• 0 Posts
  • 21 Comments
Joined 2 months ago
Cake day: March 23rd, 2025

  • It seems like you don’t have a very broad exposure to closed source development.

    Probably not. 15 years is not that long, what do I know, I’m just on senior expert level.

    Companies run skeleton crews on crap products that don’t make money. Stuff they give away for free or that’s only used by legacy customers. Stuff they can’t shut down because of contracts or because it’s still making a bit of money.

    You might notice if you get escalated to development enough that it’s always like the same guy or two. It’s because they might only have a couple of guys working on it.

    This is where your lack of knowledge about products like that shines through. It’s common to only get the same guy or two, because that’s the people designated (or willing) to talk to customers.

    In real life, OpenSSL was run by a single person. That’s not a skeleton crew, that’s abandonment.

    From what you are writing you aren’t a programmer and you haven’t worked in a software corporation before, but instead just extrapolate from your experiences with customer support.


  • OSS on the other side has the downside of being free.

    That means it’s:

    • massively underfunded because nobody donates
    • no SLA-style contracts to hold anyone accountable
    • most of the time no 3rd party security audits because free software (especially libraries or system tools) doesn’t go through procurement and thus doesn’t require them
    • everyone expects that “someone” will have already reviewed it because the code is open and used by millions of projects, while in reality they are maintained by some solitary hero hacking away in his basement

    If stuff like OpenSSL was CSS, it would be at least a mid-sized company making lots of revenue (because it’s used everywhere, even small license fees would rack up lots of revenue), with dozens of specialists working there, and since it would go through procurement there would be SLAs and 3rd party security audits.

    But since it’s FOSS, nobody cares, nobody donates and it was a singular developer working at it until Heartbleed. Then some of the large corporations which based their whole internet security on this singular dude’s work realized that more funding was necessary and now it is a company with multiple people working there.

    But there are hundreds of other similarly important FOSS projects that are still maintained by a solitary hero not even making minimum wage from it. As shown with the .xz near miss.

    Just imagine that: nobody in their right mind would run a random company’s web app with just one developer working in their spare time. That would be stupid to do, even though really nothing depends on that app.

    But most of our core infrastructure for FOSS OSes and internet security depends on hundreds of projects maintained by just a single person in their free time.



  • If the teacher was so wrong, explain to me how a majority of the students would have understood that question and been able to figure out the correct answer and provided the correct format?

    But did they? How do you know? Have you seen the other students’ assignments?

    Most likely, this specific task wasn’t actually a homework task at all but created just for this meme.

    But teachers like this exist, and I stand by it: these teachers are wrong. Understanding and actually thinking about a problem are much more important skills than obeying blindly and following pre-set directions without even reading what the question actually says.

    I’d say a student that answers the question as expected is failing in regards to reading comprehension.

    And from my experience, if a question is worded as wrongly as the one in the meme, then half the class will have it wrong and there will be a group of parents at the next parent-teacher conference complaining about it.



  • In my country, the written final exams include a Q&A section in the beginning of the test, where the teacher and the headmaster are present, and where they present the tasks and students are allowed to ask questions. After that section, the headmaster leaves and students and teachers aren’t allowed to talk for the rest of the test.

    I noticed a missing specification in one of the tasks. It was a 3D geometry task, and it was missing one angle, thus allowing for infinite correct results. During the Q&A section I asked about that, and my teacher looked sternly past me to the end of the room and said “I am sure the specifications are correct”. If there was an actual error in the specifications, the whole test would have been voided and would have to be repeated at a later date, for all the students attending.

    As soon as the headmaster was out of the room, he came to me and asked where he made the mistake. He then wrote a fitting spec on the whiteboard.

    I liked that guy. He was a good teacher.


  • That’s not what it is, no.

    Teachers make mistakes, like any human being, and a good teacher can deal with the fact that they made a mistake and that a student found said mistake.

    A teacher who insists on being right over being correct is a bad teacher, because a teacher is supposed to teach a child understanding and knowledge, not blind obedience above anything else.

    That’s how you end up with a population who agree with the leader even if he tells them the sky is green.



  • That’s definitely a problem with every bit of code, that everyone relies on stuff they don’t or can’t review.

    My point is that FOSS provides a false sense of security (“Millions of people use this library. Someone will already have reviewed it.”).

    But the bigger issue is that FOSS is massively underfunded. If OpenSSL was for-profit, it would be a corporate project with dozens if not hundreds of developers. Nobody would buy a piece of core security infrastructure from a self-employed dude working away in his basement. It would be ridiculous to even think about that. And if this standard component was for-profit, even very low license fees would generate huge amounts of revenue (because it’s used in so many places) and this would allow for more developers to be employed.

    And since it would be an actual thing that companies would actually buy, they’d demand that third-party security audits of the software would be done, like on any paid-for software that companies use. They’d also demand some SLA contracts that would hold this fictional for-profit OpenSSL accountable for vulnerabilities.

    But since it’s FOSS, nobody cares. Companies just use it, nobody donates. It’s for free, so the decision to use it usually doesn’t even go through procurement and anything related to it. I tried to get my old company to donate to OpenSSL in the wake of Heartbleed, and the company said they don’t have a process to donate to something, so can’t be done.

    So everyone just uses this little project created by one solitary hero and nobody pays for it. And so that dude works alone in his basement, with literally the online security of the whole world resting on his shoulders.

    Luckily after Heartbleed a lot of large corporations started to donate to OpenSSL, but there are hundreds of other equally important projects that still nobody cares about. As seen e.g. with the .xz near miss.


  • My former argument? You might be confusing who you are talking to, since you answered to my first post in this thread.

    You also seem to remember leftPad wrong. What happened there was that someone made a tiny library that did nothing but to pad a string. Something so trivial that any programmer should be able to do that within a minute. But still tens of thousands of projects, even large and important libraries, would rather add a whole dependency just to save writing a line of code. In fact, in most dependency management systems it requires more characters to add that dependency than to write that oneliner yourself.

    The issue with leftpad was that the maintainer of that “library” was angry for unrelated reasons and pulled all his libraries, which then broke thousands of projects and libraries because leftpad wasn’t available any more.

    My point was that everyone just relies on upstream doing their stuff and hardly anyone bothers to check that the code they include is actually doing what it should. And everyone just hopes that someone else already did their job of reviewing upstream, because they can’t be bothered to do it themselves.

    A better example though would be Heartbleed. OpenSSL is used in everything. It’s one of the core libraries for modern online communication. Everyone and their grandma used it, most distros, all the cloud providers and so on. Everyone has been making money using the security that OpenSSL provides. Yet OpenSSL was massively underfunded with only one permanent developer who was also underpaid for what he was doing. And apparently nobody thoroughly reviewed the OpenSSL code. Somehow in version 1.0.1 someone made a mistake and added the Heartbleed bug. Stuff like that happens, nobody’s perfect, and if there’s only one person working on this, mistakes are bound to happen.

    And then this massive security vulnerability just stayed in there for over two years, allowing anyone to read out whatever’s in the memory of any server using OpenSSL. Because none of the billions of people using OpenSSL daily actually reviewed and analysed the code. Because “so many people use OpenSSL, someone surely already reviewed it”.

    Or take Log4Shell. That’s a bug that was so trivial it was even documented behaviour. To find this, someone wouldn’t even have had to review the code, just reviewing the documentation of Log4J would have been enough. And still this one was in production code for 8 years. For a library that’s used in almost every Java program.

    Nobody reviews upstream.

    If upstream makes a mistake, that mistake is in the code. And then everyone just happily consumes what they get.

    And upstream is often just a random library thanklessly maintained by some dude in their spare time.

    Edit: Just to prove my point: Think of your last big FOSS project that you worked on. Can you list every single dependency and every single transient dependency that your project uses? For each of these dependencies, do you know who maintains it and how many people work on each of these dependencies? Do you know if every one of these people is qualified and trustworthy enough to put reliable and secure code in your project? Or do you, like everyone else, just hope that someone else made sure it’s all good?
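    As an added example (not code from this thread or from OpenSSL), a minimal parser for a TLS heartbeat record with the length check whose absence was the Heartbleed bug; the function names are hypothetical and the two records are constructed.

```c
/* Added example, not code from the thread or from OpenSSL: a minimal parser
 * for a TLS heartbeat record (layout per RFC 6520: type, 2-byte big-endian
 * payload_length, payload, >=16 bytes padding). Function names hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN 3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 bytes of padding */

/* Validated parse: returns the payload length if header + claimed payload +
 * minimum padding all fit inside the record, else -1. `payload` may be NULL. */
int hb_parse_checked(const uint8_t *rec, size_t rec_len, const uint8_t **payload) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* This comparison is the bounds check the vulnerable handler did not make. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload)
        *payload = rec + HB_HEADER_LEN;
    return (int)claimed;
}

/* Diagnostic only: how many bytes beyond the end of the record a handler that
 * trusted the length field would have copied into its echoed response. */
size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - HB_HEADER_LEN;
    return claimed > available ? claimed - available : 0;
}

/* Constructed records: 5-byte payload "hello" plus 16 bytes of padding. */
static const uint8_t good_rec[] = {0x01, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};      /* claims 5 bytes, carries 5 */
static const uint8_t bad_rec[]  = {0x01, 0xFF, 0xFF, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};      /* claims 65535 bytes, carries 5 */

int main(void) {
    const uint8_t *p;
    printf("good record: payload length %d\n", hb_parse_checked(good_rec, sizeof good_rec, &p));
    printf("bad record: %s; unchecked over-read would be %zu bytes\n",
           hb_parse_checked(bad_rec, sizeof bad_rec, &p) < 0 ? "rejected" : "accepted",
           hb_overread_if_unchecked(bad_rec, sizeof bad_rec));
    return 0;
}
```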



  • I don’t know the actual solution to this problem. At least for the religious folks, it will have to involve religious figures demonstrating acceptance and disavowing sects that refuse, along with a lot of actual progress and exposure to get people to empathise with and humanise LGBTQ+ people and realise that they’re not a threat. It’s possible, it’s actually quite easy once the ball’s rolling, but it’s a difficult thing to start, I think.

    In that regard, especially protestant churches are like the open source community: You don’t like what your church is doing? Just fork it and create a new variant that is even more radical.

    In the case of the catholic church and other churches with centralized authority it’s more like “Let’s ignore what the Pope says and instead be holier than the Pope, but with holy we mean radical”.

    Tbh, I don’t think the base problem is religion/churches here. The base problem is that a huge portion of the population are incredibly fearful and insecure, often bordering (or venturing deeply) into the territory of anxiety disorders. And instead of that getting addressed in therapy, populists (both political and religious) abuse that fear and insecurity to gain power.

    The real solution would be easily available free therapy for everyone, preferably during young age, to make sure that at least the large majority of people enter adult life without being petrified of their own shadow.


  • I tried it on a few OLED smartphones too, couldn’t see a difference.

    I tried it with some HDR demo videos, so I expected that these would show off the difference especially well, but I couldn’t see the difference at all.

    I’ll try it again with clouds and teals, but I don’t have a huge affinity for distinguishing minute colour differences in general (I’m not colour blind or anything, but it’s hard for me to differentiate between very similar colours), so that might play into it.



  • Tbh, I haven’t done time, but that’s still me.

    I upgraded from an old laptop to a 4070. I tried HDR and I don’t see a difference at all. I turned off all the lights, closed the blinds and turned the (HDR compatible, I checked) screen to max brightness. I don’t see a difference with HDR turned on or off.

    Next I tried path tracing. I could see a difference, but honestly, not much at all. Not nearly enough to warrant reduced FPS and certainly not enough to turn down other graphics settings to keep the FPS.

    To me, both are just buzzwords to get people to fork over more money.



  • Beware, things are not that easy with Linux. If you use Windows, you use Windows. There are different versions but they are just differently old versions of the same thing. Same company, same people, same stuff. So you can say things like “Windows shares your data with Microsoft”, because there’s only 1-2 current versions of Windows at a time.

    Since Linux is so open, there are thousands of different distributions created by thousands of different companies or even hobbyists doing that on their own time. And since it’s so open, it can be configured any which way.

    For example, ChromeOS and Android are two Linux distributions created by Google, and both of them collect and share your data like crazy.

    Some of the more classical Linux distributions (like e.g. Ubuntu) also ask you if you want to share data with them, but most of them allow you to decline and many of them really don’t share data at all (unless you run programs that do share data again).

    So what you can say about data protection in regards to Linux is:

    • It’s not Windows/Microsoft, which shares a lot
    • Depending on the distro, it can share just as much as Windows, or nothing at all, or a configurable amount
    • There are Linux distros that are very privacy focussed and share little to no data

    But no, using any Linux doesn’t necessarily mean your data is protected in any special way.



  • There’s pretty much three core OSes out there:

    • Windows
    • Linux
    • BSD

    Almost everything else is just a variation of these.

    Android, ChromeOS, PS3 OS, tons of embedded systems like car entertainment systems, and of course all the traditional Linux distros like Ubuntu, Mint, PopOS, Fedora, and so on are Linux.

    MacOS, iOS, Switch OS, pfSense and tons of embedded systems like routers, and of course all the traditional BSD distros like FreeBSD, NetBSD or OpenBSD and so on are BSD based. (Though Switch OS, to be fair, is mostly its own thing, only borrowing significant portions from BSD.)


  • Per se, it’s actually not. There are thousands and thousands of hobby-level kernels floating around. Many university courses actually include making your own simple kernel.

    The big issue is that the kernel is the core of the whole ecosystem. Everything builds upon it. So if you build a new kernel, you pretty much need to rebuild everything built on top of it.

    As a bad comparison, imagine you came up with a genius new shape for a car fuel hose nozzle. You know, the thing you plug into your car to refuel it. Designing a new nozzle is easy. Getting it made isn’t much harder either. Retrofitting billions of cars to work with that new shape is an almost impossible amount of work. So while making a new nozzle is no problem at all, actually implementing it is almost impossible.

    The same holds true for the kernel. Making “a kernel” isn’t a big issue. Getting it to work with all PCs with all their diverse hardware and software is close to impossible.

    The Linux kernel and the drivers running in it easily have billions of work hours invested into it, and still it doesn’t work perfectly with every piece of hardware you might have in your PC.