Threads for jtdowney
-
I would take a step back and ask why you are making the code open source in the first place. If you want just to share your work with others, then pick whatever you want. As long as you own all of the intellectual property related to the code, you can pick whatever license you desire.
However, if you want your project to be adopted within a corporate environment, you can’t expect things outside their standard set to get a lot of traction. That set was picked by lawyers to reduce the risk of the company having future issues with clean intellectual property rights to their product. Even if it was adopted by a company before they were big enough to have lawyers who cared, one day they will grow, get acquired, IPO, and there will be a team of people running license checks for stuff outside of the approved set. That is especially true for relatively unknown licenses like the one in this case. At that point, they’re likely going to stop engineering work to replace the components affected, too, once again, reduce risk.
Here is a hypothetical. A company adopts this component with the license as it was; they get acquired by a large, multinational public company. There is not a lawyer that would read this license and agree to run down every aspect of this license and ensure they’re complying with it. Some are easy, but many are vague enough to be a pain. So instead, they tell engineering to yeet it from the product.
Given all of that, to answer your prompt, you don’t. Companies are not taking a risk on small open-source components. If you want to get the Hippocratic License added to the set of approved licenses, it is a Sisyphean effort. The only way I see it happening is if your project gets to the level of something like Kubernetes or Linux, which (in a catch) often doesn’t happen without corporate support.
-
why open-source it? clearly, to provide some benefit. it’s a useful library.
i personally don’t care a great deal about adoption; what i do care about is “good use”. i personally don’t want to support the military or fossil fuel companies, say. just like i wouldn’t work at those companies.
i’m curious to gauge peoples views about expressing such sentiments via licenses. it seems like the hippocratic license - https://firstdonoharm.dev/ - is a very clear approach to do this; yet it seems to be met with quite some anxiety by people who think tech should somehow be “neutral”. it’s long been shown that neutrality only rewards the privileged; to make social change one needs to step out, somehow.
so my question is, as a tech community at large, do we just completely give up on licenses? (aside from the standard few?) or is there some room to innovative; some way to create social change for ourselves, our users, and the broader community? and if so, what is that mechanism?
-
I’ll ask it a different way. In an ideal world, would a company change its policies to adopt your open source software? If you want to change corporate governance, I don’t think you do it with progressive open source licenses. No engineering leader is going to go to a board and ask them to change broad policy so they can use an open source library.
-
and let me ask you in a different way - what would make them change?
-
-
A plurality of US states – Delaware (the important one for corporate governance!) included – allow corporations to incorporate or reincorporate as a public benefit corporation. It’s conceivable that a corporation could be subject to enough pressure by its employees and shareholders that it would reincorporate as a B corporation.
But while I think a niche could exist in B corporations for software licensed under the Hippocratic license & similar, it’s important to not mix cause & effect: your Hippocratic licensed software may be eligible for selection by a company because they chose to become a B corp, but it strikes me as exceptionally unlikely that a company will ever become a B corp to use your Hippocratic licensed software.
-
how is B-corp and the license even related?
i.e. we’re just taking about a simple license here, where the terms are of course only enforceable through some (hypothetical) law suit; i..e the license really just expresses some notion of personal preferences enforceable only if i feel like suing random companies that use it.
maybe one thing i could point out is the difference between a code of conduct and a license. we all feel (somewhat?) comfortable with a code of conduct expressing behaviour wanted in our spaces; why not licenses for those same desires?
-
how is B-corp and the license even related?
only if i feel like suing random companies that use it.
maybe one thing i could point out is the difference between a code of conduct and a license
Corporate governance seems like the thing being discussed here. You hope to impact governance through clauses in a license. However, governance is not limited to the time when you decide to sue some companies. Companies are bound to various agreements which require them to make some attempt to mitigate risk so that they can achieve the outcomes that the owners desire. The result is that they pick and choose which risks they want to take on by limiting the number of licenses they support and the scope of these licenses.
Regular corporations (and, I suspect B-corps too) are unlikely to want to increase the number of risks they are dealing with by using software with the Hippocratic license. We already know that many companies rule out GPL and derivative licenses entirely just to limit their risk. Some will pick and choose, but only when they have resource to review and fit it into their business.
Above I used terms like “various agreements” because I don’t have the time to write in the level of the detail I’d like to. Agreements come in many forms and we care most about the explicit ones which are written like contracts. Some agreements are more implicit and while still important, I’m ignoring these to simplify. Agreements include but aren’t limited to:
- Founding documents between the founders, or between the government and the founders.
- Partnership agreements with others selling/integrating your product, or providing code for your product.
- Agreements with organizations that represent employees.
- Customer contracts.
- Funding agreements with VCs, or banks.
For your license to succeed, you need to navigate all of these agreements. A license like MIT is relatively compatible because it’s limited in scope.
-
i see
i mean, suppose you are a regular developer living your life, and you feel like sharing code. clearly, i don’t want to engage at the level you mention with anyone who uses the code.
licenses seem like a reasonable way, no? or no. would you suggest there is no way? we should just give up and MIT everything?
-
licenses seem like a reasonable way, no? or no. would you suggest there is no way? we should just give up and MIT everything?
There is no way to achieve what you desire to any great extent with your approach. The trade-offs are for you to decide.
I would posit that most people don’t want to have relationships based on the requirements of the license you put forth. If you want to define your relationships and engagement through that license for your code, or companies you run, then that’s 100% fine. Many types of small communities can be sustained with hard work.
When you go in that direction don’t expect other people to reciprocate in various ways that they can in the open source world through code use, testing, bug reporting, doc writing, etc. If you use MIT then you’ll open the door to a lot more collaboration and usage. For many people who have a livelihood depending on open source, this is the only approach. When your livelihood doesn’t depend on open source it’s easier to pick and choose licenses, but even then the decision can limit who will engage with you.
-
-
-
-
-
-
-
-
You’ve forgotten one more potential situation: you want other open source projects and people to be able to use it, but don’t care at all about corporate usage, or even want to discourage it.
In such situations, licenses like the unlicense, AGPL, Hippocratic license, etc can be useful.
-
-
-
I might use this if I weren’t worried about linux users other than my main having access to tailscale’s net interface.
Someday I’ll get around to learning nftables. Today is not that day
Actually now that I think about it, if I were to filter all outbound packets by user, how would I host services on the tailnet via a daemon user? Can I use conntrack with nftables? What about UDP? Would I even care about isolating tailnet internal services to another user? Maybe I should focus on not needing to worry about network access by other users so I can rely on loopback as a safe interface. Maybe I should go crazy with network namespaces
-
-
-
It’s been a long time since I played with nftables, but IIRC you can mark packets originating from different UIDs and then you can make decisions based on metainformation. Have not tested the theory though.
-
-
-
Then, connect from the source device as normal:
$ ssh root@100.100.100.100Aren’t some of the advantages of using tailscale ssh lost if they only offer a server, not a client? I would appreciate some more technical detail.
-
-
-
-
You always have double encryption with ssh over wireguard (or any VPN). There are no client SSH keys because it knows what host you’re coming from and uses that information to match the ACL to grant access. As for the other technical details, their docs are pretty good and the code is open source.
-
-
-
-
This came up in another forum, specifically as an alternative to TLS.
It’s already been submitted, with no comments, so I’m interested if it’s had more traction, or if people have worked with it.
-
Noise is used by Wireguard. So in that regard it certainly has traction.
-
-
-
No, but those are related:
Noise is inspired by:
- The KDF chains used in the Double Ratchet Algorithm [23].
…
[23] T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” 2016. https://whispersystems.org/docs/specifications/doubleratchet/
-
What parts of the Signal Protocol use Noise?
-
-
-
-
-
Seems to be missing a mention of Rancher Desktop.
-
For me it’s mu4e in Emacs. The speed of mailutils, convenient keybindings and sane composition defaults you don’t have to fight to submit patches.
-
-
I also use mu4e. I haven’t found another email client that offers the same speed of execution and of user input. It connects with my password manager with a single line of configuration:
(auth-source-pass-enable)which is builtin to Emacs. I also have the ability to define custom bookmarks to, with a single keystroke, show me all my inboxes, just my flagged emails, etc.The big feature for me though is contexts. For each email account I have, I define a
:match-funcfunction. I actually used a macro to create the functions to match on the account’s given Maildir. A large part of the mu4e workflow is marking messages to delete/flag/move/etc and then executing those marks (similar to dired). When I realized the contexts automatically reassign for each message you mark in “real time”, I was pleasantly surprised. This means, for example, if I there are a bunch of emails in a row from potentially different accounts, I can just spam thedkey to mark them for deletion, thenxto actually delete, and they will all go to their respective trash folders, not just the trash folder of the context you selected when you launched mu4e. -
Yet another vote for mu4e. Been using it for a few years and it’s great. A bonus is that it integrates especially well with orgmode; e.g. it’s trivial to link to emails from within orgmode TODOs, which is exceptionally helpful when a lot of TODOs come in via email :)
-
I used to use mu4e, but I could never get the moving parts of mu, mbsync and Office365 to play nice together
-
Same! Would love to hear from anyone with an Emacs-Office365 workflow they’re happy with to be honest.
-
I’m using Gnus/nnimap now, which works reliably, if sometimes a wee bit slow due to O365 throttling
-
-
-
-
-
pushcx
Sysop
1 year ago
|
link
| on:
Lobster burntsushi has left the site, algorithm detecting standing might be off
The logic showing that warning tries to avoid false positives. I don’t know what burntsushi saw it - he disowned all his comments when he deleted his account, so I don’t know what his last few comments were to see what the flags were or who made them. In the last three years no mod had a private conversation with him, either about his posting or anything to do with the site (the mod notes were added three years ago, so I can’t speak confidently about before then). I don’t have more insight into why he deleted his account and I’m sorry to see him go.
-
The disowned comments might be a bug: https://twitter.com/burntsushi5/status/1399716212028985351
-
I found the line in the logs, it’s a very unfortunate bug:
Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"password"=>"[FILTERED]", "i_am_sure"=>"1", "disown"=>"0"}, "commit"=>"Yes, Delete My Account"}I’ll take a look at the threads linked there, thanks for the reference.
EDIT: filed the bug
-
-
The code is:
def self.disown_all_by_author! author author.stories.update_all(:user_id => inactive_user.id) author.comments.update_all(:user_id => inactive_user.id) refresh_counts! author endSo it just runs an
update comments set user_id=-1 where user_id=42query. Unless you’re going to restore from a backup, I don’t think this can just be corrected.Unfortunate indeed :-(
-
-
If this is to be done, it should probably be done for not just burntsushi, but also other users since december 2018 (which is when the bug was introduced). And if that commit contains other bugs as well, not just disowning comments, should it be done for it as well?
-
-
-
-
-
-
-
-
-
-
-
I used to do something similar with LVM on Linux servers. Leave a few gigs unallocated to a volume so you can dip into it in an emergency.
-
Does anyone know the backstory on this one? Did I miss Internet Drama™?
-
other thread: https://lobste.rs/s/cqdh3x/wireguard_for_freebsd_development_for_13
No idea of the veracity of any of the below…
some backstory: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247853#c7
more backstory: https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html
even more: https://lists.freebsd.org/pipermail/freebsd-hackers/2021-March/057082.html
yellow site thread: https://news.ycombinator.com/item?id=26475519
Do note: FWIW, Netgate does seem (at least from my perspective) to have a bit of a history of being kind of… weirdly hostile about some stuff? Example: whole opnsense badmouthing thing (domain registration, reddit community creation, etc). On the other hand, also known for contributing code to FreeBSD and donating to FreeBSD. Unsure what to make of it.
-
From my perspective, it was great that Netgate got the ball rolling on in-kernel FreeBSD wireguard. They clearly have a commercial stake in it but they contributed it to the FreeBSD project, even if it lacked important features (jail support) and they just dropped off the code and walked.
Clearly there were code quality and some security issues and Netgate was caught off guard and embarrassed, which no one likes to be. To me the part that is the worst of all of this is what Scott tried to pull in his private communication to Jason:
On Mon, Mar 15, 2021 at 6:08 PM Scott Long wrote:
I’ve also spoken with the FreeBSD Security Officer, and we’ve agreed that wireguard will be removed from all branches of FreeBSD until further notice. I’ve also informed Kyle of this. I do not support its reintroduction into FreeBSD, whether in the src tree or in the ports tree, at this time. As for pfSense, we are conducting an audit and will decide on the best course of action for our customers and our company.
That sort of “take the ball and go home” shit is not at all professional and trying to lean on the security team to enforce your grudge is messed up.
-
-
The Ars Technica article that forms the base of the HN submission is pretty good, IMO: https://arstechnica.com/gadgets/2021/03/in-kernel-wireguard-is-on-its-way-to-freebsd-and-the-pfsense-router/
-
-
-
-
-
jtdowney
2 years ago
|
link
| on:
"This destroyes the RSA cryptosystem" (by proving polynomial time bound on integer factorization)
My current feeling is we’re getting a glimpse of a brilliant person who may be having a mental health crises. There are prominent cryptographers who also believe that https://twitter.com/kennyog/status/1367132559117848583.
-
Applied Cryptography by Bruce Schneier is a really good primer on crypto. It’s old, but it’s a really good introduction to the basics, which haven’t changed over the 25 years since it was published.
-
-
-
Required caveats:
https://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/
https://www.schneier.com/blog/archives/2009/09/the_cult_of_sch.html
But in the introduction to Bruce Schneier’s book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem.
-
-
Eraad
2 years ago
|
link
| on:
Ciphey - Automatically decrypt encryptions without knowing the key or cipher, decode encodings
Any encryption experts willing to explain what’s the catch with this kind of software? There must be a catch right?
-
You can look at the Supported Ciphers page and more or less figure it out. It targets historical (read pre-computer) ciphers like the Vigenère cipher. It is not magic and can’t break modern encryption systems. You can try out the cryptopals challenges if you want to give it a shot on your own.
-
-
-
Finally some good news.
Good to know that Microsoft finally went open source … not intentionally but still.
The ReacOS developers could not be more happy I think - to have ready to use/read reference instead of doing time consuming reverse engineering :)
-
-
-
I’m not sure ReactOS developers want to provoke more accusations like this: ReactOS ‘a ripoff of the Windows Research Kernel’, claims Microsoft kernel engineer
-
ReactOS people once halted the development for over a year to make sure there is no ill-gotten code in their repository, where code obtained by disassembling any Microsoft binary was considered just as illegal as leaked source code.
They take the “cleanroom” part very seriously.
Anyway, Windows XP API/ABI support in ReactOS is already very good. The real difficulty with using ReactOS as a free Windows alternative is that it doesn’t support anything beyond the Windows XP ABI, while all new software is now built with the Vista/7 ABI in mind. No modern toolchain, free or non-free, has an option to target WinXP anymore.
-
-
Starting the build of my new 3D printer a Voron 2.2 350mm.
-
I find it odd that CEO Super-Secure didn’t change their password in Slack after the widely publicized 2015 breach, even if they didn’t get a notice from Slack that they were included.
-
My thoughts exactly, especially since he totally threw out $5K of computer equipment…
-
-
feoh
4 years ago
|
link
| on:
Unlimited free private repositories with GitHub Free and a unified business offering with GitHub Enterprise
I’m not a fan of this change actually. I suspect that this will result in a thousand thousand repositories with useful bits of code to be read and re-used will go dark.
That’s a shame.
-
I stopped using GitHub years ago because I couldn’t have private repos for free. I’m sure most people who want to have private repos already do somewhere else.
-
-
-
Still seems legally dubious. According to Harvard Law School’s Copyright Basics, that is copyright infringement. Specifically:
- create a new work derived from the original work (for example, by translating the work into a new language, by copying and distorting the image, or by transferring the work into a new medium of expression)
-
-
-
-
-
-
-
-
-
-
-
having a degree of personal property is a sensible rule, so it would be wrong to steal someones chair in most cases. preventing people from making copies of something at no cost to you crosses the line into unjust power. copyright laws were never justified on the basis of morality: it was always justified on the basis that it would incentivise the creation of new works. maybe a 10 year copyright on books makes sense as a way to incentivize publishers to produce hard copies of a book, but that’s not a question of morality.
this is a good lecture: https://archive.org/details/Dr.RichardStallmanCopyrightVs.Community
-
-
-
-
-
-
-
-
-
Partly I do believe that you have a right to your labor, not just the product of your labor. Thus you have a right to your music video, even if the copying of that music video is free. You have a right to your code, even if it’s on github. You are morally in the wrong if you steal, even when that stealing doesn’t detract from the original work at all.
The natural right of property by the way emerged in the medieval period, and is the basis of all modern civilizations. It is the reason we have the capabilities we have today, and without it, the world would be in a worse place.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
This post has a bizarre mismatch of crypto primitives, and I can honestly say I’ve never seen a system that uses both DES and SHA-512 at the same time. I’d stay very far away from this. Maybe check out tink from Google.
-
There is no way in heck that linus will merge some DIY home rolled crypto code into the kernel
-
-
That’s a good point but missing key detail. I’ll add author did WireGuard which has had good results in both formal verification and code review.
-
-
-
-
-
-
Why not? How would Linus even know if some crypto code was DIY nonsense?
(The subtext of these commits from Jason is that the existing kernel crypto APIs are not particularly good, IMO.)
-
Free software with restrictions on use isn’t free software. Aside from being really hard to identify what does/doesn’t do harm (in essence making the Hippocratic unenforceable - is such software prohibited in United Nation humanitarian operations, since they are staffed by military personnel?), trying to put our current morals into license form just doesn’t work.
50 years ago, homosexual and transgender people were considered harmful, and would be prohibited under such a license, and at the time people thought this was right, moral, and just. I think it would be arrogant to pretend that we’re at the pinnacle of moral judgement now.
So let’s leave licenses open to all use, rather than ruling out behaviour we think is immoral now at the cost of the progressive future.
how do you feel about a code of conduct to enforce norms in a community? the same way, or differently? why?
Codes of conduct describe practices for how people develop the software, it doesn’t change the way free software can be used by users, or who is even allowed to be a user.
If you want to set rules on how you work as a team, that’s just fine, but that’s different from then prohibiting certain uses by people or organisations outside your team because you don’t agree with those uses.
To send a question back at you, how do you view the morality of use for things like evacuation and disaster relief efforts that involve the military (for example, in the UK a lot of COVID support was done by the military), which under the Hippocratic license would be, at first blush, prohibited?
i’d say it’s exactly the same; setting the code of conduct enforces who is in and who is out; same with the license.
i’d say it’s within the spirit of acceptable usage; so it would be fine.
Unfortunately licenses don’t operate on spirits or hopes, and the Hippocratic license says:
3.1. The Licensee SHALL NOT, whether directly or indirectly, through agents or assigns:
3.1.20. Military Activities: Be an entity or a representative, agent, affiliate, successor, attorney, or assign of an entity which conducts military activities;
This clearly sets out that if you, the licensee, are a representative of an org that conducts military activities, you cannot use the software. It’s clear cut and dry.
But the point that is being hit on here, by both of us, is there there is clearly nuance in use of the software. The intent of the relicensing is to limit it to peaceful and progressive, humanitarian use. The problem is that the legal wording of the license does actually prohibit this use if you happen to be from the wrong team when you are conducting those progressive/humanitarian goals. The software could not be used in any such efforts such as rapidly deployed military hospitals to disaster zones, military helicopter search and rescue teams, coast guard, etc.
But, I promise I’m not trying to say “military good” - the underlying point is that software ends up being used in all sorts of delicately nuanced and varied situations that we cannot possibly predict, and so by trying to suggest that we can ahead-of-time predict all these nuanced cases we will either be overly restrictive, or not restrictive enough. Given that the nature of progress is to improve upon ourselves, I would rather less restrictive to allow for uses I couldn’t have predicted, rather than stifle them because we are relatively backwards compared to our progressive peers in the future.
licenses, like all legal agreements, are merely systems through which the world is interpreted; i.e. it’s the spirit of the intention.
i’m not saying the hippocratic license is perfectly worded; and of course i didn’t design it; but it’s certainly possible to have different interpretations of a piece of legal writing.
i think i agree with you that i don’t want to be overly specific, and i’d probably agree that the hippocratic license is a bit too specific; so i’m open to alternatives (hence this conversation)
i’d hope there’s a middle ground between MIT and the Hippocratic license; and i think i’m arguing that i’d prefer to err towards hippocratic vs MIT, because at least that enables me to say something about what i want.
This is actually what lawyers try very hard to remove. They like things that are clear and settled.
for what it’s worth, while i think this is a side issue to the central point - namely, how can we as programmers have some say on how software is used; and in particular try and push our industry towards positive applications of software; or at least not planet-destroying usages - i don’t think you’re right at all.
law is all about interpreting the essence in certain settings; so while i’m sure the hippocratic license doesn’t get it perfect; i’m sure there is a way to make a best effort, that does not necessitate total prediction of the future.
Licenses based in morality are guaranteed to be restrictive, since morality itself is relative. Same with “positive applications”, or “not planet-destroying usages” - relative topics, and licenses based on these are bound to be restrictive. As an example, software that cannot be used for deforestation applications (say controlling the mechanical saw) cannot be used in locations where primary source of fuel is wood and no alternative exists.
In my experience, it is a futile effort to try and enforce some arbitrary definition of “positive applications”, “not planet-destroying” etc., without also restricting valid, legitimate, and moral use (moral as per the license author, who actually wishes to allow moral use).
A project with a proper FOSS license and a highly restrictive CoC can still be legitimately forked into a community with a different or even contradicting CoC.
A project with a restrictive license can’t be legitimately forked away into a contradicting license.
indeed!
and that’s exactly what i’m going for :)
My point is that this is what makes it not be “exactly the same” that you responded above. :)
A license ties your moral judgements to the code, a CoC ties your moral judgements to your community.
I understand that you want to tie moral judgements to code, but that’s where the disagreement lies. I, and I suspect other people you’re debating here, believe that we should be free to legitimately fork away from moral judgements. It’s less of a debate of whether the moral judgements are objectively correct or absolute or pious or whatever.
i see
i suppose what i’m getting at is, at what point do we as a tech community take a stand against various injustices? one way is through the companies we work for, and the communities we support. but what about the open-source work we do? are we doomed to just always be left open to abuse and misuse; or is there some avenue by which we can exercise personal judgement there as well? clearly there’s some level on which people are “okay” with this (i.e. GPL licenses, etc; which maybe while somewhat widely frustrating, also get traction). my interest lies in exploring that domain where we’re concerned with social good.
it seems a shame to not at least attempt to explore this space, given how pervasive software is.
I don’t think there’s much disagreement about the existence of injustices (no matter that our definitions of injustice changes over time) and the need to take actions against them.
The disagreement is more about whether action should be taken at all layers and aspects of life/society/technology, or whether there are some places where it’s more appropriate to encode restrictions vs others where it’s less appropriate.
In my view, the community code of conduct is a very appropriate avenue for this. We can create or think of other avenues, too! I don’t feel that the code license is a good fit, for many reasons already expressed elsewhere in this debate. :)
I understand the urge to be absolute and complete in sanctioning people we disagree with, and maybe it’s a political axis spectrum thing. I tend to land more on sanctions through voluntary relations (deplatforming, refusing to trade, etc) rather than through mechanical means (restricting access to technology, safety, food, oxygen, whatever extreme we can imagine). I’m sure it’s a varying spectrum for many people. I’ve seen some people express this as “higher level” (social) vs “lower level” (physical).