Yeah I suppose one would need not only the source and binaries but also the IR in AI training data which may be rare but could probably be easily generated for a lot of software.
It doesn't improve readability for sure but for me it comes across way worse as "I don't have time for this, deal with it" because all of the people I know doing that are self-important executives.
English is a second language for me and I feel really bad when I impose a grammar mistake or a badly put together sentence on my readers!
So for me pushing that on purpose is borderline insulting to the reader, i.e. suffer so I don't have to press the shift key, this extra effort is below me.
> for me it comes across way worse as "I don't have time for this, deal with it" because all of the people I know doing that are self-important executives.
Same for me. See Sam Altman, for example.
> suffer so I don't have to press the shift key, this extra effort is below me.
These days you actually have to fight against spell checkers to avoid having capitals after a period.
Which is how the vast majority of the world is and how most of America is. I mean, it's not bad to be around people with different ideas or backgrounds, but it is also not some great requirement.
Feels like the tragedy of the commons: I don't want to look at the change, I don't want to take responsibility, somebody else will take care of it, I just have to wait.
Ok, if this is amazing advice and the entire ecosystem does that: just wait... then what? We wait even more to be sure someone else is affected first?
Every time I see people saying you need to wait to upgrade, it is like you are accumulating tech debt: the more you wait, the more painful the upgrade will be. Just upgrade incrementally and be sure you have mitigations like zero trust or monitoring to cut off any weird behavior early.
You're not taking on any meaningful tech debt by waiting a week after a new version goes public to adopt it. As the OP says, there are services that scan popular open source tools for vulnerabilities as soon as they are released; even if a large percentage of the user base is waiting a week to update, many will still be caught in that period. And for various reasons some will still upgrade immediately.
You’re implicitly assuming that it’s exposure to downstream consumers that causes the malicious packages to be discovered, but we haven’t actually seen that in the last couple of major supply chain attacks. Instead it just buys time for the maintainers to undo the damage.
Even if fewer consumers will notice a compromise and report it, it still gives additional time for security researchers to analyze the packages, and for maintainers to notice themselves that they got compromised.
There are a lot of companies out there that scan packages and analyze them. Maintainers might notice a compromise because a new release was published that they didn't authorize. Or just during development, by getting all their bitcoin stolen ;)
The update tech debt tends not to compound or even accumulate at all. Usually you'd pay the same to update v1 to v2 as you would for v1 to v3. Maybe skipping v2 has a negative cost even.
I've seen this plenty of times: v1 of some library has one way of doing things, v2 of that library changes to a new incompatible way, and then v2.1 introduces a few extra changes to make it easier to port from the v1 way. If you wait a while, you have to do less work to update than if you had updated immediately.
One example is Python 3. After the first few Python 3.x releases, a few "useless" features were introduced to make it easier to port code from Python 2.7 (IIRC, things like reintroducing the u'...' syntax for unicode strings, which had been removed by Python 3.0 since normal '...' strings are now always unicode strings).
Optionals in protobuf 2 vs 3 is another one. The feature wasn't even useless, it's just that v3 was really opinionated against them and later conceded.
This is just completely wrong. If you are talking about a sizeable number of devices, you're not getting anything updated immediately even if you wanted to. You roll out to groups over a period of time because you don't want to break everything if there are unintended consequences. Your personal device? Sure whatever, but any fleet of devices absolutely does not get immediate updates across the board.
Guess why it was asymmetrical in the first place... Telcos wanted to sell the upload bandwidth to streaming companies. Another double-dipping telco monopoly squeeze and customer boxing / enshittification from very early on.
Yet another impressive rust/ratatui tool! I am really a fan of those projects (kudos to Orhun).
At Copper Robotics we use it for our monitoring console, it is so easy to just ssh on a robot and get all your monitoring state in super snappy TUI screens instead of web stuff.
Simple enshittification, literally everything is going down that road.
Somewhere a VP with a dashboard is super happy: they will get their $1M bonus and "après moi le déluge".
Even local businesses get snatched by PE firms left and right, prices skyrocket, customers are pissed....
Is the business-consumer relationship valued at exactly $0?
Not OP, but usually this is a shortcut for saying that the regulator prioritizes businesses instead of consumers and it predictably makes the market not as efficient for consumers as it is for businesses, i.e. consumers don't even have a choice of getting what they want.
Believe that governments are capable of more than venal corruption and committing violence against their citizens and build a society in which people have value beyond what the market can extract from them.