Hans-Christoph Steiner @eighthave@librem.one

@rene_mobile I'm having similar struggles with a Dell that is closely related to one that is approved by Ubuntu. It shows how much device support is almost in place, it is low hanging fruit just waiting for a little integration work. With all the recent talk of #DigitalSovereignty it seems there should be some way to get govs to chip in to fund people to integrate and upstream this stuff so that there is real choice of hardware to run #FreeSoftware on.

#Bitcoin hardware maker is laying off staff! That is great news, that is a clear sign that people are pulling back from Bitcoin. And they couldn't pivot to #AI, so perhaps another good sign.
https://www.theregister.com/2023/10/10/bitmain_furloughs_report/

@static yes exactly. its not a good root of trust.

It would help if people showed their interest on the issues there. It can be just a 👍 or even better, post about your use cases

Perhaps the most difficult case ever for #Debian packagers: #Gradle They do all the things that make packaging a nightmare:

* Build the tool with itself
* Circular dependencies: Gradle needs #Kotlin to build which needs Gradle to build...
* Depend on snapshots to build releases, but then they don't keep a way to reproduce the snapshot releases https://github.com/gradle/gradle/issues/26516
* Java-style bundling of all dependencies
* Hidden proprietary depends https://github.com/gradle/gradle/issues/16439

thanks ebourg for keeping on!

Weeks later, Google posted a proper CVE. A publicly funded civil society org, @citizenlab found this #vuln, while two of world's largest corps, #Google and #Apple, sat on it while making sure that their affected products were patched. That sure makes them look good to non-technical users. They are built on #FreeSoftware, and have more than enough resources to be a responsible steward, but failed to do the standard practice #CVE, screwing everyone else.

https://arstechnica.com/security/2023/09/google-quietly-corrects-previously-submitted-disclosure-for-critical-webp-0-day/

#BigTech #WebP

@frehi I've heard some more details: Debian's Chromium maintainer actually got it to use the system libwebp https://salsa.debian.org/chromium-team/chromium/-/blob/master/debian/control

And Mozilla maintains the Firefox packages in Debian, they decided to not use the system libwebp, though their build system supports it.

@jr @niclas A rolling release distro wouldn't change this issue. If each package includes its own copy of libwebp, each one of those still needs to be updated. With this #WebP vuln, it was first reported as only affecting some iOS framework, then only Chrome. So lots of developers are still not aware that they have to ship an update with the latest libwebp version. With the distro model, just the library maintainer needs to be aware of the update, then all the apps automatically get the update

@frehi I've worked on Chromium quite a bit, in terms of patching and building, so I'm speaking from that experience. I don't know much about Firefox in Debian.

@frehi exactly, this is what Debian works hard to avoid, but #Google has refused to budge at all with #Chromium in this regard. They make it impossible to build in the distro style, with shared libraries, etc.. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.

"This bug also shows that we have an over-reliance on #fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote #exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." https://blog.isosceles.com/the-webp-0day/ #libwebp #WebP

The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.

@hexmasteen me too, I wonder why I didn't get a paywall on that one? I guess because of #NoScript?

@joncamfield Reminds me of how #Marxist analysis is making a comeback, since it puts labor and automation in a central position. I can't say I agree with Marxist policy proposals in general, but I think Marxist analysis is still very much a powerful tool for understanding the world.

I just read this op-ed about the intelligence of #LLM #AI (its 6 months old). It is the best piece I've read so far that demonstrates how things like #ChatGPT can bring in "banality of evil" amoral decision making where humans would be troubled by the moral issues in the situation.
https://www.nytimes.com/2023/03/08/opinion/noam-chomsky-chatgpt-ai.html