Spyke

Replies

Comment on

Rule 2 Clarifications and New Rule proposal

Reply in thread

Thank you for thoughtful engagement!

I think that becomes even more problematic. Why is it better that I shill for a company I'm getting kickbacks from (some VPN providers excel at this game) rather than one I'm responsible for? Besides, this just leads to submarining ("viral marketing" is an entire industry!) and people pretending to "have just stumbled across this project, what do you guys think?" or being "just a happy customer". And to some extent it becomes a game of social status, where well-connected people can just ask their friends to post on their behalf.

Judge the message and topic, not the messenger (as long as they are human acting in good faith and not "written with help by AI", obv).

Besides those issues, my personal preference would be to keep the focus on self-hosting. So talk of hardware or shipped software might be on-topic but not service providers. There are plenty of places to discuss cloud-hosting, VPNs, which PaaS is best, or whatnot.

And I would actually be much more interested in seeing a post from a founder talking about things their company is doing relevant to self-hosters, vs yet another post of "which provider is best right now and what do you use?" or "Company X currently has a sale/launched product Y".

While it might filter out some good stuff, I would be all for a ban of any promotion of commercial or proprietary products and services altogether but allow for self-hostable and in particular FLOSS stuff (where I guess some carve-out or clever formulation could be made to allow for commercial but self-hostable software - either stance on that one seems fine to me).

Comment on

Rule 2 Clarifications and New Rule proposal

Reply in thread

If you work for a company or own the company you are still making a self-promotional post for a company, and the rule applies.

So if the exact same post is posted by a friend instead it's suddenly accepted? Why is self-promo meaningfully less desired than third-party-promo if they have similar results?

You seem to be vastly in the minority.

Might be! That one's framed as just personal preference and not policy suggestion because I don't think "allow all things I like and ban everything I don't" makes for good governance ;)

So a more restrictive rule?

More restrictive in one sense (what content and what's ok to "promote" for) but more allowing in another (you can talk about something even if you are involved or associated).

Comment on

[META] Are paid for, closed source projects, being advertised on this community, appropriate?

Reply in thread

Thank you for replying, this is encouraging and sounds like moderation of this community is shaping up.

Whichever side the ruling falls I think that feedback channel would be very good. Just having a way for a submitter to ask from mod(s) why the submission was targeted might be the difference between them turning into a great contributor vs either just leaving or starting to play circumvention games (in especially bad cases turning into antagonistic trolls). Speaking from how I've seen those dynamics play out in other communities.

Comment on

[META] Are paid for, closed source projects, being advertised on this community, appropriate?

Reply in thread

I would like some clarity on general apparent self-promotion of open source projects as well. As in, points 1-4 don't apply and 5 depends on your definition of "advertisement".

I'm bringing this up because I (once) previously attempted to share a project^1^ I maintain on here. I did take some effort to include some context and discussion points for selfhosters in order to make it more tailored and stay safe on Rule 3. It was quickly removed by mod. I tried reaching out to one of the mods to try to understand what was wrong. They were friendly and said they weren't involved and would forward to the relevant people and since then I haven't heard back. It would be very helpful to be able to get some feedback on why submission was removed so we can learn how future submission attempt could be improved (or abandoned).

^1^: FLOSS, no commercial or otherwise proprietary parts or relations, no slop or clank in the process

Comment on

Are there ZERO good browsers?

Reply in thread

I would also recommend checking out Konform Browser, which has a focus on security, privacy and user control. Currently only providing builds for Linux. Given the browsers you mentioned I think it is highly relevant for your interests and IMO leader in that category (though as dev am obviously biased on that ;))

linux

Comment on

Konform Browser 140.12.0-100 - Security- and privacy-oriented open source web browser doesn't skip a beat

Reply in thread

But can it fool creepjs?

What does that mean for you, exactly? I know that there are a lot of different ideas out there on how to interpret these results and what "good" means so would be helpful to know what your expectations are to give a meaningful answer to such a question.

Anyway, I just tried running the test at creepjs.org and this is the result: Test hangs at "57/58: Currently collecting: Private Click Measurement complete", with no errors in the js console.

Having compared results with some other fingerprinting suites previously, default settings should give plausible fingerprint corresponding to user base of existing browser. Only Cloudflare seems to hate it: Turnstile on sites in strict mode currently often throws a redirect loop when their troubleshooting tool says all is fine. Is that because fingerprinting protection "works too good" or is broken? You tell me!

I would appreciate an outside and less biased review, comparison or benchmark on stuff like this! Want to try and report back?

firefox

Comment on

Firefox containers

"Facebook Container" seems redundant if you already use Multi-Account Containers and set it up accordingly, yes. Other than that it doesn't sound over-the-top at all and a reasonable configuration.

Doesn’t Strict mode block third-party cookies anyway?

Almost, but not entirely. For that you need First-party Isolation (privacy.firstparty.isolate pref: https://bugzilla.mozilla.org/show_bug.cgi?id=1330467),

containerises first-party cookies too, but I wouldn’t need that.

It does do that - if it didn't, there wouldn't be any "multi-account" to it.

With a profile like that you might also find Konform Browser relevant to your interests with more private defaults and convenient toggling of modes and features. https://konform-browser.codeberg.page/

It comes with a debloated version of Multi-Account Containers, which can also be installed as a normal addon into other Firefox builds: https://codeberg.org/konsortium/multi-account-containers-lite

privacy

Comment on

Using Brave browser? Stop now.

All info on that site is several years stale and the site itself is unmaintained (last update 2022; git repo permanently archived 2024). Many of the details are not reflecting current state of things and this page is not a good resource for comparing browsers in 2026 (except as inspiration for replicating their methodology^1^).

Konform Browser is to my knowledge the only up-to-date webextension-capable browser today with literally 0 phone-home / background connections under defaults, and no telemetry or other superfluous undesired activity ever. (disclaimer: am dev. I'm certain it would be ranking as top if such a ranking was made today. Come @ me ;))

^1^: Separately recently published container-based flow for doing this kind of analysis and doing similar comparison. There are some basic results and comparison included in readme but would be cool to see someone take it to the next step, drill deeper, share more exhaustive and educative results, present it in a format more digestible for non-techies (whether using this setup or something different).

linux

Comment on

Deprecated Linux Commands You Should Not Use Anymore

Reply in thread

Just to be clear, most of these (think about egrep/fgrep for a moment) are deprecated and "shouldn't be used" in scripts for distribution. What's new is that you can't expect everyone else to have them and having dependency on them in shipped software is considered antipattern.

Nobody gives a shit what aliases and shims you use in your own shell.

On iptables: By now it's even gone from kernel and the tables turned with the cli command now actually being a shim calling into its successor nft. IMO nft is much more approachable for beginners to pick up and the rules files become so much more readable and maintainable. If you're already committed to iptables syntax then cool - but with very few exceptions I don't think anyone needs to learn iptables today - just go straight to nft and you'll be happier for it. Similar for ifconfig.

privacy

Comment on

PeerBox, the first fully P2P secure email system

Is this vibecoded or is there thinking behind why it will silently reuse existing user SSH keys by default? For an app like this I would expect it to exclusively use its own keys. Same for PGP.

I also find the ways dependencies are handled a bit unorthodox and surprising (possibly system-breaking even). For a python project it would make more sense with a lockfile and using a package manager for dependencies installed remotely via pip.

https://codeberg.org/NovaFuture/Peerbox/src/commit/60ed3b638d6dc6c82322f73a9ce1c3e44ecec5d2/conf/config.py#L148-L197

https://codeberg.org/NovaFuture/Peerbox/src/commit/60ed3b638d6dc6c82322f73a9ce1c3e44ecec5d2/system/mount/src/onion_client.py#L345

I also wonder why it bundles minified js for Quill editor v1.3.7 (from 2019) when unminified version would be easier to audit and maintain, and v2.0.3 was released in 2024?

privacy

Comment on

Konform Browser - Taking privacy, security and freedom to the next level

Reply in thread

There is a longer discussion to be had about both what RFP does, how effective it is, and the relative impact on entropy of this particular feature.

For now I will just say this: Providing configuration for this serves the project's goal of user control and freedom. It should be up to the user to make that call. We as developers shouldn't unilaterally decide on behalf of everyone. We can't think of everything and we don't always know best. Of course we can still provide guidance and put what we believe is sensible as defaults. I find it odd to criticize empowering users in this way, in particular considering the status quo.

Were it up to me, everyone should have Letterboxing on by default, probably with similar reasoning. I don't see why you wouldn't use it. Everyone enabling it would make us all (ever so little) less fingerprintable. Arguably more meaningful impact than dark/light-theme. And less of an accessibility issue. Even so, we still leave this configurable in the same way as the dynamic theming.

You can also see this way of thinking reflected in allowing loading of your own add-ons from file and allowing userChrome customization. Probably niche power-user features with risks involved and sharp edges exposed but we are developers and maintainers of software, not your sysadmins^1^ or caretakers^2^.

If you fundamentally disagree, well, not all software has to be for everyone. Probably there is already something else (like Tor Browser) that serves your needs and aligns with your philosophy better?

^1^: ...xcept... you want us to be your sysadmin? 👉👈 Call me when you close that seed round bb 😘

^2^: Nope.

privacy

Comment on

Mullvad Browser and Tor Browser have unique-per-computer persistent IDs on fingerprint.com

Reply in thread

Are you keeping at default window size, or resizing? If latter, it is expected. This is a gotcha when using tiling window managers as they often force a window size that may give you away. TB should otherwise start with static fixed window size. Enabling "Letterboxing" feature can help alleviate this somewhat.

On PG: Also been seeing weird vibes and some inexplicable moderation comms and actions when looking closer. Their "recommendations" and "guides" also raise eyebrows. Something is very strange there.