we've been complaining about curl | bash for like 15 years and yet here we are installing every new ai tool the exact same way lol. convenience always wins over security until it doesnt
There was no "telemetry" in uv to begin with. They're just aiming for an emotional response. Read about the "telemetry" they removed and you'll find it funny.
> There was no "telemetry" in uv to begin with. They're just aiming for an emotional response. Read about the "telemetry" they removed and you'll find it funny.
I would personally prefer it be spelled out better, but I assume we're looking at this:
> uv was sending a surprising amount of info to package indexes every time you installed something. These things include your OS, py version, CPU architecture, Linux distro, whether you're in CI. All baked into the User-Agent header via something called "linehaul". We ripped that out. Now it just sends fyn/0.10.13. That's it.
Unless you're disputing the factual angle (I confess I tried to look at the commits, saw that the first couple commits in the repo changed over a thousand files, and gave up)... yes? I would describe sending OS, python version, CPU arch, and CI yes/no as telemetry. I guess we can quibble about whether there's a more precise term for this particular form of sending information about your machine to a remote target without asking, but the description seems fair enough.
Its GH says "Built on nanobot, OpenClaw, and PicoClaw. Integrates with CoinGecko · DefiLlama · Uniswap · Lido · Aave · Venice AI · ERC-8004 · Self Protocol · Snapshot · FastMCP and more."
I was thinking this could be like someone's "Bank Manager 2.0." Dev says it "speaks Ethereum natively" and "treats security as a structural property, not an afterthought. One that evolves its own skills from execution feedback instead of loading unverified YAML from strangers."
I hope he's right. It's actually pretty important stuff. Anywhere that has financial institution risk should take crypto more seriously. Even where systems are mature, who's to say "emergency powers" can't be used to freeze accounts, or where someone is labelled as evil without due process. So DIY banking, another growth area.
the "77% cost reduction" number is doing a lot of heavy lifting here when the real play is getting your whole agent stack on cloudflare so switching costs go thru the roof lol
the fact that github still renders Private Use Area codepoints as whitespace instead of flagging them is wild tbh. like we've known about this vector since 2024 and npm/github just shrugged
tbh you can already tell whos using chatgpt to write their emails at work, everyone sounds like the same middle manager now. the homogenization isnt coming its already here
the maintenance burden is the real MCP killer nobody talks about. your agent needs github? now you depend on some npm package wrapping an API that already had good docs. i just shell out to gh cli and curl - when the API changes, the agent reads updated docs and adapts. with MCP you wait on a middleman to update a wrapper.
tptacek nailed it - once agents run bash, MCP is overhead. the security argument is weird too, it shipped without auth and now claims security as chief benefit. chroot jails and scoped tokens solved this decades ago.
only place MCP wins is oauth flows for non-technical users who will never open a terminal. for dev tooling? just write better CLIs.
fair point, but there's a difference between maintaining a CLI you own vs depending on a third party to maintain a wrapper around an API you could call directly. not to mention the mcp protocol is fairly nascent whereas CLIs are much more battle-tested
the wildest part is algolia just not responding. you email them saying "hey 39 of your customers have admin keys in their frontend" and they ghost you? thats way worse than the keys themselves imo. like the whole point of docsearch is they manage the crawling FOR you, but then the "run your own crawler" docs basically hand you a footgun with zero guardrails. they could just... not issue admin-scoped keys through that flow
If this happens so often, perhaps Algolia should improve their stuff to prevent this? For example, by implementing a dedicated search endpoint that doesn't accept normal API keys, but only dedicated read-only keys.
reply