Supply chain attacks and OSS sustainability go hand in hand. I've semi-seriously joked for years that OSS upstreams should periodically purposely inject full vulns into their code and let downstreams fuck around and find out. Downstreams can pay to get the non-FAFO version.
The not joke part is simply that OSS maintainers aren't a supply chain. OSS maintainers are not responsible for monitoring CVEs (because, they are not a supply chain). OSS maintainers are not at fault when bad shit happens to downstreams, because basically every OSS license (MIT, Apache, GPL, etc.) literally says: the software is provided "as-is, without warranty." You get what you pay for (that is to say: absolutely nothing!)
Now, the joke part is that I do believe there is an ethical obligation to try to prevent harm downstream. But "try" is the key word. So, this isn't a serious proposal.
But, if you're using OSS code and you're not paying for a license with a contract that promises some kind of warranty, you have no supply chain. You (the downstream user of an OSS lib) ARE the supply chain.
To use a metaphor: physical goods have a real supply chain. Car manufacturers, chips, clothes, toys, etc. You have a signed commercial agreement with all your suppliers that promises quantity AND quality and blowback if either are missed. Thats a supply chain.
If someone puts some chips on the side of the road with a "FREE" sign, then you integrate those into a product, then find out those chips are hacking customers, its your fault, not the person who dropped them on the side of the road.
Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10+ years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored).
If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies. If you dont see anything compelling, dont update!
I remember at HashiCorp once in awhile an engineer would try to update a dep or replace a DIY lib with an external one and id always ask “show me the commit we need.” Dont update for the sake of it.
Feeling pretty swell about this mentality with all the supply chain attacks happening.
I strongly believe there are entire companies right now under heavy AI psychosis and its impossible to have rational conversations about it with them. I can't name any specific people because they include personal friends I deeply respect, but I worry about how this plays out.
I lived through the great MTBF vs MTTR (mean-time-between-failure vs. mean-time-to-recovery) reckoning of infrastructure during the transition to cloud and cloud automation. All those arguments are rearing their ugly heads again but now its... the whole software development industry (maybe the whole world, really).
It's frightening, because the psychosis folks operate under an almost absolute "MTTR is all you need" mentality: "its fine to ship bugs because the agents will fix them so quickly and at a scale humans can't do!" We learned in infrastructure that MTTR is great but you can't yeet resilient systems entirely.
The main issue is I don't even know how to bring this up to people I know personally, because bringing this topic up leads to immediately dismissals like "no no, it has full test coverage" or "bug reports are going down" or something, which just don't paint the whole picture.
We already learned this lesson once in infrastructure: you can automate yourself into a very resilient catastrophe machine. Systems can appear healthy by local metrics while globally becoming incomprehensible. Bug reports can go down while latent risk explodes. Test coverage can rise while semantic understanding falls. Changes happens so fast that nobody notices the underlying architecture decaying.
I worry.
𝙰 𝚗𝚎𝚠 𝚎𝚛𝚊 𝚘𝚏 𝚎𝚟𝚒𝚕.
From the mind of Zach Cregger, director of Weapons and Barbarian. Watch the new teaser trailer for Resident Evil. Filmed for IMAX – in theatres 9.18.
If you're in the greater Seattle area and you like vintage computing, this Saturday the Interim Computer Museum is holding a vintage computer festival that might interest you: https://t.co/PwsQ1ZG2vm
A fundamental division between schools of thought in programming is (a) the elimination through simplifying of cruft, boilerplate, and extra abstraction layers, and (b) the automation of maintaining cruft, boilerplate, and extra abstraction layers.
One of the reasons I drifted away from C++ and newer languages with adjacent philosophies towards a subset of C is that I found myself in the first camp. Some problems were simply not as hard as I was making them. Memory management, threading, UI, and so on could be simplified such that not only the high level C code became simple, but the actual machine code also became simple.
This is starkly different from modern C++ and Rust programming culture, where the philosophy is simply that dealing with the complicated lower level details is a matter of *automation*. The compiler needs to generate something extra, it needs to check extra things, and so on.
“Agentic programming” falls into the latter camp, and this is also why I don’t employ it in my workflow (other than search engine usage and so on). I don’t need it to generate 10s of 1000s of lines of code. The requirement of 10s of 1000s of lines of code—for implementing something derived from the information content inside a tiny prompt—is an architectural red flag.
Perhaps a substantial portion of that code simply shouldn’t exist. I find that my programs become much better when I do that simplification pass first. After that, there’s drastically less boilerplate, less maintenance, and less busywork to begin with.
Ghostty is leaving GitHub. I'm GitHub user 1299, joined Feb 2008. I've visited GitHub almost every single day for over 18 years. It's never been a question for me where I'd put my projects: always GitHub. I'm super sad to say this, but its time to go. https://t.co/DQDemHdytV
You should watch this.
It just shows how disconnected we are from the small group of people making decisions that will impact our future heavily.
These people have so much ai psychosis. If you listen to how she speaks, everything is personified, it is undoubtable she believes this is a living computational organism.
Just like how a model can hype up an individual into psychosis through reinforcement, a small group of people are giving themselves psychosis through reinforcement.
Wild times we live in
Hello, Moon. It’s great to be back.
Here’s a taste of what the Artemis II astronauts photographed during their flight around the Moon. Check out more photos from the mission: https://t.co/rzM1P0QbOl
I wanted to use Notch's criticism of DLSS to talk a little bit about GPU hardware, so I did an impromptu livestream last night. VOD is here if you're curious:
https://t.co/rqlLnjNvmi
I also want to be able to use a website. I dont want multisecond time loading everything.
Honestly, these super vibe coded heavy apps FEEL like 1999 websites. They are SOO dang visibly slow it hurts me.
I want our world to feel good and to look good and i understand there is a trade off in time vs money. But this cannot be it.
guys, i honestly do not like clowning on Gary.
I don't find being the butt of a joke funny, so I imagine he does not either.
But, this is what worries me about where we are going. We are actively encouraging an entire generation that the tech is there when its not, and a couple of silly mistakes made on a website isn't the end of the world, but people's data and breaches are serious. We are entering a very VERY hackable world, and I do not like it one bit.
please shut the fuck up i don't even care about the specific thing you're saying i'm just so tired of hearing predictions one after the other telling me what the future is going to be like just please shut the fuck up
Theory:
We don't let LLMs control robots and operate freely in the physical world (yet?) because they'd fall all the time, break everything, and cause massive damage.
But in software the falling and the massive damage are invisible, so it's fine.
https://t.co/HMltzq20lp