i plan to package openrsync this weekend in alpine as an alternative to rsync (and probably switch the default rsync implementation in future)
-
@billchenchina @ariadne and avoid the latest security release with 6 CVE? 🤯
@fosdembsd
Better than a bunch of regressions.Breaking stuff in security updates is far worse, because users that are hurt by that usually stop applying all security updates.
-
i plan to package openrsync this weekend in alpine as an alternative to rsync (and probably switch the default rsync implementation in future)
@ariadne that could be a fun life stream
-
another sidebar: I haven't found a great less-capitalist alternative to "software supply chain" to describe components of software and their dependencies.
there is the commons, but that is a collection of all libre software. not the same thing.
@ariadne
"Dependency network" or something along those lines? -
@ariadne what exactly is capitalist about a supply chain?
@bri7 @ariadne recent common usage. the term implies a customer-vendor relation and it's used to browbeat open source volunteers into working as if they have a vendor-like obligation to corporations who will under no circumstances actually pay them
you could come up with a more cooperative version, but most of the people saying it are using it that way
i suggest the existing term "dependency tree", which does not suggest they have an actionable responsibility to you. or just the existing term "upstreams"
-
@ariadne i don't think "supply chain" is a particularly capitalist term, at the very least because the soviet union also had to deal with these (in fact, supply chains in the ussr were often built across constituent republics to boost interdependence)
-
@ariadne
"Dependency network" or something along those lines? -
@davidgerard @ariadne just to make it sure to folks who don't read me on the regular, i ain't a tankie, i think the soviet union was very flawed and fell into conservative thinking on a number of issues, and that's part of the reason why it failed and why we're in such a mess right now
but supply chains would probably continue to be a thing in any economy that isn't broken down to a "every town is entirely self-reliant" level
-
anyway: mad respect for tridge.
the man has done far more for software freedom than most of us have.
but he is still a person, and people can easily be convinced by these LLMs that things check out when they actually don't.
they use very persuasive language. if you depend on them, you will inevitably commit mistakes that you should have caught, because nobody does a perfect job. nobody.
@ariadne so many years of talking about swiss cheese security and defence in depth, and reading right over the part where the pr is supposed to be the SECOND review; the first review is 'as I am writing the code'.
Short circuiting that to 'the llm generated it, I reviewed it' is purposely discarding protections and nobody who buys into these things seems to care.
-
@davidgerard @ariadne just to make it sure to folks who don't read me on the regular, i ain't a tankie, i think the soviet union was very flawed and fell into conservative thinking on a number of issues, and that's part of the reason why it failed and why we're in such a mess right now
but supply chains would probably continue to be a thing in any economy that isn't broken down to a "every town is entirely self-reliant" level
-
@ariadne I feel like it’s import to distinguish vibe coding the odd one-time script or tool for personal use, and slopping out parts of essential, load-bearing infrastructure. The latter just has much higher stakes.
-
sidebar: given that there is interest in alternatives to GPL software that is now being vibecoded, and these alternatives largely tend to not be copyleft...
will vibe coding mean the death of copyleft?
The copyright implications of this are completely unknown. When someone vibe-codes Photoshop or Windows 11 and successfully defends that in court, *then* I'll believe it. For now, it's a legal minefield.
-
The copyright implications of this are completely unknown. When someone vibe-codes Photoshop or Windows 11 and successfully defends that in court, *then* I'll believe it. For now, it's a legal minefield.
Also: thanks for doing this. I'm relieved that *someone* is making sure there's a low-slop version of this vital tool available.
(Although I think we need a different prefix from "open" that implies slop-free open-source, but politely.)
-
Be aware that openrsync isn't a drop-in replacement for rsync. We ran into problems when Apple replaced rsync with openrsync in Sequouia. Scripts that had previously worked broke. We ended up installing the real rsync using homebrew because we couldn't get things to work with openrsync.
@catselbow @ariadne ditto. openrsync seems to have interoperability bugs, possibly at the protocol level? And does not implement all of rsync's options.
-
it's not relevant, or at least, the maintainer's choice to publicly document his decision to shoot himself in the foot regarding intellectual property rights is not relevant to distributions, because the overall package remains GPL regardless of the presence of uncopyrightable code.
@ariadne @tk @AmyZenunim Wouldn't it possibly be at least a headache if it contains plagiarized code from the unlicensed training data? I suppose it's not the distribution's job to find these cases until it is shown to them, after all that would be completely unrealistic to do at such a scale, but it doesn't seem entirely impossible to have ripple effects later.
However, I guess unless the kernel stops with LLM code that's the more likely impactful component regarding this: https://lore.kernel.org/lkml/e12330b9-c29e-45ca-9375-9e3d13426d85@horse64.org/T/
-
@whitequark @ariadne I feel like one reasons LLMs caught on in the tech sphere so well is that they are essentially psychological weapons in the way they’re optimized for persuasiveness, and they’ve been unleashed on a population of technically smart people who often don’t have the best social skills.
@jaseg@chaos.social @whitequark@treehouse.systems @ariadne@treehouse.systems That does make me wonder whether the fact that I'm an aspie is something that kind of inocculates me against them. My social skills are essentially entirely a conscious effort and LLMs are really terrible at "convincing" me on that level... Alternatively I may just be a grouch
-
what I will say is this. there are pieces of software that are frankly "mission critical".
for example, pkgconf, as a key component of most build toolchains, cannot have regressions because those regressions will reverberate throughout the entire "software supply chain" in the form of build errors. it is a mission critical piece of software.
this is why as lead maintainer of pkgconf I have implemented a number of policies and initiatives to reduce the likelihood of software errors and promote correctness in pkgconf as part of the pkgconf 3.0 work.
these initiatives include banning LLM contributions, requiring DCO signoffs on commits, refactoring the codebase to remove entire classes of vulnerability, improving the quality of the windows port so it is equivalent to its unix counterparts and reimplementing and expanding the test suite from scratch.
why? because every single thing I listed reduces the likelihood for regressions.
rsync, like pkgconf, is used at all times of the day, all around the world. I try to visualize the scope to which pkgconf is used and it is just not possible.
rsync is the same way: everyone is using it somehow, either to back up their data, or to mirror data from one machine to another. there are numerous utilities which make use of it somehow to provide functionality.
a regression in rsync is even less tolerable than a pkgconf regression: if you have errors in rsync, they can potentially cause data corruption or loss.
but rsync goes in basically the opposite direction from pkgconf: it embraces LLM contributions. it also has had several regressions since doing so.
@ariadne there are complaints about the LLM coding tools going up in price 3x-150x. Between that and the post IPO crash we might be able to ride this out
-
@whitequark @ariadne I feel like one reasons LLMs caught on in the tech sphere so well is that they are essentially psychological weapons in the way they’re optimized for persuasiveness, and they’ve been unleashed on a population of technically smart people who often don’t have the best social skills.
@jaseg @whitequark @ariadne That and it's another cycle in management belief that expensive quality can be replaced by cheap quantity. Unpaid interns, off shoring, horde of juniors, etc.
-
another sidebar: I haven't found a great less-capitalist alternative to "software supply chain" to describe components of software and their dependencies.
there is the commons, but that is a collection of all libre software. not the same thing.
@ariadne "dependency graph"?
-
@bri7 @ariadne recent common usage. the term implies a customer-vendor relation and it's used to browbeat open source volunteers into working as if they have a vendor-like obligation to corporations who will under no circumstances actually pay them
you could come up with a more cooperative version, but most of the people saying it are using it that way
i suggest the existing term "dependency tree", which does not suggest they have an actionable responsibility to you. or just the existing term "upstreams"
@davidgerard @bri7 @ariadne Old tarball install instructions commonly used "prerequisites", but there usually was no dependency tree (like if application X depended on a certain version of library P, you'd usually have to check P's INSTALL to find out you need some version of F to build it in the first place.)
To me, "upstream" usually designates a maintained source that you're deviating from for your own reasons, but that you'd still like to keep generally in sync with. That's something else than a dependency on a foreign component.
Anyways, "dependency tree" seems fine, and doesn't carry the connotation of a commercial relationship... (What happened to "the entire risk as to the quality and performance of the program is with you" anyways?)
-
another sidebar: I haven't found a great less-capitalist alternative to "software supply chain" to describe components of software and their dependencies.
there is the commons, but that is a collection of all libre software. not the same thing.
@ariadne
Less applicable to rsync, but "bootstrap chain".
