@MishaalRahman This severely worries me, especially because we are as we speak on day 4 of KDE Connect being uninstalled for F-Droid users due to a false positive in Google Play Protect with no response from Google whatsoever: https://www.golem.de/news/play-protect-google-entfernt-kde-app-aus-f-droid-von-android-smartphones-2310-178521.html (German article, but links to an English Reddit thread)
While I believe this feature is well intended, I do not believe Google Play Protect and *especially* Google support are mature enough to do this without significant damage to legitimate apps.
WTF Google Play?
You're drunk, #PlayProtect. Go home!
"Harmful app removed. #KDEConnect. The app is fake. It can steal your personal data, such as banking info and passwords."
@jakubmueller Society already has many ways for people to get advice on who to trust: government services, non-profits, certification agencies, trusted media, friends, religious organizations, reputation, family, and more.
A large part of how people came to trust Google or Apple is because of their own massive spending on marketing and PR to convince people to trust them. Being on the receiving end of that is a poor method for reliable verification of whether something is trustworthy.
When organizations that use #Debian maintain the packages they use in Debian, the whole ecosystem gains. The more organizations that do that, the more efficient the whole ecosystem becomes for all users. Here's a recent example from #FDroid:
https://f-droid.org/2023/10/10/f-droid-maintains-in-debian.html
I'm a Debian Developer, I'm happy to help get organizations working in this way. Reach out if you're interested!
"#Apple may be exaggerating a bit here. It wants to provide a safe experience, but in 2022 the company still removed 186,195 apps that had been previously approved. So its review process has some gaps."
https://www.theregister.com/2023/10/09/apple_app_store/
I hope the #EU will keep the pressure on #DMA #gatekeepers like #Apple and give #FreeSoftware app stores the opportunity to compete with Apple by providing more trustworthy reviews that include reviewing the source code.
🌍 Unsurprisingly, neocolonizers #Google, #Facebook, #Microsoft, and #Amazon are rushing to control connectivity and infrastructure across #Africa.
💰 #DigitalSovereignty for Africa? Not likely anytime soon: We can't even escape them in the US or Europe given their corrupt regulatory capture.
@rene_mobile I'm having similar struggles with a Dell that is closely related to one that is approved by Ubuntu. It shows how much device support is almost in place; it is low-hanging fruit just waiting for a little integration work. With all the recent talk of #DigitalSovereignty it seems there should be some way to get govs to chip in to fund people to integrate and upstream this stuff so that there is real choice of hardware to run #FreeSoftware on.
#Bitcoin hardware maker is laying off staff! That is great news, that is a clear sign that people are pulling back from Bitcoin. And they couldn't pivot to #AI, so perhaps another good sign.
https://www.theregister.com/2023/10/10/bitmain_furloughs_report/
@static yes exactly. it's not a good root of trust.
It would help if people showed their interest on the issues there. It can be just a 👍 or even better, post about your use cases
Perhaps the most difficult case ever for #Debian packagers: #Gradle. They do all the things that make packaging a nightmare:
* Build the tool with itself
* Circular dependencies: Gradle needs #Kotlin to build which needs Gradle to build...
* Depend on snapshots to build releases, but then they don't keep a way to reproduce the snapshot releases https://github.com/gradle/gradle/issues/26516
* Java-style bundling of all dependencies
* Hidden proprietary depends https://github.com/gradle/gradle/issues/16439
thanks ebourg for keeping on!
Empathy in open source: be gentle with each other · baby steps
"#Empathy is not about being nice or making the other person feel good or even feel better. Being empathetic means understanding what the other person feels and then showing them that you understand.
Understanding what the other person feels doesn’t mean you have to feel the same way. It also doesn’t mean you have to agree with them, or feel that they are “justified” in those feelings."
https://smallcultfollowing.com/babysteps/blog/2023/09/27/empathy-in-open-source/
Weeks later, Google posted a proper CVE. A publicly funded civil society org, @citizenlab, found this #vuln, while two of the world's largest corps, #Google and #Apple, sat on it while making sure that their affected products were patched. That sure makes them look good to non-technical users. They are built on #FreeSoftware, and have more than enough resources to be a responsible steward, but failed to do the standard practice #CVE, screwing everyone else.
UX designers who eliminated the filesystem from user consciousness in the name of simplicity ruined the world and are morally culpable for shriveling the minds of children who are unable to tackle the challenges of today thanks to a choice sold as advocacy for the user but was ultimately motivated by control of a disempowered customer.
@frehi I've heard some more details: Debian's Chromium maintainer actually got it to use the system libwebp https://salsa.debian.org/chromium-team/chromium/-/blob/master/debian/control
And Mozilla maintains the Firefox packages in Debian, they decided to not use the system libwebp, though their build system supports it.
@jr @niclas A rolling release distro wouldn't change this issue. If each package includes its own copy of libwebp, each one of those still needs to be updated. With this #WebP vuln, it was first reported as only affecting some iOS framework, then only Chrome. So lots of developers are still not aware that they have to ship an update with the latest libwebp version. With the distro model, just the library maintainer needs to be aware of the update, then all the apps automatically get the update.
@frehi I've worked on Chromium quite a bit, in terms of patching and building, so I'm speaking from that experience. I don't know much about Firefox in Debian.
@frehi exactly, this is what Debian works hard to avoid, but #Google has refused to budge at all with #Chromium in this regard. They make it impossible to build in the distro style, with shared libraries, etc. It must be all statically linked with everything from its own source package. Looks like Firefox also has started to go this route, though historically, they've had a more flexible build that was less hostile to distros.