gitgrump | 4 years ago | on: What NPM should do to stop a new colors attack
Dear Christ, I'm sick of this dichotomy. Deliberately releasing code like this is malicious, and was clearly done with intent. I'm not sure if you could sue, but there is such a thing as torts. You can't booby trap your yard and then be like "BUT I SAID NO WARRANTY!" when someone expects it to be a normal yard and then blows their leg off.
> If Lodash issued a breaking change...
It's called intent. Did Lodash _intend_ to break users' programs? Probably not. That's for a court to decide. Did this dude intend to break users' programs? The legal system is set up to resolve questions like this, not get fooled by clever gotchas from software developers. Intent matters in the eyes of the law and I'm utterly flummoxed and quite frankly concerned that so many developers don't understand that.
Simultaneously, pulling thousands of double digit layers deep of random-ass dynamic code dependencies is _also_ a bad idea at best, and professional negligence at worst.
The package author can be liable. The people who rely on him can, at the same time, make bad professional choices. Both things can be true.
gitgrump | 4 years ago | on: What NPM should do to stop a new colors attack
I mean, the bare naked reality is that software, web software in particular, is still like... a hundred-billion dollar industry. Maybe more. As long as it's still profitable enough to deal with these supply chain attacks occasionally, and nobody legislates or regulates things, we'll keep lumbering along like this. I'm disappointed, and I don't like the current state of affairs, but we can't just expect anything to change in the absence of any kind of external pressure.
gitgrump | 4 years ago | on: U.S. surgeons transplant pig heart into human patient
Transplant recipients are on immunosuppressants forever anyway, so this is as inconvenient as receiving a human heart. And hey, it beats being dead!
gitgrump | 4 years ago | on: U.S. surgeons transplant pig heart into human patient
Careful, or they might eventually become a human heart attack!
gitgrump | 4 years ago | on: More Americans are saying they’re ‘vaxxed and done’
And we're having a discussion. You asked for proof, then said it wasn't good enough. So why ask for it in the first place?
gitgrump | 4 years ago | on: More Americans are saying they’re ‘vaxxed and done’
I'm not going to prove to you that vaccines work, sorry. Do your own homework, but remember that you're (probably) not an immunologist. Do what thou wilt.
gitgrump | 4 years ago | on: More Americans are saying they’re ‘vaxxed and done’
But statistically it is. Unvaccinated people die more. Vaccinated people die less. You can't _know_ in a meaningful sense in your specific instance, but your risk is what it is no matter what. I'm not sure what's hard about this.
gitgrump | 4 years ago | on: More Americans are saying they’re ‘vaxxed and done’
Risk after-the-fact doesn't work like that. Probabilities cease to be probabilities after the event happened. Plus, don't forget about all of the dead people who are unable to write posts like this. I'm glad you're okay, but as the sibling comment said, your risk was higher, especially being overweight and asthmatic. If you win a slot machine one time, it doesn't mean everyone else will also win the slot machine. Getting lucky doesn't mean there was never any risk, it just means you got lucky this time.
gitgrump | 4 years ago | on: More Americans are saying they’re ‘vaxxed and done’
> at this point I want better public health evidence from CDC
> At this point I don't really think that pointing at CDC public health releases is going to convince a scientist like me.
I just watched you move the goal posts in realtime.
gitgrump | 4 years ago | on: Dev corrupts NPM libs 'colors' and 'faker', breaking thousands of apps
This wasn't AWS CDK, it was a package to fake data and a package with some ANSI escape sequence constants. The comparison doesn't make sense. The problem is that developers apparently can't even differentiate between when you should use a library and when you shouldn't; they just pull in the first result from an NPM search. You can probably trust AWS, which is good because CDK is complicated. You can't necessarily trust random NPM package authors, which is good because rewriting `colors` is not a Herculean task.
gitgrump | 4 years ago | on: Dev corrupts NPM libs 'colors' and 'faker', breaking thousands of apps
No. JavaScript developers (and Go developers) live in the "wild, wild west". Those of us using system package repositories with proper maintainers have been doing just fine for years, thanks.
gitgrump | 4 years ago | on: Dev corrupts NPM libs 'colors' and 'faker', breaking thousands of apps
Honestly? They probably don't know how, or that's just not part of the JS culture. I've met a lot of JS-only developers, and most probably don't even know what ANSI escape sequences are, let alone how to work with them. The lack of basic computer knowledge from the JS ecosystem is shocking. I don't expect this to poll well in Peoria, as it were, but this has been my consistent observation.
gitgrump | 4 years ago | on: James Webb is fully deployed
I keep telling people that, no matter what, we're going to learn something cool about the universe. I'm so excited to see these images. I mean, imagine humans 10,000 years ago, just surviving, maybe figuring out agriculture, and thinking about their place in the world. They looked up at the stars in wonder. Now, we've progressed to the point where we can polish gold down to the nanometer, and we're sending a giant hunk of origami circuits out to L2 to squint back to nearly the beginning of time as part of our eternal quest for answers.
Your comment is not silly.
gitgrump | 4 years ago | on: James Webb is fully deployed
Yup! If the universe's age were a single year, we're looking back to January 6th. Truly remarkable. :)
gitgrump | 4 years ago | on: In Response to My first impressions of Web3
Why would I bother with an NFT when I can already effortlessly copy bits? Digital property is not physical property and I'm not sure why people are still so intent on shoehorning the characteristics of the latter into the former.
gitgrump | 4 years ago | on: Tell HN: Full macOS reinstall because Apple ID
I meeeaan, "wants to wipe out another country" and "former president denied the Holocaust ever happened" can apply to a surprising number of places.
gitgrump | 4 years ago | on: Canon is telling customers how to override counterfeit cartridge warnings
The hygrometers in my house swing between 30% and 70% depending on the season, but I apparently don't need to take that into account when buying printer ink. "Uh oh, it's raining! Honey, get the South America ink cartridge, quick! I have a form to print!"
gitgrump | 4 years ago | on: Tips to grow your North Korean Startup
Erm, no? That's unnecessarily reductionist. "Can compel you to pay taxes" is not the same as "authoritarian". Go ahead, criticize the President online in the United States. Notice how you weren't jailed or executed? Now try something similar in an authoritarian nation.
gitgrump | 4 years ago | on: Inviting another GitHub user to be your successor
There are more resilient solutions to this problem. Don't rely on unreliable software.
gitgrump | 4 years ago | on: How programmers make sure that their software is correct
Software will never be perfect, but most people aren't actually arguing for perfect. I've seen complicated web apps shit the bed with single-digit requests per second, and those developers also said it doesn't need to be perfect. Forget perfect, how about "doesn't immediately fall over under load"?