aside from leaving them behind

Why are we conforming to fit the software’s needs instead of vice-versa? Fuck the devs who can’t be assed to make it work for proton at the least. This isn’t my job, I’m not being paid to use software that goes against my values. There’s tens of thousands of games out there and I’m gonna let myself get so hung up on the few hundred that don’t work that i just go back to m$?

Fuck. That. They deserve to get left behind. No piece of media is worth compronising on my values to consume.

Not to mention that self-hosting/federation comes with a million small headaches.

If the devs are paid, do you want to pay them to work on the project or work on maintaining a contact infrastructure?

If they aren’t paid, do you want them using what little free time they have working on the app or working on maintaining a communications network?

If it’s someone else’s forum/matrix/chat server, are you okay with 1. a third party having access to your communications and 2. being able to force a comms blackout for any reason whatsoever?

Or would you rather they use their time and money focusing on finding a provider who meets every need of the project AND every user?

I think it’s just the utopia image with colors inverted, which is a visual gag that I’m loving

they’ve been doing this since 10 and “featured apps”

The choice of Rust limited the ability for people to contribute.

That’s unfortunate. I think rust is particularly tailored to big projects with many contributors that need the performance boosts of a “low level” language. This goes especially for web apps, since they’re likely to grow in size directly correlated to number of users and use time.

I get that the compiler is viewed as “training wheels” by the C and C++ coders, but it’s nearly impossible to ensure memory safety on a large project without something or someone checking and enforcing it, since no one can be reasonably expected to parse thousands of lines of code and keep the data flow in mind at all times while considering edge cases and also trying to add on to it while other also grow it.

Do you mean anonymize as in hide which specific mod took a particular action? Because that makes sense as an anti-harassment feature, and doesn’t conflict with everyone who’s retorting about transparency.

Mod actions should be publicly available, but not necessarily which mod is taking the action. That can just lead to witch hunts and ignores the complicity of other mods

There is this desire to be as widely federated on an instance and the idea that everything on the Fediverse is something they want to be able to see.

Reminds me of Geek Socual Fallacy #1

Here’s the journal article itself

This whole thing stinks of advertising. They use a sample size of 24 people. The results are underwhelming: “Each disease cohort concordantly demonstrated increases in the NAD+/NADH ratio but did not reach significance individually” (“when we massaged the numbers, the result we wanted popped out”). Looking at the graphs, it looks like the upper half (highest baselines) of the patients worsened over the 12 week study.

My favorite lines?

“The objective of the Phase 2 REPAIR-MS and REPAIR-PD clinical trials was to investigate the effects of CNM-Au8” and “CNM-Au8® is a suspension of faceted, clean-surfaced gold nanocrystals” and course:

“Clene Nanomedicine, Inc., funded this study.”

None of the above. This study is as fishy as they come

So we’ve extracted so much gold from the earth there’s not enough left for our bodies?

I know this probably isn’t the case, but the image of extracting precious metals from human tissue solely to squeeze every last drop out of nature is hilarious to me. Plausible, but hilarious nonetheless. Mine owners leaving toxic lakes in the middle of Parkinson’s patients when the earth runs out of gold.

1. If it’s distributed through github, and there’s no push to move elsewhere by users and contributors, then it’s effectively hosted on/through github
2. The analogy breaks down for collaborative projects, which is where the issues with github arise
3. If their problem is with the project’s distribution method, presumably the answer is yes

shit stash

“Simple” is misleading, as that’s also the branding of a suite of mobile apps (that were bought out and turned into data-harvesting/advertising tools).

Also this isn’t a file manager, it’s a password manager. Although the same dev also makes a file manager.

“Gluten Free Vegans” at that. OP doesn’t dislike animal rights, they just specifically dislike people with a potentially life-threatening allergy standing up for animal rights.

Let’s be honest though, they’ve just written both off as “overly restrictive fad diets followed by people who annoy me by talking about their lifestyles”

OP is the human embodiment of a conservative stand-up comedian, or as Tim Heidecker put it

I honestly don’t get the parallel here… They both annoy you when they talk about their respective “thing”?

You clearly used one of those adapters for a regular toilet. If you do it right, and get the new plumbing installed and an actual bidet, you can have confortable temperature water spraying on your dirty rosebud.

Also no, I don’t own one… yet. I’ve just looked into it.

For the record I agree with @fernandofig@reddthat.com, but I also want to add that a DoS is not necessarily a security risk. If it can be leveraged to expose sensitive information, then yes, that’s a vulnerability; this isn’t that.

Digging into the CVEs:

CVE-2024-24989:

#Security Advisory Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. (CVE-2024-24989)

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3.

#Impact

Traffic is disrupted while the NGINX process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the NGINX system. There is no control plane exposure; this is a data plane issue only.

CVE-2024-24990 basically says the same.

Some choice clauses:

undisclosed requests can cause NGINX worker processes to terminate

Traffic is disrupted while the NGINX process restarts.

So it doesn’t take down the server nor the parent process, it kills some threads which then… restart.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental

I was able to find that the affected versions:

NGINX Plus R30 P2 and R31 P1
Open source subscription R5 P2 and R6 P1 Open source mainline version 1.25.4

but most importantly:

The latest NGINX Open source stable version 1.24.0 is not affected.

And saving me the hassle of linking and quoting all 5 of the version history pages for the affected products, the uniting factor is: they’re all based on Open Source versions 1.25.*

None of them are using the latest stable version.

It’s not even going to affect most sites, and definitely not ones for whom downtime is a major issue: they would not be using the non-stable version, much less enabling experimental features in a non-stable version.

But the part that irks me the most is the dillution of what a CVE is. Back in the day, it meant “something that can lead to security breaches,” now it just seems to mean “hey guys, I found a bug.” And that’s bad because now you have one of two outcomes: 1. unnecessarily panicking users by leading them to believe their software is a security risk when it isn’t, or 2. compromising the integrity and usability of CVE reports by drowing the important ones in waves of “look guys, the program crashes when I can leverage root privileges to send it SIGKILL!”

If this was just a bug hunter trying to get paid, that’s one thing, but these were internally assigned and disclosed. This was an inside job. And they either ignored or never consulted the actual experts, the ones they have within their own staff: the devs.

Why? To what end? Did they feel left out, what with not having any CVEs since 2022? Does this play some internal political struggle chess move? Do they just hate the idea of clear and unambiguous communication of major security holes to the general public? Are they trying to disrupt their own users’ faith in their paid products? Does someone actually think a DoS is the worst thing that can happen? Is there an upper level manager running their own 1.25 instance that needs this fixed out-of-band?

It’s just all so asinine.

Context:

TLDR: The devs don’t like bugs in released software being assigned CVEs, which requires a special security update instead of a standard bugfix included in the regular update cycle.

:The most recent “security advisory” was released despite the fact
: that the particular bug in the experimental HTTP/3 code is
: expected to be fixed as a normal bug as per the existing security
: policy, and all the developers, including me, agree on this.
:
: And, while the particular action isn’t exactly very bad, the
: approach in general is quite problematic.

There was no public discussion. The only discussion I’m aware of
happened on the security-alert@ list, and the consensus was that
the bug should be fixed as a normal bug. Still, I was reached
several days ago with the information that some unnamed management
requested an advisory and security release anyway, regardless of
the policy and developers position.

And nginx’s announcement about these CVEs

Historically, we did not issue CVEs for experimental features and instead would patch the relevant code and release it as part of a standard release. For commercial customers of NGINX Plus, the previous two versions would be patched and released to customers. We felt that not issuing a similar patch for NGINX Open Source would be a disservice to our community. Additionally, fixing the issue in the open source branch would have exposed users to the vulnerability without providing a binary.

Our decision to release a patch for both NGINX Open Source and NGINX Plus is rooted in doing what is right – to deliver highly secure software for our customers and community. Furthermore, we’re making a commitment to document and release a clear policy for how future security vulnerabilities will be addressed in a timely and transparent manner.

They don’t seem to care that much about performance unless it means reduced powet consumption.

Looks like their main reasoning for dropping vulkan was: 1. it has too many dependencies, which violates their principal of minimalism, and 2. it’s not backwards compatible enough for their arbitrary definition of backwards compatibility. I guess it should support hardware back to the very first gpu, but also have less dependencies

It’s like if Twitter, Threads, and Bluesky all were the same behind the scenes and gave you access to read the posts and follower the on the other sites. “Mastodon” is just the collective term for all those sites that are linked together.

Also you can have a lot more control over what you see and who you interact with, but you don’t have to if you just want to login and look at memes. You can also run your own site ti have even more control, but, once again, you don’t have to.

If you mean you just don’t get the appeal of the “microblogging” format, or the culture that arose online surrounding it, I can’t explain that. It’s not everybody’s cup of tea.