Hacker News: cedws's comments

Code that checks raw error strings is just plain bad and should be exempt from Go’s backwards compatibility guarantees. There is almost never an excuse for it, especially in stdlib.

China is a country of over 1 billion people. It has advanced and surpassed many Western countries in the span of just 40 years. Trying to put a leash on them with sanctions is futile, hostile, and will only increase their determination. We should be trying to find common ground and working with them instead of fabricating another boogeyman for no reason.

>We should be trying to find common ground and working with them

Why should we, after what they did to the rights and freedoms of the people of Hong Kong?


Look at China's neighbors. I'm sure the solution to their conflicts with China is "finding common ground and working with them". Would you have told Ukraine the same thing about Russia before Russia invaded? Hell, do you say it now?

No, I have always been strongly on Ukraine's side. The war began because diplomacy failed. We do not want the same to happen with Taiwan - again, we should be trying to find common ground and de-escalate the situation. Sanctions are a band-aid and escalate, and they only work for so long.

And by de-escalation, you mean giving China and Russia anything they want?

I didn't say that, or imply that, and it would make no sense for that to be my stance given that I said I support Ukraine. At least put some thought in before you hit reply.

The war started because Putin wanted it to start. There’s no other hidden reason.

Unironically yes, since China won't move geographically from its position for millions of years. The US can be distracted by something else somewhere and pivot away from Asia, but China won't. It stays there.

+500 social credits

Indeed, why not find common ground with a totalitarian regime that conducts genocides and violently suppresses democracy and dissent

Take it from an old man who was born in Eastern Europe under another totalitarian regime. I've seen it in practice, I've seen the horrors behind closed doors: appeasement never works and only prolongs the suffering of the people.


I hate to make a whataboutism argument, but the US is no angel either.

Okay, so? Countries around China need to deal with China's aggression all the time. That isn't resolved by pointing out that the US sucks too.

That's like saying someone having 2 beers a week is the same as an alcoholic.

> appeasement never works

Lmao, anything that works wouldn't be called appeasement, just a treaty. Were the Paris Peace Accords an appeasement that didn't work? They sealed the demise of non-communist South Vietnam, but no one cares about South Vietnam today aside from fringe Vietnamese in California.


I like your optimism but this ship sailed a long time ago.

If you are outside the US and China it is hard not to empathize with the Chinese annoyance with the do-as-we-say-not-as-we-do “rules based order”, and deciding to play the exact game on the US that the US has played with everyone else.


The fairest way to do it, I feel, is a FIFO. Yeah, you might give an organ to a 70-year-old on their last legs, but they don't have any less of a right to live than anyone else. After the Horizon scandal, public trust in complicated computer systems is at an all-time low. It shouldn't be an opaque system making such important decisions. Everything should be in the open and explainable.

With FIFO the difficulty simply moves to whether you go on the list or not. What should the threshold be for being on the list? If you make it too high then people die without ever being given the opportunity for a liver; if you make it too low then too many people die waiting.

It also creates a weird scenario where all of the worst cases past some level will have no hope of getting a transplant. I.e. if the wait time is uniformly 3 years, then anyone with <3 years of expectancy has little hope despite being the ones who need it most, meanwhile everyone with >3 years expectancy can happily hang out on the list waiting for their transplant.

Simplified a little, but you get the idea. It’s arguably fairly obvious that livers should be assigned based on urgency in some form. I absolutely agree that this should be open and explainable though.


Very nice to see, my grandmother was recently scammed out of a large amount of money. Luckily the bank reimbursed her.

Scammers are a stain on the reputation of India. You could argue it's unfair to tar an entire country with the same brush, but quite clearly rule of law isn't properly functioning over there and there's complicity in letting them do this. Same goes for Nigeria.


Oh, believe me, Indians fucking hate the scammers, probably more than you do.

Jim Browning (the scambaiter who worked with O2 in this article) has successfully compromised several scam operations, gotten their physical address and other dox, and referred them to the police. The offices get raided, Jim gets some nice CCTV footage of the raid, the operators of the criminal enterprise get a nice perp walk... and then a month later the case is mysteriously dismissed with a bullshit reason about AI deepfakes and "IO" (influence operations, I presume).

The thing to keep in mind is that India's government is run by Modi, a Hindu ultranationalist who wants to deport all the country's Muslims to Pakistan[0]. There's a pretty straightforward pipeline from organized crime to fascism and I wouldn't be surprised if the scammers in question here are part of Modi's power base (or part of other organizations which are part of his power base).

The only thing I could think of to fix this would be to strategically suck people out of India through generous visas for migrants who want to live in a country with functioning[1] institutions. The thing about organized crime is that it relies on having a pool of suckers to continue joining the criminal enterprise - in other words, even the scammers are themselves being scammed. This is one of the less selfish reasons why I'm an open borders fanatic, but I also have to admit that such a policy in today's era has negative political capital.

[0] Which itself has money problems because its budget gets siphoned off by their own military and they have to beg the IMF for scraps

[1] To be clear, India's institutions still exist, they're just mildly broken.


I'd imagine India will gradually crack down on it more over time. The tech industry there is growing massive and they surely aren't happy about being associated with scammers.

They won't. The companies that operate these scam centers are diversified criminal enterprises run by ultra-wealthy and politically connected individuals. These people own the police, they own the politicians, and until fairly recently, they owned the voters through massive vote-buying schemes.

You can get away with murder in India if you're wealthy enough (e.g. the case of Jessica Lal, murdered by a politician's son in front of at least a dozen witnesses). The egregious corruption of the INC or "Congress party" (which is ideologically progressive) over many decades has created a massive voter exodus to the conservative BJP party, the majority party in India since 2014. However, the corruption and inefficiency at all levels of civil society has remained endemic.


I just googled Jessica Lal and the Wikipedia article suggests that the rich murderer was convicted and sentenced to life in prison?

https://en.m.wikipedia.org/wiki/Murder_of_Jessica_Lal


He was indeed sentenced to life, but was inexplicably allowed to go in and out of prison during his sentence - on one occasion he was paroled for thirty days under dubious circumstances. He was eventually released on parole 4 years ago for "good behavior", and is now trying to rehabilitate his public image (along with his extremely corrupt father).

I mean, in that very article it talks about how he was granted probation many times, and has already been released. Doesn't seem very lifey to me.

GitHub needs to step up its security game in general. 2FA should be made mandatory. GitHub "Actions" are a catastrophe waiting to happen - very few people pin Actions to a specific commit, they use a tag of the Action that can be moved at will. A malicious author could instantaneously compromise thousands of pipelines with a single commit. Also, PR diffs often hide entire files by default - why!?!

Maybe accounts should even require ID verification. We can't afford to fuck around anymore, a significant share of the world's software supply chain lives on GitHub. It's time to take things seriously.


The rampant "@V1" usage for GitHub Actions has always been so disturbing to me. Even better is the fact that GitHub does all of the work of showing you who is actually using the action! So just compromise the account and then start searching for workflows with authenticated web tokens to AWS or something similar.

It's probably already happening.


Not that long ago Facebook was accidentally leaking information through their self hosted runners, through a very common mistake people make. https://johnstawinski.com/2024/01/11/playing-with-fire-how-w...

That's the second time for PyTorch, to the best of my knowledge. I know someone who found that (or something very much like it) back in 2022 and reported it, as I had to help him escalate through a relevant security contact I had at Meta.


Exactly.

It simply should not be allowed to do this. Nor maintain Actions without mandatory 2FA. All it takes is one account to be compromised to infect thousands of pipelines. Thousands of pipelines can be used to infect thousands of repos. Thousands of repos can be used to infect thousands of accounts... ad infinitum.


2FA matters very little when you have never expiring tokens.

2FA also matters little if the attacker has compromised your machine. They can use your 2FA-authenticated session.

Only once… but if they can get your forever token… that's not the same.

Once is enough.

And thanks to the likes of composer and similar devs end up making non expiring tokens to reduce annoyance. There needs to be a better system. Having to manually generate a token for tooling can be a drag.

GitHub specifically recommended that you have a v1, a v1.x and a v1.x.x.

When you go from v1.5.3 to v1.5.4 you make v1.5 and v1 point to v1.5.4.


The point is that any of those tags can be replaced maliciously, after the fact.

If tags are the way people want to work, then there needs to be a new repo class for actions which explicitly removes the ability to delete or force push tags across all branches. And enforced 2FA.

Using a commit hash is the second most secure option. The first (in my eyes) is vendoring the actions you want to use in your user/org's namespace. Maintaining when/if to sync or backport upstream modifications can protect against these kinds of attacks.

However, this does depend on the repo being vetted ahead of time, before being vendored.
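The pinning discussion above (mutable `v1`-style tags versus a full commit SHA, and Docker actions whose image label can be repointed) is the kind of thing a workflow linter can catch before a pipeline runs. The following is an added example, not code from the thread or from GitHub: it scans a constructed workflow file for `uses:` lines and classifies each reference as pinned (40-hex SHA, or `docker://` with a `@sha256:` digest), mutable (tag, branch, or no ref at all), or local. The SHA and digest in the sample are constructed placeholders, not real releases.

```python
import re
from typing import List, NamedTuple

# Constructed sample workflow (not taken from any real repository). It mixes
# pinned and unpinned references so the audit has something to flag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # constructed SHA, not a real release
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - name: build
        run: go build ./...
"""

# Matches a `uses:` step line and captures the reference up to whitespace,
# a quote or a trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
# A full Git commit SHA: 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line: int
    ref: str
    kind: str  # "pinned", "mutable", "local", "docker-pinned", "docker-mutable"


def classify(ref: str) -> str:
    """Classify one `uses:` reference by how immutable it is."""
    if ref.startswith("./"):
        # Local action checked into this repository: reviewed with the repo itself.
        return "local"
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        # A tag such as alpine:3.20 can be repointed by the registry owner;
        # only a content digest is immutable.
        return "docker-pinned" if "@sha256:" in image else "docker-mutable"
    if "@" not in ref:
        # No ref at all resolves to the default branch, which moves constantly.
        return "mutable"
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.match(version) else "mutable"


def audit(workflow_text: str) -> List[Finding]:
    """Return one Finding per `uses:` line, in file order."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append(Finding(lineno, ref, classify(ref)))
    return findings


def unpinned(workflow_text: str) -> List[Finding]:
    """Only the references that a maintainer or account takeover could repoint."""
    return [f for f in audit(workflow_text) if f.kind in ("mutable", "docker-mutable")]


if __name__ == "__main__":
    for f in unpinned(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref} is {f.kind}; pin to a commit SHA or image digest")
```

Note that a commit-SHA pin still trusts the content of that commit; as the thread says, it only removes the ability to swap the content out later, and it does nothing for the Docker image a `Dockerfile`-based action pulls unless that image is pinned by digest too.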


Sorry, I followed up to this point - how can this be done?

From the GitHub UI, very simply. Go to a repo you administer, open the /tags page, and each tag has a "..." drop-down menu with a delete option. Then upload a new tag by that name.

Tags are not automatically updated from remotes on pull (they are automatically created locally if it's a new tag). This doesn't mean that the remote can't change what the tag points to, only that it's easy to spot.

Edit: and to be clear, for many years after release, this was the recommendation from the Visual Source Safe team (Yes, that team developed GitHub Actions) for managing your actions. Tell people to use "v1", then delete the tag update it each time.


Ah - is the problem a malicious administrator of the repo you're pulling from?

Yes, exactly that. Or anyone who hacks their Github account.

And even if you pin your actions, if they're docker actions they can replace the docker container that is at that label:

https://github.com/rust-build/rust-build.action/blob/59be2ed...


Also the heuristic used to collapse file diffs makes it so that the most important change in a PR often can't be seen or ctrl-f'd without clicking first.

Blame it on Go dependency lists and similar.

What do you even review when it's one of those? There's thousands of lines changed and they all point to commits on other repositories.

You're essentially hoping it's fine.


Shipping code to production without evidence anyone credible has reviewed it at a minimum is negligence.

You're claiming here that you do a review of all of your dependencies?

For security critical projects, of course. I even reproducibly bootstrap my own compilers and interpreters.

I've always considered the wider point to be that viewing diffs inline has been a laziness inducing anti-pattern in development: if you never actually bring the code to your machine, you don't quite feel like it's "real" (i.e. even if it's not a full test, compiling and running it yourself should be something which happens. If that feels uncomfortable...then maybe there's a reason).

2FA is already mandatory on GitHub.

Seems I missed that change, thanks.

It only happened in the last month or so I think.

Nah. A year maybe?

Six days for me:

>Your account meets this criteria, and you will need to enroll in 2FA within 45 days, by November 8th, 2024 at 00:00 (UTC). After this date, your access to GitHub.com will be limited until you enroll in 2FA. Enrolling is easy, and we support several options, starting with TOTP apps and text messages (SMS) and then adding on passkeys and the GitHub Mobile app.

I think the exact deadline depends on the organisation. I know that I only enabled 2FA for my throwaway work account (we don't use github at work, and I didn't want to comment using my personal one) last week.


Lucky you :D

I was talking about non-work accounts that don't belong to organizations. Mine got forced to use 2FA a long time ago.


For my personal account it was only in the last month but I think I'd been getting warnings for a while.

What's next, checking that Releases match the code on Github?

With what, a reproducible build? Madness! Madness I say!

Having a reproducible build does not prove that the tarball contains the same source as git.

SLSA aims to achieve this, though, right? Specifically going from level 2 to level 3.

TL;DR: Why not add a capability/permissions model to CI?

I agree that pinning commits is reasonable and that GitHub's UI and Actions system are awful. However, you said:

> Maybe accounts should even require ID verification

This would worsen the following problems:

1. GitHub actions are seen as "trustworthy"

2. GitHub actions lack granular permissions with default no

3. Rising incentives to attempt developer machine compromise, including via $5 wrench[1]

4. Risk of identity information being stolen via breach

> It's time to take things seriously.

Why not add strong capability models to CI? We have SEGFAULT for programs, right? Let's expand on the idea. Stop an action run when:

* an action attempts unexpected network access

* an action attempts IO on unexpected files or folders
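The "stop the run when an action does something unexpected" idea above is an allowlist policy evaluated over what the action actually touches. As an added illustration (not code from the comment, from GitHub, or from any CI product), this evaluates a constructed stream of network and file events against a deny-by-default policy: hosts must match a glob, paths must fall under an allowed prefix after normalisation (so a `..` escape out of the workspace is caught), and the first violating event is what would halt the run. The hosts, paths and events are all constructed samples.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    # Deny by default: anything not listed here is a violation.
    allowed_hosts: Tuple[str, ...]   # glob patterns, e.g. "*.github.com"
    allowed_read: Tuple[str, ...]    # path prefixes the action may read
    allowed_write: Tuple[str, ...]   # path prefixes the action may write


@dataclass(frozen=True)
class Event:
    kind: str    # "net", "read" or "write"
    target: str  # hostname (optionally host:port) or filesystem path


def _host(target: str) -> str:
    """Strip a trailing :port so policy globs match the hostname only."""
    host, sep, port = target.rpartition(":")
    return host if sep and port.isdigit() else target


def _under(prefixes: Tuple[str, ...], path: str) -> bool:
    """True if the normalised path is one of the prefixes or below it."""
    norm = posixpath.normpath(path)  # collapses ".." so escapes are visible
    for p in prefixes:
        p = posixpath.normpath(p)
        if norm == p or norm.startswith(p.rstrip("/") + "/"):
            return True
    return False


def permitted(policy: Policy, event: Event) -> bool:
    if event.kind == "net":
        return any(fnmatch(_host(event.target), pat) for pat in policy.allowed_hosts)
    if event.kind == "read":
        # Anything writable is implicitly readable.
        return _under(policy.allowed_read + policy.allowed_write, event.target)
    if event.kind == "write":
        return _under(policy.allowed_write, event.target)
    return False  # unknown event kinds are denied, not ignored


def first_violation(policy: Policy, events: List[Event]) -> Optional[Event]:
    """The event at which an enforcing runner would stop the action."""
    for e in events:
        if not permitted(policy, e):
            return e
    return None


def violations(policy: Policy, events: List[Event]) -> List[Event]:
    """Every violation, for an audit-only (non-enforcing) mode."""
    return [e for e in events if not permitted(policy, e)]


# Constructed policy for a build step: talk to GitHub, read the toolchain,
# write only inside the checked-out workspace.
BUILD_POLICY = Policy(
    allowed_hosts=("github.com", "*.github.com"),
    allowed_read=("/usr/local/go", "/home/runner/.cache"),
    allowed_write=("/home/runner/work/repo",),
)

# Constructed event trace; the last two are the ones a policy should catch.
SAMPLE_EVENTS = [
    Event("net", "api.github.com:443"),
    Event("read", "/usr/local/go/bin/go"),
    Event("write", "/home/runner/work/repo/build/app"),
    Event("read", "/home/runner/work/repo/go.mod"),
    Event("read", "/home/runner/work/repo/../../.ssh/id_ed25519"),
    Event("net", "collector.example"),
]

if __name__ == "__main__":
    stop = first_violation(BUILD_POLICY, SAMPLE_EVENTS)
    print("run halted at:", stop)
```

In practice the events would come from the runner itself (a seccomp/LSM hook, a network namespace with an egress proxy, or an audit log); the value of the policy is that it is declared in the workflow next to the `uses:` line, so a compromised action cannot widen it.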

The US DoD and related organizations seem to like enforcing this at the compiler level. For example, Ada's got:

* a heavily contract-based approach[2] for function preconditions

* pragma capabilities to forbid using certain features in a module

Other languages have inherited similar ideas in weaker forms, and I mean more than just Rust's borrow checker. Even C# requires explicit declaration to accept null values as arguments[3].

Some languages are taking a stronger approach. For example, Gren's[4] developers are considering the following for IO:

1. you need to have permission to access the disk and other devices

2. permissions default to no

> We can't afford to fuck around anymore,

Sadly, the "industry" seems to disagree with us here. Do you remember when:

1. Microsoft tried to ship 99% of a credit card number and SSN exfiltration tool[5] as a core OS component?

2. BSoD-as-service stopped global air travel?

It seems like a great time to be selling better CI solutions. ¯\_(ツ)_/¯

[1]: https://xkcd.com/538/

[2]: https://learn.adacore.com/courses/intro-to-ada/chapters/cont...

[3]: https://learn.microsoft.com/en-us/dotnet/csharp/language-ref...

[4]: https://gren-lang.org/

[5]: https://arstechnica.com/ai/2024/06/windows-recall-demands-an...


What does “slipstreamed” mean? Upon first look this just looks like a really lazy attempt, but maybe there’s something I’m missing. Jia Tan was at least clever about it.

Watching these videos made me sad. It's a stark reminder that the old internet I grew up with is over. And I'm not even that old. I miss the candid content, from when people just uploaded whatever they felt like without incentive. YouTube is an industrial clickbait farm now. Social media is driving people apart and turning them into narcissists.

>And anyway, you will never be a japanese

Well, yes, if you weren't born in Japan or born to Japanese parents, you will never be Japanese. And isn't that fine? I don't understand why somebody who has immigrated to a foreign country must be accepted like a native. Why can't one just peacefully integrate the best they can and accept their differences?


> Why can't one just peacefully integrate the best they can and accept their differences?

Their complaint is that they want to integrate entirely and can not. They do not want to be different, they want to be the same. They want their kids to be treated the same. And the claim is, regardless of how well you integrate, how well you speak you will not be fully integrated.


I don't know why this mentality pervades the West - the mentality that as an immigrant you are entitled to be accepted by natives. Just because you speak the language and have stuck around for a while, doesn't make you one of them. There will always be irreconcilable differences.

FWIW I will be moving to Japan next year. I don't care if the Japanese 'accept' me. I don't expect to be treated the same, I know that they're somewhat xenophobic, and some of that might be for good reason. I fully accept that I will be a guest in their country. My goal is to do my best to minimise inconvenience to others and prioritise their cultural norms over mine.


I am not sure who talked about being entitled to be accepted or complaints.

I just highlighted some facts and compared it to other environments: many Japanese do not give a hell about foreigners or interacting with them, to the point that they are not even interested in learning English, and that is ok.


A sign of bureaucratic death spiral is when nothing gets done because someone would be upset.

It is pretty simple: parties estimated how many votes and how much influence they could get, and decided it is too little. The only way is to be more noisy (protests, pressing politicians to do it).

But then how are AWS going to empty your pockets?

