DB has been reorganized as an AG in the 90s, i.e. a corporation under private law. They are forced to (at least try to) make a profit for their shareholders, which is a common trait of private organizations. They consistently do so via short-sighted (mis-)management, another common trait with many private organizations. This privatized corporation is indeed fully owned by the state as its only shareholder, but unfortunately that doesn't manifest in the DB being run as the critical infrastructure that it is. I suspect that the indirections in power over the corporation that the privatized structure imposes is a key reason for why it became such a disaster.
I wonder how many times a low-effort "truthy" sounding comment like that is written without someone like you to correct them and to clarify. There's also comments here suggesting UK's privatisation fixed BR that I do not have the energy to correct anymore, so they just sit there being wrong for all to see
> They are forced to (at least try to) make a profit for their shareholders,
This is not true at all.
The shareholders set the targets and since the shareholder is the government they can set any target they want: profitability, more trains, cheaper tickets etc..
If the shareholder wants to inject 10% every year in stead of taking a profit they are absolutely free to do so.
The DB AG has been specifically founded to be "market-oriented" and profit-making, so yes, it is true.
I am sure the state could try to do _something_ about it, but I am also sure that a very strong car lobby here in Germany is working against that. BTW, the road network, which I would consider to conceptually be the same kind of infrastructure as the rail network, is to my understanding mostly built and maintained by state organizations, so it is possible to do it that way.
I guess it is also harder to market "let's subsidize this private company with tax payer money so they can continue to offer mediocre service" to voters, compared to "let's use tax payer money to build and maintain one-of-a-kind critical infrastructure from which everyone (with a car, which due to the less-than-great alternatives is a lot of people) can profit".
Again, having it organized as a private company adds indirection, diffuses power and responsibility, and adds a certain more or less implicit expectation of what private companies are supposed to do. That's my main issue with it. Private companies aren't supposed to run critical infrastructure as a monopoly for profit. It's the states job to provide and maintain critical infrastructure in the interest of all.
>The DB AG has been specifically founded to be "market-oriented" and profit-making, so yes, it is true.
Again, if the shareholders decide this is the reason: yes.
But shareholders can just as easily set other targets or incentives.
>I guess it is also harder to market "let's subsidize this private company with tax payer money so they can continue to offer mediocre service" to voters,
The government owns DB AG, it is not a private company. It is a public company.
> The government owns DB AG, it is not a private company. It is a public company.
It is a private company, as in it is a legal entity under private law. This is in contrast to a "öffentlich-rechtliches Unternehmen" (I don't know if this even has a proper translation or equivalent in other jurisdictions). There is more than two options here, it can be both privatized and public according to your definition.
That's ridiculous. DB is not even trying to become profitable, not is there any evidence that it's sole shareholder, aka the government, sets it as a target.
Well apparently they have been somewhat profitable from 2016 to 2019, and they have been paying a dividend to the state more often than not. I don't think their goal is actively loosing money?
The site is pretty clear: "Free and works in browser", "Processed locally", "Private". But apparently the site (sorry for the harsh word, but I can't interpret it any other way) lies.
"is incorrect" is slightly less harsh, but in this case, I'd call it a lie. It's a rather subtle but important implementation detail. I don't think the author (who is here in this thread) is necessarily malicious because of this, but, well, it's a lie.
Even if the users knew exactly what the name of the entity whose website they wanted to visit was: that name is not unique, as is shown by the "Stripe, Inc" example in the parents linked blog post.
> Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain.
It might be useful in some cases, but it is never any more secure than domain validation. Which is why browsers don't treat it in a special way anymore, but if you want you can still get EV certificates.
Having used Forgejo with AGit now, IMO the PR experience on GitHub is not great when trying to contribute to a new project. It's just unnecessarily convoluted.
It's just how straightforward it is. With GitHub's fork-then-PR approach I would have to clone, fork, add a remote to my local fork, push to said remote, and open the PR.
With agit flow I just have to clone the repository I want to contribute to, make my changes, and push (to a special ref, but still just push to the target repo).
I have been making some small contributions to Guix when they were still using email for patches, and that (i.e. send patches directly to upstream) already felt more natural than what GitHub propagates. And agit feels like the git-native interpretation of this email workflow.
I said e.V., not EV. Codeberg is an e.V., i.e. a "registered association" in Germany. I am not actually sure if you could technically buy an e.V., but I am 100% certain that all of the Codeberg e.V. members would not take kindly to an attempt at a hostile takeover from Microsoft. So no, buying Codeberg is not easier than DDoSing them.
What do you mean by "orgs", and what do you mean by "the codeberg"?
Sure, they could try to bribe the Codeberg e.V. active members into changing its mission or disbanding the association entirely, but they would need to get a 2/3 majority at a general assembly while only the people actively involved in the e.V. and/or one of its projects can get voting rights. I find that highly unlikely to succeed.
Are there standards committees with 786 voting members, of which you would have to convince at least 2/3 to betray the ideals of the association they chose to actively take part in to get the association to disband or otherwise stop it from pursuing its mission?
~800 members? That's great to hear actually. I like Codeberg and want them to succeed and be protected from outside effects.
That's said, I believe my comparison checks out. Having ~800 members is a useful moat, and will deter actors from harming Codeberg.
OTOH, the mechanism can still theoretically work. Of course Microsoft won't try something that blatant, but if the e.V loses this moat, there are mechanisms which Microsoft can and would like to use as Codeberg gets more popular.
I think another big "moat" is actually that Codeberg is composed of natural people only (those with voting rights, anyway). Real people have values, and since they have to actively participate in Codeberg in some way to get voting rights those values are probably aligned with Codeberg's mission. I don't actually now the details of the standardization process you cite, but I think this is a big difference to it.
Additionally, from skimming the bylaws of Codeberg I'd say they have multiple fail-safes built in as additional protection. For one, you can't just pay ~1600 people to sign up and crash a general assembly, every membership application has to be approved first. They also ask for "support [for] the association and its purpose in an adequate fashion" from its members, and include mechanisms to kick people out that violate this or are otherwise acting against Codeberg's interests, which such a hostile attack would surely qualify as.
Of course it's something to stay vigilant about, but I think Codeberg is well positioned with regard to protecting against a hostile takeover and shutdown situation, to the point that DDoS is the much easier attack against them (as was the initial topic).
I've lost my laptops SSD (as in: no longer mountable, only got data out of it with some rescue tools) at some point between 2017 and 2020, don't remember when exactly. I've also had a weird experience where a btrfs filesystem formatted on my desktop PC was not mountable on a Raspberry Pi, and vice versa formatted on the Pi was not mountable on the desktop. That didn't instill confidence either.
On the other hand, I've been running a btrfs RAID1 on two HGST datacenter drives for a few years and haven't had issues with that.
A good package manager, e.g. GNU Guix, let's you define a reproducible environment of all of your dependencies. This accounts for all of those external headers and shared libraries, which will be made available in an isolated build environment that only contains them and nothing else.
Eliminating nondeterminism from your builds might require some thinking, there are a number of places this can creep in (timestamps, random numbers, nondeterministic execution, ...). A good package manager can at least give you tooling to validate that you have eliminated nondeterminism (e.g. `guix build --check ...`).
Once you control the entire environment and your build is reproducible in principal, you might still encounter some fun issues, like "time traps". Guix has a great blog post about some of these issues and how they mitigate them: https://guix.gnu.org/en/blog/2024/adventures-on-the-quest-fo...
As well as the toolchain used to compile your toolchain, through multiple levels, and all compiler flags along the path, and so on, down to some "seed" from which everything is build.
Re: delayed security fixes, if a vulnerability is not yet publicly known and there is no indication that it is actively abused it is common practice to schedule fixes and give advance notice of them to have administrators be prepared to update promptly. The fact that the vulnerability was leaked beforehand is unfortunate, but Forgejo handled it well with rescheduling their release in response.
Re: license change, hard forking, and new features: my understanding is that Gitea wasn't very open to contributions coming from Forgejo. The hard fork seems to be a consequence of that. Yes, there used to be weekly cherry picks, I assume they stopped exactly because Forgejo and Gitea diverged to much and they became too much of a maintenance burden. Yes, this means Gitea has gotten features that aren't present in Forgejo since then. But you miss the point of the hard fork if you count this as a negative: Forgejo is deliberately diverging from Gitea now. Cooperation didn't work out, so they are no longer a superset of Gitea, but an entirely separate project. And as such they don't have more maintenance burden than Gitea itself.
And Forgejo definitely does not lack development power as its own now-independent project. They have features themselves that Gitea doesn't have. One notable that comes to mind is storage quotas, but there are many more too.
reply