ProfileCreator VS amfora

> How many users have devices that they are really administrators of? Fewer and fewer.

As long as nobody has forced you to join your computer to a domain and accept the installation of group-policy overrides, you're still fundamentally an administrator of that machine.

You might not ever feel the need to administrate it, because the OS vendor is often co-administering the machine (see: Windows or macOS when you use a local account rooted in their cloud SSO) but the OS vendor hasn't restricted you from doing your own administration in the way that a corporation or institution administering the domain your device belongs to would restrict you. You still have the ambient authority to administer your machine, whether you ever bother to elevate yourself or not.

You can still install your own X.509 roots of trust. Even on, say, iOS! (You must administer the iOS device using tools — e.g. https://github.com/ProfileCreator/ProfileCreator — that run outside of the device on a "real computer"; but that's just a fact of history, to do with how system administrators generally prefer to interact with computers, not a property of the target device's security. A config profile is just a file format; if someone ever wanted to make a profile editor that ran on iOS itself, they could.)

(And if we're talking about a machine that is corporate or institutionally controlled? Well, then it's the responsibility of the people who manage your device — your IT department — to decide whether a given cert should be given trust.)

> What is the technical challenge of setting up your own HTTP server that can be browsed with an off the shelf browser on your local computer?

The approach where you run a proxy that wraps untrusted connections into trusted ones is fully general, but yes, only really applicable to the most advanced users. But then, only the most advanced users really need the full power of this approach. Only someone with a lot of experience in network security should consider themselves capable of vouchsafing a non-TLS HTTP connection as worth being trusted. You have to basically come up with an "attestation heuristic" for the remote yourself — that it stays on the same IP, that its DNS records haven't changed owner, that the server is still sending the same Server response header, etc.

If your needs are slightly weaker — if you can assume that every remote is at least using self-signed TLS certs rather than not using TLS at all — then the problem is vastly simplified: you can directly trust any cert by putting it that cert directly into your X.509 trust store (in effect making it a root-of-trust — though it doesn't have the X.509 property that enables other certs signed by the cert to be trusted transitively, so it's a leaf-node root-of-trust. A "stump of trust", if you will.) You don't need to run any local servers to do this.

I don't have much experience with Jamf specifically so I don't know if they have a tool for this, but you can you software like iMazingand ProfileCreator to create the profiles from a GUI and then push the profiles from to devices using Jamf. Using either of these apps, under "Restrictions", you'll be able to deselect whatever iCloud service you want to be blocked and then save it to a profile.

In Mosyle in the management profiles section you have an option called Certificates/Custom Profiles, there you can upload a .mobileconfig created with for example Profile creator: https://github.com/ProfileCreator/ProfileCreator which nicely includes the Nudge schema and other common used apps :-), this should be the same effect than in the JAMF video, its almost the same thing instead of cut an paste from the AJMF article, upload de .mobileconfig created by the App.

There are many examples and several ways to generate a profile that will grant the appropriate perms, personally I have used ProfileCreator: https://github.com/ProfileCreator/ProfileCreator

On a side note, you might try this for manually creating profiles. https://github.com/ProfileCreator/ProfileCreator

If you have a Mac available ProfileCreator works well as an alternative to Apple Configurator, and it has a few more options.

Gemini is a joke. The main proponents like Drew Devault chuck a tantrum when browsers allow users to optionally show favicons https://github.com/makew0rld/amfora/issues/199

https://github.com/makew0rld/amfora/issues/199

You'll need a different web browser since Firefox and Chrome based Browsers all only support HTTP/HTTPS afaik. I suggest using deedum if you're on Android, if you're on windows I suggest installing this browser, it's a more or less simple graphical Browser written in C# so it should work. Just download the release zip and extract, you can probably go from there., if you're on Linux, I suggest Amfora it's a text based browser but it has served me well.

And that's the caveat with SourceHut and the current discussion around it. While I respect Drew and his work, he isn't exactly the most approachable person in OSS.

If you and several other people happen to have a hard requirement for a specific feature that he (or his buddy Simon) don't see fit for, you won't get that feature, even if you volunteer to implement and maintain it. The only thing you're left with is basically to fork SourceHut, host it yourself and maintain your feature all by yourself, dealing with continuously patching a very much still-in-development (and therefore ever changing) software. That is something you're probably not going to do, especially considering SourceHut's architecture and way of doing things.

SourceHut isn't exactly extensible/pluggable and hosting it as a one man show or even a small company becomes a huge PITA, as soon as you diverge from the holy grail that is Drew's way of doing things (Alpine, no containers, no good config management, no easy way to scale things, and the dedication to invest your blood and tears into maintaining this thing).

Hence I really cannot comprehend the current trend that is "let's all dump GitHub for this, and that, and SourceHut". So far, SourceHut really hasn't made an effort to prove itself worthy of the influx of OSS projects. And while I do see Drew commenting here, reassuring folks he won't ban anyone over any internet disagreement, reading the public mailing lists of the SourceHut repos doesn't really show much of a welcoming behavior either. I mean, he's the person behind what has become one of the most popular Gemini servers, and as soon as that was the case, he began threatening client apps to arbitrary block them for doing things that don't align with his values (in this case, [showing a favicon](https://github.com/makeworld-the-better-one/amfora/issues/19...)). And the cabal of elite internet Amish, that have been on SourceHut since its early days and that makes a large portion of the platform, aren't that different either.

I do agree with GitHub being the wrong place for OSS projects, but I don't agree with SourceHut being the right one. At least for as long as it doesn't become obvious that its founder and the community around him has changed and started to genuinely appreciate people for the work they're doing, regardless of their own ideological beliefs.

I use Sway and I pay to host my code on SourceHut. I admire Drew and I think he is making invaluable contributions to FOSS.

That said, he has a history of... rash? impulsive? reactions to situations that might have been resolved with less bad blood if he had stepped away from the keyboard until he was less upset. The classic example is when he got upset about people wanting to unofficially add favicons to the Gemini protocol, and he threatened to blackhole any IP address which requests a favicon. https://github.com/makeworld-the-better-one/amfora/issues/19...

I do not know if there is some specific recent event triggering vitriol, but the way this post is written, it sounds like Drew thinks it is resulting from less recent actions like the favicon threat.

In Drew's defense, he has made (limited) apologies and I do believe he is trying to do better. https://drewdevault.com/2021/04/26/Cryptocurrency-is-a-disas... has a note at the bottom, saying:

> I realize that my blog has been a source of a lot of negativity in the past, and I regret how harsh I've been with some of the projects I've criticised. I will make my arguments by example going forward: if I think we can do better, I'll do it better, instead of criticising those who are just earnestly trying their best.

But it is also true that many people will not be quick to forgive him, and some people never will. It will take him time to undo the negative image he has created with some people, but after seeing Linus Torvald's positive changes, I am optimistic that Drew can change for the better if he wants to, and help create a welcoming community for everyone. If he doesn't give up first.

amfora gemini client

Should be able to run a basic gemini client just fine, maybe even amfora?