Lunduke
News • Science & Tech
"If this one guy got hit by a bus, the world's software would fall apart."
(Funny? Yes. But the reality is far worse...)
April 04, 2024
post photo preview
  • How many critical software packages are maintained by a small, unpaid team (or, worse, a single person)?
  • What happens when that person gets bored with the project... or decides to do something malicious (as in the case with a recent backdoor in the XZ compression tool)... or... gets hit by a bus?

These are not only fair questions to ask... but critical as well.

The reality is that we're not simply talking about a handful of key software packages here -- the entirety of our modern computing infrastructure is built on top of thousands of projects (from software packages to online services) that are built, maintained, and run entirely by one person (or, when we're lucky, 2 or 3 people).

One wrong move and the Jenga tower that is modern computing comes crashing down.

Source: xkcd

Just to give you an idea of how widespread -- and dire -- this situation truly is, I would like to call your attention to two projects that most people don't even think about... but that are critical to nearly every computer system in use today.

The TZ Database

Dealing with Timezones in software can be tricky.  Many rules, many time zone details.  As luck would have it, a standard database (TZ Database) was built to make it easier for software projects to get those details right.

And, every time those timezone details (across the world) are changed -- something which can happen several times per year, often with only a few days notice -- that database needs to be updated.

What happens if those details are not updated... if the timezone data is incorrect?

At best?  A few minor scheduling inconveniences.  At worst?  Absolute mayhem... computer-wise.  Times can become significantly out of sync between systems.  Which can mess up not only scheduling (an obvious issue), but security features as well (as some encryption tools require closely synced time).

To give you an idea of how widespread the TZ Database is, here is just a teeny tiny fraction of the number of software projects which rely upon it:

  • Every BSD system: FreeBSD, OpenBSD, Solaris
  • macOS & iOS
  • Linux
  • Android
  • Java, PHP, Perl, Ruby, Python, GCC, Javascript
  • PostrgreSQL, MongoDB, SQL Server

Yeah.  It's basically a list of "all software".  And that's just a sample of the software which heavily relies on the TZ Database for making sure timing (and everything that is time-critical) is correct.

Now.  With something this absolutely critical, surely a highly paid team of people -- from multiple companies -- is responsible for keeping it updated... right?

Oh, heavens, no.

Two people.  Two!

While the database itself has been officially published on ICANN (the "Internet Corporation for Assigned Names and Numbers") servers for the last few years, only 2 people actually maintain the TZ Database.

SQLite

Did you know that SQLite is the most used database system in the entire world?  More than MySQL, MS SQL Server, and all the rest of them.  Good odds, SQLite is used on more systems than all other database systems in the world... combined.

In fact, SQLite is a critial component in the following systems:

  • Android, iOS, macOS, & Windows
  • Firefox, Chrome, & Safari
  • Most set top boxes and smart TVs
  • An absolutely crazy number of individual software packages (from Dropbox to iTunes)

Now, ready for the fact you knew was coming?

SQLite is maintained by... 3 guys.

Not "3 lead developers who oversee an army of open source contributors"... just 3 guys.  Total.  And they don't accept public patches or fixes.

"SQLite is open-source, meaning that you can make as many copies of it as you want and do whatever you want with those copies, without limitation. But SQLite is not open-contribution."

A piece of software that is practically the cornerstone of modern computing.  Trillions of dollars worth of systems relying upon it -- every second of every day.  3 guys.

Corporations rest on the shoulders of... a couple volunteers

Add those two projects together.  5 guys, in total, are responsible for Timezones and SQLite databases.  Software and data used on practically every computer on the planet.

And that's just the tip of the iceberg.  Critical projects -- often with small teams of (more often than not) unpaid voluneers -- form the core of the vast majority of major software projects.  Including commercial ones.

ImagemagickXZFFmpeg?

You'll find those at the heart of more systems than you can count.  Good odds you use all three, every day, and don't even notice it.

And, as the small team behind FFmpeg pointed out in a recent X post, getting those large corporations to contribute -- in any meaningful way -- can be like pulling teeth:

The xz fiasco has shown how a dependence on unpaid volunteers can cause major problems. Trillion dollar corporations expect free and urgent support from volunteers.

 

Microsoft / Microsoft Teams posted on a bug tracker full of volunteers that their issue is "high priority"

 

 

After politely requesting a support contract from Microsoft for long term maintenance, they offered a one-time payment of a few thousand dollars instead.

 

This is unacceptable. 

 

We didn't make it up, this is what Microsoft actually did:
https://trac.ffmpeg.org/ticket/10341#comment:4

 

The lesson from the xz fiasco is that investments in maintenance and sustainability are unsexy and probably won't get a middle manager their promotion but pay off a thousandfold over many years.

 

But try selling that to a bean counter

In short: Microsoft wanted to benefit from the (free) work done by FFmpeg... but was only willing -- at most -- to toss a few peanuts at the team.  And, even then, that (mildly insulting) offer of meager support was only done when Microsoft needed assistance.

A few parting thoughts...

There are valuable lessons to be learned from all of this -- including the need for real, meaningful support (by large corporations) of the projects they rely so heavily upon.

But, for now, I'd like to leave you with a few observations.

  1. Corporations don't hesitate to throw large sums of money at Tech Trade Organizations (such as The Linux Foundation -- which brings in hundreds of Millions every year from companies like Microsoft)... yet they are hesitant to provide significant funding to projects they rely directly upon to ship their own, often highly profitable, products (see the projects listed earlier in this article).
  2. How many of these smaller projects -- which Linux desktops and servers rely entirely upon -- receive regular funding from The Linux Foundation (or companies which fund The Linux Foundation)?  I'll answer that question for you: Next to none.
  3. Even high profile Open Source projects -- such as KDE or GNOME -- struggle to bring in enough funding to afford two full time developers on payroll.
  4. We have avoided catastrophe, thus far, through dumb luck.  The recent XZ backdoor, for example, was found by a lone developer who happened to notice a half second slowdown... and happened to have the time (and interest... and experience) to investigate further.  The odds of that being discovered before significant harm was done... whew!... slim.  So much dumb luck.

Go take a look at that XKCD comic at the begining of this article again.  Funny right?  And it makes a solid point.

You know what's terrifying, though?  The reality is far more precarious. 

There's not simply one project -- by one guy -- holding all of modern computing up.

There's thousands of projects.  Each made by one guy.  And hundreds of those projects (at least) are load-bearing.

Dumb luck only lasts for so long.

community logo
Join the Lunduke Community
To read more articles like this, sign up and join my community today
18
What else you may like…
Videos
Podcasts
Posts
Articles
End of the Internet? Dead Internet Theory + Disappearing Content = Rut Roh

The Internet is mostly made by AI... but that's ok, it's all being deleted anyway.

00:28:24
The Future of Computing: A.I. and Advocacy. ...Seriously?

Microsoft, Firefox maker Mozilla, & Red Hat envision a future where computers are focused on Artificial Intelligence & Political Advocacy (and Activism). Where do others, like Apple & Ubuntu, stand?

00:28:46
The Open Source Community is Neither "Open" nor a "Community"

Other words that don't describe the Open Source World: Free, Democracy, Welcoming, Inclusive, Honest.

00:32:04
November 22, 2023
The futility of Ad-Blockers

Ads are filling the entirety of the Web -- websites, podcasts, YouTube videos, etc. -- at an increasing rate. Prices for those ad placements are plummeting. Consumers are desperate to use ad-blockers to make the web palatable. Google (and others) are desperate to break and block ad-blockers. All of which results in... more ads and lower pay for creators.

It's a fascinatingly annoying cycle. And there's only one viable way out of it.

Looking for the Podcast RSS feed or other links? Check here:
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

The futility of Ad-Blockers
November 21, 2023
openSUSE says "No Lunduke allowed!"

Those in power with openSUSE make it clear they will not allow me anywhere near anything related to the openSUSE project. Ever. For any reason.

Well, that settles that, then! Guess I won't be contributing to openSUSE! 🤣

Looking for the Podcast RSS feed or other links?
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

openSUSE says "No Lunduke allowed!"
September 13, 2023
"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

This episode is free for all to enjoy and share.

Be sure to subscribe here at Lunduke.Locals.com to get all shows & articles (including interviews with other amazing nerds).

"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044
post photo preview

News fast update!

Last weekend, on what was pretty much a dare, I decided to not look at any "news" for the week. I signed out of all social media, except for FB and Discord. I'm in a couple motorcycle groups on FB that revolve around the Mid-Atlantic Backcountry Discovery Route. I just looked at that, and didn't even load up the main feed. Discord just for chat, though I even kept that to a minimum. I didn't click through anything that even remotely looked like news. I didn't go to Slashdot or CNN or Fox or the orange site, any of it. I skipped the current affairs people I follow on Youtube.

I didn't watch or read any of Bryan's new stuff. Heck, the only time I even signed into Locals was when I accidentally fired up the Android app, which I promptly closed. (I was trying to open my banking app and it's right beside Locals.)

In other words, I currently don't have a clue about anything. I see there's a new Q&A. I'ma go watch it now.

Going forward, I think a lot of what I...

A few days back @Lunduke shared a screenshot of his Mac desktop. While desktop customization is really limited on macOS, I've found if you get creative, you can make it a pretty unique looking system despite Apple's best efforts. I submit to court, exhibits A, B, and C. The wallpaper is from Unsplash. The browser is Brave with a theme from the Chrome Web Store. My preferred theme (Halo - Ghosts of Reach) wouldn't install because Microsoft did something to make it only work on Edge 🙄, but I thought this one was pretty slick too. The terminal emulator in the photo is the built in macOS Terminal with the Silver Aerogel profile and the text color changed to white. The other browser photo is LibreWolf with Purple Prism theme from the Firefox Addons site. This one is closer to the Ghosts of Reach theme, and I prefer it to the one I'm using on Brave. Anyway, I just figured I'd show that you can actually make a pretty unique looking desktop on a Mac. It's not perfect, but it's ...

post photo preview
Last week at The Lunduke Journal (May 19 - May 25, 2024)
Open Source! The Future of Computing! The End of the Internet! Yowza, what a week!

We tackled some pretty big topics last week!  The nature of "The Open Source Community", the future of computing (according to "the powers that be"), and the... end of the Internet?  Yikes.  Intense stuff!

Luckily, we ended the week with various nerdy goofiness.  You know.  To cleanse the palate.

Oh!  Have I thanked all of The Lunduke Journal subscribers yet today?  No?  Well, gosh darn it, I should!  You amazing nerds make all of this possible.

The Videos

The Articles

Previous Few Weeks

And, would you look at that?  A new week is about to begin!  If the past is a good indictor of the future... better buckle up, Buttercup!  This next week is gonna be a fun ride!

Read full Article
post photo preview
Instantly Become an Elite Movie Hacker
(with 3 simple tools)

Feeling lazy?  Want anyone who happens to walk past your computer screen to think you are incredibly busy writing — or compiling — a mountain of code?

Filming a movie about a squad of elite hackers and need the computer screens to... you know... look the part?

Or, heck, are you just a bit bored and want to make your computer do something funky looking?

Whichever situation you find yourself in, here are three different tools that will make your computer appear like it is hard at work doing some seriously elite hacking and coding.

1 - Genact

Genact is described as a “nonsense activity generator”. And boy does it do its job well.

Pretend to be busy or waiting for your computer when you should actually be doing real work! Impress people with your insane multitasking skills. Just open a few instances of Genact and watch the show. Genact has multiple scenes that pretend to be doing something exciting or useful when in reality nothing is happening at all.

Runs on Linux, Windows, and Mac… and creates screens like this:

Compiling!

 

Memory Dumping!

 

Download-inating!

Genact has a whole boatload of different modules to help you pretend to do a bunch of different things: Mining crypto, handling docker images, compiling kernels, viewing logs… it’s all here.

2 - Hollywood

Hollywood is a Linux-only option, and it looks oh-so-cool. It runs in a terminal, and opens up a whole bunch of different applications (mostly real performance and network monitoring tools) each of which displays constantly updating bits of information.

The whole point is to make your computer look super busy… and super hacker-y. Just like in a movie.

In fact, Hollywood looks so good that it’s been used in multiple TV shows.

For example, here it is in a segment for NBC Nightly News:

So much elite hacker-y-ness!

Yeah. The news. A fake “make your computer look like it’s hacking something” application. On the news. If that’s not a great representation of the sorry state of TV News, I don’t know what is.

Just for the sake of completeness… here’s a shot of two investigators -- from that news report -- pointing to the random, gibberish output of Hollywood… and pretending like it’s super fascinating, real data that is somehow relevant to the news segment.

"Hmm.  Yes.  My elite hacker brain is thinking about this very real hacker stuff on this computer screen.  Look!  Right there!  Hacker stuff!"

That is, I kid you not, absolutely real.  This was on the news.

And here’s Hollywood in a sketch on Saturday Night Live:

"Don't interrupt me!  Can't you see I'm hacking!"

Seriously.  Hollywood is tons of fun to play with.  Even if you're not filming a news report.

3 - HackerTyper.net

HackerTyper.net is a bit different than the other ones.

Here’s how it works:

  1. Open up HackerTyper.net.

  2. Start hitting keys on the keyboard. Any keys at all. Doesn’t matter.

  3. Perfectly formatted C code appears on the screen!

Alloc's and Struct's and Int's!  Huzzah!

Now you can write code just like actors in the movies! Just sit back and pound away at your keyboard -- like a deranged, drunken monkey -- with complete disregard for what keys you’re actually pressing!

Whichever of these three options you choose -- HackerTyper, Hollywood, or Genact -- you are now fully equiped to become the most elitest of elite movie hackers.  (You're even ready to be on the evening news.)

Read full Article
post photo preview
Funny Programming Pictures Part XLI
That's, like, 41 in normal, non-fancy numbers.

Behold!  Pictures... from... the Internet!

 

Dangit, Bilbo!  Knock it off!

 

I would... still apply the .gitignore rules.  ... right?  I think?

 

HTTP jokes are all the rage these days.

 

According to every PM and Scrum Master I've ever worked with, this is true.

 

False.  Five months.

 

The Amazon Shareholders would like to thank you for your contribution.

 

It's totally normal for the value of a currency to fluxuate by 10% every day.  At random.  Wink wink.

 

You think a measly garage door is going to stop Flanders from asking you about LLM's?

 

Ok.  This one's not about programming or computers.  But.  You know.  Think about it.

 

This comic is highly misleading.  In real life, the "issues" bag is roughly twice the size.  Also the corporation stole the tree.

 

Can't argue with that.

 

He he.  Still one of my favorites.

 

I should make a rule about this within The Lunduke Journal.  Anyone who mentions "AI" has to drop a quarter in the tip jar.  I'd be rich!  Rich, I say!

 

Dagnabbit.

 

I'm not saying Infrastructure guys are pansies nowadays.  But they're pansies nowadays.

 

Yup.

 

It takes screenshots of your mouth.

 

You see... because they have small brains.
Read full Article
See More
Available on mobile and TV devices
google store google store app store app store
google store google store app tv store app tv store amazon store amazon store roku store roku store
Powered by Locals