Out of curiosity, will there be a way that a mobile client could connect back to the Holos install for interaction? I really like the idea of everything living on a machine that isn't going to lose it's connection if I drive to an area with no signal but it still would be nice to interact with when I'm away from home.
@bobkmertz Each Holos install runs its own ActivityPub server, so a desktop and a mobile would normally be two separate accounts. But multi-device sync via the relay is planned: one account, several devices staying in sync. That would cover exactly your use case.
One question not in the FAQ, this sounds like a mobile first solution and all posting is done from the mobile device with Holos installed.
Is it possible to login to the Holos based account from a web-browser and post from there?
I ask as I rarely, if ever, use mobile devices to read Mastodon posts, far less write/interact (I'm too wedded to keyboards and don't like touch screens for typing!)
@slackline Holos is mobile only for now because the server runs directly on the device, there's no central API a browser could connect to. A desktop version is planned, which should be a better fit for keyboard users. Each device runs its own server, so a desktop account would be separate from a mobile one.
“With your permission, your child’s lead teacher may wear a small teacher-worn camera that captures the teacher's approximate first-person perspective, and/or we may place a fixed video camera in the classroom,” a document given to parents and later shared with 404 Media reads.
“With your permission, your child’s lead teacher may wear a small teacher-worn camera that captures the teacher's approximate first-person perspective, and/or we may place a fixed video camera in the classroom,” a document given to parents and later …
My first motivation when I started working on Open Source was listening to contributors full of ideas. That's the real engine. Fedilab actually got many built-in features before they became available on Mastodon itself (which created extra work later, syncing databases once they were officially added). But that's exactly what drives me. Not following a scheme, just following what you want to build. That's how I work on my projects, and I can't change that.
It's not about saying Fedilab is better than any other project, of course. It's just about how I personally approach development. And about thanking all the people who contributed with suggestions, bug fixes, translations and financial support. All of this is why Fedilab is still here after 9 years. Without that, Fedilab would be nothing. A project only works when people trust it. So thank you for still being there.
Well, for me, Fedilab is better than other apps I've tried; otherwise, I wouldn't be using it. Yes, it's important to do what you enjoy, but once your projects reach a certain size, you have to be careful not to take on too many new things and end up not doing anything properly. There's also no shame in asking for help and accepting it.
I will attest that Fedilab indeed listens to their users. You often make polls regarding features, and I felt listened everytime I mentioned a bug or an idea.
You are the one developer that actually listened to my ideas/suggestions and then worked to implement those, even when I was just suggesting them through social media 'cause I didn't know how to use github at the time. I have always been grateful for that. And you made a really good impression on me about free and open source software in general. You have inspired me to become an open source developer myself, even if for much smaller projects than yours. Thank you for everything ❤️
@futureisfoss Wow, what a kind message. Knowing that listening back then inspired you to build your own open source projects is more rewarding than any feature. Thank you so much for sharing this.
I wasn't really active on any social media before I joined the fediverse, so this was all very new to me and I was still learning the ways of the internet. Those bug reports and feature requests I sent you on Mastodon were the first time I have ever talked to a developer before, and you listened to me! It later inspired me to contribute to other projects via Github/Codeberg once I figured out how those worked, and eventually became one of the developers of a small Linux distro.
@futureisfoss yeah, I had suggested the thing about the pronouns fields on profile being shown next to the display names. And that was implemented as well 💜 codeberg.org/tom79/Fedilab/iss…
## # Describe the improvement
- [x] Mastodon
- [ ] Pleroma
- [ ] Friendica
- [ ] Pixelfed
Someone noticed that Moshidon (and potentially Megalodon) clients look if there is a custom field on the profil…
Looking for folks involved & enthusiastic in providing #Xfce support who may also be interested in becoming a moderator for the Xfce community in the #Fediverse
Looking to build a community focused on user support, promoting community resources, Xfce news, and dev announcements.
Five years ago today, on May 15, 2021, WhatsApp’s controversial new privacy policy came into effect. The update sparked global criticism and raised public awareness of the economic incentives behind data-driven online platforms.
This was such a group effort. We couldn’t have done it without an international group of volunteers led by @riverbirchtree organising on Signal and without those of you on the fediverse who helped fund her scholarship to Milan.
Thank you for your boundless humanity. This day, which coincides with the anniversary of our Nakba, underscores that we are a people living under a historical injustice that has persisted for 780 years. The world must support our people in achieving justice. Identity is our most precious possession🇵🇸🇵🇸🇵🇸✌️ chuffed.org/project/177144
In the wake of a shattered home, I wake each day beside my wife and children, spread across what remains of our former life. Our roof collapsed, taking with it both shelter and the steady rhythm of daily work.
Thank you all for your lovely messages of support. I’m sorry if I haven’t been able to reply to every one of you individually (apart from with a little favourite to say thank you). It’s been a long few days and we’re trying to be here for Joy as much as we can.
Documentary that follows a 30-year archaeological, geological and artistic adventure as scientists endeavour to understand and conserve the extraordinary art of the Chauvet cave.
Almost as if they weren’t listening then and they aren’t listening now (or that they don’t really have a problem with any of this nor any desire to take any action beyond what is de facto performative posturing).
GDMR: The regulation EU citizens deserve.
No, you didn’t misread it and, no, it’s not a typo. GDMR – the General Data Minimisation Regulation – can end surveillance capitalism in the EU.
The problem is that no such regulation exists.
Almost as if they weren’t listening then and they aren’t listening now (or that they don’t really have a problem with any of this nor any desire to take any action beyond what is de facto performative posturing).
the only way to enforce age verification of minors is through total internet supervision of everybody. And it won't help with any of the problems on the internet, because facilitating and effectively rewarding terrible behaviour optimises the revenue of the main players.
If you want a better internet, step one is to ban behaviour-based profiling for advertising, with no "consent" loophole. It makes surveillance ("tracking cookies") immediately illegal (no "legitimate interest" excuse, GDPR does the rest). That trashes the direct "more bullying and hate leads to greater revenue" connection, which immediately removes the incentive to put active effort into more vicious online spaces. This applies to Google, Meta, X, Reddit, etc.
Note that the "consent is not an excuse" part is critical. "Ask me later" just means that people are worn down into clicking "yes" eventually, just to get it out of the way, you know yourself the dark patterns, you know yourself the cookie consent forms, where "none of them" is tedious and must be repeated on every visit, but "yes please" is simple and eternal. Try changing that decision later.
Ban the surveillance. Yes, it's many companies' entire business model. That's too bad for them, should have tried being socially positive. Yes, many services will have to start some sort of subscription or pay per use model instead of being fake-free. That's OK, they'll also be disincentivised to enshittify.
It'd make the internet better for everyone, including children, who could continue to find and create so many positive communities online, instead of being blanket-banned.
This entry was edited (Friday, May 15, 2026, 8:01 AM)
There is a new #friendica app github.com/LiveFastEatTrashRac… - looks super good and I've heard they are promoting our instance too since it is quite lively and reliable.
I only tested the app a bit since I do not use mu phone much, but hey @Rokosun maybe you should give it a try! :) Maybe we finally have a great Friendica app :)
Kudos to the people who are making these things. You are awesome people!
If the recent #0day attacks against Linux kernel+servers were launched against #chatmail relays, privacy of chatting with #deltachat is preserved. Why? Because we already assume the server could be actively hostile, and still not read or see any avatar, names or messages.
Since the March 2.48 zero-metadata releases relays/servers do not see cryptographic identities, and get no chance to launch "machine-in-the-middle" (MITM) attacks.
With the latest 2.48+ releases, a chat message reveals close to zero metadata to servers. For cryptographers and messenger enthusiasts, here are the key points on how we turned email very close to ...
This is a Qubes 4.3-only release, and takes advantage of some of its new features to provide a more robust and secure way for journalists to review submissions.
We create a lot of trade-free stuff, and hopefully this month we will release something new. Let's see.
We need 200 people to donate €5 a month in order to support our projects long term. We only accept equal donations of €5 to spread the load and make everyone equal within this campaign.
See the donation page for a detail look at what TROM does ;)
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@apicultor @MAlBarram Mastodon doesn't provide configuration for character limit, it has to be patched, which means maintaining our own variant of the package and is a pain to deal with. We did post it as a single post with 1 extra post added at the end on X. The posts were sized to fit on Bluesky which has a lower character limit than Mastodon but is more than half the size of Mastodon so it limits how much fits into one here.
Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.
Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems:
Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's privacy pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.
Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
Play Integrity API is highly insecure and it isn't particularly hard to temporarily bypass it. There are frameworks for spoofing the software checks and leaked keys for bypassing hardware attestation can be purchased. However, bypasses are getting harder and are becoming increasingly short lived.
It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
For example, all those new laws for age verification are to prevent you from using an operating system or ROM that cannot be minored or controlled. Blocking reCAPTCHA on a non-approved, non-certified government and corporate sanctioned devices is just 1 piece of the big picture.
For example, the USA has made any new router not made in the USA illegal to import or sell. They can apply for an exception if they agree to include their new control chip or firmware.
They will, depending on need, release a device with GrapheneOS — or delay it — and work closely with you to identify the methods and vulnerabilities you discover, as well as how you implement features to overcome the planned “new normal,” so that, behind the scenes, they can undermine and circumvent your work in the future. The investment — which includes you — is intended to strengthen relations and acquire additional contracts. 😭
@Linux Motorola Mobility is a subsidiary of Lenovo and definitely doesn't have the relationship you're describing with the US government. Motorola was split up in 2011 and Motorola Mobility was acquired by Lneovo in 2014. You're confusing entirely different companies together, not that it would make sense regardless since GrapheneOS is open source. They don't need to do anything special to see what we're doing.
If you’re looking for an actual document that says, “Yes, we’re trying to screw over the American people,” a written confession in a convenient PDF file, you won’t find one. Ever.
So true! One little thing: This would also be bad if it weren't a bogus excuse. Because Remote Attestation in a device for the general public in itself is evil, and it will always be abused. The whole purpose of Remote Attestation is to enable a service to ban people from using arbitrary hardware and OSes. And in extension, to ban people from using arbitrary client apps for those services.
@thomas Using attestation doesn't imply allowing only a specific set of hardware and operating systems. That's not at all implied and isn't even possible for an implementation only providing pinning-based verification rather than root-based verification.
i complained on many official service they ignore it, the ombudsman was called and they seem to ignore it too.
they all aswer the bullshit that you are labelled insecure by official tool, because google tool automatically mark non licensed OS as insecure regardless of their actual security.
Google has the entirety of its commercial success thanks to the openness and interoperability of the #WWW. To try an captcha it to build a walled garden is, frankly speaking, an act of disrespect for @timbl and the entire web community.
Microsoft has tried it. Apple has tried it as well. Both have finally had the insight that working with the community is much more rewarding and profitable than working against it.
Let's work toward Google having that same revelation as well.
Unified Attestation is another anti-competitive system being pushed by multiple European companies. It will similarly lock people out from using arbitrary hardware and software. That's not a solution and is far worse than Android's much more open hardware attestation API.
Unified Attestation is another anti-competitive system being pushed by multiple European companies. It will similarly lock people out from using arbitrary hardware and software. That's not a solution and is far worse than Android's much more open hardware attestation API.
Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust.
Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control.
🔐 Introducing: Unified Attestation An open-source project for verifying the integrity of Android apps—as an alternative to Google's Play Integrity. The goal is to make apps such as banking and payment apps usable on independent Android systems without relying on Google services.
We invite developers, ROM projects, and app providers to get involved.
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
This entry was edited (Sunday, May 10, 2026, 5:38 PM)
if it was about security this system would be more close to Https certificate (not identique of course for obvious techical reason) than what google make now (with themselve as sole capable certificate controler).
We really need to start using containers for running the OS itself instead of flashing the OS. Shameless plug but LosOS (gitlab.com/losos-linux) does that.
@dasmatus AOSP and GrapheneOS already heavily use sandboxing throughout the OS and are in the process of heavily adopting hardware-based virtualization for isolation. Running an operating system in a container or VM doesn't help with attestation but rather makes it substantially harder to pass from apps doing detection of emulation and virtualization via anti-tampering. A large part of the Play Integrity API software checks are focused on detecting emulation or virtual machines.
@dasmatus It's worth noting the Play Integrity API software checks are largely not enforced up front but rather used to detect spoofing and the enforcement comes later. This prevents being able to know exactly how it was caught via GPU fingerprinting, etc. They don't care about small scale spoofing and wait until it's larger scale to take actions to stop it which is often done in a far more naive way than how it was detected. Over time, they're making it stronger and bypasses shorter lived.
@dasmatus The software-based checks alone are already impractical to bypass reliably over the long term. The hardware based checks where leaked keys from exploiting a TEE/SE are needed to bypass them are a whole separate story. They shipped a DICE-based remote provisioning model years ago for the hardware checks and that's going to make future leaked keys much less valuable due to their short lives so it will be necessary to keep leaking more which they can start cracking down on over time.
I am fucking furious at the attempted murder of the world wide web and open internet, and I swear to god I will become the grumpy old man using meshtastic email over digital HAM if I have to!
do not know almost anyone else who is making this exact point that "security" is a euphemism for "national security" and is actively opposed to privacy or auditability. certainly not user security. @dwaynemonroe has identified the extreme closeness of monopolistic and fascistic hierarchical unaccountable and potentially even illegal control
This is a major issue. Even to make appointments in DE at local Government Offices one has to jump through ID processes that in my case only work via my wife's iPhone.... it should be constitutionally illegal. It is a denial of right.
The Brazilian government app "gov.br" requires Play Integrity too. There's no fallback, no alternative verification method.
I've sent complaints to the Brazilian entities suggested in the "Keep Android Open" website, but they either reply with a template message or completely ignore it.
Google is pretty much our Evil Corp, but where is fsociety? 👹
I side loaded the EU's sample age verification app - which seems to work on my GrapheneOS phone. Is there a way to know if it is only working because I also have the PlayStore installed?
requirement of age verification is especially disgusting in this sense, because it being sold under "moral sauce", not as some security feature, per se. At same time, instead of adopting some cross-platform standard W3C could create (or already created a draft of), it all become another smelly pit of corporate lobbysts and other forms of corruption.
it seems we can't even avoid it by avoiding smartphones altogether. I'm really concerned that for people who eg only have access to the internet through a library/school/borrowed computer, they'll be banned from most of the web for the crime of not being able to afford a smartphone
This entry was edited (Sunday, May 10, 2026, 6:17 PM)
At this time the NHS app in the UK has a 'use Chrome (yes/no)' prompt that pops up each time i'm logging in. I've written to the developers to point out how egregious this is.
@Ra I can't use the online services of my healthcare provider on my desktop (cant login on their website) without having their app on an android or apple device. I'am effectively being locked out of all of their online services (except contacting them via email).
@FantasmitaAsex reCAPTCHA is extremely widely adopted. A portion of services using alternatives won't solve how much damage they can do to alternatives via control of reCAPTCHA.
Only a tiny proportion of apps use the Play Integrity API and ban GrapheneOS with it. It's something like 1/10000 apps or even lower but for banking apps it's around 1/10 and important government apps around 2/10. However, it's widely adopted enough that it's a huge barrier to GrapheneOS adoption for people already.
So let me get this straight... we're going to need to scan a special mark... to buy and sell and participate in civil society... and require an expensive American piece of hardware that surveills you or we're shut out... this sounds vaguely familiar.
My bank has been this way for months already. They got rid of other 2FA methods they used to support and require a Google-approved Android OS or iOS... even to log in to their banking UI on a desktop/laptop.
It's infuriating, and it means I'm now 100% locked in to a proprietary app on a proprietary OS (controlled by 1 of 2 companies, both headquartered in California, USA) on a proprietary phone for banking and public transit (in Europe), with no alternative possible. 😖
@garrett Most banking apps still work on GrapheneOS but Play Integrity API adoption is expanding and it's nearly impossible to convince an app to stop using it once they've started. We've only successfully convinced a couple apps to stop. We've convinced a lot more apps to start permitting GrapheneOS by using the Android hardware attestation API as an alternative which can be used to permit arbitrary hardware and operating systems but that's still very problematic including for GrapheneOS.
@garrett We provide documentation at grapheneos.org/articles/attest… on how apps can use the Android hardware attestation to permit GrapheneOS and other hardware / operating systems which aren't certified by Google. This API supports permitting alternate roots of trust and non-stock operating systems. We use new signing keys for each new device model so new devices won't be listed without them updating it and their list won't include alternate builds of GrapheneOS. Apps should not be doing this at all.
Hardware Attestation should only be used in situation when device is supposed to not be owned by the user. Like an internal service of a company making sure only company-provided devices are accessing it.
I also see other tendency: Bank I am customer of, in a EU-candidate country, when add some services, makes them available only from mobile device. For example, purchase of travel insurance, which normally happens beforehand, not during travel itself. I don't see a logical reason to limit a service availability to a weaker in UX sense mobile platform with small screen, half if it usually eaten by on-screen keyboard, and lack of proper mouse/keyboard).
The European Union is developing a digital identity system that incorporates FIDO2 standards for secure authentication. Some governments (like the Austrian) already support FIDO2 for authentication and identification. Banks should just do that, too.
Het lijkt me dat @kimvsparrentak hier ook wel een mening over zal hebben? Het kan toch niet zo zijn dat login in Europa straks wordt gegatekeeperd door twee Amerikaanse bedrijven?
I’ve been reflecting on this. For the UK, wondering if we might consider a government petition that explicitly requests that all public (or publicly funded) services can be accessed and used without being forced to use any (especially any foreign) third party service?
I wonder of there's someone you can contact in the Canadian government to try to hard-block this from becoming a requirement with our government, banks, etc., from a national security perspective. You might find a receptive audience given that we're trying to gain some independence from the US.
My feeling is that the government knows that reliance on American tech is a problem and a trap, but they don't have a good grasp of the details or the alternatives.
This is such a messed up shitshow. I fear that technical workarounds won't cut it. This is going to need political pressure, which seems unlikely to happen 🙁
@7cd4a72311bad46117e0f692dddc5f31a543b47ff4265b028f8d820ac808ab3c @MAlBarram We have a partnership with Motorola Mobility (Lenovo) and are working with them towards their 2027 devices providing all of our requirements and providing official GrapheneOS support. We're actively working with them on getting the requirements implemented and GrapheneOS ported to their devices. It has nothing to do with the thread we posted though since it's not going to help with any of this.
You should read the thread we posted which is about them bringing the Play Integrity API to the web including for desktops by requiring having a phone certified by it or an iOS device in order to pass checks on the web and desktops too.
@cargot_robbie @ggrey They could use the hardware attestation API to enforce a minimum patch level while still not allowing GrapheneOS or other secure alternative options though. It's not implied that using the hardware attestation API would mean permitting other options at all. We've convinced a dozen banking apps to start permitting GrapheneOS but it's a small portion of the banks which have adopted the Play Integrity API. Convincing them not to do this at all is nearly impossible.
@ggrey Banks likely can be persuaded that they are being made useful stooges to Google and Apple's monopolistic aims, but I expect it will require exploits of such older devices @GrapheneOS
@jaypatelani Android Open Source Project is Linux. Linux doesn't mean glibc, systemd and GNOME. Using the far less private and secure desktop Linux software stack on mobile doesn't do anything to address any of this. It drastically reduces compatibility with the massive mainstream mobile app ecosystem including the large open source mobile app ecosystem for Android so it doesn't matter as much that apps are banning using anything non-Google-certified from that regard since it's already that way.
Certainly it won't be easy. I think we have more allies in this than are currently obvious. The manufacturers that provide Android devices won't like an environment where Google Android is the only game in town. Samsung's entire software offering is proof that they at least are unwilling to cede the entire software stack to Google. The more strictly Google cuts off older devices or unpatched devices, the more control they will be exerting against those manufacturers
There are IMHO few cases when hardware attestation (which btw is the ultimate in anti handicapped stance one can take, I literally remember a decade ago how a colleague modified his Linux workstation to deal with his personal mix of handicaps)
And if there is a need for that there is no need to go with a vendor lock-in solution as the grapheneos crew correctly points out.
But security theater is cheaper than haviyng real competent engineer look over the security design for real.
This entry was edited (Thursday, June 11, 2026, 8:09 AM)
my banking app locked me out just today and i had to scramble to get back access to my account. it's insane how real life availability impact is ignored in favor of some vague "security" promise.
and in germany this is now getting baked into the requirements for health apps and banking apps via bsi tr-03161. especially for health applications i do not want to be forced to rely on some megacorp ecosystem to use them. that's fucking terrible.
imo one weak point currently is the availability of a trusted independent app store for proprietary applications. foss is great, but if we truly want to be an alternative to google and apple we need something like that
@naph Support the Accrescent project which is for both open source and closed source applications. It ships developer builds of applications signed with developer keys. In the future it can have filters to only show open source apps and can have verification of reproducible builds but it's not artificially limited to it.
Hardened OSs like #GrapheneOS do a great job, but we have a major blind spot: The Hardware.
Modern phones are networks of dozens of "black box" computers (UFS, Baseband, Wi-Fi) running proprietary code we can't audit, disable, secure or replace.
Why this matters: 1️⃣ Persistence: Malware in your UFS/SSD controller survives a factory reset. 2️⃣ Tracking: Hardware Attestation acts as an immutable digital fingerprint. 3️⃣ Shadow Attacks: Zero-click exploits hit your Wi-Fi or Baseband before the OS can even react.
We are calling for #HardwareSovereignty. Inspired by the #OpenBSD philosophy, we demand: ✅ Open & replaceable firmware for ALL subsystems. ✅ User-controlled hardware toggles. ✅ Trust minimization that includes the manufacturer.
It's time to move from "Vendor-Enforced Security" to User Sovereign
... Show more...
Hardened OSs like #GrapheneOS do a great job, but we have a major blind spot: The Hardware.
Modern phones are networks of dozens of "black box" computers (UFS, Baseband, Wi-Fi) running proprietary code we can't audit, disable, secure or replace.
Why this matters: 1️⃣ Persistence: Malware in your UFS/SSD controller survives a factory reset. 2️⃣ Tracking: Hardware Attestation acts as an immutable digital fingerprint. 3️⃣ Shadow Attacks: Zero-click exploits hit your Wi-Fi or Baseband before the OS can even react.
We are calling for #HardwareSovereignty. Inspired by the #OpenBSD philosophy, we demand: ✅ Open & replaceable firmware for ALL subsystems. ✅ User-controlled hardware toggles. ✅ Trust minimization that includes the manufacturer.
It's time to move from "Vendor-Enforced Security" to User Sovereignty. Read the full Open Letter here: pastebin.com/RzRbzhwn
Aaron Swartz joined the RSS working group when he was 13. At 15 he became a foundational member of Creative Commons. He was working on precursors to markdown at 16.
We should not be locking young people out of our communities and keeping them away from digital tools that can open doors for them, expand their knowledge, sharpen their skills, and help them grow into well-rounded adults.
@lo_fye That lacking experience is actually at least partly a good thing. Less expert-blindness, less copying other folks, less having slowly learned to accept unacceptable things, etc. can have advantages.
I agree that we should allow kids access to technology.
But Aaron Schwartz of all people never got to grow into a "well-rounded adult" since he killed himself at 26. That's a rather unfortunate choice of words for that particular example.
I'm not sure about the point of the post. 1. anecdotal evidence is not a solid back up for an argument. 2. I don't think anybody is blocking young people from tinkering at home? 3. Putting hurdles in the way adds motivation to learn or find creative ways how to circumvent them. 4. Big corporations have teams of psychologists convincing people to spend time on their platforms. The assumption that young people are cleverer than them is disrespecting the psychological profession.
this ❤️ for so many people I know, online communities in the late 90s / early 00s were a way to find your people and learn so many different things.
Maybe instead of shutting kids out, we should make the people at the top of the food chain accountable for their fuck ups in creating tooling and platforms that are addictive ON PURPOSE, where misinformation & abuse are rampant.
but what if they use their skills to advocate for youth rights? or find community that affirms them when everyone IRL is hostile toward them? or make me jealous because my environment didn't let me do cool stuff at that age? you ever thought of that?
one person who ended up hacking chromebooks with us joined the project when he was ~13. He's currently finishing high-school and his name is all over LKML, I bet he will get a really decent job in the future. Talking and hanging out with him (online due to living half of the globe away) has always been great.
This entry was edited (Monday, May 11, 2026, 10:15 PM)
After stumbling over this take a second time I think I know what bugs me about it:
Everybody can factually have privacy already: just don't go out, close your windows, have no computer or phone.
Now, nobody wants to go that far.
But consider people enabling big tech, buying into their services, not questioning, not resisting, not giving a shit, not willing to accept the smallest inconvenience.
Sure they deserve it, too. But if everybody sits around waiting to get what we all deserve - maybe we deserve whatever we get. And that paints a grim picture.
Honestly there should be better regulations for these things. It shouldn't be people's responsibility to choose and pick every single piece of software they use to make sure it respects their privacy, and currently it's not just that but you also have to be on top of everything and switch apps/services when they get bought out by a shady company or start getting enshittified - most folks frankly don't have time for all that.
sorry, not equivalent. We need the right to walk along a road without having to wear a suit of armour, jump out of the way every time a car comes along, enforce safety and speed limits, and generally not punish those who don't have a car. (Works both literally and as an allegory)
You misunderstood. I agree 💯. But I agree in a way that questions what asking for a right is worth, when the problem isn't the absence of ("well deserved") rights, but the harshness of reality.
Everybody deserves good health (thats a given!), but that can't be grounds to "defend" people being careless.
BTW, I also agree big-tech needs to be regulated. But as long as it isn't you can't ignore reality.
I was going to favorite the post after I read it as "everyone deserves piracy" though I guess the privacy one is true too and not as illegal, though it is well on its way. @veronica
PSA: please update Tails with the latest release. It is an emergency release to fix a critical security vulnerability in the Linux kernel, as well as security vulnerabilities in Tor Browser and in the Tor client. blog.torproject.org/new-releas…
This release is an emergency release to fix a critical security vulnerability in the Linux kernel, as well as security vulnerabilities in Tor Browser and in the Tor client.
We have received a Copyright claim from Amazon for our @PeerTube instance videos.trom.tf/ . Hetzner, the hosting company where we have the dedicated server at, gave us 24h to resolve it.
The problem?
The video in question, a documentary about "aliens", a garbage piece of content, was NOT hosted on our instance, of course. But since Peertube is federated the idiots sent the claim to our hosting company. Even if UNDER the video you can see that video is "Posted By:" and the instance and username. It takes a few seconds to see where the video is hosted.
But who cares...maybe Amazon has "AI Agents" employed and they simply find a video of theirs on a URL and see the IP of that URL and submit a Copyright claim to the hosting where that domain is registered?!
Bunch of idiots.
But it is very concerning the fact that they can do these and we, the ones who host (and for free fo
... Show more...
We have received a Copyright claim from Amazon for our @PeerTube instance videos.trom.tf/ . Hetzner, the hosting company where we have the dedicated server at, gave us 24h to resolve it.
The problem?
The video in question, a documentary about "aliens", a garbage piece of content, was NOT hosted on our instance, of course. But since Peertube is federated the idiots sent the claim to our hosting company. Even if UNDER the video you can see that video is "Posted By:" and the instance and username. It takes a few seconds to see where the video is hosted.
But who cares...maybe Amazon has "AI Agents" employed and they simply find a video of theirs on a URL and see the IP of that URL and submit a Copyright claim to the hosting where that domain is registered?!
Bunch of idiots.
But it is very concerning the fact that they can do these and we, the ones who host (and for free for that matter), need to quickly "fix" these things even if the claim has nothing to do with our server.
We eventually had to block that URL, thanks Peertube for allowing that, else these idiots cannot understand that it was not us who were hosting that video.
So first up, I am not a lawyer, even if I play one on TV. Seems to me though that even if you didn't post the video, that if your server is seeding it, then technically you, among others, *are* hosting it?
Surely in this case though you could comply just by defederating that particular piece of content / user?
It's interesting though that Amazon are recognizing Peertube content, even if just for copyright. That to me suggests they're keeping an eye on it, even if they likely don't consider it a major threat... yet.
> if your server is seeding it, then technically you, among others, *are* hosting it?
I don't think that's how @peertube works. Remote videos are discoverable by searching on a PT service, but it's the viewer that's seeding them by watching (because WebTorrent), not the PT service providing the search results.
You're right that copyright lawyers and often judges haven't cared much about such nuances though, or we would have won the CopyWars.
It is ridiculous to act as if the content is "on your server" and you have to deal with it. If it is federated, go after the source. Else you swift the responsibility on the TV if one watches "pirated" content on "it".
If you make the instances that "display" a piece of remote content, liable for the content, you are destroying the internet itself. I cannot be responsible for a remote content. Federation cannot work if this is the case. It is utterly insane to do that. It is like making your Browser responsible for the content people display on it.
@maddad If a forum page embeds a YT video isn't it displaying just a link?
Anyway, if we become relevant they will drown us in lawsuits, not because their claims are reasonable but because we can't afford the lawyers to prove that.
That's how the justice system works.
I guess only #EFF could solve this by defending some cases to establish a rule of law.
@FinchHaven The way Peertube federates is different from how Mastodon does its federation. As long as the video in question is not stored on your server and is just streamed from a different instance then that instance should be contacted for the removal - that's what any competent lawyer would do. But now what they've achieved is merely made us put up a curtain to hide the video from their view, a video that still exists on the original instance and free for anyone to watch.
@FinchHaven > And you clearly don't understand the usage of the word "Federated"
You probably intended this as a nonchalant segue into your next point (I've done this). But FYI it comes across as quite patronising and out of context. @trom is hosting a PeerTube server. Chances are they have a pretty good understanding of the range of things "federated" can mean in this context.
You're not wrong that a lawyer might see a search result as a 'source' for copyright purposes. This is exactly what they've done with TPB et al. But ...
@FinchHaven > federated makes *every* federated instance the [a] source
On Mastodon et al, yes. Because text posts are automatically delivered in full to everyone following the account that posted it. But PeerTube doesn't work that way, it just sends a title and a link to followers (or the wasted storage and bandwidth would be extreme).
Well. I think this is analogous for holding torrent tracker owners liable for torrent content.
The contents of torrents tracked by a tracker never go even near the tracker. The tracker only helps leechers find seeders. But still, somehow, magically, the tracker owner is doing the copyright infringement. @peertube
Gossi the dog had a similar issue, but from a Microsoft linked company.
Reponse was to reply to the email saying we are launching at you hete on the internet. Because Microsoft don't understand how the internet works, then a link to the discussion thread.
@harib_murshidi I'm guessing it was probably some conspiracy theorist nonsense about aliens, or else he wouldn't describe a documentary as garbage.
People watch documentaries to learn about something real and true, but if it's full of misinformation then it is not only a garbage film but also harmful to society.
Despite any right or wrong. That's how power works. And the fediverse is not save from oligarchs and/or their power. We should keep this in mind. And hopefully find a way to avoid such threats somehow.
No one/admin can risk any lawsuit were the other side is something like A.
we have recived insane amounts of false / fake takedown notices. While in the US his is illegal and you can sue (and even get ppl in jail for this) in Europe this is not illegal. There is nothing you can do about. If Hetzner causes you issues DM me i am sure we can find an easy solution.
I hope this doesn't mean PeerTube is going the way of YT where you don't own your content anymore, because a big part of PeerTube is actually owning your content and not being at the mercy of an evil megacorporation.
![Birdhouse in Your [Redacted]](photo/contact/80/1207621?ts=1779190917)
Rokosun
in reply to Holos Social • • •Oh wow that looks amazing!
cc: @tio
Tio likes this.
Tio
in reply to Rokosun • •like this
Rokosun and Holos Social like this.
Bob K Mertz
in reply to Holos Social • • •Out of curiosity, will there be a way that a mobile client could connect back to the Holos install for interaction? I really like the idea of everything living on a machine that isn't going to lose it's connection if I drive to an area with no signal but it still would be nice to interact with when I'm away from home.
#HolosSocial #E2EE
Holos Social
in reply to Bob K Mertz • • •Each Holos install runs its own ActivityPub server, so a desktop and a mobile would normally be two separate accounts. But multi-device sync via the relay is planned: one account, several devices staying in sync. That would cover exactly your use case.
state
in reply to Holos Social • • •