One easy change would be that before any package can be published, it has to wait a minimum of two weeks in a state where it can be reviewed but it can't be installed without jumping through several hoops with big warning signs, things like "INSTALL_INTENTIONALLY_DANGEROUS_PACKAGES_THAT_WILL_BREAK_MY_COMPUTER=1", selecting yes in a dialogue that asks if they want to install software that likely has viruses, and pointing to a different package repository URL.
If there's some change that must get out sooner, then there can be some fee to pay to npm to have their security team do their own review.
Critically, there must be time for someone to review before it's the default to be selected.
I'm sure there are issues with this, this was off my head, but it seems like a really easy step to at least stem the problem for now. And there are a bunch of ideas like this that would help, but NPM doesn't seem willing to take it seriously as an existential threat to the ecosystem, rather than taking trivial steps.
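The quarantine the comment above proposes can be approximated on the consumer side today, without waiting for the registry to change: before installing, refuse any locked dependency version that was published less than N days ago, with a loud, explicitly named override. The script below is an added example and is not code from the thread or from npm. It reads a package-lock.json v3 fragment and the `time` map that the npm registry returns in each package's packument (`https://registry.npmjs.org/<name>`, whose `time` object maps each version to its publish timestamp); both the lockfile contents, the package names, the dates and the override variable name are constructed for the example, and the registry fetch is replaced by an inline fixture so it runs offline.

```javascript
// Added example: a pre-install "minimum release age" gate for npm lockfiles.
// Not part of the original discussion; package names, versions, dates and the
// override variable are hypothetical. In real use, fetch each packument from the
// registry and read its `time` map instead of using the inline fixture.

const MIN_AGE_DAYS = 14;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed lockfile fragment in package-lock.json v3 layout.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.1" },
    "node_modules/left-widget": { version: "2.4.0" },
    "node_modules/fast-sort": { version: "3.0.1" },
    "node_modules/fast-sort/node_modules/tiny-dep": { version: "1.0.0" },
  },
};

// Constructed packument `time` maps keyed by package name, in the shape the
// registry returns: { created, modified, "<version>": "<ISO publish date>", ... }.
const PACKUMENT_TIME = {
  "left-widget": { created: "2020-01-01T00:00:00.000Z", "2.4.0": "2024-05-01T00:00:00.000Z" },
  "fast-sort": { created: "2021-06-01T00:00:00.000Z", "3.0.1": "2024-06-10T12:00:00.000Z" },
  "tiny-dep": { created: "2024-06-11T00:00:00.000Z", "1.0.0": "2024-06-11T00:00:00.000Z" },
};

// Derive the package name from a lockfile path, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Return every locked package whose resolved version was published fewer than
// minAgeDays before `now`. A version with no publish time is reported too:
// the gate fails closed rather than trusting what it cannot date.
function findTooYoung(lockfile, timeByName, now, minAgeDays = MIN_AGE_DAYS) {
  const offenders = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    if (lockPath === "") continue; // the root project itself, not a dependency
    const name = packageNameFromPath(lockPath);
    const version = entry.version;
    const published = timeByName[name] && timeByName[name][version];
    if (!published) {
      offenders.push({ name, version, ageDays: null, reason: "no publish time in packument" });
      continue;
    }
    const ageDays = (now.getTime() - Date.parse(published)) / MS_PER_DAY;
    if (ageDays < minAgeDays) {
      offenders.push({ name, version, ageDays, reason: `published ${ageDays.toFixed(1)} days ago` });
    }
  }
  return offenders;
}

// The escape hatch the proposal describes: the install only proceeds when
// nothing is too young, or when the operator sets a deliberately alarming
// override (hypothetical variable name).
function gateAllows(offenders, env = process.env) {
  return offenders.length === 0 || env.INSTALL_PACKAGES_YOUNGER_THAN_MIN_AGE === "1";
}

const NOW = new Date("2024-06-12T00:00:00.000Z"); // constructed "current time"
const offenders = findTooYoung(LOCKFILE, PACKUMENT_TIME, NOW);
for (const o of offenders) console.log(`BLOCKED ${o.name}@${o.version}: ${o.reason}`);
console.log(gateAllows(offenders) ? "install may proceed" : "install blocked");
```

With the constructed dates, `left-widget@2.4.0` is six weeks old and passes, while `fast-sort@3.0.1` and the nested `tiny-dep@1.0.0` are a day or two old and are blocked until the override is set. The walk over `packages` deliberately includes nested `node_modules` entries, since a fresh transitive dependency is exactly the case a lockfile diff review tends to miss. The one caveat is that publish timestamps only bound how long a version has been visible for review; they say nothing about whether anyone actually looked, which is the point the replies below make.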
> Critically, there must be time for someone to review
By who? No one at npm is reviewing anything. "Someone" is doing a lot of work here.
Linux distributions have trusted maintainers who are responsible for their packages. People who cared enough to figure out PGP and set up an actual web of trust. That's where the verification happens. All these programming language package managers have nothing of the sort. PyPI, Rubygems, crates, npm, it doesn't matter. I can just make an account and push whatever I want.
These package managers are like this because that's what developers actually want. They don't want to deal with Linux distribution maintainers in order to get their software into the official repositories. They want to just run $packager push and have it out there with zero friction.
Pyramid schemes are defined by the price and structure. A business that sells knives is a fine business. A business that sells overpriced knives by promising that you can then find someone else to sell more knives for you at an even higher price is a pyramid scheme.
Selling tulips is a fine business. Selling tulips at an insanely high price by promising that the market for tulips will keep on expanding and increasing the price of tulips is a pyramid scheme. (Well, maybe not quite a pyramid scheme, the structure isn't right. But it certainly wasn't a sustainable business model.)
At least for my software job in the US, and other salaried jobs I’ve seen, there are explicitly no hours listed, and it’s supposedly based only on your output. In practice though, if your butt isn’t in the seat 40 hours a week or so, and usually more, the boss will be mad.
> The figures were almost universal across all categories: 62 percent of those surveyed across the five European countries said they favored or had considered replacing US data storage and payment services, while 59 percent of respondents said they would back a change from American video-conferencing companies like Zoom.
(Technically only five countries in the EU in this survey, but the five most populous countries, and presumably other countries generally agree)
thanks for sharing .. given tech policy press's editorial perspective, i'd take the result with a grain of salt. … also tbh .. the existence of the poll is almost as interesting as the outcome .. reminds me of taleb's "wittgenstein's ruler" from black swan .. before using a ruler to measure a table, you should probably know whether the ruler itself is trustworthy.
the poll may be telling us as much about the priorities and assumptions of the people asking the question as it does about public opinion… in fact, the need to run a poll on this specific question arguably says more about the agenda behind it than the result itself ..
So, before October, they were lousy at tracking downtime issues for 2 years (no downtime from 2016 to 2018), but in November, Microsoft came and gave them the technology to correctly track downtime, and they had their first downtime logged in November.
If you want to do it occasionally, sure, whatever. I have a coworker who solely communicates in the form of screenshots of him asking Cursor my question, even when they’re questions that are interested in his motivation or plans, not the code base, and that Cursor does a bad job answering. I’ll ask a Slack channel “does anyone have experience with tools A and B, so they can suggest which matches our use case better”, and he’ll respond with a screenshot.
I don’t need him to pass on LLM answers. I can and do ask them myself. I’m asking questions because I’m interested in the experience my coworkers have beyond what AIs have trained on.
This is Java, but recently I had a case where one library depended on a version of an Apache Commons library, and another library depended on a different version of the same Apache Commons library, and neither version worked with both libraries. In my case, I was able to upgrade one of them to a newer version so that I could use just one Apache Commons version, but I got lucky there.
It's a lot. Us parents joke how insane it all is but realistically it will taper off soon as kids start having smaller birthday celebrations. At this age it's kind of an "invite everyone in your class/grade" and has naturally reduced a bit already as boy/girl only parties started. I think next year or two it will become more common to have "invite 3-5 good friends to an event" type of birthdays and that will reduce it a lot further. Usually that's also the beginning of "drop-off birthday parties" where us parents don't have to attend with our guest. There was only one this year, my son was picked up and a group of ~10 went to a sport event.
Oddly enough, there are practically none in summer. If you have a summer birthday you either don't have a big party or you have a half birthday or something similar where the party occurs during the school year. Too many people travel throughout the summer and kids are doing different camps and things so it would not get well attended. Our group of parents kind of has an unspoken rule to not do anything that feels required when school is out. That goes for fall/summer/spring breaks and holidays too.
The logistics part probably sounds crazy but probably only ~10% of these parties are at someone's house. We've never hosted a party at our house, well when he was 1-2 for family only, but not these huge parties with so many kids, parents, siblings, etc. Most people rent out a venue. Arcades, trampoline/slide parks, skating rinks are popular with the girls, sports themed places are popular with boys, chuck-e-cheese was popular for a bit, those kinds of things. It's too much work for a 2 hour party to have that many people in your home.
My birthday was in the summer. I was in the RV away from friends all summer. I never got a birthday with friends, and get this, I didn’t get invited to birthdays because I wasn’t participating in the shared economy of gift giving!
Yep, and I hate it. For our kids we’ve started just inviting a bunch of the kid’s friends and extending the invitation to each friend’s whole family and just having a chill house party. We also invite a friend’s family for the kid not having a birthday so they have at least one of their friends to play with too. Kids running around outside, inside, doing whatever they want while the parents all get to hang out and talk. We order some pizzas and other food, set out a few coolers of drinks and some adult beverages too, and it’s always a great time. It helps that the birthdays are in the fall and it’s usually really nice out still.
We also very clearly specify “no gifts”. We don’t have room for more stuff and they’ll get more gifts than they need from grandparents.
I’d say a majority of the parties we get invited to also are asking people to not bring gifts.
I think it's more scary than impressive. What kind of adults are all of those children going to grow up to and become, where multiple parties are the weekly norm?
Maybe you can clarify because I don't understand your fear or what you think it means for these kids' future adulthood?
The kids just see it as a fun 2 hour playdate with lots of friends in an interesting setting with dessert. It's the same friends they see at school, sports, etc. so it's their time to have some less structured play time, which - not sure if you've heard - is in rare supply for many children these days.
When I was a kid, even at this age, I was roaming all over town on a bike with my friends, I basically had the Stranger Things childhood experience, and I feel very confident there was a lot more to fear in that timeline of childhood.
Playing (and roaming) is great, non-stop parties is not.
Excessive partying can foster a mindset in children that equates fun with extravagance rather than simple enjoyment.
Frequent extravagant parties can foster a mindset in children that equates fun with material possessions and lavish events, rather than personal connections and shared experiences.
Not sure if the picture I painted originally was unclear but these kids are already living a very comfortable lifestyle by most standards. Most outsiders looking in would say they are all spoiled brats which is basically what I feel like you're trying to say more politely. But, this is just their norm, it's very much a part of their interpersonal connections and shared experiences which is exactly why we try to attend as many as we can. We try to engage in the community and support these kids as a group by celebrating their milestones and achievements; birthdays are one such example. What you fail to consider is these kids do not care about the material possessions at all. They've never had a shortage of that so they have no want for it. That is not special. I've never seen a kid even look at the presents during a party. They get loaded up and opened at home. I know my kid often doesn't open them for days or even weeks after the party. At this moment, he has a shelf full of toys he got as gifts half a year ago that are unwrapped but unopened. He's never even played with them. Some of them he already had and so he'll probably donate them at Christmas. However, the idea that they got to pick a theme and a venue that represents their personality/interests and share it with their friends during a day of fun is what they thrive on. Being the guest of honor at such an event has plenty of social-emotional benefits (https://pmc.ncbi.nlm.nih.gov/articles/PMC6130922/).
There's nothing lavish about these events unless you seem to think so. A $20/day trampoline park is not lavish. A 2 hour arcade card at D&B is not lavish. I don't know what your frame of reference is but this is what we do on a normal weekend if we have no plans too, just with a smaller group and without birthday cake to eat.
Speaking as someone who is a bit more familiar with your site, the variety of content you post is really valuable. I know multiple people, myself included, who have either gone from EA to Contra or Contra to EA thanks to both being on your blog.
More broadly, I love it when an author I trust in one area writes about other topics.