Open Source Software Community - it's about ethics in Code of Conducts

Guys, I can't decide whether this is an elaborate troll: https://malus.sh.
I'm reasonably sure that it's a troll. No Jeet would use a shit smear as an example of a bad thing, and no quotes from customers would be that blunt. And it says point blank a lot of things that would normally be hidden in corpospeak. I don't have an example to upload to see what happens, however. It's possible that the creator put the same amount of work into it as if it was a legitimate project, in which case it'll try to do what it claims but very, very badly.
 
Guys, I can't decide whether this is an elaborate troll: https://malus.sh.
From the link, and I quote:
The Problem With Open Source:

Apache License Attribution

Is your legal team frustrated with the attribution clause? Tired of putting "Portions of this software..." in your documentation? Those maintainers worked for free—why should they get credit?

AGPL Contamination

Does your company forbid AGPL code? One wrong import and suddenly your entire proprietary codebase must be open sourced. The horror!

License Compliance Overhead

Tracking licenses across hundreds of dependencies? Legal reviews taking weeks? Third-party audits finding "issues"? What if you could just... not deal with any of that?

Giving Back to Community

Some licenses require you to contribute improvements back. Your shareholders didn't invest in your company so you could help strangers.

Robot-Powered Clean Room Recreation

Our proprietary AI systems have never seen the original source code. They independently analyze documentation, API specifications, and public interfaces to recreate functionally equivalent software from scratch.
The result is legally distinct code that you own outright. No derivative works. No license inheritance. No obligations.
  • ✓ 100% robot-written code
  • ✓ Zero exposure to original source
  • ✓ Functionally equivalent output
  • ✓ Your choice of corporate-friendly license
  • ✓ Full legal indemnification
*Through our offshore subsidiary in a jurisdiction that doesn't recognize software copyright
Seems legit to me. In fact, why don't we make a LinkedIn post sharing this wonderful resource so all of our fellow esteemed Open Source developers from Canonical and Red Hat can make use of it? I'm sure they'd be blown away by the results!
 
Speaking of licenses, OnlyOffice is starting shit over alleged breach of AGPL (with OnlyOffice's additions): ONLYOFFICE flags license violations in “Euro-Office” project by Nextcloud and IONOS (archive)

Our position

The “Euro-Office” initiative represents an evident and material violation of ONLYOFFICE licensing terms and of established principles of international intellectual property law. We require full and immediate compliance with all applicable licensing conditions, including — but not limited to — the preservation of ONLYOFFICE branding, logo, and all required attribution elements as defined in our licensing terms.

Only after full compliance is ensured, we will be ready to address and discuss the inaccurate and misleading statements about ONLYOFFICE that have been made in connection with this project.


As for the statement that “open collaboration with ONLYOFFICE was not possible for a number of reasons”, we believe that working within a proper legal and licensing framework is, in fact, the very foundation of any real collaboration. It has already proven to work for millions of users and hundreds of partners worldwide.

Commit removing OnlyOffice's additions to the license. (archive)
Remove unenforceable and non-obligatory Section 7 additions from copyright headers

Under AGPLv3 Section 7, downstream recipients may remove terms that
constitute "further restrictions" beyond what Section 7(a)-(f) permits,
as affirmed by the FSF.

Logo retention requirement (Section 7(b)):
Section 7(b) permits requiring preservation of "legal notices or
author attributions". A product logo is a trademark/brand element,
not a legal notice or author attribution. It therefore exceeds the
scope of 7(b), qualifies as a "further restriction" under Section 10,
and may be removed.

Trademark disclaimer (Section 7(e)):
Purely declaratory — the AGPLv3 does not grant trademark rights in
any case. The disclaimer creates no affirmative obligation on the
licensee and removing it changes no rights or obligations. There is
no legal basis requiring its preservation.

Contact address:
The postal address of Ascensio System SIA is informational only.
No provision of the AGPLv3 requires downstream recipients to preserve
the original licensor's contact details.

Appropriate Legal Notices reminder:
This paragraph merely restates the obligation already imposed by
AGPLv3 Section 5(d). It is not a Section 7 additional term and its
removal does not affect compliance obligations, which derive from
the license text itself.

The Section 7(a) warranty exclusion and CC BY-SA 4.0 notice for GUI
assets are retained as they are substantive terms that modify licensee
rights and obligations.
 
100% CVE-free at time of delivery. Freshly generated code, untouched by human hands or known vulnerability databases. Your compliance dashboard goes from red to green overnight.
This is a non-sequitur. Unless you're assuming the LLM writes entirely perfect code, it will have CVEs. I don't think they're saying that (although they are trying to imply it) but instead saying that because the code is new and completely untested it won't trigger any CVE scanners. Think about that. The benefit is removal of the ability to check if your code is secure easily.

Hell, if there is a breach of some kind, why pay someone to investigate it and patch it manually? Just fucking regenerate that part of the code. Then you don't know if there's a vulnerability in the new code, so you're not liable! Problem solved!
 
Can someone explain to me what's the deal with so many people praising ripgrep for being fast? In which case has grep ever been so slow that it mattered in any meaningful way? In which context exactly are people grepping for something that needs to be done so fast that it needs a rewrite of a tool that I never found a problem with?
RIPgrep is written in Rust, so that means that it's faster, safer, and bug-free.

rg can be useful in some situations, e.g. obscenely large files, but it is definitely overhyped and a good example of why rust shills will never be real programmers. The only people who think rg is better either don't know how to use the tools that already exist, or are doing something very wrong.

- grep is a standard, not a specific implementation; rg is not a grep and has no business having grep in the name
- tools do not exist in isolation, which is why specifications (and conformance) are important; I can't (easily) integrate rg into my toolset so it is less valuable, even if it were faster
- the multi-threading etc. has a "warm up" time so it's actually slower for "small" use cases (which is almost everything that I've tried it for)
- "it has better defaults" ? alias
- "it reads .gitignore" ? git grep
- "it has full unicode support" ? no it doesn't
- "but I have six gorillion niggabytes of code in a mixed language repo and I need to search all files of one specific language only but they're all over the place and I don't believe in file extensions so I have to search by mime-type" ? ngmi
 
This is a non-sequitur. Unless you're assuming the LLM writes entirely perfect code, it will have CVEs. I don't think they're saying that (although they are trying to imply it) but instead saying that because the code is new and completely untested it won't trigger any CVE scanners. Think about that. The benefit is removal of the ability to check if your code is secure easily.

Hell, if there is a breach of some kind, why pay someone to investigate it and patch it manually? Just fucking regenerate that part of the code. Then you don't know if there's a vulnerability in the new code, so you're not liable! Problem solved!
Honestly, just looking at the page, it's either a really elaborate troll or the OceanGate of software projects.
 
This is a non-sequitur. Unless you're assuming the LLM writes entirely perfect code, it will have CVEs. I don't think they're saying that (although they are trying to imply it) but instead saying that because the code is new and completely untested it won't trigger any CVE scanners. Think about that. The benefit is removal of the ability to check if your code is secure easily.
Their wording is actually correct. The slop output, being in principle new code, is not audited at all (and practically un-auditable in a reasonable time frame), so it will not have any CVEs assigned to it. A CVE is assigned when someone finds a possible vulnerability, and being a huge code base generated entirely by AI, it's likely full of subtle security bugs.
 
Their wording is actually correct. The slop output, being in principle new code, is not audited at all (and practically un-auditable in a reasonable time frame), so it will not have any CVEs assigned to it. A CVE is assigned when someone finds a possible vulnerability, and being a huge code base generated entirely by AI, it's likely full of subtle security bugs.
They are pretty much betting the farm on security through obscurity.
 
I don't really see ripgrep's value as a "replacement", I just use it since it's a dep for Doom and Dirvish. Most of the RIIR software is just kinda pointless. Fzf is alright. Zoxide is extremely overrated and also made by "ajeet" unironically. Just use sh-z. Troon software is one thing, but jeetslop? No, sir!

They are pretty much betting the farm on security through obscurity.

Why do you think there's a new database breach every other week? For small, centralized projects that actually do get reviewed, AI is a neat and useful tool, but when you have Sanjay Poojar x20 shitting out giant logs, a breach is pretty much a given. At this point they may as well give out people's data for free on account of how many incidents there've been just this year alone.
 
Why do you think there's a new database breach every other week? For small, centralized projects that actually do get reviewed, AI is a neat and useful tool, but when you have Sanjay Poojar x20 shitting out giant logs, a breach is pretty much a given. At this point they may as well give out people's data for free on account of how many incidents there've been just this year alone.
Whenever I look at the list of data breaches I forget what year it is, because it feels like we are back in the early 2000s.
 
FFmpeg is moving to Rust 🦀
 
crossposting this here because not many people check the claude thread and some people may find it interesting:

claude-code source code leaked lol

https://nitter.net/T3chFalcon/status/2038926178153529479 https://ghostarchive.org/archive/G2S5u
repos are being actively DMCA'd but people are dissecting it already
the GitHub repos are getting DMCA'd but people are using LLMs to rewrite it in Rust/Python to get around it.

i see you :smug:
 
I'm sorry, what the fuck is going on with FLOSS\software\Internet.
All of a sudden everything has gone to complete shit and nobody is putting it on the news or talking about it.
Legit question: what mail chains, IRC channels, forums should I be signing up for to keep up with this atrocity?
 
Their wording is actually correct. The slop output, being in principle new code, is not audited at all (and practically un-auditable in a reasonable time frame), so it will not have any CVEs assigned to it. A CVE is assigned when someone finds a possible vulnerability, and being a huge code base generated entirely by AI, it's likely full of subtle security bugs.
I wouldn't be surprised if some bureaucratic faggot decided that untested code with 0 CVEs looks better than one that had plenty but is tested, because it looks better on paper if you are retarded.
 
crossposting this here because not many people check the claude thread and some people may find it interesting:

the GitHub repos are getting DMCA'd but people are using LLMs to rewrite it in Rust/Python to get around it.

i see you :smug:
Is there any stable link leading to the entire leaked codebase? Useful or not, I want it in my collection.
 
Their wording is actually correct. The slop output, being in principle new code, is not audited at all (and practically un-auditable in a reasonable time frame), so it will not have any CVEs assigned to it. A CVE is assigned when someone finds a possible vulnerability, and being a huge code base generated entirely by AI, it's likely full of subtle security bugs.
I know that. That's what I'm saying. "We used code with no known CVEs so we are not liable" is a feature. Then you never need to patch your shit, and if someone did report a vulnerability, just have Claude remake that section and hey presto, back to 0 CVEs. All the data breaches that happen... already happen, so no one will give a fuck about those.

Dude, I saw this in a quoted post so the image isn't there and thought it was legitimate for a second. "But how do they have so much hand-tuned assembly?!" You have no idea how relieved I am it's merely the start of April.
 