Disclaimer: I've never used pytorch and I also know nothing about software security practices.
But I don't see a scenario where pytorch needs network access. It seems wrong that at any level within the codebase I can import any module and use its API.
I think there need to be additional import restrictions or static analysis.
This also seems like languages do not have the right abstractions to talk about this stuff. As a comparison, I like how in rust I can look at the function signature and see the mutability and lifetimes of everything without understanding any of the code underneath.
I feel there needs to be something similar here with dependencies. A dev should be able to audit all their dependencies easily and see "oh dep X uses eval()" or network access, etc without looking at any underlying code.
Mobile apps enforce permissions. Shouldn't a dev be able to whitelist certain functionality and not take everything including the kitchen sink.
It's cool to see CT mentioned on HN. I haven't seen any mentions until today.
My family has installed solar on every house we've lived while there. There is a strong economic incentive. CT has some of the most expensive avg. electricity cost in the country (a few cents cheaper than California for comparison). And Eversource, the utility company, is universally hated. Most people want to switch from their terrible service and are looking for any reason to.
I want to add that Moritz Klein's DIY synthesizer videos are top notch, especially for beginners in electronics. As somebody who is just working through AoE it feels like a great compliment and is very satisfying.
As a new college grad I might be able to add some insight.
We're stuck in a stalemate where the sheer volume of applications for employers to handle and applicants to send makes them take shortcuts, leaving both sides wonder why people aren't trying.
If somebody has to send in 300-500 applications (which is not unheard of) and answer the same questions till they go blind, it's not surprising that certain things are missing or people don't care. Applicants don't have any reason to believe their info isn't thrown in the trash by an LLM as soon as it is sent.
Lazy people will always be a problem but until there is transparency or trust developed I doubt we will see meaningful change.
I agree that is excessive. But I would hate equally, if not more, learning with magic rules delivered by the professor in the sky. The info doesn't stick for me unless I understand the intuition behind the reasoning.