Tootfinder


@penguin42@mastodon.org.uk
2025-07-15 20:32:30

I've finished my deadcoding pass on the #linux kernel; 139 insertions(+), 21936 deletions(-) on Linus's tree, there's another 2300 that are/have been in -next, and I've got about another 30 patches that have been posted but I need to prod the maintainers more; so it _might_ hit 25kloc removed. Which sounds a lot until you realise it's only about 0.06% of the kernel.
So p…

@hynek@mastodon.social
2025-09-12 10:16:45

To make the solution to my Git problem searchable, I’ve dusted off the TIL section of my homepage:
TIL: How to Push and Pull from GitHub Pull Request Branches
hynek.me/til/github-pull-reque

@mgorny@social.treehouse.systems
2025-09-13 04:53:32

#StaleBot, except instead of threatening the contributor to close the PR, it threatens the maintainers that it will merge it. Obviously, since there are no remarks, it must be good!
#GitHub

@tiotasram@kolektiva.social
2025-06-24 09:39:49

Subtooting since people in the original thread wanted it to be over, but selfishly tagging @… and @… whose opinions I value...
I think that saying "we are not a supply chain" is exactly what open-source maintainers should be doing right now in response to "open source supply chain security" threads.
I can't claim to be an expert and don't maintain any important FOSS stuff, but I do release almost all of my code under open licenses, and I do use many open source libraries, and I have felt the pain of needing to replace an unmaintained library.
There's a certain small-to-mid-scale class of program, including many open-source libraries, which can be built/maintained by a single person, and which to my mind best operate on a "snake growth" model: incremental changes/fixes, punctuated by periodic "skin-shedding" phases where major rewrites or version updates happen. These projects aren't immortal either: as the whole tech landscape around them changes, they become unnecessary and/or people lose interest, so they go unmaintained and eventually break. Each time one of their dependencies breaks (or has a skin-shedding moment) there's a higher probability that they break or shed too, as maintenance needs shoot up at these junctures. Unless you're a company trying to make money from a single long-lived app, it's actually okay that software churns like this, and if you're a company trying to make money, your priorities absolutely should not factor into any decisions people making FOSS software make: we're trying (and to a huge extent succeeding) to make a better world (and/or just have fun with our own hobbies and share that fun with others) that leaves behind the corrosive & planet-destroying plague which is capitalism, and you're trying to personally enrich yourself by embracing that plague. The fact that capitalism is *evil* is not an incidental thing in this discussion.
To make an imperfect analogy, imagine that the peasants of some domain have set up a really-free-market, where they provide each other with free stuff to help each other survive, sometimes doing some barter perhaps but mostly just everyone bringing their surplus. Now imagine the lord of the domain, who is the source of these peasants' immiseration, goes to this market secretly & takes some berries, which he uses as one ingredient in delicious tarts that he then sells for profit. But then the berry-bringer stops showing up to the free market, or starts bringing a different kind of fruit, or even ends up bringing rotten berries by accident. And the lord complains "I have a supply chain problem!" Like, fuck off dude! Your problem is that you *didn't* want to build a supply chain and instead thought you would build your profit-focused business in other people's free stuff. If you were paying the berry-picker, you'd have a supply chain problem, but you weren't, so you really have an "I want more free stuff" problem when you can't be arsed to give away your own stuff for free.
There can be all sorts of problems in the really-free-market, like maybe not enough people bring socks, so the peasants who can't afford socks are going barefoot, and having foot problems, and the peasants put their heads together and see if they can convince someone to start bringing socks, and maybe they can't and things are a bit sad, but the really-free-market was never supposed to solve everyone's problems 100% when they're all still being squeezed dry by their taxes: until they are able to get free of the lord & start building a lovely anarchist society, the really-free-market is a best-effort kind of deal that aims to make things better, and sometimes will fall short. When it becomes the main way goods in society are distributed, and when the people who contribute aren't constantly drained by the feudal yoke, at that point the availability of particular goods is a real problem that needs to be solved, but at that point, it's also much easier to solve. And at *no* point does someone coming into the market to take stuff only to turn around and sell it deserve anything from the market or those contributing to it. They are not a supply chain. They're trying to help each other out, but even then they're doing so freely and without obligation. They might discuss amongst themselves how to better coordinate their mutual aid, but they're not going to end up forcing anyone to bring anything or even expecting that a certain person contribute a certain amount, since the whole point is that the thing is voluntary & free, and they've all got changing life circumstances that affect their contributions. Celebrate whatever shows up at the market, express your desire for things that would be useful, but don't impose a burden on anyone else to bring a specific thing, because otherwise it's fair for them to impose such a burden on you, and now you two are doing your own barter thing that's outside the parameters of the really-free-market.

@castarco@hachyderm.io
2025-09-12 10:11:22

I'm not sure if this is going to make a difference (#LLMs weren't able to read #licenses or terms & conditions before, when these were not formalized in a "machine-readable" way; plus, besides licenses we already had the robots.txt declarative files, even if those were not as expressive as this new proposal).
So, is this extra work for web developers and maintainers? Are we going to operate under the new assumption that if we didn't do the work of implementing this then we are granting permission to scraper bots to steal all our online creations?
Or can this be a net gain for creators in some specific way?

@gedankenstuecke@scholar.social
2025-08-04 21:56:09

It's at least the second time that I see maintainers of "#opensource" be actively and strongly upset that people (as in other free/open source devs, not big corps) actually make use of the licensing terms that they gave to their software.
It's just baffling to me. Is it that people don't understand the implications of the licenses they choose? That they never actually believed in the freedoms they gave but just thought it sounded sexy somehow, wanting to have their cake and eat it too?

@jonippolito@digipres.club
2025-08-29 12:02:23

"They’re unknowingly becoming the bad guys”: AI-powered bounty hunters think they’re helping, but their fabricated bug reports are overwhelming solo maintainers like cURL’s Daniel Stenberg—who’s paid $92K for real flaws and now may scrap the program.

A conference presenter with this quote:

A lot of users are annoying. And that's not new. The new thing here is not only the ease that you can produce this with AI, but also they actually think they are helping out....They're just unknowingly becoming the bad guys.

—Daniel Stenberg, "AI slop attacks on the curl project"

@aral@mastodon.ar.al
2025-07-24 08:02:08

The only way Microsoft should be involved in a European Sovereign Tech Fund is if we fund it by taxing the living shit out of them.
But having them organise and influence it (and who gets funded by it), thereby de facto giving Microsoft EU taxpayer subsidies? Get the fuck out of here.
There are no words to describe how angry this attempt at corporate capture gets me when we’ve been working on sovereign tech in the EU for the past seven years with zero EU funding (not for lack of …

@frankel@mastodon.top
2025-08-05 16:28:02

#PgBouncer is useful, important, and fraught with peril
jpcamara.com/2023/04/12/pgboun

@adulau@infosec.exchange
2025-06-17 19:46:46

Something that’s been bothering me for years in the security world: why do researchers demand bug bounties for vulnerabilities in open source projects, when the very contributors maintaining and fixing those issues get nothing, just goodwill?
It feels deeply unfair. The burden falls on unpaid maintainers, yet bounty hunters get rewarded. If you want a paid bounty, maybe help fund the people who actually fix the mess too.

@mgorny@social.treehouse.systems
2025-09-10 11:45:07

Here are some key takeaways from implementing #PyPI attestations in #Gentoo:
• With OpenPGP, you need to validate the authenticity of a key. With attestations, you need to validate the authenticity of the identity (i.e. know the right GitHub repository). No problem really solved here.
• They verify that the artifact was created by the Continuous Deployment workflow of a given repository. A compromised workflow can produce valid attestations.
• They don't provide sufficient protection against PyPI being compromised. You can't e.g. detect whether new releases weren't hidden.
On the plus side, TOFU is easier here: we don't have to maintain hundreds of key packages, just short URLs on top of ebuilds.
Security-wise, I think PEP 740 itself summarizes it well in the "rationale and motivation" section. To paraphrase, maintainers wanted to create some signatures, and downstreams wanted to verify some signatures, so we gave them some signatures.
#security #Python

@arXiv_csCR_bot@mastoxiv.page
2025-08-20 09:12:40

Beneath the Mask: Can Contribution Data Unveil Malicious Personas in Open-Source Projects?
Ruby Nealon
arxiv.org/abs/2508.13453 arxiv.org/p…

@ripienaar@devco.social
2025-07-25 07:22:49

Interesting take opensourcemaintenancefee.org
Wonder what people think about this.

@aral@mastodon.ar.al
2025-07-24 05:59:02

We do need a European Sovereign Tech Fund, yes.
What we don’t need is Microsoft – a trillion-dollar surveillance capitalist from the US that peddles proprietary technology and is helping Israel carry out its genocide of the Palestinian people as we speak – having anything whatsoever to do with it.
#microsoft

@arXiv_csSE_bot@mastoxiv.page
2025-07-24 09:20:09

Roseau: Fast, Accurate, Source-based API Breaking Change Analysis in Java
Corentin Latappy (LaBRI), Thomas Degueule (LaBRI), Jean-Rémy Falleri (LaBRI), Romain Robbes (LaBRI), Lina Ochoa (TU/e)
arxiv.org/abs/2507.17369