Notices by Red Rozenglass (rozenglass@fedi.dreamscape.link)
-
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Saturday, 31-May-2025 02:58:50 JST 
Red Rozenglass
@wolf480pl@mstdn.io @josemanuel@qoto.org @Suiseiseki@freesoftwareextremist.com I enjoy freedom, and I'm grateful for the work of GNU volunteers, but the number of instructions executed to run true is 146,925 instructions, doing 67 syscalls. To be fair, a lot of this is due to dynamic linking and glibc C runtime initialization, which is standard on most GNU systems. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Saturday, 10-May-2025 11:56:45 JST
Red Rozenglass
@ActuallyAubrey@void.lgbt if you close your eyes and listen, deep deep in there, in the softest undertones of this world's song, you can hear it. it whispers to you: you are loved, aubrey, all of you. the parts you're proud of, and you will grow, the weaknesses you detest, and will overcome, the lessons you will learn, the stories you will tell; everything about you, a message, you, the medium: love abound, for you, for the world, for all.
you exist aubrey, /you/.
this is the greatest love,
you only need listen.
the ethereal wired carry those words for you, aubrey, from the other side of this blue world, through waves of magical light, over great skies, and under vast oceans, and across hundreds of blinking clicking sleepless machines; a prayer that those words may reach you, a prayer by someone who, perhaps, really cares: @tjhexf@transfem.social -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Wednesday, 07-May-2025 17:59:26 JST
Red Rozenglass
@expergetech@labyrinth.zone @chjara@akko.wtf @lanodan@queer.hacktivis.me @erincandescent@erincandescent.net @alina@girldick.gay We have only one way to write it in Arabic really, letter-wise: محمد. The problem in transliteration comes from Arabic's diacritics (Harakat) system, those are optional short vowels that you may write for clarity, but you don't have to, because fluent Arab people just "know" by intuition / osmosis / grammar rules and roots of words, but novice Arab learners or foreigners would barely register the difference in the sounds sometimes, let alone be able to guess the right diacritics.
There's only one set of correct Harakat for the name: مُحَمَّد. But, if you drop some of those vowels, because they are optional, a novice Arabic learner would likely be confused. So, that's how you get all that variety of names, depending on what's dropped and not guessed correctly. For example, double 'mm' vs single 'm', they missed Al-Shad'dah[1], which roughly doubles the sounds of the consonant under it. Ending with 'ed' instead of 'ad', they mistook the Al-Fat'hah[2] (angled dash on top of the letter), with Al-Kasrah[3] (angled dash under the letter).
Now, imagine this happening for each possible combination of the five diacritics, while being interpreted by many different chains of dozens and dozens of other languages; Turkish, Farsi, various European languages, Chinese, and all other countries where Muslims have been, and it would be surprising why there isn't even more ways to write that name (there are :D).
The closest way to sound it right, in English, in my opinion, is Muhammad. Note also that there are /different names/ that sound close, like Mahmoud and Hamad, and that probably adds to the confusion of non-fluent speakers (think Jane, Janet, etc.).
Fun fact, Muhammad is apparently the most popular boy name on the planet o.o
[1]: https://en.wikipedia.org/wiki/Shaddah
[2]: https://en.wikipedia.org/wiki/Arabic_diacritics#Fat%E1%B8%A5ah
[3]: https://en.wikipedia.org/wiki/Arabic_diacritics#Kasrah -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Tuesday, 06-May-2025 19:52:05 JST
Red Rozenglass
Hando's block list is beautifully diverse. People from all over the world, of all countries and all backgrounds, from the most radical leftist to the most radical rightist, and from the most radical third-positionist to the most radical inter-dimensionalist, furry lovers, trad-wife lovers, the ultra gay and the ultra just-a-little-bit-gay, all united in being blocked for loli.
Ah fedi, you never disappoint. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Tuesday, 06-May-2025 05:49:35 JST
Red Rozenglass
@lain@lain.com @ElDeadKennedy@shitposter.world In coat's / jacket's / suit's inner pocket. Or, lacking the reasonable options, in pants' right side pocket. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Tuesday, 06-May-2025 05:44:36 JST
Red Rozenglass
@lain@lain.com I tried to carry a wallet because the wife got me one, I then proceeded to lose it within a few weeks, with IDs and money and other important stuff. I think the wallet most likely fell off my pocket in a park. Never lost stuff before a wallet, never lost again after a wallet. Wallet bad.
I instead put things in different pockets in my pants and jacket, based on importance and access frequency. Small money bills, note-paper, pen, to low importance pockets, IDs or big money, in high importance pocket. Almost never touch high importance pockets, so things in them never get lost.
Wallet made me practically pull out every important thing I'm carrying when all I wanted was small change. Maybe the solution is to carry multiple wallets, but I'm too traumatized to even try again. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Sunday, 04-May-2025 21:06:29 JST
Red Rozenglass
@VIPPER@new.asbestos.cafe @david@pl.dav1d.lol @Suiseiseki@freesoftwareextremist.com
>Read Only Memory >hack around.
The OS storage /is/ read-only, in almost all phones I had the displeasure of using. You have to use "security exploits" to work around that, "unlocking the bootloader", then write a minor "recovery" image to a different partition, boot from that, then overwrite the OS partition. ROM is a popular term to describe Android OS images, but you're right, even though it is popular to call them that, it is traditionally wrong.
Replicant with the modem disabled
Without a cellular connection, nor internet access on the go, I fail to see the point of a "phone" other than being a small ARM computer but with terrible software development ergonomics, that sits somewhere under my desk, connected through wired adb to my desktop machine, and on which I run minor ARM software experiments... which is what I do right now :)
I do not have a tracking device for government or bank related proprietary malware.
I don't live in the land of the free. In my case it is sadly not optional. I live under a peculiar political situation, and without a phone I could easily end up detained or worse. Putting it aside and not using it every day is the best I can do, as far as I can see. Some people of similar situations to mine have to scan their fingerprints on their phones while enabling GPS location tracking, so the government can confirm their exact location at any time. I thankfully, only have to respond to phone notifications, SMS, and calls.
If you run the malware in the end anyway, humanity loses.
I agree. Keep fighting the good fight, friend. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Sunday, 04-May-2025 18:56:57 JST
Red Rozenglass
@VIPPER@new.asbestos.cafe @david@pl.dav1d.lol @Suiseiseki@freesoftwareextremist.com
I use a GNU/Phone.
I use paper, it's more than enough. I used to hack around Android ROMs, trying to get more freedom, but I realized that it's a fool's errand, we're tracked and spied on anyway, no matter what ROM you use. I haven't used Android for years, then I used it again a bit more, but then dropped it again for almost a year now, and I'm very content. Peace of mind is worth all the "features". I have a device with a free-ish ROM that I don't take with me anywhere, and access only through adb / scrcpy, to do some government / bank related stuff that can't be done without a stupid phone. And people's expectations around me (family and work) are adjusted by now, they know I don't respond if I'm not at home (using my computer). -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Wednesday, 30-Apr-2025 16:30:50 JST
Red Rozenglass
@SuperSnekFriend@poa.st @Suiseiseki@freesoftwareextremist.com An operating system that includes a lot of free / open-source software, like OpenSSL, Bash, Vi, in addition to an "open-source" kernel, but also includes some closed-source proprietary software in some core parts of the operating system, to improve the user-experience. The direction of development of the OS is mostly driven by corporate interest, funding, and development resources, with the primary goal of reliably satisfying professional users in corporate settings. Is the OS in question:
[ ] OSX
[ ] Debian
[ ] RHEL
[ ] All of the above
If the line is to be drawn, where would it be? Includes proprietary software in the default install is a clear and unambiguous cut, but goes against the hivemind PR of the "Linux development community", who are getting brainwashed little by little into accepting more and more, not seeing Theseus ship changing around them.
The conversation can be had whether having /some/ firmware blobs installed by the OS automatically is not /too/ bad, or that it should be made easier for the user to install them if they wish to harm their freedom, but that doesn't mean the words are suddenly muddy and mean nothing. Free software, really means having the freedom.
I mourn the Debian project, what remains is a zombie wearing its skin. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Wednesday, 30-Apr-2025 16:30:47 JST
Red Rozenglass
@Suiseiseki@freesoftwareextremist.com @wowaname@freesoftwareextremist.com @SuperSnekFriend@poa.st
also i flat-out disagree with you that free software includes the freedom to use proprietary software.
don't overload what "free software" already means, please.
I wasn't arguing for this, but the opposite; I prefer the sharp definition of "free software". But I can see how "Free software, really means having the freedom" in my previous message can potentially be interpreted both way, my bad.
makes a compelling argument that anything made legally downloadable is implicitly "yours" by nature of how the web works
Breakout the reverse engineering toolkit,
and all software is free software >:3
Patched Final Fantasy VI ROMs, nom >. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Tuesday, 22-Apr-2025 13:44:58 JST
Red Rozenglass
@wowaname@freesoftwareextremist.com just checked the code a bit, pleasantly surprised that it's not a hellhole of fasm macros in fasm marcos. file systems, mouse driver, tcp/udp stacks, wifi drivers, not a single silly macro in sight. just good-ol' "real programming". -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Monday, 21-Apr-2025 04:02:54 JST
Red Rozenglass
@lain@lain.com arabic spotted. may allah cure your soul and your nose. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Saturday, 19-Apr-2025 01:54:39 JST
Red Rozenglass
@Suiseiseki@freesoftwareextremist.com Likely mmap. Mapping a range of addresses is not really allocating the memory. For example, using the LMDB C library, if you create a 20GiB database file, it appears that your processes is using 20GiB of memory, but that's just virtual memory addresses, being backed by a file on disk, not RAM.
20TiB still sounds ridiculous, it's usually a case of "I'll map 1TiB here, because we'll never need 1TiB of addresses", and then that thing gets called 20 times, and you get 20TiBs of virtual memory. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Friday, 18-Apr-2025 06:58:26 JST
Red Rozenglass
@p@fsebugoutzone.org You're saying that the end of Eternal September can be brought about, theoretically, by having a few centralized global monopolies here and there, that sweep up the invader swarms back out of our beautiful wounded wired and into massive sandbox prisons where they can be happily stupid together? Simply ingenious. And even better, perhaps, inevitable! -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Thursday, 17-Apr-2025 04:35:32 JST
Red Rozenglass
@lanodan@queer.hacktivis.me @domi@donotsta.re @wolf480pl@mstdn.io I'm not saying someone must review the CVEs, I'm saying someone must ensure they're fixed in important running systems. The easy bar I'm talking about is doing "apt upgrade" on Debian stable, or "npm audit fix" in a Node project.
CVEs are not for me to review in detail, they are a communication system for the developers and upstream maintainers, who write them, to notify me (downstream), and perhaps tell me their expert opinion about the issue, to help prioritize my work. I assume package X maintainers know their package well enough, so when my RSS feed says they published a severity 9 remote-execution CVE, I immediately contact every client I have to coordinate sessions for reviewing their situation and whether it affects them, and to coordinate upgrading their package X installations as needed. But if a CVE has a severity 2 of barely anything, I don't have to even look at it until next maintenance cycle, if ever really. I just assume it will be fixed next time I upgrade X whenever. It is not a perfect system, a severity 2 might actually cause damage, and a severity 9 might actually not apply in a specific context. But it is an important tool nonetheless.
In this context though, I don't care much about the US gov CVE central DBs. Those are, like I said, are just to scare business people. What I care about is upstream security advisories, published when important issues crop up, I RSS/Atom/curl-script subscribe to them, to get notifications when things require my attention. Automatic scanners can be helpful though, when we get thrown into a project that doesn't have due process in place already, and automatic scanners depend on said central CVE database sometimes.
As for the Linux Kernel, no, it does not need thousands of CVEs for a few weeks. There are a few hundreds published per-year[1], most years, and a much smaller number demand immediate emergency attention. Still, for my current clients and personal needs at least, listening for Linux Kernel advisories from Debian / Gentoo / Slackware is enough. Those come usually in batches, unless something major came up.
https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33 -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Wednesday, 16-Apr-2025 22:47:17 JST
Red Rozenglass
@domi@donotsta.re @wolf480pl@mstdn.io @lanodan@queer.hacktivis.me
cut costs by getting away with ignoring security, why not us too?
Because the competitor can then pay hackers to attack us, and take us out of the market, and it would be almost impossible for us to prove they did it. I used that argument before. That business guy's response was "can we hire attacks against our competitors then? we've been DDoSed before, maybe it was them!" lol
Had to remind him it's illegal, and might come back to bite us, remember to fear God or Satan or whatever something you worship, dear brother! I thought I came here to make a case for a better security posture, not to teach basic morality.
Thankfully, as far as I know, we didn't end up attacking anyone. -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Wednesday, 16-Apr-2025 10:50:19 JST
Red Rozenglass
@lanodan@queer.hacktivis.me @domi@donotsta.re @wolf480pl@mstdn.io Running at zero published CVEs should be a really low-bar to clear, unless the project has 1200 NPM dependencies, none of which care about backward compatibility, so patching them up implies a dozen breaking changes, and thus code changes, to make it compatible. Of course, most projects nowadays seem to be built up of 32 micro-services each of which has a 1000 NPM transitive dependencies, or 500 Pip packages for aRtIfIcIaL iNtElLiGeNcE, or at least 200 NuGet packages for "Enterprise Integration", plus 3 different types of databases, and two queuing / message busses platforms (throw one extra an external "PaaS"), and four different OSes, and two Kubernetes cluster providers, and 50 docker container images with 13 different bases...
CVE reports will not save them, nothing will save them. No system is safe.
Hand-writing plain assembly is safer at that point.
But the world goes on i guess ^-^ -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Wednesday, 16-Apr-2025 07:51:03 JST
Red Rozenglass
@lanodan@queer.hacktivis.me @domi@donotsta.re @wolf480pl@mstdn.io The real use for US-gov-backed CVE public databases is to scare business and project management people into allocating resources for maintenance of critical already running systems. You bring them a fancy PDF report with a formatted list of 50 CVEs, 7 of which are "Critical" severity (make sure to color them red), links to scary official-looking .gov website, and tell them it must be fixed now or they get to take responsibility for what happens if they say no. Make sure to CC the whole accessible chain of command to keep records.
This necessary evil saves many organizations filled with idiots from getting hacked, and leaking confidential medical (or otherwise) data for the stupidest things. Especially when you discover, while going over their system patching CVEs one by one, that they have a publicly exposed database with a password of (concat organization-name "abc"). This "tactic" is used (and misused) in countless organizations and government agencies the world all over.
I wish this was sarcasm... -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Tuesday, 08-Apr-2025 08:13:19 JST
Red Rozenglass
In other news, why did no one tell me about xxd -i before:
-i | -include
Output in C include file style. A complete static array defini‐
tion is written (named after the input file), unless xxd reads
from stdin.
For example, you can add this to your build pipeline, to turn a string to an embedded array of characters. Just #include printf-template.html.h in your code. If printf-template.html contains printf control sequences, like %s, they do work if you pass them to printf(). You can have an HTML file parametrized with printf() for example.
xxd -i printf-template.html > printf-template.html.h
I assume you can embed anything this way; strings, images, 3D models, etc. This seems cross-platform enough. I'm starting to wonder if the new #embed C standard proposal is really needed, or just bloat now. (Even parameterized #embed sounds like something replaceable with some UNIX piping before you pass the data to xxd -i). -
Embed this notice
Red Rozenglass (rozenglass@fedi.dreamscape.link)'s status on Sunday, 06-Apr-2025 23:08:45 JST
Red Rozenglass
@menherahair@eientei.org I use fakeroot to build as a normal user, almost all SlackBuilds work when built this way, in my experience. Alternatively, sometimes I use a build chroot, check the results, then copy and install the package to the target machine.
@nyanide@lab.nyanide.com I know many people don't read SlackBuilds, especially beginners using helper package management tools. I do read almost all SlackBuilds I install. At the very least, I read the info and README and such, but do a quick glance at the SlackBuild itself.
All GNU social JP content and data are available under the