Signal is only available on F-Droid via an unofficial build from the Guardian Project. The maintainers of the Guardian Project lag behind on updates for their repos, so their repository should not be used for any apps important for security.

I think it’s self-explanatory

This depends whether you care about security or software freedom guarantees. Because if it’s security that is the priority, F-Droid is a much weaker option than Obtanium+Appverifier because they use their own signing keys for nearly all apps. If F-Droid’s build infrastructure is ever compromised, then almost every app you have downloaded through it is also compromised. The inability for developers to control their own signatures is part of the reason Signal does not release on F-Droid.

Accrescent is a much better option than anything else because it still allows developer-managed keys, although it doesn’t have many apps. Google Play (although it does have high-security infrastructure) has the same problem as F-Droid of centrally managed keys. Obtanium with Appverifier at least lets you ensure that your app is signed by the developer.

This happens when YouTube blocks or rate limits your IP address to prevent bot activity.

Yeah, I’m actually a bot working for the NSA, sorry.

That markup work to try to hide what’s on your laptop doesn’t work, and someone can easily see what’s on your screen from this photo. You should use an actual box or do what you did with the emoji to cover sensitive info.

What specifically do you dislike about zsh?

Now, EPFL researchers… have released new software that allows users to download open-source AI models and use them locally, with no need for the cloud to answer questions or complete tasks.

It’s cool that they got LLMs running on local clusters of computers, but with the way it’s written, they make it sound like people have not already been using local LLMs for a long time (including GPT-OSS 120B).

The safest way would be to get AppVerifier and check the original developer’s signature

Okay, that’s a fair reason to use Gemini.

If you are trying to cater to people with a specifically “high threat model” (who are going to want zero-trust privacy protections), then the journals are an issue you’ll have to somehow address.

Even if a user does not type full details like their name, small things like “I got banana ice cream today” and “I went for a night drive” can build a detailed profile over time, which even if ephemeral could be correlated using the database if that is sent for every query.

It’s important to note that the Vivaldi browser is proprietary software

If Gemini truly can’t see PII (no way to add “notes” for example) then I don’t think that would be too big of a concern for most people, at least for those who don’t have a distain for LLMs in the first place. Though I do feel that people with “high threat models” (would be good to be precise about what a “high threat model” is in this instance) would prefer to have a local app that interfaces with a local Ollama API, rather than an internet-connected service.

What precisely is Gemini “calculating” here and why can’t its function be replaced on a lightweight local LLM?

Edit: After reading the information from the website, it sounds like there are a lot of opportunities for users to accidentally identify themselves to AI providers or open up de-anonymization attack vectors. If I were very concerned about my identity being linked to my recovery behavior, I would probably not use this service as it is now.

No, it does not. mysearchengine.co/homepage literally redirects to the domain that the user mentioned.

It’s possible that the domain for the search engine you were using got sold. You’ll have to find a new one.

Okay. Well, in this case it would probably be a good idea to at least have the update process also verify developer signatures, since otherwise it’s not only trust on first visit, but trust every update.

And yeah, I agree that a standalone package might be a good solution, as long as it is signed.

If the user trusts the server to serve safe JavaScript each time they connect with an empty cache (which is cleared often for privacy-conscious users), I’m not sure how this adopts a very different security posture from the Trust On First Use security model that’s used by many other apps, even if the app itself implements secure MITM mitigations using data from shared links.

When you have an app with dedicated updates, it is possible to verify that it is genuinely from the developer or maintainer. Web browsers’ certificate validation protects against connecting to a fake server, but it does not protect the user if the server is compromised when they first connect.

The most security-conscious users are going to end up hosting the JavaScript in a webserver on localhost, and at that point it might as well be a dedicated application.

You can run appimages in Tails

Removed by mod

What’s the alternative? Keeping Nicolás Maduro in charge?

Yeah, any authentication cookie will be unique to you, so if you do use one, Google will be able to track you across browsing sessions, which is likely what you’re trying to mitigate by clearing them.