Hans-Christoph Steiner @eighthave@librem.one

@frehi I've heard some more details: Debian's Chromium maintainer actually got it to use the system libwebp https://salsa.debian.org/chromium-team/chromium/-/blob/master/debian/control

And Mozilla maintains the Firefox packages in Debian, they decided to not use the system libwebp, though their build system supports it.

@jr @niclas A rolling release distro wouldn't change this issue. If each package includes its own copy of libwebp, each one of those still needs to be updated. With this #WebP vuln, it was first reported as only affecting some iOS framework, then only Chrome. So lots of developers are still not aware that they have to ship an update with the latest libwebp version. With the distro model, just the library maintainer needs to be aware of the update, then all the apps automatically get the update

@frehi I've worked on Chromium quite a bit, in terms of patching and building, so I'm speaking from that experience. I don't know much about Firefox in Debian.

@frehi exactly, this is what Debian works hard to avoid, but #Google has refused to budge at all with #Chromium in this regard. They make it impossible to build in the distro style, with shared libraries, etc.. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.

"This bug also shows that we have an over-reliance on #fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote #exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." https://blog.isosceles.com/the-webp-0day/ #libwebp #WebP

The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.

@hexmasteen me too, I wonder why I didn't get a paywall on that one? I guess because of #NoScript?

@joncamfield Reminds me of how #Marxist analysis is making a comeback, since it puts labor and automation in a central position. I can't say I agree with Marxist policy proposals in general, but I think Marxist analysis is still very much a powerful tool for understanding the world.

I just read this op-ed about the intelligence of #LLM #AI (its 6 months old). It is the best piece I've read so far that demonstrates how things like #ChatGPT can bring in "banality of evil" amoral decision making where humans would be troubled by the moral issues in the situation.
https://www.nytimes.com/2023/03/08/opinion/noam-chomsky-chatgpt-ai.html

@sergii Actually, when you look at the economics of ride sharing services, the services with apps like Uber/Lyft/etc are not cost competitive with the telephone-based ones. Software developers and servers are super expensive, call center operators and phones are not. The business model of Uber especially avoids competing on efficiency. They take lots of VC funding to build a monopoly, so they can squeeze the drivers to the minimum possible wage.

@vitriolix graffiti and cobwebs on an old cement wall

I was in a European city new to me at an event where the planners assumed that Uber and Bolt where the only taxi options people would use. I asked for a taxi phone number, called and had a car in 5 minutes. That's much quicker than the account signup, and leaks much less private data. Taxi apps are not more efficient, horrible for privacy, and their business model is based on building a monopoly. I guess fancy UX in the apps really hooks people, or I'm missing something

https://www.sfchronicle.com/opinion/openforum/article/robotaxi-car-technology-traffic-18362647.php

#Wien Fluss

@bartvdpoel@mastodon.green Do you have a graph of energy expended producing the wind turbines versus their lifetime output? My guess is that the large ones are much more efficient in that regard, but I'd love to see data on that. I think the graphs look quite similar with solar.

Another problem that often goes ignored is how less attractive countries can keep the people that they have paid to educate. I know this first hand because my father was a doctor who was educated by the social system of #Austria including an annual stipend that he lived off of, then he left for #America once he finished his studies. Austria paid to educate a doctor but got little in return. This dynamic is common around the world, medical pros from poorer countries emigrate to richer ones. 3/3