With so much abject capitulation to Trump by rich, scared men, it’s affirming and a high honor to highlight when women have stood up firmly against him this week. My write-up on three such women: open.substack.com/pub/statusku…
Google has officially launched its Chrome Web Store for Enterprises, allowing organizations to create a curated list of extensions that can be installed in employees' web browsers.
Lest we forget the lessons of the XZ Utils backdoor, which was nearly a year ago now, I'll repost @ariadne's post about what we can learn from it: ariadne.space/2024/04/02/the-x…
I was thinking about this today because I happened to look at the transitive dependencies of a program that uses libxml2, and noticed that Debian's build of libxml2 depends on liblzma (the library in XZ Utils where the backdoor was inserted).
On March 29th, Andres Freund dropped a bombshell on the oss-security mailing list: recent XZ Utils source code tarball releases made by Jia Tan were released with a backdoor.
I think we should normalize building libraries with just the features required by a particular application, which is something that Debian and most distros definitely don't do. At the same time, if I build everything from source, I'm responsible for all the security updates.
Then again, if a library is built with all unnecessary features and transitive dependencies eliminated, then depending on the library and the transitive dependencies, perhaps a lot of security updates become irrelevant.
Thinking about all this as I consider whether to build ffmpeg from source with minimal features. Perhaps ffmpeg is one of the worst offenders when it comes to "junk drawer" libraries as discussed in the article.
i don't think ffmpeg fits the definition of a junk drawer, such as it is, because those transitive dependencies are the core reason you use ffmpeg. they're not really side functionality, it's stuff needed to support the wide range of features ffmpeg has.
libsystemd accumulating a dependency on libxz in a highly load-bearing binary, just because it's got some weird feature used in one place is very different from ffmpeg having a dependency on libxz so it can decode and encode video containers
@dotstdy True. Still, the fact that a typical distro build of ffmpeg has lots of dependencies linked as shared libraries, even though one typically uses very few of them, means that someone could repeat an XZ-style attack via any one of them. If we don't at least modify our processes to avoid a repeat of the same kind of attack, then we've learned nothing.
@dotstdy I think ffmpeg lives in a different part of the ecosystem than openssh; specifically, the part where the code is big and complicated enough that you ought to be leaning hard into sandboxing and privilege reduction to limit its blast radius rather than trying to reduce its binary footprint (because even in the best possible case, the binary footprint is going to be huge, as josh points out)
"one typically uses very few of them" isn't really true though, you'll use different codecs for different media, and fundamentally that requires a wide range of support libraries. furthermore, the xz backdoor was interesting due to *which* process it injected into - the openssh daemon. unless you start linking ffmpeg into openssh you don't have anything close to the same threat model.
if that is your takeaway i think you missed the point.
the point is that application authors shouldn’t pull in junk drawer libraries for a few convenience functions, not that we should build multiple copies of the same library to support different apps.
or more directly to the point, the person who originated the patch all the linux distributions were using to integrate systemd’s readiness notifications and openssh should have just included a reimplementation of sd_notify(), which is a fairly trivial function to write.
Thanks for that clarification. I'm still inclined to go further by building stripped-down versions of dependencies for my specific application, but I won't use your post to justify it.
I also think we should maybe move the "modularize and use dlopen() a bit more" slider a bit further out; and maybe there's room there for DX improvement as well (dlopen/dlsym are… clunky…). If the decision to include features can be made by installing packages, Debian doesn't _need_ to do "just the features required", it's the end user doing that with more and smaller packages.
Turns out the amount of code from libsystemd that is relevant to us is... almost nonexisting. To the point of it being simpler to just open-code our own notification function & looking at env...
I like Gentoo for the fact, that you can decide if you want certain features, and can there by decide against certain dependencies. It's not perfect or complete, but it can remove the burden of updating everything by hand, and minimises the number of library copies. Not sure this will help you right now, but if you want to try something later, it may be interesting
Arrow Lake's had three months of Windows and BIOS updates to fix its performance, and my testing shows in some games, it's worse pcgamer.com/hardware/processor…
In a community assembly, the Indigenous Ayuujk residents of Mogoñe Viejo, Oaxaca, decided to rebuild a resistance encampment on the path of the neoliberal Interoceanic Corridor megaproject in the northern part of the Isthmus of Tehuantepec.
I set out to capture an image of the 2024 G3 ATLAS comet. It was an amazing experience seeing it with my own eyes. Capturing a Comet is not something that I've done before so I wanted to share my experience and what I learned along the way
We're creating something truly special here with the fediverse, and I am so thankful for everyone who contributes to it, whether with your time, money, or just by sharing your thoughts, your creations, your silly little jokes. Keep it up!
The World Wide Web Consortium (W3C) is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards.
Nice to see some @pixelfed coverage on CNET. Not only that, the article provides step-by-step instructions on how to export everything from Instagram and import it into Pixelfed. 👏
Solving a 17 years old issue of #Thunderbird by exposing the default sorting and threading options in the settings, and allowing a quick "Apply to all" button (or choose folders separately). Soon, on a daily release near you... #UX #usability
@quentind this feature and many others are already available on Daily so if you feel comfortable running that it would be awesome! I’m sharing an updated roadmap for 2025 before the end of next week
@quentind it’s tricky to add that because not all languages follow a similar structure of “1 or 2”, so that would make it hard to translate. It’s a minor thing but it’s better to leave it without so it’s easier to adapt for all locales
V jeho príbehu je logická diera. Nedokáže vysvetliť, v čom sú demonštrácie proti nášmu ústavnému zriadeniu, keď na nich ľudia žiadajú, aby sme neodchádzali z Európskej únie a NATO, aby sme nepodporovali vojnových zločincov.
Premiér, prezident aj vedenie parlamentu hovoria, že na Slovensku je ohrozená demokracia a republike hrozí prevrat. Snažia sa vyvolať zdanie, že je to vážne a že majú dôkazy. Akurát ich nechcú ukázať.
Tieto ich dnešné výpoty stačí interpretovať oveľa jednoduchšie. Pripusťme, že majú úplnú pravdu. Ale ak by ju mali, tak sa dá veľmi ľahko a logicky predpokladať, že práve teraz OČTK a kľudne aj NAKA (či ako to teraz premenovali) vykopáva dvere súbežne na viacerých miestach, robí prehliadky a zatýkačky. Pretože to by v prípade, že nekecajú, muselo nastať, ináč by tie ich včerajšie a dnešné tančeky značne komplikovali, ba až ohrozovali prácu zodpovedných orgánov.
No a keďže zatiaľ takú správu nikde nevidím, tak jediný logický uzáver je, že sú to iba politické blúznenia a priznanie sa k zneužívaniu SIS na politické manipulácie.
🇬🇧 After running #IzzyOnDroid on my own for over 10 years, we became a small team over a year ago. All done in our spare time, no grants.
That finally changed this week.
We're excited that we're one of seven projects being accepted for the NGI #Mobifree grant! 🥳
Finally we will be able to focus on some more things on our wish list that we've wanted to do for the community for a long time. Stay tuned, we'll update you with details later!
🇩🇪 Nachdem ich #IzzyOnDroid über 10 Jahre lang allein betrieben hatte, wurden wir vor einem Jahr ein kleines Team. Wir haben alles in unserer Freizeit gemacht, ohne Bezahlung.
Das hat sich diese Woche geändert.
Wir freuen uns, dass wir 1 von 7 Projekten sind, die für den NGI #Mobifree Grant angenommen wurden! 🥳
Endlich können wir uns auf Dinge auf unserer Wunschliste konzentrieren, die wir schon lange für die Gemeinschaft tun wollten. Wir halten Euch auf dem Laufenden!
@radasbona zumindest nicht ohne Account. Ich habe mich schon vor ~10 Jahren von den Google Services getrennt ("Google-freie Geräte"), und meinen Account hat Google bereits vor Jahren "wegen Inaktivität" gelöscht – diese Crawler fallen für mich daher ohnehin aus. Und für IoD heißt es schließlich: offizielle APKs von den jeweiligen Entwicklern, in den jeweiligen Repositories mit dem Quellcode bereitgestellt. Also nix mit Binaries aus dem PlayStore.
@radasbona Häh? Nix PlayStore hier, aber auch gar nix 😉 IzzyOnDroid & F-Droid. Habe keine Apps aus dem PlayStore hier im Einsatz. Und auch kein vergoogeltes System: ShiftOS-L auf den SHIFTies, sonst LOS. Als Client derzeit Neo Store, der sich um die F-Droid Repos kümmert.
@radasbona Ja? Und ich habe kein Google-ROM drauf hier. Müsste mal nachschauen, welche System-Webview da verwendet wird. Bei ShiftOS-L ist dafür ja das SHIFT eigene F-Droid Repo eingebunden. Aus meinem Adebar Report (uff, muss mal wieder einen frischen ziehen – dieser hier ist bereits über 1 Jahr alt) stammt der angehängte Screenshot. Details im ALT Text (nein, ich nutze auf diesem Gerät keine Email).
Du bekommst die updates mit den Rom updates, jetzt komm ich mit. Danke.
Das fällt bei mir raus, hab mein stock rom per shizuku/canta entgoogelt. Das hat den selben Effekt und ist leichter. Seit die Kids da sind hab ich keine Zeit mehr Handys zu flashen. 😇
@radasbona Das ist mit @shiftphones total easy: ShiftOS-L kommt ja aus dem eigenen Haus. Da die Geräte Google-zertifiziert sind, müssen sie (MADA verlangt das) mit den Google-Diensten ausgeliefert werden; das ist ShiftOS-G (kurz: SOS-G). SOS-L kannst Du direkt auf dem Gerät herunterladen, und dann über die integrierte Update-Funktion installieren. Dann noch ein Factory-Reset (um die G-Reste zu entfernen), fertig ist das Google-freie Gerät
Die lange schwelenden Konflikte rund um Best Practice bei F-Droid zeitigen nun erste, konstruktive Früchte. So fixt die ganz frische Version 2.35 Probleme rund um v1-only-Signaturen. Update wärmstens empfohlen.
"Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself."
With today's update, we've improved the look of the alt text modal you see when composing new posts on #Mastodon, and added some information about the significance of alt text for accessibility and how to write it.
The provinces would whine, but Canada should accept any refugee claimants from the US. 11 million new people contributing to the country. That's 2-3 new major cities and all the investment that goes with it and building those cities. Think of how many gloss reports about high speed trains to connect them we could print if we added that much to our GDP overnight.
Wanna learn how to SCREAM or SING for free?Sign Up for our free four-part screaming or singing crash courses!Screaming ►►►http://bit.ly/Screaming101 Singin...
SecureDrop is open source whistleblowing software. The project is at a critical inflection point as we get ready to build the next-gen version based on a modern cryptographic protocol.
100% remote, full-time, $110-$120K base salary with comprehensive benefits for US-based employees. (If you're not in the US, we can discuss consultancy models.)
We are looking for speakers interested in talking about gaming, cell phone app, a better design experience for apps, and advances in apps. #LAS2025 Call for Proposals is now open! Submit your talk proposal by February 15 at linuxappsummit.org/cfp/ and inspire the Linux app community.
The Linux App Summit (LAS) is designed to accelerate the growth of the Linux application ecosystem by bringing together everyone involved in creating a great Linux application user experience.
Love this piece from @teenvogue.bsky.social on how gender has varied around the world, across time. LOADS of cultures recognize more than two genders. teenvogue.com/story/gender-var…
Trump is dismantling our nation's largest resource for medical science research. The NIH and various sub-agencies are responsible for an incredible amount of work in disease research.
On one of the long drives during my tour to the South of France last week, I was listening to Daniel Stenberg (a.k.a bagder) talk about curl(1) on episode 808 of Floss Weekly, and at one point I be...
PSA for distro packagers who are looking at tcl9. By default it embeds the standard library into a zip file that it literally appends to the binary, and predicatably distro packaging tools will tend to disappear that. Turn off zipfs. core.tcl-lang.org/tcl/file?ci=…
For #AdoorableThursday a rare find: a piece of a #Roman wooden door found during the excavations at the Bloomberg building. Well-preserved due to the damp soil of the lost Walbrook river under the City of #London. Dating 43-100 AD.
@Tutanota es un servicio de correo, calendario y contactos con #seguridad postcuántica y de vanguardia en #privacidad para proteger tus comunicaciones en línea.
En este artículo conocerás por qué es la alternativa a Gmail que necesitas.
Despite the rollback of DEI programs, disability inclusion remains essential. Discover how legal protections, market demand, and technological advancements will sustain accessibility in business and beyond.
CCleaner Professional 2024 helps clean, optimize, and maintain up to three PCs for a year. It’s compatible with various Windows OS, making it an essential tool for PC users.
Microsoft Defender isn't bad, but it's still not enough to fully protect your PC. You don't have to pay extra, though. We’ve tested and ranked the best free antivirus apps.
Matt Campbell
in reply to Matt Campbell • • •Matt Campbell
in reply to Matt Campbell • • •Then again, if a library is built with all unnecessary features and transitive dependencies eliminated, then depending on the library and the transitive dependencies, perhaps a lot of security updates become irrelevant.
Thinking about all this as I consider whether to build ffmpeg from source with minimal features. Perhaps ffmpeg is one of the worst offenders when it comes to "junk drawer" libraries as discussed in the article.
Josh Simmons
in reply to Matt Campbell • • •Josh Simmons
in reply to Josh Simmons • • •Matt Campbell
in reply to Josh Simmons • • •Glyph
in reply to Matt Campbell • • •Josh Simmons
in reply to Matt Campbell • • •Ariadne Conill 🐰
in reply to Matt Campbell • • •if that is your takeaway i think you missed the point.
the point is that application authors shouldn’t pull in junk drawer libraries for a few convenience functions, not that we should build multiple copies of the same library to support different apps.
or more directly to the point, the person who originated the patch all the linux distributions were using to integrate systemd’s readiness notifications and openssh should have just included a reimplementation of sd_notify(), which is a fairly trivial function to write.
Matt Campbell
in reply to Ariadne Conill 🐰 • • •equi
in reply to Matt Campbell • • •(self-plug:) here's how removing a junk drawer libraries looks like: github.com/FRRouting/frr/pull/…
I also think we should maybe move the "modularize and use dlopen() a bit more" slider a bit further out; and maybe there's room there for DX improvement as well (dlopen/dlsym are… clunky…). If the decision to include features can be made by installing packages, Debian doesn't _need_ to do "just the features required", it's the end user doing that with more and smaller packages.
remove libsystemd-dev external dependency & --enable-systemd switch by eqvinox · Pull Request #8508 · FRRouting/frr
GitHubTheConstructor (he/him)
in reply to Matt Campbell • • •