I've thought about making such a system before, but never considered making it a single flat file¹. How are you going to identify who keeps inviting these bad actors?
Assuming the list is under source control, the commit history can answer this question but it's manual work whereas a tree/graph system shows you directly who is making the bad judgement calls (may be intentional or not, so this person can keep contributing so long as those contribs are good, but not invite further people). I don't understand the added value of a bunch of software around what is essentially an allowlist where the commit history already shows why someone was added or removed
> the purpose of the trust metric is to certify that a given user account on Advogato is known by the Advogato community to actually belong to the individual who claims it and is known to be a member of the free software and open source community. The user may be a crank, annoying, or of a political persuasion that you don't agree with. What the trust metric attempts to guarantee is that they really are who they say they are
Sounds like a slightly different goal but certainly an interesting system to look at
> My definition of PKI is the one we’re using for TLS, some random array of “trusted” third parties can issue keys
Maybe read the actual definition before assuming you're so much smarter than "HN". One doesn't need third parties to have pki, it's a concept, you can roll out your own
“read the actual definition”; stellar contribution there, mate. I checked and sure enough it's exactly in line with my comments.
I’ve been discussing the practical implementation of PKI as it exists in the real world, specifically in the context of bootloader verification and TLS certificate validation. You know, the actual systems people use every day.
But please, do enlighten me with whatever Wikipedia definition you’ve just skimmed that you think contradicts anything I’ve said. Because here’s the thing: whether you want to pedantically define PKI as “any infrastructure involving public keys” or specifically as “a hierarchical trust model with certificate authorities,” my point stands completely unchanged.
In the context that spawned this entire thread, LineageOS and bootloader signature verification, there is a chain of trust, there are designated trusted authorities, and signatures outside that chain are rejected. That’s PKI. That’s how it works. That’s what I described.
If your objection is that I should have been more precise about distinguishing between “Web PKI” and “PKI generally,” then congratulations on missing the forest for the trees whilst simultaneously contributing absolutely nothing of substance to the discussion.
But sure, I’m the one who needs to read definitions. Perhaps you’d care to actually articulate which part of my explanation was functionally incorrect for the use case being discussed, rather than posting a single snarky sentence that says precisely nothing?
The tone matched the engagement I received. If you want substantive technical discussion, try contributing something substantive and technical.
I've explained the same point three different ways now. Not one person has actually demonstrated where the technical argument is wrong, just deflected to TOFU comparisons, philosophical ownership debates, and now tone policing.
If Aachen has an actual technical refutation, I'm all ears. But "read the definition" isn't one, and neither is complaining about snark whilst continuing to avoid the substance.
> I've explained the same point three different ways now.
But you're demonstrably wrong. The purpose of a PKI is to map keys to identities. There's no CA located across the network that gets queried by the Android boot process. Merely a local store of trusted signing keys. AVB has the same general shape as SecureBoot.
The point of secure boot isn't to involve a third party. It's to prevent tampering and possibly also hardware theft.
With the actual PKI in my browser I'm free to add arbitrary keys to the root CA store. With SecureBoot on my laptop I'm free to add arbitrary signing keys.
The issue has nothing to do with PKI or TOFU or whatever else. It's bootloaders that don't permit enrolling your own keys.
> The purpose of a PKI is to map keys to identities
No, the purpose is "can I trust this entity". The mapping is the mechanism, not the purpose.
> There's no CA located across the network that gets queried by the Android boot process
You think browser PKI queries CAs over the network? It doesn't. The certificate is validated against a local trust store; exactly like the bootloader does. If it's not signed by a trusted authority in that store, it's rejected. Same mechanism.
> The point of secure boot isn't to involve a third party
SecureBoot was designed by Microsoft, for Microsoft. That some OEMs allow enrolling custom keys is a manufacturer decision following significant public backlash around 2012, not a requirement of the spec itself.
> The issue has nothing to do with PKI [...] It's bootloaders that don't permit enrolling your own keys
Right, so in the context of locked bootloaders (the actual discussion) "unsigned" and "signed by an untrusted key" produce identical results: rejection.
Look I'm not even clear where you're trying to go with this. You honestly just come across as wanting to argue pointlessly.
You compared bootloader validation to TLS verification. The purpose of TLS CAs is to verify that the entity is who they claim to be. Nothing more, nothing less. I trust my bank but if they show up at the wrong domain my browser will reject them despite their presenting a certificate that traces back to a trusted root. It isn't a matter of trust it's a matter of identity.
Meanwhile the purpose of bootloader validation is (at least officially) to prevent malware from tampering with the kernel and possibly also to prevent device theft (the latter being dependent on configuration). Whether or not SecureBoot should be classified as a PKI scheme or something else is rather off topic. The underlying purpose is entirely different from that of TLS.
> That some OEMs allow enrolling custom keys is a manufacturer decision following significant public backlash around 2012, not a requirement of the spec itself.
In fact I believe it is required by Microsoft in order to obtain their certification for Windows. Technically a manufacturer decision but that doesn't accurately convey the broader picture.
Again, where are you going with this? It seems as though you're trying to score imaginary points.
> Where exactly am I "demonstrably wrong"?
You claimed that the point of SecureBoot is to involve a third party. It is not. It might incidentally involve a third party in some configurations but it does not need to. The actual point of the thing is to prevent low level malware.
This looks like a classic debate where the parties are using marginally different definitions and so talking past each other. You're obviously both right by certain definitions. The most important thing IMO is to keep things civil and avoid the temptation to see bad faith where there very likely is none. Keep this place special.
Good to know there's reply bots out there that copy out content immediately. I rarely run into edit conflicts (where someone reads before I add in another thing) but it happens, maybe this is why. Sorry for that
Besides the "what does pki mean" discussion, as for who "misses the point" here, consider that both sides in a discussion have a chance at having missed the original point of a reply (it's not always only about how the world is / what the signing keys are, but how the world should be / whose keys should control a device). But the previous post was already in such a tone that it really doesn't matter who's right, it's not a discussion worth having anymore
I'm an Anki user, on and off since 10 years or so, but was still confused. If I understood correctly, the entities here are:
- Anki, as set up by dae aka Damien, is like the brand name and desktop implementation with the spaced repetition algorithm
- AnkiWeb is what I thought this hub thing was. It's where you download decks
- AnkiHub is a third party (started by "AnKing", now 35 employees) who sells decks as a monthly subscription and has their content on the deep web (you need to create an account and agree to terms to even see a listing of what's there besides a few featured parts). This is who is getting ownership of the former two. Because they write that Anki will remain open source at its "core", I presume that means that things will, at best, stay stable rather than anything (like AnkiWeb the deck sharing platform) becoming open
- AnkiDroid is a separate open source project (an Android app). The corporation is hiring the main developer, but it's not yet clear to me whether they're just going to get paid to work more on AnkiDroid or if they're also getting other tasks
> - AnkiDroid is a separate open source project (an Android app). The corporation is hiring the main developer, but it's not yet clear to me whether they're just going to get paid to work more on AnkiDroid or if they're also getting other tasks
----
To copy from my message on Discord:
> I’m moving to a full-time position working on Anki [incl. AnkiWeb & AnkiMobile]. I’m really excited about this, but there’s a mountain of pending, somewhat undefined work which will need to be done, and it’ll need my full-time attention for a while.
> I’ll still be contributing to AnkiDroid, but I won’t be able to commit as much time as I am doing currently (at least for the first few months while things stabilize). I’ll be here on evenings/weekends, and will be contributing in other ways (hopefully: unified Note Editor, JS addons etc… ), but I expect to slow down with code contributions to ensure I’m staying on top of PR reviews & general force multiplier work. I’m definitely Org Admin’ing for GSoC over the summer [assuming Google gives us the greenlight], it’s historically been a VERY light role.
> In all honesty: I’m expecting things to be business as usual, I have more than enough capacity to keep up with the notification queue. Even if I completely dropped off the planet, we’re a great team and the improvements would keep on flowing. AnkiDroid’s bus factor has been >>> 1 for a LONG time now.
Information on Discord visible only if you sign up for it (and afaik, in some countries, upload identification)... that does seem rather in line with the deep web architecture that AnkiHub uses. Maybe this would be good in a ticket or the Anki forums, since it's relevant to the people using and contributing to the app. Here on HN it's now also findable in web searches as a side effect of copying it I guess
Worth noting you don't need to use it. Anki comes with a syncserver implementation for a while now, and there are docker images too. It's worth it for the transfer speeds alone IMO.
Anki is under AGPL too, which has an anti-DRM clause, so many types of enshittification of anki or their addons (e.g. to prevent sharing of their decks) would be unenforceable too.
As such I see no obvious things that would be susceptible to enshittification here.
Just as a counterpoint, to avoid people getting the wrong idea about the complexity involved - I use it and it took literally minutes. The most confusing part was that the sync settings in Ankidroid referred to Ankiweb.
It's mostly due to time/resource/technical constraints [some of our strings come from a shared backend], but we can do better here, especially if there's now a lot more community interest in the feature.
Pull requests welcome! Do feel free to get in touch on the issue/Discord.
Was about to do that, but it turned out it's already fixed in the current version - so literally the only minor issue I hit on my way to a custom sync server is resolved already :)
The pip instructions are bad. Typical Python things: Non-reproducible, not involving a proper lock file. Cargo instructions seem not much better, since they are only referring to a tag in the git repo. The installation from "package build" leaks user and password in shell history.
Overall this doesn't inspire much confidence in how solid and tested the procedure is.
I see. I am not claiming, that it is your job to fix that.
On that page though, the same issues are present. The pip install does not make use of any lock file.
`pip install anki`
Isn't a command we should be seeing in 2026. Unless it is a one-off experiment setup. There should be proper lock files, not just version numbers, especially in the Python and JS ecosystems this has become less and less acceptable.
Leaks username and password to shell command history. Again, can be fine for a one-off quick hack, but is not a great practice, since the shell command history is not the most secure place to store one's credentials in. This could be easily mitigated by adding leading " " (space), at least in environments I am familiar with, but better would probably be putting the credentials in a config file, so that they never hit the shell command history.
The repo already has a lock file for uv. It would be better to make use of that lock file, when using Python to install. And in fact, when one downloads a release of Anki for desktop and runs it the first time, it does make use of uv, creating a venv, and (unconfirmed) hopefully makes use of the uv lock file.
I see these kinds of issues very frequently in Python projects. As someone, who has previously worked on providing docker images for data science workflows, enabling reproducible research, I am quite sensitive to this. But also I hear from friends, that they are traumatized by Python projects installing things in system python and other shenanigans. In general there seem to be tons of people doing Python projects, who don't have a clear idea of how to make things safe and reproducible, which is giving Python projects in general a bad reputation. All while good solutions to these problems exist and existed for years.
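An added example, not part of the original comments and not Anki's own code, of the credential handling discussed in the comment above: the secret is read from an owner-only file so it never appears on a command line, and a helper checks whether the leading-space trick is actually active, since in bash it only works when `HISTCONTROL` contains `ignorespace` or `ignoreboth`. `SYNC_USER`, `SYNC_PASS`, the `user:password` file layout and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: load sync-server credentials from a private file instead of
# typing them on the command line. SYNC_USER / SYNC_PASS and the file layout
# are hypothetical names chosen for this sketch.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# load_creds FILE: export SYNC_USER and SYNC_PASS from the first line of FILE,
# which must look like "user:password". Files that group or others can access
# are refused (return 2); malformed content returns 3.
load_creds() {
    creds_file=$1
    [ -f "$creds_file" ] || { echo "no such file: $creds_file" >&2; return 1; }
    mode=$(file_mode "$creds_file") || return 1
    case $mode in
        [0-7]00) ;;   # owner-only, e.g. 600 or 400
        *) echo "refusing $creds_file: mode $mode is not owner-only" >&2
           return 2 ;;
    esac
    # Accept a final line without a trailing newline as well.
    IFS= read -r line < "$creds_file" || [ -n "$line" ] || return 3
    case $line in
        ?*:?*) ;;
        *) echo "expected user:password in $creds_file" >&2; return 3 ;;
    esac
    SYNC_USER=${line%%:*}   # text before the first colon
    SYNC_PASS=${line#*:}    # everything after it (may contain colons)
    export SYNC_USER SYNC_PASS
}

# history_ignores_space: succeeds only if HISTCONTROL is set so that bash
# keeps commands typed with a leading space out of the history.
history_ignores_space() {
    case ":${HISTCONTROL:-}:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Create the file with `umask 077` in effect, or `chmod 600` it before writing the secret, so it is never briefly readable by other users.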
In fairness, Python as an ecosystem doesn't make it clear, either. I used to write a ton of Python back in the v2 days. I came back to Python to write a web crawler in summer 2025 and couldn't believe how it was still a bunch of arcane commands to create a virtual environment and install dependencies and capture the dependencies. Yes, an IDE like Pycharm handles this (thank goodness), but jiminy crickets, why doesn't "pip" refuse to even work until you've done "pip init" which generates a requirements.txt and then every pip install should check for a requirements.txt in the PWD. If it doesn't exist, refuse to install the dep. If the file does exist, append the version of the dep to that file.
It's 2026. Even JavaScript can do this.
pip is the de facto manager for the entire language. It should be better. With Node Package Manager for JS, the installation default is at the project level. You have to do a command line override to install globally.
PIP is the opposite. In fact, the only way to install at the project level is to create a virtual environment and trick PIP into thinking it's installing at the global level!
What language operates like this in 2026? Maven installs at the project level. Unison at the project level. Haskell at the project level. JS/TS at the project level.
(Same person as above but felt that this part had a separate purpose so I've moved it into its own comment)
The ecosystem is currently such that it seems hard to enshittify it. They say they have no intention of doing that and I believe it, but their vision of a healthy and good product might involve a fair price (for rich countries at least) whereas it was always free so far
Time will tell; it sounds like there's currently no plans either way, but it's also simply open enough that users can always just install the open source software and share decks with each other by whatever file transfer/sharing means. Everything that's already there won't simply go away. I'm going to keep using AnkiDroid and building the language deck I am working on
This may be true, but as someone who picked up Anki as a desktop app back around 2009 it feels a little crazy.
I also can’t imagine making cards on a phone, given how much switching between apps/windows is involved and how poor mobile platforms are at multitasking. It’s difficult to envision it being anything but maddening.
That's how some people do their "computing" these days, if they do any that deserves the name at all. I had to do some of that on vacation. With a modern phone it's possible, but mentally taxing. Phones feel like MS-DOS operating systems, where each application is fullscreen. Most people are just consumers. This is probably true for Anki decks as well. Only a small minority creates decks, the vast majority only consumes.
Why'd people choose a closed ecosystem but then care about open software? I assume the main crowd is on AnkiDroid, either via f-droid or google play, and that the few iOS people don't care about a new corporation taking over the rights
In America perhaps. Android is more popular in other countries, most people I know use Anki for free. The desktop app and sync are useful for editing cards and managing a large collection. Both of those are free too, but for how long?
> The iOS app has never been free and that's the way most people use it these days.
Where are you getting the stats that drive this claim? How are you measuring usage on platforms that don't necessarily collect usage metrics, e.g. desktop versions?
Does it? I've looked at it only briefly (like enabled it, waited a while for it to download something big, then got a basic shell) but it seemed much less capable than Termux. Can you get cell tower info or copy to clipboard for example, or use other Android APIs?
Edit: looked into it a bit more, /etc/issue says it's a Debian 13 (latest stable), apt works with sudo (this is a locked-down device where I don't have root permission on, why does it need a fake sudo to use apt?) but of course programs like wavemon are useless because Android doesn't let you access the WiFi interface. There's no settings besides port forwarding and resetting the "partition". I don't see any documentation or info on how/whether you can interface with the rest of the system in any way. Looking on the web for Android terminal or "Linux developer environment" (as the system settings calls it) is predictably useless and only results in Google's unrelated Android SDK or other terminal emulator apps
Edit 2: okay, beware of it: I was curious if the same "you can't make the OS not kill your script" problem also happened in this OS terminal and.. it's worse. So I ran `while true; do date >> latest.txt; sleep 10; done` to see how long it'd stay alive and then did some other tasks like turning the screen off and on, opening a navigation app and zooming into a dense city, and loading a few websites. Locked the screen once more for good measure and then unlocked and opened the terminal. Guess what? It's broken. Not just crashed: I simply cannot start it anymore. The only "error handling" (Fehlerbehebung it says) step it offers is to delete all data and start with a clean system. The stack trace says there's a nullpointer in TerminalWebViewClient, with the next line being in Trichrome. It's a web browser apparently
YMMV, but I've had pretty good luck with just force closing it and launching again when getting errors like that. It doesn't necessarily mean the whole environment is corrupt, even though that is the recovery option that is presented.
It is very unreliable though. I hope Android 17 improves it, as other than the restart issues, I've generally found it to be very functional.
¹ https://github.com/mitchellh/vouch?tab=readme-ov-file#vouche...