Dusty 
@ChlorideCull@fuzzy.systems
Admin
25, ace/aro(?), some form of enby, autism and add, I work as a software developer, ancom
on all levels except physical, i'm drgn
plural system copiloted by Dusty and Klor, you can find him at @Klor
random gifts are OK (as long as it's not sexually explicit) and will make me very flustered
admin of fuzzy.systems, chairperson of fuzzy systems
will generally approve all follow requests as long as your account has *anything* in it
backup: @ChlorideCull
Joined Oct 2020
for the first time ever i've had ffmpeg fuck up creating a flac, so I had to get the official flac tools
Dusty
boosted
boosted
putting a pronoun picker in your game is not only the right thing to do it makes the worst people in humanity have huge meltdowns basically for free so i can only say i recommend it highly
Dusty
boosted
boosted
this is a slow game with deliberately clunky controls, and playing with the controller helps with that. It gets way too easy on PC.
let me tell you, the original wii u version of zombi is so good, it uses the fact that you need to take your eyes off the game to look at the gamepad to great effect - inventory management makes you look away from the game, letting your guard down, a zombie could sneak up on you, and there's also your map and radar on there
Dusty
boosted
boosted
It's like the opposite of the "when all you have is a hammer, everything looks like a nail" problem.
We've invented a few hammers that are just too good at doing everything, so we no longer need screwdrivers or drills or table saws.
So the toolbox got smaller and more boring. It's mostly just the same few tools over and over again.
hey look i published some analysis of an adware downloader from 2018 that's part of a network that's still active today - and the domain names are very funny https://chcl.se/2023/08/30/girlsmist.html
i really need to start publishing my malware analysis on my site or something, it's hard to convince people that I can be trusted with access to tools without any proof that I would use it for intended purposes...
Dusty
boosted
boosted
Here is a hopefully-useful notice about Linux kernel security issues, as it seems like this knowledge isn't distributed very widely based on the number of emails I get on a weekly basis:
- The kernel security team does not have any "early notice"
announcement list for security fixes for anyone, as that would only
make things more insecure for everyone.
- The kernel community does not assign CVEs, nor do we deal with them
at all. This is documented in the kernel's security policy, yet we
still have a number of people asking for CVE numbers even after
reading that policy. See my longer "CVEs are dead..." talk for full
details about how the CVE process is broken for projects like Linux:
https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
- You HAVE to take all of the stable/LTS releases in order to have a
secure and stable system. If you attempt to cherry-pick random
patches you will NOT fix all of the known, and unknown, problems,
but rather you will end up with a potentially more insecure system,
and one that contains known bugs. Reliance on an "enterprise"
distribution to provide this for your systems is up to you, discuss
it with them as to how they achieve this result as this is what you
are paying for. If you aren't paying for it, just use Debian, they
know what they are doing and track the stable kernels and have a
larger installed base than any other Linux distro. For embedded,
use Yocto, they track the stable releases, or keep your own
buildroot-based system up to date with the new releases.
- Test all stable/LTS releases on your workload and hardware before
putting the kernel into "production" as everyone runs a different %
of the kernel source code from everyone else (servers run about
1.5mil lines of code, embedded runs about 3.5mil lines of code, your
mileage will vary). If you can't test releases before moving them
into production, you might want to solve that problem first.
- A fix for a known bug is better than the potential of a fix causing a
future problem as future problems, when found, will be fixed then.
I think I need to give another talk about this issue to go into the above in more detail. So much for me giving a technical talk at Kernel Recipes this year...
- The kernel security team does not have any "early notice"
announcement list for security fixes for anyone, as that would only
make things more insecure for everyone.
- The kernel community does not assign CVEs, nor do we deal with them
at all. This is documented in the kernel's security policy, yet we
still have a number of people asking for CVE numbers even after
reading that policy. See my longer "CVEs are dead..." talk for full
details about how the CVE process is broken for projects like Linux:
https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
- You HAVE to take all of the stable/LTS releases in order to have a
secure and stable system. If you attempt to cherry-pick random
patches you will NOT fix all of the known, and unknown, problems,
but rather you will end up with a potentially more insecure system,
and one that contains known bugs. Reliance on an "enterprise"
distribution to provide this for your systems is up to you, discuss
it with them as to how they achieve this result as this is what you
are paying for. If you aren't paying for it, just use Debian, they
know what they are doing and track the stable kernels and have a
larger installed base than any other Linux distro. For embedded,
use Yocto, they track the stable releases, or keep your own
buildroot-based system up to date with the new releases.
- Test all stable/LTS releases on your workload and hardware before
putting the kernel into "production" as everyone runs a different %
of the kernel source code from everyone else (servers run about
1.5mil lines of code, embedded runs about 3.5mil lines of code, your
mileage will vary). If you can't test releases before moving them
into production, you might want to solve that problem first.
- A fix for a known bug is better than the potential of a fix causing a
future problem as future problems, when found, will be fixed then.
I think I need to give another talk about this issue to go into the above in more detail. So much for me giving a technical talk at Kernel Recipes this year...
🌹
Dusty
boosted
boosted
the hacker news people are NOT HAPPY that the demo video for my ffmpeg project is Richard Spencer getting punched in the face.
https://news.ycombinator.com/item?id=37269425
Richard Spencer getting punched in the face is the new Lenna!
Dusty
boosted
boosted
I am stepping back from the #Tusky project with immediate effect.
I discovered severe lapses in how the Tusky project's donations (received via #OpenCollective) were being handled. When I reported those to the project's private "Tusky Contributors" Matrix channel the financial admins tone policed the feedback, refused to engage with the concerns I and others raised, and demanded the discussion be stopped.
There is too much detail for a thread, so please read https://write.as/nikclayton/stepping-back-from-the-tusky-project.
Dusty
boosted
boosted
Hot take: packaging open source software is actual work (and is sometimes what we demurely call 'non-trivial' in this field). I say this as a sysadmin who has sometimes had to deal with the results of not packaging software and then not keeping up with the state of the software we didn't package but installed anyway.
(Sure, sometimes you get lucky and the packaging instructions are easy to write (Debian rules, RPM specfiles, whatever Arch uses, etc). And sometimes they aren't.)
Dusty
boosted
boosted
"CVE-2020-19909 is everything that is wrong with CVEs"
A claimed "9.8 CRITICAL" flaw in #curl that does not exist.
https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/
Dusty
boosted
boosted
This is nice to see..
A student can't afford to pay the $8 per month for #Obsidian sync, so builds a #FOSS alternative. Then posts to HN and says "I probably violate ToS, so will take down the repo if asked".
Then the Obsidian CEO replies. Explains they aren't VC-funded and the $8 bucks subscription keeps the light on. Applauds the work of the student, points to other open ways that content sync can be handled and gives advice "if you rename, there's no ToS problem". 👍
Dusty
boosted
boosted
fatfur
Commissioned this from SYLKYS0F7 on twitter and gosh I just love being a big fat kitty 🐱💜✨
Dusty
boosted
boosted
This is possibly the dumbest thing that has ever been on the main page of English Wikipedia but it makes me laugh every time I remember it (from April Fools Day 2005) https://en.wikipedia.org/wiki/Wikipedia:April_Fools%27_Main_Page/2005
Dusty
boosted
boosted
i submitted a false positive to microsoft and they just classified it as a different virus 💀
Admin
25, ace/aro(?), some form of enby, autism and add, I work as a software developer, ancom
on all levels except physical, i'm drgn
plural system copiloted by Dusty and Klor, you can find him at @Klor
random gifts are OK (as long as it's not sexually explicit) and will make me very flustered
admin of fuzzy.systems, chairperson of fuzzy systems
will generally approve all follow requests as long as your account has *anything* in it
backup: @ChlorideCull
Joined Oct 2020
