I think the bigger social problem is that too many people think it is counter-cultural to be defending rich people and billionaires, and an act of rebellion to mindlessly consume.
> One place where the threat is more real is in the possibility of vibe coding a pandemic virus, but that should be narrowly targeted at generating DNA sequences for viruses. Labs which generate custom DNA should also have reasonable heuristics for detecting likely dangerous product. The chances of covid coming from a lab leak are in the maddening 25-75% range which vaguely means ‘We don’t know’, but ‘lab leak’ includes a lot of things.
No it didn't. It differs by 1,000 base pairs from the closest known relative virus that we knew about before the pandemic, and we have no good idea what all those mutations wind up doing. And the PRAAR furin cleavage site was a previously unknown sequence and not one that humans would have guessed.
And we don't have good heuristics for what mutations would completely inactivate a virus versus enhancing its virulence.
Actual scientists won't be able to vibecode up some pandemic viruses because we have no idea how to do that and LLMs are just going to hallucinate.
I tend to think this is all just PR and hype, baking in the idea that Fable/Mythos is so good that it attracted all these regulations and controls. So you need to spend >$20k per developer per month, or you'll fall behind. Don't try to get by on Opus, you need to really open that wallet up...
And the people involved in climate policy have solutions to climate change which don't involve enormously large restrictions on consumption, but just require more energy efficiency (which is savings) and investment into carbon-neutral energy. And they've had those solutions for at least the past 20 years.
This isn't an insolvable problem, but the carbon-based energy sector will be big losers, and they're fighting tooth and nail against it.
An awful lot of our politics and geopolitics right now is symptomatic of the carbon energy sector fighting against the reality that it needs to die for the good of the human race, but it is also extraordinarily powerful.
> The whole idea of "third-party voting is a complete waste in the US" is incredibly dumb because a vote for someone who loses isn't a wasted vote. It shows the others that there's a voter there who can be convinced if catered to, if they select a better candidate.
Tried that in 2000, voting for Nader as a protest vote against Clinton/Gore third way neoliberalism. I did that in a state where the electoral votes for Dems were 100% safe. Still just got blamed for Bush and there was zero self-reflection on the part of the Democratic Party.
...
I would urge everyone to stop fixating on the Presidential vote as the only fight to win and everything being win/lose based on that outcome. If the Congressional Progressive Caucus in the House exceeds 50% of Democrats in the House, then we can start thinking about a world where e.g. AOC might be the speaker of the House rather than Nancy Pelosi.
> It's a symptom of the terminal disease which has infected all layers of American society and has gotten it to where it's at: short-termism. Everyone just looks at the next quarter, the next election.
Yeah, and the Office of the President is 4-8 years and is just more short-termism, along with individualism / cult of personality / CEO-leadership. If you want to make lasting change in the DNC, start by flipping more and more House seats to progressive from neoliberal.
The legislative seats are barely more malleable than the executive ones, and they’re a lot cheaper to buy off. Even with grassroots efforts to elect local candidates and move them up, it takes a perfect storm to actually get someone that’s even modestly different than the empty suits that largely fill those seats already.
I have zero faith in this system to execute anything other than purchased policy agendas, or empower any more than a tiny symbolic collection of people who oppose them… just enough to give the illusion of agency and stop any real organizing. I have no idea what could possibly break this pattern.
The Republicans were successful with the Tea Party in taking over the House and the Presidency, that's a model which I'd argue is really proven to work in our two party system because we all just literally watched it play out in real-time.
Arguing against that probably comes from a cynical neoliberal perspective where the Democratic Party can't change because the argument assumes that the Democratic Party can't change.
And the alternative is definitely outright fascism and the suspension of Democracy. They've told us what they're planning on doing, just like we knew they wanted to get rid of Roe vs. Wade, we just accepted the lies about it being settled law and a political football.
If you're not willing to vote against that, then you're comfortably middle class and don't think you'll be one of the ones that are going to be hurt.
I've voted against Trump 3 times and threw money behind trying to get Sanders the nomination in 2020 instead of Biden, so when all the horrible stuff has been going down this term I don't have to tie myself in knots with rationalizations about my actions.
The Tea Party had the support of the Koch brothers, Fox News, the Heritage Foundation, et al. They had a VP puppet on the bill, Palin, almost immediately after their inception, despite McCain being a center-leaning Republican. It was not a grassroots movement. Make any unfounded assumption you like about my motivation, and construct any straw men you want between you and that reality, but it is reality. It was bought and paid for before anybody had even heard of it. The closest thing the Democrats have seen to a national-scale grassroots political initiative was Sanders, and the DNC torpedoed it reflexively.
That is a terrible way to run a package repo in this day and age.
Maintainers need to have some level of vetting, and should own a repo or three for a while to establish a track record, before they get to blast out contributions to 100 of them without any review.
AUR isn't a package repo. It's a collection of user-contributed PKGBUILD scripts, to make building packages from upstream source distributions more convenient. It's not meant to be treated like an official repo of binary packages.
That's a semantic detail based on the choice of build from source over binary distribution.
This is also a terrible way to run a package build system in this day and age as well, if you like. I feel exactly the same way about it, and when I wrote that I understood what it was, so I didn't need that helpful correction (I first used the FreeBSD ports system sometime around the turn of the millennium).
> That's a semantic detail based on the choice of build from source over binary distribution.
It's not, AUR is more like GitHub, anyone can upload content there, not like a proper repository where things are reviewed, verified and cared for.
You're complaining about "curl https://random-website.com | bash" being "a semantic detail" while it's a major difference in how much trust you can put into it. If you don't trust random-website.com, you shouldn't trust AUR packages. But very different from BSD Ports or Arch's official repositories.
GitHub doesn't allow me to put up my old repos for adoption by any old rando, or to allow randos to request to take over my repos if I don't respond for 2 weeks.
GitHub also actually protects against repojacking and tombstones username/reponame combinations (that exceed a certain minimum popularity) and never lets anyone ever use them again.
The utility of AUR is also really based around being able to reuse the same repo without having to re-vet every single time. This kind of attack, that forces you to re-vet on every single upgrade so that trust inherently can't be established, is also not GitHub's model at all.
And Go has a software package manager that heavily uses GH for distribution, and is arguably more VCS decentralized, but isn't vulnerable to this kind of attack, because it inherits GH's threat model, and doesn't implement the kind of choices that AUR decided to deliberately build into their system.
> GitHub doesn't allow me to put up my old repos for adoption by any old rando, or to allow randos to request to take over my repos if I don't respond for 2 weeks.
Changing your username would let anyone reuse the old username for whatever they want. Probably still today there are bots squatting any renamed accounts. Also, you bet Microsoft would hand over your GitHub username if it was reported by someone who holds a registered trademark in the US over that username, regardless of impact.
> The utility of AUR is also really based around being able to reuse the same repo without having to re-vet every single time.
I don't think they promise that anywhere, nor should you have that expectation. That would be like saying that since you got a legit copy from random-website.com/bin.exe today, you'd get that tomorrow too, which is clearly not true unless you know the owner of the domain or otherwise trust it.
> go has a software package manager that heavily uses GH for distribution, and is arguably more VCS decentralized, but isn't vulnerable to this kind of attack
Unless Golang suddenly has peer-reviewed packages, Golang has exactly the same problem as AUR in that anyone can create packages, and it's up to users to decide what to trust or not. Fair that the whole "orphaned packages" thing doesn't exist in Golang, but I think Arch probably favors stability more than people expect/think; that's why people can continue to maintain packages even though the original maintainer disappears. Ultimately it's a trade-off, I don't think there is some absolute truth about what is correct or incorrect.
Regardless of who maintains the package, if you use AUR as intended, it seems you'll avoid most security issues. It's when your expectations aren't aligned with what AUR actually promises that people start getting hacked.
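The two comments above disagree on whether re-vetting on every upgrade is a burden or simply what "using AUR as intended" means. Either way, the re-vet is mechanical enough to script. The following is an added example written for this thread, not an Arch or AUR tool: it parses the subset of PKGBUILD syntax used in two constructed snapshots (scalar assignments, quoted bash arrays, `$var`/`${var}` expansion) and reports the changes a reviewer should look at before building a new revision, namely a new `# Maintainer:` line, a download host not present in the previous revision, and checksums set to `SKIP`. Package name, maintainers, hosts and digests in the samples are all invented.

```python
"""Flag trust-relevant changes between two PKGBUILD snapshots.

Illustrative code for this thread, not an Arch/AUR project tool. It handles
only the syntax shown in the constructed samples below; a real PKGBUILD can
use arbitrary bash, so treat a parse failure as "review by hand".
"""
import re
from itertools import zip_longest
from urllib.parse import urlparse

MAINTAINER_RE = re.compile(r"^#\s*Maintainer:\s*(.+?)\s*$", re.MULTILINE)
SCALAR_RE = re.compile(r"^(\w+)=(['\"]?)([^'\"()\n]*)\2[ \t]*$", re.MULTILINE)
ARRAY_RE = re.compile(r"^(\w+)=\(([^)]*)\)", re.MULTILINE)  # name=( items... )
ITEM_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")  # one quoted or bare array item
CHECKSUM_ARRAYS = ("sha256sums", "sha512sums", "b2sums", "md5sums")


def expand(value, scalars):
    """Expand $name and ${name} from the file's own scalar assignments."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: scalars.get(m.group(1), m.group(0)), value)


def parse_pkgbuild(text):
    scalars = {m.group(1): m.group(3) for m in SCALAR_RE.finditer(text)}
    arrays = {}
    for m in ARRAY_RE.finditer(text):
        items = [a or b or c for a, b, c in ITEM_RE.findall(m.group(2))]
        arrays[m.group(1)] = [expand(item, scalars) for item in items]
    maint = MAINTAINER_RE.search(text)
    sums = next((arrays[k] for k in CHECKSUM_ARRAYS if k in arrays), [])
    return {
        "maintainer": maint.group(1) if maint else None,
        "pkgver": scalars.get("pkgver"),
        "sources": arrays.get("source", []),
        "sums": sums,  # positionally aligned with "sources", as makepkg expects
    }


def source_host(entry):
    """'localname::url' or bare url -> hostname; files shipped in the package -> 'local'."""
    url = entry.split("::", 1)[1] if "::" in entry else entry
    return urlparse(url).hostname or "local"


def vet_upgrade(old_text, new_text):
    """Return human-readable findings; an empty list means nothing trust-relevant moved."""
    old, new = parse_pkgbuild(old_text), parse_pkgbuild(new_text)
    findings = []
    if old["maintainer"] != new["maintainer"]:
        findings.append(f"maintainer changed: {old['maintainer']!r} -> {new['maintainer']!r}")
    known_hosts = {source_host(s) for s in old["sources"]}
    for src, digest in zip_longest(new["sources"], new["sums"]):
        if src is None:  # more checksums than sources; nothing to fetch
            break
        host = source_host(src)
        if host not in known_hosts:
            findings.append(f"new download host {host}: {src}")
        if digest is None or digest.upper() == "SKIP":
            findings.append(f"unverified download ({digest or 'no checksum'}): {src}")
    return findings


# Constructed sample: the revision you already built and trust.
OLD_PKGBUILD = """\
# Maintainer: Alice Example <alice@example.invalid>
pkgname=hypothetical-tool
pkgver=1.4.0
pkgrel=1
pkgdesc="Hypothetical CLI tool, constructed for this example"
arch=('x86_64')
url="https://github.com/example-org/hypothetical-tool"
license=('MIT')
source=("$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000001')

package() {
  install -Dm755 "$srcdir/$pkgname-$pkgver/$pkgname" "$pkgdir/usr/bin/$pkgname"
}
"""

# Constructed sample: the same package after adoption by a new maintainer.
NEW_PKGBUILD = """\
# Maintainer: helpful-newcomer <newcomer@mailbox.invalid>
# Contributor: Alice Example <alice@example.invalid>
pkgname=hypothetical-tool
pkgver=1.4.1
pkgrel=1
pkgdesc="Hypothetical CLI tool, constructed for this example"
arch=('x86_64')
url="https://github.com/example-org/hypothetical-tool"
license=('MIT')
source=("$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz"
        "post-install.sh::https://cdn.helper-mirror.invalid/$pkgname/post-install.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000002'
            'SKIP')

package() {
  install -Dm755 "$srcdir/$pkgname-$pkgver/$pkgname" "$pkgdir/usr/bin/$pkgname"
  sh "$srcdir/post-install.sh"
}
"""

if __name__ == "__main__":
    for line in vet_upgrade(OLD_PKGBUILD, NEW_PKGBUILD):
        print("REVIEW:", line)
```

The point of the host check is that the upstream tarball still comes from the same GitHub project; what changed is an extra script pulled from a host the previous revision never touched, with its checksum set to `SKIP`, which is exactly the `curl | bash` shape the thread compares AUR to. A tool like this only narrows what to read; the new `package()` body still has to be read by a human.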
I don't know how it works these days, but a few years ago GitHub was happy to give away usernames from users who haven't touched their accounts in a long time to anyone who asked. Several people I know got vanity usernames that way. All you had (have?) to do is drop an email to GitHub's support.
Only thing I can find on requesting to take over an inactive account is here:
> We do not accept requests to release, transfer, or reclaim usernames on the basis that they appear inactive or unused. If the username you want has already been claimed, you will need to select a different available name unless you are submitting a trademark complaint as described below.
Also, even if the original user renames or deletes their account, any popular repos they have will get tombstoned, so the new owner can't recreate them:
> GitHub uses a tombstoning algorithm to reduce the risk of repo-jacking by permanently retiring specific owner name, repository name combinations. The github/cmark-gfm example above is purely hypothetical, because, in that scenario, the old name would get automatically tombstoned. For example, even if an attacker managed to register the username github, they would still be prevented from creating a new repository with the name cmark-gfm because that owner name, repository name combination (github/cmark-gfm) would be permanently retired. Therefore, repo-jacking is only a risk for repositories that fall below a certain usage threshold. We don’t tombstone all renamed repositories because there’s a tradeoff between usability and security: a tombstone is a potential inconvenience for our users which we don’t want to impose unless there’s a genuine security-related reason to do so. That’s why our tombstoning policy only kicks in after the repository has met certain criteria, such as exceeding a specific number of clones.
Before that it was possible to contact support to reclaim any username provided that they had no meaningful public repos and they were inactive for a long time. It was at the staff's discretion, there wasn't an elaborate policy of what constitutes inactive, but I've successfully reclaimed a username inactive for 2 years myself.
The old policy was:
> GitHub account names are provided on a first-come, first-served basis, and are intended for immediate and active use. Account names may not be inactively held for future use. GitHub account name squatting is prohibited. Inactive accounts may be renamed or removed by GitHub staff at their discretion. Keep in mind that not all activity on GitHub is publicly visible. Staff will not remove or rename any active account.
> Attempts to sell, buy, or solicit other forms of payment in exchange for account names are prohibited and may result in permanent account suspension.
Meanwhile, sometime around then I changed my GitHub username, without reading up on the suggested process before doing so. The idea was to rename my account, then create a new account with the previous username, so no one else could squat it, as it's my firstname + lastname and the combination seems unique in the world, so it's basically just me. But a few seconds after renaming the account, it got squatted, and requesting that GitHub reclaim it somehow has fallen on deaf ears.
Lesson learned, create new accounts and never rename usernames, regardless of what rules the platform might share publicly.