Freedombone Blog

Freedom in the Cloud

Fediverse debrief

I'm going to take time out from the fediverse for a while. It's not that I've been "cancelled", although the level of hostility recently has been exceeding my personal comfort zone and becoming comparable to Twitter.

A critical design problem of this type of system based upon the ActivityPub protocol seems to be that there isn't any granular control over who you associate with or on what terms. It means that adversaries have unlimited potential to reply on your posts or send menacing DMs. Of course it's easily possible to block them, but the sheer volume of this problem recently means that it becomes like a cat and mouse game, or a game of whack-a-mole.

So it's time for me to step back and think about whether ActivityPub is useful as a method of public communications, and whether I ought to be recommending systems in which the user doesn't have much control over who they associate with other than follow or block. Maintaining an increasingly large blocklist and the amount of research which that requires seems unrealistic.

As an analogy from the past, I abandoned trying to support blog comments for similar reasons. The amount of spam became too much to manage, and automated methods such as CAPTCHAs or cryptic questions failed to prevent it.

For now I think the Zap or Hubzilla approach is better, although there are far fewer users of those systems. With something like Zap it is reasonable to expect that the first-time self-hoster could have a good experience on the system, rather than immediately being bombarded by communications which they haven't chosen to opt into.

The end of the Web?

Something seems to be going on with the web. It seems to be heading towards a kind of endgame. For practical purposes there are only two web browser engines which most people use and they're both directly or indirectly controlled by Google. As I write this Google is busying itself trying to prevent ad blockers from working and without ad blocking the experience of browsing the modern web is some combination of insecure, annoying and occasionally horrifying. Targeted ads are like an unwelcome stalker who follows you around.

At the same time W3C - an organization already having profound flaws - appears to be handing over the definition of the HTML standard to Google. Mozilla I regard as being a proxy for Google because it's where they get their money from, and Apple, Microsoft, Mozilla and Google control WHATWG. Since Microsoft gave up making its own browser recently this really leaves Apple and Google as the new pilots of the HTML "living standard".

We can maybe see the future of the web in the form of what Google recently did with confidential emails in Gmail. If you're sending an email that way then it no longer gets transferred via the email protocol. Instead the email becomes merely a notification that something has happened on a Google server and you then have to log in to that server to read it. This is how open standards finally die, having been totally appropriated and subsumed under a superficial appearance of convenience and security theatricality.

A prediction is that in the early 2020s HTML is something delivered centrally by Google and optimized for ad delivery and metadata collection. There is a new era of utility computing in which Google data centers are the mainframes and the idea of personal computers being personal or decentralized is something quaint from the distant past. Unless Mozilla can really clean up their act I think they're heading towards a Netscape-like oblivion, although the codebase will live on and perhaps metamorphose into other things.

Now is a good time to reinvent the web and to revisit its most basic premises. Who should the web work for? Should it be just an ad delivery platform? Who should run the web and who should make the standards?

The changing face of FOSS project hosting

With GitHub introducing a way for projects to receive donations via its site, the business model which Microsoft is going to be deploying is getting clearer. They say that they won't be taking any percentage of the donations for a year, but presumably after that anything goes. Once you have them by the income then it also becomes a lot harder for developers to vacate the platform and they're more likely to accept bad practices being foisted upon them as part of an often subconscious cost/benefit analysis. Microsoft could start leveraging its patent portfolio this way, by taking a bigger percentage of donation money from popular projects as a patent protection racket.

With GitLab being backed by venture capital from Google it's only a matter of time before they exit and maybe do something similar. I'm not against FOSS projects receiving donations, but it's easy to see how this could become a way to lock developers onto monolithic proprietary platforms in a manner where they can't easily escape and where they may feel compelled to accept ugly tradeoffs.

So I think what's needed is a distributed git project hosting system. At this point a giant chorus of developers will say:

But git is already a distributed system

Which it is. But the important parts which facilitate low friction collaboration aren't distributed. Git itself only really supports the 1990s email-based collaboration model used by the Linux kernel. Unless you really have a buttoned down email workflow using something like Mutt and procmail, this isn't easy for most people.

The aim should be to be able to make a pull request or file an issue on a project without needing to have an account on someone's home server. Some form of identity which works with anything but doesn't make life easy for spammers.

If we don't have a good solution for this within the next couple of years then I can foresee that Free Software development is going to become a lot less accessible. Developers are going to feel that they have no choice other than to accept advertising in their hosting system or a requirement to use specific Microsoft tools and unpleasant compromises like that.

The Disappearing Firefox Addons

If you are a Firefox user or use one of its derivatives such as Tor browser then it may not have escaped your attention that all your addons disappeared, including even the default ones such as NoScript.

This appears to have been just a mistake with someone at Mozilla not renewing a certificate. Although Let's Encrypt exists, TLS certificate expiry is still not all that uncommon, even sometimes on well-known sites. Disappearing addons has been a big problem with a relatively mundane cause, but it's a problem which reveals the underlying centralized architecture.

In a decentralized or distributed web one person forgetting to renew a certificate wouldn't be a big deal. It would only affect them or anyone accessing their server or peer. But in the web we've actually got one person at Mozilla forgetting something can render all Firefox browsers effectively useless - or at least a lot less secure. If you're relying upon NoScript in Tor browser to defend you then you could suddenly find that your defenses vanish. Welcome to the totalized web.

Checking signatures on installed software is normal. However, Firefox goes beyond this and repeatedly checks signatures every 24 hours even if addon code has not changed. It does this with a hardcoded constant called XPI_SIGNATURE_CHECK_PERIOD and there's also another constant called MOZ_REQUIRE_SIGNING which indicates that at some point the ability to manually turn off signature checking in about:config is going to go away.

Like most people, I was unaware of all this until NoScript disappeared and couldn't be re-enabled, resulting in the inevitable WTF moment. Apparently there was a minor scandal about addon signing a few years ago, but I must have missed that bandwagon and was probably busy with other things.

So how can this be improved? Within the current paradigm I think that signatures should only be checked when the source code changes. This means creating a hash of the code and storing that. If the hash doesn't match only then should the signature check take place. This would have made yesterday's debacle a lot less acute. In most cases things would have continued to work and Mozilla would have had time to update their certificate without any big fuss. Hashes could be stored natively such that they can't be spuriously modified by other addons.
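The hash-gated check proposed above, written out as an added Node.js example; it is not Firefox code or the author's. `AddonStore`, `verifySignature`, the Ed25519 key pair and the numeric timestamps are hypothetical stand-ins for the browser's add-on database, its signature verifier, the vendor signing key and certificate validity dates.

```javascript
// Added illustration; not Firefox code. All names here are hypothetical.
const crypto = require("crypto");

// Constructed key pair standing in for the vendor's add-on signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");

const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest("hex");

// Full check: the signing certificate must be unexpired AND the signature valid.
function verifySignature(addon, now) {
  if (now > addon.certNotAfter) return false;
  return crypto.verify(null, addon.code, publicKey, addon.signature);
}

class AddonStore {
  constructor() { this.trusted = new Map(); } // addon id -> hash of verified code

  // Install only after a full signature check, then remember the code hash.
  install(addon, now) {
    if (!verifySignature(addon, now)) return false;
    this.trusted.set(addon.id, sha256(addon.code));
    return true;
  }

  // Periodic check: unchanged code stays enabled; changed code must re-verify.
  periodicCheck(addon, now) {
    const current = sha256(addon.code);
    if (this.trusted.get(addon.id) === current) return "enabled (hash unchanged)";
    if (verifySignature(addon, now)) {
      this.trusted.set(addon.id, current);
      return "enabled (re-verified)";
    }
    this.trusted.delete(addon.id);
    return "disabled";
  }
}

function demo() {
  const code = Buffer.from("/* constructed add-on code */");
  const addon = { id: "example-addon", code,
    signature: crypto.sign(null, code, privateKey), certNotAfter: 1000 };
  const store = new AddonStore();
  const installed = store.install(addon, 500);          // certificate still valid
  const afterExpiry = store.periodicCheck(addon, 2000); // expired, code unchanged
  addon.code = Buffer.from("/* modified code */");
  const afterTamper = store.periodicCheck(addon, 2000); // code changed, full check fails
  return { installed, afterExpiry, afterTamper };
}
console.log(demo());
```

In this design the stored hash becomes the trust anchor, which is why it has to live somewhere other addons cannot modify, as the paragraph above says.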

It may also be worth considering whether addons such as NoScript are so essential that they should be built into the browser codebase, rather than being something separate. In the longer term I think that's a better way to go. Mozilla is unlikely to do it, but Tor browser developers could.

Going beyond the current paradigm, the web needs to actually be decentralized or distributed. One company shouldn't be deciding what browser addons people can run and have the ability to turn them off either through malice or oversight. There has been a lot of browser consolidation such that there are now really only two web engines, and this space could do with some disruption - especially with regard to ad blocking. A new browser which has ad blocking as a core feature I think could get quite a lot of traction quite quickly.

The Long Climate Crisis

There have been children protesting today in London as part of the Extinction Rebellion movement. I've been plotting climate change related data for a long time now and indeed there will be trouble ahead. What I think is going to happen in the next few decades isn't going to be a sudden catastrophe but instead is going to resemble what KMO once called The Sucky Collapse.

In the sucky collapse nothing spectacular happens. It's like a no-frills version of austerity. The quality of life just deteriorates slowly over a long period of time. It gets harder to grow crops. Heat waves and other extreme weather events become more common. Food, and consequently everything else, becomes more expensive and a bigger percentage of the population are living in poverty. There will be events which look like tsunamis but where the waters don't subsequently return to previous levels, leaving some areas permanently flooded. Issues resulting from that will affect a significant fraction of the world's population.

Since it's easier to imagine the end of the world than the end of capitalism things like the following are predictable:

Bioengineering of crops to better handle more arid or salt marsh growing conditions

The air conditioning industry booms. Maybe there are air conditioning tycoons. Places like England where air conditioning was uncommon become growth areas.

Average food production moves northwards out of equatorial regions

Attempts to grow crops at sea on floating platforms, probably with mixed success because it's a very harsh environment. Maybe bioengineered seaweed becomes a more common type of food, comparable to corn or rice today.

Resource wars over access to water and arable land

Migrations to higher ground. This will further embolden anti-immigrant political parties and "fortress Europe" style mentality. "I've got mine".

What should we do about climate change? Will climate strikes and rebellions work?

Strikes and rebellions are an attempt to put pressure on governments. Previous attempts to get governments to agree to anti-pollution policies in the 1990s and 2000s didn't work. The agreements were not legally binding and the biggest polluters carried on regardless, often explicitly with government support. So the rebellion represents an attempt to increase the pressure level. Whether this will work remains to be seen, but we already know roughly what needs to take place. Carbon dioxide pollution needs to fall towards net zero within a couple of decades if the worst of the damage to the planet is to be avoided. Coal fired electricity production needs to either be phased out or there needs to be 100% "carbon capture" and storage. The last time I checked, electricity production is about 20% of all CO2 pollution.

I'm sure that many people won't want to hear it but we can't capitalism our way out of this by selling more stuff to more people. "Cap and trade" didn't work and also doesn't seem like a project which can be revived. The era of endless economic "growth" on a finite planet needs to end. In addition to decreasing pollution we also need to decrease consumption and that necessarily also means decrease in inequality. We can't afford to have ridiculously rich people squandering vast amounts of resources. They will have to live more modestly, like everyone else.

And what, you may enquire, are you doing? I don't have much influence over anything or anyone and I already live "basically like a student" with minimal consumption, but this year I've also reduced my electricity use. I no longer run the traditional desktop computer which takes 200W and instead replaced it with a 10W single board computer. My personal electricity use is now within the range where if I had the money and the real estate I could probably suffice on solar panels.

Integrating RSS

Twenty years after the invention of RSS its fortunes as a protocol appear to be dwindling. The Firefox browser has done an especially lamentable job of making RSS easy to use. The main reason for that seems to be not that it isn't a useful technology but that it doesn't readily enable the kinds of surveillance which largely fund the contemporary web. There is typically no tracking on a list of links and traditionally there haven't been many attempts to insert ads into RSS feeds. RSS feeds are also not subject to any AI-driven timeline algorithms which bias some content above others.

RSS readers have existed within Freedombone for a long time, first with Tiny Tiny RSS then SmolRSS and now there is integration of RSS into the web interface via a system called RSS Garden. The aim is to make subscribing to and reading RSS feeds maximally convenient.

There's an RSS button you can select on the admin or home screens on the web interface, which lists entries for feeds you're subscribed to and you can add or remove feeds by clicking on the title at the top.

And of course the web interface is either available on the local network or via an onion address.

Because the home screen may be available to multiple members of your household adding and removing feeds is only accessible by the admin, so that for example someone can have parental control of what feeds get listed. Later this might be elaborated into a true multi-user reader experience.

RSS integration is currently only available on the buster development branch, which is expected to be formally released in one or two months' time.