Complain about them, denigrate them, upbraid them for performing analysis outside their primary expertise, fire and replace them.... none of that changes the incentive structure that shunts people in the implementation role towards conservatism out of a perceived need for self-preservation.

Engineers are not shielded by their implementer role if they participate in illegal activity. James Robert Liang was a rank-and-file engineer for Volkswagen and he got jailed for his role the VW emissions scandal[1].

No matter how much an enterprise architect or compliance officer promises "it'll be fine" to the developer, the developer needs documented CYA. An enlightened organization would perhaps find ways to expedite that CYA documentation rather than demonizing programmers as a class.

[1] https://apnews.com/general-news-988ea2ae45694b37b320e68cefe3...

If the company you work for actually had such a no-fault culture, I doubt you'd be criticizing programmers so aggressively for being sticklers, but would instead be trying to understand and account for the systemic factors (including human factors) behind their behavior.

These folks seem to be more up-front about the issue than many sites I’ve seen:

https://pdimagearchive.org/reusing-images/

> On each image page we communicate to the best of our knowledge the rights status of both the underlying work and the digital copy of this work. We provide this information based on a basic knowledge of copyright law and what is communicated by the source institution — it is strictly meant as a guideline and it should not be taken as legal advice. We admit no responsibility for any untoward consequences that may arise through reuse of material featured on our site. If you are requiring certainty as to usage allowed for an image, then you are encouraged to check with the source institution and make your own investigations.

* Persist a volume for Claude so that conversations don't get blown away with every container rebuild. An attacker may still be able to get a Claude token from me, which is something I'd like to tighten up in the future.

* Fix file permissions issues by running rootful inside the container. (The container process still runs on the host as an ordinary user. Since my threat model is "compromised dependency scanning for credentials in project dir and home dir" rather than "attacker escaping the container", I figured that was good enough to get started.)

* Work around architectural availability issues with precompiled PyPI libraries. This I punted on by choosing a different approach and eliminating the problematic dependency (by writing my hobbyist CAD 3d printing stuff using Blender extensions instead of CadQuery). I've gotten the impression that dependency compatibility with a container workflow is an ongoing challenge.

* Run a database in a docker-compose sidecar for integration testing.

For all the projects I'm containerizing I'm the solo dev with full control over the Git repo so I can make the call to add a `.devcontainer/devcontainer.json` config file. I haven't yet explored how to isolate projects I don't control.

I'm trying to do all work in dev containers (or other sandboxes), limiting the blast radius if I'm unlucky enough to be hit by an exploit. The attackers may get a Claude token, but they won't easily be able to escape the container and scan my home dir.

Cooldowns and allow-listing of installer scripts are good additions to layered security, especially for CI. However, I think the fundamental thing that needs to change is the OS permissions model. The default of trusting third-party software with everything your user has access is no longer workable.

The happiness of the aristocracy depends on the spectacle of miserable workers performing humiliating tasks.

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."

— Benjamin Franklin

Understandable that the Netherlands wouldn't trust the USA with its citizans' data.

Comments URL: https://news.ycombinator.com/item?id=48302345

Points: 10

# Comments: 1

There are a fair number of well-meaning restaurateurs who have tried no-tip policies for ethical reasons. But the mass marketplace has not changed.

Then the complacency and other psychological effects that this article seeks to inoculate users against will be maximized.