It strikes me as a classic case of "we need all the interested people to pull in one project, not each start their own". AI may have made this worse then ever.

Go isn't immune to supply chain attacks, but it has built in a variety of ways of resisting them, including just generally shorter dependency chains that incorporate fewer whacky packages unless you go searching for them. I still recommend a periodic skim over go.mod files just to make sure nothing snuck in that you don't know what it is. If you go up to "Kubernetes" size projects it might be hard to know what every dependency is but for many Go projects it's quite practical to know what most of them are and get a sense they're probably dependable.

[1]: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck - note this is official from the Go project, not just a 3rd party dependency.

One is a couple of squirts of vanilla, a couple of squirts of lemon juice, and a bit of salt. Salt is probably an underappreciated drink ingredient for this sort of thing. It turns out it isn't in your soft drinks just to make you want to drink more. This makes something that is related to cream soda, except for the aspects of cream soda that come from being crammed full of sugar, which I can't do much about.

I also have a mix I keep around made out of 3 tablespoons salt, 1 cup vanilla, 1/2 cup lemon juice, 1/2 cup lime juice, and about 1/3rd cup almond extract. I measure it all (except the salt which I just put in directly) into a single 2 cup Pyrex dish and just sort of eyeball the last 1/3rd cup of almond extract, then funnel it in to a holder. I use McCormick 32 oz vanilla and almond extract for this and order bulk RealLemon and RealLime juice for this from Amazon, and mix it into one of the leftover bottles and keep it around refrigerated. 3 squirts and "whatever dribbles in" as I'm removing the bottle is what I used for one DrinkMate bottle. To taste, as all of this is, of course. If nothing else this is pretty cheap per drink.

You can also mix unsweetened electrolytes in, but you have to wait until after you dilute the mixture with water or it'll react with the lemon & lime juice. Salt you can keep in the mix but not electrolytes in general. It adds a certain body to the mix even if you're not interested in the electrolytes per se, and a single packet of them lasts a long time.

You're not going to go into business selling this stuff, but if you're already drinking unsweetened apple cider vinegar & lemon/lime juice as a beverage flavoring we might just have some compatible tastes here. Carbonation is required, though, otherwise the vanilla and the almond extract don't come through at all.

I kind of think there's room for a new dynamically-typed language that is designed around being fast to execute and doesn't cost such a huge performance multiple right off the top, and starts from day 1 to be multi-thread capable, but on the whole the trend is clearly in the direction of static typing.

That, and forgoing fancy compile-time optimization steps which can get arbitrarily expensive. You can recover some of this with profile-guided optimization, but only some and my best guess based on the numbers is that it's not much compared to a more full (but much more expensive) suite of compile-time optimizations.

(One candidate example for this is the discussion I've seen in the last few days about not trying to negate something, to say "Don't do X", but instead stay positive because eventually the negation gets lost in the context window and you're better off just not putting the idea in the LLM's mind at all, where "Don't do X" comes to be seen as an LLM antipattern.)

One of the consequences of none of us having used AI for long enough is that we don't know how to onboard developers in an age of AI. This will be, by necessity, transient. Eventually we're going to max out what a person can do and we'll need more people. The supply of existing engineers will be limited. We will be forced to discover how to onboard new engineers.

But at the moment we've got our hands full, and we don't know how to do it.

The irony is, the best time to join a field is often exactly when the enrollment dips and the worst can be precisely when it is the most popular. Start a programming college program today and the odds that in 4 years we'll have onboarding figured out and have developed some sort of need for fresh developers is pretty decent.

But I don't know what to do about the fact that the standard CS curriculum was already of debatable relevance to me in the late 90s and I don't know of what relevance it will be in four years except to guess that it very likely to be even less. I do know that we are again affected by the fact nobody has been doing this for 20 years, like I mentioned above. There is no body of "wisdom" for an AI-powered world to draw on to construct a new curriculum. Universities would be inclined to do the obvious thing and try to chase our current practices with AI but those aren't going to be stable enough to build a curriculum on any time soon, and a real fundamentals-based curriculum may involve less AI than people may think.

I know one advantage I have over my younger peers at this point is just a knowledge of what terms to say to the AI to get it to do what I want, words like "event sourced" or "message bus" or "stored procedures", where simply knowing that the concept exists is the bottleneck. I could see a programming curriculum based on touring through a whole whackload of concepts with their pros and cons, or at least, where that is a much larger portion of it.

Ask me in 5 years though and I'd almost certainly suggest a completely different curriculum than I would now, though.

"good old-fashioned computing is interesting at all"

"Computronium" is defined as "the best computing power available". I deliberately selected it as a neutral term that does not depend on any particular model of QM or black holes or anything else.

Personally I doubt it's exactly one thing because optimizing for different types of computing is likely to result in a spectrum of computroniums rather than just the one, but the term flexes to encompass that easily enough.

The point is, you build something in that system over there for the same reason a normal human might buy a bit of property and put a house on it. The human in question isn't going "oh, I don't need to do that because the world already has hundreds of millions of residences". The human does that so that the residence belongs to them. The hundreds of millions of residences that do not belong to them do not factor into that question.

However we can say based on the architecture of the LLMs and how they work that if you want them to not do something, you really don't want to mention the thing you don't want them to do at all. Eventually the negation gets smeared away and the thing you don't want them to do becomes something they consider. You want to stay as positive as possible and flood them with what you do want them to do, so they're too busy doing that to even consider what you didn't want them to do. You just plain don't want the thing you don't want in their vector space at all, not even with adjectives hanging on them.

It appeals to me because if you've ever taken a flight you can see how the details get progressively erased as you lift. Details that matter for a lot of reasons even if you can't see them.

There's a lot of angles you take from that as a starting point and I'm not confident that I fully understand it, so I'll leave it to the reader.

You also can't put ads in code completion AIs because the instant you do the utility to me of them at work drops to negative. Guess how much money companies are going to pay for negative-value AIs? Let's just say it won't exactly pay for the AI bubble. A code agent AI puts an ad for, well, anything and the AI accidentally puts it into code that gets served out to a customer and someone's going to sue. The merits of the case won't matter, nor the fact the customer "should have caught it in review", the lawsuit and public reputation hit (how many people here are reading this and salivating at the thought of being able to post an angrygram about AIs being nothing but ad machines?) still cost way too much for the AI companies creating the agents to risk.

Opus "found" 8 issues. Two of them looked like they were probably realistic but not really that big a deal in the context it operates in. It labelled one of them as minor, but the other as major, and I'm pretty sure it's wrong about it being "major" even if is correct. Four of them I'm quite confident were just wrong. 2 of them would require substantial further investigation to verify whether or not they were right or wrong. I think they're wrong, but I admit I couldn't prove it on the spot.

It tried to provide exploit code for some of them, none of the exploits would have worked without some substantial additional work, even if what they were exploits for was correct.

In practice, this isn't a huge change from the status quo. There's all kinds of ways to get lots of "things that may be vulnerabilities". The assessment is a bigger bottleneck than the suspicions. AI providing "things that may be an issue" is not useless by any means but it doesn't necessarily create a phase change in the situation.

An AI that could automatically do all that, write the exploits, and then successfully test the exploits, refine them, and turn the whole process into basically "push button, get exploit" is a total phase change in the industry. If it in fact can do that. However based on the current state-of-the-art in the AI world I don't find it very hard to believe.

It is a frequent talking point that "security by obscurity" isn't really security, but in reality, yeah, it really is. An unknown but presumably staggering number of security bugs of every shape and size are out there in the world, protected solely by the fact that no human attacker has time to look at the code. And this has worked up until this point, because the attackers have been bottlenecked on their own attention time. It's kind of just been "something everyone knows" that any nation-state level actor could get into pretty much anything they wanted if they just tried hard enough, but "nation-state level" actor attention, despite how much is spent on it, has been quite limited relative to the torrent of software coming out in the world.

Unblocking the attackers by letting them simply purchase "nation-state level actor"-levels of attention in bulk is huge. For what such money gets them, it's cheap already today and if tokens were to, say, get an order of magnitude cheaper, it would be effectively negligible for a lot of organizations.

In the long run this will probably lead to much more secure software. The transition period from this world to that is going to be total chaos.

... again, assuming their assessment of its capabilities is accurate. I haven't used it. I can't attest to that. But if it's even half as good as what they say, yes, it's a huge huge huge deal and anyone who is even remotely worried about security needs to pay attention.

All that stuff about support, though, inevitable.

It isn't reasonable to ask a platform to host content that is literally about suing them, not because of "freedom" concerns or whether or not Facebook is being hypocritical, but more because in the end there isn't a "fair" way for them to host that. The constraints people want to put on how Facebook would handle that ends up solving down to the null set by the time we account for them all. Open, public rejection is actually a fairly reasonable response and means the lawyers at least know what is up and can respond to a clear stimulus.

There was some chatter yesterday on HN about the very strange capability frontier these models have and this is one of the biggest ones I can think of... a model that de novo, from scratch is generating megabyte upon megabyte of really quite good video information that at the same time is often unclear on the idea that a knock-knock joke does not start with the exact same person saying "Knock knock? Who's there?" in one utterance.

That exposes me to when the models are objectively wrong and helps keep me grounded with their utility in spaces I can check them less well. One of the most important things you can put in your prompt is a request for sources, followed by you actually checking them out.

And one of the things the coding agents teach me is that you need to keep the AIs on a tight leash. What is their equivalent in other domains of them "fixing" the test to pass instead of fixing the code to pass the test? In the programming space I can run "git diff *_test.go" to ensure they didn't hack the tests when I didn't expect it. It keeps me wondering what the equivalent of that is in my non-programming questions. I have unit testing suites to verify my LLM output against. What's the equivalent in other domains? Probably some other isolated domains here and there do have some equivalents. But in general there isn't one. Things like "completely forged graphs" are completely expected but it's hard to catch this when you lack the tools or the understanding to chase down "where did this graph actually come from?".

The success with programming can't be translated naively into domains that lack the tooling programmers built up over the years, and based on how many times the AIs bang into the guardrails the tools provide I would definitely suggest large amounts of skepticism in those domains that lack those guardrails.

They won't let you secure your drive the way you want. They won't let you secure your network the way you want (per the top-level comment about Wireguard). In so doing they are demonstrating not just that they can stop you from running these particular programs but that they are very likely going to exert this control on the entire product category going forward, and I see little reason to believe they will stop there. These are not minor issues; these are fundamental to the safety, security, and functionality of your machine. This indicates that Microsoft will continue to compromise the safety, security, and functionality of your machine going forward to their benefit as they see fit. This is intolerable for many, many use cases.

I think it is becoming clear that Microsoft no longer considers Windows users to be their customers any more. Despite the fact that people do in fact pay for Windows, Microsoft has shifted from largely supporting their customers to out-and-out exploiting their customers. (Granted a certain amount of exploitation has been around for a long time, but things like the best backwards compatibility in the industry showed their support, as well.)

I suspect this is the result of a lot of internal changes (not one big one) but I also see no particular reason at the moment to expect this to change. To my eyes both the first and second derivative is heading in the direction of more exploitation. More treating users like a cattle field and less like customers. When new features or work is being proposed at Microsoft, it is clear that it is being analyzed entirely in terms of how it can benefit Microsoft and users are not at the table.

No amount of wishing this wasn't so is going to change anything. No amount of complaining about how hard it is to get off of Windows is going to change anything; indeed at this point you're just signalling to Microsoft that they are correct and they can treat you this way and there's nothing you will do about it for a long time.