Every system in an RPG should be designed and tailored to max the possible immersion you can get from the game.

Having to deal with inventory management doesn’t always improve immersion. Inventory optimization doesn’t immerse me; rather, it gives me a puzzle to solve.

At that point, you could say “male characters.”

Oh 100% agreed - in this instance, it’s clear that OBS has a well maintained package that should be prioritized. But they could keep their repo first and remove OBS (and other known-to-be-well-maintained apps) from it to accomplish that.

They put their repo first on the list.

Right. And are we talking about the list for OBS or of repos in general? I doubt Fedora sets the priority on a package level. And if they don’t, and if there are some other packages in Flathub that are problematic, then it makes sense to prioritize their own repo over them.

That said, if those problematic packages come from other repositories, or if not but there’s another alternative to putting their repo first that would have prevented unofficial builds from showing up first, but wouldn’t have deprioritized official, verified ones like OBS, then it’s a different story. I haven’t maintained a package on Flathub like the original commenter you replied to but I don’t get the impression that that’s the case.

Why did Fedora make their packages take priority? Is it because the priority is otherwise random and if you don’t have a priority set, that leads to the issue they mentioned? Because if so, that sounds like a reasonable action by Fedora and like the real culprit is Flathub.

You can self-host Bitwarden, too. My understanding is that VaultWarden is much simpler to self-host, though. Note that VaultWarden isn’t a “fork”; it’s a compatible rewrite in Rust (Bitwarden’s codebase, by contrast, is primarily C#).

I also use Bitwarden and strongly prefer it over every other password manager I’ve tried or investigated, for what that’s worth. I’d recommend it to 99% of non-enterprise users (it’s probably great for enterprise use as well, TBF).

The only use case I wouldn’t recommend it for is when you don’t want your passwords stored in the cloud, in which case KeePass is the way to go. To be clear, that recommendation does not apply if you’re syncing your vault with a cloud storage provider - even one you’re hosting, like SyncThing - even if your vault is encrypted. At that point just use Bitwarden or VaultWarden, because they’re at least audited with your use case in mind (Vaultwarden has only been audited once afaik, though).

Sure, but mortgage interest can easily be enough to make that worth it without any other deductions. With $300K principal and a 5% loan, that’s $15K - about the same as a single taxpayer’s standard deduction and roughly half of a married couple’s standard deduction.

You cannot encrypt email End to End.

Incorrect.

https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption

It has to be stored in plaintext somewhere.

1. It doesn’t.
2. Even if it did, that wouldn’t mean it wasn’t E2EE.

Yahoo does not offer encrypted email.

It doesn’t need to. https://support.mozilla.org/en-US/kb/thunderbird-and-yahoo

I primarily use Standard Notes. It’s a fantastic tool and I can use it anywhere, online or offline. It’s not great for collaboration, though, and it doesn’t have a canvas option. But I use it for scratch pads, for todo lists, for project tracking, for ideas, plans, plotting for my tabletop (Monster of the Week) game, software design and architecture, for drafting comments, etc…

Standard Notes also has a ton of options for automated backups. I get a daily email with a backup of my notes; I can host my notes on my home server and the corporate one; I can also set up automated backups on any desktop.

I don’t use it for saving links. I’m still using Raindrop.io for that, even though I’m self-hosting both Linkding and Linkwarden.

For sharing and collaboration, I either publish to Listed with Standard Notes or use Hedgedoc, which is great for collaboration and does a great job presenting nodes, too.

For canvas notes, I use GoodNotes on a tablet or the Onyx Boox’s default Notes app. I’d love a better FOSS, self-hosted option, especially for the Boox, but my experiences thus far have been negative (especially on the Boox).

I’ve been trying out SilverBullet lately, since I want to try out cross-note querying and all that, but I’m too stuck in my habits and keep going back to Standard Notes. I think I’ll have better luck if I choose one app and go with it.

I also have a collection of Mnemosyne notebooks that I use with fountain pens (mostly the Lamy 2000, but also quite commonly a Platinum 3776 or a Twsbi). Side note: the Lamy 2000 was my first fountain pen and after getting it I went deep into fountain pens. I explored a ton of different options, found a lot of nice pens across a number of brands… and yet how I still haven’t found something that I consistently like more. The Pilot VP is great but deceptive; a fancy clicky pen that only holds 30 minutes of ink (in a converter, at least) is decidedly inconvenient.

I’ve also been checking out Obsidian on my work computer. So far I haven’t seen anything that makes me prefer it over my existing set of tools.

Hedgedoc is fantastic. If you’re okay with your notes app being web-only (without an app or even a PWA) and you don’t need canvas notes or multi-note queries, you should check it out.

First, every note is Markdown, but it supports a ton of things natively. It has native Vim, Emacs, and Sublime (the default) editors and it’s built to be great for collaboration (if you want).

It also has

• syntax highlighting for a ton of languages
• Mermaid.js support
• LaTeX support
• easy drag and drop image uploads
• a solid mobile interface (for a webapp in your browser, at least)
• built in revision history
• support for other diagram tools, like graphviz, flowchart.js
• a bunch of other little Markdown enhancements that make using it feel oddly intuitive

And best of all, they have a Hedgehog for the icon! (I may be biased.)

If you’re a C developer who doesn’t know Rust, no.

And it’s I who should take a course in encryption and cybersecurity.

Yes. I was trying to be nice, but you’re clearly completely ignorant and misinformed when it comes to information security. Given that you self described as a “cryptography nerd,” it’s honestly embarrassing.

But since you’ve doubled down on being rude, just because I pointed out that you don’t know what you’re talking about, it’s unlikely you’ll ever learn enough about the topic to have a productive conversation, anyway.

Have fun protecting your ignorance.

If a communication norm is just about other people’s preferences, why should they change? Who’s to say that other people’s preferences are more important than their own, particularly given that this particular preference is shared by millions of other people.

If inconsistent use of capitalization actually hinders understanding for some subset of their audience, then that’s a different story. My experience is that people are more likely to be annoyed than to actually have issues understanding all lowercase text. All caps text, on the other hand, is a different matter - and plenty of government and corporate entities are fine putting important text in all caps. But all caps text is a known accessibility issue. When I search for “all lowercase accessibility,” though, all I get is a bunch of results saying to not use all caps text for accessibility reasons.

If you have sources showing that all lowercase text is an accessibility concern, then you should share them. Heck, you should have led with that. But as it is, your argument ultimately boils down to “someone else should change what they do, that works for them, because it annoys me.”

Fight Club 5th Edition.

• Android: https://play.google.com/store/apps/details?id=com.lionsden.fc5
• iPhone / iPad / Mac: https://apps.apple.com/us/app/fight-club-5th-edition/id1484084460

Nice try FBI.

Wouldn’t “NSA” or “CIA” be more appropriate here?

Well, if my pin is four numbers, that’ll make it so hard to crack. /s

If you’re using a 4 number PIN then that’s on you. The blog post I shared covers that explicitly: “However, there’s a limit to how slow things can get without affecting legitimate client performance, and some user-chosen passwords may be so weak that no feasible amount of “key-stretching” will prevent brute force attacks” and later, “However, it would allow an attacker with access to the service to run an “offline” brute force attack. Users with a BIP39 passphrase (as above) would be safe against such a brute force, but even with an expensive KDF like Argon2, users who prefer a more memorable passphrase might not be, depending on the amount of money the attacker wants to spend on the attack.”

If you can’t show hard evidence that everything is offline locally, no keys stored in the cloud, then it’s just not secure.

If you can’t share a reputable source backing up that claim, along with a definition of what “secure” means, then your claim that “it’s just not secure” isn’t worth the bits taken to store the text in your comment.

You haven’t even specified your threat model.

BTW, “keys” when talking about encryption is the keys used to encrypt and decrypt,

Are you being earnest here? First, even if we were just talking about encryption, the question of what’s being encrypted is relevant. Secondly, we weren’t just talking about encryption. Here’s your complete comment, for reference:

I have read that it is self hostable (but I haven’t digged into it) but as it’s not a federating service so not better than other alternative out there.

Also read that the keys are stored locally but also somehow stored in the cloud (??), which makes it all completely worthless if it is true.

That said, the three letter agencies can probably get in any android/apple phones if they want to, like I’m not forgetting the oh so convenient “bug” heartbleed…

Just so you know, “keys” are used for a number of purposes in Signal (and for software applications in general) and not all of those purposes involve encryption. Many keys are used for verification/authentication.

Assuming you were being earnest: I recommend that you take some courses on encryption and cybersecurity, because you have some clear misconceptions. Specifically, I recommend that you start with Cryptography I (by Stanford, hosted on Coursera. See also Stanford’s page for the course, which contains a link to the free textbook). Its follow-up, Crypto II, isn’t available on Coursera, but I believe that this 8 hour long Youtube video contains several of the lectures from it. Alternatively, Berkeley’s Zero Knowledge Proofs course would be a good follow-up, and basically everything (excepting the quizzes) appears to be freely available online.

it wouldn’t be very interesting to encrypt them, because now you have another set of keys you have to deal with.

The link I shared with you has 6 keys (stretched_key, auth_key, c1, c2, master_key, and application_key) in a single code block. By encrypting the master key (used to derive application keys such as the one that encrypts social graph information) with a user-derived, stretched key, Signal can offer an optional feature: the ability to recover that encrypted information if their device is lost, stolen, wiped, etc., though of course message history is out of scope.

Full disk encryption also uses multiple keys in a similar way. Take LUKS, for example. Your drive is encrypted with a master key. You derive the master key by decrypting one of the access keys using its corresponding pass phrase. (Source: section 4.3 in the LUKS1 On-Disk Format Specification (I don’t believe this basic behavior was changed in LUKS2).)

Its impossible to verify what code their server is running.

Signal has posted multiple times about their use of SGX Secure Enclaves and how you can use Remote Attestation techniques to verify a subset of the code that’s running on their server, which directly contradicts your claim. (It doesn’t contradict the claim that you cannot verify all the code their server is running, though.) Have you looked into that? What issues did you find with it?

I posted a comment here going into more detail about it, but I haven’t personally confirmed myself that it’s feasible.

Both of the reasons you’ve provided are nonsensical:

• It isn’t performed automatically if you disable it, and they did (and explained why)
• They said they don’t believe capitalization aids with clarity. They didn’t express the same opinion about punctuation and paragraph breaks.

Message history won’t be fully fixed. It can’t be without storing message backups in some cloud somewhere (whether it’s to iCloud, Google Drive, Dropbox, or Signal’s servers) and Signal omits its message history from system backups on iOS and Android.

iOS users are completely incapable of backing up their message history in the event of their phone being lost, stolen, or broken. This omission isn’t justified in any way, as far as I’m aware; I don’t know of any technical reason why following the exact same process as on Android wouldn’t work.

Android users are able to back up locally via Signal, but that isn’t on by default, can’t be automated, needs to be backed up separately, requires you to record a 30 digit code to decrypt it, and has limitations on when it can be used for a restore (can’t restore on iOS, for example). See https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-Messages for more details.

Message history on linked devices - meaning iPads and desktop computers - is being improved, but it still won’t mean that a user who loses or trades in their phone as they get a new phone will be able to simply restore their phone from a system backup and restore their Signal message history. And even that isn’t anywhere near as easy as on Telegram, where a user can just log in with their password and restore their message history, no backup needed.

It’s great that they’re improving the experience for linked devices, but right now that doesn’t actually help if you lose, break, or trade in your phone. Maybe they’ll later allow users to restore to a phone from a linked device or support backups on iPhones, but right now the situation with message history isn’t just an unfriendly UX, but one that is explicitly and intentionally unreliable for a huge portion of Signal’s user-base.

Also read that the keys are stored locally but also somehow stored in the cloud (??),

Which keys? Are they always stored or are they only stored under certain conditions? Are they encrypted as well? End to end encrypted?

which makes it all completely worthless if it is true.

It doesn’t, because what you described above could be fine or could have huge security ramifications. As it is, my guess is that you’re talking about how Signal supports secure value recovery. In that case:

1. The key is used to encrypt your contacts, profile name, group avatars, social graph, etc., but not your messages.
2. Your key is only uploaded to the cloud if you have a recovery PIN or passphrase
3. Your key is encrypted using your PIN or passphrase using techniques (key-stretching, storing in server secure enclaves) that make it more difficult to brute force

The main criticism of this is that you can’t opt out of it without opting out of the Registration Lock, that it necessarily uses the same PIN or passphrase, and that, particularly because it isn’t clear that your PIN/passphrase is used for encryption, users are less likely to use more secure pass phrases here.

But even without the extra steps that we can’t 100% confirm, like the use of the Secure Enclave on servers and so on, this is e2ee, able to be opted out by the user, not able to be used to recover past messages, and not able to be used to decrypt future messages.

If my gender doesn’t exist, doesn’t that mean that I don’t exist? And if I don’t exist, then I can’t get a passport or hold office? That sucks, but that also means I also don’t have to pay taxes and can’t be charged with a crime. Heck, you can’t even chase me! What’re you gonna do, tell the police to go after the “man wait no, woman, wait no 🤯”?

These motherfuckers just Polyphemus’d themselves, and I’m “Nobody.”

Seriously, though, denying passports to intersex people is some science-denying bullshit.

I believe this is legally supposed to take 60 days before it’s effective but read that some transphobes are already enforcing it.