Even the birthplace of the world wide web wants you to use adblockers

I recently removed all advertising from OSNews, and one of the reasons to do so is that online ads have become a serious avenue for malware and other security problems. Advertising on the web has become such a massive security risk that even the very birthplace of the world wide web, CERN, now strongly advises its staff to use adblockers.

If you value your privacy and, also important, if you value the security of your computer, consider installing an ad blocker. While there is a plethora of them out there, the Computer Security Office’s members use, e.g. uBlock Origin (Firefox) or Origin Lite (Chrome), AdblockPlus, Ghostery and Privacy Badger of the US-based Electronic Frontier Foundation. They all come in free (as in “free beer”) versions for all major browsers and also offer more sophisticated features if you are willing to pay. Once enabled, and depending on your desired level of protection, they can provide another thorough layer of protection to your device – and subsequently to CERN.

↫ CERN’s Computer Security Office

I think it’s high time lawmakers take a long, hard look at the state of online advertising, and consider taking strong measures like banning online tracking and targeted advertising. Even the above-board online advertising industry is built atop dubious practices and borderline criminal behaviour, and things only get worse from there. Malicious actors even manage to infiltrate Google’s own search engine with dangerous ads, and that’s absolutely insane when you think about it.

I’ve reached the point where I consider any website with advertising to be disrespectful and putting its visitors at risk, willingly and knowingly. Adblockers are not just a nice-to-have, but an absolute necessity for a pleasant and safe browsing experience, and that should be an indicator that we need to really stop and think what we’re doing here.

The GNU Guix System’s lack of manpower problems

As if Francesco P. Lovergine heard my prayers, he wrote an article detailing his experiences with using Guix. Considering he’s a longtime Debian developer, we’re looking at someone who knows a thing or two about Linux.

In the last few months, I have installed and upgraded my second preferred GNU/Linux system, GNU Guix, on multiple boxes. Regarding that system, I have already written a few introductory posts in the recent past. This is an update about my experiences as a user and developer. I still think Guix is a giant step forward in packaging and management, in comparison with Debian and other distributions, for elegance and inner coherence.

↫ Francesco P. Lovergine

Lovergine found some problems with Guix, most notably those stemming from a lack of manpower. It’s not a hugely popular package management system and associated distribution, so the team of developers behind it is relatively small, and this leads to issues like outdated packages, problems arising from updates, and possible security issues. There’s no specific security team, for instance, but at least it’s easy to roll back updates due to the nature of Guix.

Another problem, partially related to the lack of manpower, stems from the fact that the GNU Guix System uses some unusual systems, most notably GNU Shepherd. This init system is an alternative to the widely-used systemd, alongside other alternatives like runit (which I use through Void Linux), but due to its relative lack of popularity, it can take some time for more complex packages to be made compatible with it. Especially some packages – like GNOME – that depend more and more on systemd are going to lag behind on Guix.

For anyone with decent Linux experience and a willingness to tinker, I don’t think any of these issues – and the others Lovergine mentions – are dealbreakers. Sure, you might not want to deploy the GNU Guix System on a production system or anything that requires solid, strong security, but for personal and enthusiast use it seems like an interesting and somewhat unorthodox Linux distribution.

Microsoft publishes source code to Microsoft BASIC Version 1.1

This assembly language source code represents one of the most historically significant pieces of software from the early personal computer era. It is the complete source code for Microsoft BASIC Version 1.1 for the 6502 microprocessor, originally developed and copyrighted by Microsoft in 1976-1978.

↫ Microsoft BASIC Version 1.1 GitHub page

An amazing historical artifact to have, and I’m glad we now have the source code available for posterity. I hope Microsoft gets on with it, though, as I think it’s high time we get official open source releases of things like Windows 3.x, 95, earlier Office releases, and so on.

Towards Rust in Windows drivers

Microsoft has been working on allowing driver developers to write Windows drivers in Rust, and the company has published a progress report detailing this effort. In the windows-drivers-rs GitHub repository you’ll find a bunch of Rust crates for writing Windows drivers in Rust.

Using these crates, driver developers can create valid WDM, KMDF, and UMDF driver binaries that load and run on a Windows 11 machine.

[…]

Drivers written in this manner still need to make use of unsafe blocks for interacting with the Windows operating system, but can take advantage of Rust’s rich type system as well as its safety guarantees for business logic implemented in safe Rust. Though there is still significant work to be done on abstracting away these unsafe blocks (more on this below), these Rust drivers can load and run on Windows systems just like their C counterparts.

↫ Nate Deisinger at the Windows Driver Developer Blog

As mentioned above, there’s still work to be done with reducing the amount of unsafe Rust code in these drivers, and Microsoft is working on just that. The company is developing safe Rust bindings and abstractions, as well as additional safe structs and APIs beyond the Windows Driver Framework, but due to the complexity of Windows drivers, this will take a while.

Microsoft states that it believes memory-safe languages like Rust are the future of secure software development, but of course, in true Microsoft fashion, the company doesn’t want to alienate developers writing traditional drivers in C either.

Class justice: Google gets away with a gentle pat on the wrist for its illegal monopoly abuse

A little over a year ago, DC District Court Judge Amit Mehta ruled that Google is a monopolist and violated US antitrust law. Today, Mehta ruled that while Google violated the law, there won’t be any punishment for the search giant. They don’t have to divest Chrome or Android, they can keep paying third parties to preload their services and products, and they can keep paying Apple €20 billion a year to be the default search engine on iOS.

Mehta declined to grant some of the more ambitious proposals from the Justice Department to remedy Google’s behavior and restore competition to the market. Besides letting Google keep Chrome, he’ll also let the company continue to pay distribution partners for preloading or placement of its search or AI products. But he did order Google to share some valuable search information with rivals that could help jumpstart their ability to compete, and bar the search giant from making exclusive deals to distribute its search or AI assistant products in ways that might cut off distribution for rivals.

↫ Lauren Feiner at The Verge

Mehta granted Google a massive win here, further underlining that as long as you’re wealthy, a corporation, or better yet, both, you are free to break the law and engage in criminal behaviour. The only thing you’ll get is some mild negative press and a gentle pat on the wrist, and you can be on your merry way to continue your illegal behaviour. None of it is surprising, except perhaps for the brazenness of the class justice on display here.

The events during and course of this antitrust case mirror those of the antitrust case involving Microsoft, over 25 years ago. Microsoft, too, had a long, documented, and proven history of illegal behaviour, but like Google today, also got away with a similar gentle pat on the wrist. It’s likely that the antitrust cases currently running against Apple and Amazon will end in similar gentle pats on the wrist, further solidifying that you can break the law all you want, as long as you’re rich.

Thank god the real criminal scum is behind bars.

A gentle introduction to CP/M

For an operating system that was once incredibly popular and expected to become a standard for a long time to come, it’s remarkable how little experience most people have with CP/M. In fact, many conventions and historical limitations you might be aware of – like the 8.3 filename convention of DOS – come straight from CP/M, as it influenced DOS considerably. It’s quite easy to emulate CP/M today, but it’s just old and different enough that getting into it might be a bit confusing, but that’s where Eerie Linux’s introduction to CP/M comes into play.

This article is just what the headline promises: an introduction to the CP/M operating system. No previous knowledge of 1970s and early ’80s operating systems is required. However, some familiarity with Linux or a BSD-style operating system is assumed, as the setup process suggested here involves using a package manager and command-line tools. But why explore CP/M in the 2020s? There are (at least) two good reasons: 1) historical education 2) gaining a better understanding of how computers actually work.

↫ Eerie Linux

This article is a great way to get up and running with CP/M fairly quickly, and I intend to do just that when I find some time to mess around with it. What are some of the core, crucial applications that one should try on CP/M? Things people would be using back when CP/M was properly in use?

You no longer need JavaScript

My goal with this article is to share my perspectives on the web, as well as introduce many aspects of modern HTML/CSS you may not be familiar with. I’m not trying to make you give up JavaScript, I’m just trying to show you everything that’s possible, leaving it up to you to pick what works best for whatever you’re working on.

I think there’s a lot most web developers don’t know about CSS.

And I think JS is often used where better alternatives exist.

So, let me show you what’s out there.

↫ Lyra Rebane

As someone who famously can’t program, the one thing I like about CSS is that I find it quite readable and generally easy to figure out how I can change things like colours, fonts, and so on. Of course, anything more complex will still break my brain, but even the more complex elements are still at least nominally readable, and it’s often quite easy to determine what a piece of CSS does, even if I don’t know how to manipulate it or how to get even close to any desired result. It’s like how the fact I learned Latin and French in high school makes it possible for me to nominally understand a text in Spanish, even if I have never spent a single second studying it.

JavaScript, on the other hand, is just a black box, incomprehensible gibberish I can’t make heads or tails of, which in my mind goes against what the web is supposed to be about. The web is supposed to be an open platform in more ways than one, and the ability to make a website should not be hidden behind complex programming languages or website builder gatekeepers. The fact JavaScript is a resource hog and misused all over the place sure doesn’t help, either.

If you want to know more about the current state of CSS, the linked article by Lyra Rebane is a great place to start. I wish I had the skills to finally give OSNews a full makeover, but alas, I don’t.

We need to seriously think about what to do with C++ modules

Jussi Pakkanen, creator of the Meson build system, has some words about modules in C++.

If C++ modules can not show a 5× compilation time speedup (preferably 10×) on multiple existing open source code base, modules should be killed and taken out of the standard. Without this speedup pouring any more resources into modules is just feeding the sunk cost fallacy.

That seems like a harsh thing to say for such a massive undertaking that promises to make things so much better. It is not something that you can just belt out and then mic drop yourself out. So let’s examine the whole thing in unnecessarily deep detail. You might want to grab a cup of $beverage before continuing, this is going to take a while.

↫ Jussi Pakkanen

I’m not a programmer so I’m leaving this for the smarter people among us to debate.

Redox gets COSMIC Readers and tons of bugfixes

The months keep slipping through our fingers, during this, our slow but relentless march towards the inevitability of certain death, so it’s time for another month of improvements to Redox, the general-purpose microkernel operating system written in Rust. This past month the work to bring various components of system76’s COSMIC desktop environment to Redox continues, with COSMIC Reader making its way to Redox. Jeremy Soller, creator of the Redox project and one of its primary engineers, will be using COSMIC Reader running on Redox to hold a presentation about Redox at RustConf.

Aside from that important port, this month – in the middle of summer in this hemisphere – seems to mostly consist of a ton of smaller bugfixes and improvements. Relibc, Redox’ C standard library, has seen a ton of work, as usual, a few ports were fixed and updated, like vim and OpenSSH, Orbital now has fullscreen support, and so, so much more.

Apparently, Windows antivirus marking Linux ISOs as malware is a common issue

DistroWatch’s Jesse Smith is bringing some attention to an issue I have never encountered and had never heard of, and it has to do with antivirus software on Windows. It seems it’s not uncommon for antivirus software on Windows to mark Linux ISOs as malware or otherwise dangerous, and it seems people are reporting these findings to DistroWatch, for some reason. DistroWatch makes it clear they don’t host any of the ISOs, and that close to all of these warnings from antivirus software are false positives.

So why do multiple Windows virus scanners report that they find malware in Linux downloads? Putting aside the obvious conspiracy theories about anti-virus vendors not wanting to lose customers, what is probably happening is the scanners are detecting an archive file (the ISO) which contains executable code, and flagging it as suspicious. Some of the code is even able to change the disk layout, which is something that looks nasty from a security point of view. It’s entirely understandable that a malware scanner which sees an archive full of executable code that could change the way the system boots would flag it as dangerous.

↫ Jesse Smith at DistroWatch

I wonder how many people curious about Linux downloaded an ISO, only to delete it after their Windows antivirus marked it as dangerous. I can’t imagine the number to be particularly high – if you’re downloading a Linux ISO, you’re probably knowledgeable enough to figure out it’s a false positive – but apparently it’s a big enough issue that DistroWatch needs to inform its readers about it, which is absolutely wild to me.

IceWM 3.9.0 released

Another small release for the IceWM window manager – one of the staples of the open source world. IceWM 3.9.0 seems focused mostly on cursor-related changes, as it adds libXcursor as an alternative to XPM cursors. This means IceWM is no longer dependent on libXpm, and gains the benefits that come with Xcursor. There’s the usual few bugfixes and translation updates as well.

The first computer Linux was ever installed on

I stumbled upon an LWN.net article from 2023, in which Lars Wirzenius, a long-time Debian developer and friend of Linus Torvalds, recalls the very early days of Linux – in fact, before it was even called Linux. There’s so many fun little stories in here, like how the Linux kernel started out as a multitasking demo written in x86 assembly, which did nothing more than write As and Bs on the screen, or the fact Linux was originally called Freax before Ari Lemmke, one of the administrators of ftp.funet.fi, opted for the name “Linux” when uploading the first release.

However, my favourite story is about what installing Linux was like during those early days.

During this time, people were interested in trying out this new thing, so Linus needed to provide an installation method and instructions. Since he only had one PC, he came to visit to install it on mine. Since his computer had been used to develop Linux, which had simply grown on top of his Minix installation, it had never actually been installed before. Thus, mine was the first PC where Linux was ever installed. While this was happening, I was taking a nap, and I recommend this method of installing Linux: napping, while Linus does the hard work.

↫ Lars Wirzenius at LWN.net

The entire article is a joy to read, and since it’s from 2023, I’m sure I’m late to the party and none of it is news to many of you. On a more topical note, Wirzenius published a short article today detailing why he still uses Debian, after all these decades.

EDK2: UEFI for the ROCK 5 ITX+ ARM board

I am a huge fan of my Rock 5 ITX+. It wraps an ATX power connector, a 4-pin Molex, PoE support, 32 GB of eMMC, front-panel USB 2.0, and two Gen 3×2 M.2 slots around a Rockchip 3588 SoC that can slot into any Mini-ITX case. Thing is, I never put it in a case because the microSD slot lives on the side of the board, and pulling the case out and removing the side panel to install a new OS got old with a quickness.

I originally wanted to rackmount the critter, but adding a deracking difficulty multiplier to the microSD slot minigame seemed a bit souls-like for my taste. So what am I going to do? Grab a microSD extender and hang that out the back? Nay! I’m going to neuralyze the SPI flash and install some Kelvin Timeline firmware that will allow me to boot and install generic ARM Linux images from USB.

↫ Interfacing Linux

Using EDK2 to add UEFI to an ARM board is awesome, as it solves some of the most annoying problems of these ARM boards: they require custom images specifically prepared for the board in question. After flashing EDK2 to this board, you can just boot any ARM Linux distribution – or Windows, NetBSD, and so on – from USB and install it from there. There’s still a ton of catches, but it’s a clear improvement.

The funniest detail for sure, at least for this very specific board, is that the SPI flash is exposed as a block device, so you can just use, say, the GNOME Disk Utility to flash any new firmware into it. The board in question is a Radxa ROCK 5 ITX+, and they’re not all that expensive, so I’m kind of tempted here. I’m not entirely sure what I’d need yet another computer for, honestly, but it’s not like that’s ever stopped any of us before.

Blocky Planet: making Minecraft spherical

Blocky Planet is a tech demo I created in the Unity game engine that attempts to map Minecraft’s cubic voxels onto a spherical planet. The planet is procedurally generated and fully destructible, allowing players to place or remove more than 20 different block types.

While much of the implementation relies on common techniques you’d expect from your average Kirkland brand Minecraft clone, the spherical structure introduces a number of unique design considerations. This post will focus on these more novel challenges.

↫ Bowerbyte

What a great read. Turning a ‘flat earth’ game like Minecraft into something taking place on a spherical world seems impossible at first, but it seems Bowerbyte managed to do it. If you’ve ever wondered what it would be like to play a Minecraft-like game on an actual sphere, this is it.

Genode OS Framework 25.08 released

Genode 25.08 is ripe with deeply technical topics that have been cooking since the beginning of the year or even longer. In particular our new kernel scheduler as the flagship feature of this release has been in the works since February 2024. Section Kernel scheduling for fairness and low latency tells its background story and explains the approach taken. Another culmination of a long-term endeavor is the introduction of an alternative to XML syntax, specifically designed for the usage patterns of Genode and Sculpt OS. Section Consideration of a lean alternative to XML kicks off the practical evaluation of an idea that gradually evolved over more than two years. Also the holistic storage optimizations presented in Section Block-storage stack renovations are the result of careful long-term analysis, planning, and execution.

↫ Genode 25.08 release notes

While these are the three tentpole features for this release, there’s a whole lot more here, as well. Genode’s Linux-based PC device drivers have all been updated to Linux 6.12, there are a ton of fixes related to USB, optional EFI boot support in VirtualBox 6, and tons more.

The EU needs a corporate “open source contribution tax” to fund open source maintainers

Open source, the thing that drives the world, the thing Harvard says has an economic value of 8.8 trillion dollars (also a big number). Most of it is one person. And I can promise you not one of those single person projects have the proper amount of resources they need. If you want to talk about possible risks to your supply chain, a single maintainer that’s grossly underpaid and overworked. That’s the risk. The country they are from is irrelevant.

↫ Josh Bressers

If the massive corporations that exploit the open source world for massive personal profit don’t want to contribute back, perhaps it’s time we start making them.

I envision a European Economic Area-wide “open source contribution tax”, levied against any technology corporation operating within the European Economic Area, whether they actually make use of open source code or not, not entirely unlike how insurance works – you pay into it even if you don’t make any claims. Such tax could be based on revenue, number of users, or any combination thereof or other factors. The revenue from this open source contribution tax is put into an EEA-wide fund and redistributed to EEA-based open source maintainers in the form of a monetary subsidy.

Such types of taxes and money redistribution frameworks already exist in virtually every country for a whole wide variety of purposes and in a wide variety of forms, both in non-commercial and commercial settings. While it may seem complicated at first, it really isn’t. The most difficult aspect is definitely figuring out who, exactly, would be eligible to receive the subsidy and how much, but that, too, is a question both governments and commercial entities answer every single day. No, it will never be perfect, and some people will receive a subsidy who shouldn’t, and some who should receive it will not, but if that’s a valid reason not to implement a tax like this, no tax or insurance should be implemented.

The benefits are legion. Of course, there is the primary benefit of alleviating the thousands of open source maintainers who form the backbone of pretty much our entire digital infrastructure, which in and of itself should be reason enough. On top of that, it would also strengthen the open source world – on which, I wish to reiterate, our entire digital infrastructure is built – against the kind of infiltration we saw with XZ Utils. And to put another top on top of that, it would cement Europe, or the EEA more specifically, as the hub for open source development, innovation, and leadership, and would surely attract countless open source maintainers to relocate to Europe. In other words, it would serve the grander European ambition to become less dependent on the criminal behaviour of US tech giants and the erratic behaviour of the US government.

We can either wait indefinitely for those who exploit the free labour of open source maintainers to contribute, or we make them.

In-application browsers: the worst erosion of user choice you haven’t heard of

A long, long time ago, Android treated browser tabs in a very unique way. Individual tabs were seen as ‘applications’, and would appear interspersed with the recent applications list as if they were, indeed, applications. This used to be one of my favourite Android features, as it made websites feel very well integrated into the overall user experience, and gave them a sense of place within your workflows.

Eventually, though, Google decided to remove this unique approach, as we can’t have nice things and everything must be bland, boring, and the same, and now finding a website you have open requires going to your browser and finding the correct tab. More approachable to most people, I’d wager, but a reduction in usability, for me. I still mourn this loss.

Similarly, we’ve seen a huge increase in the use of in-application browsers, a feature designed to trap users inside applications, instead of letting them freely explore the web the moment they click on a link inside an application. Application developers don’t want you leaving their application, so almost all of them, by default, will now open a webview inside the application when you click on an outbound link. For advertising companies, like Google and Facebook, this has the additional benefit of circumventing any and all privacy protections you may have set up in your browser, since those won’t apply to the webview the application opens.

This sucks. I hate in-application browsers with a passion. Decades of internet use have taught me that clicking on a link means I’m opening a website in my browser. That’s what I want, that’s what I expect, and that’s how it should be. In-application webviews entirely break this normal chain of events; not because it improves the user experience, but because it benefits the bottom line of others.

It’s also a massive security risk.

Worst of all, this switch grants these apps the ability to spy and manipulate third-party websites. Popular apps like Instagram, Facebook Messenger and Facebook have all been caught injecting JavaScript via their in-app browsers into third party websites. TikTok was running commands that were essentially a keylogger. While we have no proof that this data was used or exfiltrated from the device, the mere presence of JavaScript code collecting this data combined with no plausible explanation is extremely concerning.

↫ Open Web Advocacy

Open Web Advocacy has submitted a detailed and expansive report to the European Commission detailing the various issues with these in-application browsers, and suggests a number of remedies to strengthen security, improve privacy, and preserve browser choice. I hope this gets picked up, because in-application browsers are just another way in which we’re losing control over our devices.

Word to save new files on Microsoft’s servers by default

You already need custom scripts and third-party applications that make custom Windows ISOs to make installing Windows somewhat bearable – unless you enjoy spending hours manually disabling all the anti-user settings in Windows – and now there’s another setting to add to the massive, growing list of stuff you have to fix after setting up a new Windows installation. Microsoft has announced that Word will start saving every new file to OneDrive (or another provider if you’ve installed one) by default.

We are modernizing the way files are created and stored in Word for Windows! Now you don’t have to worry about saving your documents: Anything new you create will be saved automatically to OneDrive or your preferred cloud destination.

↫ Raul Munoz on the Microsoft 365 Insider Blog

There’s the usual spiel of how this is safer and supposedly more convenient, but I suspect the real reason Microsoft is doing this is listed right there at the end of the list of supposed benefits: this enables the use of Copilot’s “AI” features right from the beginning. In other words, by automatically saving your new Word documents to OneDrive by default, you’re giving Microsoft access to whatever you write for “AI” training purposes.

The setting can be changed, but defaults matter and few people change them. It’s also possible to set another provider than OneDrive as your online storage, but again – defaults matter. In fact, I wouldn’t be surprised if few people will even realise their Word documents will be stored not on their local PC, but on Microsoft’s servers.

Dick Pick’s unique database operating system

We usually at least recognize old computer hardware and software names. But Asianometry taught us a new one: Pick OS. This 1960s-era system was sort of a database and sort of an operating system for big iron used by the Army. The request was for an English-like query language, and TRW assigned two guys, Don Nelson and Dick Pick, to the job.

The planned query language would allow for things like “list the title, author, and abstract of every transportation system reference with the principal city ‘Los Angeles’.” This was GIM or generalized information management, and, in a forward-looking choice, it ran in a virtual machine.

↫ Al Williams at Hackaday

The linked article is a short summary of a YouTube video by the YouTube channel Asianometry, which goes into a lot more detail about Pick OS, where it came from, what it can do, who the people involved were, and where Pick OS eventually ended up. I had never heard of this system before, and it’s easy to see why – not only was it used almost exclusively in vertically integrated complete solutions, it was also whitelabeled, so it existed under countless different names.

Regardless, it seems the people who actually had to use it were incredibly enthusiastic about it, and to this day you can read new comments from people fondly remembering how easy to use it was. It has always been proprietary, and still is to this day, apparently owned by a company called Rocket Software, who don’t seem to actually be doing anything with it.

Guix gets a new Rust packaging model

While Nix and NixOS get all the attention when it comes to declarative package management, there are other, competing implementations of the same general idea. Guix, developed as part of the GNU Project, was originally based on Nix, but grew into its own thing. The project recently announced a major change to how it packages Rust and its countless dependencies and optional ‘crates’.

We have changed to a simplified Rust packaging model that is easier to automate and allows for modification, replacement and deletion of dependencies at the same time. The new model will significantly reduce our Rust packaging time and will help us to improve both package availability and quality.

↫ Hilton Chain at the Guix blog

I hear people talk about Nix and NixOS all the time – I tried it myself, too, but I felt I was using an IBM z17 mainframe to watch a YouTube video – and in fact, Nix has kind of become a meme in and of itself, but you never hear people talk about Guix. With this being OSNews, I’m assuming there’s going to be people here using it, and I’m incredibly curious about your experiences. What are the features and benefits that make you use it?

If you’re curious – the best way to try Guix is probably to install the GNU Guix System, the Linux distribution built around Guix and Shepherd, GNU’s alternative init system. It’s available for i686, x86_64, ARMv7, and AArch64, and can be virtualised too, of course.