setuid root screen is a gift that just keeps on giving…
#CVE #CVE_2025_23395 #InfoSec #Linux #OpenSource
https://security.opensuse.org/2025/05/12/screen-security-issues.html
@josh ah, thanks for mentioning it!
“AWS-LC looks like a very active project with a strong community. […] Even the recently reported performance issue was quickly fixed and released with the next version. […] This is definitely a library that anyone interested in the topic should monitor.”
#OpenSSL #BoringSSL #WolfSSL #AWSLC #HAProxy #OpenSource #FreeSoftware #FOSS #OSS #TLS #QUIC
https://www.haproxy.com/blog/state-of-ssl-stacks
@jamesh I mean, there is a lot of GPL and LGPL licensed software with no UI where the redistributor manages to make a clear offer to provide complete corresponding source code….
@bignose we’ll see how things shake out… https://www.fsf.org/news/fsf-submits-amicus-brief-in-neo4j-v-suhy
@bignose indeed, this is the design of GPL and AGPL alike.
Unfortunately the license has not proven reliable protection for users from licensors adding restrictions in the courts as of yet.
https://sfconservancy.org/blog/2022/mar/30/neo4j-v-purethink-open-source-affero-gpl/
@bignose from license-discuss@ exchanges, he gets things like why SSPL is self serving… you can decide.
http://lists.opensource.org/pipermail/license-review_lists.opensource.org/2019-January/003938.html
@bignose it is possible he was misquoted…
Sadly, if I apply the “the purpose of the system is what it does” philosophy, I might have to admit that AGPL often does chill the act of making software available as a service.
Because that is the intent many adopters of AGPL licenses have.
The purpose of the AGPL is to provide for, and protect, the rights and freedoms of end-users of software when the software is provided as a networked service.
Using AGPLv3 for any other use is misuse at best, and abuse in some cases that cause community harm.
“The primary purpose of AGPL appears to be creating barriers for public cloud providers, which likely guarantees that major sponsors like Amazon and Google will continue to support Valkey.” - Vadim Tkachenko, Percona co-founder.
Respectfully, no. This is not the purpose or the reason.
#FreeSoftware #OpenSource #OSS #FOSS #SoftwareFreedom #AGPL #APLv3 #Copyleft
@hipsterelectron oh good point. 😅
@hipsterelectron steam extraction
@hyc @jwildeboer @zacchiro The philosophy on focusing on providing and protecting the rights for the software user has historically been: the user today may be the maintainer tomorrow.
That said, I think that criticism of the philosophy is warranted. We know that not all software users seek to be developers, and narrowly defining and defending freedoms based on the capacity to build and run software yourself is limiting (and potentially biasing).
@hyc @jwildeboer @zacchiro of course we've expressed our differing viewpoints of this in the past, but I'll go ahead and say mine again:
The objective of copyleft licenses is not to preserve or protect the original developer's rights.
It's all about the user, not the developer.
@jwildeboer @zacchiro I can +1 that.
A well functioning network of freely shared, reusable, and redistributed software requires that the software licenses alone are “reliable.”
Whenever separate agreements are deemed “needed” for the exchange of software, we should ask “why?”
@geerlingguy cutting in advertisements is quite a challenge at modern resolutions and frame rates! 😅
@jwildeboer @zacchiro the nuanced message I repeat is: if they demand a CLA for inbound contributions under a “permissive” license they probably aren’t getting more than you already granted with the license. They may be getting assurance that you have clear authority to make the contribution if you work for someone else.
The thing to watch out for is when the project is copyleft “outbound” and requires a CLA on “inbound” contributions that forgive obligations.
@jwildeboer @zacchiro the developers that choose to continue working on Valkey using mutual BSD-3 terms (with no CLA, just using the DCO) know that their work can be made proprietary, or be integrated into a copyleft licensed work that they cannot safely copy from if they want to give all the assurance that the code base is all “permissive” in license.
This already happened. And it’s (mostly) totally fine.