Yeah, mcp-go is a pretty well known project (I know it from godoc-mcp), but I don't know whether 'better' is the right word.
It looks like it's a case of builder pattern/runtime validated vs codegen/typed. The readme doesn't reference mcp-go by name, but it does lead with 'type-safe, intuitive', which could be a poke at it?
Do you know of anything that will autogen a golang mcp server from an OpenAPI spec? Seems completely do-able, and I'll write a tool for this myself if it doesn't already exist.
Isn't 'doctor's political beliefs' just another axis (proxy) people can use to make a guess about the competency level of said doctor?
If you 1 - think X and also 2 - think that everyone who doesn't hold the same belief is "dumb"/evil, isn't it logical to think a doctor is less "capable" (whatever that means to you) if he/she doesn't hold the same beliefs that you do?
My take is that the polarization/radicalization that is happening in the last 10 years made the second point pretty common (i.e. to think everyone who doesn't agree with you is dumb/evil) and this is just the consequence of this kind of thinking.
Maybe the takeaway from this is that healthcare becoming politicized is a problem in and of itself. Maybe then, we should consider who is driving this, anti-vaxxers, people pushing poorly regulated supplements as alternatives to tested medicines, etc., and listen to them less or not appoint them to positions of power.
At this level, there's nothing good/evil about medical science. It's as amoral as the sun rising in the day and setting at night. It doesn't matter what you feel about immigrants, tariffs or the price of eggs. As long as the FDA is able to do its job, treatments are tested. We know the effects and side effects of treatments.
The democrats seem as likely to choke down on speech, but it tends to be speech that represses others. The republicans choke down on speech that contradicts their vision of society or their personal moral compass. Although both contradict free speech absolutism, they are IMO fundamentally different.
If I were possessed of a religious faith that considered my name to be so holy that it must not be spoken, would a law against saying my name repress others, or would lack of that law repress me?
I find democrats' efforts misguided, but rarely are they "my views only, exclude all others". They don't typically involve library book challenges, what appear to be ctrl+f searches for specific terms that relate to people unlike them, don't involve "report on your coworkers" type demands, and so on.
And most of all they don't seem to identify any and all differing views as "enemies" and so on.
I asked myself this question before playing with it a bit. And now that I have a slightly better understanding, I think the main reason it was created was as a way to give your LLM access to your local resources (files, envvars, network access...). So it was designed to be something you run locally and the LLM has access.
But there is nothing preventing you making an HTTP call from an MCP server. In fact, we already have some proxy servers for this exact use-case[0][1].
> it also makes it easier for people to coast, and turn in half assed work, which is certainly a pathway to the decline of knowledge work
I understand your sentiment and I partially agree with it. But this kind of phrasing implies that "doing the bare minimum" (to put it in another way) is a strictly bad thing.
Sure, it's easy to condemn someone "half-assing" a job by labeling him as lazy or something like that. But the reality is that most of the time we don't need the best nor are we willing to pay properly for this effort.
Imagine your baker, for example. Do you really need 100% of his effort and care to be put into every single bread he makes? For me this answer is "no". All I care about is that he complies with all regulations and that his bread tastes good, I don't really mind if it's not the best bread in the world. And even if it was the best I probably would find it too expensive to buy on a daily basis.
Another example would be blacksmiths, at some point they were our only option to make something out of metal, and they would put quite a lot of care and attention to every piece they made. But at some point we created some machines that can create things out of metal. These machines, at first, weren't really good and the products they made were of inferior quality. But they had enough quality to be useful, were cheaper and were able to produce immense quantities of goods.
What I'm trying to say is that sometimes the "low effort" option is the correct choice. And I don't think this means the decline of knowledge work, this just means we will see a change in what is considered "relevant skills" for knowledge work.
I guess the thing is I don’t want to do the “bare minimum” I want what I do in life to mean something. I want to work hard and care about everything I do. Whether that’s family or work or leisure. Coasting and doing the bare minimum is not a good way to live. Society is pushing people to spend more and more of their life on meaningless slop, then wonder why there is a mental health crisis.
Earnings for contributing to human knowledge also need to be higher, which is why lots of people don't choose those paths and have to commit to grinding corporate ladders.
I'm not worried about them exactly. I'm sad that their need to be exploitative is influencing what products and features get made and what jobs are available.
I want to make things that respect the user and treat them with the love they deserve.
Looks like you already know what you want to do and how you want to do it; obsessing over assholes won't do anything for you, right? I'm only saying this to provide perspective
> Imagine your baker, for example. Do you really need 100% of his effort and care to be put into every single bread he makes?
But the analogy here is, if all bakers started using bread machines every day, and new bakers only learn how to ask the bread machine to make bread, the decline of baking will surely be a step closer.
And sure we can quibble over tools the baker uses such as ovens or dough mixers or what have you, but ultimately they must know how to make bread. AI platforms attempt to remove the need to understand the code, so that people don't need to learn how it works to make it.
>But this kind of phrasing implies that "doing the bare minimum" (to put it in another way) is a strictly bad thing.
It is. It shows a lack of character. Have some pride in your work. Have some pride in yourself. Being lazy is pathetic.
>Sure, it's easy to condemn someone "half-assing" a job by labeling him as lazy or something like that. But the reality is that most of the time we don't need the best nor are we willing to pay properly for this effort.
There is no such thing as "need". You don't need anything. People lived for thousands of years on a diet of mostly grains living in uninsulated houses with open fires. Everything is a want. People's wants are never satisfied, you can always want more.
But even if nobody else will appreciate it, you should do the right thing anyway. You should do it because you take pride in your work.
>Imagine your baker, for example. Do you really need 100% of his effort and care to be put into every single bread he makes? For me this answer is "no".
Nothing to do with what I want. He needs to put in the effort. He needs to do it for himself.
>These machines, at first, weren't really good and the products they made were of inferior quality. But they had enough quality to be useful, were cheaper and were able to produce immense quantities of goods.
The men that designed the machine, or ran the machine, or made the moulds, or assembled the parts, all of them worked bloody hard and were proud to do so for their families and for themselves. Work ethic was prized. This wasn't low effort. It was a different tradeoff between material inputs and material outputs, but it required no lesser work ethic. It didn't permit laziness or idleness.
There is nuance to the two separate ideas of "doing the bare minimum" and "taking pride in your work". I agree with you that taking pride in your work is important; I wish it were more highly valued nowadays, honestly.
The flip side is that "taking pride in your work" nearly always results in being taken advantage of by your employer, at least in salaried positions. And if you can spot the social patterns and games played such as valuing employees that work overtime (without pay), on weekends, etc., it is clear that employers love getting more value from employees without compensating them. Work extra hard for 6 months to maybe possibly get a promotion? People are generally waking up to this reality, hence the 'quiet quitting' mindset.
One can both take pride in their work, and respect their time by adhering to their employer-employee contract as written.
Lastly, in the baker example, they have a direct reason to put in their best effort (assuming the baker owns their bakery): they will gain goodwill and repeat customers if they bake very well. A salaried worker is so far removed from being directly compensated for their work. I predict the situation would be very different if salary work got commission based on sales and overtime pay.
>All I care about is that he complies with all regulations and that his bread tastes good, I don't really mind if it's not the best bread in the world.
That's part of the issue. They ignore regulations and the bread has mold. But we eat it and say "well I'm not dead". Because we're being conditioned to eat, not taste. To consume, not question.
Meanwhile, I complain the bread tastes stale and moldy and I get argued down by fake bakers that "no you don't understand this is the future of bread". Well, it sucks. I don't care how much you're paid to say otherwise or promise that it'll taste "good" (read: not crap) in a few years. I'll go to my bakery until then instead of having your bread shoved down my throat.
Make it taste like bread first instead of hyping up how it looks so close to bread. That's the whole issue causing the downfall of society.
There’s also the case that the regulations don’t exist.
And what’s more worrying is things where the negative impact is higher order.
If the bread has some poison that will kill you in 5 years time etc.
Currently we maintain a bar partially with human ethics and processes, whether that is directly preventing bad outcomes because of liabilities or reflecting on bad outcomes once they happen to improve regulations (a lot of which relies on introspectability).
Once AI starts replacing the decision-making layer, we lose the collective understanding of how processes fail. Once you start needing to constrain the space of machine error, you’ve basically arrived at almost solving the problem again.
Yes, I do appreciate my FDA making sure any properly rated eatery isn't potentially serving poison. Another big issue as of late to worry about asubgpvernmejr decides shilling crypto and EVs (which he ended the tax credit for... oh, and not tariffs!) is more important than simply keeping regulatory bodies operating.
> I soon realized that NeoVim is hard. I keep on forgetting how to do things.
Please don't take it in a bad way, but I suspect you don't really grok Vi[0].
Vi/ViM/NeoVim is a language for text manipulation. If you keep thinking in terms of "a bunch of shortcuts" you will have a pretty bad time with this editor.
For example, in your cheatsheet 'gg' and 'dd' are presented in the same way. Sure, both are commands in the normal mode but the similarities end there. 'gg' is a motion command whereas 'dd' is a shortcut for 'delete the current line' which can also be expressed as: 'Vd', '0d$', '0D', '$d_', ...
The important part to note about 'dd' is that it has 2 parts: 'delete' and 'current line'. 'delete' defines what you want to do and 'current line' defines where the action should be applied. When you understand this, things get way easier because you just need to learn a couple 'actions' and a couple 'motions' to do most of the things. And every time you learn something new you can also combine it with everything you already know.
But don't be discouraged by what I just wrote, you are on the right path. Have fun and keep hacking!
Hey! I think you are absolutely right, thank you for noting this! I already realized that having an understanding of the "subcommands" is what will lead me to success, as they are also easier to remember, because from a "combo" they will become understandable bits. I actually plan on writing a "breakdown" for these compound entries so I (and others) can also grok vi 8) Well... eventually :D
I agree with you, but this doesn't mean this data is useless.
You could count how many people are using their phones by speaker.
"When Alice speaks 18% of the members use their phones for more than 15 minutes, but when Bob speaks the rate is 27%." could be a proxy to understand how important the parliament thinks the subject/speaker is.
This project doesn't seem to collect data, it posts the photo from the stream to social media and tags the politician. You might be able to derive the data you're talking about from the social media posts and timestamps, but that is obviously not the primary purpose.
The notion that you must have your phone away and be giving all your attention to a speaker is so antiquated and worthless.
I have issues with auditory processing and attention. If you deliver information to me verbally in a format where I cannot rewind/playback, have no subtitles or text to consume alongside it, and demand my full attention, I will have objectively worse reception of whatever information you're communicating. The way neurotypicals demand adherence to these, to be blunt, ceremonies of conveyance is tiresome and interferes with the goals they espouse of communication.
In fact I would go so far as to say a lot of the time, the goal is not communication at all; it is a demonstration of one's power and authority over others. If your goal is actually communication, text is better in every way. Every reader can read at a speed of their choosing, re-read parts they missed, have a speech-to-text program read it to them if they like, stop in the middle and tend to something time sensitive, what have you. A live speech allows none of this.
So yes, I probably use my phone while you're talking. I probably have my AirPods in too, because the settings where they remove background noise and just give me the person speaking are phenomenally useful. I might even be watching or having my phone transcribe what you're saying, too. And if you're going to try and chastise me for it, fine, that's your prerogative, but then I'm probably starting a job search for a place that will appreciate my skills and not demean me for not being able to perform "good worker vibes" to your arbitrary standards.
Preventing others from using tools that help them focus because you are in a position of power to determine what "focus" looks like is exactly the point the parent comment was making.
"Being able to focus on a speech" looks different for differently-abled people. Just because it doesn't look like focus to you doesn't mean you or anyone else should get to dictate the tools I or anyone else use to enhance our focus control.
Different people have different needs in order to focus fully on something. It reeks of entitlement to look at another person and decide how they get to manage their focus.
I think you stated this a bit better than I did, and certainly more concisely. It's immensely frustrating and exhausting to have to constantly defend myself against accusations of not being attentive enough, not being responsive enough, not "looking like I work hard" enough.
If you want someone who looks and runs about like a good little office bee, then I'm (quite evidently) not your girl. That said if you want your jobs handled on-time, to spec and beyond, and with care and consideration for the end users, that's me.
so.... in theory you should be able to create several visually identical links that give access to different resources?
I've always assumed links without any tracking information (unique hash, query params, etc) were safe to click (with regards to my privacy). but if this works for links I may need to revise my strategy regarding how to approach links sent to me.
"Visually identical" is never good enough. Have you heard of attacks confusing Latin letters and Cyrillic letters? For example C versus С. (The latter is known as CYRILLIC CAPITAL LETTER ES.) Have you heard of NFC forms versus NFD forms? For example é versus é (LATIN SMALL LETTER E + COMBINING ACUTE ACCENT versus LATIN SMALL LETTER E WITH ACUTE.)
Nothing that's important when it comes to security and privacy should rely on a "visually identical" check. Fortunately browsers these days are already good at this; their address bars use Punycode for the domain and percent encoding for the rest of the URL.
As the sibling comment has mentioned, Unicode in DNS uses a punycode encoding, but even further than that, the standard specifies that the Unicode data must be normalized to NFC[0] before being converted to punycode. This means that your second example (decomposed e with combining acute accent vs the composed variant) is not a valid concern. The Cyrillic one is however.
[0] https://www.rfc-editor.org/rfc/rfc5891 § 4.1 "By the time a string enters the IDNA registration process as described in this specification, it MUST be in Unicode and in Normalization Form C"
Sure, but the security concerns of that I feel are much less concerning than having multiple domain names with the same visual appearance that point to different servers. That has immediate impact for things like phishing whereas lookalike path or query portions would at least ensure you are still connecting to the server that you think you are.
Yes but I guess that the message was meaning that browsers now detect homographs and display the punycode instead. See also https://news.ycombinator.com/item?id=14130241; at that time Firefox wasn't fixed, but in the meantime it fixed the issue too (there's a network.idn.punycode_cyrillic_confusables preference, which is enabled by default).
My understanding is that "weird" unicode code points become https://en.wikipedia.org/wiki/Punycode. I used the 󠅘󠅕󠅜󠅜󠅟 (copy-pasted from the post, presumably with the payload in it) to type a fake domain into Chrome, and the Punycode I got appeared to not have any of the encoding bits.
However, I then pasted the emoji into the _query_ part of a URL. I pointed it to my own website, and sure enough, I can definitely see the payload in the nginx logs. Yikes.
Edit: I pasted the very same Emoji that 'paulgb used in their post before the parenthetical in the first paragraph, but it seems HN scrubs those from comments.
domains get "punycode" encoded, urls get "url encoded"[1], which should make unicode characters stand out. That being said, browsers do accept some non-ascii characters in urls and convert them automatically, so theoretically you could put "invalid" characters into a link and have the browser convert it only after clicking. That might be a viable strategy.
> I've always assumed links without any tracking information (unique hash, query params, etc) were safe to click (with regards to my privacy). but if this works for links I may need to revise my strategy regarding how to approach links sent to me.
Well, it was never safe; what you see and where the link is pointing are different things. That's why the actual link is displayed at the bottom left of your browser when you move your mouse over it (or focus it via keyboard).
You need to decode the text after copy pasting it, I believe clicking on text will not interact with the obfuscated data since your computer will just find the unicode and ignore the obfuscated data.
This is just so that you can hide data and send it to someone to be decoded (or watermarking as mentioned)
but my fear is precisely that I may be sending data to a remote host while I'm completely unaware of this fact.
I tried to create a POC with some popular URL shortener services, but it doesn't seem to work.
what I wanted to create was a link like <host.tld>/innoc󠅥󠅣󠅕󠅢󠄝󠅙󠅔󠄪󠅑󠅒󠅓ent that redirects to google.com. in this case the "c" contains some hidden data that will be sent to the server while the user is not aware. this seems possible with the correct piece of software.
URIs with non-ASCII characters are technically invalid. Browsers and the like should (but likely don’t all do) percent-encode any invalid characters for display if they accept such invalid URIs.
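The checks discussed in this thread (NFC before Punycode for the host, percent-encoding for the rest, and flagging code points that draw nothing) can be run on a link before it is clicked. This is an added example, not code from any commenter; the sample URL is constructed, the script check is a name-based heuristic, and `host_to_ascii` is a simplified stand-in for full IDNA processing.

```python
import unicodedata
from urllib.parse import quote, urlsplit

# Variation selectors draw nothing themselves, so a run of them can trail a
# visible character unnoticed.
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


def hidden_code_points(text):
    """List (index, 'U+XXXX') for characters that render no glyph of their own."""
    found = []
    for i, ch in enumerate(text):
        cp = ord(ch)
        is_vs = any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS)
        # Cf covers zero-width spaces/joiners, direction marks and tag characters.
        if is_vs or unicodedata.category(ch) == "Cf":
            found.append((i, f"U+{cp:04X}"))
    return found


def scripts_in(label):
    """Heuristic script detection: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def host_to_ascii(host):
    """NFC-normalise the host, then Punycode every non-ASCII label.

    Simplified: real IDNA processing also applies mapping and validity rules.
    """
    out = []
    for label in unicodedata.normalize("NFC", host).split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def inspect_url(url):
    """Report what a URL contains beyond what its rendered text shows."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Percent-encode path and query so every non-ASCII byte becomes visible.
    encoded = f"{parts.scheme}://{host_to_ascii(host)}{quote(parts.path, safe='/%')}"
    if parts.query:
        encoded += "?" + quote(parts.query, safe="=&%")
    return {
        "ascii_host": host_to_ascii(host),
        "mixed_script_labels": [l for l in host.split(".") if len(scripts_in(l)) > 1],
        "hidden": hidden_code_points(url),
        "encoded": encoded,
    }


# Constructed sample: Cyrillic U+0430 in the host, two variation selectors in the path.
SAMPLE = "https://ex\u0430mple.com/innoc\U000E0155\U000E0163ent?q=1"

if __name__ == "__main__":
    for key, value in inspect_url(SAMPLE).items():
        print(f"{key}: {value}")
```

The composed and decomposed "é" collapse to the same host after NFC, while the Cyrillic look-alike still yields a different `xn--` label, which matches the distinction drawn in the comments above.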
For every account I create on the internet I create a new mail inbox, this way I can just compare the email title with the inbox it was sent to. So, when I receive a notice from my bank on my github email I know what happened. This genuinely saved me a few times already.
Most providers let you run a catch-all address on your own domain. You usually set it up with just a check-box "catch-all" and where to send all mail, or you write the username as "*" in an alias.
Not GP either, but this. To name a specific provider, I use improvmx.com. They have a generous free tier, I eventually switched to some low paid tier. Not affiliated, happy user.
This feature is available for no extra cost from panix.com with the "+" (dcoder+anytext@panix.com) technique, and I can use filters on the address.
Since many sites can't believe that an email address can have a "+", I can also use "anytext@dcoder.users.panix.com" at most sites instead of dcoder@panix.com. ("anytext" typically, for me, being the name of the company or organization that I'm dealing with. Also, my Panix account is not really "dcoder".)
I have received phishing attempts for cryptoscams that still had my tagged address and identified the source of the leak that way... but I'm sure there are more cautious scammers and spammers who remove it, still can be the poor man's version of a catchall address I guess.
Sounds like it's time for someone to set up an email service that offers the same functionality without the +. There would be some headaches and it would limit the degrees of freedom users have with base email addresses, but I'd use it!
Fastmail lets you make as many redirects as you want, no + in them.
You can even get an api key for it and plug that into bitwarden, so that when you sign up for whatever, you click bitwarden, generate password, generate email, sign in and it's all set. So smooth. (I sound like an ad, but internet pinky promise no affiliation)
I'm curious - is there a benefit to doing so versus using Apple's Hide My Email (or a similar service) or appending +service to a gmail email address? Completely ignorant on the topic so apologies if this is a silly question.
I'm not really sure how Apple's Hide My Email works, but my impression is they work by creating a proxy email for you. If that is the case, it should be a good solution for protecting your privacy. The problem is you become hostage to Apple, because now if you lose access to your Apple account you also lose access to ALL your accounts (potentially). It's probably on the same level as using a password manager like BitWarden.
I've just explained the problem with the gmail tagging in another comment.
As far as I know Samsung isn't a Korean family name, it's just a brand.
That said, are you sure it wasn't the + that caused the problem? I've run into that a few times, presumably when someone tried to roll their own email validation.
It's probably a specific policy of Samsung which doesn't allow the word samsung in recipient addresses. I had the same issue, but with samsung@private-domain.tld
Sometimes you can sign up with the + but when you try to log in either on the homepage or an app, the login is invalid because of that + sign. Different validations. Stopped using that way after getting locked out of accounts 6 months later...
My usual "smasung" typo worked fine when I registered with them. I use a service for disposable addresses redirected to my main mailbox for potentially spammy registrations which I don't really care about, instead of just creating new accounts which is way too inconvenient to manage.
I'll make these intentional letter swaps every time just to avoid regexes and automatic filters.
Yup. Got my own domain(s) and use a different address for all my services (like with Gmail where you could append +service to your email but with a completely distinct email per service like paypal@mydomain.com). Helped me several times to identify spam & phishing without even having to check the E-Mail itself.
My guess is that you probably know what I'm going to write, but a lot of people don't realize this 'Gmail trick' doesn't really work.
The problem is that foo+bar@gmail.com and foo@gmail.com are delivered to the same inbox, so if you are trying to scam someone it is safe to remove anything after the + in a gmail address.
And having a custom domain on gmail doesn't improve your situation, because with just a simple 'dig mx' you can know if the domain is hosted on gmail and apply the same regex to remove all labels.
So, to be less inflammatory the feature works as expected. But it only protects you if the bad actor is really dumb/lazy or if he is honest.
I do the same as the person you're responding to. There is no '+' in my email, I just create random strings @mydomain. It's impossible for a scammer to know they all go to one inbox.
Some people really love putting dumb validation rules for emails in forms... You would be surprised to know how many systems in the real world will just refuse anything that is not a letter or a number in your email.
And the 'fuck them, I won't do business with them' attitude doesn't really work if the system that won't accept your email is the local gas company.
And there is another problem, some systems will just remove any label without informing you. I've had this problem logging in some random websites. My account was created with foo+bar@gmail.com but to log in I had to use foo@gmail.com.
Not surprised at all, I've been using the Internet and writing software for a couple decades now. Heck, I might've written one of the validators you're complaining about. But they are typically written to avoid +, for the exact reasons you described.
For those sites, you can add a dot in your username. Then you can ignore any emails sent to an address without the presence of a dot or a plus.
I'm sure there are sites that don't accept dots either, but I've never run into one. So you have to make an exception? Oh well.
I agree that it's easiest to do with service@domain.tld, like the grandparent suggested.
IIRC dot is one of the characters that can't be discarded when checking local addr part (RFC 5322). So fubar@domain.tld and fu.bar@domain.tld are different addresses really. As far as I understand - it's the Gmail team's decision to configure local addr interpretation and allow `helloworld@gmail.com` and `hello.world@gmail.com` to be treated as the same address.
I'd expect that dot trick rarely works anywhere outside of gmail world.
+ sign is part of the standard (`atext` token, RFC 5322), so sites, which disallow it in address are doing it wrong.
The fact, that industry adopted a practice of using everything after + sign as a "tag" is not captured anywhere so this creates even more mess in already messy space (e.g MS followed GSuite in this too and added subaddressing - https://learn.microsoft.com/en-us/exchange/recipients-in-exc...)
I use a similar approach due to me having the luxury of an owned domain.
The problem, however, is that most companies still rely on crappy Enterprise services like Microsoft Office. For most people managing identities like this is impossible to do - due to either lack of user-friendly options or due to too high thresholds of necessary IT knowledge.
I mean, we are speaking about having to configure Dovecot and Postfix and similar tools, and I fuck that up regularly. And we are also assuming that they have to be unguessable (you have github@? maybe I should target linkedin@, too, then!) which implies that they have to be random-looking which means they will likely be blocked by registration filters.
Newer projects like Maddy [1] kind of go towards that direction, but are still targeted at developers or sysadmins.
'Creating a new inbox' was an exaggeration on my part. What I have is a catchall on my fastmail account. But when I talk about creating inboxes it seems to make it easier for normal people to understand what I'm doing and the benefits it brings.
> we are also assuming that they have to be unguessable
That would be nice, but I don't have a nice way of doing it. I've tried to use something like rot13 to make it less obvious, but it is a pain to manage it. It would be nice if there existed a cypher that was pretty easy to do in my head, but I never found anything like this.
> you have github@? maybe I should target linkedin@, too, then!
Yes, this is a problem. For a targeted attack this may become a weak point in my defense. But this is a calculated risk I'm willing to accept for now.
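One way to get per-service aliases on a catch-all domain that are not guessable from one another, as an added example rather than anything a commenter posted: derive a short tag from the service name with a keyed MAC, so the scheme lives in a script or password manager instead of in your head. The function names, the `example.org` domain and the secret are hypothetical; the alias uses only letters and digits so it passes the strict form validators mentioned in the thread, and the recipient check is assumed to run in whatever filter handles the catch-all.

```python
import base64
import hashlib
import hmac
import re

TAG_LEN = 8  # base32 characters kept from the MAC (40 bits)
LABEL_RE = re.compile(r"[a-z0-9]+")


def _tag(secret: bytes, service: str) -> str:
    """Keyed tag for a service label, in lowercase base32 (a-z, 2-7)."""
    mac = hmac.new(secret, service.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_alias(secret: bytes, service: str, domain: str) -> str:
    """Build the address to hand to one service, e.g. github<tag>@example.org."""
    service = service.lower()
    if not LABEL_RE.fullmatch(service):
        raise ValueError("service label must be letters and digits only")
    return f"{service}{_tag(secret, service)}@{domain}"


def service_for(secret: bytes, address: str, domain: str):
    """Return the service an inbound recipient was issued to, or None."""
    local, _, addr_domain = address.lower().rpartition("@")
    if addr_domain != domain.lower() or len(local) <= TAG_LEN:
        return None
    service, tag = local[:-TAG_LEN], local[-TAG_LEN:]
    if not LABEL_RE.fullmatch(service):
        return None
    # Constant-time comparison on bytes; a guessed tag fails here.
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(secret, service).encode("ascii")):
        return None
    return service


def classify(secret: bytes, recipient: str, claimed_sender: str, domain: str) -> str:
    """'reject' for aliases never issued, 'leaked' when the alias belongs to
    a different service than the one the mail claims to come from."""
    service = service_for(secret, recipient, domain)
    if service is None:
        return "reject"
    return "expected" if service == claimed_sender.lower() else "leaked"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value; keep a real one private
    alias = make_alias(secret, "github", "example.org")
    print(alias)
    print(classify(secret, alias, "github", "example.org"))
    print(classify(secret, alias, "mybank", "example.org"))
    print(classify(secret, "linkedin@example.org", "linkedin", "example.org"))
```

Knowing the github alias tells a sender nothing about the linkedin one, and a bank notice arriving on the github alias is classified as a leak without opening the message.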
Microsoft used to let you get 500 free emails under any domain you added, for years. I miss those years. Had the nice benefit of putting you into Microsoft's ecosystem. I was able to make emails for different sites too.