Hacker News | throaway920181's comments

It's sad that Pis are now so overpriced. They used to be fun little tinker boards that were semi-cheap.


The Raspberry Pi 2 Zero is as fast as a Pi 3, way smaller, and only costs $13 I think.

The high end Pis aren’t $25 though.


The Pi 4 is still fine for a lot of low end use cases and starts at $35. The Pi 5 is in a harder position. I think the CM5 and Pi 500 are better showcases for it than the base model.


Between the microcontrollers, Zero models, the Pi 4, and the Pi 5, they have quite a full-range from very inexpensive and low power to moderate price/performance SBCs.

One of the bigger problems with Pi 5, is that many of the classic Pi use cases don't benefit from more CPU than the Pi 4 had. PCIe is nice, but you might as well go CM5 if you want something like that. The 16GB model would be more interesting if it had the GPU/bandwidth to do AI/tokens at a decent rate, but it doesn't.

I still think using any other brand of SBC is an exercise in futility though. Raspberry Pi products have the community, support, ecosystem behind them that no other SBC can match.


I used GrapheneOS for about half a year as my primary phone OS. It does not scramble your GPS in any way (it has the same coarse/fine-grained GPS permissions as regular Android), but it does allow you to block a lot more app permissions. It's more likely that they haven't set the correct permission(s) for that information to bubble through to emergency services.

I would also be surprised if there weren't cell phone system-based fallbacks for emergency services. The carriers have a good idea of where you're at based on the towers you're connected to. There are plenty of situations where GPS doesn't work.


So what phone manufacturer should we go to? Apple, who has always heavily restricted software installation on their devices?


It's frustrating and sad to see the road that Google is headed down with Android and Pixels. The recent AOSP changes were a big red flag, now this.

I've had many Nexus and Pixel devices because I like the freedom that they offer me. I don't use Apple devices because they're so locked down and I can't use the hardware and software in ways that I'd like to use it. Google's about to be added to that shitlist, and there aren't really many alternatives.


I was running k3s locally for all home infra stuff because I too enjoy containers (and some of the things that Kubernetes provides.) Recently I found NixOS and am greatly enjoying that. The container dance gets tiring after a while and having a declarative system is extremely powerful.


The worst are forms that don't tell you there are complexity requirements until they're submitted.


Recently I managed to register an account with a password that the login page rejects. I had to hack the frontend script just to log in. And it's my insurance company.


I've only used it through RDP on Wayland and it's been fine visually. Downloading it can be a challenge if you don't know where to look (Github, not Microsoft's App Store...)


I haven't used Putty since I stopped using Windows for anything serious (in the early 00s.) It was my favorite quick and dirty SSH and serial client before then though!


I have to say, I liked SecureCRT a lot, too.

PuTTY was just easier to get ahold of on a new install.

I think that's why it won out for me. That and its simplicity.


Cool, but hachyderm.io also is not a trusted/recognizable domain for me. Trust issues all the way down!


It's definitionally the correct domain for Simon Tatham's social media. What are you expecting here?


How would the average person know that?


Average person aware of trust on social network / internet - because https://hachyderm.io/@simontatham has a validated link to the author's homepage.

Others - they don't understand the trust anyway, so there are prerequisite steps missing before the main question anyway.


It was bad enough that we had to tell developers to trust some rando website to download a tool that we'd use to potentially plug in sensitive production usernames + credentials.

A link that looks like this:

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.ht...

And now they've gone and made it worse by posting some new site and confirming the new link is real on their weird "hachyderm" social media post thing. Yeah, talk about a grey-beard get-off-my-lawn developer screaming at the wind and wanting to make it worse for themselves and their "brand".


> on their weird "hachyderm" social media post thing

At this point tech people should understand what Mastodon is. For their own benefit. It's been years.


10 MM MAU estimated. Not exactly foundational to online discourse.


We're talking in context of Putty which is itself an extremely niche software. But if you think of just the software/tech people - Mastodon is quite an important place.


> A link that looks like this:

> https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.ht...

> And now they've gone and made it worse by posting some new site and confirming the new link is real on their weird "hachyderm" social media post thing.

And the actual text of https://www.chiark.greenend.org.uk/~sgtatham/putty/ , where the new site is explicitly linked and explained, didn't make it better? Maybe you just need Mommy to blow on your boo-boo?

Sheesh. Talk about yelling at clouds.


hachyderm.io says it has a validated link to his homepage, but if you don't already trust hachyderm.io that means nothing.


It means a lot - you need to check the other side's meta to confirm yourself. https://fedi.tips/how-do-i-verify-my-account/


For example, at https://www.chiark.greenend.org.uk/~sgtatham/ : (the rel=me is the important part)

    [...] <a rel="me" href="https://hachyderm.io/@simontatham"> [...]
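
An added illustration, not part of any comment in this thread and not Mastodon's own code: a simplified Python model of the two-way rel="me" check discussed here, run on constructed HTML snippets rather than the live pages. The helper names and the lookalike `social.example` profile are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RelMeLinks(HTMLParser):
    """Collect hrefs of <a>/<link> elements whose rel token list contains "me"."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        rel_tokens = (a.get("rel") or "").lower().split()
        if "me" in rel_tokens and a.get("href"):
            self.links.add(normalize(a["href"]))

def normalize(url):
    """Compare URLs by scheme, lower-cased host, and path without trailing slash."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path.rstrip("/"))

def rel_me_links(html):
    parser = RelMeLinks()
    parser.feed(html)
    return parser.links

def mutually_verified(url_a, html_a, url_b, html_b):
    """True only if both URLs are https and each page has a rel="me" link to the other."""
    a, b = normalize(url_a), normalize(url_b)
    if a[0] != "https" or b[0] != "https":
        return False
    return b in rel_me_links(html_a) and a in rel_me_links(html_b)

# Constructed sample pages (not fetched from the real sites).
HOME_URL = "https://www.chiark.greenend.org.uk/~sgtatham/"
PROFILE_URL = "https://hachyderm.io/@simontatham"
HOME_HTML = '<p>Mastodon: <a rel="me" href="https://hachyderm.io/@simontatham">me</a></p>'
PROFILE_HTML = '<a href="https://www.chiark.greenend.org.uk/~sgtatham" rel="nofollow noopener me">home</a>'
# Lookalike profile that claims the homepage; the homepage never links back to it.
FAKE_URL = "https://social.example/@simontatham"
FAKE_HTML = '<a rel="me" href="https://www.chiark.greenend.org.uk/~sgtatham/">home</a>'
# Homepage variant with a plain link (no rel="me") to the profile.
PLAIN_HTML = '<a href="https://hachyderm.io/@simontatham">Mastodon</a>'

if __name__ == "__main__":
    print(mutually_verified(HOME_URL, HOME_HTML, PROFILE_URL, PROFILE_HTML))
    print(mutually_verified(HOME_URL, HOME_HTML, FAKE_URL, FAKE_HTML))
    print(mutually_verified(HOME_URL, PLAIN_HTML, PROFILE_URL, PROFILE_HTML))
```

A passing check shows only that whoever can edit each page pointed it at the other; it says nothing about who that is, which is the distinction the replies below argue over.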


And that's why the fediverse thing is so niche :)

Looks like it's as complicated as a parts inventory system developed in house for a half a million employee company...


There's a link on one side and a meta tag on the other. It's as simple as you can make the validation between two sites. It's not even fediverse-specific really - there were other services doing something similar before.


It's because freedom and correctness is hard. Yeah, most people prefer convenience and would rather someone be the source of authority to do it for them, but people on fediverse are not those kind of people.


No, it really means nothing. Identity on the internet is not a solved problem.


You are wrong.

It means that whoever owns the website marked as verified also owns the social account. See https://joinmastodon.org/verification for a quick overview of how it works.


No, it means a certain link exists on the website. On Hacker News of all sites, I would think we should all know that's not sufficient evidence of identity for an update regarding the source of critical software like a terminal.


Nobody claimed it validates the identity in any way. It validates that the person at the other website confirms it's their social account and the social account matches the other direction. The real identity is not involved here in any way and never was. You're disagreeing with something nobody here raises.

But the link validation confirms that if you believed that the original download site belongs to the author, then you would have almost the same guarantee about the social account. (+/- the chances of the putty website being hacked)


Yes, your caveat at the end there is exactly why this method shouldn't be trusted, as it's indistinguishable from an attacker with access to embed a single link.

So it doesn't confirm the account belongs to the author, it confirms the site has a specific link and nothing more.


A regular link won't do, since it requires the rel="me" attribute, which is intended for this purpose: https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...

Adding a <meta> tag or creating a page with certain content are already used even for more impactful verification, like getting issued a certificate for that domain.

If an attacker does have broad access to edit the HTML of your website, I feel that's already the issue and Mastodon verifying that "this person controls this website" isn't even really wrong.


So you have read that page and understand its purpose is to link social media profiles for informational purposes, but don't understand that it's not suitable for any kind of auth, let alone in a software supply chain?


By the XFN spec, it "demonstrates that the same person has control over [the pages]". The docs page I linked links to two further specs for using it for authentication in the way that Mastodon does.


I'm sorry. The XHTML Friends Network rel tag is neither reliable identification nor authentication. It's designed to say "this is my blog" in low stakes environments.

No sane sober person would use it to authenticate messages about changing URLs in a software supply chain.


No, if somebody has access to edit your home page directly, your blog, your company site, etc - you've already lost the game.

How is this any different than your email address being compromised? How is this different than having your laptop compromised and somebody downloading your .ssh folder?

The issue here isn't "is this reliable identification" - because it IS reliable. Your concern is "how likely is this to be compromised vs other things" and that's a fair concern - but there are plenty of very secure web sites out there. This isn't saying "I am john doe and this is my identity", this is saying with some confidence "this person on Mastodon is the same person as the person who wrote this web site copy" and that's a totally fine piece of identification for the right context.


If an attacker has control over the page to edit arbitrary HTML, that chain is already compromised. Even if the attacker's exploit only allowed certain attributes, just the href and rel attributes needed for this protocol would already be enough to execute javascript and load stylesheets on that page.

This is in addition to the original site linking to the new one with a news post. Does that also mean nothing because an attacker could add a news post to the page?


A meta tag won't get you a certificate, that's highly misleading.


If A is saying "I'm also B" and B is saying "I'm also A" then for most purposes you can trust that A and B are the same person, no?


If you check the source of the website that it links to [1], on line 168, we have this

    <p>I'm on Mastodon as <a rel="me" href="https://hachyderm.io/@simontatham">@simontatham@hachyderm.io</a>.</p>

If you trust that website, then you can be sure that this Mastodon account is the right one.

1. https://www.chiark.greenend.org.uk/~sgtatham/


Sure, but by the time you've verified that, you could also have just visited the PuTTY website (the old/current one) to verify that putty.software is legit.


I just checked his home page: https://www.chiark.greenend.org.uk/~sgtatham/


So… what would be a trusted domain, for you, then?



Exactly. Which nicely confirms all this by saying:

Latest news

2025-08-14 New website, putty.software

We have a new domain name for the PuTTY website!

...


What if someone hacked his site and inserted that news item? Better to visit the guy in person and verify.


What if someone planted the idea of adding a new website for the project while he was asleep?


Which is what the original response linked to. :P


What does "Dey well" and "Yarn me" mean at the bottom of your comments?


They are Nigerian Pidgin English words:

  - Dey well: Be well
  - Yarn me: Let's talk
└── Dey well/Be well


Please don't use signature lines in HN comments.

Edit: Would have sworn that this was in the guidelines but I don't see it just now.


Ok, don't do that.

