A new issue of #ThisWeekInGNOME is now online!
#181 Happy New Year!
thisweek.gnome.org/posts/2025/…
Update on what happened across the GNOME project in the week from December 27 to January 03.thisweek.gnome.org
Remember how the orange pissant and his fascists claims drugs are flowing into the US from Canada.
Well, well, well it looks like the other way.
Coutts drug bust seized $2M in cocaine bound for Canada
calgary.ctvnews.ca/border-agen…
Authorities at the Coutts, Alta., border crossing seized 189 kilograms of cocaine, with an estimated value of about $2 million, that was being shipped into Canada.Calgary
Following the example of GitLab and other VC-funded open source companies, @element goes 'open source almost everything' with "Synapse Pro";
"Synapse itself remains open source, and Element will continue to develop it proactively, just as it has for the last 10 years ... Available under a commercial license, Synapse Pro will help fund and accelerate the continued open source development of Synapse for the benefit of all of Matrix."
element.io/blog/synapse-pro-sl…
Synapse Pro is Element’s best practice Matrix homeserver. It transforms the performance and economics of huge public sector deployments.Steve Loynes (Element Blog)
🥳 Big news! While half of Europe is hanging out in Hamburg at 38c3, we got bored and accidentally our web frontend.
It comes with a bunch of new features, which we'll post about in the next couple hours and days, but the one which will probably be most obvious is that we now feature a built-in, automatic dark mode based on your browser / OS preferences 🌙 .
Check it out at search.jabber.network !
The top 25 public chat rooms on the Jabber network.search.jabber.network
New Year, new release ✨
In Movim 0.29 you'll discover two important changes, Stories and Briefs 😯 !
Yes Movim is the very first XMPP client that introduces fully standard Stories (xmpp.org/extensions/xep-0501.h…). Share your day with your friends, from any device, in a few easy steps ❤️
Briefs allows you to publish short content on your profile and complete the existing more complete articles publications 📝
Checkout the complete release note to know everything about those exciting new features: mov.im/community/pubsub.movim.…
New year, new #release ! This time with plenty of new exciting features, let's have a look at…mov.im
Want to try out XMPP, head over to join.movim.eu/ and find a XMPP server where you can create a free account.
Movim is a social and chat platform that acts as a frontend for the XMPP network.
#AndroidAppRain at apt.izzysoft.de/fdroid today with 16 updated and 2 added apps:
* Git Sync: git client for syncing a repository between remote and a local directory
* Sunup: UnifiedPush provider using Mozilla's push server 🛡️
RB status: 384 apps (31.2%)
Enjoy your #free #Android #apps with the #IzzyOnDroid repo 
This is a repository of apps to be used with your F-Droid client. Applications in this repository are official binaries built by the original application developers, taken from their resp. repositories (mostly Github, GitLab, Codeberg).IzzyOnDroid App Repo
The Matrix Holiday Special, client updates, and 38C3. That and more happened over the year end holidays in Matrix!
matrix.org/blog/2025/01/03/thi…
Matrix, the open protocol for secure decentralised communicationsThib (matrix.org)
The FTC has ordered accessibility startup accessiBe to pay $1 million over allegations of false advertising and misleading product claims.Kyle Wiggers (TechCrunch)
Introducing Refine, an app to tweak advanced and experimental settings in GNOME. It is an alternative to GNOME Tweaks, and is a pet project I'm currently working to experiment with PyGObject and dconf, while following the data-driven, object-oriented, and composition paradigms.
The entire codebase is made up of widgets that provide all the functionality needed to add an option. For example, instead of adding each option programmatically in Refine, the ultimate goal is to have it all done in the UI file.
For example, if we want to add an option to enable or disable middle click paste, all we need is the following code in the UI file:
$RefineSwitchRow {<br> title: _('Middle Click Paste');<br> schema-id: 'org.gnome.desktop.interface';<br> key: 'gtk-enable-primary-paste';<br>}<br>RefineSwitchRow widget will do whatever it needs to do to ensure the option is available, grab the setting if it's available, and display it to the user. Many of these widgets provide extra functionality, such as a Reset button.You can get Refine on Flathub: flathub.org/apps/page.tesk.Ref…
Everything else (source code, screenshot, etc.) is in the project website: tesk.page/refine/, as well as the Flathub link.
#GNOME #Flatpak #Flathub #FOSS #OpenSource #GTK #Libadwaita
Refine, an app to tweak advanced and experimental features in GNOME, has reached 100,000 downloads on Flathub!!
flathub.org/en/apps/page.tesk.…
Refine is an alternative (not replacement!) to GNOME Tweaks, designed to be data-driven and take advantage of the composition paradigm.
If you appreciate Refine and have the means to help a developer out, please consider donating to support my work: tesk.page/#donate
#GNOME #GTK #GTK4 #Libadwaita #FOSS #OpenSource #Flathub #Flatpak #Refine
Transnational hacking and FOSS bonding in action! Family trip brought me across the Atlantic, but got a chance to meet @pan and bring a FairPhone for development. It's amazing when we can not only hack, but also meet and enjoy the human part of it :)
reshared this
@Seirdy What is the license of your robots.txt? (seirdy.one/robots.txt)
Would you mind to add SPDX headers?
I am considering your robots.txt as base for my own.
Seirdy likes this.
Fixed the typos. Regarding SPDX headers:
I think that the robots.txt file itself isn’t a significant enough creative work to warrant copyright protection regardless of the license I put on it, and to put a license on such a trivial work would instead communicate that it’s meant to be reused.
It’s not meant to be reused as-is anymore now that I have a longer article that actually explains how and why I block what I block, but it doesn’t make sense to enforce non-reuse either.
In other words: I’m not sure that the file can receive copyright protections, and to act as if it does by giving it e.g. a CC license would simply encourage people to re-use it when they should be thinking for themselves and applying the nuance I hoped to inspire in my article.
I would rather not use restrictive licenses on my site, especially on works that I don’t think do or should receive copyright protections. and i would rather not advertise that the robots.txt be copied. A bit of a tricky place to be.
Alongside ongoing deals on M4 iPad Pro models at up to $300 off and a return all-time low on Twelve...Justin Kahn (9to5Mac)
Apple Intelligence launched with 4GB of storage requirements, but now that number has almost doubled already—and adds up with each device.Ryan Christoffel (9to5Mac)
Introducing the new NLS audiobook players. NLS technology from 1934 to present. And one that stayed on the drawing board. FY24 highlights. Art that's made to be touched.National Library Service for the Blind and Print Disabled (NLS) | Library of Congress
I accidentally found another security vulnerability in fdroidserver whilst working on something related to IzzyOnDroid.
We warned them months ago but were ignored *sigh*
"Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass"
They are now claiming they can't use my patches as-is because of "code quality issues" (private apis). Which... applies to exactly one patch, the one they actually merged 8 months ago.
Because the only way to fix the vulnerability was to monkey patch androguard (and an updated version is still not available in Debian, nor has the Debian stable fdroidserver package received any patches, despite those packages being maintained by the F-Droid team, so that monkey patch is still needed).
They are also downplaying the impact by insisting this vulnerability is only a problem for third party repositories relying on fdroidserver; which even if true is showing a concerning disregard for the security of repositories of other projects relying on fdroidserver.
I have no words to describe how little remaining faith I now have in F-Droid's security and code review processes.
I wrote an overview of the situation (without technical details of the exploits themselves as that's covered by the README):
github.com/obfusk/fdroid-fakes…
F-Droid Fake Signer PoC. Contribute to obfusk/fdroid-fakesigner-poc development by creating an account on GitHub.GitHub
Should someone stumble upon the security vulnerability disclosure at openwall.com/lists/oss-securit… – be assured the patches have already been applied at #IzzyOnDroid (and also that androguard is already aware: github.com/androguard/androgua…)
Also see the toot by the original finder: tech.lgbt/@obfusk/113765201775…
See: https://www.openwall.com/lists/oss-security/2025/01/03/1 Seems a good idea to patch ;) The regex in question -- ^META-INF/..(DSA|EC|RSA)$ -- is supposed to match all filenames that start with ...GitHub
@eighthave (2/2)
¹ I can follow it, but not create such on my own
² we would need time to set up a script for that; remember we're just a very small team with no grants; most work is still on my shoulders, next to a full-time $dayjob
³ we didn't use your implementation for fdroidserver back in spring but applied the patches provided by Fay, so signing key rotation is still supported at IzzyOnDroid
@eighthave (3/2)
"I'd need to see a v2-signed APK that is installable on Android that demonstrates the exploit it in order to consider this an actionable security vulnerability."
I'd rather not wait until an exploit is out-and-about. The patch is easy and not complex. Better safe than sorry. And one should fix (even potential) vulnerabilities *before* they become exploits.
@eighthave android.izzysoft.de/articles/n… outlines several of our layers. And you still have one of our scanners in your issuebot – though for some reason that seems not have to be run anymore for quite a long time (I never saw it in issuebot reports for about 2 years now).
You can find our scanning scripts at gitlab.com/IzzyOnDroid/repo (look at the Readme in the lib/ directory). We plan to make them available as Docker/Podman image, but no ETA yet.
Nachdem der Library-Scanner nun seit mehreren Jahren im IzzyOnDroid Repo im Einsatz ist war es an der Zeit, einige zusätzliche APK-Prüfungen zu etablieren.IzzyOnDroid
Take a look at apk_signer_fingerprint(): def get_first_signer_certificate(apkpath):...GitLab
@eighthave (4/5) quoting from f-droid.org/2024/05/24/mobifre…
> For more than 14 years, F-Droid has been developing solutions which act as pieces of the alternative mobile ecosystem puzzle. So it was a natural fit for F-Droid to become a contributing partner in the broader Mobifree project.
@eighthave (5/5) And looking at Mobifree, from nlnet.nl/mobifree/
> Our goal is to help mobile technology evolve to a more healthy state, provide people with concrete new tools and more reliable infrastructure, in order to provide better security and allow users more agency and choice.
"Better security". Should be the perfect fit for a security issue, no? 😉
@eighthave I was just wondering, as the corresponding issue carries the Mobifree label. And sorry, we have all hands full with work on IzzyOnDroid – so all we can contribute are those patches, we cannot help you rolling them out at F-Droid.org.
The patches work fine, we use them ourselves. Not sure though how they harmonize with your alternative implementation, which we didn't merge at our end (we use the patches we proposed back then). But we even provide a patch for that variant, please test.
Daniel's week report January 3, 2025
lists.haxx.se/pipermail/daniel…
new year, return values, webinar, graph comparisons, infrastructure, security
Really not a #ChuckTingle book cover?
Can only recall few software tools keeping backwards compatibility many protocols versions, with forward versions implementations. Then such security new/old reports, unavoidable?
AFAIK still no VSC http3 plugin, and only few for http2 ...While anyone just can test http3 from win/mac/lin shell default curl installs:
HT Curl Team!
Every year, the Dutch government adjusts taxes on electricity, gas, water as well as other things.
They publish a table on the official website here:
belastingdienst.nl/wps/wcm/con…
On Jan 1, there was no data about 2025 at all. Yesterday, on Jan 2, data appeared, stating the electricity tax to be € 0,10512 per kWh. Today, this number changed to € 0,10154 without any notice of change on that website. 😐
Bekijk de tarieven voor de verschillende milieubelastingen van 2017 tot en met 2024.www.belastingdienst.nl
Documenting #curl infrastructure. What more should I include, cover and discuss in here?
We're going to dive in with more depth on this, exploring why Bluesky's content tools are the second worst we've encountered in a long, rich history of internet censorship (just behind Meta, which are *awful).
The long and short of it is: language matters. masto.ai/@vagina_museum/113758…
Attached: 1 image us: come and visit a small independent quirky museum in london bluesky moderation team: no that's pornMastodon
Bluesky is a platform which automatically slaps content warnings on posts. It also offers very limited options for putting warnings on your own posts, which look like this.
As you'll see, there's a lot of options for "adult". Which is a *very* loaded term.
Sensitive content
I'm sad that the RNIB can sell a complex bit of digital audio equipment for half the price of a purely mechanical Braille device.
[Get a bargain in our New Year sale](rnibenews.org.uk/cr/AQjI5A0Qst…)
'50 years of giving the money to the wealthy people resulted in the poor people getting no money,' is not a terribly surprising result. 🤡
"50 years of tax cuts for the rich failed to trickle down, economics study says"
cbsnews.com/news/tax-cuts-rich…
Tax cuts for the wealthy didn't boost the economies of the U.S. and 17 other countries — but they did worsen income inequality.Aimee Picchi (CBS News)
SQLite is a remarkable piece of software and I've always been curious about the system and the project. Here are several little known facts about SQLite.
Some of the interesting and insane facts I learned about SQLiteavi.im
The world's richest man has joined a growing chorus of right-wing voices attacking Wikipedia as part of an intensifying campaign against free and open access information. Why do they hate it so much?
citationneeded.news/elon-musk-…
#Wikipedia #ElonMusk #USpolitics #USpol
The world's richest man has joined a growing chorus of right-wing voices attacking Wikipedia as part of an intensifying campaign against free and open access information.Molly White (Citation Needed)
Apple Fitness+ today announced a slew of new content to kick off the year, as well as a new integration...Benjamin Mayo (9to5Mac)
Ne das passt schon ganz gut so, die Dinge und vor allem Konstellationen beim richtigen Namen zu nennen. 😉
Schwarz-Geld im Kontext der FDP ist ziemlich auf den Punkt gebracht, meiner Meinung nach!😁
search.jabber.network
in reply to search.jabber.network • • •This release also marks the implementation of a feature people have been asking since forever: Search #xmpp / #jabber channels by language. You can now do that!
To search for all channels in french, you could type "lang:fr" in the search bar. Like this: search.jabber.network/search?q…
"lang:foo" can be combined with other search terms.
More information on how to search by language is found in the FAQ: search.jabber.network/docs/faq
"lang:fr" - search.jabber.network
search.jabber.networkreshared this
Gajim reshared this.
search.jabber.network
in reply to search.jabber.network • • •search.jabber.network
in reply to search.jabber.network • • •Another bit you may have noticed, especially if you visit the home page regularly, is that avatars now always load correctly.
The old website had a weird fun Python runtime type error which occurred sometimes when the browser had an avatar in the cache already.
Because we deleted the almost 10k lines of Python code and replaced it with Rust, that can't happen anymore
.
(Also, it's now faster and less memory use, which is nice.)
search.jabber.network
in reply to search.jabber.network • • •You can now add hashtags to your #xmpp / #jabber channels on search.jabber.network! Just add a series of hashtags to the end of your channel's description.
Note that we maintain an allowlist of tags here: search.jabber.network/tags/ Tags which are not on that list are ignored.
Suggest new tags we should add/allow in the replies to this thread!
Channel tag index - search.jabber.network
search.jabber.network