Hacker News | jamieweb's comments

I looked into this a few years ago[1]. The solution I came to involves putting the hash of the most recent Bitcoin block in your document, and then signing the hash of your document into the Bitcoin blockchain.

This cryptographically proves that the document was created/published within those two time bounds.

This of course doesn't help in all cases, i.e. you could edit an old document to make it look newer, but I'm not aware of any way to properly solve that particular problem without a trusted third-party.

[1] https://www.jamieweb.net/blog/proof-of-timestamp/
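The two time bounds described in the comment above can be checked mechanically. The following is an added example, not code from the comment or the linked post: the `Latest-Bitcoin-Block:` marker line, the function names and the in-memory `chain` lookup are assumptions, and how the digest is actually recorded in a transaction is not modelled.

```javascript
const { createHash } = require('node:crypto');

const sha256Hex = (text) => createHash('sha256').update(text, 'utf8').digest('hex');

// Hypothetical marker line used here to carry the block hash inside the document.
const ANCHOR_RE = /^Latest-Bitcoin-Block: ([0-9a-f]{64})$/m;

function stampDocument(body, latestBlockHash) {
  return `${body}\nLatest-Bitcoin-Block: ${latestBlockHash}\n`;
}

// chain.blockTimes:  block hash -> block time (Unix seconds)
// chain.commitments: document digest -> hash of the block that recorded it
function timeBounds(doc, chain) {
  // Lower bound: the document cannot predate the block whose hash it quotes.
  const anchor = ANCHOR_RE.exec(doc);
  const notBefore = anchor ? (chain.blockTimes.get(anchor[1]) ?? null) : null;

  // Upper bound: the exact bytes existed when their digest entered the chain.
  const commitBlock = chain.commitments.get(sha256Hex(doc));
  const notAfter = commitBlock ? (chain.blockTimes.get(commitBlock) ?? null) : null;

  if (notBefore !== null && notAfter !== null && notAfter < notBefore) {
    throw new Error('commitment block is older than the embedded block');
  }
  return { notBefore, notAfter };
}

// Constructed sample data: placeholder block hashes and times, not real chain values.
const BLOCK_EMBEDDED = 'a1'.repeat(32);
const BLOCK_COMMIT = 'b2'.repeat(32);
const SAMPLE_DOC = stampDocument('Release notes, version 1', BLOCK_EMBEDDED);
const SAMPLE_CHAIN = {
  blockTimes: new Map([[BLOCK_EMBEDDED, 1600000000], [BLOCK_COMMIT, 1600003600]]),
  commitments: new Map([[sha256Hex(SAMPLE_DOC), BLOCK_COMMIT]]),
};
```

Any edit to the stamped document changes its digest, so the edited copy keeps a lower bound but has no upper bound until it is committed again.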


I use it to test my Content-Security-Policy by crawling my whole site and capturing any violation reports that are sent.


Mind sharing your script?


This has been absorbed into an internal repo now, but the original version that I wrote a couple of years ago is here: https://gitlab.com/jamieweb/travis-ci_csp-tester/


Cheers!


What's wrong with just plain old curl?


cURL doesn't load subresources or honour Content-Security-Policy headers as this is beyond the scope of what it's supposed to do.


Cloudflare Registrar - it's one of the only truly security-oriented ones out there, and they offer wholesale rates, which is a nice bonus.


I use Cloudflare Workers for:

* Serving a standard security.txt file for all websites within my account

* Automatically rewriting the case of URLs for a CMS that doesn't support case-insensitivity

* Adding security headers to sites that don't support adding them locally (e.g. third-party hosting)

* Proxying requests elsewhere directly from the 'edge', rather than having to run my own proxy

* Serving static config files, e.g. mta-sts.txt, proxy.pac
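A sketch of two of the uses listed above (serving security.txt and adding security headers in front of an origin that cannot set them), as an added example that is not the commenter's own Worker. The contact address, expiry date and header values are constructed placeholders, and `handleRequest` and `withSecurityHeaders` are hypothetical names.

```javascript
// Constructed placeholder content; replace with the real contact and expiry.
const SECURITY_TXT = [
  'Contact: mailto:security@example.com',
  'Expires: 2030-01-01T00:00:00.000Z',
  'Preferred-Languages: en',
].join('\n') + '\n';

// Placeholder header set; a real Content-Security-Policy must fit the site.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'no-referrer',
};

function withSecurityHeaders(response) {
  // Build a copy: headers on a response returned by fetch() are immutable.
  const hardened = new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: response.headers,
  });
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    // Only fill gaps, so a header the origin already sends is left alone.
    if (!hardened.headers.has(name)) hardened.headers.set(name, value);
  }
  return hardened;
}

async function handleRequest(request, originFetch = fetch) {
  const { pathname } = new URL(request.url);
  if (pathname === '/.well-known/security.txt') {
    // Answered at the edge for every site; the origin is never contacted.
    return withSecurityHeaders(new Response(SECURITY_TXT, {
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
    }));
  }
  return withSecurityHeaders(await originFetch(request));
}

// Service Worker-style registration; skipped when no such runtime is present.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```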


Just a heads-up, while you can proxy WebSockets via Cloudflare Workers, you cannot have them act as the endpoint (https://support.cloudflare.com/hc/en-us/articles/200169466-U...).


FWIW, you can terminate WebSockets if you're in the Workers Unbound beta.


For those who've ended up here, my solution for now is to use Feedly.


How?


Feedly lets you 'subscribe' to YT channels, so you can see all of the uploads in your Feedly feed.

Just search for a channel when adding a source. If it doesn't come up, paste in a direct link to the channel homepage and it'll find it.


My main reason for disliking Snap is the fact that it allows anybody in the world to publish a package with minimal moderation. This completely undermines the inherent trust that system package managers should have.

When installing critical system packages, I want to be absolutely certain that these are legitimate/official, and that even if I make a minor error in typing a command, I won't inadvertently install some sort of typosquatted fake version of the package.

When using Apt with the default repositories, this isn't a problem at all, as only known, trusted packages are available. In other words, there's no chance of someone publishing a fierfox or apahce2 package to try to typosquat someone.

I don't even want to talk about the forced automatic updates either... these make it essentially impossible to have a stable/reliable system for specialist use cases, e.g. browser testing, bastion host, build environment, where control over updates is very important.

On the sandboxing - it's good in principle, but rarely seems to be implemented in a truly meaningful way, as ultimately once you have home drive access, you don't even need to worry about escalating privileges as everything valuable is probably in your home area! There's an xkcd about this somewhere...


> My main reason for disliking Snap is the fact that it allows anybody in the world to publish a package with minimal moderation. This completely undermines the inherent trust that system package managers should have.

Where do we get more maintainers? Sometimes in my development I release one new Wekan version per day. Canonical's Snap build servers download Wekan source code directly from GitHub; it is very transparent.

> On the sandboxing - it's good in principle, but rarely seems to be implemented in a truly meaningful way

Wekan Snap has a strict sandbox, so code cannot access any directory other than /var/snap/wekan/common. So in case someone would find an exploit for the web service, it cannot escape the sandbox. It is very important.


tac


Just to confirm, this only seems to relate to popcon/popularity-contest, and not the other data collection features.

The other two main ones are Apport for crash reporting, and ubuntu-report, which sends system info if opted-in at install.


Allow developers/engineers to use an OS and tooling that they're comfortable with. There must be choice between text editors, IDEs, browsers, shells, etc.

Also don't try to control this centrally. Once developers have proven themselves to be competent at operating a computer, they shouldn't be forced to use a locked-down corporate machine.


Yes, would love a 'pull' based system. You can usually tell just from the subject/preview whether you actually need an email.

