IMHO those are both lipstick on a pig solutions. Ultimately all this stuff is just a variation of "make releases harder to publish", which isn't going to do anything but train people to evade them. Notably, neither would have prevented the xz-utils backdoor from reaching package distribution, which remains the gold standard for sophisticated upstream compromise.
The bug here isn't that we need to better authenticate already-trusted upstreams for packages, it's that the upstreams cannot be trusted as the sole source for security at all. Upstreams are a bunch of hackers[1] who aren't really interested in, nor will ever be good at, solid release engineering practices.
But some people are! The solution in the Linux world (and the one that saved us from xz-utils) is that there is a second level of human beings responsible for reviewing, auditing, packaging, and customizing those hacker-generated upstreams for the benefit of their users. These people have different eyes, different consumer requirements and different quality metrics. And they catch bugs and malfeasance that the upstreams aren't prepared to do.
NPM (and cargo/PyPI et. al.) continues to think it can short circuit this requirement for human labor. It can't.
[1] In NPM's particular ecosystem, a bunch of web jockeys used to extremely fast release processes, loose compatibility requirements, and extreme reliance on reuse. This really explains why we see this with node packages more than Python or Rust: older and more conservative programmers just don't have as many rakes to step on.
> The solution in the Linux world ... is that there is a second level of human beings...
AKA "unpaid labor". I don't think that's a good solution, either. Certainly it's only by pure luck that no malefactors have infiltrated the ad hoc, anonymous social proof communities that Linux depends on, and I don't think other systems should emulate it.
The real solution (for Linux too) is a paid package curation service. Or really, a small handful of them competing on price, speed, reliability.
> ... a second level of human beings responsible for reviewing, auditing, packaging, and customizing those hacker-generated upstreams for the benefit of their users.
> The real solution (for Linux too) is a paid package curation service. Or really, a small handful of them competing on price, speed, reliability.
That was also what I was thinking aloud a moment ago. And there would be a business opportunity, too. Perhaps not like RHEL et al. full-blown stuff per se, but say smaller scale guarantees with different pricing; web, AI, scientific computing, and whatnot. At the pace things are progressing, I'd guess you might even get desktop etc. users on board (for nominal pricing).
> Certainly it's only by pure luck that no malefactors have infiltrated the [pinko commie Linux hippy commune]
Yeah... no. Sorry, that's a wild misunderstanding of the economics of the Linux ecosystem, modern libertarian thought and the employment status of people with write access to the packaging layers.
But there is a second level of people reviewing packages on npm. They're the ones that report issues like the github issue this HN thread is linked to, and they very frequently get malicious npm packages taken down within a day of publishing. The big issue is just that not everyone is using a cooldown to avoid packages less than a day old and so people who install new packages at unlucky times don't get the benefit of that layer of review.
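The "cooldown" the comment above describes is a check that can be run against registry metadata before an install. The following is an added example, not code from the commenter or from npm: it takes a packument's `time` map (the npm registry really does publish one, keyed by version string plus `created`/`modified`, with ISO-8601 publish timestamps) and picks the newest stable version that has been public for at least a minimum age. The sample map and the version numbers in it are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a packument's "time" map:
# version -> publish time, plus the registry's "created"/"modified" bookkeeping keys.
SAMPLE_TIME_MAP: Dict[str, str] = {
    "created": "2023-01-10T12:00:00.000Z",
    "modified": "2024-06-02T08:30:00.000Z",
    "1.4.2": "2023-11-20T09:15:00.000Z",
    "1.5.0": "2024-05-28T16:45:00.000Z",
    "1.6.0-rc.1": "2024-05-30T10:00:00.000Z",  # prerelease: never auto-selected
    "1.5.1": "2024-06-02T08:30:00.000Z",       # published hours ago: inside the cooldown
}


def parse_version(key: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) for a stable version string, None for anything else
    (prereleases such as 1.6.0-rc.1 and the non-version keys created/modified)."""
    if "-" in key:
        return None
    try:
        return tuple(int(part) for part in key.split("."))
    except ValueError:
        return None


def parse_publish_time(stamp: str) -> datetime:
    # Registry timestamps are UTC with millisecond precision and a trailing Z.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def versions_in_cooldown(time_map: Dict[str, str], now: datetime, min_age: timedelta) -> List[str]:
    """Stable versions that are still younger than min_age and must not be installed yet."""
    young = []
    for key, stamp in time_map.items():
        if parse_version(key) is None:
            continue
        if now - parse_publish_time(stamp) < min_age:
            young.append(key)
    return sorted(young, key=parse_version)


def pick_cooled_version(time_map: Dict[str, str], now: datetime, min_age: timedelta) -> Optional[str]:
    """Highest stable version whose publish time is at least min_age before now.
    Returns None when nothing has aged enough, which a wrapper should treat as 'do not install'."""
    candidates = []
    for key, stamp in time_map.items():
        version = parse_version(key)
        if version is None:
            continue
        if now - parse_publish_time(stamp) >= min_age:
            candidates.append((version, key))
    if not candidates:
        return None
    return max(candidates)[1]


if __name__ == "__main__":
    now = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)
    print("install:", pick_cooled_version(SAMPLE_TIME_MAP, now, timedelta(days=1)))
    print("held back:", versions_in_cooldown(SAMPLE_TIME_MAP, now, timedelta(days=1)))
```

The one-day floor is the comment's own suggestion; the trade-off is that a fix for a vulnerability is held back for the same window as a malicious release, so the check belongs in front of automated installs, not as a replacement for reading advisories.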
> Notably, neither would have prevented the xz-utils backdoor from reaching package distribution, which remains the gold standard for sophisticated upstream compromise.
Mandating that the final binary is compiled without having any access to any test file would have prevented the xz-utils backdoor as it was conceived, though.
A proper packaging setup would first verify that all the tests are passing and happen in an isolated environment. And that isolated environment either returns which tests failed or gives the green light.
When the greenlight is given (that all tests are passing), another environment should first delete all files related to tests and then build (in a bit-for-bit reproducible way btw and we're basically here already so that's good) the final binary / package.
If you prepare your final package in an environment that has access to test files, there are simply way too many ways obfuscated binary data can be hidden in test cases / test files.
I'm not saying the NSA (sorry, Jia Tan) wouldn't have tried something else but I think we should really move to build/packaging that discards non essential data/files before compiling.
P.S: note that as a side-effect of reproducible builds... If we have reproducible builds and if we add, later on, a builder/packager that discards tests files and ends up with a final package that's not bit-for-bit identical to the package created while having access to the test files during the build, we've just detected a backdoor hidden inside test files (like the XZ utils one). As a really mindboggling food for thoughts: if we were to recompile all the Debian binary packages that are already reproducible today (95% of them), but while discarding all tests files before the build, we may catch other backdoors.
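The two-stage pipeline and the reproducibility cross-check described in the comment above, as an added example that is not the commenter's code or any distribution's tooling. It works on an in-memory source tree so it runs offline: stage 1 runs the tests against the full tree, stage 2 builds only from a copy with every test file removed, and a separate check builds the same tree both ways and compares digests. The tree, the `.chk` test format, the test-path heuristic and both build recipes are constructed stand-ins; the "tampered" recipe models a build step that smuggles bytes out of a test fixture, which is the shape of the xz case.

```python
import hashlib
import re
from typing import Callable, Dict, List

SourceTree = Dict[str, bytes]               # path -> file contents, entirely in memory
BuildStep = Callable[[SourceTree], bytes]   # deterministic build: tree -> artifact

# Constructed heuristic for "is this test material". A real packager would take the
# list from the package's own build metadata rather than guess from paths.
_TEST_PATH = re.compile(r"(^|/)(tests?|testdata|testsuite)/|(^|/)test_[^/]+$|_test\.[^/]+$")


def is_test_file(path: str) -> bool:
    return _TEST_PATH.search(path) is not None


def strip_test_files(tree: SourceTree) -> SourceTree:
    """The tree stage 2 is allowed to see: everything except test material."""
    return {path: data for path, data in tree.items() if not is_test_file(path)}


def run_tests(tree: SourceTree) -> List[str]:
    """Stage 1: run the suite against the full tree in isolation, return the failed tests.
    Constructed test format: each tests/*.chk file holds one line 'PATH contains TEXT'."""
    failed = []
    for path, data in tree.items():
        if not (path.startswith("tests/") and path.endswith(".chk")):
            continue
        target, needle = data.decode().strip().split(" contains ", 1)
        if needle.encode() not in tree.get(target, b""):
            failed.append(path)
    return failed


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def package(tree: SourceTree, build: BuildStep) -> bytes:
    """Stage 2: refuse to build unless stage 1 is green, then build from the stripped tree."""
    failed = run_tests(tree)
    if failed:
        raise RuntimeError(f"tests failed, not packaging: {failed}")
    return build(strip_test_files(tree))


def build_depends_on_test_files(tree: SourceTree, build: BuildStep) -> bool:
    """Cross-check from the comment: a reproducible build must give a bit-identical artifact
    with or without the test files present. A mismatch means the build consumed test data."""
    return digest(build(tree)) != digest(build(strip_test_files(tree)))


# Constructed source tree. The .bin fixture stands in for an opaque test input.
TREE: SourceTree = {
    "src/lib.c": b"int encode(int x) { return x + 1; }\n",
    "src/main.c": b"int main(void) { return encode(41) - 42; }\n",
    "tests/roundtrip.chk": b"src/lib.c contains encode\n",
    "tests/files/opaque.bin": bytes(range(64)),
}


def honest_build(tree: SourceTree) -> bytes:
    """Deterministic stand-in for compilation: concatenate src/ files in sorted order."""
    return b"".join(tree[path] for path in sorted(tree) if path.startswith("src/"))


def tampered_build(tree: SourceTree) -> bytes:
    """Same build, except the build step appends fixture bytes to the artifact when it can reach them."""
    artifact = honest_build(tree)
    fixture = tree.get("tests/files/opaque.bin")
    return artifact + fixture if fixture is not None else artifact


if __name__ == "__main__":
    print("stage 1 failures:", run_tests(TREE) or "none")
    print("honest build reads test files:  ", build_depends_on_test_files(TREE, honest_build))
    print("tampered build reads test files:", build_depends_on_test_files(TREE, tampered_build))
    print("stage 2 artifact digest:", digest(package(TREE, tampered_build)))
```

Note what the cross-check does and does not give you: the stripped build of the tampered tree is byte-identical to the honest one, so the payload never reaches the package, but the mismatch only shows up because the build is deterministic. Without reproducible builds the two digests differ anyway and the signal is lost.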
> Mandating that the final binary is compiled without having any access to any test file
It would, but I'm not seeing that as a suggestion? That was a very clever side channel for hiding the build-time payload. It wasn't remotely the "root cause" of the exploit, which was that a malicious actor got write access to the release process of trusted software. I mean, if you can do that, you can surely find other clever ways to hide your junk.
To wit: you're not wrong, you're just stuck on minutiae. By all means make the case, but at best you're proposing a small constant factor optimization.
While true, tarring Arch here is a little unfair. AUR isn't enabled by default. It can't even be used via the same package front end, and in fact the "official" usage model requires that you clone the source yourself.
Indeed, AUR is bad as a software distribution mechanism (really it's best understood as a proving ground for baby packages before they get real maintainers and distro blessing), but it's less bad than NPM which puts the malware in the trusted/default/automated path.
Depends on who 'you' are. I have one package I installed from the AUR and it's from a corporation that just repackages their builds. The problem is always who vets the packages. I trust the Arch team and I trust that one corporation. Also to use the AUR it's a different command, so I can't get surprised by an AUR package. It's not like a pacman -Syu is going to pull in a new, unknown-to-me AUR package.
That sounds like an opinion baked in 2013 and never revisited. A modern chromebook with Crostini can run basically any Linux desktop stack you want. Like, what exactly are the tasks you need from a "computer that you could use like a normal computer" that you aren't getting today?
As a data point: I'm 100% converted personally. A Chromebook is what goes into my backpack and the device I use for all my general day-to-day UI clickery, and it's a better fit for my needs than Windows (not nearly as bad as it used to be but still sort of a PITA to make work as a Linux-focused dev environment) or Linux (not nearly as much of a PITA for a connected consumer network device but still has the occasional wart trying to get something weird to run).
Crostini is a mixed bag; e.g. IIRC something in their stack breaks ptrace. I prefer to wipe and install a normal Linux distro. But, when it works it works, and I do use one Chromebook with Crostini.
ptrace works fine on crostini. The guest kernel has Yama enabled, which restricts it to root for boring security reasons. You can do your debugging at a root shell or turn the setting (yama/ptrace_scope) off via sysctl.
> A modern chromebook with Crostini can run basically any Linux desktop stack you want. Like, what exactly are the tasks you need from a "computer that you could use like a normal computer" that you aren't getting today?
Well... yeah. Likewise your post is clearly about your needs, which are different. But that's not what you said, you said it "wasn't a computer" and you couldn't use it "like a normal computer". Which is obviously wrong. But I guess "normal computer" means "windows" to you, which (especially given the forum you posted on!) is a little surprising.
So what you wrote (but apparently not meant) seemed mistaken to me, thus the correction. But if you want windows then just buy windows. Your market is well served.
> Normal computer means a choice of OS to run on it without having to hack it to do that job.
That's too high a standard. When we consider MacOS along with Windows and Linux, there are basically no computers that let you freely choose between all three without hacks.
And even just considering Windows and Linux, a big chunk of the laptop market only supports Windows properly.
A laptop that runs any normal desktop OS is a normal computer.
You're losing me. Your first reply says "A computer that meets my needs must provide a choice of OSes", your second says "A computer that meets my needs must run one specific OS". To be blunt: your reasoning here is simply bunk and I don't understand it.
If you must use windows, then you must use windows and you don't have a choice. None of that has anything to do with the nonsense about Chromebooks not being "real computers" or whatever, that's just the rationalization you've decided on. Obviously they are real computers.
That works great until you inevitably need to launch some streaming service that doesn't work on Linux Chrome or whatever. The needs of "general consumer junk we all deal with" are real. I spent decades on the "I don't actually need that stuff" hamster wheel too, and... yeah, it sucks and I'm too old for that.
A Chromebook is a first class consumer device backed by a Big Threatening Tech Giant that works on all sites everywhere because no one wants to piss off Google. And it's still Linux and runs great. I'll take it.
I was too, and then AI came out, and now Codex just makes my Linux work how I want it, no needing to fiddle with .config/gconf whatever crap. I just tell it to fix my two finger scrolling on my trackpad, and it does it.
AI can't make the Mandalorian or The Last of Us play, though. This may have been fixed or worked around now, but for sure Disney+ and HBO were holdouts that refused to work on a Linux Chrome, Widevine be damned.
I mean, sure, I can torrent a copy or whatever. But there's a point at which you just don't want to deal with that nonsense. ChromeOS is Linux, in all the ways I care to measure. But it codes as "not Linux" to all the corporate overlords afraid of the nerds and hippies, and that has value too.
A local abliterated AI model with computer use could totally do the drudgery of "torrent a copy or whatever". AI deals with "that nonsense" now.
> ChromeOS is Linux, in all the ways I care to measure.
It's Linux the same way Android is technically Linux. You get this little box called Linux, and /proc isn't actually the "real" /proc because it's inside a VM. To each their own, but it's not (GNU) Linux enough for me.
Not sure why this is downvoted. This was an example from the same article.
And the answer is that the FBI wasn't involved. That was a threat the pilot made, which comes psychologically from the same place as terrorist bomb threats (and also "eat your vegetables or you'll die early" parenting). You want to control someone's behavior so you threaten maximalist retaliation.
> It can only mean that their Linux user base is growing, ie. more commercial operators are turning to Linux.
Well, more correctly that they think the commercial base has grown, and that there's revenue on the table by forcing their standard-edition-using commercial Linux users into contracts.
Maybe the thinking is that the Linux users are more sophisticated and able to self-support than windows shops, and so they're choosing not to buy support even though they could? Seems not implausible, though hard to measure even from within AMD.
Basically this seems like a "good beancounting but terrible marketing" decision out of product management. They're not being deliberately mean to their amateur users, they're just trying to squeeze out a few more dollars for their department's quarterly.
What is really interesting about Linux users is that they cost an enormous amount in support.
I think it was a dev of the reboot of Planetary Annihilation that said their Linux users / build made up a few percent of the sales but over 90 percent of all support tickets (!). Mind you that this was before Valve's Proton.
If those bugs are only present in the Linux port, then yeah, Linux users cost more to support. But if a significant amount of these bugs affect all platforms, then you could argue that a Linux user is much more valuable to them than a non-Linux user because they provide better feedback. Assuming they actually care about fixing their product.
yes, this. i don't know if it was the same game or another where the devs said that while linux users send the most bug reports they are also the most grateful about having a game that runs on linux, and all their reports genuinely helped make the game better for everyone. (wildly paraphrased from faint memory)
in other words, if you want your game tested and get good feedback for it, do release on linux. maybe even release on linux first. linux users will love you for it, and you get to release a more polished game for a wider audience on windows.
Personally, I think it's probably best to test with Proton as part of a game development cycle to reduce the overall complexity in terms of development (not that games aren't already exceedingly complex). That's just my take... especially if you want to take advantage of that extra 5% or so potential extra market share.
Part of the problem is that Linux isn't really one platform, it's 10 different ones of varying popularity (e.g. supporting Gnome on Debian with Wayland doesn't mean that KDE on Nix with X will work). And it costs somewhere in that 1-10x range to support it because of that.
Steam fixed this years ago. Many native games will default to the Steam Linux Runtime to ensure long-term compatibility and generally consolidated runtime expectations: https://github.com/ValveSoftware/steam-runtime
Compared to the dylib nightmare that Microsoft keeps shipping in Windows, native Steam/Linux is actually pretty consolidated.
When I worked at a Linux distro I worked with one device maker who told me in confidence that 90% of their revenue came from Linux-based shops and they only needed a one-person support team. They had a 20 person support team for the remaining 10% of revenue coming from Windows-based shops.
Where I work now the top 10 customers are Linux shops. They probably account for 80% of our revenue. The remaining hundreds of customers are more evenly split between Linux and Windows.
So I guess it depends very much on what industry you're in. For consumer games it might be Windows, but outside of financials and administrative realms and into the world of embedded it's a heckuva lot of Linux. Support costs tend to be lower, and you really only have to target Red Hat and Ubuntu.
Yes, and I think a free-version user might produce more support requests than a commercial user for two reasons:
1) commercial/professional users might feel more entitled to support, but typically have a better understanding of linux and more versed in fixing stuff themselves.
-- and more importantly --
2) They probably have a dedicated setup where they can run the AMD-blessed distro
It was a coup, not an "operation". We provided assistance to a domestic takeover. The only Venezuelan forces acting in opposition were the ones who didn't get the orders to stand down in time.
Potato, potato. The administration said words about stuff it did and the reasons for it, and then there's the stuff that happened for the reasons they happened.
It was about scratching an itch, not "spreading democracy".
Considering the US history of meddling south of the border, it was pretty low key. Fucked up, but low key.
The administration 100% did not say what happened, not correctly. The position of the Trump administration is that the US invaded and conquered the country and now runs it and is extracting its resources for our profit. None of that is remotely true. It's run by the same bureaucracy with a junta at the head of it that happens to be aligned with Trump geopolitically.
My only point was that the admin did whatever they did and, at least from the outside, appears to have been an "in and out" one-shot that worked in their favor.
And the only reason I mentioned that, is because invading a sovereign nation is a significant event and it would be safe to assume that they are emboldened by the success of their prior effort and think that Cuba may be a cookie-cutter repeat of that.
tl;dr -- Venezuela was easy peasy, so how hard can Cuba be?
The legality, morality, and value of this are separate matters (but I bet you can guess where I stand on them).
I mean, the wastewater issues can be real in some environments. It's not a completely insane idea and like all things can be reasonably discussed and mitigated. It's not like these things have the ecological impact of steel foundries or fruit orchards, but they're not parks either.
I do think the tech industry would be wise to do more outreach and less sneering, though. Freakouts about AI (which ultimately is what this is) aren't "rational" but they're eminently "reasonable". This isn't like electrification or aviation or the internet or whatnot (technologies that had clear, tangible benefits that everyone could see and understand), there is real discussion happening, by real experts, about essentially all non-physical labor being replaced!
And... what do regular folks get from that? Talking to robots doesn't look like a quality of life improvement!
Basically we in the upper stands here are having a "Let Them Eat Cake" moment, and we should stop. Things are getting ugly.
I don't see it that way at all, but then I'm a housing activist, and I've seen fiercer opposition to a 4-story apartment building than to some of these data centers. People just like opposing development. It's very satisfying!
When I see a protest over a golf course opening, I'll take data center water use concerns seriously.
The data centers the industry wants are all going to get built. People are being hypnotized by concentrated minority interests in specific spots in the country. The only big picture thing about it is the left-populist sideshow it's created.
That Gizmodo article says none of the things you characterize it as saying.
Except sorta - "Peter Freed, Meta’s former director of energy strategy, who spoke to Heatmap, expects only about 10% of the projects that are currently underway to ever be completed."
Perhaps that's why he's a "former director" but that doesn't really qualify as an "insider."
I do think it's a bit ridiculous though to not consider someone a tech insider who was a director for a decade at one of the biggest tech companies in history...
> The data centers the industry wants are all going to get built.
That seems very untrue - multiple areas have already banned data centers, and senators like Bernie Sanders have proposed stopping data centers nationwide. This is just the next phase of NIMBY-ism. Alternatively, source that the "data centers the industry wants are all going to get built"?
> I've seen fiercer opposition to a 4-story apartment building than to some of these data centers.
I'm guessing you're referring to rather cherry-picked data? I've seen data center opposition making even the national news, but I don't recall any '4-story apartment buildings' opposition doing so? And senators like Bernie Sanders are proposing halting data centers nationwide - are there any similar proposals to similarly outlaw such housing construction nationwide?
> People just like opposing development.…
When I see a protest over a golf course opening, I'll take data center water use concerns seriously.
Of course multiple areas have already banned data centers. So what? The United States is absolutely enormous. Data center buildout --- especially for AI training --- has a much easier problem than housing does. Housing needs to be built near centers of economic activity, which means that every marginal unit of housing is likely to be infill and has to pass muster with relatively dense neighborhoods of people who hate development. Data centers tend to be sited in underutilized industrial tracts. There are lots of those around the country.
I feel like what's obviously happening here is that people have a rooting interest against AI, and highly-publicized pushes against "AI data centers" in specific areas are simply sparking joy for people.
Is the argument that opposition to, and proposed bans of, data centers are only occurring on sites near dense population centers, as opposed to even covering incredibly low density sites? I'd say data center opposition goes beyond housing opposition as state-wide or even national bans have been proposed.
Many people similarly have a 'rooting interest' against public housing, public transit, even new housing in general in their area, and similarly celebrate when housing, transit, etc. get stopped. <shrug>
> I do think the tech industry would be wise to do more outreach and less sneering, though. Freakouts about AI (which ultimately is what this is) aren't "rational" but they're eminently "reasonable".
A lot of the "sneering" I see from everyone who isn't an investor or an executive is a consequence of resistance to outreach. It's very difficult to discuss subjects with people when many now interpret factual explanations as propaganda and reassurance as manipulation.
By the way, plenty of people feared electricity a great deal (and it wasn't exactly implemented safely when it was new). In the 90s, many people also thought the Internet was a temporary fad, a mere novelty that would fade in some years.
Maybe the issue is the "reassurance" is identical to propaganda and manipulation. It definitely doesn't help that the companies having to "reassure" people have aligned themselves with so many others that have been pushing propaganda to manipulate others for some time now. Nor does it help that many of the same companies that need to "reassure" people are also actively doing the opposite - see the billboards bragging about not hiring humans, or CEOs bragging about how AI will replace the majority of people and leave them destitute.
There's no reason for someone to trust any "reassurance" when there are so many signals indicating they shouldn't.
Reassurance is identical to propaganda and manipulation insofar as all attempt to convey beliefs. Reassurance, here, should be apparently different in that it conveys true information. In the history of mankind, it has never been easier to discern between true and false information.
If people want to throw up their hands and start believing whatever feels right, they are permitted to do so. Though they have a duty not to as citizens of a democracy, they have the right to actively pursue policies based on falsehoods. Let's not pretend it's a reasonable or respectable reaction to seeing billboards.
If somebody does want to give up on research and working out the truth, please actually give up and say you don't know. Stop coming to the city council meetings and plastering "millions of gallons" on even the social medias where that's surprising.
How can the average citizen who knows nothing about engineering/technology determine that their electric bill [as the result of a new datacenter in town] won't go up as truthful or falsehood?
Condescending responses like these are only reinforcing the original point. People don't want data centers because they don't want AI forced on them.
> Let's not pretend it's a reasonable or respectable reaction to seeing billboards.
Being angry after seeing and hearing your livelihood threatened by rich CEOs on a daily basis is a reasonable reaction. If you aren't willing or able to muster up a modicum of empathy to see that, that's concerning, and you won't ever really be able to grasp what's going on here and why AI is so despised. You've only served to make people (including myself) despise AI even more.
Being angry is not what is under discussion here. Abandoning the pursuit of truth is. Participating, either unthinkingly or with malice, in misinformation campaigns is not acceptable even if you're really mad. Start a 'AI will steal our jobs' campaign if you're angry about that- I don't think most AI critics believe that's true, but the ones you're talking about must. I don't even need empathy to be on board with that, I think my job has 5 years to expiration at best.
Just stop lying and defending liars while slandering the honest people who notice! I don't care how rich the ceos making you angry are, I don't care how pure the hatred in your heart is for this technology, none of that makes it okay! You don't get to demand my empathy while defacing the commons, sorry.
I think the marketing about not hiring humans is mostly what it is. There are also foreign entities actively spreading propaganda. But their claims are so wildly insane they get shot down pretty quickly. So it isn't just about messaging. It is about not being hated. If they hate you, the truth doesn't really matter.
> I do think the tech industry would be wise to do more outreach and less sneering, though.
The industry is actually doing real work on water issues in response to these complaints. Big tech companies are funding projects that will allow them to replenish more water than their datacenters consume. This isn’t actually that hard of a goal for them to meet, because as we know, the amount of water we’re talking about isn’t much on a national scale. Regardless, this will mean companies making some positive change in the communities where they build datacenters.
Anyway, all of this is a distraction compared to the real problem of carbon emissions. It confuses me that environmentalists are getting sidetracked by the water use distraction here when more natural gas and coal plants are coming online.
>...the amount of water we’re talking about isn’t much on a national scale.
Water issues are always local issues. There is no national water distribution system or national aquifer.
>this will mean companies making some positive change in the communities where they build datacenters.
This will remain to be seen. So far, if it had worked out that way then there would be less vocal opposition to these data centers. Local perception seems to be that there will be nuisance to dangerous noise levels; heat islands which can cause local disruptions to weather events; closed-door agreements to build this infrastructure instead of open community involvement in the process; and other issues including concerns about excessive water usage especially in areas where there are already troubling water availability trends due to other forms of development.
>when more natural gas and coal plants are coming online.
Here in NTexas, the availability of and proximity to natural gas compression stations is key to data center siting from the ones that I have monitored. Plans seem to include construction of gas turbine generators to power the new data centers and these generators are sited on parcels very close to existing compressor stations and high-voltage power lines and small or medium local lakes.
If it's not rational it's not reasonable. The two words are more or less synonyms, unless you're using the word reasonable to mean something like "not uncommon".
AI does have clear tangible benefits everyone can see and understand! That's why ChatGPT has 800M+ actives! Those people aren't just experimenting anymore, they're getting real value. I myself ask models questions about all kinds of things many times per day, it's entirely replaced search engines for me. It's much more immediately useful than something like aviation which created a lot of noise and risk (objects falling out of the sky!) yet took many decades to become available at a price point ordinary people could afford.
That seems needlessly pedantic, even for HN. I genuinely thought the scare quotes were spelling out the distinction I was making, but for the record:
"Rational" is used in the sense of "derived from logic", or "correctly understood". "Reasonable" is used in the sense (this is very common in legal paradigms, for example) of "an understandable opinion", or "an idea likely to be held by a typical person".
> AI does have clear tangible benefits everyone can see and understand! That's why ChatGPT has 800M+ actives! Those people aren't just experimenting anymore, they're getting real value. I myself ask models questions about all kinds of things many times per day, it's entirely replaced search engines for me. It's much more immediately useful than something like aviation which created a lot of noise and risk (objects falling out of the sky!) yet took many decades to become available at a price point ordinary people could afford.
And you wonder why people are not taking you seriously?
That's misunderstanding the paper. The correlation here is with outcomes, not support. Republicans may very well be more "jaded" with the healthcare system. But that doesn't explain why they die early.
That's... not really a reasonable characterization of LA's urban growth patterns. To begin with, Hollywood quite clearly predates the aerospace buildout in the 40's and 50's. It was an oil production and refining hub before that, and an agricultural shipping center even before the dust bowl.
This particular neighborhood in Orange County certainly looks aerospacey, but I bet the Disney-centered service workers in Anaheim made up just as much of the population as the industrial folks.
Big cities are big for a bunch of reasons, basically. There are no simple answers at this scale.