Notices by Poul-Henning Kamp (bsdphk@fosstodon.org)

@chrisvest

Yes, not a bad one either.

But "alternative" malloc implementations need people to actively decide to use them, which is reactive to some specific problem.

phkmalloc, by being OS default, meant the 10K+ ports collection got exposed to it.

I remember only one or two "Bah!, FreeBSD is broken watch me not care!" upstream reactions, everybody else went "Ohh, I guess everybody but FreeBSD are unsafe!" and fixed the reported bugs.

Some even said thanks :-)

@pitrh

Wait, I know the answer to this one:

Lennart Poettering.

Right ?

@chrisvest

I guess I have to send him a laminated membership card to the Retired FreeBSD malloc Maintainers Association now ?

https://phk.freebsd.dk/sagas/phkmalloc/

@david_chisnall

I thought "maybe later" is what the creep say right after he has slipped the drug into her drink ?

#FreeBSD 14.3 is out, and first system already upgraded (painlessly).

https://www.freebsd.org/releases/14.3R/announce/

Tip o' the hat to @cperciva

Dont use DNS over HTTPS:

https://www.bsdhowto.ch/doh.html

Couldn't agree more.

I am somewhat torn on bug-bounties, but we'll leave that for another day.

The combination of bug-bounties and AI generates a "make-money-fast" economic opportunity, at the cost of FOSS maintainers.

https://www.theregister.com/2025/05/07/curl_ai_bug_reports/

For the record: #VarnishCache does not pay out bug-bounties (even if we wanted to, we have no money) and this shit-show will certainly not make us start.

@SteveBellovin @hpk

Not to #bikeshed but...

In my experience asking "whom?" only works if the person you ask have a competent(-ish) threat-model, which no normal people do.

The implicit focus on intentionality also downplays the much more frequent accidental loss of control.

At least for me, it works better to ask what outcomes we are trying to avoid, and work through both the intentional, incidental and accidental scenarios that lead there.

Now is the time to throw away the prototype and implement changes which will work.

1. Full and unconditional product liability for all software.
2. Mandatory recalls of unsafe software products.
3. Mandatory open sourcing of all systemically important software. ("OS", not "FOSS")
4. Mandatory independent 3rd party review of all systemically important software.
5. Mandatory reporting to independent accident investigation authority, with law-given full access to all aspects.

2/2

@philpem

I think all connected software/hardware needs to have a timer and detach themselves from the net, if it is not reset by periodic software updates.

Mind you: "Detach from the net" not "stop functioning".

I understand why the "security industry" which feeds of the CVE register is upset about it's potential demise.

But let's face it: MITRE's CVE register was a prototype, built in a world where there were (only!) 231 known security vulnerabilities in total.

We have learned a lot from that prototype.

It has shown us how big the problem is, that the IT-industry will not and can not solve the problem, and how to accidentally create fertile ground for organized crime with good intentions.

1/2

@fivetonsflax @rfc1036

And to society it doesn't matter if the technologist doesn't use the right tool, right procedure or just doesn't bother.

The way society fixes that is: "You do this, you are liable for the consequences."

Check out EU's revised Product Liability Directive: The only reason they revised it, was to explicitly include software and cloud services.

After 2026, religion will be the only product without product liability.

@fivetonsflax @rfc1036

The reason we have what you call sneer of as "gatekeeping" in trades where people can get hurt, is because competence saves lives.

Do you also think passenger air transport has too much gatekeeping in who flies planes ?

Brain surgery ?

Running an oil refinery or nuclear reactor ?

Every country has "gatekeeping" on who can drive a motor vehicle on public roads.

And yes, the IT industry BADLY need more "gatekeeping".

Trump's tariffs on the rest of the world are not about money, imports or exports, and therefore economist can make no sense of them.

The tariffs are plain and simply bullying, no more, no less.

Their only purpose is to make everybody important come begging, hat in hand, forced to recognize the "power" of the bully.

"Nice business/country you have there, too bad if anything happened to it..."

The correct response is to take your business elsewhere.

@graydon @cstross

I am increasingly convinced we need a tax on stored data.

Even a little as 1$/MB/year would seriously change decisions about what is stored and how long it is stored.

It would also bring into light who holds how much data.

It's weird to find out that there are no traces left of a deci-famous CPU you spent a lot of time debugging at assembler level.

And really ?

Has nobody saved /any/ manuals for the CCI Power6/32 Tahoe computer which gave name to the 4.3BSD UNIX release ?

(Aka Unisys 7000/40, Harris HCX-9 etc.)

@karinjiri @fuzzykb

I've always felt it was a mistake that init(8) couldn't take care of this.

It should read a /etc/programs file and do pretty much exactly what it already does for /etc/ttys

This website asks what happened in 1971, showing a lot of graphs:

https://wtfhappenedin1971.com/

The answer is: Rich people started treating other people as things and focused only on money.

Your periodic reminder that #microsoft is not a competent or serious company:

https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

(@bagder is remarkably restrained in the quoted responses. I would have gone off the rails, but do not need to, because we decided on day one that #varnishcache would not run on Windows).

If you think that is not bad enough, read the Cyber Safety Review Board's report about the Microsoft Exchange clowncar:

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

@theregister

FreeBSD boots on the Lenovo T14s with a Snapdragon CPU as of yesterday :-)