
Article

master
David Larlet 3 weeks ago
parent
commit
2131206805
Signed by: David Larlet <david@larlet.fr> GPG Key ID: 3E2953A359E7E7BD

+ 8
- 0
david/2024/03/30/index.html

@@ -152,6 +152,10 @@
title="Aller à la page de recherche"
rel="search" data-no-instant>Recherche</a>
• <a rel="next"
href="/david/2024/04/02/"
title="Publication suivante : Porte">Suivant →</a>
</p>
</nav>
@@ -227,6 +231,10 @@ L’aube viendra dans sa mârde&nbsp;blanche.</p>
<a href="/david/2024/" title="Liste des publications récentes">↑ En 2024</a>
• <a rel="next"
href="/david/2024/04/02/"
title="Publication suivante : Porte">Suivant →</a>
</p>
</nav>


+ 441
- 0
david/2024/04/02/index.html

@@ -0,0 +1,441 @@
<!DOCTYPE html><!-- This is a valid HTML5 document. -->
<!-- Screen readers, SEO, extensions and so on. -->
<html lang="fr">
<!-- Has to be within the first 1024 bytes, hence before the `title` element
See: https://www.w3.org/TR/2012/CR-html5-20121217/document-metadata.html#charset -->
<meta charset="utf-8">
<!-- Why no `X-UA-Compatible` meta: https://stackoverflow.com/a/6771584 -->
<!-- The viewport meta is quite crowded and we are responsible for that.
See: https://codepen.io/tigt/post/meta-viewport-for-2015 -->
<meta name="viewport" content="width=device-width,initial-scale=1">
<!-- Required to make a valid HTML5 document. -->
<title>
Porte
— David Larlet</title>
<script>
function toggleTheme(themeName) {
document.documentElement.classList.toggle(
'forced-dark',
themeName === 'dark'
)
document.documentElement.classList.toggle(
'forced-light',
themeName === 'light'
)
}
const selectedTheme = localStorage.getItem('theme')
if (selectedTheme !== 'undefined') {
toggleTheme(selectedTheme)
}
</script>
<!-- Documented, feel free to shoot an email. -->
<link rel="stylesheet" href="/static/david/css/style_2024-03-09.css">
<!-- See https://www.zachleat.com/web/comprehensive-webfonts/ for the trade-off. -->
<link rel="preload"
href="/static/david/css/fonts/century_supra_ot_a_regular.woff2"
as="font"
type="font/woff2"
media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)"
crossorigin>
<link rel="preload"
href="/static/david/css/fonts/century_supra_ot_a_bold.woff2"
as="font"
type="font/woff2"
media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)"
crossorigin>
<link rel="preload"
href="/static/david/css/fonts/century_supra_ot_a_italic.woff2"
as="font"
type="font/woff2"
media="(prefers-color-scheme: light), (prefers-color-scheme: no-preference)"
crossorigin>
<link rel="preload"
href="/static/david/css/fonts/century_supra_ot_b_regular.woff2"
as="font"
type="font/woff2"
media="(prefers-color-scheme: dark)"
crossorigin>
<link rel="preload"
href="/static/david/css/fonts/century_supra_ot_b_bold.woff2"
as="font"
type="font/woff2"
media="(prefers-color-scheme: dark)"
crossorigin>
<link rel="preload"
href="/static/david/css/fonts/century_supra_ot_b_italic.woff2"
as="font"
type="font/woff2"
media="(prefers-color-scheme: dark)"
crossorigin>
<meta name="description" content="For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled and patient. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including mine.">
<!-- That good ol' feed, subscribe :). -->
<link rel="alternate"
type="application/atom+xml"
title="Feed"
href="/david/log/">
<!-- Generated from https://realfavicongenerator.net/ such a mess. -->
<link rel="apple-touch-icon"
sizes="180x180"
href="/static/david/icons2/apple-touch-icon.png">
<link rel="icon"
type="image/png"
sizes="32x32"
href="/static/david/icons2/favicon-32x32.png">
<link rel="icon"
type="image/png"
sizes="16x16"
href="/static/david/icons2/favicon-16x16.png">
<link rel="manifest" href="/static/david/icons2/site.webmanifest">
<link rel="mask-icon"
href="/static/david/icons2/safari-pinned-tab.svg"
color="#07486c">
<link rel="shortcut icon" href="/static/david/icons2/favicon.ico">
<meta name="msapplication-TileColor" content="#f7f7f7">
<meta name="msapplication-config"
content="/static/david/icons2/browserconfig.xml">
<meta name="theme-color"
content="#f7f7f7"
media="(prefers-color-scheme: light)">
<meta name="theme-color"
content="#272727"
media="(prefers-color-scheme: dark)">
<!-- Is that even respected? Retrospectively? What a shAItshow…
https://neil-clarke.com/block-the-bots-that-feed-ai-models-by-scraping-your-website/ -->
<meta name="robots" content="noai, noimageai">
<style type="text/css">
.tippy-content {
min-width: 280px;
padding: .5rem;
font-size: calc(var(--fluid-0) * 0.8);
font-family: var(--labor-font);
letter-spacing: initial;
text-align: left;
}
.tippy-content h3 {
margin-top: 0;
}
.tippy-content h3 img {
max-width: 2rem;
max-height: 2rem;
display: inline-block;
}
.tippy-content .tippy-links {
display: flex;
justify-content: space-around;
}
.tippy-content a {
padding: .4rem;
color: #F06048;
}
</style>

<body data-instant-intensity="viewport-all">
<article>
<header>
<hgroup>
<h1>Porte</h1>
<p>Le <time datetime="2024-04-02">2 avril 2024</time></p>
</hgroup>
</header>
<nav>
<p>
<a rel="prev"
href="/david/2024/03/30/"
title="Publication précédente : Jour 2">← Précédent</a> •
<a href="/david/" title="Aller à l’accueil" rel="up">Accueil</a>
<a href="/david/recherche/"
title="Aller à la page de recherche"
rel="search" data-no-instant>Recherche</a>
</p>
</nav>

<blockquote lang="en">
<p>For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including&nbsp;mine.</p>
<p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is incalculable. <mark>#XZ was the one we caught; how many have we&nbsp;missed?</mark></p>
<p><cite><em><a data-link-domain="tbray.org" href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" hreflang="en"
title="Consultation de l’article (anglais)">ongoing by Tim Bray · OSQI</a>
<a href="/david/cache/2024/8ffe1e30cd3dd6446468bd6d03550457/" hreflang="en"
data-tippy data-description=""
data-source="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI"
data-date="2024-04-04"
data-favicon="https://www.tbray.org/favicon.ico"
data-domain="tbray.org"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a></em></cite></p>
</blockquote>
<p>J’ai laissé le web 2&nbsp;jours et hop, une <a data-link-domain="fr.wikipedia.org" href="https://fr.wikipedia.org/wiki/Porte_d%C3%A9rob%C3%A9e">porte dérobée</a> a été fermée à temps. C’est <a data-link-domain="boehs.org" href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor" hreflang="en"
title="Consultation de l’article (anglais)">la chronologie</a>
<a href="/david/cache/2024/b4d0d377662e30cef4e944448d41338c/" hreflang="en"
data-tippy data-description="Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries"
data-source="https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
data-date="2024-04-04"
data-favicon="https://boehs.org/favicon.ico"
data-domain="boehs.org"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a> qui est surprenante dans sa durée et pose immédiatement la question de savoir s’il s’agit d’une exception ou s’il y a déjà des portes un peu partout, exploitées par plus ou moins de&nbsp;monde.</p>
<p>Lorsqu’on voit ce que <a href="/david/2024/03/28/#hr-140">sont prêts à faire les GAFAM+</a>, je n’ai aucun doute sur le fait qu’ils se rueraient sur de telles «&nbsp;opportunités&nbsp;». On parle souvent de malveillance dans ces cas là, je pense que l’on peut facilement mettre tout ce qui est <em>growth hacking</em> et <em>marketing</em> dans ce&nbsp;périmètre.</p>
<p>Pour en revenir à des OSQI (Open Source Quality Institutes) nationaux, cela me rappelle des initiatives comme <a data-link-domain="copiepublique.fr" href="https://copiepublique.fr/">copie publique</a> ou cette idée de <a href="/david/2023/01/11/">MécénatDeCompétencesPublic</a>&#8239;.</p>
<p>Transformer l’Open-Source en bien commun est peut-être le chantier de la décennie à venir. J’espère en faire partie à mon&nbsp;échelle.</p>

<blockquote lang="en">
<p>Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant&nbsp;now.”</p>
<p>Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it’s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top&nbsp;of.</p>
<p><cite><em><a data-link-domain="404media.co" href="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/" hreflang="en"
title="Consultation de l’article (anglais)">Bullying in Open Source Software Is a Massive Security Vulnerability</a>
<a href="/david/cache/2024/14da9039de50c54f159f333ea3dc73f1/" hreflang="en"
data-tippy data-description="The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code."
data-source="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/"
data-date="2024-04-04"
data-favicon="https://www.404media.co/content/images/size/w256h256/format/png/2023/08/favicon-3.svg"
data-domain="404media.co"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a></em></cite></p>
</blockquote>

<nav>
<p>
<a href="/david/2024/commun/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#commun</a>
<a href="/david/2024/opensource/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#opensource</a>
<a href="/david/2024/protopie/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#protopie</a>
<a href="/david/2024/#tags" title="Liste de toutes les étiquettes 2024">tous ?</a>
</p>
</nav>
<nav>
<p>
<a rel="prev"
href="/david/2024/03/30/"
title="Publication précédente : Jour 2">← Précédent</a> •
<a href="/david/2024/" title="Liste des publications récentes">↑ En 2024</a>
</p>
</nav>

<form action="/david/recherche/" method="get">
<fieldset>
<legend>Recherche</legend>
<label for="input-search">Termes de votre recherche :</label>
<input id="input-search" type="search" name="s" aria-describedby="indexation-infos" required>
<input type="submit" value="Chercher">
<p id="indexation-infos">
<small>
Seuls les contenus de ces 8 dernières années sont indexés.
</small>
</p>
</fieldset>
</form>
<aside>
<theme-toggle></theme-toggle>
</aside>
</article>
<hr>
<footer>
<p>
<a href="/david/" title="Aller à l’accueil">Accueil</a>
<a href="/david/log/" title="Accès au flux RSS">Suivre</a>
<a href="http://larlet.com"
title="Go to my English profile"
data-instant>Pro</a>
<a href="mailto:david%40larlet.fr" title="Envoyer un courriel">Email</a>
<abbr title="Hébergeur : Alwaysdata, 62 rue Tiquetonne 75002 Paris, +33184162340">Légal</abbr>
</p>
<template id="theme-selector">
<form>
<style type="text/css">
fieldset div {
text-align: center;
}
</style>
<fieldset>
<legend>Thème</legend>
<div>
<label>
<input type="radio" value="auto" name="chosen-color-scheme" checked>
Auto
</label>
<label>
<input type="radio" value="dark" name="chosen-color-scheme">
Foncé
</label>
<label>
<input type="radio" value="light" name="chosen-color-scheme">
Clair
</label>
</div>
</fieldset>
</form>
</template>
</footer>
<script src="/static/david/js/instantpage-5.1.0.min.js" type="module"></script>
<script>
class ThemeToggle extends HTMLElement {
constructor() {
super()
const themeSelectorTemplate = document.querySelector('#theme-selector')
const form = themeSelectorTemplate.content.firstElementChild
this.attachShadow({ mode: 'open' })
this.shadowRoot.appendChild(form.cloneNode(true))
}

connectedCallback() {
const form = this.shadowRoot.querySelector('form')
form.addEventListener('change', (e) => {
const chosenColorScheme = e.target.value
localStorage.setItem('theme', chosenColorScheme)
toggleTheme(chosenColorScheme)
})

const selectedTheme = localStorage.getItem('theme')
if (selectedTheme && selectedTheme !== 'undefined') {
form.querySelector(`[value="${selectedTheme}"]`).checked = true
}
}
}

const prefersColorSchemeDark = '(prefers-color-scheme: dark)'
window.addEventListener('load', () => {
let colorsLayer = undefined
let hasDarkRules = false
for (const styleSheet of Array.from(document.styleSheets)) {
let mediaRules = []
for (const layerRule of styleSheet.cssRules) {
if (!(layerRule instanceof CSSLayerBlockRule)) {
continue
}
if (layerRule.name === 'colors') {
colorsLayer = layerRule
}
for (const cssRule of layerRule.cssRules) {
if (cssRule.type !== CSSRule.MEDIA_RULE) {
continue
}
// WARNING: Safari does not have/supports `conditionText`.
if (cssRule.conditionText) {
if (cssRule.conditionText !== prefersColorSchemeDark) {
continue
}
} else {
if (cssRule.cssText.startsWith(prefersColorSchemeDark)) {
continue
}
}
mediaRules = mediaRules.concat(Array.from(cssRule.cssRules))
}
}

// WARNING: do not try to insert a Rule to a styleSheet you are
// currently iterating on, otherwise the browser will be stuck
// in a infinite loop…
for (const mediaRule of mediaRules) {
// Safari requires the `0` second parameter (even if default).
colorsLayer.insertRule(mediaRule.cssText, 0)
hasDarkRules = true
}
}

if (hasDarkRules) {
if ('customElements' in window && !customElements.get('theme-toggle')) {
customElements.define('theme-toggle', ThemeToggle)
}
}
})
</script>
<script src="/static/david/js/popper-2.11.8.min.js"></script>
<script src="/static/david/js/tippy-bundle-6.3.7.umd.min.js"></script>
<script>
tippy('[data-tippy]', {
content(reference) {
reference.addEventListener('click', (e) => e.preventDefault())
return `
<h3 lang="fr">
<img src="${reference.dataset.favicon}" loading="lazy">
<a href="${reference.dataset.source}"
>Article sur ${reference.dataset.domain}</a></h3>
<p lang="${reference.hreflang}"><em>${reference.dataset.description}</em></p>
<div class="tippy-links" lang="fr">
<a href="${reference.href}">Archive au ${reference.dataset.date}</a>
</div>
`
},
allowHTML: true,
interactive: true,
delay: [150, 700],
hideOnClick: false
})
</script>
<script type="module">
import { annotate } from '/static/david/js/rough-notation-0.5.1.esm.min.js'

const markObserver = new IntersectionObserver((entries, observer) => {
const computedStyle = getComputedStyle(document.documentElement)
const markBackground = computedStyle.getPropertyValue('--mark-background')
for (const entry of entries) {
if (entry.intersectionRatio === 0) continue
const markElement = entry.target
markElement.style.backgroundColor = 'inherit'
const annotation = annotate(
markElement, {
type: 'highlight',
multiline: true,
color: markBackground,
// animate: !window.matchMedia('(prefers-reduced-motion: reduce)').matches
animate: false
}
)
annotation.show()
observer.unobserve(markElement)
}
}, {threshold: 1.0})

for (const markElement of document.querySelectorAll('mark')) {
markObserver.observe(markElement)
}
</script>

</body>
</html>
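Review bot: the tippy `content()` callback (the `tippy('[data-tippy]', { … })` script near the end of this file) interpolates `reference.dataset.description`, `reference.dataset.source`, `reference.dataset.favicon` and `reference.dataset.domain` straight into an HTML template literal that is rendered with `allowHTML: true`. Those values are the `data-description` / `data-source` / `data-favicon` / `data-domain` attributes on the archive links, whose `data-description` text reproduces the cited third-party article's own summary, and `dataset` hands them back entity-decoded, so any markup present in an upstream summary would be parsed as HTML inside the tooltip. Either HTML-escape the four values before building the string, or build the tooltip with `createElement` / `textContent` and drop `allowHTML`. Two smaller points in the same file: the inline theme script guards with `if (selectedTheme !== 'undefined') { toggleTheme(selectedTheme) }`, but `localStorage.getItem` returns `null`, not the string `'undefined'`, when nothing is stored, so the guard never short-circuits and `toggleTheme(null)` runs (harmless, it just removes both forced classes); `ThemeToggle.connectedCallback` later uses the stricter `selectedTheme && selectedTheme !== 'undefined'`, and the two checks should match. And `form.querySelector(`[value="${selectedTheme}"]`).checked = true` throws a TypeError when the stored `theme` is anything other than `auto`, `dark` or `light` (a stale or hand-edited key), so a null check on the `querySelector` result would keep the toggle from breaking.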

+ 23
- 0
david/2024/_sources/2024-04-02 - Porte.md

@@ -0,0 +1,23 @@
# Porte

> [en] For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled *and patient*. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including mine.
>
> The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is incalculable. ==#XZ was the one we caught; how many have we missed?==
>
> <cite>*[ongoing by Tim Bray · OSQI](https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI)*</cite>

J’ai laissé le web 2 jours et hop, une [porte dérobée](https://fr.wikipedia.org/wiki/Porte_d%C3%A9rob%C3%A9e) a été fermée à temps. C’est [la chronologie](https://boehs.org/node/everything-i-know-about-the-xz-backdoor) qui est surprenante dans sa durée et pose immédiatement la question de savoir s’il s’agit d’une exception ou s’il y a déjà des portes un peu partout, exploitées par plus ou moins de monde.

Lorsqu’on voit ce que [sont prêts à faire les GAFAM+](/david/2024/03/28/#hr-140), je n’ai aucun doute sur le fait qu’ils se rueraient sur de telles « opportunités ». On parle souvent de malveillance dans ces cas là, je pense que l’on peut facilement mettre tout ce qui est *growth hacking* et *marketing* dans ce périmètre.

Pour en revenir à des OSQI (Open Source Quality Institutes) nationaux, cela me rappelle des initiatives comme [copie publique](https://copiepublique.fr/) ou cette idée de [MécénatDeCompétencesPublic](/david/2023/01/11/) .

Transformer l’Open-Source en bien commun est peut-être le chantier de la décennie à venir. J’espère en faire partie à mon échelle.

> [en] Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant now.”
>
> Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it’s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top of.
>
> <cite>*[Bullying in Open Source Software Is a Massive Security Vulnerability](https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/)*</cite>

#commun #opensource #protopie

+ 87
- 0
david/2024/commun/index.html

@@ -134,6 +134,93 @@
</p>
</nav>
<h2>
<a href="/david/2024/04/02/" title="Lien permanent vers cet article">Porte</a> <time datetime="2024-04-02">2 avril 2024</time>
</h2>

<blockquote lang="en">
<p>For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including&nbsp;mine.</p>
<p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is incalculable. <mark>#XZ was the one we caught; how many have we&nbsp;missed?</mark></p>
<p><cite><em><a data-link-domain="tbray.org" href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" hreflang="en"
title="Consultation de l’article (anglais)">ongoing by Tim Bray · OSQI</a>
<a href="/david/cache/2024/8ffe1e30cd3dd6446468bd6d03550457/" hreflang="en"
data-tippy data-description=""
data-source="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI"
data-date="2024-04-04"
data-favicon="https://www.tbray.org/favicon.ico"
data-domain="tbray.org"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a></em></cite></p>
</blockquote>
<p>J’ai laissé le web 2&nbsp;jours et hop, une <a data-link-domain="fr.wikipedia.org" href="https://fr.wikipedia.org/wiki/Porte_d%C3%A9rob%C3%A9e">porte dérobée</a> a été fermée à temps. C’est <a data-link-domain="boehs.org" href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor" hreflang="en"
title="Consultation de l’article (anglais)">la chronologie</a>
<a href="/david/cache/2024/b4d0d377662e30cef4e944448d41338c/" hreflang="en"
data-tippy data-description="Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries"
data-source="https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
data-date="2024-04-04"
data-favicon="https://boehs.org/favicon.ico"
data-domain="boehs.org"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a> qui est surprenante dans sa durée et pose immédiatement la question de savoir s’il s’agit d’une exception ou s’il y a déjà des portes un peu partout, exploitées par plus ou moins de&nbsp;monde.</p>
<p>Lorsqu’on voit ce que <a href="/david/2024/03/28/#hr-140">sont prêts à faire les GAFAM+</a>, je n’ai aucun doute sur le fait qu’ils se rueraient sur de telles «&nbsp;opportunités&nbsp;». On parle souvent de malveillance dans ces cas là, je pense que l’on peut facilement mettre tout ce qui est <em>growth hacking</em> et <em>marketing</em> dans ce&nbsp;périmètre.</p>
<p>Pour en revenir à des OSQI (Open Source Quality Institutes) nationaux, cela me rappelle des initiatives comme <a data-link-domain="copiepublique.fr" href="https://copiepublique.fr/">copie publique</a> ou cette idée de <a href="/david/2023/01/11/">MécénatDeCompétencesPublic</a>&#8239;.</p>
<p>Transformer l’Open-Source en bien commun est peut-être le chantier de la décennie à venir. J’espère en faire partie à mon&nbsp;échelle.</p>

<blockquote lang="en">
<p>Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant&nbsp;now.”</p>
<p>Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it’s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top&nbsp;of.</p>
<p><cite><em><a data-link-domain="404media.co" href="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/" hreflang="en"
title="Consultation de l’article (anglais)">Bullying in Open Source Software Is a Massive Security Vulnerability</a>
<a href="/david/cache/2024/14da9039de50c54f159f333ea3dc73f1/" hreflang="en"
data-tippy data-description="The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code."
data-source="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/"
data-date="2024-04-04"
data-favicon="https://www.404media.co/content/images/size/w256h256/format/png/2023/08/favicon-3.svg"
data-domain="404media.co"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a></em></cite></p>
</blockquote>

<nav>
<p>
<a href="/david/2024/commun/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#commun</a>
<a href="/david/2024/opensource/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#opensource</a>
<a href="/david/2024/protopie/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#protopie</a>
<a href="/david/2024/#tags" title="Liste de toutes les étiquettes 2024">tous ?</a>
</p>
</nav>
<h2>
<a href="/david/2024/03/28/" title="Lien permanent vers cet article">Collectif</a> <time datetime="2024-03-28">28 mars 2024</time>
</h2>
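Review bot: the tbray.org archive link in this hunk carries `data-description=""`, so the tippy template in the article page renders `<p lang="en"><em></em></p>` as an empty paragraph in the tooltip; the generator should omit the description paragraph when the attribute is empty, or fill it from the cited page. More generally, the whole article body, inline SVG and `data-tippy` attributes included, is copied verbatim into this tag index and again into `david/2024/opensource/index.html`, so any correction must be made in `david/2024/_sources/2024-04-02 - Porte.md` and regenerated rather than patched into one of the HTML copies, or the copies will drift.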

+ 9
- 3
david/2024/index.html

@@ -228,6 +228,12 @@
</p>
<h2>Avril 2024</h2>
<p>
<a href="/david/2024/04/02/">Porte</a>.
</p>
<h2 id="tags">Par tags</h2>
<p>
@@ -238,7 +244,7 @@
<a href="/david/2024/apprentissage/" rel="tag">#apprentissage (16)</a>,
<a href="/david/2024/aventure/" rel="tag">#aventure (4)</a>,
<a href="/david/2024/cinema/" rel="tag">#cinéma (1)</a>,
<a href="/david/2024/commun/" rel="tag">#commun (10)</a>,
<a href="/david/2024/commun/" rel="tag">#commun (11)</a>,
<a href="/david/2024/communaute/" rel="tag">#communauté (6)</a>,
<a href="/david/2024/courage/" rel="tag">#courage (1)</a>,
<a href="/david/2024/decentralisation/" rel="tag">#décentralisation (1)</a>,
@@ -262,7 +268,7 @@
<a href="/david/2024/lecture/" rel="tag">#lecture (5)</a>,
<a href="/david/2024/liens/" rel="tag">#liens (1)</a>,
<a href="/david/2024/opendata/" rel="tag">#opendata (1)</a>,
<a href="/david/2024/opensource/" rel="tag">#opensource (9)</a>,
<a href="/david/2024/opensource/" rel="tag">#opensource (10)</a>,
<a href="/david/2024/parentalite/" rel="tag">#parentalité (5)</a>,
<a href="/david/2024/partage/" rel="tag">#partage (9)</a>,
<a href="/david/2024/parvenir/" rel="tag">#parvenir (3)</a>,
@@ -270,7 +276,7 @@
<a href="/david/2024/poesie/" rel="tag">#poésie (3)</a>,
<a href="/david/2024/processus/" rel="tag">#processus (10)</a>,
<a href="/david/2024/propriete/" rel="tag">#propriété (1)</a>,
<a href="/david/2024/protopie/" rel="tag">#protopie (8)</a>,
<a href="/david/2024/protopie/" rel="tag">#protopie (9)</a>,
<a href="/david/2024/psychologie/" rel="tag">#psychologie (11)</a>,
<a href="/david/2024/solastalgia/" rel="tag">#solastalgia (5)</a>,
<a href="/david/2024/sport/" rel="tag">#sport (6)</a>,

+ 87
- 0
david/2024/opensource/index.html

@@ -134,6 +134,93 @@
</p>
</nav>
<h2>
<a href="/david/2024/04/02/" title="Lien permanent vers cet article">Porte</a> <time datetime="2024-04-02">2 avril 2024</time>
</h2>

<blockquote lang="en">
<p>For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including&nbsp;mine.</p>
<p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is incalculable. <mark>#XZ was the one we caught; how many have we&nbsp;missed?</mark></p>
<p><cite><em><a data-link-domain="tbray.org" href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" hreflang="en"
title="Consultation de l’article (anglais)">ongoing by Tim Bray · OSQI</a>
<a href="/david/cache/2024/8ffe1e30cd3dd6446468bd6d03550457/" hreflang="en"
data-tippy data-description=""
data-source="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI"
data-date="2024-04-04"
data-favicon="https://www.tbray.org/favicon.ico"
data-domain="tbray.org"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a></em></cite></p>
</blockquote>
<p>J’ai laissé le web 2&nbsp;jours et hop, une <a data-link-domain="fr.wikipedia.org" href="https://fr.wikipedia.org/wiki/Porte_d%C3%A9rob%C3%A9e">porte dérobée</a> a été fermée à temps. C’est <a data-link-domain="boehs.org" href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor" hreflang="en"
title="Consultation de l’article (anglais)">la chronologie</a>
<a href="/david/cache/2024/b4d0d377662e30cef4e944448d41338c/" hreflang="en"
data-tippy data-description="Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries"
data-source="https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
data-date="2024-04-04"
data-favicon="https://boehs.org/favicon.ico"
data-domain="boehs.org"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a> qui est surprenante dans sa durée et pose immédiatement la question de savoir s’il s’agit d’une exception ou s’il y a déjà des portes un peu partout, exploitées par plus ou moins de&nbsp;monde.</p>
<p>Lorsqu’on voit ce que <a href="/david/2024/03/28/#hr-140">sont prêts à faire les GAFAM+</a>, je n’ai aucun doute sur le fait qu’ils se rueraient sur de telles «&nbsp;opportunités&nbsp;». On parle souvent de malveillance dans ces cas là, je pense que l’on peut facilement mettre tout ce qui est <em>growth hacking</em> et <em>marketing</em> dans ce&nbsp;périmètre.</p>
<p>Pour en revenir à des OSQI (Open Source Quality Institutes) nationaux, cela me rappelle des initiatives comme <a data-link-domain="copiepublique.fr" href="https://copiepublique.fr/">copie publique</a> ou cette idée de <a href="/david/2023/01/11/">MécénatDeCompétencesPublic</a>&#8239;.</p>
<p>Transformer l’Open-Source en bien commun est peut-être le chantier de la décennie à venir. J’espère en faire partie à mon&nbsp;échelle.</p>

<blockquote lang="en">
<p>Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant&nbsp;now.”</p>
<p>Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it’s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top&nbsp;of.</p>
<p><cite><em><a data-link-domain="404media.co" href="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/" hreflang="en"
title="Consultation de l’article (anglais)">Bullying in Open Source Software Is a Massive Security Vulnerability</a>
<a href="/david/cache/2024/14da9039de50c54f159f333ea3dc73f1/" hreflang="en"
data-tippy data-description="The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code."
data-source="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/"
data-date="2024-04-04"
data-favicon="https://www.404media.co/content/images/size/w256h256/format/png/2023/08/favicon-3.svg"
data-domain="404media.co"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a></em></cite></p>
</blockquote>

<nav>
<p>
<a href="/david/2024/commun/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#commun</a>
<a href="/david/2024/opensource/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#opensource</a>
<a href="/david/2024/protopie/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#protopie</a>
<a href="/david/2024/#tags" title="Liste de toutes les étiquettes 2024">tous ?</a>
</p>
</nav>
<h2>
<a href="/david/2024/03/21/" title="Lien permanent vers cet article">Fourchette</a> <time datetime="2024-03-21">21 mars 2024</time>
</h2>
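Review bot: the tbray.org archive link carries data-description="" while the two other cached links in this hunk (boehs.org, 404media.co) have a populated description; either fill it in or drop the attribute rather than shipping an empty value to the data-tippy hook. Two typography nits in the French paragraphs: « ces cas là » should be « ces cas-là », and the narrow no-break space in MécénatDeCompétencesPublic&#8239;. sits before a full stop, which takes no space in French (that glyph belongs before ? ! ; only). Both look inherited from the source text, so correct them there and regenerate rather than patching the HTML.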

+ 87
- 0
david/2024/protopie/index.html View File

@@ -134,6 +134,93 @@
</p>
</nav>
<h2>
<a href="/david/2024/04/02/" title="Lien permanent vers cet article">Porte</a> <time datetime="2024-04-02">2 avril 2024</time>
</h2>

<blockquote lang="en">
<p>For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled <em>and patient</em>. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including&nbsp;mine.</p>
<p>The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is incalculable. <mark>#XZ was the one we caught; how many have we&nbsp;missed?</mark></p>
<p><cite><em><a data-link-domain="tbray.org" href="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI" hreflang="en"
title="Consultation de l’article (anglais)">ongoing by Tim Bray · OSQI</a>
<a href="/david/cache/2024/8ffe1e30cd3dd6446468bd6d03550457/" hreflang="en"
data-tippy data-description=""
data-source="https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI"
data-date="2024-04-04"
data-favicon="https://www.tbray.org/favicon.ico"
data-domain="tbray.org"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a></em></cite></p>
</blockquote>
<p>J’ai laissé le web 2&nbsp;jours et hop, une <a data-link-domain="fr.wikipedia.org" href="https://fr.wikipedia.org/wiki/Porte_d%C3%A9rob%C3%A9e">porte dérobée</a> a été fermée à temps. C’est <a data-link-domain="boehs.org" href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor" hreflang="en"
title="Consultation de l’article (anglais)">la chronologie</a>
<a href="/david/cache/2024/b4d0d377662e30cef4e944448d41338c/" hreflang="en"
data-tippy data-description="Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries"
data-source="https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
data-date="2024-04-04"
data-favicon="https://boehs.org/favicon.ico"
data-domain="boehs.org"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a> qui est surprenante dans sa durée et pose immédiatement la question de savoir s’il s’agit d’une exception ou s’il y a déjà des portes un peu partout, exploitées par plus ou moins de&nbsp;monde.</p>
<p>Lorsqu’on voit ce que <a href="/david/2024/03/28/#hr-140">sont prêts à faire les GAFAM+</a>, je n’ai aucun doute sur le fait qu’ils se rueraient sur de telles «&nbsp;opportunités&nbsp;». On parle souvent de malveillance dans ces cas là, je pense que l’on peut facilement mettre tout ce qui est <em>growth hacking</em> et <em>marketing</em> dans ce&nbsp;périmètre.</p>
<p>Pour en revenir à des OSQI (Open Source Quality Institutes) nationaux, cela me rappelle des initiatives comme <a data-link-domain="copiepublique.fr" href="https://copiepublique.fr/">copie publique</a> ou cette idée de <a href="/david/2023/01/11/">MécénatDeCompétencesPublic</a>&#8239;.</p>
<p>Transformer l’Open-Source en bien commun est peut-être le chantier de la décennie à venir. J’espère en faire partie à mon&nbsp;échelle.</p>

<blockquote lang="en">
<p>Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant&nbsp;now.”</p>
<p>Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it’s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top&nbsp;of.</p>
<p><cite><em><a data-link-domain="404media.co" href="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/" hreflang="en"
title="Consultation de l’article (anglais)">Bullying in Open Source Software Is a Massive Security Vulnerability</a>
<a href="/david/cache/2024/14da9039de50c54f159f333ea3dc73f1/" hreflang="en"
data-tippy data-description="The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code."
data-source="https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/"
data-date="2024-04-04"
data-favicon="https://www.404media.co/content/images/size/w256h256/format/png/2023/08/favicon-3.svg"
data-domain="404media.co"
><svg xmlns="http://www.w3.org/2000/svg"
width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="square"
stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle>
<path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"></path>
<line x1="12" y1="17" x2="12.01" y2="17"></line>
</svg>
<span class="sr-only">[archive]</span></a></em></cite></p>
</blockquote>

<nav>
<p>
<a href="/david/2024/commun/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#commun</a>
<a href="/david/2024/opensource/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#opensource</a>
<a href="/david/2024/protopie/"
title="Liste de tous les articles 2024 associés à cette étiquette"
rel="tag">#protopie</a>
<a href="/david/2024/#tags" title="Liste de toutes les étiquettes 2024">tous ?</a>
</p>
</nav>
<h2>
<a href="/david/2024/03/28/" title="Lien permanent vers cet article">Collectif</a> <time datetime="2024-03-28">28 mars 2024</time>
</h2>
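Review bot: this hunk copies the new article markup verbatim into the #protopie tag page, so the same nits recur here (empty data-description on the tbray.org archive link, « ces cas là » for « ces cas-là », narrow no-break space before the full stop after MécénatDeCompétencesPublic). Since the article, the tag page and the feed are all rendered from one source, fixing the source once and regenerating keeps the three copies in sync; editing any one of them by hand will be overwritten on the next build.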

+ 26
- 26
david/blogroll/index.html View File

@@ -176,21 +176,41 @@
<h2>Leurs dernières publications</h2>
<dl>
<dt>
<a href="https://winnielim.org/notes/hongkong-at-632am/">hongkong at 6:32am</a>,
01-04-2024
<a href="https://www.arthurperret.fr/veille/2024-04-04-implosion-de-la-bulle-ia.html">[Veille] L’implosion de la bulle IA</a>,
04-04-2024
</dt>
<dd>
hongkong, at 6:32am in the morning. there was a cafe open with delicious coffee.
https://ploum.net/2024-04-04-la-bulle-ai.html Excellent billet de Ploum sur l’implosion désormais amorcée de la bulle IA. C’est clair, concis et percutant. On peut même le faire lire à quelqu’un qui ne sait pas ce qu’est ChatGPT, tout est expliqué et contextualisé. À diffuser largement !
— <a href="https://www.arthurperret.fr/">Arthur Perret</a>
</dd>
</dl>
<dl>
<dt>
<a href="https://thom4.net/2024/04/02/ambigu/">☕️ Journal : Brunch ambigü</a>,
02-04-2024
</dt>
<dd>
On sort les assiettes et les différentes préparations que chacun‧e a ramené. Une personne dit : Quelle table bien dre
— <a href="https://thom4.net/">Thomas Parisot</a>
</dd>
</dl>
<dl>
<dt>
<a href="https://winnielim.org/notes/95-months-i-am-the-tree-and-she-is-the-forest/">95 months: i am the tree and she is the forest</a>,
02-04-2024
</dt>
<dd>
"our selfies are so boring! let’s take cool pictures like john lennon and yoko ono!” and thereafter she no longer looks at the camera lens…i love her because she’s always making me laugh like this with all her quirky thoughts and ideas, and that includes the way she sees and loves me. throughout all the peaks and the extreme lows she’s been there with me, not just when i’m at my best but…
— <a href="https://winnielim.org/">Winnie Lim (en)</a>
</dd>
</dl>
<dl>
<dt>
<a href="https://winnielim.org/journal/sending-out-pieces-of-my-self/">sending out pieces of my self</a>,
30-03-2024
<a href="https://winnielim.org/notes/hongkong-at-632am/">hongkong at 6:32am</a>,
01-04-2024
</dt>
<dd>
In one of my recent posts I documented my experience with the risograph, and at the bottom of the post I wrote that I’ll be giving away 5 pieces of the poster...
hongkong, at 6:32am in the morning. there was a cafe open with delicious coffee.
— <a href="https://winnielim.org/">Winnie Lim (en)</a>
</dd>
</dl>
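Review bot: the new Thomas Parisot excerpt is cut mid-word ("Quelle table bien dre") with no ellipsis, while the Winnie Lim and Arthur Perret excerpts end on a word boundary with "…" or "..."; the truncation should cut at the last whitespace within the length limit and append an ellipsis, otherwise readers see a broken word at the end of the blurb. Minor: the Arthur Perret excerpt opens with a bare URL (https://ploum.net/2024-04-04-la-bulle-ai.html) that the excerpt generator could either strip or render as a link.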
@@ -214,16 +234,6 @@
— <a href="https://blog.ecologie-politique.eu/">Aude</a>
</dd>
</dl>
<dl>
<dt>
<a href="https://www.arthurperret.fr/cours/make.html">[Cours] Make</a>,
28-03-2024
</dt>
<dd>
Voici un guide introductif en français sur le logiciel Make, un outil simple et fiable pour automatiser des tâches. Commencé il y a quelques mois, il est désormais finalisé. Merci à David Larlet ainsi qu'à Louis-Olivier Brassard pour leur relecture et leurs conseils. Le contenu du guide est inclus ci-dessous mais je vous encourage à le consulter sur mon site pour bénéficier de la mise en forme…
— <a href="https://www.arthurperret.fr/">Arthur Perret</a>
</dd>
</dl>
<dl>
<dt>
<a href="https://ynote.hk/mots/humeur/marcher.html">Marcher</a>,
@@ -274,16 +284,6 @@
— <a href="https://emmaclit.com/">Emma</a>
</dd>
</dl>
<dl>
<dt>
<a href="https://thom4.net/2024/03/16/miso-anniversaire/">☕️ Journal : Miso anniversaire</a>,
16-03-2024
</dt>
<dd>
Parmi les pots en verre qui s’accumulaient dans le bac de tri, je retrouvais souvent un petit contenant de miso. Toutes les semaines ou d
— <a href="https://thom4.net/">Thomas Parisot</a>
</dd>
</dl>
<dl>
<dt>
<a href="https://n.survol.fr/n/en-voiture-ou-marreter-sur-la-chaussee">En voiture, où m’ar­rê­ter sur la chaus­sée ?</a>,
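Review bot: the "Miso anniversaire" entry being removed here shows the same mid-word cut ("Toutes les semaines ou d"), so the truncation is a blogroll-generator behaviour rather than a one-off in a single feed item; a word-boundary cut plus ellipsis at generator level fixes every entry at once.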

+ 4
- 3
david/index.html View File

@@ -468,6 +468,7 @@
</style>
<p>Liste des publications récentes en ordre anté-chronologique :</p>
<p>
<a href="/david/2024/04/02/" data-commun data-opensource data-protopie title="Étiquettes : commun, opensource, protopie.">Porte</a>,
<a href="/david/2024/03/30/" data-experience data-foret data-partage title="Étiquettes : expérience, forêt, partage.">Jour 2</a>,
<a href="/david/2024/03/29/" data-experience data-foret data-partage title="Étiquettes : expérience, forêt, partage.">Jour 1</a>,
<a href="/david/2024/03/28/" data-commun data-equipe data-protopie title="Étiquettes : commun, équipe, protopie.">Collectif</a>,
@@ -566,7 +567,7 @@
<a href="/david/2024/apprentissage/" data-tag="apprentissage" rel="tag">#apprentissage (16)</a>,
<a href="/david/2024/aventure/" data-tag="aventure" rel="tag">#aventure (4)</a>,
<a href="/david/2024/cinema/" data-tag="cinema" rel="tag">#cinéma (1)</a>,
<a href="/david/2024/commun/" data-tag="commun" rel="tag">#commun (10)</a>,
<a href="/david/2024/commun/" data-tag="commun" rel="tag">#commun (11)</a>,
<a href="/david/2024/communaute/" data-tag="communaute" rel="tag">#communauté (6)</a>,
<a href="/david/2024/courage/" data-tag="courage" rel="tag">#courage (1)</a>,
<a href="/david/2024/decentralisation/" data-tag="decentralisation" rel="tag">#décentralisation (1)</a>,
@@ -590,7 +591,7 @@
<a href="/david/2024/lecture/" data-tag="lecture" rel="tag">#lecture (5)</a>,
<a href="/david/2024/liens/" data-tag="liens" rel="tag">#liens (1)</a>,
<a href="/david/2024/opendata/" data-tag="opendata" rel="tag">#opendata (1)</a>,
<a href="/david/2024/opensource/" data-tag="opensource" rel="tag">#opensource (9)</a>,
<a href="/david/2024/opensource/" data-tag="opensource" rel="tag">#opensource (10)</a>,
<a href="/david/2024/parentalite/" data-tag="parentalite" rel="tag">#parentalité (5)</a>,
<a href="/david/2024/partage/" data-tag="partage" rel="tag">#partage (9)</a>,
<a href="/david/2024/parvenir/" data-tag="parvenir" rel="tag">#parvenir (3)</a>,
@@ -598,7 +599,7 @@
<a href="/david/2024/poesie/" data-tag="poesie" rel="tag">#poésie (3)</a>,
<a href="/david/2024/processus/" data-tag="processus" rel="tag">#processus (10)</a>,
<a href="/david/2024/propriete/" data-tag="propriete" rel="tag">#propriété (1)</a>,
<a href="/david/2024/protopie/" data-tag="protopie" rel="tag">#protopie (8)</a>,
<a href="/david/2024/protopie/" data-tag="protopie" rel="tag">#protopie (9)</a>,
<a href="/david/2024/psychologie/" data-tag="psychologie" rel="tag">#psychologie (11)</a>,
<a href="/david/2024/solastalgia/" data-tag="solastalgia" rel="tag">#solastalgia (5)</a>,
<a href="/david/2024/sport/" data-tag="sport" rel="tag">#sport (6)</a>,
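Review bot: the three counter bumps (#commun 10→11, #opensource 9→10, #protopie 8→9) match the data-commun, data-opensource and data-protopie attributes on the new "Porte" entry added in the first hunk of this file, and no other tag count changes, so the tag list stays consistent with the new post.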

+ 26
- 45
david/log/index.xml View File

@@ -6,13 +6,38 @@
<link href="https://larlet.fr/david/" rel="alternate" type="text/html" />
<link href="https://larlet.fr/david/log/" rel="self" />
<id>https://larlet.fr/david/</id>
<updated>2024-04-02T12:00:00+01:00</updated>
<updated>2024-04-04T12:00:00+01:00</updated>
<author>
<name>David Larlet</name>
<uri>https://larlet.fr/david/</uri>
</author>
<rights>Copyright (c) 2004-2024, David Larlet</rights>
<entry xml:lang="fr">
<title type="html">Porte</title>
<link href="https://larlet.fr/david/2024/04/02/" rel="alternate" type="text/html" />
<updated>2024-04-02T12:00:00+01:00</updated>
<id>https://larlet.fr/david/2024/04/02/</id>
<summary type="html">

&lt;blockquote lang=&quot;en&quot;&gt;
&lt;p&gt;For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled &lt;em&gt;and patient&lt;/em&gt;. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including&amp;nbsp;mine.&lt;/p&gt;
&lt;p&gt;The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is incalculable. &lt;mark&gt;#XZ was the one we caught; how many have we&amp;nbsp;missed?&lt;/mark&gt;&lt;/p&gt;
&lt;p&gt;&lt;cite&gt;&lt;em&gt;&lt;a href=&quot;https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI&quot;&gt;ongoing by Tim Bray ·&amp;nbsp;OSQI&lt;/a&gt;&lt;/em&gt;&lt;/cite&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;J’ai laissé le web 2&amp;nbsp;jours et hop, une &lt;a href=&quot;https://fr.wikipedia.org/wiki/Porte_d%C3%A9rob%C3%A9e&quot;&gt;porte dérobée&lt;/a&gt; a été fermée à temps. C’est &lt;a href=&quot;https://boehs.org/node/everything-i-know-about-the-xz-backdoor&quot;&gt;la chronologie&lt;/a&gt; qui est surprenante dans sa durée et pose immédiatement la question de savoir s’il s’agit d’une exception ou s’il y a déjà des portes un peu partout, exploitées par plus ou moins de&amp;nbsp;monde.&lt;/p&gt;
&lt;p&gt;Lorsqu’on voit ce que &lt;a href=&quot;https://larlet.fr/david/2024/03/28/#hr-140&quot;&gt;sont prêts à faire les GAFAM+&lt;/a&gt;, je n’ai aucun doute sur le fait qu’ils se rueraient sur de telles «&amp;nbsp;opportunités&amp;nbsp;». On parle souvent de malveillance dans ces cas là, je pense que l’on peut facilement mettre tout ce qui est &lt;em&gt;growth hacking&lt;/em&gt; et &lt;em&gt;marketing&lt;/em&gt; dans ce&amp;nbsp;périmètre.&lt;/p&gt;
&lt;p&gt;Pour en revenir à des OSQI (Open Source Quality Institutes) nationaux, cela me rappelle des initiatives comme &lt;a href=&quot;https://copiepublique.fr/&quot;&gt;copie publique&lt;/a&gt; ou cette idée de &lt;a href=&quot;https://larlet.fr/david/2023/01/11/&quot;&gt;MécénatDeCompétencesPublic&lt;/a&gt;&amp;#8239;.&lt;/p&gt;
&lt;p&gt;Transformer l’Open-Source en bien commun est peut-être le chantier de la décennie à venir. J’espère en faire partie à mon&amp;nbsp;échelle.&lt;/p&gt;

&lt;blockquote lang=&quot;en&quot;&gt;
&lt;p&gt;Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant&amp;nbsp;now.”&lt;/p&gt;
&lt;p&gt;Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it’s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top&amp;nbsp;of.&lt;/p&gt;
&lt;p&gt;&lt;cite&gt;&lt;em&gt;&lt;a href=&quot;https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/&quot;&gt;Bullying in Open Source Software Is a Massive Security&amp;nbsp;Vulnerability&lt;/a&gt;&lt;/em&gt;&lt;/cite&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;nav&gt;&lt;p&gt;&lt;a href=&quot;https://larlet.fr/david/2024/commun/&quot;&gt;#commun&lt;/a&gt; &lt;a href=&quot;https://larlet.fr/david/2024/opensource/&quot;&gt;#opensource&lt;/a&gt; &lt;a href=&quot;https://larlet.fr/david/2024/protopie/&quot;&gt;#protopie&lt;/a&gt;&lt;/p&gt;&lt;/nav&gt;&lt;hr/&gt;&lt;p&gt;&lt;a href=&quot;mailto:david@larlet.fr&quot;&gt;Réagir ?&lt;/a&gt;&lt;/p&gt;</summary>
</entry>
<entry xml:lang="fr">
<title type="html">Jour 2</title>
<link href="https://larlet.fr/david/2024/03/30/" rel="alternate" type="text/html" />
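Review bot: the new entry's <updated> is 2024-04-02T12:00:00+01:00, and the feed-level <updated> moves to 2024-04-04T12:00:00+01:00 with the same offset, although France switched to +02:00 on 31 March 2024; the generator seems to hard-code +01:00 instead of deriving the offset from the date. Harmless for readers that only order entries, but a noon timestamp in April actually denotes 13:00 local time, so computing the offset from the local date (or emitting the time in UTC) would be cleaner.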
@@ -1301,48 +1326,4 @@ Et je sais enfin qui je&amp;nbsp;suis…&lt;/p&gt;
&lt;nav&gt;&lt;p&gt;&lt;a href=&quot;https://larlet.fr/david/2024/ecriture/&quot;&gt;#écriture&lt;/a&gt; &lt;a href=&quot;https://larlet.fr/david/2024/processus/&quot;&gt;#processus&lt;/a&gt; &lt;a href=&quot;https://larlet.fr/david/2024/psychologie/&quot;&gt;#psychologie&lt;/a&gt;&lt;/p&gt;&lt;/nav&gt;&lt;hr/&gt;&lt;p&gt;&lt;a href=&quot;mailto:david@larlet.fr&quot;&gt;Réagir ?&lt;/a&gt;&lt;/p&gt;</summary>
</entry>
<entry xml:lang="fr">
<title type="html">Galaxie</title>
<link href="https://larlet.fr/david/2024/02/26/" rel="alternate" type="text/html" />
<updated>2024-02-26T12:00:00+01:00</updated>
<id>https://larlet.fr/david/2024/02/26/</id>
<summary type="html">
&lt;p&gt;Anecdote du jour qui met le sourire de bon&amp;nbsp;matin.&lt;/p&gt;
&lt;figure&gt;
&lt;a href=&quot;https://larlet.fr/static/david/2024/2024-02-26-neige-galaxie.jpg&quot;
title=&quot;Cliquer pour une version haute résolution&quot;&gt;
&lt;img
src=&quot;https://larlet.fr/static/david/2024/2024-02-26-neige-galaxie.jpg&quot;
width=&quot;4032&quot; height=&quot;3024&quot;
srcset=&quot;/static/david/2024/2024-02-26-neige-galaxie.jpg 4032w, /static/david/2024/2024-02-26-neige-galaxie_660x440.jpg 660w, /static/david/2024/2024-02-26-neige-galaxie_990x660.jpg 990w, /static/david/2024/2024-02-26-neige-galaxie_1320x880.jpg 1320w&quot;
sizes=&quot;min(100vw, calc(100vh * 4032 / 3024))&quot;
loading=&quot;lazy&quot;
decoding=&quot;async&quot;
alt=&quot;De la neige qui tombe à gros flocon.&quot;&gt;
&lt;/a&gt;
&lt;figcaption&gt;L’espace d’un instant, par la&amp;nbsp;fenêtre.&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;blockquote&gt;
&lt;p&gt;— Oh la belle neige&amp;#8239;!&lt;br /&gt;
—&amp;nbsp;Il pleut des étoiles, la galaxie est en train de tomber.&lt;br /&gt;
—&amp;nbsp;❤️&lt;/p&gt;
&lt;/blockquote&gt;
&lt;hr /&gt;

&lt;blockquote lang=&quot;en&quot;&gt;
&lt;p&gt;CSS Variable Groups is a way to define multiple properties under the same namespace and pass the entire group around, addressing several pain points around design tokens, design systems, and integrating third-party&amp;nbsp;components.&lt;/p&gt;
&lt;p&gt;&lt;cite&gt;&lt;em&gt;&lt;a href=&quot;https://lea.verou.me/docs/var-groups/&quot;&gt;Proposal: CSS Variable&amp;nbsp;Groups&lt;/a&gt;&lt;/em&gt;&lt;/cite&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Heureusement que Lea Verou &lt;a href=&quot;https://larlet.fr/david/2024/02/18/&quot;&gt;me lit&lt;/a&gt; et traduit ça en proposition de &lt;a href=&quot;https://github.com/w3c/csswg-drafts/issues/9992&quot;&gt;standardisation&lt;/a&gt; en quelques jours au lieu de chialer&amp;nbsp;😅🙇. Trop&amp;nbsp;hâte&amp;#8239;!&lt;/p&gt;
&lt;hr /&gt;

&lt;blockquote lang=&quot;en&quot;&gt;
&lt;p&gt;&lt;mark&gt;Maybe that’s ok.&lt;/mark&gt; The amount of power you give plugin authors is a delicate balance. Giving them too much power could impact the stability of your project. But giving them too little power makes it hard for them to solve their problems — in that case you might as well not have&amp;nbsp;plugins.&lt;/p&gt;
&lt;p&gt;&lt;cite&gt;&lt;em&gt;&lt;a href=&quot;https://css-tricks.com/designing-a-javascript-plugin-system/&quot;&gt;Designing a JavaScript Plugin&amp;nbsp;System&lt;/a&gt;&lt;/em&gt;&lt;/cite&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Problématique du jour&amp;nbsp;: comment concevoir un système de &lt;em&gt;plugins&lt;/em&gt; qui soit le bon compromis entre flexibilité et stabilité&amp;#8239;? Ce n’est pas si évident, encore plus dans un écosystème aussi évolutif que&amp;nbsp;JavaScript.&lt;/p&gt;
&lt;nav&gt;&lt;p&gt;&lt;a href=&quot;https://larlet.fr/david/2024/parentalite/&quot;&gt;#parentalité&lt;/a&gt; &lt;a href=&quot;https://larlet.fr/david/2024/poesie/&quot;&gt;#poésie&lt;/a&gt; &lt;a href=&quot;https://larlet.fr/david/2024/solastalgia/&quot;&gt;#solastalgia&lt;/a&gt;&lt;/p&gt;&lt;/nav&gt;&lt;hr/&gt;&lt;p&gt;&lt;a href=&quot;mailto:david@larlet.fr&quot;&gt;Réagir ?&lt;/a&gt;&lt;/p&gt;</summary>
</entry>
</feed>

+ 12
- 0
david/recherche/index.html View File

@@ -276,6 +276,12 @@
</template>
<script id="search-index" type="application/json">[
{
"title": "Porte",
"url": "/david/2024/04/02/",
"date": "2024-04-02",
"content": "For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled and patient. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including\u00a0mine. The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is incalculable. #XZ was the one we caught; how many have we\u00a0missed? ongoing by Tim Bray \u00b7\u00a0OSQI J\u2019ai laiss\u00e9 le web 2\u00a0jours et hop, une porte d\u00e9rob\u00e9e a \u00e9t\u00e9 ferm\u00e9e \u00e0 temps. C\u2019est la chronologie qui est surprenante dans sa dur\u00e9e et pose imm\u00e9diatement la question de savoir s\u2019il s\u2019agit d\u2019une exception ou s\u2019il y a d\u00e9j\u00e0 des portes un peu partout, exploit\u00e9es par plus ou moins de\u00a0monde. Lorsqu\u2019on voit ce que sont pr\u00eats \u00e0 faire les GAFAM+, je n\u2019ai aucun doute sur le fait qu\u2019ils se rueraient sur de telles \u00ab\u00a0opportunit\u00e9s\u00a0\u00bb. On parle souvent de malveillance dans ces cas l\u00e0, je pense que l\u2019on peut facilement mettre tout ce qui est growth hacking et marketing dans ce\u00a0p\u00e9rim\u00e8tre. Pour en revenir \u00e0 des OSQI (Open Source Quality Institutes) nationaux, cela me rappelle des initiatives comme copie publique ou cette id\u00e9e de M\u00e9c\u00e9natDeComp\u00e9tencesPublic\u202f. Transformer l\u2019Open-Source en bien commun est peut-\u00eatre le chantier de la d\u00e9cennie \u00e0 venir. J\u2019esp\u00e8re en faire partie \u00e0 mon\u00a0\u00e9chelle. 
Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: \u201cThree years ago, F-Droid had a similar kind of attempt as the Xz backdoor,\u201d he posted on Mastodon. \u201cA new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn\u2019t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it\u2019s relevant\u00a0now.\u201d Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it\u2019s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top\u00a0of. Bullying in Open Source Software Is a Massive Security\u00a0Vulnerability"
},
{
"title": "Jour 2",
"url": "/david/2024/03/30/",
@@ -792,6 +798,12 @@
"date": "2024-01-01",
"content": "33\u202f% de 44\u00a0millions de consommateurs vont faire le Dry January 22\u202f% des consommateurs ont une conso excessive, c\u2019est-\u00e0-dire 10\u00a0verres/semaine max et plus de deux\u00a0verres/jour. Les seniors sont aussi tr\u00e8s touch\u00e9\u00b7es. L\u2019alcool est une drogue.. On peut faire la f\u00eate sans alcool et\u00a0s\u2019\u00e9clater. Quand on arr\u00eate\u00a0: bienfaits sur le foie, la peau, le coeur, etc\u2026 Pb\u00a0: m\u00e9moire, troubles cognitifs, responsable de cancer, pb sommeil, d\u00e9compensation de maladie psy,\u2026 41000\u00a0d\u00e9c\u00e8s par an en\u00a0France. Les cinq sympt\u00f4mes d\u00e9finissent un probl\u00e8me de\u00a0d\u00e9pendance\u00a0: Perte de\u00a0contr\u00f4le Usage\u00a0compulsif Envie\u00a0r\u00e9pressive Usage\u00a0chronique Cons\u00e9quences psychiques, physiques, sociales,\u2026 Bon Dry J. pour celleux qui le font\u202f! Moi j\u2019en\u00a0suis\u202f! @Air@framapiaf.org Dans mon entourage, de plus en plus de personnes que j\u2019estime ne boivent pas d\u2019alcool, de plus en plus de personnes qui vieillissent en deviennent d\u00e9pendantes. Je suis davantage attir\u00e9 par la premi\u00e8re option\u2026 et pas pour un seul\u00a0mois. Je me sens pr\u00eat, on verra bien o\u00f9 cela me\u00a0m\u00e8ne. Grosse envie de reprendre la CSS par ici en ce d\u00e9but d\u2019ann\u00e9e. Avec le dilemme de faire chuter cette motivation si je publie d\u00e8s maintenant avec l\u2019ancienne (qui restera effective sur les anciens articles). Je vais essayer de me\u00a0retenir."
},
{
"title": "Porte",
"url": "/david/2024/04/02/",
"date": "2024-04-02",
"content": "For me, the two big lessons from #XZ were first, the lack of resources supporting crucial Open-Source infrastructure, but then and especially, the demonstration that the attackers are numerous, skilled and patient. We already knew about numerous and skilled but this episode, where the attacker was already well-embedded in the project by May 2022, opened a few eyes, including\u00a0mine. The advantage, to various flavors of malefactor, of subverting core pieces of Open-Source infrastructure, is incalculable. #XZ was the one we caught; how many have we\u00a0missed? ongoing by Tim Bray \u00b7\u00a0OSQI J\u2019ai laiss\u00e9 le web 2\u00a0jours et hop, une porte d\u00e9rob\u00e9e a \u00e9t\u00e9 ferm\u00e9e \u00e0 temps. C\u2019est la chronologie qui est surprenante dans sa dur\u00e9e et pose imm\u00e9diatement la question de savoir s\u2019il s\u2019agit d\u2019une exception ou s\u2019il y a d\u00e9j\u00e0 des portes un peu partout, exploit\u00e9es par plus ou moins de\u00a0monde. Lorsqu\u2019on voit ce que sont pr\u00eats \u00e0 faire les GAFAM+, je n\u2019ai aucun doute sur le fait qu\u2019ils se rueraient sur de telles \u00ab\u00a0opportunit\u00e9s\u00a0\u00bb. On parle souvent de malveillance dans ces cas l\u00e0, je pense que l\u2019on peut facilement mettre tout ce qui est growth hacking et marketing dans ce\u00a0p\u00e9rim\u00e8tre. Pour en revenir \u00e0 des OSQI (Open Source Quality Institutes) nationaux, cela me rappelle des initiatives comme copie publique ou cette id\u00e9e de M\u00e9c\u00e9natDeComp\u00e9tencesPublic\u202f. Transformer l\u2019Open-Source en bien commun est peut-\u00eatre le chantier de la d\u00e9cennie \u00e0 venir. J\u2019esp\u00e8re en faire partie \u00e0 mon\u00a0\u00e9chelle. 
Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: \u201cThree years ago, F-Droid had a similar kind of attempt as the Xz backdoor,\u201d he posted on Mastodon. \u201cA new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn\u2019t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it\u2019s relevant\u00a0now.\u201d Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it\u2019s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top\u00a0of. Bullying in Open Source Software Is a Massive Security\u00a0Vulnerability"
},
{
"title": "Jour 2",
"url": "/david/2024/03/30/",
