First there is a fork of Organic Maps, which is called CoMaps. If I understood it correctly, the development on Organic Maps nearly halted for some reason regarding the company that owns it. CoMaps now wants to pick it up again.

Also for navigation I use Magic Earth. It uses OSM data but is not FOSS itself, which is unfortunate. But it offers traffic data which is crucial for good arrival time estimation or avoiding traffic jams.

I need to look it up again, but I read about a study that showed that the results improve if you tell the AI that your job depends on it or similar drastic things. It’s kinda weird.

I’d hope so too, but as there are so few platforms offering proper support for hardware keys, I wouldn’t hold my breath for it.

What you call “much smaller mini edition” is still more extensive and thorough than 99% of posts on this platform :D and I really enjoy and appreciate it!

Thank you again for this high quality post! It’s always a pleasure to read.

I’m happy that GOG finally added proper F2A, though I’m a little sad that they didn’t implement FIDO U2F. It’s not only way more convenient to just use a hardware token as a second factor, but if my knowledge is correct, it’s also more secure.

Du könntest dir mal Processing ansehen. Das ist eine grafische Bibliothek, die in einer IDE gebundled ist. Man programmiert das ganze in einer Java-ähnlichen Sprache. Ich habs selbst noch nie benutzt, aber hatte in der Vergangenheit schon mal Videos vom YouTuber CodeBullet gesehen und er benutzt das um seine Mini-Games zu erstellen. Das sah eigentlich recht gut und intuitiv zu benutzen aus.

And if you need it in a browser, there is Collabora, which exists as a paid business version with support or a free non-support version, that can easily be deployed with Nextcloud. Another alternative would be CryptPad.

If you also need your mails in your browser, there are multiple providers like mailbox.org that offer mail encryption even through the online mail interface.

Je nachdem wie risikofreudig du bist, kannst du das direkt in einem Rutsch erledigen.

I grew up with trackballs because my dad preferred them to the old mice with a ball underneath. So for office work I still use one too. But it’s still just a pointing device so I’d say it would be similar to learn using a split keyboard or a dvorak layout or something. You’d still press one key after antother.

The CharaChorder is so different in the way your “typing” multiple keys at once. I feel like it has such a steep learning curve because you have to not only learn another button layout but the whole way your thinking about typing and writing in general. I’m afraid I’d just get frustrated and never use it, even though I thinks it’s extremely cool.

Law ready for this?

Oh ja das stimmt! Tress of the Emerald Sea zähle ich zu meinen absoluten Lieblingsbüchern.

Ich lese—oder viel mehr höre—aktuell “Yumi and the Nightmare Painter” von Brandon Sanderson. Außerdem habe ich seit sehr langer Zeit mal wieder die erste Staffel von VGHS gesehen.

Der schwarze Schimmel in meiner Dusche ist da anderer Meinung!

Do you mean the CharaChorder? I thought about getting one in the past bit it looks like a super steep learn curve and I’m not sure if I’m willing to subject myself to it.

I never tried to win any argument. Hell I was not even aware that I’m participating in one. I just wanted to share the info, that even if the vendor is absolutely trustworthy and even if you validated the script by downloading and looking at it, there’s still another hole that’s not obvious to see.

Yes it’s unlikely, but again, I never said it were. There are also arguments you can run curl with, to tell it to do the download first and then push it through the pipe afterwards, though I don’t know them by heart now.

It won’t cost you anything to set those parameters, when you insist to use curl | bash, just in the off chance that someone’s trying to do what I mentioned.

But I’m also someone who usually validates their downloads with a checksum so maybe I’m just weird. Who knows.

Oh, you’re welcome, kind person :)

It is actually a passive detection based of the timing of the chunk requests. Because curl by default will only request new chunks when the buffer is freed by the shell executing the given commands. This then can be used to detect that someone is not merely downloading but simultaneously executing it. Here’s a writeup about it:

https://web.archive.org/web/20250209133823/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

You can also find some proof-of-concept implementations online to try it out yourself.

You shouldn’t install software from someone you don’t trust anyway because even if the installation process is save, the software itself can do whatever it has permission to.

“So if you trust their software, why not their install script?” you might ask. Well, it is detectable on server side, if you download the script or pipe it into a shell. So even if the vendor it trustworthy, there could be a malicious middle man, that gives you the original and harmless script, when you download it, and serves you a malicious one when you pipe it into your shell.

And I think this is not obvious and very scary.