Not sure how feasible this is in Java, but if your distributable is just a tiny installer with its own cryptographic verification, you would a) have a smaller chance of hitting a false positive and b) if you do get hit, at least your customers can still launch and use the program, even if they can temporarily not do new installations.

Even worse, Go programs cannot be linked dynamically. That means that if a vulnerability is found in (say) a crypto library, all programs using it need to be recompiled.

And because the Go package manager (like most language specific package managers) is developer-centric, you have to rely on the developer to keep an eye out for CVE announcements for all the libraries they use. The number of developers that actually do this consistently is very small.

Wait, are you saying you want to own the means of production?

Maybe read this?

That's all fine and dandy, until your servant becomes part of a botnet and starts DDOSing me.

I don't think he's blaming the user, just making a polite request. If anything, he's blaming Slashdot for the bug (correctly).

That's odd, one of the reasons I like systemd is that it *doesn't* eat process output. With sysvinit, non-syslog output would end up on /dev/console, scroll up and be lost forever (especially relevant for headless servers). With systemd's journalctl I can easily review the output of any process together with its syslog logs. There's plenty of things about systemd that annoy me but that ain't one.

IRC and XMPP for me.

Always 20/20.

Sounds like you never had to debug a use-after-free bug.

Qihoo are also the owners of Startcom and Wosign. Oh dear.

Assuming Signal uses some form of (elliptic curve) diffie-hellman, subpoenaing the private key will not allow the FBI to decrypt a single message. And since Moxie Marlinspike designed this system you can be sure it does.

The core functionality (WebRTC) is still there, they just removed their frontend. You can still use WebRTC in Firefox (or Chromium/Chrome) by visiting https://opentokrtc.com/. Chromium may be a better bet if you're behind a crappy firewall, because it supports TCP as well as UDP (Firefox only supports UDP).

We host an apt repository with a few packages for a bunch of debian and ubuntu releases. Of course you have to target the right dependency set, but that's true even when you target a specific version of either OS.

I was just miffed by the remark that Debian would not support PPAs, when in fact the whole technical groundwork is actually Debian's and all Ubuntu did was build a thin command interface over it and suddenly gets credited for the whole invention.

PPAs are basically just extra entries in /etc/apt/sources.list. That's a Debian feature, not an Ubuntu one. I certainly do appreciate the fact that Canonical offers easy and free hosting for personal repositories, but saying that Debian doesn't support PPAs is a bit weird.