Well, that’s this afternoon planned then.

The way I help, as a Sysadmin, is primarily by using foss software in my job and feeding back with bug reports, issues and so on. I’ve raised several hundred issues on Github this way, and try to do them concisely, accurately and with as much relevant information as I can.

That’s really neat, and in the Debian main repos.

micro looks very impressive. I’m too invested in vi to move away from that, but it’s great to see alternatives, especially those focused on being easy to use (like jed)

Only weird thing from the cap I saw was that you need to edit a json file to change keybindings - doesn’t that go against the ‘easy to use’ edict, or is that something that’s planned to be changed?

Fair point.

If the distro team is compromised, then that leaves all their users open too. I’d hope that didn’t happen, but you’re right, it’s possible.

I think bus factor would be a lot easier to cope with than a slowly progressing, semi-abandoned project and a White Knight saviour.

In a complete loss of a sole maintainer, then it should be possible to fork and continue a project. That does require a number of things, not least a reliable person who understands the codebase and is willing to undertake it. Then the distros need to approve and change potentially thousands of packages that rely upon the project as a dependency.

Maybe, before a library or any software gets accepted into a distro, that distro does more due diligence to ensure it’s a sustainable project and meets requirements like a solid ownership?

The inherited debt from existing projects would be massive, and perhaps this is largely covered already - I’ve never tried to get a distro to accept my software.

Nothing I’ve seen would completely avoid risk. Blackmail upon an existing developer is not impossible to imagine. Even in this case, perhaps the new developer in xz started with pure intentions and they got personally compromised later? (I don’t seriously think that is the case here though - this feels very much state sponsored and very well planned)

It’s good we’re asking these questions. None of them are new, but the importance is ever increasing.

software developers are criticizing Microsoft and GitHub for taking down some of the affected code repositories

Surely it’s sensible of Github to take down malicious code? It’s not just honest, hardworking people trying to make sense of this that have eyes, it’s others looking for inspiration from what appears to be a sophisticated and very dangerous supply chain attack.

I like the energy, but this doesn’t qualify as “lesser known”

I respectfully disagree.

I had redcare via Age Concern for my mum before she went into a home with dementia - it was a few years ago and it was all that was available.

Nowadays, the panic alarms are, I believe, entirely self contained using a sim card and mobile connectivity and include location information - so they are not reliant on local power or internet connection. That locational information could be life saving - one time my mother got very confused, left her flat and was wandering around outside in freezing conditions. Luckily someone heard her calling out and took her home, but she could easily have died that night and was so confused that she didn’t think to use her dongle which was still around her neck, and it is doubtful it would have been in range of her base station anyway. A modern system can also include geofencing and even positional data (if someone falls down), takes it off, or battery runs low and automatically alert. Just like redcare, the modern systems are manned 24/7 just the same.

Sometimes old school is not best.

Many/most password managers do TOTP in their browser extensions already - at least on paid tiers. (Bitwarden, Lastpass for sure).

It’s the only way a team can effectively use TOTP, which still offers a lot of protection.

It takes years to build a good reputation in OSS, and only one dumb thing (like opt-out of personal data) to ruin it.

(Yes, IPs may be considered personal data in that they can be used to identify individuals, and so subject to the GDPR and, potentially, the very high fines associated with that. Unless you’re evil, don’t collect any personal or identifying data unless you absolutely have to, and very triple sure the user knows what you’re sending and why)

We are writing to inform you that we have discovered two Home Assistant integration plug-ins developed by you ( https://github.com/Andre0512/hon and https://github.com/Andre0512/pyhOn ) that are in violation of our terms of service

Did the guy explicitly agree to their Terms of service? If not, how can he be in breach of them?

cease and desist all illegal activities

What illegal activities exactly?

Feels like unenforceable scare tactics, but IANAL.

When there is a war, there are war crimes - it’s not surprising, it’s not new and it’s not special. Every single time, regardless of nationality, race, creed, invader or defender. Every single time. You give a lot of people guns, teach them to de-humanise the enemy and then put them through unimaginable stresses, it’s inevitable that some will do bad things. Those who orchestrate such actions and trigger events like this know, accept and want these atrocoties to achieve their own ends.

I respect Paul Biggar for having an opinion and writing a well researched and unimpeachable personal blog about it. Why should any of us who hold feelings have to suppress them?

It’s sad that he’s become yet another victim of this unwinnable war, it’s even sadder that he won’t be the last.