Posts by doublelayer

Re: Very interesting

I disagree. I think it will be a harmful idea both in the short and long terms. There are several problems with it. I could write many pages on why, but I don't think you want to read that much, so here's a short list of the problems I see with it.

1. It limits the freedom to fork, because if I fork someone's project, who gets paid for use of my fork? Me or them? Or both of us somehow? This is an important issue because, if I get paid for the fork, the original authors will need to prevent me from forking to collect their revenue.

2. It introduces more incentives to get yourself included as a developer. How is the money allocated among developers? Does doing pointless work to increase your lines of code increase your payout? How much extra work does this add for the maintainers? If it is allocated equally to developers, then why don't I contribute a single commit from the accounts of everyone I know to get payouts?

3. It centralizes the authority for this in one organization. Nonprofit or not, that's no guarantee of anything. ISOC/PIR was a nonprofit, but that didn't stop a months-long fight to try to prevent them selling off the .org registry. Do we want to give much power to a single, license-mandated organization? Do we really think we'd have control over what decisions they make?

4. It goes against one of the aims of open source that caused Mr. Perens to resign from the OSI in 2020. From that article: "One of the goals for open source was you could use it without having to hire a lawyer. You could put [open source software] on your computer and run it and if you don't redistribute or modify it, you don't really have to read the license." This no longer applies for companies of a certain size. Sure, I'm not a company worth $5 million, so it's not me that's affected, but that doesn't make it good.

5. Your assumption that "an acceptance that 1% of revenue is a not unreasonable licensing cost". No, they won't do that. 1% of Google's revenue is $3.08 billion with more of that next year. That's just for projects that adopt this license. Other open source stuff doesn't get included. This means two things. First, if they pay it, they are almost certainly not paying any more to other open source software because they've already paid plenty in their mind. Second, they have a large incentive not to use this stuff and, where necessary, to build a different version. They have history in doing it. When Busybox demonstrated that they were eager to defend their licenses, Google made sure that they used something else in Android, and that got adopted elsewhere as well. Do you want to give companies an incentive measured in the billions per year to make sure these projects don't get adopted?

6. It eliminates the benefit of open source which made it usable without conducting license audits.

7. It continues the, in my opinion harmful, tendency to pick a villain and declare that their use of open source is exploitative. A license designed around my opinion on who is good or who is bad is not going to be a good one. Changing the person who makes the decision will not improve this. There is a reason why the original OSD had two explicit non-discrimination clauses and five in total. Encouraging people to drop this, which already goes against that definition, will likely result in even more of them being dropped.

I've long considered Bruce Perens one of the people who best expressed my views on open source, its structure, and its importance. That is no longer the case. If you want proprietary, write proprietary.

Re: Picking the data to delete

Don't count on that. On some systems, /tmp is stored in RAM. Disconnect power and /tmp is wiped. I write software to assume this will happen, which means if I need something to recover from a crash, it has to go somewhere else, such as /var/tmp, although a dedicated location for the program is more likely.

One possibility is that their experience differs from yours. I've described my own history with self-running a mail server in another comment, which involved trying to get off some spam lists that I was on before turning the server on for the first time merely because of my IP address. The part I didn't mention was that, before I did that, I had to get a new hosting provider for the mail server because the company that I used to host other things was on a lot more spam lists. The ability to quickly set up a new rented server was great for me when I wanted to host something, but it was also useful for spammers. I didn't even bother setting one up there because I checked on it, but if I had, I think it would have been rejected by a lot of sites using expansive blocklists.

Maybe the person commented as they did because they had such a mail server, either one of their own or run by a company that were bad at their job. They may be overgeneralizing how common it is, but I'm inclined to think that they actually did encounter the problems they're describing rather than making it up. Even now where I have email through my own domain, though unfortunately not on self-hosted instances, I have encountered at least one service that rejected the address. I was registering for a promotion, and perhaps they were afraid that my domain was going to try to register a lot of times, although they had no problem with Gmail accounts and setting up a bunch of those is frequently managed by spammers. Either way, they did not accept it. This has only happened the once, but some sites are that aggressive.

Re: Talking of blocking emails…

That is the challenge of running your own mail server. You have to be careful not to have even the smallest misconfiguration from unofficial standards, or you will end up on spam lists that are difficult to get out of. Still, you probably have a chance of doing that. The other problem is that many of those lists will still list you if someone from an IP range even slightly similar to yours does anything dodgy, including if they are hacked. It doesn't matter that their IP address is different from yours, attached to a different account, and your addresses have been operating under your control and without issue for years. Someone will still block first and ask questions later.

I have operated my own mail server before, and with relatively good results*, but nowadays, I let someone else do that hard work and just point my MX records to them. I don't like having to do this, given that I self-run all the other services attached to my domains, but if I need the emails to definitely arrive all the time, I don't have much of a choice. It might be different if I had a dedicated IP range for my services which I could keep clean, but I don't. I do wonder how aggressive this will be when IPV6-only servers eventually happen, because I am able to get my own IPV6 block more easily than my own IPV4 one.

* To my knowledge, my self-run server didn't get added to any spam lists. I was certainly able to send from it to Office365 and GMail. However, there were some smaller lists that included massive IP blocks which included my host. I had limited success applying to have my IP removed from the blocks. I knew it was only a matter of time before those seemingly unused blocklists would end up affecting something I cared about.

This is Wyden. He is the one legislator who consistently pushes against such things and tries to get privacy respected. He's not the hypocrite here. This is probably not a good thing for the likelihood of this bill being passed, though, as his fellows have been ignoring his suggestions for decades.

Re: Interoperability

I think you're correct in general but incorrect about this. In this case, the bill simply requires that the government use an open standard instead of a proprietary thing. That makes it necessary for a standard to be created and encourages its use, but people are free to create an incompatible version and make it available. It just won't be purchased for U.S. government use. This bill will promote the existence of a standard, hopefully a good one, without enforcing it on everyone. I would support it.

Where I agree with you is when laws are passed mandating that nothing may exist that isn't interoperable with a standard. That prevents someone from choosing to give up interoperability in order to get some feature not supported by the standard. This is important to me because, for many of the things that have done this, the thing they wanted to include that wasn't in the standard was encryption, which is a feature I value quite a bit. It's also the most likely place where encryption will be limited by legislation. I think we should have the choice to build incompatible things, but I have no problem with the government refusing to buy them.

I'm sure someone would do something, but less sure that whatever they did would be useful. Refurbishing hardware that's fifteen years older has a lower cost to result because they generally want it to boot up the same environment that it came with. They may have to emulate some hardware to do that, but the interfaces aren't complex, and they're not trying to bolt too much on. For a modernized Windows 98 to work, they'd have to do a lot more, such as getting it to boot natively on modern hardware, to interact with modern peripherals, and to run the software needed to perform modern tasks. None of those things are straightforward in comparison to getting an old computer with most of its old parts to run the software it came with.

Re: Who will actually lose out

People have lots of theories. They say it's about social media not wanting competition. They say it's about some content moderation decision. They say it's an attempt to affect the election. They say there is a real propaganda or privacy risk. I don't think any of these really do it.

Politicians have decided that China is dangerous, and this is a thing that a lot of people use which was created in China, so it must be dangerous. Exactly how it is dangerous and what you could do about it that would best reduce the danger are problems politicians don't want to bother with. Whether this law is legal is another one they didn't spend much time on. In their minds, it is a threat and they've done their duty in responding to it, and that's the level of detail they care about. It could actually be a serious threat, it could be completely harmless, or it could have potential problems that are being exaggerated, and it wouldn't matter to the people passing the law. They probably are thinking about whether they can use this as an argument when campaigning, but even this is not their primary concern.

Re: Harvest Away......Avoidance Is Possible.........

If enough people do that, they can always come back and ask for another law. You can use a burner phone now, but there are lots of countries that forbid them and require you present identification to have a phone number. They're not universally dictatorships either, though many dictatorships do it. Of course, that doesn't mean that every phone in the country has done that, but it does make it harder. They cannot make it impossible to get around some of this, but they can make it difficult unless you have plenty of knowledge and a lot of determination. The other problem is that if you think you have plenty of knowledge and don't, you could end up standing out like a spotlight. Just because circumvention is possible doesn't stop this from being a bad law.

If we start with the idea that they want cameras at all, and some people clearly do or the open source and private options mentioned in the first comment wouldn't exist, it isn't that surprising that a lot of users ended up with proprietary cloud-based versions. I don't want any cameras, and I'm fortunate not to need any, but let's consider this from the perspective of a nontechnical person who does want or need them.

You can build a surveillance camera on your own from available parts. So can I. The average user, on the other hand, finds that kind of effort difficult and does not see the benefits from the hardware. They are right; the version you build from a Raspberry Pi is likely to cost more, require more maintenance, and have fewer features than finding a company that mass-manufactures millions of dedicated devices. Even if they got one or used a prebuilt camera that only uses local network traffic to collect information, the server portion is inconvenient. If they have a camera on their house, they probably want to see through it when they are away from their house. The typical solutions to this challenge include making a VPN to your home network or renting a server and configuring it to allow remote access. Neither is convenient for someone who does not have servers already and doesn't know how to configure, secure, and maintain them.

Even if they did both of those things, some users may want certain information. For example, something to look for people approaching their house which notifies them, the ability to talk to a person at their door even if they're not home, and the ability to quickly share data from the camera with others if needed. A lot of that is difficult from a web app and would work better with native ones. Now we're into an area where it's not that quick for us to make that from scratch either and we'd likely look for an open source option, but the open source versions can't work with every device in existence because they don't have standard interfaces.

It is not surprising that people who want cameras end up buying the cheap products with software that can do what they want. It is disappointing that they do so from companies that have thoroughly violated their users' and everyone else's privacy. I hope that this is mostly down to ignorance of how bad companies like Ring have been for their users rather than failing to understand the consequences of Ring's actions. Still, we have to look at things from their perspective if we're going to fix things or even just correctly explain why they're doing the things we wouldn't.

Re: Assumptions -- No -- Never heard of them!!

what about "Innocent Until Proven Guilty"

Not a problem from the point of view of police calling for real encryption to be banned. They simply get the local government to pass a law saying that only a certain encryption algorithm (the one that doesn't work) is permitted. Now the people who use something else are guilty and can be treated as such. Various countries go through a cycle of proposing this every few years. Australia and the UK are frequent culprits. The US seems to ignore this particular pathway, having tried it back in the 1990s, and instead just allow their law enforcement to do whatever they want with people's data with very few limits. Either way, they don't see this as a big hurdle.

Re: Given that---

It's not only about killing people. It is also about imprisoning them. Or even charging them if they haven't actually done anything worth charging. Moreover, it's about accessing the communications they shouldn't need, whether that results in imprisonment or charges or not. For example, if a police officer with access chooses to look up someone they know just because they're curious, that person is not likely to be charged or imprisoned, but they have been harmed.

If the police don't kill innocent people ever, that is not sufficient. What you need to be certain of to make this in any way justifiable is that the police are infallible and will never commit any abuse, no matter how small, and will never commit any error that permits someone else to commit an abuse. Are you that certain of them? I'm not that certain of anything.

Some of those bodies are American, but it won't do much good. The stuff China needs to develop chips around an ISA are public, as in I can just download them from the internet and they already have. I don't think China would respect or even acknowledge a legal term saying they're not to do that. Politicians, as expected, have no understanding of what actions are possible or even what the things they say mean. I'm pretty sure that this request came from politicians reading an article that said something along the lines that "China may turn to instruction sets like RISC-V" and just assumed that they could do something to prevent that from happening, not bothering to understand what any of those big words mean.

At most, they could prevent US-Chinese joint efforts to develop a chip. There probably are some, but it's not going to have a big effect if they move all their operations to one of the two countries.

Re: Disappointing

They don't want an open source OS that their competitors could sell to Chinese users and people outside China still wouldn't buy. With one of their own, they can try to keep any additions to themselves, which means more buyers of their devices inside China. By the way, there's nothing unusual with that in the "Chinese mentality" area; Chinese companies are not well-known for universally caring about open source or trying to team up with one another, and that's true in nearly every industry. They can say all they like about wanting to export Harmony OS outside China, but I wouldn't expect it to work. Lots of companies have tried that, a couple of them putting plenty of money into the idea. They all failed.

There are only two ways that Harmony OS will catch on outside China:

1. Huawei just releases the current version of Harmony OS. That is to say, they release a standard Android phone and make sure it says "Harmony OS" on the start screen and settings app. Sure, it will have a Huawei app store and HMS running on it, but it's still Android. Even with this, I don't think it will work well, but there's a bit of a chance.

2. They seriously subsidize the devices to make them cheaper than all the competition, then aim for developing markets. If they don't get developers on board, they'll have to subsidize even more to get them below the KaiOS devices, and that's saying a lot.

I don't think they're going to do either of these, and therefore I think this attempt, if they're even serious about it, will go nowhere.

Re: A DPRK IP address, you say?

What do you think they'd be allocating that space to? Internal stuff gets internal IPs in the 10/8 block. The small block also means it's really easy to do intensive portscans of it at all times.

Re: And how would that work?

"what would “your Instagram feed” look like without tracking?"

I have some ideas they could try:

1. A list of posts from the list of accounts you selected to follow with a sort box on the top so you can pick between various methods of ordering them (newest, most positively reviewed, most positively reviewed by a lot of people, most reviewed by people in any direction, any other sorters you might find useful).

2. A list like that, but in addition to those posts, you see posts from other accounts that are linked to the accounts you chose to follow. This would use public information like which accounts those people chose to follow.

3. A personalized feed of posts picked by asking you to voluntarily give them some information about what you like so they can search for it. You could push some buttons instructing their algorithm what you like and what you don't like, and various programs could scan for patterns in those then predict whether you'll like certain other posts. They don't need to base that information on what someone else liked if they can use an algorithm on the content. You could deliberately indicate these things instead of collecting and using other pieces of information like how long they think you looked at a thing.

4. An anonymized collection linking views and followed posts, but without including user IDs. It doesn't help when you want to see the full history of someone's actions, but the point is that we don't want them to see a full, or partial, history of someone's actions, nor do we want anyone who breaks in to have the ability to retrieve one.

I don't use Instagram. Do any of these look workable to you?

A lot of modern flip phones have WiFi. Yes, they also usually have a basic web browser, but you are free not to use it, and if I remember correctly from when my friends showed me the experience of using a flip phone to browse, you wouldn't want to use it anyway. There are many phones more capable than this one but without the interfaces of a normal smartphone, so they can often let you opt out of smartphone activities because they either can't install apps or can install them but you wouldn't be able to use them well.

Re: If people want to side load crap onto their phone, they can buy an Android

From the point of view of an individual consumer, Apple's market is a monopoly or irrelevant. It is not the same as a single store. When someone buys an iPhone, they become unable to choose another store unless they replace it. If one store offers something, they generally don't get to lock me in there and tell me that, even though there is another store selling the same thing across the road, I can't use any products from their store with any products from that store.

As for the smartphone market as a whole, while it's not the one the law is talking about, Apple have an oligopoly position. Market regulators usually also regulate those. The laws are usually written specifically to let them. The reason is that, when a market has two real competitors in it and they start to adopt suspiciously similar terms (Apple and Google have a lot of the same terms in their store agreements), then there's not much difference from a normal monopoly. So they also get to regulate the phone operating system market under those rules, such as, for one example I'm just randomly picking out of the air, rules on app distribution that apply to all OSes for mobile phones.

Re: If people want to side load crap onto their phone, they can buy an Android

Governments are supposed to have monopolies on some things, like making laws or sentencing people to prison. That's what we're going for. So yes, well spotted, they tend to be one. Of course, when we see a government trying to have a monopoly or even get involved in something we don't want them to, we complain and try to prevent that from happening, just like we complain when Apple tries to. I'd say our track record on getting results is higher for governments than it is for Apple, though not dramatically.

Re: Time ticking also for

Yes, not being able to remove something is exactly the same kind of issue as not being able to install any competitor to that thing. There's a minor difference in scale involved. As long as I can still install Firefox, set it as default, and ignore Edge, it's not a big deal to me. Yes, the links in the settings will still open Edge, which is annoying. However, I have a recommendation to you. Don't click them. Even if they open in Firefox, they don't send you anywhere remotely useful.

IOS's lack of choice is actually a lack of choice. Microsoft's preinstallation doesn't prevent you from choosing something else freely, nor does it make it harder to do so.

Re: Dependency

I note that you didn't answer my first and larger question: which of Apache or the Linux Foundation are you also blaming and why?

I also note that I said nothing about my opinions of systemd, but you have jumped to conclusions that I have no objections, then jumped to another conclusion that I "seem blind to appalling defects and fundamental flaws". I may oppose systemd's use as well, but by deciding based on no evidence, you confirm that we cannot actually discuss the related but not identical issue of whether choosing to use it should be a blight on an entire organization rather than, for example, the group that chose it alone (many Debian developers work on something unrelated). If you insist on seeing any questions as opposing points you didn't even make, a discussion seems precluded. You would still be capable of answering question number 1, though.

As it happens, I don't. I develop software on Linux servers. There are times when it gets tested on Windows, but often, running on Windows is not required and I am free to use Linux-only interfaces.

If you understand what I'm saying, you may find out that I'm not saying "switching to Linux is bad" or "you can't switch to Linux". I am saying that switching to Linux is hard, and that if you want to do it, you will have to have answers for them. Dismissing those hard things will only lead to wondering why nobody accepted your change request.