activistPnk

activistPnk, 4 days ago

Thanks… looks like I got my answer. Not a single bottle rejected!

activistPnk, 2 days ago (edited 2 days ago)

I doubt anyone does. I certainly do not. It would not be environmentally optimum to do so.

There is a stat that if you wash a typical dishwasher load worth of dishes by hand (with avg faucet output of 1 gallon/min), you will consume:

• 20 gallons of water if you are a novice
• 8 gallons of water if you are skilled

While a dishwashing machine uses ~4—5 gallons of water. So dishwashers are actually good for the environment. I will clear of any bulk waste before loading a dishwasher, but I do not hand rinse because it would be wasteful.

It’s essentially the same when returning bottles for reuse. People count on the industrial cleaning to do the full job (though I started the thread to get an idea of to what extent it really can be relied on). The refund for the bottle return is the same whether the bottles are clean or dirty, so there is no incentive for anyone to pre-clean them in any way.

activistPnk, 2 days ago

In Europe they charge 10¢/bottle for simple bottles and 40¢/bottle for the fancy clamp-down style. Then that gets refunded when they are returned. It’s a bit of a hassle because some brewers do not participate, in which case the reverse vending machine rejects the bottle which means you then have to carry it to a glass recycle bin. The brewers that do not participate use a thinner more fragile glass that would be unfit for reuse. So consumers have to stay on their toes and keep track of which brewers participate. Can get quite tricky with the obscure artisinal brews.

Ireland is introducing the same concept for plastic bottles of charging a fee for them then returning the fee in a reverse vending machine. I can’t imagine reusing those. They must be recycling them.

activistPnk, 2 days ago

I am aware that that happened in Oregon once, and even though the parts per million after one person’s bladder is empted into a tank of thousands of gallons is negligible, they emptied the whole water tank which covered a whole city and refilled it, and sent the guy a water bill for that.

I suggest watching the “how beer saved the world” documentary. It shows how they used filthy stagnant pond water with duck shit in it to brew beer, which was safe after the brewing process. But note the beer container is not part of the brewing process.

The water is not much of a risk. But filled bottles sit in warehouses with rats. Rats urinate on the bottles. This is why Europeans don’t drink directly from the bottle. I’m not sure why Americans are content drinking direct from the bottles… maybe US warehouses are rat-free.

activistPnk, 8 days ago (edited 8 days ago)

Great for speeding up browsing on a limited connection, pointless for energy savings

We know from this research that video conferencing has a notable emissions impact, which could only be a consequence of energy consumption. Bandwidth doesn’t just cost energy at home but also all the servers and equipment that carry the payload upstream to the other end.

Video conferencing is like sending low resolution images with many diffs. Still images in a browser would be higher res (and bigger with higher pixel addressability), though much fewer in numbers, but still considerably more consumption than text.

Btw your reverse tethering option probably stopped being maintained because that is now built in to Android

What happens on the server side with recent versions? PCs don’t normally expect network traffic on USB (edit: well, not sure about windows, but not linux AFAIK). Gnirehtet is installed on the PC and it uses ADB to run the mock VPN on the Android.

(edit) Looks like on the linux side it’s just a matter of setting up a bridge with no extra software. But for the Android side every approach I find calls for an app. Does anyone know which Android version introduced built-in reverse tethering?

activistPnk, 7 days ago (edited 7 days ago)

Nearly all the images you’ll encounter on your day to day browsing otoh is tiny and heavily compressed, bigger than text, but not enough to have a notable impact like video can.

I’ve noticed that people are quite bad at choosing the right compression algo for the job. And Wired mag concurs. SVG should be favored, but JPEG, PNG and GIF dominate. And even if you don’t have a vector graphic to start with, people often make the wrong choice between the three.

“reducing emissions can also be as simple as limiting the number of images that feature on each web page.”

– Wired

“Images are the single largest contributors to page weight. The more images you use and the larger those image files, the more data needs to be transferred and the more energy is required,”

– Vineeta Greenwood, account director at design agency Wholegrain Digital

edit: I just realized this is another problem Cloudflare brings us. When web admins opt to offload their job onto Cloudflare, they have less incentive to ensure their website is lean. The Wired article says web pages have quadrupled in weight since 2010. I’m sure much of that can be attributed to Cloudflare facilitating the bloat.

As far as reverse tethering, it’s under USB “internet” in settings

So you navigate this way: settings » USB internet? (my ~6+ y.o. device does not have USB anything in the top level)

Is the reverse tethering switch in a different place than the forwards tethering switch in your case? I found this well-written guide by someone who favors configs over software for this. Unfortunately the article has no date but it was archived in Oct.2020. He says root is required as well as terminal commands, but since it was possible with root for a long time I assume you’re saying recent versions make the option available without root. The article mentions this path:

Settings - Wireless & networks - Tethering & portable hotspot

and that’s what I have. There is a “USB tethering” boolean in the Tethering & portable hotspot page. I have always figured that option was strictly for forward tethering. And to reinforce that assumption, when Gnirehtet is running that “USB tethering” switch is in the off position (but perhaps because it uses the phony vpn approach). The article seems to be using that boolean for reverse tethering, unlike Gnirehtet.

activistPnk, 19 days ago (edited 19 days ago)

I only use it when I don’t know the route. Usually it’s when I’m on foot all day long in an unfamiliar foreign city.

Sometimes my memory is almost sufficient for the trip, in which case I turn off the screen and go purely off the audible instructions, which greatly increases the range by using less battery. But the timing and accuracy of the audibles is not accurate enough for completely unknown routes.

activistPnk, 18 days ago

So do you have your screen turned off most of the time?

Yes, because I’m usually not using it. I never use it as a phone and keep it permanently in airplane mode. Daytime navigation is its most common use, in which case I have the backlight on full power and the GPS on.

I usually get through a day fine with a charge.

I could probably get through a week if navigation were not involved. But when I do a day trip in a foreign city I have to carry a spare battery and still take every opportunity at bars and restaurants to recharge (which just gives ~5—10%). I also turn off the GPS when stopped to save battery, but this brings the inconvenience of reacquiring a fix.

If you bring a second phone, that is also a second device you’re carrying around, might as well be a small powerbank.

A powerbank needs to be wired to the phone and thus strapped to my arm. I’ll first test what an external GPS does and if that’s insufficient then I might consider an external battery.

The phone gets quite warm when navigating. I believe that’s because the GPS is computationally intensive. The heat is not only waste energy but it also heats the battery which then possibly impacts the battery performance and charging. So by using a separate device for the GPS, the impact from the heat should be reduced.

activistPnk, 18 days ago

That looks interesting. I might have to keep my eye out for these at the 2nd hand street markets. When you say supplement, do you mean the ROX feeds coordinates to the phone?

Apparently Sigma has a proprietary app for the phone. If you don’t use that app, are open standards supported? In the pre-smartphone days, it was common to get a dedicated device that merely ran a GPS receiver and the sent to coords to any bluetooth device (e.g. palm pilot) that paired to it. I think the standard is called NMEA. The ROX 4.0 manual makes no mention of NMEA so I’m not sure if that could be used to feed OSMand.

In any case, your finding seems to suggest using an external GPS has a substantial power savings on the phone that hosts the maps.

activistPnk, 29 days ago

I’m ideologically opposed to anything that prevents an adult from doing what they want to their own body.

A couple other comments seem to imply this a full-blown prohibition as well. To be clear, my interpretation is that this is not a total prohibition. From the article:

The government is set to introduce a historic new law to stop children who turn 14 this year or younger from ever legally being sold cigarettes in England, in a bid to create the first ‘smokefree generation’.

So IIUC, there is no possession or consumption offense, and anyone at any age can grow their own or import¹ it. They’re just making it inconvenient to acquire by controlling commerce. That inconvenience will certainly add to the cool factor of kids who become the resourceful hookup.

¹ I suppose they will be able to carry it into the country, but probably legit mail order shops will be controlled. Not sure.

On the other hand, a complete ban on smoking in public spaces could be helpful ? I’m not certain if it has been tried

IIRC, the smoking ban in restaurants and bars started in CA or NY, then swept around the world from there. Then NY supposedly banned smoking near outdoor bus stops or something. Not sure if that experiment spread.

activistPnk, 29 days ago

I saw no actions on that page. Then I dragged my cursor across the page and highlighting revealed they are using white text on a white background. I guess they did not consider that environmentalists might have images disabled in their browser.

Support Farmers and A More Resilient Food System

They are quite vague. One of the problems is livestock farmers are getting subsidies. They should be getting less support, not more. It’s unclear if this 2024 Farm Bill separates livestock farmers from the others.

Tell the World Bank to Stop Funding Fossil Fuels

Agreed. Though it’s a shame the action stops there. The advice should be to use cash as much as possible and to avoid these banks in particular.

activistPnk, 1 month ago

I’ve wanted to play with packet radio for a while now. It’s a shame the article pimps a Cloudflare site (winlink). It’s fitting in a sense though because there is a ban on using encryption over the ham radio bands. So the emails over packet radio must inherently be exposed to the world anyway.

activistPnk, 1 month ago (edited 1 month ago)

What other options are you talking about? I think the aloe was Aloe King by OKF and Arizona is the name of the iced tea maker. Neither have ties to Coca Cola AFAIK.

activistPnk, 1 month ago

But this is an entirely reasonable stance to take.

Snikket is FOSS. The source code is available to Google. The source code is also a more trustworthy source of evidence than Google simply running the code. How do they know from running the code whether it exports their contacts?

activistPnk, 1 month ago (edited 1 month ago)

This is good news in the sense that Snikket is forced to promote the better repository (F-Droid). It’s also favorable when some good apps like Snikket are simply unavailable in Google Playstore. If every app is available in Playstore, that solidifies Google’s disproportionate power – which they abuse. We need more apps to be only available outside of Playstore.

Snikket is also a good app to have that excludes Playstore because of its nature as a communications app. Advanced users likely tend to push their more novice correspondents to install Snikket. So going forward they will have to do their duty in spreading F-Droid.

activistPnk, 1 month ago (edited 1 month ago)

What are you missing? When Google has access to the source code, they have the ultimate most effective and simultaneously easy way to verify the criteria is met. Of course that’s relevant to the discussion. It’s how you know what the software does. Only closed-source projects have a problem demonstrating that they’ve satisfied the criteria.

activistPnk, 1 month ago (edited 1 month ago)

FOSS isn’t magic. Reviewing the source code doesn’t guarantee that the version you get matches the code you were provided. You unconditionally should not get any exemptions to store policy because your code is open source. That’s a terrible idea.

No one has suggested exemptions. Otherwise you need to quote where you get that idea from. You’re not grasping the fact that code enables criteria to be verified. It therefore needs no exemption.

The terrible idea we are grappling with is the idea to not review source code that is available. If the code does not match the binary, that is Google’s problem. Google is the repository and has the sole responsibility for either ensuring reproducable builds are in play (to the extent that they care) or compiling it themselves. But I doubt Google genuinely cares as the Playstore is proven to have a quite poor quality standard relative to other repositories.

Having actual written policies and meeting other criteria are the rules for a reason.

Those policies are not above criticism. If Google’s policies fail to include code reviews as verification that criteria is satisfied, that’s on Google and they have no expectation of not being condemned for their incompetent policy.

activistPnk, 1 month ago (edited 1 month ago)

The issue they’re complaining about is that they’re being held to additional standards because they ask for a sensitive permission.

That’s not Snikket’s complaint. Snikket naturally satisfies the standards at hand because they do not export address book data, so they have no reason to object to the standards Google is failing to verify. Their complaint is rightfully about Google’s incompetence in evaluating their compliance. It’s clear from Snikket’s account what a shit show it is at Google who failed copious times to evaluate their software.

There’s nothing more terrible in the position of a software repository than the incompetence of neglecting to review code as part of the acceptance process. I can’t think of a more foolish policy than to ignore the code of software for which you are trying to endorse the quality of.

activistPnk, 1 month ago (edited 1 month ago)

A. Code review doesn’t work.

You’re doing it wrong.

B. Code review takes a very large amount of highly qualified man hours to not work.

Not if a machine does it. And even if they use humans, it takes even more man hours to do the alternative dynamic analysis and traffic analysis. Code review saves countless man hours even if done 100% manually by humans.

C. Requiring review of proprietary code exposes Google to a crazy amount of antitrust and IP liability. Again, to not work.

Not applicable to FOSS code.

Code review doesn’t happen because it’s a laughably stupid idea that has virtually no chance of being beneficial in any way. It’s not an oversight.

Code reviews happen at every organisation I have worked for to catch unwanted code before deployment and testing. The reason we review code before testing is because it’s cheaper to review code than to test it. It’s laughably stupid to think code review doesn’t work only to then to spend more money on verification tests.

activistPnk, 1 month ago (edited 1 month ago)

An organization reviewing its own code is not the same, or similar in any way, to an organization reviewing a large volume of external code for malicious intent.

This is neither of those cases. This is trivially searching the code for where the address book API is called, and inspecting only the relevant code to that object for a specific usage. If you review the whole volume of code for the entire application, you’re doing it wrong. It’s trivial and for the reasons I’ve already explained, less effort than dynamic analysis and traffic analysis.

And it doesn’t work for a wide variety of reasons (including the one I already gave you that binaries don’t provide you any guarantees that they’re from the source).

And you apparently missed the response because you’ve neglected to address it. It was a defeated claim.

Onboarding is universally slow because new people take weeks to months to actually meaningfully understand big projects.

You’re thinking about hiring heads to work on code they need to understand in depth in order to edit the code. That’s not the case here. Code reviews are much cheaper than onboarding developers.

Again, you’re asking for FOSS code to get some special treatment and bypass the requirements already in place.

Again, no exemption has been requested. Google is either smart enough to make use of info at their disposal, or they are not. (answer: they are not).

It’s completely absurd, because every single one of those tests would still be unconditionally mandatory to get any kind of actual confidence in security.

Only if you do it wrong. A code review gives more confidence about what happens with the address book than testing. Only a fool would needlessly spend money on the more costly and redundant black box approach which yields results (guesswork!) with less confidence¹. Sure you can also do the black box analysis but that’s just wasting money when the bar has already been cleared. You would do both if lives depended on the code, but such standards are far above Google’s standards.

Choosing to skip them because someone in India skimmed the code would be way past gross negligence.

You’re still not getting it. No one advocates for an exemption. You need to get that out of your head. A code review is a way to more cheaply do the verification with higher confidence, not to bypass it.

¹ Hence why Google failed many times to get it right.

activistPnk, 1 month ago (edited 1 month ago)

“Just searching the code where the address book API is used” most certainly does not give you increased confidence.

That’s the starting point. It only takes 5 minutes to get there and find the object of interest. If you don’t spend 10-30 minutes more to see how the object is used, you’re doing it wrong. And if you try to read every single line of code in the project, you’re also doing it wrong.

Obfuscation is not that difficult.

Obfuscation is even easier to spot than to create, which on that basis alone would be good grounds to reject a package.

You can only possibly gain confidence if you fully understand every single line of code.

As I said, you need not read every single line of code. Just the code touching the address book.

I ignored it because it’s idiotic. Google isn’t and shouldn’t be building code for you unless you pay for it.

It’s looking more clear that English is not your first language. You continually fail to comprehend what I’ve said, which was the complete opposite of this comment, after you suggested yourself that a code review effort is that of a new hire onboarding effort.

One more time: a company having people review specific code for a specific purpose does not in any way resemble an adversarial code review against bad actors.

Again, that is not the purpose of the code review. If the purpose is to generally find malicious code, that’s a very different criteria than /not exporting an address book/. And if you move the goal posts to that mission, you have no fucking chance to do that with the simple black box analysis you’re advocating.

There are no parallels. A code review gives you literally zero confidence that the writer isn’t malicious

A code review is the absolute cheapest most effective way to find malicious code, if that’s your new goal. You will not find malicious code with any confidence by looking at a TLS traffic tunnel and playing with the app as a user. You can see that the app connects to the Snikket server and you can see that blobs are passed back and forth, which is expected anyway. From there, you have to guess from the timing and payload sizes that something is off, at which point you still really know fuck all. It’s a lot of effort to reach insufficient confidence to condemn the app.

unless you comprehensively understand every single line.

Clearly you’ve never written software. Malicious code does not affect every single line nor does finding malice need an understanding of every single line. Bugs would never be found on any large project if that were true. Every code review I’ve performed has been narrow in scope and yet I still find non-conformant code. A developer can work on a project for ~10-20 years of their life and still only see a small fraction of the code. Yet they still discover bugs in very little time. If you think you need to look at every single line, I suggest avoiding the software career path.

Open source project security is entirely and exclusively reputational.

Reputation matters whether a project is FOSS or not. But if it’s closed-source, reputation is all you have. Of course it’s nonsense to claim FOSS code cannot be reviewed by anyone who cares to step beyond reputation.