
Di4na

@Di4na@hachyderm.io

SRE. Elixir Dev. Learner in Resiliency. French.
All Opinions are my own. And I have a lot.

Co-Founder and President Haruspex.dev

dom. He/him.

Blog: Softwaremaxims.com


Di4na, to random

So we have it now. Rust solved a large number of the safety problems of the system language level. Not everything ofc, but still. Lots of them. And it is actually being adopted.

So I have a question for my cybersecurity/infosec crowd.

Have you introspected why 3 decades of yelling about that stuff got no results, 3 decades of sanitisers and fuzzers barely moved the needle, but Rust slam dunked it?

Where is the retrospective of what went wrong? Where are the learnings?

Di4na, to random

Well, I finally have data to back my model of the software world out there. And the data is relatively solid and shows what I keep saying.

You are all on our turf now. Please accept that you have no idea what you are talking about. Sit down. Listen. Ask questions.

But respect our work. We are trying to keep the world running, 1h per month.

https://www.softwaremaxims.com/blog/open-source-hobbyists-turf

Di4na, to random

For everyone that calls for ways to make open source more secure, or for all their magical solutions that will provide money and resources to FOSS maintainers, please read this.

This is a rare account of the reality of maintainers, things that are hard, but also how much knowledge and niche expertise you need for anything in there.

That is why just giving money to experts will not help that much. It is too hard to train experts in this. But we may make it easier.

http://rhaas.blogspot.com/2024/05/hacking-on-postgresql-is-really-hard.html

Di4na, to random

So I will not have time until the weekend, at best, to write a full blogpost about it.

But fucking hell is this a ball of crap with nearly no ties to reality. I understand you all would love the real world to work like in this "manifesto" but... I am sorry, this is not reality.

https://openssf.org/blog/2023/08/24/join-us-in-adopting-the-open-source-consumption-manifesto/

Di4na, to random

I rarely agree with the conversation of "lack of reciprocity" for FOSS maintainers. Reciprocity itself does not make sense to talk about in this situation imho.

But I do think that there is a double standard. Here is my example for today. Do better, corp.

Just. Give your employees frigging security tokens.

https://www.softwaremaxims.com/blog/2fa-community-participation

Di4na, to random

I think I finally found a name to put on the work that needs to be done to bring all the fantastic ideas that come out of academia and esolang into the tooling for developers out there.

And I think this is the way out of the pit of pain and security vulnerabilities our digital infrastructure is in rn.

What do you think?

We Need More Process Engineering in Software

https://www.softwaremaxims.com/blog/process-engineering-software

Di4na, to random

I came to a realisation yesterday.

No one read the Roads and Bridges report in the FOSS advocacy world. They are all focused on end user FOSS applications.

None of them realised 80% of all apps are FOSS code. And no one seems to ask where it comes from.

We are legitimately infrastructure at this point, as no one realises we exist.

And we are crumbling under the maintenance. And we are not organised to change that. I have no solutions to offer.

Get loud i guess.

Di4na, to random

Before writing a full blog post, I want to gather some reactions.

What if we made it legally obligated that if an employee can show (putting aside the validation mechanism here, lots of options with different tradeoffs) that they contribute to open source a bit (and I really mean a low amount. Even an obscure package counts, even a few PRs to fix real bugs) on their non-work time.

Then the employer has to give them one more (paid) free day a week. An 80% job for the salary of a 100% one.

Di4na, to random

Who the fuck thought that passkeys and passwordless were a good idea?

One week into having moved to a yubikey 5 (after years of my previous yubikey), and every service on the planet wants me to use it as a passkey and not just a 2fa otp.

Except it is crap. Like at this point, I just want to delete 2FA from everything due to how much worse the UX was.

It is time to unplug that experiment, this is going to make people stop doing the secure thing.

Di4na, to random

Today has not been a particularly good day, but it was not a bad day either, and just...

I don't think it will resonate with anyone who does not have ADHD, and honestly idk if I need it to. But I need to yell about it and this is the best place.

I had no idea things could be this easy. The meds are not solving everything but like. Is it how it is for y'all? You can just... DO THINGS?!?!616?!

And yes I am crying saying it.

Oh Also. Some things can actually make you feel better after doing?!

Di4na, to opensource

As a maintainer of OpenSource libraries and packages, there is something that kept feeling off in the whole Software Supply Chain discourse. I think this comes down to something simple.

I am not a Supplier.
You can read more explanation there https://www.softwaremaxims.com/blog/not-a-supplier

Di4na, to random

Has anyone tracked where Musk got the obsession with X as the killer app for everything?

The only real thing I can find as inspiration in my knowledge of the cultural material he draws from is The eXchange from SR. But iirc it is from 3rd edition aka 98, so could be a reverse influence.

Or is this a SAC?

Maybe @cstross or @davidgerard or your own networks? This guy has to have it from somewhere.

Di4na, to random

Do I have anyone with a tool that could query the full range of code bases for idk... all the big FOSS tools? In my followers network? If yes, I would love to get data on the following questions.

"How many projects have a bin or scripts directory? What is the distribution of languages used in these?". Bonus point if you can count the "build tasks" too, things like npm assets.build or equivalent. Use of make as a task runner, and not as a build system, would probably be interesting too.
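One way to gather the numbers asked for above, as an added example that is not part of the original post and not a tool the author uses: a small Python survey script that walks a directory of checked-out repositories, counts the ones with a bin/ or scripts/ directory, tallies the languages of the files inside (by extension, then by shebang), and flags Makefiles that look like task runners (every rule target declared .PHONY). The extension and shebang tables, the .PHONY heuristic and the three sample repos it builds in a temp directory are all assumptions made for this example.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Mapping tables are assumptions for this example; extend to taste.
EXT_LANG = {".sh": "shell", ".bash": "shell", ".py": "python", ".rb": "ruby",
            ".js": "javascript", ".pl": "perl", ".ps1": "powershell", ".exs": "elixir"}
SHEBANG_LANG = {"sh": "shell", "bash": "shell", "python": "python", "python3": "python",
                "ruby": "ruby", "node": "javascript", "perl": "perl", "elixir": "elixir"}
SCRIPT_DIRS = ("bin", "scripts")
RULE_RE = re.compile(r"^([A-Za-z0-9_./\-]+)\s*:(?!=)")  # "target:" but not "VAR :="


def shebang_lang(first_line: bytes) -> Optional[str]:
    """Language named by a #! line, handling the '/usr/bin/env python3' form."""
    if not first_line.startswith(b"#!"):
        return None
    tokens = first_line[2:].decode("ascii", "replace").split()
    if not tokens:
        return None
    interp = tokens[0]
    if os.path.basename(interp) == "env" and len(tokens) > 1:
        interp = tokens[1]
    return SHEBANG_LANG.get(os.path.basename(interp))


def classify(path: Path) -> str:
    """Language of one script file: by extension first, else by shebang."""
    lang = EXT_LANG.get(path.suffix.lower())
    if lang:
        return lang
    with path.open("rb") as f:
        return shebang_lang(f.readline(200)) or "unknown"


def looks_like_task_runner(makefile_text: str) -> bool:
    """Heuristic (assumption): every rule target is .PHONY, so make builds no files."""
    phony, targets = set(), set()
    for line in makefile_text.splitlines():
        if line.startswith(".PHONY:"):
            phony.update(line.split(":", 1)[1].split())
            continue
        m = RULE_RE.match(line)
        if m:
            targets.add(m.group(1))
    return bool(targets) and targets <= phony


def survey(root: Path) -> dict:
    """Walk each repo directly under root and tally the questions from the post."""
    repos = [p for p in sorted(root.iterdir()) if p.is_dir()]
    result = {"repos": len(repos), "with_script_dir": 0,
              "langs": Counter(), "make_task_runner": 0}
    for repo in repos:
        script_dirs = [repo / d for d in SCRIPT_DIRS if (repo / d).is_dir()]
        if script_dirs:
            result["with_script_dir"] += 1
        for d in script_dirs:
            for f in d.rglob("*"):
                if f.is_file():
                    result["langs"][classify(f)] += 1
        makefile = repo / "Makefile"
        if makefile.is_file() and looks_like_task_runner(makefile.read_text(errors="replace")):
            result["make_task_runner"] += 1
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample: three fake repos, not real projects."""
    files = {
        "repo_a/bin/deploy.sh": "#!/bin/sh\necho deploy\n",
        "repo_a/bin/check": "#!/usr/bin/env python3\nprint('ok')\n",
        "repo_a/scripts/tidy.rb": "puts 'tidy'\n",
        "repo_a/Makefile": ".PHONY: test lint\ntest:\n\tpytest\nlint:\n\truff .\n",
        "repo_b/src/main.c": "int main(void){return 0;}\n",
        "repo_b/Makefile": "CC := cc\nall: main.o\nmain.o: src/main.c\n\t$(CC) -c $<\n",
        "repo_c/scripts/run": "#!/usr/bin/env bash\nset -e\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def demo() -> dict:
    """Build the sample tree in a temp dir and survey it."""
    root = Path(tempfile.mkdtemp(prefix="foss-survey-"))
    build_sample_tree(root)
    return survey(root)


if __name__ == "__main__":
    r = demo()
    print(f"{r['with_script_dir']}/{r['repos']} repos have bin/ or scripts/")
    print("languages in those dirs:", dict(r["langs"]))
    print("Makefiles used as task runners:", r["make_task_runner"])
```

Point `survey()` at a directory containing real clones instead of `demo()` to get the distribution over actual projects. On the constructed sample it reports 2 of 3 repos with a script directory, 2 shell, 1 python and 1 ruby file in them, and 1 Makefile used as a task runner.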

Di4na, to random

The White House declared we have to be Memory Safe now!

So great! None of us had any idea!

Wait, but why is there no analysis of how we are still memory unsafe decades after the start of this yelling about it?

Let me re-share my answer to that crowd from a few months ago. I am definitely not bitter. Defo.

https://www.softwaremaxims.com/blog/memory-safety-end-history

Di4na, to random

Whoever wrote, reviewed, and approved this at the OpenSSF.

Consider leaving the organization. I am not joking. You have no idea what you are talking about; you know nothing about Open Source, and you seem to know nothing about Security, either.

Even less all these things combined. Just. Leave. Resign. It is ok to realize you are not the right person for that position. It happened to me before.

Have some self-respect.

https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/

Di4na, to random

@kurtseifried @joshbressers following some regulations discussions lately, I thought you would like this one
http://highscalability.com/blog/2023/8/16/the-swedbank-outage-shows-that-change-controls-dont-work.html

When you look at what we recommend for supply chain security, how different is it? ;)

Di4na, to random

I pay for at least 3 streaming services. I am more than happy to buy DVDs, Blu-rays or digital versions of the shows and movies I want to watch.

And yet, I literally cannot find a good legal way to watch the shows I am interested in, in my country, except by "renting" a digital file. On a 4th totally different platform that only works on half of my machines.

Do I really have to pirate again, when I am ready to shell out hundreds of euros for a legit working copy?

What the flying horse?!?!

Di4na, to random

Open question to possible FOSS lawyers out there.

Would a "license" that provides all the classic open source tenets but gives fines for ever contacting the authors be possible and enforceable?

I don't think it is a good idea, but I am wondering about some things.

Di4na, to opensource

PSA:

If you want to create an event to workshop solutions to help heavily resource-constrained maintainers, consider starting from the pov of "what kind of event could a resource-constrained maintainer participate in".

Otherwise, your event will join the long list of useless ones.

Di4na, to random

I know we don't talk about it in the software field that much but.

We should all read the Horizon Inquiry transcripts. Really.

https://www.bbc.com/news/articles/c1d4j5m3l08o

https://postofficeinquiry.dracos.co.uk/

Di4na, to random

You want the funniest one? Until the past couple of years, the attackers could have just... Released a new autotools version. No need to convince the previous maintainer or anything.

Because there was none. If they had shown up to release a new version, everything using autotools would be infected. And it would probably be easier to hide.

This was... Actually not that impressive of an attack?

Di4na, to random

Redoing in case someone has a stash

If some of you are at today, I would happily appreciate a gift of a few 3M Auras.

Long story short, mine stayed at home due to complex reasons. And no, other masks will not work. I tested a lot of them for the past few years, all other seal badly on my face.

Di4na, to random

My thoughts on the google whole "secure by design" thing.

Really cute. But also 1M? That is... A small team of engineers for a year. That is the value of Rust for Google. And they cite the amount multiple times as if it was worth praise!

And after they wonder why our digital infrastructure is mostly built and maintained by weekend warriors that are burning out.

It gets lonely in there.

Di4na, to random

Shower thought. If i accept Synopsys and Tidelift numbers, at least 50% of all the code running in apps out there is not only FOSS, but maintained by unpaid weekend warriors.

So probably on something like 1 to 2 engineer-hour a month.

This has massive implications. Among others, that to get enough funding to make sense in our current market for engineers, you would need to pay them to be idle most of the time. It creates a massive asymmetry in terms of bang for the buck against paying.

Di4na, to random

What about "yet giving the ability to give advice requires deeper proof of expertise and understanding of the life of maintainers?"

Said otherwise. Fuck off.

>>> yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a “quick fix” to any problem.

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/
