Except for the unfortunate minority of normal visitors who always get misclassified as bots and get denied access regularly.

I wouldn’t be complaining if Cloudflare’s misclassifier bit any user with the same small probability. But it keeps biting the same users over and over again.

Also Cloudflare: let's send normal humans who are trying to go about their daily lives into endless Turnstile spinner loops with absolutely zero recourse, grievance, or support infrastructure.

Your comment compares Lithuanian homebrew tech to Ukrainian military-funded tech and claims that the former is grossly inferior to the latter. That comparison is what they're challenging.

> What are you saying about nukes?

According to your comment, homebrew tech was not going to prevent World War III. This can come across as unconstructive because in general, even small things can make a difference (or be a first step towards something that will.)

Their comeback "explain what your plan is against nukes" is just another way of saying "your comment just dismissed an idea but failed to present a better idea on its own," or more generally, "let's remain constructive."

What's with that "vs" trade-off?

You're saying avoiding detection requires high altitudes.

What do interceptors have to do with that?

Maybe all three are, in their respective current form, good enough. Replacing them would almost certainly be a net loss.

[0]: https://anubis.techaro.lol

Then don’t install the package.

It’s on you to decide whether you trust upstream or not.

You’re free to use any scanner you want on the upstream sources if it makes you feel safer. (I’m currently working on a makepkg extension that allows just that.)

The core and extra repos are curated, and every package maintainer is doing their due diligence (and more) to protect the users. But on the AUR, nobody is going to do that work for you.

PKGBUILDs are not packages. They’re (user-contributed) instructions on how to build packages.

> available through the OS's repos.

No. The AUR is a platform, similarly to NPM or PyPI, that allows users to upload PKGBUILDs. It is not part of “the OS’s repos,” and it says that loud and clear, multiple times, including on the front page.

That's not the reason why Spotify is not on extra.

Spotify is not on extra because it's not FOSS.

True. But you still go through the fucking checklist.

This is generally not true. Look at a PKGBUILD of:

- any Node.js package. You'll see that the `prepare` step downloads the entire transitive dependency tree from NPM. (This is because it has a massive number of leaves and no system package maintainer can curate them all (let alone resolve each one to a single version that works across all dependees).

- any Rust program. Rust uses static linking, so publishing a system-level package for each library would be pointless. Therefore, during `prepare`, `cargo fetch` it is.

> A less than 100% reliable mechanism sure beats the current situation which is "wait for users report on the forum that they have been pwn3d". May I remind that this is the third time AUR-hosted PKGBUILDs have been compromised?

Are you going to pay the monthly token bill?

[0]: https://en.wikipedia.org/wiki/Concrete_Island

[1]: https://en.wikipedia.org/wiki/High-Rise_(novel)

Google’s index is by far the largest, and my impression is that a search engine is hardly useful unless it includes Google’s results.

Comments URL: https://news.ycombinator.com/item?id=48397787

Points: 4

# Comments: 0

https://news.ycombinator.com/item?id=48108207