dbt fusion

Seems to use the Elastic License: https://github.com/dbt-labs/dbt-fusion/blob/main/LICENSES.md

Which is simply not open source in the first place: https://en.wikipedia.org/wiki/Elasticsearch#Licensing_changes

Elasticsearch and Kibana would be relicensed from Apache License 2.0 to a dual license under the Server Side Public License and the Elastic License, neither of which is recognised as an open-source license.[

(although elasticsearch later changed back to the AGPL. As did Redis, and Mongo which also tried similar moves lmao).

It looks like there are a mere 4 Apache 2 (open source license) programs inside, but the other 40+ programs are behind that ELv2 license, so the program can't really be called open core even (term when some of the program is open source but some features are paid only and not open source).

So no, DBT fusion is not FOSS. DBT Fusion is source available, which is the term used to refer to when you can read the source code but there are legal restrictions on what you can do with it.

Ruffle has been around for a while.

This project: https://github.com/WumboSpasm/flashpoint-nano/

Uses ruffle to play flash games it downloads from Flashpoint Archive. You can search the archive here.

EDIT: I tried to submit this with the "English" langauge but it didn't let me, saying "Language not allowed". :(

it sucks that there seem to be no real non dead movement shooters. I am currently keeping an eye on:

• Quake live: has an active NA pickup games community
• Krunker.io : Mostly dead but many of the more dedicated players are still online, plus they host tournaments. Open source native Linux client.
• Warsow

And there were probably others. But so few.

Moderation, much as the average internet user loves to lambast it, is not an easy task at all.

This is exactly why you should use ~~reddit~~ lemmy as a forum instead of discord. One of the repeated problems I have seen in the emulation on android community, is that there are many entittled children, who harass and troll in these communities. Moderators have to ban them, but the bans are per server. That means that each server has to deal with the same troll who kicks up a fuss, and then ban them. And then they create a new account and repeat. I have seen communities and projects die due to harassment and trolling and it makes me sad.

But on ~~reddit~~ Lemmy, instance bans could be applied to ban problematic users from many communities at once, saving and deduplicating work.

Moderation is a lot of work, but moderating a ~~reddit~~ Lemmy community is ultimately a team sport, rather than an individual one.

some of us really care about ethics outside the scope of just what happens with the source.

And some don't. There are a ton of corporate open source projects that use slack as their main communication channel. You can try to convince them. But here you're just kind of preaching to the choir tbh.

What do you think the “F” in “FOSS” is all about?

Read the article I linked. It discusses problems with the term "FOSS".

Though, you should also take a look at: https://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar . Not every project actually wants to receive contributions from the public. Sometimes they only want to just dump the code on the net for people to review or fork.

https://www.gnu.org/philosophy/open-source-misses-the-point.en.html

There is a term to refer to projects like these: Open source. Open source, means to allow for collaborative development. User control of their systems, and/or privacy are not concerns when it comes to open source projects.

I disagree. There are many process failures and areas where security can be improved, independent of trusting a distro maintainer or developers.

For example, 2FA should probably be enforced for the process of publishing packages. It does appear to be enforced for new packages but older packages still have legacy settings. Github now forces 2fa for basically everything, and they applied that even to existing organizations and repos. There is no real reason that NPM (owned by Github) isn't able to do the same.

Or another example, is sandboxed builds. Many of these packages, like NPM and Rust packages, have build time scripts, which are executed unsandboxed at compile/install time of these programs. That is how these NPM worms have been so pervasive. You don't have to actually run the javascript package for it to do bad things, just merely installing it.

On the other hand, the build systems that distro's use, often involve sandboxing the builds to limit the attack surfaces (including limiting network access). Although, Linux distros usually rip out build scripts and build systems in order to replace them with their own, but this also further limits the code you have to audit.

Even better is to sandbox the program itself to further limit harm but that's not done on Linux distros and is somewhat outside the scope of this discussion.

If you are an NPM developer, I recommend Deno, with it's built in, on by default sandboxing... that people like to disable. But it's there and is better than giving random NPM package #245 access to your home directory. You could also use podman or docker but yeah.

Hello, I also run k3s on a single node here.

Yes, it is more complex in some ways. But what I love about kubernetes, is the helm package manager and it's ecosystem, that makes it easier to user packages from other people and organizations.

They can be searched here: https://artifacthub.io/

There are many that you may be interested in, like forgejo.

The big thing I like about helm vs docker-compose, is helm is another layer on docker-compose. If an app receives an update that causes it to need another service/container deployed, that will be reflected in the helm release, which orchestrates containers. But with docker-compose, you would have to manually update the config file format in order to handle such changes.

Because this setup is more resilient, I actually just auto update all my apps to the latest version on kubernetes, and this is one of the big reasons why I use kubernetes instead of docker. Yes, things do occasionally break, but they mostly break in predictable, easy to handle ways like "config option changed" or "database needs migration". Plus backups/snapshots to ensure if there is a bug or something I can simply roll back.

One of the biggest difference is package signing, which is often multi party where multiple developers review changes and coordinate uploads.

There are others, like how Debian and Red Hat essentially maintain forks of software which they only apply cherry picked security updates to. This blocked the XZ utils backdoor, for example. Debian Unstable, Arch, and other distros which shipped newer versions of software got the backdoor. But not Debian Stable and Red Hat.

I wrote a long post here, in which I go more in depth: https://programming.dev/post/48171483/23081855

Not linux distro package managers.

Rust

Rust is doing pretty poorly right now.

among the 999 most popular crates on crates.io, around 17% contained code that do not match their code repository.

https://kerkour.com/rust-supply-chain-nightmare

Rust programs that are compiled with cargo, when compiled as dependencies of another program or when compiling a binary itself, can execute arbitrary code via build time scripts, and they are executed unsandboxed. This is a security nightmare.

push whatever you want to an NPM package if you have the author’s login

This is how all language package managers work, unfortunately. The login's security can be improved, via things like 2fa, but it's currently very bad. Having multiple parties use keys to sign packages after reviewing all changes, is a thing unique to distro package managers, and it is why Linux distros are extremely resilient against supply chain attacks.

Yes. Install scripts. But also pypi started enforcing 2fa for package pushes, which helps a lot.