ruffsl @ ruffsl @programming.dev

I'm a robotics researcher. My interests include cybersecurity, repeatable &

---

Read more

Posts

77

Comments

97

Joined

2 yr. ago

I think the comment that the_lego is replying to also highlights the false equivalency of calling the anti-WEI crowd as criminals, as was not a good look for Google.

They have apologized for using the word criminals & bullies in a broader context and I appreciate that. However, the initial part of the comment is very telling of how they view those who oppose.

• https://news.ycombinator.com/item?id=36916991

Related:

• Is Web Environment Integrity a risk to the accessibility of the Internet?
  • https://programming.dev/post/831937
• Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web
  • https://programming.dev/post/916235
• Mozilla opposes Web Integrity API proposal
  • https://programming.dev/post/929260

Please only post programming memes to !programmer_humor@programming.dev .

Cool! Could you share that link with the !cobol@programming.dev community?

This proposed standard raises my concerns about the ability to continue using the public internet with user-preferred hardware/software and custom extensions, and does not instill my confidence in maintaining the level of freedom and accessibility users currently enjoy:

Some examples of scenarios where users depend on client trust include:

• Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.

What information is in the signed attestation?

The proposal calls for at least the following information in the signed attestation:

• The attester's identity, for example, "Google Play".
• A verdict saying whether the attester considers the device trustworthy.

How does this affect browser modifications and extensions?

Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality: E.g. if the browser allows extensions, the user may use extensions; if a browser is modified, the modified browser can still request Web Environment Integrity attestation.

Is there a GitHub ticket to track this issue?
The current Lemmy workaround sounds non-optimal.

Not sure there's anything officially formed just yet, but you could checkout what the former transcribers for r/TranscribersOfReddit are up to:

• MurdoMaclachlan’s Transcription Archive - Lemmy.world
  • https://programming.dev/post/618470
• FAQ: Why Transcribe?
  • https://lemmy.world/post/1423666
• How can transcribers best help you on Lemmy?
  • https://rblind.com/post/2250756

Isn't it nice being able to correct titles.

Image transcription: Screenshot

A wide crop of a screenshot zoomed in on r/place's pixel canvas, where a white on black pixelated font reads:

never forget what
was stolen from you!
r/save3rdpartyapps

With the slogan boarded on the right by the r/blind logo (a snoo wearing sunglasses, holding a cane, standing next to a guide dog). The small p.d logo for programming.dev is squarely tucked above and to the left of RBlind's snoo. Lastly, boarded along the bottom is a row of third party Reddit app icons, from left to right:

1. Apollo
2. ?
3. Boost for Reddit
4. ?

...
13. Reddit is Fun
14. Sync for Reddit

I'm a human volunteer content transcriber and you could be too! 

What is your local system clock; 16 seconds behind your NTP server? That, or OP just has a similarly inverted clock skew.

I guess OP could be posting from the future. Hey @akrz@programming.dev , what is the closing price of SMP 500 tomorrow? :P

Perhaps pict-rs, Lemmy's image hosting backend, could auto downscale image uploads and only fail if the input was egregiously large to preserve upload bandwidth and avoid DDoSing. Would still be another added workload for the server.

Perhaps down scaling would be best done on the client side, then the resulting effect would be more transparent to the user before submission. Could that be done in easily in JS? Then that could help save storage and egress expenses for hosting funded only by donations.

Not sure how to help on iOS. Perhaps you could modify the manifest file for the PWA, before installing it, and change the display property to something other than fullscreen or standalone, so that the browser navigation bar is retained, but at that point, might as well use the browser anyway.

https://developer.mozilla.org/en-US/docs/Web/Manifest/display

Perhaps you could file a ticket on the Lemmy UI repo about iOS PWA navigation? Although, surely iOS web devs must have a solution to such a common UI pattern.

Yea, luckily Android can use the back navigation gesture in the PWA to traverse the site much like a browser tab's history. Android even has the lesser know forward navigation as well: handy when you accidentally pressed the back navigation gesture, but don't want to have to find the link you clicked before to get back to the same page you backed out of.

I wish the website or PWA had more of a short term memory about the state of pages you visit. As when I go back and forth posts and feeds, I have to return the content sort option back to what I was using before I left the comment section, as well as re-minimize the same comment threads, even if those comment subtrees never changed sence I folded them previously.

Also, be sure to checkout this community: !learn_programming@programming.dev

There have been duplicate threads in both !meta@programming.dev and !programming@programming.dev cropping up about every few days, just after the previous related post falls off top of the local active/hot feeds. So I think pinning this mega thread for a while would help consolidate the discussion. Related:

• How can we keep the fediverse federated?
  • https://programming.dev/post/432661
• Should programming.dev defederate from Meta if they implement ActivityPub?
  • https://programming.dev/post/427323
• Are We going to defederate from Threads
  • https://programming.dev/post/479583

In reply to an offline discussion:

I get Facebook is evil and all, but having trouble understanding why it shouldn't be federated. Is the fear that FB content will overwhelm the network/resources? All arguments I see are philosophical or emotional. Thinking users should be able to filter content they don't want and operators should behave more like a DNS service (routing). Thinking FB federation would only increase adoption

Increase adoption? Probably, but taking a more pragmatic standpoint, setting aside Facebook's notorious history, I'd prefer a more cautious approach by first incentivizing organizations, institutions, and perhaps even individuals to join the FediVerse by not relying on a centralized instance.

• Dutch government starts own Mastodon instance as reaction to the instability of Twitter
  • https://lemmy.world/post/1291838

If users can spread out using other federated platforms, diversifying stakeholders in the network, then this could help establish some degree of protocol ossification for ActivityPup.

• E.g. seem my comment here:
  • https://programming.dev/comment/738123

In this regard, I shared similar concerns with reddit users who were at first asking app developers to trivialise user onboarding by defaulting everyone to lemmy.world . Given recent security incidents, I think this week has been a notable (if not a thankfully early and forgiving) reminder of the perils of putting all our eggs into one basket/instance. IMHO, sustaining perpetual diversity of our network is key for the Fediverse's survival, and perhaps for the Internet itself in general.

• Lemmy.world (and some others) were hacked
  • https://programming.dev/comment/810967
  • https://lemmy.world/post/1290412

Instead, we could prioritize federating with more independent stakeholders first, rather than with a single social media instance that is already larger (by several orders of magnitude) than the current Lemmy-verse, let alone the entire Fediverse.

Sources:

• FediDB - Fediverse Network Statistics
  • https://fedidb.org/
• Facebook Threads
  • https://www.theverge.com/2023/7/10/23787453/meta-instagram-threads-100-million-users-milestone

There are defeatists that suggest if ActivityPup can not passively withstand such onslaughts, then it's domize is already assured. Yet I would argue that communities are not passive, and that maintaining a public garden takes proactive efforts and vigilance, lest it be lost and succumb to wild overgrowth or a monoculture of human induced invasive species. Thus we should strategically seek to federate with instances that have self invested communities focused on self preservation, rather than instances that only have fiduciary obligations in monetization.

If I could stretch this agricultural medafor to its limits, then I'd say we do not yet have the moderation tooling or modern farming equipment to cultivate quality content on an industrial scale. Taking on to much land at once without enough self invested community members, where we'd have to pick up the slack as unpaid moderators (cough-Reddit), could lead to mismanagement of limited (and voluntary) resources. Given the historic issues of content moderation on Facebook's platform, and my impression that Facebook users in general are ambivalent to the self preservation of the company in comparison to its hosted content, I think it safe to say we'd have better success in learning to walk before attempting to run with global scale conglomerates.

While some may feel this remains a philosophical argument, I'd argue it is more of a pragmatic one, given the current maturity of the Lemmy software, the scale of current stakeholders, and realistic resources at our current disposal, taking on Facebook's level of traffic would be biting off more than we could chew.

For anybody wondering what the Mastodon security issue is - CVE-2023-36460, you can send a toot which makes a webshell on instances that process said toot. #CVE202336460 #TootRoot

• https://cyberplace.social/@GossiTheDog/110667416012211236

For anybody wondering what the Mastodon security issue is - CVE-2023-36460, you can send a toot which makes a webshell on instances that process said toot. #CVE202336460 #TootRoot

• https://cyberplace.social/@GossiTheDog/110667416012211236

Looks like they posted some more updates scene I check this morning:

• Recap of the Lemmy XSS incident & steps for mitigation
  • https://lemmy.world/post/1293336
• Lemmy.world (and some others) were hacked
  • https://lemmy.world/post/1290412

I came across this community, which it reminded me of your choice of avatar, and figured you'd be interested:

• https://lemmy.zip/c/netscape