> It only supports a subset of Javascript close to ES5 [...]
I have not read the code of the solver, but solving YouTube's JS challenge is so demanding that the team behind yt-dlp ditched their JS emulator written in Python.
I'm pretty happy with codeberg.org as a free host.
Alternatively, Forgejo, Gitea, or (based on praise I've seen from other people) maybe sourcehut.org.
I find GitLab's interface intolerable. Heavy reliance on javascript even for read-only access, nonintuitive organization, common operations hidden behind menus, mystifying icons... Every time I seek out a project's home and discover a GitLab instance, I find myself pausing to reconsider whether contributing to the project will really be rewarding enough to outweigh the unpleasant experience I'm about to have.
Gitlab interface is busy, yeah. But you it packs a lot of functionality in. If you want, you disable features like wiki and snippets to free up space on the side bar of a project. Or just look past it and find the part you want, issues merge requests, whatever.
After working for years with GitLab professionally, you know exactly where everything is.
Particularly making a contribution should anyhow be trivial - you push the branch and it shows a banner in the repo asking if you want to open a MR for the recently pushed branch.
I don't know why anyone would use GitHub actions. They seem like a weird, less powerful version of the GitLab CI. Now they want to charge for runtime on your own runner.
I was surprised to learn that Wayland still doesn't offer control of keyboard LEDs like Scroll Lock, so unprivileged programs that use those LEDs cannot be ported to Wayland.
Even if I didn't depend on such a program myself, I would find it strange that Wayland gives the compositor responsibility for only part of the keyboard: its keys, but not its indicator lights.
After all they started by locking down everything and then they are creating all the openings that real world programs need to do what people use computers for. It's probably a better approach that starting with everything open and attempting to lock down, but it takes a long time and some of us will be locked out by some hardware / software mismatch. In my case it seems that Noveau can't talk properly with the backlight control of my card. Neither X11 can with those new kernel and driver but at least it can use gamma correction to simulate a darker screen. Wayland does not have gamma correction or it doesn't work as it should, I can't remember.
> determine the PID of the process that you are talking to and use pidfd to validate where it is coming from.
The pidfd_open() man page doesn't list many things that can be done with a pidfd. What sort of validation do you have in mind?
I would love to have a reasonably snoop-proof secret storage service whose security model works with normal programs (as opposed to requiring Flatpaks or the like).
My reasoning behind the pidfd thing would just be as a way to try to avoid race conditions, though on second thought maybe it's not needed. I think you can take your pick on how exactly to validate the executable. My thought was to go (using /proc/.../exe) check that the file is root owned (and in a root owned directory structure) and then use its absolute path as a key. Seems like it would be a decent start that would get you somewhere on any OS.
I think it would also be feasible to add code signatures if we wanted to, though this would add additional challenges. As I noted elsewhere any scheme that wants to provide a true security boundary here would need to deal with potential bypasses like passing LD_PRELOAD. Still, I think that it has to be taken one step at a time.
Are you aware of Firefox's search keyword feature? You can bookmark the URL of a web site's search result page, replace the search text query parameter with %s, and enter a keyword in the bookmark details. From then on, entering that keyword followed by some new text in the address bar will perform the new search.
You can choose keywords that don't start with !, so typing them is easier than using Duck Duck Go's bang feature.
I use this a lot, but the problem with this, that still hasn't been fixed after all these years, is if you have 2 or more keyboard layouts, you can't make more than one bookmark pointing to the same URL with different search prefixes.
So if, for example, you wanted to make
> x <search_term>
and
> y <search_term>
both work the same, x and y being letters from 2 different alphabets but mapped to the same keys, you couldn't, without some JavaScript. If you just added those 2 keywords, even if you manually edited or created your bookmarks, one bookmark would override the other and the other would appear empty with no keyword.
The workaround I found was using a bookmark with this code in it (instead of the usual URL):
It's slower and sometimes doesn't work if you type "y" and then the query too fast, especially if you're pasting the query. So sometimes it doesn't work and searches with the browser's default search engine for "y <query>".
The number would be most of the people who use the keyboard shortcuts && who use 2 or more layouts && who don't want to change languages to search for something.
It's just muscle memory for me.
CTRL+T -> x <search_term> -> ENTER
Most often I enter <search_term> with CTRL+V, so the sequence is:
CTRL+T -> x CTRL+V -> ENTER
Nowhere in that sequence is the keyboard layout important (if you don't write anything, but just paste).
Just like CTRL+T works even if you're not writing in a layout where the "T" key is mapped to the letter "T", so should "x" work no matter what it's mapped to.
I think everyone who regularly writes eg both Spanish and English, or Chinese and English etc will be affected. That's a LOT of people. Not all languages rely heavily on accents or special symbols but those do. (For example in Spanish you don't want to mix up 'año' and 'ano' :)
You can also use a self hosted searxng as front-end. It's got many options for things like Wikipedia and it is being properly maintained. It's also really nice and 'quiet'. No ads or AI shoved in your face.
Thanks for pointing it out. I actually use a plugin which rewrites search queries for custom "bangs" which I switched to after waiting for others to be fixed. I didn't realize that the same exists built in.
I can understand this in in certain contexts, such as a site that exists solely to post public information of no value to an attacker.
A local volunteer group that posts their event schedule to the web were compelled to take on the burden of https just to keep their site from being labeled as a potential threat. They don't have an IT department. They aren't tech people. The change multiplied the hassles of maintaining their site. To them, it is all additional cost with no practical benefit over what they had before.
This is why more and more organizations get away with only having social media pages where they don't have to worry about security or other technical issues.
Unfortunately, placing the information on a social media page burdens the people seeking it with either submitting to the social media site's policies and practices, or else not having access to it. This is not a good substitute.
It also contributes to the centralization of the web, placing more information under the control of large gatekeepers, and as a side effect, giving those gatekeepers even more influence.
Most social media are free and easy to sign up for taking under a minute to do and have user bases that can be measured in the billions. Most people in the world are willing to follow the rules.
Most people don't use social media via the web. They use it via dedicated apps. I think it's natural that people who don't want to deal with the tech side of things will outsource it to someone else. The idea that everyone will host their own tech is unrealistic.
For now, in some jurisdictions, social media is "free" for your customers in the sense that it's supported by advertising.
It's not free for you of course because advertising isn't free and from their point of view what you'd be getting is free advertising so they want you to pay them to put it in front of your customers.
The work and technical expertise to setup let's encrypt is less than the work to register a domain, set up a web server, and configure DNS to point to it.
You seem to have missed what I wrote in the first place: They aren't tech people.
It is additional work, and requires additional knowledge.
It was also not available from most of the free web hosts that sites like these used before the https push. So investigating alternatives and migrating were required. In other words, still more work.
https://steamcommunity.com/games/221410/announcements/detail...
reply