HackerLangs
トップ新着トレンドコメント過去質問紹介求人

gred

no profile record

コメント

gred
·8 日前·議論
Do you mean A&E the television channel?
gred
·10 日前·議論
[flagged]
gred
·10 日前·議論
[flagged]
gred
·10 日前·議論
> Conservative bias in the media.

Depending on how you count, something like 96%, 94%, 65% or 87% of mainstream media employees lean left. Of course this matters less and less as customers tune out and their influence wanes.

https://ballotpedia.org/Fact_check/Do_97_percent_of_journali...
gred
·先月·議論
Thanks for the link. However, a 7x size differential does not fully explain a 100x security incident differential -- although I'm sure it's part of it. Some of the root causes are very hard to address (e.g. a very limited standard library which encourages dependency explosions), some are just hard (e.g. established cultural norms around version pinning and upgrades, well-established reliance on install scripts) and some are easier (e.g. small tool improvements like min-release-age). I'm personally not going to touch npm with a ten foot pole in the next year or two, but I'd love to see significant improvement, so that I have that option again in 2 or 3 years. Stay safe!
gred
·先月·議論
Days since last malicious packages in NPM: 0 (evergreen)

Days since last malicious packages in PyPI: 30

Days since last malicious packages in Maven: 120

I'm sure this isn't 100% accurate, and there are probably better metrics (average number of malicious packages per year, average number of developers affected per year, etc) but they aren't as easy as a quick Google News search.
gred
·先月·議論
We're halfway there!
gred
·先月·議論
New PR: revert GitHub software and infrastructure to version of June 1st, 2018.

New PR: disable new user signups for 6 months

HR initiative: all future KPIs automatically require three-nines availability; all bonuses are forfeited, regardless of accomplishments, if annual availability falls below target

HR initiative: fire CEO and CTO
gred
·2 か月前·議論
[dead]
gred
·2 か月前·議論
> The thing keeping maven safe for now is that most people pin [...] versions

Yes, and also the signing of JARs that are uploaded to the repository, and the fact that most release processes are not fully automated, and the batteries-included standard library which reduces the total number of dependencies, and the fact that a run-of-the-mill third-party library can't execute code at build time, and the very small number of people with credentials to publish new versions of major Maven plugins, etc.
gred
·2 か月前·議論
Your example of security issues in Maven is... npm guys setting up processes to auto-publish infected npm packages into the Maven Central repository?

Wake me up when the daily npm security breach headlines are typosquatting stories, not RCE-on-build or RCE-on-upgrade.
gred
·2 か月前·議論
There are npm supply chain exploits in the news every other day. I'm honestly surprised that something as decentralized as Go Modules is more reliable, but here we are. The fact that we're not seeing these stories about e.g. Maven is not at all surprising, given the limited need for third party libraries and the culture of careful upgrades in the Java ecosystem. If npm proponents want the ecosystem to survive, they need to demand / create better and stop making excuses.
gred
·2 か月前·議論
The future may be distributed quite unevenly here, as they say, with a divergence between a small amount of "responsible" code in systems which leverage AI defensively, and a larger amount of vibe-coded / prompt-engineered code in systems which don't go through the extra trouble, and in fact create additional risk by cutting corners on human review. I personally know a lot of people using AI to create software faster, but none of them have created special security harnesses a la Mozilla (https://arstechnica.com/information-technology/2026/05/mozil...).
gred
·2 か月前·議論
They should have had the UTF-8 guys tackle IPv6. Talk about elegant.
gred
·3 か月前·議論
> run your systems outside of Spain

So much for digital sovereignty :-)
gred
·3 か月前·議論
Disagree with so much here. But if, in your mind, the US is turning authoritarian, this is a "cut off your nose to spite your face" move. They should be taking the fight where it most needs fighting. They should not be making donors like myself question whether we still share objectives.
gred
·3 か月前·議論
> they have been silenced by the platform

Where do you see that? All I see is a claim that it no longer makes sense from a financial standpoint (but no comparative numbers provided for the other platforms they are keeping, which is sus, especially given their presence on very niche platforms like Bluesky), and vague justifications based on identity politics and "community care" loci, which is either nonsense or deep argot unsuitable for the intended audience.
gred
·3 か月前·議論
He's saying that they have ideological concerns beyond the ideological concerns you would tend to associate with the EFF (digital privacy, open source, patent trolling, etc). I for one am sad to see that this is the case. There are fewer and fewer organizations protecting civil rights without being dragged into left/right tribalism.
gred
·3 か月前·議論
> this obviously doesn't make any sense

That's debatable, but it's a moot point; it's pastiche, so it doesn't have the same goals or motivations as the original.

https://en.wikipedia.org/wiki/Pastiche
gred
·4 か月前·議論
Three years too late, in my case. I've moved on.