Aussie living in the San Francisco Bay Area.
Coding since 1998.
.NET Foundation member. C# fan
https://d.sb/
Mastodon: @dan@d.sb
Open source projects are particularly vulnerable here since anybody can just grab the source and throw an LLM at it to see if it can find exploits.
On the other hand, this means that they should end up more secure. Open-source projects get far, far more vulnerability testing than closed-source projects. Security holes in closed-source systems can exist for years at a time, which is how things like the Pegasus malware work (undisclosed security holes).
This is how all language package managers work, unfortunately
npm does actually support signing and provenance (tracking how the package was built), so in some ways it can be more secure than other package managers. https://docs.npmjs.com/generating-provenance-statements
If you use one of the CI/CD systems they support (currently Github Actions and Gitlab CI), it can attach a signed attestation to the package stating the commit hash that was used to build the package, along with the steps taken to build it. This is combined with trusted packaging using OpenID Connect with short-lived tokens that are only obtainable in the correct CI environment, rather than using access tokens or username and password.
It only supports some CI systems because they have to guarantee that the connection between the CI system and npm is secure.
Some of the recent issues have been attacks on the CI system, rather than npm itself. For example, a Github Action that’s only supposed to run for commits to the main branch, but unintentionally runs for some subset of pull requests too.
Of course, all this stuff is optional, and pushing to npm directly from a developer’s computer still works and is still not verifiable at all.
I think the best approach is what Flathub/Flatpak, F-Droid (Android) and Composer/Packagist (PHP) do. You provide your repository URL, and they build the code on their end. Packages are always guaranteed to be built from code in the repo.
Debian Linux is also moving towards requiring repeatable builds, meaning that a package built from source should be byte-for-byte identical to the package in the repo.
What’s performance like? I found it to be very slow the last time I tried it.
in a world where chrome becomes the defacto browser
This is already the case.
Password protect it and just let friends use it? Or have it just for yourself :D
I just posted a comment about this :D
https://romm.app/ - Self hosted game ROM manager that lets you play retro games directly in the browser (using RetroArch cores compiled to WebAssembly).
https://retroassembly.com/ is a similar project.
There’s also https://gamevau.lt/ which is like a self-hosted version of Steam, for DRM-free games (like from GOG).
Game servers? https://linuxgsm.com/. Have an Unreal Tournament 99… tournament with friends.
Companies sometimes sell their own first-party data, but not nearly as often as people think. If a company has data that other companies don’t have, a lot of the time they’ll want to keep it for themselves, since it can give them a competitive advantage over other platforms.
If Amazon knows what movies and TV shows you like, they’re going to use that data to improve ad performance on their own platforms - suggested content on Prime Video, product ads on Amazon, etc. They’re not going to give it to some other company to use.
The one major exception to that are data brokers. These are companies that only exist to sell data. These are less well known companies. They often use public data and combine it with things like supermarket loyalty data and purchase history.
For a beginner, I’d probably stick to Github initially, just because there’s so many guides and tutorials on how to use it, and their free plan is still pretty generous.
A lot of the knowledge is transferable though. If you do want to try something else, Codeberg is pretty good for open-source.
To just learn about Git, you don’t even need a host like Github or Codeberg. You can have a Git repo just on your computer, and still get a bunch of the benefits of source control - a full history of everything, separate branches and worktrees so you can have multiple incomplete changes and switch between them, etc.
Or Forgejo, which is a fork of Gitea and is what Codeberg uses. They explain their advantages over Gitea here: https://forgejo.org/compare-to-gitea/
The tl;dr is that Forgejo is maintained by a non-profit whereas Gitea is maintained by a for-profit company, and Forgejo is completely open-source whereas Gitea is open-core with some features only available in their hosted service. Forgejo also has better testing and a bigger focus on security.
Maybe I’ll give that model a go if my current one ever dies.
I got an MX Master 3 as an upgrade, but couldn’t get used to the weird scrolling behaviour (similar to this: https://www.reddit.com/r/logitech/comments/wpp1c6/logitech_mx_master_3s_scrollwheel_is_still/), so ended up returning it and reverting to the $30 one.
Older people do this a lot. Either their full name, or “Lastname residence”
The scary thing these days is that someone needs just a few samples of your voice to be able to clone it using AI. I suspect that scammers will do that, if they’re not already doing it, then use it to scam family members. We’re going to get to a point where we can’t trust people are who they say they are.
Whoever wrote this message definitely knew what they were doing.
WAL mode makes writes a lot faster, which is sufficient for a bunch of use cases. Writers do still need to wait, but they have to wait for a shorter duration. It’s still not the right choice for write-heavy use cases, of course.
I’ve had the same cheap Logitech M705 mouse at work for over 10 years. It takes two AA batteries that last for around two years with daily use. Cost $30 when I first got it.
They do still sell it but have cheaped out a bit over the years - the scrollwheel is now plastic instead of metal and the sensors aren’t as good - but it still has that great battery life.
I don’t understand how these newer, fancier mice can’t achieve the same thing. I really hate that everything is moving towards built-in batteries. AAs are easy to instantly replace and I have a bunch of Eneloop rechargeable ones.
People that reverse engineer complex modern hardware are probably some of the best developers in the world.
Some mobile networks have spam protection that’s enabled automatically.
You could also have a “clean” number, especially if you don’t use your phone number anywhere haven’t answered a spam call before, and nobody used it before you (or the previous user was a long time ago).
Spam callers can’t robodial literally every number, so they rely on lists of phone numbers that are known to be good/active, for example if they’ve answered a spam call before, if the number has been in a data leak, etc.
I felt like a grown up once I got my paperless-ngx setup up and running.
I have a Scansnap ix1600 scanner. Everything is automated once I insert a document and click the button to scan it.
For documents I need to keep a physical copy of, I give each document a consecutive ASN (archive serial number) using QR code stickers. When importing the document, paperless-ngx sees the barcode and attached the correct archive number to the document.
If I need to find the physical copy, I first find it in Paperless-ngx, look at the archive number, then look in a folder where the documents are arranged by archive number. Easy.
Do you know exactly which SoC it uses?
It’s probably a 32-bit ARM processor. Most NAS-focused operating systems have removed support for these, if they even supported them at all. OpenMediaVault recently removed support for 32-bit ARM and only support 64-bit now: https://www.openmediavault.org/?p=4002.
Having said that, some OSes still support them. You should be able to get Debian running if it’s an ARMv7 CPU or newer. Debian did support older ones, but they’re being phased out and no longer build an installer for them.