Notices by Poul-Henning Kamp (bsdphk@fosstodon.org)

I am somewhat torn on bug-bounties, but we'll leave that for another day.

The combination of bug-bounties and AI generates a "make-money-fast" economic opportunity, at the cost of FOSS maintainers.

https://www.theregister.com/2025/05/07/curl_ai_bug_reports/

For the record: #VarnishCache does not pay out bug-bounties (even if we wanted to, we have no money) and this shit-show will certainly not make us start.

@SteveBellovin @hpk

Not to #bikeshed but...

In my experience asking "whom?" only works if the person you ask have a competent(-ish) threat-model, which no normal people do.

The implicit focus on intentionality also downplays the much more frequent accidental loss of control.

At least for me, it works better to ask what outcomes we are trying to avoid, and work through both the intentional, incidental and accidental scenarios that lead there.

Now is the time to throw away the prototype and implement changes which will work.

1. Full and unconditional product liability for all software.
2. Mandatory recalls of unsafe software products.
3. Mandatory open sourcing of all systemically important software. ("OS", not "FOSS")
4. Mandatory independent 3rd party review of all systemically important software.
5. Mandatory reporting to independent accident investigation authority, with law-given full access to all aspects.

2/2

@philpem

I think all connected software/hardware needs to have a timer and detach themselves from the net, if it is not reset by periodic software updates.

Mind you: "Detach from the net" not "stop functioning".

I understand why the "security industry" which feeds of the CVE register is upset about it's potential demise.

But let's face it: MITRE's CVE register was a prototype, built in a world where there were (only!) 231 known security vulnerabilities in total.

We have learned a lot from that prototype.

It has shown us how big the problem is, that the IT-industry will not and can not solve the problem, and how to accidentally create fertile ground for organized crime with good intentions.

1/2

@fivetonsflax @rfc1036

And to society it doesn't matter if the technologist doesn't use the right tool, right procedure or just doesn't bother.

The way society fixes that is: "You do this, you are liable for the consequences."

Check out EU's revised Product Liability Directive: The only reason they revised it, was to explicitly include software and cloud services.

After 2026, religion will be the only product without product liability.

@fivetonsflax @rfc1036

The reason we have what you call sneer of as "gatekeeping" in trades where people can get hurt, is because competence saves lives.

Do you also think passenger air transport has too much gatekeeping in who flies planes ?

Brain surgery ?

Running an oil refinery or nuclear reactor ?

Every country has "gatekeeping" on who can drive a motor vehicle on public roads.

And yes, the IT industry BADLY need more "gatekeeping".

Trump's tariffs on the rest of the world are not about money, imports or exports, and therefore economist can make no sense of them.

The tariffs are plain and simply bullying, no more, no less.

Their only purpose is to make everybody important come begging, hat in hand, forced to recognize the "power" of the bully.

"Nice business/country you have there, too bad if anything happened to it..."

The correct response is to take your business elsewhere.

@graydon @cstross

I am increasingly convinced we need a tax on stored data.

Even a little as 1$/MB/year would seriously change decisions about what is stored and how long it is stored.

It would also bring into light who holds how much data.

It's weird to find out that there are no traces left of a deci-famous CPU you spent a lot of time debugging at assembler level.

And really ?

Has nobody saved /any/ manuals for the CCI Power6/32 Tahoe computer which gave name to the 4.3BSD UNIX release ?

(Aka Unisys 7000/40, Harris HCX-9 etc.)

@karinjiri @fuzzykb

I've always felt it was a mistake that init(8) couldn't take care of this.

It should read a /etc/programs file and do pretty much exactly what it already does for /etc/ttys

This website asks what happened in 1971, showing a lot of graphs:

https://wtfhappenedin1971.com/

The answer is: Rich people started treating other people as things and focused only on money.

Your periodic reminder that #microsoft is not a competent or serious company:

https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

(@bagder is remarkably restrained in the quoted responses. I would have gone off the rails, but do not need to, because we decided on day one that #varnishcache would not run on Windows).

If you think that is not bad enough, read the Cyber Safety Review Board's report about the Microsoft Exchange clowncar:

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

@theregister

FreeBSD boots on the Lenovo T14s with a Snapdragon CPU as of yesterday :-)

@Ruth_Mottram

We probably had a narrow window, no more than three decades, to try to transform our western democracies into something ecologically sustainable.

But there were no short term profits in it, so we didn't.

As Brecht let Jenny sing in the finale:

"Erst kommt das Fressen, dann kommt die Moral."

Today US voters condemned any land less than 8 meters above sea level, world-wide, because they think junk-food has become too expensive.

2/2

@Ruth_Mottram

Personally I have no contingency plan in front of me, because this is not a deviation from the trajectory I expected.

Democracy only flourished X the costs of broad increases in standard of living could be externalized (ie: conquests, colonies, slaves, overfishing, pollution etc).

(I'm not sure if 'X' is "because" or "while" and that is only of academic interest anyway.)

In other words: Democracy seems to be a luxury item.

1/2

I wonder how many Europeans are staring at some document with "contingency plan" in the title right now...

I'm amazed that there has been zero coverage of this:

EU's new Product Liability Directive got voted through last thursday.

No later than two years from now, software, stand-alone, cloud or embedded are subject to "no-fault liability" (ie: doesn't matter how or why, only that it is defective.)

Here's the directive:

https://data.consilium.europa.eu/doc/document/PE-7-2024-INIT/en/pdf

Gentlemen, start your panic…

PS: Yes, there is a FOSS exemption, but only "outside commercial activity". (Ie: The guy in Nebraska but not RedHat)

Lots of common sense here...

https://www.theregister.com/2024/09/19/kelsey_hightower_civo/?td=rt-3a

@lina @thephd

Yes, I've seen lots of quality code written by people who tried to do so over the last 40 years.

But as I said: I have never seen a silver bullet hit.

Rust is absolutely a step forward, but it is not a silver bullet either.

And as I already said, I have nothing against it's use in FreeBSD.

The only thing I resist is wasting time and effort on importing it into the FreeBSD tree, just because we as a project have this "src or forget it" attitude.

1/2