I recently read a complaint about the opposite. Someone deleted their Proton account and their handle was made available 1 year later. They were rightfully angry because the next user would potentially start receiving mail from things like the original user’s bank. The new user could perform password resets on accounts where the original user had not yet changed the email address on file.
You question forced me to revisit this and take a closer look. I have in my notes “If someone’s fingerprint is untrusted, they will get an encrypted msg that they cannot read.” So I entered a 1:1 window with the one person who only ever gets errors from me, entered /omemo fingerprint, and it simply showed the person’s fingerprint. Then I did the same for someone who has fewer issues with me, and printed next to their fingerprint is “(trusted)”. Ah ha! The other acct has an untrusted fingerprint and Profanity does a shitty job of informing the user. The absense of a “(trusted)” when asking for the fingerprint is the crucial indicator.
To answer your question, I think keys are managed automatically. I never had to add a key. But I have had to trust fingerprints. In the new version of profanity it’s possible to enter /omemo trustmode blind. That would also solve my problem but I don’t want to be sloppy. So I have to guide the other user to their own fingerprint and confirm it.
(edit)
Well this is bizarre. There are a couple people who I can talk to in Profanity just fine with OMEMO enabled, and their fingerprint also lacks the “(trusted)” next to it. Yet my trustmode is “manual”.
Thanks for the info… i’ll check out poezio for sure.
Regarding the bug, it has already been reported→ https://github.com/profanity-im/profanity/issues/1615
The server is snikket.chat.
I am not sure what causes the OMEMO error though as I am not a iOS user.
I believe Profanity is mostly to blame for those errors. Profanity loses track of keys and fingerprints of other users, and I think what it does is encrypts the msg to myself, then transmits it without encrypting to the recipient. Then the recipient gets a msg that’s encrypted to others but they cannot decrypt it. Then to worsen matters it seems XMPP uses the same incorrect error message for many different situations. Profanity really needs to change so if any of the recipients keys are not found, it should refuse to send the msg. I see a bogus error on my end as well, and the fix is to disable OMEMO the re-enable it (/OMEMO end; /OMEMO start).
In any case, thanks for the suggestion. I’ll see if I can get someone to try that app. I cannot be fussy about features. I really just need text msgs to work.
“Just searching the code where the address book API is used” most certainly does not give you increased confidence.
That’s the starting point. If you don’t spend a few minutes more to find the object and see how it is used, you’re doing it wrong.
Obfuscation is not that difficult.
Obfuscation is even easier to spot than to create, which on that basis alone would be good grounds to reject a package.
You can only possibly gain confidence if you fully understand every single line of code.
As I said, you need not read every single line of code. Just the code touching the address book.
I ignored it because it’s idiotic. Google isn’t and shouldn’t be building code for you unless you pay for it.
It’s looking more clear that English is not your first language. You continually fail to comprehend what I’ve said, which was the complete opposite of this comment, after you suggested that a code review effort is that of a new hire onboarding effort.
One more time: a company having people review specific code for a specific purpose does not in any way resemble an adversarial code review against bad actors.
Again, that is not the purpose of the code review. If the purpose is to generally find malicious code, that’s a very different criteria than /not exporting an address book/. And if you move the goal posts to that mission, you have no fucking chance to do that with the simple black box analysis you’re advocating.
There are no parallels. A code review gives you literally zero confidence that the writer isn’t malicious
A code review is the absolute cheapest most effective way to find malicious code, if that’s your new goal. You will not find malicious code with any confidence by looking at a TLS traffic tunnel and playing with the app as a user.
unless you comprehensively understand every single line.
Clearly you’ve never written software. Malicious code does not affect every single line nor does it need an understanding of every single line. Every code review I’ve performed has been narrow in scope and yet I still find non-conformant code. If you think you need to look at every single line, I suggest avoiding the software career.
Open source project security is entirely and exclusively reputational.
Reputation matters whether a project is FOSS or not. But if it’s not FOSS, reputation is all you have. Of course it’s nonsense to claim FOSS code cannot be reviewed by anyone who cares to step beyond reputation.
An organization reviewing its own code is not the same, or similar in any way, to an organization reviewing a large volume of external code for malicious intent.
This is neither of those cases. This is trivially searching the code for where the address book API is called, and inspecting only the relevant code to that object for a specific usage. If you review the whole volume of code for the entire application, you’re doing it wrong. It’s trivial and for the reasons I’ve already explained, less effort than dynamic analysis and traffic analysis.
And it doesn’t work for a wide variety of reasons (including the one I already gave you that binaries don’t provide you any guarantees that they’re from the source).
And you apparently missed the response because you’ve neglected to address it. It was a defeated claim.
Onboarding is universally slow because new people take weeks to months to actually meaningfully understand big projects.
You’re thinking about hiring heads to work on code they need to understand in depth in order to edit the code. That’s not the case here. Code reviews are much cheaper than onboarding developers.
Again, you’re asking for FOSS code to get some special treatment and bypass the requirements already in place.
Again, no exemption has been requested. Google is either smart enough to make use of info at their disposal, or they are not. (answer: they are not).
It’s completely absurd, because every single one of those tests would still be unconditionally mandatory to get any kind of actual confidence in security.
Only if you do it wrong. A code review gives more confidence about what happens with the address book than testing. Only a fool would needlessly spend money on the more costly and redundant black box approach which yields results (guesswork!) with less confidence¹. Sure you can also do the black box analysis but that’s just wasting money when the bar has already been cleared. You would do both if lives depended on the code, but such standards are far above Google’s standards.
Choosing to skip them because someone in India skimmed the code would be way past gross negligence.
You’re still not getting it. No one advocates for an exemption. You need to get that out of your head. A code review is a way to more cheaply do the verification with higher confidence, not to bypass it.
¹ Hence why Google failed many times to get it right.
A. Code review doesn’t work.
You’re doing it wrong.
B. Code review takes a very large amount of highly qualified man hours to not work.
Not if a machine does it. And even if they use humans, it takes even more man hours to do the alternative dynamic analysis and traffic analysis. Code review saves countless man hours even if done 100% manually by humans.
C. Requiring review of proprietary code exposes Google to a crazy amount of antitrust and IP liability. Again, to not work.
Not applicable to FOSS code.
Code review doesn’t happen because it’s a laughably stupid idea that has virtually no chance of being beneficial in any way. It’s not an oversight.
Code reviews happen at every organisation I have worked for to catch unwanted code before deployment and testing. The reason we review code before testing is because it’s cheaper to review code than to test it. It’s laughably stupid to think code review doesn’t work only to then to spend more money on verification tests.
The issue they’re complaining about is that they’re being held to additional standards because they ask for a sensitive permission.
That’s not Snikket’s complaint. Snikket naturally satisfies the standards at hand because they do not export address book data, so they have no reason to object to the standards Google is failing to verify. Their complaint is rightfully about Google’s incompetence in evaluating their compliance. It’s clear from Snikket’s account what a shit show it is at Google who failed copious times to evaluate their software.
There’s nothing more terrible in the position of a software repository than the incompetence of neglecting to review code as part of the acceptance process. I can’t think of a more foolish policy than to ignore the code of software for which you are trying to endorse the quality of.
FOSS isn’t magic. Reviewing the source code doesn’t guarantee that the version you get matches the code you were provided. You unconditionally should not get any exemptions to store policy because your code is open source. That’s a terrible idea.
No one has suggested exemptions. Otherwise you need to quote where you get that idea from. You’re not grasping the fact that code enables criteria to be verified. It therefore needs no exemption.
The terrible idea we are grappling with is the idea to not review source code that is available. If the code does not match the binary, that is Google’s problem. Google is the repository and has the sole responsibility for either ensuring reproducable builds are in play (to the extent that they care) or compiling it themselves.
Having actual written policies and meeting other criteria are the rules for a reason.
Those policies are not above criticism. If Google’s policies fail to include code reviews as verification that criteria is satisfied, that’s on Google and they have no expectation of not being condemned for their incompetent policy.
What are you missing? When Google has access to the source code, they have the ultimate most effective and simultaneously easy way to verify the criteria is met. Of course that’s relevant to the discussion. It’s how you know what the software does. Only closed-source projects have a problem demonstrating that they’ve satisfied the criteria.
I’ve wanted to play with packet radio for a while now. It’s a shame the article pimps a Cloudflare site (winlink). It’s fitting in a sense though because there is a ban on using encryption over the ham radio bands. So the emails over packet radio must inherently be exposed to the world anyway.
This is good news in the sense that Snikket is forced to promote the better repository (F-Droid). It’s also favorable when some good apps like Snikket are simply unavailable in Google Playstore. If every app is available in Playstore, that solidifies Google’s disproportionate power – which they abuse. We need more apps to be only available outside of Playstore.
Snikket is also a good app to have that excludes Playstore because of its nature as a communications app. Advanced users likely tend to push their more novice correspondents to install Snikket. So going forward they will have to do their duty in spreading F-Droid.
Snikket is FOSS. The source code is available to Google.
breathability is the key criteria for clothing. Polyester and synthetic fabrics are nearly all terrible at this compared to natural fibres.
Natural fibers cannot be grouped together in this way because there is a huge variation.
This is where cotton fails and synthetic microfibers come out ahead. Cotton retains water, swells when wet, and suffocates as water tension spans the threads that are thickened by the swelling. Synthetic microfibers wick moisture away, and do not swell when wet, which gives excellent breathability. Cotton is fine as long as you don’t sweat. Or exceptionally, if it’s extremely hot in some windy situations the water retention can be a plus. I used to don cotton and hose myself down before getting on a motorcycle on a hot dry day. The evaporative cooling effect worked wonders with the high relative wind. But outside of that niche, such as sports, microfibers are king which is why sporting goods shops fetch high prices for high tech synthetics. As someone who sweats profusely more than normal, cotton is a non-starter in warm climates. Evaporation from soggy cotton simply cannot keep up with the rate that I add sweat. So a cotton t-shirt gets soaked in sweat and remains wet the whole workout session, and for days thereafter.
I used to wear tighty whities which made my gear sweat. Switched to Pategonia boxers and wow what a difference in breathability.
Wool and synthetics are similar w.r.t. comfort hence the term “smart wool”. But indeed natural wool is pricey and non-vegan.
Doesn’t sound familiar, but maybe there is more than two.
(edit) just had a brief look at bombas. They seem like a great product but I didn’t see notice of a lifetime warranty.
Voting with your money works. But only when there are good options to vote for.
There are a couple BifL sock makers, but no BifL underwear makers. That’s the problem. If someone made loose-fitting stretchy aramid boxers with a drawstring that lasts 1+ lifetimes, people would pay $100/ea for them.
HUGE amounts of clothes are being trashed, many of them new; never worn. I wish I kept the link around. There were several articles in the past few years showing massive piles of clothes along the coastline of some poverty-stricken countries, with all the dyes leeching into the ocean. Fast fashion is the culprit.
Probably what disgusts me the most are political campaign t-shirts. Surely it’s the worst instance of obsolescence by design in clothing. Andrew Yang claimed to be an environmentalist yet his campaign t-shirts were made of non-sustainable cotton. Attempts to spotlight that were censored by Reddit.
If it’s OK and just doesn’t fit I donate it.
All the charities collecting clothes in my area are fussy. They want no flaws, and they want clothes to be cleaned. Apparently there is no infrastructure for repairing them or even simply washing them. Neighbors don’t bother… they just stuff a trash bag with clothes and put it out with other trash. Sometimes someone notices that and tears open the bag and rifles through it for stuff. I’ve moved into places where the previous tenant just left clothes and blankets behind. I dumped them in the clothing donation bins anyway, without washing. But it’s dicey… I could just be adding to their burden and have no idea if the clothes and blankets get used.
Patagonia boxers are made using recycled plastics and they also accept worn out boxers for recycling. Patagonia is the only boxers I have found that are very loose fitting (baggy in fact), silky feeling, yet stretchy, yet moisture-wicking all at once. Nothing like this seems to exist in Europe.
So here’s a debate: synthetic vs cotton
Synthetic boxers can be recycled and can be made from recycled plastics. But every time synthetic clothes get washed they shed microplastics which most sewage treatment centers cannot filter out. You would have to buy a special filter to attach to your washing machine. Researchers in Ghent discovered that the bacteria that loves perspiration also loves synthetic clothes but not cotton. This is why synthetic clothes get stinky fast and thus need more frequent washing than natural fibers.
Cotton production consumes absurd amounts of water (2700 liters of water to produce 1 t-shirt). And when you wash it, hang drying takes /days/ (whereas microfibers hang dry in a couple hours). So people use energy wasting tumble dryers when cleaning cotton. But cotton has the advantage of being biodegradable. You can simply compost/landfill finished cotton as long as it doesn’t have harmful dyes that leech out. There is also a cotton t-shirt that is claimed to wearable 7 times before each wash. IIRC it’s blended with silver for anti-microbial effects.
The environmental debate can go either way depending on which problem you want to focus on, but cotton is clearly lousy performing underwear considering how it retains water and gets soggy. The only natural fiber that performs well for underwear is wool (ideally Marino from what I’ve read). But the prices on that are extortionate. €60+ for one pair of wool boxers, and they’re tight fitting.
Anyway, the OP’s thesis is lost. There is no BifL boxers AFAIK.
There are BifL socks though, called “Darn Tough” which have a lifetime warranty. They have 1 competitor but I forgot the brand. Both use marino wool.
Patagonia plans to open a store in Amsterdam.
I have a shopaholic aunt who is said to wear things she buys once on avg. She could open her own 2nd hand shop (or if she moved her stock to Europe she could open ~6 2nd-hand shops). Many women in my family are inflicted with this disease to varying degrees. It’s a gender-specific disease that I think men are immune to.
Enshitification warning: #Arstechnica manages to push bandwidth-wasting autoplay video in a way that bypasses Firefox’s setting to disable autoplay.