I don’t doubt it, but this is a good place to start.
This claim has interesting phrasing:
Adding X11 sandboxing via a nested X11 server, such as Xpra, would not be difficult, but Flatpak developers refuse to acknowledge this and continue to claim, “X11 is impossible to secure”.
If you look at the GNOME post, you’ll see they haven’t argued against including a nested X server at all:
Now that the basics are working it’s time to start looking at how to create a real sandbox. This is going to require a lot of changes to the Linux stack. For instance, we have to use Wayland instead of X11, because X11 is impossible to secure.
I’m not saying they haven’t refused to acknowledge this elsewhere, but it’s strange to point to this blog post which acknowledges that the sandbox is very much a work-in-progress and agrees with Madaidan that X11 is hard to secure.
Does Xpra provide better sandboxing than XWayland? If not, I think the Flatpak developers’ solution to this is: just use Wayland. And obviously, there’s plenty of room to improve with the permissions Flatpak does offer.
I did some searching on the Flatpak GitHub for issues and found that you can actually use Xpra with Flatpak, and the answer is “just use Wayland”:
As odd as this may sound, you should not enable (blind) unattended updates of Flatpak packages. If you or a Flatpak frontend (app store) simply executes flatpak update -y, Flatpaks will be automatically granted any new permissions declared upstream without notifying you. Using automatic update with GNOME Software is fine, as it does not automatically update Flatpaks with permission changes and notifies the user instead.
It’s great that GNOME Software notifies you when permissions change! I don’t use Flatpak enough to know, but I hope flatpak update notifies you too if you don’t use the -y option.
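The permission-change check described above can be sketched as follows. This is an added example, not code from the quoted article or from Flatpak: it compares an installed app's metadata with the metadata of a pending update and lists newly declared grants. It assumes both metadata texts were already obtained (for example with `flatpak info --show-metadata` and `flatpak remote-info --show-metadata`); the sample metadata and the function names are constructed for illustration.

```python
import configparser

# Constructed sample metadata in Flatpak's keyfile format (not from a real app).
INSTALLED = """\
[Context]
shared=ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-documents;
[Session Bus Policy]
org.freedesktop.Notifications=talk
"""
UPDATE = """\
[Context]
shared=ipc;network;
sockets=wayland;fallback-x11;
filesystems=xdg-documents;home;
devices=all;
[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.Flatpak=talk
"""

PERMISSION_SECTIONS = ("Context", "Session Bus Policy", "System Bus Policy")

def parse_permissions(text):
    """Return {(section, key): set(values)} for the permission sections."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # D-Bus names are case-sensitive
    cp.read_string(text)
    perms = {}
    for section in PERMISSION_SECTIONS:
        if cp.has_section(section):
            for key, value in cp.items(section):
                perms[(section, key)] = {v for v in value.split(";") if v}
    return perms

def added_permissions(installed_text, update_text):
    """List 'section/key=value' grants in the update that are not installed."""
    old, new = parse_permissions(installed_text), parse_permissions(update_text)
    added = []
    for (section, key), values in new.items():
        for value in values - old.get((section, key), set()):
            added.append(f"{section}/{key}={value}")
    return sorted(added)

if __name__ == "__main__":
    for grant in added_permissions(INSTALLED, UPDATE):
        print("new permission:", grant)
```

An unattended update job can skip any app for which `added_permissions` returns a non-empty list and leave it for manual review.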
Aussies tend to be quite direct. It’s basically our natural state. I get how it can be perceived as hostile, but I don’t actually think Brodie is very abrasive. He seems like a pretty relaxed guy.
I use both GNOME and KDE. I do have a system tray, but it’s for a single program: fcitx-mozc. If I didn’t need to build ibus-mozc from source, I would just use that. iBus IMEs get their own spot in the top right without needing appindicators. That being said, I don’t need the system tray either as I can just switch between Japanese and English with CTRL+SPACE. But it’s nice to have some kind of constant indication of what IME I’m using.
On the subject of a dock, though, I love the way GNOME completely separates it from the workspace. It just takes up space and I don’t have any utility for it. Windows and macOS only allow you to hide the dock; not remove it completely. I’ve accidentally opened the dock by moving my cursor to the corner of the screen way too many times and it is sooo annoying. This never happens on GNOME because it’s just not possible.
Also I tend to think it’s been designed for people who are more comfortable using a keyboard. I’m mostly a mouse person.
That’s absolutely true, but you can navigate GNOME completely with a mouse. If you’re on a laptop, you can use the trackpad to flick between workspaces with three fingers. Every aspect of the GNOME desktop is navigable with the mouse, including the Activity Overview. GNOME’s workflow changed the way I use computers.
One thing I miss from KDE is GNOME’s tiling. KDE’s is far more inconsistent. But there are a lot of things I like more about KDE too. I use it in basically the same way as GNOME.
That being said…it’s kind of odd to me how swift Mozilla of all companies/orgs is to embrace a code forge hosted by Microsoft for their main software. Surreal, even.
Every Dell laptop I’ve ever owned has had a key repeat issue. Mind you, this was an issue on Windows too. Otherwise, I bought a Dell Latitude last year and it has worked great.
I don’t work with music at all, so most of this update doesn’t mean much to me. However, it’s nice to see the export window was improved—I want my single-click behavior, damn it.
The telemetry is limited to update-checking and error reports. Distributions will disable update-checking because they already handle updating Audacity. Error reports need to be manually submitted. It’s possible that most distributions just disable networking altogether when building Audacity, if it even exists in their repositories at all. Fedora’s package is waaay out of date. Arch disables networking altogether.
Audacity has still instituted a CLA. This is quite worrying. But nothing has happened yet.
I should have specified that the Audacity CLA allowed Muse Group to relicense Audacity from GPLv2 to GPLv3. Yes, I agree with you that not all CLAs are bad. While you keep the copyright to all your contributions, because the copyright is assigned to them (? I’m not actually sure about this), they can relicense it. The CLA agreement.
You grant MUSECY SM LTD, an affiliate of MuseScore and Ultimate Guitar, (“Company”) the ability to use the Contributions in any way. You hereby grant to Company, a perpetual, non-exclusive, worldwide, fully paid-up, royalty free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute your Contribution and such derivative works.
There was quite a lot of confusion and outrage about this at the time, so I can’t recall whether Muse Group specifically said they wanted to include Audacity in Apple’s app store or this was given as an example of why the CLA could be beneficial. My rebuttal was this is not a particularly noble cause. There was also the argument that the FSF requires you to sign a CLA for its own projects so it can reserve the right to relicense it if it benefits the project. My rebuttal to this was…well, it’s the FSF. The day the FSF relicenses their software under a non-free license is the day they die.
Google et al. run crawlers primarily to populate their search engines. This is a net positive for those whose sites get scraped, because when they appear in a search engine they get more traffic, more page views, more ad revenue.
This is not necessarily true. Google’s instant answers are designed to use the content from websites to answer searchers’ questions without actually leading them to the website. Whether you’re trying to find the definition for the word, the year a movie came out, or a recipe, Google will take the information they’ve scraped from a website and present it on their page with a link to the website. Their hope is that the information will be useful enough that the searcher never needs to leave the search engine.
This might be useful for searchers, but it doesn’t help the sites much. This is one of the reasons news companies attempted to take action against Google a few years ago. I think a search engine should provide some useful utilities, but not try to replace the sites they’re ostensibly attempting to connect users to. Not all search engines are like this, but Google is.