I dislike it. Usually I’d use packages from my Linux distribution. Or package it myself and maybe upstream the effort if my distro has a user repository. Now (this way) it’s down to everybody download random files from the internet and execute them. Specifically what every Linux tutorial instructs you not to do. Plus there’s no updates, no security, no version control or transparency. It’s not licensed in any free way, so I can’t fix it or adapt it to my liking, I can’t help you write better Python code…

But it’s your software project. You’re perfectly fine to do whatever you want with it. And it’s certainly commendable to write software, whether you do it for yourself, or put it out there in some way.

To give some perspective: BitTorrent was released in 2001. So in the 90s, you’d be looking at some precursor to that. And the first CD recorder to cost less than $1000 was sold in 1995. Before that, they’d cost something like a car.

We definitely shared and copied a lot of floppy disks back then. And music on tapes.

Shouldn’t the upgrade also update the bootloader’s default entry to a new kernel? The way I’ve been doing it was apt update && apt dist-upgrade. And then reboot once every 1 to 2 years if I feel like it, am bored, or there’s all these news articles about a severe bug in the kernel.

Syncthing or Nextcloud. There’s a bunch of Linux sync software: https://awesome-selfhosted.net/tags/file-transfer--synchronization.html

Traditionally, you’d just put it on a NFS volume and be done with it. Or make it a boring plain old independent laptop with nightly backups configured, if your users always work from the same machine and don’t like… switch to a different computer in the middle of a task.

I have a port forwarding without any tunnel to third parties and Wireguard.

@xoron@programming.dev Does the currently deployed version on chat.positive-intentions.com work? I tried to connect and try some more. But somehow it doesn’t ever connect. I’m following the procedure in the Youtube video. It reloads something on the page intermittently but never connects to the other browser.

And already after opening the page, it says: “My peer ID is: xy”
But then immediately “peer disconnected” and “peer closed: undefined”. Even before I do anything. Is it supposed to say that?

I tried several combinations of Chromium 147 and LibreWolf 150. And whatever Vanadium is on my phone. I tried phone-computer and two different browsers on the same computer. Is that an issue? Other PeerJS applications work just fine.

And does the QR scanner work? It opens the camera and scans the QR code just fine, but then reloads and doesn’t put any ID into the field?! So I guess that’s broken and I need to copy-paste it?

Edit: Your file demo seems to work better. It at least gets to the point where it tries to open a connection. For some reason it also fails (ICE failed, your TURN server appears to be broken, see about:webrtc for more details). But at least that demo gets far enough to listen to connections and try to initialize them.

Uh, sorry your code is a bit difficult to read. There seems to be one implementation in the ‘src’ directory, which is referenced in your ProVerif pi code. But then there’s another one(?) in the ‘signal-protocol-core’ directory which seems to be the one that’s actually built?

And how did you arrive at those proverif files? Do they come from your Rust code? How? And how do you make sure they relate to your code? I mean for all I know they could contain some correct design, while your code does something else… I’m not really an expert at this, but they seem (to me) just to appear in some commit but I don’t really get how it relates to the Rust code. Or how it came to be.

And then it’s a bit difficult to tell for me whether your Chat uses the cryptography code from the ‘cryptography’ repository. Or the one from the ‘signal-protocol’ repository. It seems to load both?! But your own AI security audit flagged a lot of issues with your ‘cryptography’ repository. I can’t tell if that’s still up-to-date information but there was some report with mostly exclamation marks and red crosses in it. And a recommendation not to do it this way.

While at it, I had a look at the browser’s developer console, and you have a lot of JavaScript warnings and errors there. Which I guess isn’t good?! And another sidenote: If I were you and developing a secure and private messenger, I’d skip all the requests to Google fonts, AWS, JSdelivr, third party JS CDN, analytics… It directly connects to Youtube and another analytics service which gets broad permissions. The infrastructure isn’t entirely controlled by you, for example the signalling server is the default free one. All of that isn’t great for privacy. Plus your content security policy has way too many asterisks in it with external domains and domains you control but there’s debugging stuff on there. And I don’t think you even put further restrictions on what JavaScript can be loaded or injected, other than the CSP?!

And the hax just traslates code and is supposed to do a bit of type-checking and see if your code generates things with the correct length. It doesn’t currently do any theorems or verification regarding cryptography, does it? I’m not sure where to look.

Sorry I’m not exactly a security researcher… Maybe my layman’s audit is shit… But I think there’s quite some stuff going on which pretty much renders any verification of a component irrelevant. I could be wrong though. But I’d still be interested to hear how the code relates to the ProVerif files, and what kind of assurance there is, they’re the same.

diving into cryptography we have formals proofs and verification we can use

Did you do formal proofs or verification? I had a quick look at the repos and I can’t find them.

It’s a broad topic. Everytime I see some new AI-coded project linked in the selfhosted community, it’s kinda shit… I had hallucinated installation instructions. Very overexagerrated claims of what it’s supposed to do… Sometimes it looks okay but some buttons don’t do anything and then I look at the code and everything is more of a stub. Some projects have ridiculous security issues like someone finds a master key buried in the code, and of course none of the “developers” ever noticed because noone ever had a look at the code…

You’re somewhere in the same territory. Maybe you’re the one who gets it applied properly. But once I’m going to notice the tell-tale signs of vibe-coding, I’m going to start looking at it with the prejudice that got shaped by my prior experience. And I tend to be right most of the times.

But with that said, I don’t think it’s healthy to have a war over it, ban people and yell at each other. Most I want is transparency. I think all software projects should just disclose if and how they use AI, to what extent. And the users can make up their mind.

And with cryptography code… Isn’t that a bit dangerous? From my own experience, AI models tend to learn a lot of example code and the standard documentation of libraries… Wikipedia articles and such… And then generate responses closer to that, than completely new thoughts… But(!) all these examples, tutorials and boilerplate code use a lot of shortcuts to explain it in simpler terms. Shortcuts that weaken security. And I wouldn’t be surprised if your AI is then going ahead to reproduce that, and casually forget about the steps to prepare the numbers and follow up on the next steps if that wasn’t ever in the Wikipedia example code. And I’ve seen a lot of wrong advice on StackOverflow and Reddit, so you better hope it also didn’t internalize that. There’s some fairly common myths about security or cryptography details out there. And I never know if your average Claude learned more from Reddit discussions, or from computer science technical literature… And you probably used Claude to skip reading the computer science books as well (and have a really close look at the code), or you probably would have just typed it down yourself. So I’d expect your software to be roughly as sound as newbie code, up to the average of projects that’s out there on GitHub, which your AI has probably learned from. Not any better than that.

The entire page is an advertisement for an AI tool that helped uncover it. Guess that’s the demonstration on how it augments a report.

I think there’s pros and cons to everything. That way would have been less of a dickhead move towards the Forgejo developers. But a big letdown to admins as they don’t know what’s up with the software they’re running on their servers. The way the author chose gives some new intelligence to admins, and they can now act on it, since it’s public knowledge. But it’s annoying to the devs.

I guess I as a Forgejo user am kinda greatful they did it this way. Now I got to learn the story and can allocate 2h on the weekend to see if my personal Forgejo container is isolated enough and whether the backups still work.

(But that’s just my opinion after reading one side of the story. Maybe there’s more to the story and they’re being a dick nonetheless…)

Edit: And regarding just dropping the security team an informal mail… I don’t know if that’s clever. You’d normally either follow some security policy, or don’t engage. Sending them other kinds of mails which violate their policy (an internal carrot) might not be the best choice.

Thx very much. That’s valuable info. I edited my comment and crossed it off my list of software to evaluate for future projects. I already got the vibe-coding and a bit of sketchiness by scrolling through the latest commits and issue tracker.

Thanks for pointing it out. Yeah it does. I just copy-pasted what I found and didn’t check.

Mint is based on Ubuntu. It’s not strictly tied to any Debian release channel?! There’s LMDE as well. That’s based on stable.

Yes. I’ve been somewhat lucky as well. Upgraded my homeserver to 48GB to run a few virtual machines and maxed out my old laptop well before prices skyrocketed. Got to check if I still pay the ~8€ a month for my netcup VPS or if they increased price for existing customers as well…

Sounds reasonable. Yeah, good luck. I’m sure you’ll figure it out. Unfortunately it’s always a bit difficult to diagnose problems over the internet, without typing in the commands and seeing the exact output. But there should be a way to make it work, F2FS is designed for something like this.

Did you read the Wiki? You need to either pass the compress_extension option when mounting it. The Arch Wiki lists how to enable compression on all text files. And I gave you the version with a ‘*’, which enables compression for all files. Or you do a chattr -R +c ... on specific files or directories to compress them. Maybe you missed that and that’s why it doesn’t compress?!

There’s probably also a way to debug it and somehow figure out what it does and how many files/sectors got compressed on the filesystem. Linux usually buries that kind of information somewhere in /sys or /proc, or there’s special commands to figure it out. But I’m not really an expert on it.

And there’s also files which just can not be compressed any further because they’re already compressed. Most images, for example. Or music or ZIP archives. If you try to compress those, they’ll usually stay the same size.

Was pretty much clear since last year. At the latest in December when they switched to “maintenance mode”. And now they archived it.

https://blog.vonng.com/en/db/minio-is-dead/

Alternatives include Garage, SeaweedFS (and RustFS).

Edit: RustFS looks very sketchy. Read object Object’s comment below before using it.

I haven’t tried it. But looks to me you need to add “compression” when formatting it. And then later when mounting, you’d add options like compress_algorithm=zstd,compress_extension=*

Remember to enable compression. Usually the Arch Wiki is a great resource to learn stuff: https://wiki.archlinux.org/title/F2FS

And don’t forget to back up your data if you’re messing around with your computer. One typo with the device names is enough to accidentally delete your harddrive.