Threads for ssl

    1. 9

I’m certain that the shitshow that the big telco equipment providers ship isn’t any better. Some stuff that I’m NDA’d on would make anyone sane just close their computer and hit the nearest pub.

      1. 26

I find it amazing that so many people are discovering Niri right now (me too!). Last weekend I even took the time to write a short ArchWiki page about it. It’s not complete and I encourage people to add stuff to it.

        1.  

The first interesting bit mentions xkb options. I appreciate that a lot, as a user of a few extremely esoteric ones that luckily someone supports.

          1.  

            May I ask: how does using Alacritty with Niri work, given that Alacritty (last I checked) had some kind of strict one-window-only policy? They encourage using tmux to get multiple sessions etc, which I do. But for it to work in a reasonable way with Niri I’d want multiple windows. How does that work?

            1.  

              I don’t think that Alacritty has that problem anymore. I’ve never found a problem with opening multiple instances of Alacritty, one per window.

              1.  

                I’d imagine by spawning multiple processes.

            2. 16

A Chromecast is just a wireless cable connecting my laptop to my TV. I don’t want it to have a “device authentication certificate” that expires, any more than I want my USB cables to contain these things. The purpose of this certificate isn’t anything that benefits me; it sounds like an anti-consumer measure for enforcing someone’s business model. Can anyone explain?

              1. 16

                Presumably it’s there to prevent anyone from releasing devices that “work with Chromecast” without approval from Google. So yeah, it’s not really in your interest. It definitely means that Cast is not an open protocol, which is a shame.

                1. 3

                  I wish someone just made a “wireless HDMI cable”, but Chromecasts were never really that. I chose not to buy one once I found out they don’t let you actually use them like an external display - you can’t show anything you want, it has to be a chrome tab.

                    1. 3

                      The problem with Miracast is that it uses a separate WiFi Direct connection, so it needs OS and hardware support (can’t just work over a regular TCP/IP network like Chromecast) and can’t be routed, sent over Ethernet, competes with client usage of the WiFi interface, etc… I’ve never had it work well.

                      I wish there was a standard like Miracast but over an existing TCP/IP network/AP. The closest thing is AirPlay, but that’s not an open standard either and last I checked there was no open source AirPlay sender out there to cast from Windows/Linux machines…

                      1. 6

                        The closest thing is AirPlay, but that’s not an open standard either

                        In December the EU Commission in relation to the DMA proposed forcing Apple to among other things open up AirPlay. My first reaction was that it would be hilarious if AirPlay, against Apple’s will, ended up becoming a better alternative to Google Cast for everyone. So I guess keep your fingers crossed?

                        1.  

                          I think I remember reading that MiracleCast originally only supported that mode of operation due to incompleteness, but it’s been a long time.

                          1. 1

                            Microsoft actually has a protocol extension to Miracast for that [0], it does still use WiFi Direct for display discovery though which annoyingly means your device has to have a WiFi card for it to work. Not very many of the open source implementations support it though, the only one I know of that does is GNOME Network Displays.

                            [0] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb

                        2. 3

                          Chromecast does let you cast your display to them, you can do that from Chrome (cast display) or Android.

                          On the receiving end it’s just an instance of Chrome, but I’m guessing it’s just implemented by having a web page display a WebRTC feed (which is just as well).

                        3. 1

                          It’s more likely a DRM thing, so that Disney and Netflix will let you play stuff on it, right?

                          1. 4

                            From what I understand of the Cast protocol, in most cases, the client (phone) just tells the Chromecast device what to do; it doesn’t actually stream the content. There is a mode that allows the client to tell the Chromecast to connect back to the client and stream from it directly, which is exposed in the Chrome browser, but that isn’t used by streaming services.

                            It is possible I suppose that Netflix and co demanded that the communication channel between the client app and the Chromecast device be protected, even if you generally aren’t using it to send protected data.

                            1. 4

                              I don’t think that makes much sense. DRM stuff like Netflix would just rely on Widevine support in the Chromecast itself. So a third party device not licensed to play Widevine content just won’t work with Netflix (but should work with everything else).

                              That is, the device authentication for Chromecast is one thing (and one certificate), and the authentication for Widevine DRM is separate (with its own certificate).

                              1. 1

                                DRM stuff like Netflix would just rely on Widevine support in the Chromecast itself.

                                Well, yes, different devices, 1st party vs 3rd party, have different Widevine/chrome-cdm “protection” features, and the streaming party (netflix, disney+) might check that level vs their policies. This is why some apps indeed fail to cast to Xiaomi sticks etc.

                        4. 0

                          Planned and enforced obsolescence via certificates.

                          This is the future the “HTTPS everywhere” crowd wants ;)

                          It will be interesting to see if Google fixes this. On the one hand, brand value. On the other, it’s a chance to force purchase of new hardware!

                          1. 47

                            This is the future the “HTTPS everywhere” crowd wants ;)

                            Not me. I want HTTPS Everywhere and I also don’t want this.

                            1. 6

                              What’s your marketing budget? If you aren’t aligned with the marketing budget havers on this, how do you expect them to treat you when your goals diverge?

                              See also, fast expiring certificates making democratized CT logs infeasible, DNS over HTTPS consolidating formerly distributed systems on cloudflare. It’s not possible to set up a webpage in 2025 without interacting with a company that has enough money and accountability to untrustworthy governments to be a CA, and that sucks.

                              HTTPS is cool and all, but I wish there was a usable answer that wasn’t “just centralize the authority.”

                              1. 3

                                Sigh. Lobsters won’t let me post. I must be getting rate limited? It seems a bit ridiculous, I’ve made one post in like… hours. And it just shows me “null” when I post. I need to bug report or something, this is quite a pain and this is going to need to be my last response as dealing with this bug is too frustrating.

                                See also, fast expiring certificates making democratized CT logs infeasible, DNS over HTTPS consolidating formerly distributed systems on cloudflare.

                                Can you tell me more about these? I think “infeasible” is not accurate but maybe I’m wrong. I don’t see how DoH consolidates anything as anyone can set up a DoH server.

It’s not possible to set up a webpage in 2025 without interacting with a company that has enough money and accountability to untrustworthy governments to be a CA, and that sucks.

You can definitely set up a webpage in 2025 pretty easily with HTTPS, especially as you can just issue your own CA certs, which your users are welcome to trust. But if your concern is that a government can exert authority within its jurisdiction, I have no idea how you think HTTP is helping you with that or how HTTPS is enabling that specifically. These don’t feel like HTTPS issues; they feel like regulatory issues.

                                HTTPS is cool and all, but I wish there was a usable answer that wasn’t “just centralize the authority.”

                                There are numerous, globally distributed CAs, and you can set one up at any time.

                                1.  

                                  Lobsters has been having some issues, I had the same trouble yesterday too.

The CT log thing is something I read on here iirc, basically that CT logs are already pretty enormous and difficult to maintain; if there are 5x as many cert transactions because they expire in 1/5 the time, the only people who will be able to keep them are people with big budgets.

I suppose I could set up a DoH server, but the common wisdom is to use somebody else’s, usually Cloudflare’s. The fact that something is technically possible doesn’t matter in a world where nobody does it.

                                  especially as you can just issue your own CA certs

                                  Are you joking? “please install my CA cert to browse my webpage” may technically count as setting up a web page but the barrier to entry is so high I might as well not. Can iphones even do that?

                                  There are numerous, globally distributed CAs, and you can set one up at any time.

                                  That’s a lot more centralized than “I can do it without involving a third party at all.”

                                  I dunno, maybe I’m just romanticizing the past but I miss being able to publish stuff on the internet without a Big Company helping me.

                                  1.  

The CT log thing is something I read on here iirc, basically that CT logs are already pretty enormous and difficult to maintain; if there are 5x as many cert transactions because they expire in 1/5 the time, the only people who will be able to keep them are people with big budgets.

                                    Strange but I will have to learn more.

I suppose I could set up a DoH server, but the common wisdom is to use somebody else’s, usually Cloudflare’s.

                                    Sure, because that’s by far the easiest option and most people don’t really care about centralizing on Cloudflare, but nothing is stopping people from using another DoH.

                                    Are you joking? “please install my CA cert to browse my webpage” may technically count as setting up a web page but the barrier to entry is so high I might as well not. Can iphones even do that?

                                    iPhones being able to do that isn’t really relevant to HTTPS. If you want to say that users should be admins of their own devices, that’s cool too.

                                    As for joking, no I am not. You can create a CA, anyone can. You don’t get to decide who trusts your CA, that would require work. Some companies do that work. Most individuals aren’t interested. That’s why CAs are companies. If you’re saying you want a CA without involving any company, including non-profits that run CAs, then there is in fact an “open” solution - host your own. No one can stop you.

                                    You can run your own internet if you want to. HTTPS is only going to come up when you take on the responsibility of publishing content to the internet that everyone else has to use. No one can stop you from running your own internet.

                                    That’s a lot more centralized than “I can do it without involving a third party at all.”

                                    As opposed to running an HTTP server without a third party at all? I guess technically you could go set up a server at your nearest Starbucks but I think “at all” is a bit hard to come by and always has been. Like I said, if you want to set up a server on your own local network no one is ever going to be able to stop you.

                                    I dunno, maybe I’m just romanticizing the past but I miss being able to publish stuff on the internet without a Big Company helping me.

                                    What did that look like?

                              2. 1

                                I want the benefits of HTTPS without the drawbacks. I also want the benefits of DNS without the drawbacks.

                                On the one hand, I am completely sincere about this. On the other, I feel kind of foolish for wanting things without wanting their consequences.

                                1. 1

                                  Which drawbacks? I ask not because I believe there are none, but I’m curious which concern you the most. I’m sympathetic to wanting things and not wanting their consequences haha that’s the tricky thing with life.

                                  1. 4

                                    HTTPS: I want the authentication properties of HTTPS without being beholden to a semi-centralized and not necessarily trustworthy CA system. All proposed alternatives are, as far as I know, bad.

                                    DNS: I want the convenience of globally unique host names without it depending on a centralized registry. All proposed alternatives are, as far as I know, bad.

                              3. 42

These kinds of accusations are posts that make me want to spend less time on Lobsters. Who knows if it’s planned or accidental obsolescence? Many devices and services outlive their teams by much longer than anticipated. Everyone working in software for a long while has experienced situations like those. I also find the accusation that HTTPS is leading to broken devices rather wild…

I want to offer a different view: how cool is it that the device was fixable despite Google’s failure to extend/exchange their certificate. Go, tell your folks that the Chromecast is fixable and help them :)

                                1. 14

                                  For me, it’s takes like yours that irritate me. Companies that are some of the largest on the planet don’t need people like you to defend them, to make excuses for them, to try to squelch the frustration directed towards them because they’re either evil or incompetent.

                                  By the way, there is no third option - either they’re evil and intended to force obsolescence upon these devices, or they’re incompetent and didn’t know this was going to happen because of this incompetence.

                                  The world where we’re thinking it’s cool that these devices are fixable tidily neglects the fact that 99% of the people out there will have zero clue how to fix them. That it’s fixable means practically nothing.

                                  1. 10

                                    For me, it’s takes like yours that irritate me. Companies that are some of the largest on the planet don’t need people like you to defend them, to make excuses for them, to try to squelch the frustration directed towards them because they’re either evil or incompetent.

                                    Who cares? No one is defending Google. People are defending deploying HTTPS as a strategy to improve security. Who cares if it’s Google or anyone else? The person you’re responding to never defends Google, none of this has to do with Google.

                                    By the way, there is no third option - either they’re evil and intended to force obsolescence upon these devices, or they’re incompetent and didn’t know this was going to happen because of this incompetence.

                                    Who cares? Also, there is a very obvious 3rd option - that competent people can make a mistake.

                                    Nothing you’ve said is relevant at all to the assertion that, quoting here:

                                    This is the future the “HTTPS everywhere” crowd wants ;)

                                    1. 3

                                      Even though you’re quoting me, you must be mistaken - this post is about Google, and my response was about someone who is defending Google’s actions (“Who knows if it’s planned or accidental obsolescence?”).

                                      I haven’t a clue how you can think that a whole post about Google breaking Google devices isn’t about Google…

To the last point, “https everywhere” means things like this can keep being used as an excuse to turn fully functional products into e-waste over and over, and we’re left wondering if the companies responsible are evil or dumb (or both). People pretending not to get the connection aren’t really making a good case for Google not being shit, or for how the “https everywhere” comment is somehow a tangent.

                                      1. 1

                                        Nope, not mistaken. I think my points all stand as-is.

                                  2. 2

Take what you want from my employment by said company, but I would guess absolutely no one in privacy and security has any wish/intention/pressure to not renew a certificate.

                                    I have no insider knowledge about what has happened (nor could I share it if I did! But I really don’t). But I do know that the privacy and security people take their jobs extremely seriously.

                                    1. 7

                                      Google has form in these matters, and the Chromecast as a brand even has an entry here:

                                      https://killedbygoogle.com/

                                      But in the future I’ll be more polite in criticizing one of the world’s biggest companies so that this place is more welcoming to you.

                                      1. 17

                                        This isn’t about who you criticize, I would say the same if you picked the smallest company on earth. This is about the obvious negativity.

This is because the article isn’t “Chromecast isn’t working and the devices all need to go to the trash”. Someone actually found out why and people replied with instructions on how to fix these devices, which is rather brilliant. And all of that despite Google’s announcements that it would discontinue it.

                                        1. 14

                                          This is the future the “HTTPS everywhere” crowd wants ;)

                                          I’m not exactly sure what you meant by that, and even the winky face doesn’t elide your intent and meaning much. I don’t think privacy and security advocates want this at all. I want usable and accessible privacy and security and investment in long term maintenance and usability of products. If that’s what you meant, it reads as a literal attack rather than sarcasm. Poe’s law and all.

                                          1. 8

                                            Not all privacy and security advocates wanted ‘HTTPS everywhere’. Not all of the ‘HTTPS everywhere’ crowd wanted centralized control of privacy and encryption solutions. But the privacy and security discussion has been captured by corporate interests to an astonishing degree. And I think @gerikson is right to point that out.

                                            1. 4

                                              Do you seriously think that a future law in the US forcing Let’s Encrypt (or any other CA) to revoke the certificates of any site the government finds objectionable is outside the realms of possibility?

                                              HTTPS everywhere is handing a de facto publishing license to every site that can be revoked at will by those that control the levers of power.

                                              I admit this is orthogonal to the issue at hand. It’s just an example I came up with when brewing some tea in the dinette.

                                              1. 19

                                                In an https-less world the same people in power can just force ISPs to serve different content for a given domain, or force DNS providers to switch the NS to whatever they want, etc. Or worse, they can maliciously modify the content you want served, subtly.

                                                Only being able to revoke a cert is an improvement.

                                                Am I missing something?

                                                1. 3

                                                  Holding the threat of cutting off 99% of internet traffic over the head of media companies is a great way to enforce self-censorship. And the best part is that the victim does all the work themselves!

                                                  The original sin of HTTPS was wedding it to a centralized CA structure. But then, the drafters of the Weimar constitution also believed everything would turn out fine.

                                                  1. 8

                                                    They’ve just explained to you that HTTPS changes nothing about what the government can do to enact censorship. Hostile governments can turn your internet off without any need for HTTPS. In fact, HTTPS directly attempts to mitigate what the government can do with things like CT logs, etc, and we have seen this work. And in the singular instance where HTTPS provides an attack (revoke cert) you can just trust the cert anyways.

                                                    edit: Lobsters is basically completely broken for me (anyone else just getting ‘null’ when posting?) so here is my response to the reply to this post. I’m unable to reply otherwise and I’m getting no errors to indicate why. Anyway…

                                                    Yeah, “trust the cert anyway” is going to be the fig leaf used to convince a compliant SCOTUS that revoking a certification is not a blatant violation of the 1st amendment. But at least the daily mandatory webcast from Dear Leader will be guaranteed not to be tampered with during transport!

                                                    This is getting ridiculous, frankly.

You’ve conveniently ignored everything I’ve said and focused instead on how a ridiculous attack scenario that has an obvious mitigation has 4 words that somehow you’re relating to SCOTUS and 1st amendment rights? Just glossing over that this attack makes almost no sense whatsoever, glossing over that the far easier attacks apply to HTTP at least as well as (or often better than) HTTPS, glossing over the fact that even more attacks are viable against HTTP that aren’t viable against HTTPS, glossing over that we’ve seen CT logs actually demonstrate value against government attackers, etc etc etc. But uh, yeah, SCOTUS.

                                                    SCOTUS is going to somehow detect that I trusted a certificate? And… this is somehow worse under HTTPS? They can detect my device accepting a certificate but they can’t detect me accessing content over HTTP? Because somehow the government can’t attack HTTP but can attack HTTPS? This just does not make any sense and you’ve done nothing to justify your points. Users have been more than charitable in explaining this to you, even granting that an attack exists on HTTPS but helpfully explaining to you why it makes no sense.

                                                    1. 3

                                                      Going along with your broken threading

                                                      My scenario was hypothetical.

                                                      In the near future, on the other side of an American Gleichschaltung, a law is passed requiring CAs to revoke specific certificates when ordered.

                                                      If the TLS cert for CNN.com is revoked, users will reach a scary warning page telling the user the site cannot be trusted. Depending on the status of “HTTPS Everywhere”, it might not be able to proceed past this page. But crucially, CNN.com remains up, it might be accessible via HTTP (depending on HSTS settings) and the government has done nothing to impede the publication.

                                                      But the end effect is that CNN.com is unreadable for the vast number of visitors. This will make the choice of CNN to tone down criticism of the government very easy to make.

                                                      The goal of a modern authoritarian regime is not to obsessively police speech to enforce a single worldview. It’s to make it uneconomical or inconvenient to publish content that will lead to opposition to the regime. Media will parrot government talking points or peddle harmless entertainment. There will be an opposition and it will be “protected” by free speech laws, but in practice accessing its speech online will be hard to impossible for the vast majority of people.

                                                      1. 4

                                                        But crucially, CNN.com remains up, it might be accessible via HTTP

                                                        I feel like your entire argument hinges on this and it just isn’t true.

                                                        1. 3

If the USA apparatus decides to censor CNN, revoking the TLS cert wouldn’t be the way. It’d be secret court orders (not unlike the recent one the British government sent to Apple), and, should they not comply, apprehension of key staff.

And, even if such a cert revocation happened, CNN would be able to get a new one within seconds by contacting any other ACME CA; there are even some operating in the EEA.

I think your whole argument is misguided, and not aimed at understanding the failures of Google, but at lashing out at an only tangentially related problem space.

And my comment is not a defence of Google or Cloudflare; I consider both to be malicious for a plethora of reasons.

                                                          1. 1

                                                            You’re still thinking like the USSR or China or any totalitarian government. The point isn’t to enforce a particular view. The point is to prevent CNN or any other media organization from publishing anything other than pablum, by threatening their ad revenue stream. They will cover government talking points, entertainment, even happily fake news. Like in Russia, “nothing is true and everything is possible”.

And, even if such a cert revocation happened, CNN would be able to get a new one within seconds by contacting any other ACME CA; there are even some operating in the EEA.

                                                            Nothing is preventing the US from only allowing certs from US based issuers. Effectively, if you’re using a mainstream browser, the hypothetical law I have sketched out will also affect root CAs.[1]

I think your whole argument is misguided, and not aimed at understanding the failures of Google, but at lashing out at an only tangentially related problem space.

                                                            I proposed a semi-plausible failure mode of the current CA-based certification system and suddenly I’ve gotten more flags than ever before. I find it really interesting.

                                                            [1] note that each and every one of these attempts to block access will have quite easy and trivial workarounds. That’s fine, because as stated above, having 100% control of some sort of “truth” is not the point. If nerds and really motivated people can get around a block by installing their own root store or similar, it will just keep them happy to have “cheated the system”. The point is having an atomized audience, incapable of organizing a resistance.

                                                            1. 4

                                                              I proposed a semi-plausible failure mode of the current CA-based certification system and suddenly I’ve gotten more flags than ever before. I find it really interesting.

                                                              The flags are me and they’re because your posts have been overwhelmingly low quality, consisting of cherry picking, trolling, rhetoric, and failing to engage with anyone’s points. You also never proposed any such attack, other users did you the favor of explaining what attack exists.

                                                              The closest thing you’ve come to defining an attack (before others stepped in to hand you one) is this:

                                                              Holding the threat of cutting off 99% of internet traffic over the head of media companies

                                                              It’s not that interesting why you’re getting flagged. IMO flags should be required to have a reason + should be open, but that’s just me, and that’s why I virtually always add a comment when I flag a post.

                                                              This is one of the only posts where you’ve almost come close to saying what you think the actual problem is, which if I very charitably interpret and steel-man on your behalf I can take as essentially “The US will exert power over CAs in order to make it hard for news sites to publish content”. This utterly fails, to be clear (as so many people have pointed out that there are far more attacks on HTTP that would work just as well or infinitely better, and as I have pointed out that we have seen HTTPS explicitly add this threat model and try to address it WITH SUCCESS using CT Logs), but at least with enough effort I can extract a coherent point.

                                                              1. 3

                                                                I have around 30 flags right now in these threads (plus some from people who took time off their busy schedule to trawl through older comments for semi-plausible ones to flag). You’re not the only one I have pissed off.[1]

                                                                (I actually appreciate you replying to my comments but to be honest I find your replies quite rambling and incoherent. I guess I can take some blame for not fully cosplaying as a Project 2025 lawyer, instead relying on vibes.)

                                                                It’s fine, though. I’ve grown disillusioned by the EFF style of encryption boosting[2]. I expect them to fold like a cheap suit if and when the gloves come off.


                                                                [1] but I’m still net positive on scores, so there are people on the other side too.

                                                                [2] they’ve been hyperfocussed on the threat of government threats to free speech, while giving corporations a free pass. They never really considered corporations taking over the government.

                                                                1. 3

                                                                  Hm, I see. No, I certainly have not flagged all of your posts or anything, just 2 or 3 that I felt were egregious. I think lobsters should genuinely ban more people for flag abuse, tbh, but such is the way.

                                                                  It’s interesting that my posts come off as rambly. I suppose I just dislike tree-style conversations and lobsters bugs have made following up extremely annoying as my posts just disappear and show as “null”.

                                                                  1. 1

                                                                    I’ve been getting the “null” response too. There’s nothing in the bug tracker right now, and I don’t have IRC access. Hopefully it will be looked at soon.

                                                                    As to the flags, people might legitimately feel I’m getting too political.

                                                                  2. 1

                                                                    I can take some blame for not fully cosplaying as a Project 2025 lawyer, instead relying on vibes.

                                                                    Genuine question, is this aimed at me?

                                                                    1. 1

                                                                      Nope. Unless you are a lawyer for Project 2025.

                                                          2. 2

                                                            Yeah, “trust the cert anyway” is going to be the fig leaf used to convince a compliant SCOTUS that revoking a certification is not a blatant violation of the 1st amendment. But at least the daily mandatory webcast from Dear Leader will be guaranteed not to be tampered with during transport!

                                                            1. 4

                                                              Wouldn’t you agree that certificate transparency does a better job detecting this kind of thing than surreptitiously redirecting DNS would?

                                                              1. 2

                                                                The point of this hypothetical scenario would be that the threat of certificate revocation would be out in the open, to enforce self-censorship to avoid losing traffic/audience. See my comment here:

                                                                https://lobste.rs/s/mxy0si/chromecast_2_s_device_authentication#c_lyenlf

                                                  2. 11

                                                    But in the future I’ll be more polite in criticizing one of the world’s biggest companies so that this place is more welcoming to you.

                                                    Flagged as trolling. I’m also extremely critical of Google’s killing of various services.

                                                    1. 3

                                                      I’m not sure any of those are good examples of planned obsolescence. As far as I can tell, they’re all services that didn’t perform very well that Google didn’t want to support, tools that got subsumed into other tools, or ongoing projects that were halted.

                                                      I think it’s reasonable to still wish that some of those things were still going, or that they’d been open-sourced in some way so that people could keep them going by themselves, or even that Google themselves had managed them better. But planned obsolescence is quite specifically the idea that you should create things with a limited lifespan so that you can make money by selling their replacements. As far as I can tell, that doesn’t apply to any of those examples.

                                                      1. 0

                                                        Trust Google to not even manage to do planned obsolescence right either…

                                                  3. 13

                                                    This is the future the “HTTPS everywhere” crowd wants ;)

                                                    Please refrain from smirky, inflammatory comments.

                                                    1. 7

                                                      I get that it’s a tongue in cheek comment, but this is what falls out of “we want our non-https authentication certificates to chain through public roots”.

                                                      There is no reason for device authentication to be tied to PKI - it is inherently a private (as in “only relevant to the vendor” , not secret) authentication mechanism so should not be trying to chain through PKI, or PKI-like, roots.

                                                      1. 9

                                                        Hyperbole much? Sometimes an expired certificate is just an expired certificate

                                                        1. 10

                                                          Why is this a hyperbole? It is clear that even an enterprise the size of Google, famous for its leetcode-topping talent, is unable to manage certificates at scale. This makes it a pretty good point against uncritical deployment of cryptographic solutions.

                                                          1. 10

                                                            Microsoft let microsoft.com lapse that one time. Should we give up on DNS?

                                                            1. 6

                                                              When Microsoft did that I wasn’t standing embarrassed in front of my family failing to cast cartoons on the TV. So it was their problem, not my problem.

                                                              (It is still bricked today btw)

                                                            2. 6

                                                              No one has ever argued for “uncritical deployment” of any solution, let alone cryptographic ones.

                                                              1. 2

                                                                Maybe I’m reading too much into “HTTPS everywhere” then.

                                                                1. 3

                                                                  Maybe. I think there are two ways to interpret it - “HTTPS Everywhere” means “literally every place” or it means “everywhere that makes sense, which is the vast majority of places”. But, to me, neither of these implies “you should deploy in a way that isn’t considered and that will completely destroy a product in the future”, it just means that you should very likely be aiming for a reliable, well supported deployment of HTTPS.

                                                              2. 2

                                                                I was replying more to the “planned and enforced obsolescence” conspiracy theorizing.

                                                                It is true that managing certificates at scale is something not a lot of large organizations seem to be able to pull off, and that’s a legitimate discussion to have… but I didn’t detect any good faith arguments here, just ranting

                                                          2. 36

                                                            Even if half of the things I have heard about Brave are wrong, why even bother when so many other great, free alternatives exist. The first and last time I tried it was the home page ad fiasco… uninstalled and went back to Chrome.

                                                            These days I try to use Firefox, but escape hatch to Chrome when things don’t work. I know there are better alternatives to both Firefox and Chrome, I’ll start exploring them… maybe? It’s hard for me to care about them since most of them are just Chrome/Firefox anyway. I’ll definitely give Ladybird a go when it’s ready. On paper, at least, it sounds like the escape from Google/Mozilla that is desperately needed.

                                                            1. 11

                                                              Kagi bringing Orion to Linux feels promising. It’s OK on Mac, though after using it for 6 months I switched back to Safari. It looks like they’re using Webkit for that on Linux, not blink, which is a happy surprise IMO. That feels like a good development. (I’m also looking forward to Ladybird, though. Every so often I build myself a binary and kick the tires. Their progress feels simultaneously impossibly fast and excruciatingly slow.)

                                                              1. 15

                                                                If I understand correctly, Orion is not open source. That feels like a huge step backward and not a solution to a browser being controlled by a company with user-hostile incentives. I think Ladybird is more in line with what we really need: a browser that isn’t a product but rather a public good that may be funded in part by corporations but isn’t strongly influenced by any one commercial entity.

                                                                1. 7
                                                                  1. I believe they have stated that open sourcing is in the works

                                                                  2. Their business model is, at the minimum, less user hostile than others due to users paying them money directly to keep them alive.

                                                                  Disclaimer: Paid Kagi user.

                                                                  1. 5

                                                                    they have stated that open sourcing is in the works

                                                                    That help page has said Kagi is “working on it” since 2023-09 or earlier. Since Kagi hasn’t finished that work after 1.5 years, I don’t believe Kagi is actually working on open sourcing Orion.

                                                                    1. 2

                                                                      Their business model is, at the minimum, less user hostile than others due to users paying them money directly to keep them alive.

                                                                      If US DoJ has their way, google won’t be able to fund chrome any more the way it was doing so far. That also means apple and firefox lose money too. So Kagi’s stuff might work out long term if breakup happens.

                                                                    2. 4

                                                                      That’s totally valid, and I’d strongly prefer to use an open source UA as well!

                                                                      In the context of browsers, though, where almost all traffic comes from either webkit-based browsers (chiefly if not only Safari on Mac/iPad/iPhone), blink-based browsers (chrome/edge/vivaldi/opera/other even smaller ones) or gecko-based browsers (Firefox/LibreWolf/Waterfox/IceCat/Seamonkey/Zen/other even smaller ones) two things stand out to me:

                                                                      1. Only the gecko-based ones are mostly FOSS.
                                                                      2. One of the 3 engines is practically Apple-exclusive.

                                                                      I thought that Orion moving Webkit into a Linux browser was a promising development just from an ecosystem diversity perspective. And I thought having a browser that’s not ad-funded on Linux (because even those FOSS ones are, indirectly ad-funded) was also a promising development.

                                                                      I’d also be happier with a production ready Ladybird. But that doesn’t diminish the notion that, in my eye, a new option that’s not beholden to advertisers feels like a really good step.

                                                                      1. 3

                                                                        There are non-gecko pure FOSS browsers on Linux.

                                                                        Of the blink-based pure FOSS browsers, I use Ungoogled Chromium, which tracks the Chromium project and removes all binary blobs and Google services. There is also Debian Chromium; Iridium; Falkon from KDE; and Qute (keyboard driven UI with vim-style key bindings). Probably many others.

                                                                        The best Webkit based browser I’m aware of on Linux is Epiphany, aka Gnome Web. It has built-in ad blocking and “experimental” support for chrome/firefox extensions. A hypothetical Orion port to Linux would presumably have non-experimental extension support. (I found some browsers based on the deprecated QtWebKit, but these should not be used due to unfixed security flaws.)

                                                                        1. 1

                                                                          I wasn’t sure Ungoogled Chromium was fully FOSS, and I completely forgot about Debian Chromium. I tried to use Qute for a while and it was broken enough for me at the time that I assumed it was not actively developed.

                                                                          When did Epiphany switch from Gecko to Webkit? Last time I was aware of what it used, it was like “Camino for Linux” and was good, but I still had it on the Gecko pile.

                                                                          1. 2

                                                                            According to Wikipedia, Epiphany switched from Gecko to Webkit in 2008, because the Gecko API was too difficult to interface to / caused too much maintenance burden. Using Gecko as a library and wrapping your own UI around it is apparently quite different from soft forking the entire Firefox project and applying patches.

                                                                            Webkit.org endorses Epiphany as the Linux browser that uses Webkit.

                                                                            There used to be a QtWebKit wrapper in the Qt project, but it was abandoned in favour of QtWebEngine based on Blink. The QtWebEngine announcement in 2013 gives the rationale: https://www.qt.io/blog/2013/09/12/introducing-the-qt-webengine. At the time, the Qt project was doing all the work of making WebKit into a cross-platform API, and it was too much work. Google had recently forked Webkit to create Blink as a cross-platform library. Switching to Blink gave the Qt project better features and compatibility at a lower development cost.

                                                                            The FOSS world needs a high quality, cross-platform browser engine that you can wrap your own UI around. It seems that Blink is the best implementation of such a library. WebKit is focused on macOS and iOS, and Firefox develops Gecko as an internal API for Firefox.

                                                                            EDIT: I see that https://webkitgtk.org/ exists for the Gnome platform, and is reported to be easy to use.

                                                                            I see Servo as the future, since it is written in Rust, not C++, and since it is developed as a cross platform API, to which you must bring your own UI. There is also Ladybird, and it’s also cross-platform, but it’s written in C++, which is less popular for new projects, and its web engine is not developed as a separate project. Servo isn’t ready yet, but they project it will be ready this year: https://servo.org/blog/2025/02/19/this-month-in-servo/.

                                                                            1. 1

                                                                              I used to contribute to Camino on OS X, and I knew that most appetite for embedding gecko in anything that’s not firefox died a while back, about the time Mozilla deprecated the embedding library, but I’d lost track of Epiphany. As an aside: I’m still sorry that Mozilla deprecated the embedding interface for gecko, and I wish I could find a way to make it practical to maintain that. Embedded Gecko was really nice to work with in its time.

                                                                              The FOSS world needs a high quality, cross-platform browser engine that you can wrap your own UI around.

                                                                              I strongly agree with this. I’d really like a non-blink thing to be an option for this. Not because there’s anything wrong with blink, but because that feels like a rug pull waiting to happen. I like that servo update, and hope that the momentum holds.

                                                                            2. 1

                                                                              Wikipedia suggests the WebKit backend was added to Epiphany in 2007 and they removed the Gecko backend in 2009. Wow, time flies! GNOME Web is one I would like to try out more, if only because I enjoy GNOME and it seems to be a decent option for mobile Linux.

                                                                    3. 9

                                                                      I have not encountered any website that doesn’t work on Firefox (one corporate app said it required Chrome for some undisclosed reason, but I changed the user agent and had no issue at all using their simple CRUD). What kind of issues do you find?

                                                                      1. 4

                                                                        I’ve wondered the same thing in these recent discussions. I’ve used Firefox exclusively at home for over 15 years, and I’ve used it at my different jobs as much as possible. While my last two employers had maybe one thing that only worked in IE or Chrome/Edge, everything else worked fine (and often better than my coworkers’ Chrome) in Firefox. At home, the last time I remember installing Chrome was to try some demo of Web MIDI before Firefox had support. That was probably five years ago, and I uninstalled Chrome after playing with the demo for a few minutes.

                                                                        1. 3

                                                                          I had to install Chromium a couple of times in the last years to join meetings and podcast recording that were done with software using Chrome-only API.

                                                                          When it happens, I bless Flatpak, as I install Chromium and then permanently delete it afterward without any trace on my system.

                                                                          If you are a heavy user of such web apps, I guess that it makes sense to use Chrome as your main browser.

                                                                          1. 2

                                                                            I can’t get launcher.keychron.com to work on LibreWolf but that’s pretty much it. I also have chrome just in case I’m too lazy to figure out what specifically is breaking a site

                                                                            1. 2

                                                                              launcher.keychron.com

                                                                              Firefox doesn’t support WebUSB, so that’s probably the issue.

                                                                              1. 1

                                                                                Thanks, yeah, that’s it. I knew it was some specific thing that wasn’t supported I just couldn’t remember and was writing that previous comment on my phone so I was too lazy to check. But yeah, it’s literally the only site I could think of that doesn’t work on Firefox (for me).

                                                                            2. 1

                                                                              It’s pretty rare, to be fair, so much so that I don’t have an example off the top of my head. I know, classic internet comment un-cited source bullshit, sorry. It was probably awful gov or company intranet pages over the years.

                                                                              Some intensive browser based games run noticeably better on Chrome too, but I know this isn’t exactly a common use case for browsers that others care about.

                                                                              Probably not a satisfying reply, apologies.

                                                                              1. 1

                                                                                For some reason, trying to log in to the CRA (Canadian equivalent of the IRS) always fails for me with firefox and I need to use chrome to pay my taxes.

                                                                                1. 1

                                                                                  I run into small stuff fairly regularly. Visual glitches are common. Every once in a while, I’ll run into a site that won’t let me login. (Redirects fail, can’t solve a CAPTCHA, etc.)

                                                                                  Some google workspace features at least used to be annoying enough that I just devote a chrome profile to running those workspace apps. I haven’t retried them in Firefox recently because I kind of feel that it’s google’s just deserts that they get a profile on me that has nothing but their own properties, while I use other browsers for the real web.

                                                                                  I should start keeping a list of specific sites. Because I do care about this, but usually when it comes up I’m trying to get something done quickly and a work-around like “use chrome for that site” carries the day, then I forget to return to it and dig into why it was broken.

                                                                              2. 3

                                                                                for what it’s worth the translation feature in firefox is terrible https://i.ibb.co/spNhv92Q/translation.png

                                                                                i don’t know why they’d ship something this bad

                                                                                1. 13

                                                                                  It’s fully offline. The language models are a few megabytes. THAT’S AMAZING. Sure the translations are far from fluent, but I use it all the time to get the gist of articles in French, German, Spanish etc., and I don’t need them to be fluent, just understandable.

                                                                                  If you want online LLM stuff I mean they have you covered but again that’s online and LLM.

                                                                                  1. 1

                                                                                    i get it, but please have a look at the screenshot. it’s not even just the translation that’s bad, it’s also (presumably) parsing the html incorrectly, doubling up the text in various parts (e.g. altano’s username and the flag button), and adding nonsensical text (e.g. “si tratta di un’azienda” == “it’s about a company”???). it’s so odd that the translation built into a major browser cannot parse html correctly

                                                                                    but of course, the main issue is that the translation is bad. the sentences sound weird, words have incorrect articles/endings (which are absolutely trivial to get right in that case). it even translated “gaslight” into “austriare” which is a completely made up word that makes zero sense

                                                                                    and this was english to italian, which shouldn’t be as hard as chinese to turkish or finnish to japanese

                                                                                    i’m sorry for complaining about someone’s hard work that they provided for free. it’s better than nothing, and it’s better than automatically translating things literally word for word, but it’s just… really not much better than that…

                                                                                  2. 8

                                                                                    truth be told I’ve only been using it with English on the target end and it’s been fine when translating a stray site in French, German, Russian, Chinese, etc. I never translate text to my native language, before LLMs the translators all were terrible.

                                                                                    1. 2

                                                                                      Came here to comment the same. The quality of the translations isn’t even the biggest issue though. The UX Chrome has is just way better. You can force translate and when the page updates dynamically it kinda “just works”. With Firefox it is impossible to do any real tasks on a government/bank website. The fact that there is no option in the context menu is also baffling to me.

                                                                                    2. 4

                                                                                      It’s notable that Tiberian Dawn is written in C++. According to their GDC postmortem, it took hours to compile and eventually they used developer workstations as a compilation farm, like they did for VQA video encoding already.

                                                                                      1. 2

                                                                                        they used developer workstations as a compilation farm

                                                                                        I recall Valve doing a similar thing for baking lights? They wrapped MPI and ran that off the dev PCs.

                                                                                      2. 3

                                                                                        I’ve monitored domain expirations for a while, using whois via scripts. I’m on macOS; it has whois built-in, but nothing for rdap that I can see. Checking Debian and Ubuntu, I’m not seeing anything in packages. I’m surprised, but maybe I’m not fully awake yet and missing something blatantly obvious.

                                                                                        1. 2

                                                                                          There is a CLI tool linked from the announcement, it can produce json output for easy parsing. But since it’s just HTTP and JSON it’s not hard to roll your own either:

                                                                                          curl -s https://rdap.verisign.com/com/v1/domain/example.com|jq -r '.events[] | select(.eventAction == "expiration") | .eventDate'

                                                                                          https://data.iana.org/rdap/dns.json contains the bootstrap data where you can find the endpoints for TLDs.

                                                                                          I guess one difficulty is that not all TLDs seem to support this yet so you might have to fall back to whois for those that don’t.
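The same lookup as the curl/jq one-liner above, as an added example in Python that is not the commenter’s script and not the ICANN client: it resolves the TLD’s RDAP base URL from bootstrap data in the shape of https://data.iana.org/rdap/dns.json, builds the /domain/ query URL, pulls the "expiration" event out of the response, and returns None for TLDs the bootstrap file does not list, which is the point at which a script would fall back to whois. The bootstrap excerpt and the RDAP response below are constructed so the example runs offline; the urllib fetcher is only used if you pass it a real domain.

```python
"""RDAP domain-expiry lookup built from the pieces in the comment above:
the IANA bootstrap file maps a TLD to its RDAP base URL, and the domain
object's "events" array carries an "expiration" entry. Added example, not
the commenter's script. All sample data below is constructed."""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Constructed excerpt in the shape of https://data.iana.org/rdap/dns.json
# (RFC 7484): each service is [list of TLDs, list of base URLs].
SAMPLE_BOOTSTRAP = {
    "version": "1.0",
    "services": [
        [["com"], ["https://rdap.verisign.com/com/v1/"]],
        [["net"], ["https://rdap.verisign.com/net/v1/"]],
    ],
}

# Constructed RDAP domain object (RFC 9083 shape); the dates are made up.
SAMPLE_DOMAIN_RESPONSE = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "events": [
        {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-08-13T04:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-08-14T07:01:34Z"},
    ],
})


def rdap_base_for(domain: str, bootstrap: dict) -> Optional[str]:
    """Base URL of the RDAP server for the domain's TLD, or None when the
    bootstrap file lists no server (the whois-fallback case)."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    for tlds, urls in bootstrap.get("services", []):
        if tld in (t.lower() for t in tlds) and urls:
            base = urls[0]
            return base if base.endswith("/") else base + "/"
    return None


def rdap_domain_url(domain: str, bootstrap: dict) -> Optional[str]:
    """The /domain/<name> query URL, i.e. the one curl'd in the comment."""
    base = rdap_base_for(domain, bootstrap)
    if base is None:
        return None
    return f"{base}domain/{domain.rstrip('.').lower()}"


def expiration_from_rdap(body: str) -> Optional[datetime]:
    """Parse an RDAP domain JSON body and return the expiration date as an
    aware UTC datetime, or None when no expiration event is present."""
    obj = json.loads(body)
    for ev in obj.get("events", []):
        if ev.get("eventAction") == "expiration" and "eventDate" in ev:
            # RDAP dates are RFC 3339; fromisoformat wants +00:00 rather than Z.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def http_get(url: str) -> str:
    """Default fetcher: a plain HTTPS GET asking for the RDAP media type."""
    req = urllib.request.Request(url, headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def fetch_expiration(domain: str, bootstrap: dict, fetcher=http_get) -> Optional[datetime]:
    """Expiration for `domain` via RDAP, or None when the TLD has no RDAP
    server in the bootstrap data (the caller should fall back to whois)."""
    url = rdap_domain_url(domain, bootstrap)
    if url is None:
        return None
    return expiration_from_rdap(fetcher(url))


def days_until_expiry(expires: datetime, now: Optional[datetime] = None) -> int:
    """Whole days left before `expires`; negative once it has passed."""
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


if __name__ == "__main__":
    # Offline demo with the constructed data; pass http_get and the real
    # bootstrap file for a live check.
    exp = fetch_expiration("example.com", SAMPLE_BOOTSTRAP, lambda _url: SAMPLE_DOMAIN_RESPONSE)
    print("example.com expires", exp, "in", days_until_expiry(exp), "days")
    print("example.se RDAP URL:", rdap_domain_url("example.se", SAMPLE_BOOTSTRAP))
```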

                                                                                          1. 2

                                                                                            The macOS whois comes from the FreeBSD whois that I hacked on to improve its whois server discovery and handling of referrals (and missing referrals).

                                                                                            Last time I looked (several years ago) I would have needed some significant support libraries in the FreeBSD base system to get whois(1) to support RDAP. IIRC libfetch could do https for me but I would have needed something for json. (edit: looks like there’s still no json parser.) It was a bit too much extra work to take on back then, but I still think it would be right for whois(1) to use both/either protocol depending on what each registry provides.

                                                                                            1. 2

                                                                                              I believe libucl can parse JSON, although I haven’t used it.

                                                                                            2. 1

                                                                                              If using homebrew, brew install icann-rdap will install ICANN’s rdap client mentioned in the article.

                                                                                              1. 2

                                                                                I believe the parent is pointing out that OSes typically should have built-in support, or should already have chosen a package which supports domain information lookups (and have it pre-installed), e.g. the whois CLI. There seems to be nothing by default for RDAP yet, which is concerning for a “sunsetting” announcement.

                                                                                              2. 1

                                                                                                maybe some day the whois(1) utility will redirect to RDAP data.

                                                                                              3. 3

                                                                                                Cool, RDAP was a bit nicer to use.

                                                                                                When I last needed this in 2020 all gTLDs supported RDAP but few ccTLDs did. Based on this deployment tracker 1/4 of ccTLDs now support it, with a further 1/4 supporting “stealth RDAP” whatever that means (the link is broken).

                                                                                                  1. 1

                                                                                                    Of the domains I cared about, it looks like the ICANN lookup tool isn’t working for .al, .co, de, .es, .me, .ng, .rs, .se, or .us, at least. I haven’t checked many domains.

                                                                                                    It looks like “stealth rdap” means that the ccTLD has an rdap server, but it’s not set up for autodiscoverability. One attempt to probe them found them for .de and .us, from my list above.

                                                                                                  2. 5

                                                                                                    Hm, it appears this behavior is a GNUism. On macOS I can run cp -R src/ dest and it copies the files inside src, like rsync.

                                                                                                    1. 3

                                                                                                      That works on Linux the same, as opposed to cp -R src dest or cp -R src/* dest.

                                                                                                      1. 5

                                                                                                        No it doesn’t.

                                                                                                        Linux:

                                                                                                        > cp -R src/ dest
                                                                                                        > eza -aT dest
                                                                                                        dest/
                                                                                                        └── src/
                                                                                                            ├── .hidden
                                                                                                            └── unhidden
                                                                                                        

                                                                                                        It only produces dest/.hidden if the dest folder didn’t exist yet. As compared with macOS where the trailing slash on src/ makes cp copy the contents of the directory rather than the directory itself.
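As an added example (not code from anyone in the thread), the following POSIX shell script builds a throwaway src directory containing a hidden file and an empty dst, then compares the three spellings discussed above: cp -R src/* dst (the glob, which skips dotfiles), cp -R src/. dst (the src/. trick) and cp -R src/ dst (the trailing slash, whose result depends on which cp you have). The copy_with function, the temp-directory layout and the sample file names are my own construction.

```shell
#!/bin/sh
# Added example, not from the thread: compare three spellings of
# "copy the contents of src into dst" when dst already exists.
# Sample data (one hidden and one visible file) is constructed here.
set -eu

# make_tree DIR: create DIR/src with a dotfile and a normal file, plus an
# empty DIR/dst so every spelling starts from the same state.
make_tree() {
    mkdir -p "$1/src" "$1/dst"
    printf 'secret\n' > "$1/src/.hidden"
    printf 'public\n' > "$1/src/unhidden"
}

# copy_with STYLE: run one cp spelling in a fresh temp tree, then print
# "<entries in dst> <dst/.hidden present> <dst/src present>".
copy_with() {
    tmp=$(mktemp -d)
    make_tree "$tmp"
    case "$1" in
        glob)  cp -R "$tmp"/src/* "$tmp/dst" ;;   # '*' never matches dotfiles
        dot)   cp -R "$tmp/src/." "$tmp/dst" ;;   # src/. means "src's contents"
        slash) cp -R "$tmp/src/"  "$tmp/dst" ;;   # GNU cp ignores the slash
        *)     rm -rf "$tmp"; return 2 ;;
    esac
    n=$(ls -A "$tmp/dst" | wc -l | tr -d ' ')
    if [ -f "$tmp/dst/.hidden" ]; then hidden=yes; else hidden=no; fi
    if [ -d "$tmp/dst/src" ];     then nested=yes; else nested=no; fi
    rm -rf "$tmp"
    printf '%s %s %s\n' "$n" "$hidden" "$nested"
}

# Usage: run the script to see one line per spelling.
for style in glob dot slash; do
    printf '%-5s -> %s\n' "$style" "$(copy_with "$style")"
done
```

On GNU coreutils the glob spelling leaves one entry and no dotfile, the src/. spelling copies both files (dotfile included) directly into dst, and the trailing-slash spelling produces the nested dst/src the comment above shows; on macOS the slash case copies the contents instead, which is exactly the difference being argued about.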

                                                                                                        1. 1

                                                                                                          Right, I blame my lack of attention on skipping my pills today. Thanks for the clarification!

                                                                                                    2. 12

                                                                                                      I have worked in this space for one of the big players.

                                                                                                      It’s bad, okay? Terribly terribly bad. Mountains of protocols designed-by-committee, 4 major generations of everything and every non-toy device is supposed to implement all of them. The list of documents is incredibly long too.

                                                                                                      And that’s still the better part, additional software that you do not need but really really do want or you’d need 10x more employees. The one used to monitor, manage, make reports, forward packets, upsell. It’s all unfathomably terrible.

                                                                                                      That there are working new modem implementations could be considered some divine miracle the complexity is so ridiculous.

                                                                                                      1. -3

                                                                                                        So what this “article” boils down to is “I learned that ‘*’ globbing doesn’t include hidden files.”

                                                                                                        Not sure how this is news, per se. I’m sure it must be for someone

                                                                                                        1. 33

                                                                                                          The trick to cp -a src/. dst is neat and not one I remember seeing before. I have, however, learned through painful experience that rsync -a src/ dst/ is the equivalent with rsync. It’s annoying that they handle these edge cases differently, and I’m sure that’s part of why I’ve got rsync wrong so many times. (And perhaps I do recursive rsync more often than recursive cp.)

                                                                                                          Anyway, don’t sneer at someone who is learning in public.

                                                                                                          1. 5

                                                                                                            rsync’s trailing-slash-dependent behaviour absolutely baffles me every time. I’m not sure why but I prefer this cp trick. It doesn’t make any more intuitive sense… but maybe the weirdness of the trailing /. makes it less likely you’ll unintentionally use it.

                                                                                                            1. 1

                                                                                                              I’m weird as I strongly prefer using desktop file managers – especially when paired with utilities like everything and listary – to actually manage files. So I probably have used rsync in a surprisingly strong ratio vs my cp(1) usage. And I’ve come to prefer rsync’s way? Humans are weird.

                                                                                                          2. 9

                                                                                                            Ain’t it more of “I learned that ‘.’ makes cp copy all files”?

                                                                                                            Wild guess, but I think there are a lot of commands and scripts that use * but should use .

                                                                                                            1. 4

                                                                                                              Thank you. Globstar was an aside in the post, as it is tangentially related to the main topic. I knew already that globstar couldn’t be used to copy hidden files. What I didn’t know was what to use in its stead. That’s what the post is about.

                                                                                                            2. 3

                                                                                                              This is very bad for web openness and long term accessibility, much like the Rails browser version guard.

                                                                                                              1. 11

                                                                                                                Why? Shorter expiry times don’t require any new browser support, 90 days certificates will continue to be available, shorter certs are opt-in, and other TLS certificate providers are available (even if your parameters are “free” and “supports ACME”).

                                                                                                                1. 17

                                                                                                                  It puts a lot more centralized dependency on LetsEncrypt. If your site has to get a new cert every 6 days and something happens to LE, your site is now unusable without intervention.

                                                                                                                  It’s not out of the realm of possibility that an attacker could force LE’s issuing/validating servers offline for 6 days (which is also the longest possible expiry in this scenario, there could be sites that have to renew the same day the outage starts).

                                                                                                                  1. 9

                                                                                                                    That explains why it introduces potential fragility but not why 6 day certs are bad for the open web and accessibility.

                                                                                                                    1. 5

                                                                                                                      The ACME client can implement multiple issuers and do some kind of load balancing or fallback between them, should one of them be inaccessible. Like Caddy does.

                                                                                                                2. 4

                                                                                                                  I get why for the browser guard, but why for this? If regular 90 day certificates are already working, then there is absolutely no reason that a 6 day one wouldn’t. Sure you might need to do some work on the backend to sort out the automation (though that is hopefully already being done with 90 day certs), but for the client side this should not matter whatsoever.

                                                                                                                  Let’s Encrypt is great. HTTPS should not be reserved to companies which can afford to pay for certificates, which was what happened before, and it should not be difficult to set up, either. I don’t care what content you’re serving, plain HTTP (and others) should just not be used, it’s a big tracking and attack vector.

                                                                                                                  1. 1

                                                                                                                    The article explained why they want to start offering 6-day certificates. It is because if your private key leaks then anyone can impersonate your site until the certificate expires, unless you revoke the certificate with the leaked key. And certificate revocation is not reliable.

                                                                                                                    I accept that certificate revocation is somewhat unreliable, but I will admit I am puzzled about just who it is that loses their private keys so frequently that they need a maximum of a 6-day period in which the leaked key could be used.

                                                                                                                    1. 13

                                                                                                                      I don’t get how “so frequently” comes into it. If you lose your key very very rarely, you don’t care about for how long it could be misused?

                                                                                                                      1. 2

                                                                                                                        Any individual doesn’t, but the whole web does. And if Let’s Encrypt loses trust, then the whole web suffers.

                                                                                                                        One key is one key/site which is 100s of millions of keys. Those 100s of millions of keys do pose a risk to trusting Let’s Encrypt on the whole.

                                                                                                                      2. 7

                                                                                                                        You only need to lose your private keys once for the validity duration to matter.

                                                                                                                    2. 3

                                                                                                                      Unless you consider less than a year (the longest expiration in typical use, AFAIK) to be “long term”, I don’t get your point.

                                                                                                                    3. 3

                                                                                                                      Is there a possibility of relaxing the iOS version restriction? I’m not upgrading to the pushed AI features until the phone gets bricked. Thank you!

                                                                                                                      1. 7

                                                                                                                        https://www.wired.com/story/how-to-turn-off-apple-intelligence/

                                                                                                                        Open Settings on your device
                                                                                                                        Scroll down until you find Apple Intelligence & Siri and tap on it
                                                                                                                        Toggle Apple Intelligence off
                                                                                                                        
                                                                                                                        1. 1

                                                                                                                          Unfortunately since it’s opt-out there will be some amount of time where it is on, and I have not seen a way to prevent it from being on ever. Appreciate trying to help.

                                                                                                                          1. 2

                                                                                                                            there will be some amount of time where it is on

                                                                                                                            It won’t do anything unless you engage it.

                                                                                                                        2. 2

                                                                                                                          Sure thing, let me take a look. I have created an issue on GitHub tracking this – feel free to add any context that might be useful (things like what iOS version you’re presently on etc).

                                                                                                                        3. 5

                                                                                                                          EDIT2: if you use podman, consider using Google’s mirror https://github.com/containers/podman/blob/1e7f810f714240f5d68f92baa1ab39ee53a249f5/test/registries.conf#L17

                                                                                                                          EDIT: nope, I was wrong

                                                                                                                          A pull for a normal image makes one pull for a single manifest.

                                                                                                                          I think this is per layer limit, so one more complicated image could drain the limit itself. Very nice of DH, makes me dislike MSFT and IBM just a little less.

                                                                                                                          1. 5

                                                                                                                            Unauthenticated users 10 per IPv4 address or IPv6 /64 subnet

                                                                                                                            This seems to be geared more towards user tracking instead of reducing their server load to me. 10 pulls per single IPv4 is ridiculous, especially when someone’s behind CGNAT (and CGNAT + no IPv6 for consumers is quite popular, at least in Poland), as this will be used in no time.

                                                                                                                            UP; sorry, my internet is flaky and somehow I managed to post the same comment three times

                                                                                                                            1. 1

                                                                                                                              UPC / Play, eh? I think they’re the biggest CGNAT culprit here.

                                                                                                                            2. 5

                                                                                                                              Can it finally use the root servers for DNS queries, so I won’t need to trust a DNS reseller like Quad9?

                                                                                                                              1. 3

                                                                                                                                What do you mean by “reseller” exactly?

                                                                                                                                1. 11

                                                                                                                                  ‘recursive resolver’ with extra spicy naming

                                                                                                                                  1. 2

                                                                                                                                    I know what quad9 is and I know what a recursive resolver is. What exactly are you saying here? Quad9 is not selling anything.

                                                                                                                                    1. 8

                                                                                                                                      ssl cracked a joke, a pretty good one at that. I chuckled at it, and you should, too.

                                                                                                                              2. 4

                                                                                                                                Random sidenote: I wish there were standard shortcuts or aliases for frequently typed commands. It’s annoying to type systemctl daemon-reload after editing a unit, e.g. why not systemctl dr? Or debugging a failed unit, journalctl -xue myunit seems unnecessarily arcane, why not --debug or friendlier?

                                                                                                                                1. 5

                                                                                                                                  I’m using these:

                                                                                                                                  alias sc="sudo LESSSECURE_ALLOW=lesskey SYSTEMD_LESS='$LESS' systemctl"
                                                                                                                                  alias jc="sudo LESSSECURE_ALLOW=lesskey SYSTEMD_LESS='$LESS' journalctl"
                                                                                                                                  

                                                                                                                                  This is shorter to type, completion still works and I get my less options.

                                                                                                                                  1. 3

                                                                                                                                    Typing this for me looks like sy<tab><tab> d<tab> - doesn’t your shell have systemd completions?

                                                                                                                                    1. 1

                                                                                                                                      It does but what you describe doesn’t work for me.

                                                                                                                                      $ systemctl d
                                                                                                                                      daemon-reexec  daemon-reload  default        disable
                                                                                                                                      
                                                                                                                                      1. 2

                                                                                                                                        What doesn’t work? In any modern shell, when you are here and type tab twice you will get to daemon-reload. Ex: https://streamable.com/jdedh6

                                                                                                                                        1. 1

                                                                                                                                          Your shell doesn’t show a tab-movable highlight when such a prompt appears? If so, try that out. It’s a very nice feature.

                                                                                                                                      2. 3

                                                                                                                                        journalctl -u <service> --follow is equally annoying

                                                                                                                                        1. 15

                                                                                                                                          journalctl -fu

                                                                                                                                          1. 3

                                                                                                                                            My favorite command in all of Linux. Some daemon is not working. F U Mr. Daemon!

                                                                                                                                            1. 2

                                                                                                                                              so this does exist - I could swear I tried that before and it didn’t work

                                                                                                                                              1. 19

                                                                                                                                                I wasn’t sure whether to read it as short args or a message directed at journalctl.

                                                                                                                                                1. 1

                                                                                                                                                  Thankfully it can be both! :)

                                                                                                                                                2. 1

                                                                                                                                                  You gotta use -fu not -uf, nothing makes you madder than having to follow some service logs :rage:

                                                                                                                                                  1. 13

                                                                                                                                                    That’s standard getopt behaviour.
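As an added example (not code from anyone in the thread), the script below shows the getopt behaviour being referred to, using POSIX getopts with option letters that mirror journalctl’s -f (follow, no argument) and -u UNIT (takes an argument). The parse_args function and the sshd.service unit name are my own construction.

```shell
#!/bin/sh
# Added example, not from the thread: how POSIX getopts reads clustered
# short options, so "-fu NAME" and "-uf NAME" parse differently.
# The option letters mirror journalctl's -f (follow) and -u UNIT.

# parse_args ARGS...: parse -f and -u UNIT the way getopt does, then print
# "follow=<0|1> unit=<value> rest=<remaining operands>".
parse_args() {
    follow=0
    unit=""
    OPTIND=1                      # reset so repeated calls start fresh
    while getopts 'fu:' opt "$@"; do
        case "$opt" in
            f) follow=1 ;;
            u) unit=$OPTARG ;;
            *) return 2 ;;        # unknown letter, or -u with no argument
        esac
    done
    shift $((OPTIND - 1))         # drop the parsed options, keep operands
    printf 'follow=%s unit=%s rest=%s\n' "$follow" "$unit" "$*"
}

# Usage: the cluster "-fu" is read as -f followed by -u taking the next
# word; "-uf" is read as -u taking the literal "f", so the unit name falls
# through as an operand instead of being the unit.
parse_args -fu sshd.service
parse_args -uf sshd.service
parse_args -u sshd.service -f
```

The second call is why -uf "doesn't work": once getopts reaches an option letter that takes an argument, the rest of that cluster is the argument, so the unit becomes "f".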

                                                                                                                                                    1. 2

                                                                                                                                                      Well, I guess fu rolls off the tongue better than uf. But I remember literally looking up if there isn’t anything like -f and having issues with that. Oh well.

                                                                                                                                              2. 3

                                                                                                                                                Would it be “too clever” for systemd to wait for unit files to change and reload the affected system automagically when it changed?

                                                                                                                                                1. 13

                                                                                                                                                  I’m not sure it would be “clever”. At best it would make transactional changes (i.e. changes that span several files) hard, at worst impossible. It would also be a weird editing experience when just saving activates the changes.

                                                                                                                                                  1. 2

                                                                                                                                                    I wonder why changes should need to be transactional? In Kubernetes we edit resource specs—which are very similar to systemd units—individually. Eventual consistency obviates transactions. I think the same could have held for systemd, right?

                                                                                                                                                    1. 6

                                                                                                                                                      I wonder why changes should need to be transactional

                                                                                                                                                      Because the services sd manages are more stateful. If sd restarted every service each moment its on-disk base unit file changes [1], desktop users, database admins, etc would have a terrible experience.

                                                                                                                                                      [1] say during a routine distro upgrade.

                                                                                                                                                2. 3

                                                                                                                                                  Shorter commands would be easier to type accidentally. I approve of something as powerful as systemctl not being that way.

                                                                                                                                                  Does tab completion not work for you, though?

                                                                                                                                                3. 3

                                                                                                                                                  What’s the benefit of this approach vs. e.g. filtering them all through uBlock Origin (which lets you add custom filters blocking such stuff out)?

                                                                                                                                                  1. 5

                                                                                                                                                    Can you change fonts and do other arbitrary CSS with uBlock? If you can, that’s news to me.

                                                                                                                                                    I thought uBlock only supported removing/hiding elements.

                                                                                                                                                    1. 8

                                                                                                                                                      You can, with uBlock Origin’s :style() operator. For example, OP’s user style for danluu.com could be written like this:

                                                                                                                                                      danluu.com##body:style(max-width: 600px; margin: 0 auto)
                                                                                                                                                      

                                                                                                                                                      Compared to CSS, filter list syntax is more verbose when describing complex rules:

                                                                                                                                                      ! Make HN post text readable
                                                                                                                                                      news.ycombinator.com##.toptext:style(color: #333)
                                                                                                                                                      news.ycombinator.com##.toptext a:style(color: #1973c2)
                                                                                                                                                      ! Note the repeated domain.
                                                                                                                                                      
                                                                                                                                                      ! Unlike in CSS, you cannot write comments inside of a rule,
                                                                                                                                                      ! e.g. to document the reason for one of multiple CSS declarations.
                                                                                                                                                      ! Any comment documenting a rule has to go on its own line.

                                                                                                                                                      I personally like to use uBlock Origin for content-blocking rules. Its syntax doesn’t require writing display: none;, I can easily search through my rules for all sites within a single text box, and I can sometimes replace my custom rules with others’ custom content-blocking filter lists (example). For other types of restylings, where I might want comments to justify specific values, I prefer Stylus.
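As an added example (not code from the commenter above or from uBlock Origin), a small Python converter that takes an ordinary user-style CSS block and emits the equivalent domain##selector:style(...) cosmetic filters, moving every CSS comment onto its own "!" line as the filter syntax requires, plus a parser for the reverse direction. The sample CSS and the function names are constructed here for illustration.

```python
import re

# Constructed sample user style (same restyling as the HN rules above,
# written as plain CSS with inline comments; not OP's actual file).
SAMPLE_USER_CSS = """
/* Make HN post text readable */
.toptext { color: #333; /* dark grey */ }
.toptext a { color: #1973c2; }
body {
  max-width: 600px; /* narrow column */
  margin: 0 auto;
}
"""

_RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)      # selector { body }
_COMMENT_RE = re.compile(r"/\*(.*?)\*/", re.S)           # /* ... */
_FILTER_RE = re.compile(r"^([^#!\s]+)##(.+?):style\((.*)\)$")


def css_to_ubo_filters(domain, css):
    """Turn flat CSS (no @media or nesting) into uBlock Origin
    ``domain##selector:style(decl; decl)`` lines for one domain.

    The filter syntax has no inline comments, so each CSS comment found
    before or inside a rule is emitted as its own ``!`` line ahead of
    that rule (the restriction the comment above describes).
    """
    out = []
    for m in _RULE_RE.finditer(css):
        head, body = m.group(1), m.group(2)
        comments = [c.strip() for c in _COMMENT_RE.findall(head) + _COMMENT_RE.findall(body)]
        selector = _COMMENT_RE.sub("", head).strip()
        decls = [d.strip() for d in _COMMENT_RE.sub("", body).split(";")]
        decls = [d for d in decls if d]
        if not selector or not decls:
            continue  # nothing to style; skip stray braces or empty rules
        out.extend("! " + c for c in comments if c)
        out.append(f"{domain}##{selector}:style({'; '.join(decls)})")
    return out


def parse_ubo_style_filter(line):
    """Split ``domain##selector:style(decls)`` into (domain, selector, [decls]).

    Blank lines and ``!`` comment lines return None; anything else that is
    not a :style() cosmetic filter raises ValueError.
    """
    line = line.strip()
    if not line or line.startswith("!"):
        return None
    m = _FILTER_RE.match(line)
    if not m:
        raise ValueError(f"not a :style() cosmetic filter: {line!r}")
    domain, selector, decls = m.groups()
    return domain, selector, [d.strip() for d in decls.split(";") if d.strip()]


if __name__ == "__main__":
    for filt in css_to_ubo_filters("news.ycombinator.com", SAMPLE_USER_CSS):
        print(filt)
```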

                                                                                                                                                      1. 2

                                                                                                                                                        This is really cool; thanks for sharing!

                                                                                                                                                        The main reason I haven’t dug into ublock origin more is that I haven’t found a way to configure it from my dotfiles, so I have to set the settings manually and copy it around to all the different machines I use by hand. Do you know if there’s a way around this? (I guess if I used firefox sync or whatever it could do this but I want all my stuff in one place!)

                                                                                                                                                        1. 2

                                                                                                                                                          uBo can indeed push and pull settings using the firefox-sync-shared storage.

                                                                                                                                                    2. 3

                                                                                                                                                      Probably nothing if you use uBlock Origin. I don’t use uBlock though. I use Firefox’s tracking protection set to Strict, which takes care of 90% of things, and is built-in.

                                                                                                                                                      1. 2

                                                                                                                                                        Firefox tracking protection blocks ads?

                                                                                                                                                        1. 2

                                                                                                                                                          Yep, anything that’s doing tracking, which is most ads served by Google, Facebook etc on websites. It doesn’t get all ads, but enough that I’m happy with it.

                                                                                                                                                    3. 29

                                                                                                                                                      How does a company get so backwards? They went with utmost haste from leading to following. Where once I thought the sky was the limit for this product, now I just think they’re stuck on the exact same plateau as everyone else.

                                                                                                                                                      1. 16

                                                                                                                                                        I think they have some definite polish on aspects of their editor, but I was (and still am) put off by the funding model for the editor. Good quality engineering isn’t free and I remain unconvinced that hockey stick growth style models are practical for guiding reasonable product development.

                                                                                                                                                        Another thing that gets me is marrying a reasonably fast process (the editor’s insertion speed and search speed) with a much slower process (LLM inference).

                                                                                                                                                        1. 6

                                                                                                                                                          According to the Minimizing Latency: Serving The Model section, they are sending the text to online services to get predictions? Apart from the privacy concerns, I wonder who is paying for the GPU cost, and how that factors into their business model.

                                                                                                                                                          1. 1

                                                                                                                                                            FWIW I should be a little more precise and say “either LLM inference or network requests” since there’s clearly capacity to send over the net. Both seem slower (and more variable) than local editor business.

                                                                                                                                                        2. 9

                                                                                                                                                          What’s backwards here? The presence of LLM at all?

                                                                                                                                                          I’ve come to consider this kind of LLM tab completion essential. It’s the only piece of LLM software I use and I find it saves me a lot of time, at least the implementation in Cursor. It often feels like having automatic vim macros over the semantics of the code rather than the syntax of the code. Like if I’m refactoring a few similar functions, I do the first one and then magically I can just press tab a few times to apply the spirit of the same refactor to the rest of the functions in the file.

                                                                                                                                                          1. 13

                                                                                                                                                            My question is: why is that good? “Magical” is one of those words in programming that usually means something has gone horribly wrong.

                                                                                                                                                            Don’t get me wrong: I want my tool to make it easy to make mechanical changes that touch a bunch of code. I just don’t want the process to do it to be a magical heuristic.

                                                                                                                                                            1. 7

                                                                                                                                                              My question is: why is that good?

                                                                                                                                                              You’re the one saying that the company is doing something backwards, I think it’s on you to justify that when asked, not to come back with a question tbh.

                                                                                                                                                              “Magical” is one of those words in programming that usually means something has gone horribly wrong.

                                                                                                                                                              Statements like these are just dogma/rhetoric. Words like “magical” are just like “simplicity” or “ugly”, they mean something different to everyone.

                                                                                                                                                              I just don’t want the process to do it to be a magical heuristic.

                                                                                                                                                              Why not? What if it’s a problem best suited by heuristics?

                                                                                                                                                              1. 4

                                                                                                                                                                Don’t get me wrong: I want my tool to make it easy to make mechanical changes that touch a bunch of code. I just don’t want the process to do it to be a magical heuristic.

                                                                                                                                                                I’m in a similar boat.

                                                                                                                                                                I’m less bullish on having the LLM do a large-scale refactoring than I am on using an LLM to generate a codemod that I can use to do the large-scale refactoring in a deterministic fashion.

                                                                                                                                                                But for small-scale changes—I wouldn’t even necessarily call them “refactorings”—like adding a new field to a struct and then threading that all the way through, I’ve found that our edit predictions can cut down on a lot of the mundanity of a change like that.

                                                                                                                                                                1. 1

                                                                                                                                                                  The big question is: what environment does that codemod target?

                                                                                                                                                                  For a system like this to work well there has to be a consistent high-level way of defining transformations that many people will use and write about so that models will understand it well. For that to happen you need an abstraction over the idea of a syntax node.

                                                                                                                                                                  1. 1

                                                                                                                                                                    For that to happen you need an abstraction over the idea of a syntax node.

                                                                                                                                                                    Can the LSP protocol, married somehow to tree-sitter, be the answer here?

                                                                                                                                                                    1. 2

                                                                                                                                                                      Tree sitter is far closer to being the answer than LSP is.

                                                                                                                                                                2. 1

                                                                                                                                                                  My ideal interaction would be something like, “an LLM writes a script that modifies code and I decide whether I want to run that script”.

                                                                                                                                                                  1. 4

                                                                                                                                                                    I’m not sure about Zed but you can do that with Cursor. The tab model is very small and fast, but Cursor has a few options ranging from “implicit inline completion suggestions with tab” to “long form agent instructions and review loop” similar to what you describe - you ask it to do stuff in a chat-like interface, it proposes diffs, you can accept the diffs or request adjustments. But, I find explicitly talking to the AI much slower and more flow interrupting compared to tab completion.

                                                                                                                                                                    I do use a mode that’s in between the two where I can select some text, press cmd-k, describe the edit and it will propose the diff inline with the document. Usually my prompt is very terse, like “fix”, “add tests”, “implement interface”, “use X instead of Y”, “handle remaining cases” that sort of thing.

                                                                                                                                                                    I use plenty of heuristics in my editor already, like I appreciate fuzzy-file-find remembering my most opened files and up-weighting them, same with LSP suggestions and auto-imports. The AI tab completion experience is a more magical layer on top, but after using it for about an hour it starts to feel just like regular tab completion that provides “insert function name”, it’s just providing more possible edits. Another time saver I appreciate is when it suggests an edit to balance some parenthesis/braces for a long nested structure that I’m struggling to wrangle on my own.

                                                                                                                                                                    1. 2

                                                                                                                                                                      I do use a mode that’s in between the two where I can select some text, press cmd-k, describe the edit and it will propose the diff inline with the document. Usually my prompt is very terse, like “fix”, “add tests”, “implement interface”, “use X instead of Y”, “handle remaining cases” that sort of thing.

                                                                                                                                                                      These days, my favorite use of LLMs is to write a // TODO comment at the appropriate place, send a snippet with the lines to be changed to the LLM, and replace the selection with the response. With the right default prompt, this works really well with the pipe command in editors like Neovim, Kakoune, etc. and a command line client like llm, or smartcat.

                                                                                                                                                                      1. 1

                                                                                                                                                                        The place I miss an LLM the most is in my shell. I’d love to be able to fall back to llm to construct a pipeline rather than needing to read 6 different manpages and iterate through trial and error. Do you have a setup for ZSH/bash/etc that’s lightweight? I haven’t seen anything inspiring in this area yet outside proprietary terminal emulators (I’m not interested).

                                                                                                                                                                        1. 1

                                                                                                                                                                          I’m spoiled because I can’t do anything like that. I’m inventing a genuinely new technology, so I always have to think for myself because there’s no one to follow or imitate. I’m sure it sounds weird to hear me be excited about building my internal model for where changed requirements will manifest as need for changed code, but my mental model of that is razor sharp, and thinking about where changes are needed myself gives me leave to think about whether my code is expressive enough and has strong architecture.

                                                                                                                                                                          But yeah, I know I’m the weird one. I’m the kid that retyped the red-underlined word instead of right clicking to correct spelling, the idea being that I wanted to learn how to spell and spot/correct spelling mistakes instead of the machine.

                                                                                                                                                                        2. 1

                                                                                                                                                                          Once the diff gets big enough it starts to have problem of its own. How will you know if it’s all correct without redoing all the work? What if the diff is stale by the time it is reviewed and approved? Generating a script instead of a diff solves those problems, and incidentally has another property that I prize very highly: it is just as useful to humans as it is to LLMs. Once you can define large changes as small scripts typing will no longer be the odious part of making changes that touch a lot of code.