HackerLangs
TopNewTrendsCommentsPastAskShowJobs

stephenr

no profile record

comments

stephenr
·il y a 23 jours·discuss
I would happily write stored procs using the current language support for a decade without pay, before I'd subject myself to putting javascript in a fucking database engine.

> And how is it "minutiae" to be able to figure out "is my database version actually supported"?

Remembering "8.4", "9.7" and ".4" just doesn't seem like a particularly big deal to me. The number* has only changed 3 times in the last 10 years.
stephenr
·il y a 23 jours·discuss
> such as vector indexes and JS stored procedures

So, the stuff that basically appeals to people chasing the AI dragon, and has zero practical use for 99.999% of developers making real products?

> I wish I was joking!

I wish I could care even a little bit about such minutiae.
stephenr
·il y a 23 jours·discuss
To me the biggest "unknown" with Percona is that MariaDB (the company) bought out Codership (the creators of Galera Cluster, which XtraDB Cluster is based on) and it doesn't seem to be OSS any more.

I'm sure for some shops this will drive them to pay for the same feature in MariaDB cluster, but I'm more likely to just transition to MySQL Group Replication.

This is my whole point about MariaDB - they are steadily making their OSS software completely dependent on the company (paid) versions for anything beyond toy scale.
stephenr
·il y a 23 jours·discuss
The comparison with MySQL/MariaDB is unfortunate, given that since the "split" MariaDB has shown itself to be every bit the corporate owned "FOSS" project while its supporters still harp on about how terrible oracle is for OSS, without actually acknowledging the real history of each respective project and accompanying company.

Given that MariaDB the company is now owned by a private equity firm, I doubt it's going to get better.
stephenr
·le mois dernier·discuss
We are clearly talking about different things.

Access to source control is required on a developer workstation.

It is not required inside an application environment on that workstation (eg a VM or other such system that both provides a standard environment and creates separation)

I'm not making any claims about the security of react.
stephenr
·le mois dernier·discuss
> Most of the recent supply chain attacks specifically target stealing secrets from development environments.

If your secrets in a dev environment can actually do any damage if leaked, you're doing something very fucking wrong.

> React's last minor version bump included 100 files and ~5k changes.

So you're choosing over engineered dependencies and then complaining they're too big.

Somehow I think the problem, as usual, started with the meat sack on the chair.
stephenr
·il y a 2 mois·discuss
> If you already had left pad cached then you were not affected by its disappearance.

The evidence of course is that when you say "left pad" no one knows what you're referring to because nothing bad ever happened.

> If a package needs an install script to be used, to compile some native code for example, you still need to run the install script before you can use the package.

This already sounds like a giant red fucking flag, but sure whatever, what you're using needs some compile step. You can be in control of what runs when and where. Heck you could even take the fucking maverick solution and compile the shit once out of band and deploy the compiled binary to your production environment. I know that forethought and planning ahead will come as a fucking shock to the NPM using community, but try it some time, it's really kinda good.

> Manually repeating the actions npm does automatically does nothing to protect you from supply chain attacks.

I mean it does, inherently, if you're running those actions locally in an environment without production access...

Oh noes, your compromised module stole your DB credentials, and your SES credentials to spam all your customers..... and just got a bunch of failures or sent messages to no-one because the environment has dummy data and uses a locked down sending configuration for SES.

There is 100% benefit in running that shit in a development environment.

> The only thing that helps is to review code before you run it.

Right, and somehow you think having the code in question literally in your VCS, waiting for a merge like all the other code... that's not apparently helpful.

But hey thanks for proving me right about the unhinged complaints. Stong echoes of "we've tried nothing and we're all out of ideas".
stephenr
·il y a 2 mois·discuss
I mean even if you blindly copy in the dependency (I'm not saying you should) you've already solved two supply chain issues with install-on-prod:

- dependencies "disappearing" (aka left pad 2, electric boogaloo)

- dependencies running nefarious "install scripts" on prod

Apparently some language package managers also will silently install newer versions than a lock file specifies, if you use the wrong install command. So that's arguably more a case of saving you from yourself but the example I saw said that "... install" is wrong you need to use "... ci" which is kind of asinine IMO.

Things like sudden changes in dependencies should also be noticed more readily.
stephenr
·il y a 2 mois·discuss
I'm glad other people are starting to realise this.

Just a word of warning from someone who's always advocated for this approach:

Prepare to be inundated with ridiculous, nonsensical arguments about why it's impossible to work that way.
stephenr
·il y a 2 mois·discuss
If I show a person on the street a Fuji apple and a Honeycrisp and ask if they're approximately the same, they're going to say yes even if they're labeled.

Php has had a strict equals operator for decades. You not using it is not a language fault.

For the second point: I doubt you'll fine any language where you can just do an equals comparison on floats and it works as expected. That's the nature of floating point numbers.
stephenr
·il y a 2 mois·discuss
I'm pretty sure it is actually.
stephenr
·il y a 2 mois·discuss
South Australia. Possibly other Australian states too, I haven't checked (I live overseas currently)
stephenr
·il y a 2 mois·discuss
> Yes, we punish the individual driver that did it, but we still allow humans to drive cars.

Yes because bad drivers aren't representative of all drivers. You also missed the part where laws are changed, safety laws are strengthened.

Oh wait. You're American aren't you.

In most of the world, laws are put in place to protect people. The Cybertruck for example, cannot be legally driven (regardless of not being for sale) in many countries because it doesn't meet pedestrian safety standards.

In my home state it's a finable offence to touch or even have your phone sitting in your lap while driving a car, and they've put detection cameras in place to enforce these laws.

So maybe define who you mean by "we" before claiming that people think kids being mutilated by negligent drivers of either the robotic or fleshy kind, is "good enough".
stephenr
·il y a 2 mois·discuss
If a child is "folded in half" by someone looking at their phone, no one accepts that as "good enough", and there is a direct action: the driver responsible will lose their licence and likely end up in prison. If it happens often enough, laws are changed.

What happens when a Tesla does the same thing? Besides them lying and hiding information I mean. What remedial action is taken to reduce that specific risk from reoccurring?
stephenr
·il y a 2 mois·discuss
... the only sarcasm I posted was about screaming at the universe in response to his suggestion that the only alternative to people loading up a text editor with a million shonky plugins to try and make it an IDE, is to eschew all IDEs.

The sarcasm was because this suggestion is ridiculous IMO. It's like saying "Tesla refuses to use state-of-the-art LIDAR for their attempts at an autonomous vehicle, therefore I shall only travel in vehicles that have both a driver and a conductor, and are propelled by beasts!".

VSCode being a turd isn't a reason not to use an IDE. It's a reason to use an actual IDE, rather than a glorified text editor, with the aforementioned millions of shonky plugins trying to recreate IDE levels of functionality.
stephenr
·il y a 2 mois·discuss
Your comment implies that you've somehow misunderstood my comments and thus think that I am using Microsoft's hot garbage text editor with a million plugins.

I can assure you I am not.
stephenr
·il y a 2 mois·discuss
Good point. Any editor is a needless dependency.

True developers just scream at the universe and it responds with cosmic radiation that flips the correct bits to form the binary code they intended.
stephenr
·il y a 2 mois·discuss
So what you're saying is, you don't really know what spicy autocomplete is generating because you aren't reading it.

Great stuff champ. Really dispelling the idea that vibe coders have no idea what slop is being churned out. Top marks.
stephenr
·il y a 2 mois·discuss
Which other community imports a third party package rather than writing `% 2 === 0` (or it's equivalent) code to test if a number is even or not?
stephenr
·il y a 2 mois·discuss
If you've all been reduced to vibe coding and hoping for the best I'd suggest that you aren't really participating in the software industry either mate.