Kind reposts

I wrote this ⬆️ a few years ago. As the fallout from the #XZ hack reverberates, expect to see people calling for a "real name" policy for contributors to critical infrastructure. But, as I explain, there are several practical problems with that. https://shkspr.mobi/blog/2021/02/whats-my-name-again/ That's before we get to the ethical and privacy issues. Oh, and making it *easier* for attackers to target named individuals.

Maintenance is more important than innovation. This xz debacle is a symptom of a system that prioritizes lots of things above maintenance. Take this as a reminder to rest, to mend things & pay attention to what needs mending in yourself. Do the radical thing of working slowly and making all things more whole.

Personally, I’d rather celebrate a day about real living people than a fictitious magic zombie.

Attached: 1 image This text is not something we wrote in a rush this morning to meet the moment. We've had variations on this on our site from day 1. I believed it then and I believe it now.

people are saying the xz backdoor is likely the work of a nation state actor, and given that it appears to been slow rolled for a couple of years and immediately became obsolete before it was fully launched - you do have to admit it bears the hallmarks of a government IT project

New blogpost: _**[It is about trust, not software](https://neilzone.co.uk/2024-03-30-it-is-about-trust-not-software.html)**_ My reflections on the `xz` situation. > This isn't about software, it's about trust, and trust, especially *digital* trust, is easy to misplace...

"open source needs more funding!" *nation state pays for backdoor* "not like that!"

I know nobody wants to admit it, but security shit shows like heartbleed, log4shell, or xzgate are kinda exciting times to live thru. 🤓 Also I’m afraid it’s the only way to prove the problems we’ve been droning about for years are real and not made up by greedy maintainers.

My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanti...

Attached: 1 image @bob

@0xabad1dea@infosec.exchange that's a warning to malware state actors - do not get between a db guy and performance. They will fuck you up.

my only contribution to the xz discourse: absolutely none of the supply chain stuff we're currently doing, including the things i like, would have stopped this. the only things that can stop this are (1) compulsively treating all code as untrusted, and (2) way, way stronger capability checks and restrictions in running systems. (1) is economically infeasible (the world runs on free labor from OSS), and (2) has had only very limited practical success.

Random, unordered, probably useless thoughts on today's apocalypxze... Part of the success in getting this into Debian may be the result of there being no xz maintainer there. It is "maintained" ...

@glyph @eb@social.coop I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."

@eb@social.coop I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html

Attached: 1 image #xz #CVE #cve20243094 #Linux

It’s not surprising that a major security vulnerability is once again caused by maintainer burnout and someone stepping in to take over. We’ve all been talking about that risk for years. Sadly it’s also unsurprising that OSS teams still are going to need to plead with management to stay funded, and paid OSS maintainers will still do unpaid overtime to work with volunteers. 🙃.

Love to see forks emerge when a company gets greedy and transitions to source-available after years of accepting third party contributions and establishing market share under an open source license.

Hey, with people in the news getting sentenced to prison, facing the possibility of prison time, etc., just a reminder: it is not desirable, nor funny, that violence in prison (including sexual violence), be a part of someone's punishment. Even people you really, really do not like who have done really super bad things. It is to the United State's shame that violence in prison is part of our carceral system, and we should not celebrate it, ever. We should seek to eliminate it.

Attached: 1 image Going to need slightly bigger [truth table](https://en.wikipedia.org/wiki/Truth_table)... :calculator:

Hey everyone! #vultr just enshittified! They re claiming ownership of all intellectual property you host on their VMs. https://grimgreenfo.rest/notes/9rdle0uyo4d30029 Clear violation of copyright law. So, where are people moving to? What options are out there? that suck less?

I feel like subscriptions have generally made software quality worse. There was an argument that having to make paid upgrades to generate revenue to pay salaries put pressure on companies to change things that didn’t need changing, just to get that upgrade money, and subs reflected the holistic task of careful maintenance better. But in practice what’s often happened is the subscription props up bad decisions on product direction, because subs have to keep paying either way.

@noracodes@tenforward.social IMHO you should pay for open source if you are making a profit on it. Lots of companies are reselling proprietary software and are paying for licenses without having specific feature wishes for the software, they just pay for the maintenance.

"Vendor lock-in"? They wish. All these vendors are locked in here with ME.

Can web designers PLEASE STOP with the thing where the bulk of the website loads first and then things on the top load last so you invariable end up clicking on something you didn't mean to

@aral@mastodon.ar.al My little lad had a bad leukaemia when he was 20 months - in 2002. He had care at Great Ormond St - I calculated at the time (I’m an accountant) at somewhere between £250k and £500k, entirely free to us. And he lived. The US families sometimes didn’t fare so well. After they’d drained all insurance & resources their kids often died of something entirely treatable. Folks need to think very hard before voting for either #Tories or #Labour. @nhsactivistrn

Source Available != Open Source That's not an opinion. If it's SSPL, BUSL, etc., it's categorically not "open source" according to the Open Source Definition.

I’ll let you in on a secret: I love sporadically updated weblogs. I subscribe to over 1200 feeds and most of them are sporadic or even technically “inactive”. Months often pass between updates It means that every post published was important to the writer Back in the days of snail mail, letters that began with “It’s been a while since I last wrote to you” were the ones people cherished the most You don’t need to post every day or even every week to have a blog that matters

$1 million budget: 90% test coverage, comprehensive DevOps pipeline, all work rooted in user research, delivery every two weeks, all code in an open repo. $300 million budget: No tests, no CI/CD, no user research, delivery on an annual cadence, code is a secret because it's a trash fire.

Attached: 1 image

Remember folks. When VC is funding Corporation that releases a Open Source project its only a matter of time until they take it back. Their goal is to get their product embedded into your organization and abuse you for free work in the hopes they can eventually sell their corporation and cash out. Its always good for them, and rarely good for you.

Attached: 1 image @msw@mstdn.social Urgh what a miserable diff

If you're using Glassdoor, stop right now and delete your account. This company just made it completely clear it can't be trusted. Read this from @arstechnica https://arstechnica.com/tech-policy/2024/03/glassdoor-adding-users-real-names-job-info-to-profiles-without-consent/

It’s Long COVID Awareness Day. An estimated 65 million people suffer from it globally. Remember that the risk of long-term health issues in multiple organs increases after each infection, even if your …

Attached: 1 image Ok I’m doin the thread I said I wanted to do last week. (feel free to mute unless you enjoy a little second-hand drama as a Monday morning treat) Attn #devrel people! Are you job hunting? Does this pic of search results look familiar? Have you ever seen a bunch of job postings like this from Canonical and thought “gee I should apply to one of these”? I’m here to tell you: IT’S A TRAP! 🧵

Hot take: if I can say "they just tested positive" and you don't have to ask "for what?" then the pandemic isn't over.

Attached: 1 image

Attached: 1 image Putting framed quotes meant for the kitchen in the bathroom.

Radical salary transparency FTW? https://youtu.be/Bzmu5bcR3HQ?si=xcfkyVopAxahSMdh via @changelog@changelog.social @www.jvt.me@www.jvt.me

@JamieTanna talks about his decision to share his salary publicly on the "Changelog & Friends" podcast. Full audio 👉 https://changelog.com/friends/31Subscri...

Please don't call it FOMO: please call it ODARA (Organizers Didn't Allow Remote Attendance).

Who called it “intellectual property problems around the acquisition of training data for Large Language Models” and not Grand Theft ̶A̶u̶t̶o̶c̶o̶r̶r̶e̶c̶t̶ Autocomplete?

Y’all realize everyone in Helpdesk at your job can just import your browser cookies into their machine remotely and browse your Facebook at their leisure, right? Like, you understand what Administrator means? It means unquestioned god from anywhere. It’s not your machine IT’S THEIRS. All you do, all your access, it’s stored to be stolen. Anything hackers can do to ruin your life, IT can do better.

"Hopefully I will be less busy starting next week" will be written on my tombstone

They’re children. And their government is keeping them from doctors who practice a type of medicine that cures suicidal ideation at near miracle rates. If those kids do find relief, it'll be via their parents paying exorbitant out of pocket costs or by covertly ordering those drugs online with cryptocurrencies from sketchy overseas labs. Please don't play the Harry Potter video games and it defend it by saying they brought *you* childhood joy. https://www.thepinknews.com/2024/03/12/trans-puberty-blockers-nhs-england-prescribe-gender-affirming-healthcare/

“But AI is cheap!” It’s not, it has horrendous hardware, server housing and water and power requirements; it’s just that VCs are financing it now so you get in on the hype and later they will charge you rent and it will cost you way more—with inferior results—than, you know, hiring the writers and artists it’s stealing from, but those will be gone by then.

girl are you the ipv4 address space because you seem completely exhausted

Descriptions of autistic folks as having "trouble in social situations" but all my autistic friends get along great with each other in their social situations. This reads like all the "introverted people just need to learn small talk" instead of having articles where "extroverted people just need to learn to be quiet". Most of my friend AND professional colleague groups are filled with neurospicy folks. And we seem to get along just fine thank you very much. Anyhow. I imagine this isn't new to many folks here in the fediverse... Don't mind me. Just falling into a new research dive. - This research dive feels very meta, by the way.

Attached: 1 image This quote is a lot more threatening than they probably intended

Attached: 1 image