Dear Linux desktop apps, you have full authorization to create a folder in my ~/.config directory, you are even invited to stuff your data in my ~/.local/share directory, and let's not forget about that ~/.cache y'all! Wunderbar! Much freedom!
So, now, please repeat after me:
π I π SHALL π NOT π MAKE π A π FOLDER π IN π YOUR π HOME π DIRECTORY π
Thank you kindly
https://wiki.archlinux.org/title/XDG_Base_Directory#User_directories links the specification in the section above.
# Keybase, we have a problem. The Keybase software and service are both littered with severe bugs that create a security and legal nightmare. Here are some of the issues: * Deception: Their software is a server masquerading as a client app. They simply call it an βappβ on this page: <a href="https://keybase.io/docs/the_app/install_linux">https://keybase.io/docs/the_app/install_linux</a> but itβs actually a surreptitious <em>server</em> that runs continuously in the background as a daemon. * Deception: Tor mode serves only to mislead users. The tool actually surreptitiously phones home to the central server of Keybase, Inc. without using Tor at all. This is not the usual DNS leak that Tor users are accustomed to, the connection itself takes place outside of the #Tor network. Itβs not incidental. This is in their <em>privacy policy</em>: βWhen you access or use the Service,we automatically collect and store information about your browsing habits and your use of the Service (βUsage Informationβ),including: a. Your computerβs IP addressβ¦ f. Session times and lengthsβ * Malice: Keybase is designed to reverse usersβ edits to the <code>run_keybase</code> script. So users who try to patch the leaks by introducing torsocks wrappers in that script will learn who really owns that tool on the next upgrade or downgrade, when the script is overwritten. The overwriting is also silent, so some users will be unaware when their traffic becomes exposed. This also means adding firejail sandboxing to that script will also be reversed. Itβs no accident, they enforce it in the ToS that you agree to: βWe may automatically check your version of the Software. We may also automatically download to your computer or device new versions of the Software.β * SoftwareFreedom: The javascript on <a href="http://www.keybase.io">www.keybase.io</a> is non-free software (it fails the #LibreJS test). * Malice: There are so many security bugs that keybase developer Jack OβConnor (βoconnor663β) is outright deleting some of the more embarrassing security-critical bug reports. This censorship is the most malicious variety because it blocks other users from becoming aware of pitfalls in software that they have trusted. (Hence this article, which is out of reach for Jack OβConnor to censor) * Malice: The login webform is coded as a pop-up to force users to disable their ad blockers. * Malice: Users who are wise enough to distrust the keybase server have no way to receive messages that are collected through the <em>Keybase Chat</em> mechanism. * Deception: People who send messages using <em>Keybase Chat</em> are not given feedback on non-delivery. So humans are actually composing messages that are silently black-holed! Nothing is more reckless and irresponsible than a messaging service that fails to deliver without telling the sender. Whatβs even more perverse is that non-delivery is not a rare event-- itβs simply a matter of the recipient not running their junk software. So itβs designed to cause widespread harm, the scale of which that could provoke a class action. So theyβve actually written a clause in their ToS to attempt to block class actions: βAny Claim must be brought in the respective partyβs individual capacity, and not as a plaintiff or class member in any purported class, collective,representative, multiple plaintiff, or similar proceeding (βClass Actionβ).β They also have: INDEMNIFICATION, LIMITATION OF LIABILITY, ARBITRATION, and NO WARRANTY clauses to block all actionability of their malice. * Bug: Further exacerbating the previous two issues is the fact that the βKeybase Chatβ button cannot be disabled. Users not running the dodgy software are still forced to have this blackhole-feeding mechanism on their profiles. * Hypocrisy: Keybase sends all notifications in-the-clear as plaintext despite having the recipients pubkey and having built their own software to use it. Keybase, Inc does not eat their own dog food. * Bug: If you disable the (insecure) notifications and you are not running their (insecure) software, then you have no way of knowing that someone has tried to send a message. So human-written messages are not only black-holed, but both sender and recipient are unaware of the non-delivery. * Bug: The Keybase installer creates the directory β/keybaseβ with all world privileges (and yes, they root it in β/β). The keybase developers have said they believe that mounting a filesystem to that directory blocks access to it (so they are unaware of bind mounts). * Malice: advertising is opt-out, not opt-in. From their ToS: βwe may send you communicationsβ¦promotional information and materialsβ¦We give you the opportunity to opt-out of receiving promotional electronic mail from us by following the opt-out instructions provided in the message.β They are encouraging users to use an unsubscribe link in a spam message. Informed users know is a bad idea, as it signals that an e-mail address is actively in use. * Bug: Keybase does not sign their e-mail messages, thus exposing their users to phishing attacks. Keybase, Inc again demonstrates they donβt eat their own dog food. * Deception: They say files are end-to-end encrypted, but this legal loophole gives them immunity for any shenanigans in that regard: βWe collect and store files and information that you transmit to other parties using the Service or that you elect to store on the Service.β * Deception: This appears on the Keybase website: βThe Keybase website is ok, but the Keybase app is faster, safer, and more powerful than doing it in a browser.β When they say the βwebsite is okβ, itβs a gross oversight to imply that you can rely on the website alone when doing so entails forfeiting access to inbound messages (for which the collection cannot be disabled). And when they say the βapp is saferβ, itβs a lie.
@yarmo There's one app that immediately creates a folder in my home directory (with a space in the name) before you even get a chance to look at config options.
I can't trust an app that's designed with such disdain for the user.
...I'd like to add one exception: IFF the software asks the user first and asks for a pathname (with a ~/.* default).
*sometimes* I'd like to have thoses things where I see them
@yarmo
meanwhile electron apps put their cache in your .config, I used to manually move it to .cache and symlink it back
.config/Discord/Cache -> .cache/discord
@yarmo +9001%
EVERYTHING should be under $HOME/.config/$APPNAME and never just under $HOME!
Even CLI tools and shells should do that!
keyshooter
Yarmo π
Caesar
Ψ§Ψ¨Ψ±Ψ§ΩΫΩ
Fahad
grin
Joel 
Paul Wilde 
:dontpanic_nobg:
Jackie Jude
Ryuno-Ki
rugk
censored for βtransphobiaβ
FoolishOwl
karsonπ
Alexey
Fabianγγγ‘γγ’γ³γπ³οΈβπ
Nordern
Snail
Cleo Menezes Jr. π΅
Tykayn
nm0i
Thomas Touhey
ruffy
π» Feufochmar
Claudius (legacy account)
aeva
Aral Balkan
Mr. Teatime
Yurii Kadirov πΊπ¦
Antanicus
Giovanni ZL2GX
Fish Id Wardrobe
Dhruva Sambrani(Tech)
Digitual 
stupidgenius
Dominic
UnkleBonehead
armin
Stuart Langridge
DaVince
Cysio 
β
razze
David Herzog
redstrate
Matthijs De Smedt
Austin Nunn 
π³οΈβππ
Gen X-Wing
Generic Person
Siguza
Peter Lacey-Bordeaux
Kevin Karhan 