sudneo

@sudneo@lemmy.world
1 Post – 290 Comments
Joined 1 year ago

They are using brave search results, like they do with others. Frankly, you could build totally identical arguments (and to be honest, much more serious) for "partnering" with Google and Microsoft, but then the product wouldn't exist and wouldn't be as good.

The relationship with the Brave founder is so indirect, that this - to me - feels like an argument from someone who is looking for reasons to get angry. Kagi probably uses AWS (or other clouds), which funds Amazon (known for terrible worker rights), funds Google, fossil fuel industry, etc. It's a sad reality, but you simply can't exist nowadays in the moral and ethical way many people would like. You can, only if you are a privileged one. Technologically speaking, Google can probably do it, for example (own hardware, DCs, tech etc.). We can choose to fight those that directly support political agendas we disagree with, or we can damage the smallest players by demanding they will be 100% pure and ethical by not having any relationship with those with those agendas.

In my personal opinion, such unrealistic ethical requirements end up being a reactionary choice as they will ultimately impede new - better - players from emerging and will leave the existing - worse - ones dominating.


The fact that Lemmy’s core team is taking a fairly laissez faire position on moderation, user safety, and tooling is problematic, and could be a serious blocker for communities currently hosted on Lemmy.

At this point, most of the solutions the ecosystem has relied on have been third-party tools, such as db0’s fantastic Fediseer and Fedi-Safety initiatives. While I’m sure many people are glad these tools exist, the fact that instances have to rely on third-party solutions is downright baffling.

Honestly, what? Why would it be baffling to have third-party tools in this ecosystem? It would be baffling if that were the case for Facebook. Also, the devs did work on some moderation features, but they probably have tons of other stuff to work on, all for an amount of money which is a low salary for one developer.


I mean, it's not a spell, it's a sentence. If reading it will make it spread, as in more people will agree and support it, the problem is already there.


How dare workers in (potentially desperate?) need of a job look for jobs. They are men, and belonging to that category automatically makes them rich and privileged. The working class should be united against common enemies, not divided because of gender. While it's obvious that women in tech are discriminated against, alienating fellow victims, even if male, is not the answer to the problem.

Capital really won the class war...


That’s not the argument being made. What’s baffling is to pretty much only rely on the efforts of third party devs to fill in the missing gaps. It’s a profoundly bad strategy.

I literally quoted the article:

At this point, most of the solutions the ecosystem

I mean, there are some moderation features in Lemmy, for sure with gaps, but there are many gaps on other aspects as well, and if people can't run the instances due to other technical issues, there is also nothing to moderate, so obviously prioritization is complex when resources available (dev) are so limited.

That said, I really don't see the problem with third parties. We rely on third parties for one of the most fundamental features, which is community discovery (lemmyverse.net), for example. What's the problem with that? I think that's literally one of the benefits of making an open platform, where other people can build other tools in the ecosystem. We are not purchasing a service, we are not talking about an organization that has substantial revenue and tons of people and can't deal with basic functionalities. We are talking about a project with a team that is smaller than the team that at Facebook deals with which colors to make buttons, and it's "paid" 1/20th of that. So I still don't understand, what is "baffling"? Because from where I stand, all things considered, it's totally normal that a project with these resources and that gained popularity less than a year ago still has tons of gaps and a long roadmap, and that tools in the ecosystem address some of these gaps.

It's like when Bethesda releases a shitty half-finished game

No it's not. Bethesda is a company that sells you a proprietary product while having revenue in the order of hundreds of millions. The relationship between Bethesda customers and Lemmy users has absolutely nothing in common.

Here, Lemmy makes some money

Lemmy makes no money. Considering the opportunity cost, Lemmy loses money. A single dev with a full-time job can easily double the amount that Lemmy devs earn. Not to mention the fact that the money they make is donations, without a contract binding them to anything and also not guaranteeing them anything (tomorrow everyone could cancel donations and the income would disappear).

They can’t do that if the tooling is too brittle, shitty, or threadbare to actually handle the deeply fucking intense problem of managing and maintaining a server and community on the open Internet, where literally anything and everything goes. Factor in a myriad of local jurisdictions and laws about data and content, and a lot of these things end up becoming severe liabilities.

Sure, but again, if those were the only problems and the devs were sipping cocktails in Hawaii splurging on those 4k/month, I would agree with you. If they think priorities are elsewhere, or are also elsewhere, they might have their reasons. In fact, in the article there is a complaint about them answering in a "hostile" manner, but I also understand that the issue in question is probably the 100th issue in a week/month in which other people tell them what they should do. This is a regular problem in OSS (see https://mastodon.uno/@bagder@mastodon.social - the maintainer of curl - for plenty of examples). After they understood better what the problem was, their stance changed as well, which is also reasonable.

Look at it this way: with federation, a handful of volunteers themselves are doing labor for free, for the devs, by propping up their platform, client ecosystem, and reputation in the space. If this gets bad enough, people will literally say “fuck it” and walk away.

I don't look at it in this way at all. I think the devs made it extremely clear (even given the political stance of both) that despite the happiness of seeing their project flourish, they have no interest in growth as an end. In fact, I would say that nobody is doing work for the devs. But I see that we have a fundamentally different perception on the dynamics in Lemmy, so I see no reconciliation between our opinions.

Gender is absolutely not the only nor the most important discriminating factor in tech. Being a foreigner and, probably most commonly, being old is an extreme disadvantage in tech. Similarly, a woman coming from a wealthy family might be privileged compared to a man coming from a poor background (which translates into lower access to education, resources, etc.).

Look at the video in the article, and tell me you don't notice some commonalities among the men in the queues.

I see mostly foreigners, who most likely have no network of support, and need a job to maintain a visa before getting kicked out of the country. Are they in a better or worse position compared to a local woman? Does it even make sense to start asking these questions?

I want to challenge this vision where discrimination is only looked at through the lens of gender division. This is shortsighted because discrimination in the workplace is extremely diverse and it exists for the benefit of those same sponsors of this event.


It is well known that those are the only two options. Also, the problem here is that the task is not possible, according to UN personnel, not me or you. So this feels a lot like just a way to create plausible deniability by saying "we tried hard to spare civilians".

Be respectful of others.

This comment is in clear violation of the rules of this community. Be better, if you want to criticize others.


They have literally an explanation for this on their website. You might disagree, but saying "it makes no sense"...makes no sense.

Also, they discontinued the earbuds and still no jack on FP5, so the idea that "they wanted to sell their own buds" doesn't seem to be likely.


I had a look at your history, and you seem really incapable of behaving in a civil way, often using insults. I don't think this is a good strategy to get your point across.


They have millions in funding, they will always move at a faster pace. The question is in which direction they will move, I suppose.

Problem for what?

I exist, I need a job to live, I have job, I try my best not to be an asshole, I fight (and vote) for a better society, for social and civil rights.

Why exactly should I - since I am a man I feel included in your statement - be THE problem?


tl;dr, yes, it does.

Containers are nothing like VMs, and containers in Linux are basically a combination of a feature called cgroups, which allows restricting the resources (like memory, etc.) available to a process or group of processes, and namespaces. Namespaces are a construct in which certain namespaced resources are separated from each other, and processes can only see those belonging to their namespace. A simple example is a mount namespace: when you launch a container, you see a / directory which is not the root directory of your system.

Now, the problem is that not all resources are namespaced, so there is still quite a lot that processes within containers can do by interacting with the main system's resources, especially if they are root.

A root process within a container generally can do lots of things that an actual root process can do outside of it. For example, mounting parts of the filesystem (if you run with --privileged), loading kernel modules, etc. Podman can run rootless, in the sense that it also uses user namespaces, meaning user 0 (root) inside a container is actually mapped to something else outside, but docker nowadays can do the same.

So yeah, in general, running applications with the least amount of privileges is a good idea and you should do it whenever you can. Even if you do need some privileges, you should add only the capabilities needed, not just go straight to root.
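As an added example (not code from the original post), here is a small Python audit that decodes the capability masks a container process shows in /proc/<pid>/status and reads its uid_map, so that "only the capabilities needed" and "root mapped to something else outside" become something you can check; the CapEff values and uid_map rows below are constructed samples, not captures.

```python
"""Audit a container process's capabilities and user-namespace mapping.

Added example, not from the original post. It parses the text the kernel
exposes in /proc/<pid>/status and /proc/<pid>/uid_map; the inputs at the
bottom are constructed samples, not captures from a real container.
"""

# Linux capability bit numbers 0..40 (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# What Docker grants a container by default (CapEff mask 00000000a80425fb).
DOCKER_DEFAULT_CAPS = {
    "audit_write", "chown", "dac_override", "fowner", "fsetid", "kill", "mknod",
    "net_bind_service", "net_raw", "setfcap", "setgid", "setpcap", "setuid",
    "sys_chroot",
}
# Capabilities that let a process reach well beyond its own namespaces.
ESCAPE_PRONE = {"sys_admin", "sys_module", "sys_ptrace", "sys_rawio", "dac_read_search"}


def decode_caps(mask_hex: str) -> set:
    """Turn a CapEff/CapBnd hex mask from /proc/<pid>/status into cap names."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_status(status_text: str) -> dict:
    """Split the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def host_uid(inside_uid: int, uid_map_text: str):
    """Map a uid seen inside the container to the host uid using the
    '<inside-start> <outside-start> <count>' rows of uid_map; None if unmapped."""
    for line in uid_map_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        start, outside, count = (int(p) for p in parts)
        if start <= inside_uid < start + count:
            return outside + (inside_uid - start)
    return None


def audit(status_text: str, uid_map_text: str, allowed: set) -> dict:
    """Compare a process's capabilities with the minimal set it should have,
    and report whether uid 0 inside the container is really uid 0 on the host."""
    st = parse_status(status_text)
    uid = int(st["Uid"].split()[0])           # first column is the real uid
    effective = decode_caps(st["CapEff"])
    bounding = decode_caps(st["CapBnd"])      # ceiling even after setuid/exec
    on_host = host_uid(uid, uid_map_text)
    return {
        "uid": uid,
        "host_uid": on_host,
        "root_on_host": uid == 0 and on_host == 0,
        "effective": effective,
        "excess": effective - allowed,         # what --cap-drop should remove
        "bounding_excess": bounding - allowed,
        "escape_prone": effective & ESCAPE_PRONE,
    }


# Constructed samples: root inside a container with Docker's default caps ...
STATUS_DEFAULT = (
    "Name:\tnginx\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)
# ... the same process started with --privileged (all 41 bits set) ...
STATUS_PRIVILEGED = STATUS_DEFAULT.replace("00000000a80425fb", "000001ffffffffff")
# ... and two uid_map files: identity mapping (no user namespace) versus a
# rootless engine that maps container uid 0 to host uid 100000.
UID_MAP_HOST = "         0          0 4294967295\n"
UID_MAP_ROOTLESS = "         0     100000      65536\n"
```

Running `audit(STATUS_DEFAULT, UID_MAP_HOST, {"net_bind_service"})` lists the thirteen default capabilities a web server does not need, while the rootless uid_map turns `root_on_host` off even though the process still sees itself as uid 0.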

I stopped hearing discussions about it long ago. I suppose the thing died down.

One thing I will never understand is their endless complaint about moderation tools. They had/have a decent amount of donations, so why didn't they just put a bounty on the features they needed on GitHub and encourage contributions in that space (if not contributing directly)? It feels like it was sterile criticism when they had/have the means to actually work on the solution.

EDIT: Adding to the above. From their OpenCollective page, they are at +6k$. Even 1000$ on a feature and I think plenty of people will want to contribute. Considering that they were complaining about a handful of features, I don't see how it was not feasible. That will both give back to the developers and get them where they are. Win-win...?


Blaming culture does not help with vulnerability disclosure. Vulnerabilities do happen and will happen again.

Writing a parser is not trivial and remember that it was a tiny project until a month ago.


The whole landscape of health trackers is depressing. I bought a Fitbit last year as I could expense it at work, and I ended up leaving it in a drawer exactly because of the uneasy feeling of sharing very sensitive data. Health data is probably the most impactful on personal lives (insurances, banks, etc.), and it's astonishing to me how it's too much to ask of a company that makes watches to have watches as their main business model.

I understand sharing data for further analysis etc., but I should be able to use my health tracker locally, only talking to my phone app and nothing else, similar to how gadgetbridge works. I was eyeing banglejs specifically to be able to do this, even though it's not really a health tracker.


I would say Docker. There is no substantial benefit in running podman, while docker is a widely adopted tool (which means more tooling in the ecosystem, easier to find answers to questions etc.). The difference is not huge tbh, and some time ago the biggest advantage for podman was being able to run rootless, while docker was stuck with a root daemon. This is not the case anymore (docker can run rootless), so I would say unless you have some specific argument to use podman, stick with docker.

But it is an asshole move to show up to an event meant for one group of people when the original issue is how over represented your group is. I’m a developer. The grind sucks. But I would be an asshole to show up to this.

If I was out of a job, I would honestly care less about the fact that "my group" is over represented. There is no white male lobby that pays my mortgage. That said, I - as in the actual me - would not go to such an event either, but that's also because I wouldn't go to any job fair atm since I don't need a job.


It's great to see how different people's priorities are! For me this is one of the least interesting features ever, I have never used a laptop with a trackpad to do any (meaningful) work. That said, I am really glad if people with different priorities will get the chance to have their preferred flow in Linux!


You see, it's not required for me to agree with whom you are criticizing to criticize your inability to be civil. So keep making as many strawmen as you like. We are in a post complaining about user behavior/content and your behavior and content are both completely unacceptable in a community.

Also, you can stop name-calling, this may have an effect when someone else values your opinion, I don't.

The problem you raise is real, but also avoidable. Nobody forces you to actually communicate via Signal with people on WhatsApp. In fact, if you do have people on WhatsApp you want to talk to, you already have an account on WhatsApp and you can keep using that. However, some people might appreciate the possibility to have this bridged communication, especially because it allows for much easier migration to Signal (and similar) from people for whom "everyone is on WhatsApp". The more people move over, the more Signal-to-Signal communication can happen, etc.

Ultimately it is exactly like email. I think it's still worth using proton, even though 80% of your emails will be coming from or going to a gmail account.

The crux is having the ability to:

  • know when you are talking with a user on WhatsApp
  • block or refuse to talk with a user on WhatsApp.

Once you can choose, hardcore privacy people can keep talking only between Signal users, but the interoperability can help more people move over in the meanwhile.


I personally agree with this, but:

  • this is hardly a community event. Being a woman (or a man) doesn't make you a member of a community by default (being a member in my opinion requires deliberate participation), plus this is a job fair sponsored by some of the biggest companies in the US.
  • what if you don't have a community? For example, a foreigner? Is it OK to alienate these people (an even weaker minority)?

In other words, I would agree if we were talking about the tech-bros with families worth 6 digits behind them and huge networks they can leverage. However, way more attributes are determining factors than just gender.


Just to add to this, Valve is a company with a very peculiar organization, in which the structure is very horizontal and that does its own thing (the structure is not without problems, but it's still very interesting). They also have a surprisingly small number of employees for such a company! Numbers vary between 350 and 1000!

Flatpak is generally very good for security. Especially considering you can override some defaults, you can have fairly tight isolation.


This statement makes no sense. Federated search means nothing. Ultimately someone needs to scrape, index, store and retrieve data. At the moment, a handful can do it efficiently, and to have a wide coverage, engines also use other APIs. Kagi does this, for example, by combining Google and others (e.g. Brave) with their own indexer.

How do you imagine a "federated" search would be any different? Using multiple APIs is effectively "federating".

As I said in another comment, to be fully ethical you should not run on any major cloud (owned by Amazon, Google, Microsoft, Oracle and IBM), not run on anything on fossil fuels (few DCs), not use any API of major companies (Google, Apple, etc.) and so on. So basically if we ever want a new, better, solution (tech) we just need to materialize a few billion dollars to allow this fully ethical solution with no dependency on immoral parties. Alternatively, the whole market dynamic should be disrupted, because that's the problem.

The only thing that makes this case worse in docker is that more info is in ENV variables. The vulnerability has nothing to do with containers though, and using ENV variables to provide sensitive data is in general a bad decision, since they can be leaked to any process with /proc access.

Unfortunately, ENV is still a common way which people use to pass data to applications inside containers, but it is not in any way a requirement imposed by the tech.
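Added example, not from the original comment: a Python helper that flags credential-looking variables in a /proc/<pid>/environ dump and shows the file-based alternative (the *_FILE convention many official images support, and the /run/secrets mount that Docker and Compose secrets use). The environ blob and the temporary secrets directory are constructed for the demo.

```python
"""Find credentials passed via the environment and load them from files instead.

Added example, not from the original comment. Inputs are constructed: a
/proc/<pid>/environ-style NUL-separated blob, and a temporary directory
standing in for the /run/secrets mount used by Docker and Compose secrets.
"""
import os
import re
import tempfile
from pathlib import Path

# Variable names that usually carry credentials.
SECRET_KEY = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIALS?", re.I)


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_env_secrets(env: dict) -> list:
    """Keys that look like secrets. A *_FILE variable only holds a path to a
    secret, which is the pattern we want, so it is not reported."""
    return sorted(k for k in env if SECRET_KEY.search(k) and not k.endswith("_FILE"))


def load_secret(name: str, environ: dict = None, secrets_dir: str = "/run/secrets") -> str:
    """Resolve a secret with the *_FILE convention many official images use:
    1. <NAME>_FILE names a file (typically a mounted secret);
    2. otherwise <secrets_dir>/<name lowercased>, where Compose mounts secrets;
    3. otherwise the plain variable, which is then removed so that child
       processes no longer inherit it. The start-up value stays visible in
       this process's own /proc/self/environ; only the file forms avoid that.
    """
    env = os.environ if environ is None else environ
    file_var = env.get(f"{name}_FILE")
    if file_var:
        return Path(file_var).read_text().rstrip("\n")   # fails loudly if misconfigured
    mounted = Path(secrets_dir, name.lower())
    if mounted.is_file():
        return mounted.read_text().rstrip("\n")
    if name in env:
        return env.pop(name)
    raise KeyError(f"secret {name} provided neither as a file nor in the environment")


# Constructed sample of what an environ dump of a container process may hold.
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0DB_PASSWORD=hunter2\0API_TOKEN=t0k3n\0"
                  b"DB_PASSWORD_FILE=/run/secrets/db_password\0HOME=/root\0")


def demo() -> tuple:
    """Exercise both halves on constructed data: returns the flagged keys, the
    value read from a mounted file, the value read from the environment, and
    whether the plain variable is still present afterwards."""
    flagged = find_env_secrets(parse_environ(SAMPLE_ENVIRON))
    with tempfile.TemporaryDirectory() as d:
        Path(d, "db_password").write_text("file-secret\n")
        from_file = load_secret("DB_PASSWORD", {"DB_PASSWORD": "env-secret"}, secrets_dir=d)
        env = {"DB_PASSWORD": "env-secret"}
        from_env = load_secret("DB_PASSWORD", env, secrets_dir=os.path.join(d, "absent"))
    return flagged, from_file, from_env, "DB_PASSWORD" in env
```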


I personally package the files in a scratch or distroless image and use https://github.com/static-web-server/static-web-server, which is a rust server, quite tiny. This is very similar to nginx or httpd, but the static nature of the binary removes clutter, reduces attack surface (because you can use smaller images) and reduces the size of the image.

You don't care until "bigotry" means what you think it means and not what someone else thinks, or until the same principle is pushed by other groups who happen to not care if "songs or artists perpetuating ____ get censored".

There is already a problem with monopoly in terms of which music is available, I can't wait to have those companies decide even more which songs can be published based on totally arbitrary principles and without any accountability. I am pretty sure that articles about this trash song will have the consequence of generating more listens than if this was just ignored. I, for one, would have never known this song existed without this article, and now I am fairly curious to go check the lyrics to get a better idea about the article itself. Streisand effect and all...

You can use docker inspect command to dump any meaningful info about the running containers. You can get details about networking, images etc.

Also you can check systemd units (or whatever your system uses) in case they are used to launch containers or docker compose files.

Running ps you should also be able to see if docker-compose is used, and in general this uses standard names (docker-compose.yml/.yaml), so you can simply find / -name those.
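Added example, not from the original comment: a Python summarizer for the JSON that docker inspect prints, pulling out image, networks, the Compose project labels and the settings worth a second look (privileged, host network/PID namespace, added capabilities, sensitive host bind mounts). The inspect output below is a constructed sample, not a capture.

```python
"""Summarize `docker inspect` output into an inventory with risk flags.

Added example, not from the original comment. Input is the JSON array that
`docker inspect <container>...` prints; SAMPLE_INSPECT is constructed, not a
capture. Compose containers are recognised by the labels Compose sets
(com.docker.compose.project, .service, .project.config_files).
"""
import json
import os

# Host paths that, bind-mounted into a container, hand it host control or host
# state (the Docker socket is equivalent to root on the host).
SENSITIVE_PREFIXES = ("/var/run/docker.sock", "/run/docker.sock",
                      "/proc", "/sys", "/etc", "/root", "/home")


def sensitive_source(src: str) -> bool:
    """True if a bind-mount source is the host root or under a sensitive path."""
    norm = os.path.normpath(src)
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def summarize_container(c: dict) -> dict:
    """Reduce one docker-inspect record to the fields an inventory needs."""
    cfg = c.get("Config") or {}
    host = c.get("HostConfig") or {}
    labels = cfg.get("Labels") or {}
    nets = (c.get("NetworkSettings") or {}).get("Networks") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("NetworkMode") == "host":
        findings.append("network=host")
    if host.get("PidMode") == "host":
        findings.append("pid=host")
    for cap in host.get("CapAdd") or []:
        findings.append(f"cap_add:{cap}")
    for m in c.get("Mounts") or []:
        if m.get("Type") == "bind" and sensitive_source(m.get("Source", "")):
            findings.append(f"bind:{m['Source']}" + ("" if m.get("RW", True) else " (ro)"))
    project = labels.get("com.docker.compose.project")
    return {
        "name": (c.get("Name") or "").lstrip("/"),
        "image": cfg.get("Image"),
        "network_mode": host.get("NetworkMode"),
        "addresses": {n: v.get("IPAddress") for n, v in nets.items()},
        "compose": f"{project}/{labels.get('com.docker.compose.service')}" if project else None,
        "compose_files": labels.get("com.docker.compose.project.config_files"),
        "findings": findings,
    }


def summarize(inspect_json: str) -> list:
    """Summaries for every container in a `docker inspect` JSON array."""
    return [summarize_container(c) for c in json.loads(inspect_json)]


# Constructed sample: one Compose-managed web container and one hand-started
# "agent" container with the kind of settings the summary should flag.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/myproj-web-1",
     "Config": {"Image": "nginx:1.25", "Labels": {
         "com.docker.compose.project": "myproj", "com.docker.compose.service": "web",
         "com.docker.compose.project.config_files": "/srv/myproj/docker-compose.yml"}},
     "HostConfig": {"Privileged": False, "NetworkMode": "myproj_default", "PidMode": "",
                    "CapAdd": None},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/data", "RW": True}],
     "NetworkSettings": {"Networks": {"myproj_default": {"IPAddress": "172.18.0.3"}}}},
    {"Name": "/agent",
     "Config": {"Image": "example/agent:latest", "Labels": {}},
     "HostConfig": {"Privileged": False, "NetworkMode": "host", "PidMode": "host",
                    "CapAdd": ["NET_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}],
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
])
```

On a real host, `docker inspect $(docker ps -q)` produces the same JSON array shape for all running containers, so the output can be piped straight into `summarize`.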

This is pure rhetoric, I can flip the argument:

"You care more about the gender than about my material condition."

Also, the moment I need to let prevail abstract concepts over my material condition (i.e., caring about "my group" being over represented while I am out of a job) is the moment in which the class unity is broken. Me and those women who are out of a job have so much in common that there is no reason for me to consider us part of two separate groups. That's the whole point of my argument, I advocate for worker solidarity and I absolutely feel that this attitude is overall harmful for it.


Proton stores your keys

Proton stores an encrypted blob.

All they need now is your decryption password & they can read your messages

"All they need now is your private key". It's literally a secret, they use bcrypt and then encrypt it. Also, "they" are not generally in the threat model. "They" can serve you JS that simply exfiltrates your email, because the emails are displayed in their web-app, they have no need to steal your password to decrypt your key and read your email...

It isn’t transparent, because most users aren’t running their own frontend locally and tracking all the source code changes.

Probably we misunderstand what "transparent" means in this context. What I mean is that the average user will not do any PGP operation, in general. Encryption happens transparently for them, which is the whole thing about Proton: make encryption easy and default.

Now you’re merely trusting them to not send you a custom JS payload to have your decryption password sent to the server.

Again, as I said before, they control the JS, they can get the decrypted data without getting the password...? You always trust your client tooling. There is always a point where I trust someone, be it the "enigmail" maintainers, Thunderbird maintainers (it has access to messages post-decryption!), the CLI tool of choice etc.

How many users are actually utilizing their hidden API to ensure that decryption/encryption is only done client-side?

I mean, their clients are open-source and have also been audited?

If they have your private key, how many users do you think are using long enough passwords to make cracking their password more challenging?

I don't know. But here we are talking about a different risk: someone compromising Proton, getting your encrypted private key, and starting to bruteforce bcrypt-hashed-and-salted passwords. I find that risk acceptable.

This is just entirely inaccurate and you’ve failed to provide any "proof’ for your generalizations here.

See other post.

If you actually understood PGP you’d know you can generate and use local-only keys with IMAPS and have support to use any IMAP client.

Care to share any practical example/link, and how exactly this means not having a fat client that does the encryption/decryption for you?

There is no security benefit in their implementation other than to lock you into a walled garden and give you a false sense of security.

Right, because *DAV protocols are so secure. They all support e2ee, right...? There is a security benefit, and the benefit is trusting the client software more than a server, especially if shared. You can export data and migrate when you want easily, so it's really a matter of preference.


IDF soldiers have long been safe and secure in Israel without any pushback from residents. It's time for them to reap the rewards of their support. If they still stand by the IDF, so be it.

This is your alter ego from across the border speaking.

The point is simple: the moment you have the biggest chunk of the userbase, you have more weight in establishing praxis for standards & protocols. In fact, the protocol needs to catch up with you, rather than vice versa. Google did the same with Chrome, for example. Try to start a browser today, and with all the stuff that Google forced into standards and that your browser needs to comply with, you will fail. Even just forcing a pace in changes to ActivityPub can mean that a number of tools that are developed by volunteers won't be able to keep up.

Imagine Meta brings in 100m users. This is a fraction of their userbase, but it is 8x the whole fediverse. Imagine now that they make some change that doesn't comply with ActivityPub: what do you do, break the tool that is used by 90% of the users, or adapt? And what if they push changes to ActivityPub, so that everyone needs to catch up quickly: lemmy, mastodon, pixelfed, etc.? How soon before some tools with less active development die because they are non-compliant? (Similarly to how some browsers break with some sites.)

Yes, it is a metasearch engine. It's basically like a proxy+aggregator of multiple engines.


This whole thing happened while a young woman is in power. This has to do with submission to economic power, not with gender and age.


My idea is definitely biased by the fact that I am a security engineer by trade. I believe a company is ultimately responsible for the security of their users, even if the threat is the users' own behavior. The company is the one able to afford a security department who is competent about the attacks their users are exposed to and able to mitigate them (to a certain extent), and that's why you enforce things.

Very often companies use "ease" or "users don't like it" to justify the absence of security measures such as enforced 2FA. However, this is their choice, which prioritizes not pissing off (potentially) a small % of users at the price of more security for all users (especially the less proficient ones). It is a business choice that they need to be accountable for. I also want to stress that, despite being mostly useless, different compliance standards also require measures that protect users who use simple or repeated passwords. That's why complexity requirements are sometimes demanded, or also the trivial bruteforce protection with lockout period (for example, most gambling licenses require both of these, and companies who don't enforce them cannot operate in a certain market). Preventing credential stuffing is no different, and if we look at OWASP recommendations, it's clear that enforcing MFA is the way to go, even if maybe in a way that it does not trigger all the time, which would have worked in this case.

It’s up to each user to determine how securely they want to protect their data.

Hard disagree. The company, i.e. the data processor, is the only one who has the full understanding of the data (sensitivity, amount, etc.) and a security department. That's the entity who needs to understand what threat actors exist for the users and implement controls appropriately. Would you trust a bank that allowed you to login and make bank transfers using just a login/password with no requirements whatsoever on the password and no brute force prevention?


During the short time Google also acquired users, who moved from other XMPP software because...well, the software was more integrated with other stuff. So when you then defederate, the rest is left with fewer users and a terrible experience.

Google did the same with Chrome and the web standards too. Look at the browser competition nowadays...

As someone who is being pressured to move to macOS (M1) from Linux for work, I feel you. I was just having a conversation in another thread about trackpads and I feel that Apple really built the workflow around gestures, which leaves people who would rather use keybindings quite out of luck. I know there is rectangle, but it doesn't even go close to what a good WM gives.

It's actually fairly simple: if the server never has access to the keys or the plaintext of messages (or calendar events, etc.), then you need a client tool to handle decryption and encryption operations.

They use PGP, and they have implemented this feature in a way that it's completely transparent to the user to make it mainstream. So they chose to build dedicated tools (bridge, web client), rather than letting users use their own tools, because the PGP tooling sucks hard and it's extremely inaccessible for the general population.

This means that you need a fat client, whatever you do, or otherwise the server will have access to the data and there is no e2ee. Instead of using enigmail or other PGP plugins/tools, they built the bridge.


I think it sees that the browser is trying to execute code that is suspicious (the payload of the XSS was pretty obvious).