When the client is about to click on a button that isnāt implemented ā Read more
Fevela.me ā A newsreader-like client for the Nostr social network
I created Fevela, a fork of the great Jumble, because I wanted a Nostr social client that would give me back full control of my attention and time. So I designed an interface similar to that of old good newsreaders, which for me is perfect to encourage exploration of interesting content rather than doomscrolling. I then added some ad hoc filters that can help reduce noise and improve the signal.
Unlike traditional social media thatās designed to maximize your time on t ā¦ ā Read more
When I show up at a new client after being sold as an expert by sales ā Read more
When the client tells me I shouldāve handled responsiveness even though it was never in scope ā Read more
When the sales guy starts talking in a client meeting ā Read more
When I know the client and tell the new guy to comment out code instead of deleting it ā Read more
I keep getting this email occadionally:
Your iCloud storage is almost full
Now for various reasons, I donāt want my children to be using iCloud to store data, files, photos or any of the sort. Theyāre free to use iMessages, and other Apple services like the App Store, etc, but not storage.
So Iāve set about blocking iCloud Storage API(s) via AdGuard Home tonight as well as ensuring that my local network (client users) cannot bypass DNS policies and get out other sneaky ways, because some applications will just use other DNS servers, or DOH or DOT.
Client ID Metadata Document Adopted by the OAuth Working Group
The IETF OAuth Working Group has adopted the Client ID Metadata Document specification! ā Read more
My open letter, to the European Commission digital markets act team:
Hello,
I am joining other developers, concerned about Googles new plan, to approve every app and effectively destroy most of the competing 3rd party stores this way. The biggest one of these alternative stores, most known for their focus on user and developer privacy, already states, this would make it impossible for them to operate: https://f-droid.org/cs/2025/09/29/google-developer-registration-decree.html
Even communities like the XDA forum, where new developers are often introduced to the world of Android development, would likely be strongly impacted, as making, publishing and installing Android apps is made less accessible.
I am not just writing on their behalf, I run a small website myself (https://thecanine.ueuo.com/), that both provides legal modifications, for some android apps - for example adding an amoled dark theme, to the most popular XMPP chat client for Android, or increasing one of Androids keyboard apps height. This all comes after Googles previous changes to the Android operating system, that prevent users from installing old apps (old to Google, can mean only a couple of months, without an update - https://developer.android.com/google/play/requirements/target-sdk and the target version gets increased every year). I rely on apps developed by a single developer, even for things like making the pixel art presented on my website and sideloading as a way to make these apps work, before developers can catch up to Googleās new requirements - if Google is allowed to slowly kill these options, us digital artists will soon lose the tools we need to create digital art.
Germany must stand firmly against client-side scanning in Chat Control [pdf]
Article URL: https://signal.org/blog/pdfs/germany-chat-control.pdf
Comments URL: https://news.ycombinator.com/item?id=45464921
Points: 586
# Comments: 132 ā Read more
Of course, all things optional is fine. Like, it will be ignored (just like banner would) for clients having no knowledge of it.
(#abcdefghijkl https://example.com/tw.txt#:~:text=2025-10-01T10:28:00Z), because it can be simply hacked in to clients currently on hashv1 and provides an off-ramp to location-based addressing
I like that property (an off-ramp to location-based addressing), so I think I could live with that approach. ā
(Iām not sure why weāre using text fragments, though. Wouldnāt that link to the first occurence of 2025-10-01T10:28:00Z? Thatās not necessarily correct. And, to be proper URLs that Firefox and Chromium understand, it would also need to be written as 2025%2D10%2D01T10:28:00Z. The dash carries meaning, sadly. I think all this just creates needless complication. How about we just go with https://example.com/tw.txt#2025-10-01T10:28:00Z?)
@zvava@twtxt.net My clients trusts the first url field it finds. If there is none, it uses the URL that Iām using for fetching the feed.
No validation, no logging.
In practice, Iāve not seen issues with people messing with this field. (What I do see, of course, is broken threads when people do legitimate edits that change the hash.)
I donāt see a way how anyone can impersonate anybody else this way. š¤ Sure, you could use my URL in your url field, but then what? You will still show up as zvava in my client or, if you also change your nick field, as movq (zvava).
Great to see so many new clients popping up. š
Exactly, @zvava@twtxt.net, I agree. (Although, in my client at least, I wouldnāt use hashes anywhere.)
↳
In-reply-to
»
@bender Really? š¤
ā¤ Read More
Put another way, what you are proposing/pushing for requires hundreds of lines of code to change across a half dozen or so clients and lots of breaking changes, not to mention unknowns.
What I want us to do is make only a few half dozen or so lines of code changes to our clients and minimize the breaking changes and unknowns.
↳
In-reply-to
»
@bender Really? š¤
ā¤ Read More
@zvava@twtxt.net Going to have to hard disagree here Iām sorry. a) no-one reads the raw/plain twtxt.txt files, the only time you do is to debug something, or have a stick beak at the comments which most clients will strip out and ignore and b) Iām sorry youāve completely lost me! Iām old enough to pre-date before Linux became popular, so Iām not sure what UNIX principles you think are being broken or violated by having a Twt Subject (Subject) whose contents is a cryptographic content-addressable hash of the āthingāā¢ youāre replying to and forming a chain of other replies (a thread).
Iām sorry, but the simplest thing to do is to make the smallest number of changes to the Spec as possible and all agree on a āMagic Dateā for which our clients use the modified function(s).
↳
In-reply-to
»
@bender Really? š¤
ā¤ Read More
@prologic@twtxt.net considering other alternatives we have seeing (of which I have lost track already), yes. Why donāt you guys (client makers) take a step at a time and, for now, increase the hash length to deal with the collisions. Then location-based addressing can be addedā¦ or not, you know. š
TNO Threading (draft):
Each origin feed numbers new threads (tno:N). Replies carry both (tno:N) and (ofeed:<origin-url>). Thread identity = (ofeed, tno).
- Roots:
(tno:N)(implicitofeed=self).
- Replies:
(tno:N) (ofeed:<url>).
- Clients: increment
tnolocally for new threads, copy tags on reply.
- Subjects optional, not required.
ā¦
↳
In-reply-to
»
(#altkl2a) Here is just a small list of thingsā¢ that I'm aware will break, some quite badly, others in minor ways:
ā¤ Read More
@prologic@twtxt.net I know we wonāt ever convince each other of the otherās favorite addressing scheme. :-D But I wanna address (haha) your concerns:
I donāt see any difference between the two schemes regarding link rot and migration. If the URL changes, both approaches are equally terrible as the feed URL is part of the hashed value and reference of some sort in the location-based scheme. It doesnāt matter.
The same is true for duplication and forks. Even today, the ācannonical URLā has to be chosen to build the hash. Thatās exactly the same with location-based addressing. Why would a mirror only duplicate stuff with location- but not content-based addressing? I really fail to see that. Also, who is using mirrors or relays anyway? I donāt know of any such software to be honest.
If there is a spam feed, I just unfollow it. Done. Not a concern for me at all. Not the slightest bit. And the byte verification is THE source of all broken threads when the conversation start is edited. Yes, this can be viewed as a feature, but how many times was it actually a feature and not more behaving as an anti-feature in terms of user experience?
I donāt get your argument. If the feed in question is offline, one can simply look in local caches and see if there is a message at that particular time, just like looking up a hash. Whereās the difference? Except that the lookup key is longer or compound or whatever depending on the cache format.
Even a new hashing algorithm requires work on clients etc. Itās not that you get some backwards-compatibility for free. It just cannot be backwards-compatible in my opinion, no matter which approach we take. Thatās why I believe some magic time for the switch causes the least amount of trouble. You leave the old world untouched and working.
If these are general concerns, Iām completely with you. But I donāt think that they only apply to location-based addressing. Thatās how I interpreted your message. I could be wrong. Happy to read your explanations. :-)
Here is just a small list of thingsā¢ that Iām aware will break, some quite badly, others in minor ways:
- Link rot & migrations: domain changes, path reshuffles, CDN/mirror use, or moving from txt ā jsonfeed will orphan replies unless every reader implements perfect 301/410 history, which they wonāt.
- Duplication & forks: mirrors/relays produce multiple valid locations for the same post; readers see several āparentsā and split the thread.
- Verification & spam-resistance: content addressing lets you dedupe and verify youāre pointing at exactly the post you meant (hash matches bytes). Location anchors can be replayed or spoofed more easily unless you add signing and canonicalization.
- Offline/cached reading: without the original URL being reachable, readers canāt resolve anchors; with hashes they can match against local caches/archives.
- Ecosystem churn: all existing clients, archives, and tools that assume content-derived IDs need migrations, mapping layers, and fallback logic. Expect long-lived threads to fracture across implementations.
@zvava@twtxt.net Good question. This is the spec, I think:
https://twtxt.dev/exts/metadata.html#nick
It doesnāt say much. š¤
In the wild, Iāve only seen ātraditionalā nick names, i.e. ASCII 0x21 thru 0x7E.
My client removes anything but r'[a-zA-Z0-9]' from nick names.
@zvava@twtxt.net There would be only one hash for a message. Some to be defined magic date selects which hash to use. If the message creation timestamp is before this epoch, hash it with v1, otherwise hammer it through v2. Eventually, support for v1 could be dropped as nobody interacts with the old stuff anymore. But Iād keep it around in my client, because why not.
If users choose a client which supports the extensions, they donāt have to mess around with v1 and v2 hashing, just like today.
As for the school of thought, personally, Iād prefer something else, too. Iām in camp location-based addressing, or whatever it is called. There more I think about it, a complete redesign of twtxt and its extensions would be necessary in my opinion. Retrofitting has its limits. Of course, this is much more work, though.
@zvava@twtxt.net And yes yarnd does have a well documented API and two clients (CLI and unmaintained Flutter App)
↳
In-reply-to
»
(#bixispa) @zvava love the direction this is heading, hope this soon evolves into a basic Android app, usable with any instance.
ā¤ Read More
Wanting to add, this isnāt a twtxt client. It is Yarnd on steroids! š
↳
In-reply-to
»
(#z25erwq) @lyse a content warning is kind of like a forum spoiler cut, or like the
ā¤ Read More
<details> tag in HTML; it lets you write a sentence or so that someone can then click to expand to see the actual post. it's called a CW because most people use it to warn for potentially triggering/harmful subjects, but you can really use it for anything, like spoilers in a TV show or even for joke punchlines
@kat@yarn.girlonthemoon.xyz I reckon the original <details> need to have the open attribute set in order to expand it, so I cannot just define some custom CSS rules to do that in my browser.
But in regards to twtxt, my client wonāt hide anything in that realm anyway. :-) Itās just more noise.
JMP: Newsletter: (e)SIM nicknames, Cheogram Android updates, and Cheogram iOS alpha
Hi everyone!
Welcome to the latest edition of your pseudo-monthly JMP update! (itās been 7 months since the last one šØ)
In case itās been a while since you checked out JMP, hereās a refresher: JMP lets you send and receive text and picture messages (and calls) through a real phone number right from your computer, tablet, phone, or anything else that has a Jabber client. Among other things, JMP has these features: Y ā¦ ā Read more
i know yarn has a CLI client in yarnc but ngl i wish there was a TUI client. thatād be really fun
@zvava@twtxt.net Hooray for more twtxt clients š„³
I finally have my new (top-secret) twtxt client in a working state. Next comes the deployment, which I hope to finish tonight. Release date: TBD. Stay tuned!
@dce@hashnix.club Ah, oh, well then. š„“
My client supports that, if you set multiple url = fields in your feedās metadata (the top-most one must be the āmainā URL, that one is used for hashing).
But yeah, multi-protocol feeds can be problematic and some have considered it a mistake to support them. š¤
@dce@hashnix.club Twet is a far better command line client. Yea š
↳
In-reply-to
»
@itsericwoodward Also just a heads up, GIF(s) aren't supproted as an Avatar type on
ā¤ Read More
yarnd (what runs twtxt.net). I'd change this to something that's more supproted like PNG, JPEG, etc.
@eric@itsericwoodward.com Name change is no worries! š Interesting/funnily enough my client yarnd seems to have picked it up automatically which is nice (Iāve historically always had a few bugs to iron out there š¤£)
↳
In-reply-to
»
i'm helping someone get a reverse proxy going on windows and my god this operating system is dogshit
ā¤ Read More
@kat@yarn.girlonthemoon.xyz yeah itās pretty terrible these days. Most recent trouble I had was something as simple as installing and setting up the Tailscale client. On literally all my other devices (Linux and Android) that was a cinch, but on Windowsā¦. ohh boy, I had to mess around with reg edits and all sorts of crap and eventually bludgeoned it into working, but it was a bloody pain.
In 1996, they came up with the X11 āSECURITYā extension:
https://www.reddit.com/r/linux/comments/4w548u/what_is_up_with_the_x11_security_extension/
This is what could have (eventually) solved the security issues that weāre currently seeing with X11. Those issues are cited as one of the reasons for switching to Wayland.
That extension never took off. The person on reddit wonders why ā I think itās simple: Containers and sandboxes werenāt a thing in 1996. It hardly mattered if X11 was āinsecureā. If you could run an X11 client, you probably already had access to the machine and could just do all kinds of other nasty things.
Today, sandboxing is a thing. Today, this matters.
Iāve heard so many times that āX11 is beyond fixable, itās hopeless.ā I donāt believe that. I believe that these problems are solveable with X11 and some devs have said āyeah, we could have kept working on itā. Itās that people donāt want to do it:
Why not extend the X server?
Because for the first time we have a realistic chance of not having to do that.
https://wayland.freedesktop.org/faq.html
Iām not in a position to judge the devs. Maybe the X.Org code really is so bad that you want to run away, screaming in horror. I donāt know.
But all this was a choice. I donāt buy the argument that we never would have gotten rid of things like core fonts.
All the toolkits and programs had to be ported to Wayland. A huge, still unfinished effort. If that was an acceptable thing to do, then it would have been acceptable to make an āX12ā that keeps all the good things about X11, remains compatible where feasible, eliminates the problems, and requires some clients to be adjusted. (You could have still made āX11X12ā like āXWaylandā for actual legacy programs.)
Hereās an example of X11/Xlib being old and archaic.
X11 knows the data type ācardinalā. For example, the window property _NET_WM_ICON (which holds image data for icons) is an array of ācardinalā. I am already not really familiar with that word and Iām assuming that it comes from mathematics:
https://en.wikipedia.org/wiki/Cardinal_number
(It could also be a bird, but probably not: https://en.wikipedia.org/wiki/Cardinalidae)
We would probably call this an āintegerā today.
EWMH says that icons are arrays of cardinals and that theyāre 32-bit numbers:
https://specifications.freedesktop.org/wm-spec/latest-single/#id-1.6.13
So itās something like 0x11223344 with 0x11 being the alpha channel, 0x22 is red, and so on.
You would assume that, when you retrieve such an array from the X11 server, youād get an array of uint32_t, right?
Nope.
Xlib is so old, they use char for 8-bit stuff, short int for 16-bit, and long int for 32-bit:
That is congruent with the general C data types, so it does make sense:
https://en.wikipedia.org/wiki/C_data_types
Now the funny thing is, on modern x86_64, the type long int is actually 64 bits wide.
The result is that every pixel in a Pixmap, for example, is twice as large in memory as it would need to be. Just because Xlib uses long int, because uint32_t didnāt exist, yet.
And this is something that I wouldnāt know how to fix without breaking clients.
It annoys me when I clone a git repository A in order to build and self-host some software, only to realize later that I also needed to clone repos B, C and D. Iām not saying thatās a bad thingālogical separation of code between, say, a client and a server is very handyābut some projects do not communicate very well when you need multiple tools to get it running independently.
OpenBSD has the wonderful pledge() and unveil() syscalls:
https://www.youtube.com/watch?v=bXO6nelFt-E
Not only are they super useful (the program itself can drop privileges ā like, it can initialize itself, read some files, whatever, and then tell the kernel that it will never do anything like that again; if it does, e.g. by being exploited through a bug, it gets killed by the kernel), but they are also extremely easy to use.
Imagine a server program with a connected socket in file descriptor 0. Before reading any data from the client, the program can do this:
unveil("/var/www/whatever", "r");
unveil(NULL, NULL);
pledge("stdio rpath", NULL);
Done. Itās now limited to reading files from that directory, communicating with the existing socket, stuff like that. But it cannot ever read any other files or exec() into something else.
I canāt wait for the day when we have something like this on Linux. There have been some attempts, but itās not that easy. And itās certainly not mainstream, yet.
I need to have a closer look at Linuxās Landlock soon (āsoonā), but this is considerably more complicated than pledge()/unveil():
↳
In-reply-to
»
@bender Both Gopher and Mastodon are a way for me to ābabbleā. š
I basically shut down Gopher in favor of Mastodon/Fedi last year. But the Fediverse doesnāt really work for me. Itās too focused on people (I prefer topics) and I dislike the addictive nature of likes and boosts (Iām not disciplined enough to ignore them). Self-hosting some Fedi thing is also out of the question (the minimalistic daemons donāt really support following hashtags, which is a must-have for me).
ā¤ Read More
@movq@www.uninformativ.de Me too š ā Speaking of which i know youāve lost a bit of āmojoā or āenergyā (so have i of late), rest assured, I want to keep the status quo here with what weāve built, keep it simple and change very little. What weāve built has worked very well for 5+ years and we have at least 3 very strong clients (maybe 4 or 5?).
How One Path Traversal in Grafana Unleashed XSS, Open Redirect and SSRF (CVE-2025ā4123)
Abusing Client Path Traversal to Chain XSS, SSRF and Open Redirect in Grafana
[Continue rea ā¦ ā Read more
How to Play Fortnite on Mac with FnMacAssistant & Sideloadly
Gamers everywhere are happy that Fortnite is back for iPhone and iPad users, but thereās no Mac client in sight (yet anyway). But that doesnāt mean you canāt play Fortnite on the Mac, because if you have an Apple Silicon Mac, and youāre comfortable running some mods and tweaks, you can get the iOS/iPadOS version ā¦ [Read More](https://osxdaily.com/2025/05/31/how-to-play-fortnite-on-mac-with-fnmacassistant-sidel ā¦ ā Read more
$750 Bounty: for HTTP Request Smuggling on Data.gov
How a cleverly crafted desync attack revealed a hidden path to client-side compromise, JS injection and potential cookie theft
[Continue reading on InfoSec Write-ups Ā»](https://infosecwriteups.com/ ā¦ ā Read more