Notices by lj·rk 🔜 #FOSDEM (ljrk@todon.eu), page 3

@Melissabeartrix It never really occured to me what trans is or what it does entail. Having a trans partner (my first partner) helper. Realizing I am trans did the rest. Uhhh

While #Ladybird is trending, keep in mind the devs are misogynist and transphobic fucks 0:-)

https://exquisite.social/@thomholwerda/112716764371132291

Like:

> This is a purely technical project. As such, it is not an appropriate arena to advertise your personal politics or religious beliefs. Any changes that appear ideologically motivated will be rejected.

(https://github.com/LadybirdBrowser/ladybird/blob/master/CONTRIBUTING.md#on-ideologically-motivated-changes)

Uhuh, so, using implicit "he" in technical documentation is so not-ideological and so technical/rational, but changing it to a neutral(!) term is not.

Or:

> In Ladybird, we treat human language as seriously as we do programming language.

... so you're enforcing some, like, standards of how you speak friendly with each other, right? Haha, no:

> The following applies to all user-facing strings, code, comments, and commit messages:
>
> * The official project language is American English with ISO 8601 dates and metric units.
> * Use proper spelling, grammar, and punctuation.
> * Write in an authoritative and technical tone.
>
> Everyone is encouraged to make use of tooling (spell checkers, etc) to make this easier.

(https://github.com/LadybirdBrowser/ladybird/blob/master/CONTRIBUTING.md#human-language-policy)

This is so friggin' toxic. But going to report every date where they use "2024-07-02" as date format and not the full version including timestamp and timezone as demanded by ISO 8601 /s

@HauntedOwlbear @thomholwerda Jup.

@mattdm @mcc Unfortunately `-n` doesn't seem to be race-free though :/

https://unix.stackexchange.com/questions/248544/mv-move-file-only-if-destination-does-not-exist/248547?noredirect=1#comment428238_248547

With that in mind (if still true), I don't see any worth in a `-n` flag (invoking the "it's not UNIX" meme here :D). Then again, while there are many very bad options added by the GNU project if you ask me (GNU/tar's --checkpoint-action flag springs to mind), but this'd be a really useful flag in principle.

@mcc @mattdm

We had such an intense discussion about #FediBlock'ing #Threads and #FediPact... and in the end the problem just solved itself lol. We could've thunk that beforehand tbqh.
https://social.wake.st/@liaizon/112689839172827974

@anneroth Aber bitte nur, wenn's nicht strafrechtlich relevant ist (was ja mittlerweile recht viel sein dürfte, "Unterstützen von Terrorismus" undso). Das föderierte System von Matrix bedeutet eben auch, dass Nachrichten auf deutlich mehr Systemen liegen als nötig, schwer (rechtzeitig) gelöscht werden können und es mehr Ansatzpunkte gibt für Cops einzudringen. Und es gab zu viele Probleme in der Crypto als mir lieb ist.

Ich nutze Matrix auch gerne als Discord/Slack/Mattermost/Teams Ersatz zum organisieren von großen Gruppen. Aber Aktionen von LG o.Ä. sollten nicht via Matrix koordiniert werden.

@lisamelton @fahrni @kdawson To add: It would make exchanging patches with other WebKit based projects virtually impossible.

Things one *may* consider is to write new components in Swift or use something like SwiftUI for the interface. Things that are *relatively* easy to iterate on and where Apple has full control and can move fast.

In addition, one can try to tighten the knobs on any C++ code base, enforce a more restricted set of C++ that tries to prevent certain classes of bugs. Changes themselves can be applied on the whole code base using e.g., Coqinelle but must be carefully reviewed and tested each time for regressions. Even that will be a huge undertaking. And I bet Apple already has done quite some measures to ensure a high quality code base here.

(The only reasons for me not to use Safari on macOS are a) no uBlock Origin for not even that bad reasons but the alternatives don't really cut it for me, and b) no tab groups.)

@lisamelton Anything else would be a bad omission, you rock! <3

@jpaulgibson @lisamelton To the contrary, keep 'em coming, we need more visibility and I don't know them all. There are soooo many!

@clacke @hankg @lisamelton You just described my CS dept. :(

Lynn developed "generalized dynamic instruction dispatch" for IBM in 1966. 2 years later she was kicked out, just after Robert Tomasulo published the "Tomasulo Algorithm" for out-of-order execution of floating point instructions, utilizing Lynn's work. Everyone knows Tomasulo (and he did great work, mind you!), but no-one knows Lynn.

Later, in technical compsci, you may stumble upon highly integrated circuits, everyone there knows #VLSI, but not the inventor, our dear Dr. Conway.

Her story, her struggle against IBM who took decades to apologize to her for her mistreatment. She transitioned in darker times and pioneered not "only" in compsci. She was what many would call "greater than life". She died a few days ago.

Today, let's remember Lynn 🏳️⚧️, tomorrow we'll fight on ✊

2/2

My #CompSci lecturers often dropped the names of inventors. But only if they were men. We talked about Gordon Moore, obviously Turing 🏳️🌈 was mentioned, about Don Knuth, about Chomsky etc.

But when we discussed the #ARM architecture, we never talked about the inventor *Sophie Wilson*. We also never talked about *Mary Ann Horton*, despite her work on `vi` and `terminfo` -- but of course we mentioned Bill Joy. We discussed the Spanning Tree Protocol, but not its inventor *Radia Perlman*. We have the whole field of #SoftwareEngineering, but who coined the term? *Margaret Hamilton*. We mentioned the ENIAC and v. Neumann, but failed to talk about *Adele Goldstine*. We discussed the origins of #OOP and #Smalltalk but ignored *Adele Goldberg*. We programmed in #Assembly but never talked about the woman who wrote the first #Assembler, *Kathleen Booth*. And don't get me started on #Safari and our sweet @lisamelton <3 Or any of the (incomplete list) of *Ida Rhodes, Carol Shaw, Shafi Goldwasser, Edith Clarke, Annie Easley, Joyce Little*, ...

And today? Let's talk about our favorite trans woman CPU designer, Lynn Conway.

1/2

@lea Im gleichen Beitrag auch noch:

> Nemo möchte als Clownfisch wahrgenommen werden, nonbinär, klar. Und bald er auch noch die Schwerkraftgesetze für ungültig. Er ist ein junger Kerl, der eine ziemlich gute Nummer abliefert.

@tazgetroete halt weiterhin konsequent transphob.

@GossiTheDog @faebudo Every user will look at this and ask: And why is this a bad thing? If users are in the fear of getting locked out because their phone broke, no one will use the tech. And tbf, that's nothing I'd do either.

The good thing is that with E2E something can be stored securely in the cloud. Enrolling a new device only works if you know the password your wallet key is derived from + have the login data for your Google/iCloud/whatever account. Or at least a recovery contact has that.

@GossiTheDog @faebudo I'd still argue that this is the same for any synced Password managers and has virtually nothing to do with the Passkeys. If Apple implements their own SSH Key Manager, this doesn't make SSH Keys a bad authentication system.

Regardless, I tried looking into this and I cannot find any source that this actually works. AFAIK you can download the encrypted wallet and effectively bypass LoginAuthToken in the above scheme using SMS, but you still need to somehow decrypt the sk, which is encrypted using a key derived from a password. I don't see how this works with SMS reset and didn't manage to make it work either.

@faebudo @GossiTheDog The encrypted private key, AFAIK. So basically random data (good encryption = indistinguishable from random data).

@faebudo @GossiTheDog Typically you do something more or less resembling the following.

k_sk <- KDF(pass)
pk,sk <- GenKeyPair()
esk <- Enc(k_sk, sk)

The esk is uploaded, not the k_sk or sk.

@faebudo @GossiTheDog No, this is nothing about Passkeys, this is how password managers usually generate an encryption key for the wallet. None of the keys above is a Passkey.

Making this more clear, given all Passkeys and other data in the keychain kc, the following happens to upload it to the cloud:

ekc <- Enc(pk, kc)

The bundle of (ekc, esk) is uploaded to the cloud. When enrolling a new device, the user gives their master password and thus:

(ekc, esk) <- Download(LoginAuthToken)
k_sk <- KDF(pass)
esk <- Dec(k_sk, esk)
kc <- Dec(sk, ekc)

You have:

1. a password (never leaves the device)
2. a derived secret encryption key (never leaves device)
3. a randomly generated encryption keypair (pk,sk) (may be symmetric actually, fuzzy on the details right now), never leaves the device (in unencrypted fashion)
4. the keychain itself (never leaves the device in unencrypted fashion)
5. the keychain encryption with the generated key (yes, synched)
6. the keychain encryption keypair/key, itself encrypted with the derived secret (yes, synced)

Only encrypted data (= indistinguishable from random data) is uploaded.

And yes, this is phishing resistant and secure. This is how every proper synched password manager has operated for a long time.

1/2