I don't think this lawsuit has much merit, to be honest. #1 and #3 are pretty easily disproven.

#2 on the other hand, I've never really considered it much, but I don't know if it's a strong enough problem. And if the lawsuit wins on this ground, it will cause all sorts of headaches for developers who publish their games on multiple platforms. This isn't the CD-ROM era anymore, after all.

View this comment - View article - View full comments

sed "s/cloud/another person's computer/"

Yes, I get it's a meme, but in this case it's very true. If you don't want data loss for anything important, you need to be prepared to self-host that data on your own computer.

View this comment - View article - View full comments

Quoting: tpauNow we need the same for <turing too :)

As much as I would like this, they have to draw the line somewhere when it comes to old architecture support. For them that is Turing, which made its debut in 2019. And as much as I hate to say it, 5 years is pretty typical for hardware support across most industries.

Still, the push for making the open kernel module a 1st class citizen is great news!

View this comment - View article - View full comments

Quoting: sudoerGNU/Linux as it is now is a chaotic system developed mainly for server use, a victim of antagonizing corporations, each one with their "own" technologies, simply adopted by the PC, us

Citation needed. And I would suspect that Stallman and Torvalds both would have objection to the statement that the GNU/Linux ecosystem is mainly for server use.

Quoting: sudoerSeeing all that, FreeBSD and Haiku make more sense.

I've tried to use FreeBSD as a daily desktop driver, and it utterly fails to embrace the advances that desktop Linux has pushed over the last decade. As a server OS it is fantastic at what it does, though, provided the applications you want to use are available.

What does this have to do with the XZ tools issue? Nothing. FreeBSD used the same code as everyone else, and had to do the same audits to determine whether it affected them or not.

View this comment - View article - View full comments

Quoting: Nic264Source Archives Cannot Be Trusted.

I'm not convinced this is 100% correct. It is still possible to inject malicious code whether or not you are downloading the source code directly or via an archive file.

Reproducible builds plus reproducible archives PLUS much better source code auditing is necessary. The first two alone (reproducible builds plus reproducible archives) will still net the possibility of malicious code (as an OpenSUSE dev confirmed).

Basically, to prevent this going forward, we will need a paradigm shift in source code handling and security best practices, and a LOT more eyeballs on these critical projects that have the potential to sabotage the entire ecosystem.

View this comment - View article - View full comments

Long overdue.

This issue (malicious software that is freely available) is precisely why you do not grant your users nearly unchecked access to repositories, and why 3rd party repositories are a dangeous thing.

For the record, this also applies to the Arch AUR, Ubuntu PPAs, Fedora COPR and RPMFusion, OpenSUSE OBS, and even Flathub.

View this comment - View article - View full comments

Quoting: ElectricPrism1. Why in the hell is anyone still using Github for FOSS? Projects should go independent or literally anywhere else.

In principle I agree with you, and a lot of people agree with you.

In practice it's not so simple. There are good reasons for well-established large and important projects to remain on Github and not migrate to another host (like Gitlab or self-hosting). Some of it is politics (office politics, mailing list politics, or straight up Washington DC politics). Some of it is feasibility. Some of it is because projects are just unbothered by Microsoft owning Github. Some of it is laziness.

In this particular case, I'm not convinced that hosting XZ on Github was a factor in this specific Supply Chain attack.

View this comment - View article - View full comments

People have done a pretty in-depth analysis, and the conclusion: This was an insider job (also known as a supply chain attack). There's a good chance this was done by a nation-state actor.

We are going to see a LOT more of this going forward. Be on your toes.

View this comment - View article - View full comments

Quoting: doragasuWow, looks really confusing to me...

It's Geometry Wars with an obstructed and dynamically changing view.

Not the first game [External Link] I've seen that uses multiple "windows" for gameplay. Definitely a neat gimmick.

View this comment - View article - View full comments

Posted this before, and I'm posting it again.

Still won't allow my kids to play this.

https://www.theguardian.com/games/2022/jan/09/the-trouble-with-roblox-the-video-game-empire-built-on-child-labour [External Link]

https://www.bizjournals.com/sanjose/news/2023/08/23/roblox-class-action-filed.html [External Link]

https://www.youtube.com/watch?v=_gXlauRB1EQ [External Link]
and
https://www.youtube.com/watch?v=vTMF6xEiAaY [External Link]

View this comment - View article - View full comments