Sven Slootweg (soft-deprecated) @joepie91@pixie.town
- Future new account
- @joepie91@slightly.tech
- Matrix
- @joepie91:pixie.town
- Pronouns
- they/them, he/him, whatever, it's not like I have any idea either 🙃
In the process of moving to @joepie91. This account will stay active for the foreseeable future! But please also follow the other one.
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.
Joined Aug 2019
I would very much like for the conversation around xz to focus on how corporations have neglected their responsibilities to fund the work and support the maintainer, instead of focusing on the trustworthiness of the previous maintainer
Sven Slootweg (soft-deprecated)
boosted
:ms_deminonbinary_flag:
synadm maintainers:
JOJ0 (repo owner)
Ascurius
JacksonChen666 (me)
now the more interesting part is availability in maintaining the project:
JOJ0: pretty busy IRL
Ascurius: no idea what happened to them. their matrix homeserver seems broken and they have done nothing on the synadm repo for maybe about a year.
JacksonChen666: I have been temporarily given the lead for synadm by JOJ0, and did a couple of things recently. so I'm active.
so synadm currently only has 1 active maintainer. the other 2 aren't really available.
Sven Slootweg (soft-deprecated)
boosted
💾
Quest: Find a 5V power supply with suitable barrel plug
Event log:
find a 5V power supply with a barrel plug too small
find a 5V power supply with a barrel plug too big
find a 5V power supply with USB output
@james@strangeobject.space FWIW, I get much faster boot times than that (~5s) with Plasma on X11. I don't think 30s is typical...
xz
@eater (This is basically a 'trusting trust' type of situation, except one we have plausible evidence for)
xz
@eater xz is a part of *the build process itself* in many cases - extracting source archives, that sort of thing. So it could have affected the source of other applications at any point in that process, in a way that's impossible to trace back.
So anything that has come into contact with xz at any point in its build or distribution process, while this new maintainer was involved, is now suspect. That's... a double-digit percentage of packages on a typical system, I suspect.
xz, gloating
@syn Yes, but not for the specific purpose of knowing what packages to rebuild if a backdoor were ever discovered
Sven Slootweg (soft-deprecated)
boosted
1am infodumping about optical fibers is completely normal and neurotypical, innit?
politiek
@WH Tja. Zo iemand hadden we dus min of meer, in Sylvana Simons, maar dat is geen witte vrouw die voor gevestigde belangen opkomt, en dus werd die in de media en publieke opinie geheel kapot gemaakt.
Deze tactiek werkt alleen maar op deze schaal als je je privileges al mee hebt en niet te ver van de gevestigde orde afligt. Wel radicaal klinken maar vooral niet radicaal zijn, zeg maar.
xz, gloating
@syn (It's kind of hard to classify these things because Nix is in a category of software where "benefits we didn't anticipate" are expected as a category, it's just not known which benefits they will be)
xz, gloating
@syn Yes, though arguably an accidental one, sort of - it's not really what the dependency system was *designed* for afaik, just a consequence of the design choices
xz
It occurs to me that a lot of distros probably have a lot of already-built packages that involved one of the suspicious xz versions in their build process, and I don't know that they all have the tooling to track which packages need to be rebuilt...
Do you want to stop "supply chain compromises" as a company? Here's a very simple way to do so: pay a stipend to a maintainer of something you depend on.
You don't really need dependency tracking tools. You don't need to exactly parcel out the 'right' proportionate amount of money to every maintainer. All of that operational complexity is unnecessary.
It doesn't even matter *which* maintainer you pick, as long as it's one who isn't receiving a stipend yet, and you pay them enough to constitute a salary.
It will cost you exactly one developer salary. If every able company does this, the problem of supply chain compromises is solved tomorrow.
All you need to do is simply *do it*, and talk about it so that other companies will too.
Sven Slootweg (soft-deprecated)
boosted
My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanting to help. Could you imagine how happy that maintainer was? They were no longer alone.
And it turns out the only reason somebody wanted to help them was nefarious. I can’t imagine how they feel right now as everyone is blaming them. I hope they’re ok.
And it turns out the only reason somebody wanted to help them was nefarious. I can’t imagine how they feel right now as everyone is blaming them. I hope they’re ok.
Sven Slootweg (soft-deprecated)
boosted
@aral Quite by accident, I have found that some managers respond to describing quality checks and safety inspections as 'the paperwork that keeps the CTO out of prison' can change attitudes in several layers in the company in one go. Most project managers seem to realise that if the CTO is going to be incarcerated, they are going down with them.
@hierarchon @iliana Oh yeah, I don't doubt that there are edgecases where this *would* have helped. There are some of those for most things.
What bothers me more is the outsized importance that people tend to place on it - for a while, everybody and their dog was talking loudly about how post-install scripts should be disallowed, as if that will solve all the dependency security issues overnight...
@noplasticshower@zirk.us @swelljoe (I get paid for auditing open-source dependencies, actually)
@hierarchon @iliana Thought in a similar vein: it makes no sense to get all suspicious about post-install scripts in a package manager; the purpose of the package manager is literally *to install software. That will run on the system.*
The malicious code could be anywhere, whether you allow post-install scripts or not really isn't going to matter...
Sven Slootweg (soft-deprecated)
boosted
most of my personal reactions to the xz thing today have been "this is almost the perfect crime and it's incredible it was caught this early"
- Future new account
- @joepie91@slightly.tech
- Matrix
- @joepie91:pixie.town
- Pronouns
- they/them, he/him, whatever, it's not like I have any idea either 🙃
In the process of moving to @joepie91. This account will stay active for the foreseeable future! But please also follow the other one.
Technical debt collector and general hype-hater. Early 30s, non-binary, ND, poly, relationship anarchist, generally queer.
- No alt text (request) = no boost.
- Boosts OK for all boostable posts.
- DMs are open.
- Flirting welcome, but be explicit if you want something out of it!
- The devil doesn't need an advocate; no combative arguing in my mentions.
Sometimes horny on main (behind CW), very much into kink (bondage, freeuse, CNC, and other stuff), and believe it or not, very much a submissive bottom :p
My spoons are limited, so I may not always have the energy to respond to messages.
Strong views about abolishing oppression, hierarchy, agency, and self-governance - but I also trust people by default and give them room to grow, unless they give me reason not to. That all also applies to technology and how it's built.
Joined Aug 2019
