cultural reviewer and dabbler in stylistic premonitions
!meshtastic@mander.xyz is the more active of the two lemmy communities about it
as of March 19, yes it should be
from Change Agent: Gene Sharp’s Neoliberal Nonviolence:
Sharp’s ideas about nonviolent action are generally billed as apolitical, post-ideological, common sense activist strategy and tactics. But they actually flowed from a clear worldview. Sharp saw “centralized government” as the key vector of violence in the modern world. He supported “decentralizing” state functions to “independent,” “non-State” institutions—a prescription that sounds a lot like privatization. Importantly, he argued nonviolent action itself was the most strategic way to bring about this state transformation.
With the rise of the Reagan-era foreign policy of communist “rollback,” Sharp began promoting “strategic nonviolence” internationally through his Albert Einstein Institution (AEI). Sharp co-founded AEI with his former student Peter Ackerman, who was simultaneously right hand man to the notorious corporate raiding “junk bond king” Michael Milken. Later, Ackerman was a Cato Institute board member and advocate of disemboweling social security. AEI spent the 1980s, 1990s, and 2000s training activists, policymakers, and defense leaders around the world in Sharp’s nonviolent methods, supporting numerous “color revolutions”—again and again in state socialist countries whose administrations were attempting to oppose the privatization, austerity policies, and deregulation being pushed by the International Monetary Fund (IMF), World Bank, and U.S. Treasury-led “Washington Consensus.” Sharp’s “people-powered” nonviolent “ju-jitsu” would prove surprisingly effective, distinguishing itself as a powerful weapons system in the U.S. regime change arsenal. While AEI was an independent non-profit, it had significant connections to the U.S. defense and intelligence community. One prominent AEI consultant was Colonel Robert Helvey, former dean of the National Defense Intelligence College. AEI’s regular funders included U.S. government pass-throughs like the U.S. Institute for Peace, the International Republican Institute, and the National Endowment for Democracy.
Nice post, but your title is misleading: the blog post is actually titled “Supply Chain Attacks on Linux distributions - Overview” - the word “attacks” as used here is a synonym for “vulnerabilities”. It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.
This lemmy post however is titled (currently, hopefully OP will retitle it after this comment) “Supply Chain Attack found in Fedora’s Pagure and openSUSE’s Open Build Service”. edit: @OP thanks for changing the title!
Adding the word “found” (and making “Attack” singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all. (It does actually discuss some previous real-world attacks first, but it is not about finding those; the new findings in this post are vulnerabilities which were never attacked for real.)
I recommend using the original post title (minus its “Overview” suffix) or keeping your more verbose title but changing the word “Attack” to “Vulnerabilities” to make it clearer.
TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).
Fuck this project, but… their source code can be free and open source even if they distribute binaries which aren’t. (Which they can do if they own the copyright, and/or if it is under a permissive non-copyleft FOSS license.)
And if the source code is actually FOSS, and many people actually want to use it, someone else will distribute FOSS binaries without this stupid EULA. So, this BS is still much better than a non-FOSS license like FUTO’s.
I immediately knew this was going to be from Microsoft users, and yeah… of course, it is.
Binaries distributed under this EULA do not meet the free software definition or open source definition.
However, unlike most attempts to dilute the concept of open source, since the EULA is explicitly scoped to binaries and says it is meant to be applied to projects with source code that is released under an OSI-approved license, I think the source code of projects using this do still meet the open source definition (as long as the code is actually under such a license). Anyone/everyone should still be free to fork any project using this, and to distribute free binaries which are not under this EULA.
This EULA obviously cannot be applied to projects using a copyleft license, unless all contributors to it have dual-licensed their contributions to allow (at least) the entity that is distributing non-free binaries under this EULA to do so.
I think it is extremely short-sighted to tell non-paying “consumers” of an open source project that their bug reports are not welcome. People who pay for support obviously get to heavily influence which bugs get priority, but to tell non-paying users that they shouldn’t even report bugs is implicitly communicating that 2nd and 3rd party collaboration on fixing bugs is not expected or desired.
A lot of Microsoft-oriented developers still don’t understand the free software movement, and have been trying to twist it into something they can comprehend since it started four decades ago. This is the latest iteration of that; at least this time they aren’t suggesting that people license their source code under non-free licenses.
as i said, it “is about to be released”.
or, one could also say that the 3.0.0 source code has been released, but the official binaries haven’t been yet :)
edit: i see https://flathub.org/apps/org.gimp.GIMP has 3.0.0 now, and from https://testing.gimp.org/downloads/ i see that https://download.gimp.org/gimp/v3.0/linux/GIMP-3.0.0-x86_64.AppImage is also there. presumably https://www.gimp.org/downloads/ will be updated very soon.
Could anybody in short explain, what I have to understand from “it’s tagged”?
Git is the most popular version control system, which lets developers track changes to software source code. A “tag” applies a name (or version number) to a specific point in the history.
The commit shows that there was a longer with 3.0.0 tag before and now it’s just 3.0.0
The link goes to a commit which is tagged GIMP_3_0_0, and shows the change made in this commit. This commit happens to change the version line in a file called meson.build - this file configures Meson, which is used to build GIMP. The version is being changed from 3.0.0-RC3+git to 3.0.0. The string “RC3” in the previous version number is short for “release candidate 3”, and “git” here means that there were additional changes since “release candidate 3” was released.
What does that tell us? :D
So far the news and downloads pages still haven’t been updated, but the version being changed to 3.0.0 and this commit being tagged tells us that GIMP 3.0.0 is about to be released: official binaries and an announcement about it can be expected to appear very soon.
The tag means no more changes will be included in 3.0.0; if some show-stopping bug were discovered now, the version number would be incremented to 3.0.1 rather than to include a fix in 3.0.0. (Technically, a tag can be updated/replaced, but by convention it is not.)
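As an added illustration of the version-string semantics described in this thread (not code from the thread or from GIMP itself), the following parses the version line out of a constructed meson.build fragment, splits the RC and git suffixes apart, and derives the GIMP_3_0_0-style tag name that a final release is expected to carry:

```python
import re

# Constructed meson.build fragments standing in for the state of the file
# before and after the tagged commit; the real file has many more lines.
MESON_BEFORE = (
    "project('gimp', 'c', 'cpp',\n"
    "  version: '3.0.0-RC3+git',\n"
    "  meson_version: '>=0.59.0')\n"
)
MESON_AFTER = (
    "project('gimp', 'c', 'cpp',\n"
    "  version: '3.0.0',\n"
    "  meson_version: '>=0.59.0')\n"
)

VERSION_LINE = re.compile(r"^\s*version:\s*'([^']+)'", re.MULTILINE)
VERSION_PARTS = re.compile(r"(\d+\.\d+\.\d+)(?:-RC(\d+))?(?:\+(git))?")


def meson_version(text):
    """Return the version string from a meson.build project() call."""
    m = VERSION_LINE.search(text)
    if not m:
        raise ValueError("no version: line found")
    return m.group(1)


def describe_version(version):
    """Split 'X.Y.Z[-RCn][+git]' into its parts and say what each means."""
    m = VERSION_PARTS.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    base, rc, git = m.groups()
    return {
        "base": base,
        # -RCn: this is release candidate n, not the final release
        "release_candidate": int(rc) if rc else None,
        # +git: commits have landed since that candidate was cut
        "unreleased_changes": git is not None,
        "final_release": rc is None and git is None,
    }


def expected_tag(version):
    """Tag a final release would carry (GIMP convention: 3.0.0 -> GIMP_3_0_0)."""
    info = describe_version(version)
    if not info["final_release"]:
        return None  # release candidates and post-RC snapshots are not tagged this way
    return "GIMP_" + info["base"].replace(".", "_")
```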
yep. (see my other comment in this thread)
The three currently-maintained engines which (at their feature intersection) effectively define what “the web” is today are Mozilla’s Gecko, Apple’s WebKit, and Google’s Blink.
The latter two are both descended from KHTML, which came from the Konqueror browser which was first released as part of KDE 2.0 in 2000, and thus both are LGPL licensed.
After having their own proprietary engine for over two decades, Microsoft stopped developing it and switched to Google’s fork of Apple’s fork of KDE’s free software web engine.
Probably Windows will replace its kernel with Linux eventually too, for better or worse :)
How else are Chrome, Edge, Brave, Arc, Vivaldi and co getting away with building proprietary layers on top of a copyleft dependency?
They’re allowed to because the LGPL (unlike the normal GPL) is a weak copyleft license.
BSD tells me the team probably wants Ladybird to become not just a standalone browser but also a new competing base for others to build a browser on top of
it’s about the ladybird browser. i edited my comment to add details.
with mandatory male pronouns for users in the documentation.
(and no politics allowed!)
this issue was resolved eventually by another dev; afaik the lead dev stopped commenting on it after he closed a PR and said people who wanted to remove the docs’ implied assumption of users’ maleness were “advertising personal politics”.
edit: ok, i went and checked, here are the details:
https://github.com/SerenityOS/serenity/pull/6814 is the first PR he closed in 2021 saying “This project is not an appropriate arena to advertise your personal politics.”
https://github.com/SerenityOS/serenity/pull/24648 is the PR where it was eventually fixed, after it was publicized in july 2024
here https://xcancel.com/awesomekling/status/1808294414101467564 the day after the fix was merged, he sort-of almost apologized, while also doubling-down on his defense of his decision to reject the first PR 🤡
https://en.wikipedia.org/wiki/Ladybird_(web_browser) was later spun out of SerenityOS into its own project
subtitles “fixed” in them without separate SRT file
can you turn them on and off? meaning, is there a text track embedded in the video file, or is the text actually rendered into each frame?
if the former, you can easily extract them into an SRT file (or another format) using ffmpeg: https://trac.ffmpeg.org/wiki/ExtractSubtitles
shoutout to the person who reported this post. reason? “dangerous misinformation can lead to heat stroke and death”
I remember years ago reading about how the GEGL backend would one day enable some “non-destructive editing” features; I just decided to figure out how that works and I see it was sort-of implemented a long time ago but in 3.0 the UI is much better: many things under the Filter menu now have a Merge filter checkbox in their dialog. When that box is unchecked, then applying the filter will make it a (non-destructive!) layer effect and an fx icon will appear for the layer (in the dockable layers dialog, which you can reach with ctrl-L if it isn’t visible). You can apply any number of layer effects, and when you click the fx icon you can reorder them or modify their settings. Very cool!
Another tip (not new to 3.0): you can type / to open the Search actions window, which lets you quickly find various functionality without needing to dig through menus to figure out where something is :)
If you want to try a 3.0 release candidate before it is released, it’s easy to install it from the flathub-beta repo as described here. (That page is embarrassingly out of date and says “The current development release of GIMP is 2.99.6 (2021-04-26)” but if you follow the instructions there you’ll currently get version 3.0.0~rc3, which is the latest release candidate from earlier this month.)
I’m confused as to why this 404media story neglected to link to the post in question.
to get from this article to the post that it is about, i had to type in the bsky username from the screenshot and scroll through the timeline. to save others the effort:
https://bsky.app/profile/marisakabas.bsky.social/post/3liwlwvvq6k2s is the post which was removed.
https://bsky.app/profile/marisakabas.bsky.social/post/3lj3yrzc6is2p is the thread about it being removed and later restored.
Good question.
I see that the file served from https://packages.mozilla.org/apt/repo-signing-key.gpg is the same as the file at https://packages.cloud.google.com/apt/doc/apt-key.gpg
Apparently Mozilla outsources the operation of the Firefox APT repo to the Google Cloud “Artifact Registry” service 😦
The word “libre” in the context of licensing exists to clarify the ambiguity of the word “free”, to emphasize that it means “free as in freedom” rather than “free as in beer” (aka no cost, or gratis) as the FSF explains here.
The MIT license is a “libre” license, because it does meet the Free Software Definition.
I think the word you are looking for here is copyleft: the MIT license is a permissive license, meaning it is not a copyleft license.
I don’t know enough about the Rust community to say why, but from a distance my impression is that yes they do appear to have a cultural preference for permissive licenses.