
Di4na

@Di4na@hachyderm.io

SRE. Elixir Dev. Learner in Resiliency. French.
All opinions are my own. And I have a lot.

Co-Founder and President Haruspex.dev

dom. He/him.

Blog: Softwaremaxims.com


Di4na, to random

Before writing a full blog post, I want to gather some reactions.

What if we made it legally obligated that if an employee can show (putting aside the validation mechanism here, lots of options with different tradeoffs) they contribute to open source a bit (and I really mean a low amount. Even an obscure package counts, even a few PRs to fix real bugs) on their non-work time.

Then the employer has to give them one more (paid) free day a week. An 80% job for the salary of a 100% one.

Di4na, to random

I know we don't talk about it in the software field that much but.

We should all read the Horizon Enquiry transcripts. Really

https://www.bbc.com/news/articles/c1d4j5m3l08o

https://postofficeinquiry.dracos.co.uk/

Di4na, to random

For everyone that calls for ways to make open source more secure, or for all their magical solutions that will provide money and resources to FOSS maintainers, please read this.

This is a rare account of the reality of maintainers, things that are hard, but also how much knowledge and niche expertise you need for anything in there.

That is why just giving money to experts will not help that much. It is too hard to train experts in this. But we may make it easier

http://rhaas.blogspot.com/2024/05/hacking-on-postgresql-is-really-hard.html

Di4na, to opensource

PSA:

If you want to create an event to workshop solutions to help heavily resource-constrained maintainers, consider starting from the pov of "what kind of event could a resource-constrained maintainer participate in".

Otherwise, your event will join the long list of useless ones.

Di4na, to random

After listening to your podcast on security.txt, I have a use case to mandate it @joshbressers @kurtseifried

If I can easily extract information on where to contact you, I can validate that you actually read the inbox of that email.

Makes it something I can check for compliance.
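
The check the post above proposes, as an added example (not the author's code): a small Python parser for security.txt (RFC 9116) that extracts the Contact URIs and flags the structural problems a compliance checker would care about (no Contact, an Expires that is missing, duplicated or in the past, contact values that are not URIs, unknown fields). The two sample files are constructed. Actually sending a message to the extracted mailto address and confirming someone reads it is the manual step the post describes and is left out.

```python
"""Parse and sanity-check a security.txt file (RFC 9116) so a compliance
checker can extract the contact channels before probing them.

Added example; not code from the post's author. The sample files below are
constructed for the demonstration."""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlsplit

# Field names RFC 9116 defines; Contact and Expires are mandatory.
KNOWN_FIELDS = {
    "contact", "expires", "encryption", "acknowledgments", "canonical",
    "hiring", "policy", "preferred-languages",
}
# Contact must be a URI; these are the schemes the RFC uses in its examples.
CONTACT_SCHEMES = {"mailto", "https", "tel"}


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {lower-case field name: [values]} in file order.

    Comment lines (#) and blank lines are ignored; a line without a colon
    is kept under the pseudo-field "_malformed" so the checker can flag it."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("_malformed", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> dict:
    """Validate the mandatory parts of a security.txt and extract contacts.

    Returns {"contacts": [...], "mailto": [...], "problems": [...]}.
    An empty "problems" list means the file passes the structural checks;
    whether the mailbox is actually read still has to be tested by hand."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line: {line!r}")
    for name in fields:
        if name not in KNOWN_FIELDS and name != "_malformed":
            problems.append(f"unknown field: {name}")

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field (required)")
    mailto: list[str] = []
    for uri in contacts:
        scheme = urlsplit(uri).scheme.lower()
        if scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact is not a usable URI: {uri}")
        elif scheme == "mailto":
            mailto.append(uri[len("mailto:"):])

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once, found {len(expires)}")
    else:
        try:
            # RFC 9116 wants ISO 8601; accept the common trailing "Z" form.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires lacks a timezone offset")
            elif when <= now:
                problems.append(f"security.txt expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")

    return {"contacts": contacts, "mailto": mailto, "problems": problems}


# Constructed sample of what GET /.well-known/security.txt might return.
SAMPLE_OK = """\
# Security contacts for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en, fr
"""

# Constructed sample with a bare e-mail address and a duplicated Expires.
SAMPLE_BAD = """\
Contact: security@example.org
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(check_security_txt(sample))
```

The parser is deliberately permissive about field names (it lowercases them) and strict about the two fields the RFC requires, so a report of `problems == []` tells you the file is worth following up on, not that the contact works.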

Di4na, to random

This is a reminder to everyone who wants a Ferris Plushie to add your email to this so that they know it is worth doing a run.

I definitely do not still feel bad from missing both runs....

https://devswag.com/products/rust-ferris

Di4na, to random

What about "yet giving the ability to give advice requires deeper proof of expertise and understanding of the life of maintainers?"

Said otherwise. Fuck off.

>>> yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a “quick fix” to any problem.

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

Di4na, to random

I cannot reboost enough so I will do it this way.

This is the single thing published about xz by an org that seems to have actually done the work.

If you want a voice to amplify, the @sovtechfund seems to be the only one that listened to maintainers. So please go read it and amplify it. Let's try to make visible orgs that are humble and do the work.

And thank you to everyone at the @sovtechfund for doing this work, like this. ♥️ It helps so much.

https://mastodon.social/@sovtechfund/112213715109225305

Di4na, to random

So we have it now. Rust solved a large number of the safety problems at the system language level. Not everything ofc, but still. Lots of them. And it is actually being adopted.

So I have a question for my cybersecurity/infosec crowd.

Have you introspected why 3 decades of yelling about that stuff got no results, 3 decades of sanitisers and fuzzers barely moved the needle, but Rust slam dunked it?

Where is the retrospective of what went wrong? Where are the learnings?

Di4na, to random

Well, I finally have data to back my model of the software world out there. And the data is relatively solid and shows what I keep saying.

You are all on our turf now. Please accept that you have no idea what you are talking about. Sit down. Listen. Ask questions.

But respect our work. We are trying to keep the world running, 1h per month.

https://www.softwaremaxims.com/blog/open-source-hobbyists-turf

Di4na, to random

Whoever wrote, reviewed, and approved this at the OpenSSF.

Consider leaving the organization. I am not joking. You have no idea what you are talking about; you know nothing about Open Source, and you seem to know nothing about Security, either.

Even less all these things combined. Just. Leave. Resign. It is ok to realize you are not the right person for that position. It happened to me before.

Have some self-respect.

https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/

Di4na, to random

OH: I want to make a "go fuck yourself openssf" badge

I am sure this is how you educate maintainers and get traction with them. I mean, I am not a security expert nor someone the OpenSSF would choose to listen to or pay, so I am obviously not knowledgeable about this. You should definitely listen to them. They obviously know how to make the OpenSource ecosystem more secure.

Di4na, to random

You want the funniest one? Until the past couple of years, the attackers could have just... Released a new autotools version. No need to convince the previous maintainer or anything.

Because there was none. If they had shown up to release a new version, everything using autotools would be infected. And it would probably be easier to hide.

This was... Actually not that impressive of an attack?

Di4na, to random

I am sure we will all talk about how this was doing all the "secure" stuff properly, got caught by Valgrind, and the right thing to do was to disable the check.

Because we built tools to find the problem, and then tools to explore and fix it, that are so unergonomic.

That when we need them, the only good, right and logical step to take is to disable them. Because no one can understand what to do with the report.

I am sure we are definitely going to talk about that.

Di4na, to random

In the light of the xz stuff, I will recommend, again, that people try to internalise this before responding.

Your model of how this whole stuff works is probably not useful. Accept it, even if you are supposed to be really good at this. Sit this one out. Don't say your hot takes. Come talk to me instead and let's talk. Please.

You. Are. Not. Helping.

https://www.softwaremaxims.com/blog/not-a-supplier

Di4na, to random

I know I am late to it, but I finally read https://kellyshortridge.com/blog/posts/rfi-secure-by-design-response/
Thank you @shortridge for being one of the rare people in this domain who make sense.

You are one of the reasons I still write about this. I may not have a lot of hope, but at least I feel less lonely.

(And yes, I do not agree with everything, but faaaaar better than all the other answers)

Di4na, to random

I finally got time to read @hazelweakly post on Observability.

Multiple reactions but mostly:

  • YAaaaaaaas thank you, we agree so much. Also it helps to feel seen when I keep pointing out these points about questions, answers and learnings
  • This is something we need both at the org level and at the engineer level. This is where our tools are atrocious. And by that I also mean compilers and languages.

Go read it and ask questions and talk about it please.

https://hazelweakly.me/blog/redefining-observability/

Di4na, to random

Shower thought. If I accept Synopsys and Tidelift numbers, at least 50% of all the code running in apps out there is not only FOSS, but maintained by unpaid weekend warriors.

So probably on something like 1 to 2 engineer-hours a month.

This has massive implications. Among others, that to get enough funding to make sense in our current market for engineers, you would need to pay them to be idle most of the time. It creates a massive asymmetry in terms of bang for the buck against paying.

Di4na, to random

My thoughts on the whole Google "secure by design" thing.

Really cute. But also 1M? That is... a small team of engineers for a year. That is the value of Rust for Google. And they cite the amount multiple times as if it was worth praise!

And then they wonder why our digital infrastructure is mostly built and maintained by weekend warriors that are burning out.

It gets lonely in there.

Di4na, to random

The White House declared we have to be Memory Safe now!

So great! None of us had any idea!

Wait, but why is there no analysis of how we are still memory unsafe decades after the start of this yelling about it?

Let me re-share my answer to that crowd from a few months ago. I am definitely not bitter. Defo.

https://www.softwaremaxims.com/blog/memory-safety-end-history

Di4na, to random

I came to a realisation yesterday.

No one read the Roads and Bridges report in the FOSS advocacy world. They are all focused on end user FOSS applications.

None of them realised 80% of all apps are FOSS code. And no one seems to ask where it comes from.

We are legitimately infrastructure at this point, as no one realises we exist.

And we are crumbling under the maintenance. And we are not organised to change that. I have no solutions to offer.

Get loud, I guess.

Di4na, to random

Thanks to everyone at that came to tell me they appreciate my advocacy in the Policy devroom. And to everyone that let me talk and suffered my far too "in your face" worldview.

I hope this will start more discussion, and you can reach me here or in a plethora of other places.

Please don't hesitate to do it. We all talk of the visible FOSS, but we also need to talk of the 80% that is inside all these proprietary projects.

They are what we built our society on.

Di4na, to random

Redoing in case someone has a stash

If some of you are at today, I would happily appreciate a gift of a few 3M Auras.

Long story short, mine stayed at home due to complex reasons. And no, other masks will not work. I tested a lot of them for the past few years, all others seal badly on my face.

Di4na, (edited ) to random

If some of you are in tomorrow, I would happily appreciate a gift of a few 3M Auras.

Long story short, mine stayed at home due to complex reasons. And no, other masks will not work. I tested a lot of them for the past few years, all others seal badly on my face.

Di4na, to random

I pay for at least 3 streaming services. I am more than happy to buy DVDs, Blu-rays or digital versions of the shows and movies I want to watch.

And yet, I literally cannot find a good legal way to watch the shows I am interested in, in my country, except by "renting" a digital file. On a 4th totally different platform that only works on half of my machines.

Do I really have to pirate again, when I am ready to shell out hundreds of euros for a legit working copy?

What the flying horse?!?!
