Hacker News: mcv's comments

It's definitely a sign that popular packages should be moved from AUR to the official repository. I've got some stuff from AUR simply because it's something I need and that's where it is, and I never really verify it's safe; I just trust it blindly. Clearly a bad idea. I guess I should learn to avoid AUR and, when I do use something from it, be more aware that it's an exception and I need to check it more thoroughly. That's something I normally only do for stuff that's neither from AUR nor the official repo.

How much work is created (and for who) when a package is moved to the official repository?

A package maintainer has to be interested and willing to support it. Sometimes packages get dropped from the official repositories into AUR when the maintainer loses interest, and no one else wants to pick up the slack.

It's still surprising someone was able to infect so many packages. But I admit I don't really know how AUR works. Can anyone with access simply update anything? Do packages not have owners who check contributions?

Packages in the AUR have some number of maintainers. When a maintainer no longer wants to maintain the package they can disown it, and when all maintainers do so the package becomes orphaned. An orphaned package can then be adopted by any user.

At any time there's a large number of orphaned packages in the AUR, and the attacker(s) targeted those.


Obviously way too easy to take over these 'orphaned' packages if it can be done in an automated manner. GitHub/NPM/etc don't have this issue; they need to stop equivocating. Sounds more like an anonymous FTP site.

This.

Who needs social engineering NPM maintainers when there are thousands of freebie AUR ones.


> But I admit I don't really know how AUR works

It's basically GitHub (in terms of "user-generated content") but tailored and specific to Arch/Arch-derived distributions. Packages have owners, but everything is very "freeform" in general on the AUR. It wasn't uncommon that you could be added as a maintainer by just sending a mail to the current maintainer, since it's basically "Hey, let me contribute to your repository" (simplified); today people keep track a bit better and avoid that, from what I've seen. But still, it's on an individual basis.

Just like GitHub, AUR is completely devoid of peer review: users upload their own PKGBUILD and share it with others, and the expectation is that users review stuff before they install it, just like on GitHub, or just like on the internet in general.


Yeah, the AUR is basically build scripts for GitHub repos or a link to someone's pre-built binary. It suffers from all the same problems that the underlying infrastructure suffers from. You could very easily argue that since github/npm/cargo/<your package manager of choice> has a supply chain issue, so does the AUR.

You mean these specific Danish EU civil servants were the ones pushing chat control? Or are we actually talking about completely different people? Not every European is the same person.

The EU should fine such intentional violations with a billion euros per violation. That would stop this immediately and force cloud providers to split off their European side into separate companies that don't fall under US law.

The EU is trying relentlessly to read our IMs though.

Chat Control is not law. Of course there are some people inside the EU pushing for privacy violation, just like there are everywhere else, but it's not law. For now, the law protects privacy, and Microsoft violated it. That is the issue at hand.

That's a separate problem.

And it's not "The EU", but really one EU commissioner. Many organs of the EU including the EU Legal Service have criticised CSAR (Chat Control) and the European Parliament has voted against it, effectively killing it.


I have to agree. I'm working on a complex technical proposal that's a bit too far outside my expertise (I tend to submit it to actual experts for a more thorough review). I've worked with Opus and Gemini to review it and work out all the problems and inconsistencies, and I thought it was in a pretty good state.

As an additional check, I just submitted it to Fable, and it eviscerated it. Tons of inconsistencies found, issues skimmed over or ignored, too optimistic assumptions, math that doesn't really add up if you look at it in context. And as far as I can tell, all of these issues are entirely valid. I now feel embarrassed I'd already sent it to a few people for review. This clearly needs more work.


You've got to be the person with the idea. I'm currently doing that. I spent the past year working on a frustrating project where everybody else did everything wrong, so now I'm building it on my own, hoping to sell it to them. (No idea if that will work)

I haven't seen the livestream, but I just heard that they intend to have their AI automatically change your passwords on websites if it considers them insecure, which sounds to me like the worst idea for AI so far, and that bar is high.

The better use case would be to make AI cancel that damn subscription that lets you jump through 20 dark pattern questions and then tells you to call customer support.

And you end up with a new subscription the LLM was tricked into accepting

Great news: I was able to score you 10% off the next 12 months on your subscription!

I would definitely like an AI that helps me avoid dark patterns and enshittification. Is there a browser that automatically solves annoying captchas for you?

You have to manually start the change, it doesn't do it continuously.

For the vast majority of services, even if this action fails and the wrong password is saved (!?) you're still just a "forgot password" click away.


If it’s so easy, why use AI to do it?

Because it’s easy, but not enjoyable.

We used to just write programs to do those things.

It's essentially impossible to write a traditional program that can go through the full process of logging in and changing a password autonomously, without writing fragile site-specific procedures.

By contrast, an LLM can do it easily.


And if something breaks, and something will break - it's Software+Apple - their support will talk to you for 3 hours very professionally, giving you the scenic route of everything IT support has done in the last 300 years, and then they will schedule another call, apparently with an expert, on which you will be told to reboot your devices (yeah, all of them), and the next stop will be asking you to reinstall your devices clean; of course they will remind you to back up your data and how iCloud plans can help. After all that you will be asked to go to a support centre and drop your laptop there (that is, if your device is still under warranty).

> if it considers them insecure

But that's all of them though?


While more readable code is certainly nice, this article ignores the major advantage of XSLT being XML: you can use XSLT to generate XSLT.

And while that sounds like just a funny gimmick, it has real practical applications:

If you've got a CMS that generates HTML from XML documents, you can write the XSLT for that by hand, of course. But if there are common patterns that most sites use (menus, for example), while different customers use their own custom document format, it would be really nice if you could generate that XSLT from the data model definition. Long ago I worked on a CMS that did exactly that.
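One way to do what the comment describes, as an added example that is not the commenter's or any CMS's code: a meta-stylesheet that reads a constructed data-model definition (the `model`/`element`/`field` shape below is assumed for this example) and emits a customer-specific XSLT, with the shared `menu` template baked in. It uses `xsl:namespace-alias` so the `out:` elements are written out as `xsl:` elements instead of being executed by the generator.

```xml
<!-- Constructed input (data-model.xml), assumed shape for this example:
     <model>
       <element name="article">
         <field name="title" tag="h1"/>
         <field name="body"  tag="div"/>
       </element>
     </model>
-->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:out="urn:example:generated-xslt">

  <!-- Anything written with the out: prefix is emitted as xsl: in the
       result, so the generator does not try to execute it itself. -->
  <xsl:namespace-alias stylesheet-prefix="out" result-prefix="xsl"/>
  <xsl:output method="xml" indent="yes"/>

  <xsl:template match="/model">
    <out:stylesheet version="1.0">
      <out:output method="html" indent="yes"/>

      <!-- Shared pattern every customer site gets: a menu template. -->
      <out:template match="menu">
        <ul>
          <out:for-each select="item">
            <li><out:value-of select="."/></li>
          </out:for-each>
        </ul>
      </out:template>

      <!-- One template per customer-specific document element. -->
      <xsl:apply-templates select="element"/>
    </out:stylesheet>
  </xsl:template>

  <xsl:template match="element">
    <!-- Attribute value templates fill in the match pattern and the
         select expressions from the model at generation time. -->
    <out:template match="{@name}">
      <xsl:for-each select="field">
        <xsl:element name="{@tag}">
          <out:value-of select="{@name}"/>
        </xsl:element>
      </xsl:for-each>
    </out:template>
  </xsl:template>
</xsl:stylesheet>
```

Running it with `xsltproc generate.xsl data-model.xml > site.xsl` produces a stylesheet whose `article` template wraps `title` in `h1` and `body` in `div`, alongside the shared `menu` template.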


> The schedule times are more of a guideline: "You know you'll eventually get there, because there are one or two trains per hour in the big cities." If a train is canceled, you simply take the next one – ticket inspectors are used to this because the system adapts too.

That's a fine attitude when your trains run every 10 minutes, like intercities between Amsterdam and Utrecht do, but not when it's only once an hour.

I don't think there's any station in the Netherlands that doesn't have at least one train per hour.

I've had a train from Essen to Düsseldorf get cancelled at the end of Spiel! In Essen. Thousands of people had to get to Düsseldorf to catch the last ICE there. The replacement bus wasn't going to make it. I ended up paying a fortune for a taxi. And then the ICE arrived at a different platform than announced.

There's nothing about the German train system that's even remotely acceptable. It's not funny enough to call it a joke. It's a tragedy.


What happened? I visited Germany in 2008, and back then you could set your watch by the trains.


Lack of funding, postponement of maintenance, degraded infrastructure. And now too much bureaucracy to get it fixed.


They privatized it. Now all what matters are profits and salaries of the executive board.


This is the answer. They thought they could get away with it. And from what I understand, they nearly did, because the original victim couldn't afford the risk of a lengthy and expensive lawsuit.

