I'd want to be pretty damn confident it won't cause any regressions before sunsetting the original codebase in favor of this one.

If Linux was measurably 5% slower on all benchmarks, would that mean you wouldn't do it even if you wanted to? Is every single nanosecond of performance really that important to you? I switched 10 years ago when things were a lot rougher than this, and in the end everything still worked well enough that I never cared to swap back.

1) Package owners will often realise they've been hacked quickly, since there are releases they never authorised. This gives them plenty of time to raise the alarm and yank the packages

2. Independent security researchers and other automated vulnerability scans will still be checking the latest releases even if users aren't using them

Yes it's not a perfect defense but it would help a lot.

That's a pretty big asterisk though. Taking on a supply chain risk in exchange for reducing developer friction is not worth it in a lot of situations. Every dependency you take increases your risk of getting pwned (especially when it pulls in it's own dependencies), and you seriously need to consider whether it's worth that when you install it.

Don't get me wrong, sometimes it is; I'm certainly not going to create my own web framework from scratch, but a web request helper? Maybe not so much.

That's great for you, and no offense, but what about developers who can't get buzz in a HN thread? Are they just doomed? Why is support only available to those who can raise a ruckus on social media?

Please don't reward these companies with money.

Ok, but why is this advertised to applications in the first place? It's quite literally none of their business that developer options are enabled and it's a constant source of pain when some government / banking apps think they're being more "secure" by disallowing this.

The main site https://xmpp.org/software/ lists lots of different options but I have no idea what core/advanced means and comparing all of these would take ages.

Comments URL: https://news.ycombinator.com/item?id=46836422

Points: 1

# Comments: 0

TSB still works for now, but even for a bank they're technologically incompetent so I'm going to just assume they're behind the curve rather than willingly not using SafetyNet.

The only one I would bank on still working in the future is Monzo, since, like you say, they detect it and just give you scary warning and let you continue.

I have this set as my OS default and also forced for all webpages, I just find it so clear and easy to read. On the occasion that I have to browse the web without it, I don't struggle per-say, but I definitely find that I have to read slower, and find myself rereading words more often.

> Everyone knows that debugging is twice as hard as writing a program in the first place. So if you’re as clever as you can be when you write it, how will you ever debug it?

https://www.laws-of-software.com/laws/kernighan/

For me, personally, I just don't see the point of putting that same effort into a machine. It won't learn or grow from the corrections I make in that PR, so why bother? I might as well have written it myself and saved the merge review headache.

Maybe one day it'll reach perfect parity of what I could've written myself, but today isn't that day.