
Reading that Canonical thread was jaw-dropping. Paraphrased: "Rust is more secure, security is our priority, therefore deploying this full-rewrite of core utils is an emergency. If things break that's fine, we'll fix it :)".

I would not want to run any code on my machines made by people who think like this. And I'm pro-Rust. Rust is only "more secure" all else being equal. But all else is not equal.

A rewrite necessarily has orders of magnitude more bugs and vulnerabilities than a decades-old well-maintained codebase, so the security argument was only valid for a long-term transition, not a rushed one. And the people downplaying user impact post-rollout, arguing that "this is how we'll surface bugs", and "the old coreutils didn't have proper test cases anyway" are so irresponsible. Users are not lab rats. Maintainers have a moral responsibility to not harm users' systems' reliability (I know that's a minority opinion these days). Their reasoning was flawed, and their values were wrong.


This leaves such a bad taste in my mouth. If you fucking found 44 CVEs with some relatively amateurish ones (I'm no security engineer but even I've done that exact TOCTOU mitigation before) in such a core component of your system a month before 26.04 LTS release (or a couple months if you count from their round 1), surely the response should be "we need to delay this to 28.04 LTS to give it time to mature", not "we'll ship this thing in LTS anyway but leave out the most obviously problematic parts"?

The snap BS wasn't enough to move me since I was largely unaffected once stripping it out, but this might finally convince me to ditch.


It's insane that this is going into an LTS. It's the kind of experiment I'd expect them to play with in a non-LTS and revert in LTSes until it's fully usable, like they did with Wayland being the default, which started in 2017

Ubuntu has been doing careless shit like that their entire existence, it's nothing new

Agree with the point. Asking sincerely, how to filter out installing any rust-rewrite packages on my machines? Does anyone know the way?

If you don't want Canonical's packages, you should probably just be using Debian rather than Ubuntu. It's not 2008 anymore, stock Debian is quite user-friendly.

Worth noting is that in Debian experimental coreutils defaults to coreutils-from-uutils [0]. This came as a big surprise and as far as I can tell there's been no discussion. A Canonical developer seems to have unilaterally overwritten the coreutils package without discussing with the maintainer. All the package renames that are in Ubuntu aren't in Debian so you can't switch to GNU utils either without deep trickery in a separate recovery environment.

I'm used to running experimental software but I wasn't ready for my computer to not boot one day because of uutils. The `-Z` flag for `cp` wasn't implemented in the 9 month old version shipped in Debian at that time so initramfs creation failed...

[0] https://packages.debian.org/experimental/coreutils


that... seems newsworthy on its own merit.

It's in experimental only, not unstable or testing. That said I'm surprised it hasn't even prompted discussion on debian-devel (sans [0]). I would've thought that at least enough Debian developers run experimental to have noticed and raise the issue, but no. I thought about starting a thread myself but couldn't be bothered.

[0] https://lists.debian.org/debian-devel/2026/04/msg00004.html


Considering how Ubuntu seems to influence Debian development, this is only slightly surprising.

See: https://lists.debian.org/deity/2025/10/msg00071.html - Hard Rust requirements from May onward - by a Core Ubuntu Developer


Or Fedora.

I feel like Fedora has the same pragmatic approach (allows non-free drivers, packages, etc.) and is just as easy to use.


Or use a sane distribution like Arch or Gentoo instead of Ubuntu based systems.

Alpine Linux has a better shot at acceptable compile times.

Some FOSS software seems to maximize kernel IO last time I had a Gentoo.


I'm unaware of any Rust rewrites outside of coreutils, so:

    sudo apt install coreutils-from-gnu
https://computingforgeeks.com/ubuntu-2604-rust-coreutils-gui...

There aren't true 1:1 clones, but there's ripgrep (inspired by GNU grep) and fd (inspired by GNU find). Those two I like, though. I think they're thoughtfully designed and in ripgrep's case at least (I just haven't read posts/comments by fd's author), it was developed with some close study of other grep implementations. I still use GNU grep and GNU find as well, but rg and fd are often nice for me.

The other nice thing about rg and fd is that they work natively on Windows.

This is a people problem and Canonical just isn't good at hiring people

I’ve gotta agree. Some horror stories were going around about their interview process. It seemed highly optimized to select people willing to put up with insane top-down BS.

> while a portion of this rise obviously consists of troubled/[...], a huge part of the rise of gambling is from desperation

Is that really so? It's a get-rich-quick scheme and absolutely no one is under any illusions otherwise, including the people gambling their rent money. They know it's a very long shot and that most people don't make bank, but they hope it'll go different for them.

WallStreetBets, just another form of gambling, is filled with posts of people losing everything but it doesn't seem to stop newbies.

The gap between troubled/problem/addicted and "desperate" has to be paper thin, if it exists at all.


> and absolutely no one is under any illusions otherwise

Having a gambling addiction kinda requires that you operate under a lot of illusions in your reasoning.


Am I crazy, or was this press release fully rewritten in the past 10 minutes? The current version is around half the length of the old one, which did not frame it as a "simplification" "grounded in flexibility" but as a deeper partnership. It also had word salad about AGI, and said Azure retained exclusivity for API products but not other products, which the new statement seems to contradict.

What was I looking at?


I noticed the exact same thing. I read the original, went back to read it again and it’s completely changed.

I think a stickied comment about this would be due. No idea if it's possible to call in @dang via at-name?

Looks like they changed the post link to a Bloomberg article instead but kept the comments thread. So I guess he’s already aware.

> No idea if it's possible to call in @dang via at-name?

No. Email hn@ycombinator.com

https://news.ycombinator.com/newsfaq.html


The in-house or the marketing team swooped in last minute it appears

It’s extraordinary how much standards have slipped. Completely rewriting a major press release that’s already been sent out, while pretending it’s ostensibly the same document would have been a major corporate scandal just 15 years ago.

If anyone has the original release still up and can post it somewhere that would be grand.

It is rewritten on every refresh depending on the reader's mood, personality, etc., so they're most receptive to it.

Obviously not, but we might not be far off from that being a reality.


I don’t know. I couldn’t get past the first paragraph because it seemed like complete slop.

They forgot the "hey ChatGPT, rewrite this to have better impact on the company stock" before submitting it

The uncanny valley is an attractor basin.

I wish Apple released incident reports in cases like these. I hate that their secrecy obsession extends so far beyond hardware.

I never thought there would be online SDK databases, what a useful resource in general. Thank you.

Ever had it installed before? I wonder if that's a pattern.

I did

Definitely the strongest pattern.

Antisocial behavior should face consequences. I'm not Asian and I don't understand your mindset.

> Never thought I'd say this but OpenAI is the 'open' option again.

Compared to Anthropic, they always have been. Anthropic has never released any open models. Never released Claude Code's source, willingly (unlike Codex). Never released their tokenizer.


What's "open" about any of these companies?

I'm tired of words being misused. We have hoverboards that do not hover, self-driving cars that do not, actually, self-drive, starships that will never fly to the stars, and "open"… I can't even describe what it's used for, except everybody wants to call themselves "open".


And the vast majority of current and past countries with the word “democratic” in their name weren’t actually democratic.

It’s open as in the sign in the door of your favorite local diner that says:

“Yes, we are OPEN”

Open, as in not currently out of business.


Penalties don't work for government agencies. Taxpayers would pay for it and it doesn't act as an incentive.

The way to fix it is to empower one government agency to do aggressive pentesting against every other agency, hospitals, banks, infrastructure, and big corporations, with salaries matching the private sector. Impose a legally-enforced deadline to fix any issues, with a fine (for private actors) or demotion of the guy in charge of infosec (for state agencies).

Forget compliance checklists, KPMG "audits" and all that crap, just have government-sponsored hackers trying to get into everything like an attacker would.

France seems to have had a ton of government hacks in the past year at various levels, so it's sorely needed.


I agree with the premise that SSII audits are useless, but your solution sounds like a bandaid on a cancer. The real solution is to stop this surveillance machine madness!

I understand that identity is required for property deeds and bank accounts for tax reasons and that should 100% not be online. But for the rest, it should be entirely outlawed to collect personal information beyond what's necessary for the service, including for government agencies.

Make healthcare (really) free => no social security database to hack. Give me back humans in offices for taxes and drivers licences => no ANTS database to hack. etc.


Er? Social security covers more than just healthcare, and the issue with on-line data in the context of healthcare is patients' history, which i) is sensitive and ii) needs to be shared among health care providers.

French context: sécurité sociale exclusively means socialized healthcare. Sorry for the confusion.

Flagged for AI use.

Tough luck, i've never used any machine learning in my life (that i know of). AI tools are part of the same problem, the same techno-fascism i was decrying in my comment. I'm just curious how you could even think i was using AI????

You don't seem to realize the difference between those 2.

> The way to fix it is to empower one government agency to do aggressive pentesting against every other agency, hospitals, banks, infrastructure, and big corporations, with salaries matching the private sector. Impose ...

And now you've got private people empowered to attack specific government officials. In fact, that's their job. Btw: you forgot to specify "in public", and that needs to be how it works, otherwise it will just result in officials attacking this security agency. Oh, AND you're giving government officials an obvious point of attack: "salaries matching the private sector".

> Forget compliance checklists, KPMG "audits" and all that crap, just have government-sponsored hackers trying to get into everything like an attacker would.

You mean forget the way even the dumbest of the dumb can "provide security"? Do you think government officials in France got their position based on their IQ?

Of course this is the only way it can work, but this needs a very un-French form of government to get it to work.


> this needs a very un-French form of government to get it to work

I'm usually not one to defend french culture, but i believe your interpretation is wrong. What went wrong in this case is the americanization of the french administration: make everything complex, remove all local government branches and workers who can help you, remove every sensical administrator from their position, ignore all the privacy laws that were passed after Vichy and the nazi/IBM databases, "just make all the NUMÉRISATION".

The French government didn't have a proper national ID system until the Nazi administration (Vichy), which invented the CNI and the Ausweis. There was strong sentiment against this well into the 70s and the Loi Informatique et Libertés, and it's only the more recent startup generation that started undoing all our ancestors' hard-fought battles against data collection/centralization.


> Penalties don't work for government agencies. Taxpayers would pay for it and it doesn't act as an incentive.

This is the same as the rogue police problem in the US. What needs to happen is a shift to personal liability for those responsible.


Personal liability? Are you also against no blame culture that is prevalent in the tech world?

Someone(s), somewhere, is paid "big bucks" to be in charge.

That's the person we should charge. If they cannot be charged for this kind of fuck-ups, then they should not be paid anything for simply rubber-stamping anything going over their desk. A simple machine could do their job.


If it’s related to compliance? Yeah I think that’s a pretty dangerous culture to have. Compliance requirements need owners who will ensure standards are met. If they don’t do their jobs, then they should face the consequences for the harm they allow.
