<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: always_good</title><link>https://news.ycombinator.com/user?id=always_good</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 23 May 2026 03:52:54 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=always_good" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by always_good in "Scripting API now in public beta"]]></title><description><![CDATA[
<p>There's nothing you can do to guarantee they are successful.<p>What you can do is expose your kid to a lot of things and help them find something they're passionate about. Ideally something they can use to pay their bills too when their business fails. I don't see why some programming/tech exposure can't be one of those things.<p>I work fewer hours and have more lateral mobility than pretty much all my friends that make as much money as I do. Software engineering is a good field. Nobody is saying you have to force it down anyone's throat, and that's not what a Minecraft scripting API is doing.<p>What a great creative opportunity though for kids out there to dabble in programming due to a game they love. That doesn't preclude them from being financially savvy in the future. They're kids.</p>
]]></description><pubDate>Sat, 08 Dec 2018 19:51:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=18637145</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18637145</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18637145</guid></item><item><title><![CDATA[New comment by always_good in "How to steal Ethers: scanning for vulnerable contracts"]]></title><description><![CDATA[
<p>Doesn't that simply depend on how often you have to leverage human enforcement? Whether you have to do it <1% of the time vs 100% of the time would drastically change the answer to your question.<p>It's like chargebacks. 99.9% of my purchases I will never issue a chargeback for, so most of the time I choose to use a payment mechanism (cash, bitcoin when I can) that doesn't come with all that overhead. If I was frequently getting screwed by merchants, then my payment habits would change accordingly.</p>
]]></description><pubDate>Sat, 08 Dec 2018 16:38:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=18636007</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18636007</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18636007</guid></item><item><title><![CDATA[New comment by always_good in "Fortnite addiction and parenting in the age of screens"]]></title><description><![CDATA[
<p>I did the same thing to grind levels in Runescape and I look back with regret, getting <4 hours of sleep during an important developmental stage in my life.<p>My parents didn't even suspect that I'd do such a thing. But they could've trivially stopped it. If they knew I was doing it, they would've removed the computer from the game room. Luckily for my kids, I know how addicting gaming can be unlike my parents did back then.<p>I don't really know what you're trying to say. Kids have almost zero resources. If they have an internet-connected device they can use 24/7, it's because you got them one and you let them.<p>Kids do have more disposable time than parents do, but that's also why kids are so good at creatively filling the void when they can't just turn on their dopamine machine. When I was bored at my grandma's house without electronics, that's when I learned to draw, a hobby I've taken into my 30s.</p>
]]></description><pubDate>Fri, 07 Dec 2018 23:15:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=18632569</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18632569</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18632569</guid></item><item><title><![CDATA[New comment by always_good in "Fortnite addiction and parenting in the age of screens"]]></title><description><![CDATA[
<p>Agreed. In another comment, someone points out that LoL/Dota2 require a lot of dedication and metagame analysis to be good.<p>Which is true, but doesn't change the fact that I look back at all gaming I did as a massive waste of time, wishing I spent even 10% of that time doing anything else. And even in my early 20s, I couldn't get out of that "just one more game" compulsion many nights and it would impact my work performance and social life. Not really something I want for my children.<p>I'm in my 30s now and have healthy hobbies again like language learning, reading, and drawing.<p>I have a feeling a lot of these "gaming is no different than reading or playing a sport" are from young HN gamers. I would've argued the same thing when I was a kid. Not til later did I start wanting to live my life to maximize my sense of fulfillment and minimize regret, and I have a hard time believing gaming does that for anyone.</p>
]]></description><pubDate>Fri, 07 Dec 2018 22:50:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=18632429</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18632429</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18632429</guid></item><item><title><![CDATA[New comment by always_good in "“Write Drunk, Edit Sober” Is Bad Advice"]]></title><description><![CDATA[
<p>How is the internet "tipping over" going to change what's fundamentally human?<p>Changing the interpretation of what someone said to fit your argument can be seen on the school playground and in Plato's Gorgias. It's not going away anytime soon.<p>Agreeing on an interpretation is the first step to conceiving an argument. Wrestling through this is a big part of having a discussion, and someone can always try to unfairly assume the interpretation that suits them, often the least charitable one.</p>
]]></description><pubDate>Fri, 07 Dec 2018 16:29:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=18629009</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18629009</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18629009</guid></item><item><title><![CDATA[New comment by always_good in "Rust 2018 is here, but what is it?"]]></title><description><![CDATA[
<p>I don't see a righteous battle.<p>You mentioned Emacs as a solution which has a Rust plugin that has problems like most other Rust tooling. Yes, Rust's tooling landscape is immature and still a work in progress.<p>Obviously you can just forgo editor integration altogether. But you can do that in any editor.</p>
]]></description><pubDate>Thu, 06 Dec 2018 21:18:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=18622328</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18622328</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18622328</guid></item><item><title><![CDATA[New comment by always_good in "Rust 2018 is here, but what is it?"]]></title><description><![CDATA[
<p>Well, that's always an option, so it isn't really advice. It's already what you have to do when the tooling support is bad. It's the poorest when an editor can instead inline its output of static analysis.<p>Integration has a lot of benefits like telling you the inference of intermediate types. "Don't care about good integration" isn't really advice.<p>It's like people who brag about syntax highlighting. The 99.9% rest of us consider it a good tool that improves our workflow.</p>
]]></description><pubDate>Thu, 06 Dec 2018 19:42:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=18621336</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18621336</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18621336</guid></item><item><title><![CDATA[New comment by always_good in "State of web browsers in 2018"]]></title><description><![CDATA[
<p>What about the good qualities that websites have, like the ability to link (and deep link) people to specific parts of it?<p>The re-trending of the local application is a step back in this regard. And "when will this internet fad die off so we can return to native applications" throws a lot of baby out.</p>
]]></description><pubDate>Thu, 06 Dec 2018 16:38:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=18619523</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18619523</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18619523</guid></item><item><title><![CDATA[New comment by always_good in "A Swede who created a $400K Indiegogo-scam"]]></title><description><![CDATA[
<p>You could say this about anything though, so it's not very damning criticism of Kickstarter. Also applies to Hacker News and everything, individually, at the grocery store. And all the Amazon boxes piling up on our doorstep from holiday deals.<p>Maybe you'd agree with that. I just never was a fan of the "oh, it's those people who are doing it wrong" as we ourselves indulge in a different set of the same thing.</p>
]]></description><pubDate>Thu, 06 Dec 2018 15:16:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=18618632</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18618632</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18618632</guid></item><item><title><![CDATA[New comment by always_good in "Developer on Call"]]></title><description><![CDATA[
<p>I think I have some lasting trauma for the year I was on call.<p>I still have nightmares that I'm getting woken up into a hellish situation to fix code I've never seen at 3am. Or that I'm out on a date or having a beer or trying to enjoy my life when I get called.<p>I remember the constant state of anxiety just knowing I could be called. Couldn't even wind down watching a movie much less read a book. I quit when I realized I felt a sense of relief commuting to work the next morning because I wouldn't have to field an emergency by myself.<p>I also remember fantasizing about being a cafe barista or security guard that year. Waited way too long to get out.</p>
]]></description><pubDate>Mon, 03 Dec 2018 08:43:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=18587276</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18587276</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18587276</guid></item><item><title><![CDATA[New comment by always_good in "How the West Was Digitized: The Making of Rockstar Games’ Red Dead Redemption 2"]]></title><description><![CDATA[
<p>Nothing is safe from the HN Dismissal. What's the purpose of such flippant negativity?</p>
]]></description><pubDate>Sat, 01 Dec 2018 14:52:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=18576990</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18576990</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18576990</guid></item><item><title><![CDATA[New comment by always_good in "How Restaurants Got So Loud"]]></title><description><![CDATA[
<p>I hope you can appreciate how fortunate you are.<p>Though 4 Euros ($4.50) is less than half what I pay for most books I want on Amazon.<p>It would be very expensive for me to feed my book-reading habit like that. I couldn't afford it without libraries.<p>It's nice that you can afford to spend money on books, but we need a solution for everyone else, especially if we agree that books are a good thing for society.<p>Recently there was that op-ed in Forbes that said we don't need libraries because we have Amazon: <a href="https://qz.com/1334123/forbes-deleted-an-op-ed-arguing-that-amazon-should-replace-libraries/" rel="nofollow">https://qz.com/1334123/forbes-deleted-an-op-ed-arguing-that-...</a> -- Was such a disaster that Forbes limped away from it by deleting it.</p>
]]></description><pubDate>Wed, 28 Nov 2018 15:17:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=18552169</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18552169</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18552169</guid></item><item><title><![CDATA[New comment by always_good in "If it's not fun anymore, you get nothing from maintaining a popular package"]]></title><description><![CDATA[
<p>The NPM organization could go much further to make these attacks harder.<p>You pitch a really good one: Any time you npm update/install, display ownership changes (especially compared to your prev version).<p>Another one is to show the source code on the NPM website itself instead of hiding it in a tarball. NPM basically trains people to assume the published code == the code at the linked repository. It's a hacky honor system that only helps attackers.</p>
]]></description><pubDate>Tue, 27 Nov 2018 02:14:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=18538751</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18538751</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18538751</guid></item><item><title><![CDATA[New comment by always_good in "Backdoor in event-stream library dependency"]]></title><description><![CDATA[
<p>Be specific: what exactly would you do in Elm to pwn someone? It would be a much more limited and a much more visible attack.<p>NPM modules don't even have source code on display. Someone has to download and check the tarball before npm install.<p>Also, Elm packages are qualified by a github username so there isn't an ecosystem of ownership transfer. No juicy name squatting. People just fork.<p>Finally, don't forget that my point is "there are a few issues with NPM that make this kind of thing especially easy/lucrative". That's a far cry from "everything else is bullet-proof" but it's tempting to argue with me as if I'm saying that.</p>
]]></description><pubDate>Tue, 27 Nov 2018 01:12:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=18538451</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18538451</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18538451</guid></item><item><title><![CDATA[New comment by always_good in "Backdoor in event-stream library dependency"]]></title><description><![CDATA[
<p>If a contributor's end goal is to publish a backdoor, then making them wait 0 or 100 commits to the project before trusting them doesn't change the end result.<p>In fact, if you had the energy to do the attack at all here (which took some work), having to fake trustworthiness doesn't require much more effort. Just look like a super enthusiastic contributor, put work into the readme, bike-shed over some issues every month, and bam.</p>
]]></description><pubDate>Mon, 26 Nov 2018 19:10:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=18535939</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18535939</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18535939</guid></item><item><title><![CDATA[New comment by always_good in "Backdoor in event-stream library dependency"]]></title><description><![CDATA[
<p>Then let me ask you, how long should dominic have let right9ctrl contribute to the project before trusting him and giving him publish capabilities? With hindsight, we know that right9ctrl is going to publish a backdoor the second he gets rights. How long do you make right9ctrl wait? And does that accomplish what you want?<p>If you think that ownership transfer should exist at all, then the attack vector still exists no matter how long you wait to trust right9ctrl.</p>
]]></description><pubDate>Mon, 26 Nov 2018 18:07:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=18535424</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18535424</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18535424</guid></item><item><title><![CDATA[New comment by always_good in "Backdoor in event-stream library dependency"]]></title><description><![CDATA[
<p>This doesn't make sense because Elm is client-side only, and all code that ships is client-side executable.<p>Node, a general purpose language, has a scope that's much, much larger.</p>
]]></description><pubDate>Mon, 26 Nov 2018 18:02:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=18535383</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18535383</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18535383</guid></item><item><title><![CDATA[New comment by always_good in "Backdoor in event-stream library dependency"]]></title><description><![CDATA[
<p>There are a few issues with NPM that make this kind of thing especially easy/lucrative:<p>- An ecosystem of massive amounts of transitive dependencies increases the number of people you need to trust. If I wanted to attack a project that used NPM, their package.json dependencies would be a really good place to start. Find the least popular transitive dep they use and email the owner to see if you can be a contributor (repeat for all of their xdeps). If they don't immediately give you publishing rights like OP did, then show some chutzpah and make valid commits until they do. While this attack works on any programming language's dep system, it's easier the more transitive deps a project has. People ITT blaming the OP don't understand this attack always works on a long enough timescale. Do you think there isn't someone out there who would make high quality contributions to an xdep of primedice.com (online gambling site) for 5 years to finally get publish access?<p>- Anything may run during `npm install`. npm install supports an --ignore-scripts argument to not run any scripts during install. This should be the default.<p>- Unqualified module names make it more desirable to "take over" a package than just publish your own package "npm install <username>/event-stream", so it contributes to an ecosystem of ownership-transfer that's far less likely to exist on, say, <a href="https://package.elm-lang.org/" rel="nofollow">https://package.elm-lang.org/</a> where everything is qualified by a Github username.<p>- NPM website doesn't show you source code. The github link on the project page is just a convention. I think the NPM website should have a light source code browser of whatever is in the tarball that you download and execute during `npm install`. Bonus points for reproducible builds from that source.<p>- Developers don't actually review every bit of code they use and execute, especially not transitive deps. 
And we certainly aren't going to bother to download the tarball from NPM and unpack it to inspect the code of every dep. Most people reading this don't even know how to do that.<p>I've thought of some ideas to help the situation, like creating a Github shield that verifies that a conventional build script like `npm run publish-build` reproduces the tarballed code on NPM, but then I would just be doing free work for the NPM organization, and it's still just a hack.</p>
]]></description><pubDate>Mon, 26 Nov 2018 17:27:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=18535021</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18535021</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18535021</guid></item><item><title><![CDATA[New comment by always_good in "Boss as a Service – Hire a boss, get stuff done"]]></title><description><![CDATA[
<p>The comic is basically "women have harder lives when they have low standards for the man they let knock them up."</p>
]]></description><pubDate>Fri, 23 Nov 2018 17:24:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=18517721</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18517721</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18517721</guid></item><item><title><![CDATA[New comment by always_good in "Flutter: the good, the bad and the ugly"]]></title><description><![CDATA[
<p>> you're a software developer and the setup would take you one day of work<p>I hear this a lot and I don't get it. Just because I'm tech savvy doesn't mean I want to do everything myself. My time on earth is finite like everyone else's. I don't value it less just because I can program.<p>I've built my own blog many times, actually. But the purpose of a blog is to write and share content. Every second I spend messing with the blog is energy I could've allocated towards writing content.<p>Also, static site generators tend to not have nice publishing editors, like the ability to just drag an image in.<p>But we really need to dispose of this idea that "you can build anything so why don't you want to build everything?" I also think hosting my email is a waste of my time.</p>
]]></description><pubDate>Fri, 23 Nov 2018 16:33:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=18517402</link><dc:creator>always_good</dc:creator><comments>https://news.ycombinator.com/item?id=18517402</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18517402</guid></item></channel></rss>