Posts by doublelayer

Re: Mint and capabilities

"Since Linux is the most used operating system in the world on servers, mobiles and embedded devices do you think they aren't looking for security holes in it 24/7? Think again I'd say. It's just that they can't find any (or very few)."

Yes, they are, and they find them. The main reason why desktops would be different is that, to hack into a server, you generally have to find something wrong with the configuration. And they do. Put out a Linux system on the public internet and within an hour you'll have had a thousand attempts to get into it. If there are vulnerabilities in that that are already known, those thousand will try them. It's not just trying basic passwords in SSH even though those are very common. But still, you have to find your own door in. The number of Linux-compatible ransomware strains, specifically designed because there are a lot of Linux servers and that's the most valuable thing to encrypt demonstrates this.

With a desktop, you have the other method of trying to get a user to do something for you. Email them a shell script and tell them to run it. The shell script downloads a binary and runs it. No vulnerabilities needed, you now have access to that user's privileges just as much as if that was a Windows box. Of course the admins can configure the box to make that more difficult, but they can do that to a Windows machine too and they don't. If you think anything is impregnable, you do not understand security.

Re: Gaming the system

Given that inbound bandwidth is one of the few things they don't charge for, this doesn't seem very useful. I am charged for each put request to S3, but if I put an object there and it is a gigabyte in size, I'm not charged any more for that. I would be charged to store it, but if I simply read it and deleted it, that is very cheap. Therefore, building a protocol around free unauthorized put requests wouldn't save you much at all.

Re: This is just one example

Because we're debating about one or two servers versus cloud. A company that needs neither of those because the only employee's personal mobile phone and company email (companyname@gmail.com) is all the communication they use isn't relevant.

Bucket names are globally unique. [name].s3.amazonaws.com. The first to register it is the one who gets to use it. There is no naming your bucket the same as mine. The first one of us to set it up gets the name. In this case, their name was evidently used as a placeholder somewhere and people didn't update it with a real address.

I don't think that's the point in the statement. This bucket demonstrates two things:

1. If you don't allow public accesses, you can still be charged for unsuccessful attempts.

2. If you do allow public accesses and an open source library uses your bucket name and people don't change it, they end up handing you gigabytes of their data. They probably don't want you to have gigabytes of their data. They have a security problem. I think this is what they were trying to say.

Re: Myth of charging Nokias once a week

I tried an Android device provided by an employer with a different low-power configuration: screen off, no apps in use, hotspot on broadcasting a WiFi signal, three devices connected to the hotspot for 24 hours a day, transmitting over the data connection frequently. It lasted five days. When I turned the hotspot off and didn't use much other than messages and MFA apps, it lasted two and a half weeks. So this probably varies based on the device, but it does happen.

Re: Myth of charging Nokias once a week

That might have been true of Snake, but looking up some specs from the time, it probably wasn't true of calling. The Nokia 3210 from 1999 advertised a talk time of 3 to 4.5 hours. That was sales time, so I'm inclined to divide it a bit, but let's take that at face value. Every smartphone manages a lot more talk time than that unless the battery is seriously broken.

Re: Stupid execs

"They only had to stick to Symbian and its large install base instead of trying out 4 other platforms who never ever took off..."

That doesn't work forever. Eventually, people want new features and if one manufacturer isn't providing them, they'll buy from a different one. This is especially true for things that don't have much connected to them. Switching from Windows to something else means finding new applications. Switching from Symbian to Android only meant that for those users who had many applications running on their phones, and while some existed, there were fewer of them and fewer people using their phones for such things than there are today. That means that a lot of users looking at the two only had to consider learning a new interface when switching.

Re: Robots.txt says hi

Because these companies have demonstrated that they definitely care. When, for example, there is a paywall in front of it, which is much stronger than robots.txt, they bypass it anyway. What makes you think that a simple rule in that file would do anything, especially when the copy they absorbed was obtained from a site where you don't control that file anyway? Some of them have said that they respect robots.txt for the general web crawls. Let's assume we believe them. It doesn't apply to extra datasets like books 1-4 or probably more at this point or the dedicated news ones. You know, the datasets where most of the copyrighted works are.

Let's see an example. From nytimes.com/robots.txt:

User-agent: Amazonbot

Disallow: /

User-agent: anthropic-ai

Disallow: /

[...]

User-agent: ChatGPT-User

Disallow: /

User-agent: ClaudeBot

Disallow: /

User-agent: Claude-Web

Disallow: /

User-agent: cohere-ai

Disallow: /

User-agent: DataForSeoBot

Disallow: /

User-agent: Diffbot

Disallow: /

User-agent: FacebookBot

Disallow: /

User-agent: Google-Extended

Disallow: /

User-agent: GPTBot

Disallow: /

[...]

So we should be pretty assured that the New York Times has no articles in the training data, right?

Re: A solution maybe?

I'm not sure it matters. The problems with AI are not things that a well-meaning user hits. If you are writing a paper, use prompts to an LLM to aid in writing, then go back and meticulously* analyze every sentence to make sure that it never says anything your research didn't show, then you're fine. The problems come when the LLM is used because the writer no longer cares about accuracy and just wants something that looks convincing. It doesn't matter that they're using an LLM instead of a ghost writer or even their own effort to write about fictional research. The only difference is that faking papers to that extent used to be hard and now it's trivial, so you'll see a lot more of it. Hacks like banning the use of AI to write papers are trying to make this point. What is misconduct now is the same kind of thing that was misconduct before.

* This comment had no LLM input, meticulously nonetheless.

Re: Very interestingt

We could do that, and there are some examples where we have. There are some open source programs that have been widely adopted. I'm thinking of things like Firefox, Signal, Audacity, etc, where they have been designed so that the average user can use them and they have been adopted by many people in the general public. Firefox may no longer be the most used browser, but it's still used by a lot of people and doesn't take technical knowledge to run.

Getting people to build with that in mind is a challenge we should face, and it is more likely to happen if those people are effectively told to do it, which usually means paying them to do it. It doesn't work as well if people only do what they want. I know this firsthand. I've written a program which only has a CLI interface, and I know there are at least a few people who don't know how to use that, don't want to learn, and would like a GUI. But the work of writing a GUI for this is quite a bit (this program has a bunch of parameters and several of them have special parsers, so a simple form is not going to be enough). It is plenty of work for me to do and it isn't interesting, so I haven't done it yet. I know that, if I want the general public to use this, I'm going to have to get over that and actually start writing that bit.

What I don't see is how this payment model will actually encourage anyone to do that. It doesn't pay people specifically to design with the average user in mind. It doesn't exclude people who only write for technical users. Quite importantly, it doesn't help convince people to run the thing if the devs did make it easier to use, and another reason why we don't always design with that in mind is that not many average users will run it even if we did because they don't want to do the small amount of extra work that our version would necessarily have over a managed version. Consider LibreOffice. For a lot of people, this can do all the same things as Microsoft Office can. Some exceptions may exist for some power users, but for the average student, there is no important difference. I don't have Microsoft Office on my computer. I've told people about this and showed them what I have. Still, I have been asked to help them find deals on Office licenses, and when I showed them the options, they preferred paying for a non-subscription license rather than using the other version for free. This was not because LibreOffice wasn't capable of doing something; they never tried it and I know that it can do the stuff they need done. They just valued the relatively cheap price over their idea of what learning an alternative would require. If we want them to adopt an open source version, we will have to be able to explain why they should. License details won't change this.

Re: Very interestingt

I agree that we should try to fix this. I don't think your solution does, and from your statements, I'm surprised you think it does. The problems of paying developers and causing them to write user-focused software are quite independent of each other. If I'm completely wrong and the Post-Open license is a global success, it will pay developers for their work, but it won't do anything to make them write their software differently.

If you want to make open source software more popular among the general public, then you have two problems to solve:

1. Somehow get the average computer user to understand why open source, or proprietary but we try to pretend it's the same, is better than using what they already have. Your primary asset will be privacy. Your primary liability is that they will now have to pay for it (at minimum, they'll have to pay for servers where necessary and more powerful equipment where the current software would outsource to the cloud). If you can convince the general public to embrace privacy, I'm all ears. I've been banging my head against that wall for a long time, and I'm likely to keep doing it, but I can't say I've made much progress.

2. Convince developers to do the boring work making their software more user friendly. You can't count on companies doing this for them. Companies could have improved any number of applications, but few of them chose to do so. You could just ask them, but I don't think that's likely to get as much support as you'll need. My suggestion here is that you make an actual company where you pay them to do it, then try to sell the resulting software or, if you're making real open source, the hosting thereof. If you can solve problem 1, that will work fine. If you can't, it's likely to fail. I've seen a few people fail at this mission before. It hasn't stopped me from considering trying to do it from time to time, but it has stopped me from actually quitting my job to found a company competing with big tech with more expensive products.

Re: Very interesting

Depending on how you try to do it, they may be mutually exclusive, or rather they may torpedo each other. Let's use an example I mentioned: Jitsi for video conferencing. Someone replied saying that they considered and rejected it because it wasn't good enough. Fair enough; they were probably considering it for actual work purposes whereas I was setting it up for an early pandemic situation where many other things were overloaded. It looked fine to me, but I wasn't trying to run a business from it. Let's say that we relicense Jitsi under this new license. The main effect will be that nobody ever uses it again.

A business can adopt Jitsi now. If they don't like what it does, they can pay someone, either their own employee or one of the original devs, to fix that problem and keep using it. Or they could just live with it. If they have to pay 1% of revenue for this, then they have to compare it to the alternatives. Teams does not cost 1% of revenue. Google Meet doesn't cost 1% of revenue. Nothing costs that much. Your version is now extremely more expensive than anything else. The money that's supposed to make the post-open version better won't show up because the proprietary ones are both better and cheaper.

This also raises a philosophical point. If someone made this post-open videoconferencing tool, why is that any better than a proprietary tool? Open source is better in my mind because of the freedoms it provides me. Some of those freedoms are already explicitly lost with a post-open version, and I don't see how most of the remaining freedoms will last if this takes off. It no longer works as a community effort. It's just another proprietary product with more onerous license terms. There are few differences in practice between a post-open product and all the other non-open "you can give us your code for free and we can still decide not to let you run it" licenses.

Re: define your freedom

The quote was also considering corporate requirements. So have all the open source licenses. It's been clear from the start that individual use only would not qualify. Maybe you think that is wrong, in which case you are free to write a different kind of license, but there is a reason why I don't support those.

Re: Very interesting

As I understand it, the rules work as follows:

1. Company earning less than $5M, using the code but not in a product: no payment.

2. Companies under $5M: using in a product: 1%.

3. Companies above $5M, using the code anywhere: 1%.

So it sounds like the medium-sized company using it internally would have to pay around $50k per year for their internal use. This is why I don't think it will be accepted. Companies will get near that threshold and either hide the fact that they're using it or go find something else.

Re: Doesn't go far enough in some ways, goes too far in others

It looks like the original commenter understood that and thought that was a bad idea. I think that's one of the only good ideas in it, so I won't be arguing their point for them, but I don't think your clarification did much to counter their statements.

Re: Who will benefit?

Even though I oppose this license quite strongly, I don't think this is a major concern. Getting small amounts of money may complicate tax filing, but it also gives you extra money to help deal with that problem. If the amount of the payment is so low that you don't care, you are free to decline the money, not receive it as income, and therefore not have to file. How much it adds to the difficulty of calculating your taxes depends on what country you're in, but for most situations, it's one number added and one piece of paper. I don't think developers are going to have too much trouble figuring this out.

The noncommercial use only tools are a valid concern, but I wonder how many developers are relying much on these in their work. A lot of development tools are already open source, so it doesn't apply to them. If the expenses would end up being more than the revenue from doing the work, then the developer has the options to find a tool that doesn't impose that cost or to decline the money so they're noncommercial again and can use the tool. While I don't think people would do that for tax reasons, if the tool prices were more than the revenue, they might.

Re: Pay who first?

The context of that sentence means that, of the two mentioned groups: artists and stockholders, the artists get their money first. You are right that other debt would get paid before artists, but the artists payments, if any, would come before any payments to stockholders.

Re: Very interesting

The sales pitch of "I can remove your $7 million license department and all it will cost you is $3 billion per year" doesn't sound like it will convince many companies, especially because there are two reasons why their license department probably won't get any smaller at all:

1. I'm guessing that simply paying the assigned amount to the organization isn't enough and a listing of used projects and some way of figuring out how important it is to the company* will be needed to distribute funds as fairly as possible. Someone needs to track and report this. That sounds like the open source compliance department.

2. There will still be lots of software that is still open source, so the compliance department still needs to exist to deal with that.

You know this better than I do, so maybe I'm missing something.

* I assume that funds will be allocated based on how much a given project is used in the company, meaning that my 200-line library which I got someone to include in one rough internal tool won't receive as much money as the million-line project with critical security requirements used in hundreds.

Re: Very interesting

"Big firms don't like change - give them a choice of paying out some money or writing their own version of libz or openssl, they're going to pay up."

I don't agree. For example, when Elastic switched their license to a non-open one so that cloud providers couldn't use it anymore, AWS could have opened a negotiation, figured out how much to pay, and given them the money to keep hosting Elastic Search. They could have afforded that easily. If Elastic tried to bargain too aggressively, AWS could have just bought out the company. The recent sale to IBM is about the same as one year of 1% revenue collection. Amazon could have owned Elastic entirely, meaning that not only do they not have to pay any more fees, but they could start to collect them from other cloud providers instead. Amazon did not choose to do either of these things. They forked and supported it, allowing other contributors to help them, but still taking on plenty of extra work requirements. They did this because it costs less to pay some people to run this, including some of the people who contributed back when they didn't own it, than to buy or license it. If the price is high enough, companies will choose work over money, and 1% of revenue, while it looks small, really isn't.

Re: Very interesting

The fee is supposed to be 1% of revenue, so the cloud provider, unless they are also making only £4M, will be paying more. As I described above, I think that will mean that cloud providers end up making sure that projects like this are not used in their systems and their doing it will make sure they're not used in lots of other ones as well.

Re: Very interesting

So go proprietary. We already acknowledge that public good by having copyright, and it's a lot longer and more powerful than patents. You can write whatever you want and sell it to anyone you want. The one thing you shouldn't do if you want to sell something is give it away first.

I've written code as open source, but I've also written proprietary stuff. There have been projects where I thought I might be able to sell them and that I'd rather do that than let anyone use and modify it for free. Advantage: I could get paid, and not through external schemes but for the work I'd already done. Disadvantage: I wasn't going to get free work from contributors or the free publicity from lots of users picking up the free version. I was free to decide how I'd sell this. I could let the buyers see the code or keep it private. I could let buyers modify the code or block them. But it was still proprietary, because in order to make sure that I could sell it, I didn't grant anyone a license to use, modify, and distribute the way that I do when I put an open source license on things. If they wanted to use it, they had to pay me for the privilege and it would come with more restrictions.

Re: Very interestingt

"The problem is that our developers make software for themselves and people like them. How do you get them to make apps for the common person?"

I don't think this correctly describes what exists. There are a lot of open source applications out there that do the same things as proprietary ones. Since you mentioned Google, I can think of very few things that Google has that there isn't an open source alternative to (mainly Search). People choose to use Google Meet instead of Jitsi or something like it because Google Meet doesn't require you to admin a server, do manual account management, or pay for bandwidth. People either don't understand the privacy differences between them or don't care, but the problem isn't that an open version is unavailable. The same thing applies to Docs and the online version of LibreOffice from Collabora, Maps and OSM-based software, and on and on.

Re: Very interesting

It doesn't run any interference. It isn't intended to. All it's intended to do is to get money from corporate users and hopefully return it to the developers, which I don't think it will actually do.

However, I am less concerned about the things that you mention. I already have a form letter for requests to add something to an open source project that aren't on my plan. It tells them that the suggested feature is not on my roadmap, that it is open source so they are free to contribute, and that I use a variety of methods to decide what is worth my time to implement it. Essentially, I tell them that if they want me to write something that I don't plan to write, either they provide me convincing evidence that a lot of people would benefit, they provide me with money, or they do the work. I will usually review their idea a bit so that, if it's something I won't merge, I can tell them ahead of time. If they have sent a request, they'll usually get something like that.

If they threaten me, they won't even get that. I do not respond well to threats. I haven't had the same experience that you have because I've received very few abusive communications. Those I have received have been from individuals, and I've informed them that I consider their messages inappropriate, and if they keep sending threats, add an email rule to automatically delete them.

Re: Very interesting

I think one central disagreement we have is this: "If you want to get paid to make Open Source". You may want to be paid to do all sorts of things which doesn't guarantee that you will get paid the amount you want. One of the downsides of writing open source is that others can take your work and use it without having to pay you. They might, and you can do things to encourage it, but you don't have any guarantee of that specifically because I have the freedoms to use it, modify it, and distribute it without having to do something for you or get your permission. The alternative is obvious: proprietary. You write the software, you sell the software, you get money. People who try to pretend that these two can be merged end up making something that looks and works a lot like proprietary software, then try to claim that they're operating in the same spirit as actual open source authors. They are not.

I don't think I'm telling you anything you haven't seen before, in fact anything you haven't argued a lot better than I have. For example, I can refer you to this article. This includes comments from the OSI and from you about claims of something being open source when it's not. I don't think you're claiming that this new license would be an open source one as it obviously isn't compliant with the OSD, but I think it's also harmful to try to claim it's even slightly close to the spirit. If you think the original open source idea has failed, fine, but make it obvious that this is a third, unrelated, path so real open source isn't damaged as badly if any of my concerns expressed above prove valid.

Re: Pay who first?

In the case of bankruptcy, payments in contracts are preferred over payments to stockholders. The specifics of the contracts would decide where the artists fall in relation to bank loans, landlords, server bills, or the like, but they would definitely rank above payments to the stockholders. Outside of bankruptcy, the payments to the artists occur first on the balance sheet, before the profit numbers are calculated, and any dividend payments or effects on stock prices occur based on those subsequent profit numbers.

Of course, this is not what we're talking about anyway. The discussion was not about when they're payed. It is about how much they're payed. It wouldn't matter if they were sorted above any other debt from the business if the payments were tiny, and the complaints from artists are not about where they fall in the sorting algorithm, but about the absolute size of the payments.

Re: What does the "C" stand for . . .

Of course it's more complicated than that. If I buy a car and it has a faulty brake system where, after a year of driving, the brake stops working and accelerates the car straight into whatever is in front of me, you don't blame me for having chosen that faulty car. The blame goes to the manufacturer who built it, and the consequences for them will be different if it's something they knew could happen or not. If I messed with the car and broke the brake, then it does become my fault. The software running the car is not something the average driver controls, meaning that there are plenty of reasons to hold the manufacturer, not the owner, responsible for failures that are entirely due to software malfunction.

The money that will be spent will actually intend to implement your decision, as it is the manufacturers who want to make sure that, if their software proves unsafe, they're not the ones who have to pay. There are situations where putting it all on the manufacturers is unfair as well. It really is a complex issue that needs more discussion and regulation.

Re: What does the "C" stand for . . .

Not really, though it could be brought up. If it relies on any laws from the original country, it is not a valid precedent, and if it is counteracted by any laws of the new country, it would hold no relevance. However, there are some cases where one common law country does consider common law decisions from other ones, so it might be considered if a similar case was brought up in the UK or US. There is a reason to think that courts would decide the same thing independently just because there's no logical alternative of what to do.

Re: Picking the data to delete

"It was "courageous" (as sir Humphrey would say) to use an evanescent MFS file system as enough not entirely clueless users would place files in subdirectories of /tmp and run their own periodic job to "touch" those files so they escaped the grim reaper."

Or it was the necessary condition to educate them that temporary directories are actually temporary, not just extra storage provided if you thought to use it. It had to be pretty obvious that the quotas on their home directories existed for a reason, namely that disk wasn't unlimited. Using a different directory for temporary data was acceptable, while trying to use it to bypass the quota was not.

I often create a ramdisk on my systems because I have processes that generate gigabytes of actually temporary files, so storing them in memory makes the operations on them faster and doesn't wear my disk storing data. I know that if the computer loses power that the operations on those temporary files need to start again. That's why the ones I put there are truly temporary. Losing data there is a good reminder that it isn't intended for important files. That's what I have a nonvolatile disk for.