Friend who is not a software person sent me this tweet, which amused me as it did them. They asked if “runk” was real, which I assume not.
But what are some good examples of real ones like this? xz became famous for the hack of course, so i then read a bit about how important this compression algorithm is/was.
There is a guy named Arthur David Olson who maintains a small database of all the time zones in the world, including things like leap seconds and such. It’s used by everybody and it is updated several times a year. See here:
I bet he’s paid nothing to do it. Then one day, when a timing attack happens that can be traced to the DB, some knobhead CTOs and tech influencers will start talking about “securing the supply chain”. They’ll want other such bullshit and responsibilities to be shoved unto volunteers.
Two quotes come to mind “Fuck you, pay me” and “Open source maintainers owe you nothing”.
It would make sooo much more sense for the ISO to set something up, and make governments each responsible for keeping it updated, since they’re the ones doing the changing.
Require all participants to amend their law/regulations, so there’s a note to prompt whoever is in power and changes it next.
I’m sure some places would still neglect to do it… Haha
It has organizational support from ICANN, so it’s not done in total isolation.
Oh neato, then all good!
It’s also worth pointing out that this was sued in a copyright lawsuit some time ago. The wikipedia article mentions it, but here’s the slashdot discussion if you want to feel like stepping into a time machine: https://m.slashdot.org/story/158778
It caused a momentary panic when everyone realized that this thing runs the system clocks for everything everywhere, and if it got taken down by a copyright suit it would be disastrous for, well, everybody.
If we could all just stop making changes to time zones, that would make my job very slightly easier.
Perhaps we’ll move to UTC+10¼, and then move forward 45 minutes in the summer.
If the day number is a prime, then we’ll go back π hours.
Hope that will help!
Wasn’t there also very recently a whole thing about the single guy who maintains the NTP spec threatened to retire so he could get a “real” job, which caused a gigantic internet-wide panic as pretty much everything we do relies on computer’s clocks being perfectly synced?
Runk in Swedish has a different meaning.
I mean, it was either Richard Stallman or Dennis Ritchie that created grep in an evening so that a buddy of his could do research on volumes of text that wouldn’t fit in the RAM of a PDP-11 (or similar machine. I’m telling this story from memory). It’s designed to do what you would do with the ancient text editor ed using the commands Global, Regular Expression, and Print. g re p. grep. Probably the most important piece of software ever written in a couple hours.
It’s also, in my opinion, the most verb-able of all *NIX commands.
I don’t know, rm being short for “remove” is very verbaceous.
Oh go fsck yourself (maybe that works better written…).
Verbaceous is a great word. I’m adding it onto my “favourite words” list ,(even if it isn’t technically a word "
Ah, pshaw, I don’t subscribe to the notion that there’s such a thing as “not a word.” Why bother having a system of root words, prefixes and suffixes if we’re not allowed to use that system to build the words we need? Especially for the fun of it. Verbaceous is adjectivacular.
Yeah I’ve told someone to grep something despite knowing they had a windows server
Wikipedia credits it to Ken Thompson, PDP-11 to me implies early Unix.
I’m telling this story from memory
pun intended? ;D
Relevant, for those interested in the history of grep. Computerphile
That’s actually the video I was retelling from memory.
If he hadn’t written it someone else would have. Searching through text is an obvious thing to want to do.
but thank fuck specifically he has cos now it’s a brilliant piece of software xD
Original grep was pretty much a wrapper around sed. That’s why it’s called g/re/p, which is the sed command to do the same thing.
TIL
corejs haha
Based on my cheatsheet, GNU Coreutils, sed, awk, ImageMagick, exiftool, jdupes, rsync, jq, par2, parallel, tar and xz utils are examples of commands that I frequently use but whose developers I don’t believe receive any significant cashflow despite the huge benefit they provide to software developers. The last one was basically taken over in by a nation-state hacking team until the subtle backdoor for OpenSSH was found in 2024-03 by some Microsoft guy not doing his assigned job.
And those are only fully packaged user-facing software.
I’d guess almost all of the Rust code for low level hardware access is maintained by a single person. Most of them once joined forces and created a standard, it had 4 developers last time I checked. The only usable cryptography library for C# has a single developer, and while on crypto, that meme got widespread because of OpenSSL, that had a single developer who spent most of his time on OpenSSH and other BSD user-facing software.
Also, while we are on crypto, the modern algorithms were all created by a single researcher, that got famous for a work on how to decide if you can trust a crypto algorithm. Almost everybody uses his code.
Anyway, that meme first appeared because of Javascript, when a developer removed his library (with ~10 lines of code) from the language’s repository and almost every Javascript software broke.
I heard about that last one on a podcast and it was the first thing I thought of when I saw this post. Genuinely interesting story (if you’re into that sort of thing). The pod was saying how it’s both a flaw of open source that it could happen that way and an advantage because it was discoverable due to the fact that the code is open source.
Which podcast? Sounds like something I’d be interested in listening to
Also replied to another comment, sounds like this one here: https://opensourcesecurity.io/2024/04/01/xz-bonus-spectacular-episode/
Do you have a link to the podcast?
Sounds like the open source security podcast. Specifically this episode: https://opensourcesecurity.io/2024/04/01/xz-bonus-spectacular-episode/
Kurt and Josh are great, one of my favourites.
I believe the quintessential example is curl Also here’s the relevant xkcd: https://xkcd.com/2347/
The curl author writes a lot about his struggles, but he’s also employed to maintain curl, so not really a good example
Imagemagick.
Every website that supports avatar images and has multiple sizes of the avatars uses imagemagick.
Another one is OpenSSL.
I like the imagemagick .desktop file that is always created when you install the package. It opens up a really terrible and dated paint-like program that no one ever uses.
Idk who needs to know this, but in Norwegian “runke” means to jerk off. “runk” is the word you add a prefix to in conjugation to get the different inflections
- runke - jerk off
- runker - jerking off
- runket - jerked off
Etc…
also the swedish meme subreddit is called r/unket
and runket translates to “the jerk”, as in a noun referring the act of (and/or the result of…) rubbing one out.
ie a Swedish circlejerk subreddit?
precisely
You meant suffix, not prefix. But this is pretty funny regardless
Hi, I’m a Finn. We also have a variation of this.
Ronald’s Universal Number Kounter sounds like someone did it on purpose.
There’s a lot of that in the software world. I’m thinking of gimp.
Graphics Image Manipulation Program, yeah right
deleted by creator
“especially today”? What’s today? Can you elaborate?
deleted by creator
Den Nasjonale Runkedagen
Tidligere kjent som “Allrunk”, navnet ble endret et par år etter TV3 våget å arrangere en aldri så liten “Allrunk på Grensen”, noe Svenskene var svært misfornøyd med.
Det gamle navnet og tradisjonene som hørte til er fortsatt gjeldende i deler av Vestlandet og i Trøndelag, men spesielt populært er det i Nordmøre.
There is a National Wank Day in Norway?
Everybody gets together on Runkedagen, it is where the English first observed the rumored circlejerk.
I’m surprised that no one seems to have brought up curl, which is maintained by Daniel Stenberg who is Just Some Guy™
Eh, bagder is more than “just some guy” to a lot of people! To me he’s kinda been my tech idol for 20 years lol, he also was a core part of building Rockbox (open source firmware for MP3 players) which was the first open source project I got seriously involved in as a kid ☺️
“Just some guy” doesn’t mean they aren’t amazing. I would argue the opposite. It just means they didn’t use their abilities to become rich and famous like some other assholes. They’re almost certainly more capable than them, not less.
I think that would be a great situation to be in.
You have created a cool thing a lot of people use, by being good at something. You’ve done something.
Also, people have no idea who you are. Nobody is digging through your trash, harassing the people you love, taking pictures of you wherever you go including on your bad hair days, etc. You’re just some guy.
Fair point! I think that’s part of why I admire him, humble greatness
I second Rockbox here, it’s fucking great.
Holy shit, I remember Rockbox… Big time nostalgia on that one!
Holy shit Rockbox was amazing. I might still be subscribed to the mailing list. I used that on a few different MP3 players as a kid. I had no idea. Fuck I am old.
Edit: For a list of what he has worked on - https://daniel.haxx.se/opensource.html
xz seems like another good example
I’d put the deflate algorithm over the LZMA algorithm just because deflate is used by both windows (zip) and Unix (gzip). Windows I don’t think has added LZMA/xz support until recently if at all.
I’d say ffmpeg is a good example, it’s used by almost every piece of software that has to manipulate audio or video (including messaging applications), yet not many people know about its existance.
And Fabrice Bellard, the original author of ffmpeg, went on to create qemu which pretty much made open-source virtualization possible. Also TCC (even if I don’t think that one is widely used), he established a world record for computing decimals of Pi using a single machine that had ~2000× less FLOPS than the previous record, and so much more…
Fabric Bellard’s body of work is fairly strong evidence for time travel having happened already.
Or just genius.
curl
Curl comes to mind. Libcurl is at the foundation of almost all networking.
And they still get emails from randos when some program that uses curl doesn’t work (the Readme is top notch).
I cannot for the life of me find what you’re referencing. I only remember the
sqlite/etilqsfiasco with McAfee.https://github.com/mackyle/sqlite/blob/a009acaca1fe25d909d8b5180c0120af1abc2b82/src/os.h#L56-L79
Here’s an example from NASA
I feel a bit split about this. Seems it is an actual law, and it kind of makes sense. You probably don’t want random components from unknown people and places in your multi million dollar space equipment. But it feels rather arrogant to just demand such things.
Is NASA actually a customer? Did they pay for a license to use curl (genuine question - I’m not familiar enough with it to know if enterprises and organisations require a paid license)? Are they planning on becoming a paying customer? Do they make donations to the project? If not, it feels kind of rude to send a demand letter to the lead developer of a free piece of software straight up demanding a formal letter stating where the free software is being developed and maintained (for free), or if outside the USA, that the free software has been tested in the USA. Oh, and a bonus demand that such information be returned within 5 business days (naturally with an implied “or else”, just to really make sure those pesky people maintaining open source software for free really get the memo)
In any case, why don’t all their scary 3 letter spy agencies go and figure it out on behalf of NASA themselves? It’s open source, they could just like, read the source, test the source, and audit the source themselves. Or fork it and make any modifications they’d like to ensure its safety
I don’t blame the person sending the emails, obviously, they’re just following orders, but the whole email reads as very entitled and arrogant, assuming NASA don’t provide any compensation to the project and projects maintainers for their use of curl
https://daniel.haxx.se/blog/2020/12/17/curl-supports-nasa/
https://daniel.haxx.se/blog/2023/02/07/closing-the-nasa-loop/
Their process for validating software doesn’t have a box for “open source”, and basically assumes it’s either purchased, or contracted. So someone in risk assessment just gets a list of software libraries and goes down it checking that they have the required forms.
As the referenced talk mentions, the people using the software understand that all the testing and everything is entirely on them, and that sending these messages is bothersome and unfair, and they’re working on it. Unfortunately, NASA is also a massive government bureaucracy and so process changes are slow, at best.
The TLAs don’t generally help NASA, and getting them involved would unfortunately only result in more messages being sent.As for contributions, I think that turns into an even worse can of worms, since generally software developed by or for the US government isn’t just open source, but public domain. I think you’d end up with a big mess of licensing horror if you tried to get money or official relationships involved. It’s why sqlite is public domain, since it was developed at the behest of the US.
Mostly just context for what you said. NASA isn’t being arrogant, they’re being gigantic. Doing their due diligence in-house while another branch goes down a checklist, sees they don’t have a form and pops of an email and embarrassing the hell out of the first group.
The time limit thing is weird, but it’s a common practice in bureaucracies, public or private. You stick a timeline on the request to convey your level of urgency and the establish some manner of timeline for the other person to work with. Read the line again, but extremely literally: “we have a time frame of 5 days for a response”. “Our audit timeline guessed that it would take a business week for you to reply, so if you take longer we’re behind schedule”. The threatening version is “your response is required on or before five business days from the date of this message”.
The presumption is that the person on the other end is also working through a task queue that they don’t have much personal investment in, and is generally good natured, so you’re telling them “I don’t expect you to jump on this immediately, but wherever you can find a moment to reply this week would keep anyone from bothering me, and me from needing to send another email or trying to find a phone number”
https://bagder.github.io/emails/ has the email collection.
Thank you!! I knew I must have been missing something.
Thanks for sharing these gems. I can almost feel the exasperation in some of the emails and their replies.
curl is most definitely not developed solely by one person though, it has thousands of contributors. in fact, there is so much red tape around curl that you can’t even discuss making a change to it without first writing an RFC and having it approved by a committee.
Libcurl is at the foundation of almost all networking.
That’s not remotely true, but it is nevertheless outstanding work and very much deserving of recognition and support.
Is-even and is-odd on npm.
For a while, openssl was maintained by 1 or 2 people.
Is-even and is-odd are the stupidest packages ever written. Except for all the others that guy wrote.
deleted
left-pad
The popularity of these two packages shows that something is very wrong with JavaScript.
No, it shows people are lazy.
Well, that as well, but it’s an also bit tricky to safely check if a number is even because JavaScript uses floats for numbers.
It’s not tricky. Modulus operator works fine.
I would love this even more if one depended on the other and just did a “not even” for example.
I thought that was the case tbh, has it changed?
Edit: is-even depends on is-odd.
It would be even better if each one depended on the other.
Well good news! Time to let yourself love again!
Like half of the npm is maintained by a single, arguably awful, person who writes his microprojects into large pieces of software to maximize how often his code gets installed.
Sounds like a fork is in order
Sindre Sorhus?
Just looked them up… holy hell. How does one have so many repos! And all the apps he’s made. What’s the story on them?
Jon Schlinkert, I believe. Sindre has a lot of stuff as well, but has a better reputation afaik
That’s them, yup!
