This is true for a large number of software "security" issues

A software version earlier in date/time is not necessarily inferior (or superior) to a version later in date/time

As it is "updated" or rewritten,, software can become worse instead of better, or vice versa, for a vaariety of reasons

Checking software's release date, or enabling/allowing "automatic updates" is not a substitute for reading source code and evaluating software on the merits

Threat modeling: it keeps things realistic.

I complained many times that they were enabling my innate procrastination by proving over and over again that starting the homework early meant you would get screwed. Every time I'd wait until the people in the forum started sounding optimistic before even looking at the problem statement.

I still think I'd like to have a web of trust system where I let my friends try out software updates first before I do, and my relatives let me try them out before they do.

Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.

Notepad++ site says The incident began from June 2025.

On their downloads page, 8.8.2 was the first update in June 2025 (the previous update 8.8.1 was released 2025-05-05)

So, if your installed version is 8.8.1 or lower, then you should be safe. Assuming that they're right about when the incident began.

edit: Notepad++ has published, on Github, SHA256 hashes of all the binaries for all download versions, which should let users check if they were targeted, if they still have the downloaded file. 8.8.1 is here, for example - https://github.com/notepad-plus-plus/notepad-plus-plus/relea...

As for whether anything else has been compromised, it depends on whether you were targeted. And the payload might have been tailored to each target, so there's no way to know unless you have access to the exact binary. Unfortunately, binaries downloaded through the auto update feature tend not to linger in your Downloads folder.

Since there are a lot of both Ukrainian and Russian software developers, this is personal for a lot of people in the industry.

Updates are a direct connection from the Internet to your computer. You want to minimize that.

Just do a manual update from time to time.

I distinctly remember their GH page being flooded with issues written in Chinese.

https://securelist.com/notepad-supply-chain-attack/118708/

Fuck'em and just donate ten bucks to notepad++ , I'd rather my pc breaks then reward this crap

What the fuck is that supposed to mean, lol. Ukraine isn’t done secessionist state.

> Seeing them engage in software maccarythism makes me very, very hesitant to provide them.

So are they wrong when flagging software or not? You haven’t provided any details.

Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.

> Can anyone suggest a solid alternative on Windows

What a weird reason to switch. I don't know why you'd believe any other piece of software is somehow more secure against state actors.

My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.

If an author wishes to use their open source project as a platform to discuss politics, that’s the author’s prerogative. But then, as perhaps in this instance, it could be to the detriment of the project itself.

It is also annoying that all these three countries think they can bully other countries too. That is basically them saying they can kill other people in other countries at all times no matter the real "reason" (just make up a fake reason, such as Russia with regard to Ukraine) - annoying to no ends.

Having said that, and I just pointed out I disagree with mainland China bullying the Taiwanese, I think it would actually be better to have software itself be completely apolitical. I never understood why people felt a need to tie political goals into software. That is a valid statement even if I happen to agree with the political goals here.

It really doesn’t compute in my head why would any macOS user not use a network firewall like this, or similar, to block unwanted outgoing HTTP(s) requests. You can easily inspect the packet with tools like Wireshark or Burp Suite Professional (or Community) edition, or any other proxy tool, of which there are many in the macOS ecosystem.

And this is not unique to macOS, this is all possible in Windows, Linux and any other OS.

[1] https://www.obdev.at/products/littlesnitch/index.html

https://www.heise.de/en/news/Notepad-updater-installed-malwa...

https://doublepulsar.com/small-numbers-of-notepad-users-repo...

The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the Github source code. The author enabled this by not following best practices.

The "good news" is that the attacks were very targeted and seemed to involve hands on keyboard attacks against folks in Asia.

Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.

They should also be more helpful with not plundering the oceans, even including the territorial waters of far-flung nations, of fish.

FTA.

And there isn't really a way to confirm if it is configured in a secure way.

You either trust the developer or not.

I once worked at a company where the Security team were very proud of this and all the other tricks they used to catch leakers by figuring out who was on campus, where, at what time, usually via fingerprinting personal devices carried alongside corporate devices.

"The security exper’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."

Love notepad++ and will continue to use it.

> The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.

who signed the binaries was irrelevant for this attack, because the issue was not checking any signature

notepad-plus-plus.org currently has an A record of 95.128.42.184, owned by "Aqua Ray SAS".

It switched up from 191.101.104.10 and 212.1.212.49 on 17/1, which is are Hostinger IP addresses.

No, it should be a hardcoded key held by the developer, preferably using a HSM, and maybe with some sort of notification capability in case the key was lost. Adding a second server adds marginal security. For instance if the developer's mail was hacked, an attacker would likely be able to reset passwords for both hosting providers.

> 2. Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.

I'm pretty surprised that they got away with unsigned updates and shared hosting as long as they did. I wonder how many similar popular projects are out there on dodgy infrastructure.

I mean for such a dev focused and extremely performant app, that’s disappointing.

Glad I’m off windows as of late

I expect to know it one day, but it may be too early to provide the name now.

This is acceptable. Why shouldn't most things started by people not willing to put in the work to keep them going not fizzle out? The important thing is that anyone who actually cares to can jump in and pick up right where the open source software fizzled out and get it going again. Anyone can learn from the code and use it for anything they want, even things that have nothing to do with the goals of the original project.

It's not as if there aren't countless examples of corporate vendors dying off and leaving their customers on the hook with nothing, or just changing the product drastically after the sale. At least in the open source case you have the option to fork the project and continue using it as you always have.

Now I need to worry about this one. I've been anxious about vscode lately: apparently vscode extensions are a dumpster fire of compromises.

I know this is a common turn of phrase, but I can not help thinking that if the political conversation is impolite it is because some in the conversation is being impolite not due to the topic itself.

You can ignore politics, but at certain point, politics cease to ignore you.

Having said that, I absolutely despised the implementation that stole keyboard focus; if it popped up when I was typing it frequently disappeared before I head a chance to read it and I had to go into settings to try and find what had changed. Nothing should ever steal keyboard focus unless it's urgent, and then it should website that you can't accidentally manipulate it with a keyboard (see UAC prompt where it opens in the background if the calling program is in the background, and where once you activate it, you have to hold alt+y/n or tab to a button before it accepts the input; just hitting the y/n key alone won't do anything).

And who do they let try the software before they do? And so on... Where does it ended?

Something doesn't seem right here.

The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.

After a machine is compromised by malware, there's rarely-to-never a trustworthy way to ever fix it with 100% certainty. And especially worrisome is "repair" from the host itself which maybe infected with a rootkit that hides and repairs the malware. Thus, the only correct solution is to completely reimage/reinstall from trusted sources. Deviate from this path at one's own extreme cost/risk.

There also exist a tiny amount of even worse, specialized malware, usually deployed by state actors, that infect hardware in such a way that makes them difficult and sometimes uneconomical to repair.

PSA: Never run untrustworthy shit on any machine that matters. This also includes FOSS projects that don't have their shit together.

Please refer to it for context.

When I see politics in software updates or documentation, nothing happens because I'm not looking to use the software for political activism. Maybe I tell my adblocker to remove the messaging, and carry on with my task.

I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.

I almost always see activists using the argument that if I don't like the messaging then I'm part of the problem. Somehow I doubt that, given I don't mind messaging at all, where it's appropriate.

I'm going to place the blame on the party committing the crimes, not the person exercising free expression.

If anything, we need much more politics in software, ideally exercised by those who write that software instead of "apolitical" software writers who end up executing the political software of those who pay them.

If you meant to scope your statement only to FOSS, then this still applies (in fact, FOSS is inherently political), plus I suppose some people who invest their time to write software want to also use the same effort for political activism and there is nothing wrong with that. This can be expressing their political views via that software (e.g., vim and the support to children in Uganda) or can be using a license that only allows co-ops to run their software, or many other ways.

The idea that software even could be apolitical stems from the idea that technology can be neutral, which again, in 2026 is really a tough idea to support.

And, in many cases you can get some protection from a developer going rogue (or not writing perfect code), it's not an all or nothing.

Thanks for your nonanswer, though. It was about as unhelpful and unspecific as the original blogpost for this.

The thing is that most supply chain attacks are going to hit you when you are least prepared to deal with them, because that's exactly how they get you. When you're distracted.

Upgrades are deep work, but the commands to start them feel like shallow work.

On the other hand, any server running old, unpatched versions of apache or similar will get picked up by script kiddies scanning for publicly known vulns very, very fast.

The notepad++ attack is politically targeted and done through unconventional channels (compromise in the hosting provider). I don't think 99% of the people reading this thread has a comparable threat model.

Loved that class.

However, there are ways around this, too. No solution is perfect.

The threat model for a server and for a personal computer are very different. On a consumer device, typically only the OS mail app and browser have direct contact with the outside world.

Being political isn’t a hobby you attend on Tuesdays, it’s real decision that affect people’s lives every single day, sometimes with deadly consequences.

One comment there points out that XP is old enough for infected attack vectors to have all died out. I dunno.

amount? ;)

I mean, if you look at the Notepad++ website this developer seems just as concerned at spamming political messaging all over everything as much as he is with writing the software he's distributing. It's pretty crazy he apparently didn't think to take more basic precautions given he is basically permatrolling Russia and China with his messaging. Big brain moment for him. And meanwhile, after reading that disclosure nonsense none of us even know what's going on - like, should we be formatting machines that were affecting during that timeframe? Was the attack targeted and specific only? Who the fuck knows!

American and European infrastructure is subject to cyber attacks that that are effectively hostile military acts already. I don't think a vocal stance on Ukraine and an exclusion of Russian developers deserves the rhetoric of McCarthyism or being 'too political' as is these days a fashionable accusation. This is no red scare, this is speaking up for people bombed on a daily basis.

And these updaters almost universally use HTTPS, which network-based adversaries can't see except for SNI, and even that's going away...?

Where's the bar where you shut down discussion? I mean, even politics is contextual, right?

You entering a campaign about the plight of Myanmar and getting annoyed at people who don't want to hear your message about Gaza puts the blame for any conflict arising on that purely on ... YOU!

IOW, Even within political discussion, you can still be off-topic!

> If you meant to scope your statement only to FOSS, then this still applies (in fact, FOSS is inherently political)

Entering a GNU project (which has the political context of Copyleft and IP reform), and attempting to use it to spread a message about ICE behaviour still makes that asshole behaviour.

Only the most extremist true-believers feel that every platform is for their benefit. Trust me, it's not.

We also need better computer science education in high schools, teaching students how to inspect network packets, verify SSL certificates, and evaluate whether a binary blob might contain malicious code.

People have gotten complacent about the internet, which is why they still get hacked, when it should be the other way around. With everything we’ve learned over the years, why are breaches more common than ever? I don’t understand why people are so careless about online security today, compared to decades ago when we were taught not to share personal information and not to trust anything on the internet.

The state of the world is such that I have started running everything inside VMs. Baseline OS install + virtual machine management and that is it. Which is still not immune, but makes me feel a lot better than core OS utilities are probably getting better vetting than nifty-utility-123 on which I depend.

Source. I work for a company for longer than the internet has been alive.

> Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“

It also mentions "installing a root certificate". I suspect that it means that users who installed the root cert could check that a downloaded binary was legit but everyone else (i.e. the majority of users) were trained to blindly click through the warning.

Freedom of speech is political.

The right to privacy is political.

Letting people on to the Internet without censorship is political.

Government policies that support startups are political.

Threatening to arrest teens for pirating mp3s is political.

> I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.

For the people actually impacted by politics, reality rarely waits for a convenient time to interrupt.

Political reality tends to knock down doors and blow up buildings when it wants to really get someone's attention. "Don't bother me during my software updates" is a privileged position to be able to take.

The Taiwanese government has never formally declared itself independent from the mainland. Such a declaration would likely cause the PRC to invade.

https://en.wikipedia.org/wiki/1992_Consensus

I suppose, though that's not really how I tend to see it phrased on socials or in the media.

I'm sure it felt very real at the time.

You are confusing cause with effect. Leaking this type of fingerprint data over time is what allows users of Palantir-like systems to decide you're somebody worth individually targeting.

That would be two things that would have to be compromised and redirected simultaneously to malicious versions. Way more likely to be noticed too because one of them would be GitHub, and unless they mirror the entire rest of the package metadata index and keep it up to date for everything else besides their targeted malicious package.

And for more modern software distribution mechanisms (e.g., Nix, Guix, Flatpak), centralized package updates may not actually run any vendor code with high privileges at all.

The norm for proprietary software updates on Windows is indeed a free-for-all of every publisher downloading and running code with admin rights, and it is indeed a terrible way to operate. Avoiding that kind of madness doesn't necessarily mean running lots of old, vulnerable software.

http://iccf-holland.org/ http://www.vim.org/iccf/ http://www.iccf.nl/

You can also sponsor the development of Vim. Vim sponsors can vote for features. See |sponsor|. The money goes to Uganda anyway.

I would argue that this has been an effective avenue for messaging/protest. You’re responding to it on this very board - that means you’re thinking about it.

Another angle: would such free protest be allowed if the developers of Notepad++ were based in China or Russia? I seriously doubt it.

How do they know it was a Chinese group or even a state sponsored one?

"Fixed some bugs" Yes thank you very helpful that! Now I can make a very informed decision.

But good we are talking about my point rather than than the example.

Something of Notepad++ size might think about it now

That is a very controversial statement, and one that both Taipei and Beijing disagree with.

Being political for software means for example making some specific choices while designing it and advertising them as such. Means choosing a license over another. Means announcing political positions and possibly aligning the software to them (depending on what it is).

It doesn't mean going in forums related to that software to discuss random political topics.

In the context of forums, the political threads are generally /not interesting/[0]. Political threads often devolve; they bring nothing 'new' or 'fresh' to the table, and they lead absolutely no where. It's a fart-in-the-wind situation no matter what your position is. Leave that stuff on reddit where the rest of the farts-in-the-wind go to waste. It's like watching commentators on Fox News or CNN or <insert favorite cable TV show here>. They're a large waste of time and they're often geared towards re-enforcing your side, aka echo chamber.

Now, if a thread actually evolved into real measurable action, that might actually be interesting. But that's not what happens on these forums. There's probably very few of us that see some HN thread talking about something awful happening somewhere and they take direct action, such as petitioning their government, protesting, etc. It's probably happened once or twice, but most of the farts in those threads just hang around and stink up the place.

Please stop stinking up HN.

[0] https://news.ycombinator.com/newsguidelines.html

HN discussions are usually very high quality and respectful disagreement therein, which is unique online nowadays.

I’ve come here to escape Reddit, which is all politics all the time. If this place turns as political as Reddit, I’m out.

He who politicizes everything politicizes nothing.

So, while I fully agree with your stance that banning political discourse is support for the status quo, I also think that it's reasonable to ask for it to be toned down a bit, especially when the politics and social issues of one country is basically drowning out everything else.

All that said, I'm talking mostly about HN or other community forums here. The owner of Notepad++ has the right to put whatever they want into their software, and if we're discussing that here on HN then it's an occasion where discussing politics is valid.

I read about politics all day long in many different places. My belief that HN should be relatively free of such stories is not because I believe I can detach myself from politics, but because I believe topic based forums are more valuable and useful than “anything goes” forums.

Political opinions about how things should be don't automatically dictate the actions that should be taken in support of those opinions. I can be mad about a law or a court decision and still have the good sense to, for example, not throw red paint on a lawmaker or judge.

Some behaviors just aren't helpful, and neither being right nor being upset changes that.

If this is true, I'd like to know what a weak political view is instead!

No, it explicitly is not, and this "deepity" doesn't change any rational analysis. The injection of politics into every aspect of society must and should be refused.

There is such a thing as being able to act and think in ways that aren't political in nature. Maybe not for you, but it absolutely is possible.

apparently, it's OK to have this stance of "if you're not with us, you're against us".

It's absolutely possible to not want political discussions in various places - it doesn't mean you support one or the other side. It simply means you don't want that discussion here. You could support the incumbents or not - not wanting the discussion does not imply support for the incumbents.

I don’t think I am the only one who has this reaction. People who do this should consider if it’s actually helping their cause. If not it’s just feelgood signaling, or possibly even counterproductive.

- US arguing for independence of any of the States for whatever reasons?

- Spain for Catalonia?

- France for Basque?

and many more just in Europe.

https://en.wikipedia.org/wiki/List_of_active_separatist_move...

our enemy. It must be Chinese, North Korean or Russian.

> state sponsored one

"our software/our provider is so good that only a state actor can compromise us" (see Microsoft's AD keys hack for details)

As one should, I avoid stuff that have a very loud fascist author/owner. So we should be happy for this people to show what they believe in, this way we can decide not to help fascists(and others can decide to support them and not to help one of the other sides)

I definitely am not upset at the commenter I replied to, and while I'm definitely upset at the maker of Notepad++ I don't think he qualifies as some random person on the internet. If you publish software that security conscious people use (and certainly Notepad++ is used by tech savvy security-conscious people) then you, really by definition, aren't some random person - that's kinda the whole point. Security conscious and tech savvy people tend not to install things from random people on the internet.

Notepad++ was a trusted website/trusted developer, and they got caught with their pants down doing some truly dumb and lazy shit, and then they published a blogpost that doesn't explain much of anything. So yeah, that's pretty infuriating my friend.

Okay, lets assume you are correct[1]; is that a counterargument to my main argument:

>> IOW, Even within political discussion, you can still be off-topic!

------------------------------------

[1] I don't think I am confused about the difference, TBH - I explicitly called out political preference of a project and political discussion within the project.

I think about a lot of things I do absolutely nothing about (or with).

Thinking about whatever messaging is here is like saying "thoughts and prayers". It means shit all nothing. The messaging was a waste of my time and your time. It was an ad for a product you'll never purchase.

You know that's official position of 99% countries in the world, including all superpowers and every NATO member?

See something in the release notes of an app you don’t like? Go use a different app, give your money to a different entity. Don’t spend your time and resources messing with the producer or user of the thing you don’t like.

This of course runs the risk of maximal polarization once everyone has filtered themselves into their neat and tidy little bubbles. What happens then, everybody leaves each other alone? Or do the echo chambers slide into further radicalized detachment from each other?

The video referenced in that article explicitly connects directly to the internet, using a VPN to bypass any ISP and router protections and most importantly disables any protections WinXP itself has.

So yeah, if you really go out of your way to disable all security protections, you may have a problem.

So the free expression is considered by everyone according to their own ethical and moral values.

There are more steps you can take to ensure greater safety. The above is the minimum a I do for myself and what the minimum IT department and my company executes.

Like saying pstn and fiber are different things.

I mean, yeah. Most major social media services used in the West are based in the US. The single largest English as a first language population is in the United States.

Given how many users from outside the US are oft wont to opine on our state of affairs even during the good times - often without even being asked - I like to think they'll endure our discourse.

The good sense is your judgement. At some point a real, direct, disruptive protest is going to be the right solution for a big enough group of people. Peaceful protests are just a "we're starting to get there" signal. It's not like politicians normally say "gee, lots of people don't like how I abuse power, I guess I'll stop now". It's all about being collectively upset enough about status quo.

https://neovim.io/sponsors/

When you launch a plain nvim instance you get the following:

> Help poor children in Uganda!

> type :help Kuwasha<Enter> for information

Everyone, including 99% of the world's politicians that don't have their heads up their asses, including the ones who wrote the official positions that Taiwan is not a country, knows Taiwan is a country.

To get back on topic though, I think conflating using Y app with holding X position on a topic like politics is a dangerous road. Which is where I think having a dedicated space for those politics makes more sense. Whether that's a blog, twitter, etc. It allows those most dedicated to you to know you better without making the product or program a political stance. But the developer is ultimately free to do what they want. So it's not like anyone here can tell the developer to change in any way.

My point is, statistically, it is more secure to install updates as fast as possible.

We can take another example: search for “shitrix”, there’s thousands more CVEs out there to use as example.

Unfortunately, US politics also drives tech issues elsewhere like the EU. For example, local data control is a big thing that some of us have been screaming about forever but nobody paid attention to--until US politics made it a hot button issue.

And, to be honest, if the EU would get off its ass and at least try to foster some alternatives, even those of us in the US would benefit. EU alternatives would mean that people in the US could finally vote against the megajillionaires with their wallets.

> Americans, including people here, seem uniquely incapable of nuance in their thinking when it comes to politics.

Bullets and beatings don't leave much room for nuance regardless of country.

Notepad++ is free, open source software for which there are dozens of alternative packages of equivalent quality. The entire cost of using this software and benefiting from the work of the developer, is having to scroll past or close a few political opinions.

If the reaction, if someone vehemently dislikes this sort of thing, is to tell that developer to "just shut up and make your software" rather than to stop using that software? Then I think that's possibly the most entitled and hypocritical position that I think it's possible to have.

Politics are quite literally life-or-death for many people. War is politics. Access to healthcare is politics. Economic policy that determines whether businesses and careers succeed or fail is politics. Freedom to say what you want, believe or not believe in whatever religion you want, and be who you are without being imprisoned is politics. The people who make the most noise about politics are the people who are literally dying for as long as the rest of society ignores their plight.

If this isn't the case for you, it's because you benefit from the status quo. It is the definition of privilege to be able to "ignore politics". That means you are currently benefitting from politics. Of course you don't want to hear about politics, politics are doing just fine for you. And the comment you were asking to was asking you to reflect on that: if the biggest problem gracing you is hearing other people make noise about circumstances, the least you could do is deal with it. Your problems are trivial if that is what gets you upset. Other people are complaining about things that affect the outcome of their lives and you're complaining about... having to hear it.

So what about protesting the Russian invasion of Ukraine seems objectionable to you?

> it is fair to say that Notepad++’s freedom to protest would depend on who and what they are protesting.

What? In the US, UK, and Australia, the right to protest (i.e. of speech) does not depend on what’s being protested in the way you’re implying.

> Yeah, Notepad++ is known for political messaging in their updates. Taiwan, Ukraine, etc.

If you’re calling Ukraine in particular a “separatist movement”, I don’t think we can have a productive conversation.

You can’t be against the Ukraine war in Russia because Putin is an evil dictator

99% countries, as they say, "acknowledge China's viewpoint".

How do you "factory reset" a PC ?

https://support.certum.eu/en/code-signing-required-documents...

https://shop.certum.eu/open-source-code-signing-on-simplysig...

$49 (EU) Gross

Conveniently, it's never here, and it's never now. I think MLK Junior wrote a speech about this? Letter from a Birmingham Jail: https://www.africa.upenn.edu/Articles_Gen/Letter_Birmingham....

I see this as a bad analogy though: you wouldn't hear about it every time you go to the grocery store. Or, at the very least, you wouldn't stop and listen for the fifth time. You already know, and that's the point: the intention of most activism in technology (at least that I see) is to make you initially aware of it so you start to seek the information out and learn more elsewhere. (...And to give themselves good PR. We love rainbow capitalism /s)

Instagram and Twitter both get your attention during election season because they want you to be informed about how to vote. To me, that's a similar thing.

I don't want to either, and indeed I really want others to do it for me. As such, I really want to see even MORE political stuff like this to hopefully create folks who will actually protest and put their neck on the line.

Similar reason why US military propaganda is good. I never EVER want to be drafted and indeed if you put a gun in my hand and military fatigues on me, I will die with a shot in the ass (because I am running away). Thankfully, we have a bunch of hardened 20-somethings "manipulated" into joining the military and protecting us so that I can be lazy.

So please ratchet up the politics and get others out so I don't have to. It's not that hard to ignore yet another plea for help. We do it every hour of every day.

What exactly do you want the EU, the Brussels based institution, to do here? Because AWS didn't come into existence because Uncle sam came in and twisted Bezo's hand telling him to invent a hyperscaler that will conquer the world.

EU's lack of comparable domestic alternatives is a consequence of the failure of its entrepreneurship and free market in the SW private sector, and nothing that EU institution can do about it to magically fix this since the solution is not MORE regulatory interference form government bureaucrats who don't know how the internet works.

You might be able to force innovation if the governments can throw money at the problem if the VC sector is lacking, but they can't force economies of scale and mass adoption without a China style great firewall, in which case you'd then have even bigger issues.

I considered the majority of the population to be affected by repeated messaging, messages in the background, or in other words availability bias. So the messaging be having the desired effect on society in general but not on some subset who filter it out completely.

Try to point out to a democrat that Trump is doing something right or to a Trump voter that Biden did something right. Most of them can’t accept that. The “other” side has to all bad. I don’t see this to such an extreme in other countries I know like Germany or Spain.

Capitalists can also start software businesses and sell their software, but those are all in Silicon Valley because the money is there because the US has a privileged financial position.

If tomorrow there would be a war or protests in, say, Burundi. Will Americans stay with Burundi or against it? Or with the country the media will tell them is "good" because their interests align with US interests?

I think answers to all these questions are obvious.

- Ukraine for Donbas

Which is so much weaker than all others. There are Ukrainians, Russians, Chinese, Tibetans. But there is no such ethnicity as People of Donbas.

OTOH in a democratic state you're still have the right to demonstrate peacefully for whatever you want, even if it doesn't make much sense. But would you allowed to demonstrate in Ukraine for Donbas independence if they are considered separatists according to the law?

I was glad after discovering [1]. In one of the videos the interviewer explains, why he was not arrested. The channel is for English-speaking auditory outside of Russia. It was enough to "close eyes" for some openly expressed critiques. Though it was painfully to listen to some people who were not against the war.

[1] https://www.youtube.com/@1420channel/videos

Not only does politics and general stories crowd out everything else over time on other sites, there are HN submitters who seem to be trying to accelerate this.

During the war, when HN was getting Israel-Palestine stories constantly, I started looking at the submission history of some of the submitters, and some of them were just pushing these types of stories every day for months and months.

So yes, I think allowing politics will eventually mean being dominated by politics and general interest.

As problematic as the assertion "by definition" is aside, it should be noted that endlessly commenting about politics on internet forums effectively changes nothing.

I've been kettled by mounted officers and hit by high pressure hoses on cold evenings, something that also rarely effects change .. but that's a least a fun night out with people and better than wasting bits on the intertubes.

"Say" in the sense of demonstrate peacefully for this? Then I'm impressed. If someone else can confirm this? Is this because of USA being a federal union? Before Ukraine declared independence, there were voices to make Ukraine a federal state, so that people in the West part of Ukraine can live their way of life and people living 1600 km (!) away in the East and Southern parts would be not much affected from that and vice versa. Voices for the unitary state were stronger because of stability of the state. Would be interesting to see some documentary "what if", whether a federal state would be more stable against pulling from the west (Europe, US) and the east (Russia).

Mr. Ho already has hosting charges and he uses GitHub. For those who use GitHub, he could continue his GnuPG method for signing. Additionally, GitHub integrates with Sigstore. Windows wouldn’t trust his signature but at least there would be better traceability. Version 8.8.7 labeled “authenticity guaranteed” is a step in that direction.

The real “issue” here was his outside hosting platform for updates from my reading of the article.

> There are more steps you can take to ensure greater safety.

There are firmware infections that can persist even after hard drive format. Though to my understanding os/user space to firmware infections are rare. As far as I know a 'factory reset' on phone and some laptops does not reinstall firmware and clear out firmware infections. So to my understanding the 'factory reset' found on phones is analogous to formatting your hard drive, reinstall the os, software, and data required for your use.

However much the code is hidden and obfuscated, some parts of the source code are going to be looked upon.

For a binary, none, ever, except in the extremely rare case that someone disassembles and analyzes one version of it.

The fact that open-source doesn't coincide with security doesn't mean that it isn't beneficial to security.

1. I don't want to see political messages in unrelated delivery mechanisms

and

2. I created $PRODUCT as a delivery mechanism for a political message

are equally valid.

I feel that the problem that comes about is when a $PRODUCT was not created as a delivery mechanism but is being co-opted into being one at some later stage; the audience feels deceived and the creator feels that the audience is ungrateful.

I'm not very familiar with Notepad++ (having never used it, nor experienced any desire to try it), but I'm fairly certain that the creator has been political long enough now that the audience cannot complain about the message being delivered with the product.

It's like complaining about Vim having a message for the plight of Ugandans - it's been there for decades; too late to complain now about it.

I'm more sympathetic to complaints over projects which never had a specific political message suddenly acquiring one when they realised what a large audience they had, or when new people join a decades-old project and introduce a political message that was never there before. I can sorta understand outrage then.

Activists wanting something is not synonymous with that thing being a good idea. It just means that someone wants something out of you could be good, could be very bad. No different than a sales person trying to get you to buy something.

Yes, yes, and yes again.

> Many activists would certainly have you think otherwise. As far as I can tell, fighting that habit is a huge goal of activism.

That's their problem. As soon as you start contributing to them, you will not pursue your own goals, living your own life, but those imposed by activists or their supervisors.

It's convenient for them, you give them a political resource. But why do you need it?

could you remind me what country is the afd based out of thnx

If in another country I vote for these guys or sometimes those other guys, and once this little party that got a seat, but not really those ones, and I really hate these ones, then your "political identity" already has a lot of nuance. In Australia with preferencial voting, a single vote has a lot of naunce.

What can you get in America? Green Party supportors who "strategically" vote for a democrat? Not much else...

Well, gee, let's look at the sponsorship page for KiCad: https://www.kicad.org/sponsors/sponsors/

I see a couple EU companies, but no EU governments. It takes a paltry $15K to be a Platinum sponsor.

I picked KiCad because PCB design is critical military infrastructure, the alternative programs are almost all under non-EU jurisdictions and could be pulled, and KiCad is both open source and local desktop to top it all off. This is exactly the kind of quiet, unflashy toil that desperately needs support from a government entity.

Lots of areas need support for open source alternatives that are controlled by proprietary software that might vaporize. I picked PCB design because it's an easy target. Cadence and Synopsys have locks on VLSI design domains that could get yanked from the EU. VHDL tooling is still disastrously poor. Everybody could use an alternative 3D modeling kernel (the EU is a little better here because the dominant proprietary kernels are from Dassault Systèmes and Siemens). I'm sticking to software as the domain because the purpose of the funding is obvious (pay developers, duh), but it also applies to things like small manufacturing and maintaining domestic supply chains (but the purpose and focus becomes a lot messier).

And yet, everywhere I look, any project I pick, crickets.

I don't expect the EU to front run, but something like KiCad is 3 bloody decades old.

> those are all in Silicon Valley because the money is there because the US has a privileged financial position.

And yet you had the rise of Akihabara as an electronic parts mecca which then later got eclipsed by Shenzhen. And that's not even talking about the fact that the modern computing sits atop a mountain of stuff developed out of the VLSI Project (https://en.wikipedia.org/wiki/VLSI_Project).

All of those occurred because their respective governments threw money around.

Sure, maybe you won't create another Silicon Valley hare, but, perhaps, just perhaps, you might create a relentless, open source EU tortoise that slowly displaces the proprietary software. The EU is good at slow--relentless, not so much.

Sadly, a continual state of inertia and sclerosis and failure around tech seems to be historically European: https://www.phenomenalworld.org/analysis/the-eurochip/

I don’t agree with them and I don’t think they should be in my software, or dealing with anything they don’t understand (for instance crime, homeless people, geopolitics, or really anything outside of overpriced vegan coffee shops). All they really do is end up getting Fox News people to vote for fascists like Trump out of spite

When I care about politics I’ll deal with actual politics. Reddit won’t change my mind nor the world.

No one has the time to pay attention to every little injustice in the world. For all the people crying about Gaza, how many of them are dedicating as much energy to the wars in Sudan, Yemen, or Myanmar, or the abuses by Russian security services (like imprisoning a guy for holding up a blank card)? This isn't to say that we should just ignore Gaza or Ukraine or ICE in the US, but we need to make a choice: either we spend ALL our energy addressing every injustice in the world, until there is no more injustice left (and this means we need to stop everything else we're doing now, including keeping society running, making food, etc.), or we need to choose when and how much attention we'll devote to various issues.

If HN is going to allow accusations to be slung against groups of people it has to allow others to respond, and that sets off endless debate amongst people who will not be changing their minds on the matter but will repeat the same argument on the next post.

But if I were a nihilist I might agree with you.

You are falling for Russian propaganda about evil western-Ukrainian nazis attempting to enslave peaceful-Russian-speaking-peoples-of-Donbass-or-whatever who were just minding their own business ("way of life"). As a Russian-speaking Ukrainian neither do I want Putin to protect me (apparently by looting my apartment and raping my girlfriend or in whichever way he is trying to do it these days), nor do absolute majority of population of, say, Kharkiv, Odesa or Kherson.

> Voices for the unitary state were stronger because of stability of the state. Would be interesting to see some documentary "what if", whether a federal state would be more stable against pulling from the west (Europe, US) and the east (Russia).

As a Ukrainian I find that idea quite laughable. It is not really possible for a part of federal union (say a state of USA or a Swiss canton) to join NATO and for other part to "decide" to become a Russian-occupied quasi-state like Belarus. Same goes for a part of it joining EU while some other part decides it wants to be part of EAEU Customs Union. State's foreign affairs are still decided by some central government.

Also, you can research how great "deciding on their own way of life" works in Russian Federation. You could start with first and second Chechen Wars.

In reality it is not. It is a spectrum of parties. People vote often for smaller parties in the state and larger ones in the national.

It has been like that since forever. They don't know how a left leaning party looks.

By all means make a considered and thoughtful point, please.

Something similar, significantly different though, happen to a friend. They started distrusting the incogni.com after seeing their advertisements over and over again. To them they saw/felt/reasoned that only an untrustworthy actor would be pushing the messaging so much and a trustworthy actor would rely more on word of mouth via their good product inspiring people to speak up about them. I had to point out that they probably saw much more of incogni's advertising due to their rate and type of media consumption and most people probably do not get that level of exposure. If incogni lowered their advertisements to hit them correctly it would not be nearly enough advertising to reach the average consumer.

I see the frustration at the repeated messaging to likely be a natural protective mechanism. Instinctively reject repeated messages is not necessarily a bad instinct since manipulative people will use repeated messaging to manipulate, but repeated message exposure does not only happen due to an attempt to manipulate.

There are already alternatives to KiCad for PCBs. And I repeat myself: NLNET can only rule on the proposals it receives. Have you proposed to spend a year improving the KiCad UX?

Activism can be annoying, but it's never pointless (not even when it fails to be effective).

> All they really do is end up getting Fox News people to vote for fascists like Trump out of spite

It wouldn't be worthwhile for activists to resign themselves to inaction out of fear of offending the "Fox news people". "Fox news people" are already more likely than not to vote for fascists like Trump, and they'll use any excuse/justification they're being fed including "I don't like the way the wrong people are using their freedom to protest the wrong things".

Politics is a game. It is played with one single objective: to make sure that the people with no political power remain fighting among themselves instead of fighting those with power. If you believe some favored political faction will solve these problems you mention, then it is you who is missing the entire point.

When last we crossed you appeared to be lecturing people while incorrectly paraphrasing their actual position (aka strawmanning)( https://news.ycombinator.com/item?id=46793399 ).

FWiW I recall handing a guitar (I hear they kill facists) to Billy Bragg way back when he was on tour Talking to the Taxman About Poetry and FYI he's back, again, following Springsteen: https://www.youtube.com/watch?v=IKOW2ZikGW8

So, good luck https://www.youtube.com/watch?v=NJ2QOwQdHL8

Maybe sidestep becoming a parody: https://www.youtube.com/watch?v=W1_uEbGJtnY

>A majority of countries (119 or 62 per cent of UN member states) have endorsed Beijing’s one-China principle, which entails that Taiwan is an inalienable part of the People’s Republic of China.

I was being generous bucketing 20 mixed signallers with 40 status quoist. 120 agree TW inalienable part of China, as in TW can never be independent from one China construct (PRC's position). 20 agree it's part of China but not necessarily inalienable, i.e. TW/ROC should have pathway to independence but until they formalize, still part of China. AKA 75% is in recognize tier.

I don't agree. Even if proprietary software is somehow "better" (and I don't concede that automatically), proprietary software is always at the risk of disappearing--see: VMWare after the Broadcom purchase. Your critical software being open source means that you have the right to fork/copy and just keep going without needing to do anything else. Proprietary software disappearing means that you need to file legal paperwork and get a judge to care and then wrench the source code out of someone's hands.

The failure modes are vastly different.

And this is before we get into the whole undocumented, proprietary storage formats issue.

> Have you proposed to spend a year improving the KiCad UX?

I am in the US. Can a US citizen propose that? I would assume that this has to come from EU citizens, no?

To be honest, if I could get KiCad some funding simply by filing some paperwork, that's probably a good investment of time.

> There are already alternatives to KiCad for PCBs.

Not really. Autodesk bought Eagle. Renesas bought Altium. Cadence bought Orcad. There's a whole host of stuff controlled by China. Most of the other free things aren't even close to KiCad.

I guess maybe PADS, since it's owned by Siemens? But I haven't bumped into a PADS user in a very long time--I wonder if it's considered legacy or just far too expensive.

For example it's very normal for the Tor project to talk about censorship and privacy. It's also fairly normal for Russian maintainers to speak out about how it's no longer possible for them to receive support due to sanctions. And I can understand if a Ukrainian maintainer has to focus on trying to survive or escape the country instead of developing their software. All of that stuff is completely fine and I wholly empathize with it. It doesn't bother me because it's not extraneous; it is directly relevant to the project. I also don't mind projects listing their preferred charities.

But I do roll my eyes when projects continue to pine on about Taiwan's independence or the genocides in Gaza. If there isn't a reason why it's actually relevant to the project, I don't think the project page is a good space to push it.

> How the produce of society is distributed and how people are cared for has zero relevance to an article about hacking a text editor,

The article is political. People make noise about Taiwan because an invasion of Taiwan would kill many and oppress more, in other words because it, like all political matters, is something that determines the course of lives of millions. Even if they are not directly affected, noise about politics escalates as a mechanism for people to protect themselves. When you are at the wrong end of a group that outnumbers you trying to kill you, you will require the aid of others. But will others come to your aid if you were not willing to come to their aid? This is how the concept of a "conscience" and "empathy" evolved -- because they give an evolutionary advantage, of providing for your own survival by ensuring collective survival.

Edit: for posterity, the comment I was replying to mentioned a "belief in either team leading you to the promised land", which has been edited out.

How attention works, whether training on scraped data is legal, and whether or not the latter should be permissible are three distinct topics. Only the third is inherently political. The second has a close relation to politics but is ultimately a legal question as opposed to a political contest. The first has absolutely nothing to do with politics in and of itself.

> politics pervades everything

That's exactly the problem. Sometimes I don't want it to. If I pull up a spec sheet for a microcontroller I don't want to be bombarded with propaganda pertaining to the political tug of war of the day.

The fact that mundane actions can have political impacts when considered en masse does not imply that we can't or shouldn't have spaces for discussions that are reasonably free of political topics. It isn't always appropriate (imo) to discuss the political impacts of the task at hand. It's okay to have a space in which only the task itself is permitted.

What activism was that? Were there sit-ins? Millions marching in the streets? Were trans people chaining themselves to bathrooms? What was the terrible activism so extreme that it pushed "fox news people" into voting for an R when they'd normally vote for a D? My guess is that there are effectively 0 "fox news people" who'd ever vote for a D to start with and that fox news watchers didn't actually see or experience much activism on the transgender issue. Instead what they mostly had a problem with was policy put in place by non-transgendered people, library books that included transgender characters, and the existence of trans people generally. No activism needed.

Microcontroller is a broad category of electronic components. Maximum I/O current is orthogonal to microcontroller. Spec language is orthogonal to microcontroller. Politics is orthogonal to microcontroller, and orthogonal to maximum I/O current. The letter "x" is orthogonal to all of the above.

If we make a category of microcontrollers with French data sheets, we are intersecting two axes. That's analogous to vegetables that contain saturated fat or vegetables that begin with the letter "a" in Flemish.

Saturated fats pervade foods (but not all of them), the Flemish letter "a" pervades foods (but only 1/26 of them), electrical concepts pervade microcontroller spec sheets (all microcontrollers, but not all documents describing them) and politics pervades everything (some exceptions here too?)

You seem very angry at a stranger on the internet. I think a break from thinking about everything through the lens of politics might be good for you.

The same with politics. When politicians keep their hands off the society, no one feels pressed to talk about politics. When an authoritarian regime compromises a widely used open source software to conduct espionage, of course people will start talking about politics.

Articles about families living close by, which water bills exploded recently?

On the other hand, you don't see commenters saying that they are indifferent to their access to water, and that they are tired seeing others being engaged in the conversation.

If it's not impacting you, I don't blame you not participating. But I feel (general) you don't get to push down on others because they are discussing important topics (to them).

Access to water is political. If you get water from the city, the building of infrastructure delivering water to your residence is political. Whether or not that water is polluted is political. If you get your water from a well on your own property, your ownership of that land is political. None of that is achieved without group consensus, and group consensus can take all of it away from you. You are able to ignore that fact because all of those political consensuses are currently going in your favor, but the same is not true for everyone, and when it isn't true for them, they can be predicted to make noise about not having access to water for obvious reasons. They will make noise about it everywhere they can because it will be more important than anything else to them, given that it will determine whether they live or die and they need to galvanize communal support in order to reverse their fortunes.

> You seem very angry at a stranger on the internet. I think a break from thinking about everything through the lens of politics might be good for you.

My previous comment was written entirely neutrally, so I'm not sure how you came to that conclusion. Incidentally, I happen to live in a prosperous and stable society that I have confidence will remain secure for decades to come, so I have the privilege to ignore politics at my leisure. I am grateful for that opportunity, but I also understand how much of a privilege it is that politics are going well and not actively creating problems for me, so when other people complain about political processes creating problems for them, like the threatened invasion of their country, I listen without complaining.

I took HN as a place for rational discussion, so I made an effort to communicate to you why politics are so important to many, but in the end it seems this discussion is fruitless. If there is any emotion I feel, it is that of disappointment for wasting my time trying to discuss things logically and rather than being met with any kind of reasoned rebuttal, I get a childish dismissal the likes of which I could've gotten on Reddit, which I stopped using for that very reason a decade ago.

Ah but didn't you know, some activist professor with a stick up his ass once said "everything is water" - so even not wanting to talk about water is in fact your water privilege of not talking about water. /s