Hans-Christoph Steiner @eighthave@librem.one

@legind I haven't used https://wordpress.org/plugins/simply-static/ but it sounds like it goes one better by generating the whole site as static files that can be hosted on any webserver or CDN. No database necessary.

@legind There seems to be some kind of "Wordpress as static site generator" mode now, it would be key to have that simple to use. This points to a reason why I think the GNU/Linux distro model is so important: shared maintenance of the long tail, so that many small orgs can maintain their services without going bust.

@a_sator In Österreich geht es viel besser als in andere Länder. Ich fähre regelmässig von Wien nach Semmering mit dem #Railjet, esse an Bord Fruhstück als ich hinfahre, und Abendessen nachher. Ganz gemütlich. Ich bin auch mit den ÖBB nach Goldeck und Saalbach gefahren. Ich habe kein Auto. Viele Gebiete sind fast unmöglich mit den Öffis.

@ljacomet I just saw your slides for your talk "Protecting your organization
against attacks via the
build system", a great overview! I'm a #Debian dev who has worked on packaging #Gradle. We'd love to make it as close to your version as possible. There is a proprietary build dependency that blocks that from happening. https://github.com/gradle/gradle/issues/16439

Then compare this to getting package updates via the official #Debian repositories, which includes a wide array of proven techniques for securely shipping software packages and #updates. In addition, Debian has good track record over decades. In most setups, I think it is safe to enable the "unattended-upgrades" package which automatically downloads and installs updates for the majority of packages in Debian. This is the best choice for users who do not have the means to do further examination

Another key discussion area for #updates is a #developer updating the libraries that they use in their app. Ideally the developer would review all source code changes that the lib update includes. This rarely happens in practice, and we see lots of apps inadvertantly include malware via libs that have been taken over. for example https://portswigger.net/daily-swig/popular-npm-package-ua-parser-js-poisoned-with-cryptomining-password-stealing-malware This is where devs should be thinking about how much they trust lib authors to maintain secure accounts, domain names, upload processes, etc.

@jack "Updates" also means distros pulling in new upstream versions. The update maximalists often complain that stable distros do not update their packages often enough. That is a technical discussion, which is also good to have in public. "Updates" is a tricky word too, since in American English, it is a variety of meanings while some languages have adopted "Updates" to specifically mean end user software updates. I'm a native American English speaker, sometimes I forget those differences 2/2

@jack I agree that end users who do not look into their software providers should just install updates. That does not mean that we should ban all other discussions about updates, which it sounds like you are recommending. It is dangerous to lull people into complacency to just accepting the status quo because they are not technical. If someone feels threatened, they can also seek out expert advice for things they do not understand. "Updates" also has differences in meaning based on context 1/2

@jack I can't imagine a reason why knowing your software providers is a bad practice, that's what I'm talking about. You can tell Bruce Schneier that "Security is a process, not a product" is bad advice, since I was quoting him. Stable release processes are very much still a thing, as are running releases. The security properties of each have key differences.

There seems to be a common mode of thinking about #software these days that is something like "updated software is always best". I agree there is some truth to that, but it is unfortunately not that simple. Most vulns were introduced in an update, they were not there from the beginning. "Security is a process, not a product", so how the software is developed changes the relationship between updates and #security, e.g. software that never issues stable updates vs. software with stable releases.

@jeffalyanak I can compare Vienna, New York, and the Bay Area, since that's where I've lived. Accessibility in mass transit in CA and NY is terrible, that's clear. In Vienna, it works well and is also still being improved (the last of the unaccessible trams and buses will be replaced by 2026) : https://www.visitingvienna.com/transport/accessibility/

Like @amaditalks recommended, accessibility is built into the process, it is not punted to external "advocacy" organizations.

@amaditalks @jeffalyanak I agree that when living in a city built for cars, it will be hard to get around without one, no matter one's abilities and disabilities. There are many cities around the world with the car is not the focus, and looking at those cases, it is pretty clear that a good, car-free design disadvantages the fewest people. This kind of design does disadvantage cars, but cars are not people. Cities built around cars have a much steeper slope to reach effective car-free areas.

I guess I left out my personal motivation: as the father of two curious boys, I'd love for the #internet to be a place of free exploration again, like I first experienced it in 1994. It is far too easy for an 11 year to find things they can never unsee, or really even understand. And even worse, lots of it is coming from services that are literally trying to hook people and get them addicted.

The real power to control the problems related to porn comes from the payment. If sites can't accept credit cards or build substantial advertising businesses, there will be much less money going to middlemen. For me the open question is how much to be concerned about also making it harder for the performers to get money //