@kate Looks like they're desperate for funds. It is alarming, and we should support ff somehow.
If ff fails, the web will remain chromium-only (except maybe caves of gemini). That would leave google alone to set all the rules. Somewhat doomsday scenario. So don't be too picky and keep supporting ff. If they fail in funding, we all will get ads in chromium address bar or something worse.

@dudenas @kate As far as I'm concerned Google is already setting all the rules!

I wish Mozilla the best of luck in holding this back as long as possible, but unfortunately they find themselves having to make these compromises. I don't think they can do what it takes to save the web without losing what influence they still have...

@alcinnz @kate I still think their influence depends on our attitude. In this case to ads. If they are opt-in, we could just opt-in. I have no problem getting to know relevant businesses - most of info on the web is irrelevant anyway. If that could be done without tracking (e.g. subscribing to keywords) I'd probably prefer that instead of micropayments and instead of google's monopoly of course.

@dudenas

> relevant corporations

see, I tend to see this as an oxymoron when I can imagine a world where people "promote" community/co-op/independent/etc solutions wildly to crowd big corporate advertisers out of everyone's mind space in the exact same way they currently buy ads everywhere and crowd "us" out.

I understand that wasn't the point of your message and you just meant "we should find whatever methods to fund mozilla". but.

@dudenas

my thoughts are like this:
if mozilla was promoting an awesome service browser users would love to use, that's one thing.

but when mozilla is featuring /Nike/ how on earth is that relevant to me. it's not.

@alcinnz @kate

Another thing - open source software, especially as crucial as ff, can be clearly classified as public good. It is weird how there is no political will to appreciate and fund it. At least in countries I see. Is it because there is no demand from voters? Maybe there is demand, but not yet articulated?

@dudenas
Most people don't know or care. I'm always surprised when people recognise Ubuntu or Firefox. They know brands, not the political philosophy of FLOSS. When people do know, it's been because of social interactions with people in FLOSS. Sometimes the impression hasn't been positive for them. We have a collective responsibility for this if we want to inform people about FLOSS and how it benefits the public.
@alcinnz @kate

@dudenas
Movements take time, especially when it's across a spectrum of different ideas of what software freedom is about. It's only when we can align our goals broadly that there's momentum to push for change.
@alcinnz @kate

@onepict @dudenas @alcinnz @kate

Ha, I was just about to mention @yogthos and their toot to the EU article abopen.com/news/european-commi

Good news indeed, and let's hope some very positive developments flow from here.

@humanetech
Yeah great minds think alike, or fools 😉. Although I think the movement for a common good would be supported by citizens generally. But it does rely on grass roots as much as the media, and politicians. Social contact is the best way to counter. Folks always yearn for community.
@dudenas @alcinnz @kate @yogthos

@onepict ha ha. Yes, community is crucial, and I think we can improve much further still in representing them online, especially on the fediverse. There's big interest in the 'common good' and grassroots movements small and large are everywhere. With the right mindset you stumble upon tons of positive development. But all is very fragmented and reinventing wheels. Also 'communities of action' where actual stuff happens, are much harder to establish and foster.

@dudenas @alcinnz @kate @yogthos

@dudenas @alcinnz @kate
Now as much as I'm skeptical about change happening from the outside, the news that @webmink and Amanda Brock of Open UK will be on the Open Standards board in the UK is a good start. gov.uk/government/groups/open-. We need to work together to influence all levels of society. From local governments to parliaments. I hope this is the start of more FLOSS in our public services.

@onepict @dudenas @alcinnz @kate
I've been testing the use of the word SOSS or secure open source software. The "free" in FOSS always has to be explained. Also everyone is now inundated with news of security breaches every so "Secure" resonates.

@jpaul
I do quite like the concept of libre myself, as free can mean different things. I'm a bit wary of the term secure as yes we do have security in the concept and many eyes can help with that. However the term can be misused as much by FLOSS projects as by proprietary players in the industry. So I'd be a bit worried when we had the next heartbleed etc. Although it is an interesting concept as a term.
@dudenas @alcinnz @kate

@onepict @dudenas @alcinnz @kate People flock to brandname software. Chrome isn’t better than FF, but it’s from Google which people perceive as better/cooler/hipper.

Or they’re looking for a free clone of some proprietary software, and they aren’t willing to put up with any shortcomings, perceived or otherwise.

@dudenas @kate Agreed!

Personally I'm interested in exploring/demonstrating an alternative future for the web which doesn't require near as much effort & funding... That's what I see as what Mozilla can't do without losing their influence...

uspol; California and socialising FOSS 

@dudenas

> Maybe there is demand, but not yet articulated?

I think this may be some kind of artefact of america being where a big portion of internet companies are located but also incredibly averse to advancing any bills to publicly fund anything

mozilla is out of California, and although it's a very 'blue' state it's also swarming with all the startups that swoop in to solve problems when no american in general feels like government programs could pass

> It is weird how there is no political will to appreciate and fund it. At least in countries I see. Is it because there is no demand from voters? Maybe there is demand, but not yet articulated?

I tried to do my bit by emailing the tech spokespeople in NZ political parties a link to Nadia Eghbal's 'Roads and Bridges' report, with a bit of contextualizing comment about why it's important they read it.

fordfoundation.org/media/2976/

@dudenas @alcinnz @kate @onepict @humanetech

#NadiaEghbal #funding

@strypey @dudenas @alcinnz @kate @onepict @humanetech

Except that roads and bridges are not exactly virtual or electronic infrastructure, just to add to the confusion.. Tell a politician about virtualization and they immediately think about money.

@strypey @dudenas @alcinnz @kate @onepict @humanetech
@aral
Perhaps the Common Browser proposal should open with the line: The Common Browser Programme is not about money.

@strypey @dudenas @alcinnz @kate @onepict @humanetech @aral

So far just the idea has been floated, but apparently the need for it will become real. I would be very interested in this, also as an antidote to those who claim that open source is automagically commons, because most of the open sources have not been created by commoners. (see en.wikipedia.org/wiki/Elinor_O )

@gert @strypey @dudenas @alcinnz @kate @onepict @aral

Slightly OT.. I saw that Drew Devault started working on visurf, based on NetSurf and intends to create a HTML + CSS framework specifically targeted to smaller browsers as 1st-class citizens.

drewdevault.com/2021/09/11/vis

@humanetech @strypey @dudenas @alcinnz @kate @onepict @aral

There are many flaws that come to mind, but the "security" model of the browser with its central authority and the resulting bureaucracy is totally ridiculous IMO.

@humanetech @gert @strypey @dudenas @alcinnz @kate @onepict Sadly, without client-side (you know, the side YOU control) JavaScript, it can’t be used to implement small web sites (how are you going to ensure your keys are held only by you?) The problem is trusting servers. Client-side JS that you own and control, if you can verify the source, isn’t the problem, it’s actually the solution to protecting your privacy on the web.

@aral @humanetech @gert @strypey @dudenas @alcinnz @kate @onepict

The key point here is ”if you can verify the source”. This is in practice impossible, and JS is executed as the page loads. We can’t expect people to inspect the source code of every page before rendering.

I don’t see why JS is needed to implement small sites. I only use it for warmedal.se/~wobbly/ and even then only for a nicer UX. It could as well have been an ordinary web form.

@tinyrabbit @humanetech @gert @strypey @dudenas @alcinnz @kate @onepict It is not impossible, it’s just not possible within the confines of current browsers. Entirely possible via an extension or third-party app, etc.

We need it for Small Web (small-tech.org/research-and-de) because there’s no other way for you to own your own keys or ensure that your content is end-to-end encrypted.

@aral
Hm, it may make sense as a longshot. But almost nobody can perform security audit on their own. That means, you need to trust someone's agency. As I think of it, a perfect model would be the one, where I could choose my agent I trust to verify content for me.

On client side, probably most antivirus software claim to audit web content.. But I admit, I usually consider them more annoying than most viruses.

@tinyrabbit @humanetech @gert @strypey @alcinnz @kate @onepict

@dudenas @tinyrabbit @humanetech @gert @strypey @alcinnz @kate @onepict Well, there’s verification and there’s verification. I’m not talking about source code audit but at least verifying that the signature of the file matches what the organisation you trust says it should be. Beyond that, yes, a bigger issue is having trusted agents that actually perform things like source code audits.

@aral @dudenas @humanetech @gert @strypey @alcinnz @kate @onepict

So which companies should I trust? How do I decide? What about vanilla JS in <script> tags? Small unknown libs?

I don’t trust React, Angular or a dozen other equally bloated libs no matter which CDN offers them. I don’t think we can build a trust system that can provide any security or trust in a meaningful definition of those words.

1/2

@aral @dudenas @humanetech @gert @strypey @alcinnz @kate @onepict

If you want trustworthy e2ee then NO javascript is the way to go. But in practice we decide a vendor we trust with it, like Signal or Telegram, or we might use GPG.

I really don’t see how the client has any meaningful control over a client side script other than deciding whether it should be executed or not.

@tinyrabbit @aral @dudenas @humanetech @strypey @alcinnz @kate @onepict

> I don’t think we can build a trust system that can provide any security or trust in a meaningful definition of those words.

Perhaps not, but communities can.

@tinyrabbit

You trust who you choose to trust.
That's basically what Free Software is about.
If you trust no one, you audit the source code yourself.

@aral @dudenas @humanetech @gert @strypey @alcinnz @kate @onepict

@Iutech @aral @dudenas @humanetech @gert @strypey @alcinnz @kate @onepict

I'm sorry, but this is pretty naive.

As I said, JS is executed in the browser before I've decided whether I trust it or not. Let's say I have a plugin where I allowlist sources. How do you suggest I keep that updated with all the hundreds of frameworks that pop up every day? And how do I deal with vanilla JS? Trust or not?

It makes more sense to block JS and only enable it on *sites* I trust. Not JS sources I trust.

@tinyrabbit

We need JS code signatures and signature verification (I believe that's what @aral was talking about).
Obviously that imposes constraints (like each update to the javascript code of a website would require re-signing it) but it's not impossible, and these constraints are reasonable for security-minded people.

@dudenas @humanetech @gert @strypey @alcinnz @kate @onepict

@Iutech @aral @dudenas @humanetech @gert @strypey @alcinnz @kate @onepict

But any JS library will allow devs to do whatever JS is capable of doing, which is a lot. There's no guarantee that evilcorp.com uses the latest version of React in an ethical and -- to me -- secure way even if the source and signature check out.

@Iutech @aral @dudenas @humanetech @gert @strypey @alcinnz @kate @onepict

Sorry, we may be talking about different things. Let's say I trust goodsite.org to run JS, and they import Angular. Then of course I want to be certain that the file imported is the actual Angular source that they intend to run, and not something malicious inserted in a supply chain attack.

I just realised that's probably what you mean, in which case we're in full agreement 😆
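Added example, not part of the thread or written by any participant: the check described in the post above (that an imported library file is byte-for-byte the one the site intends to run) sketched in the style of browser Subresource Integrity values. The sample library bytes are constructed, and failing closed on an empty or unrecognised integrity value is an assumption of this sketch that is stricter than browser behaviour.

```javascript
// Added example (not from the thread): SRI-style pinning of a script's bytes.
const nodeCrypto = require("node:crypto");

// Digest algorithms SRI recognises, ranked weakest to strongest.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// Build an integrity value ("sha384-<base64 digest>") for a script body.
function sriDigest(body, alg = "sha384") {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest("base64")}`;
}

// Parse a space-separated integrity value, dropping unknown algorithms.
function parseIntegrity(value) {
  const entries = [];
  for (const token of value.trim().split(/\s+/)) {
    const expr = token.split("?")[0]; // ignore any "?options" suffix
    const dash = expr.indexOf("-");
    if (dash <= 0) continue;
    const alg = expr.slice(0, dash);
    const digest = expr.slice(dash + 1);
    if (STRENGTH.has(alg) && digest) entries.push({ alg, digest });
  }
  return entries;
}

// True only if the body matches a pinned digest of the strongest listed
// algorithm. Assumption: this checker fails closed when nothing usable is
// pinned, which is stricter than a browser given an empty integrity value.
function verifyScript(body, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => STRENGTH.get(e.alg)));
  return entries
    .filter((e) => STRENGTH.get(e.alg) === best)
    .some((e) => {
      const actual = nodeCrypto.createHash(e.alg).update(body).digest();
      const want = Buffer.from(e.digest, "base64");
      return want.length === actual.length &&
        nodeCrypto.timingSafeEqual(actual, want);
    });
}

// Constructed sample: the library a site intends to ship, and a modified copy.
const intendedLib = Buffer.from("export const version = '1.0.0';\n");
const modifiedLib = Buffer.from("export const version = '1.0.0'; /* changed */\n");
const pinned = sriDigest(intendedLib);

console.log(verifyScript(intendedLib, pinned), verifyScript(modifiedLib, pinned));
```

A matching digest only shows the bytes are the ones that were pinned; it says nothing about what the including site does with the library.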

@Iutech @tinyrabbit @aral @dudenas @humanetech @gert @strypey @alcinnz @kate @onepict I think the ship has sailed with respect to trusted code. The only solution is to not trust any code, and just isolate everything. It's the kind of pragmatic approach taken by Qubes OS.

Even if there was a practical way to only run trusted code, that code could still have bugs which lead to security issues. Letting the code run in isolated containers neatly deals with this issue, at the expense of making intra-container communication more cumbersome (as any Qubes user will know)

@loke @Iutech @tinyrabbit @aral @dudenas @humanetech @gert @strypey @kate @onepict

I used to take that "the ship has sailed" stance... Now I think there's additional reasons to see about walking it back...

@aral @tinyrabbit @humanetech @strypey @dudenas @alcinnz @kate @onepict

Although many think SSH is also flawed, it needs neither central nor decentral authority. (ducking under the table)

@humanetech Relatedly I'm actively preparing to start implementing my own visual web browser (first targeting TVs & eReaders). I've already got auditory working very nicely!

I like targeting unusual human interface devices, provides me interesting constraints to keep me disciplined...

@gert @strypey @dudenas @kate @onepict @aral

@alcinnz

Super great to hear! I greatly admire your efforts.

Besides constraining you to appropriate scope, I think these are wonderful places to start as on these more locked-in devices our agency is taken away in ways that are harder to overcome.

I pray every day to 6,000 gods that my dumb TV does not break down, and I have to go in search of another 2nd-hand model that is not an ad-infested surveillance capitalism nightmare.

@gert @strypey @dudenas @kate @onepict @aral

@humanetech @gert @strypey @dudenas @kate @onepict @aral The other aspect especially when it comes to TVs is the question of what entertainment we can still enjoy outside of those "modern" devices...

Of course there's "piracy"...

@alcinnz

YESS! DRM-free and the kinds of non-corporate quality and often personal content that the 'modern web' makes harder and harder for us to find :)

@gert @strypey @dudenas @kate @onepict @aral

@humanetech @gert @strypey @dudenas @alcinnz @kate @onepict @aral In any new browser I'd like to see support for p2p browser to browser communications. Similar to Beaker. That kind of approach might be the only way to break out from the currently quite centralised web.

@gert @dudenas
> Except that roads and bridges are not exactly virtual or electronic infrastructure

Eghbal's report uses physical infrastructure as a metaphor for digital infrastructure, as a way to work around the limited tech knowledge of political and financial decision-makers. I haven't read the whole thing yet but I read enough to think the strategy is worth a try.

@alcinnz @kate @onepict @humanetech

@dudenas @alcinnz @kate Simplistically, government funded FOSS software would impede capitalism, and people are perfectly content with freeware like Google Chrome.

FOSS is not something regular people care about or understand. They get stuff “for free” from MS, Google, FB, etc., and they are happy.

@jollyrogue @alcinnz @kate same way as public transport, schools and medicine also 'impede' private competitors.
But of course, the lack of public understanding is obvious.

@dudenas @alcinnz @kate Yes. 😂

People forget once an efficient solution is found, it’s supposed to be socialized and become part of the general pool of knowledge.

Information should be free, but people want to make it expensive. To adjust a quote.

@jollyrogue @dudenas @alcinnz @kate Impede capitalism I doubt. Capitalism practically runs on government-funded research.

@n8chz @dudenas @alcinnz @kate Indeed. 🙂 We wouldn’t be anywhere without taxpayer funded research or FOSS. Plundering the commons is not part of the narrative though.

The real story is capitalism doesn’t work without socialism.

@dudenas @alcinnz @kate Knowledge as commons is the only antidote to cargo cult. Curiosity is not a crime. Reverse engineering is not a crime. #pubwan

tilde.zone

masto instance for the tildeverse