Not like Apple cared to look at it when people reported it to them. So much for App Store safety.

https://news.ycombinator.com/item?id=47744660

You still need to use a privacy-centric browser

Check out Konform Browser. Least leaky one out there.

A dedicated Forgejo instance f.example.com.

For a small set of trusted “base” images (e.g. docker.io/alpine and docker.io/debian): A Forgejo Action on separate small runner, scheduled on cron to sync images to f.example.com/dockerio/ using skopeo copy.

Then all other runners have their docker/podman configuration changed to use that internal forgejo container registry instead of docker.io.

Other images are built from source in the Forgejo Actions CI. Not everything needs to be (or even should) be fully automated right off. You can keep some workflows manual while starting out and then increase automation as you tighten up your setup and get more confident in it. Follow the usual best practices around security and keep permissions scoped, giving them out only as needed.

Git repos are mirrored as Forgejo repo mirrors, forked if relevant, then built with Forgejo Actions and published to f.example.com/whatever/. Rarely but sometimes is it worth spending time on reusing existing Github Workflows from upstreams. More often I find it easier to just reuse my own workflows.

This way, runners can be kept fully offline and built by only accessing internal resources:

• apt/apk repo mirror or proxy
• synced base container images
• synced git sources

Same idea for npm or pypi packages etc.

Set up renovate¹ and iterate on its configuration to reduce insanity. Look in forgejo and codeberg infra repos for examples of how to automate rebasing of forked repo onto mirrors.

I would previously achieve the same thing by wiring together more targeted services and that’s still viable but Forgejo makes it easy if you want it all in one box. Just add TLS.

¹: Or anyone have anything better that’s straightforward to integrate? I’m not a huge fan of all the npm modules it pulls in or its github-centric perspective. Giving the same treatment to renovate itself here was a little bit more effort and digging than I think should really be necessary.

This comment and its support is baffling to me. How is this not obvious to professionals?

haven’t seen any uptick in issues lately that makes me more worried about browser updates than like 5 years ago.

Then you have not been paying attention and I urge you to start doing so!

Blogs:

https://socket.dev/blog

https://krebsonsecurity.com/

https://www.malwarebytes.com/blog

https://johnhammond.beehiiv.com/archive

https://www.bleepingcomputer.com/author/bill-toulas/

Is there something particular going on or that has occurred to make you say this? Wondering what I’m missing.

Not one thing in particular but a general trend driven by several factors. Things recently have, are, and will continue to heat up.

For one, past few months a few significant supply-chain attacks have been hitting popular developer tooling and libraries used for web development. As devs get compromised, this will “trickle down” to users.

For two, as stakes are rising, devs are burning out and the economy is shifting, crap like this is just considered “Monday” now. Already been common with browser addons for a while now.

As for browser themselves, take a closer look at release notes and changelogs (for forks, go to upstream). Note the number and severity of addressed issues and update frequency.

Adoption and evolution of LLMs also tie into this in multiple ways. Others have written in length about this. If there is one thing doomers and hypers agree on, it’s this.

Oh, and be careful with archive links.

Nice try, NSA

I think uBO does have that.

Open popup -> Ctrl-click ⏻

Hard to give good advice without knowing more where you’re @. Leaving out the human and organizational aspects, which might be at least as important:

It could do you well to “harden” your environment and take a hard look at the software you are already running, what it does, and how it got there. Try to remove rather than add. Reduce your surface-area and exposure. Consider what options you have to isolate and “lock down” what remains.

Cut out or replace any software that calls home. Isolate and sandbox things. Take a critical look at your supply-chain(s): Are you satisfied with your repos/registries/installation methods? How auditable are your services in reality? Can you improve on that? Are there things that should be mirrored and/or built from source? (BTW, reading the source of the stuff you use and rely on and building it is a good exercise in itself whether you end up relying on the output or not)

Get familiar with relevant monitoring and debugging tools for whatever you have. Learn how to verify and validate your assumptions of “what is going on”. This probably involves getting comfortable and intimate with traditional data-engineering processes and tooling.

This applies to everything: shared infrastructure “in the cloud”, IDE and browser on your local workstation, transitive dependencies of apps you are working on and their toolchains, etc.

Maybe you need/want to set up some mirrors and dedicated CI. Forgejo is one easy way to get started as it comes with a lot of the components you need in one package.

If not used to doing so already, force yourself to think from first principles. Take less things for granted. Practice active threat modeling. Think about trust. Audit yourselves.

The “Sec” part is more about processes, focus and mindset. What tools are important can vary widely depending on what you have to work with.

deleted by creator

Redditors have long been the best bullshit detectors, and increasingly great Turing testers.

🦾

So how is mentioning Vivaldi bad?

I would guess they were probably thinking more about your Zen Browser reference¹, and your comment on Mullvad Browser. Both are misinfo and I would agree it’s good to do a little DD on your own before posting hearsay. Even with the disclaimers it’s contributing to spreading and giving credibility to those claims.

¹: Perhaps the least inspiring major FF fork from a privacy perspective… https://codeberg.org/dialhome-study/browser-network-insights

deleted by creator

The Lemmy community is broadly 50:50 on their support for said calls for the violence.

1. There’s astroturfing. Careful with judging community vibes by obviously votes but also comments.

2. There is more to “The Lemmy community” than what’s on display on .ml.

I also believe nobody here is sending threats.

I wouldn’t be so sure of your tribe. 19 users so far upvoted a comment with among other concerning bits:

if you’re anti this bullshit “law” then you are also pro physically harming poor FOSS “contributors”.

You missed this option:

• Ignore the feature and don’t use it.

systemd is quite modular. For example, if you abhor systemd-resolved (not at unreasonable stance) it’s NBD to disable it.

Recently (<1 year?) I frequently see the notion that software is “tainted” by having been touched by Bad. I find this a bit silly. Especially if it’s from a user who’s not even spending time in the codebase.

@cm0002@literature.cafe you’re going too far with the reposting IMO and I urge to revalidate your entire approach.

This is a user question copy-pasted without their consent (and possibly even knowledge; they may not be getting notified of your reshare despite the @).

Others may overlook that the OP has no involvement in the post here and post answers that the OP never becomes aware of (since you gracefully remove links to the source post).

Besides, you’re literally incentivizing people to prefer posting on .ml in order to then be reshared by your accounts elsewhere. By rebroadcasting .ml content (especially when at a higher rate than other content), you’re introducing perverse incentives and cobra-effecting your whole anti-.ml-operation by driving posters to .ml. Even readers, when they end up browsing it from digging up the original sources for posts like this one.

There are other (I assume unintended) negative side-effects of what you are doing and they way you are doing it. You are single-handedly reshaping threadiverse but maybe not the way you intended or for the better…

Are you keeping at default window size, or resizing? If latter, it is expected. This is a gotcha when using tiling window managers as they often force a window size that may give you off. TB should otherwise start with static fixed window size. Enabling “Letterboxing” feature can help alleviate this somewhat.

On PG: Also been seeing weird vibes and some inexplicable moderation comms and actions when looking closer. Their “recommendations” and “guides” also raise eyebrows. Something is very strange there.

Hi dmitry,

I suggest committing more often and in smaller chunks. Makes the repo a lot more accessible for outsider,s and reduces risk for stuff like this, which I assume is not supposed to be committed?

You go first.

You are correct. Similar to how /etc/passwd used in all Linux distros has had mostly neglected “GECOS” field for full name and phone number for decades. I am yet to hear of SMS validation done against such phone numbers.

https://en.wikipedia.org/wiki/Gecos_field

Why not extend the GECOS field? I haven’t seen the conversation but assuming it has to do with access control. By putting it in passwd/shadow you’re limited by filesystem permissions on the whole file, meaning it becomes impossible or annoying to do selective disclosure to certain user/process without bolting some service similar to what systemd is doing on top.

Lots of references to discussion and alternative proposals are tracked by Kicksecure/Whonix: https://www.kicksecure.com/wiki/Age-api