Quoting: Purple Library GuyI'd say it has an upside that the NFTs don't, though, and it's fundamental: The game is free.

There are many free NFT-dropping games. This scheme is what they call “Play-to-Earn”: play, regularly drop NFTs or crypto-coins (or in this case Steam items) then try to sell them to someone who sees some value in them.

Here is a list of free Pay-to-Earn NFT-based idle games: https://playtoearn.com/blockchaingames/All-Blockchain/Idle/All-Status/All-Device/NFT/All-PlayToEarn/Free-To-Play [External Link].

The game creator doesn't have to make you pay or even to scam you to make money: they can for instance drop themselves a high-value token and try to sell it like everyone else. When people value something because it is rare and you control the rarity, ultimately you control the value.

View this comment - View article - View full comments

it does drop Banana Steam Items every so often and everyone then dumps them onto the Steam Marketplace hoping to make some extra cash, which you can then use to buy Steam games

So basically all the downsides of the modern usage of NFTs (speculation, dubious valuation, Ponzi scheme) without any of the upsides (decentralization, no vendor lock-in, potentially lower transaction fees).

View this comment - View article - View full comments

Quoting: WMan22I wish there was an auto swap utility akin to prime-run/Nvidia Optimus where I could use the proprietary driver for games that run better with it, and NVK for games that run better with that, like A Hat In Time.

Even if I could use it by just swapping to it like a desktop environment in SDDM, where it'd be like Plasma (NVK Wayland) or (NVK X11)

This way I could like, check on the progress periodically without compromising my core experience, cause hot damn NVK is moving impressively fast in terms of updates and new features.

I have something close to that in NixOS using specialisations [External Link]: in a way you can see it like a dualboot where I have one NixOS install with proprietary Nvidia and stable Mesa for my iGPU and another install with source-built unstable Mesa all the way, except everything that can be shared is.
These days I use Mesa for work and some gaming (mainly osu!) and reboot to the proprietary driver for stuff that isn't there yet.

You can probably achieve something similar with OSTree-based distros like Fedora Silverblue/Kinoite as it supports “parallel-installable filesystem trees [External Link]”.

View this comment - View article - View full comments

Quoting: ElectricPrismHaving read and reflected more, I feel like there are at least 2 points to drive home.

1. Why in the hell is anyone still using Github for FOSS? Projects should go independent or literally anywhere else.

2. This really drives home the point that __BINARY CANNOT BE TRUSTED__ -- we really should hammer this idea in HARD.

If you can't see the source, how are you going to verify (I) A Signature, and (II) What the software does and does not do.

I could see it being Legally Mandated that ALL SOFTWARE is required to publish their source code to ensure that malicious foreign actors haven't hidden things in the software.

__BINARY CANNOT BE TRUSTED__ -- of course most of you already know this -- Easy-Anti-Cheat? What does it really do? Denuvo? What does it really do? How do we know that it's safe? How can be verify that software is safe?

Binary Cannot Be Trusted. Fuck GitHub.

While there is some truth to what you're saying this is mostly unrelated to the issue at hand:

1. This would have happened whether the project source code was hosted on GitHub or not. The malicious archives were also available from xz.tukaani.org and the project also has its own git hosting at git.tukaani.org. How does that help mitigate the issue in any way?

2. The affected tarballs were source archives, not binaries. They do happen to contain binary test data because xz is a tool that reads/writes binary data. This test data is not supposed to be used at build time, only during tests by developers or on a CI setup, and it's not supposed to be executable. Now the malicious maintainer introduced some compressed scripts and executable code masquerading as test data in there some time ago, and in the last 2 releases they added a build step that reads and executes that at build time. That extra build step that only exists in the source archives is human-readable code and not binary. No one trusted the binary that gets loaded in the end because because no one knew it even existed.

Binary Cannot Be Trusted. Fuck GitHub.
Source Archives Cannot Be Trusted. Fuck Tar.

View this comment - View article - View full comments

Quoting: Liam Dawethe buttons are way too big

Maybe this has to do with translations: in the current version when the interface is in French the labels are larger and the cover feels misaligned as a result. (eg. “View Store Page” vs “Consulter la page du magasin”)
So maybe (hopefully?) they set the width of the buttons to max(translations) to spot that kind of issues during the beta and will revert to buttons that adapt to the actual text length on release?

View this comment - View article - View full comments

Quoting: denyasisNo, it can't infect "the system", but since we're executing programs out of /home, isn't that good enough? The malware is still running under the users permissions, it can still execute in /home, read data, access the network, etc.

Relevant xkcd: https://xkcd.com/1200/ [External Link]

Quoting: BlackBloodRumIt is possible the malware has been trained to handle Linux, in which case it will try to get access to your home directory. Worst case here is your home directory gets hosed, and data which your user has permission to modify is altered, which is fairly minor.

Worst case is rather that it uploads your ~/.ssh, ~/.mozilla and ~/.thunderbird to some remote server.
I would not call that “fairly minor” either way, what is more valuable on your computer than your data?

View this comment - View article - View full comments

Quoting: ElectricPrismIsn't Ubisoft the one where if you don't login for a few months they delete your purchases?

No and no:
* After 4 years of inactivity they send a notice to give you 30 days to cancel the deletion.
* If and only if you've got no game to loose in the process. [External Link]

View this comment - View article - View full comments

Quoting: hardpenguinThis is a legitimate business tactic that does not violate open source principles at all.

I completely agree. This also seems to be quite common for creative software, two other (great) examples on the top of my head where the official no-cost binary is only for demo purposes:

• Aseprite [External Link], a pixel art editor/animator: “WARNING: You CANNOT SAVE files with the trial version”


• Ardour [External Link], a DAW: gives the choice between binary and source upfront, the demo binary “periodically goes silent after 10 minutes”.

EDIT: it seems Aseprite isn't open source anymore (since 2016), but still source-available :sad:

View this comment - View article - View full comments

Quoting: GeamanduraThe processor doesn't need to be able to access your RAM to be a security risk. If its crypto engines or RNG engine is analyzed and a flaw in the algorithm is detected, it can be exploited to weaken anything that has been encrypted with this processor.

This can be said about basically any piece of security hardware or software. “it could be broken someday” ≠ “it's a backdoor”

View this comment - View article - View full comments

Quoting: LinasThis is great news. Does anyone know if it is possible to run Steam headless on a home server just for the purpose of caching game files?

I have no idea about running Steam headless, but you might want to take a look at lancache instead, it has been supported by Steam since 2020 already:
https://lancache.net/news/2020/01/14/steam-client-now-supports-lancache/ [External Link]

View this comment - View article - View full comments