No Food for Thought

Heartbleed was more than 7 years ago. This year, the new Heartbleed is Log4Shell, which is in no way less severe than Heartbleed. I lost several hours of work due to Log4Shell, and it cost way more for many of my colleagues. Will such ridiculous flaws keep being revealed ad vitam æternam?

Following Heartbleed, myself and others started a reflection which would result in the CII, which is being replaced by the OpenSSF. Last time I blogged about OpenSSF, it wasn't even one year old, and was still incubating. After a year and a half, how close was OpenSSF to avoiding Log4Shell?

The short answer is far. The practical part of OpenSSF, Project Alpha-Omega, has secured 5M USD which can partially be invested in identifying vulnerabilities. While this amount is significant, it is obviously far from being enough to secure even the critical open source components in a reactionary mode. The project's current scope is to get involved in the approximately 100 most critical open source components. Is Log4j part of these?

With the high number of components, that's a hard question to answer. And the OpenSSF's answer to these questions are based on the Open Source Project Criticality Score, which estimates Log4j as the 2543th most critical open source project, with a criticality score of 0.6231. Are there really 2542 projects more critical than Log4j? That might still not be a trivial question, but what is clear is that OpenSSF's ordering makes no sense. According to the list, the 355th most important is Zcash. If you don't know Zcash, you're excused; it is ‘an implementation of the "Zerocash" protocol’. An exception? Way above that, we find at #43 the Bitcoin Core project, which is dedicated to an alternative "currency". Zcash and Bitcoin Core respectively have a criticality score of 0.75 and 0.87.
2024 Update: I removed the link to the list, since it is a moving target and now points to a whopping 100 MB file. The scores have changed widely since this was posted, but remain unusably unreliable.

In short, OpenSSF is mostly at the same point as it was last year: incubating. There are positive aspects:

• OpenSSF recognizes its scoring is immature (it's qualified as beta)
• the Foundation has managed to raise significant funding.

But turning that funding and further resources into results will take a long time. OpenSSF's reaction to Log4Shell is interesting, but when we're still at an early stage of prioritization, we should refrain from wearing rose-colored glasses and acknowledge it will take more years to see real results.

So, here's hoping for a 2025 and beyond with fewer fires

Update

Brian Behlendorf's article has sparked controversy. I agree with Behlendorf in the sense that increasing the general funding of an open source project would be far from an efficient way to specifically help secure it. But the controversy is understandable in the sense that the way Behlendorf describes his stance is exaggerated:

Any senior programmer knows that the only perfect code is the one which doesn't exist. No program can be perfectly functional, performant and secure. Security is one quality, and as for any quality, aiming for (guaranteed) perfection would require infinite resources. All professional senior programmers have at some point been under pressure to deliver, which causes us at times to ship without being entirely convinced by quality, and we know very well that security is one of the first aspects many neglect under too much pressure.

More money/resources definitely helps with all qualities, including security.

If your tracking of Canadian politics focuses on the Parliament's composition, you might not have noticed anything particular in September. If you also pay attention to the budget though, you may have realized we're now 600 million CAD deeper in the red. Yes, Canada had a superfluous federal election last month, which concluded with a surreal gem in Trudeau's speech:

It may break our heart to think most votes in this election were cast "for" parties which have no plan to fix Canada's governance. But rather than accepting cynicism, we can choose hope by looking at a very similar election, in a country which simply uses a much less disproportional system.

L'Afghanistan passe incontestablement à travers une période désastreuse. Il n'est pas facile de voir du positif dans ce gaspillage monumental.

Sans diminuer le cauchemar vécu par les Afghans, au moins, un remarquable reportage de Fabrice de Pierrebourg publié dans L'Actualité permet aux francophones de mettre un baume sur la plaie en nous donnant l'impression de comprendre, en quelques pages seulement.

En espérant qu'on se souvienne

Some people think of "alternative currencies" as wonderful solutions to economic problems. But obviously, no currency can have any significant impact without becoming legal tender.

So what would happen if a country actually adopted an "alternative currency" as legal tender? Well, unless you're in El Salvador, you're in luck: it's already been tried.

December 2021 Update: There's even better news (that is, unless you still haven't fled El Salvador). If you were waiting for the occasion to test your great idea of building a city next to a volcano, someone else might do the job for you.

Nombre de femmes jeunes (moins de 36 ans) que je connais qui font du développement logiciel et sont nées...

• au Maghreb : Au moins 4
• au Canada : Zéro

Certes, le Maghreb est bien plus populeux que le Canada. Certes, le Québec a une grande diaspora maghrébine. Mais des conclusions semblent quand même s'imposer. Soit :

• le Canada vieillit dangereusement
• ou il n'a plus tant de leçons à donner en matière d'égalité des sexes!

Mise à jour 2022-06-01

• au Maghreb : Au moins 6
• au Canada : Toujours zéro!

Depuis mon adolescence, j'ai de la difficulté à trouver de l'inspiration quand vient le temps de suggérer des cadeaux. Mais après un éclair de génie, une demande inépuisable s'est ajoutée à ma liste de cadeaux :

Cette suggestion s'est avérée la plus pérenne de toutes. Malgré sa proéminence, elle figure d'ailleurs toujours dans ma liste, depuis au moins 10 ans. Avec tout ce temps, elle a quand même évolué. À l'origine, elle était formulée de manière plus simple :

Cette année encore, cette option n'a pas été aussi populaire que je l'aurais voulu pour quelques récidivistes de ma famille. Mais encore une fois pour mes 36 ans, je peux remercier tous mes amis d'avoir respecté ma suggestion favorite une fois de plus.

En fait, j'ai bien fait de reformuler la suggestion, car c'est bien plus que rien que plusieurs m'ont offert. Et cette année encore, ce n'est nul autre que le chef d'un parti fédéral bien proche de la nature qui m'a offert mon exemplaire le plus apprécié. Une déclinaison de ma suggestion tout aussi naturelle : une sortie au parc. Peut-être une ballade de rien, mais une opportunité qui m'a offert ma plus grande découverte culturelle de ma journée−et de loin.

Merci Alex, merci Xav. Merci Gustave, Frida, Céline, Léonie, Éliane et Arnaud. Merci, Aurélie, de m'avoir fait découvrir les vertus de ta culture, même si ce n'était pas intentionnel.
Et surtout, pour toutes les fois où il m'a prouvé que l'amitié peut durer malgré la distance et bien des années, merci au prochain Premier Ministre du Canada.

In 2015, 39% of Canadian voters gave their vote to the Liberal Party of Canada. 4 years later, that support had dropped to 33%. Less than what the PCC obtained, but still enough to form a government. One unfortunately unsatisfied with that pale result and the resulting minority of seats.

One could think these most qualified supports would have ensured the winner would respect its supporters. Yet...

What the liberals promised in 2015:

• "Balancing" an already balanced budget
• Making every vote count

What the liberals delivered, 6 years later:

• A record deficit now in the hundreds of billions of dollars
• As if that wasn't enough, a superfluous election. Using good ol' FPTP, the very same system which gave them their false 2015 majority, hoping it will do the trick, once more

Following such an unqualified failure, even 33% now seems like a most generous grade.

The PLC may have called a superfluous election. But let's try putting cynicism aside and not wasting that opportunity to further adjust the grade it's now deserved. And hopefully adjust that of the several parties which still promise to deal with cynicism. Fair Vote Canada documents the stance of the main parties about electoral reform.

How much have the United States evolved in terms of politics over the last couple decades? A couple of quotes might clarify.

George W. Bush, 2001-09-11

Joe Biden Jr., 2021-08-26

Here's hoping the second payback doesn't add too much to the couple trillion € and the couple hundreds of thousands of casualties from the first Afghan payback.

A lot of what we hear about environmental damage mitigation is about individual action. Don't eat endangered fish. As for the climate crisis, Don't eat beef, Don't eat meat, Don't throw paper in the trash, and some more difficult changes, like Don't use gasoline cars.

Much has already been said about the limits of that approach. Merely 20 firms are behind a third of all carbon emissions. The wealthiest 10% are responsible for half of all emissions. But suppose you're part of that 10%; should you feel guilty and become vegan?

Veganism is not a bad thing. My own carbon footprint is massively inferior to that of the average person of my wealth, in good part because I don't eat nearly as much red meat as those around me. But I still eat meat or fish every week.

Bicycles are not a bad thing. I lost track of how many bikes I purchased. But on occasion I still drive cars which are still mostly gasoline-powered.

Is veganism optimal? I don't know, but I will not become vegan unless society changes and makes it much cheaper for me and everyone to be. I also won't coin a term for someone who refuses to use a gasoline-powered car. Perhaps my cycling background gives me too much balance.

Individual action matters. If the most concerned of us do our very best, we can have an impact. But the greatest impact will come from tackling the greatest issues. Even if the poorest 90% cut 90% of its emissions, we'd still be in trouble. And it's not just about the richest. The responsibility is distributed most unevenly, with 73% of power plant emissions coming from just the worst 5%.

Realistic solutions need to be structured. The climate crisis needs overcoming individualism and implementing Polluter pays. In general, salvation from environmental disasters will come by pricing negative externalities.

The David Suzuki Foundation gives balanced advice on doing our part. Don't burn yourself out by focusing on just one aspect. And if voting is not impactful or visible enough for you, you can become a candidate for a party you'd like to see in your riding, or help founding a greener party.