[[https://mu.se][their website]], Muse is the parent company behind many musical
applications and tools. It was founded by Eugeny Naidenov just days
before it acquired Audacity. Before all of this, Eugeny Naidenov founded
[[https://www.ultimate-guitar.com/][Ultimate Guitar]] (UG) in 1998. The service grew rather quickly and now
has over 300 million users. UG acquired [[https://deanzelinsky.com/][Dean Zelinsky Guitars]] in 2012,
[[http://agilepartners.com/][Agile Partners]] in 2013, [[https://musescore.org/][MuseScore]] in 2017, and [[http://trycrescendo.com/][Crescendo]] in 2018. Muse
Group was established in 2021 and it seems as if all of the services UG
acquired were (or will be) transferred to Muse Group, as well as UG
itself. Immediately following its establishment, Muse not only acquired
I say 30 April because that's when Muse published their [[https://mu.se/newsroom/tpost/6dhedma301-muse-group-acquires-audacity-expanding-c][press release]]
and when Martin Keary (Tantacrul) published a video entitled [[https://www.youtube.com/watch?v=RMWNvwLiXIQ][/I’m now in
charge of Audacity. Seriously./]] According to his comment,[fn:17] Martin
will help with proposing Audacity's roadmap and many of its future
features as well as working with the community. This has been his role
with MuseScore since he joined that project and he will be continuing it
here.
~-----BEGIN PERSONAL OPINION-----~
Looking at [[https://www.martinkeary.com/][his website,]] I also suspect he will play a large role in
redesigning Audacity's interface. Considering that he was instrumental
in designing [[https://www.martinkeary.com/#/ubuntu-touch-os/][the best mobile interface I've ever had the absolute
pleasure of experiencing,]] I have high hopes that this is the case.
~------END PERSONAL OPINION------~
*** Telemetry implementation
**** Implementation Basics
A few days after the acquisition, a PR was opened that adds /Basic
telemetry for the Audacity/. This implementation collects "application
opened" events and sends those to Yandex to estimate the number of
Audacity users. It also collects session start and end events, errors
for debugging, file used for import and export, OS and Audacity
versions, and the use of effects, generators, and analysis tools so they
can prioritise future improvements. Sending this data would be optional
and the user would be presented with a dialogue the first time they
launch the application after installation or after they update to the
including release. This description was mostly copied directly from [[https://github.com/audacity/audacity/pull/835#issue-629891447][the
PR description itself.]]
**** Frontend Implementation
This is fairly straightforward and a pretty standard UI for prompting
users to consent to analytics and crash logging. This section is
included because the community has strong opinions regarding the
language used and its design, but that will be discussed later. The
screenshot below is copied directly from the PR.
[[/assets/pngs/audacity-pr/consentdialogue.png]]
**** Backend Implementation
Many of the code reviews include the reviewer's personal opinion so I
will summarise the comment, provide the code block in question, and link
directly to the comment in a footnote.[fn:9]
#+BEGIN_SRC c
if (!inputFile.Write (wxString::FromUTF8 (ClientID + "\n")))
return false;
#+END_SRC
[[https://github.com/crsib/audacity/blob/c9264d2478fe2af82aeb6e2a0295b00b3a27ce53/libraries/lib-telemetry/TelemetryManager.cpp#L199-L200][Lines 199-200 of TelemetryManager.cpp]] save the user's unique client ID
to a file.[fn:8] This allows the analytics tool (in this case, Google
Analytics) to aggregate data produced by a single user.
#+BEGIN_SRC c
def_vars()
set( CURL_DIR "${_INTDIR}/libcurl" )
set( CURL_TAG "curl-7_76_0")
#+END_SRC
[[https://github.com/crsib/audacity/blob/c9264d2478fe2af82aeb6e2a0295b00b3a27ce53/cmake-proxies/libcurl/CMakeLists.txt#L3-L6][Lines 3-6 of CMakeLists.txt]] "vendor in" libcurl.[fn:10] This is when an
application directly includes sources for a utility rather than making
use utilities provided by the system itself.
#+BEGIN_SRC c
ExternalProject_Add(curl
PREFIX "${CURL_DIR}"
INSTALL_DIR "${CURL_DIR}"
GIT_REPOSITORY https://github.com/curl/curl
GIT_TAG ${CURL_TAG}
GIT_SHALLOW Yes
CMAKE_CACHE_ARGS ${CURL_CMAKE_ARGS}
)
#+END_SRC
[[https://github.com/crsib/audacity/blob/c9264d2478fe2af82aeb6e2a0295b00b3a27ce53/cmake-proxies/libcurl/CMakeLists.txt#L29-L36][Lines 29-36 of CMakeLists.txt]] add curl as a remote dependency.[fn:11]
This means that the machine building Audacity from its source code has
[[https://github.com/crsib/audacity/blob/c9264d2478fe2af82aeb6e2a0295b00b3a27ce53/src/telemetry/TelemetryDialog.cpp#L93-L94][Lines 93-94 of TelemetryDialog.cpp]] add buttons to the dialogue asking
the user whether they consent to data collection.[fn:12]~SetDefault~
focuses the button indicating that the user does consent. This means
that if the user doesn't really look at the dialogue and presses
Spacebar or Enter, or if they do so accidentally by simply bumping the
key, they unintentionally consent to data collection. If the user
desires, this can later be changed in the settings menu. However, if
they weren't aware what they were consenting to /or that they did
consent/, they won't know to go back and opt out.
There are other problems with the code that include [[https://github.com/audacity/audacity/pull/835#discussion_r628816050][simple mistakes,]]
[[https://github.https://github.com/audacity/audacity/pull/835#discussion_r628774985][styling that's inconsistent with the rest of the project,]] [[https://github.com/audacity/audacity/pull/835#discussion_r628500849][unhandled
return values resulting in skewed data,]] [[https://github.com/audacity/audacity/pull/835#discussion_r628792423][use of inappropriate functions,]]
and [[https://github.com/audacity/audacity/pull/835#discussion_r628818054][spelling errors in the comments.]] I believe these are less important
Another issue that was brought up by a couple of individuals was the
lack of a privacy policy.[fn:16] The consent dialogue links to one, but, at the
time of writing, one does not exist at [[https://www.audacityteam.org/contact/privacy-policy/][the provided URL.]] I have [[https://web.archive.org/web/20210510012924/https://www.audacityteam.org/contact/privacy-policy/][archived
the state of the page]] in case that changes in the future.
**** Opinions on the backend
#+BEGIN_SRC c
if (!inputFile.Write (wxString::FromUTF8 (ClientID + "\n")))
return false;
#+END_SRC
The issue many individuals take with this snippet is saving the
~ClientID~. Say an individual has an odd file that causes Audacity to
crash any time they try to open it. Say they attempt to open it a
hundred times. Without giving the client a unique ID, it could look like
there are 100 people having an issue opening a file instead of just the
one. However, by virtue of each installation having an entirely unique
ID, this telemetry /is not anonymous/. Anonymity would be sending
statistics in such a way that connecting those failed attempts to a
single user would be impossible. At best, this implementation is
/pseudonymous/ because the client is given a random ID, you don't have to
sign in with an account or something.
#+BEGIN_SRC c
def_vars()
set( CURL_DIR "${_INTDIR}/libcurl" )
set( CURL_TAG "curl-7_76_0")
#+END_SRC
Timothe Litt's comment gives a good description of why "vendoring in"
libcurl is a bad idea[fn:19] and Tyler True's comment gives a good
overview of the pros and cons of doing so.[fn:18] Many people take issue
with this /specifically/ because it's libcurl. Security flaws in it are
/very/ common and Audacity's copy would need to be /manually/ kept up to
date with every upstream release to ensure none of its vulnerabilities
can be leveraged to compromise users. If the Audacity team was going to
stay on top of all of the security fixes, they would need to release a
new version every week or so.
#+BEGIN_SRC c
ExternalProject_Add(curl
PREFIX "${CURL_DIR}"
INSTALL_DIR "${CURL_DIR}"
GIT_REPOSITORY https://github.com/curl/curl
GIT_TAG ${CURL_TAG}
GIT_SHALLOW Yes
CMAKE_CACHE_ARGS ${CURL_CMAKE_ARGS}
)
#+END_SRC
The problem with downloading curl at build-time is that it's simply
disallowed for many Linux- and BSD-based operation systems. When a
distribution builds an application from source, its build dependencies
are often downloaded ahead of time and, as a security measure, the build
machine is cut off from the internet to prevent any interference.
Because this is disallowed, the build will fail and the application
won't be available on those operation systems.
Note, however, that these build machines would have the option to
disable telemetry at build-time. This means the machine wouldn't attempt
to download curl from GitHub and the build would succeed but, again,
telemetry would be disabled for anyone not on Windows or macOS. This
defeats the whole purpose of adding telemetry in the first place.
devices is likely the [[https://remarkable.com/][reMarkable.]] They had a [[https://venturebeat.com/2019/10/08/remarkable-raises-15-million-to-bring-its-e-paper-tablets-to-more-scribblers/][hugely successful
crowdfunding campaign]] and produced the reMarkable 1, followed by [[https://blog.remarkable.com/remarkable-2-the-next-generation-paper-tablet-91b47d0080cb][the
After watching all of [[https://www.youtube.com/c/MyDeepGuide][MyDeepGuide's]] [[https://www.youtube.com/playlist?list=PLsSI9-gaSSmiXwb7Vjk5Vb-nB41UTnrXd][extensive playlist on the
Before I purchased a Supernote, [[https://old.reddit.com/r/Supernote/comments/lhffyd/sync_targets_open_document_formats_and_crossnote/][I wrote a post]] asking about a couple of
things that concerned me: sync targets, open document formats, and
cross-note links. I don't really plan to write full documents on the
device but having the option to do so would still be nice. The other
features are absolutely killer for me as I would like to maintain a
Zettelkasten (I wrote about [[/vim-as-a-markdown-editor/][using Vim to do so]] last year but didn't end
up sticking with it) and manage document synchronisation with my own
Nextcloud server. The community was quick to respond and confirm that
Zettelkasten functionality would be implemented soon™. u/hex2asc
responded /the day after/ and said that WebDAV would be supported but not
earlier than May (September update: it's still not supported), ODF would
likely not be supported, and cross-note links were definitely a
possibility. Another community member has been avidly following the
The first part of our stack is Nebula, the tool that creates a network
between all of our devices. With traditional VPNs, you have a client
with a persistent connection to a central VPN server and other clients
can communicate with the first by going through that central server.
This works wonderfully in most situations, but there are a lot of
latency and bandwidth restrictions that would make remote support an
unpleasant experience. Instead of this model, what we want is a /mesh/
network, where each client can connect directly to one another /without/
going through a central system and slowing things down. This is where
Nebula comes in.
In Nebula's terminology, clients are referred to as /nodes/ and central
servers are referred to as /lighthouses/, so those are the terms I'll use
going forward.
Mesh networks are usually only possible when dealing with devices that
have static IP addresses. Each node has to know /how/ to connect with the
other nodes; John can't meet up with Bob when Bob moves every other day
without notifying anyone of his new address. This wouldn't be a problem
if Bob phoned Jill and told her where he was moving; John would call
Jill, Jill would tell him where Bob is, and the two would be able to
find each other
With Nebula, nodes are Bob and John and Jill is a lighthouse. Each node
connects to a lighthouse and the lighthouse tells the nodes how to
connect with one another when they ask. It /facilitates/ the P2P
connection then /backs out of the way/ so the two nodes can communicate
directly with each other.
It allows any node to connect with any other node on any network from
anywhere in the world, as long as one lighthouse is accessible that
knows the connection details for both peers.
**** Getting started
The /best/ resource is [[https://github.com/slackhq/nebula][the official documentation,]] but I'll describe the
process here as well.
After [[https://github.com/slackhq/nebula#1-the-nebula-binaries-or-distribution-packages-for-your-specific-platform-specifically-youll-need-nebula-cert-and-the-specific-nebula-binary-for-each-platform-you-use][installing the required packages,]] make sure you have a VPS with a
static IP address to use as a lighthouse. If you want something dirt
cheap, I would recommend one of the small plans from [[https://buyvm.net][BuyVM.]] I do have a
[[https://my.frantech.ca/aff.php?aff=3783][referral link]] if you want them to kick me a few dollars for your
purchase. [[https://www.hetzner.com/cloud][Hetzner]] (referral: ~ckGrk4J45WdN~) or [[https://www.netcup.eu/][netcup]] (referral:
~36nc15758387844~) would also be very good options; I've used them all and
am very comfortable recommending them.
**** Creating a Certificate Authority
After picking a device with a static IP address, it needs to be set up
as a lighthouse. This is done by first creating a Certificate Authority
(CA) that will be used for signing keys and certificates that allow our
other devices into the network. The ~.key~ file produced by the following
command is incredibly sensitive; with it, anyone can authorise a new
device and give it access to your network. Store it in a safe,
preferably encrypted location.
#+BEGIN_SRC bash
nebula-cert ca -name "nebula.example.com"
#+END_SRC
I'll explain why we used a Fully-Qualified Domain Name (FQDN) as the
CA's name in a later section. If you have your own domain, feel free to
use that instead; it doesn't really matter what domain is used as long
as the format is valid.
**** Generating lighthouse credentials
Now that we have the CA's ~.crt~ and ~.key~ files, we can create and sign
The next step is creating our lighthouse's config file. The reference
config can be found in [[https://github.com/slackhq/nebula/blob/master/examples/config.yml][Nebula's repo.]] We only need to change a few of
the lines for the lighthouse to work properly. If I don't mention a
specific section here, I've left the default values.
The section below is where we'll define certificates and keys. ~ca.crt~
will remain ~ca.crt~ when we copy it over but I like to leave the node's
cert and key files named as they were when generated; this makes it easy
to identify nodes by their configs. Once we copy everything over to the
server, we'll add the proper paths to the ~cert~ and ~key~ fields.
#+BEGIN_SRC yaml
pki:
ca: /etc/nebula/ca.crt
cert: /etc/nebula/
key: /etc/nebula/
#+END_SRC
The next section is for identifying and mapping your lighthouses. This
needs to be present in /all/ of the configs on /all/ nodes, otherwise they
won't know how to reach the lighthouses and will never actually join the
network. Make sure you replace ~XX.XX.XX.XX~ with whatever your VPS's
public IP address is. If you've used a different private network range,
those changes need to be reflected here as well.
#+BEGIN_SRC yaml
static_host_map:
"192.168.100.1": ["XX.XX.XX.XX:4242"]
#+END_SRC
Below, we're specifying how the node should behave. It is a lighthouse,
it should answer DNS requests, the DNS server should listen on all
interfaces on port 53, it sends its IP address to lighthouses every 60
seconds (this option doesn't actually have any effect when ~am_lighthouse~
is set to ~true~ though), and this lighthouse should not send reports to
other lighthouses. The bit about DNS will be discussed later.
#+BEGIN_SRC yaml
lighthouse:
am_lighthouse: true
serve_dns: true
dns:
host: 0.0.0.0
port: 53
interval: 60
hosts:
#+END_SRC
The next bit is about [[https://en.wikipedia.org/wiki/Hole_punching_%28networking%29][hole punching]], also called /NAT punching/, /NAT
busting/, and a few other variations. Make sure you read the comments for
better explanations than I'll give here. ~punch: true~ enables hole
punching. I also like to enable ~respond~ just in case nodes are on
particularly troublesome networks; because we're using this as a support
system, we have no idea what networks our nodes will actually be
connected to. We want to make sure devices are available no matter where
they are.
#+BEGIN_SRC yaml
punchy:
punch: true
respond: true
delay: 1s
#+END_SRC
~cipher~ is a big one. The value /must/ be identical on /all/ nodes /and/
lighthouses. ~chachapoly~ is more compatible so it's used by default. The
devices /I/ want to connect to are all x86 Linux, so I can switch to ~aes~
and benefit from [[https://www.reddit.com/r/networking/comments/iksyuu/comment/g3ra5cv/?utm_source=share&utm_medium=web2x&context=3][a small performance boost.]] Unless you know /for sure/
that you won't need to work with /anything/ else, I recommend leaving it
set to ~chachapoly~.
#+BEGIN_SRC yaml
cipher: chachapoly
#+END_SRC
The last bit I modify is the firewall section. I leave most everything
default but /remove/ the bits after ~port: 443~. I don't /need/ the ~laptop~ and
~home~ groups (groups will be explained later) to access port ~443~ on this
node, so I shouldn't include the statement. If you have different needs,
take a look at the comment explaining how the firewall portion works and
make those changes.
Again, I /remove/ the following bit from the config.
#+BEGIN_SRC yaml
- port: 443
proto: tcp
groups:
- laptop
- home
#+END_SRC
**** Setting the lighthouse up
We've got the config, the certificates, and the keys. Now we're ready to
actually set it up. After SSHing into the server, grab the [[https://github.com/slackhq/nebula/releases/latest][latest
release of Nebula for your platform,]] unpack it, make the ~nebula~ binary
executable, then move it to ~/usr/local/bin~ (or some other location
[fn:19] [[https://github.com/audacity/audacity/pull/835#issuecomment-834451187][Link to the comment]] and [[/assets/pngs/audacity-pr/privatelibcurl.png][link to the screenshot]]
[fn:18] [[https://github.com/audacity/audacity/pull/835#issuecomment-834010117][Link to the comment]] and [[/assets/pngs/audacity-pr/vendorproscons.png][link to the screenshot]]
[fn:17] [[https://github.com/audacity/audacity/pull/835#issuecomment-836069326][Link to the comment]] and [[/assets/pngs/audacity-pr/tantacrulrole.png][link to the screenshot]]
[fn:16] [[https://github.com/audacity/audacity/pull/835#discussion_r627762185][Link to the comment]] and [[/assets/pngs/audacity-pr/missingprivacypolicy.png][link to the screenshot]]
[fn:15] [[https://github.com/audacity/audacity/pull/835#issuecomment-834286641][Link to the comment]] and [[/assets/pngs/audacity-pr/darkpattern.png][link to the screenshot]]
[fn:14] [[https://github.com/audacity/audacity/pull/835#discussion_r627764300][Link to the comment]] and the screenshot is the same as previous
[fn:13] [[https://github.com/audacity/audacity/pull/835#discussion_r627756976][Link to the comment]] and [[/assets/pngs/audacity-pr/vaguedialogue.png][link to the screenshot]]
[fn:12] [[https://github.com/audacity/audacity/pull/835#discussion_r628124998][Link to the review]] and [[/assets/pngs/audacity-pr/defaultconsentbutton.png][link to the screenshot]]
[fn:11] [[https://github.com/audacity/audacity/pull/835#discussion_r628008821][Link to the review]] and [[/assets/pngs/audacity-pr/externaldependency.png][link to the screenshot]]
[fn:10] [[https://github.com/audacity/audacity/pull/835#discussion_r628005925][Link to the review]] and [[/assets/pngs/audacity-pr/vendorcurl.png][link to the screenshot]]
[fn:9] Note that because I am not a C programmer, these reviews might
not be entirely accurate and I wouldn't be able to catch the reviewer's
error. I am relying on other community members to catch issues and
comment on them; none of the reviews I link to have such comments so I'm
assuming they are correct.
[fn:8] [[https://github.com/audacity/audacity/pull/835#discussion_r627993755][Link to the review]] and [[/assets/pngs/audacity-pr/writeanalyticsid.png][link to the screenshot]]
[fn:7] /Optical Character Recognition/: the program looks at your
handwriting and tries to turn it into text.
[fn:6] In this situation, latency refers to how long it takes for "ink"
[fn:3]Taken from their [[https://support.remarkable.com/hc/en-us/articles/360006699537-About-reMarkable-2-][support page about the reMarkable 2;]] search the