🌈 A. Wilcox delicately @awilfox

Every time you write code that requires Chrome or CEF or Electron, just remember: you are giving Google control over you and your users.

You are letting them dictate what you can and cannot do. You are letting them view your users' potentially private activities (URLs are always sent to Google without Debian's patch set).

You are becoming a part of their toxic culture, their neocapitalism.

Remember that.


@sorin Chromium Embedded Framework. Spotify and Slack are the two biggest Linux apps I can think of that use it.

@awilfox @sorin Do you know why Firefox is not supporting such apps? (not anymore after they ditched FirefoxOs)

@djoerd @awilfox @sorin This annoys me to no end! They did have something like that for a while some years ago, but then stopped. Electron is increasingly popular, and that's great for Linux because we get apps we never would've gotten otherwise. But why doesn't Mozilla make an alternative? They have to see the potential! Instead they make screenshot tools and the millionth way to send files over the internet...

@forteller @djoerd @awilfox Don't really see what they could offer to compete with Electron.

@forteller @djoerd @awilfox Electron is made by Github. There is also Muon which is a fork maintained by Brave.

@awilfox

> URLs are always sent to Google without Debian's patch set

wh... what?

@rrix @awilfox discord, and atom, and visual studio code as well

@awilfox

> URLs are always sent to Google without Debian's patch set

does this mean what I suspect it does?! o_o

@awilfox
Without Electron, I wouldn't have many productivity apps like Slack, Remember the Milk and so on on Linux.

@mdfrg there's two ways I can go here

The first is: Yes you would, they'd just be written in a better framework that is not controlled, owned by, and monetised by Google

The other is: Then maybe those apps aren't worth using.

@awilfox @mdfrg I definitely vote for "not worth using." They offer precious little enhanced usability over a console app for IRC, yet consume upwards of 1.5GB of memory just to have two channels open. Insanity. But, hey, the web is the future!

(grumbles something about my lawn and kids these days.)

@mdfrg @awilfox By "they" I meant "Slack". Apologies for the confusing sentence.

@vertigo @awilfox @mdfrg Slack even has a built-in IRC gateway

People who insist on using the app can do so, those of us who care about good software can use the gateway with our IRC client of choice

@troubleMoney @vertigo @awilfox does an IRC client have message archive sync with search and a built-in file sharing tool?

@mdfrg @vertigo @awilfox It's a chat application

Anything you definitely need to archive should be done through email, anything else will be in chat logs, and file sharing should be done via network share like a rational person

@troubleMoney @mdfrg @vertigo network share?!

That sounds like either Samba (proprietary protocol even if the implementation is open source), or NFS which is complex as all hell to set up in a small business.

Unfortunately file sharing has never really gotten attention by people who care about networking, security, and good UX.

Apple's AFP was almost good and had a BSD licensed version but they got rid of it.

@awilfox @troubleMoney @vertigo
I really really hope he meant something like nextcloud. Cause if not, that's the reason people call us nerds and don't want to hear us. Try to explain how to download file from your FTP server to your mom's female friend vs 'I send you this on facebook'. No need to get angry folks, it's how the world is.

@mdfrg @awilfox @vertigo Hang on, I thought slack was for offices and such, i.e. somewhere with something approaching an IT person to set up network shares

@troubleMoney @awilfox @vertigo
My use case is a collaboration project I work with non tech people that we do in a spare time not in office. We use Slack to communicate and share files. It's vastly integrated (Google Drive, Trello etc) and provides nice UX and it's dumb easy to use. Now try to convince those people that don't know what TLS or webdav is to configure an IRC client, install ZNC and learn how to use FTP

@troubleMoney @vertigo @mdfrg so yeah even if you have an office with dedicated IT staff, the only way you can hope to have SMB or NFS work properly in ways users can tolerate is with something like LDAP.

and let's not even start with the shift to remote work. then you need VPN to log in with LDAP/Kerb and use SMB/NFS, or worse, run everything public.

we don't have good solutions to these problems yet. and we need them. badly.

@awilfox @troubleMoney @vertigo That's the first reason why WannaCry, Petya & others gained their momentum. With better solutions, even Vault9 zerodays wouldn't be such a problem. I truly respect @nextclouders for what they do to bring USABLE UX, SECURITY and EFFICIENT file sharing together.

@awilfox @troubleMoney @mdfrg @vertigo
Regarding the network share, if more people actually wanted simple networked filesystems, everything would have at least a 9p client available.
On *NIX systems you can get a client and server through plan9port though.

@awilfox @vertigo @mdfrg @troubleMoney (or, people who want to use something more targeted to the average user can use matrix, which can speak to irc and Slack servers)

@mdfrg @awilfox @troubleMoney No, but I rarely ever need those things.

However, if you do, there's always Citadel BBS software. It offers a web-based UI as well as classical text-mode interface, live chat, supports file uploads/downloads, et. al. It's actually pretty neat.

But, again, I only need the ability to chat. I tend to send files over e-mail, and important information tends to get archived on wikis.

Your usecase may vary.

@troubleMoney @awilfox @mdfrg Thanks for the looooooong thread my otherwise snarky comment generated though. It was interesting to read!

@vertigo @troubleMoney @awilfox
BBS FTW! I'm afraid I'm too young to remember those things and it's already too late to use them for people not familiar with the culture.

@mdfrg @awilfox @troubleMoney I disagree with that assessment; Uncensored! BBS gets new users periodically. Not terribly frequently, but often enough to say that it can still appeal to new users.

Some prefer the web interface, but some actually do prefer the SSH interface.

It's pretty awesome, actually. I do wish it were more popular though. Would love a console Mastodon interface that had more or less the look and feel of Citadel, for example.

@vertigo @awilfox @mdfrg

the problem is that Slack offers a better experience to newcomers than IRC does.

@kaniini @vertigo @mdfrg this is more of a failure of IRC to evolve, more than a success of Slack. Though I suppose it's the same end result.

@awilfox @kaniini @vertigo
It's not a problem of any shortcomings of the protocol, but rather the lack of a good client with modern UX. Devs should start to realize not everyone wants to have a robust win95 experience

@kaniini @SLRock @vertigo @awilfox the problem IMHO lies in centralised server and closed source

@mdfrg @SLRock @vertigo @awilfox

proprietary software does not imply slavery.

it may be in bad taste, but like Linus, i prefer to use proprietary software that's well executed (Slack), rather than free software that is poorly executed (IRC).

however, in reality, i would prefer matrix if they would care more about security and less about shiny features.

@kaniini @mdfrg @SLRock @vertigo I prefer to write better executed free software 😺

@awilfox @mdfrg @SLRock @vertigo

I do not like IRC because it has a security model that imparts full control of the environment on IRC operators.

I spent over a decade trying to make the concept of IRC operators obsolete and failed.

@mdfrg @awilfox @SLRock @vertigo

welp, since you ask.

i have worked on basically every ircd out there: unreal, inspircd, ircu, hybrid, ratbox, charybdis.

i designed the IRC SASL binding, which brought the concept of pre-authentication to IRC, allowing things like I:lines (allow rules) to be selected based on what the services daemon said to do.

i designed and wrote an entire new services implementation called atheme, that was not derived from the ircservices lineage, that was intended to take away privilege from IRC operators and give it to the communities that existed on the IRC network. while IRC operators could override the security, they had to consciously make this decision.

using the atheme platform, we created a bunch of service modules that automated the most common tasks of IRC operators (spambot mitigations), which reduced the need for IRC networks to have so many IRC operators. we also attempted to reform the role of IRC operator into one of being a community leader.

but in the end, traditional IRC users, with traditional IRC egos, always kept winning out.

i suspect the main reason why this is, likely has to do with the fact that your average irc network operator is a prepubescent teenager who feels they are always right.

@vertigo @SLRock @awilfox @mdfrg

and what happened with atheme? other IRC ecosystem projects took advantage of the good features (the automation), but wrote off what we had to say as being "preachy."

@kaniini @vertigo @SLRock @awilfox welcome to open source :). The successful project doesn't have to be the best one, just like with Darwinism. It's not about being the strongest or the fastest, it's about being able to "adapt".

@mdfrg @vertigo @SLRock @awilfox

honestly, this isn't an open source thing, it's an IRC thing.

this isn't "worse is better."

it is, instead, a battle of philosophies. unfortunately the "traditional IRC user" philosophy won, even on freenode.

@kaniini @awilfox @SLRock @vertigo I send my compliments for the work you've done. You cannot change people, nor should you ever try. These days devs shall already know they have to work in pair with some UX/PR experts by the drawing board before coding. The community behind IRC was always... specific, so don't get too gloomy with that. I think now it's a good time to reimplement IRC since it's primarily used by tech (freenode) and with Matrix around the corner. What do you think about it?

@mdfrg @awilfox @SLRock @vertigo

I prefer to see freenode sunset and be replaced by Matrix (possibly with private internet access running a Matrix homeserver under the freenode domain), once a more stable and secure protocol is fleshed out.

The good news is that some of the charybdis people have started reworking the Matrix specs to introduce correct security.

But in a spiritual sense, I see Matrix as the correct successor to IRC.

freenode staff are literally the worst case of traditional IRC users I have ever seen.

People on freenode are legitimately afraid to engage freenode staff for their problems.

As somebody who was previously a freenode staffer, it makes me angry that the network has become this way, because the whole point of my work was to spread the original administrative philosophy behind freenode to other networks.

@kaniini @awilfox @SLRock @vertigo I see. What do you think is the lesson here? Do you think there are some core errors in how the IRC community is built? What is the underlying problem?

@mdfrg @awilfox @SLRock @vertigo

outside of EFnet/IRCnet, IRC has always been very authoritarian.

this authoritarian environment breeds meanness.

the reason why people are afraid to engage freenode staff in present day, is largely because engaging them can result in a k-line (network ban).

so now, when people on freenode have problems, they just move their community off of IRC (an open protocol), to Slack, Discord or Gitter (proprietary protocols).

the lesson is the same lesson it was 15 years ago: resolve problems through peaceful conflict resolution instead of k-lines.

rob tried to call this approach "catalyzing" because he felt that peaceful conflict resolution would result in more productive output.

the whole point of the atheme platform, as well as "atheme workflow" (the official way we suggested to run an atheme-based network) was to implement this philosophy.

but i guess it's easier to just ban people instead of actually solve things.

@vertigo @SLRock @awilfox @mdfrg

to expand on what i mean here: police uniforms show privilege, and this is seen as de-escalatory. but it is de-escalation through fear (fuck with this cop and who knows what will happen).

IRC operators in a traditional IRC environment are the same way. status is flaunted and many IRCds have created tons of ranks for the IRC operators, such as "Network Administrator" all the way down to "Help Operator."

these ranks are strictly cosmetic and mean essentially nothing on a technical level. they exist only so that people will see them in their IRC clients and know that they have that type of status.

it is the IRC equivalent of a paramilitary hierarchy.

it is, in some cases, useful to know if somebody is a cop, but is it useful to know what kind of cop they are?

the paramilitary hierarchy imposed by traditional IRC is what breeds the meanness. the wrong people get IRC operator privilege, and then work their way to the top.

a good freenode example would be spb.

@mdfrg @awilfox @SLRock @vertigo

now, when it comes to the IRC paramilitary hierarchy, it is actually worse.

because if you get banned from #freenode, as an example, then other channel operators may ban you as well because clearly "you are a troll, you got banned from #freenode."

so this paramilitary hierarchy extends downward into the communities themselves, and the actions of the paramilitary hierarchy extend downward as well. for example, there are many channels that have `+b $c:#freenode` on their banlists, which means if you are banned on #freenode you are automatically banned from the other channels too.

that bad advice comes about as a result of overzealous channel operators feeling that they should "protect" their channels from people they most likely are never going to have any actual interaction with. because they are "trolls" after all.

@kaniini @mdfrg @SLRock @vertigo oh at this point IRC is a lost cause. I'm going to start putting a small amount of energy into fixing UI with XMPP clients and see where that takes me.

Though chat is still rough for me after the toxic culture of IRCv3…

@awilfox @kaniini @SLRock @vertigo Toxic? What do you mean? XMPP rocks these days - I personally use prosody + gajim & conversations.im combo and I'm VERY satisfied with it. It's simply MORE usable than WhatsApp/Signal. The only feature it's missing is phone calls.

@kaniini @awilfox @SLRock @vertigo It scales for me - just as much as Facebook messenger with 10 friends. I don't need anything better. We should stop trying to find a universal solution for every case scenario - there is none. XMPP is (now) very, very good for 1&1 and 1&few IM with file and media sharing.

@mdfrg @awilfox @SLRock @vertigo

Matrix also works for those things and *does* (well, the protocol anyway, the reference implementation itself is terrible) scale.

@kaniini @awilfox @SLRock @vertigo "the reference implementation itself is terrible" - here is my whole point of this conversation. A good code with bad UX implementation will rot in dirt.

@mdfrg @awilfox @SLRock @vertigo

Matrix is the opposite: good UX implementation (Riot), bad code.

@kaniini @mdfrg @SLRock @vertigo I wouldn't call riot "good UX" but it is certainly much closer to one than IRC, I will give it that.

@kaniini @mdfrg @awilfox @SLRock @vertigo they're rewriting it in go but the project is perennially understaffed and it turns out writing good code is hard?

@chr @mdfrg @awilfox @SLRock @vertigo

the rewrite is even worse: it requires a bunch of other shit to run the server software.

I am hopeful for charybdis++, which is self-contained and also implements the Matrix protocol (as well as TS6 for proper gatewaying to legacy IRC networks).

@jeroenpraat @mdfrg @awilfox @SLRock @vertigo @matrix

oh trust me, they have already heard from us. we are the reason why there is now an actual conversation about the security architecture of the matrix protocol.

@kaniini @jeroenpraat @awilfox @SLRock @vertigo @matrix And how are they in terms of collaboration? How do you see, realistically, the future of @matrix ? In terms of other protocols joining and federating? Who's going to peer-review them?

@mdfrg @jeroenpraat @awilfox @SLRock @vertigo @matrix

i would say Matrix's protocol is going through a peer-review phase by the charybdis++ team right now.

the people involved with charybdis/charybdis++ have a lot of experience with S2S protocol security as applied to chat protocols.

now, the question of course is, who will peer-review the revised protocol, and to that one, i don't know yet. :)

@mdfrg @jeroenpraat @awilfox @SLRock @vertigo @matrix

as for the future of matrix?

i think increasingly lightweight implementations such as charybdis++ will win over dendrite (which is heavyweight) and synapse (which doesn't scale).

i see the role of matrix.org transforming to one of purely protocol stewardship, much like the XMPP foundation is.

@awilfox @kaniini @SLRock @vertigo Do you have any impact on GAJIM development? I have many possible feedback in terms of UX...

@mdfrg @kaniini @SLRock @vertigo never touched it. Only barely touched pidgin. Looking in to clients this weekend probably. Would like to improve multiple if I can figure out the code.

@awilfox @kaniini @SLRock @vertigo Last time I checked (2 months ago?) OMEMO didn't work, and PGP implementation is a joke. It's the only reason I use gajim, since Pidgin is...just prettier. And has purple-facebook. Why PGP doesn't work, it bothers me.

@kaniini @awilfox @SLRock @vertigo ...which is nowhere better than Slack. The only better thing is that the protocol itself is open

@mdfrg @awilfox @SLRock @vertigo

Slack has a different security model: the communities just buy an instance from them and do what they want to. You just click some buttons to get one.

And the Slack client can be attached to multiple communities at once, so while it's obviously not federated, the control aspect falls to the community.

That is miles ahead of where IRC is.

With IRC, you get to either use somebody else's infrastructure and subject yourself to having to make sure that somebody else stays happy with you (unless they boot you off their network) or go buy a VPS from some company and spend time manually compiling and configuring ircd.

Then you have to learn how to secure it, etc.

@kaniini @awilfox @SLRock @vertigo There is nothing wrong in self hosting, I'm doing it myself with things like prosody and nextcloud even though I'm not a tech guy. The main reason I managed to get things done is good documentation and a caring community.

@mdfrg @awilfox @SLRock @vertigo

I think you misunderstand what I am saying.

IRC from a security POV is so fucked that it is literally more pleasant to use proprietary Slack or Discord if you want full control over your community (even though these are proprietary, but you are at least paying for the privilege of using them, so hopefully that means they won't screw with your community).

Communities on, say, freenode, for example, have to consider very carefully whether or not they want to involve freenode staff with their problems, because that could create even more problems.

With the proprietary services, there's no staff to involve, because you are in control of who is allowed on the instance.

@kaniini @SLRock @vertigo @awilfox Why not both? We, customers/users shall demand, dev should start to realize what they think it's good miiiiight not be usable in practice.

@vertigo @awilfox
You can convince the convinced as much as you want but the (sad) truth is, as far as IM/chat apps are concerned, it's more a question of who uses what, not what technology is more RAM efficient and superior. Besides, Slack is just a different service than IRC, it's designed for different needs and workflow so you're comparing apples to oranges here.

@mdfrg @vertigo I agree that the issue is who uses what instead of what solution is technologically and UI superior.

However I don't really agree Slack and IRC are different use cases. Channels, some invite only, allowing users to talk to each other and PM. Slack adds file sharing like DCC but otherwise it's just plain old IRC reimplemented IMO.

@awilfox @vertigo
Agreed. It's mostly better looking IRC. Also, since I'm not that familiar with IRC: does it provide message sync and search? Does it use TLS?

@mdfrg @vertigo It doesn't do message sync unless you use ZNC which is more software to set up, and it's client side so everyone has to set it up. I don't know of any message search beyond grep on ZNC logs (or find in page if you open in text editor).

It usually uses TLS these days. It can support TLS only, TLS and plaintext, or plaintext only.

@awilfox @vertigo
So you see, there are, in a fact, some substantial upgrades to UX made by Slack devs. You cannot expect a client to know how to setup ZNC, but you can send them link to Slack desktop app download page

@awilfox
I'm more of a user than a dev so you're giving me a choice between using some nice piece of software that I need or not using at all.

@awilfox I was surprised to see the word "neocapitalism" in this context, so I did a quick check on the definition of the term, and it doesn't seem like it's necessarily such a bad thing? I mean, it's certainly better than the rampaging capitalism that we have right now?

@awilfox I’m not familiar with Debian but I’d love to know more about that patch set!

@awilfox @amdt Chromium and Electron are two different things, the Debian patch is for chromium, not the underlying web rendering engine shared with Electron.
Electron apps don't send URLs to Google, you are either misguided or spreading FUD.
Actually, one of the most privacy respecting browsers, Brave (brave.com), is based on an Electron fork (Muon).

@fabricedesre @amdt this seems like misunderstanding.

Brave uses Chromium with changes, which does remove Google tracking, in addition to replacing ads on pages with Brave ads. Cite: arstechnica.com/information-te

Muon is not a fork of Electron. It is a framework similar to Electron, but based on the Brave fork of Chromium instead of CEF.

I'll Wireshark Atom later today.

@awilfox @amdt Chromium is built on top of Blink, a web rendering engine. It adds all the "chrome" part of the browser like bookmark management, sync, etc.

So is Electron, which adds nodejs integration to Blink to build apps.

About Muon (which I know pretty well), just read the Readme: "Muon is a fork of the Electron framework which is currently used in the Brave web browser."

And yes, maybe you should wireshark products *before* making claims...

@fabricedesre @amdt I have already wiresharked before, but will do it over to 1) have logs easily accessible, 2) see if anything has changed in what it hits / what protocols it uses (QUIC, SPDY, or just HTTP), 3) use the current version.

I don't see GAIA in Electron any more, so that's progress, but there's definitely more than Blink in Electron; Muon's readme clearly says it uses Chromium source with patches. Blink itself can't support Chrome extensions, for example.

@fabricedesre @amdt @awilfox Electron uses chromium. chromium's privacy policy page refers to google's privacy page, good luck finding which parts apply to chromium or not… just because *you* trust google/electron/spyware analytics fans (electron devs community) doesn't mean those who don't are "spreading FUD"…

"one of the most privacy respecting browsers" brave does browser-in-the-middle to replace ads with its own, without user's consent (opt-out-based), it's the opposite of privacy-respecting

@devnull @fabricedesre @amdt @awilfox technically your whole toot is allegation without any slightest beginning of proof, so technically, it looks quite FUDy to me.

@a_geek_otter @fabricedesre @amdt @awilfox *sigh* Yeah, just because you don't know that Brave pretend to make "privacy friendly ads" to justify their action, it's necessarily "FUD"

wired.com/2016/04/brave-softwa

@devnull @fabricedesre @amdt @awilfox your toot was about chromium, I answer about chromium. I don’t know about brave, and don’t care.

@a_geek_otter @fabricedesre @amdt @awilfox No, my toot was about both. And no, it's not FUD, just a fact that chromium's website page gives very little info, and refers to google's privacy policy, but maybe you should RTFW (Read The Fucking Website) before falsely accusing me…

chromium.org/Home/chromium-pri

@awilfox @amdt @fabricedesre @a_geek_otter Saying that Electron uses chromium is not FUD either, not only is it a fact, but it's also clearly stated in the README on their project repo

"The Electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS. It is based on Node.js and Chromium"

github.com/electron/electron/b

@a_geek_otter @fabricedesre @amdt @awilfox Also, you don't even say what seems "FUD" to you. You didn't mention chromium in your 1st reaction. And since my toot is about both brave injecting its own ads, electron using chromium's code, AND chromium's unclear privacy policy ("google privacy policy apply for stuff"), your answer isn't "about chromium", it's a generic answer

@awilfox Isn't the new Signal desktop app implemented with Electron? Wonder if they have addressed these concerns...

@chillson I tend to avoid the crypto chat of the week. XMPP with OMEMO is nice, open, audited, secure, and I can fall back to OTR if people aren't ready to upgrade yet.

@awilfox @chillson
Isn't OMEMO derived from Axolotl, which was designed by OWS?

@mdfrg @chillson it was derived from Axolotl but changed and independently verified by cryptographers

@awilfox @chillson
So you see, Signal it's not just another hip IM app but a new technology itself with modern protocol. No need to be sarcastic about it. Being open source it brought us OMEMO which is superior to OTR(group chat, offline messages mam, carbons, easier to use).

@awilfox What exactly are the URLs sent to google for (at least ostensibly)?

@awilfox not to split hairs, but isn't Electron made/controlled by GitHub?

@zer0her0 @awilfox

it is based on CEF which is based on Chromium which is controlled by Google.

turtles all the way down.

@kaniini @awilfox right but does electron still call home to google?

Great reference. 😜 and loved reading your IRC posts, thanks for the insight.

@zer0her0 @awilfox

that part, i don't know for sure. but it does mean that google still controls the behaviour of electron.

@awilfox I wasn’t aware of Electron having this issue. Thanks for the heads-up.

@animeirl @michbarsinai which issue? Electron is controlled by Google and breaks functional, standards-compliant HTML/CSS/JS regularly.

The sending URLs to Google thing only affects Chrome and Chromium, and older releases of Electron. Newer ones don't have that integration enabled.

@awilfox
I don't think Ayn Rand said anything about code that requires Chrome.