I write English / Escribo en Español.

Vidya / videojuegos. Internet. Cats / Gatos. Pizza. Nap / Siesta.

This user’s posts under CC-BY-NC-SA license. Ask me if you need a different permission.

  • 2 Posts
  • 138 Comments
Joined 2 years ago
cake
Cake day: July 26th, 2023

help-circle






  • Regarding things like dockers and flatpaks, I mostly “solve” it by only running official images, or at least images from the same dev as the program, where possible.

    But also IMO there’s little to no reason to fear when using things like flatpaks. Most exploits one hears of nowadays are of the kind “your attacker needs to get a shell into your machine in the first place” or in some cases evn “your attacker needs to connect to an instance of a specific program you are running, with a specific config”, so if you apply any decent opsec that’s already a v high barrier of entry.

    And speaking of Debian, that does bring to mind the one beef I have with their packaging system: that when installing a package it starts the related services by default, without even giving you time to configure them.



  • I don’t.

    Yeah, hot take, but basically there’s no point to me having to keep track of all that stuff and excessively worry about the dangers of modernity and sacrifice the spare time I have on watching update counter go brrrr of all things, when there’s entire peoples and agencies in charge of it.

    I just run unattended-upgrades (on Debian), pin container image tags to only the major version number where available, run rebuild of containers twice a week, and go enjoy the data and media I built the containers and installed for software for.








  • Technically the only way you can vet, is by having root access to their servers and law officer level access to their documents.

    Failing that, I can think of four baseline conditions to venture that a given product “shouldn’t” enshittify, or that at least the utility of the project is recoverable (or forkable) if it does:

    Req 0: Copiability. The software actually provides a full offline (or local) service. There’s no way (that I know of!) to enshittify something that can live fully independently from its “mothership”.

    Req 1: “Letter and Spirit”. License has to be Free Software (not just “Open Source”) with all the liberties that come with it. (I assume in the future, an exception might be made to allow for New Ethical licenses that would be not FOSS as per the current definition)

    Req 2: Reproducibility. Someone else has to have verified that using the source release builds the whole product (at most excepting “assets” like logos). This is usually verified empirically by someone getting to run and maintain a competing instance.

    Req 3: No bite hand. The provider must have not used legal measures to exercise violence or restrictions against users of the product (be those consumers or devs). This includes eg.: using the DMCA to punish reviews, or punish implementation of req 2.

    If a combination of provider and product completes those four requirements, I feel relatively well assured that the product can’t reasonably enshittify, or at least that if it were to happen, there will be enough advance notice and devel momentum that the value of the product can be recovered from it.