Time for your daily dose of #RustLang complaints. Yep, the ecosystem is doing great.
#UV depends on the tokio-tar library. Tokio-tar is broken on #PowerPC, doesn't have a bug tracker (!) and seems to be quite dead, with a bunch of PRs ignored since 2022 (last activity mid-2023). Nevertheless, I've filed a PR to fix PowerPC, with little hope that it'll be merged, released and that we could get UV working on PowerPC.
On top of that, it seems that tokio-tar was forked in early 2021 from async-tar. It doesn't seem to have synced the few commits from 2021, and async-tar is dead since late 2021. But at least it has a bug tracker to keep track of how dead it is.
Rewriting stuff in Rust is great. Maintaining it afterwards for the sake of reverse dependencies isn't.
As we all know, one of the primary purposes for #RustLang rewrites is improving security. And there is no better way to make your code secure than by not including it at all.
On the Sunday's Council Meeting, #Gentoo has approved the new #AI contribution policy:
""" It is expressly forbidden to contribute to Gentoo any content that has been created with the assistance of Natural Language Processing artificial intelligence tools. This motion can be revisited, should a case been made over such a tool that does not pose copyright, ethical and quality concerns. """
I suppose everyone and their grandmother is now using the xz/sshd exploit to further their own agenda, so I am going to take this opportunity to further mine as well.
1. #Autotools are a bad build system. If configure scripts are completely unreadable, there should be no surprise that people won't notice obfuscated malicious code in there, provided that everything else is obfuscated by design.
2. Static linking and vendoring are bad. Do you know why the prompt #security response was possible? Because we just had to revert to older liblzma. We didn't have to check, patch and re-release hundreds of projects. It wouldn't be this easy with #RustLang and cargo.
3. You can blame #OpenSource for being underfunded and open to abuse in core system packages. However, no IT project can be resilient to a sufficiently powerful bad actor, and that it happened to xz is just an incident. Corporate projects aren't resilient to it, neither is proprietary, closed-source software.
So, embrace #Meson, embrace dynamic linking, embrace distribution packaging and donate to open source developers.
@mgorny About the Open Source part: I cannot see how the attack would be found, had it been closed source. It's clearly showing that Open Source is working.
You've probably seen it elsewhere already, but: xz-utils 5.6.0 and 5.6.1 release tarballs contain an elaborate exploit that injects a backdoor into SSH. #Gentoo systems shouldn't be affected since our OpenSSH doesn't link to liblzma — apparently the exploit targets distributions that patch OpenSSH to link with libsystemd, which in turn may link to liblzma. However, it's not clear if the exploit doesn't do anything else, so we've masked the new versions.
A #Wikipedia editor has arbitrarily decided to remove #JPEGXL from the "Comparison of browser engines" table as "irrelevant", based on the #Google decision not to support it. That's a nice example of lack of objectivity, and letting the reality be defined by Google monopoly — and not even #GAFAM, because Apple supports the format.
@mgorny The arrogance in that editor's comments is insane.
> I also removed JPEG XL for the same reason. Google decided not to support it in Chrome, so therefore it's irrelevant to the real Web.
> None of those arguments matter compared to lack of Blink support and thus doomed to irrelevance on the Web.
Why have a comparison page at all if Blink is the only engine that matters? Edit the page to have only a single sentence that says that "comparison of web engines is irrelevant because other browser engines besides Blink are irrelevant".
@mgorny This will make my day, having read someone who self-proclaims being objective and talks about "the real web", something vague and hardly more subjective.
I've just learned that there's https://nostalebots.xyz/ and I've just reported two organizations. Let's make a shame list of projects that disrespect their users, and send #StaleBot after their bug reports.
If you want to mark my bug report stale, at least bother doing it personally, just like I bothered filing it. Or ideally, run my reproducer if I managed to provide one.
#Gentoo has not been accepted to participate in #Google #SummerOfCode this year. Apparently, they prefer to give away their money on awful "#AI" (#LLM) projects that waste megawatts of energy to propel #enshittification of the Internet, rather than the good old Gentoo that they keep exploiting and that wastes energy primarily on doing hobby stuff that makes the Internet a better place.
@mgorny The AI gold rush is a recurring pattern based on a hype that will stay around for a while. GSoC going after the same reaffirms the nature of that enterprise. Gentoo on the other hand, has a special place in the world.
Today I'm asking the #Gentoo arch testers to stop testing stuff using 387 arithmetic. Yep, the one that causes random differences in rounding by using 80-bit registers (vs 64 bits for a regular double), and therefore spams us with useless test errors. Sure, the test suites are broken in the first place by expecting exact results but many upstreams just don't care — and we'd rather focus on real issues. I mean, too often they don't even care about 32-bit arches at all, and bothering them about ancient FPU won't help.
That said, we've already switched the 32-bit multilib builds on amd64 to use `-mfpmath=sse`. The next step would be to do the same in new #x86 profiles. While at it, we're also going to need to raise the baseline to SSE2 (e.g. `-march=pentium-m`, `-march=pentium4` or just `-msse2`).
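The rounding difference behind those 387 test failures is double rounding: the x87 unit keeps intermediates in 64-bit-mantissa registers and only rounds to a 53-bit double when the value is stored, so a sum that is an exact round-to-even tie in double is not a tie in extended precision. The following is an added illustration, not code from the post or from Gentoo; the three inputs are constructed so the two evaluation strategies disagree, and `long double` is used to emulate the extended path so the program behaves the same whether it is compiled with `-mfpmath=sse` or `-mfpmath=387`.

```c
#include <float.h>
#include <stdio.h>

/* Strict double arithmetic: every intermediate is rounded to a 53-bit double.
 * The volatile store forces that rounding even in a -mfpmath=387 build, where
 * the compiler would otherwise keep the sum in an 80-bit register. */
double sum_in_double(double a, double b, double c)
{
    volatile double t = a + b;
    return t + c;
}

/* Emulates what 387 code does with excess precision: both additions are
 * carried out in long double (80-bit x87 extended on x86; a wider format on
 * some other targets) and only the final result is rounded to double. */
double sum_via_extended(double a, double b, double c)
{
    volatile long double t = (long double)a + b;
    return (double)(t + c);
}

/* Constructed inputs: 1 + 2^-53 is an exact halfway case in double and rounds
 * to even (1.0), after which 2^-63 is far too small to matter. In extended
 * precision 1 + 2^-53 + 2^-63 is held exactly, and the final rounding to
 * double then goes *up* to 1 + 2^-52. The two paths therefore disagree
 * whenever long double really is wider than double. */
int results_differ(void)
{
    const double a = 1.0, b = 0x1p-53, c = 0x1p-63;
    return sum_in_double(a, b, c) != sum_via_extended(a, b, c);
}

int main(void)
{
    const double a = 1.0, b = 0x1p-53, c = 0x1p-63;
    printf("double path:   %.17g\n", sum_in_double(a, b, c));
    printf("extended path: %.17g\n", sum_via_extended(a, b, c));
    printf("long double mantissa bits: %d (double: %d)\n",
           LDBL_MANT_DIG, DBL_MANT_DIG);
    return 0;
}
```

A test suite that asserts `result == 1.0` here passes on an SSE build and fails on an x87 one, which is exactly the class of "useless test error" the post describes; the arithmetic is correct in both cases, only the intermediate precision differs. Build with `gcc -O2 -std=c99` and run; on a 32-bit x86 target, dropping the `volatile` from `sum_in_double` and compiling with `-mfpmath=387` makes the plain double version itself take the extended path.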
""" IN 1999, AFTER ten years of careful work, a researcher at Imperial College in London named Russell Foster proved something that seemed so unlikely that most people refused to believe it. Foster found that our eyes contain a third photoreceptor cell type in addition to the well-known rods and cones. These additional receptors, known as photosensitive retinal ganglion cells, have nothing to do with vision but exist simply to detect brightness — to know when it is daytime and when night. They pass this information on to two tiny bundles of neurons within the brain, roughly the size of a pinhead, embedded in the hypothalamus and known as suprachiasmatic nuclei. These two bundles (one in each hemisphere) control our circadian rhythms. They are the body's alarm clocks. They tell us when to rise and shine and when to call it a day.
[…]
"What's really interesting about these third receptors," Foster told me when we met in his office at Brasenose College, just off the High Street, "is that they function completely independently of sight. As an experiment, we asked a lady who was completely blind — she had lost her rods and cones as a result of a genetic disease — to tell us when she thought the lights in the room were switched on or off. She told us not to be ridiculous because she couldn't see anything, but we asked her to try anyway. It turned out she was right every time. Even though she had no vision — no way of 'seeing' the light — her brain detected it with perfect fidelity at a subliminal level. She was astonished. We all were." """
(Bill Bryson, The Body: A Guide for Occupants)
""" IN 1999, AFTER ten years of careful work, a researcher at Imperial College in London named Russell Foster proved something that seemed so unlikely that most people refused to believe it. Foster found that our eyes contain a third photoreceptor cell type in addition to the well-known rods and cones. These additional receptors, known as photosensitive retinal ganglion cells, have nothing to do with vision but exist simply to detect brightness — to know when it is daytime and when night. They pass...
""" Heat is lost at the surface, so the more surface area you have relative to volume, the harder you must work to stay warm. That means that little creatures have to produce heat more rapidly than large creatures. They must therefore lead completely different lifestyles. An elephant's heart beats just thirty times a minute, a human's sixty, a cow's between fifty and eighty, but a mouse's beats six hundred times a minute — ten times a second. Every day, just to survive, the mouse must eat about 50 percent of its own body weight. We humans, by contrast, need to consume only about 2 percent of our body weight to supply our energy requirements. One area where animals are curiously — almost eerily — uniform is with the number of heartbeats they have in a lifetime. Despite the vast differences in heart rates, nearly all animals have about 800 million heartbeats in them if they live an average life. The exception is humans. We pass 800 million heartbeats after twenty-five years, and just keep on going for another fifty years and 1.6 billion heartbeats or so. It is tempting to attribute this exceptional vigor to some innate superiority on our part, but in fact it is only over the last ten or twelve generations that we have deviated from the standard mammalian pattern thanks to improvements in our life expectancy. For most of our history, 800 million beats per lifetime was about the human average, too.
We could reduce our energy needs considerably if we elected to be cold-blooded. A typical mammal uses about thirty times as much energy in a day as a typical reptile, which means that we must eat every day what a crocodile needs in a month. What we get from this is an ability to leap out of bed in the morning, rather than having to bask on a rock until the sun warms us, and to move about at night or in cold weather, and just to be generally more energetic and responsive than our reptilian counterparts. """
(Bill Bryson, The Body: A Guide for Occupants)
""" Heat is lost at the surface, so the more surface area you have relative to volume, the harder you must work to stay warm. That means that little creatures have to produce heat more rapidly than large creatures. They must therefore lead completely different lifestyles. An elephant's heart beats just thirty times a minute, a human's sixty, a cow's between fifty and eighty, but a mouse's beats six hundred times a minute — ten times a second. Every day, just to survive, the mouse must eat about 50...
I'm considering relicensing my projects to #GPL, going forward. Or — at least these projects that involve more lines of code than the GPL copyright notice takes. Why? Perhaps it's just a matter of growing up to realize how bad corporations are. But the more important question is: why did I use permissive licenses in the first place?
Perhaps it was a matter of good nature, a belief in a "permissive" definition of freedom. I wanted my code to help people. It didn't matter to me if somebody else would make money from it, or use it as a part of proprietary software, as long as the original remained free.
Perhaps it was a matter of simplicity — having a short license that I could understand.
Perhaps it was lack of belief in GPL and its enforcement. Things like nVidia repeatedly working around the Linux license, grsecurity going proprietary, Oracle's AGPL-based extortion threats or government after government violating the OpenSC license. After all, even if some corporation wanted to infringe on my copyright, what could I do?
But I think it's time to change that. Seeing more and more #OpenSource projects go to shit, I think it's time to make a strong statement. To say "I believe in #FreeSoftware, and to hell with corporate exploitation!"
@mgorny Yeah, enforcement against mega-corporations can't really work at the individual level; you'd need a project big enough that some organisations could do the enforcement. But against smaller players, which are far more numerous, I've rarely seen cases of violation, more like doing weird shit like a zip file on a random website for AGPL software…
Meanwhile here GPL is a license family I tend to avoid due to its pretty bad license compatibility, which even today ends up forcing duplicate work. That said, for recent projects I'm picking the MPL-2.0 rather than BSD-3-Clause which I used to pick; this way it's balanced between copyleft and reusability. I really wish it could forbid usage in outright proprietary software though.