alice.bsky.sh.web.brid.gy
Uncovering a Privacy Vulnerability in the Community Archive: Exposure of Twitter Circle Tweets
The Community Archive, described as "An open database and API anyone can build on," currently hosts "5.5M tweets and 11.0M liked tweets contributed from 246 accounts." As an advocate for open data, I appreciate the project's potential, especially its collection of tweet archives from many great posters. However, I recently identified a significant vulnerability: the unintended public exposure of Twitter Circle tweets—messages intended for a limited audience.

## Discovery of the Vulnerability

**February 17, 2025**: Before uploading my own Twitter archive to the project, I wanted to make sure that Circle tweets were appropriately filtered. There were none. I contacted the project creator, Xiq, for clarification.

**February 19, 2025**: He responded and said he had previously spot-checked his tweets and found no Circle tweets in the archives, assuming they were excluded by default.

**February 20, 2025**: Using the Archive's Advanced Search feature, I discovered many Circle tweets from several users fairly quickly, confirming the vulnerability, and disclosed it to Xiq. _Examples have been identified but are withheld here to protect user privacy._

Further investigation revealed that **Circle tweets lack identifiable markers in Twitter archives**, which makes it hard-to-impossible to filter them.

## Timeline of Disclosure

**February 20, 2025**: Reported the issue to Xiq, detailing the vulnerability and its potential impact. He acknowledged the issue, indicating a need for time to assess before making an announcement.

**March 4, 2025**: Followed up with him; he mentioned progress in identifying affected tweets and efforts to determine if they were Circle tweets.

**March 9, 2025**: He reported a potential solution using the syndication API, estimating a 90-hour process to check 1,000 tweets every 15 minutes, as well as a plan to protect users in the future.

**March 13, 2025**: Requested a status update; no response received.

**March 17, 2025**: Verified that Circle tweets remain publicly accessible in the Community Archive and contacted Xiq again. I set a firm 48-hour deadline for public disclosure and emphasized the urgency. About 9 hours after that, he sent out an email to users outlining some measures: disabling access to the affected dates in the archive (**not quite; see below**) and disabling downloads of the raw JSON archives (**note: this doesn't appear to have fully happened and people can still download them from the website**).

The affected dates are also wrong: Twitter started testing Circles on May 3, 2022 and finished rolling it out for everyone on August 30, 2022 (https://blog.x.com/en_us/topics/product/2022/introducing-twitter-circle-new-way-tweet-smaller-crowd). While Twitter officially shut down Circles on Oct 31, 2023, there was a workaround to post new ones for another week or two perhaps, and even as of today, per my testing, you can still post new replies to existing Circle tweets. These are definitely edge cases, but cases nonetheless.

## Current Status

As of **March 18, 2025, 2:16 AM GMT**, you can still see some Circle tweets posted before August 2023 in the Community Archive and (potentially) after the official shutdown; and you can still download people's raw archives from the website. Presumably both of these will be patched soon, however I'm unwilling to wait any longer on this.

## Potential Impact — serious privacy risks

Unauthorized Access: Private Circle tweets are accessible publicly, violating user expectations of confidentiality. The irony that Twitter shut down Circles after they started leaking twice is not lost on me.

Data Exploitation: The exposed tweets could be misused, leading to personal or professional repercussions for affected people.

## Recommendations for Affected Users

If you've uploaded your archive previously, **delete it immediately** until this issue is fully fixed. If you haven't uploaded it yet, I strongly advise you **not to do so** at this time.

## Final Thoughts

These issues matter. Privacy matters—and it should always take precedence over convenience, especially when handling sensitive data. While I'm glad some steps have finally been taken, several remain incomplete, and at this stage, keeping users in the dark only increases potential harm. If anything, I regret not publicly posting about this sooner; well-intentioned delays only compound the risk.
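Two facts in the post combine into the pre-upload check it describes wanting: the archive carries no marker for Circle tweets, but the dates in which a Circle tweet could exist are known. The Go program below is an added example, not code from the post or from the Community Archive. It assumes the layout of a Twitter archive's `data/tweets.js` (a `window.YTD.tweets.part0 = [...]` prefix, `created_at` in Twitter's Ruby-style date format, and `in_reply_to_status_id_str` present only on replies), uses the dates stated in the post, and assumes a two-week grace period after the October 31, 2023 shutdown because the post only says "a week or two". Replies are flagged regardless of the end date, since the post notes that replies to existing Circle tweets can still be posted. The sample archive is constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// archiveTweet mirrors the subset of a data/tweets.js entry this triage
// needs; the field names are the ones Twitter exports (assumed here), and
// encoding/json ignores everything else.
type archiveTweet struct {
	Tweet struct {
		IDStr             string `json:"id_str"`
		CreatedAt         string `json:"created_at"`
		FullText          string `json:"full_text"`
		InReplyToStatusID string `json:"in_reply_to_status_id_str"` // set on replies only
	} `json:"tweet"`
}

// Flagged is one tweet that needs a human look before the archive is uploaded.
type Flagged struct {
	ID      string
	Created time.Time
	Reply   bool
	Text    string
}

// CircleWindow bounds when a tweet could have been a Circle tweet. Replies
// are not bounded by End, since replies to existing Circle tweets can still
// be posted after the feature was shut down.
type CircleWindow struct {
	Start, End time.Time
}

// DefaultCircleWindow uses the dates from the post: testing began 3 May 2022
// and the official shutdown was 31 Oct 2023. The post only says new Circle
// tweets were possible for "a week or two" afterwards, so the two-week grace
// period is an assumption made here.
func DefaultCircleWindow() CircleWindow {
	return CircleWindow{
		Start: time.Date(2022, time.May, 3, 0, 0, 0, 0, time.UTC),
		End:   time.Date(2023, time.October, 31, 0, 0, 0, 0, time.UTC).AddDate(0, 0, 14),
	}
}

// stripYTDPrefix turns "window.YTD.tweets.part0 = [ ... ]" into "[ ... ]".
func stripYTDPrefix(js []byte) ([]byte, error) {
	i := bytes.IndexByte(js, '[')
	if i < 0 {
		return nil, errors.New("tweets.js: no JSON array found")
	}
	return js[i:], nil
}

// FlagCircleEra parses a tweets.js blob and returns every tweet posted inside
// the window, plus every reply posted after it. It cannot tell a Circle tweet
// from a public one (the archive carries no marker); it only narrows the set
// that must be checked by other means before upload.
func FlagCircleEra(js []byte, w CircleWindow) ([]Flagged, error) {
	body, err := stripYTDPrefix(js)
	if err != nil {
		return nil, err
	}
	var entries []archiveTweet
	if err := json.Unmarshal(body, &entries); err != nil {
		return nil, fmt.Errorf("tweets.js: %w", err)
	}
	var out []Flagged
	for _, e := range entries {
		t := e.Tweet
		// Twitter's created_at ("Thu Sep 01 09:30:00 +0000 2022") is Go's RubyDate layout.
		created, err := time.Parse(time.RubyDate, t.CreatedAt)
		if err != nil {
			return nil, fmt.Errorf("tweet %s: bad created_at %q: %w", t.IDStr, t.CreatedAt, err)
		}
		if created.Before(w.Start) {
			continue
		}
		isReply := t.InReplyToStatusID != ""
		if created.After(w.End) && !isReply {
			continue
		}
		out = append(out, Flagged{ID: t.IDStr, Created: created, Reply: isReply, Text: t.FullText})
	}
	return out, nil
}

// sampleTweetsJS is a constructed stand-in for data/tweets.js, not real data.
var sampleTweetsJS = []byte(`window.YTD.tweets.part0 = [
  {"tweet": {"id_str": "1", "created_at": "Sat Jan 01 12:00:00 +0000 2022", "full_text": "before Circles existed"}},
  {"tweet": {"id_str": "2", "created_at": "Thu Sep 01 09:30:00 +0000 2022", "full_text": "might be a Circle tweet"}},
  {"tweet": {"id_str": "3", "created_at": "Fri Mar 01 08:00:00 +0000 2024", "full_text": "plain post after shutdown"}},
  {"tweet": {"id_str": "4", "created_at": "Fri Mar 01 08:05:00 +0000 2024", "full_text": "reply after shutdown", "in_reply_to_status_id_str": "2"}}
]`)

func main() {
	flagged, err := FlagCircleEra(sampleTweetsJS, DefaultCircleWindow())
	if err != nil {
		panic(err)
	}
	for _, f := range flagged {
		fmt.Printf("review %s (%s, reply=%v): %q\n", f.ID, f.Created.Format("2006-01-02"), f.Reply, f.Text)
	}
}
```

On the constructed sample this flags tweet 2 (inside the window) and tweet 4 (a reply after the window) and leaves 1 and 3 alone. The point of the design is that the filter errs toward review: because the archive itself cannot distinguish a Circle tweet, anything it flags still has to be confirmed some other way (or simply withheld) before the archive is handed to a public index.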
alice.bsky.sh
March 26, 2025 at 7:03 PM
How to self-host all of Bluesky except the AppView (for now)
Did you know? You can self-host and/or mirror almost all of Bluesky's infrastructure today!

> This article assumes familiarity with the architecture of Bluesky, general *nix knowledge and basic knowledge of TypeScript, Go and Rust toolchains

## PDS

The most obvious one: having your own PDS and owning your data. You can find the GitHub repository with instructions here; you can migrate your existing account with the GOAT tool, for which Bryan Newbold has written an excellent howto post.

## Relay

Bryan has a great blog post on how to set up your own Relay right here. Things have grown since, so make sure you have at least ~4.5 TB of disk space (maybe more). Two important comments, not in the post: make sure to use the `--disk-persister-dir=/data/events` flag as well as enable compaction.

## Jetstream

Jetstream is like having your own Relay firehose, but uses a fraction of the bandwidth and storage, and gives you friendly JSON instead of CBOR-encoded MST blocks. After cloning the GitHub repository, you can either use the included `docker-compose.yaml` with `make up` or build it directly with `make build` and use your favorite keep-this-process-running-pretty-please tool (systemd, pm2 etc.). Don't forget to take a look at the available CLI arguments/env variables, which let you do things like change the default retention (24 hours) or override the Firehose cursor and backfill it with 3 days of data, which is what's available from the official relays.

## plc.directory mirror

To get a mirror of plc.directory, with almost all users on Bluesky (they do support did:web, but they are few and far between), clone str4d's `plc` repo, switch to the `mirror` branch, run `cargo run --features mirror -- mirror run mirror.db`, then sit back and wait 5-10 hours. Once it's done and up-to-date, you have a full replica in a neat sqlite3 DB. You can monitor its status with something like `watch -n60 'sqlite3 mirror.db "select count(*) from identity;"'` in a tmux pane.
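Running Jetstream is the easy half; the consumer on the other end of the websocket has to do three things right or the retention and backfill settings above buy you nothing: push the collection filter to the server so unwanted records never cross the wire, remember a cursor so a reconnect resumes where it stopped, and treat replayed events as duplicates. The Go program below is an added example of that consumer-side logic, not code from the Jetstream repository. It assumes the Jetstream wire format as documented there: a `/subscribe` websocket endpoint taking `wantedCollections` and `cursor` (unix microseconds) query parameters, and JSON messages carrying `did`, `time_us`, `kind` (`commit`, `identity`, `account`) and, for commits, `commit.operation`, `commit.collection`, `commit.rkey`, `commit.record` and `commit.cid`. The host name `jetstream.example` stands in for your own instance, and the frames fed to it are constructed, not captured.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strconv"
)

// Event is the Jetstream message envelope (field names assumed from the
// Jetstream docs; check them against the version you run).
type Event struct {
	DID    string  `json:"did"`
	TimeUS int64   `json:"time_us"` // unix microseconds; doubles as the cursor
	Kind   string  `json:"kind"`    // "commit", "identity" or "account"
	Commit *Commit `json:"commit,omitempty"`
}

// Commit is the body of a kind=commit event.
type Commit struct {
	Rev        string          `json:"rev"`
	Operation  string          `json:"operation"` // "create", "update" or "delete"
	Collection string          `json:"collection"`
	RKey       string          `json:"rkey"`
	Record     json.RawMessage `json:"record,omitempty"` // absent on delete
	CID        string          `json:"cid,omitempty"`
}

// Consumer filters events and remembers where it got to, so that a reconnect
// resumes from Cursor instead of replaying the whole retention window.
type Consumer struct {
	wanted []string        // collections to keep, in a stable order
	want   map[string]bool // same set, for lookups
	Cursor int64           // time_us of the last handled event
	Counts map[string]int  // handled events per collection/operation or kind
}

func NewConsumer(collections ...string) *Consumer {
	c := &Consumer{want: map[string]bool{}, Counts: map[string]int{}}
	for _, col := range collections {
		c.wanted = append(c.wanted, col)
		c.want[col] = true
	}
	return c
}

// SubscribeURL pushes the collection filter to the server and resumes from
// Cursor when one is set; without a cursor Jetstream live-tails.
func (c *Consumer) SubscribeURL(base string) string {
	q := url.Values{}
	for _, col := range c.wanted {
		q.Add("wantedCollections", col)
	}
	if c.Cursor > 0 {
		q.Set("cursor", strconv.FormatInt(c.Cursor, 10))
	}
	return base + "/subscribe?" + q.Encode()
}

// Handle processes one websocket text frame and reports whether it passed
// the filter. The cursor advances only after the event is handled, so a
// crash mid-event causes a replay rather than a gap.
func (c *Consumer) Handle(frame []byte) (bool, error) {
	var ev Event
	if err := json.Unmarshal(frame, &ev); err != nil {
		return false, fmt.Errorf("jetstream: undecodable frame: %w", err)
	}
	// After a resume the server may replay the event at the cursor itself;
	// anything at or before what we already handled is a duplicate.
	if c.Cursor > 0 && ev.TimeUS <= c.Cursor {
		return false, nil
	}
	kept := false
	switch ev.Kind {
	case "commit":
		if ev.Commit == nil {
			return false, fmt.Errorf("jetstream: commit event %d has no commit body", ev.TimeUS)
		}
		if len(c.want) == 0 || c.want[ev.Commit.Collection] {
			c.Counts[ev.Commit.Collection+"/"+ev.Commit.Operation]++
			kept = true
		}
	case "identity", "account":
		// Handle/DID changes and account status changes (e.g. deactivation)
		// matter even to collection-filtered consumers: they tell you to
		// refresh or drop whatever you cached for that DID.
		c.Counts[ev.Kind]++
		kept = true
	}
	// Unknown kinds are skipped but still move the cursor forward.
	c.Cursor = ev.TimeUS
	return kept, nil
}

// sampleFrames are constructed frames in the assumed wire format, not a real
// capture; the last one replays an already-handled event.
var sampleFrames = []string{
	`{"did":"did:plc:example1","time_us":1725911162329308,"kind":"commit","commit":{"rev":"3l3qo2vutsw2b","operation":"create","collection":"app.bsky.feed.post","rkey":"3l3qo2vuowo2b","record":{"$type":"app.bsky.feed.post","text":"hello","createdAt":"2024-09-09T19:46:02.102Z"},"cid":"bafyexample"}}`,
	`{"did":"did:plc:example1","time_us":1725911162329309,"kind":"commit","commit":{"rev":"3l3qo2vutsw2c","operation":"create","collection":"app.bsky.feed.like","rkey":"3l3qo2vuowo2c","record":{"$type":"app.bsky.feed.like"},"cid":"bafyexample2"}}`,
	`{"did":"did:plc:example2","time_us":1725911162329310,"kind":"identity","identity":{"did":"did:plc:example2","handle":"someone.example","seq":1,"time":"2024-09-09T19:46:02.102Z"}}`,
	`{"did":"did:plc:example1","time_us":1725911162329308,"kind":"commit","commit":{"rev":"3l3qo2vutsw2b","operation":"create","collection":"app.bsky.feed.post","rkey":"3l3qo2vuowo2b","record":{"$type":"app.bsky.feed.post","text":"hello"},"cid":"bafyexample"}}`,
}

func main() {
	c := NewConsumer("app.bsky.feed.post")
	for _, f := range sampleFrames {
		kept, err := c.Handle([]byte(f))
		if err != nil {
			panic(err)
		}
		fmt.Printf("kept=%v cursor=%d\n", kept, c.Cursor)
	}
	fmt.Println("resume with:", c.SubscribeURL("wss://jetstream.example"))
}
```

Persist `Cursor` (a file or a row in your database is enough) every few seconds and after a clean shutdown; on restart, feed it back through `SubscribeURL`. A cursor older than the instance's retention, or an absent one, gets you a live tail with a gap, which is exactly the failure mode the retention and backfill flags above exist to bound.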
## The official web/mobile app, also known as `social-app`

Clone the repo, run `yarn && yarn web`, and you have a fully-functional copy of it in mere minutes that you can modify to your heart's desire. Doing this on mobile is a lot more involved and documented here.

## AppView

The elephant in the room is, of course, running your own Bluesky AppView. If you're interested, DM me on Bluesky to join my working group to make it happen!
alice.bsky.sh
January 28, 2025 at 7:02 PM
Linux (Arch/EndeavourOS) on the ThinkPad X1 Nano Gen 1
# Intro

I'm obsessed with small and light computers. I'm also a happy Mac user for about a decade and a half now, and I badly wish Apple would make a new 12" MacBook with an M3 chip. That's not likely to happen, so I found a fairly cheap (£390; battery at 83%) ThinkPad X1 Nano Gen 1, which is a true featherweight at 907 g/1.99 lbs.

Quick specs: i5-1130G7, 16 GB RAM, 13" 2160x1350 screen, 512 GB SSD (upgradeable M.2 2242).

It's a pretty okay laptop. The screen is bright (450 nits), the keyboard has a shorter travel than most modern ThinkPad keyboards, and this is good. The trackpad is surprisingly decent for a non-Mac under Linux (really bad on Windows). The speakers are terrible. It also gets hot but the fans are fairly quiet. Performance is better than expected, getting 1910 (Single-Core) and 6288 (Multi-Core) under Geekbench 6 when set to Performance, though it should be noted it gets throttled after a while. Will it replace my 14" M1 Pro MBP as my primary laptop? No, but it's useful for all kinds of other things.

It's been a while since I tried any sort of desktop Linux. Since I'm trans I was only allowed to install either Arch or NixOS. I don't have the Nix kind of gender dysphoria so Arch it was. This post is partly a note to self, but others may benefit from it as well.

# Getting started

I'm a Debian girl. If I can, I use that where possible. I've briefly used Arch when playing around with the Steam Deck but that was about that. I naively thought I'd get a simple Live CD for Arch to install but quickly learned Arch is for ricers. Off I went to find some batteries included and settled on EndeavourOS (EOS). (I also installed Windows 11 on the laptop; that may be for another post.)

#### An aside: Ventoy

> The easiest way to play around with different ISOs in 2024 is Ventoy, which is up there on the list of delightful technologies next to Tailscale and a few others.

It installs itself into a UEFI partition on a flash drive; afterwards you can simply copy arbitrary ISOs onto it, no need to mess around with anything else. It's so pleasant to use, and it has nice defaults such as automatically disabling the Secure Boot requirements for Windows 11 and other tweaks.

Anywho, after booting off the EOS Live CD—let's reflect for a moment that we're still calling them Live CDs—I set the scaling to 150% and installed it. I used XFS for the main partition, as one should; I read a blog about this that I can't find right now. I installed KDE as my main DE as it's the only one that has any sort of half-decent fractional scaling support, and this laptop definitely needs that.

# Interlude: dual booting

The best way to dual boot it with Windows 11 is to install that first; when installing, make a larger UEFI boot volume and leave free space for Linux at the end of the partition table. If you did everything right (which I didn't the first time) then dual boot _should_ work with `systemd-boot`. You should **not** use grub2 in 2024 unless you like waiting minutes for it to unlock your LUKS-encrypted root partition or compromising on security.

# The main setup

We have `pacman` of course, though it took me a while to get used to its somewhat arcane syntax. EOS also ships with `yay`, which lets you easily install things from the AUR (Arch User Repository), from which you can install a whole lot of things not found in the official Arch repos.
Let's install a whole lot of things:

```sh
sudo pacman -Syu alsa-firmware alsa-utils bfs btop clang cmake core/dbus-daemon-units direnv exa fprintd github-cli htop krdp libfprint llvm perl-file-mimeinfo sof-firmware tree ttf-nerd-fonts-symbols-mono zsh
yay -Syu 1password caprine chafa discord fastfetch flatpak fnm gimp google-chrome irccloud lib32-gnutls mpv mullvad-vpn raindrop rbenv-latest ruby-build signal-desktop-beta slack-desktop spotify sublime-text-4 telegram-desktop transmission-qt wine wine-gecko wine-mono winetricks xfconf
```

There, much better. `yay` is a bit annoying because you'll have to press enter a lot and sometimes choose something other than the default but overall, not too bad. Now for a bunch of miscellaneous things.

## Audio (getting sound working)

It wouldn't be desktop Linux without sound issues now, would it. This laptop ships with two sets of speakers and a Realtek ALC287 chipset. After a _lot_ of frustration and googling, the magic command you have to run after each reboot is:

```sh
sudo hda-verb /dev/snd/hwC0D0 0x1d SET_PIN_WIDGET_CONTROL 0x0
```

After this, things mostly work, except muting the speakers when plugging in headphones and vice versa.

## Drawing the rest of the owl

#### Rustup

```sh
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```

#### Oh-my-zsh (and essential plugins)

```sh
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting
```

#### Dotfiles

Make sure the default OMZ config doesn't nuke the history file!

```sh
git clone --bare git@github.com:me/dotfiles.git $HOME/.dotfiles
alias dotfiles='/usr/bin/git --git-dir=$HOME/.dotfiles/ --work-tree=$HOME'
rm .ssh/known_hosts && mv ~/.zsh_history ~/.zsh_history_before && dotfiles checkout
```

#### Dropbox

Install with `flatpak` because the AUR version doesn't work well:

```sh
flatpak install flathub com.dropbox.Client
```

#### Github

Log in, add our SSH key:

```sh
gh auth login
```

#### `wl-copy`

To easily copy things to the clipboard from the CLI.

```sh
git clone git@github.com:YaLTeR/wl-clipboard-rs.git
cd wl-clipboard-rs/
cargo install --path .
```

#### Swap into a file

```sh
sudo fallocate -l16G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# -a appends; without it tee would replace the whole of /etc/fstab
echo "/swapfile swap swap defaults 0 0" | sudo tee -a /etc/fstab
sudo swapon --show
free -m
```

#### Download Cursor

From cursor.com, distributed, sadly, as an AppImage.

#### Install WezTerm

From source, the AUR version is old and we want it up-to-date.

```sh
git clone --recursive git@github.com:wez/wezterm.git
cd wezterm
cargo build --release
```

Add it (`target/release/wezterm`) to the KDE Application Launcher by right clicking on the Start button -> Edit Applications...

#### Force Spotify to run under Wayland

Which seems to make it faster too. Add these lines to `~/.config/spotify-flags.conf`:

```
--enable-features=UseOzonePlatform
--ozone-platform=wayland
```

#### Firmware updates

```sh
sudo fwupdmgr update
```

#### `ssh-agent`

Create a `systemd` service at `~/.config/systemd/user/ssh-agent.service`:

```ini
[Unit]
Description=SSH key agent (User service)

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target
```

Then

```sh
systemctl --user enable --now ssh-agent
systemctl --user status ssh-agent
```

The `Environment=` line only sets `SSH_AUTH_SOCK` for the agent process itself; your shell environment also needs `SSH_AUTH_SOCK` set to `$XDG_RUNTIME_DIR/ssh-agent.socket`, or `ssh` and `git` will not find the agent.
alice.bsky.sh
January 25, 2025 at 6:55 PM
Setting up my WhiteWnd
Need to get that first post out of the way.