It’s copies everywhere

I’ve read that. Defining a supplier as someone with whom you have a direct business relationship with seems intentionally narrow in an unhelpful way that just further muddies the waters around the issue at hand. Making something generally available to others means that you’re supplying others with that thing. While it’s true that you may have no further obligations to those that receive your software, the person receiving the software needs to evaluate their risks around using and depending on that software regardless of the existence of a business relationship with the supplier. Hence supply chain risk evaluation is always necessary. That risk evaluation, or lack thereof, can result in a security problem. These problems can propagate widely within a software ecosystem. This is true with and without the existence of direct business relationships between suppliers and recipients of software.

The whole article can be summarized by saying if you want support services related to the software written by others, negotiate a support agreement related to that software. That has nothing to do with taking a wide or narrow interpretation of the word supplier.

You might be onto something here.

Developers should think about what libraries they trust, but it seems that most of the time they’ll choose whatever is most convenient for handling the immediate problems they’re working to solve.

Would you mind sharing some details around what you learned?

Federation issues are sneaky

I’m fascinated by Raku myself.

It didn’t make any sense to me when it was originally announced, it still doesn’t. I don’t understand the project’s goals or how it’s supposed to reach those goals. The mission statement is incomprehensible to me.

Sounds like your project is building arrays in different dimensions and multiplying them.

Maybe give polars and pandas a try.

Definitely check out SciPy

People keep telling me that scrapy is the best for scraping but I haven’t had time to try it yet.

Entirely depends on the project you want to build

You’ll own nothing and you’ll be happy - Ida Auken

Consider using https://www.fossil-scm.org/

Although I understand if you don’t wish to stop using git.

My local library gives me access to O’Reilly Online, so free textbook access for just about any topic.

Have you submitted feedback to Mozilla?

💀

90’s? I assumed it was from the 80s or earlier

Building from source is the opposite of hacky. It’s the recommended way to deal with things like this where you are concerned about trust and security. I understand that it’s not something you’ve done before, but it not as complicated as it sounds. There are many tutorials on how to build programs from source.

I understand that providing official packages for fedora/rhel, Ubuntu/debian, and arch-based distro packages along with a flatpack and Appimage would make a lot of sense, but for whatever reason, signal has decided not to. Perhaps you can message the signal team to ask why they choose not to do this.

I like the ethos behind Purism, I was worried they wouldn’t be profitable at all. I hope this is enough profitablity to attract greater investment to grow and create economies of scale and lower the retail price and reduce lead times to be in line with the rest of the market.

I’ve been comparing crates on crates.io against their upstream repositories in an effect to detect (and, ultimately, help prevent) supply chain attacks like the xz backdoor1, where the code published in a package doesn’t match the code in its repository.

The results of these comparisons for the most popular 9992 crates by download count are now available. These come with a bunch of caveats that I’ll get into below, but I hope it’s a useful starting point for discussing code provenance in the Rust ecosystem.

No evidence of malicious activity was detected as part of this work, and approximately 83% of the current versions of these popular crates match their upstream repositories exactly.