Here's to hoping that's the case. But the GGGP was arguing about that other case, where in fact Google manages to lock down the desktop to the point that you have to ask their permission in order to be able to ship a piece of software.
And since we've already seen two other players take that exact stance, thinking that the third (who is already doing similar stuff on their mobile platform) is going to do the same thing is not just a theoretical risk.
Sure, though "have no concern with" comes across to me less like "we avoid building anything that could be conceivably used as a weapon by anyone", and more as "we're not in that business, but it's not our concern if you manage to stab yourself with it. It's not secret".
Fixed that for you. That's been the case since we discovered sticks and stones, but it doesn't mean that CERN is lying when they say they want to focus on non-military areas.
Let's not assume the worst of an institution that's been fairly good for the world so far.
> Let's not assume the worst of an institution that's been fairly good for the world so far.
I'm not assuming the worst. I'm just being realistic, and I think it would be nice if CERN explicitly acknowledged the fact that what they do there could have serious implications for weapons technology.
CERN is explicit about something they know isn't true. They could just say nothing.
I'm fine with CERN, its scientific mission and whatever they come up with there and have contributed to their cause in a minor way so I can do without the lecturing.
If you do research it is easy to stick your head in the ground and pretend that as an academic you have no responsibility for the outcome. But that's roughly analogous to a gun manufacturer pushing the 'guns don't kill people, people do' angle. CERN has a number of projects on the go whose only possible outcome will be more powerful or more compact weapons.
For instance, anti-matter research. If and when we manage to create anti-matter in larger quantities and to be able to do so more easily it will have potentially massive impact on the kind of threats societies have to deal with. To pretend that this is just abstract research is willfully abdicating responsibility.
Once it can be done it will be done, and once it will be done it is a matter of time before it is used. Knowledge, once gained, cannot be unlearned. See also: the atomic bomb. Now, CERN isn't the only facility where such research takes place and I'm well aware of the geopolitical impact of being 'late' when it comes to such research. I would just like them to be upfront about it. There is a reason why most particle accelerators and associated goodies are funded by the various departments of defense.
Your typical university research lab is not doing stuff with such impact, though the biology departments of some of these are investigating things that can easily be weaponized, and which should come with similar transparency about possible uses.
Quite. One would hope, though, that it would be clear to prestigious scientific research organizations in particular, just like everything else related to source criticism and proper academic conduct.
If we take a simple definition of technology - such as "tool" or some external inanimate thing we use as an extension of ourselves - then I think all animals on Earth that we have deemed intelligent to some degree use "technology". Crows using sticks to pick things out of holes, chimps crafting spears for hunting, dolphins wearing "hats", octopuses building stone fortresses, etc. So I guess it's important to define the limit of the definition of technology.
It will keep happening until someone takes responsibility and starts maintaining the whole of the node ecosystem. This is probably a viable start-up idea: Node but audited.
You don't even need to enshittify Yet Another Service, you just need package maintainers. Debian manages to do this, and I'm guessing they get paid nothing (although, yeah, Amazon and The Goog really ought to chip in a few bucks, considering their respective empires). Unfortunately, it means you can't just YOLO your code into other people's programs anymore.
Oh, agreed 100%. I find it endlessly frustrating that these same conversations happen every single time there's a supply chain attack like this, because nobody wants an _actual_ solution, they want an _easy_ solution that doesn't involve changing anything about how they work. So we just get 500 comments asking if we can solve the Halting Problem, and then everyone forgets until the next breach. It was ever thus.
But even then you are still depending on others to catch the bugs for you and it doesn't scale: if everybody did the cooldown thing you'd be right back where you started.
I don't think that this Kantian argument is relevant in tech. We've had LTS versions of software for decades and it's not like every single person in the industry is just waiting for code to hit LTS before trying it. There are a lot of people and (mostly smaller) companies who pride themselves on being close to the "bleeding edge", where they're participating more fully in discovering issues and steering the direction.
The assumption in the post is that scanners are effective at detecting attacks within the cooldown period, not that end-device exploitation is necessary for detection.
(This may end up not being true, in which case a lot of people are paying security vendors a lot of money to essentially regurgitate vulnerability feeds at them.)
To find a vulnerability, one does not necessarily deploy a vulnerable version to prod. It would be wise to run a separate CI job that tries to upgrade to the latest versions of everything, run tests, watch network traffic, and otherwise look for suspicious activity. This can be done relatively economically, and the responsibility could be reasonably distributed across the community of users.
It does scale against this form of attack.
This attack propagates by injecting itself into the packages you host. If you pull only 7d after release you are infected 7d later. If your customers then also only pull 7d later they are pulling 14d after the attack has launched, giving defenders a much longer window by slowing down the propagation of the worm.
That worried me too, a sort of inverse tragedy of the commons. I'll use a weeklong cooldown, _someone else_ will find the issue...
Until no-one does, for a week. To stretch the original metaphor, instead of an overgrazed pasture, we grow a communally untended thicket which may or may not have snakes when we finally enter.
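One way to make the "cooldown" policy discussed in the comments above mechanical, as an added example written for this thread rather than code posted by any commenter: a gate that reads the versions a lockfile resolved to, looks up when each version was published, and refuses anything younger than the cooldown window, failing closed when no timestamp is available. The package names, versions and publish times are constructed sample data; the `registry_time` shape (package -> version -> ISO timestamp) is modelled on the npm packument `time` field but nothing here talks to a real registry, and the version ordering helper assumes plain numeric dotted versions.

```python
"""Cooldown gate for dependency upgrades (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7

# Constructed sample: what a lockfile resolved each dependency to.
LOCKFILE = {
    "left-pad": "1.3.0",
    "some-lib": "4.2.1",
    "fresh-lib": "2.0.0",
    "no-metadata-lib": "0.1.0",
}

# Constructed sample registry metadata: package -> version -> publish time.
# Shape mirrors the npm packument "time" field; values are made up.
REGISTRY_TIME = {
    "left-pad": {"1.3.0": "2024-01-10T12:00:00.000Z"},
    "some-lib": {
        "4.2.0": "2024-02-01T00:00:00.000Z",
        "4.2.1": "2024-03-18T09:30:00.000Z",
    },
    "fresh-lib": {"2.0.0": "2024-03-20T08:00:00.000Z"},
}

# Fixed "now" so the example is deterministic; a real job would use
# datetime.now(timezone.utc).
NOW = datetime(2024, 3, 21, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _ver_key(version: str):
    """Ordering key for plain numeric dotted versions (assumption of this example)."""
    return tuple(int(part) for part in version.split("."))


def check_cooldown(lockfile, registry_time, now=NOW, cooldown_days=COOLDOWN_DAYS):
    """Split the lockfile into versions that cleared the cooldown and ones that did not.

    Returns (allowed, blocked): allowed maps package -> version, blocked maps
    package -> human-readable reason. Missing metadata is treated as blocked
    (fail closed) rather than silently allowed.
    """
    window = timedelta(days=cooldown_days)
    allowed, blocked = {}, {}
    for name, version in lockfile.items():
        published = registry_time.get(name, {}).get(version)
        if published is None:
            blocked[name] = f"{version}: no publish timestamp, refusing (fail closed)"
            continue
        age = now - parse_ts(published)
        if age < window:
            blocked[name] = f"{version}: published {age.days}d ago (< {cooldown_days}d cooldown)"
        else:
            allowed[name] = version
    return allowed, blocked


def newest_cooled_version(times, now=NOW, cooldown_days=COOLDOWN_DAYS):
    """Newest version of one package whose publish time is at least cooldown_days old.

    Useful as the fallback when the resolved version is blocked: pin to the
    newest version that has already been in the wild for the full window.
    Returns None when no version has cleared the cooldown yet.
    """
    cutoff = now - timedelta(days=cooldown_days)
    cooled = [v for v, ts in times.items() if parse_ts(ts) <= cutoff]
    return max(cooled, key=_ver_key) if cooled else None


def suggest_pins(lockfile, registry_time, now=NOW, cooldown_days=COOLDOWN_DAYS):
    """For each blocked package, the newest cooled version to pin instead (or None)."""
    _, blocked = check_cooldown(lockfile, registry_time, now, cooldown_days)
    return {
        name: newest_cooled_version(registry_time.get(name, {}), now, cooldown_days)
        for name in blocked
    }


if __name__ == "__main__":
    allowed, blocked = check_cooldown(LOCKFILE, REGISTRY_TIME)
    for name, reason in blocked.items():
        print(f"BLOCKED {name} {reason}")
    for name, pin in suggest_pins(LOCKFILE, REGISTRY_TIME).items():
        print(f"  suggested pin for {name}: {pin}")
    print("allowed:", allowed)
    raise SystemExit(1 if blocked else 0)
```

Run as a CI step, the non-zero exit blocks the upgrade while the suggested pins give the "latest version that has sat for a week" to fall back to. Note what the gate does and does not buy you: it only slows propagation, exactly as the arithmetic in the thread says, and it is only worth something if somebody with the newest versions is actually looking during that week.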
Oh that's great news, I will have to look at it again then. That was a huge turn-off for me, to take one of the most well respected and reliable ecosystems and then to pull in one of the worst as a dependency. Thank you for clearing that up.