From lloy0076 at adam.com.au Fri Mar 1 00:42:35 2024
From: lloy0076 at adam.com.au (David Lloyd)
Date: Thu, 29 Feb 2024 08:42:35 -0500
Subject: [Linux-aus] cancelling membership of Linux Australia
In-Reply-To:
References: <3084842.ktpJ11cQ8Q@xev>
Message-ID: <93e4c8ae-1702-4375-ad58-4ced4cdad378@adam.com.au>

The relevant parties know how to unsubscribe or leave the organisation; I
suggest this image explains what is up:

All That Is Solid ...: On Flouncing Labour MPs

It seems that "to flounce" (which can mean "to move with exaggerated motions
expressive of displeasure or impatience") has been adopted by the Internet
denizens as describing people who insist on angrily announcing that they're
leaving.

On the other hand, staying around and *whinging* is _not_ leaving, _nor_ is
it cancelling membership.

"Cancelling membership whilst not cancelling membership" has another common
description:

"Having one's cake and eating it too."

:)

On 2/29/2024 4:37 AM, David Lay via linux-aus wrote:
> To unsubscribe from this list, send a blank email to
> linux-aus-unsubscribe at lists.linux.org.au
> ------------------------------------------------------------------------
> *From:* linux-aus on behalf of
> Russell Coker via linux-aus
> *Sent:* Thursday, 29 February 2024 7:00 AM
> *To:* linux-aus at lists.linux.org.au
> *Subject:* Re: [Linux-aus] cancelling membership of Linux Australia
> On Thursday, 29 February 2024 12:18:37 AEDT Dwight Walker via
> linux-aus wrote:
> > There is no way on linux.org.au to cancel membership apart from emailing
> > council at linux.org.au or waiting till it expires far into the future.
>
> Why is this a problem? They don't bill you for it.
>
> --
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
>
> _______________________________________________
> linux-aus mailing list
> linux-aus at lists.linux.org.au
> http://lists.linux.org.au/mailman/listinfo/linux-aus
>
> To unsubscribe from this list, send a blank email to
> linux-aus-unsubscribe at lists.linux.org.au

From brian at linuxpenguins.xyz Fri Mar 1 09:42:08 2024
From: brian at linuxpenguins.xyz (Brian May)
Date: Fri, 01 Mar 2024 09:42:08 +1100
Subject: [Linux-aus] cancelling membership of Linux Australia; NLA losing bookmarks when they migrated to FOLIO
In-Reply-To:
References: <3084842.ktpJ11cQ8Q@xev>
Message-ID: <87zfvisxj3.fsf@linuxpenguins.xyz>

Dwight Walker via linux-aus writes:

> I complained to NLA if it was open source library software they could have
> emailed CSV of bookmarks to each user using SQL query like in Koha open
> source library software can do but they wouldn't or didn't know how and
> everyone now had to just start with no bookmarks again and dredge them up
> again somehow or find others or the same ones again by search in the time
> ahead.

In addition to the excellent advice from Kathy Reid, I would say you need
to be very clear on (a) just what is it you are complaining about and (b)
what would the other party need to do to rectify the situation.

Point (a) it is not clear if your complaint is that NLA lost your
bookmarks, if your complaint is they were not using open source software
in the past, or if your main complaint is that they didn't pick your
preferred choice of software. Yes, maybe one thing led to the other, but
important to try to stick to the one point. It can get very confusing
otherwise, and could for example lead to NLA becoming very defensive about
their choice of software which may just be a distraction from dealing with
your actual complaint.

Point (b) What would NLA need to rectify the complaint? If they had
backups, would sending you an export of your bookmarks be sufficient? If
they don't have usable backups, would an apology be sufficient? etc.

It is easy to discount (b) as obvious, but often it is far from obvious
for the other party.

And assume good faith.
Mistakes can happen, even with open source software :-)

--
Brian May @ Linux Penguins

From kathy at kathyreid.id.au Mon Mar 11 11:39:38 2024
From: kathy at kathyreid.id.au (Kathy Reid)
Date: Mon, 11 Mar 2024 11:39:38 +1100
Subject: [Linux-aus] Eureka Prize for Excellence in Research Software
Message-ID: <6bd45565-e99d-462d-940a-ba9e0072bd9c@kathyreid.id.au>

May be of interest to this list

https://australian.museum/blog/science/excellence-in-research-software/

Kind regards,
Kathy

From contact at everythingopen.au Wed Mar 27 23:11:02 2024
From: contact at everythingopen.au (Everything Open)
Date: Wed, 27 Mar 2024 22:11:02 +1000
Subject: [Linux-aus] Everything Open 2024 - 20 Days to go.... here's a quick (long) update!
Message-ID: <590f50408919a22e769717275b71ebd0@everythingopen.au>

Hello Everyone!

The conference is getting very close. Evil Steve reminds me each day of how
many days to go and today there's 20 days to go! As they say, we are
approaching the pointy end.

Here is a summary of what has happened so far getting ready for the
Everything Open 2024 in Gladstone.

### Oops

We just realised an email was sent implying that lunch was catered. This is
not the case. Plenty of food vendors are nearby.

## SWAG!

We officially have 20 days left. Have you bought your tickets yet? While you
are at it we have Swag available for purchase via Redbubble at:
https://www.redbubble.com/shop/ap/158192555

We have everything from mouse pads, to hats, to blankets, to t-shirts, to
hoodies, and duvet/doona covers for sale. Someone pretty please buy the
throw blanket! (it looks so soft)

## Tickets

Tickets are still available and will be until the last day of the
conference. But don't leave it until the last minute because you're running
out of time.

## Online

We're acutely aware of the cost of living crisis in Australia currently, and
that going to Everything Open is a large financial outlay with accommodation
and flights, even if our tickets are reasonably priced due to our generous
Sponsors and dedicated volunteer organisers.

So, we're delighted to announce that we will be providing an Online Only
option for those who wish to stream talks live during the conference. The
ticket price of just $79 reflects the additional costs of providing a hybrid
option for the three days of the conference, but we hope it makes Everything
Open more affordable for more people.

Ticket prices are available at: https://2024.everythingopen.au/attend/tickets/
and connectivity details will be provided closer to the event.

## Buses

Although there are many ways to get to Gladstone for Everything Open 2024,
we heard from many potential Delegates that airfares between Brisbane (BNE)
and Gladstone (GLT) were cost prohibitive, dampening enthusiasm to attend
#EverythingOpen 2024.

While we can't spin up a competing airline (Penguin Air, anyone?), we can
put on a bus from Brisbane to Gladstone, and return from Gladstone to
Brisbane, to get you to and from the conference.

We are providing these buses for $40 each way. You can buy your bus ticket
on the website with your conference tickets at
https://2024.everythingopen.au/dashboard/

## Accommodation

Did you know that there are several accommodation options within 100 metres
of the conference venue? The venue is right in the middle of the CBD with
lots of eateries nearby. Check out
https://2024.everythingopen.au/attend/travel-accommodation/#accommodation

## Stay a while

Did you know APNIC are running tutorials at the venue before and after the
conference?
Check out:

* Monday 15th - RPKI Routing Security Workshop
  https://academy.apnic.net/events?id=a0BOc000000IwVNMA0
* Friday 19th - Introduction to IPv6 Tutorial
  https://academy.apnic.net/events?id=a0BOc000000IyddMAC

Gladstone and the district has much to offer if you choose to stay longer.

## Keynotes

We have announced 3 amazing keynotes:

Professor Aaron Quigley from CSIRO's Data61
Jana Dekanovska from CrowdStrike
Geoff Huston from Asia Pacific Network Information Centre (APNIC)

Our fabulous locknote will be presented by Rae Johnston. Rae was the first
Science & Technology Editor for NITV at SBS. A multi-award-winning
journalist and broadcaster, she has a passion for the geekier side of life.

## Sessions

We have some incredible speakers joining us. The conference schedule is now
up on https://2024.everythingopen.au/schedule/. I'm sure there is plenty to
whet your appetite.

Session A/V streaming will be available after the conference but you may buy
a live streaming ticket. Keep an eye out for tickets for this.

## Sponsors

A HUGE shout out goes to our sponsors. Our current sponsors are:

King Penguin:
* Google (https://opensource.google/)
* ARM (https://www.arm.com)
* OpenSI (https://www.opensi.net/)

Royal Penguin:
* Red Hat (https://www.redhat.com/en/about)

And a special thanks goes to:
* The Sizzle (have you subscribed yet? You should!
  Here's the link: https://thesizzle.com.au/),
* O'Reilly (https://www.oreilly.com/)
* CAVAL LTD (https://www.caval.edu.au)

and our auspicing organisation Linux Australia (https://linux.org.au/)

More information will be coming out VERY SOON so keep an eye out on our
various platforms:

* Mastodon: @EverythingOpen at fosstodon.org, hashtag #EverythingOpen
* Twitter: @_everythingopen, hashtag #EverythingOpen
* LinkedIn: Everything Open (https://www.linkedin.com/showcase/everythingopen/)
* Facebook: Everything Open (https://www.facebook.com/EverythingOpenConference/)
* Announce mailing list: Everything Open Announce (https://lists.linux.org.au/mailman/listinfo/eo-announce)

Looking forward to seeing you there!

Sae Ra Germaine

From russell at coker.com.au Sat Mar 30 17:45:21 2024
From: russell at coker.com.au (Russell Coker)
Date: Sat, 30 Mar 2024 17:45:21 +1100
Subject: [Linux-aus] FOSS phone development in Melbourne
Message-ID: <1792742.VLH7GnMWUR@cupcakke>

Yifei and I sometimes meet up in Melbourne to work on phone stuff and other
FOSS things. If anyone is interested in joining us then please let me know
off-list.

I have a selection of phone hardware running Debian that can be used to test
phone apps, so if you want to try stuff out but don't own the hardware then
you can use my devices.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

From anibal at debian.org Sat Mar 30 19:47:23 2024
From: anibal at debian.org (Aníbal Monsalve Salazar)
Date: Sat, 30 Mar 2024 19:47:23 +1100
Subject: [Linux-aus] [SECURITY] [DSA 5649-1] xz-utils security update
Message-ID:

At

https://lists.debian.org/debian-security-announce/2024/msg00057.html

it reads

  Users running Debian testing and unstable are urged to update the
  xz-utils packages.

From anibal at debian.org Sat Mar 30 20:06:29 2024
From: anibal at debian.org (Aníbal Monsalve Salazar)
Date: Sat, 30 Mar 2024 20:06:29 +1100
Subject: [Linux-aus] [SECURITY] [DSA 5649-1] xz-utils security update
In-Reply-To:
References:
Message-ID:

On Sat, 2024-03-30 19:47:23 +1100, Aníbal Monsalve Salazar wrote:
> At
>
> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>
> it reads
>
>   Users running Debian testing and unstable are urged to update the
>   xz-utils packages.

This is very urgent.

Debian version 5.6.1+really5.4.5-1 is now available at

http://mirror.aarnet.edu.au/debian/pool/main/x/xz-utils/liblzma-dev_5.6.1+really5.4.5-1_amd64.deb
http://mirror.aarnet.edu.au/debian/pool/main/x/xz-utils/liblzma5_5.6.1+really5.4.5-1_amd64.deb
http://mirror.aarnet.edu.au/debian/pool/main/x/xz-utils/xz-utils_5.6.1+really5.4.5-1_amd64.deb
http://mirror.aarnet.edu.au/debian/pool/main/x/xz-utils/xzdec_5.6.1+really5.4.5-1_amd64.deb

From anibal at debian.org Sat Mar 30 20:51:52 2024
From: anibal at debian.org (Aníbal Monsalve Salazar)
Date: Sat, 30 Mar 2024 20:51:52 +1100
Subject: [Linux-aus] How could we get society to adequately fund free software developers
In-Reply-To: <2629DB93-AC76-488E-A894-B59B15862522@2023.bluespice.org>
References: <2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net> <61e2abfa-b041-4f8d-af9b-a7183cc653e1@gmail.com> <87wmpkgrma.fsf@hope.eyrie.org> <2629DB93-AC76-488E-A894-B59B15862522@2023.bluespice.org>
Message-ID:

On Sat, 2024-03-30 09:58:22 +0100, Ingo Jürgensmann wrote:
> On 30.03.2024 at 08:56, Lucas Nussbaum wrote:
>
>> Yes. In that specific case, the original xz maintainer (Lasse Collin)
>> was socially-pressed by a likely fake person (Jigar Kumar) to do the
>> "right thing" and hand over maintenance.
>> https://www.mail-archive.com/xz-devel at tukaani.org/msg00566.html
>
> In his reply to that mail Lasse writes in
> https://www.mail-archive.com/xz-devel at tukaani.org/msg00567.html:
>
>> It's also good to keep in mind that this is an unpaid hobby project.
>
> This reminds me of https://xkcd.com/2347/ - and I think that's getting
> a more common threat vector for FLOSS: pick up some random lib that is
> widely used, insert some malicious code and have fun. Then also
> imagine stuff that automates builds in other ways like docker
> containers, Ruby, Rust, pip that pull stuff from the network and
> installs it without further checks.
>
> I hope (and am confident) that Debian as a project will react
> accordingly to prevent this happening again.
>
> But as a society (that is widely using FLOSS) I would also hope that
> our developers will get proper funding instead of requiring them to
> maintain such software in their spare time.

The original thread is at:

https://lists.debian.org/debian-devel/2024/03/msg00340.html

How could we get society to adequately fund free software developers to
avoid this type of security threat?

At this time, the consequences of this injection of malicious code into
xz-utils are not yet known with certainty.

From andrew at etc.gen.nz Sat Mar 30 20:55:30 2024
From: andrew at etc.gen.nz (Andrew Ruthven)
Date: Sat, 30 Mar 2024 22:55:30 +1300
Subject: [Linux-aus] [SECURITY] [DSA 5649-1] xz-utils security update
In-Reply-To:
References:
Message-ID: <6709cb84db7adce07f72433d5b91991a494d7904.camel@etc.gen.nz>

Hey folks,

Not just Debian. If you run Fedora 41 (not released yet) or Fedora Rawhide,
please see: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

On Sat, 2024-03-30 at 19:47 +1100, Aníbal Monsalve Salazar via linux-aus wrote:
> At
>
> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>
> it reads
>
>   Users running Debian testing and unstable are urged to update the
>   xz-utils packages.

--
Andrew Ruthven, Wellington, New Zealand
andrew at etc.gen.nz         |
Catalyst Cloud:            | This space intentionally left blank
https://catalystcloud.nz   |

From brian at linuxpenguins.xyz Sun Mar 31 09:40:59 2024
From: brian at linuxpenguins.xyz (Brian May)
Date: Sun, 31 Mar 2024 09:40:59 +1100
Subject: [Linux-aus] How could we get society to adequately fund free software developers
In-Reply-To:
References: <2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net> <61e2abfa-b041-4f8d-af9b-a7183cc653e1@gmail.com> <87wmpkgrma.fsf@hope.eyrie.org> <2629DB93-AC76-488E-A894-B59B15862522@2023.bluespice.org>
Message-ID: <87il138hs4.fsf@linuxpenguins.xyz>

Aníbal Monsalve Salazar via luv-main writes:

> How could we get society to adequately fund free software developers to
> avoid this type of security threat?
>
> At this time, the consequences of this injection of malicious code into
> xz-utils are not yet known with certainty.

On one hand, free software developers do need to be funded. Especially if
people are using and relying on their software.

https://xkcd.com/2347/

On the other hand, it is a perfectly normal part of OSS for one maintainer
to pass the reins on to another developer. I have seen it happen numerous
times (as original developer, as new developer, and as user). And I am the
maintainer of a number of projects that I only barely keep up with.

This requires the new users trust the new maintainer. But I imagine in
many cases users aren't even aware that there is a new maintainer.

Even if you trust the new maintainer, do you also trust their security
practices? There was at least one case where malware was found due to a
hacked account.

https://therecord.media/malware-found-in-npm-package-with-millions-of-weekly-downloads

Most of the time none of this is a newsworthy story however. Either the new
maintainers do a good job of continuing the project. Or the circumstances
change and the new maintainers end up in the exact same situation as the
old maintainer. I have seen both situations happen.

This story reminds me of an npm package. The maintainer passed on the job
to a new maintainer as they were no longer interested in maintaining the
package. The new maintainer added a dependency on another package which
had back door code. Or something like that. Oh, think I found it:

https://medium.com/intrinsic-blog/compromised-npm-package-event-stream-d47d08605502

Then again for another example, have a look at redis. Seems they managed
to alienate the entire community with one PR
(https://github.com/redis/redis/pull/13157). As a result there are a
number of forks, such as keydb. How do we know we can trust the new
maintainers? It probably is going to be OK, right? But is anybody checking
the commits they make?

It also makes me a bit uncomfortable with how shared libraries work. The
recent attack demonstrates that a shared library can compromise a
completely unrelated binary. It is a bit unfair to blame systemd here, it
could be a NSS or PAM module that pulls in the compromised library. Makes
me think maybe we need better isolation - but not sure how you would do
this or if it is feasible.

--
Brian May @ Linux Penguins

From russell at coker.com.au Sun Mar 31 23:23:47 2024
From: russell at coker.com.au (Russell Coker)
Date: Sun, 31 Mar 2024 23:23:47 +1100
Subject: [Linux-aus] Re: How could we get society to adequately fund free software developers
In-Reply-To: <87il138hs4.fsf@linuxpenguins.xyz>
References: <2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net> <87il138hs4.fsf@linuxpenguins.xyz>
Message-ID: <23458296.6Emhk5qWAg@cupcakke>

On Sunday, 31 March 2024 09:40:59 AEDT Brian May via luv-main wrote:
> This requires the new users trust the new maintainer. But I imagine in
> many cases users aren't even aware that there is a new maintainer.

Brian makes some great points about the broader issues of trust in the
integrity and competency of new maintainers.

But it seems that we are now wondering if the alleged xz maintainer even is
a real person.

This could be addressed by the GPG web of trust, checking government IDs,
and having video calls to interview people.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
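
Brian May's point earlier in the thread, that a shared library can end up inside a binary that never asked for it, can be checked on a running host. The following is an added example, not part of any list post: it reads /proc/<pid>/maps to list every process that has liblzma mapped, and flags mappings the kernel marks "(deleted)", which means the process is still running the copy from before the package update and needs a restart. The maps excerpt and the daemon name `exampled` are constructed for illustration.

```python
"""List running processes that have a given shared library mapped (Linux).

Added illustration, not code from the thread. Run as root to see every process.
"""
import os

DELETED = " (deleted)"   # suffix the kernel adds once the backing file is unlinked

# Constructed /proc/<pid>/maps excerpt for a hypothetical daemon "exampled":
# its liblzma was replaced on disk by a package upgrade, but the old copy is
# still mapped because the process has not been restarted.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a0c000 r--p 00000000 fd:01 393301 /usr/sbin/exampled
7f3a1c200000-7f3a1c228000 r--p 00000000 fd:01 394112 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c600000-7f3a1c604000 r--p 00000000 fd:01 394870 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (deleted)
7f3a1c604000-7f3a1c620000 r-xp 00004000 fd:01 394870 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 (deleted)
7f3a1c900000-7f3a1c910000 r--p 00000000 fd:01 395001 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0
7f3a1ca00000-7f3a1ca21000 rw-p 00000000 00:00 0
7ffd4a5e0000-7ffd4a601000 rw-p 00000000 00:00 0 [stack]
"""


def library_mappings(maps_text, name="liblzma"):
    """Return sorted (path, deleted) pairs for mapped files named <name>.so*."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # address perms offset dev inode [path]
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue                      # anonymous memory, [stack], [heap], ...
        path = fields[5]
        deleted = path.endswith(DELETED)
        if deleted:
            path = path[:-len(DELETED)]
        if os.path.basename(path).startswith(name + ".so"):
            found.add((path, deleted))
    return sorted(found)


def scan_processes(name="liblzma", proc_root="/proc"):
    """Yield (pid, comm, path, deleted) for each readable process mapping name."""
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        try:
            with open(os.path.join(proc_root, pid, "maps"), errors="replace") as f:
                maps_text = f.read()
            with open(os.path.join(proc_root, pid, "comm"), errors="replace") as f:
                comm = f.read().strip()
        except OSError:                   # process exited, or not ours to read
            continue
        for path, deleted in library_mappings(maps_text, name):
            yield int(pid), comm, path, deleted


if __name__ == "__main__":
    for pid, comm, path, deleted in scan_processes():
        note = "  <- replaced on disk, restart this process" if deleted else ""
        print(f"{pid:>7} {comm:<16} {path}{note}")
```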