yeah i was gonna say, you could totally fuck this up without ai. it's a pretty classic infra mishap, alas.
i have had the lesson burned into me that if tfc plans imply divergence you need to lock the workspace and call up someone who knows why.
thinking about the word "manel" but what about "marchitecture review board", "mboard of directors"?
is this anything
you might enjoy looking at mkosi, which i think is basically a test runner and a systemd tech demo in a box :)
OH: we know the worst it's gonna do is waste memory, and as any haskeller knows, allocating memory is not a side effect!
holy fuckin shit lmao
a supply chain attack perpetrated by a prompt injection in a github ISSUE TITLE
eh. coding agents? what could go wrong
TL;DR: apache avro RPC: looks actually pretty cool! just don't attach any of the official implementations to the public internet, they are not designed for possibly-malicious input.
CAPEC-141: Cache Poisoning, CWE-345: Insufficient Verification of Data Authenticity, CWE-602: Client-Side Enforcement of Server-Side Security
Bonus bug: clients can allocate 4gb if they want, for fun!
github.com/apache/avro/...
code which naively accepts whatever the client gives you:
github.com/apache/avro/...
2009 bug report: "WONTFIX, implementing canonical json cross language is hard" issues.apache.org/jira/browse/...
note this is fixable by the server simply hashing the client input and discarding the given hash.
full disclosure of an @apache.org avro rpc DoS vulnerability:
handshake with clientHash = victim-protocol's-hash, serverHash = whatever, clientProtocol = wrong-protocol
server now has a poisoned cache for the victim proto hash if they have not yet connected to the server, cannot deserialize it
omg. i need safety ii propaganda.
glean is not a sourcegraph alternative but merely a part of one. you need a symbol naming format and so you really need to run a glass service as well. and then you have to write an entire web ui, but you still need zoekt for text search. it's a whole project. i want to. just. lots of stuff to do.
remote build execution via the bazel protocol is real and fun. there's some hacks for supporting it with nix by making kinda evil docker images. currently everything is local but it will change.
the most unfortunate part is that the costliest patches to hold are the complete ones that have config threaded through and such. review difficulties discourage writing upstreamable code in the first place; writing unconfigurable patches is selfish but much better if they don't get reviews.
we really should probably switch to s3 with a periodic orphan upload fixing job. the only problem is making auth tractable (probably there is a proxy off the shelf for this though). either way this requires fb review my code. difficulty level: hard!
alas...
- linting?
- glean.software
- what if there was a golden test library for haskell but like, good
nah nix-otel was an experiment from 2022. i am thinking "ship it as a thing by default". lix wants it for internal infra, work wants it for internal infra, soooooo.
i just need to dig out from under my giant project pile:
- open source infra
- services
- otel collector on laptops
- test runners?
i use lix at work and would LOVE to have this. i want to build otel tracing in lix too, and i think that's going to be the first feature, but i *do* kind of want to do something like buck log too, to be able to examine perf traces.
wait. i wonder which of these two is easier... actually buck log.
it's like citc but for build logs. if your auth/infra story is good enough to make this easy, building this kind of thing is pretty easy and unbelievably valuable.
buck's build logs can be turned into chrome traces and like, loads of different useful products like what was run, hashes, etc.
fun good idea from buck2: `buck log --trace-id someuuid` works regardless of where the build was done: on CI, on your coworker's computer, on your computer, etc
*if you don't work for facebook, you need patches I (locally-euclidean) or Arian (S3) wrote for this.
what if nix could do this too?
at this point i am doing something indistinguishable from *purposely picking tools based on using starlark*. i am currently working on deploying copybara.
anyway, buck2 uses starlark-rust and thus has Types and also Features in its language
i love starlark so much, so you'll not stop me. starlark-rust in particular is really nice.
https://www.ft.com/content/7bbc4ad3-57f4-4cfd-b791-e50e625c2e0e Amazon, Google and Microsoft staff are urging executives to back Anthropic in its escalating dispute with the Pentagon, pressing them to refuse any contracts that would enable autonomous weapons or mass domestic surveillance. In a letter on Friday seen by the FT, worker groups representing thousands of tech employees said they would oppose any effort to dilute guardrails adopted by the AI start-up after its chief executive Dario Amodei rejected what he described as a "final offer" to continue supplying the US military. "We know [the Pentagon] will rapidly seek to onboard other models without these guardrails in place, regardless of whether they try to force Anthropic to comply," the letter reads. "We are writing to urge our own companies to also refuse to comply should they or the frontier labs they invest in enter into further contracts with the Pentagon," the letter said.
The relative autonomy of tech workers, and the need for the bosses to obtain some degree of active consent from them, seems to me a central axis of the politics of big tech. There aren't many industries where you can imagine seeing something like this.
An open letter has been signed by 200+ OpenAI and Deepmind employees, who want their companies to adopt the same restrictions on use that Anthropic has. If this ends up occurring, then the DoD's only option for 'frontier' intelligence will be Grok.
*takes notes* PACs are co-unions
the port of LA and the port of long beach are gay and in love
Abolish the legal gender marker entirely. No government can be trusted to have a database of which people have changed theirs, no government has any business tracking what your gender is "supposed" to be in the first place.