Post details
ātrans people don't want equality, they want special treatmen-ā Special treatment would be if LGBTQ+ people didn't have to pay taxes. You know, like churches. :trantifa:
ātrans people don't want equality, they want special treatmen-ā Special treatment would be if LGBTQ+ people didn't have to pay taxes. You know, like churches. :trantifa:
I have a lot more to say, but I'll hold it for now and simply wonder aloud... Which BigTech clouds are the "Lavender" & "Where's Daddy?" AI systems running on? What APIs are they using? Which libraries are they calling? What work did my former colleagues, did I, did *you* contribute to that may now be enabling this automated slaughter? (Also, content warning. This is some of the sickest shit I've ever read.) https://www.972mag.com/lavender-ai-israeli-army-gaza/
Your belated reminder, in the aftermath of the xz backdoor, that open source maintainers still owe you nothing: https://mikemcquaid.com/open-source-maintainers-owe-you-nothing/ Not only do they owe you nothing but: if they are running a large open source project at scale and have been doing so for a while: in almost every case they know vastly more about doing so than almost anyone else in the world does. Open source users and contributors: show some more gratitude and, frankly, deference to the maintainers who keep OSS alive.
accidentally wrote "saad" instead of "saas" in a text to my partner; they immediately coined "Software as a Disappointment" and honestly, where is the lie
... next month... Me: "Dear maintainer, can you please bump package XY?" Maintainer: ...furiously starts looking into the git diff looking for a backdoor.
Q1 2024 is officially behind us. So we figured that it was a great time for a bit of reflection on the exciting start to the year. In this episode, we sit down with our founders, Stephen, Chris, and Pete, to get a bit of perspective on how the last three months played out. We chat about On-call, our AI launch, and the hundreds of other features, bug fixes, and bits of polish and delight that we've shipped over the last 12 weeks. We also chat about the state of the company as a whole, our growth, and ultimately what's on the horizon.
I may be attending
.Robin Guldener from Nango talks to Mike about building an open, unified API, the value of building on top of Open Source products, and building a growing product team on this episode of the podcast.
Josh and Kurt talk about the recent events around XZ. Itās only been a few days, and itās amazing what we already know. We explain a lot of the basics we currently know with the attitude much of these ā¦
Which is smarter: specializing in a particular tech or becoming more of a generalist? It depends! Which is why Jerod invited āundercover generalistā Adolfo OchagavĆa on our āIt Dependsā series to weigh the pros & cons of each path.
Attached: 1 image One of my friends from $BIRBSITE posted this and I am dyingggggggg
Content warning: my take on the xz backdoor
Corollary: Your adversaries' SBOMs and dependency graphs *for your infrastructure* are better than yours.
That sound you hear is a flurry of people asking ChatGPT to write a business plan to monetize the XZ incident.
tech companies donate their april foolsā day joke budget to open source maintainers challenge 2024
Polite reminder about the Jia Tan XZ hack: if an organization is so well run and well funded that it's able to play that long a game to that degree of depth and sophistication, that organization does not have all its eggs in one basket.
When Elon Musk, JK Rowling and the cops are unhappy, you know itās a good law that will protect people. https://www.bbc.co.uk/news/uk-scotland-68703684
Thereās a combo hot take brewing in my head about the #xz and #redis debacles. It goes something like: When the shit hits the fan and part of the reason appears to be an overworked and underpaid maintainer, lots of people come out of the woodwork to demand more respect and money for them. But when a maintainer recognizes that theyāre in an unsustainable situation and dares to make a proactive change, well FUCK THAT GUY. WHO THE HELL DOES HE THINK HE IS?
nation state actor maintenance of an open source project may introduce a lot of backdoors, but it also helps a lot of PRs get merged, so, it;s impossible to say if its bad or not,
being forced to mute the word ābackdoorā is queerphobic
I think the most important lesson from the xz incident is that if you're losing an online argument about the quality of your open-source project, you can now safely accuse the opponents of being state-sponsored sock puppets and drop the mic
Happy Transgender Day of Visibility and Easter. May your eggs crack.
Them: Whatās the dumbest thing youāve ever done? Me: Awfully bold of you to assume Iāve peaked.
I wrote this ā¬ļø a few years ago. As the fallout from the #XZ hack reverberates, expect to see people calling for a "real name" policy for contributors to critical infrastructure. But, as I explain, there are several practical problems with that. https://shkspr.mobi/blog/2021/02/whats-my-name-again/ That's before we get to the ethical and privacy issues. Oh, and making it *easier* for attackers to target named individuals.
Maintenance is more important than innovation. This xz debacle is a symptom of a system that prioritizes lots of things above maintenance. Take this as a reminder to rest, to mend things & pay attention to what needs mending in yourself. Do the radical thing of working slowly and making all things more whole.
Week Notes 24#13 (4 mins read).
What happened in the week of 2024-03-25?
Proposals(re)accepted: add slices.Repeat functionaccepted: report use of too-new standard library symbols with go vetFrom around the communityBlog: Context-induced performance bottleneck in Go by Gabriel AugendreNew community Q&A site: godev.com, powerd by Apache AnswerBlog: Go Enums Still Suck...
Jacob talks about the backlash against open source maintainers seeking compensation, ethical use of software, financial support for maintainers, and complexities in licensing.
Personally, Iād rather celebrate a day about real living people than a fictitious magic zombie.
SQLite is often misconceived as a "toy database", only good for mobile applications and embedded systems because it's default configuration is optimized for embedded use cases, so most people trying it will encounter poor performances and the dreaded SQLITE_BUSY error. But what if I told you that by tuning a
Attached: 1 image This text is not something we wrote in a rush this morning to meet the moment. We've had variations on this on our site from day 1. I believed it then and I believe it now.
people are saying the xz backdoor is likely the work of a nation state actor, and given that it appears to been slow rolled for a couple of years and immediately became obsolete before it was fully launched - you do have to admit it bears the hallmarks of a government IT project
New blogpost: _**[It is about trust, not software](https://neilzone.co.uk/2024-03-30-it-is-about-trust-not-software.html)**_ My reflections on the `xz` situation. > This isn't about software, it's about trust, and trust, especially *digital* trust, is easy to misplace...
"open source needs more funding!" *nation state pays for backdoor* "not like that!"
Justin & Autumn take you with them to the 2024 SoCal Linux Expo where they asked six fellow attendees about their favorite open source projects and their least favorite commands.
stateunstableinblogdate3/29/2024 š Unstable Updating at the speed of light, blink once and a word could be gone! These nodes are eratic, unstable, dangerous, but that's why they are fun. Please note: ā¦
I know nobody wants to admit it, but security shit shows like heartbleed, log4shell, or xzgate are kinda exciting times to live thru. š¤ Also Iām afraid itās the only way to prove the problems weāve been droning about for years are real and not made up by greedy maintainers.
My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanti...
Attached: 1 image @bob
@0xabad1dea@infosec.exchange that's a warning to malware state actors - do not get between a db guy and performance. They will fuck you up.
my only contribution to the xz discourse: absolutely none of the supply chain stuff we're currently doing, including the things i like, would have stopped this. the only things that can stop this are (1) compulsively treating all code as untrusted, and (2) way, way stronger capability checks and restrictions in running systems. (1) is economically infeasible (the world runs on free labor from OSS), and (2) has had only very limited practical success.
Random, unordered, probably useless thoughts on today's apocalypxze... Part of the success in getting this into Debian may be the result of there being no xz maintainer there. It is "maintained" ...
@glyph @eb@social.coop I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."
@eb@social.coop I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
Attached: 1 image #xz #CVE #cve20243094 #Linux
Itās not surprising that a major security vulnerability is once again caused by maintainer burnout and someone stepping in to take over. Weāve all been talking about that risk for years. Sadly itās also unsurprising that OSS teams still are going to need to plead with management to stay funded, and paid OSS maintainers will still do unpaid overtime to work with volunteers. š.
What can we learn about the backdooring of xz
/liblzma
, using OpenSSF Security Scorecards and dependency-management-data? (6 mins read).
Looking at how the recent CVE-2024-3094 vulnerability could provide insight into other cases of risk in dependencies and their lack of code review.
Jerod, KBall & Nick discuss the latest news: Devin, Astro DB, The JavaScript Registry, Tailwind 4 & Angular merging with Wiz. Oh, and a surprise mini-game of HeadLIES!