ditto
kiwifarms.net
- Joined
- Aug 17, 2019
They should rename it to "BIG DICK" in all caps.
Diseased Open Source Software Community - it's about ethics in Code of Conducts
- Thread starter CrunkLord420
- Start date
-
🐕 I am attempting to get the site runnning as fast as possible. If you are experiencing slow page load times, please report it.
- Joined
- Dec 28, 2014
Plank
kiwifarms.net
- Joined
- Apr 21, 2019
95 percent of FSF software is either outdated junk or stuff that works well enough. Most of it is clunky as fuck and ancient in design but it works for most people and is still used mostly due to momentum.
GCC, both the compiler and the larger ecosystem, was the primary real world relevance for the FSF. Stallman designed GCC to be a GNU/FSF lock-in for the open source world. Once Clang/LLVM matured, that GNU/FSF lock-in was nullified, the importance of the FSF to the open source world was greatly diminished. Clang/LLVM didn't mean the FSF software was no longer needed - it meant that GCC was no longer irreplaceable.
An almost completely FSF/GNU free Linux system is fairly easy to run today. You can already run a BSD type userland along with the complete Clang/LLVM toolchain and most people wouldn't know the difference other than various GNU specific command line options or the details of how binaries are built.
No one in the open source world is looking to the FSF to anything other than ideological leadership these days. Stallman retaining his control or not is not going to have any practical effect on the open source world outside of bragging rites for the GNU votaries or the nutcase SJWs.
- Joined
- Sep 7, 2016
Minnesota is known as the preferred destination for the original snow niggers so the Somalians must have gotten confused on their way to Sweden, they're not a very bright people.
- Joined
- Jul 6, 2020
A bunch of refugees got sent to minnesota under the obama adminstration, I guess california was getting full
lolwatagain
kiwifarms.net
- Joined
- Jul 19, 2017
Alright, give me all of your puzzle pieces, because after reading the paper, I can only conclude that this article was either written by a fucking moron who failed to understand the paper, FAKE NEWS, or pure damage control. In all likelihood, it's all three.
Let's talk about the first issue that really sticks out even if you just skim the paper.
This is not successful insertion. This is the catch rate. In other words, this is the percent of vulnerabilities that were caught by maintainers as a percentage of the total. This is clearly explained by the paper
Nowhere do they claim that they successfully inserted vulnerabilities 60% of the time. In fact, they do not claim that they inserted any of the vulnerabilities in this data set. They do not state where they obtained the merged and blocked vulnerabilities in this portion of the paper:
However, it's clear that they are not the source of the dataset because they state that they could only identify a limited number of "indirect-call" methods, and they couldn't be assed to spend the time finding more because of how fucking complicated it is. If they carefully crafted these exploits they should know how many of the fucking things exist.
Earlier in the paper they discuss the types of authors who contribute patches and vulnerabilites as well as the types of vulnerabilities and their breakdown:
I do not know where the authors obtained this data, and that is the greatest fucking sin of this fucking paper. As an outsider, I don't know if Linux maintains a database of merged and blocked patches, but as an outsider I should be able to figure out where this fucking data came from. Likewise, I'm not entirely sure how the baseline values are calculated:
Based on this paragraph, I think that they calculated it based on what the researchers were able to personally find through manual review and tool-based analysis alone, while the other categories required fuzzing to identify, but I'm trying to read this as an outsider and I may be wrong.
Now for the second issue, which really reeks of fucking damage control:
First, removing every patch submitted from a University of Minnesota email address sounds like a PR stunt to try to control the damage, mainly because the three patches the authors submitted were submitted with gmail addresses.
And none of the three patches were merged to the linux kernel tree, they were changed after the maintainer confirmed them:
The entire phrasing just reeks of damage control, maybe the UMN patches are shit, but in my opinion, the big takeaways from the paper are troubling. There are a number of known potential exploits that could become full exploits as a result of a third party accidentally or maliciously inserting code that's missed by the Linux maintainers. And instead of allowing people to submit preventive patches that could fix them before they become full blown exploits, they refuse to do so until it becomes a problem. It's a very exploitable situation and if someone hasn't exploited it already, it's because there is no fucking money in Linux exploits because it's only used by a subset of greasy neckbeards.
Attachments
- Joined
- Dec 16, 2019
Motherfuckers, half the fun of this retarded autistic language was making dick jokes with it.
- Joined
- Mar 3, 2021
Good catch. Others probably pointed out the lack of references to data to the lead author too, as he's since published a full disclosure for the case study at least (why he didn't just include everything as a supplementary from the start is baffling and bad practice).
- Joined
- May 9, 2017
For desktops, sure. For servers, mobile devices, embedded systems, and literally fucking everything else? There's Linux in them thar hills.
lolwatagain
kiwifarms.net
- Joined
- Jul 19, 2017
But do they get these kernel updates? I would imagine that the servers do, but the embedded systems?
Edit: Now, if only the SmartBulb bitcoin mine was real.
Last edited:
ditto
kiwifarms.net
- Joined
- Aug 17, 2019
Someone totally not affiliated with the Russian government wants to stick Yandex and Google analytics into Audacity
Basic telemetry for the Audacity
Basic telemetry for the Audacity
- Joined
- Mar 28, 2021
God damn it. Guess I'm going to have to find a different sound editing program then.
- Joined
- Apr 25, 2020
That's a pull request, not an announcement that they're implementing it.
If these reaction stickers are any indication, I think you can safely stick with Audacity for the time being.
- Joined
- Sep 23, 2018
Yeah. Audacity is a widely-enough used tool, and this is an unpopular-enough decision, that I'm willing to bet that if this PR got merged in, there'd be a widely-supported fork of Audacity without that merge within a day or two.
Here's a separate thread about this controversy.
Edit: Just to throw in my two cents, I usually don't have a big problem with telemetry and as a developer I can definitely see the value in getting a good understanding of how people are using the program, since end users often use a program quite differently from how someone who developed it used it (which probably explains why Audacity's UI is like one of those hidden image posters). And from what I've seen, collecting the data is completely opt-in, so if an end user didn't want the program to do this, they could just click "no" and it wouldn't happen. I suspect the problem most people have is that they took shortcuts by relying on Google and Yandex services to collect the data, and if they had gone with a self-hosted and self-developed or FOSS system instead, there would have been at least slightly less push-back.
Last edited:
- Joined
- Feb 3, 2013
Yeah but there's a lot more money in exploits for personal computers than there is for servers and embedded systems.
- Joined
- Apr 13, 2021
No, there's LOADS of money in exploits for servers. Hacks someone's PC, and you potentially have one person's personal info to sell on the black market. Hack a server and you potentially have thousands. You just don't hear about it as much both because of the differences in OS, and because companies tend to do their best to keep everything locked down, but your average normie's approach to security is a lot less rigorous, if they think of it at all.
- Joined
- Dec 1, 2018
You're both right/wrong. PCs are the low hanging fruti because every user has to be their own security guy, which means that security on most PCs is equivalent to a bunch of broken windows and an ajar front door with a hanging "please knock!" sign. And most people knock because they're fundamentally good and they've yet to learn that not knocking is a thing you can do and besides, the couch probably isn't worth the effort to steal anyway. Servers have actual security because they have real assets, liability, and above all enough concern to hire someone to do security. At the very least, even the smallest biz will pay the extra $5/mo to their host to keep nginx or whatever up to date for them. So it's a lot more difficult to compromise enterprise servers, but it's potentially a lot more lucrative. As the attacker, depending on your risk appetite and competence, either one could have the "more money".
- Joined
- Apr 13, 2021
So basically, it's roughly equivalent to the difference between a quick-and-dirty smash-and-grab, and a full-on organized bank robbery.
- Joined
- Dec 1, 2018
Yes but I prefer to define it by target IE convenience store vs bank rather than by the method.
- Joined
- Dec 17, 2019
Audacity got bought out, the users don't have any say. Best/worst case they'll close the PR after too much pressure, and implement it anyway behind a closed-source license in a couple months.