[ANN] [CVE-2024-9680] Update Tor Browser & Firefox immediately

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.

Links:

• https://blog.torproject.org/new-release-tor-browser-1357/
  
• https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
  

n … ⌘ Read more

@2024-10-08T19:36:38-07:00@a.9srv.net Thanks for the followup. I agrees with most of it - especially:

Please nobody suggest sticking the content type in more metadata. 🙄

Yes, URL can be considered ugly, but they work and are understandable by both humans and machines. And its trivial for any client to hide the URLs used as reference in replies/treading.

Webfinger can be an add-on to help lookup people, and it can be made independent of the nick by just serving the same json regardless of the nick as people do with static sites and a as I implemented it on darch.dk (wf endpoint). Try RANDOMSTRING@darch.dk on http://darch.dk/wf-lookup.php (wf lookup) or RANDOMSTRING@garrido.io on https://webfinger.net

It has twts cache which used if timeline is set to jew. Maybe i.should fork twet to make wishes like newlines (i see two squares), showing conversations, showing twts if not found in cache and parsing medata to configure url, nick and followers (currenly it duplicated in config and twtxt file)

Finally pubnix is alive! That’s im missing? Im only reading twtxt.net timeline because twtxt-v2.sh works slowly for displaying timeline…

I mean, this: https://darch.dk/timeline/replies?url=http://darch.dk/twtxt.txt

Thank you @aelaraji@aelaraji.com, I’m glad you like it. I use PHP because it’s everywhere on cheap hosting and no need for the user to log into a terminal to setup it up. Timeline is not mean to be use locally. For that I think something like twtxt2html is a better fit. (and happy to see you using simple.css on you new log page;)

So this is a great thread. I have been thinking about this too.. and what if we are coming at it from the wrong direction? Identity being tied to a given URL has always been a pain point. If i get a new URL its almost as if i have a new identity because not only am I serving at a new location but all my previous communications are broken because the hashes are all wrong.

What if instead we used this idea of signatures to thread the URLs together into one identity? We keep the URL to Hash in place. Changing that now is basically a no go. But we can create a signature chain that can link identities together. So if i move to a new URL i update the chain hosted by my primary identity to include the new URL. If i have an archived feed that the old URL is now dead, we can point to where it is now hosted and use the current convention of hashing based on the first url:

The signature chain can also be used to rotate to new keys over time. Just sign in a new key or revoke an old one. The prior signatures remain valid within the scope of time the signatures were made and the keys were active.

The signature file can be hosted anywhere as long as it can be fetched by a reasonable protocol. So say we could use a webfinger that directs to the signature file? you have an identity like frank@beans.co that will discover a feed at some URL and a signature chain at another URL. Maybe even include the most recent signing key?

From there the client can auto discover old feeds to link them together into one complete timeline. And the signatures can validate that its all correct.

I like the idea of maybe putting the chain in the feed preamble and keeping the single self contained file.. but wonder if that would cause lots of clutter? The signature chain would be something like a log with what is changing (new key, revoke, add url) and a signature of the change + the previous signature.

# chain: ADDKEY kex14zwrx68cfkg28kjdstvcw4pslazwtgyeueqlg6z7y3f85h29crjsgfmu0w 
# sig: BEGIN SALTPACK SIGNED MESSAGE. ... 
# chain: ADDURL https://txt.sour.is/user/xuu
# sig: BEGIN SALTPACK SIGNED MESSAGE. ...
# chain: REVKEY kex14zwrx68cfkg28kjdstvcw4pslazwtgyeueqlg6z7y3f85h29crjsgfmu0w
# sig: ...

Kinda cool tool for bringing together all your timeline based data across socials.

https://github.com/timelinize/timelinize

@prologic@twtxt.net on the the timeline with mentions filter I missing the latest mention that comes up in the mentions page.

Oh.. And you are mentioning my dev instance here 😄

It looks okay on my timeline: http://darch.dk/timeline/conv/omu7e4q

@Prologic@twtxt.net can you pleas fix this line in your twtxt.txt:
# follow = dbucklin@www.davebucklin.com https://www.davebucklin.com/twtxt.txt?nick=dbucklin

It is cause this weird effect on my timeline, where you are now called dbucklin
http://darch.dk/timeline/?profile=https://twtxt.net/user/prologic/twtxt.txt

@prologic@twtxt.net and @bender@twtxt.net for a start a single user twtxt/yarn pod could look like this 😉

Image

Image

ProcessOne: ejabberd Docs now using MkDocs

Image

The ejabberd Docs website did just get a major rework: new content management system, reorganized navigation, improved markdown, and several improvements!

ejabberd started in November 2002 (see a timeline in the ejabberd turns 20 bl … ⌘ Read more

ProcessOne: ejabberd Docs now using MkDocs
The ejabberd Docs website did just get a major rework: new content management system, reorganized navigation, improved markdown, and several improvements!

ejabberd started in November 2002 (see a timeline in the ejabberd turns 20 blog post). And the first documentation was published in January 2003, using LaTeX, see [Ejabberd Installation and Op … ⌘ Read more

The wording can be more subtle like “This feed have not seen much activity within the last year” and maybe adding a UI like I did in timeline showing time ago for all feeds

Image

I agree that it good to clean up the Mastodon re-feeds, but it should also be okay for anyone to spin up a twtxt.txt just for syndicating they stuff from blog or what ever.

The “not receiving replies” could partly be fixed by implementing a working webmentions for twtxt.txt

Just fleshed out the README for timeline at https://github.com/sorenpeter/timeline - Comments/corrections and PRs are welcome:)

@bender@twtxt.net you can over at http://darch.dk/timeline/conv/ba3xbfa or by looking at the raw txt https://lyse.isobeef.org/twtxt.txt
I can’t help it that twtxt.net only have temporary caching ¯_(ツ)_/¯

Thanks for your feedback @lyse@lyse.isobeef.org. For some reason i missed it until now. For now I have implemented endpoint discovery for #webmentions as a metadata field in the twtxt.txt like this:
# webmention = http://darch.dk/timeline/webmention

Added support for #tag clouds and #search to timeline. Based on code from @dfaria.eu@dfaria.eu🙏

Image

It not that easy @xuu@txt.sour.is since I implemented webmentions in a different way that how it have been done in yarnd to work with txt-files. You can find the code in webmention_endpoint.php and new_twt.php at main · sorenpeter/timeline

@eapl.me@eapl.me Take a look at http://darch.dk/timeline/conv/i4nt3ma

Just hacked together this small webfinger endpoint to be used as a companion with timeline: .well-known/webfinger/index.php at main · sorenpeter/timeline

@shreyan@twtxt.net What do you mean when you say federation protocol?

• Either use webfinger for identity like mastodon etc. or use ATproto from Bluesky (or both?)

• We can use webmentions or create our own twt-mentions for notifying someones feed (WIP code at: https://github.com/sorenpeter/timeline/tree/webmention/views)

I’m not sure we need much else. I would not even bother with encryption since other platforms does that better, and for me twtxt/yarn/timeline is for making things public

@eaplme@eapl.me

Didn’t know of bytesypider and bytedance, I assume those are bots, although I no idea why they are pointing to that address to your site
https://wordpress.org/support/topic/psa-bytedance-and-bytespider-bots-recommend-blocking/
You gave me a good idea to block bytespider. Its just weird what it pulls in.

twtxt-php isn’t sending User-Agent headers as it’s in the original spec:
https://twtxt.readthedocs.io/en/latest/user/discoverability.html
sending user agent would be a nice thing to have so that people using regular twtxt clients can find you and anyone else hosting twtxt-php or timeline

HTTP logs are annoying but webmention has an issue that it needs a server to check for webmentions. The server can be an external one or hosted on the same server as far as I can find.
But also HTTP logs need a server that one can view the logs.

@eaplme@eapl.me
Yarn could the twtxt I want more then regular twtxt. Though I do like not having to host a yarn pod.

That client looks really cool. A web client that connects to a regular twtxt without the need to host a full yarn pod for just one user and feed.
What is the difference between twtxt-php and timeline from sorenpeter? Does it have a way to follow feeds from the web ui?

I was looking at it and what prevents someone from downloading the .config file and getting the password? Also how would I generate a totp password to use?
I should try to host that it might be the right not a full on yarn pod but also can post from my phone.

The weird thing is in my server logs it shows that your site pulled in the useragent as https://eapl.me/twtxt/?url=https%3A//neotxt.dk/user/darch/twtxt.txt with bytesypider from bytedance? That sounds weird. Plus I can’t grep just twtxt in my logs and find your feed.

Gracias. Also the git repo now contain code that should actually work

Testing posting for my new http://darch.dk/timeline/

hrxi: Windows support for Dino
Hello, I’m back!

It’s been four years since I participated in my first Google Summer of\
Code. I’m hrxi, a mathematics student from Germany. I got accepted
into this year’s Google Summer of Code program with the XMPP software\
foundation as the mentoring
organisation. I chose the extended\
timeline, so I am
going to work on [ … ⌘ Read more

Why is loading the timeline on the micro.Blog app Soo slow? 🤔 ⌘ Read more

Yudkowsky moved AI alignment research forward by 4 years, but he also sped up timelines by 2.5 years, so it all cancels out

Right now I have to setup jenny for my timeline. Just added myself to the Registry so that part is done.

i think in practice people were most convinced by timelines, if not arguments, then observations abt progress.

China’s Mars mission on track to lead the world in retrieving Martian rocks by 2031, says programme veteran
China’s timeline is two years ahead of a US-European planned Mars mission to return samples to Earth for laboratory testing, according to Sun Zezhou. ⌘ Read more

timeline of audio formats [[https://en.wikipedia.org/wiki/Timeline_of_audio_formats]] #links

@prologic@twtxt.net Is there a desire to, in the future, add some opt-in AJAX to refresh the Timeline?

@prologic@twtxt.net Why not @timeline

@darch@twtxt.net
Getting this when trying to use it:

error executing template timeline: template: timeline:131:43: executing "twt" at <formatForDateTime>: wrong number of args for formatForDateTime: want 2 got 1

@prologic@twtxt.net You will have to agree that always using reply (like I am doing on this one) loses everything on translation after the third or fourth replies. It simply doesn’t promote engagement. On top of that, all replies show on the timeline as well, without much—to none—context.

Improving Git protocol security on GitHub
We’re changing which keys are supported in SSH and removing unencrypted Git protocol. Only users connecting via SSH or git:// will be affected. If your Git remotes start with https://, nothing in this post will affect you. If you’re an SSH user, read on for the details and timeline. ⌘ Read more

I want read-only iOS client that just does the simplest model: pull a list of feeds, make a timeline.

@lucidiot@tilde.town “nuclear realtor” I like this twtxt. [meta: I guess I’ll often just reply with “I like this” or , although perhaps liking could be a primitive. I’ll do it rarely enough to not clutter my timeline tho]

Seems like twtxt-el does not retrieve a timeline. #emacs

@prologic@twtxt.net to answer some of your previous questions, i’m using txtnish for my timeline and user controls, and plain twtxt for posting. the alternative to that would be setting up a bunch of shell aliases or small scripts. or making my own client in Go. There’s a thought… ;)

Fixed txtnish timeline formatting of hashtags on BSD by installing coreutils and replacing fmt with gfmt in the configuration file #twtxt #txtnish #gnu #bsd

@freemor@freemor.homelinux.net Oh well, I played with txtnish commands and now you’re back in my timeline x)

Why is the timeline in reverse order? Meaning, I’d expect to see the most recent twtxts in the end of the output

@freemor@freemor.homelinux.net Nope, nothing changed :/ I even deleted you and followed you again. You just don’t appear in my timeline. It’s weird

GitHub - mholt/timeliner: All your digital life on a single timeline, stored locally https://github.com/mholt/timeliner

@kas@enotty.dk What ? No I don’t, I just use twtxt normally and use the timeline command :/

@freemor@freemor.homelinux.net : Ah, I still don’t see your posts in my timeline even though the file is good on my browser :/