Pinned post

I want to be able to tell my friends why is better than the birdsite, so I wrote a thing: "Mastodon Is Better than Twitter: Elevator Pitch"

I want this to be as persuasive as possible to outsiders, so I'd appreciate as much feedback as possible from Mastodon users

Current status:

Adjusting the kerning … of a monospaced font.

> On my way to the 2022 conference for and – my first in-person conference since covid started.  Feels weird!

Of course, the part that feels the weirdest is being back in an airport for the first time in years. A short flight like this used to be so routine, but it sure doesn't feel that way now.

(It's worse due to how normally everyone else is acting. Most people don't have masks, whereas I have 3 – to have different comfort/security tradeoffs available)

On my way to the 2022 conference for and – my first in-person conference since covid started. Feels weird!

Publishing a content hash would mean that the site couldn't roll out changes to their login page daily (contra the current CI/CD mantra). But a high security application really ought to version its releases, even for a web app (and, indeed, Bitwarden does:

So each release would be a time when users/extensions would update their known-good hash.

All of ^^^^ seems workable. But it also seems obvious enough that I wonder if I'm missing a big flaw. Any thoughts?

If the hash of the main HTML document matches, that would mean that it requests all the same JavaScript files. A malicious server could mess with the content of those JS files. But JS already has the <script> "integrity" tag to check each script's contents against a known-good hash.

So, any change in any requested script (or CSS) would flunk the integrity check unless the HTML's hash gets updated – but changing *that* would make the HTML's hash flunk.
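The chain of checks this thread describes (a pinned hash for the login page's HTML, plus a Subresource Integrity attribute on every script it loads), written out as an added example; this is not code from the original posts or from any site mentioned in them, and the sample login page, script and function names are constructed for the illustration.

```python
import base64
import hashlib
import re

def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Value an HTML integrity attribute expects, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def document_hash(html: bytes) -> str:
    """Hex SHA-256 of the whole HTML document: the value a site would publish per release."""
    return hashlib.sha256(html).hexdigest()

SCRIPT_TAG = re.compile(r'<script\b([^>]*)>', re.IGNORECASE)
ATTR = re.compile(r'(\w+)="([^"]*)"')

def check_page(html: bytes, pinned_hash: str, scripts: dict) -> list:
    """Return the problems found (empty list means the page checks out).
    `scripts` maps each script src to the bytes the server actually served for it."""
    problems = []
    if document_hash(html) != pinned_hash:
        problems.append("html hash mismatch")
    for m in SCRIPT_TAG.finditer(html.decode("utf-8")):
        attrs = dict(ATTR.findall(m.group(1)))
        src = attrs.get("src")
        if src is None:
            continue  # inline script: already covered by the document hash
        integrity = attrs.get("integrity")
        if integrity is None:
            problems.append(f"{src}: no integrity attribute")
            continue
        algo = integrity.split("-", 1)[0]  # e.g. "sha384"
        if sri_digest(scripts.get(src, b""), algo) != integrity:
            problems.append(f"{src}: integrity mismatch")
    return problems

# Constructed sample data: a tiny login page and the one script it loads.
LOGIN_JS = b"document.getElementById('login').addEventListener('submit', doLogin);"
LOGIN_HTML = (
    b"<html><head><script src=\"/login.js\" integrity=\""
    + sri_digest(LOGIN_JS).encode() + b"\"></script></head>"
    b"<body><form id=\"login\"></form></body></html>"
)
PINNED = document_hash(LOGIN_HTML)  # the hash the site would publish

if __name__ == "__main__":
    print(check_page(LOGIN_HTML, PINNED, {"/login.js": LOGIN_JS}))
    tampered = LOGIN_JS + b"// modified"  # served script no longer matches the tag
    print(check_page(LOGIN_HTML, PINNED, {"/login.js": tampered}))
```

Changing the served script trips the integrity check; updating the integrity attribute to match changes the HTML and so trips the pinned document hash instead, which is the point the thread makes.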

> couldn't a site mitigate [the amount of trust in the server that client-side WebAuthn requires] by publishing a hash of the document HTML – basically like SSH's known_hosts?

To flesh that out, I'm imagining a site (eg, bitwarden) posting the hash of the HTML for their login page so that users can check the login page's actual hash against it (manually or maybe with an extension?)

Of course, the server hosting the hash could be compromised too, but it's a static page – a low surface area!

The biggest flaw I've heard with WebAuthn/other attempts to do security critical or zero-trust tasks in client-side JS: even if you're *theoretically* not trusting the server with your secrets, you're *still* trusting them not to be so thoroughly compromised/malicious that they send malicious JS (which of course gets re-downloaded on each visit). See e.g.,

But couldn't a site mitigate that by publishing a hash of the document HTML – basically like SSH's known_hosts?

Did some by-hand curation of my proposed word list that 1Password should adopt

Should I tweet it at them?

Episode 44: Celebrating a Decade of Guix

Guix turns ten! We celebrate... by highlighting ten great things about Guix!
Hear all about functional package management, time-traveling operating systems, and why "Composable DSLs" are great!

Here's a post-mortem of what we saw on over Monday and Tuesday with the influx of new members from Twitter.

Thought you fine folks would be interested in something like this.

I completely derailed a scrum meeting today by adding mood music on my synth whenever anyone gave a status update.

"I wrapped up blah."

me: fanfare

"I’m running into some unanticipated complexity."

me: ominous music swells

There are dozens of fish or fish-like emoji (e.g., 🐟 🐠🎣🐡🦈🐬🐳🐋🐟.𓆝𓆟)

In fact, there are so many that, if I sent you a random one, a third party wouldn't have a good chance of guessing which one I'd sent.
This means we could adopt a new form of 2FA based on sending fish emoji

“In addition to your password, please log in with your one-time cod”

Hmm, and my post ^^^^ is, oddly enough, now on the HN front page – even though I didn't submit it and hardly anyone has upvoted it.

I guess no one is online this time of morning-ish on a Saturday?

And now there's a followup to ^^^^
Unix philosophy without left-pad, Part 2: Minimizing dependencies with a utilities package,

I intended part 2 to be shorter, but it ended up nearly 2× as long. And, the thing is, the main topic I went on about was the value of concise code!

… I might have a problem.

I've got a new blog post: _Following the Unix philosophy without getting left-pad_,

It's part of the Advent Calendar, but I tried to write it in as language-agnostic a way as possible (and I actually spent more time talking about than Raku. and also get a few mentions)

The more powerful computers & smartphones get, the more you can undervolt them to get better battery life while still having a very usable device

This is honestly the first time I feel excitement about a Linux distribution. Been a proud user and sponsor of @linux_mint for years, but the @elementary folks are doing impressive design and usability work, and they have good marketing. Congratulations for the release!

Under appreciated facts:

* Context switching is very expensive for computers. It causes them to synchronize their CPU caches to main memory

* Context switching is very expensive for humans. It causes them to empty their mental cache

What distro and DE combo would you suggest for an x86 tablet?

UEFI is 32-bit, CPU is a 64-bit Intel Atom Z3745, 2 GB RAM

Pop!_OS looks like it's the best for touchscreens, but GNOME might be a bit too heavy for 2 GB RAM.

Something lighter like LXQt or LXDE on Lubuntu, for example, seems more appropriate.

The one fact that gives me the most optimism about the future of tech is that, fundamentally, software development suffers from diseconomies of scale.

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.