Archive for April 16, 2024

Tuesday, April 16, 2024

Twitter’s Pivot to x.com Is a Gift to Phishers

Brian Krebs (Hacker News):

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.

[…]

The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:

“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”

I still go to twitter.com, which serves links to twitter.com rather than x.com. And if I go to x.com it redirects me to twitter.com.
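The link-rewriting mistake Krebs describes, shown as an added Python illustration (this is not Twitter's code and not from Krebs's post): a naive substring replace turns fedetwitter.com into fedex.com, while a parser-based rewrite that matches the host only on a label boundary leaves lookalike domains untouched. The sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "twitter.com"
NEW_HOST = "x.com"


def naive_rewrite(url: str) -> str:
    """Substring replacement over the whole URL: reproduces the bug.

    Any host that merely *contains* 'twitter.com' (fedetwitter.com) is
    rewritten, and so is text in the query string.
    """
    return url.replace(OLD_HOST, NEW_HOST)


def host_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def safe_rewrite(url: str) -> str:
    """Parse the URL and rewrite only when the host really is twitter.com."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None or not host_matches(host, OLD_HOST):
        return url  # lookalikes and non-host occurrences stay as they are
    new_host = host[: -len(OLD_HOST)] + NEW_HOST  # keeps any subdomain prefix
    netloc = new_host
    if parts.port is not None:  # preserve an explicit port
        netloc += f":{parts.port}"
    if parts.username is not None:  # preserve userinfo, if any
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        netloc = userinfo + "@" + netloc
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def suspicious_rewrites(urls):
    """URLs where the naive rewrite would change something the safe one does not."""
    return [u for u in urls if naive_rewrite(u) != safe_rewrite(u)]


# Constructed sample links of the kind seen in tweets.
SAMPLES = [
    "https://twitter.com/jack/status/1",
    "https://mobile.twitter.com/home",
    "https://fedetwitter.com/track",          # lookalike: must NOT become fedex.com
    "https://example.com/?u=twitter.com",     # 'twitter.com' only in the query
]
```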


Update (2024-04-24): See also: Bruce Schneier.

The Apple curl Security Incident

Daniel Stenberg (Hacker News, Slashdot):

The friendly reporter showed how the curl version bundled with macOS behaves differently than curl binaries built entirely from open source. Even when running the same curl version on the same macOS machine.

The curl command line option --cacert provides a way for the user to say to curl that this is the exact set of CA certificates to trust when doing the following transfer. If the TLS server cannot provide a certificate that can be verified with that set of certificates, it should fail and return error.

[…]

When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and check the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise.

[…]

This is a security problem because now suddenly certificate checks pass that should not pass.

Yet another case where Apple’s security team doesn’t agree about what constitutes a security issue.


The Race to Replace Redis

Steven Vaughan-Nichols (via Hacker News):

For those of you who aren’t open-source licensing experts, this means developers can no longer use Redis’ code. Sure, they can look at it, but they can’t export, borrow from, or touch it.

Redis pulled this same kind of trick in 2018 with some of its subsidiary code. Now it’s done so with the company’s crown jewels.

Redis is far from the only company to make such a move. Last year, HashiCorp dumped its main program Terraform’s Mozilla Public License (MPL) for the Business Source License (BSL) 1.1. Here, the name of the new license game is to prevent anyone from competing with Terraform.

Joe Brockmeier (via Hacker News):

So it should be apparent that code contribution is beside the point. Redis is a venture-backed company that has taken more than $350 million in funding over many rounds since 2011. The company, and its investors, seem to have calculated that they can safely move away from open source to try to capture more revenue.

They have some reason to believe this is the case, if MongoDB’s results are any guide. The company went public in 2017 and moved to the SSPL a little more than a year later. Shortly afterward, major Linux distributions stopped packaging the database because it no longer met their licensing standards. But, by that time, the company had set its sights on a platform model that would encourage developers (and their employers) to use and pay for MongoDB and ancillary offerings with the as-a-service model. Distributing a source-available version of MongoDB could be seen as a loss-leader strategy to reach developers that the company wagered did not care about open-source.

[…]

Having to find a replacement to ship in place of Redis is not the only problem for community distributions. Jacob Michalskie called out several services in use by the openSUSE project that will need a Redis replacement, including the Pagure code-hosting software (created and used by Fedora as well) used for code.opensuse.org, and the Discourse forum software.

[…]

It is, of course, too soon to predict whether one or more of the forks will gain significant traction—but it seems likely that Valkey will be a credible alternative. The possibility of a swift fork with widespread community and industry backing should give pause to vendors who expect a smooth path after abandoning open source.


Update (2024-04-24): Gergely Orosz:

Redis will probably be the case study on why it’s a terrible idea for a VC-funded company (Redis Labs) to take over a permissive open source project they did not start (Redis), become the de facto owners, and then “rug pull” (change the license).

Mojo Is Open Source

Modular (Hacker News):

We firmly believe for Mojo to reach its full potential, it must be open source. We have been progressively open-sourcing more of Mojo and parts of the MAX platform, and today we’re thrilled to announce the release of the core modules from the Mojo standard library under the Apache 2 license!

[…]

Beyond just providing source code, we are also opening up revision history for the standard library, releasing nightly builds of the Mojo compiler, providing public CI, and allowing external contributions through GitHub pull requests. This is expensive and non-trivial to set up, but in our experience, it's critically important to allow the community to scale.
