Time Nick Message
00:47 MTDiscord sfan5: Yo. Have you even heard about https://kitsunemimi.pw/ (and https://servers.minetest.net/ as the result) being blocked by ISPs because of youtube-dl?
02:17 Blockhead256[m] Pexin: I'm afraid I can't help much with Inside the Box stuff - I've never actually played it. I just stumbled upon a PR that related to trampolines and added what I knew about trampoline behaviour from following development.
06:29 MTDiscord Why would YouTube dl cause those to be blocked by an isp?
06:30 MTDiscord Unless you can now pirate a YouTube video
07:28 muurkha jordan4ibanez: there was a recent appalling court decision about this
07:28 MTDiscord That's brutal
07:28 MTDiscord Youtube had a good run though, but not really
10:14 sfan5 @savilli no. how would I even find this out?
10:55 Blockhead256[m] ISPs really are complicit in such tosh
10:55 Blockhead256[m] Political censorship and censorship on behalf of major copyright holders
10:55 Blockhead256[m] Not to mention, have fun in the year 2023 if your internet is interrupted while you dispute with them
10:55 Blockhead256[m] yt-dlp still works fine for me though :)
10:56 Blockhead256[m] but what has the server list got to do with youtube-dl though?
10:57 Blockhead256[m] because the same host serves a version of it? Someone had to go and report this obscure website
10:57 Blockhead256[m] just wow
10:58 mrkubax10 maybe shared IP?
10:58 muurkha Blockhead256[m]: servers.minetest.net. 300 IN CNAME kitsunemimi.pw.
10:58 Blockhead256[m] yeah two DNS records pointing to that same IP
10:59 mrkubax10 so that's the reason probably
10:59 muurkha it's a DNS record that points to the name, not to the IP
11:00 muurkha but that's a minor quibble in this context
11:06 MTDiscord might be related to https://torrentfreak.com/youtube-dl-hosting-ban-paves-the-way-to-privatized-censorship-230411/ .. ISP in some place might have had to block all web servers that host any version of ytdl due to that court rule
11:08 MTDiscord if that's the case then it's possible that this had got the server blocked by ISP: https://kitsunemimi.pw/ytdl/
11:08 muurkha yeah
13:21 MTDiscord The Minetest server list is not really what I would have expected as a heuristic for whether somebody actually lives in the "free world" or not.
15:43 MinetestBot [git] SmallJoker -> minetest/minetest: InventoryManager: Disallow resizing or deleting inventory lists that … 0fb6dba https://github.com/minetest/minetest/commit/0fb6dbab360813536b5b62a7ee4aa03e7757eeb4 (2023-04-22T15:42:36Z)
18:30 celeron55_ https://devclass.com/2023/01/24/eus-proposed-ce-mark-for-software-could-have-dire-impact-on-open-source/
19:22 MTDiscord They're just like, let's just destroy everything
19:25 Pexin my google fu is weak. what does compliance even mean in this case, other than paying a central authority for a digital signature?
19:25 muurkha remember the EU already banned, of all things, borax
19:26 Pexin exactly what type of "security" is it meant to protect?
19:26 muurkha supply chain malicious code injection attacks? just guessing
19:28 Pexin if nothing else, the bit about "unfinished software" makes the whole thing sound like a joke
19:30 muurkha what is the proper response to the combination of such immense ineptitude with such immense power?
19:30 MTDiscord All software is unfinished, and if someone stops updating it claiming yes finished. Well, now it's unfinished and outdated.
19:31 muurkha nearly all. TeX is plausibly finished
19:41 potatoxel[m] noh
19:43 MTDiscord Bro the entire existence of humanity in the internet age relies on open source software. If they mess that up and it all gets pulled back. Pulled off. They don't even understand the scope of the horrors they will experience. They think 290 billion is a lot for security? Let's triple that number and change the b to a t. Everything you're using in your life which is technological is using open source software under the hood, even your
19:43 MTDiscord car. These people are idiots for even attempting to stifle this
19:57 muurkha jordan4ibanez: similarly disastrous government policies have happened many times before
19:58 muurkha Madagascar just kicked off a famine with price controls on staple foods
20:07 MTDiscord "how can free software developers afford the cost of compliance" Well, who says they should care? And if it would be like CE marking then there's no direct costs at all as long as product is already safe to use.
20:08 MTDiscord But I guess it probably isn't anything like CE marking...
20:10 muurkha software is never safe to use; it always has defects. we call them 'bugs'
20:11 MTDiscord Same goes with hardware that can still have CE markings, they also call them bugs or sometimes defects.
20:11 muurkha except maybe seL4 or something. but they had to patch it for Spectre
20:11 muurkha with hardware the guy who put the defects in there is getting paid to take the risk
20:12 MTDiscord But like hardware reputable software also goes through QA testing, that also happens with open source and even with small projects.
20:12 muurkha naw, most SaaS is tested in production through gradual rollout
20:13 MTDiscord And I wouldn't call that safe unless it is safe for environment it targets, but then.. well it is safe.
20:13 MTDiscord Safety after all is relative, not absolute.
20:15 MTDiscord CE marking for example is a stamp that tells customer that manufacturer of product (not some trusted authority but manufacturer) guarantees that certain requirements are fulfilled.
20:19 MTDiscord What if a requirement causes a security flaw?
20:19 MTDiscord If linked article is anywhere near correct then situation should be somewhat similar and for many open source projects situation is kind of similar already if you consider documentation and how it works out in the end depends mostly on exact requirements.
20:19 MTDiscord If requirements cause a security flaw then I guess requirements aren't well thought. And then I guess people would begin avoiding such "security" labels.
20:20 MTDiscord If for example CE marking would make power tools inherently unsafe then ppl would probably start avoiding anything with CE marking.
20:23 MTDiscord There's already standards that attempt to handle this and many open source projects do fulfill a lot of security related standards required for example by many government computer infrastructure systems, I guess issue is more that there's no simple stamp for consumers.
20:26 MTDiscord If it is good or bad probably depends mostly on 2 things: requirements for stamp and what one has to do to get such security stamp.
20:39 muurkha in the EEA the CE marking is not a voluntary thing
20:40 muurkha ppl can't avoid things with CE marking there
20:40 muurkha and the EEA is the world's biggest economy, we aren't talking about a few villages in Zimbabwe
20:43 celeron55_ i don't think the CE analogy in that post is very good. don't get hung up on that
20:45 muurkha you're right, I'm sorry
20:45 celeron55_ and besides it anyway looks like nobody understands how CE works. CE is just basically the company producing a product stamping a paper that says "this product conforms to the relevant EU standards and thus we can put it on the EU market". if you don't do that you're not allowed to sell it in EU
20:46 muurkha right, and if you do do that and it's not true then you're criminally liable
20:47 celeron55_ also, more often than not companies do use external companies to do the paperwork and checks. just figuring out which standards the product has to comply with can be difficult
20:48 celeron55_ but you can do it all in house if you want to. like you say, whoever signs the paper is liable if the product is found to not conform
20:49 celeron55_ (of course and employee signing it makes the company liable, not the employee)
20:49 celeron55_ an employee*
20:49 MTDiscord How will this affect open source development like libraries, apps, and games?
20:49 celeron55_ that's the question
20:50 muurkha it would have to go underground, like in Iran
20:51 muurkha purely pseudonymous
20:51 MTDiscord Also minetest is located in San Francisco Cali USA so it's safe until america just pokes itself in the chest like that thing
20:51 muurkha celeron55_ and sfan5 are not located in sf.ca.us
20:51 MTDiscord I think people are just going to pretend that it never happened
20:51 muurkha they are located in the EEA
20:51 MTDiscord Then that means the entirety of the eu would have to block github
20:51 rubenwardy Minetest is not in San fran
20:52 celeron55_ it does seem like to me that it's aimed towards IoT type things which are already heavily covered by EU standards, and what they have found out there are no standards for cybersecurity related things
20:52 MTDiscord It's on github's servers yes? I'm looking at it right now
20:52 Pexin minetest is in your heart.
20:52 muurkha no, it means people who upload code to github would get sued in the EU for it, and lose
20:52 MTDiscord Not sure how that's going to work, it's in america
20:53 MTDiscord And if github pulls access from the eu, phew boi
20:53 celeron55_ if github has to ban EU from accessing github due to some legislation, then minetest can't be on github and your argument is invalid
20:53 MTDiscord It's in the arctic code vault
20:54 muurkha right, which means past contributors can't escape liability under such laws by removing it from github
20:54 muurkha just like in Iran
20:54 Pexin vast likelihood is this is just another "offer the worst thing imaginable, wait for backlash, then replace with the second worst thing, and the people will Love you for it (all according to keikaku)"
20:55 MTDiscord oof, you're both very correct
20:55 MTDiscord Welp, the only thing we can really do is tell other projects like gnome, kde, linux, and blah blah
20:56 Pexin to elaborate: because 1) the public has the attention span of a goldfish, and 2) politicians have this thing down to a literal science
20:56 MTDiscord Oracle, linux foundation, fsf yada yada
20:59 MTDiscord This is oss what happens to this? https://github.com/gcc-mirror/gcc so absolutely dangerous
20:59 celeron55_ anyway. i haven't read the CRA, but i'm assuming it's some sort of requirement to use some kind of quality management method not too far off from something like ISO 9001 for the cybersecurity related parts in a commercial product. the main thing that means is that if you're selling a commercial product, you can't just ship it with open source software you downloaded from the internet without checking
20:59 celeron55_ it over and not having any security processes/practices in place. however again i haven't read it, if someone knows it's not something like that, let me know
20:59 MTDiscord What happens to some git mirror is dangerous?
20:59 celeron55_ the pdf is 87 pages, i need to find some time
20:59 MTDiscord It's a git mirror straight from the gcc project
21:00 MTDiscord Yeah, it's a mirror
21:00 MTDiscord Among with countless other mirrors
21:00 MTDiscord So what happens when eu snoops up to the master branch's repo and then server and finds who owns it when they do not comply?
21:01 MTDiscord And not even listed as an official mirror.
21:02 MTDiscord Yeah exactly, that's what I'm getting at. Open source is like a dynamic environment, what happens if they take this to robocop levels and go after every person that hosts a copy of it?
21:02 MTDiscord It's unfinished
21:02 MTDiscord They'll probably start with themselves in that case and it'll take long enough before they get away with themselves...
21:03 celeron55_ it being on github surely doesn't count as it being a product that's being traded in the EU
21:03 celeron55_ although, that seems to be one of the questions
21:04 celeron55_ it clearly needs to be made sure that you can make software downloads available on the internet without them being subject to these rules. that seems to be the point of the post i linked
21:05 MTDiscord After all EU has been driving open source to public sector for very long time, during last year there's been some talk about if it causes security issues. Mostly connected to one specific geopolitical conflict round EU borders.
21:05 MTDiscord Yeah seriously
21:05 celeron55_ i'm glad they're bringing some regulations onto the IoT crap market though
21:06 potatoxel[m] internet of tomatoes ;o
21:06 MTDiscord Hack into someone's coffee machine and run a crypto miner because they left root with password " " :P
21:06 celeron55_ one of the main goals seems to be that products that are IoT crap are marked as such. the surprise "oh i need to register to this chinese server in order to use the product" needs to go
21:07 muurkha celeron55_: if it were just what you were describing, ASF et al. wouldn't be up in arms. it imposes liability on software authors if their software is defective
21:07 potatoxel[m] most my software is defective ;o
21:07 celeron55_ muurkha: have you read it? i'd be very glad if i could ask questions from someone who has had the time to read it
21:07 muurkha not people who host copies, as jordan4ibanez seems to think
21:07 potatoxel[m] but its just games i made for fun
21:08 muurkha Minetest itself would probably not be affected
21:08 MTDiscord I'm not sure about that, it seems pretty vague in wording
21:08 muurkha but irrlichtmt might be, if someone uses it to build a 3D view of a self-driving car environment
21:09 celeron55_ why would the developers be liable? the one liable should be the one who brings the end product to the market
21:09 celeron55_ are you sure that's the case
21:09 MTDiscord Headline: "Tesla uses minetest for the new model 12, simulates roads in voxels, more news at 11"
21:10 MTDiscord It's silly
21:10 potatoxel[m] minetest crashes, so tesla crashes, person died because minetest is buggy
21:10 potatoxel[m] oh no ;o
21:10 MTDiscord the Tesla would stop at chunk borders :trollface:
21:10 muurkha celeron55_: sadly I have not, just people's commentary. I do kind of know where people like Simon Phipps stand, though
21:11 potatoxel[m] MTDiscord: lol
21:11 celeron55_ i'm going to link this to the guy in my company who does our CE stuff. he will have to read it on company time and then i can ask questions from him. life hack
21:11 MTDiscord That's genius!
21:11 potatoxel[m] lol
21:11 muurkha celeron55_: the developers would be liable if the CRA is enacted because its point is to make them liable
21:12 celeron55_ i refuse to believe that from anyone who hasn't read the paper. that makes no sense to me
21:12 potatoxel[m] when you make people that are writing free code liable, you just make less of them write it. or none of them write it.
21:12 muurkha I agree that it makes no sense
21:12 MTDiscord Oh right so like here's the other one I forgot to ask: Which developer? The one that wrote the library? Or the one that made the entry point? Or the one that made the line of code that caused the crash? Or is it the developer that checked the code before it went into the master branch?
21:12 muurkha and I also agree that you shouldn't trust me
21:12 potatoxel[m] like why would me writing code and putting it in my website make me liable for someone who uses it
21:12 muurkha on this, anyway
21:13 MTDiscord I guess would be similar to if someone uses rat poison to produce meatball stew who would then be liable if someone gets sick.
21:13 potatoxel[m] i didnt read it either just talking about what i heard
21:13 celeron55_ in finland we had a widely publicized court case about a company that had totally shit security practices and leaked patient information due to it. the court gave practically no liability to the developers or even the CEO, and put all the liability on the hacker that basically connected to their internet facing database without a password
21:13 MTDiscord Are they all jointly responsible? Vagueness is dangerous boi
21:13 muurkha potatoxel[m]: see Simon Phipps' commentary: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376611_en
21:13 potatoxel[m] anyway, all the text i just wrote is provided to you under no warranty, not even merchantability for a particular purpose. also its not legal or medical advice, or any advice.
21:14 celeron55_ if the CRA says what muurkha is saying, that would put the court case totally on its head
21:14 muurkha celeron55_: I don't think you should believe me but I do think you should believe Simon :)
21:14 MTDiscord How did they even let that pass into a branch, never mind the master branch. That's mind boggling
21:16 celeron55_ muurkha: it does sound worrying
21:25 Desour the article linked by celeron55_ is quite old (january). here's something more recent (found via web search): https://linuxfoundation.eu/cyber-resilience-act
22:49 muurkha thanks, Desour!