Notices by LisPi (lispi314@udongein.xyz), page 10
-
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 06-Apr-2024 20:14:29 JST 
LisPi
@Di4na Considering we haven't even remotely begun to liberate the hardware which is at the root of our systems, I don't think we have won.
Software was only ever the easy part, and even there the corposcum monopolies and their legislator cronies are doing their best to limit the effective Freedom of users (consider the criminalization of interoperability and adversarial interoperability). That they derive most of their tools from our labor intended to liberate in order to oppress is just a sick and ironic joke (and the best we could do in retaliation is just sabotage with results of indiscriminate harm, a profoundly undesirable notion).
But even if we managed to pull things back into the control of the users and ensure their software systems actually *serve the user*?
At the moment, the majority of us do our computing on hardware where any Freedom that software grants us could be pulled under our feet a moment's notice, should some hitherto unknown backdoor or vulnerability (what's the difference?) be activated.
Battles have been won, the campaign moved forward, but we're *far* from being able to just shout victory. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 06-Apr-2024 07:31:12 JST
LisPi
@lanodan @trevorflowers @csolisr The problem with unions, at least here, is that they *also* often have paperwork red tape requirements. So they wouldn't meaningfully differ from government, and in fact might be worse since they often have harsher requirements on recency of employment, certification/license and whatnot. (Needless to say, there's a lot to fix.)
I think the overwhelming majority of people involved in stuff like I2P are pseudonymous, and for good reason since the project feels a fair bit more serious about traffic obfuscation than Tor. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 06-Apr-2024 07:11:31 JST
LisPi
@lanodan @trevorflowers @csolisr That has a number of flaws, but most particularly an insistence on papers.
A lot of Free Software programmers do *not* have the academic certifications and so on paper do not have the "professional competency" they actually have. In some cases, due to a variety of issues unrelated to monetary cost, they *cannot* acquire said certification either.
It is also an issue for Libre work on politically inconvenient technologies (though it is equally an issue with pseudonymous authorship of some investigative stuff), such that alternative acknowledgements of specialization/competence might also pose a risk by flagging one as a target for feds. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 06-Apr-2024 04:57:25 JST
LisPi
@Makura @yassie_j @halva Why is it even legal for some jackass to interfere with that? -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 06-Apr-2024 04:57:17 JST
LisPi
@Makura @halva @yassie_j No, I mean, the CEO should be exposed to criminal liability for interfering with legally-mandated work safety standards. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Thursday, 04-Apr-2024 13:08:49 JST
LisPi
@lanodan @niconiconi More like editor-librarians than just librarians. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Wednesday, 03-Apr-2024 13:19:29 JST
LisPi
@mia > - don't try to feel better by telling yourself others have it worse
Does that include comparing with oneself in terms of "it could be worse"? Both hypothetically and in knowledge of fact from having previously experienced said worse state? -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Wednesday, 03-Apr-2024 11:05:43 JST
LisPi
Bioconservatism is such a weird ideology.
"We must stay as we are because have always been this way (false). Progress is verboten. Change is verboten. Especially intentional change. Self-agency over one's physical form is verboten." -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Monday, 01-Apr-2024 13:28:53 JST
LisPi
https://github.com/systemd/systemd/pull/31550/files
I'm not seeing any way for a sysadmin to prevent the use of gratuitous dependencies without having to rebuild the whole program.
This is a pretty common problem with systemd-related programs, really.
Distro defaults don't mean I'm interested in keeping the same defaults. And switching out systemd with a custom build isn't as trivial as other programs where a bit of PATH shenanigans suffices (at least without breaking a lot of the package manager's stuff). -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Monday, 01-Apr-2024 10:12:06 JST
LisPi
@martin_ueding @glyph @AndresFreundTec @kirschwipfel > Sounds good. But some projects have a build stage which generates lots of things. Packagers for distributions need to up the needed environment and perform these steps. It seems much easier to use a provided artifact in these cases.
If you don't care about reliability, build-reproducibility and trustworthiness of your distro, sure.
> I think this attack is hard to defend against: An evil insider in the project with control over the code and artifacts.
Compromise of artifacts is a lot easier, you can ask the Linux Mint project about that.
> One could also hide malicious stuff in the code itself directly, in plain sight.
That requires a project with such awful code practices (accepting random unauditable blobs) that you'd hope the package maintainers would simply refuse to add it in the first place. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Monday, 01-Apr-2024 10:12:04 JST
LisPi
@glyph @AndresFreundTec That is true.
Binary artifacts have no business existing in Free Software (or near-binary considering how auditable pre-generated config scripts end-up being). The way it was compromised in this case is almost certain to have happened before and reminds me of the SourceForge malware debacle (so arguably that's another famous example of it happening before).
I"m not sure if many other projects do like Guix and record the checksum of the whole repository so as to ensure reproducibility purely from source. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Monday, 01-Apr-2024 10:12:02 JST
LisPi
@kirschwipfel @glyph @AndresFreundTec > If the packager chooses to use the official tarball as "the source", validating the checksum would not have helped. :-(
Unfortunately, yeah.
> Also whether it's always possible to run running autoreconf depends on the content of the tarball.
Of course if it isn't a C project then it probably isn't. If it is such a project, then one should have such tooling installed.
> Which brings me to the (preliminary) conclusion that we'd better use repos as source of trust
That is more sensible generally, as the history of an object and its belonging to a project is a reified (and verifiable) relationship under code versioning sytems, unlike arbitrary buckets of files. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Sunday, 31-Mar-2024 13:37:15 JST
LisPi
@esm Lisp Machines never died, we won. It was all just a nightmare. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Sunday, 31-Mar-2024 04:14:29 JST
LisPi
@lanodan @ipg @halva You don't have to make the core in C and there are quite a few self-hosted languages that don't.
Linux has a stable ABI for userspace (mostly), so it is possible to even do the whole thing from scratch and communicating directly with the system that way, skipping C entirely. In general instead such languages deem it simpler to make a C wrapper which can communicate with their own ABI instead. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 30-Mar-2024 13:03:24 JST
LisPi
@Suiseiseki There was a path-based execution vulnerability in Emacs for decades at some point, iirc. https://nvd.nist.gov/vuln/detail/CVE-2022-45939
https://www.technadu.com/dell-releases-fix-decades-old-vulnerability-affecting-100-million-pcs/272220/
First result on a search.
Neither of these compromised the functionality of the program noticeably to the users in the overwhelming majority of circumstances.
https://windowsreport.com/outlooks-decades-old-vulnerability-allowed-for-catastrophic-attacks-without-any-user-interaction/
And then there's this one. For what was once perceived as a flagship product (not some neglected thing everyone ignores).
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
Versatile.
So yeah, it is definitely a risk and the popularity of the project doesn't seem to prevent it from happening. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 30-Mar-2024 12:10:45 JST
LisPi
@Suiseiseki @snacks Or it is noticed at some unknown point by glowies, and the critical vulnerability it enabled only gets fixed decades later. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 30-Mar-2024 08:10:25 JST
LisPi
@lanodan @dfeldman @dalias Gross.
I sure hope there's a project ongoing to re-create the bootstrap chain then? -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 30-Mar-2024 08:03:59 JST
LisPi
@lanodan @dfeldman @dalias Huh, how the hell did that happen? -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 30-Mar-2024 07:56:58 JST
LisPi
@lanodan @dfeldman @dalias Looks like Mono isn't trustworthy then.
Incidentally, this is or was a major issue with Ada, the fact it can't (or couldn't) be bootstrapped without a prior Ada compiler. -
Embed this notice
LisPi (lispi314@udongein.xyz)'s status on Saturday, 30-Mar-2024 06:20:38 JST
LisPi
@a1ba @teidesu Free Software is not proof of the absence of malice. Proprietary Software/Malware however is proof of its presence.
It's a better point to start from.
All GNU social JP content and data are available under the