> Imagine a big codebase with this somewhere in it:

```zig
const std = @import("std");
const assert = std.debug.assert;

// Minimal Thing so the snippet compiles on its own (assumed; the quoted
// article only shows the function, not the type).
const Thing = struct { is_started: bool };

fn processThing(thing: Thing) void {
    // this function must always be invoked on
    // a thing that has already been started
    assert(thing.is_started);
    // ...
}
```
I know you mentioned fuzzing earlier in the article but seriously, fuzzing deserves an extra mention after asking me to imagine that.
Eh, it's worse than that. The GP comment is repeating a joke derived from an Onion headline about gun control, where the very poignant message is about the political will to make change. However, the npm ecosystem is very much willing and has already made several changes. If we're going to engage in discussion instead of meme-posting, the GP should have (imo) included real commentary _in addition to_ the meme they really wanted to post. What is the policy they want? Why do they see the NPM ecosystem as still resistant to change?
One easy change would be that before any package can be published, it has to wait a minimum of two weeks in a state where it can be reviewed but can't be installed without jumping through several hoops with big warning signs: things like "INSTALL_INTENTIONALLY_DANGEROUS_PACKAGES_THAT_WILL_BREAK_MY_COMPUTER=1", selecting yes in a dialog that asks if they want to install software that likely has viruses, and pointing to a different package repository URL.
If there's some change that must get out sooner, then there can be some fee to pay to npm to have their security team do their own review.
Critically, there must be time for someone to review before it's the default to be selected.
I'm sure there are issues with this, this was off the top of my head, but it seems like a really easy step to at least stem the problem for now. And there are a bunch of ideas like this that would help, but NPM doesn't seem willing to take it seriously as an existential threat to the ecosystem, and instead takes trivial steps.
> Critically, there must be time for someone to review
By who? No one at npm is reviewing anything. "Someone" is doing a lot of work here.
Linux distributions have trusted maintainers who are responsible for their packages. People who cared enough to figure out PGP and set up an actual web of trust. That's where the verification happens. All these programming language package managers have nothing of the sort. PyPI, Rubygems, crates, npm, it doesn't matter. I can just make an account and push whatever I want.
These package managers are like this because that's what developers actually want. They don't want to deal with Linux distribution maintainers in order to get their software into the official repositories. They want to just run $packager push and have it out there with zero friction.
As discussed elsewhere in this forum, these exploits are being found by security companies in the first few days after they're published, and that's already too late. For example, the auditor who made the very post that we're discussing! For another, many security-focused AI companies have automated checks on NPM packages. Many people are implementing it on their end by having their client wait seven days before pulling new packages, but that's O(N) rather than O(1), and it's not evenly spread.
If no one reviews it and it still gets out, then we can address it then, but that seems much less likely.
Ideally, the solution is that all of these language package managers need to get serious and have maintainers, but lacking that, at least having the waiting period be built into the server instead of the client is a clear win.
They didn't back up their meme with real commentary because they have no real commentary to stand on:
They're spreading cheap disdain & scorn for npm ("only package manager" framing). But most other package management systems have similar abilities to run pretty un-sandboxed code.
I've been oncall for a different G service that nearly paged on every error. It used the standard error budget tooling, but on hundreds of user buckets, because the engineering around locality-specific configuration was... suspect. Many of these buckets had single-digit users. If a user was on their phone and lost signal, I was paged. Very poor oncall experience.
People are quick to point out that induced demand exists - especially people that aren't fond of change.
Very broadly speaking, people mis-estimate effect sizes in economics by orders of magnitude. Induced demand is just their foothold to claim an effect exists, before they go about claiming the effect size they want to see.
How would induced demand work for housing? I understand it for say transit use or car travel or like Facebook visits, but when there's twice as much housing do I... buy another home? Buying extra houses as "an investment" in a culture that is hell bent on depreciating my investment by building more housing is one of those "r/WallStBets" crazy plays, if I'm wrong I will lose my shirt and everybody will laugh at me.
Also, even if that were a problem, which seems dubious, you can regulate it. Massive tax hikes for second and subsequent homes are a thing in some places.
I love induced demand. I'm going to use it to get rich - buy up some abandoned town somewhere, and then pay to run a 100 lane superhighway to it; induced demand means the town will fill up instantly and be hugely valuable!
It doesn’t work unless there is currently repressed demand for living in that abandoned town because not enough housing or other factors.
No one is complaining about a housing shortage today in Buffalo, which used to have twice as much housing stock as it does today, because the demand simply isn’t there now.
Exactly - induced demand is just a misnomer/misunderstanding. "Pent-up demand" would be a much better way to explain it - but that would reveal that at some point the demand ceases; even SF has some limit - once all 12 billion people live there, demand will level off.
Good analogy. I've always considered induced demand a bit of a fantasy.
New businesses that sprout up and market themselves certainly induce a bit of demand, but more lanes and stoplights don't exactly motivate people to want to go somewhere.
I use a PR notifier chrome extension, so I have a badge on the toolbar whenever a PR is waiting on me. I get to them in typically <2 minutes during work hours because I tab over to chrome whenever AI is thinking. Sometimes I even get to browse HN if not enough PRs are coming and not too many parallel work sessions.
I've had great experiences being managed twice by very humble engineers who've made the transition to EM. Both were sacked within the year by their boss because they didn't play the corporate politics game.
It's so disheartening to learn that one works for a manager who doesn't care about having the most skilled team, or best product, but rather someone who has selected for "Who will kiss up to me no matter what? Who will never tell me anything I don't want to hear?"
If you're following a pipe (such as `kubectl logs | less +F`), <C-c> is sent to all processes in a pipeline, so it stops less from following and it stops the other process entirely. Then you can't start following again with F, or load more data in with G.
Less provides an alternative of <C-x> to stop following, but that is intercepted by most shells.
Funnily enough, it literally tells you right there on the bottom line: “Waiting for data... (^X or interrupt to abort)”. No shame in not noticing, just another case of blindness to long-familiar messages, I guess.
By the shell or by the kernel’s terminal discipline or by the terminal emulator? AFAIU the shell is basically out of the picture while `less` is running.
> I can <C-z> while less is running to background that process using the shell, so the shell is clearly not completely gone.
The shell isn’t gone, but it isn’t active either from what I understand. The function of converting the user’s typing ^Z on a terminal (or a ^Z arriving on the master end of a pseudoterminal) into a SIGTSTP signal to the terminal’s foreground process group is[1] a built-in function of the kernel, much like for ^C and SIGINT or ^\ and SIGQUIT. (The use of ^Z resp. ^C or ^\ specifically, as well as the function being active at all, is configurable via a TTY ioctl wrapped by termios wrapped in turn by `stty susp` resp. `stty intr` or `stty quit`.) So is the default signal action of stopping (i.e. suspending) the process in response to that signal. The shell just sees its waitpid() syscall return and handles the possibility of that having happened due to the process stopping rather than dying (by updating its job bookkeeping, making itself the foreground process group again, and reëntering the REPL).
I am not saying that doing job control by filtering the child’s input would be a bad design in the abstract, and it is how terminal multiplexers work for instance. I admit the idea of kernel-side support for shell job control is pretty silly, it’s just how it’s traditionally done in a Unix system.
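The waitpid() side of that description, as an added example that is not part of anyone's comment above and not taken from less, bash or any other project. It assumes only POSIX job-control semantics: the child puts itself in its own process group (as a shell does for every job; this also matters because SIGTSTP is discarded in an orphaned process group), stops itself with SIGTSTP in place of the terminal's ^Z, and the parent's waitpid(WUNTRACED) reports the stop rather than an exit, continues the group the way `fg` would, and then reaps it. A second helper reads the VINTR/VQUIT/VSUSP entries of the termios table that `stty intr`, `stty quit` and `stty susp` edit. The exit code 42 and the function names are arbitrary choices for the example.

```c
/* Added example (not from the thread): the shell side of ^Z. A job is forked
 * into its own process group, stops itself with SIGTSTP (the signal the tty
 * line discipline generates for the VSUSP character), and the "shell" sees the
 * stop via waitpid(WUNTRACED), continues the group like `fg`, then reaps it. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

#define JOB_EXIT_CODE 42   /* arbitrary status the job exits with once resumed */

/* What the parent observed; run_job() returns one of these. */
enum job_outcome {
    JOB_OK = 0,          /* saw WIFSTOPPED(SIGTSTP), then WIFEXITED(JOB_EXIT_CODE) */
    JOB_FORK_FAILED,
    JOB_NOT_STOPPED,     /* first waitpid() reported something other than a stop */
    JOB_WRONG_STOPSIG,
    JOB_NOT_EXITED,
    JOB_WRONG_STATUS
};

/* The job. With no terminal attached nothing turns ^Z into SIGTSTP for us, so
 * the child sends it to itself; the kernel's default action (stop) is the same. */
static void job_body(void)
{
    sigset_t tstp;
    sigemptyset(&tstp);
    sigaddset(&tstp, SIGTSTP);
    sigprocmask(SIG_UNBLOCK, &tstp, NULL);   /* in case it was inherited blocked */
    signal(SIGTSTP, SIG_DFL);                /* ...or inherited ignored */

    /* A shell puts each job in its own process group. It also matters here:
     * SIGTSTP is silently discarded in an orphaned process group. */
    setpgid(0, 0);

    raise(SIGTSTP);          /* stopped right here until somebody sends SIGCONT */
    _exit(JOB_EXIT_CODE);    /* reached only after being continued */
}

enum job_outcome run_job(void)
{
    /* SIG_IGN for SIGCHLD makes the kernel auto-reap children, so waitpid()
     * would never see the stop. A real shell installs a handler instead. */
    signal(SIGCHLD, SIG_DFL);

    pid_t pid = fork();
    if (pid < 0) return JOB_FORK_FAILED;
    if (pid == 0) job_body();            /* does not return */
    setpgid(pid, pid);                   /* parent side of the same setpgid(); a no-op if the child got there first */

    int status;
    if (waitpid(pid, &status, WUNTRACED) != pid || !WIFSTOPPED(status)) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return JOB_NOT_STOPPED;
    }
    if (WSTOPSIG(status) != SIGTSTP) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return JOB_WRONG_STOPSIG;
    }

    /* This is the moment a real shell records the job as "Stopped", calls
     * tcsetpgrp() to make itself the foreground process group again, and
     * returns to its prompt. Later, `fg` continues the whole group: */
    kill(-pid, SIGCONT);

    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return JOB_NOT_EXITED;
    if (WEXITSTATUS(status) != JOB_EXIT_CODE) return JOB_WRONG_STATUS;
    return JOB_OK;
}

/* The tty side: the characters the line discipline maps to SIGINT, SIGQUIT and
 * SIGTSTP, i.e. the table `stty intr`, `stty quit` and `stty susp` edit.
 * Returns -1 when fd is not a terminal (stdin is a pipe, for instance). */
int tty_signal_chars(int fd, cc_t *intr, cc_t *quit, cc_t *susp)
{
    struct termios t;
    if (!isatty(fd) || tcgetattr(fd, &t) != 0) return -1;
    *intr = t.c_cc[VINTR];
    *quit = t.c_cc[VQUIT];
    *susp = t.c_cc[VSUSP];
    return 0;
}

int main(void)
{
    cc_t intr, quit, susp;
    if (tty_signal_chars(STDIN_FILENO, &intr, &quit, &susp) == 0)
        printf("intr=^%c quit=^%c susp=^%c\n", intr + '@', quit + '@', susp + '@');
    else
        printf("stdin is not a terminal; no line discipline is mapping keys to signals\n");

    printf("run_job() -> %d (0 means: stopped, continued, exited %d)\n",
           run_job(), JOB_EXIT_CODE);
    return 0;
}
```

Run it from an interactive shell and the first line shows the usual `intr=^C quit=^\ susp=^Z`; run it with stdin redirected from a file or pipe and tty_signal_chars() fails, which is the point of the comment above: the shell is not involved in turning keystrokes into signals, the terminal line discipline is, and the shell only learns about the result through waitpid().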
Whew! Advanced Unix system programming level stuff. I've dabbled a bit in that field, in C, on Unix, some older versions on PCs. It was fun. Any recommendation for a tutorial style book or site or blog on the subject, other than man pages and the Kerrisk book (TLPI, which is more of a reference), for Linux?
It’s not. It’s been through several editing rounds. (I was one of the editors.) In theory, we don’t have a problem with AI generated content if it meets our high editorial requirements, but all Tweag technical blogs go through a rigorous, manual review and editing process to keep standards high.
As I've read through the post, seeing phrases like "Why this matters for performance", the usage of em-dashes and lists/bullet points screams AI-written to me. I appreciate you saying it wasn't, but such is the fate of whoever wrote this: to write like LLMs do nowadays. I also liked to use em-dashes and bullet lists but am consciously avoiding them now.
My current company started on AWS/GCP for the credits. Right now we're on Lambda for the GPU prices and GKE for some webservers that we cba to move. We dual-upload data to s3 and gcs still (which isn't too expensive, it's effectively write-only and the auto-archive features work for us). Cloud SQL database but pgBackRest to the other cloud.
We're not HA across clouds; we decided to chase RPO over RTO.
About once a week I see someone cut in even though the person is literally tailgating. The driver at the back has to brake+swerve to not cause a high speed collision. There's actually nothing you can do to prevent these people from getting ahead of you. Don't worry about what they'll do, it's insane anyways. Just try not to die.