Hans-Christoph Steiner @eighthave@librem.one

It would help if people showed their interest on the issues there. It can be just a 👍 or even better, post about your use cases

Perhaps the most difficult case ever for #Debian packagers: #Gradle They do all the things that make packaging a nightmare:

* Build the tool with itself
* Circular dependencies: Gradle needs #Kotlin to build which needs Gradle to build...
* Depend on snapshots to build releases, but then they don't keep a way to reproduce the snapshot releases https://github.com/gradle/gradle/issues/26516
* Java-style bundling of all dependencies
* Hidden proprietary depends https://github.com/gradle/gradle/issues/16439

thanks ebourg for keeping on!

Weeks later, Google posted a proper CVE. A publicly funded civil society org, @citizenlab found this #vuln, while two of world's largest corps, #Google and #Apple, sat on it while making sure that their affected products were patched. That sure makes them look good to non-technical users. They are built on #FreeSoftware, and have more than enough resources to be a responsible steward, but failed to do the standard practice #CVE, screwing everyone else.

https://arstechnica.com/security/2023/09/google-quietly-corrects-previously-submitted-disclosure-for-critical-webp-0-day/

#BigTech #WebP

@frehi I've heard some more details: Debian's Chromium maintainer actually got it to use the system libwebp https://salsa.debian.org/chromium-team/chromium/-/blob/master/debian/control

And Mozilla maintains the Firefox packages in Debian, they decided to not use the system libwebp, though their build system supports it.

@jr @niclas A rolling release distro wouldn't change this issue. If each package includes its own copy of libwebp, each one of those still needs to be updated. With this #WebP vuln, it was first reported as only affecting some iOS framework, then only Chrome. So lots of developers are still not aware that they have to ship an update with the latest libwebp version. With the distro model, just the library maintainer needs to be aware of the update, then all the apps automatically get the update

@frehi I've worked on Chromium quite a bit, in terms of patching and building, so I'm speaking from that experience. I don't know much about Firefox in Debian.

@frehi exactly, this is what Debian works hard to avoid, but #Google has refused to budge at all with #Chromium in this regard. They make it impossible to build in the distro style, with shared libraries, etc.. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.

"This bug also shows that we have an over-reliance on #fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote #exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." https://blog.isosceles.com/the-webp-0day/ #libwebp #WebP

The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.

@hexmasteen me too, I wonder why I didn't get a paywall on that one? I guess because of #NoScript?

@joncamfield Reminds me of how #Marxist analysis is making a comeback, since it puts labor and automation in a central position. I can't say I agree with Marxist policy proposals in general, but I think Marxist analysis is still very much a powerful tool for understanding the world.

I just read this op-ed about the intelligence of #LLM #AI (its 6 months old). It is the best piece I've read so far that demonstrates how things like #ChatGPT can bring in "banality of evil" amoral decision making where humans would be troubled by the moral issues in the situation.
https://www.nytimes.com/2023/03/08/opinion/noam-chomsky-chatgpt-ai.html

@sergii Actually, when you look at the economics of ride sharing services, the services with apps like Uber/Lyft/etc are not cost competitive with the telephone-based ones. Software developers and servers are super expensive, call center operators and phones are not. The business model of Uber especially avoids competing on efficiency. They take lots of VC funding to build a monopoly, so they can squeeze the drivers to the minimum possible wage.

@vitriolix graffiti and cobwebs on an old cement wall

I was in a European city new to me at an event where the planners assumed that Uber and Bolt where the only taxi options people would use. I asked for a taxi phone number, called and had a car in 5 minutes. That's much quicker than the account signup, and leaks much less private data. Taxi apps are not more efficient, horrible for privacy, and their business model is based on building a monopoly. I guess fancy UX in the apps really hooks people, or I'm missing something

https://www.sfchronicle.com/opinion/openforum/article/robotaxi-car-technology-traffic-18362647.php