I think a long time ago a vicious cycle began in the advertising space where predatory ads had more incentive to pay for ad space, so sensible people start to perceive ads in general as predatory. Now no sensible advertiser that’s trying to promote a legitimate product for legitimate reasons will do so by buying ad space, thus reinforcing the increasingly accurate perception that all ads are predatory.

Yeah that’s my big takeaway here: If the people who are rolling out this technology cannot make these assurances then the technology has no right to exist.

“Instantly” on a geological scale 🙃

I imagine the number goes up considerably when you account for showering, washing clothes and dishes, and water used while cooking. It would go up even more if you account for the water used to produce the food consumed by the individual.

I’m sure you’re on the shop floor for every one of those conversations.

But anyway, enjoy being confidently incorrect: https://www.consumerreports.org/cars/car-safety/tesla-driver-monitoring-fails-to-keep-driver-focus-on-road-a3964813328/

Weird how this notion of “personal responsibility” applies to every person except for those people who choose to intentionally misrepresenting the product by branding it in ways that are misleading. The people running this company aren’t responsible for their role in misleading the public, just because the fine print happens to indicate that the product isn’t actually what it’s marketed as?

Now you’ll probably say something to the effect of “I never said that! You’re putting words in my mouth!” except what other motivation can you have to jump to the defense of the liar and blame people for being misled, except that you want to put all the responsibility on individuals for being misled and not on the company that is systematically and intentionally misleading them? Maybe you just manage to derive a smug sense of superiority thinking of yourself as someone who is invulnerable to this kind of tactic so blaming the victims lets you feel good about yourself.

I’m disappointed to learn that she was born British so she can never run for president in America.

… Not that the FTC chair is known to be a pipeline to the presidency, but I’m ready to turn over every stone at this point.

Life insurance premiums are about to skyrocket for Boeing whistleblowers.

Sounds like there are going to be a lot of machines running a fresh install of Linux next year. Microsoft really does ♥️ Linux.

Except it’s actually an “Every language and library that provides this feature” problem because literally no one was aware that this sanitization problem even existed, and Rust is among the first to actually fix it.

The entire problem with cmd.exe was not known and so obviously not documented when the Rust standard library developers were implementing the API, and the same goes for the standard library developers of every other language. Rust was among the first to fix this problem in their API, with many other languages opting to just document the issues instead of actually protecting users from it.

To take all this information and distill it down to trumpeting “Rust has a CVSS level 10 security vulnerability!!” without context is stupidity at best and maliciously disingenuous at worst.

Nitpicking whether the statement can be construed as true within a certain framing just demonstrates malicious intent when the reality is that users of Go, Python, and Java, whose standard libraries have taken a position of Won’t Fix, are in a FAR more dangerous position than Rust users who are actually in the safest position of anyone in any language ecosystem besides perhaps Haskell.

Because this is the status of the bug across the standard libraries of various languages, per this article and others:

• Erlang (documentation update)
• Go (documentation update)
• Haskell (patch available)
• Java (won’t fix)
• Node.js (patch will be available)
• PHP (patch will be available)
• Python (documentation update)
• Ruby (documentation update)

Notably C and C++ are missing from this list because their standard libraries don’t even offer this capability. Half of these standard libraries are responding to the issue by just warning you about it in the function documentation. Rust is one of the few that actually prevents the attack from happening.

The original BatBadBut bug report used JavaScript to illustrate the vulnerability.

If the issue exists in the standard library of every language that provides this capability and Rust’s standard library is the first to fix it, how is it a Rust issue?

It would be more accurate to say that it’s an issue in almost every language EXCEPT Rust at this point.

The only reason it isn’t being called a C or C++ issue is because their standard libraries don’t even attempt to offer this capability. But you can bet that all sorts of C/C++ libraries that do offer this, like Qt, will also be having this issue.

Funny how the headline makes it sound like a Rust specific problem, as if the Rust language is unsafe or the core team was incompetent, but then other affected language standard libraries include

• Erlang (documentation update)
• Go (documentation update)
• Haskell (patch available)
• Java (won’t fix)
• Node.js (patch will be available)
• PHP (patch will be available)
• Python (documentation update)
• Ruby (documentation update)

So actually this is a vulnerability that originates in Windows, and Rust and Haskell are the only languages that are actually protecting users from it as of right now, with Node.js and PHP to follow.

This is why the position I take is that when there is any room for doubt, lean into whichever belief would lead to the most compassionate outcome.

There will always be uncertainty, always facts that you can’t know, but the compassionate choice is pretty much never wrong, at worst it might be inefficient, but that’s okay. Anyone who’s trying to convince you that something that harms or dehumanizes anyone is necessary probably has an ulterior motive and is profiting somehow off of the harm and dehumanization.

All JSON is valid YAML, so after you’ve converted the file to JSON, just… save it with a YAML file extension and call it a day…?

You keep arguing that open source projects are strict with their code base reviews

Go ahead and quote the words I said that suggest this. You have a talent for claiming that people have said things they have never actually said.

The only claims I’ve made in this conversation are:

1. The open source ecosystem does NOT strictly rely on confidence in individual project maintainers because audits and remedial measures are always possible, and done more often than most people are aware of. Of course this could and should be done more often. And maybe it would if we didn’t have so many non-contributing freeloaders in the community.
2. Most of the widely used open source projects are not being done by hobbyists or volunteers but rather by professionals who are getting paid for their work, either via a salary or by commission as independent contractors.
3. You don’t seem to have a firm grasp on how open source software is actually developed and managed in general.

Nothing about the portion of the sentence you highlight actually implies that they haven’t already been getting paid to do open source work. That’s an interpretation that you’re projecting onto the sentence because it fits your narrative. The poster never identified themself to be a volunteer. I’ve already reframed the sentence for you in a previous post, but I’ll try one more time: “Whenever any tech company is willing to pay me to do work related to my open source project, I sit down with them and talk about my rates” is a semantically equivalent sentence to what the poster said.

You’re also taking one single datapoint which has ambiguous credibility to begin with and extrapolating it to characterize a massive industry that you, like countless others, benefit from while hardly knowing anything about how the sausage gets made.

I’d be surprised if you’ve ever offered a substantive contribution to an open source project in your life, so I won’t be losing any sleep if a freeloader loses confidence in the ecosystem. But realistically you’ll be using open source software for the rest of your life because the reality is that closed source software really can’t compete in terms of scale, impact, and accessibility. If you actually care about the quality and security of the things you depend on, then do something about it. And prattling ignorance on social media does not count as doing something.

Your interpretation is simply not supported by the literal words being said by the person. “we can sit down and talk about my rates” implies that this person already has rates that they charge for the labor they do.

You’re projecting a meaning into the person’s words that simply aren’t there because you want it to fit a narrative that has is not commensurate with reality.

You brought up your credentials earlier so now I’ll bring up mine: My full time job, which I get paid a very competitive salary for, is to develop exclusively open source software. I have many collaborators in the industry, both at my same organization and from others (some non profits, some academic labs, some government agencies, but mostly private for-profit organizations) who contribute to open source projects either full time or part time.

I don’t have one single collaborator who is the mythical unreliable open source volunteer you’re talking about. Every single person I’ve worked with has a commercial or professional (i.e. academic, mission-driven) interest in the developmental health of open source software. When we decide what dependencies we use, we rule out anything that looks like a pet project or something with amateur maintenance because we know if the maintainer slacks off or goes rogue then that’s going to be our problem.

The xz case is especially pernicious. This is a person who by all initial appearances was a respected professional doing respectable work. He/they (perhaps there was a team involved) went to great lengths to quietly infiltrate the ecosystem. I guarantee someone could do the same thing at a private company, but admittedly they’re less likely to have as broad of an impact as they can by targeting the open source ecosystem.

I really wish you would just stop trying to defend Linux and open source development, and listen to the concept/opinion I’m actually stating

I am listening, and I’m telling you that you’re wildly misunderstanding the nature of the open source industry. You, like many many other software developers, are ignorant about the vast bulk of widely used open source software gets developed.

The key sentence in the post you linked which constituted more than 50% of the words being stated by the poster and yet you somehow conveniently missed which completely negates the whole narrative that you’re trying to promote:

Speaking as an open source maintainer, if a tech company would like to pay me to do ~anything for my open source project, we can sit down and talk about my rates.

Which means this person is NOT simply a volunteer as you insinuated here:

When someone suggested a level of effort to be put on code checked in to prevent security issues from happening, the maintainer pushed back, stating that they will decide what level of effort they’ll put in, because they’re doing the work on a volunteer basis.

but in fact is available to be paid a fair rate for the labor they perform. In fact your entire description of the post is mischaracterizing what is being said in the post.

I don’t know how you could have accidentally missed or misinterpreted one of the two sentences being said by the poster, and the longer of the two sentences at that. It was also the first sentence in the poster’s statement. It seems more likely to me that you missed that on purpose rather than by accident. Maybe you’re just so eager to find evidence to match your narrative that your brain registered the entire point of the post incorrectly. Allow me to reframe what’s being said to simplify the matter:

As a self-employed contractor, if you demand that I perform free labor for you, I will decline that request.

Now just add a much more frustrated tone to the above and you get the post you linked.