I think the continuous churn of versions accelerates this disregard for supply chain. I complained a while back that I couldn't even keep a single version of Python around before end-of-life for many of the projects I work on these days. Not being able to get security updates without changing major versions of a language is a bit problematic, and maybe my use cases are far outside the norm.

But it seems that there's a common view that if there's not continually new things to learn in a programming language, that users will abandon it, or something. The same idea seems to have infected many libraries.

Maybe they spent more on labor to comb through reports than they did on the hardware costs of discovery, but if so I think we'd be hearing from third parties about how useless those millions in Mythos credits were that they got.

The form programmer had done some super stupid validation that didn't allow me to edit it directly. Every change moves the cursor to the end of the input. More than 16 characters could not be typed.

Any person who codes that PoS should have their software license revoked and never be allowed in the industry again. Far better to use a plain text input than all the effort used to make users lives hell.

They measured false negatives on a handful of cases, but that is not enough to hint at the system you suggest. And based on my experiences with $$$ focused eval products that you can buy right now, e.g. greptile, the false positive rate will be so high that it won't be useful to do full codebase scans this way.

Impressive, and very valuable work, but isolating the relevant code changes the situation so much that I'm not sure it's much of the same use case.

Being able to dump an entire code base and have the model scan it is they type of situation where it opens up vulnerability scans to an entirely larger class of people.

Even if you're not an Apple fan, these sorts of stories are kind of great for learning about product development and companies in general, I think. jwz's stories of Netscape are also phenomenal. (Just don't click on any HN links that go to jwz.org, or you'll have to clear cookies to see any content there in the future. He's not a fan of the exploitation that startups frequently do to their employees and views HN as a primary channel of promoting that exploitation.)

Anonymous contributions, up to the point of somebody compromising the service? With the quantity of password hash thefts, I suspect we'll see even more ID thefts this way.

I can't imagine using any service that asks for ID, except perhaps from the well-established giants, so an exception for identifiability would effectively be a gigantic moat granted to the largest internet companies to keep out competition. Anything like that would need to be paired with massive anti-trust changes, as well as perhaps government take-over of the giants as utilities, none of which sounds very appealing...

That said, don't take any of my rambling as discouragement, your type of thinking is exactly what we need, we need massive amounts of policy discussion and your suggestion is very innovative.

It's a gathering of information so that people can get more comments.

But, if you had an amazing reputation for paying your debts, and get super low interest rates because of it, and all of a sudden you change your reputation and demand for holding your debt and currency goes down, well, then that's created a massive problem for the currency that reduces everyone's quality of life drastically.

The idea of counting "reliance" based on the exact shipping route that serves you today is nonsense.

It literally doesn't matter where the oil comes from, it only matters how much gets shipped! Only an utter fool could say something like "closing off the strait of Hormuz doesn't matter because our oil doesn't come from there." One merely has to look at current US gas prices to see how utterly silly that notion is!

The challenge now is how to plan architectures and codebases to get really big and really scale, without AI slop creating hidden tech debt.

Foundations of the code must be very solid, and the architecture from the start has to be right. But even redoing the architecture becomes so much faster now...

What are you using to drive the Chinese models in order to evaluate this? OpenCode?

Some of Claude Code's features, like remote sessions, are far more important than the underlying model for my productivity.

AI runs on data above all else. Gotta feed the compute.

There needs to be more public naming and shaming in science social media and in conference talks, but especially when there are social gatherings at conferences and people are able to gossip. There was a bit of this with Google's various papers, as they got away with figurative murder on lack of reproducibility for commercial purposes. But eventually Google did share more.

Most journals have standards for depositing expensive datasets, but that's a clear yes/no answer. Reproducibility is a very subjective question in comparison to data deposition, and must be subjectively evaluated by peer reviewers. I'd like to see more peer review guidelines with explicit check boxes for various aspects of reproducibility.