
Just to clarify, and I know you weren't saying they are related, but this has absolutely nothing to do with AI or vibe coding or manager code.

It's a continuation of the Shai-Hulud worm and the lack of security around developer dependency installations, which has existed for a very long time.

Hackers have figured out that developers themselves are an ideal target due to how easy it is to trick them into installing something and how much private information they have on their machines (creds, cloud clis, mcps, etc.).


> due to how easy it is to trick them into installing something

You have tools from large corporations where the official installation procedure involves copy-pasting a command from a random blog post, running it with sudo and watching it download and execute a script from a random filehost. This is somehow deemed acceptable by everyone involved.

Meanwhile I can't use teams in our meeting rooms, since any form of internet access was deemed a security risk in rooms where customer projects could be discussed. This is in a day and age where 90% of customer meetings are done over the internet.

Anyone trying to follow sane practices in this industry just asks to end up in a padded cell.


> Meanwhile I can't use teams in our meeting rooms, since any form of internet access was deemed a security risk in rooms where customer projects could be discussed. This is in a day and age where 90% of customer meetings are done over the internet.

I hope this is in jest. Are you saying in order to discuss any customer project you have to book a meeting room? So no discussions of customer projects at the open plan desks or even in your boss' office for fear that something might overhear that conversation? Or is this only when the customer happens to be on-site to discuss their project? Does your organization assign U.S. Military style NICKA code names to everything?


> Anyone trying to follow sane practices in this industry just asks to end up in a padded cell.

Same as it ever was.


> This is somehow deemed acceptable by everyone involved

By some, not all. It's been crazy from the start and it is still crazy to pipe a script to bash!


As with many other things, AI exacerbates this problem. It’s so easy for many more of these things to happen unattended and in greater volume, and the AIs themselves can be tricked into doing these things, not helped by their pattern of “prompt the user to approve 30 different inscrutable Python and bash scripts”.

I see the problem every day and am just playing devil's advocate, but it doesn't really do a good job explaining the "why".

They hint at Django being a different level of quality compared to other software, wanting to cultivate community, and go slowly.

It doesn't explain why LLM usage reduces quality or they can't have a strong community with LLM contributions.

The problem is that good developers using LLM is not a problem. They review the code, they implement best practices, they understand the problems and solutions. The problem is bad developers contributing - just as it always has been. The problem is that LLMs enable bad developers to contribute more - thus an influx of crap contributions.


The last section focuses on how to use LLMs to make contributions:

> Use an LLM to develop your comprehension.

I really like that, because it gets past the simpler version that we usually see, "You need to understand your PR." It's basically saying you need to understand the PR you're making, and the context of that PR within the wider project.


I think they explain "why" very clearly. They say the problem is people who don't understand their own contributions.


I don't think that's fair. I follow politics closely but prefer HN to stay technical. It shouldn't be offensive.


The "hide" link is right next to the "flag" link. Using flag instead of hide puts more strain on the mods, and is not the right thing to do for "this topic doesn't apply to my interests."


What if I would prefer that these topics don't show up at all?

What if I'm concerned that leaving such topics up would attract more of the kind of people that prefer discussing these topics over tech topics?

Hiding doesn't fix the problem.


> Hiding doesn't fix the problem.

There is no way you just wrote this wtffff


>Hiding doesn't fix the problem.

If your problem is that you have no means to control what other people find important enough to talk about on a public forum, in their spare time, or that the means at your disposal to do so are insufficient to make other people saying things that make you uncomfortable go away... That isn't a problem that can or should be fixed. Hell, the desire you've expressed could be uncharitably interpreted as being contributory to part of the problem that has people around you discussing politics in the first place.


FWIW I agree with you and recognize that to be one of the reasons it frequently isn’t allowed.

I also think there are very few places with the power to meaningfully dialog with and among people who build stuff in Silicon Valley. I have dozens of friends, coworkers, etc. who are in FAANG or the newer big tech companies, and all of them are extremely well paid, and most will insist they work for positive reasons. I believe that most of them believe in other people, and don’t want to build a surveillance society or one that concentrates all wealth and power in a few.

For this reason, I think that some conversations on here are important to have - the impact technology is having on people who are outside the tech sphere, the effect of leaders of our companies on the economy, geopolitics, and power generally. Mark Facebook is a powerful player on the world stage. So is Paul Graham, and Sundar Pichai. Davos just took place - leaders from major economies are seeking guidance from these people who many people here work for. Let nobody say they aren’t participating in politics. Where you work matters, what you build matters. It’s not tinkering around in people’s garages anymore - they’re building the infinity gauntlet and someone is gathering all the gems. The Death Star plans are on AWS.

To pretend otherwise is to deny one’s responsibility - in the short term frequently profitable. In the long term, the pendulum tends to swing back.


But it is the right thing to do for "this topic violates HN guidelines both in letter and in spirit, as well as predictably causing low-quality discussion threads".


We do not agree that it violates the HN guidelines, either in letter or in spirit.


> Off-Topic: Most stories about politics

> Please don't use Hacker News for political or ideological battle. It tramples curiosity.

To the latter point, hundreds of comments in, and nobody has even brought up the intellectual curiosity angle of this (what limits are in place to the Federal government using data from Federal programs for law enforcement purposes? and does it matter if the program is administered by individual states?).

Instead it's just political rage bait, including citing the Rev Niemöller poem as if we're talking about Nazis.

(It used to be part of Internet culture that the moment you compared something mundane to the Nazis, you automatically lost the argument and were mocked mercilessly. We should bring that back.)


I see a lot of intellectual curiosity here.


In this thread? No, I don't think you do.


I find somebody assigning my opinion to me to be strange.


Typical nazi behavior


Some things are not mundane and some comparisons to Nazis are actually appropriate and prescient.


I've never had a good experience with individual metrics leaderboards. On one team we had a JIRA story point tracker shown on a tv by a clueless exec. Devs did everything they could to game the system and tasks that required uncertainty (hard tasks) went undone. I believe it contributed to the cog culture that caused an exodus of developers.

However, I love the idea of an occasional team based leaderboard for an event. I've held bug and security hackathons with teams of 3-5 and have had no problem with them.


Agree, if they're going to guilt shame companies publicly and be defensive in replies, just dual license it. Not a great look.


You do realize it already comes with a matrix screensaver, right?


> But Omarchy is a reminder that we live in a world where software isn’t just software, but the people who make it.

I get people are totally within their rights to ban movies/software/sports, etc. for creators whose beliefs they disagree with. However, software is the people who make it? I rarely, if ever, know the authors who create software or what they believe in.


Not shocking, a lot of time goes into making Vite and they need to make money.

One approach is to set up consulting services. Looks like Void Zero's approach is to start building value-add tools and features on top of Vite that are no longer free.

The decision that users must make now is whether it's worth the risk investing in Vite, assuming that more and more functionality will move to the paid tier.


Consulting doesn't scale though and draws resources from development itself, harming both the OSS and the business side.

All functionality as part of OSS projects will stay there. OSS projects such as Vite, Vitest, Rolldown and Oxc will stay open source.

Eventually, the (financial) success of Vite+ is directly tied to the health, stability, and adoption of the free, open-source Vite ecosystem, so the incentive is rather low.


I can't speak for the person(s) you're referring to, but at least on HN it's generally always been anti-political.

The guidelines state:

> Please don't use Hacker News for political or ideological battle. It tramples curiosity.


Nearly everything we discuss here is political. Some people get triggered when the current administration gets criticized and pretend that's the line where politics starts, but it isn't. Accepting what the government does without question is the height of incuriosity. If the site owners had any interest in enforcing the guidelines, this place wouldn't be a cesspool of LLM shovelware self-promotion.


deep breaths, everything is going to be okay.


Come on now, security isn't easy but it's not rocket science. If someone is competent enough to be developing applications they're certainly competent enough to do security correctly by researching first.

