The Reddit space is just a bunch of pictures of people’s home Labs it’s not really a self-hosted community at all.

It’s not interesting to explore and read like this one is.

It’s suffered from a common phenomena of any community that grows in popularity where it caters to the lowest common denominator and loses its niche.

No, now they taste that sad slightly burnt air with a tablespoon of salt.

I didn’t really mention immich directly here.

This is a problem which is endemic to casual software development like many FOSS projects. It’s a reality of how free software tends to be built in general vs commercial software.

The issue here is that these are solvable problems, release compat isn’t a new problem. It’s just a problem that takes dedicated effort to solve for, just like any other feature.

This is something FOSS apps tend to lack simply due to the nature of how contributions tend to work for free software. Which is an unfortunate reality, but a reality none the less.

People really underestimate the value of stability and predictability.

There are some amazing FOSS projects out there ran by folks who don’t give a crap about stability or the art of user experience. It holds them back, and unfortunately helps drive a fragmented ecosystem where we get 2,3,5 major projects all trying to do the same thing.

“spreading misinformation” is a phrase mostly used by feds when they see something they consider to be “wrong think” or not “politically correct”. They use this anti-misinformation campaign to support their censorship and mass surveillance system.

Immediately jumping to discredit and dismiss instead of engage by way of over generalization and accusation is not a good look my man.

The comment two above this links to a tool that literally does live syncing on a line by line level. Unless you’re editing the same lines at the same time you’re not going to get sync conflicts.

I use it as well and it works wonderfully in real time.

I very specifically want an app that collates all the information that can possibly be gathered about me in a way that I can utilize and abuse it myself. For me there is a lot of utility and value to be found with this sort of thing.

Of course the security posture of said app needs to be rather robust. And instead of it being an app it should instead be an SDK that I can then choose and control my own storage medium for.

Never not

I’m not sure why you’re so dismissive of this? It’s kind of asinine.

Does everyone everywhere only ever use computers in an enclosed room? Is everyone with something value to exfiltrate easily accessible to kidnap and beat with a wrench?

This is valuable for corporate espionage, political purposes, or for nation states. If miniaturized, even easier for targeted attacks where it might be difficult to inject malware, or for broad attacks on office workers.

And the best part is that it doesn’t leave a trace which beating someone with a wrench and malware would do…

That doesn’t answer the question.

Domains can expire, be sold, have their hosting (nameservers) changed…etc it’s very conceivable given the current climate that it could be a malicious site used for data exfiltration from prospective voters. The security posture, if any, of the owner are also unknown, meaning it may be unknowingly compromised.

Especially when you have people willing to drop tens of millions of dollars on voter suppression.

Plain and simple, don’t enter your personal information into a 3rd party site. Use your official government provided ones for this purpose.

Yeah that’s the problem is guessing what they meant.

I’m not claiming some grand level of knowledge here. I also cannot enumerate all risks. The difference is that I know that I don’t know, and the danger that poses towards cognitive biases when it comes to false confidence, and a lack of effective risk management. I’m a professional an adjacent field, mid way into pivoting into cybersecurity, I used to think the same way, that’s why I’m so passionate here. It’s painful to see arguments and thought processes counter to the fundamentals of security & safety that I’ve been learning the past few years. So, yeah, I’m gonna call it out and try and inform.

All that crap said:

And you are right, the problem gets moved. However, that’s the point, that’s how standardization works, and how it’s supposed to work. It’s a force multiplier, it smooths out the implementation. Moving the problem to the OS level means that EVERYONE benefits from advanced in Windows/Macos/Linux. Automatically.

It’s not signal’s responsibility, it shouldn’t be unless that’s a problem they specifically aim to solve. They have the tools available to them already, electron has a standardized API for this, secureStorage. Which handles the OS interop for them.

I’m not arguing that signal needs to roll their own here. The expectation is that they, at least, utilize the OS provided features made available to their software.

Another risk with Monitor, which may get better with time. Is that FOSS rust projects have a tendency to slow down or even stall due to the time cost of writing features, and the very small dev community available to pick up slack when original creators/maintainers drop off, burn out, or get too busy with life.

To be clear: I have nothing against rust. It’s a fantastic language filling in a crucial gap that’s existed for decades. However, it’s I’ll suited for app development, that’s just not it’s strength.

Why are you here if you’re just going to insult hobbyists in the community dedicated to hobbyists.

This isn’t the kind of vibe /c/selfhosted needs

Having Signal fill in gaps for what the OS should be protecting is just going to stretch Signal more than it already does. I would agree that if Signal can properly support that kind of protection on EVERY OS that its built for, go for it. But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

Damn reading literacy has gone downhill these days.

Please reread my post.

But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

1. OSs provide keyring features already
2. The framework signal uses (electron) has a built in API for this EXACT NEED

Cmon, you can do better than this, this is just embarrassing.

That’s all hinges on the assumption that your computer is pwned. Which is wrong

You don’t necessarily have to have privileged access to read files or exfiltrated information.

That point doesn’t matter anyways though because you’re completely ignoring the risk here. Please Google “Swiss cheese model”. Your comment is a classic example of non-security thinking… It’s the same comment made 100x in this thread with different words

Unless you can list out all possible risks and exploits which may affect this issue, then you are not capable of making judgement calls on the risk itself.

That’s not how this works.

This sort of “dismissive security through ignorance” is how we get so many damn security breaches these days.

I see this every day with software engineers, a group that you would think would be above the bar on security. Unfortunately a little bit of knowledge results in a mountain of confidence (see Dunning Kruger effect). They are just confident in bad choices instead.

“We don’t need to use encryption at rest because if the database is compromised we have bigger problems” really did a lot to protect the last few thousand companies from preventable data exfiltration that was in fact the largest problem they had.

Turns out that having read access to the underlying storage for the database doesn’t necessarily mean that the database and all of your internal systems are more compromised. It just means that the decision makers were making poor decisions based on a lack of risk modeling knowledge.

That said the real question I have for you here is:

Are you confident in your omniscience in that you can enumerate all risks and attack factors that can result in data being exfiltrated from a device?

If not, then why comment as if you are?

And there are ways to mitigate this attack (essentially the same as a AiTM or pass-the-cookie attacks, so look those up). Thus rendering your argument invalid.

Just because “something else might be insecure”, doesn’t in any way imply “everything else should also be insecure as well”.

That’s not how this works.

If the stored data from signal is encrypted and the keys are not protected than that is the security risk that can be mitigated using common tools that every operating system provides.

You’re defending signal from a point of ignorance. This is a textbook risk just waiting for a series of latent failures to allow leaks or access to your “private” messages.

There are many ways attackers can dump files without actually having privileged access to write to or read from memory. However, that’s a moot point as neither you nor I are capable of enumerating all potential attack vectors and risks. So instead of waiting for a known failure to happen because you are personally “confident” in your level of technological omnipotence, we should instead not be so blatantly arrogant and fill the hole waiting to be used.

Also this is a common problem with framework provided solutions:

https://www.electronjs.org/docs/latest/api/safe-storage

This is such a common problem that it has been abstracted into apis for most major desktop frameworks. And every major operating system provides a key ring like service for this purpose.

Because this is a common hole in your security model.