Ah ok. You aren't doing auth. I don't understand how this is relevant.

Yeah, it seems like this doesn't read /etc/shadow so can't do auth?

https://linux.die.net/man/5/slapd-perl looks interesting though. Didn't think I'd have another chance to write perl.

Are you doing auth in the reverse proxy for Jellyfin? Do you use Chromecast or any non-web interface? If so I'm very interested how you got it to work.

The concern is that it would be nice if the UNIX users and LDAP is automatically in sync and managed from a version controlled source. I guess the answer is just build up a static LDAP database from my existing configs. It would be nice to have one authoritative system on the server but I guess as long as they are both built from one source of truth it shouldn't be an issue.

Yes, LDAP is a general tool. But many applications that I am interested in using it for user information. That is what I want to use it for. I'm not really interested in storing other data.

I think you are sort of missing the goal of the question. I have a bunch of self-hosted services like Jellyfin, qBittorrent, PhotoPrism, Metabase ... I want to avoid having to configure users in each one individually. I am considering LDAP because it is supported by many of these services. I'm not concerned about synchronizing UNIX users, I already have that solved. (If I need to move those to LDAP as well that can be considered, but isn't a goal).

I do use a reverse proxy but for various reasons you can't just block off some apps. For example if you want to play Jellyfin on a Chromecast or similar, or PhotoPrism if you want to use sharing links. Unfortunately these systems are designed around the built-in auth and you can't just slap a proxy in front.

I do use nginx with basic with in front of services where I can. I trust nginx much more than 10 different services with varying quality levels. But unfortunately not all services play well.

Even then how you you know? I don't think anyone can reliably look at a vegetable and tell you how nutritious it is. I don't think it is reasonable to have the general population being experts in evaluating vegetables.

I think what could work here is mandated labeling. This is required for most foods but generally not produce. I think there are some reasonable reasons for this, but for farms producing huge volumes it seems that occasional testing that gets reported at the store would make sense.

How are you configuring this? I checked for Jellyfin and their are third-party plugins which don't look too mature, but none of them seem to work with apps. qBittorrent doesn't support much (actually I may be able to put reverse-proxy auth in front... I'll look into that) and Metabase locks SSO behind a premium subscription.

IDK why but it does seem that LDAP is much more widely supported. Or am I missing some method to make it work

But it does boil down to business pressures. The business prefers more and bigger produce to more nutritional produce.

Is that a bad thing? Maybe not. Maybe you can just eat more to get your nutrition since higher yield should reduce cost.

But the point still stands that there is very little business pressure to make a nutritious product.

But the problem is that most self-hosted apps don't integrate well with these. For example qBittorrent, Jellyfin, Metabase and many other common self-hosted apps.

NixOS makes it very easy to declaratively configure servers. For example the users config to manage UNIX users: https://nixos.org/manual/nixos/stable/options#opt-users.users

Yet another service to maintain. If the server is crashing you can't log in, so you need backup UNIX users anyways.

I mean it is always better to have more open source. But the point of the multi-hop system is that you don't need to trust the server. Even if the server was open source:

1. You wouldn't know that we are running an unmodified version.
2. If you need to trust the server then someone could compel us to tap it or monitor it.

The open source client is enough to verify this and the security of the whole scheme.

I use NixOS.

Here is the problem with crop quality:

1. Most of the purchase decision is what is observable at the store.
   • Does it look good.
   • What is the price.
   • How is the smell, texture, weight...
2. Some happens at home, and you might remember for next time.
   • How does it taste.
   • How long does it last.
   • Does it make you feel satisfied.
3. It is basically impossible to know how good food was for you.
   • You eat a lot of food and the response is delayed.
   • Even if you have a response you probably don't properly understand your body.
   • In the end most of the "health" of food is just your believes and marketing.

So there is basically no business pressure to have crops be nutritious.

Because these buckets probably don't exist (citation needed on all of these, I don't have access to data from a large online store).

I suspect that this is actually a "good" recommendation in the face of many other facts.

1. Any recommendation has a very low risk of success. Outside of searching contexts (where there is clear intent) I suspect that the chance of a recommendation leading to a purchase is <1%.
2. You usually make more money from bigger sales. So showing a 1% expected $1k GPU is better than showing a 20% expected purchase $20 pair of sunglasses (and I doubt any recommendation has 20% purchase rate outside of clear sources intent).
3. People return things. Return rate is much higher than 1% on many platforms and some good chunk of these will want a similar product to replace the defective/bad/unsuitable one.
   • For Amazon this maybe isn't a good excuse because they should be able to incorporate return information into the recommendations. But even then, lots of people may prefer to order a second one before going through with the return. Maybe they want to do a comparison to be sure that they like the new one more before sending the first back.
4. People do have uses for multiple even for things that wouldn't seem that way at first glance. If I just bought a GPU and am happy with it maybe my partner needs an upgrade (or gets a little jealous). Maybe I will see a similar or identical product recommended and get it for her. Maybe I like my new fridge and also want to replace my second basement fridge with it, or maybe the quietness of the new one made me realize how loud the other one is and I want to get a similar model to replace it.
5. People recommend things to each other. Maybe I just bought a GPU and my buddy is asking if I like it. The next day I see a recommendation for a GPU that I think is a good open for them, I send the link.

Yes, all of these scenarios are unlikely, but I suspect that is actually significantly higher than the baseline, and for the big items that people usually complain about much more profitable. I suspect you see these ads because they work. Not as in they are often right, but that they have higher expected value than other available ads.

Yeah, I can't believe how hard targeting other consoles is for basically no reason. I love this Godot page that accurately showcases the difference:

https://docs.godotengine.org/en/stable/tutorials/platform/consoles.html

Currently, the only console Godot officially supports is Steam Deck (through the official Linux export templates).

The reason other consoles are not officially supported are:

• To develop for consoles, one must be licensed as a company. As an open source project, Godot has no legal structure to provide console ports.
• Console SDKs are secret and covered by non-disclosure agreements. Even if we could get access to them, we could not publish the platform-specific code under an open source license.

Who at these console companies think that making it hard to develop software for them is beneficial? It's not like the SDK APIs are actually technologically interesting in any way (maybe some early consoles were, the last "interesting" hardware is probably the PS2). Even if the APIs were open source (the signatures, not the implementation) every console has DRM to prevent running unsigned games, so it wouldn't allow people to distribute games outside of the console marker's control (other than modded systems).

So to develop for the Steam Deck:

1. Click export.
2. Test a bit.

To develop for Switch (or any other locked-down console):

1. Select a third-party who maintains a Godot port.
2. Negotiate a contract.
   • If this falls through go back to step 1.
3. Integrate your code to their port.
4. Click export.
5. Test a bit.

What it could be (after you register with Nintendo to get access to the SDK download):

1. Download the SDK to whatever location Godot expects it.
2. Click export.
3. Test a bit.

All they need to do is grant an open source license on the API headers. All the rest is done for them and magically they have more games on their platform.

Mullvad is one of the best options if you care about privacy. They take privacy seriously, both on their side and pushing users towards private options. They also support fully anonymous payments. Their price is also incredibly reasonable.

I'm actually working on a VPN product as well. It is a multi-hop system so that we can't track you. But it isn't publicly available yet, so in the meantime I happily recommend Mullvad.

The only mentioned benefit seems to be privacy.

Apparently it prevents this auto embedding:

YouTube injects their video link directly in its RSS feeds in a way that will cause some RSS Readers to automatically embed the YouTube video

But it is just a media link. It isn't like YouTube is doing something nefarious. This are just doing RSS (somewhat) like intended. If your feed reader renders these links without any confirmation it is an issue that will affect all feeds and you should change the settings on your feed reader.

In general I like openness providing feeds for sites that don't have them but this seems a little pointless. I guess it is basically a proxy service that hides your IP at this point?

HTTP/1.1 403 UNAUTHORIZED
{
  "error": {
    "status": "UNAUTHORIZED",
    "message": "Unauthorized access",
  },
}

I would separate the status from the HTTP status.

1. The HTTP status is great for reasonable default behaviours from clients.
2. The application status can be used for adding more specific errors. (Is the access token expired, is your account blocked, is your organization blocked)

Even if you don't need the status now, it is nice to have it if you want to add it in the future.

You can use a string or an integer as the status code, string is probably a bit more convenient for easy readability.

The message should be something that could be sent directly to the user, but mostly helpful to developers.

The same use case why moving your mouse across a tab doesn't focus it? It is important to have a difference between the current focus of actions and the state of each individual UI element. Keyboard users will want to be able to move their focus across the tabs without switching which one is active.

Yeah. I like old school tabs that were clearly attached to the thing that they switched. I definitely prefer the KDE UX here.

I don't think it is that simple. I think that outline is about the "focus". So if I press enter it will activate that tab, if I press tab it will move the focus to the "Entire Screen" tab.

The UX issue is that there are two concepts of focus in this UI. There is "which tab is active" and "what UI element will pressing enter activate". These two are not sufficiently differentiated which leads to a confusing experience.

Or maybe there can just be no keyboard focus indicator by default, but that may be annoying for keyboard power users. But this is generally how it works on the web, you have to press tab once to move keyboard focus to the first interactive element.

The one that always gets me is GNOME's screen sharing portal.

There is this outline around the "Application Window" tab which makes it seem selected. I use this UI multiple times a week and I need to pause for a sec every single time. I always think "I want to share a window", "oh it is already selected" then stare at the monitors for a while before I realize why I can't understand what I am looking at.

This is basically admitting that consumers don't actually value their subscription service for the cost. If users were buying used bikes and signing up for subscriptions Peloton would be thrilled, they would do everything that they could to encourage that like free trials. But it must be that most people who buy used bikes don't find the subscription worth it and cancel within a few months. Adding this fee both extracts more money and creates a sunk cost fallacy that will cause them to go longer before cancelling.

If the product sold itself they would just let people pay them subscriptions, its basically free money.

Vista sucked so bad. I got a nice new laptop and it was constant pain. One of the real breaking points was that it would refuse to let me modify or delete some files even as superuser. If I recall correctly they weren't even system files, maybe a separate partition or something.

I tried installing XP but there was some sort of driver issue with my CD drive. It would start installing fine, but then once it tried to reboot off of the HDD to finish the installation it couldn't find the installation CD to finish copying things, so the install just crashed half-way done.

I installed Ubuntu on a partition, dual booted for a while. After a few months I realized that I never even used the Windows partition anymore so I wiped it.

Likely what is happening is that the game is probing audio devices and triggering the mic on your headphones to get picked up. This switches them into the "headset" profile which has awful audio quality. I don't know why the UI isn't showing that, make sure you are checking while the game is running and the audio sounds bad.

If you want your headphone mic to work there is not much choice. There isn't a standard bluetooth profile with good audio and mic. If you never want to use your headphone mic you can probably configure some advanced settings in your audio manager (probably PulseAudio or PipeWire).

These are all good points. This is why it is important to match your recommendations to the person. For example if I know they have Chrome and a Google account I might just recommend using that. Yes, it isn't end-to-end encrypted and Google isn't great for privacy but at least they are already managing logins over all of their devices.

In many cases perfect is the enemy of better. I would rather them use any password manager and unique passwords (even "a text file on their desktop") than them sticking to one password anywhere because other solutions are too complicated.

It depends on your threat model. It does mostly reduce the benefit from 2FA, but you are probably still very safe if you use a random password per site. I mostly use 2FA when forced (other than a few high-value accounts) so I don't worry about it. For most people having a random password which is auto-filled so that you don't type it into the wrong site is more than sufficient to keep themselves secure.

Firefox Sync is end-to-end encrypted. So Firefox's password manager with syncing does this.

Honestly nothing. I recommend this to everyone because it is the easiest way to set up and offers huge advantages.

1. No more password reuse, per site random passwords.
2. Auto-fill reduces chance of phishing attacks work because you get suspicious if the password doesn't auto-fill.
3. Most browsers will integrate it into their sync service to reduce the risk of you losing your passwords.

I think these are the two biggest benefits and every browser password manager will accomplish both.

These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.

1. Make sure that you are regularly typing your master password for the first bit. After that you'll never forget it. You can also help them out by saving a copy of their master password for them at least until they are sure they have memorized it. There are also password managers where you can recovery your account as long as you have the keys cached on at least one device.

2. This is far, far outweighed by the risk of password reuse. This is because when a single one of the sites you use gets hacked then people will take that credential list and try it on every other site. So with a password manager there is just one target, without it is one of hundreds of sites where you reused your password. Many password managers also have end-to-end encryption so without your password the sync service can't be hacked (as it doesn't have access to your passwords).

Basically they license out the system to companies. You can get a rough idea here: https://what3words.com/business

The idea is that by making it free to individuals they build up market familiarity and expectation. Free personal use is just marketing for the paid product. Then they can turn to businesses and convince them that they should offer their system as a service and charge them for it.

The closest alternative is probably Plus Codes. They are driven by Google but are free to use for everything with a pretty plain and simple Terms of Use.

Instead of words they use an alphanumeric encoding. The main downside is that this can be less memorable but the upside is that it works for users of all languages and you can shorten the codes by using a Country or City reference as well as control the precision.

what3words is proprietary and the owner is profit-hungry and litigious, I would recommend avoiding it.

Some basic info: https://en.wikipedia.org/wiki/What3words#Proprietary

The best option is probably using a geo: URL. This should open in all devices in their favourite mapping application. Example. If you want to link to a specific store or similar beyond just a location you can add a "query" which some apps will use to highlight that. Example.

Another decent option is Plus Codes. These are a bit shorter and easier to manage but lack a URL format as far as I can tell. MJ75+P3 Toronto, Ontario.

You can also just link to an alternative service such as Open Street Maps. This avoids Google but still imposes a particular service on others.

Also Canada, and I think in California.

Yeah, this is basically my line. If I intentionally subscribed I will be sure to unsubscribe properly once (maybe twice). But if it was unsolicited then it will be marked as spam.

Probably not. Google Ads explicitly allows mismatch between displayed domain and actual domain. This is literally a supported configuration with no tricks.

The link you sent gives me a "Redirect Notice" interstitial that mitigates this attack greatly.

Allowing showing different domains than the actual click target is wildly reckless and should be punishable.

"Oh but our poor advertisers want to use click tracking and it is too hard to set up on their main domain". Oh boo hoo, I'm sure if it is important to them they will figure it out.