well see when you’re too lazy to design a schema and just want to throw broken data into a black hole where you may or may not be able to retrieve it and deal with the repercussions in production - or better yet let the ops team handle it at 3am - then that’s when you’d choose mongodb
i’m not a member of a church, i’m very atheist, but also i kinda put churches around the same place as sports clubs… they’re largely non-profit entities that exist for the benefit of members… kinda like a co-op too
i think given that - ie their mission isn’t based around making money, but providing free services - it’s fair to put them on the same level as other membership-based orgs
all of these orgs have a “not for me” crowd, but just because it’s not for you doesn’t mean that they don’t provide services to their members in the same way that sports clubs, maker spaces, car clubs, youth clubs, etc all provide things and shouldn’t be taxed in addition to the income tax that their members already pay
Maybe fix the way taxes are spent and I’ll support
not the way taxes work mate
don't want to see the money people give out of their sense of faithfulness to be used to pay for
why does faith give them an exemption from participation in civilised society?
i’d love for tickets to various pride events not to be taxed, but they are… so why do i pay tax for participating in my culture and “faith” is exempt?
taxes largely only apply to profits, so if you’re being an actual charitable organisation, you won’t have too many profits and thus not a large tax burden… right?
they’d still have to pay various payroll taxes and things, and they still buy things: tax exemption in australia for example means you neither have to charge GST (our version of VAT) to customers, and you get to claim it back from any purchases you make
since GDPR came in TBH i haven’t heard of any EU data leaks… like sure they happen in the US all the time, but where the fines actually happen
same with australia: we’ve had pretty good privacy laws since like the 90s, and really we haven’t had a whooooole lot of breaches. there have been some high profile ones, but security is never a 100% kinda thing yknow
so now you’re paying a private entity in this round about bullshit way for a service that isn’t actually the service you want but the service you want kinda is a side hustle for them in order to bring down their costs
insurance may be the way forward because the situation is so far beyond fucked it’s incredible
… but insurance shouldn’t be the answer
just make the insurance compliance stuff law and also make sure to add that if the rules aren’t followed you’re on your own
saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer
clearly that’s not the case if this was exploitable… again, N++ has an auto update mechanism that they current use. if they used a microsoft signing key to sign a builds hash, this hijack would not be possible
thus they have an update mechanism that works around microsoft signing… how is irrelevant. that is the current state of the software
The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place
that part we definitely agree on
Notepad++ even said that they moved hosting providers after this happened to them
side note: doesn’t remotely solve the problem… software updates should be immune to this to start with. it’s a problem that the hosting provider was compromised, but honestly we’re talking about a state sponsored hack targeting other states: almost no hosting provider would include this in their risk assessment, let alone shared hosting providers
Can you point out an existing open source application that runs on Windows that only uses GPG signatures?
again, that’s irrelevant… the concept that we’re talking about isn’t even specific to GPG. signing a hash using a private key is basic crypto, and GPG is a specific out of the box implementation
if we remove microsoft signing as an option for whatever reason (which we have) then it’s still very possible, and very easy to implement signed updates into your own custom update mechanism
I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn't have to deal with Microsofts method of signing software, but that kind of backfired on them.
the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s
No, because you wouldn't be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft's security software in the process.
this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”
adding signing into that existing process without any 3rd party involvement is both free, and very very easy
which is why this is a solved (for free) problem on linux
Windows and MacOS do not use that method to verify the authenticity of developer's certificates.
completely irrelevant… software authenticity doesn’t have to be provided by your OS… this is an update mechanism that’s built into the software itself. a GPG signature like this would have prevented the hack
The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system
that’s what we’re saying: this update mechanism already exists, and seems to install unsigned software. that’s the entire point of this hack… the technical how it works is irrelevant
there are more ways to do signing than paying microsoft boat loads of money… just check a gpg sig file ffs (probably using detached signatures: again, it’s already built into existing tools and it’s a well-known, easily solved problem)
what’s irrelevant is the argument about how the auto update mechanism would work because it already exists
that’s all completely irrelevant.., there is already an update mechanism built into NPP: that’s the entire point of the attack… it’s this update mechanism that got hijacked
technicality remains more important than ever in your current political climate