The difference is that social media is amplifying things a lot more and there is a culture of destroying people in public (made easier by social media amplification).

It’s really the same issue as outside FOSS, social media creates stronger bubbles, more extremes, more grifters, and more amplification of crap.

Matthew Green has some great posts about iMessage security. This one describes the key lookup issue:

https://blog.cryptographyengineering.com/2015/09/09/lets-tal...

Looking at the linked Apple Platform Security, it seems like the Apple Identity Service is still used as a public key directory.

I wouldn't say they are sound. First, macOS provides the freedom to install your own applications (ok, they need to be signed and notarized if the quarantine attribute is set) and it's not the case that the Mac has mass malware infestations. Second, the App Store is full of scams, so App Store - safe, external - unsafe is a false dichotomy.

Apple uses these arguments, but of course the real reason is that they want to continue to keep 30% of every transaction made on an iPhone or iPad. This is why they have responded to the DMA with a lot of malicious compliance that makes it nearly impossible to run an alt-store financially.

(Despite my qualms about not being able to install apps outside the app store, I do think they are doing a lot of good work of making the platform more secure.)

Nix already existed in 2003. Besides that Nix store directories are more ingenious than versioned application directories (or hashed directories), the hash in the output path is the hash of the normalized derivation used to build the output path (well, in most cases, let's keep it simple). Derivations work similarly (also using hashes). Moreover, since a derivation can contain other derivations as an input, the Nix store represents hash/Merkle trees.

This makes it very powerful, because you can see which parts of the tree need to be rebuilt as a result of one derivation changing.

But with all its pros, the thing I hate by far the most in NixOS is .. nix.

I think it depends on your background. I did some Haskell at some point in my live and I like Nix. It is a very simple, clean, lazy, functional programming language. The primary thing I'm missing is static typing.

I instead opted for a less sophisticated solution in that ruby acts as the ultimate glue to whatever underlying operating system is used. What I would like is a NixOS variant that is simpler to use - and doesn't come with nix. Why can't I use ruby instead?

Because what nixpkgs does is not easily expressible/doable in Ruby. First, the package set is one huge expression in the end. That might seem weird, but it allows for a lot of powerful things like overlays. However, for performance reasons this requires lazy evaluation. Also other powerful abstractions require lazy evaluations (e.g. because there are some infinite recursions in nixpkgs).

Second, the Nix packaging model requires a purity (though this gap was only properly closed with flakes). You have to be able to rely on the fact that evaluating an expression evaluates to the same result. Otherwise a lot of things would break (like substitution from binary caches).

Third, things like overlays rely on fixed points, which can be done easily in a lazy functional language.

---

Having used Nix for 8 years now, I have a long list of criticisms as well though :).

I haven’t written a line of Nix since I started using it, yet it defines three of my systems. I just read diffs that an LLM created when editing my config.

Making a big deal about the language substrate feels like someone still trying to argue over vim vs emacs. It’s trivial and uninteresting.

Where I live in Europe, Fairphones are becoming fairly popular (as in, I encounter non-tech people using Fairphones). A subset of those users run /e/OS (anti-Google/big tech sentiment is growing pretty strong). This is increasingly becoming a risk for Google, because if /e/OS takes off big time in Europe, it would be easy to support a European app store besides Google Play and F-Droid (which the /e/OS App Lounge already support), leading to a loss of 30% on app spending.

Google will abuse their remote attestation implementation to shut out competitors. If all they cared for was security, they would have worked with other Android-based operating system vendors that support bootloader locking to come with an industry-wide standard.

Google actually "gave" customers the choice here, although I agree with you that it's crappy and there was almost surely some monopolistic intent -

There _is_ a standard implementation, the Hardware Attestation API. Unfortunately it is annoying to use in a practical way; it requires a fair amount of PKI-wrangling (although there's a Google library for it) and more importantly to allow non-Google trust chains but still enforce boot security, app developers need all of the verifiedBootKey hashes for the non-Google trust chains they want to trust. This makes sense, but unfortunately becomes a maintenance problem and turns app developers off of this.

So, app developers choose the Play Integrity API instead because it's easy, even though they get the side effect that they verify that the device is a licensed Google Play device rather than just a "clean" Android device.

All this is to say that if something like /e/OS were to actually take off, app developers could upgrade their apps to support attestation with the Hardware Attestation API with some extra effort - Google aren't really preventing them and the feature is there.

Anyway, going all the way back to the original story again, I still can't buy into the hand-wringing. A verified, attestable Linux on the server (or for stuff like forward deployed devices) seems quite cool and useful to me, and while I respect the issues with client attestation and the negative effect it can have on hardware ownership, I both don't see it as a practical outcome from this company and don't see it as a practical threat on the desktop at this time.

Since app distribution is not a fair market anymore, it needs to be regulated. Either the fees have to go down close to cost or alternative app stores should be allowed. And not the malicious compliance version of it (as Apple is trying in the EU).

ASML wil zo’n 3000 van de 4500 banen van managers in de engineeringtak laten vervallen. De verwachting is dat ongeveer 1400 mensen een nieuwe functie als engineer kunnen gaan vervullen. „Van ongeveer 1700 mensen verwachten we afscheid te moeten nemen”, stelt financieel topman Roger Dassen in een toelichting.

Of course, it's hard to tell how much is PR and how much reality. However, if there is substance to it, it would want me to work there even more, since they value engineering culture over management culture. Having more velocity is good.

Interesting. In old companies the only way to climb the ladder (get a raise) was to get into management. And then if they were a bad manager, they might get 'sidemoted' into some position where they could still contribute. Anyway, back in the old days, it was not uncommon to see 'managers' or even 'directors' with no direct reports.

That would be disappointing for engineers that were actually doing engineering, as yet again their grade increases would be taken by management types.