The sun rises at the horizon, reflecting off the water of Eagle Harbor. The car deck of the Washington State ferry Tacoma is in the foreground.
#FerryLife #WAWX #Seattle #Sunrise
31.10.2025 15:07 — 👍 5 🔁 0 💬 0 📌 0
@msw.bsky.social
“For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled.”
"As adoption has grown, so has our responsibility to ensure the project remains sustainable and continues to thrive. That’s why, with the release of Liquibase 5.0, we are updating the license for Liquibase Community."
www.liquibase.com/blog/liquiba...
Metrics are increasingly employed as trust deteriorates. Recommended reading ⬇️
#monktoberfest 
a.co/d/im8AStV
Ref: Edgar H. Schein sloanreview.mit.edu/article/comi...
#monktoberfest
“Organizational culture is the pattern of basic assumptions that a given group has invented, discovered, or developed in learning to cope with its problems […], and that has worked well enough to be considered valid, and, therefore, to be taught to new members.”
The stories we tell are how we teach.
"apparently web traffic is down because Google is giving you an answer already in the results, and you no longer have the need to visit a website"
I mean, this has been a complaint for a while, even before AI entered the timeline? Who needs to go to a music lyrics website when it's in the Info Box?
"Piracy lost, but it was always going to lose. Streaming won."
But did the reader / listener / viewer win?
And did the content creators win?
🤔
PSA: attacks on public infrastructure like software package registries are on the rise. Here’s an active one targeting folks who have crates.io accounts.
12.09.2025 14:17 — 👍 4 🔁 3 💬 1 📌 0
I am happily paying Nabu Casa for Home Assistant Cloud.
29.08.2025 03:41 — 👍 2 🔁 0 💬 0 📌 0
And in the words of @booch.com “Every line of code represents a moral decision”
29.08.2025 01:45 — 👍 3 🔁 1 💬 0 📌 0
It’s really hard for OSS projects too. Imagine a leaked GH access token from a project maintainer who is not responding, and who is not an employee because OSS isn’t a company. How do you, the project, get that token revoked? You can’t. You have to de-list the maintainer from your GH org.
27.07.2025 17:11 — 👍 2 🔁 1 💬 0 📌 0
Tricky thing is when people have built their own automation (predating Actions), using CI/CD tools and services, making for something other than a “pure GitHub” implementation. 😬
26.07.2025 20:10 — 👍 0 🔁 0 💬 1 📌 0
That said: prevention > detection, as always
26.07.2025 17:48 — 👍 8 🔁 0 💬 0 📌 0
Also, speaking for myself, hurray for watchful, diligent security folks detecting things before vandals could fix their syntax error.
26.07.2025 17:47 — 👍 14 🔁 0 💬 2 📌 1
Later in 2023 GitHub changed the default permissions for access tokens.
Unfortunately this leaves older projects, organizations, and enterprises with an unsafe default.
github.blog/changelog/20...
“All this to prove one thing: that vulnerable workflows can’t keep a secret.”
This was as true in 2023 as it is now. You have to make sure you scope down GitHub access tokens.
Here is a blog post that describes a similar problem as reported in CodeBuild in the context of GitHub Actions workers back in early 2023.
karimrahal.com/2023/01/05/g...
From my POV, the most important message for everyone who is doing the hazardous work of developing software in public on platforms like GitHub: you have to pay *close attention* to GitHub token permission scoping.
It’s not well known outside of security research circles how often GitHub tokens leak.
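As an added illustration of the token scoping the posts above are about (example configuration written for this page, not code from the author or from any of the linked posts): a workflow with no `permissions:` key inherits the repository's default GITHUB_TOKEN permissions, which on repositories and organizations created before GitHub changed the default is read-write across most scopes. Declaring `permissions: {}` at the workflow level and granting the minimum per job makes the scope explicit regardless of that default. The workflow, job and step names below are hypothetical.

```yaml
# Added example (not from the post or the author): a GitHub Actions workflow
# that scopes the automatic GITHUB_TOKEN down to what each job needs.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Deny everything at the workflow level; each job opts in explicitly.
# Leaving this key out would inherit the repository/org default, which on
# older repositories is read-write.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read              # enough to check out the code; no push rights
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # don't leave the token in .git/config for later steps
      - run: make test               # hypothetical test target

  comment:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write        # the one job that needs to post a PR comment
    steps:
      - run: gh pr comment "$PR" --body "tests passed"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
```

The repository or organization default itself lives under Settings, Actions, General, "Workflow permissions", where "Read repository contents and packages permissions" is the restrictive choice. An explicit `permissions:` key in a workflow overrides that default for that workflow, so the keys, not the setting, are what to audit when a workflow handles untrusted input such as a pull request from a fork.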
You can see what's on the menu of legal services when you set up a project here... LF Projects LLC is generally for software projects, Joint Development Foundation Projects, LLC is generally for standards development...
docs.linuxfoundation.org/lfx/project-...
It's a corporate holding structure of the Linux Foundation, used as the owner of intellectual property, etc.
A committed community of maintainers doesn't have an LLC registered in Delaware that can hold trademarks... This is infrastructure Linux Foundation provides.
lfprojects.org
Valkey is maintained by the Valkey maintainers, not by a neutral foundation. Linux Foundation provides the tent, but without committed maintainers the tent is empty.
The thing that keeps the power of any one company in check isn't the Linux foundation, it's a committed community of mutual interest.
There's much to agree with in Dan's piece on defending the definition of Open Source. On details, I quibble.
"Today, Valkey is maintained by a neutral foundation, ensuring no one company can take it away from open source."
Linux Foundation doesn't maintain Valkey. thenewstack.io/open-source-...
A ghost nightlight with the word Kiro
Thrilled for the launch of @kiro.dev today! We started with two main ideas that led to Kiro's spec-driven development features:
1) AI can help us build better products through rapid prototyping
2) Devs can declare their app's requirements to get better results from AI, close to production-grade code
Hello, I hope this message finds you well. As part of our ongoing efforts to comply with the EU Cyber Resilience Act (CRA), we are currently conducting a cybersecurity risk assessment of third-party software vendors whose products or components are integrated into our systems. To support this initiative, we kindly request your input on the following questions related to your software product "libcurl" with version 7.87.0. Please provide your responses directly in the table below and do reply to all added in this email,
It has officially begun. The CRA info request counter is no longer at zero.
11.07.2025 07:44 — 👍 41 🔁 87 💬 14 📌 3
OH: "And so, it begins."
11.07.2025 16:56 — 👍 8 🔁 1 💬 0 📌 0
The CVE... The "disputed" tag is on the record, which is the system working as designed.
www.cve.org/CVERecord?id...
This is not an adventure that FOSS maintainers should have to endure, in my opinion.
Unfortunately The Rules don't prohibit allocating a CVE for an identified weakness that was never in a released Product...
www.cve.org/resourcessup....
I think it’s more Red Hat’s business model than any of the firms listed above.
And those who know the history of libxml2 (and friends like libxslt) know that Red Hat funded a lot of its development, directly and indirectly, via employing DV.
I do not like this timeline.
22.06.2025 00:38 — 👍 6 🔁 1 💬 0 📌 0
While there is much more that industry can do, and NEEDS to do, we should recognize that in the past Google has directly sponsored libxml2 development.
It's not *just* been Project Zero sending vulnerability disclosures to the maintainer.
gitlab.gnome.org/GNOME/libxml...