Biomedical Engineering, Medicine, Public Health, Open Source, Structural Solutions

‘Dystopian tales of that time when I sold out to Google’

If you ever wanted to know what it was like to be an engineer at Google during the early to late 2000s, here you go.

Now even though Google is fundamentally a spyware advertising company (some 80% of its revenue is advertising; the proportion was even higher back then), we Engineers were kept carefully away from that reality, as much as meat eaters are kept away from videos of the meat industry: don’t think about it, just enjoy your steak. If you think about it it will stop being enjoyable, so we just churned along, pretending to work for an engineering company rather than for a giant machine with the sole goal of manipulating people into buying cruft. The ads and business teams were on different floors, and we never talked to them.

↫ Elilla

Even back then, Google knew full well that what they were doing and working towards was deeply problematic and ethically dubious, at best, and reading about how young, impressionable Google engineers at the time figured that out by themselves is kind of heartbreaking. In those days, Google tried really hard to cultivate an image of being different than Apple or Microsoft, a place where employees were treated better and had more freedom, working for a company trying to make the web a better place.

Of course, none of that was actually true, but for a short while back then, a lot of people fell for it – yes, including you, even if you now say you didn’t – and reading about the experiences from people on the inside at the time, it was never actually true.

Read the whole story
satadru
23 minutes ago
reply
New York, NY
Share this story
Delete

libxml2 maintainer ends embargoed vulnerability reports, citing unsustainable burden

The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support.

[…]

Wellnhofer’s blunt assessment is that coordinated disclosure mostly benefits large tech companies while leaving maintainers doing unpaid work. He criticized the OpenSSF and Linux Foundation membership costs as a financial barrier to single person maintainers gaining additional support.

↫ Sarah Gooding

The problem is that, according to Wellnhofer, libxml2 was never supposed to be widely used, but now every major technology company with billions in quarterly revenue is basically expecting an unpaid maintainer to fix the security issues – many of which are questionable – they throw his way.

The point is that libxml2 never had the quality to be used in mainstream browsers or operating systems to begin with. It all started when Apple made libxml2 a core component of all their OSes. Then Google followed suit and now even Microsoft is using libxml2 in their OS outside of Edge. This should have never happened. Originally it was kind of a growth hack, but now these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve libxml2.

The behavior of these companies is irresponsible. Even if they claim otherwise, they don’t care about the security and privacy of their users. They only try to fix symptoms.

↫ Nick Wellnhofer

It’s wild that a library never intended to be widely used in any critical infrastructure is now used all over the place, even though it just does not have the level of quality and security needed to perform such a role. These are the words of Wellnhofer himself – an addition to the project’s readme now makes this point very clear, and I absolutely love the wording:

This is open-source software written by hobbyists, maintained by a single
volunteer, badly tested, written in a memory-unsafe language and full of
security bugs. It is foolish to use this software to process untrusted data.
As such, we treat security issues like any other bug. Each security report
we receive will be made public immediately and won’t be prioritized.

↫ libxml2’s readme

If you want libxml2 to fulfill a role it was never intended to fulfill, make it happen. With contributions. With money. Don’t just throw a whole slew of security demands a sole maintainer’s way and hope he will do the work for you.


Cosmoe, BeOS/Haiku on Linux, returns from 18 year hiatus

It’s 2025, and we’re going to talk about BeOS, AtheOS, Cosmoe, and OpenBeOS, all in one news item, right here, right now, on OSNews.

In the very early 2000s, Cosmoe was a unique project that started out as a merger of the AtheOS userland with the Linux kernel. AtheOS, in turn, was one of the quintessential hobby operating systems of the golden age of the advanced hobby operating systems, the early 2000s. AtheOS would eventually be abandoned in 2002, but would be forked into Syllable and continue development until it, too, was eventually abandoned in 2012.

Cosmoe was the brainchild of Bill Hayden, and originally consisted of the AtheOS userland running on top of the Linux kernel, in order to address the lack of supported hardware a custom operating system kernel inevitably has to deal with. Not long after the start of Cosmoe, AtheOS was abandoned, as mentioned above, but a new project had entered the scene: OpenBeOS, now known as Haiku. Hayden switched gears, and instead started porting the parts that made up OpenBeOS to run on the Linux kernel.

This project progressed nicely, but in 2007 Cosmoe came to a halt (ironically, our last item about Cosmoe is “Cosmoe is back”) as Hayden had no more free time left to work on it, being a father of five, and so he decided to put the project on hold indefinitely. That is, until last year, when everything changed.

In mid-2024, my 3rd son Joshua, not even born when I started this project but who is now in college studying to be a programmer himself, had some questions about operating systems. I decided to dust off Cosmoe and see if I could get it running again, to show him what I had worked on. At first it would only compile and run on extremely old 32-bit versions of Mandrake Linux from 2007. But I had caught the bug again. Not only had I forgotten how fun Cosmoe was to program, but the intervening 17 years of progress made by OpenBeOS (now Haiku) made certain aspects of this revival come at lightning speed. Day by day, week by week, I got it running on newer versions of Linux, and re-synchronized it with ever-more-recent releases of Haiku. After about 2 months of late-night effort, I had a version of Cosmoe that was 64-bit compatible, ran on multiple modern Linux releases, and was almost completely up-to-date with the latest Haiku source changes.

↫ Cosmoe’s history page

We’re halfway through 2025 now, and Cosmoe now exists as two separate, but related projects. There’s Cosmoe Classic, which is the updated and modernised incarnation of Cosmoe’s original concept: Haiku’s userland running on top of the Linux kernel. In its current form, it runs inside an SDL window on your Linux desktop, as there’s no native video driver. Cosmoe Classic, however, is not what Hayden is focusing on.

Instead, Hayden is focusing on the new Cosmoe, which takes the same idea – the Haiku userland running on a Linux kernel – but implements it in a completely different way:

Cosmoe is a C++ class library that allows developers to build rich, native Linux apps with the easy-to-use BeOS API. This library is a light-weight, serverless version of Cosmoe Classic which targets the Wayland compositor on Linux.

↫ Cosmoe’s GitLab page

What Cosmoe on Wayland (to differentiate it from Cosmoe Classic) allows you to do is run BeOS/Haiku applications on Linux, provided you are running Wayland. The project is in an alpha state, but once compiled, it comes with a few BeOS/Haiku sample applications you can run right on your Wayland-based Linux desktop. Hayden states that about 95% of the BeOS API is implemented in Cosmoe, with the TODO file giving an idea of what tasks need to be done to improve compatibility and implement other improvements.

The return of Cosmoe is certainly not something I saw coming, but I’m incredibly excited. I’m not entirely sure about the usefulness of running Haiku applications on Wayland on Linux, but who the hell cares – this is an awesome project, with a ton of cherished history behind it that gives me butterflies in my stomach. It’s absolutely beautiful to see a project like this come back to life in 2025.

Cosmoe is back. Again.

satadru
Ok that's really cool.

"How My Reporting on the Columbia Protests Led to My Deportation"

jwz
Alistair Kitchen:

They were waiting for me when I got off the plane. Officer Martinez intercepted me before I entered primary processing and took me immediately into an interrogation room in the back, where he took my phone and demanded my passcode. When I refused, I was told I would be immediately sent back home if I did not comply. I should have taken that deal and opted for the quick deportation. But in that moment, dazed from my fourteen-hour flight, I believed C.B.P. would let me into the U.S. once they realized they were dealing with a middling writer from regional Australia. So I complied. [...]

Martinez came out and said that I needed to unlock the Hidden folder in my photo album. I told him it would be better for him if I did not. He insisted. I felt I had no choice. I did have a choice, of course: the choice of noncompliance and deportation. But by then my bravery had left me. I was afraid of this man and of the power that he represented. So instead I unlocked the folder and watched as he scrolled through all of my most personal content in front of me. We looked at a photo of my penis together. [...]

Martinez and another officer took me in the back, pushed me against the wall and patted me down. Martinez made sure that I carried no weaponry between my penis and my scrotum. They took the shoelaces out of my shoes and the string out of my elastic pants, presumably so that I would not be able to hang myself. This struck me as overly cautious, but as I entered the detention room I changed my mind.


ICE List

jwz
The ICE List: Crowdsourced database of individuals involved in deportations, ICE operations, and associated abuses.

The ICE List is a public, open-source effort to document the people responsible for enforcing deportation, separating families, and carrying out immigration raids in the United States. All information is sourced from public records, social media, and tips.


FuckLAPD dot com:

jwz
Lets Anyone Use Facial Recognition to Instantly Identify Cops:

"We deserve to know who is shooting us in the face even when they have their badge covered up," McDonald told me when I asked if the site was made in response to police violence during the LA protests against ICE that started earlier this month. "fucklapd.com is a response to the violence of the LAPD during the recent protests against the horrific ICE raids. And more broadly -- the failure of the LAPD to accomplish anything useful with over $2B in funding each year."

"Cops covering up their badges? ID them with their faces instead," the site, which McDonald said went live this Saturday. The tool allows users to upload an image of a police officer's face to search over 9,000 LAPD headshots obtained via public record requests. The site says image processing happens on the device, and no photos or data are transmitted or saved on the site. "Blurry, low-resolution photos will not match," the site says.

"fucklapd.com uses data provided by the City of Los Angeles directly to the public," McDonald told me in an email. "This data has been provided in response to either public records requests or public records lawsuits. That means all of this information belongs to the public and is a matter of public record. fucklapd.com is not scraping any data."

In addition to potentially identifying officers by name and serial number, FuckLAPD.com also pulls up a police officer's salary.
