Yeah, I'm reminded of 15 years ago being told Linux was super secure because people were popping Windows all the time. Turns out it was mostly just a function of effort pointed at the target, and I don't have any reason to believe that's not the case here too.

Linux has had 100% market penetration for 20 years or so now. Everyone using a computer uses Linux *somewhere* in it.

You'd think if it was that easy, there would be exploits all over the place.

Why isn't every single desk phone and router part of a botnet?

Kimwoolf and Aisuru kind of make my point better than yours, I think?

I mean? Many of them are…

I deeply appreciate Mullvad's thorough approach to privacy and ethics. In this day and age, you all are an absolute breath of fresh air. Thanks for that.

Postgresml closed up shop, the guy you're replying to was one of the key players there. Pgrx is trucking right along, and gaining speed at the moment.

Cloudflare's developer platform uses them. That's what their "bindings" are.

It is not. They went about 5 years without one of these, and had a handful over the last 6 months. They're really going to need to figure out what's going wrong and clean up shop.

Engineers have been vibe coding a lot recently...

The featured blog post where one of their senior engineering PMs presented an allegedly "production grade" Matrix implementation, in which authentication was stubbed out as a TODO, says it all really. I'm glad a quarter of the internet is in such responsible hands.

It's spreading and only going to get worse.

Management thinks AI tools should make everyone 10x as productive, so they're all trying to run lean teams and load up the remaining engineers with all the work. This will end about as well as the great offshoring of the early 2000s.

there was also a post here where an engineer was parading around a vibe-coded oauth library he'd made as a demonstration of how great LLMs were

at which point the CVEs started to fly in

Matrix doesn't actually define how one should do authentication though... every homeserver software is free to implement it however they want.

the main bit of auth which was left unimplemented on matrix-workers was the critical logic which authorizes traffic over federation: https://spec.matrix.org/latest/server-server-api/#authorizat...

Auth for clients is also specified in the spec - there is some scope for homeservers to freestyle, but nowadays they have to implement OIDC: https://spec.matrix.org/latest/client-server-api/#client-aut...

Thats a classic claude move, even the new sonnet 4.6 still does this.

It’s almost as classic as just short circuiting tests in lightly obfuscated ways.

I could be quite the kernel developer if making the test green was the only criteria.

Wait till you get AI to write unit tests and tell it the test must pass. After a few rounds it will make the test “assert(true)” when the code cant get the test to pass

No joke. In my company we "sabotaged" the AI initiative led by the CTO. We used LLMs to deliver features as requested by the CTO, but we introduced a couple of bugs here and there (intentionally). As a result, the quarter ended up with more time allocated to fix bugs and tons of customer claims. The CTO is now undoing his initiative. We all have now some time more to keep our jobs.

Thats actively malicious. I understand not going out of your way to catch the LLMs' bugs so as to show the folly of the initiative, but actively sabotaging it is legitimately dangerous behavior. Its acting in bad faith. And i say this as someone who would mostly oppose such an initiative myself

I would go so far as to say that you shouldnt be employed in the industry. Malicious actors like you will contribute to an erosion of trust thatll make everything worse

Might be but sometimes you don’t have another choice when employers are enforcing AIs which have no „feeling“ for context of all business processes involved created by human workers in the years before. Those who spent a lot of love and energy for them mostly. And who are now forced to work against an inferior but overpowered workforce.

Don’t stop sabotaging AI efforts.

Honestly i kinda like the aesthetic of cyberanarchism, but its not for me. It erodes trust

Forcing developers to use unsafe LLM tools is also malicious. This is completely ethical to me. Not commenting on legality.

I dont like it either but its not malicious. The LLM isnt accessing your homeserver, its accessing corporate information. Your employer can order you to be reckless with their information, thats not malicious, its not your information. You should CYA and not do anything illegal even if your asked. But using LLMs isnt illegal. This is bad faith argument

You're talking about legality again. I'm talking about ethics.

Using LLMs for software development is a safety hazard. It also has a societal risk, because it centralizes more data, more power, more money to tech oligarchs.

It's ethical to fight this. Still not commenting on legality.

You're not forced to work there and use those tools. If you don't like it, then leave the job. Intentionally breaking things is unethical especially when you're receiving a paycheck to do the opposite.

It may be illegal, but it's not unethical.

Doing unethical things because someone pays you would still be unethical. Opposing those while someone pays you is still ethical.

Again, no one is forcing him to be there. He's breaking something on purpose. I think you should read up on ethics because this take "I don't like it therefore whatever I do is ethical" is juvenile.

That's quite the strawman. The reason it's ethical is not that LLM's are unpopular or someone dislikes them. It's ethical because LLMs introduce safety hazards, i.e. they cause harm.

Sounds like what an LLM would post if it were tasked to advertise LLM coding abilities. Nice manipulation of human emotions, well played.

I see someone is not familiar with the joys of the current job market.

That's extremely unethical. You're being paid to do something and you deliberately broke it which not only cost your employer additional time and money, but it also cost your customers time and money. If I were you, I'd probably just quit and find another profession.

Typo: "shop", should have been with an 'el'.

(: phonetically, because 'l's are hard to read.

Nope. The slope has been slippery, but way back at the top of it there were zero ads on the page.

I'd argue that Go is somewhere in between static C and memory safe VM languages, because the compiler always tries to "monomorphize" everything as much as possible.

Generic methods are somewhat an antipattern to how the language was designed from the start. That is kind of the reason they're not there yet, because Go maintainers don't want boxing in their runtime, and also don't want compile time expansions (or JIT compilation for that matter).

So I'd argue that this way of handling compilation is more low level than other VM based languages where almost everything is JITed now.

I happen to work at a company that uses a ton of capnp internally and this is the first time I've seen it mentioned much outside of here. Would you mind describing what about it you think would make it a good fit for something like bcachefs?

Cap'n proto is basically a schema language that gets you a well defined in-memory representation that's just as good as if you were writing C structs by hand (laboriously avoiding silent padding, carefully using types with well defined sizes) - without all the silent pitfalls of doing it manually in C.

It's extremely well thought out, it's minimalist in all the right ways; I've found the features and optimizations it has to be things that are borne out of real experience that you would want end up building yourself in any real world system.

E.g. it gives you the ability to add new fields without breaking compatibility. That's the right way to approach forwards/backwards compatibility, and it's what I do in bcachefs and if we'd been able to just use cap'n proto it would've taken out a lot of manual fiddly work.

The only blocker to using it more widely in my own code is that it's not sufficiently ergonomic in Rust - Rust needs lenses, from Swift.

Anyone who still takes predictive statements from leadership at AI companies as anything other than meaningless noise isn't even trying.

You don't get it. They couldn't do it yet because it would be too powerful and kill us all!

I think you're mistaking the name of a cardinal direction for a cohesive set of political ideologies.

From America's perspective the East is Europe and West is Asia. If we're going to talk about cardinal directions.

China is west of the USA.

The globe is one-half empty water (Pacific) and one-half continents. China is east on the continent half.

Europe is west of the US

No, it’s east. Far east.

OP is. Otherwise there's always a west to any west.

Not if the earth is flat!

Have you played Asteroids lately? Finite and flat, but unbounded!

Asteroids exists on a torus, therefore it's not flat

That is not true. A topological taurus can be flat or not.

A physical taurus embedded in our 3D universe, i.e. a donut, cannot be flat. Which may be the confusion.

But video game spaces are neither logically embedded or restricted by our 3D space. All its physics, including its spacial topology and geometry, flat or otherwise, were completely up to the game designers.

And the Asteroid game designers chose a flat space.

• Two parallel line segments stay parallel, no matter how long you extend them. Or how many times they wrap around the Asteroid space. (They also never intersect, but can overlap, just as in any flat 2D space.)

• Any number and distance of moves in any two perpendicular directions, are commutative. I.e. you can change the order of the moves, and you will still end up at the same spot.

• The three angles of any triangle in Asteroid space adds up to 180 degrees.

None of which applies to the surface of a donut.

You wrote "west" not "The West". Not that the latter would make any more sense.