Keyoxide: aspe:keyoxide.org:KI5WYVI3WGWSIGMOKOOOGF4JAE (think PGP key but modern and easier to use)

  • 0 Posts
  • 112 Comments
Joined 1 year ago
cake
Cake day: June 18th, 2023

help-circle




  • They were doing the same on other repos for months.
    Both their npm module and android client.
    On android they tried to get people to add their own fdroid repo because the official fdroid has not had updates for 3 months due to the license changes.

    Edit: Looking at it now compared to 4 days ago, they apparently got frdoid to remove bitwarden entirely from the repo. To me this looks like they are sweeping it under the rug, hiding the change pretending it has always been on their own repo they control.

    Next time they try this the mobile app won’t run into issues, the exact issues that this time raised awareness and caused the outcry on the desktop app, which similarly is present in repos with license requirements.

    If they were giving up on their plan, wouldn’t they “fix” the android license issue and resume updating fdroid, instead of burning all bridges and dropping it from the repo entirely, still pushing their own ustom repo? Where is the npm license revert?



  • It means previous versions remain open, but ownership trumps any license restrictions.
    They don’t license the code to themselves, they just have it. And if they want to close source it they can.

    GPLv3 and copyleft only work to protect against non-owners doing that. CLA means a project is not strongly open source, the company doing that CLA can rugpull at any time.

    The fact a project even has a CLA should be extremely suspect, because this is exactly what you would use that for. To ensure you can harvest contributions and none of those contributers will stand in your way when you later burn the bridges and enshittify.






  • Careful, Google is currently forcing apps to migrate from SafetyNet to PlayProtect!
    SafetyNet is used by tons of security theater apps like banking 2FA. It is an API of play services.
    PlayProtect is basically the same but you have to talk to it though google play. This is a blatant move by google to make exactly what OP is suggesting impossible, and means that if you do this, you may soon see many apps break that you are forced to use.


  • Yes, those could be detected.
    Ill see how large that portion is on my system in a bit, but I would expect it to come out as the minority.

    Non-detectible ones I can think of rn:

    • Tab muting manager
    • VPN manager
    • link redirect skippers
    • stats printers, like a tab counter
    • dynamic shortcuts, like opening the archived version of the current page on archive.org
    • old reddit redirect
    • cookie managers

    Many more of the ones you listed won’t be detectable on most websites.

    userscript managers (grease/tamper/violentmonkey etc.)

    A userscript manager is by definition detectible only on pages you define or install a userscript for. Even then, modern userscript managers like tampermonkey are running scripts in a separate scope that is completely sandboxed from the actual websites js context, you can’t even pass an object or function to the website and access it there, it will fail.
    Youtube has actively fought some userscripts and failed, which they probably wouldn’t have if those userscripts were detectible.

    User theme managers should be similar, but I can’t comment on them as I don’t use any.

    page translators

    Translators are only detectible when enabled.

    addons serving in-browser ads

    Why would you have an addon that serves ads?

    site-specific UI improvements (RES, SponsorBlock, youtube/SNS tweaks)

    Are site-specific, i.e. not detectible anywhere else

    privacy blockers (CanvasBlocker/JShelter/etc.)

    Please don’t use those anymore, use only uBo. Same for uMatrix.
    uBo is pretty good about not being detected, for obvious reasons.




  • TPM isn’t all that reliable. You will have people upgrading their pc, or windows update updating their bios, or any number of other reasons reset their tpm keys, and currently nothing will happen. In effect people would see Signal completely break and loose all their data, often seemingly for no reason.

    Talking to windows or through it to the TPM also seems sketchy.

    In the current state of Windows, the sensible choice is to leave hardware-based encryption to the OS in the form of disk encryption, unfortunate as it is. The great number of people who loose data or have to recover their backup disk encryption key from their Microsoft account tells how easily that system is disturbed (And that Microsoft has the decryption keys for your encrypted date).