Joe Orton

935 posts

@notroj

Product Owner at Red Hat. Apache HTTP Server hacker. Opinions all stolen.

Cambridge, UK. Joined June 2009
254 Following, 187 Followers
Joe Orton retweeted
Daniel Lemire@lemire·
The problem is not the reporting. There is no indication whatsoever that @FFmpeg discourages bug reports. Or benchmarks for that matter. If you’re going to use massive AI resources to find bugs in volunteer-maintained code, don’t just drop the reports and run—provide the patches to fix them or fund people to do the work. @halvarflake keeps on making references to closed source software. My post was specifically about how the whole behaviour is inappropriate for a FFmpeg. @FFmpeg is not Apple, Microsoft, Google or Amazon. Making references to what suits the needs of Microsoft is irrelevant to FFmpeg. Google’s behaviour is rude and violates the open-source culture. Look at the likes of my post. Lots of people agree with me. @halvarflake would argue, as you do, that disclosure is speech. Fine. But understand that you can use your free speech and still be a vile individual. Nobody is calling for censorship. This is not Germany 1933. What is being demanded is respect for open-source norms. It is like the Internet. You can pull files from my blog. But I am not Google, don’t swarm me with 12 billion requests. If you need to issue 12 billion requests to my blog, build a cache first. Intensity matters. If you snap a picture of me in passing, that’s fine. If you stalk me, follow me around and publish 100 pictures of me a day, it is harassment. And please don’t be tone deaf… « there is no pressure ». Again: social norms. Don’t be a jerk.
Joe Orton@notroj·
As downstream maintainers we also face regular pressure from CVE-data-consumers (our customers) to address - and patch - what are clearly bogus CVE assignments. So will be interesting to see how this develops.
Joe Orton@notroj·
If you don't admire it, you likely fail to empathise with non-CNA maintainers facing bogus CVE assignments for bugs which they are *not* empowered to reject, like @bagder daniel.haxx.se/blog/2024/02/2…
Joe Orton@notroj·
It is hard not to admire (from a distance) the Linux kernel CNA approach of assigning CVEs en masse for bugs then rejecting a subset later. It looks like a denial of service attack on the CVE system - and in particular, those who blindly consume CVE data.
Joe Orton@notroj·
This xz thing is pure nightmare fuel for distro maintainers. Cold sweats.
Joe Orton retweeted
reconditerose bksy social@reconditerose·
I've gotten together with various former Redis contributors and we've started working on a fork: github.com/madolson/place…. We are all unhappy with the license change, and are looking to build a new truly open community to fill the void left by Redis. Come join us!
Joe Orton@notroj·
@Stagecoach_East Can you confirm whether the no.4 will still stop at Childerley/Caldecote turn?
Igor Raits@ignatenkobrain·
@notroj The Y axis are `ms`. We'll try out the sdbm locktype and let you know.
Joe Orton@notroj·
@ignatenkobrain Without knowing more about your workload hard to say more. Disabling both DavLockDiscovery and DavDepthInfinity might help too
Joe Orton@notroj·
@OctopusEnergy is the Power-up for tomorrow or Wednesday? Inquiring turkeys need to know.
Joe Orton@notroj·
Using the excess free electricity during @OctopusEnergy "Power-Up" days gives us a significant reduction in our gas consumption. Thanks!
Joe Orton retweeted
Ryan Hurst@rmhrisk·
Did you know there are approximately 85 organizations authorized to issue TLS certificates for the web today? Or that seven of them issue 99% of all certificates currently in use? The presence of the others is largely intended to accommodate web openness and national sovereignty—an admirable goal, albeit one that introduces a significant attack surface for every web user. But were you aware that the recent eIDAS legislation, that was just signed, will obligate browsers to trust all QWAC-approved CAs listed on the EU Trust List (esignature.ec.europa.eu/efda/tl-browser)? To illustrate, Spain has 13 CAs approved to issue these certificates and there are 27 member states in the EU. Additionally, did you know the legislation will not permit browsers to remove a CA with a history of repeated incompetence without government approval? The most famous of all CA distrust events was an EU CA known as DigiNotar, and those in the PKI space might say that 12 years ago and today, the Conformity Assessment Bodies would have caught that and dealt with it proactively. But is that true? Check out the history of Camerfirma (wiki.mozilla.org/CA/Camerfirma_…) and wonder why an organization with such poor operational practices that the internet isn't dependent on is still trusted by anyone? Then ask why the associated CAB still lets it be approved as a CA for issuance. For those who say that the web doesn't need Browsers for such actions, consider this recent incident involving a Turkish CA (bugzilla.mozilla.org/show_bug.cgi?i…). And for those who doubt governments would use CAs to gain visibility into web traffic, take a look at this case where a French CA was doing just that: arstechnica.com/information-te…. Supposedly the final text has a recital that was added to the language to suggest that the scope of these requirements is to be limited to trusting these CAs for identity information and not the domain but the document is still private so we don't know for sure.
Even if true, recitals are not binding and the bill has other issues, for example, it requires browsers to reinstate user interface that has been proven to be harmful and misleading to users. arstechnica.com/information-te…. It also prevents the Browsers from establishing additional requirements for the CAs above and beyond what is included in the associated EU legislation, for example, they won't be subject to certificate.transparency.dev which has helped catch many many issues. All this means calcifying the web making it impossible to move forward without legislative change and leaving the web less secure at the same time. Change will now be governed by regulators, lobbyists, and standards boffins that either benefit from this weakening of the web or have no accountability for its consequences. There are 195 sovereign nations in this world. Each would love to be in a position to observe everything their citizens and everyone who interacts with them does. When the world's most liberal and democratic governments put into place the tools to enable mass surveillance and weaken internet security in this fashion what makes us think the rest won't as well.
Joe Orton@notroj·
Three hours of free electricity? Sounds good to me. Let's see if we can trip a breaker. #octopusenergy
Karanbir Singh@kbsingh·
Everyone is super excited about the @Raspberry_Pi 5... While I am just looking for a price drop and power reduction for the most useful RPI ever... The Zero2w.