
What an Oxide and Friends last night! @bcantrill and I were joined by the one and only @AndresFreundTec to talk about his discovery of the xz backdoor. It’s an incredible story… so great to get into the details with Andres. Definitely check it out (or on the pod tomorrow).

youtu.be/jg5F9UupL6I

Adam Leventhal

I was really pleased by this background image so wanted to talk about it briefly. The concept was (of course!) simple: the (in)famous xkcd graphic with the thankless Nebraskan removed xkcd.com/2347/

Like all lazy people in 2024, I turned to Chat GPT for help. This didn't work out well. (Have I mentioned that I'm bad at Chat GPT?)

I should mention that we don't put a ton of time into Oxide and Friends (sorry!) so I try to bound these side-quests at least somewhat. Somewhat. I decided to find a physics simulator (like a lunatic) and SimPHY was the first one I stumbled onto that worked well enough. I roughed out the structure from the xkcd comic:

Then removed the linchpin:

Until I got to something that was suitably calamitous:

I threw it on the iPad that I "borrowed" from my older son and traced it in Procreate with his Apple Pencil. 100% it could have been better, but I already felt like a crazy person and wasn't sure it was going to work out

Then I threw the lines into Photoshop, applied the bucket tool, and ... good enough!

Check out the episode I made this for where we interview Andres Freund on his discovery of a backdoor in XZ—maintained by the metaphorical Nebraskan! youtu.be/jg5F9UupL6I

@jambulance too kind. I see only imperfections 😉

@ahl @jambulance imperfections are proof it's a thing you did by yourself (as opposed to some huge team). they're a thing to cherish :)

it's pretty awesome

@ahl That's called being an artist. We all do it.

And you did an amazing job, by the way, you matched Munroe's style so well I didn't realize it wasn't just a Photoshop of the original comic, and I'm a cartoonist who read XKCD religiously for over a decade.
@jambulance

@ahl @jambulance

Is there an animated version of this amazing artwork? 🙂🤷‍♂️

@simonzerafa @jambulance hah: no. Just that one frame was kind of a pain

@ahl

Well your version of the XKCD artwork was well received 😊

@ahl What does the simulation do if you *don't* remove the Nebraskan?

@ieure this… which seems about right

@ieure @ahl shit now I want to watch the cyber-thriller The Nebraskan and that's not something I was prepared for on a Wednesday, my dudes

@ieure @ahl I've just come back to this thread a day later and this is one of the greatest scientific questions ever asked

@timixretroplays @ahl Truly unfortunate that it didn't crush him and topple over anyway.

@ahl ah, yes, Angry Birds, Open Source Supply Chain Attack edition.

@ahl I appreciate all the work you did for this image!

@ahl this should be in a museum so people in 500 yrs wonder what the heck this is

@schaf @ahl Could feature in a Star Trek episode, like the Discovery one with the SQL Injection...

@ahl

I suspect this is the beginning of a new meme 🤔🤷‍♂️

@f @ahl

Well the signs and signals are not auspicious 🫤🤷‍♂️

@ahl *saved to disk, might come in handy more sooner than later although I hope not* 👌

@ahl xkcd needs to update the comic to be interactive using a js physics demo: click any dependency and it disappears.

@ahl I'm tempted to implement this in box2d now...

@gundersen @ahl Now I kinda want a tool that does this, but you provide a git repo and it generates the pile of boxes from the dependencies of the repository, with boxes sized according to the number of contributors/maintainers for each dependency.

@Ash_Crow @ahl wow, that would be awesome! I wish I had the time to implement this...

@gundersen @ahl Makes me wonder if someone could create a 3D game based on the dependency graph of packages.
Cyclic dependencies are going to be weird af, but packages rocketing up in the air because of those would be… quite real.

@ahl nice! Management will argue that it still somewhat stands, so nothing needs to be done about it. ;)

@ahl you forgot to label one of the middle larger blocks which are at rest as "marketed as stable product"

@ahl awesome! Can I use this for my teaching and training material?

@kbusse sure thing. Wouldn’t say no to attribution, but do what you like

@ahl saving this for inevitable usage in a PIR.

@ahl Wait, why is everyone referring to Andres as the Nebraskan? It was really more Lasse Collin, the sole maintainer of xz, who was an appealing target because he was sole maintainer of something the whole ecosystem depended on.

@ahl Regarding the announcement at the end about the book club: after hearing that the audiobook wasn't available in the US, I signed up for a libro.fm account, moved to Corfe Castle, Dorset, UK (looks like a nice place), and was easily able to change my account info in libro.fm to reflect the move.

@ahl @bcantrill @AndresFreundTec This was an awesome episode. Super interesting insights!

@ahl @bcantrill I'm sorry for the audio quality. I didn't realize that was happening. I never had done a call on discord before. I now see that there's an "input sensitivity" setting, and I guess that was set wrongly. Seems pretty odd that the default doesn't work though.

@ahl @bcantrill @AndresFreundTec

This was a really great podcast. With a hat-trick of goodness.

1. Super interesting details of the fantastic work by Andres Freund.

2. Dumping on the awful writing in the NYT (Roose's past clueless hyping of Crypto was terrible, thanks esp to Molly White for critiquing that)

3. The guest actually got introduced well. 🎉 🥳 🙂

@ahl just listened to this and it was extremely satisfying to hear your NYT takedown. I would watch a YouTube channel of this like it was ASMR