setuid root screen is a gift that just keeps on giving…
#CVE #CVE_2025_23395 #InfoSec #Linux #OpenSource
https://security.opensuse.org/2025/05/12/screen-security-issues.html
@zacchiro @jwildeboer I came here to say this. You don’t have to agree to the other licenses as a contributor. You just have to license your contribution in a way that Redis has the rights needed to use them as sub-licenses.
Contributors that license their contributions under MIT or BSD should not find this objectionable. Contributors that mindfully choose AGPLv3 to advance software freedom likely object.
But sadly few contributors make that mindful choice.
@jwildeboer @zacchiro indeed, it has not been BSD for some time, which is why Valkey exists.
My only point is that too often I see outrage from contributors who submitted code under MIT or BSD terms, perhaps following inbound=outbound licensing practices for a project, when their contributions are “taken” and made proprietary through a new restrictive license.
They don’t realize they gave _all_ permission to do that with their choice of license.
@GossiTheDog but do they need to be?
How many of them need to be actively managed in a globally coordinated way?
Should every organization attempt to interpret the information present in CVEs, and the CVE information ecosystem _directly_?
I frequently grump about what the #CVE system has become in practice. Folks may think that I’m not a proponent of the program. That’s not true at all. I’m an advocate for it, and for all those who pour their time and talent into it (often voluntarily).
But, IMO it is an overstatement to say that a CVE is a critical element in coordinating response to emerging vulnerabilities like heartbleed or log4shell. Embargoed critical vulns are rarely identified with CVEs among defenders.
Reflecting tonight on the #CVE program, all it has given us, and how frustrated I’ve been because of what it does, and what it fails to do.
Unfortunately there is no point in claiming that the purpose of a system is to do what it constantly fails to do…
I’m actually quite OK with this.
The broader community is very good at detecting situations like these as damage, and routing around.
Just like the Internet. Right?
We had public disclosure and known vulnerability databases before CVE. And nothing is stopping those who have a shared need from coming together to fill a vacuum…
#cve
This is what the #CVE and CPE system does.
We can choose to make the system different.
https://github.com/madler/zlib/issues/868#issuecomment-2807804350
When you choose to use a #FOSS license like BSD-3, you are choosing an asymmetrical benefit relationship.
Others can “take without giving back” and there is nothing fundamentally wrong with that.
For example see the CRC64 performance improvements in #Redis copied from #Valkey.
@hyc Speaking (only for myself) as someone who refused to use the "open source" term for a very long time, "giving back" isn't part of the bargain from my point of view.
To me, Free Software means that you can privately use the software however you'd like with no obligations "back" to the original author. Non-private use has limited obligations.
If you want to *protect* and *propagate* those freedoms for *others* (farther downstream), use a copyleft license.
So I deactivated my account on that other social media site with a one letter name.
This article by @anna speaks to me.
"I speak the language of technology—and if you're reading this, there's a high chance you do too. We're living bridges of domains mysterious and unknown to many, domains that make and will continue to make a difference in the scale of oppression and horrors being spread and perpetuated into the world. What you do with that capacity and that knowledge can mean the difference between life and death. Use it to empower others."
@jbzfn no, they aren’t “abusing” anything.
And, naturally, FreeBSD uses a BSD license, not MIT as the post claims…
"A community of scholars should not have to build walls as high as the sky to protect a reasonable expectation of privacy [msw: or 'security'], particularly when such walls will equally impede the free flow of information.
There is a reasonable trust between scholars in the pursuit of knowledge, a trust upon which the users of the Internet have relied for many years.
This policy of trust has yielded significant benefits to the computer science community and, through the contributions of that community, to the world at large.
Violations of such a trust cannot be condoned. Even if there are unintended side benefits, which is arguable, there is a greater loss to the community as a whole."
- The Cornell Commission: On Morris and the Worm
Given the latest attack on the Internet through persistent threat actors via xz-utils, what demands will be placed on the community of scholars (including Free and Open Source software developers) that build the software we all use and enjoy as digital public goods?
Will they be "walls as high as the skies?"
I don't speak for either community effort, though I've been freely sharing my personal opinions with both efforts. 😅
I wouldn't advise going with the CNCF unless you're happy with the policies that are already established (including the IP policy and project incubation / graduation process).
I can't see how those policies and practices are a good fit for either community.
@michael @msw I will place my bet on the project that attracts the most previously active contributors. Personally speaking I don’t think Drew’s fork will be it.
Wow, what an overwhelming community response in this PR. It is not a surprise when something like #Redis has become so loved by its community. There’s a clear sentiment that with this change it has been taken away.
I encourage folks to support #OpenSource maintainers who were doing the hard work as individuals. They didn’t ask for any of this disruption in their lives. They exist and their efforts matter.
#FOSS #OSS #FreeSoftware
https://github.com/redis/redis/pull/13157#issuecomment-2014355620
@ariadne @ocdtrekkie @theuni @schmittlauch @wwahammy @scott @msw @Atemu for the avoidance of doubt: Amazon is very clearly not an “open source company” and its branding has never claimed to be.
Socio-technical Systems Engineer at #Amazon | Free and Open Source (#FOSS) Advocate | he/him/they/them | Opinions: my own
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.