice on the same day but that’s an edge case I just put up with…
I will look at ditching the trailing slash though, it does make sense.
My www ain’t going anywhere ;)
I like using just the year for that - it means you get to reset your namespace once a year, while avoiding your URLs getting too long.
It is required to have the password somehow if you want to connect to WiFi, as the WiFi access point wants to know that you have the correct password. How else would you accomplish this?
If you were to encrypt it, the decryption password would have to be stored somewhere on disk in plaintext, so that wouldn’t help much.
Another case: username and password for a website. The website’s server can have a hashed password stored for every user, but the client must have the password in plaintext. The difference being that the plaintext is often “stored” in the user’s mind. If you were to set up a script to automatically log in and post something, the the password would have to be accessible/plaintext.
From the tone of the article, I’m guessing the author is new(ish) to Linux. They don’t seem to understand that if you “roll your own” network connectivity by following random tutorials and running low-level networking utilities like
wpa_supplicantdirectly, then yeah, you also get to figure out how to store the secrets securely, if that’s what you want.I’m not 100% positive about how GNOME stores wifi passwords. I would think in GNOME keyring? But I do know for sure that KDE Plasma prefers (although does not require) you to store wifi passwords securely in the Wallet.
That is a good guess :)
In the last footnote in the post, I mentioned how the machine’s existing WiFi config (NetworkManager) also stored passwords in plaintext. The option of using a keyring didn’t really occur to me because I didn’t see it being used by the machine.
Using a keyring also brings up another question - how would
wpa_supplicant‘s config get the password from the keyring? I can run a command manually, but is it possible to automate this on boot? (I wouldn’t actually use this as a permanent setup, but just curious)wpa_supplicant gets controlled either over its control socket or its D-Bus API by e.g. NetworkManager (which in turn communicates with the keychain implementation, often also over D-Bus), and either gets the secret pushed with the connection request, or requests it over those connections once it needs the secret.
ohh I remember seeing the D-Bus connection by NetworkManager while working on this. This makes sense, thank you!
You can use wpa_passphrase to precompute the WPA-PSK for a network and store that instead. It’s not going to stop a real attacker, but it can keep the password away from shoulder surfers and other low-effort attacks.
That option was mentioned in footnote 2 of the article, but was dismissed as “this (…) makes hashing pointless” because an attacker can use that value to gain access to the network.
I didn’t see that footnote. Regardless, I agree with your original comment.
Doesn’t every CPU have a “Secure Enclave” for storing secrets? I’m not familiar with how Linux uses it, but on Mac/iOS this is used as the basis of the Keychain, a secure db for keys and passwords.
No. All modern PCs have a TPM, and all modern Intel machines have SGX (for now). Neither of these is exactly equivalent to Apple Silicon’s Secure Enclave. Probably the closest you can come is using the TPM to release a keychain encryption secret only if the computer booted with a genuine software chain (genuine bootloader, genuine kernel, etc. etc.) but this is not done anywhere today to my knowledge. TPM support only just landed in systemd (the production release was a month or two ago).
SGX has not been supported by Intel desktop CPUs for a few generations now.
That would at least protect against theft of a powered off laptop, as the keyring would only be accessible after the user has logged in to their machine. If an attacker tried to dump the hard drive, the password wouldn’t be there, as it would in the default scenario.
The same-ish protection would also apply to a regular keyring encrypted with the user’s login password. The difference being not even an encrypted blob to bruteforce on.
It wouldn’t do much about a root level attacker, which was the implied threat model, as file permissions only allowed reading by root (and someone reading directly from the drive).
I think you can do something like store a wifi password in gnome-keyring
Yeah, that is probably right. The passwords would have to be added to each user’s keyring if there are multiple users of the machine. You’d forego connectivity before user login after boot.
I think this isn’t done because the keyrings that might be installed is orthogonal to the WPA supplicant daemon. I’ve also run WPA supplicant on a Raspberry Pi which doesn’t have any keyring at all – but it could have been an optional feature for supported keyring implementations.
This makes sense.
This makes me realize that I probably should have elaborated on the “not sure why”. I was thinking on something along of the lines of a keyring (I was thinking of Apple’s Keychain, which is where my WiFi password is stored on macOS). My Linux machine’s existing setup (NetworkManager) also stored passwords in plaintext, so I was unsure of why a keyring setup wasn’t the default.
Using a keyring also brings up another question - how would wpa_supplicant‘s config get the password from the keyring? I can run a command manually, but is it possible to automate this on boot? (I wouldn’t actually use this as a permanent setup, but just curious)
There’s a bunch of authentication protocols that could be used with WPA Enterprise access points (https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol), so you could have a setup with EAP-TLS where the TLS private key is stored in an HSM/TPM, or EAP-SIM using a SIM card.
Nice to see a Lisp implementation!
I’m not a heavy bookmark user, and for the few I have I rely on Firefox bookmarks. What are people getting out of having separate dedicated bookmarking servers?
My use case was to access my bookmarks across multiple browsers (through the service’s browser extensions).
Also, as far as I remember, Chrome and Safari lack bookmark tags. You would have to reach out for a separate service if you want tags on those browsers.
Also no tags on Firefox mobile.
Ah, this makes sense, thanks.
I think a better way to think about it is as a “link collection”; it’s a way to track links that are interesting and you have read or want to read. If you spend any amount of time on a link aggregator (and given you’re on lobste.rs I’m assuming you do) you end up with a ton of articles like that and you need to keep track of them beyond your browser’s tabs. The one I wrote for myself even indexes the articles so I can plain text search through them so I can remember where I read something.
After using in-browser bookmarks with keywords I switched to a homemade bookmark server some years ago. My server is set up in a way so that it can be used as a default search engine. What I wanted out of it was:
In theory, 42links can do 1 and 2. For 2 and 3, I wrote ymarks (ymarks.org).
device independence and backups mostly.
I run an instance of https://github.com/sissbruecker/linkding and it works great for my use case.
If there was an (obvious) way to run Linkding on OpenBSD, I probably wouldn’t even have started writing 42links. It seems to be a great software indeed.
It is written in python/sqlite. That should just work on OpenBSD
Where is the documentation on how to install it on OpenBSD? The only supported way seems to be via Docker (which we neither have nor want to have). Running a “dev version” in production sounds like a not-so-great idea.
Adapt the Alpine container definition. Containers aren’t scary, nor are Containerfiles. Treat them as glorified build scripts and they’re trivial to adapt to non-container environments most of the time. This one in particular will nearly 1:1 map to a shell script that should run on almost any OS that can run Python+SQLIte, including OpenBSD.
https://github.com/sissbruecker/linkding/blob/master/docker/alpine.Dockerfile
Ok, that could work. Well… thanks!
I started a similar project a few weeks ago for my bookmarks that has expanded into also covering links I post to social media: https://search.technomancy.us (also in lisp!)
For me the purpose is not to collect the links as much as to index the content on the pages themselves.
That sounds intriguing, indeed. I never had time to play with Fennel though.
Personally, I use both my standard browser’s bookmarks (for bookmarks) and services like the one I wrote :-) for read-it-later tasks; basically, as a TODO link collector. Having those in the browser clutters the bookmarks.
Makes sense. I hadn’t considered a bookmark service as a simple read-it-later alternative.
There is no good way I am aware of to export bookmarks from Firefox when one changes phones (Mozilla’s Sync service is insecure).
Can you elaborate?
I’m fortunate to not have sensitive bookmarks, but I had figured it was end-to-end encrypted with my Firefox Accounts passphrase?
Yes — and Mozilla have access to your Firefox Accounts passphrase in plain text, if you ever log in via HTML that they serve rather than via the browser itself.
End-to-end encryption doesn’t help if the key ever leaves your machine.
I use my own service (gitlab.com/sodimel/share-links) that I started to write a few years ago. The main goals are to be able to share links to my friends and to the internet, to have a rss feed of recently added links, to be able to comment, add tags, group links by collections. The project is using Django so the admin interface is auto-generated, and it allows me to focus on features :)
Interfaces written by software are not really attractive in my opinion.
The admin interface is for myself only, the public interface is written by me for the visitors.
I don’t mind using a “classic themed” django admin if it allows me to add links (it does, and I even added a small bit of js to fetch the title & language of the link I’m adding) and to filter them easily (it does too, I added a lot of filters).
Here’s a screenshot of the admin list view, and here’s the link to my own instance if you want to judge my css skills : https://links.l3m.in/en/
Who am I to judge other people’s CSS skills? I mean, look at mine. There are reasons why 42links uses a (tiny) CSS framework with only a few extra declarations. I can’t design web stuff very well.
As far as I can see from your screenshot and the “demo”, it looks boring, but both functional and accessible. :-)
That’s the magic of the autogenerated django admin interface ; its boring but it works well, and you can configure it the way you want (display more columns, add filters to the right, custom actions in the dropdown).
I wanted to write all the css myself for the public interface, and that’s what I did. I really like the idea of an horizontally-scrollable filter list, it works very well on mobile :)
I’m confused as to why an HTML blog would strain a server more than a plain text blog. Serving this text as HTML might, POSSIBLY, double the size from 1kb to 2kb. Killing off the favicon would be just as effective, maybe moreso, for saving server resources.
I had assumed this was satire.
Anyway it’s not even close to double I think. I wrote a 6 paragraph blog post, one with and one without html. The html was just
Then
<p>tags aroudn the actual text.The end result was just a 400 bytes smaller in plain text. But if you put links in you could click them etc etc.
Also, txt in a browser is surely more likely to be deprecated over html
Honestly, you’ve gone way overboard with the HTML there, too. You could drop the lang, the doctype, and the entire head block and it would work fine on 99.99% of browsers.
I think in HTML5 he could drop everything except the doctype and it would be valid, wouldn’t it?
The smallest “hello, world” HTML5 document I am able to write that passes both the Nu HTML Checker and
tidyversion 5.8.0 is the following one:Anything less and the Nu HTML Checker emits a warning. Tidy output looks good for the above HTML, if we don’t mind the following warning about implicit tag:
Dropping the lang is bad for accessibility. Without the doctype it’s not valid standards mode HTML5. The charset is necessary if you have any non-ASCII characters. The viewport tag is needed for proper rendering on mobile.
Dropping the lang is no worse for accessibility than just serving a txt file.
(I will go to my grave arguing that “lang” does nothing for accessibility, but I’ve lost that fight here already)
I don’t think txt files are so much of a problem in term of accessibility (I mean you can configure your screen reader to change the spoken language).
I created this txt blog for two reasons :
But I really like lightweight websites with html & css, and love to waste my time exploring funky lightweight designs from 1MB club (https://1mb.club/) :)
To be clear, you should do what makes you happy, and if this is it, good on you. I just don’t think the savings are significant, for the tradeoffs.
While I understand the spirit, you may be shooting yourself in the foot. If your intention is for people to read your articles, not just have the server serve them, you’d do well in improving the reader’s user experience just a bit. Plain text is just not great to read on desktop and on mobile it is unreadable (I mean literally unreadable because the font size is miniscule).
As it stands it’s a bit contradictory to care about readers not being able to see your website if it gets squeezed to death because when they are able they can’t read it anyway.
I don’t really mind if no one is reading my articles. I have another blog (in french) at l3m.in, which is made of html, css and even some images.
I disagree on your take on mobile readability; the reading mode (at least on firefox, haven’t tried on another browser) handle txt files just fine :)
Not as practical, but I also made https://1kb.club when I thought 1MB wasn’t extreme enough ;)
Oh you’re the one behind 1kb.club! Thank you for your work, I love stumbling across your site from time to time and discover new websites!
I found Mark Nottingham’s description of Apple’s potential responses to the UK interesting.
Presumably they have complied to some extent in China
In china you can’t enable ADP and so your iCloud keys are always in escrow on Apple’s servers. That’s the access China will have. The UK wants access to the keys Apple don’t have, too.
Apple .. decentralize? in what alternate universe is the author living?
SimpleX seems cool but:
Surely this is how almost every chat app is getting pwned though?
Not sure. The question is who is the attacker. If it’s state agency, then definitely not. If a state agency is targeting you, you probably don’t stand a chance. But given how state leaders are shifting more and more to the fascist extremes (left and right…), complete citizen observation isn’t just a topic for china anymore. So not wanting any data on the server is IMO a very valid concern, because that makes “observe everyone” much harder.
I made something like this a while ago with a receipt printer. It would print out the forecast, word of the day, quote of the day, and I think some randomly chosen “lucky numbers”. The idea was that if something important happened that day, I could have a physical artifact of the day. I stopped using it because I found myself just not reading anything on it after a while, it all felt a bit same-y. but it was a fun little project, and I learned that lots of receipt printers are super cool and have a really simple serial interface. and also that the most expensive part of a receipt printer is probably the power supply, rather than the printer itself. I did a couple of other things with the printer, but ultimately, it is now languishing on my wall with nothing to do. Oh well!
Were you able to find one that doesn’t have all the apparently toxic chemicals in the paper? That’s mostly what keeps me from poking at receipt printers. Laser printer toner is also remarkably toxic and similarly absorbed through the skin, as I recall, which I also try to avoid – though in theory it’s fine once it’s baked onto the page at least.
BPA free receipt paper should be easily available.
note though that BPA-free often means it uses BPS instead, which has a lot of the same concerns attached. And I’m guessing BPA/BPS-free again needs a look into what it was replaced with there… (and is more expensive, but that doesnt really matter for a toy use case like this)
Thermal transfer is the way I think. Also lasts a lot longer on the paper rather than fading over time.
But the printers tend to be a little bigger I think, and you have a ribbon to change
If you are interested in playing from local storage only I would also recommend checking out Kodi. I don’t ever quite know what people mean by “clunky” but its super fast and handles a very large collection of media without any bother.
Main issue is finding a device on which to install it. But there are whole distros that do nothing but run it, like coreelec, librelec, osmc. These are each designed for specific contexts and hardware choices.
Been using some form of Kodi for well over a decade now (albeit now with jellyfin, since a house move we wanted multi device streaming)
edit: I should add that I think you can also use the apple remote, or at least that’s what I did for a few years
What do you install kodi on? On the device that you consume media from? Or does it go on a server of sort?
In this context, generally a box that goes by the TV. So, a raspberry Pi, a Vero 4k, nvidia shield, apple tv etc. I use one called a Ugoos Am6b+ which I like because it does DolbyVision.
The distros I listed basically are a way to package Kodi and boot straight into it. For example, I use corelec on my Ugoos. Osmc runs on the vero 4k. Librelec I think can go on a pi.
If you have a NAS it’s very much geared around streaming from that over the LAN. Otherwise it can also do local storage on the device itself.
I’m assuming you mostly serve video files from the NAS that you watch from Kodi. Do you use anything to manage the library so to speak? Or are the just served as a simple file system?
It’s a simple file system on the NAS, reasonably neatly organised but yeah I do that bit manually. Kodi sees it and scrapes a bunch of metadata etc for each file, then builds a library for you that is searchable and looks good on the TV (all the apps do this I guess)
Raspberry Pi 5 or 500 is cheap, extremely common and well-understood, uses little power, and is capable to the point of overkill.
We use NUC. At least i3 to handle more unusual codecs on CPU.
Kodi is nice, but not perfect. But it is simple enough to control even when sick or not 100% sober. It also has companion apps. For Android at least. I just stream to my phone over tailnet.
Jellyfin is where obscure shows go so that we can watch them with our parents on their snoop^W smart TVs.
I use the jellyfin plugin for kodi and while not perfect, I like it. I guess I’m just used to the kodi interface now lol
Without specifically mentioning the ones you’re referring to it’s hard to know what this relates to.
I’ve recently adopted Jellyfin, and found it to be generally fine - a few quirks here and there but generally fine. The biggest downside I’ve seen so far is that there isn’t (to my knowledge) a good Mac open source client for it - but this article is about an AppleTV which doesn’t have that issue. I’m aware some of the iOS/iPadOS clients can run on macOS, but none of the ones I’ve tried work very well with a large screen.
Can someone expand on what specifically makes Infuse better?
Infuse has native support for jellyfin too. It’s quite a good app and has support for more codecs than just native iOS player (which jellyfin uses).
But, I don’t mind the jellyfin client on iOS? It seems to do what I want it to.
My guess is the author doesn’t want multi-device streaming /status syncing so jellyfin isn’t required. In which case infuse on appletv is a decent choice.
There’s a few mentions in there of having a phone and tablet; I do appreciate that Infuse makes it very easy to start watching a show on one screen and continue on another.
I didn’t name the specific open source apps because I didn’t want to get into an inevitably pretty nitpicky arguments about each. As a programmer running a linux desktop I’m pretty tolerant of clunky UI, but the apps I tried felt significantly worse and were soundly rejected by the nontechnical TV users. There’s probably a lot of familiarity at work in the personal taste; Infuse looks a lot like the popular streaming services.
I get that, and I have infuse on ios devices and very much like it. The cool thing is, if you ever want to expand and do plex/jellyfin style stuff, infuse has support for it baked right in.
The other thing I like is offline downloads, for when I hit the road but still wanna watch curb on repeat
This HN thread on Jellyfin hits all of the issues I had with the open source options and also hits all of the “you’re doing it wrong” nitpicking I was not interested in participating in.
Jellyfin rocks: https://kaushikghose.wordpress.com/2025/01/27/the-jellyfin-media-server-is-awesome/
Give it a bit of time.
I’ve been 2 years problem free now, really surprised and impressed with it
LOL My needs are pretty modest, and I’m just impressed by all the free engineering hours that have gone into it and the features it has. What should I look out for? The fact that they have a Roku App was pretty amazing for me.
PS. Thanks for reading!
IMO the best way to use jellyfin on a personal computer is with jellyfin-mpv-shim and mpv. It’s what I use on Windows and Linux. jellyfin-mpv-shim has instructions for macOS so I am assuming that both that and mpv are available on macOS. mpv the media player is very minimalistic so it takes getting used to because the keybinds and such are not apparent but it works really well if you know how to handle it.
https://github.com/jellyfin/jellyfin-mpv-shim/blob/master/README.md#osx-installation
I switched over to Jellyfin Media Player because it uses MPV internally, and includes the web interface so it feels less clunky. The shim would sometimes break, and when I’m trying to watch something, I definitely don’t want to be debugging things.
JMP uses Qt’s Web engine, which is not extra lightweight but at least shared with other apps, so it’s worth the tradeoff for me.
What do you get with the jellyfish client? I set up myself a nad and jellyfin on top, but watching via a browser is okay for our needs.
There are some codecs that the browser can’t play. If you host jellyfin on a weak machine, you have to disable transcoding. So dedicated clients who are able to handle a larger variety of codecs are preferable to browsers.
I’ve noticed significantly better UI responsiveness and playback from the native app running on an AppleTV (which connects over average quality WiFi) than I do from a M2 Ultra Mac Studio with 128GB of RAM connecting to the same Jellyfin server over wired gigabit ethernet.
I assume it’s because the native app is better able to cache and preload content than the browser based client.
Ps. What do you mean open source client for Mac? I use Firefox.
I mean a native client app for playback, rather than accessing it through a browser - the browser client is fine for admin tasks but for playback it’s less ideal IME: https://lobste.rs/s/sn8buz/tv_setup#c_altp8l
The founder is trying to start up a new production run thanks to this.
https://repebble.com/
I wish them all the best, the OG pebbles were pretty good devices.
I’m not following how
g.cowas actually involved here, or how it might have been compromised.The email came from
google.com. The email passed SPF and DKIM.The subject mentions
important.g.coand it appears in the email body. But there aren’t any links to it, so the phising attempt seems to not actually rely on it in a way that requires a compromise ofg.co. I don’t think the title of this post is warranted, as it appears unsupported by the facts.It seems more relevant that the attacker convinced a
google.comserver to send the email for them, or that they got a hold of a DKIM key to sign it.It would’ve probably been a little more suspicious if it said
case-g287686.cominstead. There’s also this, from an update to the gist:I imagine this issue extends past
g.coand could be used for any domain (besides those already registered likegoogle.com). So yeah, it’s not an issue withg.co, but there is arguably an issue with Google Workspace allowing these phishing attempts to be just a little more convincing than they would otherwise.Thank you! I thought I was going nuts reading this, it’s got nothing to do with g.co
Someone in the comments there has a theory:
I won’t repeat the steps to perform the targeted password reset email part of this phishing attempt, but it appears that this is entirely a Google Workspace domain verification problem.
I suggested a title change for this post yesterday. @Aks if you see this, the title of this story is inaccurate and has been at the top of the front page for quite a while now; if you could change it, that’d be great. The same story was posted on Reddit with a more accurate title:
People are rightly hard on tailwind.
And yet… for someone who sucks at front end responsive design I can’t deny it didn’t take me long to get a decent website up and running.
IME, the critics of Tailwind CSS are often CSS experts. So to them, “CSS isn’t hard”. The Tailwind abstractions just seem an extra step to them.
To me, though, they’re very useful and portable.
This is an okay stance to take & on the other end I can agree that CSS isn’t hard & don’t want to memorize a billion classname conventions, but what grinds my gears is when a tech lead or back-end team has mandated it on a front-end team that would prefer to not have that decision made for them—as can be said about most tools put on teams by folks not on those teams.
To me, if I want something that follows a system, the variables in Open Props covers what I need to have a consistent layer that a team can use—which is just CSS variables with a standardlized naming scheme other Open Prop modules can use. It is lighter weight, doesn’t need a compile step to be lean, & lets you structure your CSS or your HTML as you want without classname soup.
May not hard to write, but certainly it is hard to maintain. CSS makes it SO EASY to make a mess. In no time you’ll be facing selector specificity hell. If you have a team with juniors or just some backend folks trying to do some UI, that’s very common.
“But what about BEM?”. I like BEM! But, again it’s an extra step and another thing to learn (and you’re choosing not to deal with CSS specificiy to avoid its pitfalls).
IME, the BEM components I wrote were more effective and portable the smaller they were. I ended up with things like
text text--small text--italic, which were basically in-house versions of Tailwind (before I knew what it was).So, to paraphrase Adam, I rather have static CSS and change HTML than the reverse.
You can use utility classes & Open Prop names & still not use exclusively utility classes. No one has said Tailwind can’t be used for utility when needed, but in practice I see almost all name go away. There is nothing to select on that works for testing, or scraping, or filter lists.
Having a system is difficult since you have to make it stringly-typed one way or another, but that doesn’t discount the semantics or considering the balance needed. Often the UI & its architecture are low-priority or an afterthought since matching the design as quickly as possible tends to trump anything resembling maintainability & the same can happen in any code base if no standards are put in place & spaghetti is allowed to pass review.
It really is just the same old tired arguments on both sides tho really here. This isn’t the first time I have seen them & that post doesn’t really convince me given it has an agenda & some of the design choices seem intentionally obtuse without use of “modern” CSS from like the last 4–5 years.
Is this something that happened to you? Why would the back-end team decide on what technology the front-end team should use?
On multiple occasions have I seen a CTO, tech lead, or back-end team choose the stack for the front-end either before it was even started or purely based on a some proof-of-concept the back-end devs built & did not want the stack to change… just that it was entirely rewritten/refactored.
It raises the question that maybe the abstractions that were adopted by CSS are not the right ones in the long term, as other solutions are more team-friendly, easier to reason about.
I find the original tailwind blog post really enlightening: https://adamwathan.me/css-utility-classes-and-separation-of-concerns/
Separation of presentation and content makes a lot of sense for a document format, and has been widely successful in that segment (think LaTex). But for how the web is used today (think landing websites or webapps), the presentation is often part of the content. So the classic “Zen garden” model of CSS falls apart.
I’m in the same boat. I was appalled by it the first time I saw it.
But it fits my backend brain and makes building things so much easier. I like it in spite of myself. I’ve just never been able to bend my brain to automatically think in terms of the cascade, and reducing that to utilities makes it so much more workable for me, and lets me try things out faster. I’m excited about this release.
I am happy that you got a decent website up with Tailwind. I’m sad that you had a hard time with CSS and the conclusion you reached was that you were the one that sucked.
I really can’t be bothered to learn CSS or deal with “web standards”.
Didn’t web apps take off with users because they didn’t have to download and install software? You just create an account and off you go. Electron gets rid if that advantage.
Then it became the norm and loads of stuff was web based, electron seemed like the cheapest way to make a desktop app using existing devs at a company that also produced a web app.
Now HTML and js are all over the place and developing a native app is niche and expensive so electron makes sense.
I feel like the history of electron is a history of cost cutting to achieve cross-platform compatibility. Same goes with web apps.
As a solo dev, I produce web apps for work because all my users have a web browser regardless of platform, so I can sympathise with this approach. But in a perfect world it’d be a native app for each of them.
Also the McDonald’s screen sucks and is a terrible example
Stop playing so much balatro. Enjoy my newly configured atuin. Do more yoga
Balatro sucked me in for several weeks. Can’t even remember what I was trying to achieve now
yeah this past weekend went by in a blink