nightpool

Everyone is always rooting for you. Your parents want you to be a great son. Wife wants you to be a great husband. Your boss wants you to be a slam dunk hire. Every first date you’ve ever been on they’ve been rooting for you to get laid. Every time you started to tell a joke people hoped it would have a hilarious punch line. Your proximity to anyone is a reflection of themself, meaning the deck is never stacked against you, and your failures are completely your own

Supply chain attacks and OSS sustainability go hand in hand. I've semi-seriously joked for years that OSS upstreams should periodically purposely inject full vulns into their code and let downstreams fuck around and find out. Downstreams can pay to get the non-FAFO version. The not joke part is simply that OSS maintainers aren't a supply chain. OSS maintainers are not responsible for monitoring CVEs (because, they are not a supply chain). OSS maintainers are not at fault when bad shit happens to downstreams, because basically every OSS license (MIT, Apache, GPL, etc.) literally says: the software is provided "as-is, without warranty." You get what you pay for (that is to say: absolutely nothing!) Now, the joke part is that I do believe there is an ethical obligation to try to prevent harm downstream. But "try" is the key word. So, this isn't a serious proposal. But, if you're using OSS code and you're not paying for a license with a contract that promises some kind of warranty, you have no supply chain. You (the downstream user of an OSS lib) ARE the supply chain. To use a metaphor: physical goods have a real supply chain. Car manufacturers, chips, clothes, toys, etc. You have a signed commercial agreement with all your suppliers that promises quantity AND quality and blowback if either are missed. Thats a supply chain. If someone puts some chips on the side of the road with a "FREE" sign, then you integrate those into a product, then find out those chips are hacking customers, its your fault, not the person who dropped them on the side of the road.

In some very real sense, Ozempic was invented in 1990. Pfizer ran the human trials and just never published them. They showed it lowered blood glucose in diabetics, slowed gastric emptying, and killed hunger; the same 3 things that make Ozempic work today. The joint venture agreement said internal data stayed internal, and that was that. Pfizer killed the program in 1991. The reasoning, as far as I can tell, was that nobody would ever want an injectable diabetes drug besides insulin. So, the license went back to the hospital in Boston that held the patents. Novo picked it up in 1992 and spent the next two decades building liraglutide, then semaglutide. It's insane that data sat in a filing cabinet for 30+ years. I only know this because Jeffrey Flier, one of the Harvard scientists in the room, finally wrote it up. He's in his late 70s and didn't want the history to die with him. This makes you wonder what else is in those filing cabinets. Ozempic could've existed 27 years ago.