I heard Codeberg already struggles with spammers, so I get that. But letting big surveillence data companies like the credit card companies solve this, seems like one of the worst ideas. I’ve seen e.g. discourse use a gradual trust system, there likely are other ways.

I wasn’t arguing against Passkeys, just pointing out how they are often perceived.

I was definitely arguing against TPMs, however. https://gist.github.com/osy/45e612345376a65c56d0678834535166 https://pluralistic.net/2024/01/18/descartes-delenda-est/#self-destruct-sequence-initiated https://www.elevenforum.com/t/tpm-2-0-is-a-must-they-said-it-will-improve-windows-security-they-said.13222/ https://scispace.com/pdf/tpm-2-0-uefi-and-their-impact-on-security-and-users-freedom-2e1ldhodqq.pdf https://www.gnu.org/philosophy/can-you-trust.en.html (But Passkeys apparently don’t need them, see my KeepassXC mention before.)

Passkeys seem to be advertised in ways that puts people off (edit: not saying that makes them bad):

• TPMs, Secure Enclaves, etc. are deeply closed-source and security by obscurity. Until there is an open TPM implementation available, many users may prefer not to rely on them. It seems like KeepassXC allows circumventing TPM for Passkeys, but most people probably don’t know that.

• Too much “trust me bro, my cloud is safe” advertising from big Passkey advocates like Google to try to get people to use their invasive services.

• A classic hardware key may be indistinguishable from a normal password being entered. But Google has announced they want to push passkeys against user’s wishes here: “Is opting-into passkey mandatory? No, […]. However, over time, as users become more accustomed to passkeys, we might limit where we allow passwords to be used because they’re less secure than passkeys.” Again, not a great look.

• Collecting biometric data is always dangerous, too many attack vectors during processing. I’m aware that Passkeys can be used without that, but many people may be put off by that push.

I think that’s why Passkeys have poor adoption among privacy advocates, even though most problems seem fixable.

Caring about privacy and caring about the details of a security protocol are distinct. You’d be surprised how many people who care about privacy are deeply wary of passkeys because of the biometric factor, which is unfortunat

Gitlab.com has similar problems, sadly. Meanwhile, I haven’t ever heard of Codeberg doing somethign similar, but who knows I guess.

Gitlab has a horrible UI when you have a smaller screen or lower end device, and I heard also not really great server-side performance compared to forgejo and gitea.

Also, the gitlab.com instance randomly blocks people or demands their credit card data.

It is shocking that this (apparently???) doesn’t seem to be illegal.

AGI talk seems for now to be merely hype to get investors.

LLMs seem likely to be dead end for any logical thought: https://www.forbes.com/sites/corneliawalther/2025/06/09/intelligence-illusion-what-apples-ai-study-reveals-about-reasoning/ This means at the end of the day you just get a sloppy illusion with no useful coherence as soon as it exceeds the complexity of a literal lazy copy&paste job: https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo/

There is currently no technological innovation to fix this. Instead, AI progress seems to be stalling: https://futurism.com/artificial-intelligence/experts-concerned-ai-progress-wall

LLMs seem likely to be dead end for any logical thought: https://www.forbes.com/sites/corneliawalther/2025/06/09/intelligence-illusion-what-apples-ai-study-reveals-about-reasoning/ This means at the end of the day you just get a sloppy illusion with no useful coherence as soon as it exceeds the complexity of a literal lazy copy&paste job: https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo/

There is currently no technological innovation to fix this. Instead, AI progress seems to be stalling: https://futurism.com/artificial-intelligence/experts-concerned-ai-progress-wall

Therefore, it’s not naive to assume it may go nowhere until proven otherwise.

I don’t really trust IBM to know what they’re doing, but it’s still a nice sign.

The lack of intelligence is inherent for LLMs: https://www.forbes.com/sites/corneliawalther/2025/06/09/intelligence-illusion-what-apples-ai-study-reveals-about-reasoning/

This is likely why Apple is the only big tech company that hasn’t entered the AI race with tons of debt and tons of data centers. They’re likely seeing the writing on the wall.

While there could be a new technique arriving to solve this some day, there also may never be one.

It’ll backfire for any non-trivial code base at some point. LLM plagiarized code is just too inherently lacking any sense of big picture. Gen AI doesn’t have the necessary intelligence. I keep linking it but it keeps being relevant: https://www.forbes.com/sites/corneliawalther/2025/06/09/intelligence-illusion-what-apples-ai-study-reveals-about-reasoning/

I doubt it. https://www.forbes.com/sites/corneliawalther/2025/06/09/intelligence-illusion-what-apples-ai-study-reveals-about-reasoning/ Gen AIs are literally so unable to have any basic logical thought, I think this is merely the hype.

To anybody still being scared, watch this: https://www.youtube.com/watch?v=3400S4qMH6o

I have no Android phones. Just avoid the privacy disaster apps entirely. Switch your banks, buy transport tickets that are printed out. It’s a nuisance but it’s possible.

Available options for mostly open systems among others seem to be the PinePhone, the ClockworkPi uConsole, and the Librem 5. The latter two seem to have significant shipping delays and more technical caveats, however.

While on some level I agree, perhaps it’s time to push Linux phones as well?

For anybody who has any sort of techie knowledge, that could be a better long term option once Linux phones get more momentum and funding.

Seems like part of the problem is that once they identify AI being involved in a contribution, they’re not rejecting it immediately.

I disagree TPM is a good candidate.

And I think many of us reject the premise we should submit to any central id provider for half of the internet in the first place. There are less risky approaches: https://www.politico.com/news/2025/10/13/california-law-online-age-checks-00606115

Here are my sources:

1. https://pluralistic.net/2025/08/14/bellovin/ (I don’t agree with every bit of that article.)

   In practice, the security and privacy guarantees of the CL protocol require two different kinds of wholly independent institutions: identity providers (who verify your documents), and certificate authorities (who issue cryptographic certificates based on those documents). If these two functions take place under one roof, the privacy guarantees of the system immediately evaporate.

   (“CL” seems to refer to a common zero knowledge proof algorithm.)

2. https://github.com/eu-digital-identity-wallet/av-doc-technical-specification/blob/main/docs/architecture-and-technical-specifications.md#332-enrolment-methods-without-existing-identification

   Technical Requirements: An Age Verification App shall support the following: […] Request from the operating system a tamper-evident attestation of AVI properties

   (As far as I know, they mean device attestation with this where you no longer fully control your device.)

3. https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/issues/20

   The EUDI Wallet team is participating in a wider, EU-wide collective sleepwalk into a serious trap: You, along with the entire EU Digital-Identity movement, are hard-wiring the EU’s civic governance to Apple and Google’s hardware and software stack.

4. https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/issues/15

   Requires accepting “Terms of Service” to access basic functions of being a citizen. Your demo video shows you requiring accepting “Terms of Service” and “Data Protection Information” which I guess should really be “Privacy Policy”.

Feel free to share your sources.

There are solutions to this like having a doc comment right next to the function which is picked up by some API generator. Then it’s easier to keep in sync. That can work well even in languages without explicit parameter types.

Of course it won’t help LLMs as much, but I personally don’t mind that.