We can build capacity to manufacturer renewable power domestically. But I suspect this administration is more interested in protecting the business interest of those that gave them the largest campaign donations than they are in long term energy sustainability.

Comments URL: https://news.ycombinator.com/item?id=47886695

Points: 1

# Comments: 0

Comments URL: https://news.ycombinator.com/item?id=47874440

Points: 8

# Comments: 0

That's a really big "if". Particularly since so many companies don't even know all of the OSS they are using, and they often use OSS to offload the cost of maintaining it themselves.

My hope is when the dust settles, we see more OSS SAST tools that are much better at detecting vulnerabilities. And even better if they can recommend fixes. OSS developers don't care about a 20 point chained attack across a company network, they just want to secure their one app. And if that app is hardened, perhaps that's the one link of the chain the attackers can't get past.

Without that, we are quickly spiraling into the dystopia where privacy is gone, and when the wrong person gets access to the data, entire populations are threatened.

Value isn't just slapping a license on something and pushing to GitHub. It's maintaining and curating that software over years, focusing the development towards a goal. It's as much telling users what features you're not willing to add and maintain as it is extending the project to interoperate with others.

And that long term commitment to maintenance hasn't come out of the vibe coded ecosystem. Commitment is exactly what they don't want, rather they want the fast sugar high before they drop it and move on to the next thing.

The biggest threat to open source is the strip mining of the entire ecosystem, destroying communities and practices that have made it thrive for decades. In the past, open source didn't win because it always had the best implementation, but because it was good enough to solve problems for enough people that it became self sustaining from the contribution of value.

I feel that will continue, but it's also going to take a set back from those that aren't interested in contributing value back into the ecosystem from which they have extracted so much.

This is made even worse by the golang.org/x packages updating their minimum Go version without any other changes to the code that require that bump. It ripples through all projects that have any dependencies on those packages, and it forces everyone to choose between security updates and backward compatibility.

I've ranted about this before in my blog [1].

[1]: https://bmitch.net/blog/2025-06-07-go-broke-v1/

Or they redirected funding that previously went to education to other budget items. If a trust fund is created to send $7B to education, but the government cuts their previous $10B in funding, the trust fund can be perfectly followed, while educators see a $3B cut in their funding.

It makes those breakages less painful. A project can eventually remove a deprecated API after notifying other projects to run `go fix`. And when projects ignore that advice (some always will), they can revert to a previous working version, run `go fix`, and then upgrade, without spending time in the code identifying how to replace each removed API.

And for those projects that routinely update and run `go fix`, they'll never notice the removal of deprecated code. Given the other benefits of `go fix`, switching to easier to read methods, and leveraging more efficient methods, in addition to security fixes that come with regular updates, this should be the workflow for most maintained projects.

But this administration wants to say everything is fine, and fires those that say otherwise. So now unemployment seems under control even though it's not great.

Now the Fed, with their dual mandate to maintain a healthy labor market and control inflation, is considering raising rates. If it turns out the job market was much worse than we realized, raising rates could tank the economy more than it already is tanking. All because they wanted to pretend everything is fine.

It's not just the timestamps you need to worry about. Tar needs to be consistent with the uid vs username, gzip compression depends on implementations and settings, and the json encoding can vary by implementation.

And all this assumes the commands being run are reproducible themselves. One issue I encountered there was how alpine tracks their package install state from apk, which is a tar file that includes timestamps. There are also timestamps in logs. Not to mention installing packages needs to pin those package versions.

All of this is hard, and the Dockerfile didn't make it easy, but it is possible. With the right tools installed, reproducing my own images has a documented process [2].

[1]: https://regclient.org/cli/regctl/image/mod/

[2]: https://regclient.org/install/#reproducible-builds

There's also a stagnation of salaries relative to inflation and a slow hiring market that has people locked into a job when they'd like to find something better. The K-shaped recoveries have people slipping out of the middle class. Combine with housing increasing faster than inflation, future generations having a lower quality of life than their parents.

The wealthy are doing what they can to try to direct the narrative elsewhere, by controlling media sources, blaming immigrants, blaming China, and blaming the government. But we really have far too much wealth concentration to be sustainable, not unlike the ending of a game of monopoly. If a more stable solution isn't found soon, I fear things will get much worse than they already are.

[1]: https://www.bls.gov/news.release/empsit.t15.htm

Comments URL: https://news.ycombinator.com/item?id=47217476

Points: 6

# Comments: 0

Reaction 2: it's open source, make the lawmakers do submit the changes.

Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.

Reaction 4: Someone needs to maliciously comply, in advance, on all California government systems. Shutdown the phones, the Wi-Fi, the building access systems, their Web servers, data centers, alarm systems, payroll, stop lights, everything running any operating system. Get everyone to do it on the same day as an OS boycott. And don't turn things back on until the law is repealed.

But the real hidden power of buildkit is the ability to swap out the Dockerfile parser. If you want to see that in action, look at this Dockerfile (yes, that's yaml) used for one of their hardened images: https://github.com/docker-hardened-images/catalog/blob/main/...