Yes, software that is in a package manager is similarly easy on a Mac. There’s an app store, which can be used to install the dependencies for homebrew (which is a good package manager for most of the stuff that Linux package managers maintain, including building stuff from source). Going outside of a package manager is relatively easy (but needs to be enabled, as the defaults basically discourage users from installing software not verified by Apple), but that method of software installation still beats running .exe/.msi installers downloaded from the internet, beats running random shell scripts, probably beats downloading docker containers and flatpaks, and is not that far removed from installing from the AUR or something like pip/conda: you still need to know what you’re doing, and you have to trust the source/maintainer. None of that is unique to any operating system, except those that simply don’t allow you to install software not reviewed/approved by the manufacturer (Apple mobile devices, Android devices by default).

High DPI screen support in Linux is still troublesome, especially between multiple screens with different DPI/resolution, especially between GTK and Qt programs.

And I haven’t played around with Asahi yet, but it’ll be hard to top the built-in power/suspend/hibernate/resume behavior and its effect on battery life (especially in being able to just count on it to work if you suspend for days, where it seamlessly switches to hibernate and starts back up very quickly). But on my old Intel MacBook, the battery life difference between MacOS and and Linux is probably two to one. Some of it is Apple’s fault for refusing to document certain firmware/hardware features, but the experience is the experience.

I gave up on Homebrew because it was difficult to install.

It just includes as a dependency the Mac command line developer tools, which can be installed pretty easily from what I remember.

And what I like is that it’s a normal Unix style shell, with almost all the utilities you’d expect.

you have to drag the icon in to install things.

I mean that’s about 100 times better than Windows’ default of running an installer that isn’t easily reversible.

It’s just a type of injury. Injuries themselves don’t give you a right to sue, you have to be injured by someone else doing something wrong.

Can I sue for blindness? Yes, if someone caused my blindness in a way that they’d be liable for. Same with other injuries like broken bones or lost employment or embarrassment or paralysis.

So if someone drives drunk and hits you with their car, paralyzing you and causing loss of enjoyment of life, you can sue them and would have to prove liability (they caused your injury in a way that causes them to have to pay for it) and damages (the amount of money they owe you based on how injured you are). Something like loss of enjoyment of life would be part of the second part of the analysis.

Instances don’t actually own the copyright to comments. The poster owns the copyright and licenses it to the instance. Which lets the instance use it, but not sublicense to others.

I think that it’s foolish to concentrate people and activity there even further, it defeats the point of a federation.

It defeats some of the points of federation, but there are still a lot of reasons why federation is still worth doing even if there’s essentially one dominant provider. Not least of which is that sometimes the dominant provider does get displaced over time. We’ve seen it happen with email a few times, where the dominant provider loses market share to upstarts, one of whom becomes the new dominant provider in some specific use case (enterprise vs consumer, mobile vs desktop vs automation/scripting, differences by nation or language), and where the federation between those still allows the systems to communicate with each other.

Applied to Lemmy/kbin/mbin and other forum-like social link aggregators, I could see LW being dominant in the English-speaking, American side of things, but with robust options outside of English language or communities physically located outside of North America. And we’ll all still be able to interact.

For my personal devices:

• Microsoft products from MS DOS 6.x or so through Windows Vista
• Ubuntu 6.06 through maybe 9.04 or so
• Arch Linux from 2009 through 2015
• MacOS from 2011 through current
• Arch Linux from 2022 through current

I’ve worked with work systems that used RedHat and Ubuntu back in the late 2000’s, plus decades of work computers with Windows. But I’m no longer in a technical career field so I haven’t kept on top of the latest and greatest.

When they say modules, does that mean mainboards?

They mean each part. Here’s their store for individual parts.

This announcement includes a new display, so anyone with the old display can swap out their old one for the new one. People can swap out batteries. Keyboards. Touchpads. It’s a modular design so that each module can be swapped out if broken, or if there’s been an upgrade the user wants.

Our data centers and backbone internet/Tier 1 internet providers are basically the best in the world. The US Department of Energy maintains a network with 46 Tbit/s connections between its labs.

Those small USB drives are too slow anyway, often limited to USB 2.0 interfaces or slow flash modules. I’ve switched over to an SSD specifically because of how slow booting and installation is from a standard 10-year-old USB stick.

every distro I’ve tried has a strong sense that if you’re using the GUI you don’t need or deserve admin controls

It’s more that GUI programs can’t be trusted with root privileges. They’re not designed for that, and can break things in unpredictable ways.

I don’t think the First Amendment would ever require the government to host private speech. The rule is basically that if you host private speech, you can’t discriminate by viewpoint (and you’re limited in your ability to discriminate by content). Even so, you can always regulate time, place, and manner in a content-neutral way.

The easiest way to do it is to simply do one of the suggestions of the linked article, and only permit government users and government servers to federate inbound, so that the government hosted servers never have to host anything private, while still fulfilling the general purpose of publishing public government communications, for everyone else to host and republish on their own servers if they so choose.

Our vending machines usually dispense sodas in 20-ounce bottles, or 12-ounce cans.

16-ounce pints are a very common size for beers (and even coffee), but not for sodas.

The 1 liter bottles aren’t common throughout the US, and from what I’ve seen, seem to mainly show up in the northern states near Canada.

None of what I’m saying is unique to the mechanics of open source. It’s just that the open source ecosystem as it currently exists today has different attack surfaces than a closed source ecosystem.

Governance models for a project are a very reasonable thing to consider when deciding whether to use a dependency for your application or library.

At a certain point, though, that’s outsourced to trust whoever someone else trusts. When I trust a specific distro (because I’m certainly not rolling my own distro), I’m trusting how they maintain their repos, as well as which packages they include by default. Then, each of those packages has dependencies, which in turn have dependencies. The nature of this kind of trust is that we select people one or two levels deep, and assume that they have vetted the dependencies another one or two levels, all the way down. XZ did something malicious with systemd, which opened a vulnerability in sshd, as compiled for certain distros.

You’re assuming that 100% of the source code used in a closed source project was developed by that company and according to the company’s governance model, which you assume is a good one.

Not at all. I’m very aware that some prior hacks by very sophisticated, probably state sponsored attackers have abused the chain of trust in proprietary software dependencies. Stuxnet relied on stolen private keys trusted by Windows for signing hardware drivers. The Solarwinds hack relied on compromising plugins trusted by Microsoft 365.

But my broader point is that there are simply more independent actors in the open source ecosystem. If a vulnerability takes the form of the weakest link, where compromising any one of the many independent links is enough to gain access, that broadly distributed ecosystem is more vulnerable. If a vulnerability requires chaining different things together so that multiple parts of the ecosystem are compromised, then distributing decisionmaking makes the ecosystem more robust. That’s the tradeoff I’m describing, and making things spread too thin introduces the type of vulnerability that I’m describing.

dispensing soda

Only the 2 liter bottles. We still generally use 12 ounce cans and 20 ounce bottles. Our gas station/fast food fountain drinks are also measured in fluid ounces.

In the broader context of that thread, I’m inclined to agree with you: The circumstances by which this particular vulnerability was discovered shows that it took a decent amount of luck to catch it, and one can easily imagine a set of circumstances where this vulnerability would’ve slipped by the formal review processes that are applied to updates in these types of packages. And while it would be nice if the billion-dollar-companies that rely on certain packages would provide financial support for the open source projects they use, the question remains on how we should handle it when those corporations don’t. Do we front it ourselves, or just live with the knowledge that our security posture isn’t optimized for safety, because nobody will pay for that improvement?

100%.

In many ways, distributed open source software gives more social attack surfaces, because the system itself is designed to be distributed where a lot of people each handle a different responsibility. Almost every open source license includes an explicit disclaimer of a warranty, with some language that says something like this:

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

Well, bring together enough dependencies, and you’ll see that certain widely distributed software packages depend on the trust of dozens, if not hundreds, of independent maintainers.

This particular xz vulnerability seems to have affected systemd and sshd, using what was a socially engineered attack on a weak point in the entire dependency chain. And this particular type of social engineering (maintainer burnout, looking for a volunteer to take over) seems to fit more directly into open source culture than closed source/corporate development culture.

In the closed source world, there might be fewer places to probe for a weak link (socially or technically), which makes certain types of attacks more difficult. In other words, it might truly be the case that closed source software is less vulnerable to certain types of attacks, even if detection/audit/mitigation of those types of attacks is harder for closed source.

It’s a tradeoff, not a free lunch. I still generally trust open source stuff more, but let’s not pretend it’s literally better in every way.

Good writeup.

The use of ephemeral third party accounts to “vouch” for the maintainer seems like one of those things that isn’t easy to catch in the moment (when an account is new, it’s hard to distinguish between a new account that will be used going forward versus an alt account created for just one purpose), but leaves a paper trail for an audit at any given time.

I would think that Western state sponsored hackers would be a little more careful about leaving that trail of crumbs that becomes obvious in an after-the-fact investigation. So that would seem to weigh against Western governments being behind this.

Also, the last bit about all three names seeming like three different systems of Romanization of three different dialects of Chinese is curious. If it is a mistake (and I don’t know enough about Chinese to know whether having three different dialects in the same name is completely implausible), that would seem to suggest that the sponsors behind the attack aren’t that familiar with Chinese names (which weighs against the Chinese government being behind it).

Interesting stuff, lots of unanswered questions still.

Apple, too. The 2012 MacBook Pro had a high DPI display, and everything scales normally even when dragging windows over to non-HiDPI external monitors.

That’s not even getting into the mobile OSes, which have to deal with nonstandard display sizes and resolutions all the time, across multiple settings for accessibility.