
I don’t often do much with image editing, so GIMP has been perfectly adequate for me for decades. I’ve never rented a copy of Photoshop and don’t care about it.

I’ve noticed small but consistent improvements over the years. People who complain about the UX should just go use Photoshop. It’s fine. Layers work well, retouching and filters are easy. I don’t really understand the complaints.

I’m very glad GIMP exists, and I hope it continues to make FOSS haters cope and seethe for the next 50 years. Keep whining about the name please!


It follows that the next generation will be infantry parents. (Likely literally.)

This is exactly it, it’s death by a thousand stupid cuts by throwing everything at the wall and hoping that something sticks. They know that many of these laws won’t pass constitutional scrutiny, but by the time they make their way to the Supreme Court, the damage will be done and 10 new stupid laws will take their place. The anti-gun lobby has been doing the exact same thing for years.

> Apt… yes is an App Store run by an operating system organization (Debian org). That feels pretty unsurprising. Debian’s parent organization (headquartered in the US) probably needs to comply with this.

And that right there is exactly the fucking problem. A zero profit collective “store” that publishes zero profit hobbyist “apps” is now going to have to invest in some kind of harebrained compliance scheme that will only grow from here.

In a couple of years is my “app” in Debian’s store going to require some goddamn TPS report and certification to tell California that everything is above board? It’s incredibly likely! By itself this law does nothing but lay the groundwork for regulation of “apps”, which by itself might be acceptable, but including FOSS distribution channels and hobby apps in the scope of this law is nothing short of evil. It’s laying the groundwork for a frontal assault on FOSS, and if you don’t see that then I don’t know what to tell you.

My guess is that Linux wasn’t extensively considered in the writing of this law, but when the next stage comes along and people start complaining, legislators will shrug and say “oh well, they need to comply”—and lobbyists for the big 3 proprietary software firms will back that position up. This is setting up a killshot for consumer Linux.


It’s the camel's nose into the tent of regulating how an OS should behave. This is anathema for FOSS operating systems. It will cause complete madness if different jurisdictions start regulating operating systems in their own way and could honestly kill FOSS OSes.

IMO it's more likely to lead to a renaissance in FOSS OS use. Not requiring a legal entity and being geographically diffuse makes them immune to this kind of pressure in a way that Apple and Microsoft are not.

Is it though? If you set up a PC for a 12-year-old and it prompts you with something like [12~16] and that's reported to whatever, what exactly is the fear? You can scream slippery slope but these laws are just going to boil down to technical capability because enforcement isn't realistic.

There are real harms by large businesses such as Meta. Should we pretend those harms don't exist?


It is a slippery slope, and enforcement can quickly go from unrealistic to mandatory as we’re seeing in the UK.

> There are real harms by large businesses such as Meta. Should we pretend those harms don't exist?

Frankly I don’t care. Hands off my operating system. I will set up a guerilla sneakernet before I comply with something like this. Find another way to deal with it.


The fear is that being below 18 doesn't mean you have no right to privacy. It's not implementation that's the problem. The whole idea is stupid.

> Also, where does anything in the CA bill mandate age verification? It's saying the OS needs to prompt for age bracket info and allow the third party apps to query that. That is far different from verification.

Regardless of the technical details of the law(s), the devs are sensibly refusing to prompt for age on a fricking calculator.

Hopefully Linux distros get on board with this and announce non-CA/CO compliance as policy.


Ultimately, it does not matter. This legal notice is just theater, as anyone from CA or CO can still download, build and use the program. Linux distributions will just do the same.

Certainly. However, the developer seems to want to avoid the $2,500 per violation by any child who accesses the calculator, and might see a dick pic... because that calculator firmware does indeed allow for image viewing, and application development. It's more powerful than your PC back in the late 1990s.

> It's more powerful than your PC back in the late 1990s.

Sounds like a fun thought, but almost certainly untrue: https://www.swissmicros.com/product/dm42

All new PCs sold in the late 1990s handily beat these specifications. On CPU, storage, RAM, and display. The DM42 firmly remains an embedded system that's just enough for the calculator software and not much more.

If you want to take it back to the early 1980s, you start reaching the claim being true.


Or, heaven forbid, 8008135. Can't allow that!

I had a program on my overclocked TI-83 in 1998 that displayed a single pseudo-greyscale dithered photograph of a topless Pamela Anderson, which has left me hopelessly psychologically scarred. Ban this filth

True. I can see 58008 on mine....

You might say the bills themselves are theater. Respond to theater with theater.

Well, no, that's not how laws like this work. Of course people in these states can just install the software, and it is very likely nothing more will come from that unless some politico in one of these states decides she has a beef against the company, group or person which distributes the software. When that happens she'll have this law at hand to whack them with, because they knowingly violated state law so they need to be dealt with, won't anyone think of the children?

I'd also put a notice in the usage terms that the offices of the politicians who voted for this law are not allowed to use the software, as a historical wall of shame.

For Linux it will be way more problematic because:

- A lot of corporate contributions come from SV.

- Linux Foundation is incorporated in CA.

- Linus himself is a CA resident AFAIR.

So there is zero chance of claiming no jurisdiction. The only hope is whoever is enforcing this batshit wouldn't go after what is essentially not an OS for the purpose of the bill, but rather an internal component (it would be like going after a vendor of bolts and nuts for noncompliance of a toaster).


It's more likely to be an issue for distributions like Debian, Ubuntu, Red Hat, etc.

Although, if I'm understanding this correctly, I think all they would have to do to comply is have something during installation that asks for the age category, and write a file that is world readable, but only writable by root that contains that category that applications can read.
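One way to implement the file-based scheme sketched above, added here as an example and not anything a distribution actually ships: the path /etc/age-category and the bracket strings are assumptions, and the reader-side checks (regular file, root-owned, not group/world-writable) are the part an application would need before trusting the value.

```python
import os
import stat
import tempfile

# Assumed path and bracket values; the comment proposes the mechanism but names neither.
AGE_FILE = "/etc/age-category"
ALLOWED_BRACKETS = {"under-13", "13-15", "16-17", "18-plus"}


def write_age_category(path: str, bracket: str) -> None:
    """Installer side: write the bracket as a world-readable, root-writable (0644) file."""
    if bracket not in ALLOWED_BRACKETS:
        raise ValueError(f"unknown age bracket: {bracket!r}")
    # Create with an explicit mode so the process umask cannot widen it,
    # then chmod in case the file already existed with looser bits.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(bracket + "\n")
    os.chmod(path, 0o644)


def file_is_trustworthy(st: os.stat_result, trusted_uid: int = 0) -> bool:
    """Only believe the file if it is a regular file owned by the trusted uid
    (root by default) and not writable by group or others."""
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != trusted_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def read_age_category(path: str = AGE_FILE, trusted_uid: int = 0) -> str:
    """Application side: read and validate the bracket, refusing untrusted files."""
    st = os.lstat(path)  # lstat so a symlink planted by an unprivileged user is rejected
    if not file_is_trustworthy(st, trusted_uid):
        raise PermissionError(f"{path} is not a trusted, non-world-writable regular file")
    with open(path) as f:
        value = f.read().strip()
    if value not in ALLOWED_BRACKETS:
        raise ValueError(f"{path} contains an unknown bracket: {value!r}")
    return value


def demo() -> dict:
    """Exercise both sides in a temp dir as the current user (so trusted_uid is our own uid)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "age-category")
        me = os.getuid()
        write_age_category(path, "13-15")
        results["mode"] = stat.S_IMODE(os.stat(path).st_mode)
        results["read_ok"] = read_age_category(path, trusted_uid=me)
        # Simulate a loosened file: now anyone could rewrite the bracket, so refuse it.
        os.chmod(path, 0o666)
        try:
            read_age_category(path, trusted_uid=me)
            results["loose_rejected"] = False
        except PermissionError:
            results["loose_rejected"] = True
    return results
```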


That is already way too much as far as I'm concerned. It's not that it's difficult, it's that it's arbitrary and a form of commanded speech or action. Smallness and easiness aren't an excuse.

If you write a story, there must be a character in it somewhere that reminds kids not to smoke. That's all. It's very easy.


I actually don't mind mandating the market take reasonable actions. The EU mandating USB C was an excellent move that materially improved things.

However I think mandated actions should to the greatest extent possible be minimal, privacy preserving, and have an unambiguous goal that is clearly accomplished. This legislation fails in that regard because it mandates sharing personal information with third parties where it could have instead mandated queries that are strictly local to the device.


Under no circumstances should we be “mandating” how hobbyists write their software. If you want to scope this to commercial OSes, be my guest. That’s not what was done here.

I'm not sure where the line between "hobby" and "professional" lies when it comes to linux distributions. Many of them are nonprofit but not really hobbyist at this point. Debian sure feels like a professional product to me (I daily drive it).

We regulate how a hobbyist constructs and uses a radio. We regulate how a hobbyist constructs a shed in his yard or makes modifications to the electrical wiring in his house.

I think mandating the implementation of strictly device local filtering based on a standardized HTTP header (or in the case of apps an attached metadata field) would be reasonably non-invasive and of benefit to society (similar to mandating USB C).


> I'm not sure where the line between "hobby" and "professional" lies when it comes to linux distributions. Many of them are nonprofit but not really hobbyist at this point. Debian sure feels like a professional product to me (I daily drive it).

"Professional" means you're being paid for the work. Debian is free (gratis), contributors are volunteers, and that makes it not professional.


What about Ubuntu? It's a combination of work by volunteers and paid employees, it is distributed by a commercial company, and said company sells support contracts, but the OS itself is free.

And there are developers who are paid to work on various components of linux from the kernel, to Gnome, does that make it professional?

Is Android not professional, because you don't pay for the OS itself, and it is primarily supported by ad revenue?


I would argue they're not, because they're not fully under the responsibility of a commercial entity, because they're open source. Companies can volunteer employees to the project, even a project they started themselves, but the companies and employees can come and go. Open source projects exist independently as public goods. Ultimately, it just takes anyone in the world to fork a project to exclude everybody else from its development.

Mint started off as Ubuntu. Same project, with none of the support contracts, no involvement from Canonical needed at the end of the day, etc.

On a practical level, it doesn't make sense to put thousands of dollars per user in liabilities to non-compensated volunteers whatever the case may be with regards to the employment of other contributors.


At some point it seems to devolve from a meaningful discussion about how things should be done into a semantic argument (which are almost always pointless).

> it doesn't make sense to put thousands of dollars per user in liabilities to non-compensated volunteers

I agree when it comes to individuals. But it probably does make sense to hold formally recognized groups (such as nonprofits) accountable to various consumer laws. I find the idea odd that Windows, RHEL, Ubuntu, and Debian should all be regulated differently within a single jurisdiction given that they seem to me largely equivalent in purpose.


You've confused and confabulated like 11 different things there. None of what you said has anything to do with either what I said or what the law says.

The way this currently exists is basically unenforceable because the critical terms are not even defined. It's not even ultimately intelligible, which is a prerequisite to enforcing, or even being able to tell where it does and does not apply, and whether some covered entity is or is not in compliance.


> You've confused and confabulated like 11 different things there.

Feel free to elaborate. As it stands that's nothing more than name calling.

I wasn't speaking to the current CA or CO proposed implementations (which I don't support as it happens). I responded specifically to your statement:

> It's not that it's difficult, it's that it's arbitrary and a form of commanded speech or action.

My response being that I think it's acceptable for the regulator to require action under certain limited circumstances.


And then another state will pass a law mandating scanning of all local images, and another state will want automated scanning of text, and a different country will want a backdoor for law enforcement. We have to stop this here and now.

I believe Linus lives in Oregon.

"Linux" is just the source code to the kernel, pure free speech, and it can't run by itself in order to ask anybody anything. Underage programmers will benefit from the education of reading it.

Exactly. More bluntly, the Linux kernel isn't an operating system.

I think Linus Torvalds lives in Oregon.



Stop spreading disinformation. Linus and others did most of the work in the kernel. GNU project on the kernel side was architecture astronaut vaporware aka "Hurd". They were much more successful in userland (coreutils, gcc and the toolchain, gdb, Emacs, to name a few).

I meant the userland specifically. By calling what is fundamentally a GNU system running on a different kernel just "linux", it makes people think Linus and his crew made all of the userland, in part because saying a college student made "an entire operating system" is far more profitable for news agencies than acknowledging his important but overall relatively small role in what they call "linux".

Because the kernel is the irreplaceable piece. None of what GNU did is: there are numerous implementations of coreutils and shells and at least one non-GNU production-quality compiler toolchain (clang-llvm), a few alternative libcs. And many distributions do actively use the non-GNU parts. But none of this is useful without the kernel that is compatible with computers people have. And the only usable kernel we have is Linux (while BSDs are out there too, they take a much different tightly-integrated approach to userspace).

To add to this: I can appreciate the significance of GNU, especially in early Linux distributions, but the position of "GNU was the real OS, Linux was just the kernel" is also deceptive, IMO.

Sure, a lot of the userspace was GNU, but a lot of it ... wasn't. Things like PAM, the init system, and the network config tools, off the top of my head. A lot of system-specific tools come from "not-GNU", too.

You can't discount how much of early Linux was "GNU", and how big a deal GCC and GNU libc (and the rest!) were, but it's disingenuous in my opinion to call GNU an "operating system" that you just plugged Linux, the kernel, into. Even today, as far as I can tell, there is still not a true GNU system. Guix comes close, in terms of being "GNU-ish", but the most usable Hurd distro (AFAIK!) is Debian, where, again, a lot of components come from Debian, rather than GNU.

And, as you say, modern systems have drifted even further from being GNU. They have lots of GNU components, but so did, say, the Sprite OS, or a lot of 4.4BSD derivatives.


“A computer can never be held accountable, therefore a computer must never make a management decision.”

Tldr since I’m sure many won’t read it:

- The real, fundamental economy has been propped up by shale oil

- Shale is running out, energy needs are increasing rapidly

- Debt is coming due

- Tariffs are an effort to manage the debt situation by creating a Eurodollar vacuum

- Politicians and the public don’t really understand this, so the whole thing is going to end up framed as a geopolitical conflict rather than a debt crisis

- The framing is dangerous and may create a real kinetic conflict due to misunderstandings at home and abroad

As a systems thinker I suspect this is closer to reality than the usual narratives. Historically, most large scale conflicts reduce to resource conflicts, even if they have political or ideological involvement.


Many businesses and universities, and likely some government offices, rely on client isolation for segmenting their networks. It’s a big deal.

It's not a big deal because the Ars Technica summarisation is wrong. You can (and enterprise controllers do in fact) tie IPs and MACs to association IDs (an 8-bit number per client+BSS) and thus prevent this kind of spoofing. I haven't had time to read the paper yet to check what it says on this.

Also client isolation is not considered "needed" in home/SOHO networks because this kind of attack is kinda assumed out of scope; no attempt is even made to address it. "If you give people access to your wifi, they can fuck with your wifi devices." This should probably be communicated more clearly, but any claims on this attack re. home networks are junk.


This is mostly accurate; to clarify, the association IDs tie into what VLANs will be assigned, and that does block all of the injection/MITM attacks. This also assumes that the VLAN segments are truly isolated from one another, as in they do not route traffic between each other by default, including for broadcast and multicast traffic.

However client isolation should be a tool people have at their disposal. Consider the need for people to buy cloud IOT devices and throw them on a guest network (https://arstechnica.com/security/2024/09/massive-china-state...). It's also about keeping web-browsers away from these devices during regular use, because there are paths for malicious web pages to break into IOT devices.
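To make the mitigation the two comments above describe concrete, here is an added example (not from the paper, the Ars article, or any vendor controller) of an AP-side table that pins each association ID to one MAC and one DHCP-learned IP and drops uplink frames whose claimed addresses disagree with the link they arrived on; Frame, AssociationTable and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """One uplink frame as the AP sees it (constructed sample data, not a real capture)."""
    aid: int               # association ID the AP assigned to the radio link this frame arrived on
    src_mac: str           # source MAC claimed in the 802.11 header
    src_ip: Optional[str]  # source IP claimed in the IP header, if any


class AssociationTable:
    """Binds each association ID to exactly one MAC and (once learned) one IP, so a
    client cannot impersonate a peer on the same BSS by forging addresses."""

    def __init__(self) -> None:
        self.mac_by_aid = {}  # aid -> mac pinned at association time
        self.ip_by_aid = {}   # aid -> ip pinned by DHCP snooping
        self.aid_by_mac = {}
        self.aid_by_ip = {}

    def associate(self, aid: int, mac: str) -> None:
        """Called when the AP completes association: the MAC is pinned to this AID."""
        if mac in self.aid_by_mac and self.aid_by_mac[mac] != aid:
            raise ValueError(f"{mac} already associated as AID {self.aid_by_mac[mac]}")
        self.mac_by_aid[aid] = mac
        self.aid_by_mac[mac] = aid

    def learn_ip(self, aid: int, ip: str) -> None:
        """Called from DHCP snooping: pin the leased IP to the AID that requested it."""
        if aid not in self.mac_by_aid:
            raise ValueError(f"AID {aid} is not associated")
        if ip in self.aid_by_ip and self.aid_by_ip[ip] != aid:
            raise ValueError(f"{ip} already bound to AID {self.aid_by_ip[ip]}")
        self.ip_by_aid[aid] = ip
        self.aid_by_ip[ip] = aid

    def check(self, frame: Frame) -> Tuple[bool, str]:
        """Return (forward?, reason) for an uplink frame."""
        bound_mac = self.mac_by_aid.get(frame.aid)
        if bound_mac is None:
            return False, "unknown association ID"
        if frame.src_mac != bound_mac:
            # A peer's MAC (or any other MAC) presented over a link it was not associated on.
            return False, f"MAC {frame.src_mac} is not bound to AID {frame.aid}"
        if frame.src_ip is not None:
            owner = self.aid_by_ip.get(frame.src_ip)
            if owner is None:
                return False, f"IP {frame.src_ip} has no DHCP binding"
            if owner != frame.aid:
                return False, f"IP {frame.src_ip} belongs to AID {owner}"
        return True, "ok"


def build_sample_table() -> AssociationTable:
    """Two clients on one BSS; constructed values for the demonstration."""
    table = AssociationTable()
    table.associate(1, "aa:aa:aa:aa:aa:01")
    table.associate(2, "bb:bb:bb:bb:bb:02")
    table.learn_ip(1, "10.0.0.11")
    table.learn_ip(2, "10.0.0.12")
    return table
```

The check is only as good as the pinning: if IPs are learned from arbitrary traffic rather than from DHCP snooping, a client can still claim a peer's address before the peer does.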


What exactly a VLAN is (or rather, properly: broadcast domain) gets kinda fuzzy in enterprise controller based wifi setups… and client isolation isn't really different from what some switches sell as "Private VLAN" (but terminology is extremely ambiguous and overloaded in this area, that term can mean entirely different things across vendors or even products lines).

What exact security guarantees you get really depends on the sum total of the setup, especially if the wireless controller isn't also the IP router, or you do local exit (as opposed to haul-all-to-controller).


Yep, unfortunately fuzzy. For enterprise wifi deployments, one amusing thing to do when configuring 802.1X is to test ARP spoofing the upstream radius server after associating, and self-authenticate.

It might be interesting to go and apply some of the sneaky packet injection mechanisms in this paper actually to try to bypass ARP spoofing defenses.


What can you even do on the local network these days? Most everything is encrypted before it leaves the device. I guess you could cast stuff to the TV.

Probably more of a problem if combined with other exploitable issues in other devices. Like if your TV doesn't properly check signatures on its firmware upgrades…

You are definitely correct that it is potentially a big deal because it breaks expectations around network segmentation and isolation.

However, most people will read "breaks wi-fi encryption" and assume that it means that someone can launch this attack while wardriving, which they can't.


> assume that it means that someone can launch this attack while wardriving, which they can't.

As a former wardriver (¡WEPlol!), it only makes this more difficult. In my US city every home/business has a fiber/copper switch, usually outside. A screwdriver and you're in.

Granted, this now becomes a physical attack (only for initial access) — but still viable.

----

>the next step is to put [AirSnitch] into historical context and assess how big a threat it poses in the real world. In some respects, it resembles the 2007 PTW attack ... that completely and immediately broke WEP, leaving Wi-Fi users everywhere with no means to protect themselves against nearby adversaries. For now, client isolation is similarly defeated—almost completely and overnight—with no immediate remedy available.

----

I think the article's main point is that so many places have similarly-such-unsecured plug-in points. Perhaps even a user was authorized for one WiFi network segment, and is already "in" — bless this digital mess!


You have a modem that you can attach to those switches? They’re completely unauthenticated?

Both, yes. Physical hardware isolation.

----

As a funny personal anecdote, my brother is a state judge. His most personal thoughts & correspondences are crafted upon typewriters (mine as well). He isn't officially allowed to just use any phone/computer/network. He is a "high value target" [0].

My personal attorney still doesn't use "the cloud" for client documents (which is respectable) — has local servers, mostly offline. No typewriter, though =P

----

I'm just an electrician.

[0] Does it bother anybody else that Pam Bondi has reports specifically of which documents each congressman reviewed (photographed by AP, during recent testimony)?


Meh. The computers that:

- must not be accessible because their services don't use authentication/encryption

- and share a wifi with potential attackers

is just not that large.

They exist, but the vast majority runs in places that don't care about security all that much.

This should be a signal to fix the two things I mention, not to improve their wifi/firewall security.


In addition to equvinox (hey again): in enterprise networks you should rely on 802.1x, or, what's also a valid use case, the use of IPsec to ensure the local client connection is "safe".

Some 802.1x methods have inherent MITM attacks that have been called out since 2004 and never got the v2 (https://www.rfc-editor.org/rfc/rfc6677.html). EAP-TLS, however, is the best practice here + VLANs.

What do you think about just using open networks plus IPsec/wireguard?

Anyone who relies on client isolation was just waiting to get pwned anyway.

This is effectively victim blaming. Most of us are just users. Even corporate users (relying upon other contractors' default configurations).

Is it grandma's fault that her ISP-issued router came with vulnerabilities exposing mammy's entire digital life?

On a massive scale, this is a huge security disclosure at the hardware level.

—justbee


Once again I feel justified in hard wiring all connections. I do have a wireless network for a couple of portable devices, but everything else has a plug and a VLAN.

It’s very difficult to have too much network security.


Counterpoint: it is trivial to have too much network security - don’t provide power. It is difficult to have just enough network security.
