I find it to be pretty reasonable, and also consistent with what GrapheneOS previously said. They were consistently against company-owned verification. I don't see anything offensive here: they aren't attacking individuals or projects, but rather attacking an approach that is harmful.
I often see them being on point and highlighting important details. Majority of custom roms aren't taking security seriously, so I don't think there's anything wrong with calling them out on that.
Last time I tried JLCPCB, it was way too expensive on a smaller scale. Simple PCB with a cheap Nordic nRF, a few other basic components, 10cm x 5cm: ~17 euros/unit (including shipping) at 5 units which was the minimum amount to order.
I feel like the article ignores the elephant in the room — production costs.
Producing PCBs (say, 5 or 10 units) is pretty expensive, and components are also costly on such a small scale. Combining these two requires additional money or time. Beyond that, you need to consider that you probably won't get it right the first time, and every attempt multiplies the cost.
It'll be a deal-breaker for many people — the risk is just too high.
> During the first week of June I merged 293 PRs, and have found no production defects tracing back to those changes so far. The latter part is a bit of good luck — I think 2-3 minor and 1 major defect would be acceptable for this volume.
At this point, articles about LLMs paired with meaningless metrics have become a classic combo. I get that it's typical corporate BS, but publishing this widely is just weird. "Look, my productivity is skyrocketing according to a chart that only my manager cares about!"
In terms of apps, I fully believe it will only get worse from here: Google’s trajectory has been pretty hostile, and third‑party developers tend to follow it.
That’s why I have two phones. One runs GrapheneOS and is my daily driver; the other (considerably less private and secure) stays at home connected to my server so I can always scrcpy into it.
And how many options are there exactly? How many of them are capable of at least making and receiving a phone call without any issues 99% of the time?
While I agree with your general sentiment, I feel necessary to acknowledge that it's just not there (yet?). GrapheneOS is a great option if you want to have a fully working and secure device.
Local models are looking better and better each day. Still, not as capable, but you can be sure that nobody will take it away from you at a moment's notice.
IMO if numbers on Socket.dev can be trusted, then impact seems rather small (luckily). It also makes sense — I know some packages from the affected list, they're heavily outdated and their upstreams aren't maintained anymore.
Other than this — I don't know how many there are affected people in total, but AUR team probably has an exact number. I am also sure, they're doing their best to handle it accordingly to the impact.
I'm so glad that the LLM hysteria at $WORK is barely scratching the surface. These Twitter-brained CEOs are living in a completely different reality, so I am really happy I don't have to experience it firsthand.