Empathy in open source: be gentle with each other · baby steps

"#Empathy is not about being nice or making the other person feel good or even feel better. Being empathetic means understanding what the other person feels and then showing them that you understand.

Understanding what the other person feels doesn’t mean you have to feel the same way. It also doesn’t mean you have to agree with them, or feel that they are “justified” in those feelings."

by @nikomatsakis


Weeks later, Google posted a proper CVE. A publicly funded civil society org, @citizenlab found this , while two of world's largest corps, and , sat on it while making sure that their affected products were patched. That sure makes them look good to non-technical users. They are built on , and have more than enough resources to be a responsible steward, but failed to do the standard practice , screwing everyone else.



We have found an actively exploited #zero #click vulnerability that was used to deliver #NSO group’s #Pegasus #spyware citizenlab.ca/2023/09/blastpas

UX designers who eliminated the filesystem from user consciousness in name of simplicity ruined the world and are morally culpable for shriveling minds of children who are unable to tackle the challenges of today thanks to a choice sold as advocacy for the user but was ultimately motivated by control of a disempowered customer.

@frehi I've heard some more details: Debian's Chromium maintainer actually got it to use the system libwebp salsa.debian.org/chromium-team

And Mozilla maintains the Firefox packages in Debian, they decided to not use the system libwebp, though their build system supports it.

@jr @niclas A rolling release distro wouldn't change this issue. If each package includes its own copy of libwebp, each one of those still needs to be updated. With this vuln, it was first reported as only affecting some iOS framework, then only Chrome. So lots of developers are still not aware that they have to ship an update with the latest libwebp version. With the distro model, just the library maintainer needs to be aware of the update, then all the apps automatically get the update

@frehi I've worked on Chromium quite a bit, in terms of patching and building, so I'm speaking from that experience. I don't know much about Firefox in Debian.

@frehi exactly, this is what Debian works hard to avoid, but has refused to budge at all with in this regard. They make it impossible to build in the distro style, with shared libraries, etc.. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.

"This bug also shows that we have an over-reliance on for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." blog.isosceles.com/the-webp-0d

Uhoh, looks like #libwebp might have had additional security fixes _after_ the release of v1.3.2, which was what OS vendors use to address #CVE-2023-4863:



If so, then we're seeing the shellshock effect, where discovery of one issue gets everybody's attention on it to quickly discover additional problems, so maybe expect follow-up releases.


The vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of . In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.

@hexmasteen me too, I wonder why I didn't get a paywall on that one? I guess because of ?

@joncamfield Reminds me of how analysis is making a comeback, since it puts labor and automation in a central position. I can't say I agree with Marxist policy proposals in general, but I think Marxist analysis is still very much a powerful tool for understanding the world.

I just read this op-ed about the intelligence of (its 6 months old). It is the best piece I've read so far that demonstrates how things like can bring in "banality of evil" amoral decision making where humans would be troubled by the moral issues in the situation.

I'd LOVE more serious journalists digging into the recent proliferation/funding of these advocacy orgs, who use stirring tales of harm to push for surveillance, w/o engaging with ppl/orgs who do front line service work for victims (and generally reject these narratives)

Show thread

@sergii Actually, when you look at the economics of ride sharing services, the services with apps like Uber/Lyft/etc are not cost competitive with the telephone-based ones. Software developers and servers are super expensive, call center operators and phones are not. The business model of Uber especially avoids competing on efficiency. They take lots of VC funding to build a monopoly, so they can squeeze the drivers to the minimum possible wage.

Visiting the Norwegian city of Bergen, I cycled along a stunning 3-km bike path blasted through a mountain.

It's the longest bike tunnel in the world -- and a centerpiece of Bergen's plans to reduce driving.

I wrote about it in Bloomberg CityLab.

#norway #bergen #bike #cycling


I was in a European city new to me at an event where the planners assumed that Uber and Bolt where the only taxi options people would use. I asked for a taxi phone number, called and had a car in 5 minutes. That's much quicker than the account signup, and leaks much less private data. Taxi apps are not more efficient, horrible for privacy, and their business model is based on building a monopoly. I guess fancy UX in the apps really hooks people, or I'm missing something


Show more
image/svg+xml Librem Chat image/svg+xml