Community: ibbit.at

This Week In Security: Getting Back Up to Speed

Editor’s Note: Over the course of nearly 300 posts, Jonathan Bennett set a very high bar for this column, so we knew it needed to be placed in the hands of somebody who could do it justice. That’s why we’re pleased to announce that Mike Kershaw AKA [Dragorn] will be taking over This Week In Security! Mike is a security researcher with decades of experience, a frequent contributor to 2600, and perhaps best known as the creator of the Kismet wireless scanner. He’ll be bringing the column to you regularly going forward, but given the extended period since we last checked in with the world of (in)security, we thought it would be appropriate to kick things off with a review of some of the stories you may have missed.

Hacking like it’s 2009, or 1996

Hello all! It’s a pleasure to be here, and it already seems like a theme of the new year so far has been bringing in the old bugs: what’s old is new again, and 2026 has seen several fixes to some increasingly ancient bugs.

Telnet

Reported on the OpenWall list, the GNU inetd suite brings an update to the telnet server (yes, telnet) that closes a login bug present since 2015, linked to environment variable sanitization. Under the covers, the telnet daemon uses /bin/login to perform user authentication, but it also has the ability to pass environment variables from the client to the host. One of these variables, USER, is passed directly to login — unfortunately this time with no checking to see what it contains. By simply passing a USER variable of “-froot”, login would accept the “-f” argument, meaning “treat this user as already logged in”. Instant root! If this sounds vaguely familiar, it might be because the exact same bug was found in the Solaris telnetd service in 2007, including using the “-f” argument in the USER variable. An extremely similar bug targeting other variables (LD_PRELOAD) was found in the FreeBSD telnetd service in 2009, and other similar bugs have afflicted AIX and other Unix systems in the past.
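As an added illustration of the defensive side of this bug class (not code from inetutils or any of the daemons named above), here is a hypothetical Go daemon fragment that allowlists which client-supplied environment variables reach login and refuses a USER value that login could read as an option; the argv layout is an assumption of the example, not any real telnetd’s.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
)

// Allowlist of client-supplied environment variables the (hypothetical)
// daemon will hand to the login program. LD_PRELOAD and friends are not on
// it, so they are dropped rather than inherited by login.
var forwardedEnv = map[string]bool{
	"USER": true, "TERM": true, "LANG": true, "DISPLAY": true,
}

// A login name may not begin with '-', so login can never parse it as an
// option such as "-f"; the rest is the POSIX portable user-name character
// set with a sane length bound.
var userPattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$`)

var ErrBadUser = errors.New("client-supplied USER rejected")

// SanitizeClientEnv filters what the client sent. It returns the variables
// that will be forwarded, the names that were dropped, and ErrBadUser if USER
// is present but unsafe to hand to login.
func SanitizeClientEnv(client map[string]string) (map[string]string, []string, error) {
	kept := make(map[string]string)
	var dropped []string
	for name, value := range client {
		if !forwardedEnv[name] {
			dropped = append(dropped, name)
			continue
		}
		if name == "USER" && !userPattern.MatchString(value) {
			return nil, nil, ErrBadUser
		}
		kept[name] = value
	}
	sort.Strings(dropped)
	return kept, dropped, nil
}

// LoginArgv builds the argument vector for /bin/login as this example's
// daemon would exec it: fixed flags first, the already validated user name
// as the final operand. The validation is repeated here so the argv builder
// is safe even if a caller skips SanitizeClientEnv.
func LoginArgv(remoteHost string, env map[string]string) ([]string, error) {
	user, ok := env["USER"]
	if !ok {
		return []string{"/bin/login", "-p", "-h", remoteHost}, nil
	}
	if !userPattern.MatchString(user) {
		return nil, ErrBadUser
	}
	return []string{"/bin/login", "-p", "-h", remoteHost, user}, nil
}

func main() {
	// Constructed client environments: one benign, one carrying the "-froot" trick.
	for _, client := range []map[string]string{
		{"USER": "alice", "TERM": "xterm", "LD_PRELOAD": "/tmp/constructed.so"},
		{"USER": "-froot", "TERM": "xterm"},
	} {
		kept, dropped, err := SanitizeClientEnv(client)
		fmt.Printf("kept=%v dropped=%v err=%v\n", kept, dropped, err)
	}
}
```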
Of course, nobody in 2026 should be running a telnet service, especially not exposed to the Internet, but it’s always interesting to see the old style of bugs resurface.

Glibc

Also reported on the OpenWall list, glibc — the GNU LibC library which underpins most binaries on Linux systems, providing kernel interfaces, file and network I/O, string manipulation, and most other common functions programmers expect — has killed another historical bug, present since 1996 in the DNS resolver functions, which could be used to expose some locations on the stack. Although not directly exploitable, the getnetbyaddr resolution functions could still help in breaking ASLR, making other exploits viable. Address Space Layout Randomization (ASLR) is a common method of randomizing where in memory a process and its data are loaded, making trivial exploits like buffer overflows much harder to execute. Being able to expose the location of the binary in memory by leaking stack locations weakens this mechanism, possibly exposing a vulnerable program to more traditional attacks.

MSHTML

In February, Microsoft released fixes under CVE-2026-21513 for the MSHTML Trident renderer – the one used in Internet Explorer 5. Apparently still present in Windows, and somehow still accessible through specific shortcut links, it’s the IE5 and ActiveX gift that keeps on giving, and it is being actively exploited.

Back in the modern era…

After that bit of computing nostalgia, let’s look at some interesting stories involving slightly more contemporary subjects.

Server-side JS

It’s easy to think of JavaScript as simply a client-side language, but of course it’s also used in server frameworks like Node.js and React, the latter being used heavily in the popular Next.js framework’s server components. Frameworks like React blur the lines between client and server, using the same coding style and framework conventions in the browser and in the server-side engine.
React and Next.js allow calling server-side functions from the client side, mixing client- and server-side rendering of content, but due to a deserialization bug, React allowed any function to be called from a non-privileged client. Cleverly named React2Shell, it has rapidly become a target for bulk exploitation, with Internet-scale monitoring firm GreyNoise reporting 8 million logged attempts by early January 2026. At this point, it’s safe to assume any Internet-exposed vulnerable service has been compromised.

Too much AI

As previously covered by Hackaday, the curl project is officially ending bug bounties due to the flood of bogus submissions from AI tools. The founder and project lead, Daniel Stenberg, has been critical of AI-generated bug bounty reports in the past, and has finally decided the cost is no longer worth the gains. In many ways this calls to mind the recent conflict between the ffmpeg team and Google, where Google Project Zero discovered a flaw in the decoding of a relatively obscure codec, assigning it a 90-day disclosure deadline and raising the ire of the open source volunteer team. The influx of AI-generated reports is the latest facet of the friction between volunteer-led open source projects and paid bug bounties or other commercial interests. Even with sponsorship backing, the reach of popular open-source libraries and tools like curl, OpenSSL, BusyBox, and more is often far, far greater than the compensation offered by the biggest users of those libraries — often trillion dollar multinational companies. Many open source projects are the passion project of a small set of people, even if they become massively popular and critical to commercial tools and infrastructure.
While AI tooling may generate actionable reports, when it is deployed by users who may not themselves be programmers and are unable to verify the results, it puts the time drain of determining validity, and at times arguing with the submitter, entirely on the project maintainers. As the asymmetry increases, more small open source teams may start rejecting clearly AI-generated reports as well.

OpenSSL, Again

The OpenSSL library, another critical component of Internet infrastructure with a very small team, suffers from a vulnerability in PKCS12 parsing which appears to be a relatively traditional memory bug involving null pointers, stack corruption, or buffer overflows; in the best case it causes a crash and in the worst case allows arbitrary code execution. (Insert obligatory XKCD reference here.) PKCS12 is a certificate storage format which bundles multiple certificates and private keys in a single file – similar to a zip or tar for certificate credentials. Fortunately, PKCS12 files are typically already trusted, and methods to upload them are not often exposed to the Internet at large. Unfortunately, potential code execution, even when limited to a trusted network interface, is rarely a positive thing.

Notepad++

The Notepad++ team has released a write-up about the infrastructure compromise which appears to have enabled a state-level actor to deliver infected updates to select customers. Notepad++ is a fairly popular alternative to the classic Notepad app found on Windows, with support for syntax highlighting, multiple programming languages, and basic IDE functionality. According to the write-up by the team, based on findings by independent researchers, in June 2025 the shared hosting service which served updates to Notepad++ was compromised, and remained so until September of 2025. The root of the issue lies in the update library WinGUp, used by Notepad++, which did not validate the downloaded update, leaving it vulnerable to redirection and modification.
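As an added example, not WinGUp or Notepad++ code, here is the kind of check an updater like the one just described was missing: the client carries a pinned Ed25519 public key, and the downloaded manifest, installer and signature must all agree under that key before anything runs. The manifest layout and the release serial used for rollback protection are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest describes one release. Serial increases with every release and is
// what the client uses to refuse downgrades; Version is informational only.
type Manifest struct {
	Serial  uint64
	Version string
	SHA256  [32]byte // digest of the installer bytes
}

// canonical is the exact byte string that is signed and verified. Both sides
// build it the same way, so nothing the server sends is trusted unparsed.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("serial=%d\nversion=%s\nsha256=%x\n", m.Serial, m.Version, m.SHA256))
}

// GenerateKeys makes a publisher key pair (nil reader selects crypto/rand).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Digest is the installer hash a manifest carries.
func Digest(installer []byte) [32]byte { return sha256.Sum256(installer) }

// Sign runs in the release pipeline with a private key that never ships.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// Updater is the client side: the public key is compiled into the binary, so
// a compromised download host cannot substitute its own key.
type Updater struct {
	TrustedKey      ed25519.PublicKey
	InstalledSerial uint64
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the embedded key")
	ErrRollback     = errors.New("manifest is not newer than the installed release")
	ErrHashMismatch = errors.New("installer bytes do not match the signed digest")
)

// Verify takes a downloaded manifest, its signature and the installer bytes.
// Only a nil result means the installer may be executed.
func (u Updater) Verify(m Manifest, sig, installer []byte) error {
	// 1. Authenticity: the manifest must have been signed by the publisher.
	if !ed25519.Verify(u.TrustedKey, m.canonical(), sig) {
		return ErrBadSignature
	}
	// 2. Freshness: a genuine but older manifest must not reinstall old bugs.
	if m.Serial <= u.InstalledSerial {
		return ErrRollback
	}
	// 3. Integrity: the bytes actually downloaded must be the ones signed for.
	if Digest(installer) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := GenerateKeys()
	installer := []byte("constructed installer payload, release 2")
	m := Manifest{Serial: 2, Version: "8.9.0", SHA256: Digest(installer)}
	sig := Sign(priv, m)
	client := Updater{TrustedKey: pub, InstalledSerial: 1}

	fmt.Println("genuine update:    ", client.Verify(m, sig, installer))
	fmt.Println("trojaned installer:", client.Verify(m, sig, []byte("swapped on the host")))
	edited := m // host rewrites the digest to match its replacement, but cannot re-sign
	edited.SHA256 = Digest([]byte("swapped on the host"))
	fmt.Println("edited manifest:   ", client.Verify(edited, sig, []byte("swapped on the host")))
}
```

Transport security (TLS, certificate pinning) still matters for privacy and availability, but with this check in place a hijacked host can only serve releases the publisher actually signed.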
With control of the update servers, the attackers were able to send specific customers to modified, trojaned updates. An important take-away for all developers: if your project can self-update, make sure that the update process is secure against malicious actors. That can mean not only the complex issue of validating the certificate chain, but sometimes embedding trusted certificates in your software (or firmware) and using them to validate that the update file itself has not been modified.

WiFi Isolation

Finally, we have a new paper on WiFi security, with a new attack dubbed “AirSnitch”. From a team of collaborators including Mathy Vanhoef (a frequent publisher of modern WiFi attacks including the WPA2 KRACK attacks, and a driving force behind deprecating WPA2), AirSnitch defeats a protection in wireless networks known as “client isolation”. Client isolation acts essentially as a firewall mechanism, which attempts to offer wireless clients an additional layer of security by preventing communication between clients on the same network. Optimally, this would prevent a hostile or infected client from communicating with other clients, despite being on the same shared network. On a WPA encrypted WiFi network, each client has an individual key used for encryption, and a shared group key used by all clients for broadcast and multicast communication. For one client to communicate with another, the access point must decrypt the traffic from the first and re-encrypt it to the second. Preventing communication between clients should be as simple as not performing that re-encryption between clients; however, by cloning the MAC address of the target client and establishing a second connection to the access point, and further manipulating the internal state of the access point with injected packets, a hostile device can cause the access point to share the data of the target, essentially converting the behavior of the network to a legacy Ethernet hub.
How significantly this might impact you will vary wildly, and the full impact of the attack will likely take some time to be understood. An attacker still needs access to the network – for a WPA network this means the PSK must be known, and for an Enterprise network, login credentials are still required. Typically home networks don’t use client isolation at all – most home users expect devices to be able to communicate directly – and most public access networks use no encryption at all, leaving clients exposed to the same level of risk by default. Networks with untrusted clients, like educational campus networks or business bring-your-own-device networks, are likely at the greatest risk, but time will tell.

From Blog – Hackaday via this RSS feed

Community: ibbit.at

Linux Fu: The USB WiFi Dongle Exercise

Image: The TX50U isn’t very Linux-friendly

If you’ve used Linux for a long time, you know that we are spoiled these days. Getting a new piece of hardware back in the day was often a horrible affair, requiring custom kernels and lots of work. Today, it should be easier. The default drivers on most distros cover a lot of ground, kernel modules make adding drivers easier, and dkms can automate the building of modules for specific kernels, even if it isn’t perfect. So ordering a cheap WiFi dongle to improve your old laptop’s network connection should be easy, right? Obviously, the answer is no, or this would be a very short post.

Plug and Pray

The USB dongle in question is a newish TP-Link Archer TX50U. It is probably perfectly serviceable for a Windows computer, and I got a “deal” on it. Plugging it in caused it to show up in the list of USB devices, but no driver attached to it, nor were any lights on the device blinking. Bad sign. Pro tip: lsusb -t will show you which drivers are attached to which devices. If you see a device with no driver, you know you have a problem. Use -tv if you want a little more detail. The lsusb output shows the device as a Realtek, so that tells you a little about the chipset inside. Unfortunately, it doesn’t tell you exactly which chip is in use.

Internet to the Rescue?

Image: Note that most devices (including the network card) have drivers since this was taken after the driver install. The fingerprint scanner (port 5 device 3) does not have a driver, however.

My first attempt to install a Realtek driver from GitHub failed because it was for what turned out to be the wrong chipset. But I did find info that the adapter had an RTL8832CU chip inside. Armed with that nugget, I found [morrownr] had several versions, and I picked up the latest one. Problem solved? Turns out, no. I should have read the documentation, but, of course, I didn’t. So after going through the build, I still had a dead dongle with no driver or blinking lights.
Then I decided to read the file in the repository that tells you what USB IDs the driver supports. According to that file, the code matches several Realtek IDs, an MSI device, one from Sihai Lianzong, and three from TP-Link. All of the TP-Link devices use the 35B2 vendor ID, and the last two of those use device IDs of 0101 and 0102. Suspiciously, my dongle uses 0103 but with a vendor ID of 37AD. Still, it seemed like it would be worth a shot. I did a recursive grep for 0x0102 and found a table that sets the USB IDs in os_dep/linux/usb_intf.c. Of course, since I had already installed the driver, I had to change the dkms source, not the download from GitHub. That was, on my system, in /usr/src/rtl8852cu-v1.19.22-103/os_dep_linux/usb_intf.c. I copied the 0x0102 line and changed both IDs so there was now a 0x0103 line, too:

    {USB_DEVICE_AND_INTERFACE_INFO(0x37ad, 0x0103, 0xff, 0xff, 0xff), .driver_info = RTL8852C}, /* TP-Link Archer TX50U */

Now it was a simple matter of asking dkms to rebuild and reinstall the driver. Blinking lights were a good sign and, in fact, it worked and worked well.

DKMS

If you haven’t used DKMS much, it is a reasonable system that can rebuild drivers for specific Linux kernels. It basically copies each driver and version to a directory (usually /usr/src) and then has ways to build them against your kernel’s symbols and produce loadable modules. The system also maintains a build/install state database in /var/lib. A module is “added” to DKMS, then “built” for one or more kernels, and finally “installed” into the corresponding location for use by that kernel. When a new kernel appears, DKMS detects the event — usually via package manager hooks or distribution-specific kernel install triggers — and automatically rebuilds registered modules against the new kernel headers. The system tracks which module versions are associated with which kernels, allowing parallel kernel installations without conflicts.
This separation of source registration from per-kernel builds is what allows DKMS to scale cleanly across multiple kernel versions. If you didn’t use DKMS, you’d have to manually rebuild kernel modules every time you did a kernel update. That would be very inconvenient for things that are important, like video drivers for example. Of course, not everything is rosy. The NVidia drivers, for example, often depend on something that is prone to change in future Linux kernels. So one day, you get a kernel update, reboot, and you have no screen. DKMS is the first place to check. You’ll probably find it has some errors when building the graphics drivers. Your choices are to look for a new driver, see if you can patch the old driver, or roll back to a previous working kernel. Sometimes the changes are almost trivial, like when an API changes names. Sometimes they are massive changes and you really do want to wait for the next release. So while DKMS helps, it doesn’t solve all problems all the time.

Extras and Thoughts

I skipped over the part about turning off secure boot because I was too lazy to add a signing key to my BIOS. I’ll probably go back and do that later. Probably. You have to wonder why this is so hard. There is already a way to pass module options. It seems like you might as well let a user jam a USB ID in. Sure, that wouldn’t have helped for the enumeration case, but it would have been perfectly fine with me if I had just had to use modprobe or insmod with a parameter to make the card work. Even though I’m set up for rebuilding kernel modules and kernels, many people aren’t, and it seems silly to force them to recompile for a minor change like this. Of course, another fun answer would be to have vendors actually support their devices for Linux. Wouldn’t that be nice? You could write your own drivers if you have sufficient documentation or the desire to reverse-engineer the Windows drivers. But it can take a long time.
User-space drivers are a little less scary, and some people like using Rust. What’s your Linux hardware driver nightmare story? We know you have one. Let us hear about it in the comments. From Blog – Hackaday via this RSS feed
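Pulling together the lsusb -t tip and the USB ID table check from the article above, here is an added Go triage tool (not part of the article or of the morrownr driver) that finds interfaces with no bound driver in lsusb -tv output and reports whether a driver’s usb_intf.c-style table already lists them; the lsusb output and the table excerpt are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of `lsusb -tv` output in the shape the article
// describes: interfaces with an empty Driver= field are the ones nothing has
// claimed. 37ad:0103 is the ID from the article; the others are illustrative.
const sampleLsusb = `/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/12p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
    |__ Port 3: Dev 2, If 0, Class=Vendor Specific Class, Driver=, 480M
        ID 37ad:0103
    |__ Port 5: Dev 3, If 0, Class=Vendor Specific Class, Driver=, 12M
        ID 27c6:538d
    |__ Port 7: Dev 4, If 0, Class=Wireless, Driver=btusb, 12M
        ID 8087:0026 Intel Corp.
`

// Constructed excerpt of a driver's USB ID table, in the style of the
// usb_intf.c line quoted in the article (TP-Link vendor 0x35b2, 0x0101/0x0102).
const sampleTable = `
{USB_DEVICE_AND_INTERFACE_INFO(0x35b2, 0x0101, 0xff, 0xff, 0xff), .driver_info = RTL8852C}, /* TP-Link */
{USB_DEVICE_AND_INTERFACE_INFO(0x35b2, 0x0102, 0xff, 0xff, 0xff), .driver_info = RTL8852C}, /* TP-Link */
`

// Device is one "Port N: Dev M" line plus the ID line that follows it.
// Driver is empty when no kernel driver bound to the interface.
type Device struct {
	Port, Dev, Driver string
	Vendor, Product   string // lower-case hex without 0x
}

var (
	devLine    = regexp.MustCompile(`Port (\d+): Dev (\d+),.*Driver=([^,]*),`)
	idLine     = regexp.MustCompile(`^\s*ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})`)
	tableEntry = regexp.MustCompile(`USB_DEVICE_AND_INTERFACE_INFO\(0x([0-9a-fA-F]{4}),\s*0x([0-9a-fA-F]{4})`)
)

// ParseLsusbTree turns lsusb -tv text into Devices.
func ParseLsusbTree(out string) []Device {
	var devs []Device
	for _, line := range strings.Split(out, "\n") {
		if m := devLine.FindStringSubmatch(line); m != nil {
			devs = append(devs, Device{Port: m[1], Dev: m[2], Driver: strings.TrimSpace(m[3])})
		} else if m := idLine.FindStringSubmatch(line); m != nil && len(devs) > 0 {
			d := &devs[len(devs)-1]
			d.Vendor, d.Product = strings.ToLower(m[1]), strings.ToLower(m[2])
		}
	}
	return devs
}

// Driverless keeps only the interfaces no kernel driver has bound to.
func Driverless(devs []Device) []Device {
	var out []Device
	for _, d := range devs {
		if d.Driver == "" {
			out = append(out, d)
		}
	}
	return out
}

// TableIDs lists the "vid:pid" pairs a driver source table claims.
func TableIDs(src string) map[string]bool {
	ids := make(map[string]bool)
	for _, m := range tableEntry.FindAllStringSubmatch(src, -1) {
		ids[strings.ToLower(m[1])+":"+strings.ToLower(m[2])] = true
	}
	return ids
}

// Triage maps each driverless device's "vid:pid" to whether the table already
// lists it; false means the device needs an entry before the DKMS rebuild.
func Triage(lsusbOut, tableSrc string) map[string]bool {
	ids := TableIDs(tableSrc)
	res := make(map[string]bool)
	for _, d := range Driverless(ParseLsusbTree(lsusbOut)) {
		key := d.Vendor + ":" + d.Product
		res[key] = ids[key]
	}
	return res
}

// SuggestEntry formats the table line to add, matching the article's edit.
func SuggestEntry(vid, pid, chip, comment string) string {
	return fmt.Sprintf("{USB_DEVICE_AND_INTERFACE_INFO(0x%s, 0x%s, 0xff, 0xff, 0xff), .driver_info = %s}, /* %s */",
		vid, pid, chip, comment)
}

func main() {
	for id, covered := range Triage(sampleLsusb, sampleTable) {
		fmt.Printf("no driver bound to %s; already in table: %v\n", id, covered)
	}
	fmt.Println("candidate line:", SuggestEntry("37ad", "0103", "RTL8852C", "TP-Link Archer TX50U"))
}
```

A false result only tells you the table lacks the ID; whether the silicon behind it is actually the chip the driver supports is the part the article had to find out by hand.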

Community: hexbear.net

William Edward Burghardt Du Bois “A system cannot fail those it was never meant to protect.” - Novo General Megathread for the 20th-26th of February 2026

Educator, essayist, journalist, scholar, social critic, and activist W.E.B. DuBois was born to Mary Sylvina Burghardt and Alfred Dubois on February 23, 1868 in Great Barrington, Massachusetts. He excelled in the public schools of Great Barrington, graduating valedictorian from his high school in 1884. Four years later he received a B.A. from Fisk University in Nashville, Tennessee. In 1890 DuBois earned a second bachelor’s degree from Harvard University. DuBois began two years of graduate studies in History and Economics at the University of Berlin in Germany in 1892 and then returned to the United States to begin a two year stint teaching Greek and Latin at Wilberforce University in Ohio. In 1895, DuBois became the first African American to earn a Ph.D. at Harvard University. His doctoral thesis, “The Suppression of the African Slave Trade in America,” became the first book published by Harvard University Press in 1896. Later that year DuBois married Nina Gomer and the couple had two children. After the death of his first wife in 1950, DuBois married Shirley Graham who remained his wife until his death. DuBois also joined Alpha Phi Alpha and Sigma Pi Phi Fraternities. Before the close of the 19th century, DuBois also taught at the University of Pennsylvania and Atlanta University. During this time, he became the first scholar to systematically study African American urban life. DuBois’s first post-dissertation book, The Philadelphia Negro, released in 1899, determined that housing and employment discrimination were the principal barriers to racial equality and black prosperity in the urban North. His work and conclusions initiated the field of African American urban history. DuBois lacked the black public appeal of his contemporaries such as Booker T. Washington, Marcus Garvey, and Paul Robeson. He remained scathingly critical of white racism his entire life and unlike Washington he was unwilling to seek compromise in the quest for civil rights and racial justice.
In 1903, DuBois published a groundbreaking collection of essays, The Souls of Black Folk, which challenged the civil rights strategies of black leaders like Washington while inspiring a cadre of young black activist scholars to use their work to combat racial oppression. In 1905 DuBois and other black leaders created the Niagara Movement to provide an organizational challenge to segregation and discrimination. DuBois edited the organization’s magazines, the Moon and the Horizon. As the Niagara Movement declined, DuBois became the co-founder of the National Association for the Advancement of Colored People (NAACP) in 1909 and served as the editor of its magazine, The Crisis, until 1934 when he was fired by the organization. DuBois’s departure from the NAACP reflected his disillusionment over the continuing power of white racism and what he felt was the compromising approach of black leaders, including his NAACP colleagues. Moreover, DuBois’s speeches and editorials made him unpopular with many whites and some blacks who, fearing white backlash, refused to support his positions on race. DuBois, however, continued to believe scholarship could promote racial equality. He wrote numerous books and articles including Black Reconstruction in America in 1935. Largely discounted by scholars at the time, the book eventually became the basis for a dramatic reappraisal of the Reconstruction era by scholars in the 1960s and 1970s. His conclusions regarding the progress made by African Americans during the decade of Reconstruction have now been accepted by almost all mainstream historians. By the early 1950s, at the height of the Cold War, DuBois devoted much of his energy to promoting peace between the United States and the Soviet Union. He embraced this controversial position at great personal and professional peril. 
His only foray into politics, a failed run in 1950 as a Socialist for the US Senate seat from New York, drew the attention of the Federal Bureau of Investigation (FBI). Stripped by the State Department of his passport in 1950 and criticized by many former allies and associates in the civil rights struggle, DuBois became a Communist, believing it offered the only hope for working class people around the world and the only major challenge to racism. In 1961 DuBois gave up his citizenship and left the United States permanently for Accra, Ghana. With the support of Ghanaian President Kwame Nkrumah, DuBois became the editor of the proposed Africana Encyclopedia. Before the project was completed, DuBois died in Accra on August 27, 1963, on the eve of the March on Washington, the largest civil rights demonstration in the US to that date.

The Souls of Black Folk

hello everyone - happy Black history month 🌌 here’s a massive archive list of Black and Marxist writing and film (with downloads!) to check out xoxo

Megathreads and spaces to hang out:
🐻 Link to all Hexbear comms https://hexbear.net/post/1403966
🐼 Hexbear Matrix Chat https://matrix.to/#/#Hexbear:matrix.org
📀 Come listen to music and watch movies with your fellow Hexbears nerd, in Cy.tube https://live.hexbear.net/c/movies
🔥 Read and talk about current topics in the News Megathread https://hexbear.net/post/7531752
⚔ Come talk in the New Weekly PoC thread https://hexbear.net/post/7600771
🏳️‍⚧️ Talk with fellow Trans comrades in the New Weekly Trans thread https://hexbear.net/post/7538588
👊 New Weekly Improvement thread https://hexbear.net/post/7525475
🧡 Disabled comm megathread https://hexbear.net/post/7454726
☕ Parenting Chat https://hexbear.net/post/7526773
🐉 Anime & Manga discussion thread https://hexbear.net/post/7546692
🎩 Fashion megathread https://hexbear.net/post/7228810

reminders:
💚 You nerds can join specific comms to see posts about all sorts of topics
💙 Hexbear’s algorithm prioritizes comments over upbears
💜 Sorting by new you nerd
🐶 Join the unofficial Hexbear-adjacent Mastodon instance toots.matapacos.dog

Links To Resources (Aid and Theory):
Aid:
🌈 LGBTQ+ Resource Post
🍉 Resources for Palestine
🐌☕ Zapatista Coffee
Theory:
❤️ Foundations of Leninism
❤️ Anarchism and Other Essays

Financial Support to the Bearsite
🇨🇳 https://liberapay.com/hexbear
🇷🇺 https://www.patreon.com/hexbear

Community: slrpnk.net

The UK quit coal. But is burning Louisiana’s trees any better?

cross-posted from: https://lemmy.zip/post/58622442
cross-posted from: https://hexbear.net/post/7576731
cross-posted from: https://news.abolish.capital/post/25614

Kathleen Watts’ flowers bloom much brighter now that the wind no longer blows black. Pulling weeds in the garden outside her redbrick house, she recalled when coal dust would sometimes drift through her quiet corner of northern England, a rolling patchwork of farms and villages under the shadow of what was once the United Kingdom’s largest coal-burning power station. “When the dust came our way, we’d have to come out and clean our windows,” said Watts, who has lived in the North Yorkshire village of Barlow for more than 30 years. “And when we’d get snow in winter, there’d be a lot of black over it.” Thankfully, she said, the wind usually blew northeast, pushing the station’s smoke and dust toward Scandinavia. Locals liked to joke that the air pollution was mostly Norway’s problem. There, it caused bouts of acid rain that damaged forests and poisoned lakes.

The U.K. has quit coal — a lengthy process culminating in the closure of the country’s last deep-pit coal mine in 2015 and the shutdown of the U.K’s last coal plant in 2024. The giant station near Barlow, however, is busier than ever, fueled now by American forests rather than English coalfields. Trees felled, shredded, dried, and pressed into pellets in Louisiana and Mississippi are shipped across the Atlantic Ocean, loaded onto trains, and then fed into the station’s immense boilers. Operated by Drax Group, the station gradually stopped burning coal until it made a full switch to wood in 2023. It now burns enough pellets to generate about 6 percent of the country’s electricity.

Photo: Purple flowers crowd a field near the Drax power station in Drax, England. The former coal plant now runs entirely on wood pellets, which the company markets as “sustainable biomass.” Tristan Baurick / Verite News

The U.K. government, in a bid to meet its ambitious climate goals, is giving Drax the equivalent of $2.7 million a day in subsidies to keep burning pellets, which the company touts as “environmentally and socially sustainable woody biomass.” But a growing number of Brits aren’t buying it. After years of celebrating the shift away from coal, U.K. residents are realizing that wood pellets aren’t the cleaner, greener alternative they were supposed to be. “I still have difficulties in my little brain figuring out how you can grow wood at the other end of the Earth, chip it, ship it to here … and then burn it, and say, ‘Isn’t that nice and green?’” said Steve Shaw-Wright, a former coal miner who serves on the North Yorkshire Council.

Burning wood for power instead of one of the dirtiest fossil fuels offers the illusion of sustainability and robust climate action, said William Moomaw, an emeritus professor of international environmental policy at Tufts University. But in reality, it’s doing more harm to the environment than burning fossil fuels, he said. “England is off coal — isn’t that wonderful?” Moomaw said. “But there’s no mention of the fact that it’s because they’re now burning wood from North America, which emits more carbon dioxide per kilowatt of electricity than does coal.”

Photo: Sawdust piles up at Drax’s wood pellet mill near Urania, Louisiana. The mill presses sawdust into pellets that are burned in a former coal plant in Yorkshire, England. Eric J. Shelton / Mississippi Today

The Drax station in North Yorkshire emitted more than 14 million tons of carbon dioxide in 2024, making it the largest single source of CO2 in the U.K., according to a report last year from the climate research group Ember. That amount is more than the combined emissions from the country’s six largest gas plants and more than four times the level of the U.K.’s last coal plant.
A Drax spokesperson called Ember’s research “deeply flawed” and accused the group of choosing to “ignore the widely accepted and internationally recognized approach to carbon accounting,” which is used by the United Nations and other governments. But several scientists say burning wood can’t help but produce more emissions. Wood has a lower density than coal and other fossil fuels, so it must be burned in higher volumes to produce the same amount of energy. Between 2014 and 2019 — a period when coal was in steep decline — the country’s CO2 emissions from U.S.-sourced pellets nearly doubled, according to a report by the Chatham House research institute in London. “Almost all of this U.K. increase was associated with biomass burnt at Drax,” the report’s authors wrote. The station’s cross-continental supply chain is also heavy on emissions. For every ton of pellets Drax burns, about 500 pounds of CO2 are released just from making and transporting the product, according to Chatham House. About half of Drax’s supply chain emissions are tied to production, while transportation via trucks, trains, and ships accounts for 44 percent, according to the company’s estimates. The switch from coal to pellets created a new pollution problem in Louisiana and Mississippi, where most of the station’s fuel is produced. Drax’s pellet mills have repeatedly violated air quality rules at its two Louisiana mills, located near Bastrop and Urania, and its mill in Gloster, Mississippi. The mills emit large quantities of formaldehyde, methanol, and other toxic chemicals linked to cancers and other serious illnesses, according to regulatory findings and public health studies. Residents of these poor, mostly Black communities say the mills’ dust and pollution are making them sick. In October, several Gloster residents sued the company, alleging that Drax has “unlawfully released massive amounts of toxic pollutants” in their community for nearly a decade. 
The Drax spokesperson said the company is improving its mills’ pollution controls in line with a longstanding dedication to “high standards of safety and environmental compliance.” On its website, Drax says the company is “committed to being a good neighbor in the communities where we operate,” offering funding for environmental education programs, ensuring its wood is sourced from “well-managed forests,” and supporting land conservation efforts, including the establishment of a 350-acre nature reserve near Watts’ home in Barlow. Much of the timber that Drax harvests comes from private lands in the Southern United States that function more as tree farms than natural forests. But in recent years, Drax has sourced an increasing share of its wood from western Canada, including from British Columbia’s treasured old-growth forests. In 2024, Drax agreed to pay a nearly $32 million penalty after U.K. energy regulators determined the company had been misreporting data on where it sources its wood and how much of it comes from environmentally important woodlands. The practice of pelletizing Canada’s mature trees appears ongoing, according to a recent report by the environmental group Stand.earth. Citing logging data from 2024 and 2025, the group claims Drax has been accepting truckloads of trees from British Columbia that were hundreds of years old. Drax downplayed the report, emphasizing that the logs were legally harvested and of insufficient quality to go to sawmills. Drax sees itself as one of the most environmentally conscious companies on the planet. “Sustainability is the cornerstone of long-term success and the transformation of our business,” said Miguel Veiga-Pestana, Drax’s chief sustainability officer, in a statement. While most pellets Drax makes in the U.S. are derived from logged trees, the company also uses sawdust and other leftovers from lumber mills. 
The company supports forest thinning, a practice it says can ease crowding in densely planted timberlands, improve the health of the remaining trees, and diversify habitat for wildlife. “By ensuring that we source sustainable biomass, and that we embed sustainable practices into every facet of our operations, we can build lasting value,” Veiga-Pestana said.

Photo: Water vapor escapes a cooling tower at the Drax power station in Drax, England. The station is the largest wood pellet-burning facility in the U.K. and was originally developed to burn coal. Gary Calton / The Guardian

The value of the entire utility-scale wood pellet industry depends on what many scientists call an “accounting loophole” entrenched in some of the earliest international policies aimed at combating climate change. During the 1990s, the United Nations’ Framework Convention on Climate Change and the Kyoto Protocol established land use and energy use as two separate categories for counting a country’s greenhouse gases. To avoid double counting wood burning across both land-use and energy-use categories, the U.N. assigned wood pellet emissions only to the land-use sector, believing that normal forest regrowth would keep pace with the modest harvests for pellet production. The wood pellet industry at the time was tiny, selling the bulk of its products to homeowners with small pellet-burning stoves. Any carbon released by burning would be balanced by new trees that work as natural CO2 absorbers, the thinking went. The effect, though, was that regulators would count CO2 from burning oil and coal, but CO2 from burning timber could stay off the books. “Drax and other bioenergy companies took that and said, ‘Look, we have no impact — we’re instantly carbon neutral,’” said Mary Booth, director of the environmental organization Partnership for Policy Integrity.

This exemption was incorporated into the Kyoto Protocol, the first international treaty that set legally binding greenhouse gas reduction targets. Experts were soon warning of troubling consequences. In a study published in the journal Science in 2009, scientists said the exemption was an “accounting error” that could spur deforestation and hinder attempts by governments to curb emissions. “The error is serious, but fixable,” said Tim Searchinger, a Princeton University energy policy expert, in a statement at the time. “The solution is to count all the pollution that comes out of tailpipes and smokestacks whether from coal and oil or bioenergy, and to credit bioenergy only to the extent it really does reduce greenhouse gas emissions.” Other scientists challenged the industry’s claim that planting trees would neutralize power station emissions. According to a study from the Massachusetts Institute of Technology, it can take 44 to 104 years for forest regrowth to pay back the carbon debt from pellet burning. While the planet waits decades for the trees to regrow, glaciers melt, seas rise, and weather from droughts to hurricanes grows more extreme.

Photo: Trucks haul lumber in and out of the Amite BioEnergy wood pellet production facility operated by the Drax group in Gloster, Mississippi, on September 24, 2025. Kathleen Flynn / The Guardian

Despite these warnings, the European Union latched on to wood burning as a relatively quick and cheap way to meet tighter climate mandates. Rather than blanket the landscape with wind turbines and solar panels, countries could dust off old coal plants and put them on a diet of “carbon-neutral” pellets. The shift toward bioenergy accelerated in 2009, when the European Union set a target of getting 20 percent of its energy from renewables by 2020. Pellet demand in Germany, Belgium, Italy, and other European countries immediately began to increase, but in the U.K., the growth was explosive.
Between 2012 and 2018, the U.K.’s pellet consumption surged by 471 percent, according to the U.S. Department of Agriculture. The U.K. left the European Union in 2020, and it remains the world’s biggest buyer of wood pellets. In 2024, the country imported nearly 10.3 million tons, a record high spurred partly by a dip in pellet prices. Wood burning has helped the U.K. come within striking distance of its goal to eliminate oil and gas from its electrical generation by 2030. Nearly 74 percent of the national grid is powered by what the government calls “low carbon” energy sources. Wood pellets and other forms of bioenergy supply about 14 percent of the low-carbon mix, with wind, solar, and hydropower accounting for the rest. Every workday, Ian Cunniff climbs into his orange overalls, pounds his helmet tightly on his head, and steps into a cage that drops 459 feet into a maze of dark tunnels littered with old machinery. The stout Yorkshireman is one of the last miners still working in the coal pits, but now his job is to lead tours along the rich seams he once risked his life to dig out. Cunniff is a guide for the National Coal Mining Museum at Caphouse Colliery, a former West Yorkshire mine dating back to the 1790s. His last “real” mining job was at Kellingley Colliery, the U.K.’s last deep coal pit and a major feeder of Drax’s power station before it switched to wood. In the depths of the Caphouse mine, Cunniff grew wistful over the coal still embedded in the walls. The seams once provided nearly everything a man and his family needed, he said. “It was your future; it was your retirement. So much of it has never been touched.” Miners, union members, and the local community take part in a protest march in 2015 in Knottingley, England, marking the end of deep-pit coal mining in Britain. Christopher Furlong / Getty Images Wood pellets didn’t kill the U.K.’s coal industry. 
It began to wither as the country shifted from cheaper, imported coal in the 1980s to natural gas in the 1990s. Coal’s decline left gaping holes in Yorkshire’s economy and social fabric. The wood pellet industry has contributed some jobs and tax dollars, but it can’t replace what the region once had, said Shaw-Wright, the county council member. “With coal, you didn’t really need to get an education much because you were going to get a job at the pit,” he said. “And if you had a job at the pit, you would have it for life.” At its height between the two world wars, the industry employed 1.2 million people in the U.K. In some northern England counties, 1 in 3 residents was employed in coal mining. The Selby Complex, a group of deep-pit mines near the Drax power station, employed about 3,500 workers before it shut down in 2004. The industry also supported cooperative groups that funded social halls, community brass bands, libraries, sports clubs, and welfare programs for injured miners and their families. In contrast, the Drax-dominated bioenergy industry employs about 7,400 people across the U.K., including about 1,000 people at the Drax station. The increasingly automated industry has seen its job numbers fall by more than a third since 2014, according to data from the U.K.’s Office of National Statistics. A similar trend is playing out in Louisiana and Mississippi, where the three Drax wood pellet mills employ far fewer people than the older pulp and paper mills that once played a dominant role in the Deep South. The paper mill in Bastrop, for instance, once employed 1,100 people. Drax’s pellet mill near the town has just 71 workers on its payroll. Read Next The biomass industry promised these Southern towns prosperity. So why are they still dying? 
Tristan Baurick Shaw-Wright appreciates the economic activity the wood pellet industry brings to Yorkshire but said most of the region’s recent job growth actually comes from a surge in distribution centers for online retailers — a trend that has turned Yorkshire into the country’s “capital of warehousing.” Many of these massive facilities now sit on former coal fields, including the old Kellingley Colliery, yet the work of unloading and sorting parcels doesn’t provide the pay, stability, or sheer number of jobs that mining once did. After giving another tour, Cunniff rested in the colliery’s old locker room. He knows coal isn’t coming back, but he doesn’t believe cutting and burning trees to power the grid is any better — for Yorkshire or the planet. “So you’re taking away what’s cleaning the atmosphere, and you’re burning it?” he said. “That’s the big picture, isn’t it?” The Drax power station is the dominant feature across several miles of North Yorkshire countryside. Its 12 cooling towers are each big enough to hold the Statue of Liberty. Every day, about 17 trains full of pellets arrive to top off four storage domes with a combined 360 million-ton capacity. The pellets are pulverized as fine as flour and blown into several boilers. Stored in hangar-like structures in the station’s center, the boilers consume some 8 million tons of pellets each year with fires that reach 2,500 degrees Fahrenheit. Just outside the station’s 3 miles of razor-wire fencing is a village, also called Drax, with one tiny pub. Inside, there was little love for the big neighbor. “They’re taking wood from where they shouldn’t be taking it,” Tony Emmerson said as he sipped a beer at The Huntsman’s bar. “I think we should go back to coal, personally. We’ve got a hundred years of coal right here just waiting to be burned.” Many of Drax’s post-coal era promises — lower energy bills, cleaner air, and a decarbonized grid — have proven hollow, Emmerson said. 
“They get all this tax money but we don’t get cheaper power bills,” said Peter Rust, The Huntsman’s owner. “And they say they’re carbon neutral, but how’s that possible when you have to bring the pellets across an ocean?” Trains unload wood pellets into giant storage domes each day at the Drax power station in Yorkshire, England. Gary Calton / The Guardian The growing doubts about the wood pellet industry are seeping into public debate, leading the government to rethink its support for Drax. Last February, Prime Minister Keir Starmer’s government decided that the current subsidies for Drax would be cut in half in 2027. The subsidy renewal, which lasts until 2031, also requires Drax to increase the proportion of “sustainably sourced” biomass from 70 percent to 100 percent. Michael Shanks, the energy minister, told Parliament that the government made the move because Drax was making “unacceptably large profits” and “simply did not deliver a good enough deal for bill payers.” Shanks, however, emphasized that wood pellets will still play a key role in powering the U.K.’s grid, and he welcomed Drax’s new efforts to bolster its green credentials. That includes a massive investment in carbon capture and storage technology. For years, Drax has been planning a pipeline that would divert about 8.8 million tons of the station’s CO2 emissions into storage under the North Sea. Reduced subsidies, though, are likely to slow these projects, the company has warned. Many Yorkshire residents knew exactly — and proudly — where the Drax station’s coal came from. They’re much less sure about where the wood is sourced. Watts, the gardener in Barlow, assumed the trees were grown on English farms. Shaw-Wright was also far off the mark, thinking the pellets came from Australia. At The Huntsman, guesses were slightly closer, with people calling out South America and Eastern Europe — regions that together supply only 10 percent of the station’s fuel. The fact that the U.S. 
meets nearly 80 percent of the station’s demand was a surprise to many. Environmental groups, meanwhile, have been campaigning for a broader understanding of the industry’s impacts. U.K.-based Reclaim the Power and Biofuel Watch have been highlighting the concerns about emissions as well as the pollution affecting mill towns in Mississippi and Louisiana. Several groups had planned to stage a large protest outside the Drax station in August 2024. Drawing hundreds of activists from around the country, the “Drax Climate Camp” was to feature five days of “communal living and direct action.” But police preemptively arrested 25 protesters and halted a convoy of vehicles carrying tents, composting toilets, wheelchair-accessible matting, and other gear. Activists staged a much smaller protest outside the police station where their fellow campaigners were held, but the groups decided the camp couldn’t continue without the equipment. Climate protesters hold signs outside a police station in York, England, in August 2024. Several of their fellow activists were arrested during preparations for a protest near the Drax power station in rural Yorkshire. Gary Calton / The Guardian Police patrol outside the Drax power station in Yorkshire. Dozens of officers were called to the station in 2024 to prevent a planned protest encampment. Gary Calton / The Guardian The aborted protest got Shaw-Wright thinking more about the connection between the pellet mills in the Deep South and the electricity that lights his home. “Louisiana, that’s where they make the ‘gumba’ and they love cooking crocodiles, right?” Shaw-Wright said, half joking. “I think people will be surprised where the wood comes from and … know nothing of how it’s produced or what it entails. We need to be educated more about the communities that, in essence, benefit the Drax power station. And we all benefit from it. 
But if it’s at the expense of others, it gives you a different perspective.” Rust, the pub owner, wasn’t so reflective, but he was deeply disappointed the camp was quashed. “I thought we were going to get loads more customers,” he said. “I bought loads more bottles when I heard about it. I thought finally Drax was going to do some good for me.”

Community news.abolish.capital

FDA Finalizes Controversial Guidelines for Livestock Antibiotics

February 17, 2026 – Officials at the Food and Drug Administration (FDA) published a final guidance document on Friday that advises drug companies to set “duration limits” for livestock antibiotics in animal feed, without legally obligating them to do so. The duration limit—the maximum length of time a drug should be given—covers medically important antibiotics, which are those used for livestock that are also important in human medicine. When such antibiotics are used for long periods, the risk of bacteria developing resistance to those antibiotics increases. As bacteria develop resistance to more drugs, treating human illnesses becomes harder. In a notice announcing the final guidance, officials said it is “intended to mitigate development of antimicrobial resistance for these antimicrobial drugs.” But public health advocates said the new policy represents a step backward. They note that the agency did not include an upper limit for all drugs, nor did it require companies to consider how duration limits might contribute to increasing antibiotic resistance that could harm humans. The news comes just weeks after FDA data revealed a 2024 spike in sales of medically important drugs for use in cattle, pigs, and poultry. “While FDA claims the guidance is to mitigate antibiotic resistance, it allows drug makers to set durations solely based on animal health needs determined by the drug makers,” Steve Roach, the Safe and Healthy Food Program director at Food Animal Concerns Trust, said in a statement. “FDA could have chosen to set a limit consistent with its mission to protect human health as it has in the past, but decided not to.” As part of a larger plan to encourage the responsible use of medically important antibiotics in agriculture, the FDA has been working for years to push manufacturers to create duration limits for older drugs. But more than a quarter of the drugs still don’t have them. 
In 2023, the agency published a draft of the guidance, drawing pushback from public health advocates and members of Congress. The agency received more than 4,500 comments on the proposal, the vast majority of which were from advocates and individuals who “requested that FDA limit all durations of use to no more than 21 days,” according to the FDA. Comments submitted by industry associations, drug companies, and veterinary organizations included concerns about timelines, clear wording in labeling, and that data used be “of high quality and transparent.” According to the FDA, “all comments were considered as the guidance was finalized.”

The guidance issued last week includes no suggested timelines. Instead, it gives companies leeway to set both a “typical” and “maximum” duration based on multiple factors related to disease risk and how the drug is being used. The agency asks companies to submit their proposed duration limits along with scientific justification, to be approved for drug labels within the next three years. It also suggests companies include precautionary statements, such as, “Feed this drug only to the number of animals necessary to treat, control, or prevent the indicated disease in accordance with the approved conditions of use.” None of the recommendations are legally binding.

The post FDA Finalizes Controversial Guidelines for Livestock Antibiotics appeared first on Civil Eats.

Community lemmy.ml

XZ Hack - "If this timeline is correct, it’s not the modus operandi of a hobbyist. [...] It wouldn’t be surprising if it was paid for by a state actor."

“Paid for by a state actor” Yes, who knows. Could be a lone “black hat” or a group of “black hats”. Who knows. Could be the result of a lot of public criticism in the news regarding Pegasus spyware. Who knows. Could be paid by companies without any state actors involved. Who knows. Could be a lone programmer who wants power or is seeking revenge for some heated mailing list discussion. Who knows.

The question of trust has been mentioned in this case of a sole maintainer with health problems. What I asked myself is: how did this trust develop years ago? People trusted Linus Torvalds and used the Linux kernel to build Linux distributions, to the point that the Linux kernel grew from a tiny hobby thing into a giant project. At some point compiling from source code became less fashionable and most people downloaded and installed binaries. New projects started, and instead of tar and gzip, things like xz and zstd were embraced. When do you trust a person or a project, and who else gets on board a project?

Nowadays something like: curl -sSL https://yadayada-flintstones-revival.com | bash is considered perfectly normal as the default installation of some software. Open source software is cool and has kind of produced a sort of revolution in technology, but there is still a lot of work to do.

Community sh.itjust.works

Article about Hypervisor Cracks

I’d like to start by saying that I don’t have any skin in the game and progress is progress, regardless of how it’s done. What worries me is the amount of misinformation that I’ve seen in this (and other) subs about how dangerous the hypervisor method is and people being confidently incorrect about how to mitigate any potential risks that might come as a result of disabling security features on your device. If you want to use it, that’s completely fine, but you should know what you’re getting into. I work in security, so take this as you will.

EDIT: I’m adding this here since it seems that it wasn’t clear for some people. The risks that I’m talking about below are centered around the idea that you get infected with a kernel / firmware level rootkit / bootkit, not your usual run of the mill malware. If you’re not familiar with what these types of infections are and how it’s possible for them to survive even full wipes, I recommend reading up on them: https://en.wikipedia.org/wiki/Rootkit / https://www.crowdstrike.com/en-us/cybersecurity-101/malware/bootkits/

Here are some of the things that I’ve seen thrown around:

“I’m only using it temporarily then re-enabling all the security features once I’m done with the game” - This would be completely useless. It’s like putting on a bulletproof vest after getting shot.

“I turn off my internet when I use the hypervisor method so I’m safe” - If a really bad infection gets on your system, then it’s gonna stay there. It doesn’t matter if you temporarily turn off your internet. This is useless and at most you’re only avoiding the inevitable (unless you never connect that PC to the internet / LAN ever again).

“I use Windows on a secondary partition for hypervisor games / I will format my PC once I’m done with the hypervisor games” - For the type of infections that you’re exposing yourself to with this method, it doesn’t matter if you use a separate partition or if you format your PC. These are persistent.

“The hypervisor method is open source so it’s safe” - Open source doesn’t mean safe. Are you looking at the code / understanding it every single time you’re downloading a new hypervisor bypass? If not, then this means literally nothing unless big brained people analyze every single crack that’s out there. There have been numerous popular pieces of open source software that were vulnerable / contained malicious artifacts and were undiscovered for months. Just look at the latest incident with Notepad++. This is one of the biggest misconceptions when it comes to open source, with people automatically assuming that it’s 100% safe.

“If anything was malicious people would report it / it would be immediately obvious” - False, and I’m going to point to Notepad++ again. If I was a threat actor and I wanted to do the most amount of damage, I’d play it smart and infect all of my releases but not do anything about it for some time. Malware can lie dormant for as long as you want. You can release “cracked” games for years, then once you have enough compromised PCs, activate the “sleeper agent”. This is the smartest way to go about it because, as we’ve seen already, people are very quick to say “oh yeah, this release is safe, I played it and it worked perfectly, I had no issues”, legitimizing potentially compromised cracks.

“Third party kernel anti cheat is just as dangerous” - Theoretically true, but in practice, no. Multi billion dollar corporations want you to keep playing their games and unless they get severely compromised, their anti cheats will never steal all of your personal / financial information. With a hypervisor bypass you’re trusting random strangers on the internet with the keys to your house and hoping they don’t break in and steal everything.

“Windows Defender is still active so I’m protected” - Defender might as well be a piece of wood at that point. If the “brain” of your computer is compromised, you can’t trust your AV to actually work as it should anymore.

So, what can you do? Realistically, the only truly safe option that you have is to use an isolated PC with its own network that never gets to interact with any of your other home devices. It goes without saying that you shouldn’t log into any sensitive accounts on there. You’d need to be extremely careful with peripherals / external storage as well and not share anything between your computers. Any type of device that has its own memory can turn into an attack vector, depending on how sophisticated the infection is.

I’m not trying to spread fear, but you need to be aware that unfortunately the hypervisor method is objectively the worst way to crack / bypass a game and the risk that you’re exposing yourself to by using it is extremely high. Will it happen to you? Nobody knows, but before you do it, ask yourself if you’re ok with potentially compromising all of your devices and losing access to your accounts. The fact that a very large group of people have suddenly started disabling security features without questioning the stuff that they’re running on their machines is sure to attract the eyes of bad actors. It’s free real estate and you have to be absolutely naive to think that nobody will want to make use of this attack vector.

Be smart, please.

Community lemmy.world

Chrome thinks Firefox is unsafe!

Remember when the meme was about Internet Explorer? IE: What is my purpose? Me: You download Chrome! IE: Oh… my god! Now Chrome isn’t trusted. Even DuckDuckGo is getting dubious. It seems there’s almost nowhere to turn. Your data is their data, and if you don’t like it, you can lump it.

Community lemmy.world

Do you think millennials who grew up with the early Internet and home computers will be as bad with future technology as boomers are with current technology?

“They don’t understand how to use a search engine effectively anymore or how to rapidly filter through large amounts of information to find answers”

This bit, at least, may be at least as much a fault of the environment - the increasing awfulness of search results these days. It used to be you could search a specific issue (e.g., “borked.exe high CPU usage” or “how to partition a drive”) and your first results would be relatively well-written sites run by actual tech people. More recently, though, it feels like:

The first 5-8 results are near-identical “help” sites that are 40% introduction, 40% basic troubleshooting steps, 15% “download our app!”, and 5% actually useful tips.

There are tech site results listed… but they’re from 2016, a different software version, maybe even a different OS.

“Okay, so, to fix this problem you first need… [SIGN IN TO CONTINUE READING]”

If you’re very, very lucky, you’ll find a Reddit (or now, Lemmy) thread on the issue.

I’d consider myself pretty technically savvy, and even I find it frustrating to search for IT info or fixes these days. The newest problem is AI-written answers cooked up for you on the spot, which are frequently completely unhelpful yet pushed to the top of the results.

Community lemmy.world

W10 EoL and possibly switching to Linux (various tech questions)

First, sorry for the long post and billion questions (and hopefully it’s ok in this community? I saw a couple of multiple-question posts without one in the title but I might have misunderstood the rule).

So, my PC is running W10 with ESU, and I’m very paranoid about… most things really, but the relevant one here is malware. I don’t just randomly download stuff from the internet, but I know you can get malware even without consciously doing that, and even though I have an AV (Bitdefender Free) I’m hesitant to just stay on W10 after the free ESU ends. But there’s no way in hell I’m switching to 11. So, besides staying on regular W10, my main options would be Linux or W10 LTSC. And I have various questions regarding these three choices.

I consider myself relatively tech savvy compared to the average person, but definitely ignorant on the matter compared to the average Lemmy user. So it’s not exactly an ELI5, but definitely an ELI15 or something. I also have access to a different, W11 PC that I could use as a “testing environment”.

Option 1: Switching to Linux

Even regardless of security updates, Microsoft is getting on my nerves and I’ve been telling myself I need to switch to Linux or at least dual-boot for a while, but there are various things making me question it: (For most purposes, “Linux” here refers to Mint since that’s usually the one I see recommended for beginners, but if other distros work better for certain aspects I’d appreciate knowing.)

1a - Is there no file system that works perfectly on both Linux and Windows? I could technically dual-boot using two different drives, but what if I need to access/move files between two drives with different file systems? Which issues would I face if, say, one is NTFS and the other is ext4? I think all of my drives are currently in NTFS; would I have to reformat everything to safely access them from Linux without worrying about data/metadata loss?

1b - I read that to open an .exe on Linux I would have to do it through WINE, and that there’s a database to check compatibility of individual programs with it, but are the worst compatibility issues just “the program doesn’t open”, or can a compatibility issue result in data loss/corruption too?

1c - I’m currently using Firefox on Windows; is it possible to copy all my settings and data (browsing history included) from the Windows version to the Linux one?

1d - Other than specific .exe files without WINE compatibility, are there any relatively common file types which can’t be opened with Linux that I should be aware of? (Mostly talking about picture/video/audio/text files, compressed archives or similar.)

1e - What can I mess up by testing a USB live version? Are there any things I should be careful about? I’ve heard “changes aren’t saved”, but that’s referring only to OS configuration, right? And, going back to file systems, can I even access the data that’s on my NTFS drive from a live version or would I just be working with the stuff inside the USB?

1f - I read often that “you can’t get viruses on Linux”, but that’s mostly because they’re not developed specifically for it, so you might “get” them but they won’t work, right? If I dual boot, is there the chance that I get malware while browsing with Linux and then it infects my PC when I boot Windows (even without consciously opening unknown .exe files)?

1g - Which PC components should I pay attention to because they/their drivers might not work on Linux? Is there a site/tool that can check if my current hardware would have any issues? (For example, I have an Nvidia graphics card and I think I read that might be a problem?)

Option 2: Windows 10 LTSC

Linux would be the ideal, but if I get too paranoid or can’t invest enough time in it to figure out how it works before October, my second choice would be W10 LTSC, since from what I understood, that one has much more extended security updates. I do have my share of doubts about it too, though:

2a - I heard there are various different versions of W10 LTSC (IoT or not, RTM, 2021, I think there’s even an Enterprise version that isn’t LTSC?), but what are the actual differences? Is one version objectively better than the others?

2b - I know LTSC is meant to be used in a “company environment”, but are there any downsides to it compared to the Home version? Does it have some hard limitations on what I can do with it? (For example, can I play every Steam game currently supported by regular W10 on it?)

2c - The main place where I’m finding LTSC information is Massgrave; is the procedure to keep files on their page safe/advised or should I backup and format just in case? And after doing that, can I activate it with a key bought from a third-party site? (I heard their Activation Script isn’t 100% perfect, and keys are not that expensive anyway.)

Option 3: Regular Windows 10

If both Linux and LTSC end up being too overwhelming to trust myself with, the only choice left would be to stay on W10 with Bitdefender, at least for my main PC. Though I’m still pretty anxious about malware:

3 - I initially thought that you could get malware only by consciously downloading files, opening mail attachments, going on uncertified sites or plugging in infected devices, but apparently there are some types of malware that can infect your PC without you consciously doing anything? (For example, I read the WannaCry attack affected even machines that did none of the above?) Is there nothing you can do to prevent this from happening on an unsupported OS besides “not connecting it to the internet at all”? Is this just not a viable choice if I don’t want to risk losing my files or having my data stolen?

Even getting some of these answered would be great, and of course, if you think I have some misconceptions that need to be corrected I’d love it if you did so. Thanks in advance!

Community lemmy.dbzer0.com

*Permanently Deleted*

LibreWolf as my browser (it’s a more secure and private version of Firefox, comes with a pre-installed adblocker and removes all the unnecessary junk) (Flatpak) with some of the following extensions:
LibRedirect for redirecting privacy-invasive websites to private frontends
ff2mpv
Read Aloud (text-to-speech)
Buster for solving CAPTCHAs
Dark Reader
Violentmonkey for userscripts like Lemmy Universal Link Switcher (it’s really useful)
DownThemAll
Search by Image
Server-Status (GitHub) shows information about a web server like country/region (via local GeoIP database lookup), SSL certificate information and more. Good open source alternative to Flagfox.

Thunderbird for emails (Flatpak)
Proton Mail Bridge (Flatpak)
Merkuro Calendar
Ptyxis (Flatpak) as my terminal. It’s optimized for containers (e.g. distrobox). foot is a pretty good alternative if you want something more minimalistic and don’t care about containers. There are countless other good options like Kitty, Alacritty, Konsole, WezTerm and many others.
Emacs as my IDE
KWrite, Kate or NotepadQQ for quickly editing text documents. There’s also Apostrophe for GNOME.
QOwnNotes for local/Nextcloud-synced notes (Iotas for GNOME). There are other good options like Trilium Notes or Joplin.
Speech Note for speech-to-text note-taking (https://piped.video/watch?v=zlLVgTB42Bo)
Akregator as my RSS client (Newsflash for GNOME)
Strawberry as my music player (Amberol or Rhythmbox if you’re on GNOME)
Spot for Spotify (Flatpak)
Cider for Apple Music (unfortunately not FOSS anymore)
Feishin for connecting to my self-hosted Navidrome music server
rescrobbled for saving my music listening history to Last.fm. Also works with self-hosted ListenBrainz.
Jellyfin Desktop for connecting to my self-hosted Jellyfin media server
mpv as my video player (Celluloid on GNOME)
FreeTube for watching YouTube videos
This modded YouTube Music client that has an adblocker and many other cool features: https://th-ch.github.io/youtube-music/
Kasts for listening to podcasts (also has the ability to sync with gpodder.net or self-hosted GPodder on Nextcloud)
LibreOffice (Flatpak). There’s also OnlyOffice.
Skanpage for scanning documents
GNUcash for accounting
Notesnook or Standard Notes for end-to-end encrypted note-taking
Anki Flashcards (Flatpak)
Logseq (FOSS Obsidian alternative)
Flameshot for screenshots (GitHub, Flatpak)
Kdenlive for video editing
GIMP, Krita and Inkscape for graphics stuff
Blender for animation stuff
Natron for VFX
LMMS and Ardour for music production
Virtual Machine Manager for creating/managing KVM/QEMU VMs (Boxes for GNOME)
Nextcloud Desktop for connecting to my home server
Signal Desktop (Flatpak). There’s also Flare for GNOME, which uses GTK instead of Electron and feels more native (Flatpak)
Element (or NeoChat if you use KDE, Fractal for GNOME) for Matrix
WebCord for Discord. There are some native GTK clients like Abaddon and Dissent.
Paper Planes (Native GTK Telegram client)
Konversation or HexChat for IRC (Polari on GNOME)
Tokodon as my Mastodon client
qBittorrent for downloading torrent content. (You can use KTorrent on KDE and Fragments on GNOME)
Pika Backup for taking backups (There’s a pretty good video about it: https://piped.video/watch?v=W30wzKVwCHo)
Timeshift for btrfs snapshots
Gradience to customize GTK4 appearance
Bitwarden for syncing my password database with my self-hosted Vaultwarden server (also works with their public cloud syncing option). Use KeePassXC if you prefer something entirely local.
LocalSend for sharing files on the local network (basically works like AirDrop) (also works over NetBird or Tailscale btw)
NetBird for creating a flat VPN network between my devices
KDE Connect for better integration with my phone. Also works over NetBird btw. Check out GSConnect if you’re on GNOME.
KRunner for quickly finding files or applications (Ulauncher for other desktops, rofi for window managers)
Safing Portmaster (Firewall and DNS blocking solution. Check out OpenSnitch if you just need a firewall)
LACT for controlling AMD GPUs
Flatseal for managing Flatpak permissions (On KDE this is integrated in the system settings)
Bottles for managing Wine prefixes (Flatpak)

If you like gaming:
Lutris for managing my games
Heroic for Epic Games and GOG
Prism Launcher for Minecraft
Dolphin for emulating Wii and GameCube
Ryujinx for emulating the Switch
RPCS3 for PS3 emulation
Vita3K for PSVita emulation
PPSSPP for PSP
Cemu for Wii U emulation

For the CLI:
fish shell
starship
tmux
fd as an alternative to find
bat instead of less (written in Rust, has some nice syntax highlighting)
ripgrep
fzf
zoxide
yt-dlp
streamlink
ncmpcpp
ncspot
newsboat

Community lemmy.world

*Permanently Deleted*

I have my own backup of the git repo and I downloaded this to compare and make sure it's not some modified (potentially malicious) copy. The most recent commit on my copy of master was dc94882c9062ab88d3d5de35dcb8731111baaea2 (4 commits behind OP's copy).

I can verify:
that the history up to that commit is identical in both copies
after that commit, OP's copy only has changes to translation files which are functionally insignificant

So this does look to be a legitimate copy of the source code as it appeared on github!

Clarifications:
This was just a random check, I do not have any reason to be suspicious of OP personally
I did not check branches other than master (yet?)
I did not (and cannot) check the validity of anything beyond the git repo
You don't have a reason to trust me more than you trust OP… It would be nice if more people independently checked and verified against their own copies.

I will be seeding this for the foreseeable future.
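The check described in the comment above, as an added example that is not part of the original comment or of the project being shared: a POSIX shell script that builds two constructed repositories (a trusted local copy, and a redistributed copy with extra translation-only commits plus a tampered branch) and then verifies the two properties the commenter lists with `git merge-base --is-ancestor` and `git diff --name-only`. The repository names, file paths, commit contents and the `po/*` glob are all constructed for the demo; substitute your own backup, the hash of its tip, and the paths your project uses for translations.

```shell
#!/bin/sh
# Added example (not the commenter's commands). "mine" is the trusted local backup,
# "theirs" is the redistributed copy. We check (1) that the trusted tip commit is an
# ancestor of their branch, which, because a git commit hash covers the tree and every
# parent, means the history up to that commit is identical, and (2) that every path
# changed after that commit matches a translation-file glob.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Fixed identity and dates so the constructed hashes are reproducible run to run.
export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid
export GIT_AUTHOR_DATE='2024-01-01T00:00:00Z' GIT_COMMITTER_DATE='2024-01-01T00:00:00Z'

commit() { # commit <repo> <path> <content> <message>: write a file and commit it
  ( cd "$1" && mkdir -p "$(dirname "$2")" && printf '%s\n' "$3" > "$2" \
    && git add -A && git -c commit.gpgsign=false commit -q -m "$4" )
}

# Constructed trusted copy: two commits on master.
git init -q "$WORK/mine"
git -C "$WORK/mine" symbolic-ref HEAD refs/heads/master
commit "$WORK/mine" src/main.c 'int main(void){return 0;}' 'initial'
commit "$WORK/mine" README 'hello' 'docs'
TRUSTED_TIP=$(git -C "$WORK/mine" rev-parse master)

# Constructed redistributed copy: a clone with translation-only commits on master,
# plus a "tampered" branch that also slips in a source change.
git clone -q "$WORK/mine" "$WORK/theirs"
commit "$WORK/theirs" po/de.po 'msgid "hello"' 'update German'
commit "$WORK/theirs" po/fr.po 'msgid "hello"' 'update French'
git -C "$WORK/theirs" checkout -q -b tampered
commit "$WORK/theirs" src/evil.c 'int backdoor(void){return 1;}' 'refactor'
git -C "$WORK/theirs" checkout -q master

# verify_copy <repo> <trusted_tip> <branch> <translation_glob>
# Returns 0 only if <trusted_tip> is in <branch>'s history and every file changed
# between the two matches <translation_glob>; otherwise prints the offender and returns 1.
verify_copy() {
  repo=$1; tip=$2; branch=$3; glob=$4
  git -C "$repo" merge-base --is-ancestor "$tip" "$branch" 2>/dev/null || return 1
  git -C "$repo" diff --name-only "$tip" "$branch" | while IFS= read -r path; do
    case $path in
      $glob) ;;
      *) echo "non-translation change after trusted tip: $path" >&2; exit 1 ;;
    esac
  done
}

if verify_copy "$WORK/theirs" "$TRUSTED_TIP" master 'po/*'; then
  echo "master: only translation files changed after $TRUSTED_TIP"
fi
if ! verify_copy "$WORK/theirs" "$TRUSTED_TIP" tampered 'po/*'; then
  echo "tampered: rejected"
fi
```

The ancestry test is what does the heavy lifting: if your trusted tip hash resolves in their repository and is an ancestor of their branch, every object below it is byte-identical to yours, so there is nothing further to diff in that range. As the commenter notes, this says nothing about branches you did not check (loop over `git for-each-ref` to cover them all) and nothing about the trustworthiness of the upstream repository itself; it only shows the copy has not diverged from yours.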

Community lemmy.world

Spotify fans threaten to return to piracy as music streamer introduces new face-scanning age checks in the UK

A VPN is a must if you wanna go down this route.

Soulseek (and I recommend the Nicotine+ client over the official one) is a fantastic source for all music in all formats, and particularly obscure off-label shit you won't get anywhere else. You'll even have some success finding audiobooks there, although this is very hit-and-miss. I wish audiobook pirates would use it more heavily. It's P2P, like Napster used to be. You'll have to share something or you'll get auto-ignored by most users.

RuTracker is a great non-private/non-ratio-monitoring torrent site for music (does require a free account though). I've never had a single torrent from there that wasn't seemingly seeded by a Godzilla's dick. Obviously it's in Russian, but there's really no difficulty navigating around. The only thing you might struggle with is signing up for an account, but just have your favourite translation tool open in another tab 👍

If you don't mind slow download speeds (from the likes of RapidGator), I enjoy Exystence. It's a blog that shares links to the latest albums and offers both lossy and lossless versions. Nice RSS subscription to have.

If you do find yourself using RapidGator a lot, don't waste money buying a sub directly from them, it's insanely pricey. Instead, get a reseller like Real Debrid, which costs like 10% as much and also covers you for about two-dozen other file hosters. I highly recommend putting as much distance between your credit card and the company as possible, just for safety reasons. Using PaySafeCard is fine, as Real Debrid will never see your details in that case. I don't have any specific reason to be wary of them, I just don't trust random/small/hitherto unheard of companies as a rule.

Community feddit.org

Is the Bonetale mod infected with a virus?

Hello, I wanted to download the Bonetale mod from the link I provided. I scanned it with VirusTotal, and over 30 antivirus programs showed it as a virus. Then I saw some people on Reddit saying it wasn't infected, but I'm still not sure if it is.

Community lemmy.world

An architect of GameStop's long-forgotten Steam competitor explains why he thinks Valve came out on top: 'What Steam did better than anybody else was to create a community'

Steam made it easy to buy, download and play games. So much of the competition was focused on preventing piracy to the detriment of the user experience. Steam was buy, download, and play all your games in one place with a minimum of bullshit. Then they implemented Steam Greenlight. It let some smaller studios get onto a major platform and proved out that there was a demand for those titles. They were then smart enough to realize that trying to gatekeep those studios with the "Greenlight" process was stupid and opened the flood gates.

Really, this goes back to Gabe Newell's comments about piracy (a decade and a half ago [1]): "We think there is a fundamental misconception about piracy. Piracy is almost always a service problem and not a pricing problem," he said. "If a pirate offers a product anywhere in the world, 24 x 7, purchasable from the convenience of your personal computer, and the legal provider says the product is region-locked, will come to your country 3 months after the US release, and can only be purchased at a brick and mortar store, then the pirate's service is more valuable."

Steam was a real competitor to LimeWire/Kazaa/etc. The other options, at the time, were stuck in the mentality of treating their customers like pirates. And once people bought into the Steam ecosystem, getting them to buy into any other ecosystem was almost impossible. Steam's main trick wasn't building a community, it was building trust. Users trust Valve to not fuck them over. That's a hard thing to create and it's fragile. If you look at a competitor like EA's Origin, many folks won't even consider it. EA's reputation of fucking customers is well established. No one wants to sink hundreds to thousands of dollars into a storefront with such an anti-user reputation.

Community lemmy.bestiver.se

Lobsters Interview with steveklabnik

The following interview covers Rust and compilers, source control and monorepos, community engagement and vibe coding. @steveklabnik and I had the pleasure of speaking a few times over a few months. He wrote the Rust Book, Jujutsu for Everyone, worked at Oxide and gave many interesting talks. I thank @smlckz and @hoistbypetard for their assistance proofreading. **How did you discover programming?** I grew up on a beef farm. My dad, his dad and his dad were all butchers. My uncle was a programmer in the 70s and 80s and brought a computer over to show what he did. I was 7 when I saw it and knew I wouldn't go outside anymore. Sorry dad. My little sister became the farm boy, she's a veterinarian now. I learned BASIC, then C, C++, Java. I don't remember not being able to program. I grew up reading Slashdot (had a 5 digit id) and absorbed the culture around open source and free software. So I just ended up contributing to open source and joining a startup after college. People know me for Rust now, but I was involved in Ruby for years before that. Back then, in Rubyland, there was a guy named Why the Lucky Stiff, a deliberately constructed identity doing important work. When he disappeared, I wanted to keep it going. He disappeared because people revealed his private persona to the world, which he wanted to keep separate. I made the choice there. **Many quite dislike their work and only want to talk about personal projects, but as a public personality do your professional and personal lives and interests totally merge together?** It's definitely a bit weird. I've been dating someone for about a year now and had to explain this **my being an online person** thing which clarified a lot of stuff. What matters most to me is impact, I'm trying to improve the world, make things better. For me, the best way is being a relatively public person; a public persona helps push things forward. 
I have a joke about a secret gamer identity; my Discord is my gamer name first which I change to Steve Klabnik in technical/programming Discords. That's mostly to keep from leaking my literal name into video game spaces, but if I had to maintain a public Steve and a private Steve, that'd be a little harder. So I got used to being a public person. It's easier to get things done when your goal's also your job, so I don't try to maximize personal income but find things I want to do. These days I don't have time to do a second job after my first job, whereas I used to have the time to work 80 hours around the clock. Hitting 40, I've been thinking about getting older... On the other hand, if I'm checking Lobsters, HN, Bluesky at night... Since I've often been in developer relations, like PR, if there were a crisis in the Rust community at Friday night... I'm always a bit on. **How did you avoid a you-shaped hole when you left Ruby or Oxide? How do you help keep something going without you?** I had the habit of picking up and maintaining other existing projects no one was working on. If someone else wanted to take over, great! But there wasn't so much of a crisis to leave things as I left them before. Some of those projects already had replacements like Resque and Sidekiq too. I also felt increasingly weird maintaining Why's stuff after he deliberately destroyed it. Worse, his projects were deeply tied into Ruby internals and deprecating APIs, making it difficult and time-consuming to maintain. This maintenance burden also informed his departure, which I came to learn first hand. I started going to Ruby conferences where people asked me to talk about things I cared about. But well, I cared about Rust and talked about it, connecting those communities together. So there was no clean break. Unless you commit info suicide on your persona like Why, which I couldn't do. 
I still like the Ruby community but did deliberately decide to focus my attention away; I haven't written Ruby in a long time. For Oxide, I said I was quitting and asked to discuss a transition plan. I started pair programming every day to onboard someone to the project I was working on by myself. It took about 6 weeks to hand everything over. **Matklad has an article about what open source projects need. You also have a few along these lines. What advice do you have for a newer community which wants to build these things up and stay maintained long term?** A big thing I did in Rust and want JJ to follow is open source is an act of creation. You want something to exist, so you build it. That need for creation's often born out of unhappiness with how things exist today. I used to teach programming as a job and tell people if the program existed bug-free, you wouldn't be programming. It's the act of moving things from a state you don't like to one you do. When writing code, you're creating features which don't exist or fixing problems which do. It's easy and tempting for projects to fixate on the criticism they create by existing, but this is unhealthy. As an example, Rails was focused on Java sucking, but when you fixate on someone else sucking, you're not focused on improving your own stuff and rot. And what happens if you win? You lack a positive narrative to keep growing and eat yourself alive if you can't find another enemy. Well, it turns out JavaScript's not actually that bad and Rails missed the boat on JavaScript-heavy applications. Rails didn't fail into irrelevance, but did lose cultural dominance. So the Rust world focused on not saying Rust is great because C++ is terrible. There is criticism, but the project can't be about that. It's bad on a personal and a strategic level. Hating on others makes you a bad person. Instead, you have to focus on excited people building and creating. 
In the jj community, we should be "git is fine, we just like jj better" not "git sucks, jj is good". This is important and healthier for a community long term. I haven't been involved in Rust for about 3 years, but before there was a clear perspective that we were building a community, which meant we needed to bring people into the community. There's a funnel from all the people who hear the name "Rust", then who click on Rustlings, then who make a contribution... **How do you manage projects and communities in open source?** With open source, you can't compel people to do certain things. Well, programmers are prima donnas in a few ways, so even as employees you can't force them to do anything or they'll push back. So you need the soft skills to sell the vision and convince people to help. Building consensus is always a nice thing. People will follow good examples, but also bad ones. If leadership encourages a brash, off-the-cuff communication style, they will attract and retain similar people. If leadership is more measured, they'll accumulate a community of measured people. If I find words or styles of communication which resonate, I'll see community members replicate those same arguments. There's a classic book "High Output Management" by the Intel guy from the 90s, whose whole thing was that a CEO's job is purely cultural transmission to others because that's the only way you can effect change at scale. A CEO can't just stand on the assembly line and do everyone else's job better at the same time, after all. When managing, you reproduce the culture you want to see and it either works or it doesn't! It's a second order way of working, not doing it yourself but creating the environment where the work is done. Especially the higher you go, e.g. what distro is integrating what systems is all intraproject management and intracommunity coordination, 100% soft skills, because you're not even in the project you're managing. 
As an example, Ubuntu is currently integrating the Rust based uutil, but can't force them to do anything. Ubuntu's communication must be like "hey, we want this in order to make that happen, are you interested in it?" Then the uutil people hopefully say "yes, we will take your advice and do this, because this is a shared goal." **How do you approach course design, textbook writing?** The Rust Book was me making a 50 pg. tutorial called Rust for Rubyists in 2013, which I then rewrote into 175ish pages. Later I got Carol in as my coauthor and we wrote what's now on the site. The jj tutorial is 100% me besides the Gerrit chapter. For all of these, I write down what I'm learning in the order I learn because writing helps me understand. There's no better way to know what a new person needs than by being new yourself. The problem's that not everyone is you, so you have to go beyond. The trick with the Rust Book's that it has extra constraints from being official e.g. not using many external packages lest it bias the ecosystem. Normally writing Rust involves many third party libraries, which you don't do in the course at all. I also felt the need to include all language features because it was going to be the primary way for people to learn. For the final version, I wrote down a ton of concepts I knew and went through the reference writing down more features to cover. I wrote them on note cards and started arranging them into a concept map. You need to know x before you learn y. The difficulty's all the dependencies especially early on. Guy Steele showed how to grow a language. To learn Rust, you have to build the smallest possible "kernel" to bootstrap your understanding on, growing the language one piece at a time. This meant putting ownership and borrowing as soon as reasonable, because it was the newest thing really impacting people. After functions, variables, loops and borrowing, readers have a base to understand the rest. 
In the 2nd version of the jj tutorial, I'm focusing more heavily on workflows. People want to know what they can actually do with something more than what it is. Especially experienced programmers are willing to hand-wave things although they claim to want the details. They just want to get things done, at first. Those are the two major design philosophies for a book-length tutorial, start building from small parts or just run with it, explaining as you go. With jj, most people just want to get things done; there aren't many version control fanatics. **How do you yourself learn?** I read existing documentation then try to do stuff, mess around. When learning a programming language, I try to implement a text adventure game going back to the first thing I ever did on a computer at my grandma's house playing the Colossal Cave Adventure. I've always loved text adventures. You get a little bit of I/O, data management, loops and stuff, enough to get a feel for writing something real. The one I wrote in Rust just had nine rooms, but that's enough to really get going. But you can't write a game in jj. I just had to use it, run into problems and ask for help. **How do you think about languages, APIs and design?** Simon Peyton Jones' "avoid success at any cost" motto for Haskell is really interesting, with multiple interpretations. The most important thing is build the thing you want to build. You have to deliberately decide your priorities and what you care about. Oxide's really big on values. Figure out what's most important then put them in an order. Rust cares about safety, performance, correctness in that order. On a different axis, Rust always wanted to be used by many people, so choices leading to broad industry adoption were important to us. I have an article about the language strangeness budget where you can only be weird about so many things before no one uses your thing anymore. You have to be deliberate and careful about where you innovate. 
Now, this advice only matters if aiming for broad adoption, but the key is making that deliberate choice. If you just want something fun for yourself, great! But you're making the compromise of it only being for yourself. Designing is inherently about making tough choices. Be aware and deliberate. Design requires taste and taste requires broad exposure and experience. If you don't realize there's a choice because you don't have enough context to know what your options are, you will do things accidentally, not deliberately. **If you could reinvent/change any aspect of Rust, what would you do alternatively?** A lot happened because we wanted to ship a useful thing with only so much time in the day, so some things were less deliberate than others. There's an alternate version of Rust with significantly faster compiler times, because while we cared about compile times when designing we always prioritized other values more. We never asked ourselves how this feature or implementation impacted compiler analysis time and there are several spots where something slightly different would have much faster compiler times, which people do care about. But had we spent time on that, we would have neglected other things and not been any more successful. I think whatever language eventually succeeds Rust will be much faster to compile and borrow checking will never be the big time sink when compiling. **Rue's readme says it's mostly a way of working on different compiler optimizations. Which of those have been most interesting?** Honestly, Rue's only public because GitHub charges for actions when your repo is private and I'm addicted to CI. Now, I love compilers and organized my college classes to get to compilers first but never worked on the Rust compiler, that just wasn't the best way to utilize my skills. So I wanted to mess around with compilers. Conceptually, I understood single static assignment with block params vs. 
fine nodes from reading papers, but never actually seriously looked at implementation code. Partly, I just want some code I can look at and mess around with without responsibilities. There's a big difference between intellectually understanding something and actually writing code for it. I knew about React's architecture for like years before I wrote a line of React - my understanding only grew when I actually coded and experimented with it. I've only been working on it for a few months, but I have a small effectively useless language (without strings). My goal is building out a full production compiler pipeline for this tiny, useless language because most people make languages useful then try to refactor the compiler; I'm doing the opposite. What if I grew the compiler wide and the language very short? While I don't have strings, I have 7 different layers of IR and will probably reach full incremental compilation before adding strings. That's just what I care about building. It took Rust like 2 years to implement MIR because there was a whole production programming language, but it took me a few hours because no one uses it and there are no features. Implementing compiler internals is easier without surface features! I do have some language design features, but I'll only work on that when the compiler's ready. I only want to add features required to improve the compiler. **Hey, a few months have passed since we last spoke!** It's interesting how some of my thoughts have changed! I recently spent more time with Rue and came to appreciate Zig more, for example. A lot of Rust's complexity comes from wanting to be as low level and fast as C. In Rue, what if we don't make decisions based on those values? I assume Rue will have a runtime etc. Higher than Rust but lower than Go. It builds on some of Swift and Hylo's mutable value semantics. If you don't have references as a language construct, you can get rid of lifetimes! 
If you don't put references in structs nor return references, you don't need lifetimes and the borrow checker goes away! You lose a little efficiency, but oh well. Rust has affine types, but I think linear types are also neat. Linear types and borrowing's also weird... There's an issue of expressed and acted values too. The Rust team cares about compiler performance, has people working on it etc. We did care about this, but not enough to require RFCs to analyze compiler impacts and reject things for compiler overhead. I don't mean to criticize - I was there and involved too. (I still think the compiler will get faster, and maybe it'd be better from scratch but some features put a ceiling on it.) With Rue, how close can I get to Rust while caring about compiler performance? Recently, I've come to appreciate Zig a lot more for its decisions. Concretely, macros can introduce new items, so you have to expand all macros before type checking a Rust program. At least one of the Rust analyzer devs said they'd remove the ability of macros introducing items. Heavily relying on monomorphization impacts compile time significantly, because you generate a lot of similar code then expect LLVM to filter it out. In Rust, conditional compilation is based on attribution. Zig made me uncomfortable in the past; dead code elimination finds things that aren't used and eliminates them, making the binary smaller. But you can also view that as a failure; any code generated but thrown away means you did work producing it before dumping it. Rust programs often generate a lot of code which it eventually dumps later. Zig just doesn't compile or process things if you know it won't occur! This had made me uncomfortable if, e.g., I had errors in some other branch, e.g. compiling for Linux while the Windows config is fundamentally broken. **How did you approach building a system of values and getting buy-in for people?** I am kind of old school. 
A lot of it flows top-down; you can't have an outsider show up and impose values on a community. They have to come from some legitimate source in the community itself. Expressing values requires action too. People will notice if you say one thing and do another. On some level, **what leadership does** creates the actual values. It's tricky in general, because even rational adults find it hard to always act in accordance with their values. **How'd you decide what your values would be then?** I joked that my parents' biggest mistake was telling me to do what I thought was right, which caused a lot of friction when we disagreed! I have changed a lot as a person over the course of my life. I'd like to think that things happened which I took under consideration and made changes after. It often happens in software development communities that you find yourself among people you don't want to be like. You have to ask whether you're the kind of person you want to be, and make changes to align yourself. Earlier in my career, I loved talking shit on languages, tools and communities I thought were bad - but then I realized who I was becoming and made serious changes. **How do you approach programming? What's unusual about your methods?** My weirdest thing is not customizing my software. I don't set color schemes. I don't have a dot-files repo. A long time ago, teaching programming as a job, I helped people with their setups and wanted to understand the default user experience; I didn't want to recommend a program I only liked because I had 45 extensions... I didn't want to get out of touch. I don't use an ad-blocker. A hater once wrote that my Rust code seemed simpler and more straightforward, which I thought was a very nice thing for a hater to say! I tend not to write macros at all. I also avoid fancy advanced type system tricks. Although Rust has the reputation of a complicated, big language, you don't have to use it that way. 
I'm actually pretty tolerant of boilerplate these days. Handing off a project at Oxide, I mentioned some packages would reduce duplicates and boilerplate, but seeing the struct fields copied from one struct to another is more straightforward than some macro automatically doing it besides this one exception where.... **I can't get over no ad-block.** A lot of pages have terrible intrusive ads, which guide my behavior to stay away from them. My relationship with privacy has also changed. I used to think tracking me was offensive and upsetting, but now I live such a public life with hundreds of hours of talks on youtube, where ads are the least of my worries. **Oxide rewrites basically everything. How'd you make sure you were actually writing better fitting replacements?** In other organizations, there's constantly a low-key conflict between programmers and management about what we spend time on. People often slip refactoring in before shipping the ticket, because they'll never get permission to refactor after closing the ticket. Oxide looks at what exists, what it needs and figures out whether they should build it or use something. Culturally, a lot of programmers read Joel Spolsky 25 years ago. Oxide is like if that article had never been written and people would rewrite when useful. It comes down to what's fit for purpose. Software's often an 80% fit. Do you just live with that other 20%? Perhaps some people can live with a bigger misfit than others. This does slow down when we ship, but quality emerges from really working on this ourselves. That's an intangible but important benefit. We had more willingness to experiment and try than other places, which paid off. Oxide's leadership really cares about knowing your tools well. So if a tool doesn't yet exist, it's fine to make that tool for future productivity benefits. We wrote our own debugger for our own embedded real time operating system, which paid off when we had to debug firmware issues. Brian et al. 
had seen this approach work out in the past, so the whole organization buys in too. Oxide's the only company to rewrite AMD's CPU firmware. They didn't believe us until it happened. **How deeply did you dive into less popular programming paradigms?** I used to joke that I didn't do LSD in college but did Haskell instead; not sure which is more harmful! I used to experiment a lot. Earlier in my career, I cared a lot about programming for its own sake and now I care more about what I can do with programs. High level languages seem to have an inherent low end of where they can go. (I know this isn't directly true, you can write an OS in Lisp.) I care less about "everything is a..." type languages. "Everything is an object" is like a Beatles cover band, it's not a novel thing because we already explored that space but the interesting developments aren't there. The vitalization of lower level languages is some cyclical effect after spending a lot of energy on higher level languages. I do find Unison cool. There's definitely room for alternative paradigms, but I want to see them prove themselves before investing a lot of time in it. Time's precious. I think I experienced enough with most of that stuff. There are some unexplored avenues like effect systems though. **How do you manage and prioritize your time?** It's hard and changed a lot for me this past year. I'm now in a serious relationship with someone who has kids, adding constraints I didn't previously have. A year ago, I could do whatever whenever, but now I care about people and have obligations to them. But when I feel I want to do the thing, I just do the thing as hard as possible. For example, I started working on Rue in August, got busy in September and set it down until the end of December when I spent a few frantic weeks on it. Claude and I shipped 100 commits on Christmas day! I wait for inspiration to spark then push on it as hard as I can. 
I have time blocks, spend time with work, spend time with my girlfriend, spend time on me, and within those I just do whatever I feel. **How do you structure commits?** I'm a big believer in CI and use it on PRs, even on personal projects. I don't push to main myself, either. Well, I use trunk. I care more about whether CI passes than perfectly crafting the exact commit I want. Committing to use PRs for everything, looking over the diff for 10k lines sucks on GitHub. So I tend towards very small changes. Ideally under 1000-line diffs. I once had a client where the CEO would disappear for a few months, then appear and commit something to master, so the rest of the company would frantically try to rebase all their work on top of everything. The original principles of CI matter a lot. I prefer high velocity of a small number of commits, rather than big perfect ones. Sometimes this means shipping duplication to master, then cleaning it up in a later PR, because keeping things factored while adding a new feature might suck. I trust my tests, keep my cycles quick and keep things small. Sometimes that even means feature flags; I'll ship broken features behind flags which won't get shown in production, and remove the flag when the feature's done, rather than work on a branch for a long time and eventually ship it in the end. At least, these processes work better for me. I'd rather have more small things than fewer larger things. **What about version control inspired you enough to leave Oxide?** I always loved git. I was early on it. I really hated how CVS worked (i.e. the above story.) Distributed version control just seemed straight up better to me. Code matters, but this is the software we entrust all our work output to. If git deleted all our repos tomorrow, it'd be a problem but not so bad because distributed, because backups, while your CVS repo going down would ruin you. You're the sum of all the people you spend time with. That's true of tools, too. 
We spend hours and hours with version control, if that tool can get better, it'll help a lot of people. I got involved with Rails, because I realized I could help every single webapp at once. I got involved with Ruby to help an even bigger set of people. I got involved with Rust, because making the OS better helps everyone! Moving down the stack gives you higher leverage to help more people and DVCS is quite low; there are few things you can do to make JavaScript, C and Rust developers' lives better at the same time. I like doing high leverage things. Working on version control is interesting to me because it can help a lot of people. I also really just like jj. But another thing: I never worked at a FAANG, but they've all converged on some things different from the rest of our industry, like monorepos. At some scale, they just move to monorepos for rational reasons (which aren't important right now.) This implies a lot of other things: path dependence and unexpected technology choices and unique systems. They have their own version control systems, often based on Mercurial for interesting historical reasons. In the past, rich people had access to things other people didn't. But today, there's no better Coca-Cola than Coca-Cola. Elon and I drink the same cola! Software's largely like this too. But FAANG companies have these entire stacks not available to the rest of us. If I wanted to use a monorepo and use Piper, that's just not an option; it's internal to Google, tied to their individual infrastructure... So I think there's some sort of Prometheus play around stealing the fire from the gods. I've been toying with my own personal monorepo for all projects. You know what sucks? Setting up integrations, IDEs etc. every time I start a new project! I'm very monorepo brained. I'm interested in tools like jj which show that world to the rest of us. **What are the benefits of a monorepo?** If I want CI to pass, my commits are limited. 
If it takes an hour for my CI to run, I get 24 commits a day and that's it. To scale up, you need to start to think about whether literally every test should run on every commit: No. How do you determine which tests to run? How do I share dependencies across projects? How do I integrate build systems with all the projects? There are a lot of big topics. But then it's quick to start a new project. It removes coordination costs. At Oxide, every team can use any tools they want. So some teams run on Gerrit, others on GitHub etc. which is cool but moving teams means relearning a new stack. On the flip side, a monorepo's homogeneity means you don't have to learn something new to work on another part of the code base. But now the monorepo's huge. Making everyone download the whole repo kind of sucks. Trade offs. At scale, different trade offs make more sense. These tools also assume scale. Cargo doesn't scale up to a Google sized monorepo. Buck, Blaze or Bazel are built for monorepos, annoying to use on small scales. I feel like there's a smoother transition somewhere with more powerful tools. **How did you become "AI-pilled?"** A year ago, I would have said these tools were BS and didn't matter. I try to be an informed hater though and realized I hadn't tried them in a while. I never liked autocomplete, so the first generation of "spicy autocomplete" did nothing for me. But agents are a fundamentally different way of working. Claude and ChatGPT also started writing ok Rust code. I had a rough 2024. In 2025, I did a lot of soul searching and considered the implications of these new tools, what my actual opinions about software development were etc. And I don't know man, I barely wrote any code last year. I don't know if I'm going to write any code this year personally, by hand, like at all. I started programming at 7. This might be the first year I don't code since then. It's uncomfortable and strange. 
I hate the whole "if you don't learn this stuff, you'll fall behind" rhetoric from AI people. When Rails came out, everyone loved and flocked to it. But you know what? Not everyone actually did, only a small vocal minority. The people who didn't learn Rails weren't left behind. They didn't lose their career for not jumping on the hottest trend. It's reasonable and rational to not care. But I enjoy them. They are tools which require skill. People are willing to acknowledge that vim is useful, even if they use Emacs. I see AI tooling like vim. You have to approach it like a scientist or an engineer. You can't just say "build me a Google clone". Using them in an engineering-science-y way to produce good results takes different kinds of skills than directly writing code yourself. I used to care a lot about being one with the code; some of my best memories are spending a weekend solving a bug in college. But these days that just means I spent my whole weekend being frustrated and didn't get anything done! I've been meaning to write about how to approach this, but it takes so much heat from people online... Some of my friends are vehement anti-AI people which has made our friendship awkward, which sucks, because I like my friends. I also talk about this less on e.g. Lobsters than I normally would. I just do it in private channels to avoid the shit. But I should be more open about it, it can help people. **People have been complaining about AI-driven PR spam.** My work in open source predisposed me to be ok with AI here. There have always been crap PRs by people who don't know what they're doing. That's the normal state of things for open source! You just get a bunch of junk from people you don't know. Some might be great, don't get me wrong. You need to have processes in place to make sure a PR is good before merging and that's true no matter who authors the code. **How do you use it?** I'll briefly go into how these tools work. I'll assume you're using Claude here. 
You send a request to the model. What's in the request? The tool author's system prompt, the prompt you typed in, then a bag of context (e.g. the conversation history). You can tweak all these parameters. Sometimes the correct approach is throwing the system prompt away and writing your own (using an API). People were obsessed with prompt engineering for a while - thinking prompts were the primary lever. But the context window is the biggest percentage of input. So recently people have been talking about context engineering. When the context window fills up, LLM performance goes down. You can make worse prompts if you do a better job context engineering. We used to argue about horizontal vs. vertical slicing for apps, DB, framework, application, view layers vs. feature folders. From a context perspective, a folder per feature is easier for an agent or a person to figure out what's needed (assuming you separated your feature out). How do you ensure the context window only has what's relevant to the goal? In Rue, I have these architecture decision records (ADR) describing a design and its rationale. I'll tell Claude to read ADR 1 and 5 and then mention I want to modify the type system. It's like tickets, you want a ticket with a minimum reproduction. I don't think these are new things, rather we've been collectively paying these practices lip service, and those who actually follow them will do better with these tools. A well-structured codebase means both a human and an agent will have a better time; it's just easier to notice an agent flailing around than realize a developer taking 3 weeks to ship a fix is the same symptom. LLMs are like an average user, which is a nice feedback mechanism too. In the first iteration of Rue, Claude was trying to dump the assembly for a program it was debugging. It kept passing -S which wasn't implemented instead of --emit-asm- which I thought was nicer. 
But it turns out -S is a standard flag across compilers, assuming it exists is a good assumption. So I implemented that as an LLM to stop it from flailing around. There's value in watching what an LLM assumes. It will give reasonable attempts or answers, because it's seen everything. If you can make something easy enough for Claude to understand, it might be a good model. [Comments](https://lobste.rs/s/w1bsle/lobsters_interview_with_steveklabnik)

Community awful.systems

How do I host Jellyfin in the most secure manner possible?

Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer. I showed her this thread and she said: don’t bother, just use http on your local network. Anyways, I am going to disengage from this thread now. Skepticism against things one doesn’t fully understand can be healthy, but this is an insane mix of paranoia and naïveté. You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would. Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE). Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that. Graphene is not an ultimate arbiter of IT security, but the reason it “distrusts networks” is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own). Hosting Jellyfin on Graphene will not make it more secure, whatsoever. If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid. If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy. The way I see it, you have two options: educate yourself on network security to the point of being able to trust your network setup; or forget about hosting anything

Community lemmy.blackeco.com

Is 1337 no longer safe?

Here’s the text in the image:

If you people had half a clue what it’s like to run and mod a popular torrent site, half the comments here would be just thanks. You think 1337x has a huge team of people moderating FREE content for you all? Let me clue you all in: this is most certainly NOT the case. Very few people are modding the site right now. I can tell you this, NO one and I mean NO one is working with anyone to make money off of people on the site, involving moderators or admins. The people that are actively modding the site have full-time jobs with families and do not look at uploads coming through 24/7. The torrent in question was removed when it was checked and verified. Please excuse the delay, as we were not fast enough for some of you and your free content. What mods are there are there just because of the community, no other reason. Getting paid? Please, stop it now. You should be wary of any software or games you download from anywhere. If you don’t trust 1337x then don’t go there, but to start smashing on what few moderators are just there to support you people in your quest for good pirated material is just wrong and nowhere near correct. For the people who think we are in cahoots with anyone involved with the site and donations, for your information none of the mods like the change that has recently happened involving donations. What sense does it make to take donations to remove ADS when and if you lose the account you are screwed? The password recovery does not work on 1337x as of now and has not for a very long time. As mods/admins we have zero access to the backend of the site. No control whatsoever. Never have, never will. The site owner barely has any communication with the mods, if you all want to know the truth. Posts like the OP has here make me want to quit and let fate take its course, to be perfectly honest, with all the ungrateful comments for FREE CONTENT!

Community lemmy.world

People Who Love Corporate BS Are Bad at Their Jobs, New Cornell Research Confirms

I hate when people say things like “research confirms”. That’s not how this kind of science works. They link to ResearchGate, which is fine enough since it has a full download of a pre-print, but here’s the original closed-access article’s page for those who do have institutional access. I categorically do not trust a business magazine like Inc. as a secondary source on sociological scientific literature. The author, Jessica Stillman, is listed as the source of the “Expert Opinion”, but if you look at her bio and even her website, she has zero expertise to be evaluating this. It’s fine to write an opinion; it’s not fine to misleadingly label someone as an “expert”. The thesis of the study as stated in the abstract (of the preprint; I’m too lazy to access through my institution right now) is as follows:

> Here, results from four studies (total N = 1018) report the construction and validation of the Corporate Bullshit Receptivity Scale (CBSR), a novel measure of individual differences in susceptibility to corporate bullshit.[*] Results show that corporate bullshit receptivity is distinct from a general affinity for corporate speech, negatively associated with measures of analytic thinking, and positively related with other bullshit-related constructs in theoretically-consistent ways. Importantly, corporate bullshit receptivity is positively associated with several workplace perception variables and is a robust negative predictor of work-related decision-making. Overall, the findings establish the CBSR as a valid and reliable tool to aid researchers and practitioners in examining the causes, correlates, and consequences of receptivity to bullshit in organizations.

\* Defined as “semantically empty and often confusing style of communication in organizational contexts that leverages abstruse corporate buzzwords and jargon in a functionally misleading way”

I encourage people to read the study(’s preprint or print edition) and evaluate its methodology instead of reading a headline, thinking “Yeah, that conforms to my existing biases”, and walking away feeling smug. I’m not remarking on the quality of the study itself, as I’m reading the methodology later when I have time.