IRC channel logs

2021-12-14.log


<gbrlwck>river, all: not sure if i'm missing some context, but i think the industrial revolution with steel and oil was already kind of the second one. before, predominantly wood was used (for both building and fueling), which led to europe being mostly free of forests. industries had to adapt to that fact, and we're again at a similar point: plastics and fossil fuels have unarguably no future, so industries try to reach for reusable mat
<gbrlwck>and renewable energy sources....
<gbrlwck>on a rather unrelated note: i seem to be unable to compile the super simple eputs.c and the following files (L49 in live-bootstrap/sysa/mes/mes.kaem). do i need to compile and include strlen.c (and everything else declared in string.h) first?
<river>im writing a blog post on software supply chain attacks. I'll mention at least: ABP, stylish, filezilla, debian md_rand.. any other suggestions?
<gbrlwck>what perspective/aspects of the issue do you want to address?
<gbrlwck>imho projects like Guix (Nix) and of course the ones frequently discussed here (M2, stage0, MES) are really interesting
<river>im interested in when things went wrong
<river>i also remember linux mint and sourceforge (and npm)
<muurkha>well obviously leftpad
<muurkha>the sourceforge attack was sort of similar to "predatory open-access journals"
<river>interesting perspective, how do you see them as similar?
<muurkha>basically you have this presumption that there's a social structure in academia or open source work that prevents crap from spreading
<muurkha>because if free software has malware in it, who would use it? you can just fork your own malware-free copy and recompile it (as f-droid does often)
<muurkha>(you should probably also mention Karger and Thompson)
<muurkha>and if a scientific paper has glaring gaps in its methodology or reproducibility, who would publish it?
<muurkha>but in both cases that only works if someone is looking
<muurkha>oh, Heartbleed, there are allegations that Heartbleed was a bugdoor
<muurkha>there are aspects of the sourceforge situation that are sort of more similar to the Elsevier problem: a malicious actor gains control over a central clearinghouse used for convenience by participants in the system
<muurkha>in the Elsevier case they're using it to extract rents for access, while the SF.net problem was injecting harmful, corrupted information alongside good information
<muurkha>(again, with the intent of extracting economic rents)
<muurkha>one instance of the Heartbleed=bugdoor allegation is found in Felix Schuster's dissertation
<gbrlwck>> when things went wrong
<gbrlwck>maybe Bill Gates' letter to hobbyists is the starting point?
<gbrlwck>it may well be taken as the point where software was being produced for profit, and not just (as rms' dream supposed) as things people do and like to share like cooking recipes with your neighbors
<muurkha> https://www.dailydot.com/debug/heartbleed-bug-robin-seggelmann/
<gbrlwck>imho "where things went wrong" is more on how our society works -- stuff is done if and only if there are profits to be expected. which also holds true for software development.
<muurkha>CONTU declared software copyrightable in the US in 01974: https://en.wikipedia.org/wiki/Software_copyright#History
<muurkha>but that didn't become statute until 01980
<muurkha>so the Open Letter to Hobbyists should be seen as a significant part of that debate
<muurkha>gbrlwck: I don't think it's entirely true that "stuff is done if and only if there are profits to be expected" but to the extent that it's true it's just the fundamental nature of life
<gbrlwck>muurkha: care to give an example?
<muurkha>unprofitable organisms die without reproducing and stop doing stuff, unprofitable empires are conquered by their neighbors and stop doing stuff, unprofitable companies go bankrupt and stop doing stuff
<gbrlwck>i really wouldn't "naturalize" how capitalism works.
<gbrlwck>"worth" is created by stealing (or skimming off) excess labor done by workers. this has nothing to do with nature
<muurkha>yes, of course capitalism improves the situation enormously
<gbrlwck>improves?
<muurkha>but it doesn't entirely eliminate the problem
<gbrlwck>organisms aren't "profitable". they're either fit for their environments or they are not. then they may die or evolve. that's life
<muurkha>organisms can expend more energy than they consume, depleting their fat stores until they die of starvation, or they can consume more than they expend, adding to them. and similarly for other essential nutrients like cyanocobalamin and cholesterol
<muurkha>that's profit and loss
<gbrlwck>nah, economics just tend to use such analogies to look smarter where in fact they are usually unable to explain /what/ profit and loss is
<muurkha>I don't think name-calling adds anything useful to this discussion, gbrlwck
<muurkha>a householder can store up more grain than is eaten by her family and the rats and moths and bandits, allowing them to grow and multiply, or she can store up grain slower, leading to starvation. that's profit and loss
<gbrlwck>did i call you names? i honestly mean no disrespect!
<muurkha>you said I was "using such analogies to look smarter". if I wanted to look smarter I wouldn't have set my IRC nickname to "idiot"
<gbrlwck>muurkha means idiot?
<muurkha>yes
<muurkha>profit is increase in power; loss is diminishment in power
<gbrlwck>TIL
<gbrlwck> also i said "economics", not "you" or muurkha
<gbrlwck>but muurkha, if you want to discuss, maybe you need to take some time in between statements. or are you just intending to hold a monologue?
<muurkha>IRC doesn't work that way
<muurkha>you can answer something someone said that isn't the most recent thing they said
<muurkha>capitalism improves the situation enormously. in feudalism the way a powerful person can increase in power is by going out and conquering more territory
<muurkha>profits for knights are measured in rape, plunder, slaves, and redrawn fief boundaries
<muurkha>in capitalism, instead, they must make products that benefit other people. of course nature red in tooth and claw does not disappear; capitalists still engage in negative-sum destruction of value
<muurkha>but the fundamental nature of the capitalist game redirects greed to the service of the public
<gbrlwck>irc may not work that way, but i will surely not "discuss" with a growing wall of text.
<gbrlwck>distribution of wealth is now worse than in feudalism, btw
<muurkha>you could of course have free enterprise without the alienation of the products of wage-labor
<gbrlwck>i despise the idea that greed is somewhat natural or inherent to humans (or life)
<river>I remember also the FTDI thing, where they intentionally bricked clones. that's more hardware related but still
<muurkha>you can despise it, but that doesn't make it less likely to be true, it just makes you less able to comprehend the truth or engage in discussion in a productive way
<muurkha>as Arrow pointed out in The Nature of the Firm, capitalism itself, in the Marxian sense of alienated wage labor appropriated by the owners of the means of production, is opposed to the market economy; within a firm there is no market
<gbrlwck>THE truth? engage in discussion in a productive way? these really don't seem to be my things ;)
<muurkha>prides of lions that don't hunt die out, so lion genes that promote greedy hunting propagate
<gbrlwck>i think you misspelled hungry
<muurkha>hunger is greed, the greed to assimilate the living tissues of other organisms into your own
<gbrlwck>and no. capitalism is not opposed to the market economy. capitalism is peak market economy.
<muurkha>it sounds like you aren't familiar with Arrow's work
<muurkha>but if you aren't interested in the truth or engaging in discussion in a productive way there's no point in talking to you
<gbrlwck>never heard of that. also sounds like arrow is not familiar with marx :P
<muurkha>he wouldn't have won the Nobel Prize in Economics if he weren't familiar with Marx
<gbrlwck>no, i'm not interested in discussing things with people who believe in THE truth (or that they /know/ it)
<muurkha>then stop talking
<muurkha>river: the FTDI attack is an extremely important point
<muurkha>like Thompson's Turing Award lecture (or rather the admissions that followed it) it points out that supply-chain attacks aren't necessarily by outsiders
<muurkha>(of course I don't know the truth about everything, and even what I "know" is fallible, but if there's no objective reality then there's no point in talking at all)
<gbrlwck>muurkha: so i should stop expressing myself bc you don't think it's valuable or true? not sure if that level of hostility adds anything to the discussion
<gbrlwck>muurkha: ah, objective reality! much different from "the truth"
<muurkha>you should stop expressing yourself because we're trying to have a discussion here about things that objectively happen in the objective universe, and your solipsistic nonsense interferes with that
<muurkha>and you've already declared that you have no interest in the truth or in engaging in discussion in a productive way
<gbrlwck>you still haven't shown how my first statement doesn't hold true: that in this world stuff is done if and only if someone expects a profit
<muurkha>so there is no possible benefit to anyone from talking or listening to you
<muurkha>I mean you've literally declared yourself to be a griefer and troll
<gbrlwck>wow, chillax! that's really not what i said.
<gbrlwck>how/where?
<gbrlwck>whuat!?
<muurkha>18:27 < gbrlwck> THE truth? engage in discussion in a productive way? these really don't seem to be my things ;)
<muurkha>18:30 < gbrlwck> no, i'm not interested in discussing things with people who believe in THE truth (or that they /know/ it)
<muurkha>so I think, and this is not objective truth but my quite possibly subjective values, that you should not engage in any discussion at all, and certainly should not interfere when other people are trying to engage in discussion in a productive way to find the truth
<muurkha>but at the very least you should seek your solipsistic lulz somewhere else
<gbrlwck>what was that about name-calling?
<muurkha>shh. the adults are talking
<muurkha>so, to summarize, FTDI, Karger, Thompson, CONTU 01974 and US Congress 01980 https://en.wikipedia.org/wiki/Software_copyright#History
<muurkha>Open Letter to Hobbyists
<muurkha>Dr. Seggelmann says he didn't insert Heartbleed on purpose but understands why people might think so: https://www.dailydot.com/debug/heartbleed-bug-robin-seggelmann/
<muurkha>and I think you mentioned npm but I think leftpad was the real wakeup call to the fragility of npm
<muurkha>and then there was some dataflow library in npm that got backdoored to steal your bitcoin?
<muurkha>maybe related to the sourceforge shenanigans, Shelley Powers (burningbird) accepted payment about 15 years ago to put links to irrelevant sites in her blogroll in order to boost their pagerank, but I can't find the details anymore
<muurkha>flatmap-stream was the dataflow library: https://dev.to/ben/npm-package-discovered-to-have-bitcoin-stealing-backdoor-j7i
<muurkha>02018
<muurkha>a relevant paper at https://arxiv.org/abs/2002.01139 also mentions eslint-scope
<muurkha>and rest-client in RubyGems
<muurkha>other countermeasures, besides reproducible builds, include least-authority containers like Docker, Flatpak, Ubuntu's Snap, and perhaps most interestingly CHERI RISC-V
<muurkha>obviously that won't help you if your compiler has a Karger–Thompson backdoor in it but it will keep flatmap-stream, eslint-scope, or rest-client from stealing your bitcoin or your ssh keys
<muurkha>also, formal-methods approaches like the seL4 verification. these are potentially vulnerable to Karger–Thompson-like attacks on the proof verifier, but metamath in particular has worked very hard to separate out the "proof verifier" into a separate component that is small enough to audit the binary, as well as to have many independent verifiers
<muurkha>river: I hope that is helpful!
<muurkha>and I apologize for falling for gbrlwck's trolling and adding a bunch of irrelevant noise to the discussion as a result