This is how all language package managers work, unfortunately

npm does actually support signing and provenance (tracking how the package was built), so in some ways it can be more secure than other package managers. https://docs.npmjs.com/generating-provenance-statements

If you use one of the CI/CD systems they support (currently Github Actions and Gitlab CI), it can attach a signed attestation to the package stating the commit hash that was used to build the package, along with the steps taken to build it. This is combined with trusted packaging using OpenID Connect with short-lived tokens that are only obtainable in the correct CI environment, rather than using access tokens or username and password.

It only supports some CI systems because they have to guarantee that the connection between the CI system and npm is secure.

Some of the recent issues have been attacks on the CI system, rather than npm itself. For example, a Github Action that’s only supposed to run for commits to the main branch, but unintentionally runs for some subset of pull requests too.

Of course, all this stuff is optional, and pushing to npm directly from a developer’s computer still works and is still not verifiable at all.

I think the best approach is what Flathub/Flatpak, F-Droid (Android) and Composer/Packagist (PHP) do. You provide your repository URL, and they build the code on their end. Packages are always guaranteed to be built from code in the repo.

Debian Linux is also moving towards requiring repeatable builds, meaning that a package built from source should be byte-for-byte identical to the package in the repo.

Password protect it and just let friends use it? Or have it just for yourself :D

I just posted a comment about this :D

https://romm.app/

https://romm.app/ - Self hosted game ROM manager that lets you play retro games directly in the browser (using RetroArch cores compiled to WebAssembly).

https://retroassembly.com/ is a similar project.

There’s also https://gamevau.lt/ which is like a self-hosted version of Steam, for DRM-free games (like from GOG).

Game servers? https://linuxgsm.com/. Have an Unreal Tournament 99… tournament with friends.

Companies sometimes sell their own first-party data, but not nearly as often as people think. If a company has data that other companies don’t have, a lot of the time they’ll want to keep it for themselves, since it can give them a competitive advantage over other platforms.

If Amazon knows what movies and TV shows you like, they’re going to use that data to improve ad performance on their own platforms - suggested content on Prime Video, product ads on Amazon, etc. They’re not going to give it to some other company to use.

The one major exception to that are data brokers. These are companies that only exist to sell data. These are less well known companies. They often use public data and combine it with things like supermarket loyalty data and purchase history.

For a beginner, I’d probably stick to Github initially, just because there’s so many guides and tutorials on how to use it, and their free plan is still pretty generous.

A lot of the knowledge is transferable though. If you do want to try something else, Codeberg is pretty good for open-source.

To just learn about Git, you don’t even need a host like Github or Codeberg. You can have a Git repo just on your computer, and still get a bunch of the benefits of source control - a full history of everything, separate branches and worktrees so you can have multiple incomplete changes and switch between them, etc.

Or Forgejo, which is a fork of Gitea and is what Codeberg uses. They explain their advantages over Gitea here: https://forgejo.org/compare-to-gitea/

The tl;dr is that Forgejo is maintained by a non-profit whereas Gitea is maintained by a for-profit company, and Forgejo is completely open-source whereas Gitea is open-core with some features only available in their hosted service. Forgejo also has better testing and a bigger focus on security.

People that reverse engineer complex modern hardware are probably some of the best developers in the world.

I felt like a grown up once I got my paperless-ngx setup up and running.

I have a Scansnap ix1600 scanner. Everything is automated once I insert a document and click the button to scan it.

1. Scanned documents are saved to an SMB share on my home server - it’s a built-in feature on the scanner.
2. Paperless-ngx is watching that folder and grabs the files.
3. Paperless-ai uses AI to add metadata to document (title, tags, correspondent).

For documents I need to keep a physical copy of, I give each document a consecutive ASN (archive serial number) using QR code stickers. When importing the document, paperless-ngx sees the barcode and attached the correct archive number to the document.

If I need to find the physical copy, I first find it in Paperless-ngx, look at the archive number, then look in a folder where the documents are arranged by archive number. Easy.

For backups I use Borgbackup with Borgmatic, to two different storage VPSes (hosted by two different providers in two different regions).

deleted by creator

deleted by creator

To get started, I’d say to get a cheap block account from the Reddit Usenet deals wiki: https://www.reddit.com/r/usenet/wiki/providerdeals/. A block account gives you a fixed amount of download (1TB, 2TB, whatever) that lasts indefinitely. If you use it just for music or books (for example), one block could last you a very long time. If you find yourself needing more data, you can get a monthly subscription with unlimited data.

You also need an indexer, which is how you search for content. DrunkenSlug, NZBGeek, and NZBPlanet are popular. These cost money, but sometimes they have a lifetime plan where you just pay once. Sometimes they have open registration, but other times you need to get an invite from an existing user. There’s free indexers like NZBKing, but they’re often full of junk, and lack encrypted content.

SABnzbd is the most popular downloader software. It’s free and open-source.

• Add account to SAB.
• Search for what you want on the indexer.
• Download the nzb file (points to where the files are located on Usenet) and add it to SAB to download the contents.

I think that’s it for the basics. There’s more to it - different backbones have different data so one provider might have data that a different provider is missing , you can fully automate downloads with Lidarr/Radarr/Sonarr/Readarr, you can aggregate results from multiple indexers using NZBHydra/Prowlarr - but you can figure that out as you go :)

• KaZaA, Limewire & Bearshare - P2P for the masses

There’s still a few P2P systems from that era that are still around. Soulseek is still doing very well for music, and some users on there have a bunch of things you can’t easily find anywhere else. DC++ and eMule/eDonkey2000 are still around but with much smaller networks.

One of the OG P2P file sharing methods (dating back to 1990) is still around too - IRC DCC.

Interesting - I didn’t see that. They say “You can add your own copyright as well”, so you don’t have to give up your rights to the code. They do still need to comply with the terms of the Apache license.

Their contribution agreement forces you to give up copyright to them.

The license just looks like the standard Apache license though, which doesn’t require this. With the Apache license, contributors still own the copyright to their code, but they license it to the project. Did you see a document in the repo that says something different?

if you need a POSIX interface

SSHFS isn’t POSIX compliant. It doesn’t support hard links, file locking, atomic renames, full support for changing file permissions, umasks, and probably other things.

Versity S3 Gateway is another option that’s trying to focus on simplicity. https://github.com/versity/versitygw

Out of all these, SeaweedFS is the most scalable. Seaweed’s design is based off some of Facebook’s whitepapers about their warm storage system, and it works especially well for use cases that have a very large number of small files (like images).

SSHFS is very unreliable. At least use NFSv4 or even SMB/CIFS.