Oh, interesting, what do you get when you specify that the letters need to be reversed, too? (That was what I meant and the original prompt explicitly stated that requirement. I forgot to include it in the summary of my 'test' here.)
Say, hypothetically, the police just looked at every driver's license photo of people living in a 1 mile radius. And they find the suspect, and go to a judge saying a combination of appearance, perpetrator in suspect's driveway, and criminal history gives probable cause for a search. I don’t think that’s any different.
If they came to the judge and said “an informant said we’ll find the gun here” and the informant was actually Clearview, that's obviously a problem.
The big risk that we need regulation for is not that insurance charges too much, but too little. There will always be the temptation to charge less than the other guy, get lots of customers and hope nothing really bad happens.
This is a great callout, although I suspect the two main things insurers need but can't get today, due to regulations, are:
1. Ability to raise price based on risk. Regulation example: State won't let insurance company modify their fire risk maps. I believe this has come up in central Oregon for example.
2. Ability to drop people outright. i.e. if they think risk of home insurance is 50/50 next 10 years, they won't insure at all.
1 can accommodate for 2, but then it's basically the insurer charging the actual price of the home, year one. Maybe they can work out a deal though, like you get the money back if it doesn't burn down. (Mostly parroting things I've heard that seem to make sense).
It’s not like this is unique to rust; you see similar issues with node and python. Distributions have many jobs, but one was solving the lack of package management in C. Now that every modern language has a package manager, trying to apply the C package management philosophy is untenable. Specifically, the idea of a single version, globally installed, and producing distro packages for every language-specific package.
Guix is also a distro that allows for any number of versions of the same package globally, something that language-specific dependency managers do not.
Distros are there for a reason, and anyone who doesn't understand that reason is just another contributor to the ongoing collapse of the tower of abstractions we've built.
This is outdated information. Debian (and other distros) already had their own SBOM format called buildinfo files that encodes this kind of information.
In Debian stable ripgrep on amd64 is currently on version 13.0.0-4+b2.
Using language-native packaging doesn't imply that you have to use binaries from wherever. In the pytorch example you can still build it as a regular part of the distribution, using the C++ dependencies/toolchain, it just means you don't try to stuff it into a versioning/distribution/install model that doesn't match the language's expectations.
Except from a management and maintenance perspective...this is a nightmare. When a security vulnerability drops somewhere, everywhere needs to be patched ASAP.
Distros (and the people who run most scales of IT org) want to be able to deploy and verify that the fix is in place - and it's a huge advantage if it's a linked library that you can just deploy an upgrade for.
But if it's tons and tons of monolithic binaries, then the problem goes viral - every single one has to be recompiled, redeployed etc. And frequently at the cost of "are you only compatible with this specific revision, or was it just really easy to put that in?"
It's worth noting that docker and friends, while still suffering from this problem, don't quite suffer from it in the same way - they're shipping entire dynamically linked environments, so while not as automatic, being able to simply scan for and replace the library you know is bad is a heck of a lot easier than recompiling a statically linked exe.
People are okay with really specific dependencies when it's part of the business critical application they're supporting - i.e. the nodejs or python app which runs the business, that can do anything it wants we'll keep it running no matter what. Having this happen to the underlying distributions though?
(of note: I've run into this issue with Go - love the static deploys, but if someone finds a vulnerability in the TLS stack of Go suddenly we're rushing out rebuilds).
This is conflating static linking with how the distribution handles updates. If a language is always statically linking dependencies (like Go or Rust), the distribution will have to rebuild everything that depends on a patched package whether or not they are using the language's native tools or some import into the distro package system.
What I'm specifically suggesting is:
* Distributions package *binaries*, but not the individual libraries that those binaries depend on.
* Distributions mirror all dependencies, so that you can (in principle) have a completely offline copy of everything that goes into the distribution. Installing a binary uses the language-specific install tools to pull dependencies, targeting the distribution's mirror.
* Enough dependency tracking to know what needs to be rebuilt if there's a security update.
* Any outside dependencies (e.g. openssl) will continue to depend on whatever the distribution packages.
* Dependencies are not globally installed, but use whatever isolation facilities the language has (so e.g., a venv for python, whatever npm does)
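A minimal version of the dependency tracking from the third bullet, written here as an added example (not code from the thread or from any distribution's tooling): given the Cargo.lock-style entries each packaged binary was built from, it reports which statically linked binaries pin a vulnerable version and therefore need a rebuild. The binary names other than ripgrep, the crate name and the versions are constructed placeholders, and the advisory is modelled as a single "fixed in" cutoff rather than per-branch patched ranges.

```python
"""Which statically linked binaries must be rebuilt after a crate advisory?

Added example, not a distro's own tooling. Assumes each packaged binary ships
the lock file it was built from and that an advisory names the affected crate
plus the first fixed version (real advisories carry per-branch ranges).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    crate: str
    fixed_in: tuple  # every pinned version below this is considered vulnerable


def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


# Matches one Cargo.lock [[package]] entry; \s* spans the newlines between keys.
_PKG = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')


def parse_lockfile(text: str) -> dict:
    """Return {crate: [versions]}; a lock file may pin several versions of one crate."""
    deps = {}
    for name, version in _PKG.findall(text):
        deps.setdefault(name, []).append(parse_version(version))
    return deps


def needs_rebuild(lock: dict, adv: Advisory) -> bool:
    # Any old copy counts: a second, newer pin does not neutralise the old one.
    return any(v < adv.fixed_in for v in lock.get(adv.crate, []))


def rebuild_set(lockfiles: dict, adv: Advisory) -> list:
    """Sorted names of binaries whose lock file pins a vulnerable version."""
    return sorted(b for b, txt in lockfiles.items() if needs_rebuild(parse_lockfile(txt), adv))


# Constructed sample lock files keyed by packaged binary name (placeholders).
SAMPLE_LOCKFILES = {
    "ripgrep": '[[package]]\nname = "regex"\nversion = "1.10.2"\n\n'
               '[[package]]\nname = "example-crate"\nversion = "0.8.4"\n',
    "binary-b": '[[package]]\nname = "example-crate"\nversion = "0.8.5"\n',
    "binary-c": '[[package]]\nname = "example-crate"\nversion = "0.7.0"\n\n'
                '[[package]]\nname = "example-crate"\nversion = "0.8.5"\n',
}
ADVISORY = Advisory(crate="example-crate", fixed_in=(0, 8, 5))  # placeholder advisory

if __name__ == "__main__":
    print("rebuild:", rebuild_set(SAMPLE_LOCKFILES, ADVISORY))
```

binary-c shows the case the single-version distro model hides: the newer pin is fine, but the old one is still compiled in, so the binary is still listed.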
As I see it, this all doesn't matter though as soon as "security update" enters the picture.
The problem here is upstream devs saying "my dependency needs are absolute". And a security update ruins that: because as soon as one happens, now no matter what we're going to be replacing libraries anyway. Even your proposal includes this: we're going to strip out openssl libraries and use distro ones.
At which point everything might break anyway, because whether a security hole can be fixed at all depends on which versions of a library it affects and how. Not to mention problems like finding the issue in one version, but it's changed enough that it's not clear whether a different version is impacted the same way.
Why is this an issue? Simply recompile and download each package. If the distro worries that the maintainers would take too long just fork and recompile the packages themselves. These days it's really not that big of a problem in terms of disk space or network traffic. And if some packages are large it's often because of image resources which can be packaged separately. It seems like a lot less effort than trying to guess if a dynamically linked library will work with every package in every case after the update.
It's "whoever turns up to do the work" but I would point out that distros generally have more people in the process who can pick up the work.
The issue is one way or another it needs to happen ASAP: so either the distro is haranguing upstream to "approve" a change, or they're going to be going in and carrying patches to Cargo.toml anyway - so this idea of "don't you dare touch my dependencies" lasts exactly as long as until you need a fix in ASAP.
Probably most of these tiny crates have 1 or 0 maintainers. Chances are that they will not be quick to fix a vulnerability.
And even if they are, for rust software that doesn't come from debian, there is no way to ensure it all gets rebuilt and updated with the fix.
Also, projects are generally slow (taking several months) to accept patches. When a distribution has fixed something and the users notice no issue, the upstream project if downloaded and compiled would be a different matter entirely.
> Now that every modern language has a package manager...
...they fail to integrate with dependencies written in any other language.
It's fine if you just want to sit a monoculture language software stack on top of a multilingual base platform. You can't make a functional system with one language alone, yet those who criticise distribution packaging architecture do so while simultaneously depending on this ability that language-specific package managers do not have. There is no viable alternative today. Most critics think they understand the general problem but only have narrow practical experience, so end up believing that their solution is superior while not considering the general multilingual software supply problem.
Nix isn't a solution either, because in the general case Nix isn't security-supporting arbitrary and multiple dependency versions either.
The doctor / hospital that refuses to treat when insurance declines is also involved in the “omission of expected care”. Would they also be guilty of premeditated murder?
Murder is by definition an unlawful homicide. This isn’t just pedantry; it’s the most parsimonious explanation for why someone would support the death penalty and object to something like the assassination.
Until the day we can point to a country that implements a direct democracy with a fair way to obtain citizenship for whoever is involved in its society, all laws will always remain a tool of a minority to arbitrarily rule a majority.
The concern is not whether laws are rights or wrongs, but which privileges and which hurts they reinforce for which classes in the society where the national myth is eager to present them as the applied rules.
> Until the day we can point to a country that implements a direct democracy with a fair way to obtain citizenship for whoever is involved in its society, all laws will always remain a tool of a minority to arbitrarily rule a majority.
For the same reason we might want to distinguish between well functioning government and direct democracy.
First, direct democracy is kind of a pleonasm, that is in its core democracy has to put equal duties and means to all its citizens. It's clear probably why such a system can easily attract masses, as it promises to maintain political power in the hands of those who have to obey it. Note that this definition insists more on duties and means, which is a very different promise from a populist statement on "righteous rights for everyone thanks to a turn key plan you don't even need to investigate on applicability". People certainly are interested in more democracy, so their slavers scam them with all kinds of systems under the label democracy which never give them these duties and means that you can expect to see attached to an effective democratic citizen.
The initial proposition was that it is pedantry to distinguish between the quality of the killing when the form of governance is not a well functioning democracy - something that would appear to be well established as the US has no issues going into other countries and killing leaders under the argument that they are not democracies.
The question is not so much the quality of the US democracy but to what extent it can even be classified as a well functioning democracy.
The US resembles an oligarchy, and when the laws are written by the rich and profit seeking that will affect how killings are perceived such as killing in the name of corporate profits will become alright.
The cost of shipping contributes to the cost of every product we export and import. Treating this as a purely zero-sum transfer between longshoreman and shippers is ignoring all the reasons this is interesting & important.
As a hypothetical example, if there was some new method of transport that bypassed ports entirely at 1/10th the cost, would you support an effort to scuttle it to support longshoremen?
This same issue played out with the introduction of the shipping container; if history had played out differently and we were still manually packing ships I don't think you'd choose that world over what we have today.
Great comment, and I'm glad you brought this point up so we can deep dive. If you read the book "The Box: How the Shipping Container Made the World Smaller and the World Economy Bigger by Marc Levinson," (Chapter 6: Union Disunion) [1] it covers the historical negotiation and agreement between the longshoreman unions and shippers when the shipping container improved efficiencies; they split the gains from the efficiency improvements knowing it was going to reduce the need for labor into the future.
If that was on offer today, I would have a different opinion, for sure. I would strongly support Automating All The Things. I think the grand bargain that was previously made when the world standardized on shipping containers was reasonable and fair. But that is not what is on offer. What is on offer is the Robber Baron equivalent of folks attempting to automate as much as possible to the detriment of labor for shareholder and management returns, and because of that, I hold the opinion that I do. With the decline in labor unions and lack of labor regulation in the US for the last several decades (since the Ronald Reagan era, broadly speaking), Capital has ground down Labor, and Labor needs to grind back to make up for lost time and ground [2] [3].
Is modularity an unalloyed good? Modularity comes with tradeoffs that mean you end up with, well, a bunch of discrete modules rather than something that works cohesively. That's why systemd was adopted pretty much everywhere, ignoring the arbitrary modular boundaries results in a more useful tool.
Some analogs: modern filesystems like ZFS and BTRFS that combine volume management with the filesystem, every service that's consciously chosen to deploy a monolith instead of microservices, and so on, every deployment that chooses to statically link, etc.