bauerm97's comments

bauerm97 | 5 years ago | on: Tell HN: Interviewed with Triplebyte? Your profile is about to become public

Anybody know where the fuck the opt-out button is? I literally can't find it on mobile.

Edit: For anyone else struggling to find it, look for the box with the heading "Profile URL". There's a link in the upper right corner of the box that says "Visibility Settings". It's light grey text and kinda hard to notice that it's a link.

Just for anyone else, if you're forcing users to opt out of something like this, it should be a BIG BUTTON AT THE TOP OF THE PAGE.

bauerm97 | 5 years ago | on: Demo of an OpenAI language model applied to code generation [video]

I'm sure in the early days of compilers (I wasn't around back then, so I'm just assuming) they could also be fairly unreliable. Maybe they translated something in a completely idiotic way, lots of bugs, etc... But over time they improved and improved to the point that 99% of programmers never worry about anything except high level abstractions. This could be signalling the beginning of another such paradigm shift to a higher level abstraction.

bauerm97 | 6 years ago | on: Plaid Deletes GitHub Issue Exposing Imitation of Bank Login UIs

I don't think people are upset about the repo being "archived" and having lost access to the issue, per se. I think people are (justifiably) furious because you offer a product which is fundamentally insecure in its current state and seem to refuse to fix it. And it's not that websites which are using your product are susceptible to attacks, but that a malicious website can impersonate your product and it will be indistinguishable from a legitimate site. Let that sink in. A malicious website can be indistinguishable from a legitimate customer of yours, and users WILL enter their banking information. That is the heart of people's completely justified outrage here, and it's baffling that anybody on your security team could have possibly signed off on this. If people on your security team don't see the problem here they should be immediately fired and never work in the security field again. You guys better have some really expensive lawyers, because it feels like you are being criminally negligent here and should absolutely be held liable when some users inevitably have their lives destroyed as a result.

bauerm97 | 7 years ago | on: Unauthorized access to Docker Hub database

> We don't fine banks for being robbed. It's the robbers fault something bad happened, not the bank's.

No, we don't fine banks for being robbed. However, if the bank had clearly insufficient security on their vault, was notified of this being a problem, and made zero efforts to fix the problem then yes they should be held liable.

bauerm97 | 7 years ago | on: Docker Hub Hacked – 190k accounts, GitHub tokens revoked, builds disabled

The company I work for, Sylabs, is taking what I think to be a pretty great approach to solving this problem. Essentially we've introduced a container image format where the actual runtime filesystem can be cryptographically signed (you can read about that here: https://www.sylabs.io/2018/03/sif-containing-your-containers...). The Singularity container runtime we develop treats this concept of "end-to-end integrity" as a core philosophy. Our docker hub analogue, the container Library, is working to make cryptographic signing one of the fundamentals of a container workflow. We're also actively working on container image encryption, which I think will bump container integrity up a few notches.
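The "sign the runtime filesystem, verify before you run it" idea in the comment above, as an added Go illustration that is not Sylabs' or Singularity's code. The SignedImage layout, the SHA-256-then-Ed25519 scheme, and the sampleRootFS bytes are all assumptions made for the example; the real SIF format and its signing are not reproduced here. The point it makes is the one the comment makes: a tampered registry (the Docker Hub scenario) can rewrite bytes and even a stored digest, but cannot produce a valid signature under a key the runtime already trusts.

```go
// Added illustration (not Sylabs/Singularity code): a minimal "sign the
// runtime filesystem, verify before running" flow. SignedImage is an
// assumed simplification, not the real SIF layout.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrIntegrity is returned whenever the image must not be run.
var ErrIntegrity = errors.New("image integrity check failed")

// SignedImage stands in for a signed image file: the runtime filesystem
// bytes, the digest the signer saw, and an Ed25519 signature over that digest.
type SignedImage struct {
	RootFS    []byte
	Digest    [sha256.Size]byte
	Signature []byte
}

// NewSigningKey generates the publisher's key pair; the public half is the
// trust root a runtime pins before it pulls anything.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage hashes the filesystem bytes and signs the digest.
func SignImage(priv ed25519.PrivateKey, rootfs []byte) SignedImage {
	d := sha256.Sum256(rootfs)
	return SignedImage{
		RootFS:    append([]byte(nil), rootfs...),
		Digest:    d,
		Signature: ed25519.Sign(priv, d[:]),
	}
}

// VerifyImage is what the runtime does before it mounts anything. It
// recomputes the digest from the bytes actually present instead of trusting
// the stored one, then checks the signature against the pinned key.
func VerifyImage(pub ed25519.PublicKey, img SignedImage) error {
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("%w: no trusted public key configured", ErrIntegrity)
	}
	actual := sha256.Sum256(img.RootFS)
	if actual != img.Digest {
		return fmt.Errorf("%w: filesystem does not match recorded digest", ErrIntegrity)
	}
	if !ed25519.Verify(pub, actual[:], img.Signature) {
		return fmt.Errorf("%w: signature invalid under trusted key", ErrIntegrity)
	}
	return nil
}

// TamperRootFS models a compromised registry flipping a byte in the
// filesystem. With fixDigest set it also rewrites the stored digest, which
// is exactly what a hash-only "integrity" check would be fooled by.
func TamperRootFS(img SignedImage, fixDigest bool) SignedImage {
	out := img
	out.RootFS = append([]byte(nil), img.RootFS...)
	out.RootFS[len(out.RootFS)/2] ^= 0xff
	if fixDigest {
		out.Digest = sha256.Sum256(out.RootFS)
	}
	return out
}

// sampleRootFS is a constructed placeholder for a squashfs blob.
const sampleRootFS = "constructed-rootfs: /bin/sh /etc/passwd /app/server"

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	img := SignImage(priv, []byte(sampleRootFS))
	fmt.Println("clean image:", VerifyImage(pub, img))
	fmt.Println("byte flipped:", VerifyImage(pub, TamperRootFS(img, false)))
	fmt.Println("byte flipped, digest rewritten:", VerifyImage(pub, TamperRootFS(img, true)))
	otherPub, _, _ := NewSigningKey()
	fmt.Println("wrong trust root:", VerifyImage(otherPub, img))
}
```

The design choice worth noticing is that VerifyImage never trusts img.Digest on its own: the digest is recomputed from the bytes that will actually be mounted, and the signature binds those bytes to a key that was pinned out of band. A registry breach of the kind in the linked story can therefore replace images or digests but cannot make a modified filesystem verify.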