today's leftovers
-
OSI License Review Working Group Seeks Input on Changes
The Open Source Initiative, the organization that decides what is or is not an open source license, is thinking about making some changes to how it handles its license review process, and it's looking for community input before putting any new policies in place.
Back in 2020, OSI established a License Review Working Group which was tasked with the job of examining and improving the organization’s license review process, which is how OSI decides whether a license receives its seal of approval as an OSI approved open source license.
-
FOSS could be an unintended victim of EU crusade to make software more secure
But FOSS is in the most danger. The underlying assumption of the regulation is that cybersecurity exists in the digital market like fire resistance does in that for soft furnishings. Putting regulatory cost burdens on a part of the market with no revenue and no gatekeeping on its distribution channels cannot work; there are no prices to increase to absorb compliance costs and no tap to turn off to keep the stuff off the market.
And FOSS can't be outlawed. To re-engineer infrastructure and applications to exclude it would be unthinkably expensive and undoubtedly vastly destabilizing for cybersecurity resilience. To allow grandfathering – allowing pre-regulatory software components to continue to be used but demand compliance if new or updated – would freeze the sector to death. And what "cybersecurity framework" would catch the sort of errors that currently only appear after intensive analysis by the few teams of good and bad hats who are already fully employed for better or worse on a tiny percentage of extant software?
-
[Old] Open-source software vs. the proposed Cyber Resilience Act
We feel the current proposal misses a major opportunity. At a high level the 'essential cybersecurity requirements' are not unreasonable, but the compliance overhead can range from tough to impossible for small, or cash-strapped developers. The CRA could bring support to open-source developers maintaining the critical foundations of our digital society. But instead of introducing incentives for integrators or financial support via the CRA, the current proposal will overload small developers with compliance work.
We would love to be wrong about most of our analysis. So if you believe the situation to be less grim than we portray it to be, please talk to me so I can update this overview. However, if you share our concerns, this is what you can do: [...]
-
A call to action: Think seriously about “safety”; then do something sensible about it
What might “something sensible to do” be? I suggest making a list of issues that could be considered safety issues (including UB) and finding ways of preventing them within the framework of P2687R0. That’s what I plan to do.
And anyway, what is “the overarching software community”? To the best of my knowledge, no experts from the ISO C++ standards committee were consulted.
-
Game of Trees 0.83 released
Version 0.83 of Game of Trees has been released (and the port updated): [...]
-
Ransomware Payments Are Down
Chainalysis reports that worldwide ransomware payments were down in 2022.
Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before.
As always, we have to caveat these findings by noting that the true totals are much higher, as there are cryptocurrency addresses controlled by ransomware attackers that have yet to be identified on the blockchain and incorporated into our data.
-
It's not you, it's SQL
And that something was MongoDB. MongoDB happily took our Python dictionaries, stored them away somewhere, and sometimes even gave them back later. No hand-crafted SQL strings littering our Python codebase, and everything still worked.
It was like a veil had been lifted. “What was with all the ceremony, SQL? My controllers are so lean now, and my schema is whatever I want it to be.” We paused just long enough to take a sip of our Spicy Maya Mocha from Coupa Cafe. “I mean, so what if none of my writes are ever actually confirmed by my new database? These are just hamster-likes and wristwatch-enthusiast-pokes! We can lose a few and still get to our Series B.”
-
DIGI SOMs integrate pre-certified dual-band Wi-Fi 5/BL5 and Gigabit Ethernet connectivity
The Digi ConnectCore MP1 is an industrial embedded System-on-Module platform which integrates the STM32MP157C microprocessor and a 3D GPU....
-
10 ways to integrate event-driven automation into IT operations
Try Event-Driven Ansible, a new open source project in developer preview that helps you create event-driven automation scenarios across IT domains.
-
How to Install DokuWiki on Debian 11
DokuWiki is an open-source wiki application written in the PHP programming language.