Before I share with you the tune I just released, I wanted to offer this video of Jacob Collier performing together with Anushka Shankar and others. This is an absolute wow! youtube.com/watch?v=kgVRqM_PT5… I want to duck hearing this level of musicianship!
To celebrate A Rock Somewhere's Grammy nomination for Best Global Music Performance, here’s our first ever live performance together of the song in Amsterdam...
Breaking news: FTC order requires AcessiBe to pay $1 Million for deceptive claims that its AI product could make websites compliant with accessibility guidelines ftc.gov/news-events/news/press…
@Bruce There was a lot about DS9 that I liked. I like the Sisko character but not the way Brooks portrayed him. I loved the complexity of the Odo character but the overall hostility of his people toward "solids" is an interesting plot device but it doesn't really make sense to me. I also feel that Babylon 5 is a better show. I'm not sure if you've read about the Babylon5 controversy as it relates to DS9 but there's a possibility that some concepts from B5 were borrowed, to put it politely, when DS9 was being developed.
@Bruce For me, I was OK with the religious themes of the Bejorans although Trek has always bothered me because you hardly ever see religion as being practiced by humans. It's as if they're saying, well, the aliens have their religions with their weird beliefs and deities but we humans have outgrown such things. One thing I love about Babylon 5 is that religion plays an important role among all of the various races, including humans. This was important to the show's creator, who, ironically, was an atheist.
@Bruce There may have been some borrowed concepts but it's likely that the writers weren't plagiarizing. The shows definitely have their similarities but certainly enough differences that it doesn't feel like DS9 is a total rip-off, although some B5 fans might not agree. I haven't read any DS9 novels, except for the excellent trilogy about the Cardassian occupation. I know you also recommended Pliable Truths and this is a book I'd like to read. I still haven't finished the actual series, though, as I stopped at the beginning of season 7.
@Bruce I really liked the Janeway character, both as a captain and as a person. And the series finale was fabulous. I wish we had seen more about what happened after they got back but the relaunch novels handled this. I think I read the first four of them, Homecoming was the first if I'm remembering correctly,, and they were, for the most part, very good.
@ricky_enger @Bruce Hey, there. I actually love Brooks's speaking voice. For me, it was the way his voice got when he launched into one of his passionate speeches; it just didn't sound believable to me. The character itself, though, is great. I'm also not a fan of the Ferengi and I just found their culture to be either tiresome or just ridiculous.
@Bruce I loved DS9 and got even more from it after a rewatch. I appreciated Brooks' portrayal of Sisko but I've heard several others who agree with you. With the Founders, I always thought their feelings about solids came about because of contempt for beings they perceived as lesser, a thirst for power, and an inability to understand why inferior beings could disagree with them. I've seen similar behavior in humans so it was believable for me.
@ricky_enger @Bruce @Ranger1138 I will be very, very interested in your feelings about B5. I wish I could hang out with both of you as you watch it for the first time. Along with Doctor Who, Babylon 5 is one of my favorite shows. The show most definitely could use audio description and it is regretable that this was never added.
@ricky_enger @Bruce Yes, that's true, and the Quark/Odo dynamic was wonderful. I think my problem is that I'm not really into comic relief when that's the purpose of the whole episode but Trek often did that to balance out the serious stories. B5 doesn't do that quite as much, although there is definitely some comic relief in their episodes they don't have a character whose purpose is to provide it. To me, the comedy that you do see in B5 is actually funnier than what you see in many Trek episodes but that's just me and comedy, as with so many other things, varies widely as to what works or doesn't work with an individual.
@Bruce I looked at the Ferengi as comic relief, though maybe that wasn't always the intention. It was for the Grand Nagus bits for sure. Wallace Shawn does such a fabulous job with that. I also feel like the show plays on our assumptions of Ferengi as one-dimensional and it's what makes Rom's and Nog's stories more impactful. They're doing the unexpected. And yeah I like the Quark/Odo dynamic too.
@ricky_enger @Ranger1138 Joe, I assume you're going to start her off with the remastered "the Gathering" as opposed to the original? We don't want the poor woman losing interest before she even sees the first episode. 😀
@ricky_enger I may skip the pilot. I actually saw the original movie, on laser disc when I worked at a video store, but had forgotten it by the time the first season aired. Then revisited afterwards. I think it actually plays better that way. I know that's heresy. I'm thinking about doing a clubhouse room with some of my friends from my Star Wars club During the massive rewatch.
@smfeir @Ranger1138 @ricky_enger Well, "in the Beginning" was very good but it gives quite a lot of it away; I won't say much more as Ricky hasn't seen it yet. I see "in the Beginning" as a gift to fans who had been watching the first four seasons. Unfortunately, B5 has not been described, as far as I know, and it really needs it.
@Ranger1138 @ricky_enger Yeah! My husband got me to watch In The Beginning first, which is not the pilot but gets you into the story. However, I think Midnight on the Firing Line is fine to begin with. Coming in a bit late, so I thought I'd ask: is this described? Would love to find B 5 described!
@smfeir @Ranger1138 @ricky_enger True. If I were starting someone out on the first episode, I might give them a few pieces of information that took place during the pilot, mainly about Kosh. I prefered the remastered pilot over the original but it did have a major reveal that wasn't in the original that I'm a bit surprised that JMS allowed.
@Ranger1138 @ricky_enger Yeah. Mike thought it would help to start there, but it really didn't. The Gathering is good, but not really needed to have an appreciation for the series.
Oh, you would notice the differences pretty quickly. The remastered version had incidental music that was more in line with the series. In the original pilot, the music was much different and the story just seemed to move along much slower, even though the remastered version had more dialog. There was a difference with the narration of the theme (the theme music for the series has narration from important characters) and a scene with Kosh in the remastered series that ... I won't talk about until and assuming Ricky makes it past Season 3.
@smfeir @ricky_enger The only B5 that's described is the animated movie. Which also has an amazing commentary track by JMS. In his autobiography, Becoming Superman, he talks a lot about how he thought he would go blind at an early age. That gave me hope for possible description. And a few people I know had reached out about description for this last remastered set. But as you know, as it has been with the franchise since day one, he doesn't have complete control over what makes it to home video release. So I think the last opportunity for us to have it described officially came and went with that set. Or at least until the next Remastering rolls around in five years... or more
@Ranger1138 @smfeir @ricky_enger I didn't know the animated movie was described. I bought it on iTunes when it was released and there was no AD track. Where can we find the AD for "the Road Home"?
I want express my sincere THANKS to YOU and the 130,000+ others who have subscribed to the AskBob newsletter since 2005. This year I celebrated the 19th anniversary of this newsletter, and there are over 3000 articles here now.
Certainly helps to have a lot of money and be an incoming president! Judge sets date for Trump hush-money sentencing but rules out prison term - The Guardian apple.news/AuN9BmQtkR4ulOrcNBZ…
Many of our clients are unfamiliar with VPATs, but their buyers are requesting that they produce a VPAT before their product or service will be considered for
The Freedom Scientific training team offers ongoing opportunities for you to join us in live training sessions and advance your skills. We’re excited to announce our jam-packed January training sch…
Authorities at the Coutts, Alta., border crossing seized 189 kilograms of cocaine, with an estimated value of about $2 million, that was being shipped into Canada.
Following the example of GitLab and other VC-funded open source companies, @element goes 'open source almost everything' with "Synapse Pro";
"Synapse itself remains open source, and Element will continue to develop it proactively, just as it has for the last 10 years ... Available under a commercial license, Synapse Pro will help fund and accelerate the continued open source development of Synapse for the benefit of all of Matrix."
🥳 Big news! While half of Europe is hanging out in Hamburg at 38c3, we got bored and accidentally our web frontend.
It comes with a bunch of new features, which we'll post about in the next couple hours and days, but the one which will probably be most obvious is that we now feature a built-in, automatic dark mode based on your browser / OS preferences 🌙 .
This release also marks the implementation of a feature people have been asking since forever: Search #xmpp / #jabber channels by language. You can now do that!
To search for all channels in french, you could type "lang:fr" in the search bar. Like this: search.jabber.network/search?q…
"lang:foo" can be combined with other search terms.
You can now add hashtags to your #xmpp / #jabber channels on search.jabber.network! Just add a series of hashtags to the end of your channel's description.
Note that we maintain an allowlist of tags here: search.jabber.network/tags/ Tags which are not on that list are ignored.
Suggest new tags we should add/allow in the replies to this thread!
In Movim 0.29 you'll discover two important changes, Stories and Briefs 😯 !
Yes Movim is the very first XMPP client that introduces fully standard Stories (xmpp.org/extensions/xep-0501.h…). Share your day with your friends, from any device, in a few easy steps ❤️
Briefs allows you to publish short content on your profile and complete the existing more complete articles publications 📝
This is a repository of apps to be used with your F-Droid client. Applications in this repository are official binaries built by the original application developers, taken from their resp. repositories (mostly Github, GitLab, Codeberg).
Introducing Refine, an app to tweak advanced and experimental settings in GNOME. It is an alternative to GNOME Tweaks, and is a pet project I'm currently working to experiment with PyGObject and dconf, while following the data-driven, object-oriented, and composition paradigms.
The entire codebase is made up of widgets that provide all the functionality needed to add an option. For example, instead of adding each option programmatically in Refine, the ultimate goal is to have it all done in the UI file.
For example, if we want to add an option to enable or disable middle click paste, all we need is the following code in the UI file:
That's it. The RefineSwitchRow widget will do whatever it needs to do to ensure the option is available, grab the setting if it's available, and display it to the user. Many of these widgets provide extra functionality, such as a Reset button.
Transnational hacking and FOSS bonding in action! Family trip brought me across the Atlantic, but got a chance to meet @pan and bring a FairPhone for development. It's amazing when we can not only hack, but also meet and enjoy the human part of it :)
I think that the robots.txt file itself isn’t a significant enough creative work to warrant copyright protection regardless of the license I put on it, and to put a license on such a trivial work would instead communicate that it’s meant to be reused.
It’s not meant to be reused as-is anymore now that I have a longer article that actually explains how and why I block what I block, but it doesn’t make sense to enforce non-reuse either.
In other words: I’m not sure that the file can receive copyright protections, and to act as if it does by giving it e.g. a CC license would simply encourage people to re-use it when they should be thinking for themselves and applying the nuance I hoped to inspire in my article.
I would rather not use restrictive licenses on my site, especially on works that I don’t think do or should receive copyright protections. and i would rather not advertise that the robots.txt be copied. A bit of a tricky place to be.
I love to see coding tutorials like this make the coder code for accessibility by giving them examples and stating up front they do not treat accessibility as an afterthought write-on.org/html/ #CSS #WebDev #HTML #Accessibility #A11y
NLS Lays Out Its New Digital Player | News October–December 2024 - National Library Service for the Blind and Print Disabled (NLS) | Library of Congress loc.gov/nls/about/news/news-oc…
Introducing the new NLS audiobook players. NLS technology from 1934 to present. And one that stayed on the drawing board. FY24 highlights. Art that's made to be touched.
F-Droid now claims PoC 5a is not an "actionable security vulnerability" because "APKs signed by v1-only are not even installable on latest Android versions". This is false. As long as targetSdk < 30 (and e.g. the official F-Droid client has 29) they will install just fine. I even confirmed this by installing my PoC APK on both Android 13 and 14 just in case, something they apparently neglected to bother with before making that claim.
They are now claiming they can't use my patches as-is because of "code quality issues" (private apis). Which... applies to exactly one patch, the one they actually merged 8 months ago.
Because the only way to fix the vulnerability was to monkey patch androguard (and an updated version is still not available in Debian, nor has the Debian stable fdroidserver package received any patches, despite those packages being maintained by the F-Droid team, so that monkey patch is still needed).
They are also downplaying the impact by insisting this vulnerability is only a problem for third party repositories relying on fdroidserver; which even if true is showing a concerning disregard for the security of repositories of other projects relying on fdroidserver.
I have no words to describe how little remaining faith I now have in F-Droid's security and code review processes.
See: https://www.openwall.com/lists/oss-security/2025/01/03/1 Seems a good idea to patch ;) The regex in question -- ^META-INF/..(DSA|EC|RSA)$ -- is supposed to match all filenames that start with ...
the regex fix is a good one, we'll look into merging that. I'd need to see a v2-signed APK that is installable on Android that demonstrates the exploit it in order to consider this an actionable security vulnerability. APKs signed by v1-only are not even installable on latest Android versions, and Android 7.0 and above support v2+ signatures. Looks like obfusk's proof of concept is a v1-only APK. Do you even ship v1-only APKs in IzzySoft anymore?
@eighthave The regex fix is also considered by Androguard, yeah. And I didn't make the POC; that area is not in my expertise¹. I could check if there are any v1-only APKs in our repo² (not aware of any right away, though, but we still have some older apps here – and there are still some older devices around; we support "device longevity" 😉). But v1 IS important here, as we still support signing key rotation³ (and have at least 1 app using that).
¹ I can follow it, but not create such on my own ² we would need time to set up a script for that; remember we're just a very small team with no grants; most work is still on my shoulders, next to a full-time $dayjob ³ we didn't use your implementation for fdroidserver back in spring but applied the patches provided by Fay, so signing key rotation is still supported at IzzyOnDroid
"I'd need to see a v2-signed APK that is installable on Android that demonstrates the exploit it in order to consider this an actionable security vulnerability."
I'd rather not wait until an exploit is out-and-about. The patch is easy and not complex. Better safe than sorry. And one should fix (even potential) vulnerabilities *before* they become exploits.
I understand your concern. From what I know, the IzzySoft repo relies much more on AllowedAPKSigningKeys to provide a secure repo than f-droid.org or guardianproject.info (the repos I'm involved in running). Both had extra verification before AllowedAPKSigningKeys existed, so there, its just an extra layer of protection. The goal of AllowedAPKSigningKeys is to make it easy for non-technical people to manage binary APK repos securely. That is a work in progress, and your reports help
@eighthave Well, if you think AllowedSigningKeys is the only protection we're using, you're a bit misinformed 😉 Of course we have multiple layers in place, too. But not all binary APK repos have, some are relying on the "built-in protection".
Good to hear you have more layers of verification. I'd like to read about what you're doing, since you've been handling the auto-download of APKs for a long time, so perhaps there is more we could add to `fdroid update`. Could you point me to them? There is a good foundation for us to build on: APK v2+ signatures are quite robust and APK signing keys tend to be quite stable over time. That makes it possible to automate checks so repo operators don't have to know all about signing.
@eighthaveandroid.izzysoft.de/articles/n… outlines several of our layers. And you still have one of our scanners in your issuebot – though for some reason that seems not have to be run anymore for quite a long time (I never saw it in issuebot reports for about 2 years now).
You can find our scanning scripts at gitlab.com/IzzyOnDroid/repo (look at the Readme in the lib/ directory). We plan to make them available as Docker/Podman image, but no ETA yet.
Nachdem der Library-Scanner nun seit mehreren Jahren im IzzyOnDroid Repo im Einsatz ist war es an der Zeit, einige zusätzliche APK-Prüfungen zu etablieren.
indeed AllowedAPKSigningKeys was inspired by the various custom scripts and processes we had in place already. We welcome contributions to improve AllowedAPKSigningKeys. We don't currently have funding to work on it. We would gladly help someone put together a funding proposal to work on it.
@eighthave It's not just about F-Droid and Guardian, Hans. You are promoting fdroidserver for all those decentralized repositories, it's your software. IzzyOnDroid has not a single grant (wouldn't your Mobifree grant cover that?), our team is much smaller than yours (~3 vs ~30) – and not a single one here at IoD is being paid vs. 2+ full-time at F-Droid (we're all doing all this in our spare time, I spend 4+ hours each day after my regular 9h $dayjob for example, not counting weekends. (1/5)
(2/5) Still we tried to contribute in the past, more than once (and also on this issue). Our contributions were refused then. But the patches we speak of are available at the POC, like last time. Feel free to use them, of course! They're working fine with fdroidserver here at IzzyOnDroid 😉
> For more than 14 years, F-Droid has been developing solutions which act as pieces of the alternative mobile ecosystem puzzle. So it was a natural fit for F-Droid to become a contributing partner in the broader Mobifree project.
> Our goal is to help mobile technology evolve to a more healthy state, provide people with concrete new tools and more reliable infrastructure, in order to provide better security and allow users more agency and choice.
"Better security". Should be the perfect fit for a security issue, no? 😉
I'm not sure the point you're trying to make here. EU Horizon grants such as Mobifree are large partnerships between around 10 projects. The work and goals are all nailed down between the partners. These kinds of funds are not free money to spend as we please.
@eighthave I was just wondering, as the corresponding issue carries the Mobifree label. And sorry, we have all hands full with work on IzzyOnDroid – so all we can contribute are those patches, we cannot help you rolling them out at F-Droid.org.
The patches work fine, we use them ourselves. Not sure though how they harmonize with your alternative implementation, which we didn't merge at our end (we use the patches we proposed back then). But we even provide a patch for that variant, please test.
Things with the Mobifree label are things that are being considered as part of that grant. It is definitely not a promise. It is quite likely we will work on AllowedAPKSigningKeys as part of Mobifree, I'd like to, but no guarantees. Currently, I'm thinking of making AllowedAPKSigningKeys only support v2+ signatures, since v1 signatures are deprecated, on their way out, and really overly complicated. I see no sense in trying to build security guarantees on top of them.
@eighthave Thanks Hans! But you are aware that you still have v1-only APKs in the repo, right? Not saying AllowedAPKSigningKeys is active for them. And yes, it's older apps (just random findings). A full scan could reveal them all (we need to do the same here at IoD as well, have that on our list, but we are even more "understaffed" than you and still without any grants).
Since you're investing a lot of effort into AllowedAPKSigningKeys, I highly recommend switching the effort to parsing the signing certificate from v2+ signatures, and away from inspecting the deprecated v1 signatures. Apps with targetSdkVersion 30 or higher entirely ignore v1 signatures, so they are gradually disappearing from use.
@eighthave Isn't that what fdroidserver promises to provide to those using it to maintain a repository? We do not "invest a lot of effort into AllowedAPKSigningKeys" – we simply apply it consequently. Signature pinning is expected to be done by fdroidserver; we *accidentally* found flaws there, we even provided patches which were refused. We still have v1-only APKs as the F-Droid.org repo has them, yes. But we don't write/maintain fdroidserver. Are you saying it is unsafe for use by other repos?
I'm saying v1 signatures should not be something that anyone relies on any more. Our current thinking is to remove support for v1-only signatures from AllowedAPKSigningKeys because of the weakness of v1 signatures means we cannot provide good security, so it would only provide a false sense of security. For distributing v1-only signed APKs, I'd recommend verifying them via an alternate method other than certificate pinning.
fdroidserver is fully safe for the tasks it was built for. It has been independently audited as well (we have two more audits coming up). If you have a trusted collection of APKs, then fdroidserver provides the entry point to a trustworthy pipe to the F-Droid client. It cannot protect against malicious upstreams, upstreams losing their signing keys, etc. It cannot fix the deprecated v1 signatures. Require v2+ signatures, and AllowedAPKSigningKeys works with no known weaknesses.
@mnalis Same as IzzyOnDroid most likely: older apps which have long-time seen no updates anymore. At IoD, we've just removed several of those (which were additionally using weak keys, or had other issues as well), leaving only those in that have strong enough keys etc. Some were left for further investigation, in one case (app still actively maintained) we reached out to the devs asking for additional v2 signing. @eighthave
@eighthave Would it make sense (if those abandoned v1 apps are still useful so should not be archived/removed) to recompile and re-sign those abandoned apps with F-droid.org keys (I'm assuming they're not RB), so people who install them from F-droid these days won't be vulnerable to fake upgrades elsewhere on the net (as I'm understanding is the risk currently)? Or maybe tag them with that "Vulnerable" flag that F-droid apps (esp. browsers) get occasionally?
@mnalis I guess none of us have tried those old ones for RB – and with the projects dead and their devs no longer around, that would not help anyway (as with RB, both F-Droid & IoD would ship the upstream APK, which has that signing issue). Wile at IoD we build apps from source FOR RB, we don't sign ourselves. But (most of) the v1-only apps at F-Droid just needed to be re-signed (adding v2) as they are signed by F-Droid – right, @eighthave ?
Vanavond staan Venus en de maansikkel vlakbij elkaar, een prachtige samenstand. En heel soms passeert er nog een onverwachte bezoeker frankdeboosere.be/nachthemel/j…
.
David Goldfield
Unknown parent • • •David Goldfield
Unknown parent • • •David Goldfield
Unknown parent • • •David Goldfield
Unknown parent • • •David Goldfield
Unknown parent • • •David Goldfield
Unknown parent • • •David Goldfield
Unknown parent • • •Ricky Enger
in reply to David Goldfield • • •David Goldfield
Unknown parent • • •Ricky Enger
in reply to David Goldfield • • •David Goldfield
Unknown parent • • •Ricky Enger
in reply to David Goldfield • • •David Goldfield
in reply to Ricky Enger • • •David Goldfield
Unknown parent • • •Joe Steinkamp
in reply to David Goldfield • • •David Goldfield
Unknown parent • • •Sara Feir
in reply to David Goldfield • • •David Goldfield
Unknown parent • • •Sara Feir
in reply to David Goldfield • • •David Goldfield
Unknown parent • • •Sara Feir
in reply to David Goldfield • • •Joe Steinkamp
in reply to David Goldfield • • •David Goldfield
in reply to Joe Steinkamp • • •