Hacker News: hiciu's comments

> just put Excel inside Winboat or something, but they won't have it

Just curious, is it about different tools / workflow / the new thing to learn (and those are valid reasons!) or are there some technical issues with for example Winboat?


They've never used Winboat (or anything Linuxey really), so it's definitely not a fault with Winboat itself.

Honestly I think they really just don't want to change and they're trying to look for ways out because they know that "I don't want to!" isn't going to fly with me if I'm expected to be tech support.


Besides the main issue here, and the owner's account being possibly compromised as well, there's like 170+ low quality spam comments in there.

I would expect a better spam detection system from GitHub. This is hardly acceptable.


The same thing occurred on the trivy repo a few days ago. A GitHub discussion about the hack was closed and 700+ spam comments were posted.

I scrolled through and clicked a few profiles. While many might be spam accounts or low-activity accounts, some appeared to be actual GitHub users with a history of contributions.

I’m curious how so many accounts got compromised. Are those past hacks, or is this credential stealing hack very widespread?

Are the trivy and litellm hacks just 2 high profile repos out of a much more widespread “infect as many devs as possible, someone might control a valuable GitHub repository” hack? I’m concerned that this is only the start of many supply chain issues.

Edit: Looking through and several of the accounts have a recent commit "Update workflow configuration" where they are placing a credential stealer into a CI workflow. The commits are all back in February.


Once is happenstance. Twice is coincidence. Three times is enemy action.


Update: It looks like the accounts have all been deleted by GitHub, including their repos. They are 404 pages now. Their repos + recent malicious commits are all just 404 pages now.

I'm curious what the policy is there if the accounts were compromised. Can the original users "restore" their accounts somehow? For now it appears the accounts are gone. Maybe they were entirely bot accounts but a few looked like compromised "real" accounts to me.


Yep my coworker hnykda, first reply confirming the report, got his account deleted for a while earlier. Definitely not the best way of handling this...


Reporting spam on GitHub requires you to click a link, specify the type of ticket, write a description of the problem, solve multiple CAPTCHAs of spinning animals, and press Submit. It's absurd.


I'm guessing it's accounts they have compromised with the stealer.


They repeat only six sentences during 100+ comments:

Worked like a charm, much appreciated.

This was the answer I was looking for.

Thanks, that helped!

Thanks for the tip!

Great explanation, thanks for sharing.

This was the answer I was looking for.


Over the last ~15 years I have been shocked by the amount of spam on social networks that could have been caught with a Bayesian filter. Or in this case, a fairly simple regex.


It's the bear trash lock problem all over again.

It could be solved by the filter, but the filter would also have a bunch of false positives.
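The thread above says the flood repeats six canned sentences and that a simple filter would catch it but also produce false positives. The following is an added detection example (not code from the thread) that shows both halves of that: it only flags a comment when the same normalised text arrives from several distinct accounts inside a short window, and it labels the flag more confidently when the text is one of the quoted canned phrases. The sample comments, account names, timestamps and thresholds are all constructed for the example.

```python
"""Flagging a flood of canned comments.  Added example; the phrases are the
ones quoted in the thread, the sample comments below are constructed.
Two signals are combined: a burst of identical normalised text from several
distinct accounts inside a time window, and whether that text is a known
canned phrase.  A lone "Thanks, that helped!" from one account is
deliberately not flagged: that is the false-positive trade-off."""
import re
from bisect import bisect_left
from collections import defaultdict
from typing import Dict, Iterable, Tuple

CANNED_PHRASES = [
    "Worked like a charm, much appreciated.",
    "This was the answer I was looking for.",
    "Thanks, that helped!",
    "Thanks for the tip!",
    "Great explanation, thanks for sharing.",
]


def normalise(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that trivial
    variations of the same phrase compare equal."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(cleaned.split())


CANNED_NORMALISED = {normalise(p) for p in CANNED_PHRASES}


def flag_comments(comments: Iterable[Tuple[int, str, str]],
                  window_seconds: int = 3600,
                  min_accounts: int = 5) -> Dict[Tuple[int, str], str]:
    """comments: (unix_timestamp, account, text) triples.
    Returns {(timestamp, account): reason} for every flagged comment, where
    reason is "canned_burst" (a known phrase from >= min_accounts distinct
    accounts within the window) or "burst" (same pattern, unknown phrase)."""
    by_text = defaultdict(list)
    for ts, account, text in comments:
        by_text[normalise(text)].append((ts, account))

    flagged: Dict[Tuple[int, str], str] = {}
    for norm, posts in by_text.items():
        posts.sort()
        times = [ts for ts, _ in posts]
        reason = "canned_burst" if norm in CANNED_NORMALISED else "burst"
        for i, (ts, _account) in enumerate(posts):
            # every post of this text inside the window ending at this one
            start = bisect_left(times, ts - window_seconds)
            in_window = posts[start:i + 1]
            if len({acct for _, acct in in_window}) >= min_accounts:
                for key in in_window:
                    flagged[key] = reason
    return flagged


# Constructed sample: a six-account canned-phrase flood, a five-account burst
# of an unknown phrase, one genuine thank-you two days earlier, two ordinary
# comments, and one account repeating itself (not a multi-account burst).
SAMPLE_COMMENTS = (
    [(1_000 + 120 * i, f"bot{i}", "Thanks, that helped!") for i in range(6)]
    + [(5_000 + 60 * i, f"spam{i}", "Nice one") for i in range(5)]
    + [(-200_000, "alice", "Thanks, that helped!")]
    + [(7_000, "bob", "The bug is in the retry loop, not the parser."),
       (7_300, "carol", "Can you post the stack trace?")]
    + [(9_000 + 10 * i, "dave", "Great post") for i in range(6)]
)


def summarise(flagged: Dict[Tuple[int, str], str]) -> Dict[str, int]:
    """Count flagged comments per reason."""
    counts: Dict[str, int] = defaultdict(int)
    for reason in flagged.values():
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarise(flag_comments(SAMPLE_COMMENTS)))  # {'canned_burst': 6, 'burst': 5}
```

The window and account thresholds are the knobs that trade recall for false positives: a single account repeating a phrase, or a real user thanking someone once, never reaches the distinct-account threshold, while a coordinated flood from compromised accounts does within minutes.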


It seems like if the content is this hollow and useless, it shouldn't matter if it was a human or spambot posting it.


Well, large companies/corporations don't care about spam because they actually benefit from spam in a way as it boosts their engagement ratio.

It just doesn't have to be spammed enough that advertisers leave the platform, and I think that they sort of succeed in doing so.

Think about it: if Facebook shows you AI slop ragebait or any rage-inducing comment from multiple bots designed to farm attention/for malicious purposes in general, and you fall for it and show engagement to it on which it can show you ads, do you think it has incentive to take a stance against such form of spam?


> Well, large companies/corporations don't care about Spam because they actually benefit from spam in a way as it boosts their engagement ratio

I'm not sure that's actually true. It's just that at scale this is still a hard problem that you don't "just" fix by running a simple filter as there will be real people / paying customers getting caught up in the filter and then complain.

Having "high engagement" doesn't really help you if you are optimizing for advertising revenue, bots don't buy things so if your system is clogged up by fake traffic and engagement and ads don't reach the right target group that's just a waste.


Yeah, I almost included that part in my comment, but it still sucks.


Or they're just bots. This repository has 40k+ stars somehow.


There is no "route the request through the government system every time you use your ID".

You get your sd-jwt document signed once and you reuse it for like 30 days or so.


I was responding to the comment above mine, which was calling for attestation from the government for specific privileges.

> you get your sd-jwt document signed once and you reuse it for like 30 days or so

So it still gets routed through the government once a month if you plan on using it.


Yes we are still talking about attestation from the government for the specific privilege part.

You get your document with fields like "can drive", "is over 18" and so on. It's valid for some time; physical ID is valid for like 10 years and then you have to get a new document, this digital one is valid for let's say 30 days and if it expires you get a new one.

Then you present only those fields you want, when you want, without anyone talking to the government at all. All the other party needs to check is "is the document valid" and "do presented fields match the document". Like checking a tls certificate for a given domain name or purpose.

Strictly speaking there is no "routing through the government" of any information. The government just "issues a certificate" valid for X days without knowledge with whom, how or when you are using it.


> Strictly speaking there is no "routing through the government" of any information. The government just "issues a certificate" valid for X days without knowledge with whom, how or when you are using it.

I don't understand how you keep claiming there is no "routing through the government" right next to your explanations that the government is the one providing the documents every 30 days.

Obviously something in the document is tied to your ID and the government has mechanisms to revoke it. No matter how many layers you put on top of that, this all has to come back to the government's control.

I understand that the salts can be sent to 3rd party websites. However there's obviously a reason that those are only valid for 30 days instead of indefinitely.


Yes, something in the document is tied to my ID. There's my name in there for example :). I don't have to share that information, because what the government signed is a uniquely salted hash of my name and passed the salt to me.

If I choose to share that salt, and provide my name, someone could hash all that information and compare it to the government-issued document to verify if my name really is john smith (or if my claim "I'm over 18" is valid).

If I don't, they have no way of knowing.

> no "routing through the government"

> government is the one providing the documents

I'm also lost. I mean, this is the government issued ID we are talking about, right? How are you expected to get it if not from the government? "Are you over 18" claim is part of that government issued ID.

They don't have to know which sites or when you are visiting, but they do have to issue you the document.

(To be clear, there are also other options, it doesn't have strictly to be government; for example banks around here can provide ID documents - for their clients. There's a list of who is trusted for what https://eidas.ec.europa.eu/efda/trust-services/browse/eidas/...).

> However there's obviously a reason that those are only valid for 30 days instead of indefinitely.

It's the same reason why we prefer tls certificates with short lifespans.


Technically, if your phone needs to be remote attested, it can be considered a government system, not a user's system.


That's true, but it never really was your system, right? It's government issued app on a government approved device.


Why would I allow a government to tell me which devices I own can or cannot be approved? People have a short memory of history. Government works for the people, not the other way around.


Nope, it is my system currently. I hope we won't go back to GDR where the government needed to approve each typewriter.


> A true zero knowledge ID check with blind signatures

That is not true and "true zero knowledge ID check" + "age verification" with blind signatures is what's being implemented by the EU ID project.

So someone's id leaks. It happens. In EUDI there are things called "cryptographic accumulators of non-revocation proofs". If your ID leaks it goes into the accumulator. Similar to the certificate revocation lists. During check, you include claims "im over 18" and "my id is not in the accumulator".

This is included in the standard.

This is also (I can only assume) one of the reasons why EUDI wallets require play integrity / attestation / secure element on the device. So your private key won't be easily leaked and no one can steal your ID.


You're assuming the leak was accidental, the person knows about it, and they didn't intend for others to use it.

What happens when someone sets up a marketplace where people can sell those blind signatures using their ID for $2 each? And then kids just pay $2 to have someone else blindly use their ID to validate the account, because supposedly the system is structured so that nobody can tell which ID was used or tie it back to the account?


E.g. the German ID card can all on its own, just using a server certificate configured/parametrized for this and signed by the government, do a simultaneous pseudonym passkey mint and age gate check. That way you could easily block ID reuse; note that the passkey is locked to the card not the person as it's cryptographically derived from the pair of the card's private internal key, and the server's private key that goes to the certificate.

Access to this part of the card is secured by PAKE between the transport layer (TLS) encrypting and user interface providing NFC reader (for example phone with the app, or dedicated hardware) using a PIN.


That's where the google play integrity / attestation comes into the effect.

In theory you cannot export your private key from the device (from the secure element), so for each $2 someone would have to quickly unlock their phone, scan code via the app and so on.


Private keys from secure elements leak all the time. There will be a flawed implementation that someone exploits, an insider will smuggle a key out etc.

This is why true zero-knowledge systems for this sort of thing aren't practical and will never be. Because a SINGLE leak will break it and there will be no way to even detect it.

The attestation systems you reference don't even allow true zero knowledge attestation, they involve a trusted intermediary to convert your burned-in private key to a temporary key which you use for attestation with a third party.

And the temporary key isn't even a product of a blind signature. And it's rate limited. So if a service selling these temporary keys shows up they will be able to easily trace it to the burned-in key responsible - then revoke it and if possible initiate legal action.

This also means that whenever you register to a service using one of these schemes you are registering with your real identity, it's only a question of how hard and how many parties need to collude to extract it.

And in the event that they really do blindly sign tokens generated on your device, then their scheme will not survive adoption. As it gets adopted, the value of these blind signatures will rise and services that sell them will pop up. There will be no way of tracing the sold blind signature to the compromised/colluding device and rate limiting will merely necessitate a farm of such devices as opposed to a single leaked key.

*Note that Blind Signatures are Zero Knowledge.


Can you tell me when a private key has leaked from the Secure Enclave on a iPhone?


> That is not true and "true zero knowledge ID check" + "age verification" with blind signatures is what's being implemented by the EU ID project.

You are mistaken. In the EUDI wallet project, unlinkable signature schemes are currently being discussed among cryptographers and a month ago very basic support for Longfellow was merged into the reference wallet.

You're making it seem that unlinkable signatures are very established and the default, while they are not. They're not yet properly defined, experimental and mostly unimplemented by member states. Linkable ECDSA signatures are currently the default in the EUDI wallet project.


> EU's planned system requires highly invasive age verification

EUDI wallets are connected to your government issued ID. There is no "highly invasive age verification".

We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government.

You get it with the salts. When you want to prove you are 18+ you include salt for the "is aged over 18" claim, and the signed document with all the salts and the other side can validate if the document is signed and if your claim matches the document.

No face scanning, no driver license uploading to god-knows-where, no anything.

> to obtain 30 single use, easily trackable tokens that expire after 3 months

This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on. It is supposed to provide the "unlinkability". I don't feel competent enough to explain how those work.

> jailbreaking / "prevent tampering"

This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

> You have to blindly trust that the tokens will not be tracked

This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you.

Also we can't have a meaningful discussion without expanding on definition of "tracking".

Can the site owner track you when you verify if you are 18+? Not really, each token is unique, there should be no correlation here.

Can the government track you? No, not alone.

Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

Can they lie? Sure.

Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

Can they lie if you are using bbs+? Math says no.
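The two comments above (the one describing a uniquely salted hash of each claim with the salt handed to the holder, and this one walking through the three salted claims, the 18+ presentation, and the issuer/site collusion case) describe the same salted-digest selective-disclosure flow. Below is an added Python example, not code from the thread or from any EUDI wallet, that implements that flow end to end: the issuer salts each claim and signs only the digests, the holder forwards the signed credential with one chosen disclosure, and the verifier checks the signature, the age of the credential and that each revealed disclosure hashes to a signed digest. The last function shows the collusion risk the comment raises: an issuer that keeps the digests it signed and a site that keeps the digests it received can link them by intersection. The claim values, timestamps and key are constructed, and HMAC-SHA256 stands in for the issuer's real asymmetric signature so the script needs only the standard library.

```python
"""Selective disclosure with salted claim digests, in the style described in
the thread (issuer signs per-claim salted hashes; holder reveals only the
salts it chooses), plus a check of the linkability risk raised in the thread.
Constructed example: HMAC-SHA256 stands in for the issuer's real asymmetric
signature so the script runs on the standard library alone."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Stand-in for the issuer's (government's) private signing key.  Constructed.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(salt: str, name: str, value) -> str:
    # A disclosure is base64url(JSON [salt, claim name, claim value]).
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    # What the issuer actually signs for each claim: the hash of its disclosure.
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def issue(claims: dict, iat: int) -> Tuple[dict, Dict[str, str]]:
    """Issuer side: salt each claim, sign the sorted digests plus iat.
    Returns (signed credential, per-claim disclosures handed to the holder)."""
    disclosures = {name: make_disclosure(b64url(secrets.token_bytes(16)), name, value)
                   for name, value in claims.items()}
    payload = {"iat": iat, "_sd": sorted(digest(d) for d in disclosures.values())}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True)
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"payload": body, "sig": sig}, disclosures


def signed_digests(credential: dict) -> List[str]:
    """The digests the issuer signed (what an issuer log would retain)."""
    return json.loads(credential["payload"])["_sd"]


def present(credential: dict, disclosures: Dict[str, str], reveal: List[str]) -> dict:
    """Holder side: forward the signed credential and only the chosen disclosures."""
    return {"credential": credential, "disclosures": [disclosures[n] for n in reveal]}


def verify(presentation: dict, now: int, max_age: int = 30 * 86400) -> Optional[dict]:
    """Verifier side: check the signature and age, then check that every revealed
    disclosure hashes to a digest the issuer signed.  Returns the revealed
    claims, or None if anything fails."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    payload = json.loads(cred["payload"])
    if now - payload["iat"] > max_age:
        return None
    signed = set(payload["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if digest(disclosure) not in signed:
            return None  # not covered by the issuer's signature: forged or tampered
        _salt, name, value = json.loads(b64url_decode(disclosure))
        revealed[name] = value
    return revealed


def linkable_by_collusion(issuer_log: List[str], site_log: List[str]) -> bool:
    """The collusion risk: if the issuer kept the digests it signed and the site
    kept the digests it received, intersecting the two logs links the session
    to the issuance.  Nothing in the salted-hash scheme itself prevents that."""
    return bool(set(issuer_log) & set(site_log))


if __name__ == "__main__":
    cred, discs = issue({"name": "john smith", "dob": "1970-01-01", "over_18": True},
                        iat=1_700_000_000)
    p = present(cred, discs, ["over_18"])
    print(verify(p, now=1_700_000_000 + 60))  # {'over_18': True}
    print(linkable_by_collusion(signed_digests(cred),
                                [digest(d) for d in p["disclosures"]]))  # True
```

The verifier never sees the name or date of birth because those disclosures (and their salts) stay with the holder; it still learns the digest it received, and that digest is identical to one in the issuer's signed list, which is exactly the "compare notes" channel. The policy mitigation the comment mentions (issuer discards the digests after issuance) is what would make `linkable_by_collusion` return False in practice, and an unlinkable scheme is what removes the need to trust that.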


> Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

It's not zero knowledge for me then. Also - if there is ANY possibility to track anyone. And/or centrally mark someone "nonverified" then it makes more problems than solves.

Even if I trust my govt (no way), even if it'd be fully ZK with no way to track anyone… still govt would have a way to just block some individual "because".

And the best part… Age verification will not solve "children problem". I think it's parents problem to take care of their children, AV will be pretty easy to bypass - kid will just borrow ID for a moment and… voila! Govts (or some people) are creating problem and solution that do not exists.

I do not like way internet went, I do not like more way it's headed now.


I'll bite.

> It's not zero knowledge for me then. Also - if there is ANY possibility to track anyone. And/or centrally mark someone "nonverified" then it makes more problems than solves.

> Even if I trust my govt (no way), even if it'd be fully ZK with no way to track anyone… still govt would have a way to just block some individual "because".

Is this even actually possible? If you want any sort of identity verification you HAVE to trust someone, whether age or full ID. Literally impossible.

Zero trust systems in society don't work. If you don't care "who" then yes, zero trust is just fine... but then what's the point of "age verification"?


The whole point is that mandating websites to require age verification is more authoritarian than people are pretending it is.


I was more responding to the part about not trusting your own gov cuz how do you build a system where you don't trust a central authority when identity is required.

I don't think it's possible.


You have to trust someone to verify age.

You don't have to trust somebody not to track how the resulting credential is used. And that is what "zero knowledge" means. It means that after you finish the protocol, nobody has learned anything but what they were supposed to learn (in this case, "the person at the other end of this connection is over 18"). If it leaks anything else about the person, it's not zero knowledge. If somebody learns which of the issued credentials was used, it's not zero knowledge. If parties can collude to get information they're not supposed to get, it's not zero knowledge.

It's a technical term of art, not some politician's bullshit. And it isn't complicated to understand.


> This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you.

The "open source" apps connect to proprietary backends run by a third party that you have to blindly trust. If EUDI wallets were truly open source and free from blindly trusting any authority, then you could simply remove that requirement and issue your own tokens without the use of potentially malicious third party.


> issue your own tokens

I mean, you can. It's like with TLS certificates. The standard is there. The code is there. You can issue your own.

The question is, who will trust you?


It is not at all like TLS. With TLS you at least can get your own certificate signed by an official CA, and use that private key on whatever system you want.


It is literally TLS in a trench coat with some json sprinkled on top.

Where I think we are not in agreement is the question of "who to trust" and "for what purposes".

Are you going to trust me when I tell you that I'm over 18 if I provide you with the document signed by my cousin, Honest Ahmed?

Are you going to trust me when I show you the document signed by my government?

(this is the trick question, you don't have a choice, law says you must; there's a list of who you need to trust and for what purposes; like a certificate root store in your browser)


You forgot to mention the additional remote attestation shackles you put on that trenchcoat.

Note that I - as opposed to the post's parent - used an official trusted CA as an example.

TLS: I see your ID with some governments signature in your hand, I trust you to be you. EUDI: I see a note you wrote and I see some signed documents that you have just been to the government brain scanner, which attests you are not faking that note, and as a nice side effect the scanner scans other things in your brain, e.g. that you watch every advert diligently, send your current location regularly to your local police office and other things.

The problem is you are not creating a government issued single purpose device but you are confiscating something many user experience as a brain extension to be under the government's control as a whole.


> if I provide you with the document signed by my cousin, Honest Ahmed?

You surely mean Honest Achmed? He gets a bad rap: https://bugzilla.mozilla.org/show_bug.cgi?id=647959


> It's really not much different than what a banking app would require.

I can use my banking services through the web. Codifying the Google/Apple monopoly in law is gross.


In the context of world politics and the hunt for sovereign hosting etc it also seems incredibly weird to put all of EUs identity handling in the hands of two American companies.

For clarity, the US could over night make all European digital wallets nonfunctional by requiring app stores to remove them and have them uninstalled remotely (iirc there is such a feature but it’s very rarely used). Likely? No, still a very strange thing to put into law though.


> I can use my banking services through the web.

Not for much longer. Stealing your data on mobile device is way too lucrative for the banks to pass on. All while pretending it's done for security.


Sadly true, while scammers run rampant regardless. It’s depressing to watch everything get worse.


Many banks have gone the way of requiring 2FA on an unrooted phone, but giving you a way out by also offering you 2FA via smartcard (using a smartcard reader and a bank-issued card). I suspect a similar thing could be done here, with the smartcard providing the trusted hardware/secure element?


> Government can track all salts for your tokens, site can collect all salts, they can compare notes.

That is not zero knowledge. Given that actual zero-knowledge systems are well understood, the only reason to deploy a system that allows that would be if you planned to abuse it.


What is your definition of zero knowledge?



By this definition bbs+ signatures are ZK.


Zero knowledge in such a system requires a minimum of 3 independent parties. There are quite a few solutions out there, I think the most developed ones are online voting systems, because tracking and de duplication is essential.


The impossibly high bar they set "Perfect" at in order to make it the enemy of good, and fight against any progress being made to keep children out of adult spaces.

That being said, it's my personal opinion that I'd love to simply have my device store a token and send it to any site when requested. I'd then like those sites to give me toggles to remove all non-verified content - and therefore my internet experience could be sans-juvenile squeakers.


Great comment all around but

> jailbreaking / "prevent tampering"

> This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

This is unacceptable. So much talk about independence from the US, you simply cannot make it a hard requirement to use the duopoly to be a citizen (as if it wasn't a quasi-hard requirement already)!


Funny how they just handwave it like it's a totally normal thing, like the insane situation with banking apps. Most people don't care as they run with whatever's available without modification, but we still should fight for the right to run the code we want on devices we own.


Consider the car analogy: if you want to drive on public roads, you need to drive an attested, unmodified vehicle that complies with the relevant regulations. If you want to play around and modify the car, that's fine, but then you don't get to use it around other people. You're also not allowed to buy some random, unknown Chinese or Indian car and drive it on the road. People already accept this when framed as a safety issue. I suspect they care more about their cars than their phones, and won't care about the requirements on the phone anyway because they're not planning to modify it, and as long as WhatsApp and Instagram keep letting them exchange shopping list additions and pictures of vacation cocktails, then what's the problem?

To be clear, I'm not in favor of a participation-in-society ban for jailbreaking your phone, but there's already precedent for it.


The analogy is a bit shaky IMO, as you can certify individual, heavily modified, foreign or even self-built cars in EU member states.

For cars, the local certification authority themselves decides what is road-worthy or not, not VW et al. You can add third party parts without the manufacturers consent. This is not the case for Android or iOS attestation, you're pretty much at the mercy of the foreign manufacturer and their local laws.


May I infer from your response that your quarrel is not with a central authority having the final word in what code you're allowed to execute on your own device, but rather that it should be the government and not a corporation signing the binaries that are permitted to run?

If you're expecting a perfect analogy, you're not going to find one. Law in its application also doesn't deal in exactness, but in generalities and vibes: that's why lawyers argue, and judges decide.

I'm familiar with the process for individually certifying unique and modified vehicles in several European countries. Invariably, the process is costly and onerous, which serves as a deterrent.


Cars can and do kill 1,500,000 people every single year, equivalent to a jumbo jet full of people every couple hours, plus an equal number of crippled and injured, plus untold number of pollution deaths. That's a ridiculous comparison (if anything cars are not regulated enough). Who am I endangering when running microg on my phone??


I will continue advocating for the devil, then! These are the top bogeymen we need to thwart in order to protect...

-children and women, harmed through unregulated and unobserved communications enabling human trafficking and the spread of CSAM.

-social healthcare systems, harmed by enabling the proliferation of illegal drugs, which leads to the over-taxing of an already straining public good, reducing access to people who would need help outside of drug-caused issues.

-society at large, harmed by enabling drug-funded terrorists to trade in weapons and coordinate their destructive actions out of sight of law enforcement.

For your and others' safety, please leave your signing keys at the door.


> This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on.

You're mistaken. SD-JWT with linkable ECDSA signature is the main mechanism. An unlinkable signature scheme is being discussed on the fringes of the EUDI-project (whether it be BBS+ or Longfellow) and very bare-bones support for Longfellow has been added to the reference wallet a month ago. However the Implementing Acts have no support for such a mechanism yet, and most member states will only implement ECDSA based mechanisms (SD-JWT and ISO 18013) for the foreseeable future.

It's therefore very likely the EUDI wallet and/or age verification solutions will launch with issuer linkable ("easily trackable") signatures.

See also this thread: https://news.ycombinator.com/item?id=45363275


> This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

Most banking apps run on GrapheneOS, will this? Nearly all EU banking websites run on Firefox on Linux, will this?

Why did you not quote the App Store/Google Play Services part, which is much worse?

> There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

I'm sure this will be as diligently carried out as GDPR enforcement. [0].

[0] https://noyb.eu/en/project/dpa/dpc-ireland


> jailbreaking / "prevent tampering"

Now your EU government requires you to have an unmodified Google or Apple device to use any age restricted services. Cementing the US mobile OS duopoly and locking out any free systems and desktop etc. forever.

Any governmental service taking part in this is a violation of civil rights and even if you don't care about those, maybe you care about digital sovereignty.

This is so lightly handwaved away, almost as if attention needs to be drawn away. By the looks of this I'd say the end of general computing might be the actual goal, and all the age verification is just yet another "think of the children" pretense?


I totally agree that one of the biggest vulnerabilities in EU digital ID scheme are US corporations :).


At least that establishes that you don't care about civil rights :|


*corporations in general


> This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

Except the state is not a bank, of which there are many. The state is not optional, and trusting an American company with, of all things, the digital precondition for social existence, is suicidal.


> We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government.

If the "18+ claim" can't be linked to your identity and doesn't have any rate limits, someone can set up a token-as-a-service to sell tokens on the black market.

> Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

> Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

How does the math say no? Big tech companies already log absolutely everything. What's going to stop the government from keeping all the salts they're issuing and then mandating that site operators add the salts to their existing logs?

> Can they lie? Sure.

Well, they've lied to us over and over when it comes to surveillance, so I think at this point it's reasonable to assume they're lying unless it's technically impossible. Where's the in-person key verification that used to be in Whatsapp? How do the authorities get notified when someone makes a poorly thought out joke using Snapchat private messages before getting on a plane? Why is there a war on end-to-end encryption?

We're going to pay a fortune for these supposed zero knowledge systems and that's what it's about. Select companies are going to get paid to issue tokens and the scale is going to create a few new billionaires.

The people in charge are going to gain a ton of power when they betray everyone and disenfranchise us.


> someone can set up a token-as-a-service to sell tokens on the black market

They can! Signing requires either PIN or finger on the fingerprint, and signed "proof" is valid for like 60 seconds. This whole end-to-end attestation with play integrity is supposed to make setting up token-as-a-service things impractical.

> What's going to stop the government from keeping all the salts they're issuing and then mandating that site operators add the salts to their existing logs?

> How does the math say no

BBS+ signatures. Hashes you receive from the government and hashes you send to the site operator are different and not correlated.


> Signing requires either PIN or finger on the fingerprint, and signed "proof" is valid for like 60 seconds. This whole end-to-end attestation with play integrity is supposed to make setting up token-as-a-service things impractical.

So how would I use this on Linux then? Because I'd be rather unhappy if a bunch of websites became unusable on Linux due to government-mandated security restrictions.

My (Canadian) government's health portal already refuses to load if you use Linux (despite it being 100% web-based), meaning that I'm completely unable to book vaccinations or view procedure results without workarounds. Luckily it only checks the user agent, so it's pretty easy to override this right now, but that wouldn't be possible if cryptography/attestation were involved.


> how would I use this on Linux

Governments and businesses have already decided that it's fine to mandate that you own an unmodified smartphone made by one of the major manufacturers, so it's not much of a stretch to assume that they will also eventually require you to run an attested OS image made by one of the two major manufacturers. The fact that some run Linux internally isn't going to help your case: governments do a lot of things internally that you're not allowed to do. I used to watch cops in Amsterdam park on the sidewalk to go get a kebab, for example.


> This whole end-to-end attestation with play integrity is supposed to make setting up token-as-a-service things impractical.

Indeed according to some (i.e. the Commission) it's supposed to, but they should know better. And many member state wallet developers do know better.

Play Integrity can easily be bypassed unless you want to exclude a very large amount of users – especially disadvantaged people using older phones – because there are many vulnerable phones in use by those users, and you only need one to build such an age attribute faucet.

See also this comment: https://news.ycombinator.com/item?id=45363853


> We are literally sending a request to our government's server to sign

You've already lost. You're at the government's mercy. They can simply refuse to sign.

"Mr. John Smith, we noticed you've published some poorly-worded comments online. Why are you locked out of your account, you say? Oh, that's just an unfortunate technical issue with our signing system, happens all the time. Anyway, this is a friendly reminder for you to improve your online etiquette. Have a nice day."


There's really two cases here.

You live in a democracy?

YES) the violation you describe is verifiable to a journalist. You publish story, and you keep the government accountable.

NO) Why are you even discussing if age verification is a good idea or not, you freak. It's not really up to you anyway. Go fix your country first.


You mean the journalists that are pro age-verification and pro banning everything that's slightly critical and constantly demonize everyone going against them?


Plenty of democracies in Europe and elsewhere regularly and repeatedly fail to actually represent the desires and interests of the citizenry, but they keep getting reelected anyway. Why should this time be any different?


I'm sure they do fail, but at least they have the theoretical ability for citizens to more directly challenge crimes committed by the government itself. Unlike the U.S., which removed it by statutes, in most other common law countries, and all civil law countries, citizens retain the ability to force criminal prosecution (either by private prosecution or by appeal to a magistrate with proof a crime has been committed).


I have no idea what this has to do with the EU implementing age verification because politicians want it, and the powerlessness of EU citizens to arrest or impede the government's machinations. Feels Gish Gallopy.

What I can say that's at least tangentially relevant to the topic at hand is that I've lived for a couple of decades in both the USA and the EU, being a citizen of both, and have found Americans generally much more politically informed and involved. I find Europeans, particularly Irish, very well informed about U.S. politics that they are powerless to influence, and next to oblivious of anything going on at home. Given that Ireland has the EU Presidency right now and is choosing to use its bully pulpit to advocate for British-style draconian Internet regulation, that's doubly a shame.


Do you trust today's democracy to be a democracy tomorrow?

Never. Cede. Ground. You'll never get it back, and one day the rights will be gone.


Age verification in Australia had like 70% popularity.

That is an astounding consensus in a system which regularly decides elections by 51%.

You're not getting mandated from up high: it is democratically enormously popular to do this.


Australia has two major parties that agree on absolutely everything, and a virtually non-existent civil society. No true free debate can take place in such circumstances. The Australian government loves falsely claiming a popular imprimatur for policies that have never been properly debated or put before the people.

The only reason we have any rights left is because the Australian government is - thankfully - comically incompetent.

"Australia is a lucky country" is a quote every Australian knows. Few know the full quote: "Australia is a lucky country, run mainly by second rate people who share its luck. It lives on other people's ideas, and, although its ordinary people are adaptable, most of its leaders (in all fields) so lack curiosity about the events that surround them that they are often taken by surprise." - Donald Horne.

I encourage all my teenage countrymen to use as many social media apps as they desire. Mullvad is a decent VPN and you can pay for it anonymously. Freedom of speech and freedom of association are your human rights. No government gets to take them away from you.


That's a fallacy. You don't have any evidence to support the claim that this system of age verification is popular and more importantly, whether it would remain popular if people had a full understanding of how it worked and how it can be abused.

It might be popular to have age verification conceptually and only as long as it's only used "as advertised", which is not the same thing.

This is one of the biggest issues of democracy. As long as your propaganda machine is strong enough (and anti-privacy propaganda is one of the strongest) you can pass just about anything and pretend that society put on the shackles of surveillance and coercive control voluntarily.

People just submitted it. I don't know why. They "trust me". Dumb fucks.


No you're switching intent around here: age verification for social media is very popular.

Whether any given implementation is popular is a different question.

But people aren't attacking implementations: they're attacking the concept as though people don't want it.

But in surveys they do: by a huge margin, politically.

It's like how a generic candidate tends to reliably poll higher than a specific person.

"Why does this keep coming up" has the trivial answer of "because people overwhelmingly keep asking for it".

You can complain about the people being deceived if you want, but they still vote regardless.


Or you live in a democracy so you throw a fit until your government backs down. No amount of journalists is going to change the US or the UK at this point.


Didn't work for EU or US surveillance.


"let's allow any user process to modify my binaries" is not something to be proud of...


Could you please expand bit more about those processes that systemd spawns without units?

Cgroups in the Linux kernel and the systemd-cgls tool should let you trace every process to a source.


ibus and goa both run under dbus.service.

I ran into this problem because ibus runs later than setxkbmap and undoes the keyboard settings.


OK so those processes are launched not by systemd, but by dbus itself.

There's probably a /usr/share/dbus-1/services/org.freedesktop.IBus.service file in your system and if dbus sees something that tries to talk to IBus, and IBus is not running yet, dbus will launch it for you as directed in that file. In its own namespace unless directed otherwise.

There's an optional integration between dbus and systemd, look for SystemdService in man dbus-daemon. IBus does not set it. Perhaps it should. I don't know.

> I ran into this problem because ibus runs later than setxkbmap and undoes the keyboard settings.

that must've been a pain to debug :). I can see on my system that there's a systemd user service that I could launch with `systemctl --user start org.freedesktop.IBus.session.generic.service`, maybe that would work better than on-demand via dbus in your case.
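As an added illustration of the activation-file mechanism described in this comment (example script, not code from the thread or from dbus/IBus), the snippet below parses `[D-BUS Service]` files and reports whether dbus-daemon will fork `Exec` itself (the process then shows up under dbus.service in systemd-cgls, with no unit of its own) or hand the start to a systemd unit via the optional `SystemdService` key. The two service files are constructed samples; `org.example.Attested` and `example-daemon.service` are hypothetical names.

```shell
# Added example: classify D-Bus session activation files by how the
# activated process will be started (dbus fork vs. systemd unit).

# Constructed sample: a service file without systemd integration.
SAMPLE_NO_SYSTEMD='[D-BUS Service]
Name=org.freedesktop.IBus
Exec=/usr/bin/ibus-daemon --panel disable --xim
'

# Constructed sample with the optional SystemdService key (hypothetical names).
SAMPLE_WITH_SYSTEMD='[D-BUS Service]
Name=org.example.Attested
Exec=/usr/bin/example-daemon
SystemdService=example-daemon.service
'

# Print the value of one key from the [D-BUS Service] section read on stdin.
dbus_service_field() {
    # $1 = key name; keys in these files are case-sensitive.
    awk -F= -v key="$1" '
        /^\[/ { in_section = ($0 == "[D-BUS Service]"); next }
        in_section && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    '
}

# "systemd:<unit>" when SystemdService is set (dbus-daemon asks systemd to
# start that unit, so the process lands in its own cgroup), otherwise
# "dbus-direct:<exec line>" (dbus-daemon forks Exec itself).
dbus_activation_mode() {
    unit=$(printf '%s' "$1" | dbus_service_field SystemdService)
    if [ -n "$unit" ]; then
        printf 'systemd:%s\n' "$unit"
    else
        printf 'dbus-direct:%s\n' "$(printf '%s' "$1" | dbus_service_field Exec)"
    fi
}

# Apply the same check to every installed session service file, if any.
scan_installed() {
    for f in /usr/share/dbus-1/services/*.service; do
        [ -f "$f" ] || continue
        printf '%s -> %s\n' "$(basename "$f")" "$(dbus_activation_mode "$(cat "$f")")"
    done
}

dbus_activation_mode "$SAMPLE_NO_SYSTEMD"
dbus_activation_mode "$SAMPLE_WITH_SYSTEMD"
```

Run `scan_installed` on a real system to see which bus-activated services would appear only under dbus.service in `systemd-cgls`.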


this is exactly how gemini synthid works and how you are supposed to use it

https://support.google.com/gemini/answer/16722517


Wow. Can you tell a Korean person from Chinese person? Polish name from a Czech one?

Different cultures, different languages, it's obvious to the locals.



Thankfully, people living on the east are completely immune to ethnic stereotypization and propaganda, like you clearly demonstrate. They even get to have their own opinions. Oh the wonders of geography and lineage.


LOL. Have you ever read what Ukrainians said in the last 35 years? Not some pretty recital from CNN, ABC, BBC, DW, but actual words said and written by actual Ukrainians?

Or, for that matter, have you ever read Reddit? I'm 100% sure that if I open any subreddit like /r/politics, in the first 10 posts there will be something like "burn all Russians", "we must nuke Russia", "Russian are subhumans and they must be eliminated from Earth". Such phrases are so pervading there that I stopped visiting reddit even for reading technical subreddits. BTW, Reddit moderators never ban users for calling to kill Russians (also, in 2022 Meta openly said it is ok to say such things openly, just to note that nazism is welcome in the West, or to be precise, it never went away and it wasn't an invention of Hitler).


Yes, people say a lot of dumb and reductive shit everywhere, I've been around. What I'm saying is that while it's entirely reasonable to get upset about it and react accordingly, you also have the option of exercising self-awareness and agency, and not swing the pendulum the other way.

Case in point, maybe the most rational action to take after reading something that strikes you as stereotypization is probably not whipping out a stereotype about "westerners" or whatever of your own. Where the dividing line between west and east moves around about as much as the dividing line between balkan and not balkan, of course.


It's PHP. Handling numbers in PHP is complicated enough that a reasonable person would not trust it by default.

https://www.php.net/manual/en/language.types.numeric-strings...


I know that PHP will treat a string as if it were a number if you try to use it in a context where number is expected; JS does the same thing. But why would that affect JSON deserialization in a way that makes numbers and strings indistinguishable in principle (causing the loss of precision as described here)?

