-
2016-11-08T18:36:05Z via AndStatus To: Public
Does Snowden get to vote? He hasn't been tried or convicted. He might have residency issues for local races. There's also the logistical issue of him getting a mail in ballot that isn't delivered by a three letter agency giving him obligatory new wristwatch...
-
2016-10-20T06:25:03Z via Identi.ca Web To: Public CC: Followers
Any GNU/Linux or Puppet users groups having a meeting in or near Santa Clara, CA during the week next week?
I doubt I'll have a car or time to get into the City.
-
2016-10-13T07:30:29Z via Identi.ca Web To: Public CC: Followers
20 years of KDE and HA deployments are PLUG's October topics
KDE 20 year Celebration My Journey
An overview of HashiCorp's opensource tool set and how to get started on using it yourself
Thursday, 2016Okt13 @ 19:00
Desert Breeze Substation - 251 North Desert Breeze Blvd 85226, Chandler, AZ
https://plus.google.com/events/coj4cp624bjn306rkl5v1aksoko
Tuesday is Stammtisch with a jobs networking event starting at 18:00
https://plus.google.com/events/c0bikjafj9q0h5nqivjcl2e8vm0
Dana likes this.
Dana shared this.
-
2016-10-12T15:21:43Z via Identi.ca Web To: Public CC: Followers
Free Software Awards nominations are open
http://www.fsf.org/news/the-free-software-foundation-seeks-nominations-for-the-19th-annual-free-soft...
-
2016-09-29T05:29:59Z via Identi.ca Web To: Public CC: Followers
Software Freedom Law Center's 12th annual conference program announced.
The conference will be streamed for those who can't make it.
https://softwarefreedom.org/events/2016/sflc-fall-conference/
-
2016-09-28T21:30:25Z via Identi.ca Web To: Public CC: Followers
Stupid article title, but some good points about traditional *NIX design and why it's good wherever you stand on systemd.
Watch for an upcoming systemd security release.
https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet
https://marc.ttias.be/oss-security/2016-09/msg00243.php
-
2016-09-25T06:01:40Z via Identi.ca Web To: Public CC: Followers
Enjoyed this article on basic security for developer environments. Most of it is good advice overall, but especially so for those who have the keys to the kingdom ( sysadmins ) or those who make the locks for the kingdom ( developers ).
http://www.linuxjournal.com/content/securing-programmer
-
2016-09-20T21:49:57Z via Identi.ca Web To: Public CC: Followers
SeaGL 2016 schedule is now online
See you in November.
https://osem.seagl.org/conference/seagl2016/schedule
-
2016-09-16T05:12:30Z via Identi.ca Web To: Public CC: Followers
Protest against DRM for web standards in Lisbon next week.
https://www.defectivebydesign.org/blog/world_wide_web_consortium_being_followed_protests
-
Christopher Allan Webber at 2016-09-10T19:40:37Z via AndStatus To: Public
Nice words from @Brett Smith about the Social Working Group and the work we're doing.
der.hans likes this.
der.hans shared this.
-
Glyn Moody at 2016-09-10T19:30:53Z via AndStatus To: Public
TorrentFreak Gets Its First YouTube Copyright Claim, And It’s Bull…. - https://torrentfreak.com/torrentfreak-gets-its-first-youtube-copyright-claim-and-its-bull-160910/ #copyright working against creators - again..
der.hans shared this.
-
Glyn Moody at 2016-09-10T19:18:53Z via AndStatus To: Public
If You're A Journalist Who Thinks That Pointing Out Lies Shows Bias, You're Not A Journalist - https://www.techdirt.com/articles/20160909/01072835472/if-youre-journalist-who-thinks-that-pointing-... isn't this obvious?
der.hans likes this.
der.hans shared this.
-
Glyn Moody at 2016-09-09T21:27:52Z via AndStatus To: Public
Austrian Courts Uphold Creative Commons License Terms -- For Now - https://www.techdirt.com/articles/20160906/07565035445/austrian-courts-uphold-creative-commons-licen... #austria #cc #copyright
der.hans likes this.
der.hans shared this.
-
Glyn Moody at 2016-09-08T17:47:52Z via AndStatus To: Public
New #Snowden leaks reveal “collect it all” #surveillance was born in the UK - http://arstechnica.co.uk/tech-policy/2016/09/snowden-leaks-collect-all-signals-surveillance-born-in-... all about Menwith Hill Station
der.hans shared this.
-
Candy from Strangers
Elena ``of Valhalla'' at 2016-09-08T17:45:26Z via AndStatus To: Public
A few days ago I gave a talk at ESC about some reasons why I think that using software and especially libraries from the packages of a community managed distribution is important and much better than alternatives such as pypi, npm etc. This article is a translation of what I planned to say before forgetting bits of it and luckily adding it back as an answer to a question :)
When I was young, my parents taught me not to accept candy from strangers, unless they were present and approved of it, because there was a small risk of very bad things happening. It was of course a simplistic rule, but it had to be easy enough to follow for somebody who wasn't proficient (yet) in the subtleties of social interactions.
One of the reasons why it worked well was that following it wasn't a big burden: at home candy was plenty and actual offers were rare: I only remember missing one piece of candy because of it, and while it may have been a great one, the ones I could have at home were also good.
Contrary to candy, offers of gratis software from random strangers are quite common: from suspicious looking websites to legit and professional looking ones, to platforms that are explicitly designed to allow developers to publish their own software with little or no checks.
Just like candy, there is also a source of trusted software in the Linux distributions, especially those led by a community: I mention mostly Debian because it's the one I know best, but the same principles apply to Fedora and, to some measure, to most of the other distributions. Like good parents, distributions can be wrong, and they do leave room for older children (and proficient users) to make their own choices, but still provide a safe default.
Among the unsafe sources there are many different cases and while they do share some of the risks, they have different targets with different issues; for brevity the scope of this article is limited to the ones that mostly concern software developers: language specific package managers and software distribution platforms like PyPi, npm and rubygems etc.
These platforms are extremely convenient both for the writers of libraries, who are enabled to publish their work with minor hassles, and for the people who use such libraries, because they provide an easy way to install and use a huge amount of code. They are of course also an excellent place for distributions to find new libraries to package and distribute, and this I agree is a good thing.
What I however believe is that getting code from such sources and using it without carefully checking it is even more risky than accepting candy from a random stranger on the street in an unfamiliar neighbourhood.
The risks aren't trivial: while you probably won't be taken hostage for ransom, your data could be, or your devices and the ones who run your programs could be used in some criminal act causing at least some monetary damage both to yourself and to society at large.
If you're writing code that should be maintained in time there are also other risks even when no malice is involved, because each package on these platforms has a different policy with regards to updates, their backwards compatibility and what can be expected in case an old version is found to have security issues.
The very fact that everybody can publish anything on such platforms is both their biggest strength and their main source of vulnerability: while most of the people who publish their libraries do so with good intentions, attacks have been described and publicly tested, such as the fun typo-squatting one (http://incolumitas.com/2016/06/08/typosquatting-package-managers/ archived URL) that published harmless malicious code under common typos for famous libraries.
Contrast this with Debian, where everybody can contribute, but before they are allowed full unsupervised access to the archive they have to establish a relationship with the rest of the community, which includes meeting other developers in real life, at the very least to get their gpg keys signed.
This doesn't prevent malicious people from introducing software, but raises significantly the effort required to do so, and once caught people can usually be much more effectively prevented from repeating it than a simple ban on an online-only account can do.
It is true that not every Debian maintainer actually does a full code review of everything that they allow in the archive, and in some cases it would be unreasonable to expect it, but in most cases they are at least reasonably familiar with the code to do at least bug triage, and most importantly they are in an excellent position to establish a relationship of mutual trust with the upstream authors.
Additionally, package maintainers don't work in isolation: a growing number of packages are being maintained by a team of people, and most importantly there are aspects that involve potentially the whole community, from the fact that new packages that enter the distribution are publicly announced on a mailing list to the various distribution-wide QA efforts.
Going back to the language specific distribution platforms, sometimes even the people who manage the platform themselves can't be fully trusted to do the right thing: I believe everybody in the field remembers the npm fiasco where a lawyer's letter requesting the removal of a package started a series of events that resulted in potentially breaking a huge amount of automated build systems.
Here some of the problems were caused by some technical policies that caused the whole ecosystem to be especially vulnerable, but one big issue was the fact that the managers of the npm platform are a private entity with no oversight from the user community.
Here not all distributions are equal, but contrast this with Debian, where the distribution is managed by a community that is based on a social contract and is governed via democratic procedures established in its constitution.
Additionally, the long history of the distribution model means that many issues have already been met, the errors have already been done, and there are established technical procedures to deal with them in a better way.
So, shouldn't we use language specific distribution platforms at all? No! As developers we aren't children, we are adults who have the skills to distinguish between safe and unsafe libraries just as well as the average distribution maintainer can do. What I believe we should do is stop treating them as a safe source that can be used blindly and reserve that status to actual trustful sources like Debian, falling back to the language specific platforms only when strictly needed, and in that case:
actually check carefully what we are using, both by reading the code and by analysing the development and community practices of the authors;
if possible, share that work by becoming ourselves maintainers of that library in our favourite distribution, to prevent duplication of effort and to give back to the community whose work we get advantage from.
der.hans , sazius , Sarah Elkins , j1mc and 5 others like this.
der.hans , Sarah Elkins , S.M. Oliva , Laura Arjona and 1 others shared this.
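The post above asks developers to "actually check carefully what we are using" and points at typo-squatting on language package managers as the concrete risk. The script below is an added example, not code from Elena's post or from any of the projects she mentions: it audits a pip requirements file and flags dependency names that sit within a small edit distance of a well-known package, which is the defensive check that catches a typo-squat before `pip install` runs. The allow-list `KNOWN_PACKAGES` and the `SAMPLE_REQUIREMENTS` text are constructed for the illustration; in practice the known set would come from the packages your distribution or organisation already vets.

```python
"""Audit a requirements file for names that look like typos of well-known packages.

Added example, not code from the post. KNOWN_PACKAGES and SAMPLE_REQUIREMENTS
are constructed sample data for the illustration.
"""
import re

# Constructed allow-list of names we treat as well known / already vetted.
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "django", "flask",
    "cryptography", "pyyaml", "six",
}

# Constructed sample requirements file: two entries are a couple of edits away
# from popular names, one is a genuinely unknown (internal) package.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies (constructed sample)
requests==2.11.1
reqeusts==2.11.0
numpy>=1.11
djanog
Flask[async]==0.11.1
cryptography>=1.5
PyYAML
totally-unique-internal-lib==0.1
-e git+https://example.invalid/repo.git#egg=localtool
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 style normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line):
    """Return the normalised project name from one requirements line, or None.

    Comments, blank lines and pip options (-e, -r, ...) yield None; version
    specifiers and extras ("Flask[async]==0.11.1") are stripped off.
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    match = _NAME_RE.match(line)
    return normalize(match.group(1)) if match else None


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(name, known=KNOWN_PACKAGES):
    """Return (status, closest_known) for a normalised package name.

    'known'      : exact match on the allow-list
    'suspicious' : within 1 edit of a short (<=4 chars) known name or within
                   2 edits of a longer one, i.e. a plausible typo-squat
    'unknown'    : resembles nothing on the list; needs a manual review
    """
    if name in known:
        return "known", name
    matches = []
    for candidate in sorted(known):          # sorted for deterministic ties
        d = levenshtein(name, candidate)
        threshold = 1 if len(candidate) <= 4 else 2
        if d <= threshold:
            matches.append((d, candidate))
    if matches:
        return "suspicious", min(matches)[1]
    return "unknown", None


def audit_requirements(text, known=KNOWN_PACKAGES):
    """Classify every requirement in the file; returns [(name, status, closest), ...]."""
    report = []
    for line in text.splitlines():
        name = parse_requirement(line)
        if name is None:
            continue
        status, closest = classify(name, known)
        report.append((name, status, closest))
    return report


if __name__ == "__main__":
    for name, status, closest in audit_requirements(SAMPLE_REQUIREMENTS):
        hint = f" (did you mean {closest}?)" if status == "suspicious" else ""
        print(f"{status:10} {name}{hint}")
```

The check is deliberately conservative: a name that is both absent from the allow-list and close to a popular one is exactly the case the typo-squatting experiment exploited, so it is reported separately from names that are merely unknown. Run it as a pre-install step in CI and fail the build on any `suspicious` entry; `unknown` entries are the ones the post says should get the actual code and community review.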
-
AS2 hits Candidate Recommendation!
Christopher Allan Webber at 2016-09-06T17:30:07Z via AndStatus To: Public
ActivityStreams 2.0 and Activity Vocabulary hit Candidate Recommendation status, at last!
Major props to @Evan Prodromou and James Snell, the two main co-editors on the spec.
This is great news for the fediverse!
uıɐɾ ʞ ʇɐɯɐs , Luis A. Guzman , Alex Jordan , Douglas Perkins and 12 others like this.
Luis A. Guzman , Alex Jordan , Claes Wallin (韋嘉誠) , der.hans and 2 others shared this.
-
Glyn Moody at 2016-09-06T17:28:48Z via AndStatus To: Public
no, Theresa May hasn't been pushed to the side of G20 photos because of Brexit - https://www.theguardian.com/world/2016/sep/06/no-theresa-may-hasnt-been-pushed-to-the-side-of-g20-ph... interesting background
der.hans likes this.
der.hans shared this.
-
Glyn Moody at 2016-09-06T17:25:51Z via AndStatus To: Public
Warner Brothers flags own site for #piracy, orders Google to censor pages - http://arstechnica.co.uk/tech-policy/2016/09/warner-bros-flags-own-site-for-piracy-dmca-google/ #DMCA still a huge problem #copyright
der.hans likes this.
der.hans shared this.
-
Glyn Moody at 2016-09-06T03:48:00Z via AndStatus To: Public
Promo/Events/Parties/KDE 20 Anniversary - https://community.kde.org/Promo/Events/Parties/KDE_20_Anniversary get ready to celebrate #opensource #freesw
der.hans likes this.
der.hans shared this.
Meanwhile...
-
der.hans favorited Good morning, pumpiverse
-
der.hans favorited Perl 5.24 transition underway