Notices by Matthew Garrett (mjg59@nondeterministic.computer), page 8

@Suiseiseki Software doesn't stop being software just because it's in ROM

@liw Imagine a Yubikey that understands TPM quotes and can blink an LED at you during boot to tell you your laptop is in the expected state

@liw I actually have a bunch of use cases for wanting to modify that, which pushes us into an interesting space

Yeah great ok the manufacturer also has no ability to patch my fridge but how does that help me this differentiation between software in ROM and software in flash is absolute bullshit, it's all software and it should all be free and modifiable

RMS printer moment, but it's about my fridge failing to run the ice maker fill tube heater for long enough so it freezes so the ice maker gets no water and makes no ice, but also the software controlling this is in ROM so the FSF says it's fine even though there's no way I can fix it even though I am entirely capable of reverse engineering and patching it otherwise

@ryanc was underneath the car, and prioritised not being there over pictures

BART deciding to make my day exciting by having some electrical component on my train car literally explode is not the vibe I was looking for

@GossiTheDog This is hilariously Northern Ireland (both the initial fuckup, but also the somewhat confused response of everyone else, including the journalist)

I never expected to have to be searching my mailbox for the term "cum-cum-cum-cum-cum" (yes, including hyphens), but this year continues to be full of surprises

Ludicrously long shot, but do I know anyone who knows anyone involved with whoever is running the att.net mail service? My address there bounces with an inscrutable 550, and it's linked to my AT&T account which makes things awkward

MAIL FROM: mjg59@srcf.ucam.org
250 2.1.0 mjg59@srcf.ucam.org... Sender ok
RCPT TO: mjg59@att.net
550 5.2.1 mjg59@att.net... blank mailhost - invalid address, relay=[176.126.240.207]

Hey Theo

There is a well defined process for how elections are run (https://opensource.org/about/board-of-directors/elections). This year, several candidates were removed from the election results for supposedly refusing to use proprietary software to sign the board agreement. The requirement to do so is not stated anywhere in the election process. The bylaws allow the board to ignore the will of the electorate, but removing candidates who didn't violate any election rules is just fucking ridiculous.

If the membership chose a candidate that the board refuses to appoint, the membership deserves to know that.

Like many nonprofits, membership of the @osi board of directors is technically down to the existing board choosing to appoint new directors. OSI "membership" (in the sense that donors can become "members" of the organisation) isn't a thing that's defined by the by-laws, it's a process that the directors have chosen to adopt. As such, the elections that members participate in are just guidance for the board's decisions, rather than anything they're obliged to respect.

Every semester I teach best practices around build pipelines, and every semester someone mentions SolarWinds, and if I, as a company, wanted to set up an entirely independent build pipeline that was entirely independent of the rest of my infrastructure and was managed by different people so I could build in two places and verify binary outputs were identical, how would I do that today? (Assume my build is already reproducible, let's not complicate things)

When Twitter launched encrypted DMs they were bad. They haven't improved. The person behind them is now a senior member of DOGE and getting appointed to the board of a government-backed mortgage giant: https://mjg59.dreamwidth.org/71188.html

Nobody is going to try to make money on a proprietary fork of an MIT Coreutils. Nobody is hiding their trade secrets there. This isn't the 80s.

What is a bigger issue is the more symbolic nature of things. People had the opportunity to pick a copyleft licence and chose not to. We can view this as an attack on copyleft (albeit one that's likely symbolic at best), or we can accept that the copyleft community has been doing a poor job winning the hearts and minds of new generations of developers

What Coreutils-adjacent GPL enforcement there has been centred around Busybox, a GPLed implementation of many POSIX and Unixish tools, commonly used in embedded devices. Busybox-related enforcement has been an effective tool in obtaining compliance, to the extent that it's been reimplemented under a permissive licence with the explicit goal of reducing enforcement risk. Coreutils has simply never been subject to enforcement in the same way, so there's no significant impact.

I'm a huge proponent of copyleft licensing, I'm in favour of using the GPL as a tool to ensure users have the ability to modify the software on their devices, and I'm just having trouble getting too worked up about the Rust reimplementation of Coreutils being MIT. Philosophically? Yeah, it sucks. Practical outcomes? Almost certainly none. The GPL violators aren't going to change coreutils implementation to avoid being sued, the FSF wasn't going to do that anyway

My god https://github.com/ArcaneNibble/i-cant-believe-its-not-webusb is an incredible hack but also I'm now wondering whether there ought to be a spec for devices to explicitly opt into WebUSB