Hacker News: bmandale's comments

Having assets under management doesn't mean you have that money. You don't own it, you are just taking care of it for somebody. When describing a company as an $X billion company, conventionally this is referring to the market cap. You could use it to describe other things they possess if you wanted to, but assets they manage will never be something they possess.

Ok, so we're engaging in sophistry. Got it.

Language is a communication tool. If you misuse language you will be badly understood. The solution is to use the correct word for what you mean, not to accuse others of sophistry.

How about 'pedantry'? I'd go with 'condescending', but that was clearly your intent.

People misunderstood your original reply. Correcting you is not pedantry.

> One of our developers was compromised by a recent supply-chain compromise on Tanstack

...which in turn was caused by bad design of github's CI pipeline. Funny how it all comes back around like that.


Yeah... full circle.

Interestingly, it fails as well, in two ways. First:

> The string may begin with an arbitrary amount of whitespace (as determined by isspace(3))

Second is that it only applies to signed long long, not unsigned.
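Added example (not part of the thread), assuming the function the comment refers to is strtoll(3) / strtoull(3): it shows the two lenient behaviours named above, leading whitespace being skipped and a '-' sign being accepted even on an unsigned conversion, next to a strict wrapper that rejects both along with trailing junk and overflow.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient libc behaviour, for comparison: whitespace and sign are accepted. */
long long lenient_signed(const char *s) { return strtoll(s, NULL, 10); }

/* On an unsigned conversion a leading '-' is still accepted; the value is
   negated modulo 2^64, so "-1" quietly becomes ULLONG_MAX with no error. */
unsigned long long lenient_unsigned(const char *s) { return strtoull(s, NULL, 10); }

/* Strict decimal parse of an unsigned 64-bit value. Returns true on success.
   Rejects empty input, leading whitespace, any sign, trailing characters,
   and out-of-range values. */
bool parse_u64_strict(const char *s, unsigned long long *out)
{
    if (s == NULL || *s == '\0')
        return false;
    /* strtoull would skip these itself, so check before calling it. */
    if (isspace((unsigned char)*s) || *s == '+' || *s == '-')
        return false;
    errno = 0;
    char *end;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE)          /* value does not fit in 64 bits */
        return false;
    if (end == s || *end != '\0') /* no digits consumed, or trailing junk */
        return false;
    *out = v;
    return true;
}

int main(void)
{
    const char *inputs[] = { "42", " 42", "-1", "42x", "", "99999999999999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        unsigned long long v;
        bool ok = parse_u64_strict(inputs[i], &v);
        printf("\"%s\": strtoll=%lld strtoull=%llu strict=%s\n", inputs[i],
               lenient_signed(inputs[i]), lenient_unsigned(inputs[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```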


Some people would set up tooling to look for compromises the moment they get published. What's neat about this is that as an attacker you have no way to determine beforehand whether you'll get caught by this. So you would run your attack, it would lead to a compromised package being published, then the world would get a chance to look at it and see if they can detect the issue with it. This would of course lead to attackers being a lot sneakier. But I think due to the opaque nature of what checks people are running against packages and what they might notice, a much smaller number of attacks would make it through. Of course the ones that did by definition would be the ones that were impossible to detect and would thus stick around a lot longer.


Open source does not mean open community. You can just throw tarballs over the wall.


Missed the original. That seems like a reasonable way to highlight software that you believe is fundamentally insecure. Obviously you can't be on the hook to fix deep architectural issues yourself, but just submitting a single PR will be treated as "problem solved". Since most of any software contains some vulnerability, just saying "this software has an RCE" isn't actually a disclosure at all. The real issue is that the given vulnerability was (supposedly) easy to find, which if true is not something that will be fixed by targeting just that exploit chain, and needs deep changes to fix.


There are no "defaults that work for everyone". Well designed tooling acknowledges that and makes it easy to tune the software to your preference.


Politics are generally off topic and tend to be flagged.


Only true for non US politics.


> How do they get money for free?

Market power.

> What is stopping everyone else from doing the same?

See above.


Nice circular reasoning you got there. How do they have market power? Did they get it for free?


No, they got it by Gmail being a loss leader paid by Google AdSense in the search engine. Now they have AdSense in Gmail directly, so I guess it pays for itself.


So, Google built a superior product that is profitable and we are supposed to be mad about this?


AT&T was once broken up and then after that you could connect a modem to a phone line. The whole public use of the Internet is a consequence of breaking up a “superior product” that became a bloated market incumbent resting on its laurels.


No, we should be mad at Google or any other BigTech taking over a big enough chunk of a federated system to basically dictate what can be sent/received and what not. With no human in the loop if you don't agree with their decisions.


That's protection money, though Trump so far hasn't demonstrated to be particularly worried about honoring those payments.


Hear me out: Altman is signing deals with the Pentagon and AWS (government sector) in the last thirty days or so. And blacklisting competitors (Anthropic). I'd say the protection money paid dividends.

