I initially found git a bit confusing because I was familiar with mercurial first, where a “branch” is basically an attribute of a commit and every commit exists on exactly one branch. It got easier when I eventually realized that git branches are just homeomorphic endofunctors mapping submanifolds of a Hilbert space.

You can use Wireshark to see the packets and their IP addresses.

https://www.wireshark.org/download.html

https://www.wireshark.org/docs/

A word of warning though: finding out about all the network traffic that modern software sends can be deleterious to mental health 😬

I do have wireguard on my server as well, I guess it’s similar to what tailscale does?

Tailscale uses wireguard but adds a coordination server to manage peers and facilitate NAT traversal (directly when possible, and via a intermediary server when it isn’t).

If your NAT gateway isn’t rewriting source port numbers it is sometimes possible to make wireguard punch through NAT on its own if both peers configure endpoints for eachother and turn on keepalives.

Do you know if Yggdrasil does something similar and if we exchange data directly when playing over Yggdrasil virtual IPv6 network?

From this FAQ it sounds like yggdrasil does not attempt to do any kind of NAT traversal so two hosts can only be peers if at least one of them has an open port. I don’t know much about yggdrasil but from this FAQ answer it sounds like it runs over TCP (so using TCP applications means two layers of TCP) which is not going to be conducive to a good gaming experience.

Samy Kamkar’s amazing pwnat tool might be of interest to you.

I have a device without public IP, AFAIK behind NAT, and a server. If I use bore to open a port through my server and host a game, and my friends connect to me via IP, will we have big ping (as in, do packets travel to the server first, then to me) or low ping (as in, do packets travel straight to me)?

No, you will have “big ping”. bore (and everything on that page i linked) is strictly for tunneling which means all packets are going through the tunnel server.

Instead of tunneling, you can try various forms of hole punching for NAT traversal which, depending on the NAT implementation, will work sometimes to have a direct connection between users. You can use something like tailscale (and if you want to run your own server, headscale) which will try its best to punch a hole for a p2p connection and will only fall back to relaying through a server if absolutely necessary.

See https://github.com/anderspitman/awesome-tunneling for a list of many similar things. A few of them automatically setup letsencrypt certs for unique subdomains so you can have end-to-end HTTPS.

Mattermost isn’t e2ee, but if the server is run by someone competent and they’re allowed to see everything anyway (eg it’s all group chat, and they’re in all the groups) then e2ee isn’t as important as it would be otherwise as it is only protecting against the server being compromised (a scenario which, if you’re using web-based solutions which do have e2ee, also leads to circumvention of it).

If you’re OK with not having e2ee, I would recommend Zulip over Mattermost. Mattermost is nice too though.

edit: oops, i see you also want DMs… Mattermost and Zulip both have them, but without e2ee. 😢

I could write a book about problems with Matrix, but if you want something relatively easy and full featured with (optional, and non-forward-secret) e2ee then it is probably your best bet today.

Tuta is most likely a honeypot, and in any case it is pseudo-open source so it’s offtopic in this community.

Not necessarily true - that right to modify/redistribute depends on the exact license being applied.

If you don’t have the right to modify and redistribute it (and to do so commercially) then it does not meet the definitions of free software or open source.

For example, the Open Watcom Public License claims to be an “open source” license, but it actually doesn’t allow making modifications.

The Sybase Open Watcom Public License does allow making modifications, and distributing modified versions. The reason why the FSF has not approved it is that it requires you to publish source code even if you only wanted to run your modified version yourself and didn’t actually want to distribute anything to anyone. (The Watcom license is one of the few licenses which is approved by OSI but not FSF. You can see the other licenses which are approved by one but not the other by sorting this table.)

The FSF’s own AGPL license is somewhat similar, but it only imposes the requirement if you run the software for someone else over a network. (Neither of these requirements are likely to be enforceable by copyright law, as I explained in my comment about the AGPL in the thread which this thread is about…)

This is also why we specifically have the terms “free software” or “FOSS” which imply they you are indeed allowed to modify and redistribute.

I would recommend reading this: https://www.gnu.org/philosophy/open-source-misses-the-point.en.html

I would recommend that you re-read that, because it actually explains that the two terms refer to essentially the same category of software licenses (while it advocates for using the term free software to emphasize the philosophical aspects of those licenses).

Opensource just means that the source code is available, FOSS however implies that you’re free to modify and redistribute the program

Incorrect. “Open Source” also means that you are free to modify and redistribute the software.

If the source code is merely available but not free to modify and/or redistribute, then it is called source-available software.

Thanks. They are no longer a mod of this community. (I wrote this comment to them and they did not reply.)

Hi @haui_lemmy@lemmy.giftedmc.com,

fyi icymi due to this thread someone posted this other thread asking “Is it appropriate for someone to be a mod here when they don’t understand open source, and insult users in the community?”.

I don’t have time to read all ~200 comments in these two threads, but I do think that being a moderator of /c/opensource@lemmy.ml requires knowing what FOSS is to be able to remove posts promoting things which are not.

Hopefully the replies here (again, I have not read even half of this thread…) have made you better informed?

In case you haven’t yet, I would highly recommend that you read these two documents (you can start with their wikipedia articles and follow links from there to the actual documents):

• https://en.wikipedia.org/wiki/The_Free_Software_Definition
• https://en.wikipedia.org/wiki/The_Open_Source_Definition

In short, the answer to your question (“Is there a License that requires the user to donate if they make revenue?”) is yes, there are many such licenses, but they are definitively not FOSS licenses (despite what some people who haven’t read the above definitions might try to tell you).

I won’t enumerate any of the non-FOSS licenses which attempt such a thing, because I recommend against the use of such licenses or software licensed under them.

BTW, I saw you wrote in another comment:

By now I get that FOSS mostly implies free work for corporations. I‘ll just go with agpl to ensure they get nothing from my work.

While corporations benefiting from FOSS while failing to financially support it at all is extremely commonplace, I vehemently disagree that that is what FOSS “mostly implies”. In fact, the opposite is more common: the vast majority of free software users are not paying anything to the companies who have paid for an enormous amount of the development of it. A few hundred companies pay tens of thousands of individual developers to develop and maintain the Linux kernel, for instance.

Regarding the second sentence of yours that I quoted above, in case you haven’t understood this yet: the AGPL does not prevent commercial use of your work. If you write a web app and license it AGPL, you are giving me permission to run it, modify it, redistribute my modified version, and to charge money for it without giving you anything.

What the AGPL does, and why many companies avoid it, is impose the requirement that I (the recipient of your software) offer the source code to your software (and any modifications I made to it) under that same license not only to anyone I distribute it to but also to anyone using the software over a network on my server.

If the software were licensed GPL instead of AGPL, I would only be required to offer GPL-licensed source code to people when I distribute the software to them. Eg, I could improve a GPL web app and it is legal to not share my improvements (to the server-side code) with anyone at all because the software is not being distributed - it is just running on my server.

By imposing requirements about how you run the software (eg, if you put an AGPL notice in the UI, I am not allowed to remove it) the AGPL is more than just a copyright license: violations of the GPL and most FOSS licenses are strictly copyright violations and can be enforced as such, but violating the part of the AGPL where it differs from the GPL would not constitute copyright infringement because no copying is taking place. Unlike almost every other FOSS license, the AGPL is both a copyright license and a end-user license agreement.

For this reason, many people have misgivings about the AGPL. However, if you want to scare companies away from using your software at all (and/or require them to purchase a different license from you to use it under non-AGPL terms, which is only possible if you require all contributors to assign copyright or otherwise give you permission to dual-license their work) while still using a license which the FOSS community generally accepts as FOSS… AGPL is probably your best bet.

HTH.

p.s. I’m not a lawyer, this isn’t legal advice, etc etc :)

two weeks later: GitLab confirms it’s removed Suyu, a fork of Nintendo Switch emulator Yuzu

sad to see their new git hosting is behind cloudflare 😢

It’s a mild pain and definitely not what we were promised

I think this is precisely what the ActivityPub model of federation promised, actually 😅

💯 points for the name.

They should make it use the sosumi sound for something so that maybe they can get sued by Apple Inc too 😂

Poor choice of git hosts though; won’t gitlab.com take down anything that a big company asks them to?

Ente doesn’t seem to require a CLA.

It turns out, they do have a CLA (with full copyright assignment 😢).

They’d need to implement something like SRP.

Update: I contacted the developers to bring my comment to their attention and it turns out they have already implemented SRP to address this problem (but they haven’t updated their architecture document about it yet).

It is, but in this case I think it isn’t actually a weakness for the reasons I explained.

That’s complicated to do correctly. Normally, for the server to verify the user has the correct password, it needs to know or receive the password, at which point it could decrypt all the user’s files. They’d need to implement something like SRP.

What I proposed is that the server does not know the password (of course), but that it knows a thing derived from it (lets call it the loginSecret) which the client can send to obtain the encryptedMasterKey. This can be derived in a similar fashion to the keyEncryptionKey (eg, they could be different outputs of an HKDF). The downside to the server knowing something derived from the passphrase is that it enables the server to do an offline brute force of it, but in any system like this where the server is storing something encrypted using [something derived from] the passphrase the server already has that ability.

Is there any downside to what I suggested, vs the current design?

And is there some reason I’m missing which would justify adding the complexity of SRP, vs what I proposed above?

The only reason I can think of would be to protect against a scenario where an attacker has somehow obtained the user’s loginSecret from the server but has not obtained their encryptedMasterKey: in that case they could use it to request the encryptedMasterKey, and then could make offline guesses at the passphrase using that. But, they could also just use the loginSecret for their offline brute-force. And, using SRP, the server still must also store something the user has derived from the password (which is equivalent to the loginSecret in my simpler scheme) and obtaining that thing still gives the adversary an offline brute-force opportunity. So, I don’t think SRP provides any benefit here.

edit: the two issues i raised in this comment had both already been addressed.

this was the developer’s reply on matrix:

1. We do have a CLA: https://cla-assistant.io/ente-io/ente
2. We will update the iOS app to offer you an option to point to your self hosted instance (so that you can save yourself the trouble of building it): https://github.com/ente-io/ente/discussions/504
3. The portion of the document that deals with authentication has been outdated, my bad. We’ve adopted SRP to fix the concerns that were pointed out: https://ente.io/blog/ente-adopts-secure-remote-passwords/