Being less flippant about this - the xz backdoor relied on a line that was present in the tarball release, but not in the git repo. Do we have any infrastructure for validating this kind of thing? (It's expected that the tarball would contain things that aren't in git - for example, the configure script doesn't exist in git, but is expected to be in the release. The problem is that extra code was injected into the configure script after it was generated)
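An added example, not part of the post above: a POSIX shell check for exactly the gap it describes. It assumes three directories you have prepared yourself (names here are placeholders): a checkout of the tagged commit (for example `git archive` output), the unpacked release tarball, and a copy of the checkout after running the project's generator (for autotools, `autoreconf -fi`), plus an allowlist naming the generated files a release is expected to add but git does not track. Tracked files must be byte-identical to git; allowlisted generated files must be byte-identical to the regenerated copy; anything else in the tarball is flagged.

```shell
#!/bin/sh
# Added example (not from the original post): compare an unpacked release
# tarball against the git tree it claims to come from.
#
#   check_release_tree GIT_DIR TARBALL_DIR REGEN_DIR ALLOWLIST
#
# GIT_DIR     checkout of the tagged commit (e.g. `git archive` output)
# TARBALL_DIR the unpacked release tarball
# REGEN_DIR   a copy of GIT_DIR after running the project's generator
#             (e.g. `autoreconf -fi`), so generated files have a reference
# ALLOWLIST   file listing, one path per line, the generated files that are
#             expected in the tarball but absent from git (e.g. configure)
#
# Prints one finding per line and returns 1 if there are any, 0 if clean:
#   MODIFIED f           tracked file differs from git
#   GENERATED-DIFFERS f  allowlisted generated file differs from the regenerated copy
#   UNREGENERATED f      allowlisted file with nothing in REGEN_DIR to compare against
#   UNEXPECTED f         file in the tarball that is neither in git nor allowlisted
#   MISSING f            file in git that the tarball dropped (informational)

list_files() {
  # Relative paths of all regular files under $1, skipping .git, sorted.
  ( cd "$1" && find . -name .git -prune -o -type f -print ) \
    | sed 's|^\./||' | LC_ALL=C sort
}

check_release_tree() {
  git_dir=$1; tar_dir=$2; regen_dir=$3; allow=$4
  findings=$(
    # Every file shipped in the tarball must be explained by git or the allowlist.
    list_files "$tar_dir" | while IFS= read -r f; do
      if [ -f "$git_dir/$f" ]; then
        cmp -s "$git_dir/$f" "$tar_dir/$f" || echo "MODIFIED $f"
      elif grep -qxF -- "$f" "$allow"; then
        # Expected generated file: the release copy must match what the
        # generator produces, which is what catches code appended to configure.
        if [ -f "$regen_dir/$f" ]; then
          cmp -s "$regen_dir/$f" "$tar_dir/$f" || echo "GENERATED-DIFFERS $f"
        else
          echo "UNREGENERATED $f"
        fi
      else
        echo "UNEXPECTED $f"
      fi
    done
    # Tracked files the tarball left out, for completeness.
    list_files "$git_dir" | while IFS= read -r f; do
      [ -f "$tar_dir/$f" ] || echo "MISSING $f"
    done
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Run directly as a script: check_release_tree.sh GIT_DIR TARBALL_DIR REGEN_DIR ALLOWLIST
if [ "$#" -eq 4 ]; then
  check_release_tree "$@"
fi
```

The comparison of generated files is only as good as REGEN_DIR: autotools output depends on the exact autoconf, automake, libtool and gettext versions installed, so the regeneration has to be done with the toolchain the maintainer used or the check fills up with version noise. A difference in a generated file that cannot be explained by a toolchain version change is the finding.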
Notices by Matthew Garrett (mjg59@nondeterministic.computer), page 3

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Saturday, 30-Mar-2024 06:36:42 JST

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Saturday, 30-Mar-2024 05:14:01 JST
Just finished writing my lengthy paper on how "Many eyes make all bugs shallow", time to check what's happening on the internet today

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Tuesday, 26-Mar-2024 14:45:51 JST
@trdebunked That is a take I hadn't really considered, thank you!

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Tuesday, 26-Mar-2024 14:45:45 JST
@trdebunked I think the obvious response there is just how much free software ended up depending on GNU behaviour (be that libc, gcc, or even somewhat more arguably Linux)

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Tuesday, 26-Mar-2024 14:45:36 JST
@trdebunked I think it's interesting tying this into the "systemd isn't really free software because it's so complicated" kind of argument. Free software is never going to be equivalently free for everyone - people who can code enjoy more freedom than people who can't (unless they have enough money to pay someone to do it). Where do boundaries get drawn?

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Tuesday, 26-Mar-2024 14:45:34 JST
@trdebunked (I don't think LLM models are inherently non-free - if someone supplied all the tools and the training data someone could rebuild that, the problem is that it would be implausibly expensive for most people to do so, but again that's not something that's been factored into the free software definition)

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Tuesday, 26-Mar-2024 14:22:07 JST
@trdebunked I completely agree there, you're pushing a free idea into an opaque blob in order to receive free code. But free software as defined in the 80s was fine with opaque compilers, and I don't think anything ever happened to expressly redefine that

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Monday, 25-Mar-2024 18:05:59 JST
@RoganDawes @ryanc There's not really a problem in the banner exchange - the client won't initiate key exchange until it's consumed the banner, so no matter who speaks first it could send a different packet type if the server had sent a signal in the banner

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Monday, 25-Mar-2024 10:32:17 JST
Is there a reason ssh doesn't support including server name in the handshake before key exchange so it can be proxied to the actual host via a single IP? I know you can make this work with proxycommand, it just seems like a weird absence in the protocol

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Monday, 25-Mar-2024 10:22:08 JST
@ryanc Looking at the RFC it sounds like the server is allowed to send additional information in the connection - a client that understood this would presumably be able to alter its behaviour (e.g., send a desired hostname, get connected to the appropriate backend, re-start negotiation)?

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Monday, 25-Mar-2024 10:21:11 JST
@ryanc Oh hmm is this a "If we send any sort of extension packet here existing clients will break" situation?

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Sunday, 24-Mar-2024 16:40:44 JST
Being a middle aged homeowner means getting unreasonably excited about finally replacing all those 4000K recessed bulbs with something a touch warmer

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Wednesday, 20-Mar-2024 19:49:08 JST
Yo I've got a PhD in genetics from Cambridge and on the off-chance you need it I give you permission to say that Dawkins is a hack

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Wednesday, 20-Mar-2024 19:22:54 JST
If you're standing there facing people and thinking "They're not going to care about what I have to say" remember that a committee of people who know what the audience is interested in has already decided that the audience is interested in what you have to say

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Wednesday, 20-Mar-2024 19:22:54 JST
The first real conference talk I gave was on a large stage and I was timetabled against the first public presentation of d-bus and it was a community I had no real prior experience with and yeah it was fucking terrifying but I promise it does get easier

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Wednesday, 13-Mar-2024 03:34:40 JST
RIP to everyone killed by the borrow checker for their hubris but I'm different. And better. Maybe even better than the borrow checker

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Thursday, 29-Feb-2024 11:51:57 JST
@sil I think this is an extremely interesting answer! From the FSF definition we assert that the source code alone is sufficient to understand, but in this hypothetical english→binary compiler we don't necessarily believe the english is sufficient because we don't know what happens next. Why doesn't this apply in existing languages?

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Thursday, 29-Feb-2024 11:51:41 JST
@sil That's a strong argument, but what if we had a deterministically trained LLM with only free software inputs?

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Thursday, 29-Feb-2024 06:10:39 JST
I have, for a number of reasons, seen a shitload of proprietary source code. Am I disqualified from writing free software because I might incorporate some of the concepts from that proprietary code into my allegedly free software?

Matthew Garrett (mjg59@nondeterministic.computer)'s status on Wednesday, 28-Feb-2024 20:42:17 JST
@tante What if we also had a model that could take a binary generated in this way and give you the prompt that generated the output?