Joined 5 years ago
Cake day: April 18th, 2019
  • “We don’t work with advertisers. We only work with governments and secret police to slaughter their own population or go colonize other countries.” <-- that line of defense reminds me of the Amesys story, in which French television interviewed an Amesys representative who insisted the spyware they sold to North African dictatorships before the Arab Spring only ever caught terrorists and pedophiles ^^



  • Nope, nothing at all. It’s just a masquerade. I don’t like absolutist statements in general, but in that specific case, multi-factor auth does not provide code signature to other users, it’s just a gatekeeping mechanism for Github to authenticate you. This means whether they have a security breach or someone at Github wants to harm you, they definitely can push out malicious updates in your name, and therefore such measures have nothing to do with security in the context of “who wrote the code i’m downloading?”.

    It’s a little bit like banks: they may require all the security measures they like, at the end of the day they can run away with all our money like they did in Greece and there’s absolutely nothing we can do about it.

    To be fair, multi-factor authentication can help reduce the most obvious cases of password theft (e.g. via a virus on a single device). But it does very little to stop phishing (unless using TOTP precisely, which is slowly becoming unsupported), bit/typo-squatting, etc.






  • You don’t need to add a phone number at all: https://lemmy.ml/post/257191/comment/176967

    At least they support TOTP. I heard lately a lot of service providers (including banks) are dropping TOTP in favor of hardware tokens and phone apps. That’s a worrying trend.

    And security keys can be independently manufactured (even by ourselves) and disposed of when desired

    I think that’s part of the problem: we don’t need or want junk electronics for every single person/identity that goes online. It brings little benefits (a hardware token is much easier to steal than a private TOTP key on an encrypted system) and is bound to help destroy the environment ever more.

    Anonymity (…) can protect victims of abuse, yes, but it can also protect online abusers

    For sure, but there is a power imbalance that pseudonymity helps address. Harassers/stalkers/rapists are often empowered by their local legal system and law enforcement agencies: Facebook introduced a “real name” policy about 10 years ago pretending it would magically stop harassment… has it?

    Your argument here is like saying HTTPS is meaningless now that almost everyone is using it, when the security uplift is such a huge net positive for everyone

    I agree HTTPS is good (although it would be better with encrypted SNI and such). But 2FA for a centralized capitalist platform has nothing to do with security. If you want more-secure code distribution, use PGP git signatures and a distribution mechanism like guix channel introductions.

    you’ll need MFA to use the website/app

    That’s already the case to some extent, and i hate it. I hate that Github forces me to open my mail client every time i want to login (because my Tor browser doesn’t keep cookies across sessions).

    Of course, it depends on your use case. I use Github for minor contributions to volunteer projects. In this specific case, anything that gets in the way of user contribution is in my view a problem.

    Thanks for sharing your thoughts. I hope you understand the nuance i’m trying to bring and that i’m not opposed to security practices in general. Hell, i would love if i could use PGP/SSH auth everywhere… :D


  • Sounds like a bug. When you turn on debug logging do you see anything specific? (i don’t even know if debug logging is a thing in Lemmy ansible setup). Can you maybe also try with another SMTP client like msmtp to see if you can reach your mail server from it? It’s possible that some network misconfiguration prevents it, or that your mail provider has blocked your IP/range for some reason.


  • Nice blog post, and always nice to see RSS feeds.

    Thanks! The RSS feeds are generated by Zola, the SSG i use (and contribute to sometimes).

    I think the best general solution for normal end-users getting packages they can trust is always a well-audited package manager.

    I entirely agree! And i personally don’t think that distro packaging is dead (or should die), but i do believe there’s a crisis in the field: nix/guix certainly represent a far better model in a day and age where there are dozens of thousands of packages to maintain for many architectures.

    The Debian/Fedora packaging system makes it more complex than it has to be to just push an update because most of the steps have to be done manually. Of course, i appreciate when some packages are maintained by trustworthy people inspecting the changelog, but no distro has the energy to do that for all packages…

    I can’t imagine a general solution to Github workflows

    Do you mean for CI/CD? I don’t understand why we need Github Actions at all. If only we could have a standardized protocol/vocabulary (like ForgeFed/ForgeFriends) to subscribe to updates across different forges, we could have pretty basic/standard tooling performing tasks as we like them.


  • This is a post about the biggest cult in privacy community witch hunting, and you do not recognise it.

    I do recognize it because you talked previously about it. I just don’t think it’s pertinent to show in this form for people who don’t know about the entire story (even i don’t know the whole story). I would recommend either to make a community dedicated to this topic, with a stickied thread serving as introduction, or to give more context to your post on the topic. But shitposting random conversations about a topic of interest of yours into random communities is not really cool for people who do not reside in your brain :D

    Also, bit of personal advice: you seem really obsessed with this community and story. I think it would do you good to focus on something else… You seem to imply it’s a “big” thing but seriously i’ve never met a single person using GrapheneOS and they only support Google phones so there’s no risk it’s becoming a big thing any time. Maybe try to get involved in Lineage or /e/OS or PostMarketOS communities? You may help build the mobile distro you wanna see instead of losing a little bit of your sanity every time the GrapheneOS mods do something. Take care :)