• 0 Posts
  • 16 Comments
Joined 2 years ago
Cake day: January 23rd, 2022

  • Not to mention that self-hosting/federation comes with a million small headaches.

    If the devs are paid, do you want to pay them to work on the project or work on maintaining a contact infrastructure?

    If they aren’t paid, do you want them using what little free time they have working on the app or working on maintaining a communications network?

    If it’s someone else’s forum/matrix/chat server, are you okay with 1. a third party having access to your communications and 2. being able to force a comms blackout for any reason whatsoever?

    Or would you rather they use their time and money focusing on finding a provider who meets every need of the project AND every user?



  • The choice of Rust limited the ability for people to contribute.

    That’s unfortunate. I think Rust is particularly tailored to big projects with many contributors that need the performance boosts of a “low level” language. This goes especially for web apps, since they’re likely to grow in size directly correlated to number of users and use time.

    I get that the compiler is viewed as “training wheels” by the C and C++ coders, but it’s nearly impossible to ensure memory safety on a large project without something or someone checking and enforcing it, since no one can be reasonably expected to parse thousands of lines of code and keep the data flow in mind at all times while considering edge cases and also trying to add on to it while others also grow it.






  • BaumGeist@lemmy.ml to Open Source@lemmy.ml: Nginx gets forked by core developer
    22 upvotes, 2 downvotes · edited · 5 months ago

    For the record I agree with @fernandofig@reddthat.com, but I also want to add that a DoS is not necessarily a security risk. If it can be leveraged to expose sensitive information, then yes, that’s a vulnerability; this isn’t that.

    Digging into the CVEs:

    CVE-2024-24989:

    #Security Advisory Description

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. (CVE-2024-24989)

    Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3.

    #Impact

    Traffic is disrupted while the NGINX process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the NGINX system. There is no control plane exposure; this is a data plane issue only.

    CVE-2024-24990 basically says the same.

    Some choice clauses:

    undisclosed requests can cause NGINX worker processes to terminate

    Traffic is disrupted while the NGINX process restarts.

    So it doesn’t take down the server nor the parent process, it kills some threads which then… restart.

    Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental

    I was able to find that the affected versions:

    NGINX Plus R30 P2 and R31 P1
    Open source subscription R5 P2 and R6 P1
    Open source mainline version 1.25.4

    but most importantly:

    The latest NGINX Open source stable version 1.24.0 is not affected.

    And saving me the hassle of linking and quoting all 5 of the version history pages for the affected products, the uniting factor is: they’re all based on Open Source versions 1.25.*

    None of them are using the latest stable version.

    It’s not even going to affect most sites, and definitely not ones for whom downtime is a major issue: they would not be using the non-stable version, much less enabling experimental features in a non-stable version.

    But the part that irks me the most is the dilution of what a CVE is. Back in the day, it meant “something that can lead to security breaches,” now it just seems to mean “hey guys, I found a bug.” And that’s bad because now you have one of two outcomes: 1. unnecessarily panicking users by leading them to believe their software is a security risk when it isn’t, or 2. compromising the integrity and usability of CVE reports by drowning the important ones in waves of “look guys, the program crashes when I can leverage root privileges to send it SIGKILL!”

    If this was just a bug hunter trying to get paid, that’s one thing, but these were internally assigned and disclosed. This was an inside job. And they either ignored or never consulted the actual experts, the ones they have within their own staff: the devs.

    Why? To what end? Did they feel left out, what with not having any CVEs since 2022? Does this play some internal political struggle chess move? Do they just hate the idea of clear and unambiguous communication of major security holes to the general public? Are they trying to disrupt their own users’ faith in their paid products? Does someone actually think a DoS is the worst thing that can happen? Is there an upper level manager running their own 1.25 instance that needs this fixed out-of-band?

    It’s just all so asinine.
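The comment above boils down to a scoping question a defender actually has to answer: is this instance even in the blast radius of the QUIC worker-crash CVEs? Per the quoted advisory that requires the HTTP/3 QUIC module to be built in and enabled (it is off by default), and per the comment the affected builds all sit on the 1.25 mainline while 1.24.0 stable is not affected. The following triage script is an added example written for this page; it is not code from the commenter, from nginx or from F5. It assumes the `nginx -V` output shape (a `nginx version: nginx/X.Y.Z` line plus a `configure arguments:` line), the real `--with-http_v3_module` configure flag and the real `listen ... quic` directive syntax; the sample version output and config fragments are constructed, and the “1.25 line means review” rule is the comment’s heuristic, so the exact patched release must still be taken from the advisory.

```python
import re

# Constructed sample of `nginx -V` output (the real binary prints it to stderr).
# Assumed shape: a "nginx version: nginx/X.Y.Z" line and a "configure arguments:"
# line listing the build flags.
SAMPLE_NGINX_V = """nginx version: nginx/1.25.3
built with OpenSSL 3.0.11 19 Sep 2023
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module
"""

# Constructed config fragments: one server block with a QUIC listener, one without.
SAMPLE_CONF_QUIC = """
server {
    listen 443 quic reuseport;   # HTTP/3 listener (experimental module)
    listen 443 ssl;
    server_name example.test;
}
"""

SAMPLE_CONF_PLAIN = """
server {
    listen 443 ssl;
    server_name example.test;
}
"""


def parse_nginx_v(output):
    """Return (version_tuple, compiled_with_http3) from `nginx -V` text."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'nginx version:' line found")
    version = tuple(int(x) for x in m.groups())
    args = re.search(r"^configure arguments:(.*)$", output, re.MULTILINE)
    flags = args.group(1).split() if args else []
    # --with-http_v3_module is the configure flag that builds the QUIC/HTTP/3 module.
    return version, "--with-http_v3_module" in flags


def quic_listeners(conf_text):
    """Return the address/port of every `listen ... quic ...;` directive."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if line.startswith("listen ") and line.endswith(";"):
            params = line[len("listen"):-1].split()
            if "quic" in params[1:]:
                found.append(params[0])
    return found


def triage(nginx_v_output, conf_text):
    """Decide whether this instance is in scope for the QUIC worker-crash CVEs.

    Exposure needs both advisory conditions: the module built in and a QUIC
    listener configured. The version rule is the comment's heuristic (assumption):
    affected builds were all on the 1.25 mainline; 1.24.0 stable is not affected.
    """
    version, built_with_v3 = parse_nginx_v(nginx_v_output)
    listeners = quic_listeners(conf_text)
    # nginx convention: even minor number = stable branch, odd = mainline.
    branch = "stable" if version[1] % 2 == 0 else "mainline"
    exposed = built_with_v3 and bool(listeners) and version[:2] == (1, 25)
    if not built_with_v3:
        reason = "HTTP/3 module not compiled in (it is off by default)"
    elif not listeners:
        reason = "HTTP/3 module built but no 'listen ... quic' directive"
    elif version[:2] == (1, 25):
        reason = "QUIC enabled on 1.25 mainline: check the advisory for the patched release"
    else:
        reason = "QUIC enabled but version is outside the 1.25 line named in the advisory"
    return {
        "version": version,
        "branch": branch,
        "http3_built": built_with_v3,
        "quic_listeners": listeners,
        "exposed": exposed,
        "reason": reason,
    }


if __name__ == "__main__":
    for name, conf in (("quic", SAMPLE_CONF_QUIC), ("plain", SAMPLE_CONF_PLAIN)):
        print(name, triage(SAMPLE_NGINX_V, conf))
```

On a real host the inputs would be the output of `nginx -V 2>&1` and the text of the effective configuration (`nginx -T` prints it fully expanded, include files and all). The point of the two-condition check is the one the comment makes: a worker crash in a module that is neither built nor listening is not a risk for that instance, so the verdict hinges on configuration, not on the CVE’s existence.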


  • Context:

    TLDR: The devs don’t like bugs in released software being assigned CVEs, which requires a special security update instead of a standard bugfix included in the regular update cycle.

    :The most recent “security advisory” was released despite the fact
    : that the particular bug in the experimental HTTP/3 code is
    : expected to be fixed as a normal bug as per the existing security
    : policy, and all the developers, including me, agree on this.
    :
    : And, while the particular action isn’t exactly very bad, the
    : approach in general is quite problematic.

    There was no public discussion. The only discussion I’m aware of
    happened on the security-alert@ list, and the consensus was that
    the bug should be fixed as a normal bug. Still, I was reached
    several days ago with the information that some unnamed management
    requested an advisory and security release anyway, regardless of
    the policy and developers position.

    And nginx’s announcement about these CVEs

    Historically, we did not issue CVEs for experimental features and instead would patch the relevant code and release it as part of a standard release. For commercial customers of NGINX Plus, the previous two versions would be patched and released to customers. We felt that not issuing a similar patch for NGINX Open Source would be a disservice to our community. Additionally, fixing the issue in the open source branch would have exposed users to the vulnerability without providing a binary.

    Our decision to release a patch for both NGINX Open Source and NGINX Plus is rooted in doing what is right – to deliver highly secure software for our customers and community. Furthermore, we’re making a commitment to document and release a clear policy for how future security vulnerabilities will be addressed in a timely and transparent manner.


  • They don’t seem to care that much about performance unless it means reduced power consumption.

    Looks like their main reasoning for dropping vulkan was: 1. it has too many dependencies, which violates their principle of minimalism, and 2. it’s not backwards compatible enough for their arbitrary definition of backwards compatibility. I guess it should support hardware back to the very first gpu, but also have fewer dependencies.


  • I agree it’s a terrible metric of success in life, but at the same time the older I get the more I feel like 1. the revolution/apocalypse that I was promised isn’t coming and, 2. you can’t retire with a bank account full of good character and well-rounded education. There’s a lot more cynicism toward the idea that all knowledge and skills are equally worth pursuing couched in that, which would take hours or days or longer to convince someone who hadn’t already given up hope, but suffice it to say that no education is perfect and the ones that are closest put you into lifelong debt.

    To that end, Randall could have also labeled the Y axis “success later in life” and still made a pretty good point. Most educators, education scientists, developmental psychologists, counselors and caretakers that I’ve talked to, read, listened to on documentaries and podcasts, etc. all seem to agree that homework is bullshit that doesn’t aid learning. The same aforementioned group readily admit that forcing the kids to stay seated in a room while reading from textbooks/getting lectured to isn’t a method that works to instill curiosity nor encourage long-term retention for most people.

    But it sure does teach us the useful skills of doing meaningless, repetitive busywork for hours on end on our own time after work, and sitting through mind-numbing meetings where someone you don’t have a personal connection to talks at length about a topic that doesn’t matter to you.




  • At this point I’m mostly using MS PowerPoint, but its lack of linux support really drives me mad.

    Considering the community we’re in, it’s odd that there’s not a bigger dealbreaker (mostly kidding, all my job software is proprietary and I just have to suck it up). With the dawn of Office online, the OS shouldn’t really be an issue anymore, or does the online version lack features you need?

    [PowerPoint] comes bundled with the Office Suite, the majority of apps from which I’ve never used.

    That’s how they get you. You’re already paying $X for them, might as well use them. Now that you’re used to them, it’s hard to justify switching to a different app with an entirely new workflow that may not even have all the features you want.

    I’m interested to hear your thoughts and your experiences with presentation-making software?

    Not much, but I have used PowerPoint to make the most basic of presentations. It’s fine.

    I’ve used all the other popular LibreOffice alternatives (Writer, Calc, Draw). Based on my experience with Draw (and the UI of all), I’m gonna go out on a limb and say that in general LO is good at handling data and text, and not so great/easy-to-use with graphics.

    As for your requirements, 1+2 are very reasonable, almost given for a presentation software—although the videos may narrow down your pool.

    3 is where things get uncommon; wanna know how I know you work in STEM? Actually, given that you’re clearly making presentations often, and can work remotely, I’m gonna go out on a limb and guess: professor? Then again, you clearly don’t shy away from learning computer nerdery and trying new software (incl. Linux), so you might be an engineer who just happens to give a lot of presentations instead.

    Back on topic: 3 should be more specific. My understanding of LaTeX is that it’s basically a fully-fledged publishing software on its own… or rather, a standard language that publishing softwares can use, similar to how MS Office uses XML behind the scenes everywhere. Your requirement is basically that the software use a specific format for displaying stuff on screen, but the context suggests you just want LaTeX because it supports autoformatting of math equations. Surely most presentation softwares have some way of achieving that without having a full-on LaTeX rendering engine included. I’m guessing you’ve already tried good ol’ Insert>Object>Formula or using LibreOffice’s Math to create what you want before copying it to Impress?

    Lastly 4 is a doozy. It seems like such a simple request to the non-devs. The unfortunate truth is that for anything more complex than a “Hello World,” the program requires multiple pathways to access system libraries and hardware resources, and even then taking into consideration limitations and idiosyncrasies of different hardware architectures. It’s not as simple as adding a flag to your compiler. For Mac and Windows that’s not an issue because they’re getting paid to port and they get more money for doing so, there’s financial incentive. For linux devs… Well…

    There are two types of Linux devs: the majority, who contribute for fun and donations, do what they do because it helps them achieve their goals and might as well share, or they just genuinely care about giving back to the community. The other type, who there’s less of, are the ones who do it for work. They do it because there’s a niche customer base who use their software professionally and for specific industry applications; that’s where companies like Red Hat come into play. It’s rare that you find offerings for more general types of software, like entire office suites.

    In other words, we’re lucky to have LibreOffice (and any web apps, which have the luxury of being OS agnostic). You want another miracle???


  • Here’s my list of “maybe somedays” that I’d love to have all run off a single machine:

    1. Hash cracking. Red teaming isn’t my career yet, but it would be nice if I had the tools ready when I get to that milestone

    2. locally served “Cloud” gaming. I’m tired of being limited to a single desktop when I could be playing skyrim on my phone, but I hate supporting *aaS models—I want to own my cake and eat it too.

    3. VM server. Basically turn everything else into a thin client. Also, what @ursakhiin@beehaw.org said. If I ever want to do realistic training, and not just stick to hackthebox indefinitely, I’m going to need to mimic a full network’s worth of computers with multiple VLANs. Or have multiple different OSes emulated to do all kinds of pentesting.

    4. Finally start those Mastodon/Matrix/Lemmy/every other federated app instances that I’ve been right around the corner from hosting for ages

    5. media server

    6. Websites and web-apps, even if only locally served. Possibly have copies of wikipedia and archive.org and other highly usefulness-to-power-consumption ratio sites for when I eventually go off grid

    7. maybe email… maybe. I hear it’s more of a headache than it’s worth, though, so maybe not

    8. home IoT server. Handling all the functionalities so I don’t have to stream security cam footage to some random company’s untrustworthy server across however many hops along the way

    and probably a few other ideas I’ve had over the years that I can’t think of at the moment.

    Could I accomplish all this on a couple powerful towers and a half dozen smaller/cheaper/more power efficient devices? Certainly, but this reduces cables, network overhead, and weird edge case problems having that many devices on a single-maintainer network causes. Instead of dealing with updating, upgrading, and hardening a dozen or more devices, this would give me a single point of failure that I can build resentments against whenever it has a hiccup.


  • people are always going to be floating ways to save capitalism in the face of communities privileging freedom over greed.

    this completely misses the point of free software, and fails to solve the problems Mr. Perens identifies with Open Source. He claims it fails to serve the “common person” (end users) and then proposes a solution that serves… only devs.

    Open Source has completely failed to serve the common person. For the most part, if they use us at all they do so through a proprietary software company’s systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary… Indeed, Open Source is used today to surveil and even oppress them.

    All these problems are already solved by free software. The rebranding of “open source” was a compromise on the principles of free software to make the movement palatable to profit-seekers. In the end, it predictably failed to improve anything. The solution isn’t to reinvent the wheel, it’s to stop making the wheel square because the square lobby insists they’ll only use it if it’s square. The solution is copyleft, and free software being used more than its defanged cousin.

    The common person doesn’t know about Open Source, they don’t know about the freedoms we promote which are increasingly in their interest

    That’s a feature, not a bug. On one hand, if people knew about free software they wouldn’t be as good consumers. On the other hand, internals should be opaque to users; just as devs don’t want to have to know how the logic gates in the CPU are routing their code to write code, end users shouldn’t have to worry about the politics of the communities that developed their code.