Contributing on GitHub requires JS and that creates challenges and some are discouraged

That sucks, I didn’t realize GitHub has locked down their contact form that much. They have a “Can’t sign in?” link on the support page in case you haven’t seen it, but I’m guessing it’s not useful?

As a last resort, there are some anonymous phone number rental services (payable in cryptocurrency): https://kycnot.me/?t=service&q=phone

1 Like

ok, just so you know there is also the qubes-devel mailing list – github and that mailing list are the two official places where development & contributions happen.

The mailing list is where discussions happen. Any code contribution (development) must go through a pull request on GitHub.

so maybe for you it would be easiest to start a thread on the mailing list citing the github issue?

That assumes that one can read the issue and the comments in it.

1 Like

no? people can sign & attach a patch, just like a lot of other mailing lists for FOSS.

that hasn’t been brought up as an issue previously, the issue of this thread is signing into github.

1 Like

no? people can sign & attach a patch, just like a lot of other mailing lists for FOSS.

Here is the answer I received when discussing improvements to the firewall and pasting code in the list:

If you open a pull request on github, we have quite extensive set of tests I can schedule from there.

I guess the whole process is configured in a way which requires that.

BTW, the mailing list itself is hosted with Google (another PRISM company) and the “To view this discussion” links in message footers are not viewable in Tor Browser and disabled JS. Example:

https://groups.google.com/d/msgid/qubes-devel/Zk6I9FsTh2YLoFs3%40mail-itl

that hasn’t been brought up as an issue previously, the issue of this thread is signing into github.

This thread was split from another where you can see how it started and what was mentioned.

5 Likes

in that thread i do not see you once mentioning that you cannot use github, nor do i see a patch rejected because you are not using github.

you proposed a patch via the list, received feedback on improving the content of the patch, there wasn’t an updated patch, and it was left there.

i don’t know the purpose of “to view this discussion” but it is a mailing list, you can view content in a mail client. there are also third-party mirrors of the list (and the other Qubes OS mailing lists) with simpler/cleaner UI:
https://www.mail-archive.com/qubes-devel@googlegroups.com/
https://marc.info/?l=qubes-devel&r=1&w=2

ok sorry you need to use JS to view the team’s current github tasks on github, i think that’s a niche concern currently - there are a lot of other places where you can see what the team is working on.

obviously it would be amazing to not use github or google. just because we don’t trust infrastructure doesn’t mean we need to use shitty/annoying/privacy-invasive infrastructure. it is certainly something we are aware of, we will keep an eye on the alternatives, and maybe in the future things will change.

but the underlying point remains: for contributors who don’t want to use JS on the github website, you can use github via git. if you’re unable to use github, you can contribute via the mailing list. that option has existed before we used github and will probably exist (in some form) afterward as well.

8 Likes

Notify me when that idea is taken seriously by the Qubes OS team.

4 Likes

hi, you are complaining on the official user forum that is not hosted by microsoft or google.

2 Likes

I never complain, but feel free to interpret all/any of my one-liner quotes however you want to perceive them.

2 Likes

I have submitted to the mailing list. Please accept it.

3 Likes

I guess Microsoft (GitHub) and Amazon should be also on that list.

Then the next evolution would be to say “no cloud servers”. Related: Self-Hosting vs Third Party Hosting

In an ideal world, gitweb (such as GitHub) would be using decentralized hosting.

Decentralized hosting - serverless without a server - is unfortunately a very weak movement, both in demand from users and in development focus from developers. Instead, more and more mandatory centralization in the form of clouds and CDNs is happening.

Decentralized hosting - sometimes also called serverless (as in without server) - even had their word definition amended. For reference, see definition of serverless.

2 Likes

Related:

5 Likes

in that thread i do not see you once mentioning that you cannot use github, nor do i see a patch rejected because you are not using github.

That is not quite correct but I won’t go into it since it is off-topic. I hope you don’t mind.

i don’t know the purpose of “to view this discussion”

It is self-explanatory.

ok sorry you need to use JS to view the team’s current github tasks on github, i think that’s a niche concern currently - there are a lot of other places where you can see what the team is working on.

This is focused only on one thing of multiple others mentioned in the current discussion.

obviously it would be amazing to not use github or google.

What do you mean?

just because we don’t trust infrastructure doesn’t mean we need to use shitty/annoying/privacy-invasive infrastructure. it is certainly something we are aware of, we will keep an eye on the alternatives,

See claws-mail for example - a small but active FOSS project which:

  • uses git (but not GitHub)
  • has a mailing list (not hosted with Google, and not a JS-walled Discourse)
  • has a bugzilla which does not require JS
  • its website does not use Cloudflare (unlike qubes-os.org)

and maybe in the future things will change.

The “we are still working on” issue linked in the docs is from June 2018. Which alternatives have been considered during that time?

3 Likes

yeah it’s strange really. But a lot of that is privacy stuff and qubes os is strictly about security even though they are so closely coupled because if a dev doesn’t have anonymity then that becomes a big security threat.

Another point related to this discussion is if there is even a point in being able to enable JS at all when using tor browser? Because whonix docs say in many places that you should not do anything on tor which uses your real identity. And if you have JS enabled that means they can track your mouse movement and that’s one of the most accurate unique digital fingerprints that exist. So if they are tracking mouse movement which is a high probability then they know exactly who you are and Tor isn’t helping.

1 Like

But a lot of that is privacy stuff and qubes os is strictly about security

With Snowden on home page.

1 Like

Citation required.

There is a wiki chapter Keep Anonymity Modes separate but it isn’t saying exactly that.

Quote Mouse Fingerprinting

Disabling JavaScript cannot mitigate this as it can also be done with just CSS. The author of the kloak software tool has noted high accuracy device fingerprinting can be performed with DOM event timestamps and this affects both keyboard and mouse events.

A solution was implemented that involves slight delays of mouse events to throw off phase estimation in kloak.

Includes footnotes with references.

But then it’s unavailable in Qubes at time of writing. Future:

But getting more and more off-topic.

Seems fair.

No mention of privacy in the quoted tweet.

3 Likes

Seems fair.

x.com

No mention of privacy in the quoted tweet.

For those who don’t recognize the most popular privacy activist, the home page mentions that explicitly.

1 Like

Didn’t know css was so effective, that’s very sad to hear. That goes from being able to use 0.1% of the internet down to 0%, great!

Kloak to prevent mouse movement tracking sounds like it could be a good solution, I’ll have a look at it. But I wonder what I will do until qubes 4.3 is released. I guess I’ll keep using my old laptop until then.

1 Like

To me it’s obvious that @capsizebacklog meant that if you want to stay anonymous, you shouldn’t use your real identity. This is indeed more or less what’s written in the docs, isn’t it?

3 Likes

My opinion is not very important, but I strongly disagree with this

Yes, github is potentially a little inconvenient for signup for some number of users. But it’s far from impossible. Additionally, suggesting that signing up is inherently de-anonymizing is nonsense, in my opinion. How is it any different than using this forum?

If someone is able to use Qubes and write up issues or write code to contribute, then they know how to protect themselves behind a pseudonymous account on github

Qubes gitlab would just be a big pile of wasted time and money, would probably be unused, and would only serve as an easy target for attempting various targeted attacks. For example, “dumb” bugs like XSS could become very powerful on a gitlab instance used only by Qubes developers/contributors/users

Using github provides a lot of security benefits that aren’t immediately obvious, or even considered security controls

I won’t get into the workflow problems that would be created because I don’t know enough about the CI/CD stuff. But seems a major consideration also

Sounds like a solution in search of a problem, assuming it was a well intentioned suggestion

1 Like

Additionally, suggesting that signing up is inherently de-anonymizing is nonsense, in my opinion.

Anonymity means having no name. A pseudonym is a name, an identifier.

The more unique the combination of parameters you can add around a pseudonym, the more accurate the fingerprint (even without an explicit pseudonym).

I wonder what is your methodology of claiming that observable facts are nonsense.

How is it any different than using this forum?

As a technical possibility against user privacy through the same technology, it is not. Yet:

GitHub is proprietary software operated by an actor with particular history.
The other is FOSS, operated by a different actor (in the case of currently hosted forum).

If someone is able to use Qubes and write up issues or write code to contribute, then they know how to protect themselves behind a pseudonymous account on github

What makes you think that every programmer or bug reporter is also an expert (or interested) in privacy protection? The two things are unrelated.

Using github provides a lot of security benefits that aren’t immediately obvious, or even considered security controls

GitHub has been censoring whole countries. Suppose one is a developer/contributor in some of those countries and gets blocked at a certain time. How is his potentially long-term contribution secured?

4 Likes