> And the activists are now against it, because the big guys are doing it.
The activists are against it because the big guys are exploiting us small guys, again. Nobody would give a shit if Meta was just torrenting Nintendo's IP and OpenAI was torrenting Netflix IP, except the lawyers working for these companies.
The point is, that's not the typical experience and people like that can be replaced. We don't willingly bring people like that on our teams, and we certainly don't aim to replace entire teams with clones of this terrible coworker prototype.
That's a psychotic thing to say about starting new wars and aiding genocides. The only thing that's being defended are the profits of western oligarchs.
Full system access = it's not sandboxed, it has access to anything that the user can access, and it seems to use systemd user units which don't require root access.
> This is a great article. It's why I roll my eyes when someone asks "Show me the data" or the classic "Sources please."
That doesn't follow. Yes, there are going to be multiple interpretations of the data, however the data must exist otherwise you're just pulling claims out of thin air.
Being asked to provide the data is just an easy filter for people who just say things, who only have the narrative, like "the earth is a flat disc" - okay, show me some experimental data that would show this to be true.
But people have data. A lot of empirical data from their own lives. When something resonates with someone, it just means it fits the data they collected in their brains.
Most people aren't stupid. If they sound stupid, it's often because they have not heard a better narrative which fits their data.
Our society completely disregards the wisdom of old age. We probably meet hundreds of thousands of people in our lives. We collect both quantitative and qualitative data. That's statistically significant.
> the choice to stay alive shows they see some inherent value in the state of being alive.
Eh, you don't choose to live any more than you choose to breathe. Even if you don't want to live anymore you can't simply "choose" to no longer be alive. There's no suicide-fairy that neatly and quietly removes you from existence on command, and that would keep taking care of anyone who's depending on you.
There are some countries where assisted suicide is legal, if you can afford to make it there, and can make the case that it's truly what you want and believe is right for you. But, as you've noted, that doesn't take care of dependents unless they join you... Not that it can matter to you after your end, but in many cases, the emotional weight of what one's loss could do to others can indeed discourage them from going through with it.
The amount of javascript is really beside the point here. The problem is that privileged users can easily edit the code without strong 2FA, allowing automatic propagation.
If they required 2FA every time you wanted to modify JS then it couldn't propagate automatically. Just requiring 2FA when you first log in wouldn't help, of course.
More to the point, if they required 2FA every time you tried to modify the JS, nobody would do it because it would be too annoying. "Username, password... oh, the 2FA just timed out, gotta wait for the next one... what, that doesn't work? Does it want the old one? Oh... now it wants the next one... just a second... "
It's not; application logic exposed on the client side is always an attack vector for figuring out how it works and how attack vectors could be devised.
It's simply a calculated risk.
How much business and application logic you put in your Javascript is critical.
On your second unrelated comment about Wikipedia needing to use 2FA, there's probably a better way to do it and I hope MediaWiki can do it.
I don't know what you mean by application logic being exposed client-side. To change the content on the website, nuke articles, and propagate the malicious JS code you need to hijack privileged users' credentials and use them to trigger server-side actions.
It doesn't matter how much functionality the JS was originally responsible for, it could've been as little as updating a clock, validating forms, or just some silly animation. Once that JS executes in your browser it has access to your cookies and local storage, which means it can trigger whichever server-side actions it wants.
My second comment is not unrelated. The root cause of this mess is the fact that JS can be edited by privileged users without an approval process. If every change to the JS code required the user to enter their 2FA code (TOTP, let's say) then there would be no way for the worm to spread whenever users visited a page.
Ah, I’m not speaking about JavaScript within the content of Wikipedia as you are.
I’m referring to the use of JavaScript in general in the building of web apps themselves. My comment is the same about 2FA.
I’m making these comments from the general perspective because I see it as a security risk when front end scriptability and app logic are more available than say server side apps.
You say you understand that they're under no obligation to do anything, you already knew their reasoning, yet you still wrote a comment [seemingly] complaining about it. Was there a different purpose to it?
GrapheneOS evidently wants to help people manage threat actors in their life. Having a terminal with full control of your own hardware would help with that goal because it lets you further control what your device and the software thereon does (there are apps you don't fully trust but need for daily life, where you might want to do TLS interception or modify what it stored about you before connecting to the internet again).
I simply agreed with the person who posted this sentiment by mentioning another place where an organisation acts contrary to its stated goal (Signal wants privacy, but also your phone number? I can come up with reasons like that it costs money and thus helps against spam, but it's still at odds and different solutions and opinions are possible).
If someone comes to one of my open source projects' bugtrackers and says "I want you to implement X", I can say "enjoy implementing that", or I can say "this is a bad idea because reasons". GrapheneOS does the latter. Responding to that, waylaying arguments, is not the same as demanding free work. They're free to not care.
He directly answered your question, gave you an alternative, which in your reply you didn't even acknowledge, but moved the goalposts.
People who spend huge quantities of time trolling somebody who makes an excellent mobile operating system are really quite something. I used to think he was overselling the quantity and quality of it, but this post's comments have really turned me around on that one. So: thanks for that.
Good luck with that. Of all the things people don't really care about, I think that might be at the far end of the list.
Certification authentication is neat technology in principle, I use it internally, but in my experience anyone who recognizes it also hates it passionately. It's the thing that seemingly stops working every time their taxes are due, courtesy of terrible government software.
If I started telling people that they should be demanding certificate authentication from their banks, they'd probably think that I escaped an asylum.