Konform Browser and other bits and bobs.

  • 10 Posts
  • 66 Comments
Joined 6 months ago
cake
Cake day: January 18th, 2026

help-circle


  • If you work for a company or own the company you are still making a self- promotional post for a company, and the rule applies.

    So if the exact same post is posted by a friend instead it’s suddenly accepted? Why is self-promo meaningfully less desired than third-party-promo if they have similar results?

    You seem to be vastly in the minority.

    Might be! That one’s framed as just personal preference and not policy suggestion because I don’t think “allow all things I like and ban everything I don’t” makes for good governance ;)

    So a more restrictive rule?

    More restrictive in one sense (what content and what’s ok to “promote” for) but more allowing in another (you can talk about something even if you are involved or associated).




  • Thank you for thoughtful engagement!

    I think that becomes even more problematic. Why is it better that I shill for a company I’m getting kickbacks from (some VPN providers excel at this game) rather than one I’m responsible for? Besides, this just lead to submarining (“viral marketing” is an entire industry!) and people pretending to “have just stumbled across this project, what do you guys think?” or being “just a happy customer”… And to some extent t becomes a game of social status, where well-connected people can just ask their friends to post on their behalf.

    Judge the message and topic, not the messenger (as long as they are human acting in good faith and not “written with help by AI”, obv).

    Besides of those issues, my personal preference would be to keep the focus on self-hosting. So talk of hardware or shipped software might be on-topic but not service providers. There are plenty of places to discuss cloud-hosting, VPNs, which PaaS is best, or whatnot.

    And I would actually be much more interested in seeing a post from a founder talking about things their company is doing relevant to self-hosters, vs yet another post of “which provider is best right now and what do you use?” or “Company X currently has a sale/launched product Y”.

    While it might filter out some good stuff, I would be all for a ban of any promotion of commercial or proprietary products and services alltogether but allow for self-hostable and in particular FLOSS stuff (where I guess some carve-out or clever formulation could be made to allow for commercial but self-hostable software - either stance on that one seems fine to me).


  • I would like some clarity on general apparent self-promotion of open source projects as well. As in, points 1-4 don’t apply and 5 depends on your definition of “advertisement”.

    I’m bringing this up because I (once) previously attempted to share a project1 I maintain on here. I did take some effort to include some context and discussion points for selfhosters in order to make it more tailored and stay safe on Rule 3. It was quickly removed by mod. I tried reaching out to one of the mods to try to understand what was wrong. They were friendly and said they weren’t involved and would forward to the relevant people and since then I haven’t heard back. It would be very helpful to be able to get some feedback on why submission was removed so we can learn how future submission attempt could be improved (or abandoned).

    1: FLOSS, no commercial or otherwise proprietary parts or relations, no slop or clank in the process


  • Sounds frustrating and I can see how that can be confusing. Had similar peeves with other imposed limitations that initially drove motivation of developing this project so can relate!

    While we have to recognize that there is inherent conflict in expectations of “browser doesn’t disclose my location” and “website knows my timezone” and that Konform Browser will continue defaulting to privacy, you highlight gap in UX and user control that I agree can be improved on. Shouldn’t be too much work to add more make more discoverable selective settings UI for this too in a future release.

    There’s some other aspects that often play into this particular scenario and can vary per site:

    • Apps showing relative time like “10 hours ago” or “in 15 minutes” should not be affected by any of this.
    • Scheduling for events on services like the ones you mention also shouldn’t be affected by this: Time for events is global but display will be affected.
    • There are are a lot of bugs in webapps out there that can be interacting with localtime in incorrect ways. It’s complicated1.

    Try being a part of a team in multiple timezones, some of which follow Daylight Savings Time (from different dates) and some not. Now schedule a recurring weekly meeting for the same time and coordinate that over chat. This is just inherently messy. Communicating this properly in UI is subtle and confusion like the one you described often arise when webapp developers assumptions and user assumptions don’t align. Some even say we should do away with timezones alltogether.

    1: Someone even made list of lists of falsehoods programmers believe about time



  • If you’re talking about Librewolf’s “resist fingerprinting”:

    To set the record straight, ResistFingerprinting was originally developed by Tor Browser developers, and is for some time now part Firefox (and therefore all forks) behind the privacy.resistFingerprinting (“RFP”) preference. So credit there goes to those devs, Tor Projectt, ad Mozilla. Konform Browser and Tor Browser have this on by default. There is also the related more recent and complex privacy.fingerprintingProtection (“FPP”) system. LibreWolf has historically been on RFP too - I’m not up to date if that’s still the case or if they’ve migrated over to FPP yet as I understand that is the intention of maintainers. The difference between the two is more than I bear to explain here and a bit of a rabbit hole x)




  • But can it fool creepjs?

    What does that mean for you, exactly? I know that there is a lot of different ideas out there on how to interpret these results and what “good” means so would be helpful to know what your expectations are to give meaningful answer to such question.

    Anyway, I just tried running the test at creepjs.org and this is result: Test hangs at “57/58: Currently collecting: Private Click Measurement complete”, with no errors in the js console.

    Having compared results with some other fingerprinting suites previously, default settings should give plausible fingerprint corresponding to user base of existing browser. Only Cloudflare seems to hate it: Turnstile on sites in strict mode currently often throw a redirect loop when their troubleshooting tool says all is fine. Is that because fingerprinting protection “works to good” or is broken? You tell me!

    I would appreciate an outside and less biased review, comparison or benchmark on stuff like this! Want to try and report back?





  • A dedicated Forgejo instance f.example.com.

    For a small set of trusted “base” images (e.g. docker.io/alpine and docker.io/debian): A Forgejo Action on separate small runner, scheduled on cron to sync images to f.example.com/dockerio/ using skopeo copy.

    Then all other runners have their docker/podman configuration changed to use that internal forgejo container registry instead of docker.io.

    Other images are built from source in the Forgejo Actions CI. Not everything needs to be (or even should) be fully automated right off. You can keep some workflows manual while starting out and then increase automation as you tighten up your setup and get more confident in it. Follow the usual best practices around security and keep permissions scoped, giving them out only as needed.

    Git repos are mirrored as Forgejo repo mirrors, forked if relevant, then built with Forgejo Actions and published to f.example.com/whatever/. Rarely but sometimes is it worth spending time on reusing existing Github Workflows from upstreams. More often I find it easier to just reuse my own workflows.

    This way, runners can be kept fully offline and built by only accessing internal resources:

    • apt/apk repo mirror or proxy
    • synced base container images
    • synced git sources

    Same idea for npm or pypi packages etc.

    Set up renovate1 and iterate on its configuration to reduce insanity. Look in forgejo and codeberg infra repos for examples of how to automate rebasing of forked repo onto mirrors.

    I would previously achieve the same thing by wiring together more targeted services and that’s still viable but Forgejo makes it easy if you want it all in one box. Just add TLS.

    1: Or anyone have anything better that’s straightforward to integrate? I’m not a huge fan of all the npm modules it pulls in or its github-centric perspective. Giving the same treatment to renovate itself here was a little bit more effort and digging than I think should really be necessary.



  • Is there something particular going on or that has occurred to make you say this? Wondering what I’m missing.

    Not one thing in particular but a general trend driven by several factors. Things recently have, are, and will continue to heat up.

    For one, past few months a few significant supply-chain attacks have been hitting popular developer tooling and libraries used for web development. As devs get compromised, this will “trickle down” to users.

    For two, as stakes are rising, devs are burning out and the economy is shifting, crap like this is just considered “Monday” now. Already been common with browser addons for a while now.

    As for browser themselves, take a closer look at release notes and changelogs (for forks, go to upstream). Note the number and severity of addressed issues and update frequency.

    Adoption and evolution of LLMs also tie into this in multiple ways. Others have written in length about this. If there is one thing doomers and hypers agree on, it’s this.

    Oh, and be careful with archive links.