This should be the mentality of every company doing open source.Great points made.
Which is why ~all companies switches to offering software as a service, so this mindset doesn't apply :).
Yesterday I threw some ghidra output into an LLM with very little context and got what seemed to be a reasonable run down of the original back. We're probably knocking on the door of being able to throw a binary into an LLM and getting the original program back unless there is active obfuscation done.
It is a very exciting time for anyone who likes playing old, abandoned and buggy games :').
With that combination no wonder most successful companies are closed source.
That sure sounds like bad faith to me.
This bit stands out to me:
> You can’t take five years of community contributions, close the gate, and claim you’re grateful. I don’t think it works that way.
I think it's safe to say that Sam is not impressed with the the Cal.com decision and the way they framed it.
Answering a yes/no question with a "we're doing everything we can to ensure a smooth experience for our customers" is spindoctoring 101.
Unless you're also asking politicians to all become 100% dogmatic, I don't think that's a realistic suggestion.
Being normal practice does not make something right.
https://dictionary.cambridge.org/dictionary/english/bad-fait...
> I just think the security argument is a convenient frame for decisions that are actually about something else.
That would mean they think it’s bad faith. Claiming to do something because of A but to really do it because of B is dishonest
No one said this.
I thought your point was intent. Most people would not say to hide Jews from Nazis was bad faith I think.
That would be perfectly bad faith to the Nazis. There's no such factor as moral good or bad here; bad faith has more to do the intent you have towards each party. If the intent is to explicitly trick someone towards something you want or away from something you don't want, that is usually in bad faith. (There are some exceptions.) If the intent is just to explain something in a way others will understand, even if your explanation turns out to be (knowingly) inaccurate, that can sometimes be in good faith, though I wouldn't call it good practice.
And the intent here is to intentionally mislead, so how is that not bad faith?
1. A is lying to B, and they know that B doesn't know the truth. The intent is to make them believe the lie, which is intentionally misleading them and bad faith
2. A is lying to B, and they aren't sure if B knows it's a lie. The intent is to make them believe the lie, which is intentionally misleading them and bad faith
3. A is lying to B, and they know for sure B knows it's a lie. The intent is either to provoke an emotional reaction from either B or someone observing (which is bad faith), or performative for others who will see the lie and might fall into categories 1 or 2, which is bad faith
I don't understand how anyone could plausibly argue that lying to someone intentionally isn't bad faith. Maybe I'm the one falling for category three here
For example, if I lie to protect both myself and all other parties involved, that sometimes can be in good faith! It can be bad faith if I know that it hurts them and also know a less hurtful alternative, but if I really believe the less immediately hurtful alternative will lead to a worse overall outcome then I can still be acting in good faith. It's really a lot more nuanced than "deception bad". I have to deceive myself all the time to achieve good outcomes! now I wouldn't say my treatment of myself is good faith but I try sometimes.
Well - people can continue the GPLv2 fork anyway. So ultimately what Cal.com would do here does not matter; that's the beauty of GPL in general. It is a strict licence. I think GPLv2 was the better decision for the Linux kernel than, say, BSD/MIT.
> That code is exposed to constant scrutiny from attackers, defenders, researchers, cloud vendors, and maintainers across the globe. It is attacked relentlessly, but it is also hardened relentlessly.
It is clear that there is a business decision with regards to Cal.com jumping away from discourse, but the claim that open source is automatically better than closed source, when it comes to security, is also strange. Remember xz utils backdoor? Now, people noticed this eventually. Ok. How many placed trojans exist that people are unaware about? Perhaps there are more sophisticated backdoors. Perhaps AI is also used to help disguise them. I don't think that merely because something is open source, means it is automatically good or better with regards to security. Can you trust software? In California there are recent censorship bills to restrict 3D printing further, allegedly to curb on plastic guns (but in reality sponsored by lobbyists from the industry). Can a 3D printer print out a 3D printer that is not restricted? Is the state sniffing after people via laws not also a restriction? I guess it is possible to ensure a clean open hardware and open software system acting in tandem. But you kind of have to show that this is the case. See this old discussion about Trust, on reddit: https://old.reddit.com/r/programming/comments/1m4mwn/a_simpl...
The XZ attack is an extremely rare event coming likely from a state actor, which actually proves that FLOSS is a big target not easy to attack without huge effort. It was also caught not least thanks to the open nature of the repository. Also, AFAIK it wasn't even a change in the repo itself.
In short, using FLOSS is the way to ensure security. Whenever you touch proprietary staff, be careful and use compartmentalization.
I differ here. The reason why the corporations run Linux Foundation which pays Linus is cos of this license. Otherwise, they would take what they want and not interfere like they do with FreeBSD and OpenBSD. BSD/MIT leads to better compliance.
The only reason it stays this way is cos Linus owns the trademark. Wait until Linus steps down. Most likely a someone who aligns more with corporates will take charge and you'll see changes then.
If interested - https://www.unsungnovelty.org/posts/05/2023/open-source-proj...
Anyone who's launched anything on the web -- anything at all -- and looked at the logs will see all sorts of endpoints being requested for /wp-admin/ or random WordPress plugins, even if their site has never, and will never, run WordPress. Imagine this at scale, with every possible attack method imaginable, blindly hitting everything on the web. That's where I think we're headed, and closed source won't fix that.
Literally! If everyone can access the same system as Claude's Mythos, one solution is to have more people trying to identify your issue before the hackers have the chance to do it.
- refuses to even load on browser engines older than 2 years. for a webforum that's absolutely appaling. there's a barebones non-JS version. but it only loads for individual threads (not the forum homepage or anything else), so they must be linked to directly (e.g from a websearch engine)
- every single page navigation triggers the circle animation which blocks the view for up to 3 seconds. how is this not an obvious regression on webforum software that has existed for decades?
- various nonsensical functionality suggests an incoherent code base. like the input element for the searchbox disappearing if the browser window loses focus. if you switch tabs midway for whatever reason, you need to reopen the searchbox every time you get back. and you can't use an external editor to fill in the input. because as soon as you've focused the editor, the element that the editor hooked into no longer exists
- search results are crammed in a narrow responsive list with 5 entries. you need to press 'More' to see the rest of the results as yet another responsive list. you never know how many results there are in total. only that there are more than ones that loaded so far
- long threads are never rendered fully. only as incomplete chunks. so it doesn't work to set positional markers in the scroll buffer to jump back and forth. as soon as you scroll past the boundaries of the currently loaded chunk, the old content gets destroyed and replaced. it feels like having alzheimer's
- you can reply to any specific post in a thread and there will be a visual indicator about which post you replied to. except if you reply to the most recent post in a thread. so someones who reads a post has no way of knowing in advance whether it is being addressed to the post just above it, or to the thread as a whole
i hate discourse so much. i'll never understand why it got so much adoption by FOSS communities. it must be the virtue signalling
The original vB developers built Xenforo, which is still in the spirit of vB 3 but with some modern amenities like live updates and the like.
I also found Discourse to be... challenging to self-host.
Made a completely different experience. Every once in a while you have to run a command. Over the last 10-12 years there were I think 2 problems where this did not work out of the box.
I wish you folks could understand how clownish you sound.
Discord is bottomless sea of the same question being asked over and over and over, and the original question poster never seeing their replies. If there was not a notification when your own messages are replied, Discord would be 100% worthless.
Ooh, now I want to try convincing people to return from JS-heavy single-page apps to multi-page apps using normal HTML forms and minimal JS only to enhance what already works without it—in the name of security.
(C’mon, let a bloke dream.)
Of course for web apps (as distinct from web sites) most of what we do would be impossible without JavaScript. Infinite scrolling, maps (moving and zooming), field validation on entry, asynchronous page updates, web sockets, all require JavaScript.
Of course JavaScript is abused. But it's clearly safe and useful when used well.
https://developer.mozilla.org/en-US/docs/Learn_web_developme...
Not saying your broader point is incorrect, but useful to know.
See, that's where we went wrong. IMO the web is for web sites. Co-opting the browser for full applications has led to the significant degradement of modern software. If we must have a "write once, run anywhere" approach for modern development, can we at least use WASM bytecode and build a dedicated runtime that doesn't use the browser for GUI output?
Clearly though the world is using the web platform for writing applications. And I for one like the fact I can book a car, buy a secondhand book, or leave a restaurant review from a generic place that just works on all my devices.