Notices by Evan B🥥ehs (eb@social.coop), page 2

@luis_in_brief @benwis @brainwane @glyph @geofft @diazona @djc oh that’s sick, it’s so funny that you never know who you’re speaking to on here lol. Congrats on how successful tidelift has been :)

@benwis @brainwane @luis_in_brief @glyph @geofft @diazona @djc there’s some website (I forget what it is) that basically you pay x amount of dollars and it audits your entire dependency tree and attempts to pay maintainers proportionally. Unfortunately iirc it was kinda flawed but I think it’s a solid idea

Holy shit.

Unfolding now: https://news.ycombinator.com/item?id=39865810

- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0

An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2

The timeline on this is going to take so long to unravel

#security #linux

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux

Can somebody explain why #meta is a threat to the Fediverse? Like I get that they are evil corporate and probably up to no good but if you want all the fediverse data it's incredibly simple to get (just add .rss, .json, setup a ghost instance, or use the API with zero authentication), so no need for this. Plus, I doubt anybody is switching fedi → #threads. Plus, a few might go threads → fedi. AP is lead by passionate people like @evan, so they can't control it. What's in it for evil #facebook?

@CassandraZeroCovid @evan you must have glazed over the part where I said mastodon has next to no privacy. Every post you make is federated to thousands of other servers controlled by thousands of different people. From the web, anybody can get a machine readable feed of your posts without logging in by adding .json or .rss to the end of the url. Almost all data, if Facebook wanted, they could already get

@evan it’s funny everybody is answering yes while simultaneously hating threads with all their guts

@evan perhaps, the argument is “anybody can implement it but we don’t need to federate with you”

Imagine you have a dam. Fish want to get through the floodgates, but the gates are locked. You want to open the gates when a fish wants to pass through.

If you are a tech bro, you might say “we can use AI to solve this problem”

If you are the municipality of Utrecht, you instead say “what if we put a livestream of the canal on the internet and instructed viewers to push a button when they see one”

https://visdeurbel.nl/

@gianni @samlavigne

@atomicpoet @fediversenews It's right below lol

@evan How so?

@evan My apologies, I will keep that in mind. Thanks for entertaining the question this time!

@evan Must it be food *I* hunted, fished, or gathered? This distinction would put me on the other extreme