newsletter:2024 Spring edition
Welcome to the 2024 Spring edition of the FreeSewing newsletter.
Here's what we've got for you today, no joke:
- π FreeSewing 3.2 brings Tristan, Lumina, Lumira, and more (3-minute read by joost)
- π¨ Email just got harder, again (1-minute read by joost)
- πΈοΈ Building FreeSewing's web of trust in the wake of the XZ backdoor attempt (5-minute by joost)
- π€ How FreeSewing's challenges have shifted over time (2-minute read by joost)
Shall we get started?
Β
Β
π FreeSewing 3.2 brings Tristan, Lumina, Lumira, and moreβ
We released FreeSewing v3.2 earlier during Q1 2024 and it includes 3 new designs, as well as a range of bug fixes and improvements.
Let's have a look at the highlights:
The Tristan Topβ
First up, there is the Tristan Top. Tristan is a top with princess seams and (optional) lacing at front or/and back. Itβs origin story is the need for a costume for a Renaissance festival, so that is probably a good indicator of what to expect.
Tristan was design by Natalia who also wrote a blog post about the new Tristan design, so that's a great place to get all the details about this new design.
The Lumina and Lumira Leggingsβ
Iβll give you a second to scan that title again, but yes there are two different leggings patterns with similar names: the Lumira Leggings and the Lumina Leggings.
Both were born out of Wouterβs desire for good cycling gear, and I suggest you check out the designer notes for both Lumina and Lumira to fully appreciate the difference between these designs, why they differ, and what would work best for you.
Bug fixes and improvementsβ
Regular readers of the newsletter will know that we continiously roll out improvements on FreeSewing.org and that those are not tied to a new release, but it's a good opportunity to list them so here are some highlights of the bug fixes and improvements that went into the 3.2 release:
- Sandy has a new panels option that was added by Paula. You could aways create your circle skirt out of a number of a similar patterns by doing the match yourself, but now the pattern will take care of that for you.
- What started out as a bug report for the biceps ease on Jaeger ended with a change to the way the armscye is calculated on Brian, in particular the depth of the armhole. Given that Brian is our most foundational block, this will have ripple effects on many other designs, you can expect that out-of-the-box the armscye will reach a bit lower.
- In Carlton β and thus in Carlita β we have fixed and issue where the seam allowance on the undercollar was incorrectly drawn.
- In Charlie, the back pocket welt (4) and front pocket facing (8) incorrectly indicated to cut 2 instead of 4 in the cutlist. This too is resolved.
- In Hugo, we fixed a bug that caused the design to error when the complete setting was off, and we fixed an issue where the front pocket opening would get increasingly narrow as the hip circumference increased.
- Weβve added a new
Path.combine() method to
our core API. Its origins lie in a
discussion in issue
#5976 which was
originally filed as a bug report about how Path.join() connects gaps in the
joined paths β caused by either
move
operations, or a difference between the end and start point of joined paths β to be filled in with a line segment. That behaviour is expected/intended, but weβve addedPath.combine()
to faciliate the other behavior: Combining different paths into a single Path object without alterning any of its drawing operations. - The title macro now can be
configured with a
notes
andclasses.notes
setting in its config, allowing designers to add notes to (the title of) a pattern part. - Our i18n plugin now supports now supports translation of nested arrays of strings, which gives designers more flexibility to concatenate translated parts of strings.
The FreeSewing 3.2 announcement blog post has all the details.
Β
Β
π¨ Email just got harder, againβ
If you are reading this in your inbox, and not an archived copy on FreeSewing.org, then we were able to deliver this email to you, which is good news.
What you may not realize is that doing so is not exactly trivial, and hasn't been for years. But recently, things have gotten even more complex. Gmail (Google) and Yahoo for example have implemented new restrictions in the first quarter of 2024 which requires additional work on our end to maximize the chances of this email actually landing in your inbox.
Furthermore, so-called bulk email senders are subject to the most stringent checks. If you send 5000 messages a day, you are considered a bulk sender and will be subject to extra scrutiny. As this newsletter has about 14k subscribers, we are being held to the highest possible standards.
Obviously, nobody likes spam, and I am not advocating against these rules. It's just that the amount of time and effort required to make something as seeminly trivial as sending out an email work at scale is ever-increasing as the internet trends towards a de-facto pay-to-play model.
For now, I am still making those efforts, and hopefully they proved sufficient to get this to your inbox. But it's something we may need to revisit at a later time if it becomes an increasing strain on our limited time and resources.
Β
Β
πΈοΈ Building FreeSewing's web of trust in the wake of the XZ backdoor attempt (5-minute by joost)β
Depending on where you get your news from, you might have heard or read about the backdoor attempt of the xz compression utility.
In a nutshell, a malicious actor attempted to introduce a backdoor in this utility, which ultimately was an attempt to smuggle a gated RCE exploit into SSHd.
Or, in ELI5 terms: Somebody contributed code to a small library that had nefarious intent. It was done in a sneaky way and the ultimate target was not the library itself, but rather another software project that uses this library: The Secure Shell Deamon. A daemon is just a cooler word for a service on a computer, because why not make things cooler. This particular daemon or service, the secure shell daemon is responsible for handling secure shell (SSH) connections. It's the gold standard for remote management of Linux (and unix) systems.
The code smuggled in a gated RCE backdoor. RCE stands for remote code execution, meaning it allows you to do stuff remotely without needing to authenticate or anything. Or to put it differently, it allows one to control a remote computer system they normally should not have access to. The fact that it is gated means that the author of the malicious code took steps to ensure that only they could use the malicious code. Like a backdoor with a key.
It's hard to overstate the gravity of this attempt at backdooring essentially every Linux system on the planet. It's not only the world's most widely used operating system, its dominance of server operating systems is overwhelming. Or as I often say: Anything that matters runs on Linux.
This is an ongoing story and I for one am hoping it will be made into a Netflix mini-series starring David Cross in the role of Andres Freund, but I digress. This is the FreeSewing newsletter, so I wanted to lift something out of this story that I think is relevant to FreeSewing, or really to any open source project out there.
Maintainer burnout and the long con of gaining trustβ
One of the fascinating elements of this story is who contributed the changes, and why they were accepted without sufficient scrutiny to reveal the malicious intent of the contribution.
Because the user who made them had been contributing for years to the project
and in light of this work had risen in status to a level where there was a lot
of implicit trust based on their work, despite knowing next to nothing about
who or what goes behind username JiaT75
(in this case). Such a long con is
a significant investment of time and effort, so the currently held assumption
is that this was a nation-state actor (think NSA or some other country's
equivalent). It's also important to note that the xy maintainer was having a
hard time dealing with the long tail of responsibilities of maintaining
software and was actively looking for help to stave off burnout. It's a
scenario that is shockingly common across open source projects and creates a
situation where malicious actors can all too easily take advantage of exhausted
maintainers desperate to offload some of the work.
Establishing a web of trustβ
This problem of who can you trust is of course not new. One way to counter it is by establishing a web of trust. This is how things are done in larger open source software projects involving many volunteers, such as the Debian project.
In practical terms, such a web of trust is built upon relationships between people who know and have verified each other's true identity. For example, there's a number of people in the FreeSewing community that I have met in real life. We've not merely met face to face, but have spent time together, we know where we live, we know each other's partners or family, or have some other tangible way that provides a high level of assurance that this person really is who they claim to be.
Those people, in turn, can have similar connections with others who they know, have met, and trust to a level that goes well beyond the online world. This creates a web of trust where you can trust your friends, and the friends of your friends and so on.
In light of current events, and in acknowledgment of the rapid accelaration of what is possible with generatative artificial intelligence, FreeSewing will henceforth restrict all write access or elevated privileges to community members who are part of FreeSewing's web of trust.
We will of course continue to accept -- or rather review -- contributions from everyone. But permissions that unlock the potential to do harm will be restricted to people for whom trust has been established AFK (away from keyboard).
In order to facilitate building such a web of trust, we will start documenting these connections between people. This will allow people who are looking to take on more responsibilities within FreeSewing to look at its web of trust and see who lives close to them so they can hook in to our web of trust through that person.
I realize that FreeSewing is extremely unlikely to be the target of a backdoor attempt by a nation state actor, but adopting best practices and being transparent about how we do things is a good idea regardless.
So, I will start building and documenting this web of trust over the next couple of weeks, and review all access control and permissions to make sure we are doing everything we can to prevent even the most dedicated actors from poisoning the well.
Β
Β
π€ How FreeSewing's challenges have shifted over timeβ
Did you know that FreeSewing v1 was released 7 years and 7 days ago? Since that time we've made many changes big and small, and our core library and plugin system have matured into a reliable -- and certainly opinionated -- way to design parametric sewing patterns.
The challenges that are most interesting from a technical point of view have been more or less solved. What's left is the user-facing side of things, or the user experience (UX) as we like to call it.
FreeSewing can do a lot, so how make all of that functionality available to the users without overwhelming them? Is that even possible on mobile, which is the dominant way in which people go online now. How do you create it an intuitive experience, or guide someone who arrives on FreeSewing.org after a free sewing patterns Google search towards an understanding of what FreeSewing is and does in the handful of seconds that people are likely to give it a chance before moving on to the next link in their search results.
To be clear: I do not know the answer to these questions. But it is increasingly what we spend our time on. The percentage of people out there who use our software directly is insignificant compared to the amount of people who (only) consume our software through our website. For most visitors, FreeSewing is a website and if it is anything else, that is probably not clear to them, or even relevant.
Obviously there is room for improvement, but often there is no one obvious path forward. Perhaps -- or should I say almost certainly -- this is an area where I lack the talent or skill to come up with some sort of grand overarching strategy. But I find myself second-guessing a lot of my own ideas or impulses in this area.
So, I was wondering if we could do a little experiment. An experiment where I ask you -- my dear reader -- a simple question. Are you ready for it? Here is the question:
What is FreeSewing?
I'd love to hear your answer. You can simply hit reply to let me know.
PS: I burried this question at the end because I feel if you read through all of what came before, I probably want to hear your thoughts.