HackerLangs
TopNewTrendsCommentsPastAskShowJobs

gred

no profile record

comments

gred
·8 days ago·discuss
Do you mean A&E the television channel?
gred
·10 days ago·discuss
[flagged]
gred
·10 days ago·discuss
[flagged]
gred
·10 days ago·discuss
> Conservative bias in the media.

Depending on how you count, something like 96%, 94%, 65% or 87% of mainstream media employees lean left. Of course this matters less and less as customers tune out and their influence wanes.

https://ballotpedia.org/Fact_check/Do_97_percent_of_journali...
gred
·last month·discuss
Thanks for the link. However, a 7x size differential does not fully explain a 100x security incident differential -- although I'm sure it's part of it. Some of the root causes are very hard to address (e.g. a very limited standard library which encourages dependency explosions), some are just hard (e.g. established cultural norms around version pinning and upgrades, well-established reliance on install scripts) and some are easier (e.g. small tool improvements like min-release-age). I'm personally not going to touch npm with a ten foot pole in the next year or two, but I'd love to see significant improvement, so that I have that option again in 2 or 3 years. Stay safe!
gred
·last month·discuss
Days since last malicious packages in NPM: 0 (evergreen)

Days since last malicious packages in PyPI: 30

Days since last malicious packages in Maven: 120

I'm sure this isn't 100% accurate, and there are probably better metrics (average number of malicious packages per year, average number of developers affected per year, etc) but they aren't as easy as a quick Google News search.
gred
·last month·discuss
We're halfway there!
gred
·last month·discuss
New PR: revert GitHub software and infrastructure to version of June 1st, 2018.

New PR: disable new user signups for 6 months

HR initiative: all future KPIs automatically require three-nines availability; all bonuses are forfeited, regardless of accomplishments, if annual availability falls below target

HR initiative: fire CEO and CTO
gred
·2 months ago·discuss
[dead]
gred
·2 months ago·discuss
> The thing keeping maven safe for now is that most people pin [...] versions

Yes, and also the signing of JARs that are uploaded to the repository, and the fact that most release processes are not fully automated, and the batteries-included standard library which reduces the total number of dependencies, and the fact that a run-of-the-mill third-party library can't execute code at build time, and the very small number of people with credentials to publish new versions of major Maven plugins, etc.
gred
·2 months ago·discuss
Your example of security issues in Maven is... npm guys setting up processes to auto-publish infected npm packages into the Maven Central repository?

Wake me up when the daily npm security breach headlines are typosquatting stories, not RCE-on-build or RCE-on-upgrade.
gred
·2 months ago·discuss
There are npm supply chain exploits in the news every other day. I'm honestly surprised that something as decentralized as Go Modules is more reliable, but here we are. The fact that we're not seeing these stories about e.g. Maven is not at all surprising, given the limited need for third party libraries and the culture of careful upgrades in the Java ecosystem. If npm proponents want the ecosystem to survive, they need to demand / create better and stop making excuses.
gred
·2 months ago·discuss
The future may be distributed quite unevenly here, as they say, with a divergence between a small amount of "responsible" code in systems which leverage AI defensively, and a larger amount of vibe-coded / prompt-engineered code in systems which don't go through the extra trouble, and in fact create additional risk by cutting corners on human review. I personally know a lot of people using AI to create software faster, but none of them have created special security harnesses a la Mozilla (https://arstechnica.com/information-technology/2026/05/mozil...).
gred
·2 months ago·discuss
They should have had the UTF-8 guys tackle IPv6. Talk about elegant.
gred
·3 months ago·discuss
> run your systems outside of Spain

So much for digital sovereignty :-)
gred
·3 months ago·discuss
Disagree with so much here. But if, in your mind, the US is turning authoritarian, this is a "cut off your nose to spite your face" move. They should be taking the fight where it most needs fighting. They should not be making donors like myself question whether we still share objectives.
gred
·3 months ago·discuss
> they have been silenced by the platform

Where do you see that? All I see is a claim that it no longer makes sense from a financial standpoint (but no comparative numbers provided for the other platforms they are keeping, which is sus, especially given their presence on very niche platforms like Bluesky), and vague justifications based on identity politics and "community care" loci, which is either nonsense or deep argot unsuitable for the intended audience.
gred
·3 months ago·discuss
He's saying that they have ideological concerns beyond the ideological concerns you would tend to associate with the EFF (digital privacy, open source, patent trolling, etc). I for one am sad to see that this is the case. There are fewer and fewer organizations protecting civil rights without being dragged into left/right tribalism.
gred
·3 months ago·discuss
> this obviously doesn't make any sense

That's debatable, but it's a moot point; it's pastiche, so it doesn't have the same goals or motivations as the original.

https://en.wikipedia.org/wiki/Pastiche
gred
·4 months ago·discuss
Three years too late, in my case. I've moved on.