GNU social JP
GNU social JP is a Japanese GNU social server.

Notices by Olivier Forget (teleclimber@social.tchncs.de)

  1. Olivier Forget (teleclimber@social.tchncs.de)'s status on Wednesday, 26-Mar-2025 06:17:03 JST

    Uh, is it normal for an automated #security scanner to be unaware of #debian patched packages?

    Like how OpenSSH 9.2p1 is vulnerable to CVE-2023-38408 but the Debian version 1:9.2p1-2+deb12u5 is patched. But the security scanner sees the "9.2p1" string and sounds the alarm.

    https://security-tracker.debian.org/tracker/CVE-2023-38408

    Is this a common problem for people running Debian servers?

    In conversation about 2 months ago from social.tchncs.de permalink
  2. Olivier Forget (teleclimber@social.tchncs.de)'s status on Wednesday, 22-Jan-2025 03:47:54 JST

    Given the way things have been going in the US, the work I put into #Dropserver feels more important today than it was two days ago.

    Americans must have agency over their interactions on the internet. https://dropserver.org is unfinished, imperfect and limited in scope, but it's my part in resisting.

    In conversation about 4 months ago from social.tchncs.de permalink

  3. Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 17-Jan-2025 08:11:17 JST

    @bentsai It's amazing that we went from being excited for apps to do more with our phones to apps that help us do less.

    Now I just need to find an equivalent for Android!

    In conversation about 4 months ago from social.tchncs.de permalink
  4. Olivier Forget (teleclimber@social.tchncs.de)'s status on Thursday, 16-Jan-2025 13:35:46 JST
    in reply to
    • alcinnz

    @alcinnz so true about tech ideas too. People having ideas is great, demanding a commission for the idea is BS.

    In conversation about 4 months ago from social.tchncs.de permalink
  5. Olivier Forget (teleclimber@social.tchncs.de)'s status on Tuesday, 14-Jan-2025 03:49:15 JST
    • Anton Zhiyanov

    Oohh Go 1.24 brings os.Root, which allows you to open a directory and present its contents using the FS (filesystem) interface. It prevents access to files outside the root, meaning malicious/erroneous code will not be able to operate on parts of the filesystem that they should not be touching.

    So it's a little sandboxing feature in Go's standard lib. Nice!

    Official announcement: https://tip.golang.org/doc/go1.24

    https://pkg.go.dev/os@master#Root

    via @antonz:

    https://c.im/@antonz/113820837861807347

    In conversation about 4 months ago from social.tchncs.de permalink

  6. Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 10-Jan-2025 05:34:43 JST

    🎉 I got my Framework in late December 2021. It was a bit of a gamble at the time still, but I'm glad the company is still here and kicking.

    Here's to many more years!

    https://fosstodon.org/@frameworkcomputer/113799865563226716

    PS: my laptop is still going great.

    In conversation about 4 months ago from social.tchncs.de permalink
  7. Olivier Forget (teleclimber@social.tchncs.de)'s status on Thursday, 09-Jan-2025 06:21:23 JST

    Quick recap of my work on #Dropserver in 2024:

    https://olivierforget.net/blog/2025/dropserver-progress-december-2024/

    #selfhosting #foss

    In conversation about 4 months ago from social.tchncs.de permalink
  8. Olivier Forget (teleclimber@social.tchncs.de)'s status on Saturday, 04-Jan-2025 03:56:24 JST

    From this great post on #sqlite https://avi.im/blag/2024/sqlite-facts/ I learned (or re-learned?) that the test suite for sqlite is proprietary. This has some implications:

    - You can't properly fork sqlite without buying the test suite, making community forks unlikely to survive
    - What happens when the company Hwaci goes under / gets bought / whatever? Hipp and Wyrick aren't getting any younger.

    I sure hope there is a plan to push all test and supporting code to a foundation when the time comes.

    In conversation about 5 months ago from social.tchncs.de permalink

  9. Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 03-Jan-2025 02:32:58 JST

    So Affinity Photo is making all kinds of requests from the Macs it's installed on. Don't know why it does that, but it's not good.

    On the Mac sandbox the ability to make client requests is a boolean: all or nothing. Since most apps like to connect to get additional resources/whatever, it's usually on, right? As a result: zero protection against this.

    https://mastodon.ar.al/@aral/113759435866651420

    This is why I've been putting so much thought into outgoing net requests for #Dropserver. It's hard to get right.

    1/

    In conversation about 5 months ago from social.tchncs.de permalink
  10. Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 03-Jan-2025 02:32:57 JST
    in reply to

    While there are technical challenges related to the sandbox, especially when dealing with different platforms (like Mac and Linux) the real challenge is having a good enough DX (for the app dev) and UX (for the app user) to allow/deny requests.

    At the very least, an app should not be able to dial out willy nilly to a bunch of random domains. Also, it should be blocked from dialing out to local / private IPs unless explicitly allowed.

    2/2

    In conversation about 5 months ago from social.tchncs.de permalink

  11. Olivier Forget (teleclimber@social.tchncs.de)'s status on Thursday, 02-Jan-2025 07:20:54 JST

    Blog post: my thoughts on depending on third-party commercial services to help with home-hosting / self-hosting.

    https://olivierforget.net/blog/2025/self-hosting-third-party-services/

    I try to distill the characteristics of services that don't defeat the purpose of home-hosting. I'm convinced broad use of home servers won't happen without the help of external services, so it's good to think about what makes them good/bad.

    #selfhosting

    In conversation about 5 months ago from social.tchncs.de permalink
  12. Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 20-Dec-2024 11:17:59 JST

    Nice. A video explaining how to use an old PC to create a basic home server... using #Windows instead of going down the prickly path of getting Linux on it first.

    This is the way. Go to where the people are. And they are on Mac and Win.

    https://m.youtube.com/watch?v=zPmqbtKwtgw

    #selfhosting

    In conversation about 5 months ago from social.tchncs.de permalink
  13. Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 20-Dec-2024 08:11:16 JST
    in reply to
    • Julia Evans

    @b0rk Back in 2006ish a friend sent me a book called "Building websites with PHP4 and MySQL" (or something along those lines). And I started building. I didn't have a job so I built something that a friend needed. I learned things along the way, like proper indexing of DB tables, etc... It's always felt hard, and it's still hard, but sticking to the most mainstream technologies and not getting lured by shiny objects is a sure way to make things easier.

    In conversation about 5 months ago from social.tchncs.de permalink
  14. Olivier Forget (teleclimber@social.tchncs.de)'s status on Sunday, 15-Dec-2024 11:28:51 JST
    • Chris Fallin

    I am really interested in https://porffor.dev/ ! Direct compilation of JS -> WASM opens up a lot of possibilities. It turns out there are several efforts on this front:

    - Hermes (by fb) https://github.com/facebook/hermes
    - @cfallin is blogging through his work: https://cfallin.org/blog/2024/08/27/aot-js/
    - JAWSM https://github.com/drogus/jawsm

    There may even be others. I'll admit I didn't have this on my JavaScript bingo card.

    In conversation about 5 months ago from social.tchncs.de permalink

  15. Olivier Forget (teleclimber@social.tchncs.de)'s status on Saturday, 14-Dec-2024 03:53:09 JST
    in reply to
    • Scott Jenson
    • happyborg

    @scottjenson @happyborg There are also other things that fall under the badly named "AI" term that are not generative but just as useful. Things like facial recognition are incredibly useful for one's photo gallery, in addition to object recognition, but it should all run locally (and it already does, but more efficient/faster/better would be better).

    In conversation about 5 months ago from social.tchncs.de permalink
  16. Olivier Forget (teleclimber@social.tchncs.de)'s status on Friday, 13-Dec-2024 07:28:23 JST
    • Filippo Valsorda :go:

    FYI #Github #Dependabot flags that #Go crypto #vulnerability in your project even if you aren't affected. It checks if you import the package, not if you actually use the affected functions. govulncheck does it correctly.

    Lucky for me that means I don't have to change anything in my project.

    Thanks to @filippo

    In conversation about 5 months ago from social.tchncs.de permalink

    Attachments


    1. https://f2.tchncs.de/media_attachments/files/113/642/153/263/003/682/original/d8e75a93f47a8208.png

    2. https://f2.tchncs.de/media_attachments/files/113/642/153/239/018/211/original/f6b311c4e4b6ed37.png
  17. Olivier Forget (teleclimber@social.tchncs.de)'s status on Monday, 09-Dec-2024 13:55:09 JST
    in reply to
    • alcinnz

    @alcinnz what are you programming in? I find that with strong types and good practices (like using enums instead of string values) and of course an IDE hooked up to a good language model it's actually hard to make a typo.

    In fact it's hard to make a typo when you don't type! With auto complete based on symbols that fit the type, I rarely write more than the first few chars of a var or function name.

    (In my case Go + vscode achieve the above)

    In conversation about 5 months ago from social.tchncs.de permalink
  18. Olivier Forget (teleclimber@social.tchncs.de)'s status on Wednesday, 20-Nov-2024 10:40:51 JST

    PSA: "private" can mean different things in different contexts:

    https://www.linode.com/community/questions/11484/top-tip-the-linode-private-networkip-is-not-private-at-all

    private can mean:
    - not fully public
    - fully safeguards you against *every* other peer

    In conversation about 6 months ago from social.tchncs.de permalink
  19. Olivier Forget (teleclimber@social.tchncs.de)'s status on Tuesday, 19-Nov-2024 02:26:27 JST
    in reply to
    • Baldur Bjarnason
    • Julia Evans

    @b0rk FYI @baldur has a book/course that is all about building frontends in a modern way and without build tools. Import maps play a big role in it.

    https://www.baldurbjarnason.com/courses/uncluttered/

    (Unfortunately looks like it's not for sale anymore?)

    In conversation about 6 months ago from social.tchncs.de permalink
  20. Olivier Forget (teleclimber@social.tchncs.de)'s status on Sunday, 17-Nov-2024 07:26:00 JST
    • Tailscale

    From "The New Internet" on @tailscale's blog:

    https://tailscale.com/blog/new-internet

    "...and today you have or don’t have a TLS cert, tomorrow you’ll have or not have Tailscale"

    But a browser's Secure Context[1] depends on TLS. Any thoughts on pushing for change there? Can WireGuard be an alternative for TLS and get a secure context?

    [1] https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

    In conversation about 6 months ago from social.tchncs.de permalink

    Olivier Forget

    Seeking refuge in a distributed world. Web, future programming. Full stack dilettante. Building https://dropserver.org

          GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.