GNU social JP
GNU social JP is a Japanese GNU social server.
    arcanicanis (arcanicanis@were.social)'s status on Tuesday, 16-Dec-2025 07:16:39 JST

    I have a different tilt on this subject, but I'll address the foreground points first:

    • Yes, FOSS is just as prone to supply chain attacks as proprietary software is, though I argue you still have more transparency than a proprietary project
    • OpenSSL had plenty of folks arguing the project was an unmanageable mess (for all the #ifdefs everywhere; sometimes even nested by several levels) long before Heartbleed, just nobody bothered to back any alternatives, I assume just because nobody'd back something "not as popular" as OpenSSL?
    • I hold plenty of spite with some of the PR around Signal, as well as sentiments by Moxie Marlinspike, or even the latest "but we 'NEED!' AWS, why can't people understand this..." cope post; but that's probably a separate dissertation entirely.
    • I have annoyances with the Signal client itself, of how rapidly they shove out updates (I assume bumping library versions, etc), that I doubt I'd have the patience to keep up, if I wanted to pull the fools game of completely picking it apart (and I doubt anyone defending it has audited it for themself).

    I just prefer small, minimalist solutions, and where libs are only imported unless absolutely necessary, and where there's not more risk in creating an ad-hoc in-house counterpart (e.g. I probably wouldn't trust myself to safely implement ECDSA sign/verify myself, maybe)

    Culturally the parts that piss me off with open source and free software (but not anything to make me forego or stop supporting it):

    • It's almost all about "free as in [free] beer" now, people generally don't care about the "freedom" part in it anymore. Corporate influences are also obviously trying to steer people away from free software licenses too.
    • A lot of big projects now are just effectively as indistinguishable from proprietary software in terms of modability. Even sh't web applications like Mastodon, as far as I understand, require a rebuild of the software just to change a favicon even, and sometimes made very specifically to prevent you from making deviations.
    • Much of it's in corporate style development practices, of such class-heavy design patterns, like the design patterns you'd use to dumb something down enough to throw at an army of code monkeys to chug through writing, rather than something focusing more on succinctness, minimalism, etc.
    • The "I'm going to shut off my brain, and import any lib, that solves my problem, without having to exert brain power". Cue the memes of someone importing a Nodejs module to uppercase/lowercase-transform text. This is the crap that exacerbates sourcing attacks, as aforementioned. It's even hilarious when people import something for a role, having zero idea of the capabilities of said thing. Wait a minute, you say Markdown supports inline arbitrary HTML? Surprise! You now probably have an XSS vulnerability you weren't expecting, because you didn't read the freaking tin.
    • The weird sort of monoculture that people try to force. People will actively try to talk you down over making a competing open source project, because "Z exists, it's already 'good enough', why are you bothering?" Same also with the herd mentality of people only clinging to whatever is "the most popular", viewing anyone that uses something else as weird, even if there's a broad divide where alternatives carry far more meritocratic value than the "most popular" option.

    BUT MOST IMPORTANTLY ABOVE ALL:

    How utterly, thoroughly, lazy and apathetic people are now to just writing any code at all (outside of career), and all the people that are so eager to be backseat project managers who probably have barely even written any code at all.

    The bar is so, SO low for anyone to start poking around with software development, but they don't.

    People may complain about some project lacking a feature or functionality, or some way to do something different, but they will NEVER ever take any actionable effort to actually do anything. They've uttered it, they've snapped their fingers at someone, and that's all the exertion they will do, ever.

    A high school aged kid in present time could trivially make a Discord replacement with video/voice WebRTC calling, with all the resources and existing backend tools that exist, pieced together, with a little bit of code glue here and there, but people don't. You might see one or two projects pop up (a la Revolt, etc), but everyone will just be sideliners, observing from the outside, but never take action themselves, but always armchair critique instead.

    I don't know if it's just the constant supply of all these VC startups with introductory "free" offers, that have made people so grossly entitled, to just sit back and expect everything to just 'appear' for them, with no effort, but it's depressing how unwilling people are to MAKE things anymore. e.g. I can find plenty of chats with protocol discussion, but no action on implementation, almost ever.


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.