HackerTrans
TopNewTrendsCommentsPastAskShowJobs

jahav

no profile record

comments

jahav
·3 tahun yang lalu·discuss
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONS...

Important bits (10c and around):

* Libraries/non-end products are fine, unless monetized.

* Employee contributions seem to be fine.

* Foundations seem to be fine.

* Non-core developers are fine

Seems like significantly better version.
jahav
·3 tahun yang lalu·discuss
That is already part of CRA:

> It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties.

> Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component.

EDIT: Also, I concur the poster below. It's developers who oppose against management to allocate time for bugs and technical debt instead of new features.
jahav
·3 tahun yang lalu·discuss
It's called tidelift.com
jahav
·3 tahun yang lalu·discuss
First, I like how you included “popular” adjective. That alone disqualifies 99% of projects. These are the projects “hacked” by non-paid devs.

Second, some proof would be nice. I live in .net/nugget ecosystem and other than libraries backed by MS, most popular projects are not (at least ones I know of).
jahav
·3 tahun yang lalu·discuss
That is one of them, here is the second version with different amendedments by European Council: https://data.consilium.europa.eu/doc/document/ST-11726-2023-...

They are now hashing out a final consolidated version in a trialogue.
jahav
·3 tahun yang lalu·discuss
TBF there is a lot of things “free of charge” connected to commercial activity, e.g. Android, .NET Core, MongoDb, ElasticSearch, even RedHat with Linux …

I understand need to somehow include them, but the line should be at the for-profit companies and exclude non profits and individual developers.

How to formulate it without easy loopholes is no easy task.
jahav
·3 tahun yang lalu·discuss
You are asking how requiring open source with no money to satisfy plethora of regulations along with legal liability (I.e. making it a commercial grade) makes it less likely for open source be made?

Ask log4j or OpenSSL.

Go read this: https://blogs.eclipse.org/post/mike-milinkovich/european-cyb...
jahav
·3 tahun yang lalu·discuss
There is some hope for individual developers in EP amended version https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COM... article 10c: > Developers contributing individually to free and open-source projects should not be subject to obligations pursuant to this Regulation.

Actually it’s an improved version. Hopefully it will make it through consolidation with EC version.
jahav
·3 tahun yang lalu·discuss
> it’s called professional accountability

Professional does for money, by definition. That doesn’t apply for most open source. RedHat employee contributing to Linux kernel is an exception, not a rule.
jahav
·3 tahun yang lalu·discuss
To put it bluntly, it means a significant risk when creating any open source project. It’s a common knowledge that there is no money in open source, but suddenly I am liable. Half of open source licenses is disclaimer of liability. Also a lot of other yet to be defined requirements (harmonised regulations it is called I believe).

Linux, World Wide Web… not worth the risk.

So I am making something in my free time, as a hobby, no monetary gain and suddenly I can easily get sued to oblivion. I need to at least buy insurance. My library is used left and right in commercial activity.

The impact assessment for CRA is a total lie. It assumes 100% decrease in cyber damages and laughably low compliance cost and very small amount of impacted entities (only companies, not individuals and each company makes one product).

TBF, version amended by EP explicitly excludes individual developers, hopefully it makes it through trialogue.

Edit: basically imagine authors of log4j. Remember that security flaw that impacted half the internet? That is what’s called liability. Did they use ‘ apply effective and regular tests and reviews of the security of the product with digital elements;’? Better make it industrial grade product, with no money, in their free time.
jahav
·3 tahun yang lalu·discuss
1. Reproduction is already heavily subsidized in many countries, be it direct grants, tax breats and so on. This is nothing new.

2. Most people actually want children. Getting someone to actually procreate with that will share burden.

3. Investing in children should hel to fund future pension payments. There is pretty good case for self-interest.

4. China won't care, neither will Russia or other parts of world.

5. Countries that will do that will have a better outcome than countries full of retirees. Unless AI takes over, natural selection will take care of rest
jahav
·3 tahun yang lalu·discuss
That assumes that new humans can be only by women.

There is no reason, why artificial womb, possibly with multiple selection box for genes, is not a very realistic possibility, along with state funded child rearing services. (see Norway)
jahav
·3 tahun yang lalu·discuss
Maybe, but normal developer interracts with sane parts.

Honestly, the biggest problem with git is sane environment for merge conflicts and that is out of scope of git CLI. In most cases, imposing rule for small PRs/feature branches will solve it.

git add, git commit, git log, git blame, git push, git rebase -i --onto. That is 95+% of what developers use (maybe an option here or there, like -m or --amend). Merges are done on CI after it passes.

There are a lot of arcane parts and switches. git-send-email is likely used a lot on kernel development, but very rarely in the rest of the world.

> I've got 10 years in it and it still bites me in the ass.

Can you give some examples? I had some problems in the beginnings, but it was because i tried to be "smart".

After I embraced KISS, everything works nicely. As long as I keep "public" branches protected, any splash zone is very small and at worst, just redo it(synergy with small PRs).
jahav
·3 tahun yang lalu·discuss
MS stores windows codebase in a single repo (https://devblogs.microsoft.com/bharry/the-largest-git-repo-o...). 300GB.

I don't really see a benefit of having all code of an org in a single repo. Single product, sure. But whole company? Why. Not to mention, these are serious outliers.

From security standpoint, it doesn't seem great, from practical side, it's not great (bandwidth cost ect).
jahav
·3 tahun yang lalu·discuss
Rather surprising that they don't offer sign up with Facebook/Google.

I know, i know, but that's pretty big speed bump in the onboarding process.
jahav
·3 tahun yang lalu·discuss
Probably, but I will take this victory. Google has power to make this happen.
jahav
·3 tahun yang lalu·discuss
Because they are collecting a shitload of data about me to make them work.

It's like a little camera accompanying you everywhere and you don't get to say no and it's used for anything they can get away with.
jahav
·3 tahun yang lalu·discuss
Maybe when uutils ship their gnu compatible version(deviations from GNU are considered bugs), macos will update.

MIT, Rust, active development... Maybe in few years.
jahav
·3 tahun yang lalu·discuss
I suspect such versions won't comply with Cyber Resilience Act (=company would be on hook for a fine). Browsers are in category 2 iirc.

Edit: rest of world might be fine(big maybe, these things have tendency to proliferate),eu citizens... screws are tightening.
jahav
·3 tahun yang lalu·discuss
You can try to patent anything, but patent might not be accepted.

The thing is that patent office is funded by patent fees, so there is an incentive to accept the patent plus they are often hard to read.