Thorsten Alteholz: My Debian Activities in September 2018
As promised in an earlier post, I raised the number of accepted packages to 215, as well as the number of rejects to 69 this month. The overall number of packages that got accepted this month was 314.
October 2018 report: LTS, Mastodon, Firefox privacy, etc
I've played around with the latest attempt from the free software community to come up with a "federation" model to replace Twitter and other social networks, Mastodon. I've had an account for a while but I haven't talked about it much here yet.
My Mastodon account is linked with my Twitter account through some unofficial Twitter cross-posting app which more or less works. Another "app" I use is the toot client to connect my website with Mastodon through feed2exec.
And because all of this social networking stuff is just IRC 2.0, I read it all through my IRC client, thanks to Bitlbee and Mastodon is (thankfully) no exception. Unfortunately, there's a problem in my hosting provider's configuration which has made it impossible to read Mastodon status from Bitlbee for a while. I've created a test profile on the main Mastodon instance to double-check, and indeed, Bitlbee works fine there.
Before I figured that out, I tried upgrading the Bitlbee Mastodon bridge (for which I also filed a RFP) and found a regression has been introduced somewhere after 1.3.1. On the plus side, the feature request I filed to allow for custom visibility statuses from Bitlbee has been accepted, which means it's now possible to send "private" messages from Bitlbee.
Those messages, unfortunately, are not really private: they are visible to all followers, which, in the social networking world, means a lot of people. In my case, I have already accepted over a dozen followers before realizing how that worked, and I do not really know or trust most of those people. I have still 15 pending follow requests which I don't want to approve until there's a better solution, which would probably involve two levels of followship. There's at least one proposal to fix this already.
Another thing I'm concerned about with Mastodon is account migration: what happens if I'm unhappy with my current host? Or if I prefer to host it myself? My online identity is strongly tied with that hostname and there doesn't seem to be good mechanisms to support moving around Mastodon instances. OpenID had this concept of delegation where the real OpenID provider could be discovered and redirected, keeping a consistent identity. Mastodon's proposed solutions seem to aim at using redirections or at least informing users your account has moved which isn't as nice, but might be an acceptable long-term compromise.
Finally, it seems that Mastodon will likely end up in the same space as email with regards to abuse: we are already seeing block lists show up to deal with abusive servers, which is horribly reminiscent of the early days of spam fighting, where you could keep such lists (as opposed to bayesian or machine learning). Fundamentally, I'm worried about the viability of this ecosystem, just like I'm concerned about the amount of fake news, spam, and harassment that takes place on commercial platforms. One theory is that the only way to fix this is to enforce two-way sharing between followers, the approach taken by Manyverse and Scuttlebutt.
Only time will tell, I guess, but Mastodon does look like a promising platform, at least in terms of raw numbers of users...
Reproducible Builds: Weekly report #179
The Devil Is in The Details Of Project Verify’s Goal To Eliminate Passwords
A coalition of the four largest U.S. wireless providers calling itself the Mobile Authentication Taskforce recently announced an initiative named Project Verify. This project would let users log in to apps and websites with their phone instead of a password, or serve as an alternative to multi-factor authentication methods such as SMS or hardware tokens.
Any work to find a more secure and user-friendly solution than passwords is worthwhile. However, the devil is always in the details—and this project is the work of many devils we already know well. The companies behind this initiative are the same ones responsible for the infrastructure behind security failures like SIM-swapping attacks, neutrality failures like unadvertised throttling, and privacy failures like supercookies and NSA surveillance.
Research on moving user-friendly security and authentication forward must be open and vendor- and platform-neutral, not tied to any one product, platform, or industry group. It must allow users to take control of our identities, not leave them in the hands of the very same ISP companies that have repeatedly subverted our trust.
Touch ID and Face ID Don’t Make You More Secure [Ed: Of course sharing biometrics with the state or the "security state" isn't about security but mere subjugation]
Touch ID and Face ID area great. We like them, and we use them. But they’re convenience features, not security features, and you have fewer legal protections when using them in the US. When necessary, you can temporarily disable them.
This also applies to Android phones with fingerprint sensors, iris scans, or other biometric features.
How Face ID could be a game-changer for aggressive US border agents
Apple’s Touch ID is already on its way out. Just five years ago, iPhones began getting the famed fingerprint scanner that makes unlocking your phone dozens of times a day even easier.
But all of the new iPhones released this year—iPhone XS, iPhone XS Max, and iPhone XR—only have Face ID. They do not have Touch ID.
Canonical/Ubuntu: Roundup of Ubuntu Server Progress and Appeal to Hype (AI/ML)
Google Pixel Slate, Android 'Smart' Watch and Google's Censorship/Ban of SuperSU (Root Access)
Devices/Embedded Linux From Enea/Xilinx and Advantech
Microsoft Takeover of GNU/Linux Machines by Debian/APT
