Netbooks and other GNU/Linux laptops
Conspicuous by their absence from electronics stores are laptops certified by the manufacturer as driver-compatible with free operating systems such as GNU/Linux, especially compact laptops with screens 11.6 inch or smaller. This "netbook" segment was formally EOL'd in 2012 in favor of tablets running more limited smartphone operating systems. System76 and Purism laptops are not only larger but also mail order, which means the buyer has no chance to try the screen and keyboard before buying.
More widespread support for non-SMS 2-factor authentication
Pay-as-you-go cellular plans in the United States still charge for incoming calls, yet 2-factor authentication on Twitter still sends SMS for each login attempt even if the user has set up TOTP.
Game mods
Video game consoles still don't support community-developed extensions to gameplay, with a few highly circumscribed exceptions.
Accidental music plagiarism
Copyright law obligates composers to create original music as opposed to music that is too similar to something that someone else wrote. Even accidental plagiarism can lead to infringement judgments with damages on the order of a million dollars (Bright Tunes Music v. Harrisongs Music), which spells sure financial ruin for small-time composers. But to my knowledge there's no search engine that a composer can put a piece of music into and see if someone else has already written and copyrighted something substantially similar.
Cross-site web subscription
A user is unlikely to be willing to spend $6 for an entire month's subscription to a website or a 300-pack of article views just to view a single article, putting the other 299 article views or 29.9 days of subscription to waste. It'd be better if a subscription. Google Contributor would be a start toward this, except it probably feeds subscribers' click streams back to the same company's adtech services (AdSense and DoubleClick).
Ad serving that respects viewers' privacy
Newspaper ads do not surveil each reader to infer a detailed interest profile specific to each reader. So why do web ads have to do so? It should be easier for website operators to sell their own ad space to advertisers, so that no ad network or ad exchange needs to snoop on readers' click streams.
Rural broadband
A lot of the United States is still outside the footprint of any fiber, cable, or DSL Internet provider. This means home Internet users are stuck on satellite or cellular connections, generally with a restrictive monthly cap that a household with multiple computing devices could trigger just by downloading semiannual operating system updates.
Transport Layer Security (TLS) on local area networks (LANs)
The Internet of Things (IOT) has no public key infrastructure (PKI). Many devices that connect to a home network expose a web-based configuration interface, such as a router, printer, thermostat, or network attached storage (NAS). But with more and more web platform features becoming available only in secure contexts (meaning HTTPS unless served from 127.0.0.1), operators of home servers will have to change them from cleartext HTTP to HTTPS. And because public certificate authorities (CAs) don't issue in the multicast DNS domain (.local), each head of household would have to buy a fully-qualified domain name for use by these devices' certificate provisioning process and keep this domain renewed. Is there an alternative to this being a huge windfall for domain registrars?
Code signing
Microsoft requires peripheral manufacturers to
Depending on context, more precise terms could be any of the following:
Pregnant with one offspring, in a species that ordinarily produces litters of 2
Pregnant with offspring missing its hind limbs, as an analogy to the term "half lady" formerly used for circus performers missing both legs high above the knees. These include Jeanie Tomaini (then) or Jen Bricker (now).
Halfway to term in pregnancy
There is no "managed to run it.". It's running.
"Barely running Linux" is likely to mean running without driver support for the hardware features that an end user would expect to be able to use with a port of Linux. A Linux system without input, accelerated graphical output, audio output, persistent file system, networking, or power management is a starting point. But until it's shown running an application as a proof of concept, such as something using SDL, it's still in a state that one could describe as "barely" or "managed to".
How would the public key for each author be verified? TOFU?
you are verifying that the author of X version 1.1 is the same as the author of X version 1.0.
So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:
1. If setting up a new machine, how would you already have the public key for the author of X version 1.0? 2. For a brand-new project, how would the author of X version 1.0 gain reputation for the project's public key?
No. I reply and ask them why the hell they're using that archaic compression algorithm.
Because of compatibility. Even a file compressed with "that archaic compression algorithm" is smaller than the combination of the same file compressed with a newer compression algorithm and a decompressor for the new compression algorithm that is itself compressed with "that archaic compression algorithm".
Establishing the trust is another big issue, especially when bringing up a particular environment for the first time on a given machine. How many people make a point of verifying the server key fingerprint the first time they connect to a particular SSH server?
Downloading new versions of programs is the source for overage issues when security updates for all the snaps that bundle a particular library cause you to redownload said snaps, in turn causing you to exceed the monthly Internet data transfer quota that your ISP imposes on your household.
Even if disk space and memory aren't in short supply on full-size tower PCs nowadays, they're still in short supply on compact laptop PCs. And I thought the price of DRAM had been trending upward over the past several years.
Dynamic linked libraries are still better, even as snaps, because you can still update the library in a snap. [...] So just because you linked against version 1.0.0 of libfoo, doesn't mean it will work against version 1.0.1.
If 1.0.0 and earlier have a security vulnerability, but the application does not work does not work with 1.0.1 and later, what should users of the application do to transition from the application to a replacement application?
Their bundles are convenient and not that wasteful of space
I remember reading horror stories of a "hello world" app written in the Swift language taking several megabytes because of the size of the required Swift runtime. The overhead per bundle would appear to encourage bigger, more complicated apps as opposed to the smaller, more focused apps associated with the UNIX philosophy.
If someone chooses to buy hardware that has no free drivers to run it, when alternatives do exist, who's to blame?
The person who bought it to give as a gift. Or the market, when alternatives do not in fact exist. On that note:
ASUS T100TA
alternatives do exist
I'm curious as to what they are. Which laptop or detachable with a 10 to 11.6 inch display do you recommend for running GNU/Linux without proprietary binary blobs?
Android 8+ device
alternatives do exist
I'm curious as to what they are. Which pocket computer with WLAN and cellular voice and data communication capability do you recommend for use without proprietary binary blobs?
Should we also blame Apple when a random USB gadget designed for Windows has no drivers for OS X?
Not usually, because Apple publishes enough information about I/O Kit to allow peripheral manufacturers to port drivers to macOS. Thus I would instead place blame on peripheral manufacturers with one exception: peripherals produced in such low volume that the extra cost to support macOS would be prohibitive, such as the "INL Retro" NES cartridge writer. For that, I'd blame the developers of popular programming languages' standard libraries for not providing a cross-OS framework that wraps each operating system's framework for user-mode drivers.
No the point is that you can't just take AOSP, build it and install it on any device.
Google is trying to fix that. Treble in Android 8 is an ABI allowing new versions of Android to install on top of the hardware abstraction layer provided by the manufacturer of an Android 8+ device. It'll be more like Windows or some GNU/Linux distributions, where the blobs are their own separate package and have their own test suite (Treble VTS on Android or HCK on Windows).
I can take the ubuntu source, build it and run it on just about any PC
And be without accelerated graphics, audio, WLAN, and suspend until you install blobs. Good luck building Debian or any other GNU/Linux distribution from source and installing it on an ASUS T100TA, for which many key blobs were never remade for Linux (source).
are you saying that it is a problem if your printer config page says "not secure" in the browser bar?
I'm saying it's a problem if I can't, for example, view media that I have stored on my NAS box because its presentation in the browser relies on JS APIs that are reserved for secure contexts.
They should at either have a maintainable list of sites I deem trusted, or be able to recognize local network devices and shut the fuck up when I am accessing them.
The latter leads to security failure, as your browser would trust "local network devices" operated by an attacker on the open WLAN at a coffee shop.
The sad thing is I am starting to prefer other browsers which don't have these annoying features.
Which might these be? The same features you decry in Google Chrome are likely to show up in other derivatives of Chromium, and Firefox is implementing the same features.
Name a computing device from the past ten years running any operating system that doesn't have any proprietary bits in it. CPUs in even Purism Librem PCs have proprietary microcode.
Or was your point that all computing devices are equally unacceptable because they have at least one line of proprietary code in them?
It isn't even an issue of money either. Let's Encrypt offers free certificates
Only to a domain owner. Neither Let's Encrypt nor any other CA included in the browsers' default certificate store offers any certificates for use with (say).local, the TLD reserved for use with multicast DNS. What certificate should (say) the configuration interface of your home NAS use?
Let's Encrypt makes it easy and free for every website to be https.
This is true of public websites. It is not true of private websites hosted by web servers on a home local area network. Examples include the configuration interface of your router or printer. These have no certificate because they have no fully-qualified domain name (FQDN).
Or is everyone who operates a LAN at home expected to already own a domain?
Someone who shouldn't be allowed to have a certificate for bankofarnerica.com shouldn't even be allowed to own the domain bankofarnerica.com in the first place. Typosquatting is in the bailiwick of the UDRP.
It's called using Splashtop/Teamviewer to access either a full system in the cloud (such as an Azure/AWS instance)
A "full system in the cloud (such as an Azure/AWS instance)" ceases to exist if I stop paying the recurring fee for continuing to run it.
or your desktop at home
Some ISPs in some countries allow incoming connections to residential subscribers' PCs. This works because each subscriber has a separate IP address that is dynamic but changes daily or less frequently.
But not all home ISPs can allow this. Because of IPv4 address exhaustion, ISPs in some countries put most subscribers behind a carrier-grade network address translation (CGNAT) appliance, making no allowance for incoming connections. The "desktop at home" then has an IPv4 address in a reserved range that is not publicly routable, which per RFC 6598 is 100.64.0.0/10. They charge a substantial additional recurring fee for a static IP address, with no middle tier for a dynamic IP address that changes daily or less frequently. This can be circumvented with a tunnel that accepts connections from both the home PC and the mobile device, but that's yet another recurring fee.
/work.
I imagine very few employers are willing to allow use of a desktop PC at work for an employee's personal projects. Some don't even pay extra for a static IP address at work, especially in the IPv4-poor countries that I mentioned earlier. This can be circumvented with a tunnel that accepts connections from both the home PC and the mobile device, but that's yet another recurring fee.
In addition, all three workarounds that you suggest become inaccessible once I stop paying the additional recurring fee to a cellular ISP for a cellular Internet connection on top of what I'm paying my home ISP for an Internet connection at home. Running the IDE locally does not require this additional recurring fee.
How is an AWS instance plus additional data transfer allowance for my phone really cheaper than a laptop over the laptop's expected service life?
Slashdot Mirror
Summarizing my list of unresolved axes to grind:
Netbooks and other GNU/Linux laptops Conspicuous by their absence from electronics stores are laptops certified by the manufacturer as driver-compatible with free operating systems such as GNU/Linux, especially compact laptops with screens 11.6 inch or smaller. This "netbook" segment was formally EOL'd in 2012 in favor of tablets running more limited smartphone operating systems. System76 and Purism laptops are not only larger but also mail order, which means the buyer has no chance to try the screen and keyboard before buying. More widespread support for non-SMS 2-factor authentication Pay-as-you-go cellular plans in the United States still charge for incoming calls, yet 2-factor authentication on Twitter still sends SMS for each login attempt even if the user has set up TOTP. Game mods Video game consoles still don't support community-developed extensions to gameplay, with a few highly circumscribed exceptions. Accidental music plagiarism Copyright law obligates composers to create original music as opposed to music that is too similar to something that someone else wrote. Even accidental plagiarism can lead to infringement judgments with damages on the order of a million dollars (Bright Tunes Music v. Harrisongs Music), which spells sure financial ruin for small-time composers. But to my knowledge there's no search engine that a composer can put a piece of music into and see if someone else has already written and copyrighted something substantially similar. Cross-site web subscription A user is unlikely to be willing to spend $6 for an entire month's subscription to a website or a 300-pack of article views just to view a single article, putting the other 299 article views or 29.9 days of subscription to waste. It'd be better if a subscription. Google Contributor would be a start toward this, except it probably feeds subscribers' click streams back to the same company's adtech services (AdSense and DoubleClick). Ad serving that respects viewers' privacy Newspaper ads do not surveil each reader to infer a detailed interest profile specific to each reader. So why do web ads have to do so? It should be easier for website operators to sell their own ad space to advertisers, so that no ad network or ad exchange needs to snoop on readers' click streams. Rural broadband A lot of the United States is still outside the footprint of any fiber, cable, or DSL Internet provider. This means home Internet users are stuck on satellite or cellular connections, generally with a restrictive monthly cap that a household with multiple computing devices could trigger just by downloading semiannual operating system updates. Transport Layer Security (TLS) on local area networks (LANs) The Internet of Things (IOT) has no public key infrastructure (PKI). Many devices that connect to a home network expose a web-based configuration interface, such as a router, printer, thermostat, or network attached storage (NAS). But with more and more web platform features becoming available only in secure contexts (meaning HTTPS unless served from 127.0.0.1), operators of home servers will have to change them from cleartext HTTP to HTTPS. And because public certificate authorities (CAs) don't issue in the multicast DNS domain (.local), each head of household would have to buy a fully-qualified domain name for use by these devices' certificate provisioning process and keep this domain renewed. Is there an alternative to this being a huge windfall for domain registrars? Code signing Microsoft requires peripheral manufacturers toThere is no half pregnant.
Depending on context, more precise terms could be any of the following:
There is no "managed to run it.". It's running.
"Barely running Linux" is likely to mean running without driver support for the hardware features that an end user would expect to be able to use with a port of Linux. A Linux system without input, accelerated graphical output, audio output, persistent file system, networking, or power management is a starting point. But until it's shown running an application as a proof of concept, such as something using SDL, it's still in a state that one could describe as "barely" or "managed to".
How would the public key for each author be verified? TOFU?
you are verifying that the author of X version 1.1 is the same as the author of X version 1.0.
So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:
1. If setting up a new machine, how would you already have the public key for the author of X version 1.0?
2. For a brand-new project, how would the author of X version 1.0 gain reputation for the project's public key?
They aren't really competing with the likes of Asmodee, Hans im Glück, Pegasus, Ravensburger, Kosmos, etc.
Hasbro is the American publisher of the Ravensburger game Memory.
No. I reply and ask them why the hell they're using that archaic compression algorithm.
Because of compatibility. Even a file compressed with "that archaic compression algorithm" is smaller than the combination of the same file compressed with a newer compression algorithm and a decompressor for the new compression algorithm that is itself compressed with "that archaic compression algorithm".
Establishing the trust is another big issue, especially when bringing up a particular environment for the first time on a given machine. How many people make a point of verifying the server key fingerprint the first time they connect to a particular SSH server?
How would the public key for each author be verified? TOFU? International travel to code signing parties?
Since when in this day and age is hard drive and memory space been an issue?
Since at least 18 months ago, the general price trend for memory space has been upward. (Source: Memory - Price Trends - PCPartPicker)
Programs aren't the source for storage issues.
Downloading new versions of programs is the source for overage issues when security updates for all the snaps that bundle a particular library cause you to redownload said snaps, in turn causing you to exceed the monthly Internet data transfer quota that your ISP imposes on your household.
Even if disk space and memory aren't in short supply on full-size tower PCs nowadays, they're still in short supply on compact laptop PCs. And I thought the price of DRAM had been trending upward over the past several years.
Dynamic linked libraries are still better, even as snaps, because you can still update the library in a snap.
[...]
So just because you linked against version 1.0.0 of libfoo, doesn't mean it will work against version 1.0.1.
If 1.0.0 and earlier have a security vulnerability, but the application does not work does not work with 1.0.1 and later, what should users of the application do to transition from the application to a replacement application?
Their bundles are convenient and not that wasteful of space
I remember reading horror stories of a "hello world" app written in the Swift language taking several megabytes because of the size of the required Swift runtime. The overhead per bundle would appear to encourage bigger, more complicated apps as opposed to the smaller, more focused apps associated with the UNIX philosophy.
Which laptop or detachable with a 10 to 11.6 inch display do you recommend
The FSF has a list of computers they recommend
Most are refurbished Lenovo ThinkPad laptops, and zero of those are in the size range I mentioned.
If someone chooses to buy hardware that has no free drivers to run it, when alternatives do exist, who's to blame?
The person who bought it to give as a gift. Or the market, when alternatives do not in fact exist. On that note:
ASUS T100TA
alternatives do exist
I'm curious as to what they are. Which laptop or detachable with a 10 to 11.6 inch display do you recommend for running GNU/Linux without proprietary binary blobs?
Android 8+ device
alternatives do exist
I'm curious as to what they are. Which pocket computer with WLAN and cellular voice and data communication capability do you recommend for use without proprietary binary blobs?
Should we also blame Apple when a random USB gadget designed for Windows has no drivers for OS X?
Not usually, because Apple publishes enough information about I/O Kit to allow peripheral manufacturers to port drivers to macOS. Thus I would instead place blame on peripheral manufacturers with one exception: peripherals produced in such low volume that the extra cost to support macOS would be prohibitive, such as the "INL Retro" NES cartridge writer. For that, I'd blame the developers of popular programming languages' standard libraries for not providing a cross-OS framework that wraps each operating system's framework for user-mode drivers.
No the point is that you can't just take AOSP, build it and install it on any device.
Google is trying to fix that. Treble in Android 8 is an ABI allowing new versions of Android to install on top of the hardware abstraction layer provided by the manufacturer of an Android 8+ device. It'll be more like Windows or some GNU/Linux distributions, where the blobs are their own separate package and have their own test suite (Treble VTS on Android or HCK on Windows).
I can take the ubuntu source, build it and run it on just about any PC
And be without accelerated graphics, audio, WLAN, and suspend until you install blobs. Good luck building Debian or any other GNU/Linux distribution from source and installing it on an ASUS T100TA, for which many key blobs were never remade for Linux (source).
are you saying that it is a problem if your printer config page says "not secure" in the browser bar?
I'm saying it's a problem if I can't, for example, view media that I have stored on my NAS box because its presentation in the browser relies on JS APIs that are reserved for secure contexts.
They should at either have a maintainable list of sites I deem trusted, or be able to recognize local network devices and shut the fuck up when I am accessing them.
The latter leads to security failure, as your browser would trust "local network devices" operated by an attacker on the open WLAN at a coffee shop.
The sad thing is I am starting to prefer other browsers which don't have these annoying features.
Which might these be? The same features you decry in Google Chrome are likely to show up in other derivatives of Chromium, and Firefox is implementing the same features.
Name a computing device from the past ten years running any operating system that doesn't have any proprietary bits in it. CPUs in even Purism Librem PCs have proprietary microcode.
Or was your point that all computing devices are equally unacceptable because they have at least one line of proprietary code in them?
Name a single product running AOSP.
Archos 43 Internet Tablet. Kindle Fire. Fire Phone. Every Android device intended for the People's Republic of China market.
It isn't even an issue of money either. Let's Encrypt offers free certificates
Only to a domain owner. Neither Let's Encrypt nor any other CA included in the browsers' default certificate store offers any certificates for use with (say) .local, the TLD reserved for use with multicast DNS. What certificate should (say) the configuration interface of your home NAS use?
GoDaddy, Gandi, Namecheap, and other registrars have registered over 14,000 paypal phishing certificates. Should we call for registrars' blood too?
Let's Encrypt makes it easy and free for every website to be https.
This is true of public websites. It is not true of private websites hosted by web servers on a home local area network. Examples include the configuration interface of your router or printer. These have no certificate because they have no fully-qualified domain name (FQDN).
Or is everyone who operates a LAN at home expected to already own a domain?
Someone who shouldn't be allowed to have a certificate for bankofarnerica.com shouldn't even be allowed to own the domain bankofarnerica.com in the first place. Typosquatting is in the bailiwick of the UDRP.
A CGNAT connection should not be considered a "real" Internet connection.
I agree. However, definition games don't change the reality that in some places, almost no home subscribers have a "real" Internet connection.
It's called using Splashtop/Teamviewer to access either a full system in the cloud (such as an Azure/AWS instance)
A "full system in the cloud (such as an Azure/AWS instance)" ceases to exist if I stop paying the recurring fee for continuing to run it.
or your desktop at home
Some ISPs in some countries allow incoming connections to residential subscribers' PCs. This works because each subscriber has a separate IP address that is dynamic but changes daily or less frequently.
But not all home ISPs can allow this. Because of IPv4 address exhaustion, ISPs in some countries put most subscribers behind a carrier-grade network address translation (CGNAT) appliance, making no allowance for incoming connections. The "desktop at home" then has an IPv4 address in a reserved range that is not publicly routable, which per RFC 6598 is 100.64.0.0/10. They charge a substantial additional recurring fee for a static IP address, with no middle tier for a dynamic IP address that changes daily or less frequently. This can be circumvented with a tunnel that accepts connections from both the home PC and the mobile device, but that's yet another recurring fee.
/work.
I imagine very few employers are willing to allow use of a desktop PC at work for an employee's personal projects. Some don't even pay extra for a static IP address at work, especially in the IPv4-poor countries that I mentioned earlier. This can be circumvented with a tunnel that accepts connections from both the home PC and the mobile device, but that's yet another recurring fee.
In addition, all three workarounds that you suggest become inaccessible once I stop paying the additional recurring fee to a cellular ISP for a cellular Internet connection on top of what I'm paying my home ISP for an Internet connection at home. Running the IDE locally does not require this additional recurring fee.
How is an AWS instance plus additional data transfer allowance for my phone really cheaper than a laptop over the laptop's expected service life?