Notices by David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)

@winterschon

the same applies to so many package managers, I

The one that still always bites me on Debian-based systems is that apt install and apt upgrade do not imply apt update. So they will try doing the thing with a stale snapshot of the state of the remote repository. Often this means it will install the five packages that haven't been updated and then notice that the sixth doesn't exist (it was replaced with a newer version) and fail in the middle of modifying my system.

Conversely, this is two of my favourite features of FreeBSD's pkg. First, any operation that involves the remote repo implies pkg update (this doesn't always help. One time I forgot I had done pkg upgrade and then came back two days later after a new package set had been deployed), so it always starts from a plausible state. Second, it has a separate fetch and install phase, so will not start installing until it has a consistent snapshot of packages that it needs, so if the package repo changes in the middle, you don't end up having to uninstall packages that were installed but are now the wrong version.

@winterschon One of the things that makes me believe the systemd people are not serious is that they decided to turn the noun-verb interface of service into a verb-noun interface in systemctl, in spite of decades of HCI research telling them to do the opposite.

I would be a much happier person if I could spend 10% less of my life not saying to people 'Please don't do the obviously stupid thing, it will cause long-term problems that are avoidable by simply not doing the thing, or, ideally, by doing a less-stupid thing'.

Why do web browsers not include breathalysers?

@gwynnion

I want my browser to be a user agent. The thing that extends the agency of the user to their interaction with a remote system. That's basically the opposite of what any 'AI' integration does.

We want to grow our economy. I know, let's listen to companies that keep laying off thousands of employees! They'll be experts in job creation!

UK Labour Party strategy, as far as I can tell.

Our 2015 #CHERI paper won the Test of Time Award at IEEE Security and Privacy today!

Back then, CHERI capabilities were 256 bits (for a 64-bit address space) and were only just usable as C pointers. We didn’t have the pure-capability ABI properly supported in the compiler and were mostly using explicit annotations. Oh, and the prototype was still using MIPS.

CHERI has come a long way since then!

Oh, and back then we thought 15 authors on a paper was a lot!

(They told us a while ago but it was embargoed until the official announcement)

@lproven @theregister

But if you're not interested in running Docker containers on your storage server, or you don't want to integrate your storage with your Kubernetes clusters, there's good news: zVault has picked up the final FreeBSD version of TrueNAS CORE.

Note that you can run FreeBSD Docker / OCI containers on zVault with Podman or containerd. And many Linux ones, if they work in the Linuxulator.

I hope we'll have a bhyve shim soon so that it's also possible to run Linux containers in a VM with the storage exported from the host (so ZFS clones and so on, but shared over VirtIO-FS rather than nullfs mounts).

@ariadne

I really struggle to understand the motivation for things like Flatpack. As I understand it, the train of thought is something like:

1. Shipping up-to-date software is hard.
2. When a security update in a library comes out, we need to update everything that depends on it.
3. This requires effort and is an intrinsically hard problem.
4. Let’s make it a distributed system where everyone has to do the work independently and no one gets to benefit from amortising the effort!
5. ???
6. Easy software distribution!

@w7voa That’s the wrong headline. Their party affiliation doesn’t matter. The executive is threatening to arrest members of the legislature for doing their jobs. That is a direct attack on the independence of the legislature, not a partisan issue. It should be immediate grounds for impeachment.

@ChrisMayLA6 The only reason I didn't 'buy the dips' is that I don't think he's sufficiently competent to do market manipulation. The dips will be where he expects, but I don't think the recovery will be.

@drahardja I read elsewhere that the margin call comes when the stock price hits around 140 (144?). It's currently more than double that, at 298. The lowest it got since the takedown effort was around 220. It's really not clear who is still buying TSLA: presumably people with a vested interest in propping up Musk personally rather than people who think the company has a future.

@drahardja I certainly hope so. Currently it's up 35% above a week or so ago.

Stock prices normally reflect the company's fundamentals eventually, but, as John Maynard Keynes said:

Markets can remain irrational longer than you can remain solvent.

This works in both directions: a stock can remain overvalued for a long time.

Buying Tesla stock isn't just a way of investing in the company, it's also a way of buying favour with Musk. As long as he is shadow President, there are going to be a lot of people (Russian and Chinese governments, for example, as well as wealthy individuals) who are happy to throw a few billion at the stock in exchange for influence with Musk. And guess who just gutted the SEC?

@drahardja Fingers crossed!

I did read today that a big pension fund voted yesterday to ban their fund managers from buying any more TSLA because they don't think it's long-term viable. They're not dumping yet, but they probably want to sell slowly to avoid tanking their value while they do. Hopefully others will start to follow soon.

@ryanc So, C?

@patrickcmiller

Judge Vince Chhabria pushed back on Meta attorneys arguing that the company's Llama AI models posed no threat to authors in their markets

Even if this were 100% true, it doesn't matter. The DMCA established statutory damages in addition to actual damages for copyright infringement. You don't have to show that you lost money as a result of copyright infringement, only that the infringement occurred. I'm not a fan of this, given how it's been abused, but if the law is going to be enforced against poor people it should be enforced against multi-billion-dollar corporations.

The argument that I'd love to see them make is that training a neural network is a form of lossy compression (they can easily find expert witnesses to testify this). If training a neural network is not copyright infringement then a camera recording of a cinema is not and neither is creating an H.264 rip of a DVD. And that's really not a precedent anyone wants to set.

@aeva

It's been over 20 years since audio made me switch from Linux to FreeBSD.

The new version of OSS is proprietary, what shall we do?

FreeBSD: Well, the old version is still BSDL, I guess we'll just fork it and add low-latency in-kernel sound mixing and extend it with the features OSS 4 added.

Linux: Rip that stuff out of the kernel and replace it with ALSA, which doesn't do software mixing in the kernel at all!

KDE: Wait, now two apps can't go 'ping' on Linux. Let's write a sound daemon.

GNOME: Wait, now two apps can't go 'ping' on Linux. Let's write a sound daemon.

KDE and GNOME: Oh, now KDE and GNOME apps can't go 'ping' at the same time. I guess we should agree on some standards.

PulseAudio: Hi everyone! I have come to save you from the perils of usable sound! But now you can have sound move from your speakers to USB headphones when you plug them in! Maybe! If you get the config right.

Everyone: Nooo, someone let Lennart Poettering write some code! We're doomed!

Hans Petter Selasky: Wait, that thing with moving audio sounds useful. Rewriting all of your software to do it? Less so. *Writes virtual_oss to provide a layer that lets you send audio to USB devices with userspace drivers or to different in-kernel devices*.

PipeWire: Okay everyone, we can all agree PulseAudio was a bad idea, but we've rewritten all of the code and have a migration path. I guess we're good now?

FreeBSD: Curses, hps just died. I guess he won't be fixing all the things anymore. We'll need to start maintaining virtual_oss and integrate it with the base system. Should probably also fix a bunch of issues in the kernel drivers and make sure low-latency sound mixing is reliable and robust with new hardware. By the way, software that you wrote 20+ years ago still works fine with the kernel and userspace drivers and has low-latency mixing.

Does anyone still click on links to YouTube? If I wanted to be bombarded by ads, I'd move to the USA and buy a TV.

I remain confused by the 'it's not a Nazi salute, it's a Roman salute' defence. Oh, sorry, I didn't mean to associate you with a genocidal imperial regime that put people in death camps, when you actually meant to be associated with the genocidal imperial regime built on slavery that just murdered people without transporting them anywhere first and then enslaved their families. My mistake?

@whitequark I use Vivado on a Mac using Docker and Rosetta with a load of LD_PRELOAD things to stop it crashing on launch. Is there a non-cursed way of running this nightmare of a program?