I think the key right now is that these are semi-automated scanning processes. Right now, companies like step security selectively publish. So, in order for a hacking group to find out if their malware is detected or not, they have to burn access to a useful package.
None of this is to say I think Microsoft shouldn't be doing something as part of the release process on NPM. However, there is real value in giving more independent third parties a window to do things semi-manually.
@exitb it is much more desirable for security scanning companies to compete to find issues in a timely manner. If npm blessed one as a gatekeeper to the whole system they would be between a rock and a hard place. Unable to prioritize high impact packages over the long tail of packages no one uses without pissing people off. Unable to add experimental new detections that may be a little noisy at first due to the huge disruption it would cause. It would be trivial to game, as obscure packages could brute-force their way through, then use the same hole on a mainstream package.
Then the ... malware will just add delays? Or do they really do manual in-depth analysis of all new code? Just running and seeing it do things is probably a lot easier.
Security scanners won't be "manual in-depth analysis of all new code" or "Just running and seeing it do things", but somewhere in-between - utilizing static analysis/machine learning. It's a cat-and-mouse game, but the library adding code that waits X days to run something obfuscated would be another pattern that they could look for.
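As an added example (not code from the thread or from any scanning vendor), a small static heuristic for the "wait X days, then run something obfuscated" pattern the comment describes: it flags a JavaScript file only when a long timer or date gate appears together with dynamic execution or obfuscation markers. The sample sources are constructed; the thresholds and regexes are assumptions, not any vendor's rules.

```python
# Added example: delay-then-execute heuristic for JS sources (defender-side triage).
import re

ONE_HOUR_MS = 60 * 60 * 1000
TIMER_RE = re.compile(r"set(?:Timeout|Interval)\s*\(")
DATE_GATE_RE = re.compile(r"Date\.now\(\)\s*[<>]=?\s*\d{12,}|new Date\(\s*[\"']\d{4}-\d{2}-\d{2}")
EXEC_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(|child_process")
OBF_RE = re.compile(r"fromCharCode|atob\s*\(|(?:\\x[0-9a-fA-F]{2}){8,}")


def timer_delays_ms(src):
    """Literal delay (ms) of each setTimeout/setInterval; variable delays are skipped."""
    delays = []
    for m in TIMER_RE.finditer(src):
        depth, i, last_comma = 1, m.end(), None
        while i < len(src) and depth:           # walk to the matching ')'
            c = src[i]
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            elif c == "," and depth == 1:
                last_comma = i                  # top-level comma before the delay arg
            i += 1
        if depth == 0 and last_comma is not None:
            expr = src[last_comma + 1:i - 1].strip()
            if re.fullmatch(r"[\d_\s*+()]+", expr):  # digits and arithmetic only: safe to eval
                try:
                    delays.append(int(eval(expr)))
                except (SyntaxError, ValueError):
                    pass
    return delays


def scan_js(src):
    """Return the triggered indicators and whether gate + payload co-occur."""
    reasons = []
    if any(d >= ONE_HOUR_MS for d in timer_delays_ms(src)):
        reasons.append("long_timer")
    if DATE_GATE_RE.search(src):
        reasons.append("date_gate")
    if EXEC_RE.search(src):
        reasons.append("dynamic_exec")
    if OBF_RE.search(src):
        reasons.append("obfuscation")
    gated = "long_timer" in reasons or "date_gate" in reasons
    payload = "dynamic_exec" in reasons or "obfuscation" in reasons
    return {"suspicious": gated and payload, "reasons": reasons}


# Constructed samples: a benign retry timer, then two delay-gated payload loaders.
BENIGN = "setTimeout(() => flushQueue(), 5000);\nconst when = new Date();\n"
TIMER_GATED = "setTimeout(function () { eval(atob(blob)); }, 3 * 24 * 60 * 60 * 1000);\n"
DATE_GATED = "if (Date.now() > 1780000000000) { new Function(atob(p))(); }\n"
```

A heuristic like this is a triage signal for a human reviewer, not a verdict: a long timer alone (a daily cache refresh, say) is not flagged, which is exactly the noise trade-off the comment above refers to.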
I think attackers are unlikely to add a delay in the first place because the chance of their attack being found out before it activates would be too high. They seem to generally work on the assumption that they have a day or so before the package is yanked (e.g: from maintainer noticing their account is compromised) so need to move fast.
I'm aware, I'm just trying to get OP to explain why they're lying, though. 6 em dashes over the course of this article is not a lot of em dashes. It's a bullshit claim and they know it, so what's the point of making it?
The one on the shelf is probably an Akari paper lantern. I have an orange one that I quite like. You used to be able to buy them from Design Within Reach or the MoMA Design Store; I can't find them on their sites now, but they're on the Noguchi site. [1] The hanging sphere one might be similar.
For those not aware of them, Design Within Reach has a lot of nice famous designed furniture and shelving, but pricey. They often have 15% off season sales though. Good place to shop if you're into the stuff seen in this blog post.
"Paper lantern" generally. Many inexpensive import shops carried them in the Before Times. Widely available now. They offer a soft ambient glow. Not ideal as a reading lamp (a bit too diffuse), but quite good for general room lighting.
That was my impression, as well, but I recently met SFC people and they assured me that the judge is taking the third party beneficiary doctrine very seriously, it's not off the table. Funnily, because Vizio objected to the tentative ruling, it has little meaning now.
The trial in August will handle the TPB stuff, as well. It will be streamed, btw.
> GPL itself does not forbid you from dynamically linking
GPL does not contain the words "dynamically linking". That's just a common interpretation as a shortcut.
In this case there are arguments for the program-plugin communication to be "intimate" and as such falling under "derivative work". But it's easy to take the other side, as well.
I put the actual clause under, but let's forget the actual legal definition for a moment.
GPL license in spirit is about assuring the user freedoms. No user freedoms are limited in this case. You are free to modify and redistribute the software as you like. OrcaSlicer pulls changes from Bambu without any issues.
I don't think trying to enforce the license in this way, even if possible (which again I think if it was it would happen with Linux drivers long before), is the right thing to do anyway. All it's doing is painting the GPL as a liability to any business for no benefit.
TIL, they're back supporting each other (scroll to the bottom):
Update 2026-01-26
To recap, in March 2021, the FSFE was forced to suspend our collaboration with the FSF to protect our work for software freedom from their apparent disregard for fostering a safe and welcoming community for software freedom advocates. At the time, we also hoped it would be an effective way of getting them to change into a more welcoming, appealing, and ultimately effective organization working to advance software freedom.
Meanwhile, the FSF has been changing: they have appointed Zoë Kooyman their executive director, they have adopted a code of ethics for their voting members, they have brought on new board members, they have recently elected a new president, Ian Kelling, a staffer first nominated to the board by their staff union in 2021, and they have had Eko K. A. Owen join the FSF board as their new union staff representative. They have changed from an organization synonymous with its founder to one led by staff committed to software freedom.
As a result, the FSFE has come to believe we can best advance software freedom, and foster a respectful, inclusive community around both of us, by working together with the FSF once more.