@cypherpunks@lemmy.ml avatar



cultural reviewer and dabbler in stylistic premonitions

This profile is from a federated server and may be incomplete. Browse more on the original instance.

@cypherpunks@lemmy.ml avatar

As the image transcript in the post body explains, the image at the bottom is a scene from a well-known 1998 film (which, according to Wikipedia, was in 2014 selected for preservation in the United States National Film Registry by the Library of Congress as being “culturally, historically, or aesthetically significant”).

This meme will not make as much sense to people who have not seen the film. You can watch the referenced scene here. The context is that the main character, The Dude (played by Jeff Bridges) has recently had his private residence invaded by a group of nihilists with a pet marmot (actually portrayed by a ferret) and they have threatened to “cut off his Johnson”. In an attempt to express sympathy, The Dude’s friend Walter (played by John Goodman) points out that, in addition to the home invasion and threats, the nihilists’ exotic pet is also illegal. The Dude’s retort “what, are you a fucking park ranger now” is expressing irritation with that observation, because it is insignificant compared with the threat of the removal of his penis.

This meme attempts to draw a parallel between this humorous scene and XZ developer Lasse Collin’s observation that the XZ backdoor was also a violation of Debian’s software licensing policies.

Thank you for reading my artist’s statement.

@cypherpunks@lemmy.ml avatar

Ok, I just stickied this post here, but I am not going to manage making a new one each week :)

I am an admin at lemmy.ml and was actually only added as a mod to this community so that my deletions would federate (because there was a bug where non-mod admin deletions weren’t federating a while ago). The other mods here are mostly inactive and most of the mod activity is by me and other admins.

Skimming your history here, you seem alright; would you like to be a mod of /c/linux@lemmy.ml ?

@cypherpunks@lemmy.ml avatar

Ok, you and @d3Xt3r are both mods of /c/linux@lemmy.ml now. Thanks!

How the xz backdoor highlights a major flaw in Nix (shadeyg56.vercel.app)

The main issue is the handling of security updates within the Nixpkgs ecosystem, which relies on Nix’s CI system, Hydra, to test and build packages. Due to the extensive number of packages in the Nixpkgs repository, the process can be slow, causing delays in the release of updates. As an example, the updated xz 5.4.6 package...

cypherpunks, (edited )
@cypherpunks@lemmy.ml avatar

As of today, NixOS (like most distros) has reverted to a version slightly prior to the release with the Debian-or-Redhat-specific sshd backdoor which was inserted into xz just two months ago. However, the saboteur had hundreds of commits prior to the insertion of that backdoor, and it is very likely that some of those contain subtle intentional vulnerabilities (aka “bugdoors”) which have not yet been discovered.

As (retired) Debian developer Joey Hess explains here, the safest course is probably to switch to something based on the last version (5.3.1) released prior to Jia Tan getting push access.

Unfortunately, as explained in this debian issue, that is not entirely trivial because dependents of many recent pre-backdoor potentially-sabotaged versions require symbol(s) which are not present in older versions and also because those older versions contain at least two known vulnerabilities which were fixed during the multi-year period where the saboteur was contributing.

After reading https://www.nongnu.org/lzip/xz_inadequate.html (first published eight years ago…) I’m convinced that migrating the many projects which use XZ today (including DPKG, RPM, and Linux itself) to an entirely different compression format is probably the best long-term plan. (Though we’ll always still need tools to read XZ archives for historical purposes…)

How do we know if there aren't a bunch of more undetected backdoors?

I have been thinking about self-hosting my personal photos on my linux server. After the recent backdoor was detected I’m more hesitant to do so especially because i’m no security expert and don’t have the time and knowledge to audit my server. All I’ve done so far is disabling password logins and changing the ssh port....

cypherpunks, (edited )
@cypherpunks@lemmy.ml avatar

Thanks. They are no longer a mod of this community. (I wrote this comment to them and they did not reply.)

@cypherpunks@lemmy.ml avatar

Opensource just means that the source code is available, FOSS however implies that you’re free to modify and redistribute the program

Incorrect. “Open Source” also means that you are free to modify and redistribute the software.

If the source code is merely available but not free to modify and/or redistribute, then it is called source-available software.

@cypherpunks@lemmy.ml avatar

Not necessarily true - that right to modify/redistribute depends on the exact license being applied.

If you don’t have the right to modify and redistribute it (and to do so commercially) then it does not meet the definitions of free software or open source.

For example, the Open Watcom Public License claims to be an “open source” license, but it actually doesn’t allow making modifications.

The Sybase Open Watcom Public License does allow making modifications, and distributing modified versions. The reason why the FSF has not approved it is that it requires you to publish source code even if you only wanted to run your modified version yourself and didn’t actually want to distribute anything to anyone. (The Watcom license is one of the few licenses which is approved by OSI but not FSF. You can see the other licenses which are approved by one but not the other by sorting this table.)

The FSF’s own AGPL license is somewhat similar, but it only imposes the requirement if you run the software for someone else over a network. (Neither of these requirements are likely to be enforceable by copyright law, as I explained in my comment about the AGPL in the thread which this thread is about…)

This is also why we specifically have the terms “free software” or “FOSS” which imply they you are indeed allowed to modify and redistribute.

I would recommend reading this: gnu.org/…/open-source-misses-the-point.en.html

I would recommend that you re-read that, because it actually explains that the two terms refer to essentially the same category of software licenses (while it advocates for using the term free software to emphasize the philosophical aspects of those licenses).

cypherpunks, (edited )
@cypherpunks@lemmy.ml avatar

Hi @haui_lemmy,

fyi icymi due to this thread someone posted this other thread asking .

I don’t have time to read all ~200 comments in these two threads, but I do think that being a moderator of /c/opensource@lemmy.ml requires knowing what FOSS is to be able to remove posts promoting things which are not.

Hopefully the replies here (again, I have not read even half of this thread…) have made you better informed?

In case you haven’t yet, I would highly recommend that you read these two documents (you can start with their wikipedia articles and follow links from there to the actual documents):

In short, the answer to your question (“Is there a License that requires the user to donate if they make revenue?”) is yes, there are many such licenses, but they are definitively not FOSS licenses (despite what some people who haven’t read the above definitions might try to tell you).

I won’t enumerate any of the non-FOSS licenses which attempt such a thing, because I recommend against the use of such licenses or software licensed under them.

BTW, I saw you wrote in another comment:

By now I get that FOSS mostly implies free work for corporations. I‘ll just go with agpl to ensure they get nothing from my work.

While corporations benefiting from FOSS while failing to financially support it at all is extremely commonplace, I vehemently disagree that that is what FOSS “mostly implies”. In fact, the opposite is more common: the vast majority of free software users are not paying anything to the companies who have paid for an enormous amount of the development of it. A few hundred companies pay tens of thousands of individual developers to develop and maintain the Linux kernel, for instance.

Regarding the second sentence of yours that I quoted above, in case you haven’t understood this yet: the AGPL does not prevent commercial use of your work. If you write a web app and license it AGPL, you are giving me permission to run it, modify it, redistribute my modified version, and to charge money for it without giving you anything.

What the AGPL does, and why many companies avoid it, is impose the requirement that I (the recipient of your software) offer the source code to your software (and any modifications I made to it) under that same license not only to anyone I distribute it to but also to anyone using the software over a network on my server.

If the software were licensed GPL instead of AGPL, I would only be required to offer GPL-licensed source code to people when I distribute the software to them. Eg, I could improve a GPL web app and it is legal to not share my improvements (to the server-side code) with anyone at all because the software is not being distributed - it is just running on my server.

By imposing requirements about how you run the software (eg, if you put an AGPL notice in the UI, I am not allowed to remove it) the AGPL is more than just a copyright license: violations of the GPL and most FOSS licenses are strictly copyright violations and can be enforced as such, but violating the part of the AGPL where it differs from the GPL would not constitute copyright infringement because no copying is taking place. Unlike almost every other FOSS license, the AGPL is both a copyright license and a end-user license agreement.

For this reason, many people have misgivings about the AGPL. However, if you want to scare companies away from using your software at all (and/or require them to purchase a different license from you to use it under non-AGPL terms, which is only possible if you require all contributors to assign copyright or otherwise give you permission to dual-license their work) while still using a license which the FOSS community generally accepts as FOSS… AGPL is probably your best bet.


p.s. I’m not a lawyer, this isn’t legal advice, etc etc :)

@cypherpunks@lemmy.ml avatar

there is enough garbage there now that they could just make the tourist permit require everyone to bring down more than they take up with them

cypherpunks, (edited )
@cypherpunks@lemmy.ml avatar

maybe it’s important to note he isn’t on trial for treason? The charges are for hacking and espionage.

He isn’t on trial for treason in courts of law, but he is in the court of public opinion - various commentators and some officials (including Senator Joe Lieberman and then-CIA Director Mike Pompeo) have used the word to describe his publishing.

@cypherpunks@lemmy.ml avatar

what was the prompt you used?

@cypherpunks@lemmy.ml avatar

what is the end result?

@cypherpunks@lemmy.ml avatar

do you read this meme as being either for or against the US telling Ukraine to stop bombing Russian energy infrastructure? 🤔

@cypherpunks@lemmy.ml avatar

lol, ok, but i’m actually still baffled as to how you interpreted this meme – both before and now

  • All
  • Subscribed
  • Moderated
  • Favorites
  • bokunoheroacademia
  • kavyap
  • InstantRegret
  • Durango
  • magazineikmin
  • GTA5RPClips
  • everett
  • thenastyranch
  • Youngstown
  • slotface
  • rosin
  • cubers
  • cisconetworking
  • DreamBathrooms
  • relationshipadvice
  • mdbf
  • tacticalgear
  • osvaldo12
  • tester
  • khanakhh
  • lostlight
  • Leos
  • ethstaker
  • modclub
  • normalnudes
  • HellsKitchen
  • anitta
  • sketchdaily
  • All magazines