Vielen Dank, dass Sie für Thunderbird gespendet haben und es hier auf Mastodon teilen! Diese Art der Unterstützung wird uns hoffentlich noch viele weitere Jahre erhalten bleiben.
Coming to @fosdem this week? So are we! We’ll be in Building K, Level 1, B-7 (fosdem.org/2025/stands/) Meet the team, play with Thunderbird for Android, find out how to get involved, and of course, pick up some Thunderbird stickers! #FOSDEM #OpenSource
This led to them including a self-update system which was openly implemented and documented. F-Droid was unaware they'd shipped it for half a year, and by then WireGuard had essentially escaped from in their words being held hostage by F-Droid.
This was a rare case where an app used developer signing keys via their flawed reproducible builds system. Most don't.
Per https://f-droid.org/en/docs/Inclusion_Policy/ The software must not download additional executable binary files (e.g. addons, auto-updates, etc.) without explicit user consent....
For the vast majority of apps they package, F-Droid downloads and builds whatever developers publish, then sign it with their own keys and release it. They aren't doing any real review as people believe. What they really do is run things through basic scans looking for libraries they've disallowed, primitive antivirus checks for common Android malware as if that's what malicious code in an open source project would be, etc. It took them that long just to realize an app openly took over updates.
F-Droid has incredibly poor security practices and a strong anti-security attitude held by most of the people involved. They've consistently engaged in coverups of vulnerabilities and targeting multiple security researchers with libel and harassment.
It's a massive single point of failure and not worthy of the trust many people are placing in it. It's adding another trusted party compared to using the apps built and signed by the developers. It is not avoiding trust in the developers of apps.
Regularly not shipping critical Firefox security patches for months is the norm for the main F-Droid repository. Whether or not they sign the apps themselves as they do for the vast majority of apps, updates can be indefinitely delayed based on issues with their outdated infrastructure or their Debian-style downstream patches needing to be updated.
For the small subset signed by the app developers, many kinds of disagreements between F-Droid and developers will mean an end to receiving updates.
You are not the only ones that struggle with f-droid. (There is an ongoing struggle to fix certificate pinning by f-droid by a former maintainer, which has neither been acknowledeg nor accepted).
But the question is: what alternatives are there? As far as i can tell, f-droid is the only large scale-repository of open source apps there is.
@Kulei @newhinton We recommend using Accrescent for the apps which are available through it. It's not specific to either open source apps or privacy focused apps but rather is meant to become a Play Store alternative.
Obtainium + App Verifier for getting apps directly from developers, although we'd prefer a leaner and more security focused approach than Obtainium.
While I appreciate bringing up the security concerns the existence of alternatives to #FDroid I do not think we have those when it comes to pure FOSS apps without the usual big corporate trackers/libs. #Accrescent lists a few apps and fails to provide relevant information about them (such as requested permissions). E.g. #Qlango includes multiple tracking libraries by #Meta / #Facebook and doesn't look like it is FOSS to any degree. Even while the #FDroid repo is not carefully curated I don't run into traps like these. 🤷
There is a need for a curated and maintained FOSS app repo and currently there is nobody but @fdroidorg providing it. #Obtainium, #Accrescent are mostly option for expert users who exactly know who to trust and what they are looking for. @Kulei @newhinton
#Accrescent IMO absolutely needs - better description of app - permissions list - license info of app - download size of apk - website link if available - (minimum Android sdk)
We already have plans to expand app descriptions, provide download size information, and utilize detailed compatibility specifiers including minimum SDK specifications pending some upcoming server changes. It's not yet clear whether or how to incorporate permission lists, license info, or website links (though we do at least plan to distinguish open source apps).
Dnešní den je na #Tenerife čistě procházkový. Takže cíl je jasný #Anaga! První trek byl na výšlap na kousek od Taborno. Bohužel počasí se nám zhoršilo, takže jsme si nemohli pořádně užít vyhledy na oceán. #garmin #beatyesterday #nature #walk #taborno
So how does this work? Even if I gave someone my bank details here in the UK, they could put money in, but not take it out without setting up a direct debit, which I'd be notified about before any money went out anyway. I presume the Canadian system works a little differently cbc.ca/news/canada/british-col…
I suspect that the details she actually filled in were authentication credentials, giving the scammers access to her account at which point they could just set up a new transfer in the other direction. Having said that, I still have many questions about the design of the system and the security of Canadian bank accounts. Designing any banking-related mechanism around links being sent to people seems unwise, as does allowing logins and transfers without a secure second factor.
@jscholes Can't speak for Canada, but the way those work here is that there is a second factor, but people still fall for it.
You enter your credentials on the fake website, the fake website immediately forwards them to your bank and orders a transfer, just with a different amount and recipient. You'll see the new, suspicious data in your app / text message, but most people don't check and just click "approve."
They most likely have a website that lets you pay somebody by online bank transfer. The way these work is that you pick your bank, are redirected to their site, log in there and have the details filled in automatically. This is a lot easier (and often a lot quicker) than the traditional way.
The way this scam works is that you get a website that looks just like the real one, but it never redirects you to your bank, capturing your login credentials instead.
Meta recently rolled out a Live AI feature for its Ray-Ban Meta smart glasses. Unfortunately, it’s hard to know when you should use it — and why you’d want to.
Absolutely zero surprise here. One of the biggest reasons we need real OSS (including data, as much as possible) to win in AI is because the alternatives are extremely grim from not just a speech perspective, but from a simple “whose facts” perspective. mastodon.xyz/@johl/11390104008…
It’s flawed as hell, but I do think there’s correlation between inculcation in the traditional skills around small-d democratic, Western, classical liberal civic values, and participation in FOSS. A software industry that centers those values [definitely not our current industry, nor China’s] is good for all of humanity, in the long run.
Anyone here witnessed/seen hour+ unskippable ads on #YouTube? Yes, you read that right. Supposedly, Google is only showing this to some users it suspects of using an adblocker.
We all know how #Google has become increasingly hostile towards adblocking technologies in the last couple years… but if this is true - and not some sort of bug - geez… doesn’t help they neither confirm or deny it in the news sources I’ve seen.
Ahora que los AI-bros de Silicon Valley están panicando con la salida de #Deepseek y sus capacidades a la par de las de #OpenAI aunque a una fracción del precio, además de ser en buena parte open source, una crítica habitual al modelo es que es chino y, entre otras cosas, te censura cualquier mención a los sucesos de la Plaza de Tiananmén en 1989.
Pues vamos a ponernos empíricos y hacerle la pregunta en local para ver qué hay de verdad. Nos bajamos la versión 14b del modelo y le pedimos un resumen de esos hechos.
Oh, sorpresa. Habla de represión, de censura y de una auténtica masacre.
El modelo no será perfecto y tendrá sus sesgos como todos. Pero criticarlo por ser chino no se sostiene.
After 4 years at AWS, I've left the Rust Platform team.
It's been a privilege working with so many great coworkers, doing everything they can to improve Rust in every way possible. I can't wait to see the results of their projects.
I am proud of my work to improve Rust's developer experience, and I plan to continue doing that.
@Adorable_Sergal Hi there. Tuta's servers remain secured and protected in our data centers. They will remain protected regardless of political changes. At Tuta giving our users the best privacy and security is our goal, and when such forces try to change this, for example Chat Control we actively fight to stop it.
I had not realized just how bad the news of the DeepSeek chatbot had been for Nvidia's stock price. I suppose that placing all your bets on a bullshit technology that nobody wants has its downsides.
FYI Nvidia's stock is still falling. Down 15% now. Considering they're the only company that actually made money from the AI bubble this is very bad news for the entire sector. And good news for humanity.
That being said let's hope that Nvidia is not the Lehman Brothers of 2025 because the last thing we need at this point is another 2008-style financial meltdown.
Hey friends! It’s nearly time for #FOSDEM, the annual free and open source event in Brussels. This weekend, the Mastodon team will be based in building H.
We’ll be raising funds for the project with some of our merch - beautiful limited edition winter mugs, pins, and t-shirts. We’ll also have fun stickers to share for free, so you can show your support for Mastodon everywhere!
(just so you know: we’re a bit short on larger t-shirt sizes, so come early if you want to buy one of those)
Just finished listening to the flourish systems change podcast episode with Dan Hill. Much of the discussion was on #DarkMatter in urban design. Happy that he mentioned the work of @darkmatterlabs.org.
Scariest cable I have that I actually use. It's a USB-C to Thinkpad "adapter" that I bought to power a thinkpad that shipped with a giant 135W brick-of-a-power-supply. This cable does work, but has the tendency to "overload" many USB chargers, causing them to reset. Fun times, but good for traveling so I don't have to lug the brick around with me as well.
@bagder some thinkpad require 135w or even 200w power bricks. I’m not sure about the 135, but the 200w I have predates (2021 model) the usb-c of standard that would allow that amount of power.
With my new PR, you can write "curl --url @file" and curl will download all the URLs in the provided file as if -O was used for each one of them. It can also get the list from stdin if you do "--url @-" in style with how other curl options work.
Tried out the new and popular “Deepseek” LLM with my standard “tell me facts about the author of PCalc” query. At least half were misleading or straight up hallucinations. LLMs are not a suitable technology for looking up facts, and anybody who tells you otherwise is… probably trying to sell you a LLM.
alright I forgot to comment on this, because it was around 2weeks ago, but i'm gonna go ahead and now comment on it. it was thanks to a certain post that I remembered to talk about it. so i'm gonna be doing a interview with humanware in some point in the future. and my tvi (teacher of the visually impaired for more context) basically said, hey don't talk about security. are you kidding me dood? don't talk about security? right, let's ignore the fact that the braille note is like 8fucking versions out of fucking date!!!!! let's also ignoe the fucking fact that this thing could be easy to hack if it gets into the wrong fucking hands. o, right, and let's also ignore the fact that there is literally a critical fucking vulnerability within android8 that the august update fails to fucking patch!!!!!!! forbes.com/sites/daveywinder/2… what's the excuse for not talking to humanware about security. "o it's fine, you've locked down your braille note enough". I get it, i'm basically a security guy, I have Google advanced protection, I have a duress password, I have an antivirus sitting on the braille note, I have keysofts software set to i'm fucking paranoid mode. but really? simpl don't talk about security? you're joking! if you really needed extra features humnware, just make your own OS based on Android, what is it, 16? you're just trying to be cheap so you can get your money from states and organizations around the world...
Google has confirmed a critical security threat for millions of Android 8, 9 and 10 users that could permanently kibosh your smartphone with a single malicious message
@fireborn Yeah you really need to go into the interview knowing what type of questions they will ask you. I suspect its not due to any technical knowledge you may have on security.
As some people already mentioned here or here, Copilot purposely stops working on code that contains hardcoded banned words from Github, such as gender or sex. I am labelling this as a bug because ...
Interestingly, one person captured by big tech found that Microsoft was perfectly in their rights to POST to you "since we could have no proof a user wasn't behind initiating that POST". Another reader wanted Microsoft to be prosecuted for hacking. Others chimed in how this explained their subscribe/unsubscribe links being weird lately: berthub.eu/articles/posts/shif…
tl;dr: Microsoft and other email security scanners will visit the links in email you transmit, and run the JavaScript in those links, including calls that lead to POSTs going out. This used to be unacceptable, since POSTs have side effects.
As the #BambuLab users are slowly waking up to what blog.bambulab.com/firmware-upd… means, it's a good time to remind everyone that the writing has been on the wall from day one.
It's not a "told you so", mind. It's a "this will continue and get worse". #Bambu will continue to tighten the ratchet.
#Prusa is far from perfect, but they deliver reliable #3dprinting based on open source software at an acceptable cost.
And if you missed it: they allow you to maintain warranty with custom firmware again.
As expected, #BambuLab released the standard corporate press release
1. All those things we just invented as the criticism we didn't do 2. Sure, you can use "developer mode" and lose our support 3. We tried to work with others, and it's their fault they didn't do it fast enough and by our rules 4. Everyone else is at fault for this misunderstanding though we might have contributed in the slightest of ways 5. "I am sorry that you are upset"
Someone on #Reddit complained about #BambuLab changing their warranty after they bought something and refusing service based on the new "terms". They used @internetarchive to prove that the change was made.
Das ist ein neuer alternativer Android-App-Store, der von sich behauptet, auf Privacy und Security fokussiert zu sein. Er wird auch über den @GrapheneOS Appstore angeboten.
Bei genauerem Hinsehen finden sich allerdings Apps, die Werbe- und Analysetracking enthalten, wie ich nach kurzer Prüfung feststellte.
hey, on the topic of the curl mailing list: is it available via a public-inbox archive somewhere? I had a quick peek but didn't immediately see a link anywhere.
edit: just to be clear, this is only an inquiry, not a feature request
Newswire: Tek Talk meets 1/27/25 at 8pm Eastern and welcomes Jeff Bishop to discuss new Outlook and its replacement of Windows Mail groups.io/g/tech-vi/message/85…
Mit der Spionage-App mSpy überwachen Menschen heimlich die Handys ihrer Partner:innen. Das ist illegal. Jetzt gibt ein Leak Einblick in die Kommunikation mit Kund:innen. Die zeigt, wie skrupellos die Täter:innen ihre engsten Bezugspersonen ins Visier nehmen – auch in Deutschland. #mSpyLeak
Testuji #Phanpy klienta pro Mastodon. Adresa je phanpy.cz/, Phanpy díky @Archosovy je v češtině. Moc pěkně vypadá, tak kdo ještě nezkusil, tomu doporučuji určitě vyzkoušet.
Es gibt darin einen wichtigen Aspekt, der oftmals nicht ganz so klar ist, aber daher will ich das noch mal kurz erklären, warum die Wurzel des Problems mit digitalen Großprojekten in Deutschland oftmals politisch ist. Ganz besonders bei der #ePA. Ein Thread am Morgen. 🧵
Herzlichen Dank, liebe @bkastl, für diese superverständliche Erläuterung eines der politischen Grundfehler bei der #ePA. Ich bin ja auch schon lange unterwegs, um zu erläutern, wie sich politische Entscheidungsfindung ändern muss, um digital sauber umsetzbare und grundrechtlich haltbare Beschlüsse zu fassen
Der gute @lacrosse@social.tchncs.de hat gestern bei @kuketzblog@social.tchncs.de einen sehr umfassenden Artikel zur #ePA geschrieben, der viel sehr genau trifft.
https://www.kuketz-blog.
@usul I have no fixed location this year (as wolfSSL has no booth this time). I mean to try to make sure me and my friends can hand them out in the cafeteria area most of the time. If not, ping me during the event and I can provide a place-of-the-moment.
Tak se zdá, že se po cca. 2,5 letech běhu své solo instance Mastodonu dostávám na limit databáze. Zkusím zapnout automatické mazání příspěvků starších jak 2 roky, co to udělá. #Mastodon #mastohost
@Michal Špondr Mně se moje Friendica (MySQL) dostala na 1,5 GB za půl roku. Jsem na svém železe, takže tam mám ještě dalších 200 GB. A můžu přidat, kdybych chtěl, ale nechci. Mám rád malé věci...
Twenty-six years ago on this day when we shipped #curl 5.5.1, the changelog was easier to gather than what they usually are today: curl.se/ch/5.5.1.html
Thunderbird: Free Your Inbox
in reply to Volker 🌻🟩 • • •Vielen Dank, dass Sie für Thunderbird gespendet haben und es hier auf Mastodon teilen! Diese Art der Unterstützung wird uns hoffentlich noch viele weitere Jahre erhalten bleiben.
(Übersetzt mit DeepL)