stuck with the GPL forever

If you accept a patch and don’t have the ability to relicense it, you can remove it and re-license the new codebase. You can even re-implement changes made by the patch in many cases, whether those changes are bug fixes or new features.

If you re-implement the change, you do need to ensure this is done in a way that doesn’t cause it to become a derivative work, but it’s much easier if you have copyright to 99% of a work already and only need to re-implement 1% or so. If you’ve received substantial community contributions and the community is opposed to relicensing, it will be much harder to do so.

A clean room implementation - where the person rewriting the code doesn’t look at the original code, and is only given a description of the functionality - which can include a detailed description of the algorithm - is the most defensible way to perform such a rewrite and relicense, but it’s not the only option.

You should generally consult an attorney when relicensing and shouldn’t just do it casually. But a single patch certainly doesn’t mean you’re locked in forever.

Where did I contest your point?

The president won [the] popular vote

Only if you ignore the huge amounts of voter suppression. If you don’t, then he lost the popular vote and the electoral vote - netting 45.8% of the popular vote to Kamala’s 52.7%, and he earned at most (and probably less than) 252 electoral votes to Kamala’s 286.

If you’re in the US, automatic is fine. Manuals make up like 1 percent of new cars and maybe 4% of used cars here. It doesn’t hurt to know how to drive one, but it doesn’t benefit you much, either. I drove a manual once, but it was a rental in another country. I’ve never been faced with needing to - or even having the opportunity to - drive a manual in the US.

However, learning on a manual does make it easier to understand certain ways of how cars work, even on automatics (less so on CVTs), so if you like understanding things more, I recommend manual even in the US. You can still get that understanding driving automatics, though - just a bit more effort.

Outside the US, most places I know of manual is the default. If manuals make up even 30 percent or so of cars where you live, I strongly suggest learning to drive one.

I can’t guess where your interests lie

OP does say they have a boyfriend

Even with an HOA, you can still end up needing to pay tens of thousands for surprise repairs in the forms of special assessments, especially if the HOA is poorly managed.

Why specifically do you want to be a trans man online?

• Is it because you’re fetishizing the idea of being a trans man?
• Because you’re actually trans (aka an egg) and you just haven’t come to terms with it irl?
• Both?

I attended a 1-on-1 meeting that a billionaire scheduled with me but that they themselves did not attend.

If your recommend protein intake is 70 grams per day (meaning you weigh about 195 pounds / 87 kg) and you’re only getting 20 grams per day, then you are likely already experiencing health issues.

From https://www.verywellhealth.com/protein-deficiency-symptoms-8756264 you could expect to experience:

• Weakness and fatigue, meaning you’ll feel exhausted - mentally, physically, or both
• Skin, Hair, and Nail Problems
• Mood changes, including the development of mood disorders, such as depression
• Compromised immune system
• Slowed wound healing
• Decline in bone strength
• Fatty liver
• Weight loss due to your muscles and organs being broken down - but my understanding is this is mostly relevant if your overall caloric intake is quite low (starvation levels)
• Weight gain due to fluid retention or increased hunger

Not all of those are immediately noticeable.

However, I’m with the other commenter who said that they think it’s likely that you’re under-estimating your daily protein intake. What method did you use for tracking and calculating it?

At that point, you could say “male characters.”

You can self-host Bitwarden, too. My understanding is that VaultWarden is much simpler to self-host, though. Note that VaultWarden isn’t a “fork”; it’s a compatible rewrite in Rust (Bitwarden’s codebase, by contrast, is primarily C#).

I also use Bitwarden and strongly prefer it over every other password manager I’ve tried or investigated, for what that’s worth. I’d recommend it to 99% of non-enterprise users (it’s probably great for enterprise use as well, TBF).

The only use case I wouldn’t recommend it for is when you don’t want your passwords stored in the cloud, in which case KeePass is the way to go. To be clear, that recommendation does not apply if you’re syncing your vault with a cloud storage provider - even one you’re hosting, like SyncThing - even if your vault is encrypted. At that point just use Bitwarden or VaultWarden, because they’re at least audited with your use case in mind (Vaultwarden has only been audited once afaik, though).

Sure, but mortgage interest can easily be enough to make that worth it without any other deductions. With $300K principal and a 5% loan, that’s $15K - about the same as a single taxpayer’s standard deduction and roughly half of a married couple’s standard deduction.

I don’t think gravitational waves traveling at the speed of light is the same as the gravitational attraction being apparently felt faster than light travels.

I don’t know how you would measure gravitational waves without measuring gravitational attraction.

It’s not light that is “communicating” that attraction.

Nobody said it was. The “speed of light” isn’t about “light”. Gravity propagates at the same speed, aka “c.”

This Reddit discussion on r/AskPhysics might help clear up your misconceptions. Notably:

Just to clarify: when people talk about the speed of gravity, they mean the speed at which changes propagate. It’s the answer to questions like: if I take the Sun and wiggle it around, how long does it take for the Earth to feel the varitation in the force of gravity? And the answer is that changes in gravity travel at the speed of light.

But that’s not what you’re asking about. Whenever you’re close to the Earth, gravity is always acting on you: it’s not waiting until you step off a cliff, like in the Coyote and the Roadrunner. The very instant your foot is no longer on the ground, gravity will start to move it downwards. The only detail is that it takes some time for it to build up an appreciable speed, and this is what allows us to do stuff like jump over pits: if you’re fast enough, gravity won’t be able to accelerate you enough - but gravity is still there.

I get the sense that you’re thinking about the second scenario when objecting to the concept that gravity travels at the speed of light.

https://bigthink.com/hard-science/speed-of-gravity/

I’m familiar with SSL in the context of webdev, where SSL (well, TLS) is standard, but there the standard only uses server certificates. Even as a best practice, consumer use cases for client certificates, where each client has a unique certificate, are extremely rare. In an app, I would assume that’s equally true, but that shared client certificates - where every install from Google Play uses the same certificate, possibly rotated from version to version, and likewise with other platforms, like the App Store, the apk you can download from their site, F-Droid, if they were on it, and releases of other apps that use the same servers, like Molly. Other platforms might share the same key or have different keys, but in either case, they’re shared among millions of users.

I’m not sure Signal does have a client certificate, but I believe they do have a shared API access key that isn’t part of the source code, and which they (at least previously) prohibited the use of by FOSS forks (and refused to grant them their own key)

That said, I reviewed that code, and while I’m not a big fan of Java and I’m not familiar with the Android APIs, I’m familiar with TLS connections in webdev, the terms are pretty similar cross-language, and I did work in Java for about five years, but I didn’t see anything when reviewing that file that makes me think client certificates are being generated or used. Can you elaborate on what I’m missing?

you’re the only one with your SSL keys. As part of authentication, you are identified. All the information about your device is transmitted. Then you stop identifying yourself in future messages, but your SSL keys tie your messages together. They are discarded once the message is decrypted by the server, so your messages should in theory be anonymised in the case of a leak to a third party. That seems to be what sealed sender is designed for, but it isn’t what I’m concerned about.

Why do you think that Signal uses SSL client keys or that it transmits unique information about your device? Do you have a source for that or is it just an assumption?

The sender ('s unique device) can with 100% accuracy be appended to the message by the server after it’s received.

How?

If I share an IP with 100 million other Signal users and I send a sealed sender message, how does Signal distinguish between me and the other 100 million users? My sender certificate is encrypted and only able to be decrypted by the recipient.

If I’m the only user with my IP address, then sure, Signal could identify me. I can use a VPN or similar technology if I’m concerned about this, of course. Signal doesn’t consider obscuring IPs to be in scope for their mission - there was a recent Cloudflare vulnerability that impacted Signal where they mentioned this. From https://www.404media.co/cloudflare-issue-can-leak-chat-app-users-broad-location/

404 Media asked daniel to demonstrate the issue by learning the location of multiple Signal users with their consent. In one case, daniel sent a user an image. Soon after, daniel sent a link to a Google Maps page showing the city the user was likely in.

…

404 Media first asked Signal for comment in early December. The organization did not provide a statement in time for publication, but daniel shared their response to his bug report.

“What you’re describing (observing cache hits and misses) is a generic property of how Content Distribution Networks function. Signal’s use of CDNs is neither unique nor alarming, and also doesn’t impact Signal’s end-to-end encryption. CDNs are utilized by every popular application and website on the internet, and they are essential for high-performance and reliability while serving a global audience,” Signal’s security team wrote.

“There is already a large body of existing work that explores this topic in detail, but if someone needs to completely obscure their network location (especially at a level as coarse and imprecise as the example that appears in your video) a VPN is absolutely necessary. That functionality falls outside of Signal’s scope. Signal protects the privacy of your messages and calls, but it has never attempted to fully replicate the set of network-layer anonymity features that projects like Wireguard, Tor, and other open-source VPN software can provide,” it added.

I saw a post about this recently on Lemmy (and Reddit), so there’s probably more discussion there.

since the sender is identified at the start of every conversation.

What do you mean when you say “conversation” here? Do you mean when you first access a user’s profile key, which is required to send a sealed sender message to them if they haven’t enabled “Allow From Anyone” in their settings? If so, then yes, the sender’s identity when requesting the contact would necessarily be exposed. If the recipient has that option enabled, that’s not necessarily true, but I don’t know for sure.

Even if we trust Signal, with Sealed Sender, without any sort of random delay in message delivery, a nation-state level adversary could observe inbound and outbound network activity and derive high confidence information about who’s contacting whom.

All of that said, my understanding is that contact discovery is a bigger vulnerability than Sealed Sender if we don’t trust Signal’s servers. Here’s the blog post from 2017 where Moxie describe their approach. (See also this blog post where they talk about improvements to “Oblivious RAM,” though it doesn’t have more information on SGX.) He basically said “This solution isn’t great if you don’t trust that the servers are running verified code.”

This method of contact discovery isn’t ideal because of these shortcomings, but at the very least the Signal service’s design does not depend on knowledge of a user’s social graph in order to function. This has meant that if you trust the Signal service to be running the published server source code, then the Signal service has no durable knowledge of a user’s social graph if it is hacked or subpoenaed.

He then continued on to describe their use of SGX and remote attestation over a network, which was touched on in the Sealed Sender post. Specifically:

Modern Intel chips support a feature called Software Guard Extensions (SGX). SGX allows applications to provision a “secure enclave” that is isolated from the host operating system and kernel, similar to technologies like ARM’s TrustZone. SGX enclaves also support a feature called remote attestation. Remote attestation provides a cryptographic guarantee of the code that is running in a remote enclave over a network.

Later in that blog post, Moxie says “The enclave code builds reproducibly, so anyone can verify that the published source code corresponds to the MRENCLAVE value of the remote enclave.” But how do we actually perform this remote attestation? And is it as secure and reliable as Signal attests?

In the docs for the “auditee” application, the Examples page provides some additional information and describes how to use their tool to verify the MRENCLAVE value. Note that they also say that the tool is a work in progress and shouldn’t be trusted. The Intel SGX documentation likely has information as well, but most of the links that I found were dead, so I didn’t investigate further.

A blog post titled Enhancing trust for SGX enclaves raised some concerns with SGX’s current implementation, specifically mentioning Signal’s usage, and suggested (and implemented) some improvements.

I haven’t personally verified the MRENCLAVE values for any of Signal’s services and I’m not aware of anyone who has (successfully, at least), but I also haven’t seen any security experts stating that the technology is unsound or doesn’t actually do what’s claimed.

Finally, I recommend you check out https://community.signalusers.org/t/overview-of-third-party-security-audits/13243 - some of the issues noted there involve the social graph and at least one involves Sealed Sender specifically (though the link is dead; I didn’t check to see if the Internet Archive has a backup).

Message history won’t be fully fixed. It can’t be without storing message backups in some cloud somewhere (whether it’s to iCloud, Google Drive, Dropbox, or Signal’s servers) and Signal omits its message history from system backups on iOS and Android.

iOS users are completely incapable of backing up their message history in the event of their phone being lost, stolen, or broken. This omission isn’t justified in any way, as far as I’m aware; I don’t know of any technical reason why following the exact same process as on Android wouldn’t work.

Android users are able to back up locally via Signal, but that isn’t on by default, can’t be automated, needs to be backed up separately, requires you to record a 30 digit code to decrypt it, and has limitations on when it can be used for a restore (can’t restore on iOS, for example). See https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-Messages for more details.

Message history on linked devices - meaning iPads and desktop computers - is being improved, but it still won’t mean that a user who loses or trades in their phone as they get a new phone will be able to simply restore their phone from a system backup and restore their Signal message history. And even that isn’t anywhere near as easy as on Telegram, where a user can just log in with their password and restore their message history, no backup needed.

It’s great that they’re improving the experience for linked devices, but right now that doesn’t actually help if you lose, break, or trade in your phone. Maybe they’ll later allow users to restore to a phone from a linked device or support backups on iPhones, but right now the situation with message history isn’t just an unfriendly UX, but one that is explicitly and intentionally unreliable for a huge portion of Signal’s user-base.

The concern is valid, and it has caused a lot of distrust in many companies due to the Snowden leaks, but that distrust is founded in the leaks.

Snowden explicitly endorsed Signal, too - and as far as I know he’s never walked that endorsement back.

https://signal.org/blog/sealed-sender/ explains the feature.

https://github.com/signalapp/Signal-Android/issues/13842 has some links into the code base showing where sealed sender is implemented.