I wonder if it is a generation gap thing. The young folks these days have probably used only Gmail, Proton or one of these big email services that abstract away all the technical details of sending and receiving emails. Without some visibility into the technical details of how emails are composed and sent they might not have ever known that the email headers are not some definite source of truth but totally user defined and can be set to anything.
+1. Even if they validate DKIM/SPF+alignment (aka DMARC), that would only verify the domain. There is no local part verification possible for the receiver; the sending server needs to be trusted with proper auth.
How is it not? For all but some old and insecure or fairly exotic setups, DKIM/DMARC validates the sender server is authorised for that domain and the server's account-based outbound filtering validates it was sent by the owner of that mailbox.
If the sending server doesn't do DKIM, it's fundamentally broken, move your email somewhere else. If the sending server lets any user send with an arbitrary local part, that's either intended and desired, or also fundamentally broken. If there are other senders registered on the domain with valid DKIM and you can't trust them, you have bigger problems.
> If the sending server doesn't do DKIM, it's fundamentally broken,
No, it just won't get very good deliverability, because everything it talks to is now fundamentally broken.
DKIM shouldn't exist. It was a bad idea from day one.
It adds very little real anti-spam value over SPF, but the worse part is exactly the model you describe. DKIM was a largely undiscussed, back-door change to the attributability and repudiability of email, and at the same time the two-tiered model it created is far, far less effective or usable than just end-to-end signing messages at the MUA.
DKIM isn't an antispam measure, it's an anti-impersonation measure. With DKIM, you can't impersonate a domain, which means you can trust that any email you get from an email provider was sent in accordance with that provider's security policy. In most cases, that policy is "one user owns one localpart and they can only send from it if they have their password". In cases where it's not, this is intentional and known by their users.
If you as a user can't trust your email server, you've already lost, no matter if something is authorized by an outbound email or a click on an inbound link. If your mail server is evil or hacked, it can steal your OTP token or activation link just as easily as it can send an email in your name.
Yes, end to end authentication is definitely better, but this isn't what people are discussing here. With enforced DKIM, "send me an email" has a nearly identical security profile to "I've emailed you a link, click on it". Both are inferior to end-to-end crypto.
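Added example, not part of any comment in this thread: a receiver-side sketch of the DMARC relaxed-alignment check the comments above argue about, showing that the authenticated identity it yields is a domain and never a local part. The messages, the `mx.receiver.example` authserv-id and the two-label `org_domain` shortcut are constructed assumptions; a real validator uses the Public Suffix List and only trusts an `Authentication-Results` header stamped by its own MTA.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification: last two labels. Real validators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_view(raw):
    """Return (from_address, authenticated_identity, verdict) as a receiver sees it."""
    msg = message_from_string(raw)
    addr = parseaddr(msg["From"])[1].lower()
    from_dom = addr.rpartition("@")[2]
    ar = " ".join(msg.get("Authentication-Results", "").split())
    # Domains that passed DKIM (d=) or SPF (envelope sender), per the receiving MTA.
    dkim = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar)
    spf = re.search(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar)
    passed = [m.group(1).lower() for m in (dkim, spf) if m]
    # DMARC passes if any authenticated domain aligns with the From: domain.
    aligned = [d for d in passed if org_domain(d) == org_domain(from_dom)]
    if not aligned:
        return addr, None, "fail"
    # The proven identity is the domain only; the local part is never checked.
    return addr, org_domain(aligned[0]), "pass"

def sample(from_hdr, results):
    # Constructed message with a constructed Authentication-Results header.
    return (f"From: {from_hdr}\n"
            f"Authentication-Results: mx.receiver.example; {results}\n\nbody\n")

SAMPLES = [
    sample("Alice <alice@example.com>", "dkim=pass header.d=example.com header.s=s1"),
    sample("CEO <ceo@example.com>", "dkim=pass header.d=example.com header.s=s1"),
    sample("CEO <ceo@example.com>",
           "dkim=pass header.d=bulk-sender.example; "
           "spf=pass smtp.mailfrom=bounce@bulk-sender.example"),
]

def demo():
    return [dmarc_view(s) for s in SAMPLES]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The first two messages produce the same authenticated identity (`example.com`), so whether `alice` and `ceo` are distinct, password-bound mailboxes rests entirely on the sending server's outbound policy; the third fails because neither passing domain aligns with the `From:` domain.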
There is a product called BOESHIELD T-9 which actually does, reportedly, work for this. It was suggested in some thread years ago and I got a can, it appears to work well enough keeping rust creep off my ancient drill press table.
Great to see Boeshield in this thread - so much of what's happening in this thread is the wrong product for a particular application. As you point out, Boeshield is a great product for protecting cast iron.
Boeshield has a tendency to increase friction though unless buffed really hard.
Lanolin based coatings (fluid film, et al) don't have this issue.
Of course, I live in a super-humid place these days, so I have to control humidity anyway. This doesn't stop rust, but it means I can worry a lot less about which coatings and how often.
The entire point of choosing to use open source projects is that if you, the author, begin to enshittify the product (or simply start to move in a direction different from users), users can fork the project and carry on an un-enshittified version.
If you can't compete with the author, you can't do that. So what is the point of picking software using this license over traditional closed source?
It's not _just_ read, it's read and modify but not redistribute in a way that competes with the original product.
> So what is the point of picking software using this license over traditional closed source?
I don't want to compete with Sentry (or a variety of other open-like applications), but I _do_ want to support my employer's identity provider, fix bugs (and push them back), and maybe even add features that I/my team use. As an example, I've personally contributed multiple bug fixes, performance improvements and documentation changes to Sentry's libraries. I don't want to compete with Sentry, I want them to maintain my improvements and for other developers to benefit from my work.
Emergent behaviors are something it seems none of the tech-bros attempting to re-invent things from first principles ever account for in their plans. You can't just reason out complex systems because emergent things cannot be predicted that way.
The reason your carefully reasoned worldview isn't correct/doesn't match with reality is because of emergent behaviors.
The thing this and MANY similar approaches take that rules them out for my use is they don't do drawings. I draw in my notes somewhat infrequently, but when I need to, I need to. I've been stuck with OneNote for that reason.
Surprised no one even mentioned the Matrix protocol yet. It's still very rough around the edges, but for an old school IRC person talk of Discord as an alternative just hurts me.
Do I want my community to be completely owned by a corporation, so that all the work we put into the network effect belongs to a company and they can impose/change rules at any moment? Have we learned nothing?
Matrix is the modern IRC alternative, not Discord. And in some cases, you can run a bridge between the two, so I use a Matrix client as my daily IRC interface -- best of both worlds.
Even Discord is too hard for non-technical people. My attempt at a family server has dozens of stale accounts belonging to my parents. As much as it infuriates me, I now understand why WhatsApp is phone-only.
If you want a family server you will have to set it up for your non-technical family members if you want them to use it. You have to be the IT person and create the accounts, join the rooms, and so forth. Then you get them to install the app, give them the login, and help them change the password.
Once that's all out of the way they should be able to just click on the app and chat hassle free.
> You have to be the IT person and create the accounts, join the rooms, and so forth. Then you get them to install the app, give them the login, and help them change the password.
I did all that. It wasn't enough. They kept getting another family member to send them a new invite and then manage to somehow create a new account in the web UI each time. I guess that workflow worked for them so they didn't want to change it.
I don't think being phone-only is the key there. Telegram is not phone-only and I'd say it's as easy to use as WhatsApp. In fact, for non-technical people it essentially behaves as a blue WhatsApp and I've heard it described exactly like that, but if you want to go beyond that, the functionality is there. This kind of software that can accommodate several "levels" of users is sadly becoming rarer and rarer.
Discord is IMO quite a mess. I am definitely a technical user (also lived in IRC for years, that's why I'm on this thread) and as someone who just uses Discord from time to time, I regularly get confused by it and find a nontrivial amount of friction to get things done there. No wonder your parents struggle with it.
Not convinced - I certainly don't find Discord any more complex or harder to use than Telegram. The main problem my parents had was they kept losing their account details and creating new accounts, and I think any system that isn't phone-only will have that problem (yes you can make accounts unique by email address, but my parents have multiple email addresses that they mix up, so that doesn't solve the problem). Disabling web browser use and making it harder to sign up (or harder to use without signing up, or locking down server invites even more strictly) would "help" a bit, but I like having a chat system that people can try out in the browser before they commit to it.
This is not how email works, though.