HackerLangs
TopNewTrendsCommentsPastAskShowJobs

Kalium

no profile record

comments

Kalium
·4 lata temu·discuss
There are helmets you can lock with your bike.
Kalium
·5 lat temu·discuss
At the risk of being confrontational, show me a language without built-in footguns and we can talk. I've seen people fail to check their inputs in every language I've ever touched. I've seen people cobble together their own horrifically insecure SQL query builders. And so on.

Meanwhile, I have to argue with developers on a regular basis to convince them that they actually need to patch the libraries in their systems. Yes, even if they don't see an obvious exploit path. Yes, even if it's more work than drop-in-and-ship.

Getting them to use static analysis is a nightmare. Entirely too many developers view each finding as an attack on their style they can negotiate away.

As you so wisely and correctly say, we're at a point in time where we mostly have the tools to employ safer software development lifecycle methodologies. It is telling, then, how often we don't.
Kalium
·7 lat temu·discuss
That's actually exactly my point. Dependabot did Github security alerts so much better than Github did, that Github gave up on trying to compete entirely.

Which is to say that it's incontrovertibly possible to beat Github at their own game and on their own platform. To the point where even Github agrees they've been beat.
Kalium
·7 lat temu·discuss
What kind of critical engagement do you think we are failing to offer? What kind of response would leave you thinking "This person engaged critically with the issue at hand, but still came away with a strongly positive position"?

For my own part, I don't think anybody is owed a position in a space. I also don't think the existence of small players that get displaced by a big player means that the small players were destined to become big players. It's worth considering that LiberaPay and OpenCollective would never have gotten somewhere great. Perhaps they would always have been doomed to be small and essentially irrelevant. We'll never know, obviously, but it's worth considering.

But let's talk about OpenCollective and how Github could have worked with them. Do you think OpenCollective would have passed a security audit? Are they SOC compliant? Could they have handle the scale?

An even more interesting question: has Github ever claimed to be an OPEN company? I'm certainly not aware of such, though of course my knowledge is less than comprehensive. Charging them with failing to be something that they've never claimed to be seems odd.

Yes. Your charge is correct in an important detail. Github isn't an open source company. As far as I can tell they never have been. It's perhaps somewhat less than maximally reasonable to expect them to become one.

For my own part, this enhances my positive feelings about Microsoft running Github. They're making changes to popularize the idea that it's OK to pay developers to do open source, and doing so in a way that lets developers get paid in a manner of their choice.

It could still be an open platform, of course. Someone just needs to be able to do it better than Github. As Dependabot shows, that's absolutely possible.
Kalium
·7 lat temu·discuss
I agree that our perspectives are different.

I see this from the perspective of someone who wants to see developers get paid. Safely and securely, in a way that makes it easy for them to get paid the next time too.

I'm also looking at this from the angle of "What non-nefarious reasons would GitHub have for making these decisions?". One of the first that sprang to mind is credit card security, which touches on quite a few issues at once.

Further, my experience is that most of the time decisions that can be interpreted as being done for nefarious reasons were rarely actually made that way. I am willing to extend the HN-guideline principle of charity to GitHub, especially because I can see clear, real, valid reasons for standing up their own service over a partnership with a third-party service. I understand that some people will find these unconvincing or decide they are just a ploy.

I haven't even touched on AML or KYC issues!

You are definitely right about the importance of infrastructure made entirely of open source software. My perspective is, in essence, that there are other features that matter that may not fully live in code.
Kalium
·7 lat temu·discuss
> Seems what they are planning to offer is not better nor different than what others already are providing (see OpenCollective or LiberaPay).

It's got a major company with deep and signficant expertise in security, payments, and accouting. A name that people and companies already trust with a raft of compliance all handled already. It might just be me, but if I were to speculate I would guess that OpenCollective and LiberaPay can't quite claim the same. I know that if I want to, I can get a SOC 2 report from GitHub.

These are nor minor administrative details to be brushed aside idly. They matter, particularly to a company keen to ensure that they never have to apologize for a partner fucking up credit card handling or to someone with a corporate card who has to be careful how they use it. These things are major features.
Kalium
·7 lat temu·discuss
> It's great that you can now have a fancier link to OpenCollective. Thank you for that, Githubbers who are reading the HN comments.

It improves discoverability, which is important enough that it's a big part of why people use GitHub. It might just be me, but that seems like it might benefit open source developers no matter what platform they use.
Kalium
·8 lat temu·discuss
You're absolutely right! We could search for funding models, plural, to support a network of federated and distributed platforms! We could even couple it with ways we know that enable distributed and federated platforms to interoperate and keep at bay the problem that come from that.

Of course, it's possible that this may be a sufficiently non-trivial problem where the best answer anyone's found to date is a centralized business. But hey, we won't know until we try! Also, email as a federated system and its history doesn't count, because that runs directly against the basic thesis that nobody has seriously tried.