Hacker News: themafia's comments

> at an unknown cost

We know the cost. We've conducted that type of warfare before. It's incredibly destructive and barbaric and requires huge amounts of human sacrifice to positively take control of territory after you've finished battering it with high explosives from every available angle. It looks really bad on TV.

> cruise missile carriers

You don't get very large payloads this way. It's fine if you want to pierce the armor of another ship or if you want to launch an "assassination missile" at a single unit but not awesome if you want to replace the capabilities of carriers and battleships and the literal BFGs they carry.

> If you build ships good for real wars you tend to get into wars.

It was meant to be a deterrent against other nation states and one particular form of naval warfare. In the modern world of terrorist cells and asymmetric warfare this may be a moot point.


Yea.. but.. in English only.

Fortunately I can swear pretty well in Spanish.


Only a native speaker can tell if you swear well in a foreign language.

And Claude can't tell at all.

That's like saying you can use a chisel for woodworking.

> You'll never win this battle, so why waste feelings and energy on it?

Cool. The attitude of a bully. Thanks for the contribution!


That's an ironic comment.

Hardly. They're clearly trying to influence a group at large using a flawed logical tactic. I'm pointing that out with a device that suggests the same futility they expect others to adopt should be primarily experienced by them instead.

If pointing out bullies is bullying then you're in a ridiculous mindset.


Those who write the code have more of a right than those who pay the bills. Anyone can write a check. A select few have the acumen and experience to actually write the code.

You can't unilaterally declare someone "sketchy" and then kick them out in the name of convenience.


No I'm calling him sketchy because that's the sentiment anyone who has been around in the community long enough and dealt with Andre has about him. This is very openly discussed and documented and not just in the aftermath of this event.

People having concerns about Andre's behavior around his money and his open source contributions can't even be called an open secret.

The narrative that one side of this is pushing that this is some little guys vs evil corporate overlords problem is short-circuiting so many peoples' ability to rationalize about this topic.

This is about the personal failings to communicate and organize among a very small group of highly skilled, highly productive people. It's also about how they have fallen into camps and try to apply institutional and social leverage in order to influence millions of bystanders in order to maintain/wrest control. Each credibly accusing the other of doing it for their own benefit.

Nobody is in the right here. If you can't engage with that as your starting point, you aren't serious about this conversation and are just spouting one side's propaganda.

In the aftermath us bystanders are left wanting either stability or revolution. Revolutions generally aren't good for anyone. Especially the people who want it the most.


> that's the sentiment anyone who has been around in the community long enough and dealt with Andre has about him.

Not an accurate characterization.

There are some people who do feel this way. But it's not everyone, by a long shot.

You are right that this ten year long interpersonal beef is ultimately at the root of all of this.


Honestly fair. There's a little too much of my personal distaste with his actions coming through here.

I think it's fairer to say that if you know him and you are in the community then you know that these opinions of him are had. That is not normal.

I also want to make it clear that there is a separation here. I do not think that Andre is a malicious or bad person. I just have questions about his decision-making based on things he's said & actions that he's taken and that leads me to think that he is untrustworthy. Not in the "will steal from me" sense but in the "will fuck up shit that I care about" sense (which ultimately he did, at least partly, whether through direct actions or poorly maintained relationships with key people). I work with this kind of infrastructure though and that's the kind of attitude that you want to have towards people to be able to do this job effectively. I don't trust a lot of people -- I want any access they have to be out in the open, limited to what's needed, etc. Governance of the project/organization was obviously a shit-show.

When I say that it's obvious to cut ties with him, I'm looking at it from the perspective of someone responsible for a high-profile project. I would make that decision 10 times out of 10 without regret. They still absolutely bungled the crap out of how that went down.

Also, I hate that this crap gets associated with the "Ruby Community". It's really just a subset of the western Ruby ecosystem that cares about foundations and events and semi-social functions. Ruby's core and a whole ecosystem of people working on and around Ruby couldn't give a crap about any of this and it's all just a massive inconvenience. Meanwhile on boards like this everyone is planting their flags and trying to exploit chaos to create change in critical services that people absolutely depend on.


> that's the sentiment anyone who has been around in the community long enough and dealt with Andre has about him.

I've known him personally for years and find him perfectly fine as a person. The Rubygems maintainers worked with him for the past decade without issue. Until you cite actual issues, not vague "concerns", you're just spreading FUD and innuendo.


I don't need to rehash 10+ years of documentation that's all over blog posts and prior threads on this very topic. Even if someone is unfamiliar with the details they can casually google RubyTogether and Andre and find out all kinds of details.

Don't pretend like I'm some nutter flinging wild accusations when primary and secondary actors in this story literally voiced these concerns in emails during this event.

Anyone who has been following this saga and actually cares knows because they read it already.


I have read many of the allegations against Andre, and find them to fall into:

1) Hyperbolic takes on a perceived 'communication problem' when Andre defends strong design decisions that have impacts on the Ruby ecosystem. Anyone doing what Andre does is going to have impacts on the ecosystem, that is the point. I think the ease of maintaining Ruby systems speaks to the overall good outcomes these discussions have had, and Andre's part in them.

2) Personal dislike of Andre due to disagreements over politics and/or worldviews, usually stemming from assertions of 'woke code' or something like that.

3) Distaste over Andre trying to make a living off doing what they love. This is usually couched in the 'shady' type language you have used a few times. I think that is a weird take on what are just common schemes to use data for monetization purposes, so that Andre can make a living doing design and maintenance. Nothing I have ever seen makes me worried for my data in Bundler or Rubygems.

If your main concern is that 'bad things could happen with Andre running Bundler' I have to question if it isn't just as likely, if not more likely, that bad things will happen with a Shopify-run RC board running Bundler. Their motivations are much less clear other than being a corporation that is profit driven, so I can't say with confidence they won't put that motive above 'good software decisions' when push comes to shove. I don't see them as de-facto making the Ruby supply chain better by any means. Time will tell.


> is short-circuiting so many peoples' ability to rationalize about this topic.

It appears unfair. That's the extent of my rationale. I've not seen any concrete evidence to draw any further conclusion than this. If you're managing a project and you're not cognizant of this, you probably shouldn't be managing projects; in particular, you should stay away from open source projects with a large base of volunteer contributors.

> Nobody is in the right here.

So, they went through all of this, made themselves look bad, cast tons of aspersions, and in the end, they weren't even in the right? This seems a shabby defense.

> are just spouting one side's propaganda.

I don't care about one side or the other. You see this giant crater left by these decisions though? Yea.. that's the problem.


> I think this outcome is locked in. That we’re starting to see its first clear indications.

Hardly. The linked anthropic paper is extremely underwhelming. It portrays no tectonic shifts.

> Practitioners will suffer having to learn the anatomy of the font gland or the Unicode text shaping lobe or whatever other “weird machines” are au courant

That's absurd. Do the vulnerability writers _start_ with this knowledge? Of course they don't. They work backwards. Anyone can do this. It just takes time in a category of development that most open source authors don't like to be occupied by.

> You can’t design a better problem for an LLM agent than exploitation research.

Did you read the anthropic article you linked? It found absolutely nothing and then immediately devolved into a search for 'strcat.' That's it. Again, literally _anyone with the time_ could just do this.

> a frontier LLM already encodes supernatural amounts of correlation across vast bodies of source code.

'grep strcat' is "supernatural?"

This starts sprawling very quickly after this. The AI revolution is not real. The cargo cult is headed for a new winter. I only see articles proclaiming the sky is just about to fall any day now, yet, I see no real world evidence any such thing is happening or likely to happen.


Why not just release escrow? If I try to push a new release version another developer or developers have to agree to that release. In larger projects you would expect the release to be coordinated or scheduled anyways. Effectively we're just moving "version pinning" or "version delay" one layer up the release chain.

A lot of libraries are maintained by a single person.

Are those the ones typically involved in supply chain attacks?

There are no perfect solutions; but, let's be reasonable.
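The "release escrow" idea in the comment above, as an added example that is not part of the original comment and not RubyGems code: a release is publishable only when a quorum of distinct, registered maintainers has signed the exact built artifact. The maintainer names, the RSA keys, the quorum of two and the gem bytes are all constructed for the example; binding the signature to the artifact's sha256 (not just name and version) is the design choice that stops an approval from being replayed against a tampered build with the same version string, and a single maintainer signing twice does not reach quorum, which is exactly the single-maintainer objection.

```ruby
require "openssl"
require "digest"

# Hypothetical release-escrow check (example code, not RubyGems'): a release
# may be published only once QUORUM distinct registered maintainers have
# signed the canonical descriptor of the exact artifact.
class ReleaseEscrow
  Approval = Struct.new(:maintainer, :signature)

  # maintainers: { "name" => OpenSSL::PKey::RSA public key }
  def initialize(maintainers, quorum: 2)
    raise ArgumentError, "quorum must be >= 1" if quorum < 1
    @maintainers = maintainers
    @quorum = quorum
  end

  # Canonical bytes every maintainer signs. Including the sha256 of the built
  # artifact means an approval is bound to one specific package, not to a
  # name/version pair that a later, different build could reuse.
  def self.descriptor(name, version, artifact_bytes)
    "#{name}\n#{version}\n#{Digest::SHA256.hexdigest(artifact_bytes)}\n"
  end

  def self.approve(name, private_key, descriptor)
    Approval.new(name, private_key.sign(OpenSSL::Digest.new("SHA256"), descriptor))
  end

  # Returns [publishable?, reasons]. Only valid signatures from distinct,
  # registered maintainers over this exact descriptor count toward quorum.
  def check(descriptor, approvals)
    reasons = []
    valid = {}
    approvals.each do |a|
      key = @maintainers[a.maintainer]
      if key.nil?
        reasons << "unknown maintainer #{a.maintainer}"
        next
      end
      if valid.key?(a.maintainer)
        reasons << "duplicate approval from #{a.maintainer}"
        next
      end
      if key.verify(OpenSSL::Digest.new("SHA256"), a.signature, descriptor)
        valid[a.maintainer] = true
      else
        reasons << "bad signature from #{a.maintainer}"
      end
    end
    return [true, reasons] if valid.size >= @quorum

    reasons << "#{valid.size} of #{@quorum} required approvals"
    [false, reasons]
  end
end

# Constructed demo data: three maintainers, each with a fresh RSA key pair.
KEYS = %w[alice bob carol].to_h { |n| [n, OpenSSL::PKey::RSA.new(2048)] }
PUBLIC = KEYS.transform_values(&:public_key)

def demo
  escrow = ReleaseEscrow.new(PUBLIC, quorum: 2)
  gem_bytes = "constructed gem contents for 1.2.3"   # stands in for the built .gem
  desc = ReleaseEscrow.descriptor("example-gem", "1.2.3", gem_bytes)

  # Two distinct maintainers sign the same build: publishable.
  two_of_three = escrow.check(desc, [
    ReleaseEscrow.approve("alice", KEYS["alice"], desc),
    ReleaseEscrow.approve("bob", KEYS["bob"], desc),
  ])

  # One maintainer signing twice is still one approval: not publishable.
  solo = escrow.check(desc, [
    ReleaseEscrow.approve("alice", KEYS["alice"], desc),
    ReleaseEscrow.approve("alice", KEYS["alice"], desc),
  ])

  # Bob approved the clean build; his signature does not transfer to a
  # tampered artifact carrying the same name and version.
  tampered = ReleaseEscrow.descriptor("example-gem", "1.2.3", gem_bytes + "backdoor")
  replay = escrow.check(tampered, [
    ReleaseEscrow.approve("alice", KEYS["alice"], tampered),
    ReleaseEscrow.approve("bob", KEYS["bob"], desc),
  ])

  { two_of_three: two_of_three, solo: solo, replay: replay }
end

demo.each { |scenario, (ok, reasons)| puts "#{scenario}: #{ok} #{reasons.inspect}" } if $PROGRAM_NAME == __FILE__
```

The quorum is enforced by the publishing service, so it only helps if the upload path itself refuses unsigned or under-signed releases; a compromised maintainer machine can still sign, which is why the count is over distinct maintainers rather than distinct signatures.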



xz has dozens of contributors and two active maintainers. It was the actual example I was thinking of. The code was submitted by a third party and not a result of a developer machine compromise.

left pad wasn't a security incident. It was a capitalism incident.


"Gee, we can't figure out _why_ people anthropomorphize our products! It must be that they're dumb!"

Meanwhile, their products:


> if a commercial crew capsule (SpaceX Dragon or Boeing Starliner) returned to Earth with the kind of damage seen on Orion, NASA would insist on a redesign and an unmanned test flight to validate it.

Are you sure about that?

https://spaceflightnow.com/2022/05/24/spacex-swapping-heat-s...


Your link says it failed in testing, not in flight.

Did they demand an unmanned flight just to prove it worked? Or did they accept an entirely new design based on modeling and ground tests and then immediately flew it with crew on board?

Then again I'm not one of those people who roots for NASA to fail for some reason.


None of what you’re saying happened.

They had a heat shield on the capsule that failed testing, so they swapped out the interchangeable heat shield for one that passed testing.

There was no entirely new design, there was no new material science, it was the same heat shield that the previous crewed capsules have used without the manufacturing defect.


> SpaceX's next Crew Dragon mission (Crew-5) will fly with a different, updated heat shield structure after a new composite substrate failed acceptance testing

I don't know what "new" or "different" or "updated" or "structure" mean then anymore.


Looking at other articles, nobody else mentions an updated structure. I think that was a misunderstanding. This was a manufacturing defect caught in testing and they used a different unit as a result.

> Not because somehow those ships evaded US vigilance thanks to Iran's cunning skills.

Well.. we can't have America look bad. What would that do to the DOW?

> because they don't want to antagonise China more than they need right now

So, it actually does sound like Iran is pretty cunning here.


> access to APIs

It's mostly static data. Just publish it under a URL that won't change. Then we could actually cache and archive it.


The APIs in question are client-side iOS and Android APIs. Most of these apps are just WebViews wrapped in spyware, which is the point. It doesn't matter that most of the content is static or already uses browser-native APIs for functionality like forms, gating access to this information behind a surveillance device is the point.

Very well said.
