
Kaleidoscope of opinions


I’m really treating this capsule as my public diary…


Have I ever written that I change my opinions way too often? I’m a person who constantly questions my own beliefs and opinions, so they are easily swayed by current events.


And something happened – the infamous xz backdoor. You, dear reader, have probably heard about it, so I’ll spare the details. What is important in this post is that my opinions returned to where they used to be before a Windows incident:


The Windows incident is described here, near to the bottom of the post


My thoughts about the xz incident


Very rarely does life punch me straight in the face with proof that I’m right and most of the world’s population is wrong. Every single thing about this incident proves my points. To think that at that time I was starting to believe that maybe I had been radicalized too much and needed to take a few steps back…


⚠ Disclaimer: I’m probably interpreting the facts in such a way that they match my opinions, so beware! I strongly suggest that everybody think for themselves.


Software and tech in general are too complicated. They are Rube Goldberg machines at this point. Autoconf, obfuscated by default and problematic, made pregenerated tarballs the default form in which software is distributed, and this made hiding malicious code much easier. Developers should be able to understand their whole stack. I’m not saying that anyone must scrupulously study every single line of their whole dependency stack, but everyone should strive to keep their projects small enough that they would be able to do so if needed.
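One practical consequence of the tarball problem is a check a packager or downstream maintainer can run before building: compare what the release tarball contains with what the version-controlled tree contains, and look at everything that exists only in the tarball. The script below is an added example, not code from the original post or from any project mentioned in it. It builds a constructed source tree and a constructed tarball (the package name pkg-1.0 and every file name are made up for the demonstration) so it runs offline, and uses plain find instead of git ls-files so it has no git dependency.

```shell
# Added example, not code from the original post: list every file a
# release tarball ships that is absent from the version-controlled tree.
# Autoconf output (configure, generated m4 macros) exists only in the
# tarball, so what this prints is exactly the part nobody reviewed in git.
# The package name and all file names below are constructed for the demo.

# tarball_only_files TARBALL SRCDIR
# Prints, sorted and one per line, the paths present in TARBALL (with its
# single top-level directory stripped) that do not exist under SRCDIR.
tarball_only_files() {
    tb_list=$(mktemp) || return 1
    src_list=$(mktemp) || return 1
    # tar detects gzip/xz compression when listing; strip "pkg-1.0/",
    # then drop directory entries (trailing slash) and the empty top entry.
    tar -tf "$1" | sed -e 's#^[^/]*/##' -e '/\/$/d' -e '/^$/d' | sort -u >"$tb_list"
    # Tracked files. On a real checkout `git ls-files` is the right list;
    # plain find keeps this example free of a git dependency.
    (cd "$2" && find . -type f | sed 's#^\./##' | sort -u) >"$src_list"
    # Lines unique to the first file = tarball-only paths.
    comm -23 "$tb_list" "$src_list"
    rm -f "$tb_list" "$src_list"
}

# demo_extra_files: builds a constructed "repository" and a release tarball
# that carries two generated files the repository never had, then prints
# the tarball-only paths on one line.
demo_extra_files() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/repo/m4" "$work/src"
    printf 'int main(void) { return 0; }\n' >"$work/repo/main.c"
    printf 'AC_INIT([pkg],[1.0])\n' >"$work/repo/configure.ac"
    printf 'dnl reviewed macro\n' >"$work/repo/m4/real.m4"
    # The tarball is the repository plus generated files (constructed names).
    cp -R "$work/repo" "$work/src/pkg-1.0"
    printf '#!/bin/sh\necho configure\n' >"$work/src/pkg-1.0/configure"
    printf 'dnl generated, never committed\n' >"$work/src/pkg-1.0/m4/extra-macro.m4"
    (cd "$work/src" && tar -cf "$work/pkg-1.0.tar" pkg-1.0)
    tarball_only_files "$work/pkg-1.0.tar" "$work/repo" | paste -sd ' ' -
    rm -rf "$work"
}

demo_extra_files   # prints: configure m4/extra-macro.m4
```

On a real package the interesting output is not the expected generated files but anything in that list you cannot explain; a generated configure script is normal, an m4 macro or test fixture that never appeared in the repository is what deserves a diff against the tool that supposedly generated it.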


A gazillion dependencies, and as a result a gazillion project maintainers, made this one particular plea for help disappear into the normal level of noise. We failed them. Starting such a project in one’s free time should never become a leash that binds someone to the project despite losing any interest in it, or despite life or health preventing them from continuing to work on it. They should be able to state that the project is finished and that any future bugfix or feature will be on the shoulders of successors, or even just drop the whole thing at that point, without feeling any guilt. There are many ways to handle a maintainer declaring a project finished and/or stopping work on it:

If everything works, and no bug has an impact on a dependent project: Why bother? Leave it as is and normalize the idea of “finished software”.

If the dependency isn’t particularly important: This is a good time to drop it.

If the dependency is important and there are bugs impacting the project: Fork it and fix the bugs. There is no need to become the next maintainer of the dependency; just fix the problematic bugs and move on. Maybe some time in the future the original maintainer will restart the project and gladly welcome those fixes. Maybe a more ambitious fork will appear and pull those fixes in. And maybe nothing of such importance will happen; bazaar-style development, where many smaller forks make different sets of fixes and add different sets of features, works too.

If the dependency can be swapped, swap it. Arch Linux in the past moved from xz to zstd.

And the best for dessert: If possible, offer help. This solution requires the most energy and time investment but is the best one for the community as a whole. If you are not a malicious actor…


And the last point:


> Systemd is such a big target that any vulnerability in systemd’s codebase will affect *almost all* distributions, so I would be very surprised if any bigger bad hacker groups and national surveillance agencies don’t already have their own groups of systemd experts checking its codebase line by line looking for any potential vulnerability.

My stance on systemd


Yup, this is probably what happened and is still happening. Exploiting the init system to achieve remote code execution was too hard, but exploiting OpenSSH indirectly via systemd, which uses xz, was on the table.


So, maybe my opinions are sensible? Maybe I’m not just a tinfoil-hatted radical?


Sudden topic change


And then there is the Rust programming language… I can’t even describe what I feel about it.


Things looked very different in the ~1.0 era. The standard library was minimal, barren I would say, and many (anti-)features were actually removed before 1.0 to clean up the language. So, I had my hopes. Rust was not small, simple and minimal, but the project was promising in regards to scope-creep avoidance.


And now Rust is everywhere, and moving away from it triggers my FOMO really hard. There are many exciting projects happening there. Lots of energy and ideas are flowing.


I think I’m feeling a mixture of nostalgia, betrayed hopes, strong FOMO and a desire to be part of the community and build exciting things. But even those nostalgia-tinted glasses cannot hide from me how things have changed…


Conclusion


I went on yet another soul-searching mental journey and decided to do a git reset --hard on my life to the point where I stood closest to my beliefs, before fixing school laptops crushed my soul. I’ve installed Alpine Linux on my PC again (with no eudev and no elogind), and returned to using the Hare programming language as the default language for my new projects (Sorry, Rust. It’s not you, it’s me. I’m the problem).


At this point I’m mentally drained from constantly reevaluating and changing opinions and really want to do something more productive, so I’m keeping my fingers crossed that nothing will sway my standing in the near future.

