HackerTrans
TopNewTrendsCommentsPastAskShowJobs

yearolinuxdsktp

98 karmajoined 2 года назад

comments

yearolinuxdsktp
·5 часов назад·discuss
Don't store any secrets in your repo. Don't store them in env vars. Strong long passphrase on your SSH keys, stop using unencrypted SSH keys. Everything in a keychain.

The practice of storing secrets in a .gitignore'd .env.local.json or whatever is a really bad idea and I can't believe that it has become a normalized, acceptable practice in the industry.
yearolinuxdsktp
·5 часов назад·discuss
Was it Codex or the desktop ChatGPT agent?
yearolinuxdsktp
·вчера·discuss
Pi.dev requires some plugins to work well. Using Qwen3.6-27B/35B locally at Q8, I was quite frustrated with failed tool calls and tried many things.

Ultimately this combo worked:

1. https://pi.dev/packages/pi-tool-guard —- corrects key name synonyms and common structure errors, so tool calls succeed automatically (e.g if the model hallucinates old_str instead of oldText). It also wraps top level oldText/newText in an edits array if the tool didn’t do it.

2. https://pi.dev/packages/@aboutlo/pi-smart-edit - white-space-tolerant edits, as Qwen would sometimes add a fifth space to a four space indent

Hashline edit tools didn’t work well for me at all, they confused the model and it still failed to edit correctly. Also line removals would invalidate the rest of the file requiring re-reads. I tried pi-hashline-edit-pro, though I see it now keeps a database of hashes to help keep them stable across edits. Regardless Qwen kept thinking that the hashline prefixes were part of the source.
yearolinuxdsktp
·13 дней назад·discuss
#2, name matching valid government ID excludes trans people who have not yet legally changed their name. Same reason they can’t get a Meta Verified status, even if paying. Thanks technology for keeping things accessible to everyone!</s>
yearolinuxdsktp
·2 месяца назад·discuss
Lock files were begrudgingly introduced after people who aren’t playing around with move fast and break things cried foul about dependencies being updated unexpectedly. The “semantic versioning” dogma and the illusion of safety that it brings was the original motivation. At NPM’s creation time, mature dep management ecosystems did not have floating versions, they were always pinned.

When you are talking about checking your dependencies in the source tree, you are effectively pinning exact versions, and not using floating/tilde versioning syntax.
yearolinuxdsktp
·2 месяца назад·discuss
I asked Claude to set up a new NPM project and it configured the install task as “npm ci || npm install”, which is stupid. That was on Opus4.7 xhigh. When I pointed out that doing so defeats the purpose, it said “oh yeah of course.”

Turns out there is no equivalent to “npm ci” that doesn’t clear node_modules first, and you can’t call npm install to simulate NPM ci behavior (sans clean).
yearolinuxdsktp
·2 месяца назад·discuss
Never use “npm install”, only “npm ci”. Using “npm install” is a willing act to run fresh exploits.
yearolinuxdsktp
·3 месяца назад·discuss
Merge queues are not as frequently used… ~2000 PRs affected over 4 hours. I reckon that’s on the order of 10 commits per tenant. It’s a feature with low traction, probably because it creates more problems than it solves.
yearolinuxdsktp
·3 месяца назад·discuss
Kotlin’s closed-by-default design choice makes it worse than Java, and thus not strictly better than Java. It’s premature optimization, and a design-up-front-influenced paranoia/fear of any extension in not-designed-for places. But when I write code, I prefer to keep it open to extension, and in practice, I found a lot of value in extending decently written code, that would not be possible with Kotlin without having to go back and modify things to be open.
yearolinuxdsktp
·3 месяца назад·discuss
A startup might have trouble with, and might not have enough automation for:

- proving churned customer data was deleted completely and within the agreed-on period of time

  - - not enough to have a record

  - - auditors will ask you to prove the data is not laying around
- proving all changes shipped are reviewed and linked to tracked work

- proving branch rules are set to require PRs and prohibit changing history on release/trunk branches

  - - auditors will ask you to show live that you can’t approve your own changes

  - - some auditors might ask you for an audit log to prove no unexpected branch rule changes occurred —- depending on the observation period, you might have to build your own audit log capture to prove this
- proving you performed penetration testing

- proving you performed a disaster recovery test in production with the frequency you claim (e.g. annually)

  - - running a DR test might be more than a few hours depending on your data size and level of infra automation

  - - this is often something that startups are ready to execute, but don’t invest a lot of time automating
- proving you have and enforce full-disk-encryption on all your employee laptops

  - - this is automated with MDM but a startup might not be running an MDM yet
- proving you are rotating credentials on the frequency you ascribe to in your policies

  - - automated reports are available for some credentials, e.g. AWS keys, but takes more work for smaller vendors

  - - even with AWS, you might discover you forgot to rotate something, and it might be because it’s non-trivial to execute
- perform quarterly access reviews

  - - some systems are more difficult/time consuming to inspect against your employee and permissions list

  - - ideally this is automated, but often times at a startup, you might not have fully automated authorization and access control, such that when employees change teams or leave the company, that you get notified and don’t miss it
- proving that you act on performance or reliability alerts

  - - auditors will ask you to show live some examples of past alerts and that someone handled it

  - - auditors will often ask you to show live that these alerts are consistently configured for all your production system —- startups might not have the alerting and PagerDuty-like setup be fully automated (e.g. with Terraform)
yearolinuxdsktp
·4 месяца назад·discuss
Tree shade means bird poop danger.
yearolinuxdsktp
·4 месяца назад·discuss
It’s impossible to install XCode without an Apple account. It’s only distributed through the Mac App Store, and downloads from Mac App Store require an Apple ID. And even XCode beta downloads are locked behind an Apple login.

You can install XCode CLI dev tools without an Apple account, which comes with clang and swift for example. With this, you can build most Mac software, but I don’t think you can run Swift tests without a full XCode.

As the sibling comment notes, you can install GCC/llvm and whatever other open source tools and build Mac software without full XCode.

You can also install Apple container support without an Apple account.
yearolinuxdsktp
·4 месяца назад·discuss
It’s because when placed inside the engine bay, the large wiring harness is shorter, which is not only cheaper, but also shorter wiring helps with the consistency of electrical timing and reduces noise.
yearolinuxdsktp
·4 месяца назад·discuss
Yes they do. They can tolerate engine bay heat, but not exhaust heat. They are usually shielded from getting soaked.

Some Mazdas put the metal-cased engine computer in a plastic air box that feeds cold air from the front, to help ensure the engine computer stays cool enough.

In general, I believe the cooling airflow from the frontal air and the cooling fans keeps engine bay in check.

For example, this is the board that’s used in Mazda CX-5 2017+ engine computers (mfr Denso), it lists max temperature range of +150C: https://www.renesas.com/en/document/mah/rh850e1l-users-manua...
yearolinuxdsktp
·4 месяца назад·discuss
> If it's so bad for gamblers, why don't they stop?

Because harm does not guarantee control.

When it becomes compulsive, it’s not a simple cost-benefit choice anymore. People can know it’s hurting them and still feel driven to keep doing it.

The dopamine rush of gambling means the brain can get stuck chasing relief, hope, or reward, despite also knowing that it is destructive.

> If gambling orgs do something that you know causes harm, why isn't the a legal sense of responsibility?

Because it’s not that easy to prove responsibility in the face of powerful money lobbying and victim-blaming. Shame and stigma around addiction means people don’t come forward. Freedom argument comes in that not everyone who gambles is an addict, so restricting it takes freedom away. The same argument is used to push the personal responsibility angle.

Ultimately I think the way the gambling orgs cover their ass is by advertising gambling addiction helplines and adding small disclaimers to call those lines if you have a problem: “that’s it, legislators, we are clearly giving them the tools to help themselves, and that shows us exercising responsibility. Bombarding gamblers with offers is simply marketing and creating engagement for our business, you can’t make that illegal.”

Do they have moral responsibility to not exploit addicted gamblers? I would argue, yes, they do. But unless you prohibit all gambling marketing, how would you accomplish this moral responsibility even if the gambling company agreed it had it? It’s not like addicts identify themselves or that you can filter your marketing easily to people without problems. This is why the solutions have been on outlawing the whole thing, because it’s really hard to operate as a business without the societal cost.
yearolinuxdsktp
·4 месяца назад·discuss
I disagree with the downvotes, but let me put it differently: if you don’t understand, have reviewed and be ready to own all of LLM output (the thoughtful part), then you aren’t owned the time to read them. If you didn’t try to reign in the verbose slop that’s the default for LLMs, I don’t want to read it.

Maybe the poster is running a local LLM.. you’d think that a SOTA model would have surmised that an overnight MacOS upgrade can only be a minor version.
yearolinuxdsktp
·4 месяца назад·discuss
Apple container CLI configures internal domains (`container system dns`) by adding an internal resolver and it worked for me when I specified an actual domain previously handled by external DNS and it showed up as a custom resolver.

Here’s a GitHub comment showing someone on MacOS 26 with a `.test` domain, which you claim is broken: https://github.com/apple/container/issues/856#issuecomment-3... —- maybe you are configuring it incorrectly.
yearolinuxdsktp
·4 месяца назад·discuss
Your AWS backup snapshots must go one-way (append-only) to a separate AWS account, to which access is extremely limited and never has any automated tools connecting to with anything other than read access. I don’t think it costs more to do that—-but it takes your backups out of the blast radius of a root or admin account compromise OR a tool malfunction. With AWS DLM, you can safely configure your backup retention in the separate AWS account and not risk any tools deleting them.

Terraform is a ticking time bomb. All it takes is for a new field to show up in AWS or a new state in an existing field, and now your resource is not modified, but is destroyed and re-created.

I will never trust any process, AI or a CD pipeline, execute `terraform apply` automatically on anything production. Maybe if you examine the plan for a very narrow set of changes and then execute apply from that plan only, maybe then you can automate it. I think it’s much rarer for Terraform to deviate from a plan.

Regardless, you must always turn on Delete Protection on all your important resources. It is wild to me that AWS didn’t ship EKS with delete protection out of the gate—-they only added this feature in August 2025! Not long before that, I’ve witnessed a production database get deleted because Terraform decided that an AWS EKS cluster could not be modified, so it decided to delete it and re-create it, while the team was trying to upgrade the version of EKS. The same exact pipeline worked fine in the staging environment. Turns out production had a slight difference due to AWS API changes, and Terraform decided it could not modify.

The use of a state file with Terraform is a constant source of trouble and footguns:

- you must never use a local Terraform state file for production that’s not committed to source control - you must use a remote S3 state file with Terraform for any production system that’s worth anything - ideally, the only state file in source control is for a separate Terraform stack to bootstrap the S3 bucket for all other Terraform stacks

If you’re running only on AWS, and are using agents to write your IaaC anyway, use AWS CloudFormation, because it doesn’t use state files, and you don’t need your IaaC code to be readable or comprehensible.
yearolinuxdsktp
·4 месяца назад·discuss
I’ve been using scroll back search for 15+ years with Terminal.app and iTerm2, and there’s no way that’s not the job of the terminal. You don’t know how good that is until you use it.
yearolinuxdsktp
·4 месяца назад·discuss
It’s a shame that version 1.2.x got abandoned and didn’t receive any important bug fixes. That has severely cut my trust into this project. It’s been over 4 months since the last 1.2.3 release, so the memory leak when using Claude is not addressed, my Ghostty crashes are not addressed (crash reporter doesn’t work), I don’t even bother looking at the issues anymore, as I know I am not getting the fixes for a long time.

And I’m not running a critical piece of productivity software on a nightlies channel!