<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: pledess</title><link>https://news.ycombinator.com/user?id=pledess</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Mon, 22 Jun 2026 03:13:09 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=pledess" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by pledess in "Why MIT switched from Scheme to Python (2009)"]]></title><description><![CDATA[
<p>His top students were capable of entirely understanding Scheme within a day or so (but not capable of entirely understanding all of Python and all of PyPI). He wanted students to be even better than that. He wanted them to lead productive and resilient collaborations even when they didn't or couldn't entirely understand the small parts.</p>
]]></description><pubDate>Fri, 25 Jul 2025 21:42:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=44688832</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=44688832</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44688832</guid></item><item><title><![CDATA[New comment by pledess in "Ask HN: Should movie theaters allow you to watch movies in 30 minute chunks?"]]></title><description><![CDATA[
<p>Reformulating this slightly:<p>Yesterday, you saw the first 30-minute segment. Today, you arrive at the multiplex, and are informed that the three 30-minute segments (1, 2, 3) are starting shortly on screens A, B, and C. However, you are not told the mapping of segment to screen. You are asked to select a screen, and choose screen B. You are then informed about the status of either screen A or screen C: that status may be that it will play segment 1 (from your perspective: a duplicate) or that it will play segment 3 (from your perspective: out of order). Finally, you are asked whether you will be watching screen B, or the other, unrevealed screen. (If you don't actually watch your final choice, you're banned from the multiplex forever.)<p>Is this harder (e.g., not solvable at all) compared to the Monty Hall problem, because segment 1 is merely an annoyance, but segment 3 is a spoiler (permanently impacting your enjoyment of the movie)?</p>
]]></description><pubDate>Thu, 05 Jun 2025 23:18:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=44196531</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=44196531</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44196531</guid></item><item><title><![CDATA[New comment by pledess in "Ask HN: What should you ask to understand a new team and company?"]]></title><description><![CDATA[
<p>In my experience, things you can ask include:<p>What's the history of this first project I've been assigned to?<p>Who are the most important customers, or types of customers?<p>What's the risk tolerance (unless you've been told Move Fast Break Things)?<p>Things you usually can't ask directly, but need to learn quickly:<p>Is this a meritocracy? If not, what other factors matter?<p>What types of actions are perceived as throwing a co-worker under the bus?<p>Is most of my job to figure out what my job is (i.e., exploring how I can contribute most effectively)?</p>
]]></description><pubDate>Mon, 02 Jun 2025 00:56:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=44154993</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=44154993</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44154993</guid></item><item><title><![CDATA[New comment by pledess in "What if we stop treating security testing as a separate thing?"]]></title><description><![CDATA[
<p>For "With your threat model in mind, they should identify opportunities to add new test cases," one common reason is that security engineers are shared across a large company and it may be very expensive for them to learn the different testing frameworks used on many different projects. Also, independent review (without any exposure to developers' conceptions about what should be tested, or why, or how) may be economically justified because outcomes of security bugs are sometimes much worse than outcomes of many categories of ordinary bugs. Other reasons may include that the security engineers want to run a test that can't be expressed in your testing framework without a huge change to the framework, they may want to develop their test cases adaptively such that most of the tests turn out to be useless and the cost of capturing every test under version control may be very high, they may want to run tests from a commercial testing product for which the license does not allow bulk copying of the tests into a customer's testing framework, or (if they aren't in-house engineers) their business model is that they won't tell you every test that was run unless there's an associated defect finding.</p>
]]></description><pubDate>Mon, 02 Jun 2025 00:23:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=44154851</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=44154851</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44154851</guid></item><item><title><![CDATA[New comment by pledess in "Ask HN: Anyone used LLM for UI E2E testing?"]]></title><description><![CDATA[
<p>We added ChatGPT Operator to UI testing, starting soon after it launched. It's only used as an extra testing step on top of everything we had previously used. A quick summary is: on the plus side, it sometimes gives us a much faster feedback cycle. On the minus side, it sometimes dives headfirst into advanced UI features, and can't find a way to backtrack when it makes a mistake there.</p>
]]></description><pubDate>Tue, 20 May 2025 03:33:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=44037530</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=44037530</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44037530</guid></item><item><title><![CDATA[New comment by pledess in "JPMC: An open letter to third-party suppliers"]]></title><description><![CDATA[
<p>The letter mentions OAuth but doesn't mention the ongoing work to address the <a href="https://eprint.iacr.org/2025/629" rel="nofollow">https://eprint.iacr.org/2025/629</a> findings, CVE-2025-27371.</p>
]]></description><pubDate>Mon, 05 May 2025 05:13:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=43892103</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=43892103</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43892103</guid></item><item><title><![CDATA[New comment by pledess in "Why can't HTML alone do includes?"]]></title><description><![CDATA[
<p>Both rendering and security issues were relevant. Some of this is discussed under "Deprecate HTML Imports" at <a href="https://developer.chrome.com/blog/chrome-70-deps-rems" rel="nofollow">https://developer.chrome.com/blog/chrome-70-deps-rems</a></p>
]]></description><pubDate>Wed, 30 Apr 2025 00:15:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=43839656</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=43839656</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43839656</guid></item><item><title><![CDATA[New comment by pledess in "You might want to stop running atop"]]></title><description><![CDATA[
<p>The TOCTOU is relevant (without suid) if someone can quickly make the right prediction of the tmpname2 value that's generated by the PRNG used by mkstemp, and create a symlink with that value before gunzip is executed. After calling mkstemp, the code should use the returned file descriptor, and thereby eliminate all TOCTOU risk. However, on (perhaps?) most devices that would realistically use atop, the PRNG works well enough that that prediction would fail.</p>
]]></description><pubDate>Wed, 26 Mar 2025 16:55:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=43484233</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=43484233</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43484233</guid></item><item><title><![CDATA[New comment by pledess in "NIH fixes indirect rates on new grants to 15%"]]></title><description><![CDATA[
<p><a href="https://newscience.org/nih/" rel="nofollow">https://newscience.org/nih/</a> suggests that the higher indirect rates at private research institutions may occur because "universities do subsidize research out of their own pockets."</p>
]]></description><pubDate>Sat, 08 Feb 2025 14:46:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=42983263</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=42983263</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42983263</guid></item><item><title><![CDATA[New comment by pledess in "Redis is trying to take over the all of the OSS Redis libraries"]]></title><description><![CDATA[
<p>There is a new comment by antirez in the past few minutes: <a href="https://github.com/redis-rs/redis-rs/issues/1419#issuecomment-2500869088">https://github.com/redis-rs/redis-rs/issues/1419#issuecommen...</a></p>
]]></description><pubDate>Tue, 26 Nov 2024 14:04:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=42245843</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=42245843</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42245843</guid></item><item><title><![CDATA[New comment by pledess in "Undergraduates with family income below $200k will be tuition-free at MIT"]]></title><description><![CDATA[
<p>This may have unintended consequences on chances of a successful application. Now, as a high school senior, you have to compete against an additional pool of strong students who aren't especially interested in MIT's offerings, but have parents pushing them toward the least expensive of all top universities.</p>
]]></description><pubDate>Wed, 20 Nov 2024 22:15:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=42198678</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=42198678</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42198678</guid></item><item><title><![CDATA[New comment by pledess in "With more legal action on the horizon, how long before Archive.org closes?"]]></title><description><![CDATA[
<p>It may actually be reasonable to start a page under <a href="https://wiki.archiveteam.org/index.php/Category:Closing_projects" rel="nofollow">https://wiki.archiveteam.org/index.php/Category:Closing_proj...</a> to track this.</p>
]]></description><pubDate>Sun, 08 Sep 2024 20:40:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=41483028</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=41483028</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41483028</guid></item><item><title><![CDATA[New comment by pledess in "Judge dismisses DMCA copyright claim in GitHub Copilot suit"]]></title><description><![CDATA[
<p>I thought "the Copilot coding assistant was trained on open source software hosted on GitHub and as such would suggest snippets from those public projects to other programmers without care for licenses" was explicitly allowed by the GitHub Terms of Service: <a href="https://docs.github.com/en/site-policy/github-terms/github-terms-of-service" rel="nofollow">https://docs.github.com/en/site-policy/github-terms/github-t...</a> "If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service." In other words, in addition to what's allowed by the LICENSE file in your repo, you are also separately licensing your code "to use ... through the GitHub Service" and this would (in my interpretation) include use by Copilot for training, and use by Copilot to deliver snippets to any other GitHub user.</p>
]]></description><pubDate>Tue, 09 Jul 2024 19:55:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=40920360</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=40920360</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40920360</guid></item><item><title><![CDATA[New comment by pledess in "Recommended Stripe Radar Rules for combating fraud"]]></title><description><![CDATA[
<p>I think "Block if :card_count_for_ip_address_daily: > 4" might translate to "As a customer using Stripe, obtain an IPv6 address from your mobile network operator. Do not share Wi-Fi with a group, such as by renting a house with four college buddies or by having more than two teenage children."</p>
]]></description><pubDate>Tue, 18 Jun 2024 18:05:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=40720500</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=40720500</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40720500</guid></item><item><title><![CDATA[New comment by pledess in "Debian's /tmpest in a teapot"]]></title><description><![CDATA[
<p>The essence of the problem is that there's no standard pathname for a personal directory that's guaranteed to be on local disk, even if $HOME isn't. Consequently, people have relied on /var/tmp/$USER for this. There are realistically affected users who can't change the new defaults.<p>Cleaning up /var/tmp on a timer is relevant to this academic environment (desktop-based research computing):<p>1. Each Debian machine is used by only one graduate student, but students do not have root access.<p>2. Today, /var/tmp is the only persistent local directory where the student has write access ($HOME is on a network filesystem backed up by the university).<p>3. Within the student population, there is strong institutional memory that /var/tmp isn't backed up by the university and isn't extremely robust (e.g., RAID), but also that nothing there is automatically deleted.<p>4. Students use /var/tmp for hundreds of Gb of data from simulations that take days or weeks. $HOME is too small and too slow for this.<p>5. In practice, less than 1% of students lose data through disk failure, accidents, etc.<p>6. A much larger fraction of students will lose data when sysadmins, who didn't get the memo about the /var/tmp change and thus haven't addressed the ingrained institutional memory, deploy new Debian machines.<p>7. Some of the students who lose data won't graduate on time.</p>
]]></description><pubDate>Tue, 04 Jun 2024 23:28:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=40579977</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=40579977</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40579977</guid></item><item><title><![CDATA[New comment by pledess in "Request for Comments: New API Design Concept [pdf]"]]></title><description><![CDATA[
<p>For example, GET /tickets/12/messages/5 has these advantages over api_get_message_from_ticket?ticket_id=12&message_id=5<p>Avoids writing everything twice: you don't need to name the data fields both in the base URL and in the query string<p>If there are several parameters, writing everything twice may make the URL longer than one physical line in a text editor<p>The ? and & characters need to be quoted in most shells<p>The _ characters are sometimes hard to read if the entire URL is underlined<p>Names with api_json don't make it clear whether the request body must be sent as JSON, the response will be JSON, or both</p>
]]></description><pubDate>Mon, 22 Apr 2024 00:52:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=40110589</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=40110589</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40110589</guid></item><item><title><![CDATA[New comment by pledess in "Show HN: Purl – A Simple Tool for Text Processing"]]></title><description><![CDATA[
<p>Another name conflict is with <a href="https://github.com/package-url/purl-spec">https://github.com/package-url/purl-spec</a> - which is used for software identification (e.g., see the <a href="https://www.cisa.gov/sites/default/files/2023-10/Software-Identification-Ecosystem-Option-Analysis-508c.pdf" rel="nofollow">https://www.cisa.gov/sites/default/files/2023-10/Software-Id...</a> report).</p>
]]></description><pubDate>Mon, 15 Apr 2024 02:39:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=40036585</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=40036585</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40036585</guid></item><item><title><![CDATA[New comment by pledess in "YouTube is testing a new design that you'll probably hate instantly"]]></title><description><![CDATA[
<p>With Gemini, maybe every video that says "comment down below" can be automatically modified to say "comment on the right."</p>
]]></description><pubDate>Fri, 12 Apr 2024 17:43:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=40015569</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=40015569</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40015569</guid></item><item><title><![CDATA[New comment by pledess in "JetBlue introduces dynamic baggage pricing"]]></title><description><![CDATA[
<p>It's not quite as bad as hunger-based pricing where EatUp would cost more on longer flights.</p>
]]></description><pubDate>Tue, 02 Apr 2024 20:40:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=39910630</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=39910630</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39910630</guid></item><item><title><![CDATA[New comment by pledess in "Hackers found a way to open any of 3M hotel keycard locks"]]></title><description><![CDATA[
<p>Many U.S. hotels changed that after the Mandalay Bay hotel incident in October 2017. A guest can no longer assume that their deadbolted hotel room door will only be opened in an emergency. Routinely, hotel staff (not accompanied by police) may knock and then immediately open a guest's door for what they consider a "welfare check" (e.g., guest has had a Do Not Disturb sign for 2 days). And, yes, guests may be strongly opposed to this for a variety of reasons (in the room but undressed, etc.) but it often is part of a hotel's normal operating practices. One of many references: <a href="https://www.reddit.com/r/askhotels/comments/vaxae2/comment/ic59fig/" rel="nofollow">https://www.reddit.com/r/askhotels/comments/vaxae2/comment/i...</a></p>
]]></description><pubDate>Fri, 22 Mar 2024 05:13:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=39787651</link><dc:creator>pledess</dc:creator><comments>https://news.ycombinator.com/item?id=39787651</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=39787651</guid></item></channel></rss>