Personally I'm a fan of standards, and I note that RFC 9110 recommends a minimum of a mere 8000 bytes. Real-life use cases aside, I don't think it would be incorrect of curl to place its limit somewhere around there.
does memory and cpu usage grow faster than O(n) with respect to the length of the URL? If so, it should be made smaller, I think. Otherwise perhaps not?
the report claims it does, but I cannot reproduce that so I think no. Still, if we don't need this large URLs we could also just cut down to decrease the risk of another future issue in the similar spirit.
many servers will reject by default urls above 8k. But there are probably special setups out there.
Other things start to break when urls go beyond 64k. h2 may have a problem with its header handling (although headers are outside the stream's window size).
h3 will have problems with initial congestion windows where headers count for the window.
I think 64k would therefore be a limit that should not by itself pose problems.
since I assume curl doesn't need to deal with hash manipulation in JS and data URLs, a limit of Kb might be OK. In Firefox we got bugs when we tried to limit it, because the hash would contain encoded data, or data URLs would encode images or video.
As a person who absolutely loves lock-free and wait-free algorithms, I have a suggestion - just don’t. There lies madness and sorrow. And also endless beauty, but mostly madness.
not that I think that it matters a lot but there are networks that do quotas per tcp stream and having multiple streams would actually make it really faster.
This is our first non-experimental release based on Android 16 QPR2 after our initial experimental 2025120800 release.
The change to the style of notification backgrounds is an upstream regression rather than an intentional change to a more minimal style. It will be fixed in a subsequent release since we decided it isn't important enough to delay this.
All of the Android 16 security patches from the current January 2026, February 2026, March 2026, April 2026, May 2026 and June 2026 Android Security Bulletins are included in the 2025121001 security preview release. List of additional fixed CVEs:
Vojtux - Accessible Linux distro which is almost pure Fedora
Vojtěch Polášek has put together a technical preview of a version of Fedora that should work well for blind or visually impaired users. While his goal is explicitly to see these improvements and changes become part of Fedora itself, for now you can use this implementation based on the Fedora MATE spin. :)
C'est dimanche, c'est le #pfffitt ! Édition spéciale "blagues de l'Est communiste" !
"Tu veux vivre en RDA ? Ne pense pas. Si tu ne peux pas t’empêcher de penser, ne parle pas. Si tu ne peux pas t’empêcher de parler, n’écris pas. Si tu ne peux pas t’empêcher d’écrire, ne signe pas. Si tu ne peux pas t’empêcher de signer, ne t’étonne pas."
Un touriste occidental, sûr de sa supériorité, à un citoyen russe : « Nous en Occident, nous avons le droit de critiquer notre gouvernement. » Le Russe, surveillant du coin de l’œil le mouchard de service : « Et alors ? Nous aussi, nous avons le droit de critiquer votre gouvernement ! »
#accessibility awareness: when you incorporate a link into an e-mail or any other written document, make sure the anchor text is detectable by some cue other than color. The other day my #colorblind colleague was quite confused because the e-mail he received mentioned a link he couldn't find anywhere...
There’s a vulnerability in Signal. You are developing an alternative. Do you:
A: skim read the report, see it contains the phrase ‘phone number’, and shitpost about Signal, or
B: Analyse the attack and see if it could be adapted to your protocol, then post about how you either were already protected or have deployed a mitigation?
If you chose option A, please don’t expect to be able to convince me that you are serious about security.
Another privacy vulnerability caused by the dependency on phone numbers.
In #ArcaneChat (and other #chatmail clients like #DeltaChat) you don't need a phone number (or any private data at all!) to register, so such attacks are simply impossible, keep your family safe, join arcanechat.me
@david_chisnall by saying "requires phone numbers" I was implying that you can discover people by phone numbers since that is the case in 99% if not 100% of all apps that offer phone number registration, that you can disable this feature is meaningless if it is opt-out and most people will leave it like that, by saying ArcaneChat is immune to this I meant because you can't discover people like that, people must get in contact directly via QR or invite link
Hey Tuta. I want one of those red Tuta bottles too! Can you put it in your Shop too? Or can I at least order one too?
I just researched to find the bottle and I found out that you Guys even have an Shop! I did not know that and I wish you could share it more so we would know about it. Specially here on Mastodon. First I was skeptic if that's another company, so I think there needs to be some things improved to not make that first impression.I will tell you those in my next posts here
Firstly the logo design of the Tuta Fanshop when you search in Google, it looks not like Tuta. I wish instead the logo from Tuta at the moment could be used for that and that the site name get's changed to something like: tutanotashop.com - because tuta is mail and tutanota is the shop. good to remember and better seperating. And only tutanotashop.com should stay, so it's not irritating to have .com and .de
And tuta.com is also the mail. So both would match better. Look my next post.
I found out about the Shop from your reddit post from 6 years ago about "Tutanota Fan Shop" - for me the Fan Shop here was irritating. I thought it's someone other doing it. So it would be better to take the "Fan" out of it. And I would find it helpful if we could find the Shop on tuta.com in the section below of "Blog" - more people would be interested and word of Tuta would be spread without need of recommeding.
I will tell some Feedback for the website and products in the next post
At the top it shows Tutanota privacy. done. right - I think your. privacy. matters. would fit better. I like that you offer Bio Merch! Some Clothes and Mugs do have white or black logo. In my opinion just the red logo is better. And I would find it better if the logo from tuta at the moment could be used instead. And privacy. done. right. in my opinion can be taken out too. Some Hoodies and T-Shirts just show the logo. It would be great if you could add Tutanota to it.
I would say you could take out "dance like no one's watching" too. I think that would not have a big impact. Maybe the point about seperating Tuta and Tutanota could be combined too. So it's easier for remembering Tuta to research.
I like: Your. Privacy. Matters. Sticker, Turnbeutel, Your. Privacy. Matters. Tasse and Eco-Friendly Cotton Tote.
Thanks for those great products and the shop. Please mention it more, since it's great! I hope my ideas and points can help you =)
@zahox Hey! Thanks so much for sharing your feedback, we do appreciate it. We have plans of redoing it entirely so we will take your pointers into consideration!
Another privacy vulnerability caused by the dependency on phone numbers.
In #ArcaneChat (and other #chatmail clients like #DeltaChat) you don't need a phone number (or any private data at all!) to register, so such attacks are simply impossible, keep your family safe, join arcanechat.me
When you post something about a vulnerability in another messenger and completely misrepresent it, in a way that implies that you don’t understand the cause of it at all, it gives me no confidence in your system.
The root cause is nothing to do with phone numbers. It depends on two things:
Being able to send messages to someone from some public identifier. Any messenger that doesn’t require an interactive flow for pairing devices (as some military systems do) has this feature.
Receiving read receipts from messages. Signal allows you to turn off read receipts if you are concerned about information leaks from them.
If you actually wanted to convince people your system was better you would:
Show that you don’t issue read receipts (which will put some people off because they are useful).
Show how you mitigate this kind of attack, by rate limiting this kind of message, adding jitter to responses, and so on.
Email-based flows tend to not be vulnerable to this kind of attack because they do most of the processing on the server, so you’d only be able to probe the server. But you wouldn’t bother because email has so little metadata protection that you don’t need to bother with an attack like this. From what I know of DeltaChat’s group chat protocol, I suspect there is a way of triggering a similar attack by sending broadcast invalid messages and timing the error response. If you really wanted to convince people that your system is better, you’d show a security analysis that explains why I’m wrong, rather than just say ‘I don’t understand this attacks but the researchers who published it didn’t bother trying to attack the protocol I use and so I’m sure it is secure!’ That is exactly the attitude to security that makes me distrust DeltaChat.
Oh and before anyone jumps in with anything about XMPP: this attack is completely trivial on XMPP. Send an invalid iq stanza to the client’s bare JID and time the response. And this is impossible to fix without redesigning the protocol because unknown iq stanzas must be forwarded to the client to enable future extension and clients must respond with errors.
@david_chisnall by saying "requires phone numbers" I was implying that you can discover people by phone numbers since that is the case in 99% if not 100% of all apps that offer phone number registration, that you can disable this feature is meaningless if it is opt-out and most people will leave it like that, by saying ArcaneChat is immune to this I meant because you can't discover people like that, people must get in contact directly via QR or invite link
#DeltaChat is for private chatting, so you normally don't put your link anywhere publicly, you could create a dedicated profile for public interactions tho, which, unlike in signal, it is super easy to do and you can have as many as you want,
and notice the use case I am talking here is family chat, not business and public interactions, that is why I said "keep your family safe" I am talking about family chat solution here
#DeltaChat is for private chatting, so you normally don't put your link anywhere publicly, you could create a dedicated profile for public interactions tho, which, unlike in signal, it is super easy to do and you can have as many as you want,
Okay, so your use case for 'private chatting' excludes journalists publishing contact information for whistleblowers? It excludes union organisation? It excludes protest organisation?
I guess that's fine, but maybe don't claim to be operating in the same space as Signal then.
and notice the use case I am talking here is family chat, not business and public interactions, that is why I said "keep your family safe" I am talking about family chat solution here
Then you need to learn about the concept of an anonymity set. If you have one mechanism for talking to your family and another different one for talking to your union rep, it's really easy for a passive adversary to track when you suddenly start using a different mechanism for high-value conversations.
@david_chisnall what kind of passive adversary are you talking about here? server, provider, global?
Identifying whether you are using this or that chat profile is not necessarily trivial, especially since the 2.33 releases which introduced multi-relay profiles. A single chat profile can jump between using different relays/hosts.
FWIW we share the recommendation of @arcanechat to split between a public profile (invite link published etc.) and private ones (no publishing).
> Okay, so your use case for 'private chatting' excludes journalists publishing contact information for whistleblowers? It excludes union organisation? It excludes protest organisation?
> I guess that's fine, but maybe don't claim to be operating in the same space as Signal then.
the ArcaneChat slogan is "private chats for the family" I don't get why you jump angry into my thread to attack, I never said anything about "whistleblowers" whatsoever, please, calm down 😅
@david_chisnall Sorry for jumping in as a random person here, but I think I have some relevant points. First of all, you admittedly both missed the mark about the cause of the security issue Arcane posted. Delivery receipts are separate from read receipts, and turning off read receipts in signal does not mitigate this issue.
Now as per Delta Chat's FAQ: delta.chat/en/help#what-do-the… It should have the same issue. Delta Chat claims to send "delivery" receipts, but as far as I can tell, there is no UI indication for the sender when a client receives the message (I tested both mobile and desktop). So unless there is an email sent that doesn't result in any UI indicator for the sender, I think Delta Chat is safe from this particular privacy issue. If it is the case that Delta Chat identified this bad decision and fixed it, please also update your FAQ to match!
The rest of y'all's argument seems to hinge on aspects of how delta chat and arcane chat are marketed/presented, rather than the technical details, so I'm not interested. But what I *do* find really interesting is the idea that "private" and "secure" chat programs would ever send automatic responses without user action. To me, it seems painfully obvious that "features" like this just create an attack surface for probing. Look... I use Signal (as well as Delta Chat), and I like it, and I'm not going to stop using either anytime soon. But it was disappointing to learn about this anti-feature. It *is* a legitimate criticism of Signal that needs to be addressed.
Also, while this issue had nothing to do with phone numbers, I think the fact that Delta Chat does not require phone numbers, and allows the creation of more identities than one might even *have* phone numbers, is an enormous advantage compared to Signal for people who want to protect the privacy of their identity and not just the contents of their messages.
What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Instant creation of private chat profiles with secure and i...
@capitalthree ArcaneChat/DeltaChat doesn't have delivery receipts, only read receipts, the only automatic responses the app does in your behalf is to handle invite links, for that you first have to share invite link with the malicious contact, as side effect they also expose when they are online so if you go to your contact list and see them at the top with a green dot while not chatting with them often you can detect this, in thr future this might change
@david_chisnall there is a clever scheme that I know one person does, which is that your public point of contact is an address that starts a conversation with a bot and the bot hands the user a private identity of yours to contact. Then you can have one public facing point of contact but you still gain private 1:1 identities. It's not very feasible for non-technical users but it could be improved
> rather than just say ‘I don’t understand this attacks but the researchers who published it didn’t bother trying to attack the protocol I use and so I’m sure it is secure!’ That is exactly the attitude to security that makes me distrust DeltaChat.
I don't understand why do you seem so upset, #DeltaChat has received several REAL PROFESSIONAL INDEPENDENT security audits, all listed here: delta.chat/en/help#security-au… can you provide a similar list of REAL sec. audits for Signal?
What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Instant creation of private chat profiles with secure and i...
Because you're spreading misinformation to score marketing points and spreading misinformation about secure messengers gets people killed.
I don't understand why do you seem so upset, #DeltaChat has received several REAL PROFESSIONAL INDEPENDENT security audits, all listed here: delta.chat/en/help#security-au
So, none after this particular class of attack was discovered and therefore none that include this in the threat model?
What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Instant creation of private chat profiles with secure and i...
@david_chisnall being careful of claiming that something is "secure" is good advise/critique. Users are easily misled other ways. As to delivery receipts, it's unlikely there is a big problem with #chatmail clients (of which delta chat and arcanechat are two) because you can not cause a delivery receipt from a peer. But there are likely online-leakage issues with the invite protocols securejoin.readthedocs.io like github.com/chatmail/core/issue… that require work and independent audits.
SecureJoin has two types of tokens: invite tokens and auth tokens. Currently SecureJoin invite token can be used to silently probe device online status. Auth token when successfully used results in...
@delta @david_chisnall Delta(s). Your design -- separation of chatting logic from transport -- is what will allow to overcome this observation and correlation constructions. You can swap to different transport, like ASMail from 3NWeb set, it is web-style federation, reducing metadata on servers, and correlations between servers. And then clients and servers may sit on mixnet, like Nym (say hi to them at 39c3).
@david_chisnall with the latest release and a small modification you could make it so every message you send to someone goes through a new account on a new server which is almost a Sealed Sender, but in a federated network
absolutely losing it. My mom received a spam call that got picked up by Google call screening on her phone, and it ended up responding with one of the more unhinged Asterisk voice recordings before hanging up LMAO
So... I need to do an eyes-free Windows 11 virtual machine install on Mac OS (Parallels). Is Narrator still non-functional on the current latest ISO image(s) from Microsoft? Should I go find an older version?
Parallels has an easy install thing that does the installing for you. When it's done you should be on the desktop of your new VM and you can then enable Narator from there.
@ondrosik Thanks for publishing it online for all of us to enjoy and reuse. It's very important to see an example of real personal creativity these times when AI is dominating the space of background music, jingles and other short tracks.
I've done what I set out to do by the end of the year. I made it to 180 tracks in the collection. I stopped at 171 in May of 2023, then I just couldn't focus on much music for the last couple of years which, as a composer, really depressed me, but this December I decided to really try and sit down to make a go of it, so I did. It may not seem like much, but not being able to write, when it's what I've done for 30 years felt very stifling and depressing in ways I cannot express.
My next goal is to hit 200, so I'll start work on that, hopefully soonest.
I just want to thank every person that favourited, reposted or interacted with me on my self-assigned journey recently. You're all wonderful humans, even those that said they had no use for such a project, which is totally fine. They still shared it most of the time, and I respect that.
Here's a collection of free-to-use short music for any kind of project imaginable. I've been working on this project for over 10 years on and off, and it's a labour of love.
Whether you're doing work for TV, Radio, Film, your next podcast, show reel, powerpoint presentation, youtube video or university assignment that requires something to intro or outro it, there should be something for you, and if not you directly, maybe someone you know.
This is not the final form. I add to it whenever I find inspiration to do so. Check back every so often as you may find more content was added when you weren't looking 🔇
Currently: 1210 items 766 MB download in mp3 over 9 hours of music.
Absolutely no AI was used (or harmed) in the making of this collection.
If you feel so inclined, please do boost for reach. Many thanks. onj.me/shorts
Přede mnou poslední pracovní týden (? možná - si ještě skočím do práce 22. a 23. chystat nové nástupy). Stihnout se toho musí jako obvykle tři prdele. V pondělí IT večírek. V úterý reinstalace notebooku majitelky. Ve středu výměna notebooku. Ve čtvrtek další večírek. A v pátek, aby toho nebylo málo, naaaaa Vsetíně, tam je luka, seče jú syneček.... Od rána až do večera. To bude náročné.
A samozřejmě očekávám uživatele, kteří si podají požadavek 19. prosince a 5. ledna se zeptají, proč to ještě není hotové.
@archos @cynik_obecny @nacelnik01 Taky funguju na solár, ale letos, jak není zima, jako že nemrzne, mi to vadí nějak méně. Ale bylo by fajn, kdyby se přestal posouvat čas, to mi vadí stejně jako nedostatek světla.
@archos Nemám. Hledám. Tak kdybyste o něčem věděli, dejte echo. Dva roky jsem se teď pohyboval v kybernetické bezpečnosti, vím něco o PAMech, sítích, vulnerability managementu, firewallech …
Nice one, just locked myself out of my Raspberry Pi because I apparently forgot the passphrase to my ssh key and back then didn't care so much to, you know, do the logical thing and save it somewhere. A good reason to try out the new imager. It was an almost clean installation anywaay so not loosing anything.
TFW you try to find a spec for something and when you finally found it on the Wayback machine, since trillion dollars corps can keep URL alive, and you go to save it, you are told it's already there...
Really impressed with my Bazzite VR experience today. Was able to play a few hours of Half Life: Alyx and Boneworks today :D The main issue I ran into (with both) is that Steam Link will cut out when you first launch the game when trying to pre-compile shaders. Sometimes this leads to Steam VR bugging out and requiring a reboot in order to reconnect. After the first launch the experience was completely seamless.
You know, I just had the funniest thing happen, I just hear heard part of this story aparently the US has just spent 142 million dollars to, and about that time I hit my down arrow key and my system said, Play the great toy robbery. Made my day.
@BorrisInABox well when I try and toot from it, I get Error while handling "compose post": ('Mastodon API returned error', 500, 'Internal Server Error', None)
their bulk downloader sucks because it fails often so I had to make a custom script to extract all the links I wanted out of their HTML so I could download them with curl
The AI Research Sector Is Being Destroyed by Something Incredibly Ironic The AI Research Sector Is Being Destroyed by Something Incredibly Ironic share.google/ZKLSNO6frU1btoX4h
On a more positive note, it's absolutely heartwarming seeing the number of patches and contributions from community members increasing in Thunderbird.
The massive undertaking of replacing old weird undocumented code with modern coding standards and languages, as well as increasing our documentation is slowly paying off.
Yes, we know, we accidentally broke a bunch of things in the process, sorry. This stuff is hard 🫠
@klittle667 Ray Porter narrating the Bobiverse series does a pretty good admiral ackbar. I don't generally read audio books, but I read that series, at least the first three, like that.
Winter blue tardis
in reply to YourFavoriteAtheist🇨🇦 • • •YourFavoriteAtheist🇨🇦
in reply to Winter blue tardis • • •Winter blue tardis
in reply to YourFavoriteAtheist🇨🇦 • • •Winter blue tardis
in reply to YourFavoriteAtheist🇨🇦 • • •YourFavoriteAtheist🇨🇦
in reply to Winter blue tardis • • •Winter blue tardis
in reply to YourFavoriteAtheist🇨🇦 • • •