(I previously lived about a ~10 minute walk from that public market.)

(This is the theory, the practice will be challenged by NYC’s ability to acquire land in neighborhoods that are underserved by groceries and develop a supply chain for these stores. This will be harder, but I personally don’t vote for mayors to only have easy problems to solve.)

You could be right about it losing millions of dollars, we’ll see. Millions isn’t very much on the scale of NYC’s civic infrastructure; it would be difficult to even call it a waste at that scale, since the results will themselves be valuable.

(This is in pointed contrast to our last mayor.)

(I say this as someone who is broadly in favor of NYC trying to run city-owned groceries in areas that are underserved.)

You don’t need an LLM to know that AEI and FDD are hawkish and pro-Israel, they have over 20 years of public track record that the Quincy Institute should be citing directly (and ideally drawing novel conclusions from).

[1]: https://en.wikipedia.org/wiki/Quincy_Institute_for_Responsib...

The $1 I put into that doesn't "come back" to me in cash; I get it in the form of a society that has fewer people going hungry, dying from treatable conditions, etc. This is where the argument around efficiency, waste, etc. can be made, but waxing about inflation, etc. has essentially nothing to do with the matter.

Comments URL: https://news.ycombinator.com/item?id=47732945

Points: 21

# Comments: 0

This is an essentially unquantifiable statement that makes the underlying claim harder to believe as an external party. What does “much” mean here? The end state of vulnerability exploitation is typically eminently quantifiable (in the form of a functional PoC that demonstrates an exploited end state), so the strong version of the claims here would ideally be backed up by those kinds of PoCs.

(Like other readers, I also find the trick of pre-feeding the smaller models the “relevant” code to be potentially disqualifying in a fair comparison. Discovering the relevant code is arguably one of the hardest parts of human VR.)

My point was that Debian, etc. as conceptually distinct organizations, and so there’s no point in centralizing beyond their organizational boundaries. Each already performs centralized key management, but nobody would particularly benefit from a single global keyring for all Linux distributions, because nobody (?) is transferring package formats across distribution families.

(There’s no particularly consistency with this, it’s just what sounds “good” to American ears. We’re perfectly fine with “as a German” or “as a Lithuanian.”)

In the context of security scanning (versus, say, listing), I think it's reasonable to expect the tool to be resilient to attempts at obfuscation (or just badly written code that doesn't adhere to normal Python idioms around import paths).

[1]: https://github.com/PwnKit-Labs/foxguard/blob/a215faf52dcff56...

[1]: https://github.com/geiger-rs/cargo-geiger

[2]: https://github.com/trailofbits/siderophile

I think this post has some good information in it, but this is essentially overstated: I look at crate discrepancies pretty often as part of reviewing dependency updates, and >90% of the time it's a single line difference (like a timestamp, hash, or some other shudder between the state of the tree at tag-time and the state at release-time). These are non-ideal from a consistency perspective, but they aren't cause for this degree of alarm -- we do know what the code does, because the discrepancies are often trivial.

I think it matters if you want to call it a WoT. But also, I don't think any signatures originating from these keys are being verified usefully at any meaningful scale.

> Are you really going to say this has no trust or security value?

I think it has marginal security value, maybe net-negative if you balance it with the fact that cryptographers and cryptographic engineers have to waste time arguing against using PGP.

> What is the outcome you are actually arguing for here.

I like binary transparency. I also think identity-based signing is significantly more ergonomic, and has seen more adoption in the last 4 years than PGP has in the last 35. And I think this is actually a stunning indictment, because I'd say that identity-based signing schemes like Sigstore are still running behind my expectations.

(And this is before a more brute statistical argument: even at its greatest extent, the PGP ecosystem was minuscule[1].)

[1]: https://moxie.org/2015/02/24/gpg-and-me.html