Notepad++ hijacked by state-sponsored actors

(notepad-plus-plus.org)

900 points | by mysterydip 2 days ago

479 comments

  • Saris a day ago

    I guess my habit of running a firewall and not allowing programs to access the internet unless they actually need it is helpful for stuff like this.

    Absolutely no reason a text editor needs internet access.

    I only update stuff through winget, which fetches the installer from github in a lot of cases, and changing a package requires a PR to the winget repo AFAIK. Not foolproof of course though.

    • drumttocs8 3 hours ago

      Malwarebytes Windows Firewall Control may annoy me sometimes, but this is exactly why I run it.

      • Saris 2 hours ago

        It shouldn't! Fort just flashes the tray icon if there's a new connection request and you can click it whenever you want, instead of a popup in your face in the middle of something.

    • Pet_Ant a day ago

      Checking for updates and pulling in plug-ins. Both are valid.

      • thegrim000 19 hours ago

        As for updates - my OS has a built-in package management system, which is responsible for installing and updating packages. Why should notepad++ bypass that and do its own independent update process?

        • maronato 8 hours ago

          Because other OSs do not and the notepad++ team wants all users to have a similar experience.

          If you don’t need auto updates, just disable them.

          More importantly, notepad++ being able to update itself is not the exploit here. Your OS’ package manager would download the same compromised binary as notepad++’s built in updater.

      • Bender a day ago

        A browser can download updates and plugins to be installed locally. I too do not want all my apps making internet connections. Sandboxes / namespaces can help a little.

      • Saris a day ago

        I think these days updates through the OS package manager is a better option, windows has had winget for 5+ years now, and obviously linux and macos both have their own established systems.

      • MisterTea a day ago

        It's because of issues like these that I do not agree with your statement of validity. It's also cheaper code wise to not have these contraptions.

      • hulitu 12 hours ago

        > Checking for updates

        Why ? CADT ?

    • sciencejerk a day ago

      LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made

      • np1810 a day ago

        > LittleSnitch is great for MacOS; it is easily configured to alert you every time your machine makes ip/domain connections, which can then be accepted, denied, or rules made

        For an open-source alternative, consider checking out - Lulu [0]. It's not as feature rich nor has impressive UI like the former but gets the main work done.

        [0] https://github.com/objective-see/LuLu

        • XdekHckr 3 hours ago

          Are you really using apple products? Yuh...

        • addandsubtract 13 hours ago

          It's not open source, but I can also recommend Vallum[0] as a cheaper alternative to LittleSnitch.

          [0] https://www.vallumfirewall.com/

        • nonamenoslogan a day ago

          I use LuLu, it works great. It's kept my older versions of Photoshop and Acrobat from complaining and showing me ads for newer versions for the last couple years!

      • Saris a day ago

        Yeah I've been using Fort on windows, it's easy to use and not closed source and full of bloat like the commonly suggested windows firewalls from various security companies.

      • TwoNineFive 16 hours ago

        Binisoft WFC for Windows is a free outbound firewall. It was acquired by MalwareBytes a while back, but they have not interfered with development so far.

        https://www.binisoft.org/wfc.php

        It has some areas where improvement is needed, but the fundamentals work and the user interface design is decent.

        I am surprised it's not more popular for Windows users. All of the alternatives I've tried have critical issues which made me dismiss them as unserious.

    • just_testing a day ago

      Which firewall software do you use? I should probably start using firewalls in my computers as well...

      • batat 10 hours ago

        It doesn't matter really because nowadays all of them are just front-ends to Windows Firewall.

        Also legitimate software (i.e. firewall/AV) cannot use "oldschool" tricks like system service descriptor table hooks to obtain godlike privileges these days, while malware sometimes can do this by exploiting vulnerabilities, so in such cases it may be an unequal fight.

      • Saris a day ago

        I've been using Fort: https://github.com/tnodir/fort

        It's the best one I found after trying a few, because it's pretty easy to use, and lets me disable notification popups which is a part that always frustrates me about other options.

        • valbu a day ago

          Why am I hearing about that specific FW in year 2026, this seems really good, at least the features written if it really supports rules based on parent processes, wildcards, SvcHost granularity without gotchas. Been wrangling with Windows FW for ages, trying to get some badly behaved programs to update like Discord, Teams and others that change install paths or updater executable names or hiddenly use msedgewebview2. PolicyAppId and tagging based rules have given some success but Windows FW is still really broken. Definitely giving Fort a try.

          • batat 10 hours ago

            > A "Core Isolation: Memory Integrity" feature of Windows 10+ prevents creating such memory area (leading to BSOD).

            > We tried to attestation sign the driver via new EV certificate by MS to fix the driver's limitation, but failed (see #108).

            > So for now users have to disable the "Core Isolation: Memory Integrity" feature

            Disabling HVCI doesn't sound like a good idea honestly. I mean they abuse kernel memory protection to bypass EV Certificate restrictions leaving the system in a state where another driver can mess with FW's internal structures using the same trick.

          • Saris a day ago

            It's quite good! It definitely deserves to be more popular, I hope it gets some more recognition.

            Wildcards are great, like you said for those apps that change the directory name every single update.

  • Helmut10001 2 days ago

    It looks like using Chocolatey [1] saved me from this attack vector because maintainers hardcode SHA256 checksums (and choco doesn't use WinGuP at all).

    [1]: https://chocolatey.org/

  • edb_123 2 days ago

    So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

    Anyway, I hope the author can be a bit more specific about what actually has happened to those unlucky enough to have received these malicious updates. And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start? Though I would assume these malicious updates would be clever enough to rather have dropped and executed additional files, rather than doing something with the Notepad++ binaries themselves.

    And I agree with another comment here. With all those spelling mistakes that notification kind of reads like it could have been written by a state-sponsored actor. Not to be (too) paranoid here, but can we be sure that this is the actual author, and that the new version isn't the malicious one?

    • hinkley 2 days ago

      This reminds me of college, when some of my professors were still sorting out their curriculum and would give us homework assignments with bugs in them.

      I complained many times that they were enabling my innate procrastination by proving over and over again that starting the homework early meant you would get screwed. Every time I'd wait until the people in the forum started sounding optimistic before even looking at the problem statement.

      I still think I'd like to have a web of trust system where I let my friends try out software updates first before I do, and my relatives let me try them out before they do.

      • Nition 2 days ago

        Ah, I remember those days. One that wasn't an error exactly was an assignment that had a word limit of 2000 words or something. I'd written maybe 3000 words and spent quite some time cutting it down, getting it to just under the limit. Then someone else who also wrote too many words asked the professor if that was okay and they sent out an update to everyone saying it's fine to ignore the word limit.

        • whywhywhywhy 2 days ago

          You were working within the system of academia, the other student in the system of the real world.

        • nxpnsv 2 days ago

          So you accidentally learned how to edit a text? Sounds like a win to me…

          • Nition 2 days ago

            That's a nice positive way to view it. I would even say that was probably intended as a feature of the original assignment brief.

      • dec0dedab0de a day ago

        They should have just given out extra credit for finding bugs.

        • QuiEgo a day ago

          I had a professor who did this. One letter grade bump *after curve* applied per assignment per bug found (reproduce case and fix required).

          Loved that class.

      • skeledrew a day ago

        > let my friends try out software updates first before I do

        And who do they let try the software before they do? And so on... Where does it end?

        • hinkley 21 hours ago

          There's a few months every year when I'm feeling brave or crazy. We could take turns.

          The thing is that most supply chain attacks are going to hit you when you are least prepared to deal with them, because that's exactly how they get you. When you're distracted.

          Upgrades are deep work, but the commands to start them feel like shallow work.

        • timbit42 a day ago

          There is always a fresh group of people who haven't learned that lesson yet acting as the guinea pigs.

      • ozim 2 days ago

        For windows updates r/sysadmin has people who run updates and post their experience on patch Tuesday.

        • Melatonic 2 days ago

          You can delay by a week or two very easily and automatically as well

      • greazy 2 days ago

        I work in a lab as an analyst (bioinformatician), we are register and pay for quality assurance programs that contain an embarrassing about of technical errors.

        • wiether 2 days ago

          > an embarrassing about of technical errors

          amount? ;)

          • hinkley 21 hours ago

            Autocorrect makes us all sound like jackasses these days. Have some pity.

          • Gander5739 2 days ago

            Number?

    • tasuki 2 days ago

      > So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

      Is this surprising? My model is that keeping with the new versions is generally more dangerous than sticking with an old version, unless that old version has specific known and exploitable vulnerabilities.

      • illiac786 2 days ago

        Yes, it is very much atypical. Most hacks happen because admins still haven’t applied a 2-year-old patch. I hate updates, but it’s statistically safer than running an old software version. Try exposing a windows XP to the internet and watch how long it takes before it’s hacked.

        • pibaker a day ago

          To be fair I doubt there are that many people scanning for internet facing XPs in 2026.

          On the other hand, any server running old, unpatched versions of apache or similar will get picked up by script kiddies scanning for publicly known vulns very, very fast.

          The notepad++ attack is politically targeted and done through unconventional channels (compromise in the hosting provider). I don't think 99% of the people reading this thread have a comparable threat model.

        • card_zero 2 days ago

          Debatable. "I connected Windows XP to the Internet; it was fine" - https://news.ycombinator.com/item?id=40528117

          One comment there points out that XP is old enough for infected attack vectors to have all died out. I dunno.

          • bigfatkitten 2 days ago

            I experienced this first hand in 2014. We got to a point where drive-by exploit kits just weren’t shipping IE8, Java 6 or Windows XP payloads anymore.

          • expedition32 a day ago

            Anyone else noticed that we don't even GET patch notes anymore?

            "Fixed some bugs" Yes thank you very helpful that! Now I can make a very informed decision.

            • latexr a day ago

              I hate that. “Bug fixes and improvements” every time. And then there are the ones who think they’re being cute with “our bird Fernando has been hard at work eating those nasty bugs and flying over the rainbow to bring you an ever delightful experience”. Just, no. I don’t mind you flexing some creative writing muscles in your release notes if you provide actual clear information, but if you’re going to say nothing like everyone else, might as well use the same standard useless message so I can dismiss it quick.

          • illiac786 2 days ago

            https://www.tomshardware.com/software/windows/idle-windows-x...

            But good we are talking about my point rather than the example.

            • badsectoracula 2 days ago

              > YouTuber Eric Parker demonstrated in a recent video how dangerous it is to connect classic Windows operating systems

              The video referenced in that article explicitly connects directly to the internet, using a VPN to bypass any ISP and router protections and most importantly disables any protections WinXP itself has.

              So yeah, if you really go out of your way to disable all security protections, you may have a problem.

              • conorcleary a day ago

                Like leaving the lid off of my typewriter at lunchtime :-o

              • illiac786 a day ago

                That’s still the example, not my point.

                My point is, statistically, it is more secure to install updates as fast as possible.

                We can take another example: search for “shitrix”, there’s thousands more CVEs out there to use as example.

        • tasuki a day ago

          I don't know about Windows, but I've been running all kinds of outdated Linux (Debian mostly) and it never once caused a security problem.

          • pxc a day ago

            Debian backports security patches.

        • thegrim000 19 hours ago

          You assume that the old software version has critical vulnerabilities. If it does not, then yes, updating is more of a risk since the new versions are unknowns.

          • illiac786 19 hours ago

            My assumption is statistical. All software has critical vulnerabilities, not just the old ones. It’s just that these vulnerabilities are known, in the case of the old ones, which significantly increases the risk.

        • bulbar a day ago

          It depends if the application itself touches the Internet or only when conducting updates.

          The threat model for a server and for a personal computer are very different. On a consumer device, typically only the OS mail app and browser have direct contact with the outside world.

      • slumberlust a day ago

        Steve from Security Now podcast has been specifically using Notepad++ as an example of not being able to leave good enough alone for years now. Can't wait to hear him claim his told you so next week.

        Love notepad++ and will continue to use it.

    • 1vuio0pswjnm7 a day ago

      "So, let me get this straight. If I've been lazy, postponed updates and I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?"

      This is true for a large number of software "security" issues

      A software version earlier in date/time is not necessarily inferior (or superior) to a version later in date/time

      As it is "updated" or rewritten, software can become worse instead of better, or vice versa, for a variety of reasons

      Checking software's release date, or enabling/allowing "automatic updates" is not a substitute for reading source code and evaluating software on the merits

    • FatalLogic 2 days ago

      >I'm still on 8.5.8 (Oct 2023) - it turns out I'm actually...safer?

      Notepad++ site says The incident began from June 2025.

      On their downloads page, 8.8.2 was the first update in June 2025 (the previous update 8.8.1 was released 2025-05-05)

      So, if your installed version is 8.8.1 or lower, then you should be safe. Assuming that they're right about when the incident began.

      edit: Notepad++ has published, on Github, SHA256 hashes of all the binaries for all download versions, which should let users check if they were targeted, if they still have the downloaded file. 8.8.1 is here, for example - https://github.com/notepad-plus-plus/notepad-plus-plus/relea...

      • JoystickX02 a day ago

        Just checked my 8.7.9 that I installed in April 2025 and never updated. The hash seems to be identical to the version I installed around that time. Seems like it was a good choice to always skip the Update Dialog when using Notepad++ lol.

      • z3t4 2 days ago

        Older download links don't seem to work!?

    • bulbar a day ago

      I disable auto update for everything that does not have direct contact with the Internet otherwise (mail app, browser, OS, router,...). Probability for some random app being exploited because updates were skipped is insignificant compared to the probability of a malicious update.

      Updates are a direct connection from the Internet to your computer. You want to minimize that.

      Just do a manual update from time to time.

    • otherme123 2 days ago

      > And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start?

      Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.

      • tempestn 2 days ago

        The remote machine that was compromised was responsible for Notepad++ updates, so the concern is that it could cause a compromised version of the software to be installed. But if it could do that, it could probably cause anything to be installed anywhere on the user's machine, so inspecting the installed N++ binary probably wouldn't be too useful.

        • 7bit a day ago

          Checksums are useless in this case. The binary would have to be signed and the installation routine would have to check that the new binary would have been signed with the certificate. That adds complexity, but would have thwarted this specific attempt.

          However, there are ways around this, too. No solution is perfect.
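
Added example, not part of the thread or of any project's code: a Python sketch of the point raised in the comments above about hardcoded SHA256 checksums (Chocolatey) versus a checksum that arrives over the same channel as the download. It simulates a hijacked update channel and shows that a checksum served next to the installer still matches, while a hash pinned out of band does not. The package id, byte strings and `update_server` are constructed for illustration, and this covers hash pinning only, not the signature check 7bit describes.

```python
import hashlib
import hmac

# Constructed stand-ins for installer bytes. No real Notepad++ files or hashes are used.
GENUINE_INSTALLER = b"constructed genuine installer bytes, example-editor 1.0"
TAMPERED_INSTALLER = b"constructed tampered installer bytes, example-editor 1.0"
PACKAGE = "example-editor 1.0"  # hypothetical package id


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, read in chunks so large installers fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Hash recorded out of band (assumption: a reviewed package manifest or a release
# page fetched over a different channel than the updater uses).
PINNED = {PACKAGE: sha256_hex(GENUINE_INSTALLER)}


def update_server(hijacked: bool) -> dict:
    """Simulated update response: the installer plus a checksum served beside it.

    Whoever controls the channel controls both fields, so the checksum always
    matches whatever payload is served.
    """
    payload = TAMPERED_INSTALLER if hijacked else GENUINE_INSTALLER
    return {"package": PACKAGE, "installer": payload, "sha256": sha256_hex(payload)}


def check_same_channel(response: dict) -> bool:
    """Compare the installer with the checksum that came in the same response."""
    actual = sha256_hex(response["installer"])
    return hmac.compare_digest(actual, response["sha256"].lower())


def check_pinned(response: dict, pinned: dict) -> bool:
    """Compare the installer with the pinned hash; unknown packages fail closed."""
    expected = pinned.get(response["package"])
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(response["installer"]), expected.lower())


def verify_file(path: str, package: str, pinned: dict) -> bool:
    """Same pinned check for an installer already saved to disk."""
    expected = pinned.get(package)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected.lower())


def evaluate() -> dict:
    """Run both checks against a clean and a hijacked channel."""
    results = {}
    for label, hijacked in (("clean", False), ("hijacked", True)):
        response = update_server(hijacked)
        results[label] = {
            "same_channel": check_same_channel(response),
            "pinned": check_pinned(response, PINNED),
        }
    return results


if __name__ == "__main__":
    for label, outcome in evaluate().items():
        print(label, outcome)
```
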

    • FpUser 2 days ago

      8.4.7 here. phew

      • topspin 2 days ago

        8.5.7 here (built Sept 6, 2023)

        Now I need to worry about this one. I've been anxious about vscode lately: apparently vscode extensions are a dumpster fire of compromises.

    • user3939382 2 days ago

      If there’s anything I’ve learned from IBM, Red Hat, and CentOS, it’s that bleeding edge is actually what I’m supposed to want.

    • beached_whale a day ago

      lol, im on 7.3.x for extra safety

  • simlevesque 2 days ago
    • icelancer 2 days ago

      Yeah, Notepad++ is known for political messaging in their updates. Taiwan, Ukraine, etc.

      • lobito25 2 days ago

        Probably the real motive.

        • chvid 2 days ago

          “ The incident began from June 2025. Multiple independaent security researchers have assessed that the threat acotor is likely a Chinese state-sponsored group, which would explain the highly selective targeting obseved during the campaign.”

          How do they know it was a Chinese group or even a state sponsored one?

          • cwnyth 2 days ago

            They said "likely", so they don't "know." Yours is the wrong question.

            • skeledrew a day ago

              The "likely" does give the impression that they have a pretty good idea.

              • cwnyth a day ago

                I didn't say that to be pedantic, but to avoid that particular type of asker who isn't actually asking a genuine question here. After listing all the ways that Notepad++ (as an example here) suspects who they suspect, the asker then comes back with "Yeah, but how do you know?", as if that's some sort of gotcha. It's disingenuous. Even if the person I replied to isn't attempting this, I find it good to call out and get people to ask a better question: what's the evidence and why does that evidence point to this conclusion?

          • tbrownaw 2 days ago

            Perhaps it's "...because that would explain..."?

          • uhx 2 days ago

            By analyzing payloads / C2 address, etc...

            • somenameforme 2 days ago

              Yeah because a state level actor would be completely incapable of false attribution.

              • lukan 2 days ago

                With enough effort, anything can be obfuscated. But effort costs money and also state level actors have limited funds and time and want to go home to their families at some point and if the purpose was to get a message across (don't mess with china, otherwise face the consequences) there is no need to really hide the origin.

          • hulitu 9 hours ago

            > Chinese group

            our enemy. It must be Chinese, North Korean or Russian.

            > state sponsored one

            "our software/our provider is so good that only a state actor can compromise us" (see Microsoft's AD keys hack for details)

          • rightbyte 2 days ago

            When you want to spread jingoist paranoia you can just make stuff up and claim any critique is from said actors.

      • LoganDark 2 days ago

        I can't help but feel there must be some better venue for such messaging.

        When I see politics in software updates or documentation, nothing happens because I'm not looking to use the software for political activism. Maybe I tell my adblocker to remove the messaging, and carry on with my task.

        I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.

        I almost always see activists using the argument that if I don't like the messaging then I'm part of the problem. Somehow I doubt that, given I don't mind messaging at all, where it's appropriate.

        • ryandrake 2 days ago

          Similar comments also come up in the [now regular] "I don't want to see political articles on HN" threads, and I think the response is similar: Asking for "no politics" is itself a strong political view: One in support/service of whatever the current status quo is. Trying to set oneself apart from (or above) politics is itself political. If you're lucky enough to be one of the fortunate people on earth who are not under attack by political forces or who benefit from status quo politics, I'd encourage you to simply reflect on that good luck and try to ignore the "politics" that others are deeply affected by and care about.

          • esperent 2 days ago

            I partially agree, but as a non-US user of the English speaking internet, the issue is with specifically US politics and social issues being everywhere. It drowns out all attempts at discourse for anything else, and Americans, including people here, seem uniquely incapable of nuance in their thinking when it comes to politics.

            So, while I fully agree with your stance that banning political discourse is support for the status quo, I also think that it's reasonable to ask for it to be toned down a bit, especially when the politics and social issues of one country is basically drowning out everything else.

            All that said, I'm talking mostly about HN or other community forums here. The owner of Notepad++ has the right to put whatever they want into their software, and if we're discussing that here on HN then it's an occasion where discussing politics is valid.

            • devkit1 2 days ago

              I am an American and I make a very conscious effort to appreciate social and political nuances. And I go out of my way to point out nuances to others who, in my opinion, oversimplify their statements. It could be argued that the expression of stereotyping Americans as lacking nuance, itself lacks nuance. I believe really most people are similar in that we have our biases, differences in context and experiences. We can all try our best to be as nuanced as possible.

              • esperent 2 days ago

                I would say it's statistics, rather than stereotyping. I'm glad you're capable of nuance though, maybe you can teach that to some of your compatriots?

              • vjvjvjvjghv 2 days ago

                I think that the stereotype of Americans lacking nuance around political issue is valid. Obviously, like all stereotypes, it’s not 100% true but Americans seem to feel obliged to pick one side of an issue, most of the time aligned with the worth of their choice, and then to view everything that’s happening through that lens.

                Try to point out to a democrat that Trump is doing something right or to a Trump voter that Biden did something right. Most of them can’t accept that. The “other” side has to be all bad. I don’t see this to such an extreme in other countries I know like Germany or Spain.

                • direwolf20 a day ago

                  Saying Americans lack nuance is like saying Germans are bureaucratic or British have shit food. It's not true 100% of the time but it's true enough broadly enough to be a valid statement.

                • andyferris 2 days ago

                  My personal take is this is a consequence of the two-party system. In the US you can "identify" as a democrat or republican. Once you do that, you don't _have_ to think, you can let tribalism guide you.

                  If in another country I vote for these guys or sometimes those other guys, and once this little party that got a seat, but not really those ones, and I really hate these ones, then your "political identity" already has a lot of nuance. In Australia with preferential voting, a single vote has a lot of nuance.

                  What can you get in America? Green Party supporters who "strategically" vote for a democrat? Not much else...

                  • nottorp 2 days ago

                    The other problem is the US has two parties: one center right (and i'm being generous with center) and another rabid right.

                    It has been like that since forever. They don't know how a left leaning party looks.

                • tjjuckson 2 days ago

                  > to such an extreme in other countries I know like Germany

                  could you remind me what country is the afd based out of thnx

                  • faust201 2 days ago

                    You do prove the extreme polarized politics. For you it is AfD vs others.

                    In reality it is not. It is a spectrum of parties. People vote often for smaller parties in the state and larger ones in the national.

                  • defrost 2 days ago

                    Does the existence of an alt-right WannaBeNazi party in modern Germany preclude the existence of a spectrum of views within Germany and usher in an inability of a majority of Germans to express themselves with nuance though?

                    By all means make a considered and thoughtful point, please.

              • anticodon 2 days ago

                What really do Americans know about Ukraine or Taiwan? E.g. can even 1% of US population show Ukraine on the world map (without using Google Maps)? Could they do it before 2022? Before 2014? Do they know anything about Ukraine or Taiwan history? How many Americans know a single foreign language?

                If tomorrow there would be a war or protests in, say, Burundi. Will Americans stay with Burundi or against it? Or with the country the media will tell them is "good" because their interests align with US interests?

                I think answers to all these questions are obvious.

                • esperent 2 days ago

                  To be fair, lack of knowledge of other countries is hardly uniquely American. As an Irish person travelling around the non western world, there's a lot of people who don't know that Ireland is a country separate to the UK, or even that it exists.

            • bsder 2 days ago

              > the issue is with specifically US politics and social issues being everywhere. It drowns out all attempts at discourse for anything else

              Unfortunately, US politics also drives tech issues elsewhere like the EU. For example, local data control is a big thing that some of us have been screaming about forever but nobody paid attention to--until US politics made it a hot button issue.

              And, to be honest, if the EU would get off its ass and at least try to foster some alternatives, even those of us in the US would benefit. EU alternatives would mean that people in the US could finally vote against the megajillionaires with their wallets.

              > Americans, including people here, seem uniquely incapable of nuance in their thinking when it comes to politics.

              Bullets and beatings don't leave much room for nuance regardless of country.

              • direwolf20 a day ago

                The EU is trying but these things have to happen bottom–up. The EU Council or EU Parliament isn't a software development shop. They allocate funds to groups like NLNET who allocate them to a selection of the projects they get proposals for. NLNET can only allocate funds to something an individual or small group proposes. If you want to propose something, please go ahead.

                Capitalists can also start software businesses and sell their software, but those are all in Silicon Valley because the money is there because the US has a privileged financial position.

                • bsder a day ago

                  > NLNET can only allocate funds to something an individual or small group proposes. If you want to propose something, please go ahead.

                  Well, gee, let's look at the sponsorship page for KiCad: https://www.kicad.org/sponsors/sponsors/

                  I see a couple EU companies, but no EU governments. It takes a paltry $15K to be a Platinum sponsor.

                  I picked KiCad because PCB design is critical military infrastructure, the alternative programs are almost all under non-EU jurisdictions and could be pulled, and KiCad is both open source and local desktop to top it all off. This is exactly the kind of quiet, unflashy toil that desperately needs support from a government entity.

                  Lots of areas need support for open source alternatives that are controlled by proprietary software that might vaporize. I picked PCB design because it's an easy target. Cadence and Synopsys have locks on VLSI design domains that could get yanked from the EU. VHDL tooling is still disastrously poor. Everybody could use an alternative 3D modeling kernel (the EU is a little better here because the dominant proprietary kernels are from Dassault Systèmes and Siemens). I'm sticking to software as the domain because the purpose of the funding is obvious (pay developers, duh), but it also applies to things like small manufacturing and maintaining domestic supply chains (but the purpose and focus becomes a lot messier).

                  And yet, everywhere I look, any project I pick, crickets.

                  I don't expect the EU to front run, but something like KiCad is 3 bloody decades old.

                  > those are all in Silicon Valley because the money is there because the US has a privileged financial position.

                  And yet you had the rise of Akihabara as an electronic parts mecca which then later got eclipsed by Shenzhen. And that's not even talking about the fact that modern computing sits atop a mountain of stuff developed out of the VLSI Project (https://en.wikipedia.org/wiki/VLSI_Project).

                  All of those occurred because their respective governments threw money around.

                  Sure, maybe you won't create another Silicon Valley hare, but, perhaps, just perhaps, you might create a relentless, open source EU tortoise that slowly displaces the proprietary software. The EU is good at slow--relentless, not so much.

                  Sadly, a continual state of inertia and sclerosis and failure around tech seems to be historically European: https://www.phenomenalworld.org/analysis/the-eurochip/

                  • direwolf20 11 hours ago ago

                    There is an EU initiative to bring in chip manufacturing but it's not related to open source. For sovereignty purposes, airgapped software or locally made software is as good as open source and it's usually higher quality.

                    There are already alternatives to KiCad for PCBs. And I repeat myself: NLNET can only rule on the proposals it receives. Have you proposed to spend a year improving the KiCad UX?

              • joe_mamba 2 days ago ago

                >And, to be honest, if the EU would get off its ass and at least try to foster some alternatives, even those of us in the US would benefit.

                What exactly do you want the EU, the Brussels based institution, to do here? Because AWS didn't come into existence because Uncle Sam came in and twisted Bezos's hand telling him to invent a hyperscaler that will conquer the world.

                EU's lack of comparable domestic alternatives is a consequence of the failure of its entrepreneurship and free market in the SW private sector, and nothing that EU institution can do about it to magically fix this since the solution is not MORE regulatory interference from government bureaucrats who don't know how the internet works.

                You might be able to force innovation if the governments can throw money at the problem if the VC sector is lacking, but they can't force economies of scale and mass adoption without a China style great firewall, in which case you'd then have even bigger issues.

            • nonameiguess a day ago ago

              To be clear, this is a Frenchman of Chinese descent advocating for Taiwanese independence and your complaint is about Americans.

            • shiroiuma 2 days ago ago

              This is a good point. What would people think if there was constant political discussion here about, for instance, South Sudan and things happening there now? I'm sure there's bad stuff going on there and it's unfortunate, but if we had constant references to and discussions about the internal politics of South Sudan, I think a lot of people would get annoyed about issues that don't affect them at all in their day-to-day lives, esp. when they're coming here for discussions about technically- and computer-related topics. That must be how it seems for American political discussions.

              • LoganDark 2 days ago ago

                Do you think it's socially acceptable to ignore everything that doesn't affect you personally? Many activists would certainly have you think otherwise. As far as I can tell, fighting that habit is a huge goal of activism.

                • appreciatorBus 2 days ago ago

                  That may be a huge goal of activism, but activists do not get to control what other people want to do.

                  Activists wanting something is not synonymous with that thing being a good idea. It just means that someone wants something out of you. Could be good, could be very bad. No different than a sales person trying to get you to buy something.

                • moi2388 2 days ago ago

                  Yes. Activists also don’t focus on all causes, not even most. They cherry pick whatever topic is hot in that moment. Sorry, I don’t care about that when I’m browsing something about software.

                  When I care about politics I’ll deal with actual politics. Reddit won’t change my mind nor the world.

                  • joe_mamba 2 days ago ago

                    Same. I go to technical or other forums in order to pursue hobbies of interest and escape the political shitshow of the real world, not be reminded of it every step of the way. I don't want to be bombarded with their opinions on the matter, even if they were to align with my own. Virtue signaling becomes a slippery slope that only induces more division, anxiety and fatigue over those issues, while not actually helping with solving them in any meaningful way.

                    • LoganDark a day ago ago

                      I find it can be appropriate to talk about politics around a project when a political situation is directly affecting a maintainer of the project or the project itself and is a genuine reason why there are delays, weirdness or other impacts somewhere. I appreciate hearing about such things for transparency's sake. It's just all the other stuff that gets on my nerves, where it's just tacking politics onto the project just because there's injustice.

                      For example it's very normal for the Tor project to talk about censorship and privacy. It's also fairly normal for Russian maintainers to speak out about how it's no longer possible for them to receive support due to sanctions. And I can understand if a Ukrainian maintainer has to focus on trying to survive or escape the country instead of developing their software. All of that stuff is completely fine and I wholly empathize with it. It doesn't bother me because it's not extraneous; it is directly relevant to the project. I also don't mind projects listing their preferred charities.

                      But I do roll my eyes when projects continue to pine on about Taiwan's independence or the genocides in Gaza. If there isn't a reason why it's actually relevant to the project, I don't think the project page is a good space to push it.

                • shiroiuma a day ago ago

                  >Do you think it's socially acceptable to ignore everything that doesn't affect you personally?

                  No one has the time to pay attention to every little injustice in the world. For all the people crying about Gaza, how many of them are dedicating as much energy to the wars in Sudan, Yemen, or Myanmar, or the abuses by Russian security services (like imprisoning a guy for holding up a blank card)? This isn't to say that we should just ignore Gaza or Ukraine or ICE in the US, but we need to make a choice: either we spend ALL our energy addressing every injustice in the world, until there is no more injustice left (and this means we need to stop everything else we're doing now, including keeping society running, making food, etc.), or we need to choose when and how much attention we'll devote to various issues.

                • user205738 2 days ago ago

                  > Do you think it's socially acceptable to ignore everything that doesn't affect you personally?

                  Yes, yes, and yes again.

                  > Many activists would certainly have you think otherwise. As far as I can tell, fighting that habit is a huge goal of activism.

                  That's their problem. As soon as you start contributing to them, you will not pursue your own goals, living your own life, but those imposed by activists or their supervisors.

                  It's convenient for them, you give them a political resource. But why do you need it?

                • FormerBandmate 2 days ago ago

                  A huge chunk of activism is pointless and annoying. Especially when every cause is lumped together into Activism (TM) and the Omnicause.

                  I don’t agree with them and I don’t think they should be in my software, or dealing with anything they don’t understand (for instance crime, homeless people, geopolitics, or really anything outside of overpriced vegan coffee shops). All they really do is end up getting Fox News people to vote for fascists like Trump out of spite

                  • autoexec 2 days ago ago

                    > A huge chunk of activism is pointless and annoying.

                    Activism can be annoying, but it's never pointless (not even when it fails to be effective).

                    > All they really do is end up getting Fox News people to vote for fascists like Trump out of spite

                    It wouldn't be worthwhile for activists to resign themselves to inaction out of fear of offending the "Fox news people". "Fox news people" are already more likely than not to vote for fascists like Trump, and they'll use any excuse/justification they're being fed including "I don't like the way the wrong people are using their freedom to protest the wrong things".

                    • pickleRick243 14 hours ago ago

                      I don't think this is really true if you look at the results of the last election. Activism just on the transgender issue alone looks to have swung a lot of votes.

              • appreciatorBus 2 days ago ago

                People on HN are happy to talk about the internal politics of distant nations, so long as the name of the distant nation is Israel or Palestine.

            • lenerdenator a day ago ago

              > I partially agree, but as a non-US user of the English speaking internet, the issue is with specifically US politics and social issues being everywhere.

              I mean, yeah. Most major social media services used in the West are based in the US. The single largest English as a first language population is in the United States.

              Given how many users from outside the US are oft wont to opine on our state of affairs even during the good times - often without even being asked - I like to think they'll endure our discourse.

            • globalnode 2 days ago ago

              best solution to this is a closing of borders and fragmentation of the internet to local regional segments. i know it sounds backwards but it seems that's where we're headed

              • direwolf20 a day ago ago

                We're already there, but not geographically aligned. We talk in isolated forums, mostly on Discord. Big public melting pots like Twitter have failed.

          • appreciatorBus 2 days ago ago

            Not wanting politics on HN, need not imply support of the status quo, or even a lack of interest in politics. It can simply be a different belief about the purpose of online forums.

            I read about politics all day long in many different places. My belief that HN should be relatively free of such stories is not because I believe I can detach myself from politics, but because I believe topic based forums are more valuable and useful than “anything goes” forums.

            • stackbutterflow a day ago ago

              Allowing politics on HN doesn't mean discussing politics in every thread. If it's a story about someone who improved performance of their system by using Rust then sure there's no need to bring anything political. But threads about Nvidia, Tesla, encryption, internet blackouts, social media, startups investments, etc, all warrant political discourse.

              • appreciatorBus a day ago ago

                I wish that were true, but in my experience so far, it isn’t.

                Not only do politics and general stories crowd out everything else over time on other sites, there are HN submitters who seem to be trying to accelerate this.

                During the war, when HN was getting Israel-Palestine stories constantly, I started looking at the submission history of some of the submitters, and some of them were just pushing these types of stories every day for months and months.

                So yes, I think allowing politics will eventually mean being dominated by politics and general interest.

                • alighter a day ago ago

                  Globalizing the intifada means pushing an agenda everywhere, including on HN, on posts where it is relevant and on posts where some obscure or conspiratorial connection can be made.

                  If HN is going to allow accusations to be slung against groups of people it has to allow others to respond, and that sets off endless debate amongst people who will not be changing their minds on the matter but will repeat the same argument on the next post.

                  • appreciatorBus 21 hours ago ago

                    Every Israel Palestine story was like that. Just hundreds of back & forth exchanges of fire that could be copy pasted from the last story, along with copious complaints that HN was censoring them even though the story was on the front page. Just a complete waste of time, and very dishonest & unserious people.

              • direwolf20 a day ago ago

                The use of Rust is already political!

          • getnormality 2 days ago ago

            Nah, it doesn't mean they support the status quo. It just means some political tactics are pointless, incompetent, and counterproductive.

            Political opinions about how things should be don't automatically dictate the actions that should be taken in support of those opinions. I can be mad about a law or a court decision and still have the good sense to, for example, not throw red paint on a lawmaker or judge.

            Some behaviors just aren't helpful, and neither being right nor being upset changes that.

            • da_chicken 2 days ago ago

              Maybe, but telling people who are speaking to their audience on the platforms that audience is voluntarily visiting that they need to shut up is even more pointless, incompetent, and counterproductive.

              Notepad++ is free, open source software for which there are dozens of alternative packages of equivalent quality. The entire cost of using this software and benefiting from the work of the developer, is having to scroll past or close a few political opinions.

              If the reaction, if someone vehemently dislikes this sort of thing, is to tell that developer to "just shut up and make your software" rather than to stop using that software? Then I think that's possibly the most entitled and hypocritical position that I think it's possible to have.

              • getnormality 2 days ago ago

                Notepad++ maintainers can do whatever they want. I don't care. I'm just taking apart this tedious, superficial, self-serving activist cliche about how not being an activist is supporting the status quo. Some people want change just as much as activists do, but they have different ideas about when and how it's helpful to be an activist.

                • ImPostingOnHN 2 days ago ago

                  It's ok for you to have a different opinion. I'm sure both views are well reasoned. Neither one is "wrong".

            • viraptor 2 days ago ago

              > and still have the good sense to

              The good sense is your judgement. At some point a real, direct, disruptive protest is going to be the right solution for a big enough group of people. Peaceful protests are just a "we're starting to get there" signal. It's not like politicians normally say "gee, lots of people don't like how I abuse power, I guess I'll stop now". It's all about being collectively upset enough about status quo.

            • popalchemist 2 days ago ago

              It intrinsically does. Whatever stance changes nothing or prefers to change nothing is a vote for the status quo, by definition.

              • defrost 2 days ago ago

                > Whatever stance changes nothing .. is a vote for the status quo, by definition.

                As problematic as the assertion "by definition" is aside, it should be noted that endlessly commenting about politics on internet forums effectively changes nothing.

                I've been kettled by mounted officers and hit by high pressure hoses on cold evenings, something that also rarely effects change .. but that's at least a fun night out with people and better than wasting bits on the intertubes.

                • popalchemist 2 days ago ago

                  Whether it's a waste is not entirely up to you. There are plenty of people on this forum who are completely naive and live in a bubble. The chance that a comment they see here could make a lightbulb go off is non-zero.

                  But if I were a nihilist I might agree with you.

              • bigstrat2003 2 days ago ago

                No, that isn't remotely true. It means that the alternative you offer isn't compelling, not that your interlocutor likes the status quo.

                • popalchemist 2 days ago ago

                  We're talking about the effect of non-action. To not act against a status quo is to enable it. Your feelings don't matter in that equation.

              • direwolf20 a day ago ago

                I wouldn't say that avoiding political discussion yourself because you can't handle it is a vote for the status quo, but telling others not to talk about politics is definitely a vote for the status quo.

                • fc417fc802 a day ago ago

                  Doesn't that depend entirely on the context? Telling the grocery store not to carry dairy products is an anti-dairy stance. Objecting to dairy products in the vegetable section is not anti-dairy it's pro-keeping-things-organized. Debating whether or not dairy ought to be allowed in the vegetable section is also not anti-dairy, at least in the general case.

                  • direwolf20 11 hours ago ago

                    Unlike milk, politics pervades everything. It's not like keeping milk cartons out of the vegetable section, it's like keeping the letter "p" out of the vegetable section.

                    • fc417fc802 9 hours ago ago

                      You've broken the analogy. The broad categories of food equate to the broad categories of discussion topics.

                      How attention works, whether training on scraped data is legal, and whether or not the latter should be permissible are three distinct topics. Only the third is inherently political. The second has a close relation to politics but is ultimately a legal question as opposed to a political contest. The first has absolutely nothing to do with politics in and of itself.

                      > politics pervades everything

                      That's exactly the problem. Sometimes I don't want it to. If I pull up a spec sheet for a microcontroller I don't want to be bombarded with propaganda pertaining to the political tug of war of the day.

                      The fact that mundane actions can have political impacts when considered en masse does not imply that we can't or shouldn't have spaces for discussions that are reasonably free of political topics. It isn't always appropriate (imo) to discuss the political impacts of the task at hand. It's okay to have a space in which only the task itself is permitted.

                      • direwolf20 3 hours ago ago

                        The spec sheet being written in English is politics. The spec sheets of the most advanced microcontrollers, the cheapest microcontrollers, and the most widely used microcontrollers are exclusively written in Chinese. You don't have easy access to them. That's also politics.

                        Microcontroller is a broad category of electronic components. Maximum I/O current is orthogonal to microcontroller. Spec language is orthogonal to microcontroller. Politics is orthogonal to microcontroller, and orthogonal to maximum I/O current. The letter "x" is orthogonal to all of the above.

                        If we make a category of microcontrollers with French data sheets, we are intersecting two axes. That's analogous to vegetables that contain saturated fat or vegetables that begin with the letter "a" in Flemish.

                        Saturated fats pervade foods (but not all of them), the Flemish letter "a" pervades foods (but only 1/26 of them), electrical concepts pervade microcontroller spec sheets (all microcontrollers, but not all documents describing them) and politics pervades everything (some exceptions here too?)

          • p_ing 2 days ago ago

            > Similar comments also come up in the [now regular] "I don't want to see political articles on HN" threads

            In the context of forums, the political threads are generally /not interesting/[0]. Political threads often devolve; they bring nothing 'new' or 'fresh' to the table, and they lead absolutely nowhere. It's a fart-in-the-wind situation no matter what your position is. Leave that stuff on reddit where the rest of the farts-in-the-wind go to waste. It's like watching commentators on Fox News or CNN or <insert favorite cable TV show here>. They're a large waste of time and they're often geared towards reinforcing your side, aka echo chamber.

            Now, if a thread actually evolved into real measurable action, that might actually be interesting. But that's not what happens on these forums. There's probably very few of us that see some HN thread talking about something awful happening somewhere and they take direct action, such as petitioning their government, protesting, etc. It's probably happened once or twice, but most of the farts in those threads just hang around and stink up the place.

            Please stop stinking up HN.

            [0] https://news.ycombinator.com/newsguidelines.html

          • mshroyer 2 days ago ago

            > Asking for "no politics" is itself a strong political view

            No, it explicitly is not, and this "deepity" doesn't change any rational analysis. The injection of politics into every aspect of society must and should be refused.

            • direwolf20 a day ago ago

              Can you name some aspects of society that are non–political? I can't think of many. Maybe the frequency spectrum of sunlight?

              • hnuser123456 a day ago ago

                Politics is more of a way of thinking and speaking than about any specific topic. For those of us who see a lot of problems with society but know that things will never be how they "should be", it is healthy to limit the amount of time spent thinking about problems that cannot and will not be solved.

              • akimbostrawman a day ago ago

                please tell me about the intricate politics of a phone booth. just because you can make everything political doesn't mean it is inherently political or doesn't make you look like a terminal online annoying loser when you try to compensate for your vapid personality outside of ideological dogma.

                • direwolf20 11 hours ago ago

                  Phone booths are made by the phone company to increase the money they make, that's political. Phone booths are made with more or less shielding implying a greater or lesser danger to their occupant, that's politics. The ones at the airport have glass dividers while the ones at the lonely gas station at night are fully enclosed with thick glass. Different ones have different amounts of graffiti and different likelihood of being vandalised at any given time. You will find this correlates with demographics. Phone booths have disappeared as we all got portable phones in our pockets, but those phones also track us and some people might prefer the relative privacy of an impersonal phone booth, but can't because they no longer exist.

          • illusive4080 a day ago ago

            I disagree. I want to separate my technology from politics. I consume politics through other venues. I don’t want HN full of political articles. It doesn’t mean I support status quo. It means I don’t want this one website pushing politics, which it increasingly does.

            HN discussions are usually very high quality and respectful disagreement therein, which is unique online nowadays.

            I’ve come here to escape Reddit, which is all politics all the time. If this place turns as political as Reddit, I’m out.

          • teo_zero 2 days ago ago

            > Asking for "no politics" is itself a strong political view

            If this is true, I'd like to know what a weak political view is instead!

            • direwolf20 a day ago ago

              "I think taxes should be 2% higher"

          • chii 2 days ago ago

            > One in support/service of whatever the current status quo is. Trying to set oneself apart from (or above) politics is itself political.

            apparently, it's OK to have this stance of "if you're not with us, you're against us".

            It's absolutely possible to not want political discussions in various places - it doesn't mean you support one or the other side. It simply means you don't want that discussion here. You could support the incumbents or not - not wanting the discussion does not imply support for the incumbents.

            • direwolf20 a day ago ago

              it's not the mere lack of being with, it's the enthusiastic, public advertisement that you are not with. If you are actually neither with nor against, then you don't have any need to say anything about the issue at all. If you make a big deal about not being with or against, most people who do that are against but don't want to say so.

          • tjwebbnorfolk 2 days ago ago

            Not wanting politics crammed into every nook and cranny of daily life is not a "political" view of one kind or another, it's a preference for how I want to consume information and interact with people.

            There is such a thing as being able to act and think in ways that aren't political in nature. Maybe not for you, but it absolutely is possible.

            • anonymous908213 2 days ago ago

              Way to completely and totally miss the point. I don't actually think you could've missed the point any harder than you did.

              Politics are quite literally life-or-death for many people. War is politics. Access to healthcare is politics. Economic policy that determines whether businesses and careers succeed or fail is politics. Freedom to say what you want, believe or not believe in whatever religion you want, and be who you are without being imprisoned is politics. The people who make the most noise about politics are the people who are literally dying for as long as the rest of society ignores their plight.

              If this isn't the case for you, it's because you benefit from the status quo. It is the definition of privilege to be able to "ignore politics". That means you are currently benefitting from politics. Of course you don't want to hear about politics, politics are doing just fine for you. And the comment you were asking to was asking you to reflect on that: if the biggest problem gracing you is hearing other people make noise about circumstances, the least you could do is deal with it. Your problems are trivial if that is what gets you upset. Other people are complaining about things that affect the outcome of their lives and you're complaining about... having to hear it.

              • tjwebbnorfolk 2 days ago ago

                That you seem to believe politics exists to solve people's problems is probably the reason you feel it is so important. I'm sorry that you are so profoundly confused.

                • anonymous908213 2 days ago ago

                  Oh, you're one of those bootstrappy libertarians, I'm taking it. Everything you've ever done is by your own two merits, right? Nevermind the fact that you take society's roads and use society's technology, which are the results of politics. You drink society's water and eat society's food, which are the results of politics. You enjoy the security of not being invaded by enemy tribes nor your neighbors, which are the results of politics. "Politics" is simply a word describing how humans act in groups. Given that how we act in groups determines the entirety of our lives, there is no separating anything from politics. You seem to have taken my comment as "the government is responsible for solving people's problems", but politics are just as much about dealing with the problems it creates. When politics are going well you can ignore it; when they are going poorly they can end your life so you make a lot of noise about it to get other people to try to care. In either case, though, your life is entirely the result of political forces unless you're living in the jungle completely detached from society.

                  • tjwebbnorfolk 2 days ago ago

                    I live in a society that feeds me and rewards me for work and does a whole host of other things for me. I am grateful for all of it. Many other people are not so well served by society. This is all true. None of that has anything to do with politics.

                    Politics is a game. It is played with one single objective: to make sure that the people with no political power remain fighting among themselves instead of fighting those with power. If you believe some favored political faction will solve these problems you mention, then it is you who is missing the entire point.

                    • anonymous908213 2 days ago ago

                      I'm taking it you're from the US from the "either team" comment. That is a really elementary understanding of politics. Politics, again, is a word describing how humans behave in groups. Where are roads built? That's a political decision made by groups of humans reaching consensus. What is the budget for the local security force? That's a political decision made by groups of humans reaching consensus. How much money is going to be collected from everyone locally to pay for those roads and security? That's a political decision made by groups of humans reaching consensus. If you're even allowed to participate in the consensus process... that itself is politics! For most of recorded history, decisions were made by the consensus of clergy, nobility and royalty, who coerced the rest of society into supporting their consensus through organized violence. Are you allowed to own property? That is the result of your group reaching consensus saying you're allowed to.

                      > How the produce of society is distributed and how people are cared for has zero relevance to an article about hacking a text editor,

                      The article is political. People make noise about Taiwan because an invasion of Taiwan would kill many and oppress more, in other words because it, like all political matters, is something that determines the course of lives of millions. Even if they are not directly affected, noise about politics escalates as a mechanism for people to protect themselves. When you are at the wrong end of a group that outnumbers you trying to kill you, you will require the aid of others. But will others come to your aid if you were not willing to come to their aid? This is how the concept of a "conscience" and "empathy" evolved -- because they give an evolutionary advantage, of providing for your own survival by ensuring collective survival.

                      Edit: for posterity, the comment I was replying to mentioned a "belief in either team leading you to the promised land", which has been edited out.

                      • tjwebbnorfolk 2 days ago ago

                        You know what's even more important than politics? Water. That doesn't mean I need to read a prologue about water in every HN article reminding me that I require water to survive.

                        You seem very angry at a stranger on the internet. I think a break from thinking about everything through the lens of politics might be good for you.

                        • pibaker a day ago ago

                          People will start talking about water when a water shortage starts impacting their day to day life. For the average western world resident, water is not a problem, yet. But I bet you people in Tehran care a fuckton about their water running out.

                          The same with politics. When politicians keep their hands off the society, no one feels pressed to talk about politics. When an authoritarian regime compromises a widely used open source software to conduct espionage, of course people will start talking about politics.

                        • anonymous908213 2 days ago ago

                          > You know what's even more important than politics? Water.

                          Access to water is political. If you get water from the city, the building of infrastructure delivering water to your residence is political. Whether or not that water is polluted is political. If you get your water from a well on your own property, your ownership of that land is political. None of that is achieved without group consensus, and group consensus can take all of it away from you. You are able to ignore that fact because all of those political consensuses are currently going in your favor, but the same is not true for everyone, and when it isn't true for them, they can be predicted to make noise about not having access to water for obvious reasons. They will make noise about it everywhere they can because it will be more important than anything else to them, given that it will determine whether they live or die and they need to galvanize communal support in order to reverse their fortunes.

                          > You seem very angry at a stranger on the internet. I think a break from thinking about everything through the lens of politics might be good for you.

                          My previous comment was written entirely neutrally, so I'm not sure how you came to that conclusion. Incidentally, I happen to live in a prosperous and stable society that I have confidence will remain secure for decades to come, so I have the privilege to ignore politics at my leisure. I am grateful for that opportunity, but I also understand how much of a privilege it is that politics are going well and not actively creating problems for me, so when other people complain about political processes creating problems for them, like the threatened invasion of their country, I listen without complaining.

                          I took HN as a place for rational discussion, so I made an effort to communicate to you why politics are so important to many, but in the end it seems this discussion is fruitless. If there is any emotion I feel, it is that of disappointment for wasting my time trying to discuss things logically and rather than being met with any kind of reasoned rebuttal, I get a childish dismissal the likes of which I could've gotten on Reddit, which I stopped using for that very reason a decade ago.

                        • Orygin a day ago ago

                          But you do see questions about water usage for AI in data centers?

                          Articles about families living close by, whose water bills exploded recently?

                          On the other hand, you don't see commenters saying that they are indifferent to their access to water, and that they are tired seeing others being engaged in the conversation.

                          If it's not impacting you, I don't blame you not participating. But I feel (general) you don't get to push down on others because they are discussing important topics (to them).

                        • miningape 2 days ago ago

                          > You know what's even more important than politics? Water. That doesn't mean I need to read a prologue about water in every HN article reminding me that I require water to survive.

                          Ah but didn't you know, some activist professor with a stick up his ass once said "everything is water" - so even not wanting to talk about water is in fact your water privilege of not talking about water. /s

          • illiac786 2 days ago ago

            Fully agree, it’s akin to atheists, they very often are convinced they are not religious. Agnostics are the unreligious ones. In fact, atheists are the most fanatical zealots in my friends circle.

          • eunos 2 days ago ago

            > Asking for "no politics" is itself a strong political view

            We are all Schmittian now

          • GaryBluto a day ago ago

            I'm tired of this. I look anywhere, I see politics. At the end of the day all this does is alienate me from anything that isn't the status quo anywhere, because all I see of the opposition of it is constant incessant whining and the prevention of my relaxation. It's a selfish view but I don't care.

          • expedition32 a day ago ago

            I always imagine how long one can keep ignoring politics? When they bust down your door and put you in the black van?

            They are making a mistake I was never political!

          • hulitu 9 hours ago ago

            > Trying to set oneself apart from (or above) politics is itself political.

            we are just sick of propaganda. And of pissing contests. And of "mine is longer than yours" content.

          • gruez 2 days ago ago

            >Similar comments also come up in the [now regular] "I don't want to see political articles on HN" threads, and I think the response is similar: Asking for "no politics" is itself a strong political view: One in support/service of whatever the current status quo is.

            Before I respond to your comment, allow me first to acknowledge the following injustices happening in the world:

            * war in gaza

            * war in ukraine

            * civil war in sudan

            * civil war in yemen

            * civil war in myanmar

            * ethnic violence in syria

            * insurgent attacks in nigeria

            * insurgent attacks in congo

            * attacks on protesters in Iran

            ...

            Wait, what's that? You don't want every comment to start with some sort of land acknowledgement-esque disclaimer of all injustices happening in the world? What are you, some sort of gaza war/ukraine war/sudanese civil war/ ... sympathizer? Tens, if not hundreds of millions have been affected by the events listed above, so at the very least you can spare a thought for them before discussing some text editor getting compromised? You might argue acknowledging the war in gaza is beating a dead horse, but do you think the median HN reader has thought about the civil war in myanmar in the past month?

          • stirfish 2 days ago ago

            Sometimes when the politics deeply affects you, you just need a little break from it.

            • direwolf20 a day ago ago

              That's fine, it's also different from what was said

            • LoganDark 2 days ago ago

              You can't take a break from that. I have transgender friends who fear for their life every day. They don't know what is going to happen to their rights or their healthcare. I have diabetic friends who can't work and also fear for their life because losing Medicaid would mean they will stop being able to afford insulin and will die. This is what people mean when they talk about politics being important. It's not just things that don't affect you, which is what most people mean when they say they don't care about politics. As soon as something affects you, you will understand.

              • jajuuka 2 days ago ago

                And if all you do all day is worry about someone else's or your own problems and politics you will not survive. Everyone has problems. Every single person has an issue that could cause them to die or a political event that could cause them harm. Your friends are not special or unique. There are billions of people who don't know if they will have food for their next meal, don't have money to pay rent, struggle with an addiction, etc.

                It's okay to watch a show about knights and demons and enjoy it. It's okay to use a piece of software that doesn't code every release as a protest against something. Instead of judging other people for not burning out, maybe take a break yourself. It's okay and normal.

          • LoganDark 2 days ago ago

            I don't care for the current status quo at all. The current administration has wrecked this country and completely compromised its position in the global economy potentially forever. But there is a time and a place for those arguments and activism, as well as the same for other parts of the world suffering from similar or worse issues. Like, I wouldn't be receptive to hearing about Ukraine every time I go to the grocery store. When I want to hear about it I go to the YouTube channels documenting it! They're very interesting, but I need to be in a space to receive it. Similarly there are places where I'm not specifically looking for it but where I'd be receptive because it's not immediately irrelevant to something I'm doing. Otherwise it is just noise. This is absolutely no statement about the status quo, but just how my brain works. It's also not a statement against activism in general, just about my personal opinion of it in certain places.

            • eloisius 2 days ago ago

              It’s all well and good for you if you want to be a consumer of political content when it suits you, but for a creator, the creation’s whole purpose may be a delivery mechanism for their message which may otherwise go unheard. Not saying this is necessarily what Don Ho (Notepad++) is doing, but it’s possible. Create something so good that people can’t help but use it (preferably the demographic you most want to reach, for example a country with a huge base of Windows users) and then use it as your message delivery mechanism.

              • lelanthran 2 days ago ago

                Both the points:

                1. I don't want to see political messages in unrelated delivery mechanisms

                and

                2. I created $PRODUCT as a delivery mechanism for a political message

                are equally valid.

                I feel that the problem that comes about is when a $PRODUCT was not created as a delivery mechanism but is being co-opted into being one at some later stage; the audience feels deceived and the creator feels that the audience is ungrateful.

                I'm not very familiar with Notepad++ (having never used it, nor experienced any desire to try it), but I'm fairly certain that the creator has been political long enough now that the audience cannot complain about the message being delivered with the product.

                It's like complaining about Vim having a message for the plight of Ugandans - it's been there for decades; too late to complain now about it.

                I'm more sympathetic to complaints over projects which never had a specific political message suddenly acquiring one when they realised what a large audience they had, or when new people join a decades-old project and introduce a political message that was never there before. I can sorta understand outrage then.

            • direwolf20 a day ago ago

              > There is a time and place for activism

              Conveniently, it's never here, and it's never now. I think MLK Junior wrote a speech about this? Letter from a Birmingham Jail: https://www.africa.upenn.edu/Articles_Gen/Letter_Birmingham....

            • viraptor 2 days ago ago

              You may not be in the right state, but the point of that part of the website is that it's a donation link. It will drive some people to help. If it's at the cost of some others getting grumpy about too much messaging... that's probably still worth it.

            • davorak 2 days ago ago

              > Otherwise it is just noise. This is absolutely no statement about the status quo, but just how my brain works. It's also not a statement against activism in general, just about my personal opinion of it in certain places.

              I considered the majority of the population to be affected by repeated messaging, messages in the background, or in other words availability bias. So the messaging be having the desired effect on society in general but not on some subset who filter it out completely.

              • LoganDark 2 days ago ago

                It has an effect on me too: it makes me begin to extra-quickly ignore any messaging of that sort. I become so tired of it that it starts actively frustrating me to see. And I bother people to take it elsewhere. This is a behavioral issue on my part, but I'm still struggling to justify to myself that they couldn't be getting more out of it by putting it somewhere more appropriate.

                • davorak 2 days ago ago

                  > I become so tired of it that it starts actively frustrating me to see.

                  Something similar, significantly different though, happened to a friend. They started distrusting the incogni.com after seeing their advertisements over and over again. To them they saw/felt/reasoned that only an untrustworthy actor would be pushing the messaging so much and a trustworthy actor would rely more on word of mouth via their good product inspiring people to speak up about them. I had to point out that they probably saw much more of incogni's advertising due to their rate and type of media consumption and most people probably do not get that level of exposure. If incogni lowered their advertisements to hit them correctly it would not be nearly enough advertising to reach the average consumer.

                  I see the frustration at the repeated messaging to likely be a natural protective mechanism. Instinctively rejecting repeated messages is not necessarily a bad instinct since manipulative people will use repeated messaging to manipulate, but repeated message exposure does not only happen due to an attempt to manipulate.

            • suprstarrd 2 days ago ago

              I want to start by saying it's good that you are at least taking the time to look for this information! Stay healthily informed.

              I see this as a bad analogy though: you wouldn't hear about it every time you go to the grocery store. Or, at the very least, you wouldn't stop and listen for the fifth time. You already know, and that's the point: the intention of most activism in technology (at least that I see) is to make you initially aware of it so you start to seek the information out and learn more elsewhere. (...And to give themselves good PR. We love rainbow capitalism /s)

              Instagram and Twitter both get your attention during election season because they want you to be informed about how to vote. To me, that's a similar thing.

            • Der_Einzige 2 days ago ago

              The whole reason why Notepad ++, vim, etc have to do this is because no one wants to take one for the team and protest/put their neck on the line.

              I don't want to either, and indeed I really want others to do it for me. As such, I really want to see even MORE political stuff like this to hopefully create folks who will actually protest and put their neck on the line.

              Similar reason why US military propaganda is good. I never EVER want to be drafted and indeed if you put a gun in my hand and military fatigues on me, I will die with a shot in the ass (because I am running away). Thankfully, we have a bunch of hardened 20-somethings "manipulated" into joining the military and protecting us so that I can be lazy.

              So please ratchet up the politics and get others out so I don't have to. It's not that hard to ignore yet another plea for help. We do it every hour of every day.

          • NuclearPM 2 days ago ago

            There’s a difference between arguing over the tax rate and ignoring fascism. At a certain point there is nothing more important than “politics”.

            • joejoe638 2 days ago ago

              The issue with making something so universal as software, specifically scientific software political is that it operates in such a broad context that every political statement sooner or later will seem comical outside a very narrow scope.

              Your comment is a good example of it; who is dictator? The people who hacked the software or the political pole they support? At what point did they become fascist enough to warrant politicalisation of everything ?

              • direwolf20 a day ago ago

                If the main problem is that "sooner or later it will seem comical" I don't think this problem is severe enough to justify the number of words that have been written on HN about this topic.

          • Aeglaecia 2 days ago ago

            i dont see how saying "no politics" is similar to asking "why is there political messaging literally everywhere" , do you see how conflating the two is the exact behaviour that the original commenter was trying to discuss ?

            • idiotsecant 2 days ago ago

              Choosing not to engage politically is not a neutral action. Life is politics. The world is full of people that are trying to control your life in a thousand different ways. Choosing to not engage in support or opposition to that control doesn't mean you aren't participating, it means your default position is letting them do what they want.

              • iamnothere 2 days ago ago

                Is choosing to set certain parts of one’s life apart from politics equivalent to “choosing not to engage politically?” If so then shouldn’t every action that you take be imbued with politics, including the choice of how long you brush your teeth and when, where, and how you sleep? Or are certain things exempt from the rule, but not posting on HN? If that’s the case, why does posting on HN require political engagement but not, say, your interactions with the clerk at the grocery store? Are those of us who fail to inform every person we meet about our political views choosing not to engage politically? Even if we dedicate a certain portion of our lives to political engagement?

                Edit: I’ll also add that political messaging is highly contextual. What is appropriate and effective in one place may be counterproductive or actively harmful elsewhere. Format and tone actually matter if you care about your pet cause succeeding, believe it or not.

                • Fogest 2 days ago ago

                  I think this is a good example you provide about the store clerk at the grocery store, and I think you can expand this even further. Sometimes when I go to a store and am checking out they will ask me to donate to some random charity. Whether or not I care about the cause they are asking for money for doesn't matter at all in that moment. It annoys me and I don't want it to be asked in that interactions as that's not what I'm there for and not what I care to be put on the spot to think about.

                  I view these kinds of weird virtue signaling political statements on things like software to be the same. They do absolutely nothing and are just visual noise for nothing. Actually, this is a good example of where it can go wrong as it likely made the software the target of Chinese state-sponsored actors. So not only does it serve no useful purpose, it also can make you a target and piss people off.

              • davorak 2 days ago ago

                > Choosing to not engage in support or opposition

                I do not think it is uncommon for someone to do this, then see the side they oppose win more in elections, public perception, etc then decide to engage more and that is "why is there political messaging literally everywhere".

                Since we can't remove it, the next best alternative is to participate and advocate for responsible political engagement. I think until we have some shared understanding of what responsible political engagement is we will continue to have it everywhere.

              • Aeglaecia 2 days ago ago

                the original commenter has explicitly stated willingness to engage politically , he has also stated this is not something he is willing to do when it is interrupting his separate personal choices , concluding with an observation that others tend to conflate non-constant political will with a constant apolitical view. can you please explain how you are not conflating these two concepts ?

          • joejoe638 2 days ago ago

            This is about being productive and weighing the overall value of things.

            The politicisation of software is as harmful as requiring every research paper to be published with a political allegiance banner.

            Software like most Sciences, Engineering, and Trade is a much longer game for humanity than politics du jour.

            It is easy to forget the extent of contributions from all sides of politics that has contributed to this trade, from Mohammed Algorithm to English, Russian, Chinese, and, everyone else to computing; but forgetting that and forging that for quick political hack points is a disservice to humanity.

            • pixl97 2 days ago ago

              > Software like most Sciences, Engineering, and Trade are much longer game for humanity than politics du jour.

              Not really, software, like sciences and engineering must survive politics first. If humans start tossing around nukes like angry apes then those that survive may be scratching simple arithmetic with a charcoal stick on a cave wall.

              • joejoe638 2 days ago ago

                This take is completely blind to how sciences have worked throughout the history of humanity and specifically post major world wars.

                Additionally, it is based on a false notion that political banners in software helps in pursuing anyone let alone change political outcomes.

                • deathanatos 2 days ago ago

                  Science has absolutely engaged in the politics du jour, including in major world wars. See, for example, the Szilárd petition[1]. (If you need a post-WWII example, those same scientists continued petitioning after the war on the dangers of nukes, too.)

                  Further, political banners in software have absolutely helped, and have changed political outcomes. As an example of that, SOPA, and later PIPA, were defeated by websites such as Wikipedia (which are software) putting banners aimed at informing the public of those bills.

                  [1]: https://en.wikipedia.org/wiki/Szil%C3%A1rd_petition

                  • joejoe638 2 days ago ago

                    A petition and including your political opinions whenever you engage in your trade or profession is not the same.

                    This is the entire point and objection with politicisation of everything.

                    • Orygin a day ago ago

                      > whenever you engage in your trade or profession is not the same

                      Feels like this is overstating the facts. Afaik, twice did the author of N++ include a small political message in a release.

                      Is it really "whenever"? Blowing this out of proportions because some are so allergic to any political message that twice in 10 years is being pushy..

                      In the end, everything involving more than 2 humans is politics. You may want to ignore some topics, but those may be important to others. Until the day you yourself want to bring some attention but you're met with an "apolitical" response saying it's not the time or place for it.

                      • joejoe638 a day ago ago

                        Only for the ideologue every interaction must be burdened by partisan politics.

                        • Orygin 14 hours ago ago

                          Are you really burdened because the N++ author put a small text inside their software, pertaining to current events?

        • orbisvicis 2 days ago ago

          Vim is Charityware. You can use and copy it as much as you like, but you are encouraged to make a donation for needy children in Uganda. Please see |kcc| below or visit the ICCF web site, available at these URLs:

          http://iccf-holland.org/ http://www.vim.org/iccf/ http://www.iccf.nl/

          You can also sponsor the development of Vim. Vim sponsors can vote for features. See |sponsor|. The money goes to Uganda anyway.

          • DaSHacka 2 days ago ago

            Yet another reason Neovim is the superior choice, I suppose

            • joshuaissac 2 days ago ago

              You can also sponsor the development of Neovim. The money goes to funding developers.

              https://neovim.io/sponsors/

            • NekkoDroid a day ago ago

              Tell me you haven't actually paid attention to Neovim without telling me.

              When you launch a plain nvim instance you get the following:

              > Help poor children in Uganda!

              > type :help Kuwasha<Enter> for information

        • com2kid 2 days ago ago

          Open source has always been political.

          Freedom of speech is political.

          The right to privacy is political.

          Letting people on to the Internet without censorship is political.

          Government policies that support startups are political.

          Threatening to arrest teens for pirating mp3s is political.

          > I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.

          For the people actually impacted by politics, reality rarely waits for a convenient time to interrupt.

          Political reality tends to knock down doors and blow up buildings when it wants to really get someone's attention. "Don't bother me during my software updates" is a privileged position to be able to take.

        • nophunphil 2 days ago ago

          > I can't help but feel there must some better venue for such messaging.

          I would argue that this has been an effective avenue for messaging/protest. You’re responding to it on this very board - that means you’re thinking about it.

          Another angle: would such free protest be allowed if the developers of Notepad++ were based in China or Russia? I seriously doubt it.

          • iamnothere 2 days ago ago

            Typically when I see such messaging in an out of place venue it nudges me slightly against both the message and the venue pushing the message. This occurs regardless of whether I agree with the message. I feel the same way as when I see an ad: this does not belong here.

            I don’t think I am the only one who has this reaction. People who do this should consider if it’s actually helping their cause. If not it’s just feelgood signaling, or possibly even counterproductive.

            • throw5543e4f a day ago ago

              Same, especially if I see they have a double standard.

          • joejoe638 2 days ago ago

            Based on arrest of protesters in UK, US, and recent laws passed in Australia; it is fair to say that Notepad++’s freedom to protest would depend on who and what they are protesting.

            • nophunphil 2 days ago ago

              I would have been interested in debating the content of your reply if your account had not been created 1 hour ago.

              So what about protesting the Russian invasion of Ukraine seems objectionable to you?

              > it is fair to say that Notepad++’s freedom to protest would depend on who and what they are protesting.

              What? In the US, UK, and Australia, the right to protest (i.e. of speech) does not depend on what’s being protested in the way you’re implying.

              • abdelhousni 2 days ago ago

                Just try to protest decades long ethnical cleansing and war of occupation occurring in Palestine in the USA or the UK, for example, like some students and people did in good conscience. You're a tad idealizing the limits of freedom of speech in the western countries.

          • handedness 2 days ago ago

            Whether people talk about something isn't a measure of success, it's whether it changes public sentiment.

            He who politicizes everything politicizes nothing.

          • p_ing 2 days ago ago

            > I would argue that this has been an effective avenue for messaging/protest. You’re responding to it on this very board - that means you’re thinking about it.

            I think about a lot of things I do absolutely nothing about (or with).

            Thinking about whatever messaging is here is like saying "thoughts and prayers". It means shit all nothing. The messaging was a waste of my time and your time. It was an ad for a product you'll never purchase.

            • nophunphil 2 days ago ago

              I don’t see it as a waste of my time. I am not in the habit of seeing conflicts in which innocent people die as a “waste of my time”. The idea that my time is somehow more valuable than another person’s is narcissistic.

              • p_ing a day ago ago

                Yet more "thoughts and prayers" rhetoric. If you want to actually be engaged, go do something directly for those people. Until that point, it's simply thoughts and prayers.

          • kvemkon 2 days ago ago

            > would such free protest be allowed if the developers of Notepad++ were based in

            - US arguing for independence of any of the States for whatever reasons?

            - Spain for Catalonia?

            - France for Basque?

            and many more just in Europe.

            https://en.wikipedia.org/wiki/List_of_active_separatist_move...

            • nophunphil 2 days ago ago

              Not pertinent. My point is more in reference to the ancestor comment with respect to Ukraine and Taiwan:

              > Yeah, Notepad++ is known for political messaging in their updates. Taiwan, Ukraine, etc.

              If you’re calling Ukraine in particular a “separatist movement”, I don’t think we can have a productive conversation.

              • kvemkon a day ago ago

                I'm referring to (if we would continue with the list):

                - Ukraine for Donbas

                Which is so much weaker than all others. There are Ukrainians, Russians, Chinese, Tibetans. But there is no such ethnicity as People of Donbas.

                OTOH in a democratic state you still have the right to demonstrate peacefully for whatever you want, even if it doesn't make much sense. But would you be allowed to demonstrate in Ukraine for Donbas independence if they are considered separatists according to the law?

            • FormerBandmate 2 days ago ago

              You can totally say Texas should be independent. A lot of Texans have.

              You can’t be against the Ukraine war in Russia because Putin is an evil dictator

              • kvemkon a day ago ago

                > You can totally say ...

                "Say" in the sense of demonstrate peacefully for this? Then I'm impressed. If someone else can confirm this? Is this because of USA being a federal union? Before Ukraine declared independence, there were voices to make Ukraine a federal state, so that people in the West part of Ukraine can live their way of life and people living 1600 km (!) away in the East and Southern parts would be not much affected from that and vice versa. Voices for the unitary state were stronger because of stability of the state. Would be interesting to see some documentary "what if", whether a federal state would be more stable against pulling from the west (Europe, US) and the east (Russia).

                • lII1lIlI11ll a day ago ago

                  > Is this because of USA being a federal union? Before Ukraine declared independence, there were voices to make Ukraine a federal state, so that people in the West part of Ukraine can live their way of life and people living 1600 km (!) away in the East and Southern parts would be not much affected from that and vice versa.

                  You are falling for Russian propaganda about evil western-Ukrainian nazis attempting to enslave peaceful-Russian-speaking-peoples-of-Donbass-or-whatever who were just minding their own business ("way of life"). As a Russian-speaking Ukrainian neither do I want Putin to protect me (apparently by looting my apartment and raping my girlfriend or in whichever way he is trying to do it these days), nor do absolute majority of population of, say, Kharkiv, Odesa or Kherson.

                  > Voices for the unitary state were stronger because of stability of the state. Would be interesting to see some documentary "what if", whether a federal state would be more stable against pulling from the west (Europe, US) and the east (Russia).

                  As a Ukrainian I find that idea quite laughable. It is not really possible for a part of federal union (say a state of USA or a Swiss canton) to join NATO and for other part to "decide" to become a Russian-occupied quasi-state like Belarus. Same goes for a part of it joining EU while some other part decides it wants to be part of EAEU Customs Union. State's foreign affairs are still decided by some central government.

                  Also, you can research how great "deciding on their own way of life" works in Russian Federation. You could start with first and second Chechen Wars.

              • kvemkon a day ago ago

                > You can’t be against the Ukraine war in Russia

                I was glad after discovering [1]. In one of the videos the interviewer explains why he was not arrested. The channel is for an English-speaking audience outside of Russia. It was enough to "close eyes" for some openly expressed critiques. Though it was painful to listen to some people who were not against the war.

                [1] https://www.youtube.com/@1420channel/videos

              • leosarev 2 days ago ago

                I'm writing this comment from Russia, St. Petersburg, and yes, you can be against the Ukraine war in Russia.

                • nophunphil a day ago ago

                  Educate me then. The mental image I have from researching the topic seems contrary to what you’re saying.

                • sunaookami 2 days ago ago

                  Always hilarious when westerners think they know how life works in Russia, China, etc because they heard from it on TV.

                  • wiseowise 2 days ago ago

                    Of course it’s all propaganda, comrade, you can openly protest against the ~~war~~ SMO. Don’t forget your Z insignia, though.

        • t-3 2 days ago ago

          Any other venue would be less effective. Many people use Notepad++, few people care about the opinions of the person who makes it. Segregating their opinion to a space where it would be ignored by anyone who wasn't already interested would barely be better than staying silent.

        • melagonster 2 days ago ago

          Notepad++ is close to a personal project. The author can add any message he wants. Usually, he just wrote something in the updating log; most people do not read it anymore.

        • mmsc 2 days ago ago

          If the political messages said "gas the Jews", "exterminate the Ukrainians and give Ukraine to Russia", and "Taiwan has and always will be a province of china", you probably wouldn't use notepad++.

          • leosarev 2 days ago ago

            > Taiwan has and always will be a province of china

            You know that's the official position of 99% of countries in the world, including all superpowers and every NATO member?

            • direwolf20 a day ago ago

              Only officially, because it's a requirement to retain trade relationships with China and China makes everything.

              Everyone, including 99% of the world's politicians that don't have their heads up their asses, including the ones who wrote the official positions that Taiwan is not a country, knows Taiwan is a country.

            • mmsc 2 days ago ago

              No it's not and if you do believe that, you are taking an overly reductionist viewpoint.

              99% countries, as they say, "acknowledge China's viewpoint".

              • maxglute 2 days ago ago

                ~120 countries fully endorse One China Policy. ~60 acknowledge. ~10 recognize ROC.

                • mmsc 2 days ago ago

                  • maxglute 2 days ago ago

                    Yes, comports with my numbers.

                    >A majority of countries (119 or 62 per cent of UN member states) have endorsed Beijing’s one-China principle, which entails that Taiwan is an inalienable part of the People’s Republic of China.

                    I was being generous bucketing 20 mixed signallers with 40 status quoist. 120 agree TW inalienable part of China, as in TW can never be independent from one China construct (PRC's position). 20 agree it's part of China but not necessarily inalienable, i.e. TW/ROC should have pathway to independence but until they formalize, still part of China. AKA 75% is in recognize tier.

          • simion314 2 days ago ago

            >If the political messages said "gas the Jews", "exterminate the Ukrainians and give Ukraine to Russia", and "Taiwan has and always will be a province of china", you probably wouldn't use notepad++.

            As one should, I avoid stuff that has a very loud fascist author/owner. So we should be happy for these people to show what they believe in, this way we can decide not to help fascists (and others can decide to support them and not to help one of the other sides)

        • icelancer 2 days ago ago

          I generally agree with you. But I put up with it since Notepad++ is good software. It is what it is.

        • wodenokoto 2 days ago ago

          It’s an excellent venue, just like songs and movies.

          Being political isn’t a hobby you attend on Tuesdays, it’s real decisions that affect people’s lives every single day, sometimes with deadly consequences.

        • direwolf20 a day ago ago

          The GPL license is politics. Should it be removed from all software? Then you won't have any right to use the software. That could be a problem. Politics determines which software you're allowed to use.

        • jdiff a day ago ago

          From https://notepad-plus-plus.org/news/v781-free-uyghur-edition/

          > People will tell me again to not mix politics with software/business. Doing so surely impacts the popularity of Notepad++: talking about politics is exactly what software and commercial companies generally try to avoid. The problem is, if we don’t deal with politics, politics will deal with us. We can choose to not act when people are being oppressed, but when it’s our turn to be oppressed, it will be too late and there will be no one for us. You don’t need to be Uyghur or a Muslim to act, you need only to be a human and have empathy for our fellow humans.

        • throw5543e4f a day ago ago

          I agree, especially because they are so selective with their messaging and support causes as well.

        • idiotsecant 2 days ago ago

          I am just fine with people tagging their art and their craft with causes they believe in. The person behind the work is part of the work. If you didn't pay for it or contribute sweat equity you don't get to decide otherwise. Your only recourse is to not use it.

        • trymas a day ago ago

          > When I see politics in software updates or documentation, nothing happens

          I find this take deeply ironic.

          And here due to alleged political take of some software (Notepad++), __state sponsored software__ was used to attack users of said software. Something actually happened!

          You don't want to see politics in any software, but may be (or already are) a victim of political software attack (from state sponsored tracking, to sanctions, to political psy-ops through software distributing (social) media).

          > <...> Maybe I tell my adblocker to remove the messaging, and carry on with my task.

          > I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.

          You are clearly annoyed by ads, like many of us - maybe you should get public attention to change policy about ads? How they are annoying? How there are unskippable Ads in TV services that I pay money for? How there are big enterprises using their monopoly/oligopoly powers to make you stop being able to adblock ever again? Or do you only block ads you deem "political"?

          _______

          States (and not only them) will use software and even open source software (open source IMHO is also a political take/view) to get to you if it's ever needed. Though congrats you just got extra social credits in __both__: China's and Palantir's databases!

        • popalchemist 2 days ago ago

          You don't know that nothing happens. Perhaps others are more empathetic than you. Perhaps it produces change. You have literally no way to know.

        • vkou 2 days ago ago

          There's generally a better venue for a lot of messaging, but I don't get a vote in it.

        • kstrauser 2 days ago ago

          The idea of using GPLed software and clutching pearls that it’s political boggles my mind.

          Free Software is inherently political. It’s like ordering a cheeseburger and being shocked that it has meat in it.

        • mmooss 2 days ago ago

          No politics in software, in sports, on HN, at work, at parties, ... it becomes a rare thing, widely 'censored' (socially, not by government), when it is the most important thing.

      • tjpnz 2 days ago ago

        I wouldn't brush off Taiwan or Ukraine as "political". In both cases it's about survival, and in one it's a literal fight.

        • avazhi 2 days ago ago

          That’s political, lol.

        • MengerSponge 2 days ago ago

          Bro, it's political. Political isn't synonymous with "bad" or with "propaganda". Wars are waged on many fronts, and securing economic and hardware support takes messaging.

          • airstrike 2 days ago ago

            In fact, Carl von Clausewitz is known for saying "War is politics by other means" (among many other great quotes)

            • direwolf20 a day ago ago

              I'd say politics is war by other means. First we killed each other for resources. Then we decided killing sucked, and if your tribe doesn't kill my tribe, my tribe won't kill your tribe, but now we have to decide how many resources we each get. It's hard work to keep things like this and avoid reverting back to the default state.

    • orsorna 2 days ago ago

      And this https://notepad-plus-plus.org/news/v781-free-uyghur-edition/

      I distinctly remember their GH page being flooded with issues written in Chinese.

    • maxkfranz 2 days ago ago

      Everyone is entitled to their opinions.

      My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.

      If an author wishes to use their open source project as a platform to discuss politics, that’s the author’s prerogative. But then, as perhaps in this instance, it could be to the detriment of the project itself.

      • cespare 2 days ago ago

        Skirt too short, in other words?

        I'm going to place the blame on the party committing the crimes, not the person exercising free expression.

        • jajuuka 2 days ago ago

          This is a zero sum take. There are no winners, only the people you deem using free expression correctly. Would a developer who names releases like "Ukrainians are Nazis" or "Taiwan is China" be met with this same sympathy? Or would you brush them off as a mouthpiece for those governments? I'm thinking it's the latter. Free expression is rarely anything other than socially acceptable expression.

          • mckn1ght 2 days ago ago

            IMO the ethical response should be positive disengagement with entities with which you disagree, instead of negative engagement.

            See something in the release notes of an app you don’t like? Go use a different app, give your money to a different entity. Don’t spend your time and resources messing with the producer or user of the thing you don’t like.

            This of course runs the risk of maximal polarization once everyone has filtered themselves into their neat and tidy little bubbles. What happens then, everybody leaves each other alone? Or do the echo chambers slide into further radicalized detachment from each other?

            • jajuuka 2 days ago ago

              I mean it depends what it is. If someone is talking about master races in patch notes I think that can be met with negative engagement. Splitting along an ideology binary can definitely lead to further entrenchment and possible radicalization. I think the danger there though is the binary choice itself. You of course have edge cases where it is a binary, but I think having people with more complex attitudes and opinions can only be a boon to cooperation and progress.

              To get back on topic though, I think conflating using Y app with holding X position on a topic like politics is a dangerous road. Which is where I think having a dedicated space for those politics makes more sense. Whether that's a blog, twitter, etc. It allows those most dedicated to you to know you better without making the product or program a political stance. But the developer is ultimately free to do what they want. So it's not like anyone here can tell the developer to change in any way.

          • Wilder7977 2 days ago ago

            What a bad take. Not every political statement is morally equivalent nor worthy of the same respect. Supporting self-determination of people is not the same as supporting oppression of people - for example.

            So the free expression is considered by everyone according to their own ethical and moral values.

            • jajuuka a day ago ago

              I'm not sure you realize but you're agreeing with my statement. So it's a bit odd that you call it a bad take.

              • DirkH 19 hours ago ago

                Then the 2 of you probably just disagree on what constitutes socially acceptable free expression.

      • davorak 2 days ago ago

        > My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.

        I know this is a common turn of phrase, but I cannot help thinking that if the political conversation is impolite it is because someone in the conversation is being impolite, not due to the topic itself.

      • ozim 2 days ago ago

        Other take is … which is cool feature of OSS … you don’t have to use projects that do political statements.

        • maxkfranz 2 days ago ago

          That’s true. My point was intended to be from the author perspective, rather than from the user perspective. Namely that an author using an open source project as a political platform can potentially put the project at risk. Rightly or wrongly, that’s the world we live in. So it’s a trade-off the author has to decide, one way or the other. I’d personally prioritise the project over the political. But the Notepad++ author is free to use their project how they like. It’s theirs, after all.

      • surajrmal 2 days ago ago

        This is a very head in the sand approach to life that only those who are entitled may partake in. Reality is that most cannot live in ignorance of what is happening around them because it is also happening to them. Obviously not everything needs to remind you of stressful reality, but we also shouldn't avoid reality just because we are privileged enough to do so.

      • neoromantique a day ago ago

        That is a position of privilege.

        You can ignore politics, but at certain point, politics cease to ignore you.

      • jojobas 2 days ago ago

        His code, his rules.

    • jojobas 2 days ago ago

      My understanding is they targeted particular users of Notepad++, not the author.

    • shevy-java 2 days ago ago

      Ah, so this has to do with mainland China going after those who think the Taiwanese do not belong to mainland China. Well, I see them as independent folks. Mainland China needs to stop thinking it can occupy land willy-nilly; unfortunately with USA, Russia and China thinking they can bully other countries that lack nukes, I think these smaller countries absolutely need nukes for defensive purpose.

      It is also annoying that all these three countries think they can bully other countries too. That is basically them saying they can kill other people in other countries at all times no matter the real "reason" (just make up a fake reason, such as Russia with regard to Ukraine) - annoying to no end.

      Having said that, and I just pointed out I disagree with mainland China bullying the Taiwanese, I think it would actually be better to have software itself be completely apolitical. I never understood why people felt a need to tie political goals into software. That is a valid statement even if I happen to agree with the political goals here.

      • Wilder7977 2 days ago ago

        In 2026 hoping that software could be (more) apolitical is a very brave stance. I look at the software world and I can see core political statements in almost every popular software. From privacy invasion, supporting shady industries (e.g., marketing) even at the expense of people (a reverse-welfare, in a sense), environmental destruction (e.g., complete lack of care for resource usage) and many more.

        If anything, we need much more politics in software, ideally exercised by those who write that software instead of "apolitical" software writers who end up executing the political software of those who pay them.

        If you meant to scope your statement only to FOSS, then this still applies (in fact, FOSS is inherently political), plus I suppose some people who invest their time to write software want to also use the same effort for political activism and there is nothing wrong with that. This can be expressing their political views via that software (e.g., vim and the support to children in Uganda) or can be using a license that only allows co-ops to run their software, or many other ways.

        The idea that software even could be apolitical stems from the idea that technology can be neutral, which again, in 2026 is really a tough idea to support.

        • lelanthran 2 days ago ago

          Okay, let's go with your reasoning - software should not be apolitical/should be more political.

          Where's the bar where you shut down discussion? I mean, even politics is contextual, right?

          You entering a campaign about the plight of Myanmar and getting annoyed at people who don't want to hear your message about Gaza puts the blame for any conflict arising on that purely on ... YOU!

          IOW, Even within political discussion, you can still be off-topic!

          > If you meant to scope your statement only to FOSS, then this still applies (in fact, FOSS is inherently political)

          Entering a GNU project (which has the political context of Copyleft and IP reform), and attempting to use it to spread a message about ICE behaviour still makes that asshole behaviour.

          Only the most extremist true-believers feel that every platform is for their benefit. Trust me, it's not.

          • Wilder7977 a day ago ago

            You are confusing being political with carrying out political discourse. They are not the same thing.

            Being political for software means for example making some specific choices while designing it and advertising them as such. Means choosing a license over another. Means announcing political positions and possibly aligning the software to them (depending on what it is).

            It doesn't mean going in forums related to that software to discuss random political topics.

            • lelanthran a day ago ago

              > You are confusing being political with carrying out political discourse. They are not the same thing.

              Okay, let's assume you are correct[1]; is that a counterargument to my main argument:

              >> IOW, Even within political discussion, you can still be off-topic!

              ------------------------------------

              [1] I don't think I am confused about the difference, TBH - I explicitly called out political preference of a project and political discussion within the project.

  • jmole 2 days ago ago

    i always worry about tools like this, maintained by small teams, that are so universal that even if only a small fraction of installs are somehow co-opted by malicious actors, you have a wide open attack surface on most tech companies.

    e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.

    • guessmyname 2 days ago ago

      I don’t get it, why don’t you all—absolutely all of you reading—use Little Snitch? [1]

      It really doesn’t compute in my head why would any macOS user not use a network firewall like this, or similar, to block unwanted outgoing HTTP(s) requests. You can easily inspect the packet with tools like Wireshark or Burp Suite Professional (or Community) edition, or any other proxy tool, of which there are many in the macOS ecosystem.

      And this is not unique to macOS, this is all possible in Windows, Linux and any other OS.

      [1] https://www.obdev.at/products/littlesnitch/index.html

      • drum55 2 days ago ago

        It’s a false sense of security, more or less. If an application wants to talk to a C2 they don’t have to make a connection at all, just proxy a connection through something already allowed, or tunnel through DNS. Those juicy cryptocurrency keys? Pop Safari with them in the URL and they’re sent to the malicious actor instantly. If you’re owned Little Snitch does nothing at all for you except give you the impression that you’re not.

        • nickorlow 2 days ago ago

          Especially in this case where the attackers could've proxied you to their malicious servers through npp's good/trusted servers

        • sciencejerk a day ago ago

          This is far too cynical of a take. LittleSnitch might not save you from well-established malware on your machine, but it will certainly hamper attempts to get payloads and exploits on your machine in the first place

        • g-b-r 2 days ago ago

          That's at the very least harder and less likely; security is not all or nothing.

        • worthless-trash 2 days ago ago

          I find it difficult to believe that there are levels of cooperation between different companies that would allow this to work.

          Source. I work for a company for longer than the internet has been alive.

          • drum55 2 days ago ago

            My example is “living off the land”, safari already has access to everything, open it and use it to communicate. Needs no permissions, bypasses little snitch entirely.

          • dfc 2 days ago ago

            You have worked for the same company for >55 years? That's wild. Can you share the industry?

            • worthless-trash 2 days ago ago

              IBM, although I consider internet and arpanet different things.

              Like saying pstn and fiber are different things.

      • scratchyone 2 days ago ago

        It wouldn't protect against this attack though. The Notepad++ update servers were hijacked. Presumably you would allow Notepad++ updates through Little Snitch so you would be equally as vulnerable.

        • sciencejerk a day ago ago

          No you wouldn't allow updates with Notepad++

        • guessmyname 2 days ago ago

          No, why would you allow automatic updates? It makes no sense. You should audit every update as if each payload could contain malware. It’s a paranoid way to live, but that’s what it takes.

          We also need better computer science education in high schools, teaching students how to inspect network packets, verify SSL certificates, and evaluate whether a binary blob might contain malicious code.

          People have gotten complacent about the internet, which is why they still get hacked, when it should be the other way around. With everything we’ve learned over the years, why are breaches more common than ever? I don’t understand why people are so careless about online security today, compared to decades ago when we were taught not to share personal information and not to trust anything on the internet.

          • drum55 2 days ago ago

            Do you go by the smell of the executable or just general vibes? Nobody has ever reviewed even a tiny fraction of the software they run, closed source or open source.

          • kemotep 2 days ago ago

            So you only run software on an operating system and on hardware that you have personally vetted each line of code for?

          • velcrovan 2 days ago ago

            Tell me about your auditing workflow and procedures.

          • eviks 2 days ago ago

            You don't understand because you compare a mythical view of the past with the current reality

      • jonas21 2 days ago ago

        Isn't Little Snitch exactly the sort of application they're worried about?

        • 3eb7988a1663 2 days ago ago

          Zing!

          The state of the world is such that I have started running everything inside VMs. Baseline OS install + virtual machine management and that is it. Which is still not immune, but makes me feel a lot better than core OS utilities are probably getting better vetting than nifty-utility-123 on which I depend.

          • velocity3230 2 days ago ago

            Qubes OS?

            • 3eb7988a1663 17 hours ago ago

              No, poor man's Qubes with manually assembled VMs. I keep meaning to take the plunge, but have been too lazy to rebuild my system.

      • efreak 2 days ago ago

        I used to love Zone Alarm's ability to notify me on an application's first attempt to connect to the internet, and allow me to approve or deny it. I really wish there was still such an interface today.

        Having said that, I absolutely despised the implementation that stole keyboard focus; if it popped up when I was typing it frequently disappeared before I head a chance to read it and I had to go into settings to try and find what had changed. Nothing should ever steal keyboard focus unless it's urgent, and then it should website that you can't accidentally manipulate it with a keyboard (see UAC prompt where it opens in the background if the calling program is in the background, and where once you activate it, you have to hold alt+y/n or tab to a button before it accepts the input; just hitting the y/n key alone won't do anything).

      • g947o 2 days ago ago

        If an application wants to talk to AWS, how am I supposed to know if it's legit or not?

        • g-b-r 2 days ago ago

          If it began doing it after an update, you know that it's better to check if it's supposed to do it

      • sjnonweb 2 days ago ago

        Now you have to worry about Little snitch not "snitching" on all your traffic.

      • 93po 2 days ago ago

        because i dont want to deal with constant whitelist management and i simply don't install applications i don't trust. if there's anything really absolutely essential or damaging if it were to leak i would not put it on a internet connected device to begin with

    • josho 2 days ago ago

      Similarly I worry about how these apps automatically update themselves. I know it can be done securely. I also doubt that these companies invest the engineering effort to do so.

    • hsbauauvhabzb 2 days ago ago

      If you think large companies are somehow immune to this, you’re gonna have a bad time.

      • Arainach 2 days ago ago

        It's not a matter of "immune" - larger organizations generally have more resources to allocate to things like this. That doesn't mean they get it right 100% of the time, but they are at least able to try, while small teams or volunteer projects often simply don't have the hours to spend on things like this.

        • technion 2 days ago ago

          I've sat in some pretty large orgs and my own experience was the "resources allocated" went to the PR team. I can assure you that they would have had a more boring, corporate sounding announcement with multiple references to their legal team and the actions they would have taken, alongside some useless information about being PCI compliant or something. I'm not convinced the practical output is any better.

        • hsbauauvhabzb 2 days ago ago

          lol larger organizations don’t spend money on this, they add some useless ‘secops’ tools to their CI and call it a day. They are certainly not doing things like reproducible builds, lol half of them don’t deploy signature verification.

        • calvinmorrison 2 days ago ago

          and unlike GPL software, there is typically an army of lawyers, an expressed warranty, legal liability, etc.

          • SoftTalker 2 days ago ago

            Terms of use typically disclaim all liability.

  • tragiclos 2 days ago ago

    > Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.

    I'd be curious to know if there was any pattern as to which users were targeted, but the post doesn't go into any further detail except to say it was likely a Chinese state-sponsored group.

    • buggymaaan 2 days ago ago

      I don't know who hacked the servers nor do I know how to find out. Let's blame state actors, who's going to come verify these claims.

    • x_may 2 days ago ago

      It might have been explicitly targeted, but they did say that there were older versions of Notepad++ with "insufficient update verification controls" so it might have just been there was only one subset of users actually susceptible to this.

      • pavon 2 days ago ago

        No, the additional update verification was added after this attack was discovered. All Notepad++ installations were vulnerable during the time of the hijacking campaign.

    • IhateAI a day ago ago

      My guess would be certain IPs associated with universities, corporations and government institutions.

  • 1970-01-01 a day ago ago

    This is where package managers shine. You never know if there are vulns in the update servers, and you don't know if they even bother with checksums. I never trust apps that self-update for exactly this reason. Turn that shit off and do

         choco upgrade notepadplusplus

    or

         winget upgrade Notepad++.Notepad++

    Of course, this does nothing for bugs in the code.

  • thisislife2 2 days ago ago

    Wow. I'd love to know more how the targeted systems were actually compromised.

    • mapontosevenths 2 days ago ago

      There is more detail linked below:

      https://www.heise.de/en/news/Notepad-updater-installed-malwa...

      https://doublepulsar.com/small-numbers-of-notepad-users-repo...

      The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the Github source code. The author enabled this by not following best practices.

      The "good news" is that the attacks were very targeted and seemed to involve hands on keyboard attacks against folks in Asia.

      Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.

      • metalcrow 2 days ago ago

        out of curiosity, why is a self signed cert bad for this case? Can't the updater check the validity of the cert just as well regardless? Or did the attackers get access to the signing key as well?

        • tgsovlerkhgsel 2 days ago ago

          From the Heise article:

          > Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“

          It also mentions "installing a root certificate". I suspect that it means that users who installed the root cert could check that a downloaded binary was legit but everyone else (i.e. the majority of users) were trained to blindly click through the warning.

          • kevin_thibedeau 2 days ago ago

            Notepad++ has way too many updates for a text editor. I purposely decline most of the nags to update for precisely this reason. It is too juicy of a target and was bound to get compromised.

            • lukan 2 days ago ago

              Well, some people use it as an IDE, so there are more features they need. But I am not sure if a less frequent update routine would be safer.

        • mapontosevenths a day ago ago

          It would still have been less than ideal, but he might have gotten away with it if the private key wasn't stored within the public Github repo.

      • idiotsecant 2 days ago ago

        If the attackers did limit themselves to a small number of Asian machines they gave up an absolute goldmine. I would venture to say a lot of technical people use notepad++ at work in jobs that would be very lucrative for an attacker to exploit. I know I definitely had an 'oh shit' moment when I read this and thought about where I have notepad++ installed.

        • PixyMisa 2 days ago ago

          If the exploit had been widespread, though, it would have been quickly discovered.

          • g-b-r 2 days ago ago

            quickly as in months or years

    • dgrin91 2 days ago ago

      Agreed. Supply chain attacks are scary. I open all sorts of secrets in NPP - did they all get leaked?

      • digdigdag 2 days ago ago

        Depends. Are you a Chinese/Taiwanese national or diplomat who holds a strategic value to the CCP?

    • N_Lens 2 days ago ago

      Probably backdooring end user machines by pushing updates with vulnerabilities for the purpose of spying, data exfiltration & control.

    • hsbauauvhabzb 2 days ago ago

      And who was targeted. The current messaging is very vague.

  • egl2020 2 days ago ago

    This is all fascinating, but in the end: I have notepad++; what should I do?

    • Marsymars 2 days ago ago

      You’d be protected from this particular exploit if you used a package manager rather than the updater, though of course you’d still be vulnerable to the installer binary itself getting compromised.

      • nickorlow 2 days ago ago

        Wonder how many packages in community package repos are compromised. Surely "Hubbleexplorer" can be trusted to provide arch users with an honest, clean version of npp.

    • snvzz 2 days ago ago

      KDE's own kate is a good alternative, and available for install via chocolatey.

    • jimbob45 2 days ago ago

      Gedit is an underrated alternative imo.

      • bakugo 2 days ago ago

        I don't know why that comment is being interpreted as a request for alternatives. They are clearly asking if their machine is compromised.

        • egl2020 2 days ago ago

          yes, that's my question: am I compromised? What should I do?

          • davorak 2 days ago ago

            Standard answer to a potentially compromised machine is to start with a factory reset machine and add the software and data you need to do your work/use the machine. Do not take executables from the compromised machine and use them anywhere since they too could be compromised.

            There are more steps you can take to ensure greater safety. The above is the minimum I do for myself and the minimum the IT department at my company executes.

            • hulitu 4 hours ago ago

              > Standard answer to a potentially compromised machine is to start with a factory reset machine

              How do you "factory reset" a PC ?

              • davorak 3 hours ago ago

                My minimum is to start with a freshly formatted hard drive then reinstall the os, software (fresh, not transferred), and data required for your use.

                > There are more steps you can take to ensure greater safety.

                There are firmware infections that can persist even after hard drive format. Though to my understanding os/user space to firmware infections are rare. As far as I know a 'factory reset' on phones and some laptops does not reinstall firmware and clear out firmware infections. So to my understanding the 'factory reset' found on phones is analogous to formatting your hard drive, reinstalling the os, software, and data required for your use.

        • opan 2 days ago ago

          I agree this is probably not the place to list alternatives, but listing them elsewhere (top level comment?) in this thread would probably be good.

  • Lammy 2 days ago ago

    Vindicated once again for turning off any update checks the moment I install any new piece of software.

    Even if this sort of (obviously rare) attack is not a concern, it baffles me how few otherwise-intelligent people fail to see the way these updaters provide the network (which itself is always listening, see Room 641A and friends) with a fingerprint of your specific computer and a way to track its physical location based on the set of software you have installed, all of which want to check for updates every goddamn day.

    • derf_ 2 days ago ago

      It is baffling to me, as well. You know how you get a remote-code-execution vulnerability? You give a bunch of software permission to fetch code remotely and execute it.

      • mmis1000 2 days ago ago

        Like… browser? Or anything with script loading capabilities like script engine in games. Executing remote script is almost unavoidable nowadays.

        And there isn't really a way to confirm if it is configured in a secure way.

        You either trust the developer or not.

        • einr 2 days ago ago

          At least JS code in a browser is sandboxed. A Notepad++ update is just rawdogging an executable on your bare metal, perhaps with admin privs even, and hoping for the best.

        • g-b-r 2 days ago ago

          First, it wasn't even the developer who compromised people, here; second, scripts in most cases are orders of magnitude less dangerous than a windows executable.

          And, in many cases you can get some protection from a developer going rogue (or not writing perfect code), it's not an all or nothing.

    • arcfour 2 days ago ago

      If the people with access to Room 641A want you, you're toast unless you're ready to make some REALLY big digital lifestyle changes that most people would not be amenable to, because you would have to be extremely paranoid on multiple fronts all the time. That kind of heightened vigilance is exhausting and really not worth it.

      Threat modeling: it keeps things realistic.

      • Lammy 2 days ago ago

        Sorry for assuming you'd be able to extrapolate from one example. It could be at any level of the funnel from your local machine to the wider Internet. Closer to home: this sort of fingerprinting could defeat things like MAC randomization in a PSK-authed business/university setting if those IT departments had some reason to want to track you.

        I once worked at a company where the Security team were very proud of this and all the other tricks they used to catch leakers by figuring out who was on campus, where, at what time, usually via fingerprinting personal devices carried alongside corporate devices.

        • arcfour 2 days ago ago

          Ah, so, in addition to turning off automatic updates (everyone knows patches are for wimps! The real threat is supply chain compromise, not 1-days!), you also have taken all of the other necessary steps to protect yourself from the NSA? What if they just compel Microsoft to backdoor Windows/WinGet against you?

          And these updaters almost universally use HTTPS, which network-based adversaries can't see except for SNI, and even that's going away...?

          • Lammy 2 days ago ago

            > What if they just compel Microsoft to backdoor Windows/WinGet against you?

            You are confusing cause with effect. Leaking this type of fingerprint data over time is what allows users of Palantir-like systems to decide you're somebody worth individually targeting.

    • sodality2 2 days ago ago

      How do you deal with the opposite, software that you forget to update but contains vulnerabilities discovered/exploited later?

      • Lammy 2 days ago ago

        I use a package manager that checks the hash of the downloaded installer against what's recorded in the package listing for that version. WinGet has been built in to Windows since one of the 2018-era releases of Windows 10: https://i.ibb.co/VYGXdc56/2026-02-01-20-46-28-Greenshot.png

        • hypeatei a day ago ago

          Integrity checks say nothing about the package authenticity, though. State sponsored actors could just... change the hash on the listing in a hypothetical attack.

          • Lammy a day ago ago

            “Just” lol

            That would be two things that would have to be compromised and redirected simultaneously to malicious versions. Way more likely to be noticed too because one of them would be GitHub, and unless they mirror the entire rest of the package metadata index and keep it up to date for everything else besides their targeted malicious package.
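The check Lammy describes and the limit hypeatei raises, as an added example that is not part of the thread and is not WinGet's own code: a hash recorded in a package listing catches an installer swapped on the download server, but not a listing and installer replaced together. `InstallerUrl` and `InstallerSha256` are the field names WinGet installer manifests use; the payload bytes, the release URL and the host allowlist are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data standing in for a real installer and a swapped one.
GENUINE_INSTALLER = b"MZ constructed genuine installer bytes"
TAMPERED_INSTALLER = b"MZ constructed tampered installer bytes"

# Assumption for this example: the only host a listing may point at.
ALLOWED_HOSTS = {"github.com"}
# Hypothetical release URL, not a real project path.
RELEASE_URL = "https://github.com/example-org/example-editor/releases/download/v1.0/setup.exe"


def build_manifest(url, payload):
    """Build a two-field listing entry, as whoever controls the listing would."""
    digest = hashlib.sha256(payload).hexdigest().upper()
    return f"InstallerUrl: {url}\nInstallerSha256: {digest}\n"


def parse_manifest(text):
    """Parse flat 'Key: value' lines (enough for this two-field sample)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def verify_download(manifest_text, payload):
    """Return (ok, reason) for downloaded bytes checked against a listing."""
    fields = parse_manifest(manifest_text)

    # Do not blindly trust the URL in the listing: require HTTPS and a known host.
    url = urlsplit(fields.get("InstallerUrl", ""))
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        return False, "download URL not on the allowlist"

    expected = fields.get("InstallerSha256", "").lower()
    if len(expected) != 64:
        return False, "listing has no usable SHA-256"

    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "hash matches listing"


def scenarios():
    """Run the same check against four constructed situations."""
    listing = build_manifest(RELEASE_URL, GENUINE_INSTALLER)
    results = {}

    # Nothing tampered with.
    results["clean"] = verify_download(listing, GENUINE_INSTALLER)

    # Download server serves a different binary; the listing is untouched.
    results["server_only"] = verify_download(listing, TAMPERED_INSTALLER)

    # Listing rewritten to point at another host, with a matching hash.
    redirected = build_manifest("https://updates.example.net/setup.exe",
                                TAMPERED_INSTALLER)
    results["redirected_url"] = verify_download(redirected, TAMPERED_INSTALLER)

    # Listing and binary replaced together, URL left on the allowed host:
    # the hash check passes, because it proves integrity, not authorship.
    forged = build_manifest(RELEASE_URL, TAMPERED_INSTALLER)
    results["listing_and_binary"] = verify_download(forged, TAMPERED_INSTALLER)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:20} ok={ok!s:5} {reason}")
```

The last scenario is why a signature made with a key that lives on neither server, checked by the client, is still needed on top of the hash.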

    • nacozarina 5 hours ago ago

      an auto-updater for a text editor is particularly infuriating

  • OsrsNeedsf2P 2 days ago ago

    So the hosting provider was hacked? Who was their hosting provider?

    This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected

    • technion 2 days ago ago

      You can see this in their DNS history:

      notepad-plus-plus.org currently has an A record of 95.128.42.184, owned by "Aqua Ray SAS".

      It switched up from 191.101.104.10 and 212.1.212.49 on 17/1, which are Hostinger IP addresses.

    • gruez 2 days ago ago

      > This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected

      No, it should be a hardcoded key held by the developer, preferably using a HSM, and maybe with some sort of notification capability in case the key was lost. Adding a second server adds marginal security. For instance if the developer's mail was hacked, an attacker would likely be able to reset passwords for both hosting providers.

    • dontdoxxme 2 days ago ago

      Previous NS records were pointing at dns-parking.com, which is Hostinger. Although hard to be certain without more details whether a reseller or other supplier is involved.

  • daemonhunter 2 days ago ago

    So what mitigations should the end user be doing? How do we know if anything is compromised?

    • avereveard 2 days ago ago

      Right, the writeup doesn't mention when it started and what versions are affected

      • freitasm 2 days ago ago

        The writeup says it right there:

        "The security exper’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."

        • avazhi a day ago ago

          Yeah, that refers to the MITM attack on the update server. We have no fucking clue what they actually did while they were in the middle - whatever exploit code was running may very well be running right now on compromised machines. Nobody knows what the compromised exes actually did.

          Thanks for your nonanswer, though. It was about as unhelpful and unspecific as the original blogpost for this.

      • hug 2 days ago ago

        > Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.

        FTA.

    • kijin 2 days ago ago

      Download the latest version and install that, instead of using the auto update feature of an old version that might not properly check signatures.

      As for whether anything else has been compromised, it depends on whether you were targeted. And the payload might have been tailored to each target, so there's no way to know unless you have access to the exact binary. Unfortunately, binaries downloaded through the auto update feature tend not to linger in your Downloads folder.

    • username223 2 days ago ago

      Disable auto-updates, just like you should with every piece of software on your machine. This was the result of letting other people silently replace your programs. Don't allow that.

      • bibimsz 2 days ago ago

        that's why I still run Windows XP. Automatic updates are dangerous!

        • pxc a day ago ago

          Centralized automatic updates, like those of a Linux distribution or Microsoft's Windows Updates, involve giving way fewer parties permission to download and run (unsigned, in the case of Notepad++ this time) code on your machine with high privileges.

          And for more modern software distribution mechanisms (e.g., Nix, Guix, Flatpak), centralized package updates may not actually run any vendor code with high privileges at all.

          The norm for proprietary software updates on Windows is indeed a free-for-all of every publisher downloading and running code with admin rights, and it is indeed a terrible way to operate. Avoiding that kind of madness doesn't necessarily mean running lots of old, vulnerable software.

        • username223 2 days ago ago

          How's Windows 11 treating you, my man?

  • manapause 2 days ago ago

    Not notepad++! (Opens WhatsApp) OpenClawd express my discontent across all my channels and draft an email to send to IT tomorrow morning. Also turn the lights off and go to bed. (Somewhere in China, all the lights go out)

  • wglass 2 days ago ago

    Can someone help clarify this for me?

    Is it correct to say that users would only get the compromised version if they downloaded from the website?

    Notepad++ has auto-update feature, is there any indication that updates from the AutoUpdate were compromised?

    • jszymborski 2 days ago ago

      No, it's specifically the updates that were targeted. I'm unsure about the downloads but those too are presumably at risk.

      > The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.

  • dabinat 2 days ago ago

    > With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.

    I get that this is a difficult situation for a small developer, but ending with this line did not fill me with confidence that the problem is actually resolved and make me trust their software on my system.

    • the_fall 2 days ago ago

      That's the most honest assessment you can expect from any small-scale developer. What do you expect them to say or do? Their adversary is presumably a national intelligence agency of a superpower.

      The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.

      • avazhi 2 days ago ago

        > The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.

        I mean, if you look at the Notepad++ website this developer seems just as concerned at spamming political messaging all over everything as much as he is with writing the software he's distributing. It's pretty crazy he apparently didn't think to take more basic precautions given he is basically permatrolling Russia and China with his messaging. Big brain moment for him. And meanwhile, after reading that disclosure nonsense none of us even know what's going on - like, should we be formatting machines that were affected during that timeframe? Was the attack targeted and specific only? Who the fuck knows!

        • the_fall a day ago ago

          First, you're getting upset at a random person on the internet for expressing their political views. Second, your objection almost certainly has nothing to do with this attack. It targeted some specific subset of users of Notepad++, not the maintainer.

          • avazhi a day ago ago

            You think the developer/publisher/maintainer of software as ubiquitous as Notepad++ is some 'random person on the internet'? Or are you referring to the commenter I was replying to?

            I definitely am not upset at the commenter I replied to, and while I'm definitely upset at the maker of Notepad++ I don't think he qualifies as some random person on the internet. If you publish software that security conscious people use (and certainly Notepad++ is used by tech savvy security-conscious people) then you, really by definition, aren't some random person - that's kinda the whole point. Security conscious and tech savvy people tend not to install things from random people on the internet.

            Notepad++ was a trusted website/trusted developer, and they got caught with their pants down doing some truly dumb and lazy shit, and then they published a blogpost that doesn't explain much of anything. So yeah, that's pretty infuriating my friend.

      • xeromal 2 days ago ago

        Yup, the only way to combat this as a smalltime dev would be to turn off auto updates and make people build from source.

        • m-schuetz 2 days ago ago

          Why would building from source be safer? Are you vetting every single line of third-party source code you compile and use?

          • g-b-r 2 days ago ago

            You're sure not vetting any byte of an executable, so building from source is safer.

            • m-schuetz 2 days ago ago

              Binaries or source, it's pretty much the same unless you thoroughly vet the entire source code. Malicious code isn't advertised and commented and found by looking at a couple of functions. It's carefully hidden and obfuscated.

              • g-b-r 2 days ago ago

                That's

                However much the code is hidden and obfuscated, some parts of the source code are going to be looked upon.

                For a binary, none, ever, except in the extremely rare case that someone disassembles and analyzes one version of it.

                The fact that open-source doesn't coincide with security doesn't mean that it isn't beneficial to security.

        • tjwebbnorfolk 2 days ago ago

          yea `curl <url> | gcc` is much safer...

          • trympet 2 days ago ago

            Security through ..rarity? Maybe not for nation state actors though.

      • hjoutfbkfd 2 days ago ago

        and yet OpenSSH was almost the victim of a giant hack too (xz-utils)

    • baobabKoodaa 2 days ago ago

      Would you feel better if they had ended the blog post with corporate style assurances that Notepad++ is 100% secure?

    • DanOpcode 16 hours ago ago

      Same here. I think I will probably look at some alternative to Notepad++.

  • colonCapitalDee 2 days ago ago

    Oh interesting, we had an internal mandate not to use Notepad++ come down from on high that was never explained. The timing matches up

  • locusofself 2 days ago ago

    I don't think "we" would have been impacted since this specifically targets the updates, but recently Microsoft pulled Notepad++ from the list of apps we can use on our production management laptops. Some people were annoyed and whining about this. That predated this announcement by a few weeks. Probably the right move by the security folks.

    • hjoutfbkfd 2 days ago ago

      it was pulled because the binaries were self-signed for a short period, not because they knew something

      who signed the binaries was irrelevant for this attack, because the issue was not checking any signature

  • torpid 20 hours ago ago

    Long ago, Canonical did some shady stuff with the now-deprecated apt-key "net-update" signing validation for updating of GnuPG keys over the network, an exclusive Ubuntu "feature" Debian didn't even adopt that in theory allowed the same thing.

    First I thought CVE-2012-3587 was incompetence... but then seeing CVE-2012-0954 after it, I couldn't help think something more was at bay as something connected to a nation state. It does not surprise me in the least to see nation state attackers exploiting N++. Because I've also on very sensitive enterprise PAM systems in F500/research/academia, and about 10% of the time it felt like I'd see Notepad++ on internet-connected systems used for security tooling because vanilla notepad is indeed garbage. It does not surprise me at all this has been used as an attack vector.

  • tech234a 2 days ago ago

    Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/

    • sbohacek a day ago ago

      The lack of signing and/or checking the signature when updating is the real issue here. But the write up blames the attack on the hosting server. That doesn't bode well for future security.

    • bakugo 2 days ago ago

      So they just conveniently decided not to sign their releases right around the time they were supposedly "hacked"?

      Something doesn't seem right here.

      • adzm 2 days ago ago

        Code signing certs are unfortunately expensive

        • 1una 2 days ago ago

          $0 at SignPath. Quite a few OSS projects use it.

        • firesteelrain 2 days ago ago

          $700+ at Sectigo for two years

          Something of Notepad++ size might think about it now

          • abeyer 2 days ago ago

            "of Notepad++ size" is basically one guy in his free time, no?

            • eviks 2 days ago ago

              "But look at those downloads, they magically print money"

              • firesteelrain 2 days ago ago

                Notepad++ is Windows-based and could use the Windows store instead of the built in updater. Microsoft charges a one time fee. It would pass SmartScreen checks. His website has a bunch of ads integrated which I assume are there to help pay for hosting.

                Mr. Ho already has hosting charges and he uses GitHub. For those who use GitHub, he could continue his GnuPG method for signing. Additionally, GitHub integrates with Sigstore. Windows wouldn’t trust his signature but at least there would be better traceability. Version 8.8.7 labeled “authenticity guaranteed” is a step in that direction.

                The real “issue” here was his outside hosting platform for updates from my reading of the article.

          • hjoutfbkfd 2 days ago ago

            the issue was not the money, but that it was difficult to get a certificate without having some sort of legal entity

  • maremmano 2 days ago ago

    I’m on version 8.8.8, which says a lot.

    This time I unfortunately have to move on from Notepad++. Vibes have been negative for a while but out of inertia (and because there weren't obvious alternatives) I never pulled the trigger. Now it's time. The trust is gone.

    Thanks NP++ for being free and useful for so many years.

    Can anyone suggest a solid alternative on Windows? I'm fine with Linux and macOS but I have to keep a Windows machine around for some legacy, win only, software.

    Maybe Sublime Text could be an option? At this point I'd rather pay for something lightweight, fast, and probably better.

    I don't like tooling that increases my exposure to bad state actors (whatever state they're from).

    • nhinck3 2 days ago ago

      > I don't like tooling that increases my exposure to bad state actors

      > Can anyone suggest a solid alternative on Windows

      What a weird reason to switch. I don't know why you'd believe any other piece of software is somehow more secure against state actors.

      • rdiddly a day ago ago

        Are we supposed to ignore announcements of documented compromises then? Or are you saying compromised software is the safest of all?

    • nzd 2 days ago ago

      Sublime Text. It's art.

      • hansifer a day ago ago

        It was great 10 years ago before VS Code, but Sublime has been abandonware for years now.

      • maremmano 2 days ago ago

        Thanks. I'm on it right now. Testing.

  • Ayesh 2 days ago ago

    If you update via Winget, you are probably safe.

    Winget downloads the installer from GitHub: https://github.com/microsoft/winget-pkgs/blob/master/manifes...

  • paul_h 2 days ago ago

    For a while, I've been thinking that open source package portals will at some point take over making of binaries that get released. Dev teams will run their own CI with whatever automated test pipelines they think is appropriate. For a tests-pass situation and will pass the git hash to the portal system for release, which just runs compile and making the binary. Well, not all CI runs would result in a release, of course. Then the package portal's own software kicks in to calculate an independent since-last-release report that's attached alongside the maintainer release notes.

    All such portals upgrade their hash/sig noting of binaries, and keep those in a history retaining merkle tree of sorts. If nothing else, a git repo. Something like this https://github.com/hboutemy/mcmm-yaml/blob/master/aws/sdk/ko... but with SHA256s, and maybe not the entire world on one repo.

  • throwa356262 2 days ago ago

    The article is not very clear.

    Which versions were affected and how can people check if they have the infected version?

  • starkeeper 2 days ago ago

    What was the impact of being compromised? Were they able to inject code into releases of Notepad++?

    • davorak 2 days ago ago

      They were able to replace the downloaded executable with their own version. From the article:

      > 2. Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.

  • Aqua0 2 days ago ago

    It's ridiculous that any software developed by any developer on Earth can now claim to have been attacked by hackers supported by a certain country.

    • hulitu 3 hours ago ago

      Why ? It works so well for other, big companies.

    • charlieyu1 a day ago ago

      Supply chain attacks. What can an average developer do?

  • shevy-java 2 days ago ago

    That's sad. China should be more helpful with regards to open source.

    Notepad++ is a great editor. I don't use it on Linux, because I have an older editor I am very used to, but on Windows I like notepad++ a lot (though lately I have been using geany on Windows, mostly for convenience - I think notepad++ is better but I sort of like the github-based development of geany; either way notepad++ is really excellent as well).

    • anonnon 20 hours ago ago

      > That's sad. China should be more helpful with regards to open source.

      They should also be more helpful with not plundering the oceans, even including the territorial waters of far-flung nations, of fish.

      • anonnon 17 hours ago ago

        Why the downvotes? I guess I should hope the CCP doesn't hijack this account the way they did Notepad++.

  • shellcromancer 2 days ago ago

    > Additionally, the XML returned by the update server is now singed (XMLDSig)

    The latest and greatest cryptography powering everyone’s favorite SAML-based single-sign on.

  • nickorlow 2 days ago ago

    I wonder who the targets were/what the malicious binaries did. Assuming some gov related shop + sent the contents of files on the host to attackers.

  • _cs2017_ 2 days ago ago

    Many large companies allow employees to install software from the internet on their work laptops. How do they avoid being regularly hacked this way (presumably NPP is far from being the only one at risk, and presumably the money from theft of corporate secrets attracts skilled and motivated hackers).

  • johnsillings 2 days ago ago

    why does this read like it was written by a state-sponsored actor

    • opan 2 days ago ago

      The thought crossed my mind as well. Lots of typos, plus "old version compromised, use new version ASAP" could also be said to get people on a newly compromised version, right? Though it's probably just that the post author is stressed and rushed the post out. I do wonder if there's a way to verify the post was written by the real dev and that he still has control. Old known GPG sig?

      • Dylan16807 2 days ago ago

        Posted with the new version not even out yet?

    • anonnon 20 hours ago ago

      IIRC, the author, Don Ho, is French and was born in Taiwan, and accordingly, perhaps his English is somewhat idiosyncratic?

  • kwar13 2 days ago ago

    Would've been good if it named the hosting provider. That's the most informative part.

    • r1ch 2 days ago ago

      Every shared hosting provider has this risk. Critical projects should be using dedicated or VPS hosting, preferably with encrypted filesystems too as even datacenter techs can fall victim to social engineering.

      I'm pretty surprised that they got away with unsigned updates and shared hosting as long as they did. I wonder how many similar popular projects are out there on dodgy infrastructure.

    • Larrikin 2 days ago ago

      Maybe the hosting provider is currently undergoing an audit or implementing the changes?

      I expect to know it one day, but it may be too early to provide the name now.

    • nickorlow 2 days ago ago

      Lawsuits are expensive and I'd think that name and shaming would open npp up to one

  • antiloper 2 days ago ago

    > Additionally, the XML returned by the update server is now singed (XMLDSig)

    XMLDSig is notoriously difficult to implement correctly and securely, I hope this doesn't backfire.

  • getcrunk 2 days ago ago

    So they say at the provider level update traffic was redirected. Does this also mean their update endpoints didn’t do encryption?

    • gruez 2 days ago ago

      It's also possible the update manifest contained an url that the updater blindly trusted, and by modifying that file you could change what got downloaded.

    • getcrunk 2 days ago ago

      Yea, should have finished reading. Remediation was to “verify both the certificate and the signature of the downloaded installer.”

      I mean for such a dev focused and extremely performant app, that’s disappointing.

      Glad I’m off windows as of late
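The failure mode raised in the two comments above (a manifest URL the updater trusts blindly, and the fix of verifying signatures), sketched as an added example that is not Notepad++'s updater code. It uses a detached RSA signature checked with the `openssl` CLI rather than XMLDSig, and the manifest layout, file names and hosts are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: authenticate the update manifest before trusting anything in it.
# Assumptions: openssl CLI available; manifest layout and file names are hypothetical.

# verify_manifest MANIFEST SIG PUBKEY: exit 0 only if SIG is a valid signature of MANIFEST
verify_manifest() {
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# trusted_url MANIFEST SIG PUBKEY: print the download URL, but only from a verified manifest
trusted_url() {
    verify_manifest "$1" "$2" "$3" || return 1
    sed -n 's:.*<Location>\(.*\)</Location>.*:\1:p' "$1" | head -n 1
}

# installer_matches MANIFEST INSTALLER: compare the file's SHA-256 with the manifest's value
# (call only after verify_manifest succeeded, otherwise the digest is attacker-controlled)
installer_matches() {
    want=$(sed -n 's:.*<Sha256>\(.*\)</Sha256>.*:\1:p' "$1" | head -n 1)
    got=$(openssl dgst -sha256 -r "$2" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# make_demo DIR: build a throwaway key pair, a constructed installer, manifest and signature
make_demo() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/priv.pem" 2>/dev/null
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
    printf 'constructed installer bytes\n' > "$1/installer.exe"
    sum=$(openssl dgst -sha256 -r "$1/installer.exe" | cut -d' ' -f1)
    printf '<Update><Location>https://updates.example/npp.exe</Location><Sha256>%s</Sha256></Update>\n' \
        "$sum" > "$1/manifest.xml"
    openssl dgst -sha256 -sign "$1/priv.pem" -out "$1/manifest.sig" "$1/manifest.xml"
    # Tampered copy: original signature, download URL rewritten to another host
    sed 's#updates.example#mirror.invalid#' "$1/manifest.xml" > "$1/tampered.xml"
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
trusted_url "$demo_dir/manifest.xml" "$demo_dir/manifest.sig" "$demo_dir/pub.pem"
trusted_url "$demo_dir/tampered.xml" "$demo_dir/manifest.sig" "$demo_dir/pub.pem" \
    || echo "tampered manifest rejected"
installer_matches "$demo_dir/manifest.xml" "$demo_dir/installer.exe" && echo "installer digest ok"
rm -rf "$demo_dir"
```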

  • thomasjudge 2 days ago ago

    Will malware/virus scanners detect any bad software?

    • conception 2 days ago ago

      Most EDR has a “this program is doing something bad” detector. But the number of folks running security on their build process is still not ubiquitous.

    • burnt-resistor 2 days ago ago

      The whole approach of virus scanning is reactive and incomplete. This is because, except for some uncertain guesswork using "heuristics", it depends upon vendor analysis of submitted malware infection samples after it's already happened to determine specific malware file/process signatures. This doesn't and cannot catch all possible malware that has ever happened, especially if it's new, not widespread, or evaded analysis from ever being noticed. Thus, a fraction of malware will always slip and will always remain undetectable.

      After a machine is compromised by malware, there's rarely-to-never a trustworthy way to ever fix it with 100% certainty. And especially worrisome is "repair" from the host itself which may be infected with a rootkit that hides and repairs the malware. Thus, the only correct solution is to completely reimage/reinstall from trusted sources. Deviate from this path at one's own extreme cost/risk.

      There also exists a tiny amount of even worse, specialized malware, usually deployed by state actors, that infect hardware in such a way that makes them difficult and sometimes uneconomical to repair.

      PSA: Never run untrustworthy shit on any machine that matters. This also includes FOSS projects that don't have their shit together.

      • eviks 2 days ago ago

        PSA?: How to establish trust?

        • burnt-resistor 2 days ago ago

          That's somewhat of a social problem beyond the scope of technological solutions.

  • charlieyu1 a day ago ago

    Just downloaded NP++ for my new PC.

  • nosrepa 2 days ago ago

    How scintilla-ating!

  • dyauspitr 2 days ago ago

    What’s a good alternative?

  • dehrmann 2 days ago ago

    Another popular project I can think of to look out for is PuTTY. I'm fond of the 2006 vibe, but GitHub probably has stronger security protections.

  • sharyphil 2 days ago ago

    I love Notepad++ but for some reason it always had some kind of political BS going on and I don't appreciate that.

  • bakugo 2 days ago ago

    So uhh... what exactly did the "state-sponsored actors" do?

    They go on about how their server was compromised, and how the big bad Chinese were definitely behind it, and then claim the "situation has been fully resolved", but there is zero mention of any investigation into what was actually done by the attackers. Why? If I downloaded an installer during the time they were hacked, do I have malware now?

    The utter lack of any such information feels bizarre.

    • mikeweiss 2 days ago ago

      Exactly... Were they exfiltrating files open in notepad++, or was notepad++ installing additional malware for system wide access? What was the end goal?

    • mimasama 2 days ago ago

      > Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.

  • ivankabiden 2 days ago ago

    Job well done!

  • bravetraveler 2 days ago ago

    Shared hosting for this, really? Fascinating.

  • zeroq 2 days ago ago

    I've been thinking a lot lately about open source.

    It seems to be a lot like the communism - sounds great on paper but we are yet to see a proper implementation.

    Between Git, Linux and SQLite there are a few projects that have been led by weirdos that have time, resources and conviction to drive these through time.

    Unless you create some sort of an auxiliary business and get an acquihire deal most things will fizzle out.

    Years ago when I started working for BigCo I was amazed by their denial of FOSS. At one point in the project I pointed out a problem, which was heard and recognized, to which I followed up with a solution using an open source package. I thought I was clever - we needed an extra package in our system, but I was able to find a suitable open source solution that would not add to the overall cost of the project. My proposal was immediately pushed back.

    Initially I thought it was due to a responsibility issue - if we'd employ a FOSS solution we'd be responsible for the outcome. Having a 3rd party vendor, the management would have the opportunity to shield themselves.

    But that doesn't have to be the case. The FOSS project could easily fizzle out. And if we don't have enough resources to incorporate it and make it our own, we can potentially risk being left out to dry.

    • autoexec 2 days ago ago

      > Unless you create some sort of an auxiliary business and get an acquihire deal most things will fizzle out.

      This is acceptable. Why shouldn't most things started by people not willing to put in the work to keep them going not fizzle out? The important thing is that anyone who actually cares to can jump in and pick up right where the open source software fizzled out and get it going again. Anyone can learn from the code and use it for anything they want, even things that have nothing to do with the goals of the original project.

      It's not as if there aren't countless examples of corporate vendors dying off and leaving their customers on the hook with nothing, or just changing the product drastically after the sale. At least in the open source case you have the option to fork the project and continue using it as you always have.

  • benterix 2 days ago ago

    Well, the update in Notepad++ was the single annoying thing and I made sure I turned it off as the first thing after the install. It was terribly annoying, interrupting my workflow every so often so I have no idea how others managed. Why should it decide when to upgrade anyway? It's a notepad! Why should I even bother to upgrade? Everything I need is already there! A piece of software like this one shouldn't be allowed to send out traffic by default anyway, it should be opt-in.

    • Jnr 2 days ago ago

      You should see the apps on macOS. Almost every single app that is not installed from the App Store has that shitty update popup, it is driving me nuts.

      I think Linux has the best solution for this - good package managers for the base system and Flatpak with Flathub repo for other apps. So you never get stupid popups, and update managers use signed packages and check those signatures before installation.

  • prodigycorp 2 days ago ago

    I'm extremely wary about any application pushing politics.

    I subscribe to MacPaw, who makes excellent apps like Setapp, Gemini, and CleanMyMac, all of which I use.

    At some point, CleanMyMac started putting the Ukrainian flag on the app icon and flagging utilities by any Russian developer as untrustworthy (because they are Russian), and recommended that I uninstall them.

    I am not pro-Russia/anti-Ukraine independence by any means, but CleanMyMac is one of those apps that require elevated system permissions. Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.

    • _alternator_ 2 days ago ago

      Sorry, what does this have to do with notepad++?

      • prodigycorp 2 days ago ago

        Sorry, I meant to reply to this comment: https://news.ycombinator.com/item?id=46851664

        Please refer to it for context.

        • gradus_ad 2 days ago ago

          You should repost under the intended post

      • stackghost 2 days ago ago

        The notepad++ author has publicly come out in favor of Taiwanese independence.

        • permo-w 2 days ago ago

          Taiwan is already independent. Surely the normal way to refer to it would be as coming out against assimilation with mainland China?

          • smuhakg 2 days ago ago

            The official position of Taiwan (Republic of China) and the People's Republic of China is that they're rival governments of the same China.

            The Taiwanese government has never formally declared itself independent from the mainland. Such a declaration would likely cause the PRC to invade.

            https://en.wikipedia.org/wiki/1992_Consensus

          • sb057 2 days ago ago

            >Taiwan is already independent.

            That is a very controversial statement, and one that both Taipei and Beijing disagree with.

            • Supermancho 2 days ago ago

              Controversy doesn't change the reality. Stating that Taiwan is not independent is political posturing. Look to French Guiana, which is not independent.

            • fc417fc802 a day ago ago

              Taipei only disagrees because they're under threat. Doublespeak should generally be called out. Taiwan lives under perpetual fear of occupation and forced assimilation.

          • sMarsIntruder 2 days ago ago

            De facto sed non de iure

          • stackghost 2 days ago ago

            >Surely the normal way to refer to it would be as coming out against assimilation with mainland China?

            I suppose, though that's not really how I tend to see it phrased on socials or in the media.

          • litbear2022 2 days ago ago

            Before Trump set his sights on Greenland, Denmark also considered Kosovo to be independent.

    • wiseowise 2 days ago ago

      > anti-Ukraine independence

      What the fuck is that supposed to mean, lol. Ukraine isn’t some secessionist state.

      > Seeing them engage in software McCarthyism makes me very, very hesitant to provide them.

      So are they wrong when flagging software or not? You haven’t provided any details.

      • prodigycorp 13 hours ago ago

        They flag AdGuard for Safari as suspicious. It's one of the most popular Mac apps, if AdGuard is truly suspicious then it should be bigger news.

    • Barrin92 2 days ago ago

      if you're going to give in and avoid applications because, like in this case they take a strong stance on Ukraine or Taiwan the hack has literally achieved its purpose. Either silence the author directly or destroy its userbase.

      Fuck'em and just donate ten bucks to notepad++, I'd rather my pc breaks than reward this crap

      • prodigycorp 2 days ago ago

        I think I made it clear that I use (and pay for) their applications. I also think I made a sufficiently nuanced comment that doesn't suggest that I've "given in" to anything.

        • suprstarrd 2 days ago ago

          I can see where they got that idea from. You saying you won't provide permissions at the end ends up sounding a lot more like you won't use the app than I imagine you intended. (Although, subscribing to an app and then not using it would be silly.)

        • Barrin92 2 days ago ago

          what I took a bit of offense with is the term "software McCarthyism". That's a movement now remembered for an over-reaction to often imaginary enemies. Ukraine is right now fighting for its life in a hot war on our continent here in Europe. Taiwan is at the very real risk of being invaded.

          American and European infrastructure is subject to cyber attacks that are effectively hostile military acts already. I don't think a vocal stance on Ukraine and an exclusion of Russian developers deserves the rhetoric of McCarthyism or being 'too political' as is these days a fashionable accusation. This is no red scare, this is speaking up for people bombed on a daily basis.

          • prodigycorp 20 hours ago ago

            AdGuard is flagged as "suspicious". If it is, I'd like to have a better reason than "because it's Russian".

          • generalizations 2 days ago ago

            > a movement now remembered for an over-reaction to often imaginary enemies

            I'm sure it felt very real at the time.

      • stavros 2 days ago ago

        I support the Ukraine effort as well, but breaking my applications seems like a bridge too far.

    • throwaway3060 2 days ago ago

      I hate to say this, but wariness of software developed within Russia has been around for ages, long before the current war.

      Since there are a lot of both Ukrainian and Russian software developers, this is personal for a lot of people in the industry.