Loading...
 

No Food for Thought

Food is something you should provide to your brain long before coming to this blog. You will find no food recipes here, only raw, serious, non-fake news for mature minds.

Open Source Security Foundation

admin Sunday December 13, 2020

A couple of months ago, when writing about the end of EU-FOSSA 2, I criticized its reactionary nature. Just like I had done a few years ago about the Core Infrastructure "Initiative", EU-FOSSA's private counterpart.

That is why we can feel very grateful once again to the Linux Foundation's Jim Zemlin for setting up OpenSSF, replacing the CII this year. Not only does the Open Source Security Foundation lose the "initiative" in its name, but it really is a lot less reactionary, established as a permanent project:

OpenSSF FAQ wrote:
The CII was funded largely by grants, OpenSSF will be supported by Linux Foundation membership dues with targeted organization contributions to support initiatives. The CII’s ongoing work is being transitioned to the OpenSSF, and we expect that the CII will eventually be dissolved as the OpenSSF replaces it.


A lot has changed since Heartbleed. The next challenge would be to see security efforts more integrated into primary software projects, rather than in secondary projects, still somewhat reactionary afterthoughts.

Here's hoping for truly organic security (which doesn't prevent external security assessments)

Update

Wanting to become more universal than the CII, OpenSSF is facing a serious challenge: prioritization. By trying to become neutral, it appears it's so far risking its auditing efforts to be irrelevant, with its current method computing Qt's criticality as way lower than... some Bitcoin software cry And beyond noting that the current metrics are broken, I don't see an easy fix without completely changing the approach.
Here's hoping common sense prevails

Preventing Corporate Success

admin Sunday December 6, 2020

Lack of supply is a problem Western states take very seriously. A lot more than the weight of excessive regulation.

So when a market is lacking suppliers and failing to satisfy consumer expectations, what are governments to do? Increasing supply would of course address the issue, but come with challenges and take time. The better (or at least much more popular) option is attacking existing suppliers. Obviously, doing so, the issue is worsened. But using anti-competition legislation, at least, the "solution" is simple, quick, and puts pressure on suppliers rather than on those who could help. It goes without saying, the best part is giving the impression that the government is doing something about the problem... and the ultimate bonus: stealing funds from the most successful suppliers and moving them to the state!

If you thought excessive regulation would at some point trigger a move towards balance, you must resist wishful thinking. In reality, excessive governmental regulation is causing businesses to create even more regulation in response.

Now let's be clear - it is obvious that Google expected the existence of “Five Rules of Thumb for Written Communications” to become public. But is that reason enough not to take the occasion to pause and reevaluate our direction?

Congratulations, Google, for this unsurpassed valuable move to not only alleviate the impact on you, but also try to kill dominant fallacies enhance the environment for the interest of all markets best

Artificial Intelligence's Next Achievement: Unlimited Trolling?

admin Friday November 6, 2020

Large-scale peer production projects rely much on contributions from potentially anonymous individuals. International volunteer projects, such as Wikimedia, are largely based on a general sense of trust and fail to verify identities of (apparent) contributors. While this already creates huge issues for Wikimedia and many more, ongoing developments in artificial intelligence could soon enable cheap attacks of such projects causing massively larger wastes of effort, threatening these projects' viability.

Now is the time for globally verifiable identities.

Leaving the PHP Framework Interoperability Group

admin Sunday October 4, 2020

Last December, I struggled with documentation tags while using Eclipse with a private PHP project. I eventually realized Eclipse wasn't necessarily the one to blame. The specification for PHPDoc's @param tag is found in PSR-19, a standard recommendation published by the PHP Framework Interoperability Group. According to that specification, many @param tags would be ambiguous, since the last 2 elements are optional. The tags with which Eclipse struggled were such ambiguous tags, but the real problem was the specification.

I was quite surprised to find such a serious issue, but went to check its status. I then had an even greater surprise: I could not find the issues reported in PSR-19. Or for that matter, any of the PHP Standard Recommendations.

At that point, I joined the php-fig group and - not knowing a proper way to do so - reported the meta-issue on that mailing list.

In the following months, I saw significant activity on the mailing list, from a significant number of contributors, but no answer to my question. Nor any reference to an ITS. In August, as the issue persisted, I simply "bumped" the thread (repeated my question).

Unfortunately, it has now been 9 months since my report, and the problem is still the same as far as I can see. I was going to add that I still don't know if my PSR-19 issue was reported, but in fact, I noticed while writing this post that Ben Mewburn reported the PSR-19 problem 2 months before I joined the group. Why was nothing done? Simply because... just like me, it seems he reported nowhere else than on the mailing list! eek


I love Javadoc, and PHPDoc is very important. Some PSR-s are very valuable, and I find it most unfortunate to give up on a major PHP institution, but as such an issue now has apparently persisted for over 4 years, and as there was no progress months after reports, I prefer not to remain associated with the FIG, and am hereby announcing I will no longer contribute to the PHP FIG - and therefore to PHP Standard Recommendations - unless required to.

As for the initial issue, I will live with it - but I'll recommend my customers/employers to avoid PHP frown
For instance, Javadoc's equivalent @param tag doesn't have that issue. For a very simple reason: it doesn't have to specify the type, which is already in the function definition - where it should be.

EU-FOSSA 2 ends

admin Saturday September 26, 2020

The European Union's second FOSSA project has ended with incredible results. EU-FOSSA undoubtedly made free software way more secure.

But does that mean free software is more secure now? Putting the initial excitement aside, we have to remember that EU-FOSSA is reactionary. It is a massive effort to deal with a huge problem. But EU-FOSSA is not a structured approach to the problem which can really help long-term. Moreover, with just Heartbleed's damage estimated over €500M, it is obvious that a few million euros cannot suffice to make most free software reasonably insecure. A real solution needs real will.

Thankfully, there are 2 efficient approaches for long-term solutions:

  • The bazaar management approach is to rate projects/products, so that users can make better security choices.
  • The cathedral approach is to get permanently involved in product development.

Of course, these approaches are not really exclusive. The EU could get involved in core software, while merely rating less important projects.

Until the EU or the world gets really serious about limiting vulnerabilities, it may be that the problem - unfortunately - keeps getting worst.

Courage

admin Thursday September 10, 2020

I didn't expect watching an interview with a sports professionnal would make me discover a great quote. At least not this one. But the CBC's interview with Jeffrey Orridge showed reality does not always conform to our expectations. Which is a good thing - at times rolleyes

Rollo May wrote:
The Opposite of Courage Is Not Cowardice; It Is Conformity.

No Monopoly on Stupid Lawmaking

admin Tuesday July 21, 2020

You may know Giphy, the online database and search engine for short looping videos. But you probably don't know who owns Giphy.

Probably because you don't care, yet some lawmakers seem to care so much they're challenging Facebook's acquisition of Giphy. On what grounds? Anti-trust laws. Really; it seems GIF-s have been elevated to the rank of scarce strategic resources. But there's more to it: the same people are proposing an anti-market law which they dubbed "Pandemic Anti-Monopoly Act".

As no one should have a monopoly on lawmaking, I'm proposing the Pandemic Anti-Stupidity Act - No more stupid laws while we already have to deal with a pandemic, please.

Image

A Great Source of Developer Happiness Open to All

admin Wednesday June 24, 2020

After many years contributing to open source projects, I can't say results of SlashData's developer survey surprise me much, but it's good to see my feelings are shared.

That being said, I think what developers fundamentally want is not necessarily open source per se, but to avoid the miserable feeling of being tasked to reinvent a wheel. Those who have the necessary talent want to create generic solutions to widespread problems which can and will help as much people as possible, not just their little organization. Here's hoping for more code sharing, more satisfied developers, less wasting of our top talents in duplication, and fewer but better wheels.

Fully Free

Kune ni povos is seriously freethough not completely humor-free:

  • Free to read,
  • free to copy,
  • free to republish;
  • freely licensed.
  • Free from influenceOriginal content on Kune ni povos is created independently. KNP is entirely funded by its freethinker-in-chief and author, and does not receive any more funding from any corporation, government or think tank, or any other entity, whether private or public., advertisement-free
  • Calorie-free*But also recipe-free
  • Disinformation-free, stupidity-free
  • Bias-free, opinion-free*OK, feel free to disagree on the latter.
  • Powered by a free CMS...
  • ...running on a free OS...
  • ...hosted on a server sharedby a great friend for free