Giver of skulls

  • 0 Posts
  • 34 Comments
Joined 101 years ago
Cake day: June 6th, 1923

  • Wayland doesn’t permit applications to capture the input if their windows are not in focus. Applications just scanning the keyboard to detect key presses won’t work.

    Somewhere last year, the global shortcut portal spec was merged into xdg-desktop-portals. This allows applications to register global hotkeys without allowing every window to spy on every other window. I don’t know what versions/distros you need to get that support, but you’ll probably need something released this year.

    Applications don’t seem all that eager to implement this API, though. You can work around it by using your desktop environment’s system shortcuts and assigning them to shell commands that will pass messages through for you through network APIs/DBUS/UNIX sockets/whatever your application accepts.

    Alternatively, your planned Python script could do the necessary portal calls if you’re still willing to go the script route.
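The shortcut-to-socket workaround from the comment above, as an added example that is not part of the original comment: the desktop environment's shortcut runs the script with an action name, and the application listens on a per-user UNIX socket. The file name `hotkeys.sock` and the action names are hypothetical.

```python
import os
import socket

# Actions the listener accepts; anything else is dropped. Names are hypothetical.
ALLOWED_ACTIONS = {"toggle-mute", "push-to-talk-on", "push-to-talk-off"}


def open_listener(path):
    """Bind a datagram socket whose file only the owning user can access."""
    if os.path.exists(path):
        os.unlink(path)                # clear a stale socket from a previous run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    old_umask = os.umask(0o177)        # socket file is created with mode 0600
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    return srv


def receive_action(srv):
    """Read one message; return the action name, or None if not allowlisted."""
    data = srv.recv(64)
    action = data.decode("ascii", errors="replace").strip()
    return action if action in ALLOWED_ACTIONS else None


def send_action(path, action):
    """What the desktop shortcut runs: one datagram, no reply expected."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as cli:
        cli.sendto(action.encode("ascii"), path)


if __name__ == "__main__":
    import sys
    sock_path = os.path.join(os.environ["XDG_RUNTIME_DIR"], "hotkeys.sock")
    if len(sys.argv) == 2:             # bound to a shortcut: hotkeys.py toggle-mute
        send_action(sock_path, sys.argv[1])
    else:                              # the application side
        with open_listener(sock_path) as srv:
            while True:
                print("action:", receive_action(srv))
```

The listener only ever sees named actions, never raw key events, so it gains no view of what is typed into other windows.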




  • You can just open a port in the firewall/port forward a local server if your home ISP isn’t shit. If it is shit, you can run it in the cloud somewhere. I wouldn’t go with Amazon, they’re terribly expensive for hobby projects (who needs multi zone failover for a personal hobby project), any $5 VPS provider will do. Just make sure to install updates automatically so you don’t need to keep a close eye on maintenance and you should be golden.

    Alternatively, if you don’t want to expose your server to the internet, you can set up a VPN server on your cloud server and only expose the password manager to your VPN. Wireguard is relatively simple to set up for this purpose, but tailscale (and whatever the self-hosted tailscale server is called) makes things even easier.




  • The official Bitwarden server: 2-4GB of RAM, mostly because of the SQL server and all of the separate containers. Probably at least two CPU cores to prevent one process from lagging everything out. 12-24GB of storage.

    For Vaultwarden, the Rust reimplementation of the backend server: I don’t know, about 128MB of RAM? It’s using about 40MB of RAM on my server. It’s using about a minute of CPU time per hour for my install. Storage requirements are “the size of the docker container plus some database files”.

    Both: a TLS certificate (Let’s Encrypt) and as much free space as you plan on sending through their encrypted file sharing service. Also the storage and configuration for your automated backups, of course.

    Vaultwarden isn’t audited and it takes longer to get all of the features because it’s a hobby project and not an enterprise company. Bitwarden is set up to easily scale to whole company/whole enterprise usage. Vaultwarden is set up for “you and your family” scale which probably works fine for larger scales but I don’t think it’s set up for it out of the box.


  • I don’t feel a particular high after working out, but I feel better than when I don’t do it. It’s not a “whoohoo everything is great” feeling, just general contentness and a good mood.

    I don’t get a lot of that in the gym. The gym is boring as hell, and my solution to burning calories without getting bored to death is watching Netflix on those cardio bikes. I’m not getting any enjoyment out of the activity itself but it passes the time and I still get to feel the mood improvement after I’m done.


  • Both left wing and right wing people are vulnerable to bullshit and fake news, but extreme right wing media is easier according to troll farm content producers themselves. It’s easy to fall for hateful outrage, especially if you can find an “us versus them” narrative to build your hate upon. Whether it’s “capitalists versus socialists” or “gay people versus Christians”, if you can create the illusion of two (and only two) positions, you can easily attract attention.

    The “I just want everyone to be happy together” crowd is a bit harder to put into two opposing camps, but as you can clearly see on Reddit, blaming “capitalists” or “employers” or “landlords” or billionaires or any other group that has shit you want to have is an easy way to build outrage for the “enlightened” mind. Neither “side” is immune to this crap, but conservative ideas just seem to catch more people. It’s quite sad, really, I would love people being converted into egalitarian progressives through algorithmic bullshit much more, even if it’s still unethical of course.

    As for why Youtube would do this: if you can get dragged into an hour long Joe Rogan podcast, you make Youtube money. Attention = ads = advertiser income if you apply this at a scale large enough. Right wing outrage media just manages to trick more people into watching more stuff, and that’s why the algorithm defaults to it even on new, fresh IP addresses. Even Youtube’s own people don’t know entirely for sure why some topics or videos are featured, it’s all left to an automated AI that optimizes for certain tasks (watch time etc.) through any means it can.

    If you don’t want this, you have options. If you have a Google account, either opt out of personal ads (yes you can actually do that) so you only get generic recommendations based on your IP address, or manually select your preferences in your account so you get ads and content that work for you. The stuff your partner or kids watch will influence the ads you see.

    You can also try poisoning the algorithm. You have kids, so getting your account recommendations to focus on kid content shouldn’t be too hard. Two or three hours of skibidi toilet mashups in the background (mute the volume, but not through the browser, and make sure Youtube thinks it’s playing in the foreground) should mess up their recommendations. There are also websites and tools that will open up a ton of videos of certain stereotypical characters from time to time.

    As a final note: I don’t know how old your kids are, but if they’re old enough it’s possible that someone in your household has fallen for the Tate bullshit. The “alpha male” bullshit is frighteningly common among teenage boys who are trying to figure out who they are/want to be/what they want to do with their life, and the struggles of wanting to fit in. It’s far from the only reason (I live alone and I get that crap in my feed sometimes) but it’s better to be on the lookout for this crap.



  • I don’t have a guide for you, sorry. I’ve looked into it briefly but I can’t say I care enough to fix it.

    I’m pretty sure you’ll be able to go federation only by blocking everything that’s not an application/ld+json content type (technically application/ld+json; profile="https://www.w3.org/ns/activitystreams" but some servers don’t send the correct Accept headers). The Lemmy frontend submits plain JSON and POST requests and it doesn’t implement the client-server ActivityPub API, so that should be the easiest way to keep federation working while whitelisting your personal IP addresses.


  • Charities and other types of non profits have to comply with the GDPR too. Just because you’re not making any money doesn’t mean you can ignore privacy law.

    I think it also depends on how you tell the tax authority about your donations. There are tax rules about gifts versus donations versus income. It can easily be beneficial to report donations as income for some small company rather than pay tax over donations, depending on the country where you live. Alternatively, you could commit tax fraud and not report the donations at all, but then privacy law is probably not your biggest concern.



  • Defederation is an interesting issue. Perhaps deletes and updates should always be federated, as long as they’re authorized with the proper signature. I honestly don’t know how that’s implemented.

    That said, I’m sure someone contacting the server admin will be able to get their data corrected or deleted.

    Offline servers should get the deletes in most federated software. I’ve seen some slightly troubling modifications to Lemmy (disabling the retry queue because offline servers were clogging up the scheduling mechanism) but that’s not standard as far as I know.



  • You can disable most endpoints in your application firewall, or put them behind a whitelist. For federation to succeed you don’t need all that many publicly reachable endpoints (mostly a bunch of inboxes and the data for your own user account).

    I don’t think the privacy policy is sufficient. My post will end up on your server but also on the server this community is hosted on, from which it’ll end up on hundreds or thousands of other servers. I’ve never agreed to any of their privacy policies and terms of service and neither has anyone else here.

    The concept of the Fediverse doesn’t work well with traditional corporate interpretations of privacy law. Going strictly by the way it’s interpreted for traditional social media, you’re on the hook for any personal data your private instance stores and makes available. This approach effectively kills the concept of the Fediverse, so I sort of fear the inevitable DPA investigation and/or lawsuits.
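The filtering idea from this comment and the earlier "federation only" comment, sketched as an added example (not Lemmy's code and not from the original comments): let allowlisted addresses through, and admit everyone else only when the request carries an ActivityPub media type. The allowlisted networks are constructed documentation ranges, and accepting `application/activity+json` alongside `application/ld+json` is an assumption made here.

```python
import ipaddress

# Media types used for server-to-server ActivityPub traffic.
# application/activity+json is the common short form (assumption, not in the comment).
FEDERATION_TYPES = {"application/ld+json", "application/activity+json"}

# Constructed allowlist standing in for "your personal IP addresses".
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.7/32", "2001:db8:1::/48")]


def media_types(header_value):
    """Yield lowercase media types from an Accept/Content-Type value, parameters dropped."""
    for part in (header_value or "").split(","):
        mtype = part.split(";", 1)[0].strip().lower()
        if mtype:
            yield mtype


def is_admin(remote_addr):
    """True if the peer address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False                   # unparsable address is never allowlisted
    return any(addr in net for net in ADMIN_NETWORKS)


def allow(method, headers, remote_addr):
    """Decide whether a request should be passed on to the instance."""
    if is_admin(remote_addr):
        return True                    # owner keeps the web UI and JSON API
    h = {k.lower(): v for k, v in headers.items()}
    # Fetches announce the type in Accept, deliveries to an inbox in Content-Type.
    field = "accept" if method.upper() in ("GET", "HEAD") else "content-type"
    # Headers are client-chosen: this narrows what is exposed, it does not
    # authenticate the sender.
    return any(t in FEDERATION_TYPES for t in media_types(h.get(field)))
```

Discovery endpoints such as `/.well-known/webfinger` use other media types, so they would need their own rule.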


  • Many versions of Lemmy haven’t been deleting data at all, merely setting a flag in the database that a post has been deleted rather than actually getting rid of the contents.

    As for federated data, deletes do federate. I would say that a server ignoring an authorized delete request would be in violation of the law, but then there’s the matter of a lack of any data processing agreements with other servers.

    I do wonder what the legal implications of servers ignoring deletion requests are. Would Facebook be on the hook for deleted data still being stored on a scraper’s server? Would LinkedIn be liable for all of those sketchy mirrors online? I personally don’t think so. On the other hand, federation is push based, rather than the result of responding to a request from a third party.


  • The GDPR also applies to individuals. It’s not very common, but if you start your own private data collection for shit and giggles you’ll have to take the necessary steps to comply with the GDPR. Of course you won’t need a data privacy officer or anything like that as an individual, but you do need to take certain precautions.

    Now, with the way social media works, I’m pretty sure you can get away with claiming all data collected is necessary to make the system work in the first place, and Lemmy doesn’t even collect all that much data.

    Most instances also accept donations and other financial incentives as well. That makes the entire system more complicated. With lemmy.world and other servers being run by Europeans, I’d say a significant part of Lemmy definitely does need to comply with the GDPR.


  • The GDPR applies to any instance collecting personal data about EU citizens (and probably adjacent countries with similar laws). You can choose to ignore the law if you don’t do any business in the EU and don’t plan on ever going there, but you can’t decide whether or not it applies to you.

    I think the general consensus on GDPR compliance for federated networks is “we’ll see about it when someone complains”. I doubt any DPA is going to waste time on a random hobby instance or even a medium sized public instance since the only personal information you’re even collecting on here is either public data (your posts), your username and password, and your IP address. Federating instances don’t even receive the last bits of information.

    I can see someone starting a lawsuit against a standards incompliant server that ignores deletes and edits, though.

    As for portability, such an export should be quite easy to accomplish; fetch someone’s account data from the database, add in that person’s ActivityPub outbox, and you’re pretty much done. The GDPR provides you with 30 days to comply with requests but this data shouldn’t take more than a few seconds to extract.

    Seeing as the development of Lemmy is sponsored by NLNet (a Dutch organisation) I’m sure someone will have thought about it at some point at least!


  • This is something I really like Mastodon for. The good apps will go through standard OAuth authentication rather than username/password authentication, which also means you can use passkeys/2FA to protect your account which apps often don’t bother implementing in any way.

    That said, who’s to say the in-app browser window you’re entering your password into is really your browser and not just a malicious Chrome build the evil app developers added to mislead you? There’s a slightly elevated risk with storing your password in every app, but malicious app developers will be able to phish you regardless.