Navigation

Language Selection

Search

On centralized development forges

Submitted by Roy Schestowitz on Thursday 2nd of December 2021 02:50:47 PM Filed under

Since the launch of SourceForge in 1999, development of FOSS has started to concentrate in centralized development forges, the latest one of course being GitHub, now owned by Microsoft. While the centralization of development talent achieved by GitHub has had positive effects on software development output towards the commons, it is also a liability: GitHub is now effectively a single point of failure for the commons, since the overwhelming majority of software is developed there.

In other words, for the sake of convenience, we have largely traded our autonomy as software maintainers to GitHub, GitLab.com, Bitbucket and SourceForge, all of which are owned by corporate interests which, by definition, are aligned with profitability, not with our interests as maintainers.

It is indeed convenient to use GitHub or GitLab.com for software development: you get all the pieces you need in order to maintain software with modern workflows, but it really does come at a cost: SourceForge, for example, was caught redistributing Windows builds of projects under their care with malware.

While GitHub or the other forges besides SourceForge have not yet attempted anything similar, it does serve as a reminder that we are trusting forges to not tamper with the packages we release as maintainers. There are other liabilities too, for example, a commercial forge may unilaterally decide to kick your project off of their service, or terminate the account of a project maintainer.

In order to protect the commons from this liability, it is imperative to build a more robust ecosystem, one which is a federated ecosystem of software development forges, which are either directly run by projects themselves, or are run by communities which directly represent the interests of the maintainers which participate in them.

Login or register to post comments
Printer-friendly version
2123 reads
PDF version

More in Tux Machines

Security Leftovers

Security updates for Thursday [LWN.net]

Security updates have been issued by Fedora (microcode_ctl, rubygem-nokogiri, and vim), Mageia (htmldoc, python-django, and python-oslo-utils), Red Hat (container-tools:2.0, kernel, kernel-rt, kpatch-patch, and pcs), SUSE (ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud, autotrace, curl, firefox, libslirp, php7, poppler, slurm_20_11, and ucode-intel), and Ubuntu (bind9, gnome-control-center, and libxrandr).
Apple Safari, Microsoft Windows 11 & Teams, Hacked During $800,000 0-Day Fest [Ed: Microsoft puts back doors in its things, so security is never the goal, nor is it accomplished]
Red Hat Kubernetes security report finds people are the problem

Kubernetes, despite being widely regarded as an important technology by IT leaders, continues to pose problems for those deploying it. And the problem, apparently, is us. The open source container orchestration software, being used or evaluated by 96 per cent of organizations surveyed [PDF] last year by the Cloud Native Computing Foundation, has a reputation for complexity. Witness the sarcasm: "Kubernetes is so easy to use that a company devoted solely to troubleshooting issues with it has raised $67 million," quipped Corey Quinn, chief cloud economist at IT consultancy The Duckbill Group, in a Twitter post on Monday referencing investment in a startup called Komodor. And the consequences of the software's complication can be seen in the difficulties reported by those using it.
CISA Releases Analysis of FY21 Risk and Vulnerability Assessments | CISA

CISA has released an analysis and infographic detailing the findings from the 112 Risk and Vulnerability Assessments (RVAs) conducted across multiple sectors in Fiscal Year 2021 (FY21).
ISC Releases Security Advisory for BIND

The Internet Systems Consortium (ISC) has released a security advisory that addresses a vulnerability affecting version 9.18.0 of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to cause a denial-of-service condition.
CVE-2022-1183: Destroying a TLS session early causes assertion failure

An assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early.

Videos/Shows: Red Hat Enterprise Linux 9, The Linux Link Tech Show, Bad Voltage, and BSD Now

Red Hat Enterprise Linux 9 overview | security functionality and performance for IT environments - Invidious

In this video, I am going to show an overview of Red Hat Enterprise Linux 9 and some of the applications pre-installed.
The Linux Link Tech Show Episode 954
Bad Voltage 3×46: Srtrerarm Deck

Stuart Langridge, Jono Bacon, and special guest star Jorge Castro present Bad Voltage, in which those of the team not currently having fun on a beach in Spain dig into the latest tech news, including (but not limited to)...
BSD Now 455: Ken Thompson Singularity

OpenBSD is the Perfect OS post Nuclear Apocalypse, Multiprocess support for LLDB, porting the new Hare compiler to OpenBSD, Writing my first OpenBSD game using Godot, FreeBSD 13 on Thinkpad T460s, and more.

today's howtos

GNU Linux (distro independent) – how to set fixed ip (brute force overwrite) – temporarily (also possible for DNS)

this is a quick bash hack, to set an additional fixed ip to the user’s interface, this will (brute force) OVERWRITE all mess done by network managers of various origins: (there should be only one config file to config network settings and it is: /etc/network/interfaces, instead of 10x entities inventing it’s own standard, confusing the heck out of users, just keep the standard that is already there?)
How to Enable More Multi-Touch Gestures in Ubuntu 22.04 GNOME 42 | UbuntuHandbook

This simple tutorial shows how to enable 3-finger & 4-finger multi-touch gestures in Ubuntu 22.04, Fedora 36 and other Linux with GNOME 40+, while the desktop by default supports only few gestures.
How to Install Open Source osTicket on Ubuntu 20.04

A server can contain many important business applications. These applications can help us to deploy even a support ticket system to better manage the technical service of a company. Today, you will learn how to install osTicket on Ubuntu 20.04.
How to Install and Use Bitwarden on Linux

A password manager is an application that lets you generate new passwords and store existing ones securely. It eliminates the need to create and remember strong and complex passwords yourself for all your accounts. Depending on the device and operating system you're using, you can find all kinds of password managers. Bitwarden is a free-to-use password manager that comes with all the essential password management features. Follow along to learn how to install and set up Bitwarden on Linux.
How to install Borgmatic for easy Linux server backups | TechRepublic

Do you have a reliable backup solution running on your Linux servers? If not, what’s your plan for disaster recovery? The word “disaster” alone should be enough to help you realize backups are an absolutely crucial part of your organization. If you’re in the market for a new Linux backup solution, there’s a lesser-known solution that does an outstanding job, and it’s fairly easy to install and configure. That solution is Borgmatic. This simple, configuration-driven backup solution protects your files (and even databases) with client-side encryption and even offers third-party integration for things like monitoring. I want to walk you through the process of installing Borgmatic on Ubuntu Server 22.04. When complete, you should feel confident your important data is regularly being backed up.
How to install the Caddy web server on Ubuntu Server 22.04 | TechRepublic

Caddy is a powerful open-source web server, written in Go, that can be used to host web applications in a production environment. Caddy features built-in automated TLS certificate renewals, OSCP stapling, static file serving, reverse proxy, Kubernetes ingress and much more. Caddy can be run as a stand-alone web server, an app server or even within containers. In this tutorial, I’m going to walk you through the steps of installing Caddy on Ubuntu Server 22.04 and then how to create a simple, static site.

Jive Search is your private self-hosted search engine

Ever wanted your own search engine that you can host, control and make sure your searches are not leaked or recorded?. Then it is time to check Jive Search. Jive Search is a free, open-source search self-hosted search engine that you can run on your machine or server. The app is written using the Go programming language for better performance. Also: MinIO is an open-source multi-cloud object storage for Amazon S3 for enterprise

Latest News

LWN.net Weekly Edition for May 12, 2022

This edition contains wall-to-wall coverage from the 2022 Linux Storage, Filesystem, Memory-Management, and BPF Summit, including:

Dealing with negative dentries: how the kernel can manage the cache of file-name lookup failures better.
Recent RCU changes: a quick overview of read-copy-update (RCU) followed by descriptions of some of the bigger changes that have gone into it over the last few years.
How to cope with hardware-poisoned page-cache pages: What should the kernel do when memory errors corrupt a page in the page cache?
Page pinning and filesystems: this year's discussion on how to solve the problems with get_user_pages().
Ways to reclaim unused page-table pages: a lot of the memory used to hold page tables is not needed in that role and could be put to better uses.
The ongoing search for mmap_lock scalability: the 2022 version of the perennial page-fault scalability topic, perhaps with some solutions on the horizon this time.
Improving memory-management documentation: how to capture some of the "tribal knowledge" behind memory management and make it available to more developers.
The state of memory-management development: : Andrew Morton describes some changes to how memory-management patches are handled.
Seeking an API for protection keys supervisor: protection keys can help to harden the kernel, but the best way of managing them is still unclear.
Better tools for out-of-memory debugging: understanding out-of-memory problems is not easy; what can be done to improve the situation?
Changing filesystem resize patterns: filesystems that are created small, but continually resized to be much larger, are causing some headaches.

today's leftovers

Distro Delights, New Release Mania, Forking KDE, Windows in a Bottle

If you are looking for a really cool Linux computing platform with lots of extras and a twist on traditional desktop design, check out Modicia OS Ultimate. Italy-based Modicia Web Design and Development Company recently released its latest upgrade — Modicia O.S. 22. You probably won’t stumble on this gem in hiding if you distro hop or browse through traditional outlets for Linux operating systems; but it is definitely a discovery worth finding. It is one of the easiest Linux offerings I have used. Modicia Ultimate installs without hassles and has no learning curve to get started. It is a great platform for personal and small business use as well. Get it here. The popular CentOS alternative, AlmaLinux, is now available on Oracle Cloud. AlmaLinux OS Foundation on May 5 announced its availability on the Oracle Cloud Infrastructure marketplace, continuing AlmaLinux’s penetration into the cloud.
The Linux Foundation and Fintech Open Source Foundation Announce the Schedule for Open Source in Finance Forum London 2022, July 13
OSI to the European Commission: make space for patent-free standards too

One of the biggest hidden challenges facing the software and technology world is the evolving conflict between old electronics vendors and the new software-defined universe. It’s arising because of patents embedded within international standards. We think it needs fixing because it especially affects Open Source. It may come as a surprise to find that some supposedly “open“ standards – including those ratified by standards development organizations (SDOs) like ISO, CEN and ETSI – can’t be implemented without going cap-in-hand to the world’s largest companies to buy a license. This is because both the SDOs and regulators allow so-called SEPs – “standard-essential patents” – to be tolerated due to the legacy approach of standards in hardware contexts.

Programming Leftovers

Interacting with the Pootle Bot on Gerrit

Have you received “A polite ping, still working on this bug?” message on one of your Gerrit submissions? You can simply send an arbitrary reply to avoid the patch being abandoned within a month. Here we discuss more about Pootle bot, which is one of the QA (Quality Assurance) tools for the LibreOffice QA team to manage old submissions.
Optimizing your QML application for compilation to C++

This is the start of a series of posts where I'm going to share some insights on how to adjust a QML application to get the most out of qmlsc, the QML Script Compiler. In contrast to previous posts, I won't talk about the abstract architecture or the high level picture.
Compiling QML to C++: Annotating JavaScript functions

This is the second installment in the series on how to adjust your QML application to take the maximum advantage of qmlsc. In the first post we've set up the environment and taken an initial measurement. I highly recommend reading that one first.
PaloAlto init-cfg.txt Bootstrap Config file Layout with Examples

When you install and configure the PaloAlto firewall, when the firewall boots up for the first time, it does the bootstrapping process. PaloAlto uses the settings defined in the bootstrap files, including the init-cfg.txt and bootstrap.xml under the config folder to configure the initial state of the firewall.
$30 compact multi-sensor board works with any microcontroller with I2C (Crowdfunding) - CNX Software

SENSE is a compact multi-sensor board supporting measurement of air quality, sound, light intensity, temperature, proximity, etc… and designed by Zack Seifert, a seventeen-year-old electronics enthusiast and president of his school’s robotics team.
I will just quickly do a blog post...

I got ”inspired” by my writing of the previous blog post, and wrote in a channel about my experience some time ago. So why not also do a blog post about doing a blog post :) So… I was planning to use GitLab’s Pages feature via my Hugo fork as usual to push it through. So like, concentrate on writing and do a publish, right, like in good old times? I did so, but all I got both locally and in remote pipeline was stuff like…
Rust: A Critical Retrospective

Since I was unable to travel for a couple of years during the pandemic, I decided to take my new-found time and really lean into Rust. After writing over 100k lines of Rust code, I think I am starting to get a feel for the language and like every cranky engineer I have developed opinions and because this is the Internet I’m going to share them. The reason I learned Rust was to flesh out parts of the Xous OS written by Xobs. Xous is a microkernel message-passing OS written in pure Rust. Its closest relative is probably QNX. Xous is written for lightweight (IoT/embedded scale) security-first platforms like Precursor that support an MMU for hardware-enforced, page-level memory protection. In the past year, we’ve managed to add a lot of features to the OS: networking (TCP/UDP/DNS), middleware graphics abstractions for modals and multi-lingual text, storage (in the form of an encrypted, plausibly deniable database called the PDDB), trusted boot, and a key management library with self-provisioning and sealing properties. One of the reasons why we decided to write our own OS instead of using an existing implementation such as SeL4, Tock, QNX, or Linux, was we wanted to really understand what every line of code was doing in our device. For Linux in particular, its source code base is so huge and so dynamic that even though it is open source, you can’t possibly audit every line in the kernel. Code changes are happening at a pace faster than any individual can audit. Thus, in addition to being home-grown, Xous is also very narrowly scoped to support just our platform, to keep as much unnecessary complexity out of the kernel as possible.
Huang: Rust: A Critical Retrospective

Andrew 'bunnie' Huang has posted an extensive review of the Rust language derived from the experience of writing "over 100k lines" of code.
This Week In Rust: This Week in Rust 443
Caolán McNamara: Dark Style Preference with GTK

Added something to track the org.freedesktop.appearance.color-scheme property as used by the GNOME 42 Dark Style Preference setting. Screencast recorded with the new iteration of GNOME's screen built-in recorder which is quite snazzy.

Syndication & Social Media

Follow the site via RSS/Twitter.

Full RSS:

RSS feeds for particular topics are also available

Twitter:

Content (where original) is available under CC-BY-SA, copyrighted by original author/s.

Support Tux Machines

Help Support TM
Wall of Appreciation

Gizmoz

FOSSMint

Debug Point

LXer

UbuntuBuzz

SparkyLinux

Linux Journal

Linux Today

System 76

Pop!_OS 22.04 LTS has landed!

Kernel Planet

Purism

LinuxSecurity.com Advisories

Debian

It's FOSS

OMG! Ubuntu!

GamingOnLinux

Slashdot

DW Latest Releases

DistroWatch

More on Tux Machines: About ● Gallery ● Forum ● Blogs ● Search ● News ● RSS Feed

Part of Bytes Media ● Sister sites below.

FSF

Ubuntu Buzz

LinuxLinks

Content available under CC-BY-SA

Navigation

Language Selection

Search

Tux Machines Section/s

Authors Information

LWN

Active forum topics

Collabora

9to5Linux

Gnu Planet

FOSS Force

FOSSLinux

Phoronix

OpenSource.com

Kde Planet

Fedora Magazine

Mozilla