No Food for Thought

A couple of months ago, when writing about the end of EU-FOSSA 2, I criticized its reactionary nature. Just like I had done a few years ago about the Core Infrastructure "Initiative", EU-FOSSA's private counterpart.

That is why we can feel very grateful once again to the Linux Foundation's Jim Zemlin for setting up OpenSSF, replacing the CII this year. Not only does the Open Source Security Foundation lose the "initiative" in its name, but it really is a lot less reactionary, established as a permanent project:

A lot has changed since Heartbleed. The next challenge would be to see security efforts more integrated into primary software projects, rather than in secondary projects, still somewhat reactionary afterthoughts.

Here's hoping for truly organic security (which doesn't prevent external security assessments)

Update

Wanting to become more universal than the CII, OpenSSF is facing a serious challenge: prioritization. By trying to become neutral, it appears it's so far risking its auditing efforts to be irrelevant, with its current method computing Qt's criticality as way lower than... some Bitcoin software And beyond noting that the current metrics are broken, I don't see an easy fix without completely changing the approach.
Here's hoping common sense prevails

Lack of supply is a problem Western states take very seriously. A lot more than the weight of excessive regulation.

So when a market is lacking suppliers and failing to satisfy consumer expectations, what are governments to do? Increasing supply would of course address the issue, but come with challenges and take time. The better (or at least much more popular) option is attacking existing suppliers. Obviously, doing so, the issue is worsened. But using anti-competition legislation, at least, the "solution" is simple, quick, and puts pressure on suppliers rather than on those who could help. It goes without saying, the best part is giving the impression that the government is doing something about the problem... and the ultimate bonus: stealing funds from the most successful suppliers and moving them to the state!

If you thought excessive regulation would at some point trigger a move towards balance, you must resist wishful thinking. In reality, excessive governmental regulation is causing businesses to create even more regulation in response.

Now let's be clear - it is obvious that Google expected the existence of “Five Rules of Thumb for Written Communications” to become public. But is that reason enough not to take the occasion to pause and reevaluate our direction?

Congratulations, Google, for this unsurpassed valuable move to not only alleviate the impact on you, but also try to kill dominant fallacies enhance the environment for the interest of all markets best

Competition matters. In Canada, the Competition Act aims to promote competition. Unfortunately, the Competition Bureau (the government agency tasked with applying the law) lacks the resources to increase competition. Most of the little resources it has are wasted in anti-competitive practices aiming to restrain businesses. Thankfully, Canada has been governed by the Conservative Party of Canada for years.

Lately, the transaction fees requested from merchants by some credit card networks have been growing. The Competition Bureau, which justifies its existence by populist attacks against successful businesses using practices portrayed by the Bureau as anti-competitive, has threatened the Evil Visa and MasterCard with legal action, blaming the very same practices the State has been adhering to for years.

But these threats have been dropped. Surely, the government has reasoned its agency in order to avoid market interference, right? Unfortunately, reality is quite different. Even with the Conservative Party of Canada in power, Visa and MasterCard feared impending interference to a point where they both "voluntarily" reduced their fees by some 10%, which sufficed to satisfy mister the Minister of Finance.

Visibly, after creating the Competition Bureau and backing its abuses, the Conservative Party of Canada cannot claim it promotes liberal conservatism. It would also be surprising if it was green conservatives who had won a ’Lifetime Unachievement’ Fossil award. And a government funding an agency which reduces competition with a > 50 million CAD budget - while pushing a "stimulus package" - is certainly not fiscally conservative. So if the conservative party is not conserving the free market and the confidence of investors, nor the environment, nor wealth, what is it conserving? Perhaps it is trying to conserve its seats.

Here is a proposal for a populist party in Canada - namely, the Conservative Party of Canada. Stop interfering with the market, or stop pretending to be conservatives, and rename yourself to what you truly are - one more Populist Party of Canada.

Large-scale peer production projects rely much on contributions from potentially anonymous individuals. International volunteer projects, such as Wikimedia, are largely based on a general sense of trust and fail to verify identities of (apparent) contributors. While this already creates huge issues for Wikimedia and many more, ongoing developments in artificial intelligence could soon enable cheap attacks of such projects causing massively larger wastes of effort, threatening these projects' viability.

Now is the time for globally verifiable identities.

2023 Update

It turned out this prediction was quite right (though not entirely).

Last December, I struggled with documentation tags while using Eclipse with a private PHP project. I eventually realized Eclipse wasn't necessarily the one to blame. The specification for PHPDoc's @param tag is found in PSR-19, a standard recommendation published by the PHP Framework Interoperability Group. According to that specification, many @param tags would be ambiguous, since the last 2 elements are optional. The tags with which Eclipse struggled were such ambiguous tags, but the real problem was the specification.

I was quite surprised to find such a serious issue, but went to check its status. I then had an even greater surprise: I could not find the issues reported in PSR-19. Or for that matter, any of the PHP Standard Recommendations.

At that point, I joined the php-fig group and - not knowing a proper way to do so - reported the meta-issue on that mailing list.

In the following months, I saw significant activity on the mailing list, from a significant number of contributors, but no answer to my question. Nor any reference to an ITS. In August, as the issue persisted, I simply "bumped" the thread (repeated my question).

Unfortunately, it has now been 9 months since my report, and the problem is still the same as far as I can see. I was going to add that I still don't know if my PSR-19 issue was reported, but in fact, I noticed while writing this post that Ben Mewburn reported the PSR-19 problem 2 months before I joined the group. Why was nothing done? Simply because... just like me, it seems he reported nowhere else than on the mailing list!

I love Javadoc, and PHPDoc is very important. Some PSR-s are very valuable, and I find it most unfortunate to give up on a major PHP institution, but as such an issue now has apparently persisted for over 4 years, and as there was no progress months after reports, I prefer not to remain associated with the FIG, and am hereby announcing I will no longer contribute to the PHP FIG - and therefore to PHP Standard Recommendations - unless required to.

As for the initial issue, I will live with it - but I'll recommend my customers/employers to avoid PHP
For instance, Javadoc's equivalent @param tag doesn't have that issue. For a very simple reason: it doesn't have to specify the type, which is already in the function definition - where it should be.

The European Union's second FOSSA project has ended with incredible results. EU-FOSSA undoubtedly made free software way more secure.

But does that mean free software is more secure now? Putting the initial excitement aside, we have to remember that EU-FOSSA is reactionary. It is a massive effort to deal with a huge problem. But EU-FOSSA is not a structured approach to the problem which can really help long-term. Moreover, with just Heartbleed's damage estimated over €500M, it is obvious that a few million euros cannot suffice to make most free software reasonably insecure. A real solution needs real will.

Thankfully, there are 2 efficient approaches for long-term solutions:

• The bazaar management approach is to rate projects/products, so that users can make better security choices.
• The cathedral approach is to get permanently involved in product development.

Of course, these approaches are not really exclusive. The EU could get involved in core software, while merely rating less important projects.

Until the EU or the world gets really serious about limiting vulnerabilities, it may be that the problem - unfortunately - keeps getting worst.

Aller chez le dentiste, ça peut faire c*ier, mais en sortant, on est sûr de retrouver le sourire...

Écriteau commençant à souffrir de son âge au Carrefour Sainte-Foy

I didn't expect watching an interview with a sports professionnal would make me discover a great quote. At least not this one. But the CBC's interview with Jeffrey Orridge showed reality does not always conform to our expectations. Which is a good thing - at times

You may know Giphy, the online database and search engine for short looping videos. But you probably don't know who owns Giphy.

Probably because you don't care, yet some lawmakers seem to care so much they're challenging Facebook's acquisition of Giphy. On what grounds? Anti-trust laws. Really; it seems GIF-s have been elevated to the rank of scarce strategic resources. But there's more to it: the same people are proposing an anti-market law which they dubbed "Pandemic Anti-Monopoly Act".

As no one should have a monopoly on lawmaking, I'm proposing the Pandemic Anti-Stupidity Act - No more stupid laws while we already have to deal with a pandemic, please.

via GIPHY