Contributing on GitHub requires JS and that creates challenges and some are discouraged

Again, if anyone wants to open an account but is unwilling to do
this because it requires JS, then I’m happy to do this via Tor on your behalf.

How are you going to transfer the account ownership without compromising the other person’s identity (e.g. by linking your communication with the person and the account you created)?

Also how does anyone know you are the trustworthy you and not someone who has stolen your identity?

So many ways in which you can contribute.

Then why not implement and use the privacy-respecting ones?

1 Like

Could someone who isn’t scared of JS be so kind as to post me the
contents of Sign in to GitHub · GitHub
Thanks in advance

Why can’t you do it yourself? I mean - you offer to create accounts for those who don’t want to use JS, then this.

1 Like

Well, if anyone would, it would have to be you…

Come on, we can’t have come this far only to find out you actually secretly love the JS. Don’t hit me with that plot twist. I don’t think I could handle it… :sweat_smile:

Because I just did it for him. :slight_smile:

Would you like an account? I’ll make you one. Then you can use the command line and commit patches via Tor, once you’ve finished being “busy with stuff”.


If that doesn’t work, I guess if you do want to contribute patches, I propose that you print the diffs out onto IBM punched cards, and post them to the following address:
Suite 509
SBM Tower
1 Queen Elizabeth II Ave
Place D’Armes
Port Louis
Mauritius

They will then be fed into an IBM 2501, then written to an IBM 9332-400 DASD, then placed on an ocean freighter, which will then go out into international waters, where the DASD will be spun up.

Then, the diff file will be loaded onto a Qubes OS machine booted from PXE and running entirely in RAM, with 6 different satellite internet providers’ transceivers plugged in, with accounts registered with different names for each provider.

The diff will then be encrypted using the Qubes OS public key that we all use to verify downloads, and then broken into 28-byte chunks.

It will then be sent to the Qubes devs via Tor, with each 28-byte chunk taking not only a unique onion route, but also being initiated from one of the 5 satellite transceivers, ensuring that to the fullest extent possible, nobody has a clue what the hell is going on.

Upon successful completion of upload, the punched cards will then be shredded, set on fire, and the resulting ashes thrown overboard into the Indian Ocean.

Oh yeah, all the vessel’s crew also will be blindfolded while doing this, for your protection.

No JavaScript or CSS anywhere.

I recommend posting them in a waterproof satchel. If the cards lose their stiffness and cause the machine to jam, your patch will be rejected.

Oh, and don’t forget to wear gloves.

3 Likes

Well, if anyone would, it would have to be you…

Damn! You caught me.

Because I just did it for him. :slight_smile:

Brave, brave, brave, brave Sir Robin!
He was not in the least bit scared of JS.

Oh, and don’t forget to wear gloves.

I prefer mittens. This is a special form of client-side hashing, so that when I type on the keyboard, nobody will be able to see which fingers I actually use. And this protects the keyboard from typing DDoS!

3 Likes

Bravely Bold Sir Robin, rode forth from the castle of Ruby-lot
He was not afraid to console.log, O’ Brave Sir Robin!
He was not at all afraid to weaken his types in nasty ways!
Brave, Brave, Brave, Brave Sir Robin
He was not the least bit scared to use a variable out of scope,
Or to have his prototype polluted, and his exceptions thrown!
To have his friends not callback, and his cache used up!
And his Symfony uglified, and typefaces mangled, Brave Sir Robin!
His functions indexed, and his code minified, and his floating points weird,
And his typescript linted, non-constructors misused, and his promises handled and his variables concat–

Sir Robin: “That- that’s enough lads, looks like there’s dirty work afoot”

(To be fair, “JS” would be a pretty badass name for a dragon in a fairytale… :smiley:)

Also:

If someone can make one up for the Holy Handgrenade, that would make my week :laughing:

Oh, I hadn’t considered mittens. Cancel everyone’s time off, back to the drawing board, scrum meeting NOW! This changes everything… :open_mouth:


Still working on Sourcehut, of course. Will keep you updated :slight_smile:

2 Likes

It seems like there are some fundamental cypherpunk concepts being forgotten about in this conversation.

Plain text is the least secure. After that comes TLS which is better than plain text. You are making good arguments about the problems with TLS. Now is the part where OpenPGP comes in. PGP is the final evolution in security, it’s better than TLS. If the data is tampered with during TLS then you can detect that with digital signatures.

The server/website we are having an account at will have full power over your account if they want to. Yes they can take over your account and pretend to be you. But what they can’t do is sign something with your private key.

Although they are strictly solutions to the topic, they are most likely not solutions that make these users happy because it’s about anonymity. All your solutions don’t let us have anonymity because it requires having an account here in this qubes-os forum which requires an email. Or they need to send it to you via email but email is not anonymous.

4 Likes

(To be fair, “JS” would be a pretty badass name for a dragon in a fairytale… :smiley:)

It’s a tinny sort of word.

Still working on Sourcehut, of course. Will keep you updated :slight_smile:

“Alright, off you go!”

1 Like

What movie is that quote from?

1 Like

What movie is that quote from?

https://inv.nadeko.net/watch?v=nLJ8ILIE780

1 Like

@capsizebacklog

PGP is the final evolution in security, it’s better than TLS.

1 Like

Anonymising or securing other users’ email accounts is beyond my remit. I
assume that someone concerned with these issues would already have
dealt with those matters.

PGP key is available in multiple places.

I work with what I am given. If you can provide a secure alternative
that provides the same features as GitHub at no cost then I am sure the
team would consider it. I don’t see that as yet.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

They are indeed solutions to the topic. If you are unable to use a
secure, anonymised, email, then I do not understand your position.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

Anonymising or securing other users’ email accounts is beyond my remit. I
assume that someone concerned with these issues would already have
dealt with those matters.

The question is not about email but about linking, and that is possible without email too.

PGP key is available in multiple places.

It is not that simple.

I work with what I am given. If you can provide a secure alternative
that provides the same features as GitHub at no cost then I am sure the
team would consider it. I don’t see that as yet.

At no cost = non-material cost. Welcome to post-capitalism.

1 Like

Which other ways are there if you use Tor Browser in Whonix? The only two I can think of is email and mouse movement patterns and user behavior patterns. The latter two are only partially solved by disabling JS because that fingerprinting can be done with just CSS as well. Solving the email problem would be a big step in solving the whole problem. I don’t understand why unman can’t simply say the name of the anonymous and secure email provider, all it takes is a few words. If his anonymity is harmed by saying the name of the email provider then I don’t think it’s actually an anonymous email account. Anonymity loves company. I suspect unman thinks he has an anonymous email but actually doesn’t.

I think cost is a valid obstacle when we don’t have billions of USAID funding which other projects have. I also don’t know what it would cost to host a GitHub alternative for Qubes OS. If it was just a few dollars then I could donate that but if we’re talking hundreds of dollars then that’s a problem.

1 Like

I don’t understand this.
Anyone can search for, and find, the names of anonymous email
providers. There is no special art to that. You could do worse than look
at NordVPN’s blog

As anyone can tell, I don’t use one of those services when dealing with
Qubes matters. (I would say that, wouldn’t I? Perhaps I do?)

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

Which other ways are there if you use Tor Browser in Whonix?

This has nothing to do with browser or JS. It is about infrastructure being owned and the potential of correlating activity, as well as common sense.

Even if you take care of completely anonymizing yourself, the other party (in this case - the proxy registerer) is not completely anonymous and you have zero guarantee that it is not a target, under surveillance, or otherwise compromised. This is not personal, just principles.

And vice versa - if you are completely anonymous, you have no way to “authenticate” yourself in front of your proxy registerer, so he does not know who he is trusting when sending data. Oversimplified example: It might be that you are a GitHub agent who collects evidence that person X creates accounts against GitHub’s terms, which puts your proxy at risk.

The point is: there cannot be trust between unknown entities. An anonymous entity is part of the infrastructure.

I think cost is a valid obstacle when we don’t have billions of USAID funding which other projects have.

Well, I haven’t seen a transparency report about who the Qubes project receives donations from and how it spends them, so I can’t say what is valid or not. We also don’t know what the actual technical requirements for self hosting are, so we can’t possibly know what it may cost.

1 Like

Anyone can search for, and find, the names of anonymous email
providers. There is no special art to that. You could do worse than look
at NordVPN’s blog

Proton, Tuta, Mailfence require JS for registration.

SecMail requires personal data for registration (an existing email address too). So does AnonAddy.

PrivateMail is paid, i.e. can’t be not anonymous.

Guerilla Mail - interesting but I don’t see how one could possibly use E2EE with it.

1 Like

Really? After a first thread about the small number in the team, (of
interest only if based on a mistaken assumption), the thread took an
extensive swerve left into the suggestion (without any evidence) that
potential contributors are being put off by use of JS. And here we are.

I think this is simply false.

So why don’t you work on those requirements, and bring an informed paper
to the team that sets out your concerns, what solution(s) you propose,
how they might be implemented, and what the benefit will be to Qubes.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

Yes you are on to what I was going to say. For an email provider to give us anonymous email accounts they have to meet these requirements:

  1. .onion website
  2. No personal info on account registration such as phone number or backup email address.
  3. If payment is required, then it has to be with Monero.
  4. The email addresses should not be blacklisted by all the other popular email providers because then it’s useless.

This is a good suggestion. I think that’s what we have been doing already, discussing pros and cons of different alternatives, trying to find a good alternative. We will continue trying to find the best solutions.

1 Like

Really? After a first thread about the small number in the team, (of
interest only if based on a mistaken assumption), the thread took an
extensive swerve left into the suggestion (without any evidence) that
potential contributors are being put off by use of JS. And here we are.

My reply to @capsizebacklog was in regards to the transfer of ownership of the account created by a proxy registerer. That process does not need to use a browser.

As for the thread, I just dropped a short side note in the previous one regarding JS and GitHub, which others replied to, and the thread was split. I don’t know if that is a factor putting off potential contributors and what evidence you expect but the current state of GitHub doesn’t allow even reading of issues without JS. You keep insisting that gh + you acting as a proxy is a solution to that, but it is not, because it is inappropriate - not only because it is not anonymous but also because it is illogical to register just to read (supposedly) publicly available info.

I think this is simply false.

Well, I have explained what I mean. You don’t explain, just reject.

So why don’t you work on those requirements, and bring an informed paper
to the team that sets out your concerns, what solution(s) you propose,
how they might be implemented, and what the benefit will be to Qubes.

Because:

  • I am not a Qubes developer
  • I am not familiar with devs’ requirements
  • I have already explained the problem I see and have shared potential alternatives.
  • I don’t understand why a special paper is required

1 Like