(Again, I must emphasize that this does not make the US good. Only that the bar is perhaps lower than people who are assimilated into any particular country may realize.)

I'm not sure there's a "just" here: compared to peer countries, the US is either middle-of-the-pack[1] or significantly more accepting of immigrants[2] depending on which number you pick.

(This isn't to somehow imply that the US isn't hostile to its immigrants, because it is. But the question is whether it's more hostile.)

[1]: https://www.visualcapitalist.com/charted-the-share-of-foreig...

[2]: https://www.oecd.org/en/data/indicators/stocks-of-foreign-bo...

Comments URL: https://news.ycombinator.com/item?id=48235729

Points: 5

# Comments: 0

Much of this is useful feedback, even if phrased in a clickbait style. Some thoughts:

- Re: `pnpm outdated`: this is something that hasn't come up very much, even though it seems reasonable to me. I suspect this comes down to cultural differences between Python and JavaScript -- I can't think of a time when I've cared about whether my Python dependencies were outdated, so long as they weren't vulnerable or broken. By contrast, it appears to be somewhat common in the JavaScript ecosystem to upgrade opportunistically. I don't think this is bad per se, but seems to me like a good demonstration of discontinuous intuitions around what's valuable to surface in a CLI between very large programming communities.

- As Armin notes[1], uv's upper bound behavior is intentional (and is a functional necessity of how Python resolution works at large). This is a tradeoff Python makes versus other languages, but I frankly think it's a good one: I like having one copy of each dependency in my tree, and knowing that _all_ of my interdependent requirements resolve to it.

- `uv lock --upgrade` is written like that because it upgrades the lockfile, not the user's own requirements. By contrast, `pnpm update` appears to update the user's own requirements (in package.json). I can see why this is confusing, but I think it's strictly more precise to place under `uv lock`; otherwise, we'd have users with competing intuitions confused about why `uv upgrade` doesn't do their idea of what an upgrade is. Still, it's certainly something we could surface more cleanly, and there's been clear user demand for a uv subcommand that also upgrades the requirements directly.

[1]: https://news.ycombinator.com/item?id=48230048

(I wrote that Astral post.)

Edit: separately, I'll note that the risk of long-lived, highly privileged credentials is the primary motivating reason for Trusted Publishing: a developer's machine has (by necessity) a much higher degree of access than an ephemeral runner does, making it a much juicier target for an attacker. It also runs all kinds of stuff in a mostly unsandboxed manner, making it easier (in principle) to exploit. That's not to say there shouldn't be additional guards on publishing, but that I'm not remotely convinced that local publishing is any better by default.

(FWICT, the overwhelming majority of LF’s money comes from conference fees, and the biggest chunk of the rest comes from corporate dues. Private donations don’t appear to be a significant portion of their income.)

(In effect, they’re a coordinating body for fat companies. They do indeed fund things in those companies’ interests, but they do it with corporate money.)

(This is the core of the bigger problem with LF, IMO -- they simply don't represent non-corporate OSS interests at all, beyond some lip service.)

[1]: https://projects.propublica.org/nonprofits/organizations/430...

[2]: https://projects.propublica.org/nonprofits/organizations/460...

Both appear to be[1][2]. FreeBSD doesn't have a formal policy yet, but they appear to be leaning towards admitting some degree of LLM contribution.

[1]: https://docs.kernel.org/process/coding-assistants.html

[2]: https://forums.freebsd.org/threads/will-freebsd-adopt-a-no-a...

(Like TFA, I found Opus’s explanations/rationales implausible.)

python-build-standalone fetches CPython sources directly from python.org[1]. I don't even know where else we would get them from!

[1]: https://github.com/astral-sh/python-build-standalone/blob/a2...

You can see it in the source here[1].

[1]: https://github.com/zizmorcore/zizmor/blob/db5ed6b3bb445848a8...

[1]: https://github.com/actions/deploy-pages