I feel like you were trying to help here, but anyone can do this for themselves. Providing information in this way sort of indicates that you don't believe that the person you're replying to can do it on their own, and for that reason it's considered rude.
I was. I was also seeing if the Hacker News braintrust would freak out at AI much like Reddit does, so it was sort of a tongue-in-cheek experiment. And freak out they did.
I see what you mean, but I actually think there is a place for copy/pasting AI responses. I think of it as a kind of cache: surely an HN comment being served to n users means fewer resources used and faster access than if all n did their own AI query. But then of course you don’t get exactly your preference, e.g. you might prefer a terser response than what is pasted here. Interesting to see how the etiquette around this plays out over time.
If you ever wanted to share an AI response, you probably should share your prompt, not the response. But likely you should not share anything, for the reasons already explained. Your argument about saving energy makes zero sense if you have any understanding of orders of magnitude but I won't share what AI says about it.
Ironically you are being incredibly rude trying to support an argument that posting AI responses is rude. I guess we can conclude you know nothing about anything.
Still ironic. Just so you know, I might have considered what you said and changed my mind, but being rude made me dismiss you immediately. Just sharing my opinion.
Also, HN hates machine generated replies, especially the lengthy and overly verbose slop variety -- I think that probably eclipsed any perceived rudeness.
I would agree if this were one of those `curl | sh` scenarios, but don't we consider things like `brew` to be sufficiently low-risk, akin to `apt`, `dnf`, and the like?
> Unfortunately, in the world of software there are bad actors that bundle malware with their apps. Even so, Homebrew Cask has long decided it will not be an active gatekeeper (macOS already has one) and users are expected to know about the software they are installing. This means we will not always remove casks that link to these apps, in part because there is no clear line between useful app, potentially unwanted program, and the different shades of malware—what is useful to one user may be seen as malicious by another.
---
So there might be pull requests, but Brew's official stance is that they do not actively moderate casks for malware. I guess there's something built into the macOS packaging step that helps mitigate the risk, but I don't know much about it outside playing w/ app development in Xcode.
Agreed that it's a bit funny given the context and no community-managed package manager should be 100% trusted.
That said, I think rg is pretty well known to Linux daily-drivers and they just wanted to share something quickly for power users who want to check their workspaces quickly. Probably better to just instruct n00bs to use grep than install a whole CLI tool for searching.
Come to think of it, I wonder if a 2-phase attack could be planned by an attacker in the future: Inject malware into a package, flood guidance with instructions to install another popular tool that you also recently compromised... lol
The xscreensaver dev managed to very easily slip a timebomb into the Debian repos. Wasn't obscured in any way, the repo maintainers just don't review the code. It would be physically impossible for them to review all the changes in all the programs.
Yes, the XZ attack affected Fedora nightly and Debian testing and unstable. Yes, it got caught before it made it into a stable distribution (this time).
> Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date.
npm sold it really hard that you could rely on them and not have to vendor dependencies yourself. If I suggested that a decade ago in Seattle, I would have gotten booed out of the room.
I have repeatedly been met with derision when pointing out what a gaping security nightmare the whole Open Source system is, especially npm and its ilk.
Yet here we are. And this is going to get massively worse, not better.
Nothing specific to open source is to blame in this instance. The author got phished. Open source software often has better code vetting and verification than closed source software. npm, however, does not.
I thought getting code into brew is blocked by some vetting (potentially insufficient, which could be argued for all supply chains), whereas getting code into npm involves no vetting whatsoever.
> Unfortunately, in the world of software there are bad actors that bundle malware with their apps. Even so, Homebrew Cask has long decided it will not be an active gatekeeper (macOS already has one) and users are expected to know about the software they are installing. This means we will not always remove casks that link to these apps, in part because there is no clear line between useful app, potentially unwanted program, and the different shades of malware—what is useful to one user may be seen as malicious by another.
ripgrep is quite well known. It’s not some obscure tool. Brew is a well-established package manager.
(I get that the same can be said for npm and the packages in question, but I don’t really see how the context of the thread matters in this case).
If it produces no output, does that mean that there's no code that could act in the future?
I first acted out of nerves and deleted the whole node-modules and package.lock in a couple of freshly opened Astro projects, curious if I should consider my web surfing to still be potentially malicious.
The malware introduced here is a crypto address swapper. It's possible that even after deleting node_modules that some malicious code could persist in a browser cache.
If you have crypto wallets on the potentially compromised machine, or intend to transfer crypto via some web client, proceed with caution.
With the hopes that Apple engineers are scanning this discussion:
- Using the iPhone to scan documents from Finder has recently stopped working on the second scan. I need to restart my phone to get it to work again.
- iPhone mirroring is terrible: laggy, UI glitches, drops click events, scrolling is a nightmare. This is when it actually even manages to connect.
- Often, with AirPods on, lowering the volume, shutting down the iPhone display and putting it in my pocket quickly enough will entirely turn off volume. If you happen to increase the volume instead, you'll get blasted with maximum volume in your ears.
- Use vertical tabs on Safari for one day. You'll see it actually crash a few times. Not to mention the UI glitches.
- Open the App Store on macOS. It first opens empty, then the UI controls show up, then it flickers the entire UI. I am convinced it's a Web app.
- In System Settings, most of the sections you click have a delay in rendering. Nothing feels snappy in that app. I can actually click 3 sections quick enough for the second to never even be rendered.
- Sometimes dragging an application from the Dock popup menu into the Trash does nothing, even though it appears to have worked. I often find that it wasn't deleted at all, and that I have to open the Applications folder in Finder and hit Cmd-Backspace to delete it.
Good idea. I’ll add some that have annoyed me for years just in case:
- On iOS, the alarms app breaks down once you get to ~250 alarms. You can try to add/delete alarms and it’ll appear like they changed, but the change won’t be saved. I can’t use the alarms app now and can’t fix it as I can’t delete alarms. By the way, would be nice to reuse alarms when creating at the same time as an existing alarm so you don’t end up with 250+ alarms in the first place.
- On iOS, the notes app breaks down in long documents (~10 pages of text with bullet points). When writing beyond that, some text will sometimes disappear only to reappear when you type some more. Other times, the cursor disappears. This only happens in long documents. All English text, mainly bullet points, often with some text pasted in.
It’s shocking to me that my iPhone 11 Pro can play gorgeous 3D video games, but can’t handle 250 alarms or 10 pages of text..
> It works well though, particularly over SSH and devcontainers, although it has severe bugs that they refuse to fix, and it isn't open source so you can't fix it yourself.
VS Code dev here. Would you like to share that list of severe bugs? Also, can you clarify what exactly isn't open-source in the entire VS Code with SSH and devcontainers flow? It's disheartening to read this, knowing that this simply isn't true.
The remote development extensions don't appear to be open-source. The marketplace page for the "Remote - SSH" extension will point you to a license that says, among other things, "You may not: work around any technical limitations in the software;".
The same page brings you to a GitHub repo for the extension that contains no source code; it claims to be for gathering feedback only.
I don't know how you can imply everything about this is open source, maybe I'm not looking in the right place?
Not OP, but I've been trying to get remote development working for years but to no avail. The official response on the GitHub issue [0] in 2019 was:
> The "remote" functionality (SSH/WSL/Docker) is currently only available for VS Code proper, not 3rd party builds.
> [...] /cc @joaomoreno
Last time I checked, Arch Linux users who have the Arch Linux build of VS Code installed still cannot use remote SSH development nor dev containers. I definitely can't get it working on my own development machines.
Where is the Remote SSH extension code? I always thought that was closed source?
Edit: The reason I think it is closed source is because a StackOverflow answer says so[1]. I’d be very interested in seeing the code if you could link to its repo!
This is what posting sleep deprived gets you. I was referring to the cli[0] and server[1] components, which have most of the meat. Sorry for the misunderstanding. That being said, I'd love to know which severe bugs disrupt your usage.
Embrace, extend and extinguish.
Tell everyone that it is ok to use this crap because it is open source, despite it being impossible to have the exact same fully featured vscode built from source.
Speaking of "disheartening": your fellow devs who wrote the Pylance extension decided to mount a ReDoS attack against anyone who opens it in a debugger. I merely tried to investigate an issue that I had. [0] [1]
Being on the receiving end of a deliberate ReDoS attack feels more than disheartening. This is not shedding a good light on the VS Code development team as a whole. This is a despicable act.
No idea. All I know is whenever I try to execute the module in e.g. VS Code's debugger, it somehow triggers the attack and enters a de-facto-endless 100%-CPU-load loop.
I respect the hell out of Kenji but if properly caramelized onions are central to the dish (e.g. French onion soup, caramelized onions for a burger, etc.) I tend to come down on the side of Daniel Gritzer (also of Serious Eats).[0]