Okay bud. Have a biscuit 🍪
Password is necessary for two-factor authentication. The factors of authentication are something you know (like a password), something you have (like a cell phone), and something you are (like a biometric).
An example of three-factor authentication would be this—imagine a spy going into a secret bunker. They need to scan their iris, insert a key card, and then enter a passcode before the door opens. This has all three factors of authentication; the passcode is something they know, the key card is something they have, the iris scan is something they are.
If it just sends a code to your phone, that’s one-factor authentication (something you have). Anyone with your phone can get into your account. Unless, of course, your phone hides its notifications and you have a screen lock. Then that’s actually two-factor authentication because you also need to know the phone PIN or have the biometric.
If it just asks for a password, that’s one-factor authentication (something you know).
If it asks for your password and then sends a code to your phone, which you need a fingerprint or face scan to unlock, you have achieved three-factor authentication.
Edit: Interesting tidbit—in the USA, you can rent a mailbox at the post office to receive mail when you don’t want to give out your real address. Useful for privacy reasons. I’m sure they have similar things in other countries. These mailboxes come with a key. This is actually two-factor authentication, because the keys usually don’t have the mailbox number written on them! So you have to have the key and also have to know which mailbox among the hundreds at the post office it opens.
TOTP is standardised by RFC 6238 so all TOTP clients must comply with the standard and therefore work equally well. Pick the one whose UI you like the most and is otherwise good enough for your use case and personal preferences. It’s similar to arguments over CPU thermal paste—its presence or absence makes a much larger difference than the method of application.
You do, however, want to pick something that is free and open-source and also popular. Google Authenticator (closed source) definitely is a functional TOTP client but you have to trust that the Google engineers have done a good job building a secure app. Since it’s Google, they probably have, but a principle in security is that you should not have to trust more people than absolutely necessary.
Yes, but this is like replacing the front door of your house with a bank vault door. Yes, it’s more secure, but there is a point of “reasonably secure enough” for most people and at some point, you are just inconveniencing yourself for no tangible gain.
It’s not a hard concept. In almost every well-designed security system, the weakest links are invariably the humans.
The passwords are stored locally. You can test this yourself by turning off your WiFi or disconnecting your Ethernet cable and then going to about:logins. All the passwords will still be there.


Ubuntu Server, Debian, or Rocky Linux will save you a lot of headaches.
Most software is designed with these major distros in mind and using something more obscure will just cause problems later on when you realise that there are no guides written for it by the software vendor. Fixing broken software gets old really fast especially when it causes your stuff to break when you’re actually trying to use it.


I have a script running that uses the Namecheap API to automatically get wildcard certs from Let’s Encrypt. I didn’t pay a dime for this. Did something change?


Nothing wrong with Boost Mobile, or any other discount telecom provider either. It’s not like the phone signals taste different lmao


It’s just a hallmark of “I bought the cheapest domain name TLD available”.
That’s not necessarily bad if all you need is something to get the job done, but there is a stereotype associated with it.


I think it is generally okay to bundle the root domain certificate and the wildcard for its subdomains into a single renewal.
So for example:
example.com
*.example.com


The data is all stored server-side. The worst that could happen is the sync connection stops working and you need to redownload the files. Nothing gets deleted by these commands. They will still be on your disk and accessible by you.
If this breaks Nextcloud, it indicates something’s wrong with your installation.


I’m guessing you’re talking about the client, right? The data folder on the server shouldn’t be touched or modified, except by Nextcloud.
Check who owns the folder. I’ll assume the folder is at ~/Nextcloud, but if it’s not, just substitute in the path to the Nextcloud folder.
You can check who owns the folder using ls:
ls -ld ~/Nextcloud
This should give you something like:
drwx------ 10 user group 4096 2024-03-04 00:00 Nextcloud
Where the word “user” is in the above example should be the name of the owner of the directory. Where the word “group” is should be the group.
If either is root, check to make sure the Nextcloud client is not running as root (using sudo or otherwise).
Otherwise, give yourself ownership of the directory:
sudo chown username:username -R ~/Nextcloud
Replace username with your username.


Mine is… eh. It’s alright. I don’t use any of the apps. Just the actual sync functionality. Sometimes when I’m moving files around there’s a problem where the entire thing just stops responding. My MediaWiki instance still works, just not Nextcloud. Not sure why this happens and not sure if it also happens to other people.
For comparison, it is running on a Contabo VPS M


With due respect, you do not have the authority to dictate what it means for me to support free software. Nor anyone else.
When it comes to community-building and social networking, the popularity metric is absolutely an important consideration. If you are choosing where to start the official community for your software project, and you choose an obscure service, people will make unofficial communities in the more popular services, and you end up with all the supposed drawbacks anyway. Normal non-technical users who are looking to join a community won’t prefer an official community on a service they’ve never used before to an unofficial community on a popular service. That’s why people make unofficial user subreddits and community Discord servers. Those unofficial communities could and in many cases will outgrow the official community. This has happened many times before and will happen many times again. Then, new users, even if they see both, will see an unofficial community on, say, Reddit with many more users than the official one, and when this happens, developers either start participating in the unofficial community posting announcements and whatnot there, and if that happens, there becomes little reason to join the official community.


This article has a few primary arguments for not using Discord—
I know this opinion is going to be unpopular but here I go anyway.
Other than the accessibility argument, I find these arguments quite weak. Yes, Discord is proprietary software, but the reason it’s used is because a lot of people are familiar with it and many people already have Discord accounts.
Although I’m a firm supporter of free software, I also believe that it’s more important to use the right software for the job than to idealistically use inferior software just because it happens to be open-source. And yes, I regard most of the alternatives to Discord listed in the article to be inferior solely because they are unfamiliar to users. Sometimes, the superior choice happens to be proprietary and I don’t think there’s anything wrong with that. That’s the way it is sometimes; you can’t win every fight, as much as you’d like to.
If your goal is to foster a community of regular users and make it easy for normal users to interact with contributors, there is no choice that will hamper that goal more than using an obscure alternative software that nobody’s heard of.
With respect to chat logs and administration tools… for the most part, nobody cares. Discord’s tools are sufficient for most groups and few people consider the drawbacks to outweigh the other benefits.


Smells like a scam


You seem to think that regulation doesn’t work. Luckily, we have a test case set up for us in real life.
In the United States, consumers relied on voting with their wallets. In the European Union, regulatory agencies forced Apple to take pro-consumer moves through regulation.
Now take a look at which approach produced results and which approach left consumers continuing to complain about the lack of interoperability and the lack of competition in Apple’s walled garden.


I’m not the parent commenter, but Apple Silicon has much wider app support than ARM on Windows. There’s also Rosetta, which works alright, I suppose. Not spectacularly and usually not anywhere near native performance but it’s at least okay.
I think there is a line to be drawn between what is theoretically better and what is meaningfully useful.
It is realistically not useful information for an attacker to know what country you are from by observing your UTC offset. It’s simply much easier to guess this information by observing your other behaviours. For example, the text and time of your post is already leading me to guess UTC+5:30 as the time zone in question. But again, knowing what country you’re from is not really useful information most of the time, as even if my guess is correct, that narrows it down to a whopping one-eighth of the human population.