HackerTrans
TopNewTrendsCommentsPastAskShowJobs

blm126

no profile record

comments

blm126
·в прошлом месяце·discuss
I think the key right now is that these are semi-automated scanning processes. Right now, companies like step security selectively publish. So, in order for a hacking group to find out if their malware is detected or not, they have to burn access to a useful package.

None of this is to say I think Microsoft shouldn't be doing something as part of the release process on NPM. However, there is real value in giving more independent third parties a window to do things semi-manually.
blm126
·в прошлом месяце·discuss
The one week cooldown option is not relying on other users to be a canary for you. Its just giving automated scanners a chance to notice. This is the perfect example. I don't think step security found this by accident. They are actively monitoring NPM package releases at some level.

There is something to be said that Microsoft should be scanning packages pre-release. They aren't, though, so for right now there is a ton of value with very little downside if people implement a one week cooldown period.

To answer your question directly, though. If everyone else moves to a one week cooldown, I would absolutely suggest a two week cooldown is a good idea. Being the "slow" moving organization is a good security trade-off so long as you don't take it to extremes and have escape hatches when you actually need to be moving quickly.
blm126
·2 месяца назад·discuss
I’m not on X, so it’s good to know I don’t matter in tech. I always suspected. Since I’m a paying GitHub customer, though, I should probably matter to them. The right forum for GitHub to post this is with their status page, their blog, their website, or an email to all their customers. Using any sort of social media for this kind of thing is either incredibly sloppy or very intentionally quiet. Given that my tiny employer has a better incident communication plan than this, my guess is this an attempt to downplay things.
blm126
·3 месяца назад·discuss
I’ve got the Framework desktop with strix halo. You can reserve memory for the GPU, but it’s straightforward at least on Linux to have the GPU dynamically grab memory as needed. I’ve got my VRAM set to 512MB and regularly use 120GB+for AI stuff.
blm126
·3 месяца назад·discuss
I wouldn't call it theft, exactly. Presumably work did get done. If I'm reading it right, its just a terrible conflict of interest. The board uses donations to pay companies to work on LibreOffice. That seems totally fine. Some of the board were running/part of companies that rely and work on LibreOffice. That also seems mostly fine? You want your board to represent your community. Then, those same board members directed work towards their companies.

That's definitely a conflict of interest, but I wouldn't call it theft unless you prove the foundation was getting a bad deal. Could the foundation have gotten the work done better or cheaper hiring non-represented companies? That's the question you have to answer to call this theft.

It doesn't seem that is really what the foundation is arguing though, so I'm guessing it wasn't that bad. It seems more their argument is that this violates the non-profit laws they operate under.
blm126
·5 месяцев назад·discuss
For desktop usage, I would be absolutely shocked if ext4 isn't the most common filesystem by a pretty wide margin. Its the default on Ubuntu, Debian, and Mint. Those are the 3 leading desktop distros.

No one is going to write a blog post titled "Why I just used the default filesystem in the installer" but that is what most people do. Things like btrfs and zfs are useful, complicated technologies that are fun to write about, fun to read about, and fun to experiment with. I'd be careful about assuming that leads to more general use, though. Its a lot like Guix and NixOS, in fact. They get all the attention in a forum like this. Ubuntu is what gets all the people, though.
blm126
·7 месяцев назад·discuss
I believe you stated the problem in a way that its unsolvable. Charge your customers money, so you can work for them. I'm not nearly as certain as you are that Netscape failed because it was charging money. Netscape just stopped updating for multiple years at the height of the browser wars.

For Firefox in particular, I would 100% be willing to pay for it. Individuals like me who will pay are rare, but companies that will pay aren't. I think the answer for modern Mozilla is a Red Hat style model. Charge a reasonable amount of money. Accept that someone is going to immediately create a downstream fork. Don't fight that fork, just ignore it. Let the fork figure out its own future around the online services a modern browser wants to provide.

Then, lean hard into the enterprise world. Figure out what enterprise customers want. The answer to that is always for things to never, ever change and the ability to tightly control their users. That isn't fun code to write, but its profitable and doesn't run counter to Mozilla's mission. That keeps Mozilla stable and financially independent.

Mozilla will maintain lots of influence to push forward their mission, because hopefully their enterprise customer base is big, but also they are the ones actually doing the work to make the downstream fork possible.
blm126
·8 месяцев назад·discuss
I wouldn't mix OAuth and OIDC up when thinking about this. OAuth is a chaotic ecosystem, but OIDC is fairly well standardized.

OIDC actually does have a discovery mechanism standardized to convert an email address into an authoritative issuer. Then, it has a dynamic registration mechanism standardized so that an application could register to new issuers automatically. Those standards could absolutely be improved, but they already exist.

The problem is that no one that mattered implemented them.

If you want to get anywhere with something like this, you need buy-in from the big email providers(Google, Microsoft, Yahoo, and Apple) and the big enterprise single sign on providers(Ping, OneIdentity, and Okta). All of those companies already do OIDC fairly well. If they wanted this feature to exist, it already would.

Instead, it seems like big tech is all-in on passkeys instead of fixing single sign on.