Maybe I don’t understand the use case for bentopdf, and considering how popular it is, that is likely true
Especially in this day and age, be careful with believing something is right (or even popular) just becuse it looks popular. Talking about generalities of gameable metrics and the cognitive pattern, not to dunk on the project apart from their communications doing the same mistake.
It's not as much the general style as the particular contents of this release. Your previous release notes did not give the bad impression this one does. Since you did ask for any feedback I let you know why I am now less likely to use or recommend the tool compared to before. The amount of text and emojis spent begging for TrustPilot reviews also contributes.
FWIW, netstat is considered legacy and deprecated. The in-vogue way to do the same thing is ss -lpn | grep 8080.
netstat like ifconfig still works and is shipped in the net-tools package if you like it but if you're learning it's better to build a habit with ss and ip right away.
https://arturogl.com/2023/10/18/linux-new-tools-replacing-netstat/
Try to ignore the GH stars and other engagement numbers. Or at least try not to put focus on them in your communications. It's a distraction for you and you are making it a distraction for your audience. GH stars are not a useful signal as they are easily gamed and bought. Maybe yours are all organic, legitimate, and a legitimate cause for personal celebration. But you are just giving false credence to them (and thereby those illegitimately gaming the system) and removing focus from your own app. I don't think it belongs in release notes or a great way to lead your pitch here.
Most of the first half of the release notes rubs me a bit the wrong way and feels like it's not the place for those messages. Your "Very Important Note" feels less relevant than the "Dad Joke" section (which does have potential entertainment value) and probably has the exact opposite effect than the one you intend.
A CA can be an encrypted volume on a live USB stick. It's mostly for the CRLs you might want something online. A static HTTP server where you manually dump revocations is enough for that.
Unless you do TOFU (which some do and btw how often do you actually verify the github.com ssh fingerprint when connecting from a new host?), you need to add the trust root in some way, just as with any other method discussed. But that's no more work than doing the same with individual host keys.
And what's the alternative? Are you saying it's less painful to log in and manually change passwords for every single server/service when you need to rotate?
If this is inside the threat model, you put a passphrase on that key and load it in an external process like ssh-agent or gpg-agent. Maybe even move it to a separate physical device like HSMs or crypto hardware wallets (many of which can be used for this purpose btw).
This is also neat: https://doc.qubes-os.org/en/latest/user/security-in-qubes/split-gpg-2.html#notes-about-split-gpg-2
Not if you use certificates signed by your own internal CA and trust the CA instead of straight up trusting the public keys explicitly.
This way you can generate new SSH or TLS keys trusted across a bunch of machines without having to touch those machines directly for every key, since they are signed by your trusted authority. If you configure CRLs properly you can also revoke them centrally.
mTLS (mutual TLS) is actually quite common out there. And SSH certificates moreso than public keys.
So clients get issued certificates that they can authenticate with. TLS for HTTPS but both ways. It sounds like this is what you're asking about?
If you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with long track record, centralized packaging and tiered rollouts.
Roughly,
High community trust: Debian, SUSE, Fedora, Ubuntu
Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs
Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr
IDGAF: curl | sh
Of course.
As Arch becomes mainstream and more of an attractive target for attackers I think we will get more of the same thing happening regularly in NPM: Legitimate popular packages getting compromised because a maintainer got infected or phished.
As well as botting of votes and comments.
It was certainly not intended as a character assessment and it's unfortunate you took it that way. I'm talking about how the release notes (and in passing your post) were written and not about you as a person or maintainer, or even the project itself.
I do hold release notes of a public project with thousands of users to a different standard than anon lemmy.world comments in a feedback thread. Is that interesting or surprising?
I believe there was actionable feedback given. You are of course free to dismiss it.