Show newer
Sven Slootweg (soft-deprecated)

meta, facebook, subtoot 

Ah yes, dude who has been working with Facebook tries to lecture people who have been trying to protect their communities for years that they have their priorities all wrong and they should care more about building moderation tools.

Hey. Hey Dan. You know what we all have been trying to push for for years, only to have it blocked by the same person who is now being all excited about Facebook getting involved? The same person you're defending in your post? Yeah, exactly.

Funnily, *we* didn't need to turn it into apologia for federating with known bad actors. Because *we* actually recognize that "keeping out bad actors" and "pushing for better moderation tooling" are two sides of the same coin, and not opposed to each other.

I don't know, man. Maybe you should be listening more and lecturing less.

0
Sven Slootweg (soft-deprecated) boosted
עַלִּיזָה :QueerCat_Trans: :QueerCat_Autism: ✡️

Why can’t you suspend users in Pixelfed? Why is the only option marking their accounts as spam?

Why are mod management tools in Pixelfed still the worst of any software across the fediverse?

You want to talk about a commitment to improve moderation meaningfully? Why are you worried more about some ridiculous-ass reel app over key moderation features?

I held back before, but now it’s clear you’re just a bad faith actor looking to fulfill your own childish impulses of fame and building the “next big thing”.

If Loops and Sup are anything like how you treat the Pixelfed project, they’ll be jokes at the expense of the users and admins who try their best to make the most out of these broken platforms.

I don’t know how you sleep at night.

#pixelfed

RE: https://mastodon.social/users/dansup/statuses/112183645970011670

0
Sven Slootweg (soft-deprecated) boosted
lnl

now imagine a more powerful threat actor coming up with usernames without numbers

0
Sven Slootweg (soft-deprecated) boosted
vanta rainbow black 🌈 💖 ✨

thankfully not friends with people like the second one anymore but yeah this tracks lol

1+
Sven Slootweg (soft-deprecated) boosted
*
charlag

tech, xz falloff, open source sustainability 

people who love what they are doing so much that they are doing it for free in their free time instead of resting or having fun or making money or spending time with people they love, despite corporate bullshit, despite shitty laws, despite shitty attacks on them, despite LLM spam, despite ungrateful jerks, despite mental and physical issues.

I don't know peeps but I think this "capitalism" thing doesn't deliver somehow

Show thread
1
Sven Slootweg (soft-deprecated)

CW-boost: ableism, schools 

mstdn.social/@autism101/112184

0
Sven Slootweg (soft-deprecated) boosted
james
The thing that I think annoys me the most about the whole xz thing is all the hand wringing about “software supply chain”. We are not your supply chain. If any other industry had a supply chain wherein every single link said “no warranty either express or implied” in big block caps they’d shit themselves. Yes I think folks maintaining critical parts of the system should be looked after but also maybe we should all just lower our expectations a bit?
0
Sven Slootweg (soft-deprecated) boosted
The research fairy

If "boiling the oceans to run the server farms" isn't number one on your "existential risks to humanity posed by AI" then you can stop talking about existential risks to humanity forever thanks

1+
Sven Slootweg (soft-deprecated)

To get ahead of the predictable marketing pitches from capitalist vultures:

No, automated vulnerability detection and "AI" will *not* solve 'supply chain problems' and especially not backdoors like the xz one. The technology is incapable of doing that, on a very fundamental level.

Anyone trying to sell you on automated stuff as the solution, is lying to your face and trying to scam you.

0
Sven Slootweg (soft-deprecated) boosted
Electric Gremlin

@vyr There were people trying to reach maintainers with ye olde "What's the status of this??" 20min after the news hit oss-sec.

You know the kind. Meatsona in a polo avatar, talking about supply chains and audits and critical business need to someone who objectively has not a single reason to care.

0
Sven Slootweg (soft-deprecated) boosted
fit check for my napalm era

@trysdyn the other takeaway for today is that if you're a project maintainer, you can get a foreign intelligence agency to do a bunch of scutwork for you on their dime, provided you catch the exploit when it comes

1
Sven Slootweg (soft-deprecated) boosted
iliana

"what did we learn today?"

if you're going to backdoor your own software and your repo is on github, you should have a public mirror elsewhere because github will just disable your repo without understanding the consequences

"what?"

what?

0
Sven Slootweg (soft-deprecated) boosted
iliana

pretty interesting that github has only one hammer to respond to incidents like this and it's "block access to the repository so that nobody can see the source code history" apparently

(if i'm being generous, this might be to prevent dogpiling. but it sure does make all the commit references in the oss-security email this morning useless)

1+
Sven Slootweg (soft-deprecated) boosted
Blake Leonard

After seeing how the XZ maintainer's burnout and mental health decline was exploited to the potential detriment of the whole world, we're totally going to be supporting our developers more, right guys? We're totally going to fund critical OSS and pay maintainers enough to hire on other maintainers to take the burden off of them and reduce burnout, right? Right?

0
Sven Slootweg (soft-deprecated) boosted
e. hashman 🇵🇸

Inevitably, a vuln caused by maintainer burnout and underresourcing is going to spark more arguments about how to pay maintainers (hopefully sustainably).

As a former maintainer, things I would have liked to consider working on projects full-time include:
- a steady paycheque in line with industry salaries
- guaranteed for at least 2 years of employment
- with healthcare & other benefits
- and I can't be the only maintainer.

1
Sven Slootweg (soft-deprecated) boosted
Daenney

One thing that the xz compromise also shows; simply having more eyes on something doesn’t make things inherently more secure.

Multiple distributions pulled the vulnerable xz updates. I doubt anyone really vetted the changes. I don’t blame distribution maintainers for that, they do a lot of work typically for free. But a lot of people have bought into the idea that getting your packages through a distro’s official channels somehow makes you safer. It probably helps with unexpected issues due to misaligned dependencies, but it does little for attacks like these.

In truth we got lucky that one person noticed some odd behaviour and decided to investigate.

0
Sven Slootweg (soft-deprecated)

To expand on this: you don't need to manage them. You don't need to track their progress. You don't need a special team for them, or a 'head of open-source'.

You pay them a salary in the same way that you would pay a salary to eg. someone who you don't really have any work for, but don't want to see leaving for a competitor either: you add them to payroll and just let them do their thing.

They're already a maintainer so they know how to manage the project. There are no further expenses or organizational overhead for you.

Show thread
0
Sven Slootweg (soft-deprecated) boosted
Sven Slootweg (soft-deprecated)

Do you want to stop "supply chain compromises" as a company? Here's a very simple way to do so: pay a stipend to a maintainer of something you depend on.

You don't really need dependency tracking tools. You don't need to exactly parcel out the 'right' proportionate amount of money to every maintainer. All of that operational complexity is unnecessary.

It doesn't even matter *which* maintainer you pick, as long as it's one who isn't receiving a stipend yet, and you pay them enough to constitute a salary.

It will cost you exactly one developer salary. If every able company does this, the problem of supply chain compromises is solved tomorrow.

All you need to do is simply *do it*, and talk about it so that other companies will too.

1+
Sven Slootweg (soft-deprecated)

I would very much like for the conversation around xz to focus on how corporations have neglected their responsibilities to fund the work and support the maintainer, instead of focusing on the trustworthiness of the previous maintainer

0
Sven Slootweg (soft-deprecated) boosted
jackson& :ms_agender_flag: :ms_deminonbinary_flag: 🔙

synadm maintainers:

JOJ0 (repo owner)
Ascurius
JacksonChen666 (me)

now the more interesting part is availability in maintaining the project:

JOJ0: pretty busy IRL
Ascurius: no idea what happened to them. their matrix homeserver seems broken and they have done nothing on the synadm repo for maybe about a year.
JacksonChen666: I have been temporarily given the lead for synadm by JOJ0, and did a couple of things recently. so I'm active.

so synadm currently only has 1 active maintainer. the other 2 aren't really available.

Show thread
0
Show older
Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.

Resources

Developers

What is Mastodon?

pixie.town

  • About
  • v3.5.19patch-2024-07-04

More…

v3.5.19patch-2024-07-04 · Privacy policy