
Servers and thin clients in every home is the future they stole from us

I’ve used thin clients at home for quite a while – both for their intended use (remotely accessing a desktop of another system); and in the sense of “modern thin clients are x86 boxes that are wildly overpowered for what they run, so they make good mini servers.”

Recently, I saw a bulk lot of Sun Ray thin clients pop up on Trade Me (NZ’s eBay-like auction site) – and with very little idea of how many clients were actually included in this lot, I jumped on it. After a 9 hour round-trip drive (on some of the worst roads I’ve seen!), I returned home with the back of my car completely packed with Sun Rays. Time for some interesting shenanigans!

↫ catstret.ch

I was unaware you could still set up a Sun Ray environment with the latest versions of OpenIndiana, and that has me quite interested in buying a few Sun Rays off eBay and following in the author’s footsteps. It seems like it’s not too difficult, and while there’s some manual nonsense you have to do to get everything to install correctly, it’s nothing crazy.

To this day, I firmly believe that the concept of dumb thin clients connected to powerful servers is an alluring and interesting way of computing. I’m not talking about connecting up to servers owned by massive technology corporations – I’m talking about a few powerful servers down in your own basement or attic or whatever, serving applications and desktops straight to basic thin clients all around your house. These thin clients can take the shape of anything, from something like a desktop setup in your office, down to a basic display in your kitchen for showing recipes, setting timers, and other basic stuff – and everything in between.

Sun Rays could ‘hot desk’ using personal smart cards, but of course, in this day and age you’d have your smartphone. The thin clients around your house would know it was you through your smartphone, and serve up the applications, desktop, tools, and so on that you use, but everything would be running on the servers in your house. Of course, my wife would have her own account on the server, as would our children, when they are old enough.

None of this is impossible with today’s tools and computing power, but it wouldn’t be easy to set up. There are no integrated solutions out there to make this happen; you’d have to scrape it together from disparate parts and tools, and I doubt such a house of cards would end up being reliable enough not to quickly become a massive annoyance and time sink. On top of that, we live in a rental apartment, so we don’t even have a basement or attic to store loud servers in, nor are we allowed to drill holes and route Ethernet cabling for optimal performance.

Anyway, there’s no chance in hell any of the major technology companies would build such a complex ecosystem in a world where it’s much easier and more profitable to force people to subscribe to shitty services. In my ideal computing world, though – a server in every home, with cheap thin clients in every room.

The new troll diet

We need a new framework for how to defend against “trolls”. The feeding metaphor ran its course many years ago. It is done and will not be coming back.

New online risks demand that we adapt and become proactive in protecting our spaces. We have to loudly and proudly set the terms of what is permissible. Those holding social or institutional power in communities should be willing to drop a few loud fuck offs to anyone trying to work their way in by weaponizing optics, concern trolling, or the well known “tolerance paradox”. Conceding through silence, or self-censorship, only emboldens those who benefit from attacking a community.

↫ diegoebe

A people that yields to tyrants will lose more than life and goods; then the light goes out.

Donkey Kong Country 2 and open bus

Apparently, Donkey Kong Country 2 runs into a bug in the old SNES emulator ZSNES, where one of the barrels that you’re supposed to be able to precisely control the spinning direction of ends up spinning forever.

This bug is caused by ZSNES not emulating open bus behavior. I believe this was originally discovered by Anomie roughly two decades ago, who subsequently fixed the same bug in Snes9x. This original fix hardcoded the specific addresses to return the values that the game depends on rather than properly emulating open bus, but it fixed DKC2 and probably didn’t break anything else. The bug was never fixed in ZSNES, which is now a long abandoned project (last release in 2007).

Purely out of curiosity, I wanted to dig into this a little more to figure out what exactly in the game code causes these barrels to spin forever in an emulator that doesn’t emulate open bus behavior.

↫ jsgroth

Just in case you’ve always wanted to know.

Wayback: experimental layer to run X desktop environments on Wayland

With X.org in maintenance mode and the process of replacing it with Wayland accelerating pretty quickly now, a lot of projects using X.org are looking for ways to prepare for the future. Alpine Linux, a distribution focused on musl, BusyBox, and OpenRC, also wants to reduce its maintenance burden for X11 applications, and so Alpine Linux maintainer Ariadne Conill has come up with something interesting.

Wayback is an experimental X compatibility layer which allows for running full X desktop environments using Wayland components. It is essentially a stub compositor which provides just enough Wayland capabilities to host a rootful Xwayland server.

It is intended to eventually replace the classic X.org server in Alpine, thus reducing maintenance burden of X applications in Alpine, but a lot of work needs to be done first.

↫ Wayback GitHub page

It’s nowhere near done and most likely contains massive amounts of bugs and issues, but the seed has been planted. Wayback will make it possible to keep running X11-based desktop environments even in a full-Wayland environment. This may be necessary in case you need a specific feature not yet available in the Wayland version of your desktop environment, or if your desktop environment of choice simply isn’t going to move to Wayland at all (due to lack of maintainers or whatever).

It’ll also be a boon for retrocomputing, especially as over the coming years and decades unmaintained X11 desktop environments become ever harder to keep running on modern Linux distributions. While X.org as it exists today certainly isn’t going anywhere any time soon, it will, eventually, stop working properly on Linux distributions that don’t ship it by default anymore, and it’s awesome to already have the beginnings of a project to address this problem.

Microsoft to remove all but the latest versions of drivers from Windows Update

This blog post is intended to notify all Windows Hardware program partners that Microsoft has taken a strategic initiative to clean up legacy drivers published on Windows Update to reduce security and compatibility risks. The rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the Windows ecosystem, while making sure that Microsoft Windows security posture is not compromised. This initiative involves periodic cleanup of drivers from Windows Update, thereby resulting in some drivers not being offered to any systems in the ecosystem.

↫ Microsoft’s Hardware Dev Center

The general gist is that Microsoft is going to remove all drivers from Windows Update for which newer versions exist – or, to put it in a different way, only the latest versions of a driver are going to remain available on Windows Update. It’s effectively a clean-up of Windows Update, and the only way older versions of drivers will remain available on Windows Update is if the manufacturer in question can make a “business justification” to keep them around.

Some of this may sound surprising, since many people assume Windows Update only offers the latest versions of drivers – annoyingly so, sometimes – but this isn’t the case. Corporations with fleets of devices can actually determine exactly which drivers get sent to their devices, including opting for older versions in case newer versions have regressions or otherwise cause issues. Sometimes you just don’t have a choice.

According to Adam Demasi, the creator and maintainer of the amazing Legacy Update service, Microsoft hasn’t deleted a single driver or update from Windows Update since 2001 (save for problematic updates). This results in a truly massive collection of updates and drivers, and that’s causing real problems for Microsoft.

Windows Update has a pretty cool system of describing whether an update is necessary to be installed on the current system, or if it is already installed. It also builds a relationship graph between updates, to indicate when they have been replaced by a newer update that includes all changes from the previous update. That system is also its downfall, causing the Windows Update service to be incredibly slow in checking for updates, possibly never completing the check at all. This issue also applies to WSUS, which despite being based on the very robust SQL Server, struggles with the number of drivers Microsoft hosts on Windows Update. As of April, we know that Windows Update hosts 1,799,339 drivers, and this creates a 138 GB database that requires almost 16 days to synchronise down from the main servers. The WSUS server is brought to its knees, with frequent timeouts while it furiously tries to complete database queries. (The PC used is a Ryzen 5700G with 32 GB of 3600 MHz RAM and 500 GB of NVMe, running Windows Server 2025 and SQL Server 2022.)

↫ Adam Demasi

From this, it’s easy to understand why Microsoft would want to perform some housekeeping, followed by a new set of rules around only keeping the latest versions of drivers around in Windows Update. Demasi also notes that these plans by Microsoft won’t affect drivers for old devices, since they will still be served their “newest” driver version, and it won’t affect Legacy Update either.

“I want a good parallel computer”

The GPU in your computer is about 10 to 100 times more powerful than the CPU, depending on workload. For real-time graphics rendering and machine learning, you are enjoying that power, and doing those workloads on a CPU is not viable. Why aren’t we exploiting that power for other workloads? What prevents a GPU from being a more general purpose computer?

↫ Raph Levien

Fascinating thoughts on parallel computation, including some mentions of earlier projects like Intel’s Larrabee or the Connection Machine with 64k processors from the ’80s, as well as a defense of the PlayStation 3’s Cell architecture.

Windows gets new “blue” screen of death and automated boot recovery

The blue screen of death has been such a core part of Windows that it’s become part of humanity’s collective consciousness. They’re not nearly as common anymore as they used to be back in the Windows 9x and early Windows XP days, but they do still occasionally appear when dealing with broken hardware, shoddy drivers, or other such faults.

Well, the blue screen of death is losing its eponymous blue colour, and will now clearly mention the stop code and where – in which driver – the kernel panic occurred.

The Windows 11 24H2 release included improvements to crash dump collection which reduced downtime during an unexpected restart to about two seconds for most users. We’re introducing a simplified user interface (UI) that pairs with the shortened experience. The updated UI improves readability and aligns better with Windows 11 design principles, while preserving the technical information on the screen for when it is needed.

↫ David Weston at the Windows Blogs

This is part of a new feature in Windows 11 called quick machine recovery, or QMR. If a Windows PC gets stuck in a boot loop, ending up in the Windows Recovery Environment, Microsoft can now deploy fixes and remediations through WinRE. This feature will become available later this year by default on Windows 11 Home, while on Windows 11 Pro and Enterprise, administrators can control how this feature works.

So far, it seems QMR is only intended to be used for widespread outages, but I wonder if it would be possible to eventually use QMR locally. It would be pretty neat if Microsoft released the server-side component of QMR so individuals can run and (ab)use it locally for their own machines.

Snow, a new classic Macintosh emulator

The world isn’t short of classic Macintosh emulators, but one more certainly cannot hurt.

Snow emulates classic (Motorola 680x0-based) Macintosh computers. It features a graphical user interface to operate the emulated machine and provides extensive debugging capabilities. The aim of this project is to emulate the Macintosh on a hardware-level as much as possible, as opposed to emulators that patch the ROM or intercept system calls.

It currently emulates the Macintosh 128K, Macintosh 512K, Macintosh Plus, Macintosh SE, Macintosh Classic and Macintosh II.

↫ Snow’s homepage

Snow is written in Rust and open source under the MIT license.

Microsoft is moving antivirus providers out of the Windows kernel

It’s been nearly a year since a faulty CrowdStrike update took down 8.5 million Windows-based machines around the world, and Microsoft wants to ensure such a problem never happens again. After holding a summit with security vendors last year, Microsoft is poised to release a private preview of Windows changes that will move antivirus (AV) and endpoint detection and response (EDR) apps out of the Windows kernel.

↫ Tom Warren at The Verge

After the CrowdStrike incident, one of the first things Microsoft hinted at was moving antivirus and EDR applications out of the kernel, building an entirely new framework for these applications instead. The company has been working together with several large security vendors on these new frameworks and APIs, and it’s now finally ready to show off this new work to the outside world. Instead of designing the new frameworks and APIs in-house and just dumping them on the security vendors, Microsoft requested the security vendors send them detailed documentation on how they want the new frameworks and APIs to work.

This first preview of the new implementation will be private, and will allow security vendors to request changes and additional features. Microsoft states it will take a few iterations before it’s ready for general availability, and on top of that, security software is only the first focus of this new effort. It turns out Microsoft wants to move more stuff out of the kernel, with anti-cheat software – more accurately described as rootkits, like Riot’s Vanguard – being an obvious next target.

Perhaps this effort could have some beneficial side effects for gaming on Linux, which you should be doing anyway if you want better performance, because Windows games seem to perform better on Linux than they do on Windows.

PNG gets its first specification update in 20 years

Jokes aside, this is exciting news. PNG is back to its former glory after its progress stalled for over two decades. Did you know the U.S. Library of Congress, Library and Archives Canada, and the National Archives of Australia recommend PNG? It is important that we keep PNG current and competitive. After 20 years of stagnation, PNG is back with renewed vigor!

[…]

With these titans behind it, the image format is back with full momentum. Work has already begun on the next two PNG spec updates.

↫ Chris Blume

The new PNG specification update adds proper HDR support, which is probably its most important new feature. Chris Lilley, one of the original creators of PNG and actively involved in these new updates as well, has a detailed blog post diving into how HDR in PNG works. Other changes include officially adding Mozilla’s animated PNG implementation to PNG, support for EXIF data, and a ton of smaller changes and cleanups.

Microsoft grants stay of execution for Windows 10 users: use OneDrive, and get one additional free year of security updates

For a while now I’ve been wondering if Microsoft would blink when it comes to Windows 10’s rapidly approaching end of support date. Only a few weeks ago, Microsoft at the very least twitched by extending support for Microsoft Office on Windows 10, which should’ve been an indication of what was to come. Today, Microsoft actually blinked: regular consumers wishing to keep using Windows 10 after support ends in October will now be able to sign up for an additional year of security updates.

Microsoft is making this possible by allowing Windows 10 users to sign up for the Windows 10 Extended Security Update program for one year of extended updates, for free. This program is normally only available to paying enterprise customers, and this marks the first time the company is letting regular consumers make use of it. The “for free” requires some serious caveats, though, as depending on how you look at it, it’s not free at all. Your options are to either pay around $30, pay 1000 Microsoft points, or sign up for the Windows Backup application to synchronise your settings to Microsoft’s computers (the “cloud”).

This last option is technically free, but not only does the free tier include just 5GB of online storage, it also makes use of OneDrive, so if you’re using OneDrive to store your documents and other files you may need to pay for additional storage. On top of that, anything that requires the use of OneDrive is simply not “free”, and only allows Microsoft to further get its claws in you. If Sartre were alive today, Huis clos would’ve declared “L’enfer, c’est OneDrive” instead.

Regardless, it’s the stay of execution many Windows 10 users have been waiting for, even if it isn’t entirely perfect. Sure, choosing between an unmaintained Windows 10, Windows 11, and using OneDrive is about as pleasant as shoving shards of glass underneath your fingernails, and I have a feeling quite a few people are about to find out.

If you want to keep using KDE and GNOME, you’re going to have to move to Wayland

With the transition from X11 to Wayland in full swing, with popular distributions removing X11 sessions altogether and the two major desktop environments planning for the removal of X11 support as well, there’s a ton of questions people are dealing with. Both the KDE and GNOME projects published detailed blog posts about the matter.

First, KDE’s Nathan Graham makes it very clear that KDE Plasma’s X11 session continues to be maintained. This means KDE Plasma will continue to work on X11, major bugs in the session (e.g. can’t log in) will be fixed, and really bad regressions in the session may eventually be fixed. That being said, minor bugs will probably not be fixed unless someone pays for it, and new features in the X11 session will not happen at all, unless someone pays for it.

KDE currently has no time frame for when X11 support will be dropped from KDE Plasma, and Graham doesn’t expect it to happen within the next two years. The KDE project maintains a list of known significant issues with KDE Plasma on Wayland, and KDE plans on addressing everything on that list before removing X11 support. Graham notes that in the end, dropping X11 support from KDE Plasma is mostly up to distributions, as it wouldn’t make any sense to drop it if distributions aren’t on board. At the moment, about 70-80% of KDE Plasma users are using Wayland, he notes.

On the GNOME side of things, Jordan Petridis also detailed GNOME’s position on Wayland and X11. GNOME will be disabling the X11 session in GNOME 49, with a full removal of the X11 code in GNOME 50. This won’t break any X11 applications (on either GNOME or KDE), since even if they don’t have a Wayland backend, they’ll run just fine using XWayland, which is an X server running on top of Wayland. XWayland isn’t going anywhere any time soon.

According to Petridis, the Wayland session is as functional as the X11 session, and “in plenty of cases a lot more capable and efficient”. He further adds that “there’s some niche workflows that are only possible on X11, but there isn’t any functionality regression”. Basically, if you’re using your spacebar as a heater, you might run into problems.

As for accessibility, Wayland is actually doing pretty great.

There has been a lot of concerned trolling and misinformation specifically around this topic sadly from people that don’t care about it and have been abusing the discourse as a straw man argument. Drowning all the people that rely on it and need to be heard. Thankfully Aaron of fireborn fame wrote recently a blogpost talking about all this in detail and clearing up misconceptions.

↫ Jordan Petridis

Finally, Petridis summarises why the Linux desktop world is moving to Wayland:

No, the Xorg Server is still very much maintained, however its development is halted. It still receives occasional bugfixes and there are timely security releases when needed.

The common sentiment, shared among Xorg, Graphics, Kernel, Platform and Application developers is that any future development is a dead-end and shortcomings can’t be addressed without breaking X11. That’s why the majority of Xorg developers moved on to make a new, separate, thing: Wayland.

↫ Jordan Petridis

This pill is so hard to swallow for some people that they go full bananas and start seeing red hats and Illuminati symbols everywhere, losing their minds and spiraling deep into ludicrous conspiracy theories. The truth of the matter is, however, blatantly banal: the people developing X.org realised long ago that meaningfully improving it would irrevocably break it, and as such they developed something new so they wouldn’t have to break X11. That’s it.

X.org will continue to exist and live on in its maintained state, and desktops relying on it will continue to function. If you want to keep using GNOME and KDE, though, you’ll have to drop X11, because the kinds of features and improvements these desktops want to deliver are not possible without breaking X11. Would you want an X11 that’s broken for everyone, or an X11 that keeps working as-is, while those that want to move on do so somewhere else?

Asterinas: a new Linux-compatible kernel project

Asterinas is a new Linux-ABI-compatible kernel project written in Rust, based on what the authors call a “framekernel architecture”. The project overlaps somewhat with the goals of the Rust for Linux project, but approaches the problem space from a different direction by trying to get the best from both monolithic and microkernel designs.

↫ Ronja Koistinen at LWN.net

Ronja Koistinen has done an outstanding job diving into this new operating system kernel and approach to kernel architecture, including its intended focus and goals. Head on over to the source and read it over there.

The X Window System didn’t immediately have X terminals

For a while, X terminals were a reasonably popular way to give people comparatively inexpensive X desktops. These X terminals relied on X’s network transparency so that only the X server had to run on the X terminal itself, with all of your terminal windows and other programs running on a server somewhere and just displaying on the X terminal. For a long time, using a big server and a lab full of X terminals was significantly cheaper than setting up a lab full of actual workstations (until inexpensive and capable PCs showed up). Given that X started with network transparency and X terminals are so obvious, you might be surprised to find out that X didn’t start with them.

↫ Chris Siebenmann

I did indeed assume X terminals were part of the ecosystem from day one, but it makes sense that it took a while, and that they didn’t enter the scene until X had established itself as the standard windowing system in the UNIX world. I’ve been trying to get my hands on specifically the last HP X terminal, but they’re hard to find and often very expensive. I’d love to get a taste of a proper networked X environment on real UNIX, in the way people actually used to use it professionally.

As a side note, Siebenmann is doing such an excellent job with these stories about UNIX, X11, and related matters. He’s like the Raymond Chen of the UNIX world.

postmarketOS v25.06 released with systemd

This is it, the one that adds systemd to postmarketOS! We have talked about the decision at length on this blog, make sure to read the initial announcement if this is the first time you are hearing about this.

↫ postmarketOS v25.06 release announcement

While adding systemd to postmarketOS is certainly the tentpole feature of this release, it also updates the various user interfaces – GNOME’s and KDE’s mobile shells and applications – and moves to Alpine Linux 3.22 as its base. The mobile user interfaces for both Firefox and Thunderbird have been updated as well, there’s a ton of improvements and additions for individual devices, and a lot more.

PostmarketOS, in case you are unaware, is a Linux distribution optimised for smartphones, focused on running mobile shells and applications. It’s not ready for prime-time quite yet, and device support will probably be the biggest hurdle for anyone wanting to try it out.

YouTube’s new anti-adblock measures

Over the past few months, YouTube has been trying another round of anti-adblock measures. Currently the anti-adblock stuff is being A/B tested, and one of my accounts is in the experimental group. I wrote a filter that partially avoids one of the anti-adblock measures, fake buffering, on uBlock Origin (and Brave browser, since it uses the same filter rules). (It’s already in the default filter lists, you don’t need to manually add the filter.)

One thing that people have run into is “fake buffering”, where videos will take a while to load due to a lot of buffering, but only at the very start of the video (there’s no mid-video fake buffering). As I’ll explain, the fake buffering is 80% of the length of the ads you would’ve seen, so even with fake buffering you’re still saving time using an adblocker.

↫ iter.ca

The battle between YouTube on one side, and users wanting a non-shitty experience without paying for YouTube Premium on the other, is unlikely to end any time soon. Your computer, your rules, so I’m on the side of the people wanting to block ads on YouTube – the same applies to OSNews if you don’t want to pay for our ad-free version – but I’m still intrigued to find out just how far Google is willing to go.

I sometimes see YouTube with ads at other people’s homes. It’s a nightmare.

Cosmoe, BeOS/Haiku on Linux, returns from 18 year hiatus

It’s 2025, and we’re going to talk about BeOS, AtheOS, Cosmoe, and OpenBeOS, all in one news item, right here, right now, on OSNews.

In the very early 2000s, Cosmoe was a unique project that started out as a merger of the AtheOS userland with the Linux kernel. AtheOS, in turn, was one of the quintessential hobby operating systems of the golden age of the advanced hobby operating systems, the early 2000s. AtheOS would eventually be abandoned in 2002, but would be forked into Syllable and continue development until it, too, was eventually abandoned in 2012.

Cosmoe was the brainchild of Bill Hayden, and originally consisted of the AtheOS userland running on top of the Linux kernel, in order to address the lack of supported hardware a custom operating system kernel inevitably has to deal with. Not long after the start of Cosmoe, AtheOS was abandoned, as mentioned above, but a new project had entered the scene: OpenBeOS, now known as Haiku. Hayden switched gears, and instead started porting the parts that made up OpenBeOS to run on the Linux kernel.

This project progressed nicely, but in 2007 Cosmoe came to a halt (ironically, our last item about Cosmoe is “Cosmoe is back”) as Hayden had no more free time left to work on it, being a father of five, and so he decided to put the project on hold indefinitely. That is, until last year, when everything changed.

In mid-2024, my 3rd son Joshua, not even born when I started this project but who is now in college studying to be a programmer himself, had some questions about operating systems. I decided to dust off Cosmoe and see if I could get it running again, to show him what I had worked on. At first it would only compile and run on extremely old 32-bit versions of Mandrake Linux from 2007. But I had caught the bug again. Not only had I forgotten how fun Cosmoe was to program, but the intervening 17 years of progress made by OpenBeOS (now Haiku) made certain aspects of this revival come at lightning speed. Day by day, week by week, I got it running on newer versions of Linux, and re-synchronized it with ever-more-recent releases of Haiku. After about 2 months of late-night effort, I had a version of Cosmoe that was 64-bit compatible, ran on multiple modern Linux releases, and was almost completely up-to-date with the latest Haiku source changes.

↫ Cosmoe’s history page

We’re halfway through 2025 now, and Cosmoe now exists as two separate, but related projects. There’s Cosmoe Classic, which is the updated and modernised incarnation of Cosmoe’s original concept: Haiku’s userland running on top of the Linux kernel. In its current form, it runs inside an SDL window on your Linux desktop, as there’s no native video driver. Cosmoe Classic, however, is not what Hayden is focusing on.

Instead, Hayden is focusing on the new Cosmoe, which takes the same idea – the Haiku userland running on a Linux kernel – but implements it in a completely different way:

Cosmoe is a C++ class library that allows developers to build rich, native Linux apps with the easy-to-use BeOS API. This library is a light-weight, serverless version of Cosmoe Classic which targets the Wayland compositor on Linux.

↫ Cosmoe’s GitLab page

What Cosmoe on Wayland (to differentiate it from Cosmoe Classic) allows you to do is run BeOS/Haiku applications on Linux, provided you are running Wayland. The project is in an alpha state, but once compiled, it comes with a few BeOS/Haiku sample applications you can run right on your Wayland-based Linux desktop. Hayden states that about 95% of the BeOS API is implemented in Cosmoe, with the TODO file giving an idea of what tasks need to be done to improve compatibility and implement other improvements.

The return of Cosmoe is certainly not something I saw coming, but I’m incredibly excited. I’m not entirely sure about the usefulness of running Haiku applications on Wayland on Linux, but who the hell cares – this is an awesome project, with a ton of cherished history behind it that gives me butterflies in my stomach. It’s absolutely beautiful to see a project like this come back to life in 2025.

Cosmoe is back. Again.

libxml2 maintainer ends embargoed vulnerability reports, citing unsustainable burden

The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support.

[…]

Wellnhofer’s blunt assessment is that coordinated disclosure mostly benefits large tech companies while leaving maintainers doing unpaid work. He criticized the OpenSSF and Linux Foundation membership costs as a financial barrier to single person maintainers gaining additional support.

↫ Sarah Gooding

The problem is that, according to Wellnhofer, libxml2 was never supposed to be widely used, but now every major technology company with billions in quarterly revenue is basically expecting an unpaid maintainer to fix the security issues – many of which are questionable – they throw his way.

The point is that libxml2 never had the quality to be used in mainstream browsers or operating systems to begin with. It all started when Apple made libxml2 a core component of all their OSes. Then Google followed suit and now even Microsoft is using libxml2 in their OS outside of Edge. This should have never happened. Originally it was kind of a growth hack, but now these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve libxml2.

The behavior of these companies is irresponsible. Even if they claim otherwise, they don’t care about the security and privacy of their users. They only try to fix symptoms.

↫ Nick Wellnhofer

It’s wild that a library never intended to be widely used in any critical infrastructure is now used all over the place, even though it just does not have the level of quality and security needed to perform such a role. These are the words of Wellnhofer himself – an addition to the project’s readme now makes this point very clear, and I absolutely love the wording:

This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data. As such, we treat security issues like any other bug. Each security report we receive will be made public immediately and won’t be prioritized.

↫ libxml2’s readme

If you want libxml2 to fulfill a role it was never intended to fulfill, make it happen. With contributions. With money. Don’t just throw a whole slew of security demands a sole maintainer’s way and hope he will do the work for you.

rou2exOS: a DOS-like hobby operating system written in Rust

rou2exOS is a 64-bit DOS-like operating system (OS). The system is mainly written in Rust, but some portion of x86 assembly is used as well (inline + freestanding code for the stage2 kernel loading).

↫ Blog post about rou2exOS at blog.vxn.dev

It can do basic VGA operations, comes with a very barebones networking stack, realtime clock support, a FAT12 driver, and a few more tidbits. It’s a rewrite of the previous iteration of the hobby operating system.