Diseased Open Source Software Community - it's about ethics in Code of Conducts

With the pace of malware development and security hole discovery there's no such thing as "just works". Patch your shit regularly or you risk somebody else doing it better and taking over.
Depends on what the program is though. A web browser or operating system/kernel, yeah, but technically a really well-written program could go years without "core" code changes, but I would be really suspicious if more test cases and fuzzing targets don't get added.
 
With the pace of malware development and security hole discovery there's no such thing as "just works". Patch your shit regularly or you risk somebody else doing it better and taking over.
If there is an actual security issue, yes, it should be patched. But a lot of development time for these types of projects is not spent on security. In fact, by adding more code they are arguably increasing the chances of security issues. Just a habit of writing new patches is not itself a fix to security issues.
 
Me last night: "I will go searching for a UI library that best suits my needs"

Github repo: *Giant Israeli flag*

When did open source just become a soapbox for whoever leads the project? Sad thing is it's probably the best library choice, *sigh*

Back in the day I thought the clisp menorah logo was too on-the-nose so I stuck with SBCL.

Compared to that repo it looks like the model of restraint.

 
With the pace of malware development and security hole discovery there's no such thing as "just works". Patch your shit regularly or you risk somebody else doing it better and taking over.
AWK is pretty feature complete at this point and does not have much crunch or change at this point.
What missing features or unpatched CVEs do you recommend the AWK maintainer work on?

Sometimes software just becomes stable and feature complete and "just works".
 
What missing features or unpatched CVEs do you recommend the AWK maintainer work on?
Did they check statistical coverage on the fuzzing targets? I know that even if the lines are technically covered by a fuzz target, it's sometimes so occasional that it's pretty much useless.

You need as many lines as possible being hit often, through all its entry points, with as many different inputs as possible.
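The check the post above is asking for, as an added example that is not from the thread or from any AWK fuzzing setup: count how often each branch of a fuzz target is reached, not just whether it was ever reached. The toy record parser, the random input generator, the branch names and the 1% threshold are all constructed for illustration; a real campaign would take the counts from the fuzzer's own coverage or profile data instead of an in-process counter.

```python
"""Hit-frequency coverage for a fuzz target (constructed example).

A branch that is "covered" once in a hundred thousand executions is exercised
so rarely that a fuzzer effectively never explores the code behind it. The
parser below has a checksum check; for random input the branches after it are
reached about 1 time in 256, which is the kind of rare-but-covered path a plain
line-coverage report hides.
"""
import random
from collections import Counter
from functools import reduce

BRANCH_HITS = Counter()   # branch name -> number of executions that reached it


def hit(branch: str) -> None:
    BRANCH_HITS[branch] += 1


def parse_record(data: bytes) -> dict:
    """Toy record format (constructed): [tag:1][len:1][payload:len][xor-checksum:1].
    The low nibble of the length byte is the payload length."""
    hit("entry")
    if len(data) < 3:
        hit("short_header")
        raise ValueError("short header")
    tag, length = data[0], data[1] & 0x0F
    payload = data[2:2 + length]
    if len(payload) != length or 2 + length >= len(data):
        hit("truncated")
        raise ValueError("truncated record")
    expected = reduce(lambda a, b: a ^ b, payload, 0)
    if data[2 + length] != expected:
        hit("bad_checksum")
        raise ValueError("bad checksum")
    # Everything below is only reachable with a correct checksum: for random
    # input that is a 1-in-256 event, so these branches are "covered" but rare.
    hit("checksum_ok")
    if tag & 0x80:
        hit("extended_tag")
        return {"tag": tag & 0x7F, "extended": True, "payload": payload}
    hit("basic_tag")
    return {"tag": tag, "extended": False, "payload": payload}


def fuzz(iterations: int, seed: int = 1, max_len: int = 10) -> dict:
    """Drive the parser with random byte strings and return per-branch hit counts."""
    rng = random.Random(seed)
    BRANCH_HITS.clear()
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(max_len + 1)))
        try:
            parse_record(data)
        except ValueError:
            pass
    return dict(BRANCH_HITS)


def under_exercised(hits: dict, iterations: int, known_branches, min_rate: float = 0.01):
    """Branches reached in fewer than min_rate of executions, never-hit ones included.
    These are the places where "it's covered" is true but useless."""
    return sorted(b for b in known_branches if hits.get(b, 0) / iterations < min_rate)


KNOWN_BRANCHES = ("entry", "short_header", "truncated", "bad_checksum",
                  "checksum_ok", "extended_tag", "basic_tag")

if __name__ == "__main__":
    n = 50_000
    hits = fuzz(n)
    for branch in KNOWN_BRANCHES:
        count = hits.get(branch, 0)
        print(f"{branch:14s} {count:7d}  ({100 * count / n:.3f}%)")
    print("under-exercised:", under_exercised(hits, n, KNOWN_BRANCHES))
```

Run it and the `checksum_ok`, `extended_tag` and `basic_tag` branches show up as under-exercised even though every one of them has a non-zero count: a line-coverage tool would paint them green. The fix in a real harness is a dictionary, a structure-aware generator or a checksum-fixing mutator so those paths get hit at a rate where the fuzzer can actually vary what follows them.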
 
With the pace of malware development and security hole discovery there's no such thing as "just works". Patch your shit regularly or you risk somebody else doing it better and taking over.
If you have troons patching it just to farm karma they're more likely to introduce security holes than fix them.
 
AWK is pretty feature complete at this point and does not have much crunch or change at this point.
What missing features or unpatched CVEs do you recommend the AWK maintainer work on?

Sometimes software just becomes stable and feature complete and "just works".
You didn't even bother to check and they're working on it around the clock: https://git.savannah.gnu.org/cgit/gawk.git/log/

No such thing as "feature complete". I was naive once too and added some packages that looked abandoned as dependencies because they were "feature complete". A few years later and there are gaping security holes that were discovered in the meantime, or it's incompatible with some other dependency that was updated recently, or it turns out that it was missing some important feature after all, and now you have to fork it and maintain it yourself.

For hobby projects, sure, it doesn't matter that much, though it's a pain in the ass when an old abandoned dependency limits what you can do. If you're maintaining serious software though, you have to keep updating it.
 
When's Euclid going to update the Pythagorean theorem?
With the pace of malware development and security hole discovery there's no such thing as "just works".
There's no such thing as safe food.
No such thing as "feature complete".
There's no such thing as clean water.
If you're maintaining serious software though, you have to keep updating it.
Mathematical proofs rot.
 
This may not be the place to post, but as of a few days ago BitWarden has become non-free software. They have added restrictions to an internal SDK that the entire set of programs cannot work without, and the CTO claims that this is allowed under the GPLv3, before locking the issue, stating this:
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.


  1. the SDK and the client are two separate programs
  2. code for each program is in separate repositories
  3. the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
Essentially stating this is allowed as they are “separate programs”, despite GPLv3 stating this:
The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work’s System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
 
When's Euclid going to update the Pythagorean theorem?

There's no such thing as safe food.

There's no such thing as clean water.

Mathematical proofs rot.
How about you make your point instead of playing gay word games.

This may not be the place to post, but as of a few days ago BitWarden has become non-free software. They have added restrictions to an internal SDK that the entire set of programs cannot work without, and claim that this is allowed under the GPLv3 because they are “separate programs”, despite GPLv3 stating this:
The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work’s System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
Confusion as old as GPL itself. If you license your code under GPL it doesn't place any restrictions on you, it places restrictions on the people who use the license.
 
It's like people even forgot what software is. Software is a tool. If the software is the right tool for the job, then the software is perfect. I can write a book in Wordstar on my 286. That software is from the 80s but will handle that perfectly well. The company who made it doesn't exist anymore, nor do I have the source code, nor might that source code even still exist anywhere. It still will handle the job, as it is a tool for that job. (as is the 286 running that particular software) Are there better or different tools for the same job? Perhaps. It doesn't matter. It doesn't diminish or invalidate that Wordstar can work in that role.

There's such a thing as scope and feature completeness. If Software 1.0 is an excellent text editor, but 2.0 also adds the ability to post pictures to social media and write drunken political emails to Null, it does not mean that 2.0 is better or more suited, as a tool, for the job I have for it, which is writing text. Why do I even have to explain this? Why does anyone? When has writing software and using software become some cargo-cult-esque ritualistic process where you are safe from the evil demons only if you do the right incantations in the correct order at the correct times? Is this the result of programmers and users having no idea what they're doing?

I've been using a window manager that hasn't seen updates in seven+ years. Will my computer explode? No, because it manages windows in the same scope I needed it to seven years ago. This stability is a good thing, not a bad thing because I don't need to waste my time. I'm not sure how to put it in even simpler words.
 
If you license your code under GPL it doesn't place any restrictions on you, it places restrictions on the people who use the license.
From my understanding this isn’t true, especially in this case. For one, as quoted above GPLv3 requires that “corresponding source” be supplied under GPLv3 as well, which would include the now non-free SDK that is required to make any part of BitWarden function, which is a restriction placed on the maintainer. Additionally, any and all changes that the modifier of GPL code makes and distributes must also be made available, which includes the maintainer, meaning maintainers are under even more restrictions than others.

Null recommended BitWarden to me just a few days ago. I have a feeling this Joshua Moon fellow is behind this.
Yeah, it’s a real shame BitWarden has gone down this path. Probably going to need to look into self-hosted solutions next.
 
It's like people even forgot what software is.
They don't even know that it's just math.
Software is a tool.
Yes, but to too many it's a tool to inflate egos.
When has writing software and using software become some cargo-cult-esque ritualistic process where you are safe from the evil demons only if you do the right incarnations in the correct order at the correct times?
I like to blame UNIX. Look at this old poster:
[image: "UNIX Magic" poster]
Some programmers, especially UNIX programmers, see complicated and incomplete tools as a good thing, because they can hoard the useless knowledge and with it elevate themselves above others, in their minds. They think of themselves as wizards. If the computers were easy to use, without useless shit in the way, then they couldn't feel like wizards anymore. That would make them sad. They don't mind enjoying water, electricity, and other marvels of modern life without thinking about them, but computers are special and they need to insert themselves between computers and everyone else.
Is this the result of programmers and users having no idea what they're doing?
Yes. We're already at the point where dumbasses don't even think software can work correctly, as a fact.
 
You didn't even bother to check and they're working on it around the clock: https://git.savannah.gnu.org/cgit/gawk.git/log/

No such thing as "feature complete". I was naive once too and added some packages that looked abandoned as dependencies because they were "feature complete". A few years later and there are gaping security holes that were discovered in the meantime, or it's incompatible with some other dependency that was updated recently, or it turns out that it was missing some important feature after all, and now you have to fork it and maintain it yourself.
1. That first page of changes are all minor tweaks to documentation and not feature work.

2. Yes, if your project depends on external packages you either have to go with a vendor and trust that they will maintain, test and keep the packages up to date,
OR
you will have to fork the packages and then you will need to maintain your personal/production fork yourself
and ensure that you have all important fixes from upstream in your repo within a reasonable time.

What you can not do is just track some random package from upstream and blindly pull their master branch and hope for the best.
 
I've been using a window manager that hasn't seen updates in seven+ years. Will my computer explode? No, because it manages windows in the same scope I needed it to seven years ago. This stability is a good thing, not a bad thing because I don't need to waste my time. I'm not sure how to put it in even simpler words.
What, you don't think ls and cat and grep need to be updated every five minutes to add new features?
 
This may not be the place to post, but as of a few days ago BitWarden has become non-free software. They have added restrictions to an internal SDK that the entire set of programs cannot work without, and the CTO claims that this is allowed under the GPLv3, before locking the issue, stating this:
As a VaultWarden user, I'm kind of wondering how this will impact things. The self-hosted BW the one time I tried it was really stupidly bloated, but it wouldn't surprise me if some bean counter at BW got mad and there's going to be some work to lock out self-hosted instances.
Yeah, it’s a real shame BitWarden has gone down this path. Probably going to need to look into self-hosted solutions next.
VaultWarden is good (in spite of being Rustwarez). The only thing that kind of sucked was having to extract it out of a Docker container (since I prefer to run my infra in LXC containers), but it's been absolutely rock solid. I really dislike having keyrings and vaults in the cloud (inb4 "the cloud datacenter is safer than your home network", for my own network and physical location I really doubt it). It might, unfortunately, be time to go back to using KeepassXC.
It's like people even forgot what software is. Software is a tool. If the software is the right tool for the job, then the software is perfect. I can write a book in Wordstar on my 286. That software is from the 80s but will handle that perfectly well. The company who made it doesn't exist anymore, nor do I have the source code, nor might that source code even still exist anywhere. It still will handle the job, as it is a tool for that job. (as is the 286 running that particular software) Are there better or different tools for the same job? Perhaps. It doesn't matter. It doesn't diminish or invalidate that Wordstar can work in that role.

There's such a thing as scope and feature completeness. If Software 1.0 is an excellent text editor, but 2.0 also adds the ability to post pictures to social media and write drunken political emails to Null, it does not mean that 2.0 is better or more suited, as a tool, for the job I have for it, which is writing text. Why do I even have to explain this? Why does anyone? When has writing software and using software become some cargo-cult-esque ritualistic process where you are safe from the evil demons only if you do the right incantations in the correct order at the correct times? Is this the result of programmers and users having no idea what they're doing?

I've been using a window manager that hasn't seen updates in seven+ years. Will my computer explode? No, because it manages windows in the same scope I needed it to seven years ago. This stability is a good thing, not a bad thing because I don't need to waste my time. I'm not sure how to put it in even simpler words.
So much of the churn is at least partially driven by having every pile of shit needlessly built to connect and phone home to the Internet. I think people underestimate how much software is just done (it's just not sexy and usually not hooked up to an IP network). I've got a lot of older PIC16F firmware for various things that does the job just as well as when I wrote it many years ago. Lots of industrial equipment like the older CNCs I look at occasionally are "done" and "just work", even if they're running on DOS or Windows 95. Knuth's O.G. TeX also comes to mind as something that's truly "complete" (though LaTeX users may disagree).
 