Show more

Come work with us at @sovtechfund for a unique job opportunity where you'll be at the intersection of bug bounty programs and public interest.

As the BRP Manager, you'll spearhead our efforts to enhance bug resilience in FOSS projects, leveraging responsible bug bounty programs and more to make a meaningful impact in open source critical infrastructure.

Apply now at sovereigntechfund.de/jobs/bug-

(You're welcome to apply even if you don't meet 100% of the description, it's just a wishlist)

@paoloredaelli @sammi @element "gratis" is clear to many English speakers since they also speak other languages, like EU standard English. For the majority of mother tongue English speakers, my guess is "gratis" would be weird but somehow understandable. There would be many who had never heard the word. "Gratuity" is probably the closest word in English, but has a different meaning.

(For context, my mother tongue is English, father tongue German, and I speak a bit of some other languages.)

@richiekhoo @sovtechfund yes, self-funded maintainers are an essential target for this kind of funding. I would also include volunteer maintainers, which is not the same thing. Many maintainers of key software pieces do want funding for the work, but funding can still go to others writing patches, etc

There also needs to be help getting companies understand that it is in their own interest to let their developers contribute to any project they rely on, no matter how indirectly they rely on it.

Major push to impose a U.S. site-blocking law. Nothing has changed since SOPA. Of course, lawful content would also be blocked arstechnica.com/tech-policy/20 #Quad9

@mvgorcum @paoloredaelli @element Ok, good to know! I was looking at the client, so I overlooked that. It is important that they've released key pieces, the bridges, as Let's hope this means they will contribute to the shared maintenance of the Matrix ecosystem for all the pieces they use.

Lots of hackers would love to go in an contribute to new projects. If there was a way that people could make a living doing that, we would greatly improve the ecosystem. Lots of devs want to improve the code they work on, but so many company ban employees from contributing to . One promising new model is maintenance funding from governments and foundations, like @sovtechfund and . Since 93% of codebases use , this affects the entire software ecosystem

4/4

Show thread

This also happens in companies, but the dynamic functions a bit differently. The maintainers will start quitting their jobs, reducing the number of people who know the code. In a number of companies, I've seen this happen where the end result is an essential system that no present employee understands. So no one is allowed to touch it as long as it is working. This happens at mega corps and small companies alike. I experienced it at Merrill Lynch, a wealthy bank that was always cutting costs 3/

Show thread

This can turn into a downward spiral, because it can drive away contributors, making things worse. Then only the ones who really feel responsible for their user base will continue working on it. Then ultimately they can burnout and the thing goes down in flames. The is a version of this dynamic. The maintainer was caught in that dynamic and felt he could not keep up, and was desparate for help since so many essential pieces of software rely on it.

2/

Show thread

There is a dynamic that arises when there is a growing difference between the amount of maintenance required and available developer time. The maintainers need help to keep up. Until then, they need to ensure that the essentials are maintained. That in turn makes it harder for others to contribute, because the maintainer cannot afford to take any risks that might trigger unexpected work sometime later. So the maintainers have less time to review, less time to help complete merge requests, etc 1/

@alloydflanagan @downey @neil From what I see, it is the other way around: Automattic has a pretty good track record of FOSS (Wordpress, Pocket Casts) while at this point, Beeper is mostly just a consumer of FOSS produced by others. So hopefully Automattic will follow the Pocket Casts pattern and start open sourcing the Beeper app.

@paoloredaelli yeah, I'm sure they're using the existing libraries from @element. The real question is: will they open up their app and get it on !

just acquired and , two chat apps that work with a bunch of bridges to popular apps :

* blog.beeper.com/2024/04/09/bee
* automattic.com/2024/04/09/auto

I really hope they open source it.
Since they are going for a fee-for-service model like Wordpress, I'm optimistic. This is key for breaking the network effects that companies rely on: .

@IzzyOnDroid @fdroidorg I'm happy to see @obfusk continuing with the very important work on signature analysis and the related tooling. I was worried she had stopped working on it after quitting F-Droid. That work is bigger than F-Droid, it is otherwise missing in the Android ecosystem.

@IzzyOnDroid @obfusk @fdroidorg sorry, I guess I should have started a new thread. I'm not so good at the social medias...

@IzzyOnDroid @obfusk @fdroidorg That was not directed at you, that was my takeaway from the analysis I posted in the 1/2 post. The TL;DR.

@IzzyOnDroid @obfusk @fdroidorg They key takeaway is:

If a binary repo maintainer is not careful about where they get their APKs and relies completely on AllowedAPKSigningKeys to verify the APKs, then this is an important issue.

2/2

@IzzyOnDroid @obfusk @fdroidorg All I'm asking is for . The tone you sense was my panic as I scrambled to figure out the proof-of-concept to ensure that users are kept safe. Signature verification is a key part of that. I cleared my schedule this morning to deal with this.

Thanks to @obfusk to doing the hard work of the proof-of-concept and the patch. I posted my preliminary analysis of the issue on gitlab.com/fdroid/fdroidserver

1/2

Show more
image/svg+xml Librem Chat image/svg+xml