Lucas Gonze

Attribution requirements are a common features of open-source licenses, but exactly when and how to do attribution are left to the implementor's judgement. I have done it wrong many times. In the spirit of doing one small thing well, I have researched and compiled guidelines. These are both for my own use, for my OSPO consulting clients, and for any potential reader. Open Source Attribution How-To Avoid redistribution. Prefer package managers. When you must redistribute, include a comprehe...

Problem Security problems in application development can be subtle. Generative ML for code leads to novel problems in application security. First, code generation reduces developer understanding. Even when the developer has a deep understanding of their system they are likely to miss vulnerabilities. The use of generation means the developer will not have to pay attention to the meaning of default choices and will have a lesser mastery. Second, greater ease of generation will reduce the need...

I have pushed a new music transcription project to Github. This repository contains my digital transcription of a song in a book titled "William Litten's Fiddle Tunes: 1800-1802." The book was published in 1977 in Vineyard Haven, Massachusetts, by Hines Point Publishers. As far as I can tell the original had only a single run, maybe self-published by a company that only produced this one title. I came across it in the back stacks of a sheet music store in Boston ("The Beehive: Jazz Hive - No Ji...

Make things that are good in themselves. Stories that move the reader. Software that is immediately useful. Songs that are loved. Don't have a revenue model. For money, get a job. Make open source that is 100% open. Be an absolutist for value. Hold nothing back. Don't identify a scalable opportunity. The world doesn't need another Facebook / Apple / Amazon / Google / Microsoft. They are bad enough. Don't even think about raising money. You don't want this. Everything venture capital touc...

I have been investigating problems incorporating third-party sources into proprietary code bases. The goal is to help companies follow the rules when they work with open source. I'm looking at snippets, not standalone packages tidily encapsulated in their own directories. This kind of copying is free range and messy. It's everywhere. Copy-pasta is just how developers do their jobs. They snarf code anywhere and everywhere. That means compliance problems are super common. Managers mainly aren...

I woke up today to find that a particularly troublesome pull request was merged at last. My PR hardened build security by pinning Github Actions, using a hash to identify the version we intended to use rather than a tagged release. The idea is that the maintainer of an action can easily inject malicious code into releases that have adoption already. It doesn't matter that the commit labeled v1.2.3 was originally benign if users of their Action are simply adopting any commit with that label. Wh...

Following up on my blog entry Systemic Improvements to License Preambles , I found that many of my ideas are addressed already in the REUSE guidelines and the SPDX documentation on short identifiers. I was familiar with the SPDX work already, but I didn't focus on it. On thinking and reading more - this time with explicit awareness of the prior art - some interesting questions remained. How to contact the developers or copyright holders when there is a need for extended permissions? For examp...

Open source is deeply reliant on blurbs in files or directories. For example, the GPL how-to: This involves adding two elements to each source file of your program: a copyright notice (such as “Copyright 1999 Terry Jones”), and a statement of copying permission, saying that the program is distributed under the terms of the GNU General Public License (or the Lesser GPL, or the Affero GPL). There are obvious systemic problems: Free text is hostile to machine processing. Programs to analyze...

Big vulnerabilities in upstream dependencies can linger in deployed software long past the point when a patch is available. Maven estimates that 35% of Log4J downloads continue to pull the version with the world-famous vulnerability. What's the cause? Why aren't developers applying patches? National Ecosystems If you follow the 35% link above you'll see that countries have characteristic exposure profiles. Taiwan is far and away the worst, and China next. Taiwan and China share a language ...

NFT metadata could easily be simpler to code, faster to load, less bug-prone, and easier to understand than with current specs. See example at the bottom. To comment, use GitHub Discussions. ERC-1155 metadata has bits that are clumsy and inefficient. The decimals feature mixes presentation with data. ("The number of decimal places that the token amount should display - e.g. 18, means to divide the token amount by 1000000000000000000 to get its user representation"). This feature is a produc...

I have had a PR merged into OWASP for the first time, a new Attacks On Logs section in the Logging Cheat Sheet. Given how much trouble it can be to get a PR merged into a new project, it's good to get a win. This grew out of the Blog On Logs entry here. ...

Markdown has massive adoption. It clearly meets a need. The cost of HTML's power is verbosity, and sometimes that's the wrong tradeoff: More typing. Writing HTML is slow. More visual noise. Reading HTML is hard. Browsers should support Markdown natively. The syntax should be part of HTML. There should be no need for a shim to translate. This is very practical: There is no Markdown syntax that can't be represented in HTML. Markdown-to-HTML conversion is easy to implement. Security risks...

I am brainstorming security requirements for system logging. Can you think of others? Are some of these too lame to bother with? Do you know of specific attacks that might be relevant? You can reply using an issue or email. (Update Feb 21: This is documented by OWASP as Log Injection and by CWE as CWE-117. That documentation includes well-defined threat models). Confidentiality Who should be able to read what? A confidentiality attack enables an unauthorized party to access sensitive inform...

Cheney: I Do Not Recognize Those In My Party Who Have Abandoned The Constitution To Embrace Donald Trump That seems familiar. Could it be the The heel-face turn? When a bad guy turns good. The term "Heel Face Turn" comes from Professional Wrestling, in which an evil wrestler (a "heel") sometimes has a change of heart and becomes good, thereby becoming a "babyface". Magazines and other promotional material from the various wrestling leagues comment on various wrestlers' changes in alignment ne...

Two years ago I did a lot of work related to badging (Example) using the Open Badges 2.0 standard. At the time I had little intuition about the value. Yesterday I got a certificate for completing a Linux Foundation course. It was surprisingly satisfying, so much so that I added it to my LinkedIn profile. When I took the course, it was partly for the learning and partly for the badge. I want to be able to position myself as a subject matter expert, and both the learning and the credential are u...

If you're working on diversity, equity and inclusion in open source and you're American, don't assume America. The world is big. Don't assume race as understood in the US is the central issue. Every part of the world has their own hierarchy of privilege. Diversity and Inclusion in Nigeria: The issue of diversity has world wide relevance. As Chairman Mao Tse-Tung said: “Let a thousand flowers bloom”. However I believe, like most issues, diversity adopts different meaning and flavor, dependi...

CHAOSS: created a draft metric model for security facets of sustainability. XSPF: went to add Tess Gadwa and Evan Boehs to "about" page, made the changes, got ready to push, realize I did this already two months ago. As a potential consumer of an open-source package, I must judge whether it is likely to introduce vulnerabilities or require updates in order to patch vulnerabilities. Pwsafe: donated $20 to the maintainer, Rony Shapiro (GitHub). This is the second donation I have made in ro...

Introduction This document is intended as a jumping-off point for people who need specifics about privacy regulations that affect open source development, whether in law or contracts. I can’t and shouldn’t offer legal advice. However, developers need to be able to educate themselves. This is a directory of resources. This document is intended to evolve and grow. I invite you to contribute information on any jurisdictions you are familiar with. Government UN Article 17 of International Coven...

The organizational structure of open source teams resembles town meetings - small-scale government with minimal hierarchy. (By Redjar, CC BY-SA 2.0, Link) Wikipedia on town meetings: A town meeting is a form of direct democracy in which most or all of the members of a community come together to legislate policy and budgets for local government. It is a town- or city-level meeting in which decisions are made, in contrast with town hall meetings held by state and national politicians to answer...

In the spirit of del.icio.us, here are some links I wanted to save without taking action and that might be useful to you as well as me. https://woob.tech/: Web Outside of Browsers a collection of applications able to interact with websites, without requiring the user to open them in a browser. It also provides well-defined APIs to talk to websites lacking one. https://clearlydefined.io/: Helping FOSS projects be more successful through clearly defined project data. ClearlyDefined and our ...

These insightful Moxie Marlinspike comments on quote-unquote web3 are helpful to gather product requirements for a next-generation vision of NFTs: Instead of storing the data on-chain, NFTs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NFTs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running ...

I have created a custom domain for my listed blog, so I can own this should it wind up mattering. The URL of this post is https://writing.gonze.com/31203/enter-writing-gonze-com ...

This is my very very first post on https://listed.to. The URL of this post is https://listed.to/authors/19771/posts/31190 Welcome to me! ...