
@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka

www.mail-archive.com: Re: [xz-devel] XZ for Java

@eb "I never thought a sophisticated APT would backdoor *my* volunteer-maintained infrastructure that I got for free" sobs entire industry who voted for the "volunteer-maintained infrastructure that I get for free with no defense against sophisticated APTs" party

Irenes (many)

@glyph @eb please note that we are ALSO no fans of the "subsume free software into capitalism" solution that corporate and statist rhetoric has been pushing for a couple years now

@irenes @glyph @eb It's tricky to avoid the challenge that arises from the problem that (1) producing free software is work and (2) the workers live in a capitalist society and (3) the workers therefore need to pay for food and shelter.

Verily, there is no ethical consumption under capitalism.

@krans @irenes @glyph @eb alas, there is no ethical compression under capitalism

@mia @irenes @glyph @krans @eb Ethical compression of the working class does not exist.

@krans @glyph @eb sure. well, so the reason we personally call the thing we do "free software" is precisely to highlight the point that our own goal in publishing stuff without charge is very much to work towards a world without that problem, by creating something that exists as far outside it as we can manage (not all the way - obviously we have the free time to do that because of our other privileges)

@krans @glyph @eb people publish their work without financial cost for a long list of reasons, we don't speak for anyone but ourselves (Irenes) here

@irenes @krans@me.uk @glyph It's free like freedom, not like beer, and I can relate. I'm not dependent on donations for my livelihood, but I put like ~5-10 hours into this today, it cost me $5.30 in hosting fees, and not one of the 35000 viewers donated. That's ok, I didn't have donations till recently, but this is what happens in the FOSS community. People like to be paid for their work, that just doesn't always happen. The fact people put free stuff out doesn't mean they don't want funding.

@eb @irenes @glyph not free as in free speech but free as in free association of equal producers.

If some extract all the value produced that's not free association of equal producers.

@irenes @glyph @eb I thought it was called "free software" because users are allowed to do whatever they want to with it including modifications, not because it's provided free of charge.

The founders of the Free Software movement were Libertarians, not Socialists (unfortunately).

I guess we were talking at cross purposes — sorry.

@krans @glyph @eb we're very proactive-death-of-the-author about this. the FSF has failed to provide ideological leadership due to RMS's top-down style, but many of the ideals are good ones and it's the job of the current generation to renew the movement if we want our children to be able to enjoy its fruits the way we did

@krans @glyph @eb but you're right, of course, it's a valid point. we just don't think trying to coin a new term would be useful, if anything it would be a distraction from the cultural work that matters

@krans @glyph @eb we see it as important that our work be free-as-in-speech, yes, but it is also very much free as in we absolutely refuse to ever ask for or accept money for it (outside the scope of our day job)

again, yes, serious privilege on our part

@irenes @krans @glyph > as in we absolutely refuse to ever ask for or accept money for it (outside the scope of our day job)

Speak for yourself lol

@eb @krans @glyph yes, we are speaking for ourselves (just Irenes, not you). as we already clarified up-thread, in our display name, and in our bio, we are plural.

@irenes

I think @rms made a huge error basing what was a hacker¹ movement on the value of freedom alone.

#Freedom (like #Communion) is a totalizing value, a value that can blind people to other important values, so much that it's the foundational value of #Capitalism (much like what #Communion was for #Communism).

As we can all see, #FreeSoftware has lost its political goals, being used much more to reduce human freedom than to increase it (#Google and #Facebook would not exist without exploiting huge amounts of developers' work donated as Free Software, much like #GitHub #Copilot / #CopyALot), so we should really move to something different.

Years ago I wrote the #HackingLicense ² to this end, a (network) #copyleft license (and a shrink-wrap contract) that has been used successfully in a couple of projects.

It doesn't forbid commercial use of the covered works and even shares the copyright with the users who comply with the license itself, BUT it contractually imposes complete reciprocity, as any work that benefits in any way from the covered work must be distributed in the same way.

IOW, if you use my work under the Hacking License, I can use and distribute your work under the same terms. Even if it's a LLM, or a software including its output.

I'm not sure the Hacking License is the best tool to get back freedom, communion and #Curiosity, but at least it's a step in the right direction.

¹ tesio.it/2020/09/03/not_all_ha
² tesio.it/documents/HACK.txt

@krans @glyph @eb

Giacomo Tesio - Not all hackers are... Americans.

@Shamar @rms @krans @glyph @eb that's a good analysis. we do agree that, like, any complete statement of values should have more than one thing on it, or at least more elaboration of what they mean in-context.

we'll take a look at the license. we do think the work to be done is more social than legal, we suspect copyright law as a tool for change has gone about as far as it can.

@irenes @glyph @eb I stopped publishing FOSS because there were too many people who took the code, used it to make a tonne of money, and contributed nothing back other than abuse.

Now I get paid really well for doing *almost exactly the same work* in a really supportive proprietary R&D team, with customers who both pay huge license fees and treat us with respect.

🤷

@krans @glyph @eb and we don't blame you for that! it is a real and common experience

@irenes @glyph @eb I think that loops round to my earlier point, which is that the fact it's a real and common experience creates the opportunities exploited by the xz malefactor.

Seems like we're on the same page overall.

@krans @glyph @eb yes, we think we're in agreement on all that <3

@krans @irenes @glyph @eb it's not that hard really. The tools are there.
- spend your corporate-paid developers' time on making commits to open source projects you use.
- hire the maintainer or others to improve, review or harden the project in cooperation with the maintainer.
- hire the maintainer (if applicable)
- pay them through their choice of receiving money.

This is not rocket science, and the only missing ingredient is the willingness of the corporation to spend money.

@mavu @krans @glyph @eb we encourage reading further down the thread, because there was a little talking at cross-purposes that got sorted out

@irenes yeah, this is the thing I've been struggling with - how the hell do we get sufficient code review of every part of the system while *also* allowing maintainers (if they want) to remain outside the corporate software industry

@Gaelan we don't have our thoughts in fully coherent form yet, but....

a few years ago somebody we respect told us we were wrong to use the word "community" for things as large and amorphous as, say, "the FOSS community". they told us that it only counts as a community if the people are invested in each other, if people KNOW each other and care about each other.

@Gaelan we've taken that to heart, and worked hard to be clear when we're identifying a group that is actually a community, vs. one that isn't. because as much as we might wish the free software movement to be a community, that doesn't happen by saying the word and hoping it'll conjure community into existence. it happens by people doing the work of learning to talk to and care about each other.

@Gaelan when we talk about, say, the queer techie community, we feel entirely safe in using that word. that's because every time we walk into a room with ten random queer techies, we already know three of them. the social connections are dense enough, and at the personal level they are meaningful enough - real friendships, people who'd fight together for survival if we had to, because of our common history.

@Gaelan it may sound idealistic or impossible, but essentially our proposal is to focus not just on the material need for code review, but on making that social graph more tightly connected, so that individual maintainers can have not just the financial or operational support they need, but the EMOTIONAL support.

@Gaelan if this sounds like a weird tangent, keep in mind that part of the story that came to a head yesterday was that the attacker used sockpuppets to essentially bully the project owner into adding a malicious maintainer. see the documentation collected at boehs.org/node/everything-i-kn

boehs.org: Everything I know about the XZ backdoor. Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries

@Gaelan the bullying and manipulation tactics worked because those behaviors are rampant in the larger FOSS social space.

@Gaelan none of this supply chain security stuff that people are talking about would have prevented this attack

we think our proposal could have

@irenes @Gaelan I don't want to hijack your conversation but I do want to say that I think you're right about several things here that have me rethinking some of my takes on the whole incident

@sjolsen @Gaelan that's really heartwarming to hear. thank you very much.