I’m considering getting a Switch 1 now. I can find hackable ones for €100 in my area.

But then again, it doesn’t really do anything I can’t do with my other devices.

Well, IRL hacking doesn’t have exciting gameplay mechanics. So more realistic hacking game might not be such a clever idea.

Well, you said you only have experience from the outside.

Again, support is not development. Experiences with support does not allow conclusions on development.

And having no experience in development doesn’t qualify you to make statements about development.

You can not change history for any published changes - like I said, doing so makes your repository incompatible with any other clone.

That’s the same on Git.

Looks like Mercurial can change the history just fine using the hg command. You just need to enable it first.

https://book.mercurial-scm.org/read/changing-history.html

Git can also be configured to disable history rewrites.

https://stackoverflow.com/questions/2085871/strategy-for-preventing-or-catching-git-history-rewrite

So the difference between git and hg really just comes down to the defaults.

I got weirdly invested in this, and by the end I was kinda happy that it was “just” a bug in the tooling and not anything actually malicious.

Thanks for the warning. I am currently running Fedora (because “it just works”) and I’m drowning in bugs and incompatibilities.

I was considering Bazzite because of all the recommendations, but considering my luck (and probably my hardware combination) I’d probably end up just like you described.

It seems like you don’t have a very broad exposure to closed source development.

Probably not. 15 years is not that long, what do I know, I’m just on senior expert level.

Companies run skeleton crews on crap products that don’t make money. Stuff they give away for free or that’s only used by legacy customers. Stuff they can’t shutdown because of contracts or because it still making a bit of money.

You might notice if you get escalated to development enough that it’s always like the same guy or two. It’s because they might only have a couple of guys working on it.

This is where your lack of knowledge about products like that shines through. It’s common to only get the same guy or two, because that’s the people designated (or willing) to talk to customers.

In real life, OpenSSL was run by a single person. That’s not a skeletton crew, that’s abandonment.

From what you are writing you aren’t a programmer and you haven’t worked in a software corporation before, but instead just extrapolate from your experiences with customer support.

OSS on the other side has the downside of being free.

That means it’s:

• massively underfunded because nobody donates
• no SLA-style contracts to hold anyone accountable
• most of the time no 3rd party security audits because free software (especially libraries or system tools) don’t go through procurement and thus don’t require them
• everyone expects that “someone” will have already reviewed it becouse the code is open and used by millions of projects, while in reality they are maintained by some solitary hero hacking away in his basement

If stuff like OpenSSL was CSS, it would be at least a mid-sized company making lots of revenue (because it’s used everywhere, even small license fees would rack up lots of revenue), with dozens of specialists working there, and since it would go through procurement there would be SLAs and 3rd party security audits.

But since it’s FOSS, nobody cares, nobody donates and it was a singular developer working at it until heartbleed. Then some of the large corporations which based their whole internet security on this singular dude’s work realized that more funding was necessary and now it is a company with multiple people working there.

But there are hundreds of other similarly important FOSS projects that are still maintained by a solitary hero not even making minimum wage from it. Like as shown with the .xz near miss.

Just imagine that: nobody in their right mind would run a random company’s web app with just one developer working in their spare time. That would be stupid to do, even though really nothing depends on that app.

But most of our core infrastructure for FOSS OSes and internet security depends on hundreds of projects maintained by just a single person in their free time.

Could be the AMD CPU (had a few kernel issues with that CPU, for example on anything newer than 6.10 the laptop doesn’t wake from sleep, that’s a well-documented issue either with the CPU or the chipset), could be the mobile 4070, could be because I’m using Fedora (some of the issues I have like the one with performance randomly dropping to single-digit FPS and that not clearing up with a reboot are reported quite often on Fedora), could be something entirely different.

I’m on a budget gaming laptop (Lenovo LOQ), could be that they messed up something there, don’t know.

I haven’t even touched HDR so far, because the base function isn’t there.

Games on Steam don’t tend to give me trouble, for some reason it works better there, but I don’t have 300 or so free games on Steam.

That’s definitely a problem with every bit of code, that everyone relies on stuff they don’t or can’t review.

My point is that FOSS provides a false sense of security (“Millions of people use this library. Someone will already have reviewed it.”).

But the bigger issue is that FOSS is massively underfunded. If OpenSSL was for-profit, it would be a corporate project with dozens if not hundreds of developers. Nobody would buy a piece of core security infrastructure from a self-employed dude working away in his basement. That would be ridiculous to even think about that. And if this standard component was for-profit, even very low license fees would generate huge amounts of revenue (because it’s used in so many places) and this would allow for more developers to be employed.

And since it would be an actual thing that companies would actually buy, they’d demand that third-party security audits of the software would be done, like on any paid-for software that companies use. They’d also demand some SLA contracts that would hold this fictional for-profit OpenSSL accountable for vulnerabilities.

But since it’s FOSS, nobody cares. Companies just use it, nobody donates. It’s for free, so the decision to use it usually doesn’t even go through procurement and anything related to it. I tried to get my old company to donate to OpenSSL in the wake of Heartbleed, and the company said they don’t have a process to donate to something, so can’t be done.

So everyone just uses this little project created by one solitary hero and nobody pays for it. And so that dude works alone in his basement, with literally the online security of the whole world resting on his shoulders.

Luckily after Heartbleed a lot of large corporations started to donate to OpenSSL, but there are hundreds of other equally important projects that still nobody cares about. As seen e.g. with the .xz near miss.

My former argument? You might be confusing who you are talking to, since you answered to my first post in this thread.

You also seem to remember leftPad wrong. What happened there was that someone made a tiny library that did nothing but to pad a string. Something so trivial that any programmer should be able to do that within a minute. But still tens of thousands of projects, even large and important libraries, would rather add a whole dependency just to save writing a line of code. In fact, in most dependency management systems it requires more characters to add that dependency than to write that oneliner yourself.

The issue with leftpad was that the maintainer of that “library” was angry for unrelated reasons and pulled all his libraries, which then broke thousands of projects and libraries because leftpad wasn’t available any more.

My point was that everyone just relies on upstream doing their stuff and hardly anyone bothers to check that the code they include is actually doing what it should. And everyone just hopes that someone else already did their job of reviewing upstream, because they can’t be bothered to do it themselves.

A better example though would be Heartbleed. OpenSSL is used in everything. It’s one of the core libraries for modern online communication. Everyone and their grandma used it, most distros, all the cloud providers and so on. Everyone has been making money using the security that OpenSSL provides. Yet OpenSSL was massively underfunded with only one permanent developer who was also underpaid for what he was doing. And apparently nobody thoroughly reviewed the OpenSSL code. Somehow in version 1.0.1 someone made a mistake and added the Heartbleed bug. Stuff like that happens, nobody’s perfect, and if there’s only one person working on this, mistakes are bound to happen.

And then this massive security vulnerability just stayed in there for over two years, allowing anyone to read out whatever’s in the memory of any server using OpenSSL. Because nobody of the billions of people using OpenSSL daily actually reviewed and analysed their code. Because “so many people use OpenSSL, someone surely already reviewed it”.

Or take Log4Shell. That’s a bug that was so trivial it was even documented behaviour. To find this, someone wouldn’t even have had to review the code, just reviewing the documentation of Log4J would have been enough. And still this one was in production code for 8 years. For a library that’s used in almost every Java program.

Nobody reviews upstream.

If upstream makes a mistake, that mistake is in the code. And then everyone just happily consumes what they get.

And upstream is often just a random library thanklessly maintained by some dude in their spare time.

Edit: Just to prove my point: Think of your last big FOSS project that you worked on. Can you list every single dependency and every single transient dependency that your project uses? For each of these dependencies, do you know who maintains it and how many people work on each of these dependencies? Do you know if everyone of these people is qualified and trustworthy enough to put reliable and secure code in your project? Or do you, like everyone else, just hope that someone else made sure it’s all good?

Are you sure?

All I’m saying is leftPad, if you still remember.

As a programmer I do not believe you when you claim that you read through all the code of all the libraries you include.

Especially with more hardcore dependencies (like OpenSSL), hardly anyone reads through that.

You are confusing who you are talking to.

Fair point. But my point still stands since quite a few peertube instances do the same.

Just the right kind of humour.

People with selection bias who lucked out that their setup doesn’t cause issues and who then think they are somehow morally better people because of that.

It’s basically the Gospel of Prosperity but for Linux.

Yes, my CPU is an AMD Ryzen 7 7435HS which doesn’t have an iGPU. My Nvidia 4070 is the only GPU present on my system.

My GPU driver version is 570.153.02, which is the currently newest production version. When installing it, I used this guide: https://rpmfusion.org/Howto/NVIDIA

I tried Wine-GE-Proton8-26, GE-Proton-latest, Proton Experimental and Proton 9 (Beta). I tried each of these options with Esync and Fsync enabled and disabled and every combination of these two options.

I tried enabling/disabling VKD3D and DXVK-NVAPI.

And of course I tried rebooting.

I found quite a few people with similar issues online, but never with a fix that actually works. Most of the people with the same issues don’t get any replies at all, and if they do it’s some condescending posts from people who lucked out and don’t have the same issue and think that that makes them better people or something.

(For context, I am a software developer, I programmed for embedded Linux devices for 12 years now. I used Linux as my work OS for the last 7 years until I changed jobs half a year ago and my new company mandates Windows and now I have to deal with WSL. I use Linux as my main private OS for the last 3 years. I compiled kernels for embedded devices quite a few times. It’s fair to say that I do have a little bit of experience when it comes to troubleshooting Linux issues, and I’ve gone through a lot of troubleshooting.)

Because Youtube autotranslates these stupid titles. I hate that, since it makes it really hard to know whether you are going to understand the video before clicking it.

I so wish that was the case.

Half the games I tried on Heroic don’t run and most of them run at <5 FPS even though I own a 4070 and the games I try to run are e.g. Bioshock. Number 1. The original, non-remastered one.

And stuff like Dawn of War crashes once I start the game, same as Bioshock 2, Neverwinter Nights and quite a few other older titles.

And even games that generally work fine (like Shadow of Mordor) sometimes randomly decide to run at 2 FPS.

If anyone has advice about what could cause that, I’d be grateful.

I’m on Fedora 41, running newest proprietary Nvidia drivers.