We really like #qoto services. Today we came to learn there are #Cloudflare fetches on #qotoDotOrg's mastodon for the instance icons.
To see the fetches use F12 for the Network tab.
It gets CSS from miy.pw, one Cf website, and that CSS gets icons for each instance type at https://34.wtf, another Cf, based on HTML content.
Aside from being inefficient, couldn't this track/out users to Cf?
@MitiGator
@strypey
@bojkotiMalbona @witchescauldron @msaunders @paulsutton@qoto.org
@lupyuen
@dsfgs @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @lupyuen
Not sure maybe @freemo can help
Good question. This comes from the instance ticker feature added to some of our themes (it's how we add a banner to posts that shows what instance users are from, using unique colors and icons for each instance).
We specifically provide theme versions for most of our themes that are no-ticker versions that won't fetch this CSS or add the tickers. This is specifically for people who don't want to use the ticker's third-party CSS.
So if anyone is worried about this, I'd suggest users simply switch to one of the no-ticker themes.
@dsfgs @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @lupyuen
@freemo @dsfgs @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @lupyuen
This is what I like about fedi: a concern / question is raised, and rather than trying to fob people off, you get a response such as this, that explains the issue and suggests possible solutions.
@zleap I mean, it's a pretty legit concern :)
I have just made a short video on how to change the theme. It is transcoding as I type this.
@zleap I can't view it since I'm in Egypt and internet is god-awful slow here. But we should find a good spot to put it for people to find it in the future.
@freemo Good point, it is still transcoding at the moment. I have a few similar videos, so could be useful for tutorials etc.
2/3… through thousands of instances per toot on the page? A server-side-added 'class' descriptor may help a lot, especially for users whose battery-life is a concern.
At the very least, however, it might be safer/more private/faster to serve the tiny file/icons locally?
In its current form, we…2/3
@zleap @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen @freemo
3/3… wonder if the ticker should be opt-in at signup, with a "(note: uses Cloudflare)".
What is the story behind this ticker being on the site? We see it's used on kurage.cc (mentioned in the CSS). Do we know other sites using it?
@zleap @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen @freemo
When I'm back near some proper internet I'll link you to the creator of the tickers so you can ask them. There are quite a few instances that use it.
The reason we can't host the CSS is because the maintainer updates it fairly often as new instances are added or updated.
We did consider making it non-default, but after asking the qoto users the vast majority wanted to keep it as default. That said, I think it's fair to more prominently notify users that it uses Cloudflare in our about page so they can be better informed.
@zleap @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen
@freemo
Thanks for your reply.
Yes, stating on the About page that the Ticker is Cloudflare would be a step forward.
The sheer scale of data that Cf can collect/infer may be high but at least ppl will know.
If anyone wants to "tickr tinkr", a server-side 'class'ification of #InstanceType seems a worthy endeavour.
In considering #selfHost vs Cf, a) does the developer…1/2
@zleap @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen
@freemo
2/2… offer files for selfHost? b) when not self-hosting are the remote files integrity-checked (ie 'integrity' attribute)? They should be for when Cf gets attacked (we all know its gonna happen).
It seems the developer updates the CSS every 3-4 months? A script to check for an update each quarter may work well! When #TruthSocial federates though maybe be ready to get that update early :P
@zleap @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen
@dsfgs @torproject @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen @freemo
Is it worth this being brought up on the forum, partly as this is a matter of choice for end users but also something that admins can make clear as to the options the end users have, and the pros vs cons of this?
Yea, I think the forum would be a good spot to elaborate on the details and inform users. The about page should briefly mention it and then link to the forum for more info.
Since I am in Egypt with a broken leg it might be a bit before I get the chance though.
@dsfgs @torproject @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen
@freemo @dsfgs @torproject @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen
No problem, no rush anyway as it is nearly Christmas / New Year so people may be busy anyway.
@zleap
Hi, everyone well? Has any progress been made on this whole #qotoCloudflare issue?
At a good internet supply, @freemo? It will be good to know the ticker maker to know the instances using it. Is it @yi0713? When you asked the folks about the ticker and they voted for default, did they know it was Cf-hosted?
Is anyone able to address how on postPages the ticker loaded with JS(?) when JS disabled?
@torproject @MitiGator @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen
I will likely be back around good internet in a day or two if all goes well. Can you remind me then?
@miyon is the ticker maker, I think.
It was quite some time ago we voted about the default theme; pretty sure Cloudflare was known at the time of the vote as I had mentioned it when I first put the theme together. I need to search for the vote and verify.
@zleap @yi0713 @torproject @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen
@freemo
Even better if it could be scheduled. Then no remind needed.
Thanks for including @miyon
Cloudflare are only getting more monolithic/dangerous. It might be interesting to see what your users discuss in a fresh RFC.
We'd be willing to devote time to improving the ticker in future (uses a lot of screen space in addition to being a possible client-side CPU drainer). Ideas @eugen?
@zleap @torproject @MitiGator @strypey @bojkotiMalbona @witchescauldron @msaunders @lupyuen
Despite the fact that my users didn't seem to care too much about Cloudflare in the past, I will say it's a service I myself like to avoid using when at all possible. So if we can get Cloudflare out of the picture and keep the tickers going, I'd personally find that to be preferable.
@miyon @eugen @zleap @torproject @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @lupyuen
@freemo @dsfgs @miyon @eugen @torproject @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @lupyuen
I agree there, and if we have to use it, then make it clear we are using it and why.
@zleap @lupyuen @msaunders @witchescauldron @strypey @MitiGator @torproject @eugen @miyon @dsfgs @freemo If you’re going for honest transparency, why not go a step further & refer people to this article so people learn why #Cloudflare is a bad idea → https://git.disroot.org/dCF/deCloudflare/src/branch/master/subfiles/rapsheet.cloudflare.md
I think the intent here is to just quickly mention it in our about page with a link to a more detailed forum article explaining it. In the forum we can add that link (after reviewing it) so people can be informed. In the end they have the option to use themes without CSS hosted on Cloudflare, so I'm good with that. All for links to help people be informed, but I'm not trying to make a political issue out of it. As long as people are informed I'm OK with them deciding for themselves if they care. Some people don't want to be tracked, others really don't care; I'm OK with either group.
@zleap @lupyuen @msaunders @witchescauldron @strypey @MitiGator@101010.pl @torproject @eugen @miyon @dsfgs
@freemo @bojkotiMalbona @lupyuen @msaunders @witchescauldron @strypey @MitiGator@101010.pl @torproject @eugen @miyon @dsfgs
I think this is a good way forward, provide information and allow people to make informed choices as to which themes they want to use.
@freemo
It's worth mentioning, knowingly exposing users to Cloudflare tracking by default, in today's age, is political already. They're absorbing the internet. On this occasion it's nothing that can't be solved with a 'wget', 'sed -i' and some checks. We admit a server-side solution would be better.
@bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @MitiGator @Gargron
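Added example, not part of the thread and not InstanceTicker or qoto code: a sketch of the checks raised above (the 'integrity' question and the "'wget', 'sed -i' and some checks" self-hosting idea). It lists every reference in a stylesheet that would make the browser contact another host, rewrites those to local paths, and pins the reviewed file with an SRI value. The sample CSS, the `.example` hosts, `qoto.example` in the test and the `/ticker` prefix are constructed placeholders.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample; hosts and paths are placeholders, not the real ticker CSS.
SAMPLE_CSS = (
    '@import "https://css-host.example/base.css";\n'
    ".a::before { background: url(https://icons.example/mastodon.png); }\n"
    ".b::before { background: url('//icons.example/pleroma.png'); }\n"
    '.c { background: url("/local/pixel.png"); }\n'
    ".d { background: url(data:image/webp;base64,AAAA); }\n"
)

# Matches url(...) with optional quotes, and bare @import "..." strings.
REF = re.compile(r"""url\(\s*(['"]?)(.*?)\1\s*\)|@import\s+(['"])(.*?)\3""", re.I)


def sri_hash(data: bytes) -> str:
    """Value for an HTML integrity attribute (SHA-384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def external_refs(css: str, own_host: str) -> list:
    """References that would make the browser contact another host."""
    found = []
    for m in REF.finditer(css):
        ref = m.group(2) or m.group(4) or ""
        host = urlparse(ref).netloc  # empty for relative paths and data: URIs
        if host and host != own_host:
            found.append(ref)
    return found


def localize(css: str, own_host: str, prefix: str = "/ticker"):
    """Rewrite external references to local paths; return (css, fetch plan)."""
    plan = {}
    for ref in external_refs(css, own_host):
        u = urlparse(ref)
        plan[ref] = f"{prefix}/{u.netloc}{u.path}"
    for ref, local in plan.items():
        css = css.replace(ref, local)
    return css, plan


def upstream_changed(pinned: str, fetched: bytes) -> bool:
    """True when a fresh upstream copy no longer matches the reviewed pin."""
    return sri_hash(fetched) != pinned
```

An `integrity` attribute on the `<link>` covers only the stylesheet file itself, not the images or imports that stylesheet then loads, which is why the reference scan matters even when the CSS is pinned.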
Hi @miyon,
Greetings from Australia. Do you offer a selfHost option for ticker out of the box? May you be so helpful as to provide a list of instances that are using miy.pw or 34.wtf as they are (now?) Cloudflare-surveilled, your help would be greatly appreciated.
@freemo @bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @MitiGator @Gargron
Hello everyone.
I'm Miyon-Miyon.
I am the image character of #InstanceTicker, but since September, I have been removed from the management project members due to my busy schedule, and the actual operator (committer) is @weepjp .
Please wait for @weepjp 's reply.
@dsfgs @freemo @bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @MitiGator @Gargron
@miyon
Thanks Miyon,
Maybe there is one thing you can help with. How was the decision made to become Cloudflare? Was there extreme difficulty with the requests?
We are trying to understand how websites become cf'd in the first place.
@weepjp @freemo @bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @Gargron
Thanks @dsfgs ,
1) I am currently preparing a "Non CloudFlare version" of #InstanceTicker.
2) This version will replace all reference images with dataURIschemes instead of externalURLimages. This will increase the capacity of the CSS.
3) Due to the nature of customCSS, I have decided that all images need to be converted to webp format to optimize size and data volume.
This will take some time to prepare.
@freemo @bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @Gargron
@weepjp
Thanks weepjp,
Sounds like a project!
In the interim is there a version of the current ticker for selfHost? Not to be too alarmist but everyday is another day Cf are gathering data on Fedi.
Which instances are currently running it?
What is currently being done to trick Tor into loading content dynamically(?) on Post pages?
Other technical matters discussed below without tagging others.
@freemo @miyon @bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @Gargron
OTHER TECHNICAL MATTERS:
You mentioned embedding images in CSS via #dataURLs, yes? Will you consider testing this in Tor browser and FOSS browsers generally first?
Maybe an #imageMap will work better (for all users). Then depending on the icon you want to use you offset the background image in a ':before' element?
There's a way to address this server-side and we think it would likely improve UX. If updating ticker, maybe think about going server-side?
#TickerBlue - #InstanceTicker NON-CF Version!
https://ticker.blue
> selfHost
It seems that another person made something similar.
https://github.com/cutls/OpenSticker
> Which instances are currently running it?
Display ticker list:
https://miy.pw/css/0.php
Custom server (Req ranking): https://miyon.miyon.org/@InstanceTicker/107271136119363709
> Tor
I have no knowledge of Tor.
I can't improve for Tor.
From now on, if you have a lot of questions and requests, I will close #InstanceTicker.
@dsfgs @freemo @miyon @bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @Gargron
Yes ideally it can and should be avoided. No reason it needs to be the case here that they get exposed to it.
@bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @MitiGator@101010.pl @Gargron
@freemo
Yes, and it's important to be consistent on any opposition to Cloudflare (all CAGEFAM, really, but Cloudflare is the 'elephantine tentacle-squid in all the rooms').
@bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @Gargron
I am not as vigilant about it as you. Like, I do try to avoid it on any services I host, mostly because I know some of my community cares and I want them to feel safe and protected. But it's not a big fight for me other than avoiding them where I can. Like, I don't invest much time in spreading the word and all the things that a more active person like yourself might do. For me it's just common sense to avoid it.
@bojkotiMalbona @zleap @lupyuen @msaunders @witchescauldron @strypey @Gargron
@freemo @dsfgs @miyon @eugen @torproject @MitiGator@101010.pl @strypey @bojkotiMalbona @witchescauldron @msaunders @lupyuen
I had never heard of Cloudflare until recently.
Hi zleap and Freemo (et al),
Thanks for the prompt reply and a video even, @zleap! Unfortunately, we're unable to watch videos at this time, also.
There are, to us, peculiarities to this ticker plugin. It seems to use JS (node.js) on some pages despite us having JS disabled in Tor? @torproject.
It looks like very inefficient client-side code too, iterating…1/3
@MitiGator @strypey @bojkotiMalbona @witchescauldron @msaunders @alex @lupyuen
@freemo