Posts
3
Comments
109
Joined
2 yr. ago

  • As a user, or a developer? As a user, I don't think it matters. As a developer, I think other licenses have similar carve outs, e.g. the GPLv3 section 8 is a whole section on "termination" - the copyright holder can revoke your rights for any ticky-tack violation of the license, and at their discretion, the revocation can be permanent.

    Additionally, even with other FOSS licenses, the copyright holder can re-license the project. If I had to guess, this ability to re-license is probably why it is written as it is - the license is called the "FUTO Temporary License." I would assume it's written as is so they can re-license later, and they just want to cover their bases now. It's entirely possible that's incorrect, and they'll clamp down. I'm personally willing to give them the benefit of the doubt (though having said that, I have no intention of buying, using, or contributing to this project).

  • According to the license, it is better than source available. You can modify and redistribute, you just can't sell it. Other than that caveat, as far as I can tell, your rights are basically the same as with other open source licenses. (Feel free to correct me if I've missed something.)

  • Is there a particular aspect of the FUTO license you are concerned with? The code is publicly available, and the license seems to allow you to do anything you want, except sell the code. Other than not allowing you to re-package and sell the code, it seems like your rights are very similar to anything distributed via the GPL.

    Am I missing something?

  • If you're ok with Jitsi, and you already use Brave, note that Jitsi is baked in. See https://brave.com/talk/ and check the "Who provides the Brave Talk service?" question:

    The Brave Talk service is provided in partnership with 8x8. And the service is built on the open-source Jitsi platform.

    (Note that 8x8 owns Jitsi)

    See also the "How are my calls with Brave Talk encrypted?" question:

    To start, all video and audio data transferred through Brave Talk is encrypted via transport layer encryption. This is similar to how many websites use HTTPS to ensure your traffic can’t be captured on public networks (e.g. coffee shop WiFi).

    The video and audio from your call are transmitted to other participants with the help of a Video Bridge server that’s run by Brave’s partner, 8x8. When you enable Video Bridge Encryption in Security Options, your browser exchanges keys with other call participants, and these keys are used to encrypt the video and audio streams. Only people with keys can see your calls. Assuming honest but curious behavior, neither Brave nor its partner, 8x8, have this key by default.

    However, there are some important limits to Video Bridge Encryption. If you want to include a phone participant in your call, have more than 20 participants, or want to include users with incompatible browsers (Safari, most iOS browsers, and browsers based on Chromium version 83 or below), this encryption setting will not work. If you record a call, 8x8’s servers will receive a set of keys to decrypt the video/audio stream in order to process and store that recording. Brave will continue to improve Brave Talk’s encryption properties and work to remove some of these limitations.

    Read a more detailed description of Jitsi encryption (the open source basis for Brave Talk).

  • I noted in another comment that SearXNG can't do anything about the trackers that your browser can't do, and solving this at the browser level is a much better solution, because it protects you everywhere, rather than just on the search engine.

    Routing over Tor is similar. Yes, you can route the search from your SearXNG instance to Google (or whatever upstream engine) over Tor, and hide your identity from Google. But then you click a link, and your IP connects to the IP of whatever site the results link to, and your ISP sees that. Knowing where you land can tell your ISP a lot about what you searched for. And the site you connected to knows your IP, so they get even more information - they know every action you took on the site, and everything you viewed. If you want to protect all of that, you should just use Tor on your computer, and protect every connection.

    This is the same argument for using Signal vs WhatsApp - yes, in WhatsApp the conversation may be E2E encrypted, but the metadata about who you're chatting with, for how long, etc is all still very valuable to Meta.

    To reiterate/clarify what I've said elsewhere, I'm not making the case that people shouldn't use SearXNG at all, only that their privacy claims are overstated, and if your goal is privacy, all the levels of security you would apply to SearXNG should be applied at your device level: Use a browser/extension to block trackers, use Tor to protect all your traffic, etc.

  • It's possible to hit issues, especially if different distros are using different major versions of desktop environments or applications, but in practice, I don't think it's something that really needs to be worried about.

    If you were to upgrade/fresh install, and copy your home folder over, you'd have the same experience - it's not much safer than sharing the home partition, except that you're (hopefully) doing that less. You could still easily go from distro A using version 2 of something, to distro B using version 3, and then decide you don't like it and try to roll back to distro A. If in the process your config was upgraded in place (as opposed to a new, versioned config being made*), you could have problems rolling back.

    With configs, you can usually just delete them (or, less destructively, rename them, in case you decide you want them back), and let the application make a new default one for you. With other files (e.g. databases), you might be in more trouble. But a good application will tell you before doing an upgrade like that, and give you a chance to back up the original before upgrading in place. When asked, it's probably a good idea to take a backup (and not just for this distro hopping case).

    *For any developers reading this, this is the correct way to upgrade a config. Don't be destructive. Don't upgrade in place. Make a copy, upgrade the copy, and include a version in the file name. You can always tell the user, so they can remove the file if they want, but let them make the choice. If you can't (e.g. the database scenario, which could be large), tell the user before doing anything, so they can choose whether or not to back up.

  • Can you describe your use case more?

    I don't think format matters - if you've got multiple processes writing simultaneously, you'll have a potential for corruption. What you want is a lock file. Basically, you just create a separate file called something like my process.lock. When a process wants to write to the other file, you check if the lock file exists - if yes, wait until it doesn't; if no, create it. In the lock file, store just the process id of the file that has the lock, so you can also add logic to check if the process exists (if it doesn't, it probably died - you may have to check the file you're writing to for corruption/recover). When done writing, delete the file to release the lock.

    See https://en.wikipedia.org/wiki/File_locking, and specifically the section on lock files.

    This is a common enough pattern there are probably libraries to handle a lot of the logic for you, though it's also simple enough to handle yourself.
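
The lock-file pattern from the comment above, as an added example (not code from the thread): it creates the lock atomically, stores the owner's PID, and reports when a dead owner's lock was reclaimed so the caller can check the data file. The function names and the POSIX-only liveness probe are assumptions of this sketch.

```python
import contextlib
import os
import time

def read_pid(path):
    """PID stored in the lock file, or None if missing or not written yet."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (FileNotFoundError, ValueError):
        return None

def owner_is_dead(path):
    """True only if the lock names a PID that no longer exists."""
    pid = read_pid(path)
    if pid is None:
        return False  # not provably stale, so keep waiting
    try:
        os.kill(pid, 0)  # signal 0: existence probe only (POSIX)
        return False
    except OSError as exc:
        return isinstance(exc, ProcessLookupError)

def acquire(path, timeout=5.0, poll=0.05):
    """Return "fresh", "reclaimed" (previous owner died), or None on timeout."""
    deadline = time.monotonic() + timeout
    state = "fresh"
    while True:
        try:
            # O_EXCL makes "exists? else create" atomic: no check-then-create race.
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            if owner_is_dead(path):
                # Best-effort reclaim; on "reclaimed", verify the data file first.
                with contextlib.suppress(FileNotFoundError):
                    os.unlink(path)
                state = "reclaimed"
                continue
            if time.monotonic() >= deadline:
                return None
            time.sleep(poll)
            continue
        with os.fdopen(fd, "w") as f:
            f.write(str(os.getpid()))
        return state

def release(path):
    """Delete the lock only if it still names this process."""
    if read_pid(path) != os.getpid():
        return False
    os.unlink(path)
    return True
```

A caller would wrap its writes as `acquire("my_process.lock")` ... `release("my_process.lock")`, treating a `None` result as "could not get the lock" rather than writing anyway.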

  • When you install, whatever you install, partition your drive so that /home is its own partition. Then if/when you reinstall, distrohop, whatever, you don't have to worry about copying over your data. Just use the same /home partition, and format the others. You can actually use this to try multiple distros at the same time - you can install them in different partitions, but have every install use the same /home partition. This is a nice way to test new distros without blowing away your stable install.

    Now, for my distro recommendation - Ubuntu gets a lot of hate, but honestly, after 15+ years of Linux, and having tried Mint, Fedora, Arch, Manjaro, and many others, I always end up back on Ubuntu. It's easy, it's stable, and it stays out of my way.

    The defaults are good, but you can customize as much as you want, and they offer a minimal install (as of 23.10, it is the default) which comes with very few applications, so you can start clean and choose all the applications you want.

    Unless you are excited to tinker, I'd really recommend starting simple. Personally, I just want the OS to facilitate my other activities, and I otherwise want to forget about it. Ubuntu is pretty good for that.

  • They are explicitly trying to move away from Google, and are looking for a new option because their current solution is forcing them to turn off ad-blocking. Sounds to me like they are looking for a private option. Plus, given the forum in which we are having the discussion (Lemmy), even if OP is not specifically concerned with privacy, it seems likely other users are.

    As for cookies, searxng can't do any more than your browser (possibly with extensions) can do, and relying on your browser here is a much better solution, because it protects you on all sites, rather than just on your chosen search engine.

    "Trash mountain" results is a whole separate issue - you can certainly tune the results to your liking. But literally the second sentence of their GitHub headline is touting no tracking or profiling, so it seems worth bringing attention to the limitations, and that's all I'm trying to do here.

  • You mean between their instance and the final search engines? Or between them and a public instance of searxng?

    In either case, I'm not sure it buys you anything in terms of privacy you wouldn't get by using the VPN and going directly to the search engines.

  • It looks like a few people are recommending this, so just a quick note in case people are unaware:

    If you want to avoid being tracked, this is not a good solution. Searxng is a meta search engine, meaning it is effectively a proxy: you search on Searxng, it searches multiple sites and sends all the results back to you. If you use a public instance, you may be protected from the actual search engine*, because many people will use the same instance, and your queries will be mixed in with all of them. If you self host, however, all the searches will be your own - there is then no difference between using Searxng and just going to the site yourself.

    *The caveat with using the public instances is while you may be protected from the upstream engine, you have to trust the admins - nothing stops them from tracking you themselves (or passing your data on).

    Despite the claims in their docs, I would not consider this a privacy tool. If you are just looking for a good search engine, this may work, and it gives you flexibility and power to tune it yourself. But it's probably not going to do anything good for your privacy, above and beyond what you can get from other meta search engines like Startpage and DuckDuckGo, or other "private" search engines like Brave.

  • You can actually sign the F-Droid app yourself, if you use reproducible builds.

    There are reasonable odds the signatures still won't match though, because Google requires App Bundles now, and then they build and sign the APK, rather than allowing the developer to build and sign their own APK.

    Technically you can use the same key (see "Best Practices" of this page), but it's kind of shady, and requires giving your private key to Google.

  • This isn't necessarily true - a developer choosing to not include their app in a repo can always opt for a self-updating mechanism.

    Don't get me wrong - repos and tooling to manage all of your apps at once are preferred. But if a developer or user wants to avoid the Canonical controlled repo, I'm just pointing out there are technically ways to do that.

    If you'd question why someone would use snap at all at that point... that would be a good question. The point is just that they can, if they want to.

  • The age and obscurity of the library is irrelevant - you could always include libraries bundled with the app, if they didn't exist in system repos. For example, in deb packages, you could include it in the data.tar portion of the package (see https://en.m.wikipedia.org/wiki/Deb_(file_format)).

    Libraries with version names baked in are one solution to the dependency hell problem, but that requires support from the language/framework/tooling to build the application, and/or the OS (or things get hacky and messy quickly).

    If you read that dependency hell page, you'll see another solution is portable apps, which specifically mentions Appimage, Flatpak, and Snap.

    Additionally, if you read the Debian docs on How to Cope with Conflicting Requirements, the first solution they give is to "Install such programs using corresponding sandboxed upstream binary packages," such as "Flatpak, Snap, or AppImage packages."

    Bin the consumer environment? It is nice and good practice but it is nowhere near as important as it used to be.

    This is incorrect. The target audience for Flatpak is desktop users: https://docs.flatpak.org/en/latest/introduction.html#target-audience. Flatpaks are explicitly for consumer, graphical applications.

  • It's actually less about the library being obscure, and more about version conflicts, which is actually more a problem with common libraries.

    For example, let's say you want to install applications A, B, and C, and they each depend on library L. If A depends on Lv1, and B depends on Lv2, and C depends on Lv3, with traditional package management, you're in a predicament. You can only have one copy of L, and the versions of L may not be compatible.

    Solutions like snap, flatpak, appimage, and even things like Docker and other containerization techniques, get around this issue by having applications ship the specific version of the library they need. You end up with more copies of the library, but every application has exactly the version it needs/the developer tested with.

  • I have no personal experience with this company, but I've followed them for a few years. I was initially very interested in their laptops, but was also very excited when the phone was announced. In the years since the phone was announced, I've heard and read many negative things about build quality and software on their laptops, and I've seen the shipment of the phones get repeatedly delayed. More recently, https://youtu.be/wKegmu0V75s showed up in my feed. I would recommend anyone considering purchasing from them watch that video, and do a little research into their security/openness claims, as well as customer satisfaction.

    Again, I don't have the personal experience to say they are bad in any way, but I don't want to see anyone get scammed, so I would recommend healthy skepticism and due diligence before making a purchase.