hello

  • 101 Posts
  • 228 Comments
Joined 10 months ago
Cake day: Jan. 17, 2022

using the word “toot” was a bad decision, as Eugen acknowledged when he made his mobile apps stop using the word back in May. And as of this month, it’s finally gone from the web app too. Good riddance!



the server software is non-free. iiuc it would be easy enough to reverse engineer the protocol from the client software (which is free software) but (last I checked, anyway) the server URLs are not configurable so you would actually need to patch and recompile the client to use a different server.


I’m certainly not recommending snaps, but, it is important to acknowledge the problem they’re trying to solve. “The debian model” means using years-old versions of everything, having a single set of dependency versions every program must share, and giving every package’s control scripts root access while you install it. This paradigm made sense when it was developed 25 years ago but it is far from ideal today.

i still ♥ Debian but there are tons of things I need to use which I can only get from somewhere else, so, “the Debian model” for me nowadays means a stable base system and then lots of software from other distributors (sometimes flatpak or appimage, but also a lot of podman containers of various distros).

What I am almost never willing to do is use 3rd party entries in my apt sources.list file on an actual host system (though I do in containers when necessary) - down that path lies madness.


yeah, I am aware, and I do actually think the xdg portal stuff is generally a good idea for a lot of programs… but the way it works right now sacrifices a lot of usability and doesn’t gain much security.

passing files given as commandline arguments seems like an easy problem to solve, but the linked file situation with SVG is much harder (probably requires a whole new flow for xdg portals where a program can request access to a bunch of files and prompt the user once to allow access to all of them). in the absence of any solution, imo it is silly that they’re shipping inkscape as a snap with strict confinement today.


I’m unsurprised to see lots of good reasons here why not to use them already, and none for why anyone does :)

I imagine the vast majority of snap users are using them only because Ubuntu ships a few things (like firefox) as snaps by default now.

I tried the Inkscape snap recently on an ubuntu system where i needed the latest release, and found that due to its sandboxing security theater (last I heard it is still not difficult to break out…) it is impossible to open files from the commandline. And, even worse, when you use the Open command from File menu, it just passes the one file you selected in to the sandbox, so, when you open a file which has references to other files (which is not uncommon with SVG) it is not able to load them! So, I ended up using Inkscape’s AppImage instead.



true, though, i guess a lot of people use mostly (or entirely?) degoogled android things but then need/want/decide to use some shitty apps that bring back the tracking.

(i think there are android distributions that don’t actually make any connections to google? i’m not sure.)


i can’t tell if you’re saying that you read the arguments against phone numbers (for personal communication) that i linked to and you disagree with them all, or if you’re saying you didn’t read them.


Friendica-Lemmy federation question
cross-posted from: https://lemmy.ml/post/607806

> This profile: https://forum.friendi.ca/profile/helpers
>
> Appears on lemmy as a remote community here: https://lemmy.ml/c/helpers@forum.friendi.ca
>
> ...which i found interesting because so far I've only seen lemmy be able to support remotely subscribing to peertube channels (and remote lemmy communities).
>
> However, when I put another friendica profile URL like https://forum.friendi.ca/profile/news in to the lemmy search box, it federates it as a remote user instead of a community: https://lemmy.ml/u/news@forum.friendi.ca
>
> Can anyone explain what is going on here? cc [@nutomic@lemmy.ml](https://lemmy.ml/u/nutomic) [@dessalines@lemmy.ml](https://lemmy.ml/u/dessalines)

Google and Amazon Helped the FBI Identify Z-Library’s Operators
cross-posted from: https://lemmy.ml/post/607133

> "It was fairly straightforward [for the FBI] to connect the dots, largely thanks to data provided by Google and Amazon, which led directly to the suspects."

xmpp and matrix are both interesting and useful, but both were first designed to send unencrypted messages which has led to many complications/difficulties/caveats when using them with e2ee nowadays.

sorry i don’t have time to properly enumerate those issues here right now :)


in a nutshell: imo you shouldn’t use anything that requires a phone number, and especially not things that use phone numbers as the identifier your contacts need to know to reach you. i wrote some reasons why here.

https://dessalines.github.io/essays/why_not_signal.html (by @dessalines, one of the authors of lemmy) has a lot of other reasons why not to use signal; i have mixed feelings about all of the things in their list of alternatives there but I think I’d use any of them before signal.


any privacy-related product that touts being in switzerland as a feature is immediately suspect. threema’s cryptography is some goofy stuff they made up themselves with numerous shortcomings documented elsewhere, but a big one which for me makes it not worth spending time looking in to further is that their forward secrecy story is this:

> Threema provides forward secrecy on the network connection (not on the end-to-end layer).

This means that a malicious server can record all of your encrypted end-to-end messages, and decrypt them later if they ever obtain the key from one of the participants in the conversation. E2E forward secrecy is an extremely basic feature, invented more than 30 years ago and present in almost every new encrypted protocol released in the last decade. But threema decided to not even try!

Having FS between the user and the server, but not end-to-end between the users, only makes sense if you completely “trust” the server - which you’re supposed to do because they’re in Switzerland, I guess. But in that case, why bother with end-to-end encryption at all? 🤡


you could set up a bot to follow your own pixelfed from your mastodon and repeat every post. but, why? if you instead only post your photos to pixelfed and other stuff to mastodon, people get the choice of following either your photos OR your links and microblog posts (as we used to call them over a decade ago when the fediverse was called the federated social web) OR they can follow both. and that way, when someone on friendica or another mastodon replies to your pixelfed post, pixelfed-only users can see their reply, right? (i don’t know, i haven’t actually used pixelfed…)

the feature you’re looking for is called “cross-posting”, and there are many tools that do it, but this is an inferior stopgap solution to the problem of lack of interoperability in the incumbent platforms… which activitypub is attempting to provide a better solution for.

another downside to cross-posting is the lack of deduplication: if i want to just use one thing and follow your mastodon but i also want to see the comments on your pixelfed, i might end up following both and then seeing all of your posts twice.

(NB activitypub is also a technically lacking architecture in many ways… but it is better than cross-posting)

tldr you can post on your mastodon (and/or put in your profile there) “you can also follow my pixelfed (probably using whatever you’re using to read this) if you want to see my photos too”.


I’m not going to give a VPN-selling privacy tips site any credit for steering people to Firefox; Firefox has been one of the top browsers for longer than a lot of web users today have been alive.

Tutanota’s encryption is not compatible with anything else, and their freemium business model seems implausible. My understanding is that when you send an encrypted email to a non-tutanota user it sends them a link to the tutanota website, where they send some javascript on-the-fly which does the decryption (and hopefully doesn’t exfiltrate the key - but good luck verifying that at the time you’re actually using it). This is security cosplay, and can be very convenient for some adversaries who might otherwise be thwarted by people using some standardized encryption with software that isn’t running in a web browser. I recommend against Tutanota.

“What VPN do you use” is a complicated and personal question :)

For accessing lemmy I am using Tor Browser, with all of its problems. Neither Tor nor any VPN are really sufficient for hiding your location from serious adversaries, but for hiding from the copyright police while torrenting I recommend Mullvad. Click here to get a 68% discount when you sign up with my affiliate code!

want to become an affiliate yourself?

you can’t, because they actually don’t play that game :)


Headline: “all trackers”

First sentence: “most third-party trackers”

I already had this website flagged in my memory as being full of shit, and this headline is another datapoint supporting that conclusion. Their recommendations are more bad than good; I mean, they recommend things like NordVPN and Signal and Threema among lots of other garbage. Their mission page says “No paid rankings, paid content, or paid linking schemes” and “We follow standard webmaster guidelines and do not accept payment for links or content in any form”… but then also admits “If you buy through links on this site, we may earn a commission, which helps support our mission.” 🤣

Obviously the reason their first VPN suggestion is NordVPN (a shady company that is most likely not only giving data to cops but also selling it to other companies), and they offer you a 68% Off Coupon for it, obviously that has nothing to do with them ~~being paid~~ earning a commission.

🤦 🤮

(I don’t have an opinion about the DuckDuckGo Android App Tracking Protection thing; assuming it is free software enough that it can be installed from f-droid, it might be worth looking in to.)


The Single Board Computer Database, a comparison website for SBCs and SOMs (formerly known as Board-DB), has relaunched!
cross-posted from: https://lemmy.ml/post/604088

> cross-posted from: https://lemmy.ml/post/604087
>
> > cross-posted from: https://lemmy.ml/post/604086
> >
> > > Thanks to [@MartijnBraam](https://lemmy.ml/u/MartijnBraam): https://blog.brixit.nl/finding-an-sbc/

The Single Board Computer Database, a comparison website for SBCs and SOMs (formerly known as Board-DB), has relaunched!
cross-posted from: https://lemmy.ml/post/604087

> cross-posted from: https://lemmy.ml/post/604086
>
> > Thanks to [@MartijnBraam](https://lemmy.ml/u/MartijnBraam): https://blog.brixit.nl/finding-an-sbc/

Signals alternative to SMS

lmao, simplex is not Signal’s and also not exactly an alternative to SMS.

fwiw the confusion in this thread was presumably inspired by another recent one asking for a Signal alternative for SMS (which simplex is also not, but was mentioned there).



I think OP is not looking for an encrypted chat but rather looking for a replacement app to send unencrypted SMS messages (and store them encrypted on the device) like Signal has done since it was called TextSecure and is finally going to stop doing now.



🤦

aside from the other tragically confused bits here, fwiw the BDFL of mastodon thankfully came to his senses and dropped the word “toot” six months ago


GPA. GNU Privacy assistant.

what makes you pick this, of all programs? just because it hasn’t had a release in four years?

Skimming the commit log one can see it certainly has had some bugs, and given that it is written in C it is reasonable to assume it has had some security-relevant ones. (eg, i’m not certain but this commit from a few months prior to the latest release looks like it could be fixing an actually exploitable bug?)

Currently there are 13 commits newer than the latest release. From a quick glance none appear to be obviously fixing security bugs (i guess there will be a new release when they next find some) but there are actually as-yet unreleased commits there fixing bugs… such as this one, made two days after the last release, which fixes searching being left-anchored.


in what way(s) specifically do you think he objects to the unix philosophy?

have you read his rebuttal to that claim (point #10 here)?

(disclaimer: i am using systemd on some, but not all, of my gnu/linux systems today… and after years of finding it irritating I am actually coming around to appreciate it.)









[context](https://cyprus-mail.com/2022/10/18/three-arguments-why-just-stop-oil-was-right-to-target-van-goghs-sunflowers/)



25 years after its initial ratification, the Debian project has voted to amend their Social Contract to allow proprietary firmware in the installer
* https://www.debian.org/social_contract
* https://en.wikipedia.org/wiki/Debian_Social_Contract