Hacker News: carols10cents

New comment by carols10cents in "Decisions that eroded trust in Azure – by a former Azure Core engineer"

carols10cents — Fri, 03 Apr 2026 21:17:44 +0000

If you're writing the tests after writing the code, you're not doing TDD though.

New comment by carols10cents in "Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised"

carols10cents — Wed, 17 Sep 2025 17:54:46 +0000

Since Shai-Hulud scanned maintainers' computers, if the signing key was stored there too (without a password), couldn't the attackers have published signed packages?

That is, how does signing prevent publishing of malware, exactly?

New comment by carols10cents in "Crates.io phishing attempt"

carols10cents — Fri, 12 Sep 2025 16:28:53 +0000

Yeah, npm has orders of magnitude more users than crates.io. This attack's success, or lack thereof, has no bearing on the savviness of JavaScript or Rust developers.

New comment by carols10cents in "Malicious versions of Nx and some supporting plugins were published"

carols10cents — Thu, 28 Aug 2025 03:00:28 +0000

So why are you upgrading?

New comment by carols10cents in "Malicious versions of Nx and some supporting plugins were published"

carols10cents — Thu, 28 Aug 2025 02:59:07 +0000

Who is requiring you to use large numbers of transitive dependencies? You can always write all the code yourself instead.

New comment by carols10cents in "Why is everybody knitting chickens?"

carols10cents — Thu, 29 May 2025 20:59:15 +0000

Why wouldn't you knit a chicken???

New comment by carols10cents in "When Compiler Engineers Act as Judges, What Can Possibly Go Wrong?"

carols10cents — Mon, 12 May 2025 14:26:05 +0000

And the architect is a volunteer for Habitat for Humanity.

New comment by carols10cents in "Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos"

carols10cents — Sat, 15 Mar 2025 14:23:29 +0000

who is going to pay for the review of packages and updates? how do we know we can trust the reviewers?

github actions are name-spaced and that didn't help anything here...

New comment by carols10cents in "Rust Just Failed an Important Test"

carols10cents — Thu, 01 Aug 2024 20:11:25 +0000

Do not try to equalize a maintainer guarding their time and energy from having to deal with an issue that has already been fixed and users that refuse to search or read with trying to cover up for gross negligence and bugs.

New comment by carols10cents in "Rust Just Failed an Important Test"

carols10cents — Thu, 01 Aug 2024 17:07:14 +0000

No maintainer is obligated to maintain access to a discussion space for their users.

> One now doesn't even know and cannot even estimate the number of other issues that must have gone unreported. It's not safe or wise to use a package that is so shrouded in mystery. It is in fact foolhardy.

Issues don't get reported for any number of reasons. All open source is use at your own risk.

New comment by carols10cents in "Fern Hollow Bridge should have been closed years before it collapsed"

carols10cents — Wed, 19 Jun 2024 11:10:14 +0000

It's the Charles Anderson Bridge. https://engage.pittsburghpa.gov/charles-anderson-bridge

New comment by carols10cents in "Timeline of the xz open source attack"

carols10cents — Tue, 02 Apr 2024 16:52:40 +0000

What would prevent the sock puppet accounts from signing each others' keys?

New comment by carols10cents in "C++ creator rebuts White House warning"

carols10cents — Wed, 20 Mar 2024 16:34:49 +0000

How are these two problems unique to Rust though?

New comment by carols10cents in "Show HN: Little Fixes – a spatial forum to improve your city"

carols10cents — Fri, 23 Feb 2024 22:06:23 +0000

It looks like accounts can be entirely anonymous. How are you planning on handling moderation of comments? What happens if I post on a neighbor's house "jagoff who lets their dogs poop everywhere lives here, please evict"?

New comment by carols10cents in "When every ketchup but one went extinct (2022)"

carols10cents — Thu, 15 Feb 2024 21:52:04 +0000

Tell me you don't know anyone from Pittsburgh without telling me you don't know anyone from Pittsburgh.

New comment by carols10cents in "Standards for Software Liability: Jim Dempsey, Lawfare, UC Berkeley Law"

carols10cents — Fri, 26 Jan 2024 14:40:23 +0000

> these are the folks who do the Lawfare podcast, right?

Yep, and they had a podcast episode with the author of this paper: https://www.lawfaremedia.org/article/the-lawfare-podcast-jim...

New comment by carols10cents in "How Australia’s ‘Bluey’ conquered children’s entertainment"

carols10cents — Fri, 05 Jan 2024 15:48:07 +0000

I wish Bluey hadn't introduced the concept of a "bush wee" to my kid, I've had to explain that no, we can't pee in someone's yard in the middle of our busy neighborhood...

New comment by carols10cents in "Was Rust Worth It?"

carols10cents — Thu, 26 Oct 2023 17:13:50 +0000

Namespaces can't be typosquatted?

New comment by carols10cents in "Was Rust Worth It?"

carols10cents — Thu, 26 Oct 2023 13:34:11 +0000

Crates.io has publisher information-- namespacing is not required for that. For example, here are all the crates owned by the `azure` GitHub organization and published by the `azure-sdk-publish-rust` team: https://crates.io/teams/github:azure:azure-sdk-publish-rust

New comment by carols10cents in "Was Rust Worth It?"

carols10cents — Thu, 26 Oct 2023 13:30:17 +0000

How do namespaces measurably increase security?