Lunduke
News • Science & Tech
"If this one guy got hit by a bus, the world's software would fall apart."
(Funny? Yes. But the reality is far worse...)
April 04, 2024
post photo preview
  • How many critical software packages are maintained by a small, unpaid team (or, worse, a single person)?
  • What happens when that person gets bored with the project... or decides to do something malicious (as in the case with a recent backdoor in the XZ compression tool)... or... gets hit by a bus?

These are not only fair questions to ask... but critical as well.

The reality is that we're not simply talking about a handful of key software packages here -- the entirety of our modern computing infrastructure is built on top of thousands of projects (from software packages to online services) that are built, maintained, and run entirely by one person (or, when we're lucky, 2 or 3 people).

One wrong move and the Jenga tower that is modern computing comes crashing down.

Source: xkcd

Just to give you an idea of how widespread -- and dire -- this situation truly is, I would like to call your attention to two projects that most people don't even think about... but that are critical to nearly every computer system in use today.

The TZ Database

Dealing with Timezones in software can be tricky.  Many rules, many time zone details.  As luck would have it, a standard database (TZ Database) was built to make it easier for software projects to get those details right.

And, every time those timezone details (across the world) are changed -- something which can happen several times per year, often with only a few days notice -- that database needs to be updated.

What happens if those details are not updated... if the timezone data is incorrect?

At best?  A few minor scheduling inconveniences.  At worst?  Absolute mayhem... computer-wise.  Times can become significantly out of sync between systems.  Which can mess up not only scheduling (an obvious issue), but security features as well (as some encryption tools require closely synced time).

To give you an idea of how widespread the TZ Database is, here is just a teeny tiny fraction of the number of software projects which rely upon it:

  • Every BSD system: FreeBSD, OpenBSD, Solaris
  • macOS & iOS
  • Linux
  • Android
  • Java, PHP, Perl, Ruby, Python, GCC, Javascript
  • PostrgreSQL, MongoDB, SQL Server

Yeah.  It's basically a list of "all software".  And that's just a sample of the software which heavily relies on the TZ Database for making sure timing (and everything that is time-critical) is correct.

Now.  With something this absolutely critical, surely a highly paid team of people -- from multiple companies -- is responsible for keeping it updated... right?

Oh, heavens, no.

Two people.  Two!

While the database itself has been officially published on ICANN (the "Internet Corporation for Assigned Names and Numbers") servers for the last few years, only 2 people actually maintain the TZ Database.

SQLite

Did you know that SQLite is the most used database system in the entire world?  More than MySQL, MS SQL Server, and all the rest of them.  Good odds, SQLite is used on more systems than all other database systems in the world... combined.

In fact, SQLite is a critial component in the following systems:

  • Android, iOS, macOS, & Windows
  • Firefox, Chrome, & Safari
  • Most set top boxes and smart TVs
  • An absolutely crazy number of individual software packages (from Dropbox to iTunes)

Now, ready for the fact you knew was coming?

SQLite is maintained by... 3 guys.

Not "3 lead developers who oversee an army of open source contributors"... just 3 guys.  Total.  And they don't accept public patches or fixes.

"SQLite is open-source, meaning that you can make as many copies of it as you want and do whatever you want with those copies, without limitation. But SQLite is not open-contribution."

A piece of software that is practically the cornerstone of modern computing.  Trillions of dollars worth of systems relying upon it -- every second of every day.  3 guys.

Corporations rest on the shoulders of... a couple volunteers

Add those two projects together.  5 guys, in total, are responsible for Timezones and SQLite databases.  Software and data used on practically every computer on the planet.

And that's just the tip of the iceberg.  Critical projects -- often with small teams of (more often than not) unpaid voluneers -- form the core of the vast majority of major software projects.  Including commercial ones.

ImagemagickXZFFmpeg?

You'll find those at the heart of more systems than you can count.  Good odds you use all three, every day, and don't even notice it.

And, as the small team behind FFmpeg pointed out in a recent X post, getting those large corporations to contribute -- in any meaningful way -- can be like pulling teeth:

The xz fiasco has shown how a dependence on unpaid volunteers can cause major problems. Trillion dollar corporations expect free and urgent support from volunteers.

 

Microsoft / Microsoft Teams posted on a bug tracker full of volunteers that their issue is "high priority"

 

 

After politely requesting a support contract from Microsoft for long term maintenance, they offered a one-time payment of a few thousand dollars instead.

 

This is unacceptable. 

 

We didn't make it up, this is what Microsoft actually did:
https://trac.ffmpeg.org/ticket/10341#comment:4

 

The lesson from the xz fiasco is that investments in maintenance and sustainability are unsexy and probably won't get a middle manager their promotion but pay off a thousandfold over many years.

 

But try selling that to a bean counter

In short: Microsoft wanted to benefit from the (free) work done by FFmpeg... but was only willing -- at most -- to toss a few peanuts at the team.  And, even then, that (mildly insulting) offer of meager support was only done when Microsoft needed assistance.

A few parting thoughts...

There are valuable lessons to be learned from all of this -- including the need for real, meaningful support (by large corporations) of the projects they rely so heavily upon.

But, for now, I'd like to leave you with a few observations.

  1. Corporations don't hesitate to throw large sums of money at Tech Trade Organizations (such as The Linux Foundation -- which brings in hundreds of Millions every year from companies like Microsoft)... yet they are hesitant to provide significant funding to projects they rely directly upon to ship their own, often highly profitable, products (see the projects listed earlier in this article).
  2. How many of these smaller projects -- which Linux desktops and servers rely entirely upon -- receive regular funding from The Linux Foundation (or companies which fund The Linux Foundation)?  I'll answer that question for you: Next to none.
  3. Even high profile Open Source projects -- such as KDE or GNOME -- struggle to bring in enough funding to afford two full time developers on payroll.
  4. We have avoided catastrophe, thus far, through dumb luck.  The recent XZ backdoor, for example, was found by a lone developer who happened to notice a half second slowdown... and happened to have the time (and interest... and experience) to investigate further.  The odds of that being discovered before significant harm was done... whew!... slim.  So much dumb luck.

Go take a look at that XKCD comic at the begining of this article again.  Funny right?  And it makes a solid point.

You know what's terrifying, though?  The reality is far more precarious. 

There's not simply one project -- by one guy -- holding all of modern computing up.

There's thousands of projects.  Each made by one guy.  And hundreds of those projects (at least) are load-bearing.

Dumb luck only lasts for so long.

community logo
Join the Lunduke Community
To read more articles like this, sign up and join my community today
18
What else you may like…
Videos
Podcasts
Posts
Articles
4Chan and Kiwi Farms File Lawsuit Against UK

It is both an important legal case... and a brilliant trolling of the British government.

The article:
https://lunduke.substack.com/p/4chan-and-kiwi-farms-file-lawsuit

More from The Lunduke Journal:
https://lunduke.com/

00:21:00
Microsoft Fires "Intifada" Employees

This last week, a group of anti-Jewish Microsoft employees got rowdy. Microsoft fired some of them and sent The Lunduke Journal a statement. Then held a media briefing. Let's watch it together.

More from The Lunduke Journal:
https://lunduke.com/

00:27:39
Video of "Worker Intifada" Occupying Microsoft President's Office

Last week the Microsoft "Worker Intifada" ransacked a farmers market and chanted "Go away, Jews!" Today they got arrested in Microsoft's President's office. We have the video.

The Brad Smith office "occupation" video clips:
https://x.com/LundukeJournal/status/1960502030692229479

More from The Lunduke Journal:
https://lunduke.com/

00:19:50
November 22, 2023
The futility of Ad-Blockers

Ads are filling the entirety of the Web -- websites, podcasts, YouTube videos, etc. -- at an increasing rate. Prices for those ad placements are plummeting. Consumers are desperate to use ad-blockers to make the web palatable. Google (and others) are desperate to break and block ad-blockers. All of which results in... more ads and lower pay for creators.

It's a fascinatingly annoying cycle. And there's only one viable way out of it.

Looking for the Podcast RSS feed or other links? Check here:
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

The futility of Ad-Blockers
November 21, 2023
openSUSE says "No Lunduke allowed!"

Those in power with openSUSE make it clear they will not allow me anywhere near anything related to the openSUSE project. Ever. For any reason.

Well, that settles that, then! Guess I won't be contributing to openSUSE! 🤣

Looking for the Podcast RSS feed or other links?
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

openSUSE says "No Lunduke allowed!"
September 13, 2023
"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

This episode is free for all to enjoy and share.

Be sure to subscribe here at Lunduke.Locals.com to get all shows & articles (including interviews with other amazing nerds).

"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

🌈 💥 I suppose that I would spend my time with "Tropico", or the first two "Fallout" games, or entertain myself with "Day of the Tentacle."

😸 I actually felt a little better, "Doom Scrolling" the post.

post photo preview

Reinstalling OSX on my old PPC Mac Mini. It verifies the install CD whether you like it or not. I can't stand that kind of thing. “Oh now, it's for your own good, you know”. My own good is “not having to sit around for half an hour waiting for verification of a disc that I already know is good and don't actually care if it isn't anyway because it's a 20-year-old OS on a 20-year-old machine and I'm only doing this because I messed up a Linux install and actually want to check that the hard disk will still boot an OS”.

Grr.

19 hours ago
post photo preview
Android to Require Developer ID Checks
Want to publish Android software? You'll need to let Google verify your identity. Plus: Google commits to supporting Sideloading and Third Party App Stores.

Google has announced that they will be requiring all Android Apps — including “sideloaded” apps installed outside of the Google Play Store — to undergo developer identity verification.

Android Developer ID Check

“Starting next year, Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices,” says Google. “Think of it like an ID check at the airport, which confirms a traveler's identity but is separate from the security screening of their bags; we will be confirming who the developer is, not reviewing the content of their app or where it came from.”

 

These requirements will go into full effect in September of 2026 (one year from now), but only for developers in four countries: Brazil, Indonesia, Singapore, and Thailand.

Countries which, according to Google, suffer from “fraudulent app scams, often from repeat perpetrators”.

The idea seems simple enough: If a developer is known to make Android malware, Google will have the ability to block their software from being installed. Thus preventing the spread of Malware.

We will see how well this system works, in practice, next year.

 

It also remains to be seen when this “Google App Developer Identity Verification” requirement will be enforced in other countries (such as the USA). For the moment, Google is simply saying “2027 and beyond”… so there’s still time left for this policy to be modified.

As part of the process, Google is launching a new “Android Developer Console”, specifically for developers to verify their identity and register their applications.

The Practical Impact

What does this new “ID verification” for Android Devs mean… in the real world?

Once this change is worldwide:

  • A developer must be “verified” before their software can be installed via any mechanism — including Sideloaded Apps, and alternative App Stores (such as F-Droid).

  • Developing and publishing Android software, in an anonymous fashion, will no longer be supported.

Google is also, it appears, committing to continuing to allow “sideloading” and third party App Stores for the foreseeable future.

In other words: If a user wants to sideload software, or use F-Droid, Google will allow that. But Google is going to know the real-world identity of the developer / publisher of any software that gets installed.

The War on Sideloading, Revised

Google and Apple have been at war with the concept of “sideloading” (aka “Installing software the normal way”) for several years now. With both companies adding new features to their systems which allow them to block the ability of users to install “non-approved” software.

 

In that context, this particular announcement from Google is a bit of a double edged sword.

From Google’s announcement:

“To be clear, developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer. We believe this is how an open system should work—by preserving choice while enhancing security for everyone.”

On the one hand, requiring ID verification for developers is clearly a big step towards increased control over what software is installable on the systems we own.

On the other hand, Google is making it clear they intend to support sideloading & third party App Stores into the future.

Something they have been hesitant about in the past.

Read full Article
post photo preview
All Lunduke Journal Videos Now Free for Everyone
All Articles. All Audio Podcasts. And, yes, all Videos from The Lunduke Journal. Free. For subscribers and non-subscribers alike. On all publishing platforms.

The Short-Short Version: Articles, Podcasts, and Videos — from The Lunduke Journal — are now, once again, free for absolutely everyone. Subscribers and non-Subscribers alike. On all publishing platforms.

The Slightly Less Short Version

A little over two weeks ago, The Lunduke Journal implemented a change. All of the Articles & Audio Podcasts would remain free for everyone… but the Videos would now be published as subscriber exclusives. Non-subscribers would no longer have access to videos.

This was what is known as a “Huge Mistake Made by a Total Bonehead”.

 

While the motivation for that change was well intentioned (to provide some perks for all of the amazing subscribers who make The Lunduke Journal possible, and maybe encourage some new subscribers in the process)… in practice it was an absolute disaster.

The key problem with making all of the videos “Subscriber Exclusives” was, in hindsight, incredibly obvious:

Many people will subscribe to The Lunduke Journal on one platform… but prefer to watch (or read… or listen) to The Lunduke Journal on a completely different platform.

For example: Someone who subscribes on Locals may watch the videos on YouTube. Another person who subscribes on Substack may watch on Rumble. And so on.

And, by making those videos “Subscriber Only”, it made watching The Lunduke Journal’s videos significantly more difficult for… Subscribers. The very people it was supposed to be a perk for.

Whoopsie Daisy

Well. Shoot. I’m man enough to admit when I’ve made a mistake. And, boy howdy, was that a mistake!

 

Effective immediately, Videos are now officially free for everyone (just like the Articles & Podcasts). On all platforms which The Lunduke Journal publishes to. Because making sure reading, listening to, and watching The Lunduke Journal is convenient for all of you is a top priority.

Over the next day, all of the “Subscriber Exclusive” videos (published over the last 2 weeks) will become free for everyone.

Running The Lunduke Journal is Not Easy

Just as an aside: What we’re doing with The Lunduke Journal is… unique.

Pretty much every Tech Journalist is funded by Big Tech. Money for advertisements. Money for sponsorships. Money for “paid articles” that look like real journalism but are, in fact, just repackaged ads and press releases.

Take away that Big Tech money and 9 out of 10 Tech News outlets would go out of business tomorrow. Which means they all need to keep Big Tech happy. And that shows in their coverage (and their refusal to touch many important news stories).

By choosing to not take a single penny from Big Tech, The Lunduke Journal has the freedom to tell the truth. To follow the Tech News stories wherever they lead (no matter who it makes grumpy).

But it also means that keeping The Lunduke Journal in business is even trickier than it is for all of those Brand X Tech News Outlets (which already have a hard time staying afloat, even with the Big Tech moolah).

What’s amazing… is that we, against all odds, have pulled it off. For several years now, The Lunduke Journal has stayed in business without taking a dime from Big Tech. And that’s all thanks to all of you. Thank you for making this possible.

If you haven’t grabbed a subscription, just a reminder that now is a great time to do that. 50% off through the end of August (which is a few days from now).

Want to support The Lunduke Journal having all videos (and everything else) for free for the world? That would be a great way to do it.

Once again. Seriously.

Thank you.

-Lunduke

Read full Article
post photo preview
Omarchy 2.0 - The Arch-Based, Hyprland, Non-Woke Distro
The 2.0 release of the unabashedly nerdy, developer focused, & DEI-free Linux distribution is here. And people are flocking to it.

Omarchy, an Arch-based Linux distribution which self-describes as “An opinionated Arch + Hyprland Setup”, has just published their 2.0 release.

 

Omarchy was started by David Heinemeier Hansson (DHH), the creator of Ruby on Rails, as a command-line and developer focused (and unabashedly nerdy) configuration of Arch Linux.

In the short time since it began (back in June), Omarchy has captured a massive amount of interest and has grown to become a full-fledged distribution in its own right.

Omarchy 2.0 boasts a new ISO installation method, AUR-free installation, a Chrome micro-fork with live theme switching, a Starship prompt, a new icon, and 400 other changes (from 45 contributors).

 

According to DHH, the Omarchy Discord now has over 6,000 members with the website having received over 100,000 unique visitors in the last month.

Not too shabby for a Linux distribution that is only 2 months old.

Speaking of Discord, if the Omarchy installation fails, it displays a QR code with an invite link to the Omarchy support channel. I thought that was a rather nice touch.

 

Worth noting that Omarchy — and the Hyprland window manager, which Omarchy uses by default — both were added to “Lunduke’s Non-Woke Software List” this month.

 

Omarchy is yet another Open Source project which has steered clear of Woke & DEI politics… and has seen tremendous success and adoption. We have seen that same scenario play out repeatedly now, with projects like OpenMandriva, XLibre, Hyprland, & Brave.

Avoid DEI. Experience a flood of users, contributors, and excitement.

A pattern is emerging. Hopefully more projects learn this important lesson.


The Lunduke Journal is the last bastion of truly independent Tech Journalism. Ad Free, Big Tech Free, Non-Woke, & Audience Supported.

Read full Article
See More
Available on mobile and TV devices
google store google store app store app store
google store google store app tv store app tv store amazon store amazon store roku store roku store
Powered by Locals