• 0 Posts
  • 16 Comments
Joined 11 months ago
Cake day: December 13th, 2024

  • lmmarsano@lemmynsfw.com to Programmer Humor@programming.dev: you guys are paying for git?
    edited · 45 minutes ago · 1 up / 1 down

    Degrading the text to an image, then OCRing it, is a lossy, more failure-prone waste of computing power than linking to the source or just providing the text: it only poorly addresses 1 issue while adding extra steps. We still lose web connectivity, authenticity, searchability, and fault tolerance while impairing usability & accessibility. I don’t think linking to the comment or pasting text is an extraordinary effort or harder than taking & clipping a screenshot, saving it to a file, and uploading it.

    Since you didn’t understand it, here’s the full list of issues again: Images of text break much that text alternatives do not. Losses due to image of text lacking alternative such as link:

    • usability
      • we can’t quote the text without pointless bullshit like retyping it or OCR
      • text search is unavailable
      • the system can’t
        • reflow text to varied screen sizes
        • vary presentation (size, contrast)
        • vary modality (audio, braille)
    • accessibility
      • some users can’t read this due to lack of alt text
      • users can’t adapt the text for dyslexia or vision impairments
      • systems can’t read the text to them or send it to braille devices
    • web connectivity
      • we have to do failure-prone bullshit to find the original source
      • we can’t explore wider context of the original message
    • authenticity: we don’t know the image hasn’t been tampered
    • searchability: the “text” isn’t indexable by search engine in a meaningful way
    • fault tolerance: no text fallback if image breaks.

    Contrary to age & humble appearance, text is an advanced technology that provides all these capabilities absent from images.


  • Then Google would have to put out the fire of that vulnerability in their dependent software.

    Not disclosing a vulnerability doesn’t stop attackers from exploiting it. A report simply indicates someone who noticed bothered to report it.

    The problem is the vulnerability. False urgency is nothing more: Google’s urgency isn’t the maintainer’s & the maintainers don’t need to “meet the window”. Companies will be left with their pants on fire if they don’t act, too, but it will cost them more. Maintainers can just ignore the window to shift the burden back on moneyed interests as I explained before.


  • They’re bug reports: no one needs to fix them. This problem is solved easily enough by letting the chips fall.

    If companies want them fixed badly enough, they can send bug fixes, which is much cheaper than the alternative (paying more engineers to develop & maintain non-open alternatives). Those companies have at least as much interest as anyone to keep that software maintained & secure.

    The position of the FFmpeg X account is that somehow disclosing vulnerabilities is a bad thing.

    The truth is never a bad thing. They don’t need to care. A bug is a bug: better to know than not.



  • lmmarsano@lemmynsfw.com to Programmer Humor@programming.dev: you guys are paying for git?
    edited · 9 hours ago · 17 up / 1 down
    Gross: image of text.

    Images of text break much that text alternatives do not. Losses due to image of text lacking alternative such as link:

    • usability
      • we can’t quote the text without pointless bullshit like retyping it or OCR
      • text search is unavailable
      • the system can’t
        • reflow text to varied screen sizes
        • vary presentation (size, contrast)
        • vary modality (audio, braille)
    • accessibility
      • some users can’t read this due to lack of alt text
      • users can’t adapt the text for dyslexia or vision impairments
      • systems can’t read the text to them or send it to braille devices
    • web connectivity
      • we have to do failure-prone bullshit to find the original source
      • we can’t explore wider context of the original message
    • authenticity: we don’t know the image hasn’t been tampered
    • searchability: the “text” isn’t indexable by search engine in a meaningful way
    • fault tolerance: no text fallback if image breaks.

    Contrary to age & humble appearance, text is an advanced technology that provides all these capabilities absent from images.

    I wonder what they think git is.


  • Needs text alternative.

    Images of text break much that text alternatives do not. Losses due to image of text lacking alternative such as link:

    • usability
      • we can’t quote the text without pointless bullshit like retyping it or OCR
      • text search is unavailable
      • the system can’t
        • reflow text to varied screen sizes
        • vary presentation (size, contrast)
        • vary modality (audio, braille)
    • accessibility
      • some users can’t read this due to lack of alt text
      • users can’t adapt the text for dyslexia or vision impairments
      • systems can’t read the text to them or send it to braille devices
    • web connectivity
      • we have to do failure-prone bullshit to find the original source
      • we can’t explore wider context of the original message
    • authenticity: we don’t know the image hasn’t been tampered
    • searchability: the “text” isn’t indexable by search engine in a meaningful way
    • fault tolerance: no text fallback if image breaks.

    Contrary to age & humble appearance, text is an advanced technology that provides all these capabilities absent from images.

    Question asked & answered. Dislikes answer.

    Reddit, gross.



  • If they can intercept my password despite TLS, they can probably also steal my session.

    That’s not necessarily true: it could leak due to flaw or defect that doesn’t affect the session token.

    Security is all about layers & reducing risk/surface area of attack. By getting your secret, they can leak it. Leaking a secret they don’t have, however, is impossible: that’s secure by design.

    I’m going to disagree that passkeys really have multifactor authentication built in.

    Then you’re disagreeing with standards & definitions. Passkeys are encrypted in an authenticator that needs a biometric or secret (i.e., something you are or know) to unlock the key (something you have).

    Authenticator is a multi-factor cryptographic authenticator that uses public-key cryptography to sign an authentication assertion targeted at the WebAuthn Relying Party. Assuming the authenticator uses either a facial recognition, fingerprint or PIN for user verification, the authenticator itself is something you have while the facial recognition and fingerprint (biometric) are something you are and the PIN is something you know.

    my one attempt to use it

    While it’s fine to share, “I tried something once, it sucked” is not a great argument to generalize that the technology sucks or isn’t better than your limited impression. Maybe piefed sucks: if piefed implemented password authentication wrong, would you blame password authentication?




  • All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique.

    You’re still transmitting the actual secret to the destination, so interception is a risk. Passkeys use asymmetric cryptography: no reusable secret is ever transmitted, only time-sensitive challenges that prove possession of the private key. Servers only store public keys, which aren’t secret by design.

    Passkeys have multifactor authentication built-in whereas passwords do not.

    Passkeys can be more convenient than passwords. My password manager has my passkeys. At login, my password manager raises a passkey prompt that I simply confirm.