It’s now running OpenBSD; still have to work out how to get FDE working.

Kyle boosted


We need to talk about packaging, signatures, checksums and reproducible builds:

On your system you have a keyring of packagers' GPG keys that you inherently trust.

Releases get signed with a key, which verifies the packager as the author, and supposedly lets you and your system trust their contents.

But do you really trust your packagers? How could you? Do you know them personally and monitor their packaging work?

Would you even know if they release a package with malicious content?

@fribbledom It was really heartening to see Debian making an effort towards this.

The problem is intermediates are often signed for ~3 years - just long enough for a lot of the engineers who set them up to have left or to be mostly forgotten because they just work. Three years comes faster than you think...

The core problem is people mostly only think about roots and leaves; it’s not until you get bit by this that it starts to become institutional memory.

I remember running into this at a past employer where TLS certs were core to the business. It happened on a New Year’s Day, and I spent a lot of that holiday trying to fix it.

@stephenjahl That and Westworld sometimes make me think I should subscribe to HBO.

Kyle boosted

I've kind of had an itch to actually build the UI for my LoRa modem. Here's me demoing it with a paperclip antenna (all of ~150m range here :))

Does anyone know any good IoT Matrix rooms?

@d71107 Yes! When my friend who also uses the site (and is helping me build it) posts, I'm more likely to reach out via Signal to reply. It's a more meaningful interaction than what I have elsewhere, usually.

Did some backpacking this weekend; it was extremely short because it was all we could find on pretty short notice. I'll never complain about a chance to wake up in the redwoods, though.

Kyle boosted

“The next-generation DNS”, a hosted, private DNS resolver with DoT and DoH support and blocklists.

I built my own S/MMS microblogging site and decided to write up a little about it:

@stephenjahl I guess I don't mind the verification of a single device; what I want is the verification of all of a user's devices (of which @qbit has a few) by verifying one device.

Also finding out about blocking due to drama plays into all the preconceptions I had about Mastodon. ¯\_(ツ)_/¯

I’ve been giving Riot a go and... it’s barely usable. Constant problems with undecryptable messages, the key verification process is cumbersome. There should be an option to TOFU or verify all. Signing out caused my iPad to lose all its keys and I had to approve from a different device. I don’t know how this is supposed to be an acceptable alternative from a usability standpoint to other offerings.

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.
