Hacker News: niklasd's comments

From an investor's point of view it's very unattractive to invest in an early-stage startup where half of the shares are in the hands of a person not working there anymore.


We found that for extracting tables, OpenAI's LLMs aren't great. What is working well for us is Docling (https://github.com/DS4SD/docling/)


Haven't seen Docling before, it looks great! Thanks for sharing.


Agreed, extracting tables in PDFs using any of the available OpenAI models has been a waste of prompting time here too.


About the "as complex as you need": RLS can get slow very quickly for aggregate queries, and is hard to debug (since the query planner doesn't work smoothly with RLS).

We have a dashboard that displays aggregated stats for our admin users, and we hit serious performance issues with ~600 users with our first implementation. This repo helped us: https://github.com/GaryAustin1/RLS-Performance


Thank you, that was really helpful and actionable: ex. I had stopped writing filters on queries recently if my RLS had it "built-in", easy to see now it's better for performance, and since it's better for safety anyway, why not do it?
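The two comments above (aggregate queries getting slow under RLS, and the advice to repeat the filter in the query even when the policy already has it "built-in") are easier to see side by side in SQL. The following is an added example written for this page, not code from the thread or from the RLS-Performance repo it links to; the schema, table and function names are constructed for illustration, and it assumes a Supabase-style Postgres with `auth.uid()` and the `authenticated` role.

```sql
-- Added example (not from the thread). Constructed schema: "events" rows belong to an org,
-- "memberships" maps users to orgs. Assumes Supabase's auth.uid() and the "authenticated" role.
create table public.memberships (
  user_id uuid not null,
  org_id  uuid not null,
  primary key (user_id, org_id)
);
create table public.events (
  id      bigint generated always as identity primary key,
  org_id  uuid not null,
  kind    text not null,
  created timestamptz not null default now()
);
alter table public.memberships enable row level security;
alter table public.events enable row level security;
grant select on public.memberships, public.events to authenticated;

-- First attempt: correct, but slow on aggregates. auth.uid() is a plain function call in the
-- predicate, so it and the correlated subquery are evaluated for every candidate row, and the
-- planner has nothing to narrow the scan with before the policy runs.
create policy events_read_v1 on public.events
  for select to authenticated
  using (org_id in (select m.org_id from public.memberships m where m.user_id = auth.uid()));

-- Second attempt, following the RLS-Performance recommendations:
--  1. index every column a policy filters on;
--  2. wrap auth.uid() in (select ...) so it is evaluated once as an InitPlan, not per row;
--  3. move the membership lookup into a STABLE security definer helper so the policy on
--     "events" does not also pay for RLS on "memberships" for every row;
--  4. repeat the tenant filter in the query itself so the index is used before RLS is applied.
create index events_org_idx       on public.events (org_id);
create index memberships_user_idx on public.memberships (user_id, org_id);

-- users may still read their own membership rows directly
create policy memberships_self on public.memberships
  for select to authenticated
  using (user_id = (select auth.uid()));

-- security definer: runs as the function owner, so the memberships RLS is not re-evaluated
-- inside every events policy check. Lock search_path and grant it only to the roles that need it.
create function public.my_org_ids() returns setof uuid
language sql stable security definer set search_path = '' as $$
  select org_id from public.memberships where user_id = auth.uid()
$$;
revoke execute on function public.my_org_ids() from public;
grant  execute on function public.my_org_ids() to authenticated;

drop policy events_read_v1 on public.events;
create policy events_read_v2 on public.events
  for select to authenticated
  using (org_id in (select public.my_org_ids()));

-- The dashboard query. Relying on RLS alone still makes Postgres visit every row the policy
-- has to judge; repeating the org filter lets the planner hit events_org_idx first, and it is
-- also defence in depth if a policy is ever dropped or loosened by a migration.
-- Run EXPLAIN as the real role: table owners and BYPASSRLS roles skip policies entirely, so a
-- plan taken as "postgres" tells you nothing about what your users experience.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true); -- constructed user
explain (analyze, buffers)
select kind, count(*)
  from public.events
 where org_id = '22222222-2222-2222-2222-222222222222'   -- constructed org id, known to the client
 group by kind;
rollback;
```

In the plan for the second version look for `InitPlan` (the one-shot `auth.uid()` evaluation) and an index scan on `events_org_idx`; the first version typically shows a sequential scan with a `SubPlan` re-executed per row, which is exactly what turns a dashboard aggregate into a problem at a few hundred users.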


Some additional feedback: In my opinion testing RLS is a problem.

Additionally, I find it hard to keep a good overview of the rules. E.g., in a multi-tenant application one needs to secure every table with a restrictive rule, and it's easy to make a rule permissive, since that is the default & it's not indicated in the Studio UI.

When generating migrations with 'supabase db diff' views are being recreated without 'WITH (security_invoker)' even though they had security_invoker turned on before, leaving your database exposed. Easy to miss, even when you're aware of that.

RLS is just so full of footguns that I find it hard to justify using it in a production system.

(But otherwise I love Supabase! Great job.)


we have a lot of work to do for migrations and testing, especially RLS.

for this Launch Week we focused on generating policies (more on that in tomorrow's launch week). This is hard for a lot of our audience who aren't familiar with SQL.

In the next few months we'll work on simulating a policy - being able to choose a specific user and see what data would be returned for that user.

We also have `supabase test db`, in case you missed it. It wraps pgTAP and pgProve so that you can write database tests.

> recreated without 'WITH (security_invoker)' even though they had security_invoker turned on before

we use migra for diffing. Thanks for raising this - we'll file a bug report asap.
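The footguns listed in the comment above (permissive being the default, views coming back from `supabase db diff` without `security_invoker`) and the `supabase test db` / pgTAP suggestion in this reply point at the same remedy: encode the invariants as database tests so a regression fails CI instead of shipping. The following is an added example for this page, not code from the thread or from Supabase. The schema and UUIDs are constructed; it assumes a Supabase-style Postgres 15 or newer (`security_invoker` on views needs 15) with pgTAP installed, `auth.uid()` reading `request.jwt.claims`, the `authenticated` role allowed to call the pgTAP functions, and is meant to live under `supabase/tests/` and be run with `supabase test db`.

```sql
-- Added example (not from the thread). A pgTAP file for `supabase test db`.
-- Assumes: Postgres 15+, pgTAP, Supabase's auth.uid() and "authenticated" role.
begin;
select plan(4);

-- constructed schema: one tenant-scoped table and an aggregating view
create table public.invoices (
  id        bigint generated always as identity primary key,
  tenant_id uuid not null,
  amount    numeric not null
);
alter table public.invoices enable row level security;
grant select on public.invoices to authenticated;

-- PERMISSIVE is the default. Several permissive policies are OR-ed together, so one sloppy
-- permissive policy can re-open rows that another policy closed.
create policy invoices_owner_read on public.invoices
  for select to authenticated
  using (tenant_id = (select auth.uid()));

-- AS RESTRICTIVE policies are AND-ed with everything else: they can only ever narrow access,
-- which is the property you want from a per-table tenant guard in a multi-tenant schema.
create policy invoices_tenant_guard on public.invoices
  as restrictive for all to authenticated
  using (tenant_id = (select auth.uid()));

-- Without security_invoker the view runs with its owner's privileges and RLS on the
-- underlying table is bypassed. This is the option the diff tool was dropping.
create view public.invoice_totals with (security_invoker = true) as
  select tenant_id, sum(amount) as total from public.invoices group by tenant_id;
grant select on public.invoice_totals to authenticated;

-- 1. every table in public has RLS switched on
select is_empty(
  $$ select c.relname from pg_class c join pg_namespace n on n.oid = c.relnamespace
     where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity $$,
  'all public tables have RLS enabled');

-- 2. every table in public carries at least one RESTRICTIVE policy
select is_empty(
  $$ select c.relname from pg_class c join pg_namespace n on n.oid = c.relnamespace
     where n.nspname = 'public' and c.relkind = 'r'
       and not exists (select 1 from pg_policies p
                        where p.schemaname = n.nspname and p.tablename = c.relname
                          and p.permissive = 'RESTRICTIVE') $$,
  'every public table has a restrictive policy');

-- 3. every view in public is security_invoker (catches the regenerated-migration regression)
select is_empty(
  $$ select c.relname from pg_class c join pg_namespace n on n.oid = c.relnamespace
     where n.nspname = 'public' and c.relkind = 'v'
       and not coalesce((select o.option_value::boolean
                           from pg_options_to_table(c.reloptions) o
                          where o.option_name = 'security_invoker'), false) $$,
  'every public view has security_invoker on');

-- 4. simulate one user: set the JWT claims the way PostgREST does, switch role, and check
--    that the view only returns that tenant's total (the policy "simulation" done by hand)
insert into public.invoices (tenant_id, amount) values
  ('11111111-1111-1111-1111-111111111111', 10),   -- constructed tenant A
  ('11111111-1111-1111-1111-111111111111',  5),
  ('22222222-2222-2222-2222-222222222222', 99);   -- constructed tenant B
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
set local role authenticated;
select results_eq(
  $$ select total from public.invoice_totals $$,
  $$ values (15::numeric) $$,
  'tenant A sees only its own total through the view');
reset role;

select * from finish();
rollback;
```

Tests 1 to 3 are schema-wide, so they keep working as tables and views are added; test 3 is the one that would have caught the `security_invoker` regression described above, because it reads the option back from `pg_class.reloptions` rather than trusting the migration text. Everything runs inside a transaction that is rolled back, so the constructed rows never touch real data.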


Great, thank you for the reply! Simulating a policy sounds exciting. Looking forward to the news.


follow up on the "security invoker" - we've filed a bug report here which you can follow: https://github.com/djrobstep/schemainspect/issues/86


Great news! Question to the Supabase team: How do Login with Azure (Social login) and SSO (Azure) differ? From my superficial understanding, implementing Login with Azure is enough for logging in users with Azure AD accounts (and linking their accounts to existing ones).


Would that not be a huge security risk? You could access the SSO credentials of your users that way.


I found this explanation very helpful: https://hakibenita.com/python-dependency-injection (if you program in Python)


Great job! What are the implications on resizing regarding storage egress & download size? Can I expect both to be smaller when resizing an image?


Yes! If you resize your images correctly, your users use less data to load assets from Storage. A side benefit is you will be paying us less in egress fees.


Actually, that is perfectly normal in many tax systems, e.g. in Germany. Afaik the tax law doesn't care where the money comes from – it could be from a completely illegal activity, and you still owe taxes on gains.


The last point always confuses me. Twitter can show ads to me without me having an account. Instead, they block me from reading on Twitter after a few tweets, thus losing my eyeballs. Maybe that's compensated by signups, but it certainly didn't work for me.


Good news, one of Elon’s top priorities is to remove this nagging stuff and make Twitter fully usable via browser again.


Believe it when you see it, not when you hear it.


I was just able to doom scroll Elon's feed back into October, so maybe it's only enabled on some accounts?


Try it and see, I suppose. My experience of it is that you can read an individual conversation but if you just look at some random person's timeline it will only show you a few tweets before asking you to log in.


That specific behavior seems to have gone away when Musk culled a whole bunch of microservices a couple weeks back. I know well what you're talking about and it annoyed the hell out of me, but now it's gone! For now, on desktop browsers, anyway.


That's what I did (I think, I don't know how to use twitter) - went to https://twitter.com/elonmusk and kept spinning my mouse wheel down.

Maybe it's only on desktop or because I have never logged in?


Could be desktop. Mobile browsing still seems to trigger demands for the app to be installed followed by login requests, though I just picked a few tweets at random rather than checking systematically.


That seems to not be true. I just made the mistake of not noticing a Hacker News post was to Twitter a few minutes ago, clicked on it, and couldn't even read the Tweet because it was covered by a modal telling me to turn on notifications, which I'd never seen before. What can Twitter even notify me of if I don't have an account? Everything that is ever Tweeted globally? That would probably be billions of notifications a day.


Twitter makes more money showing TARGETED ads; ads that don't have demo targeting are not nearly as valuable.


Old school webmasters (perhaps this is redundant phrasing) know that's okay. Back in the day, you'd say "I'll put your animated gif on my site for $500 per month" and if you had a networking forum Cisco or whoever would happily pay that secure in the knowledge that your viewers were in the market for their product.

Lesson: target the content, not the viewer. You know the general demographics of who is engaging positively with the tweet, and you show ads relevant to that group. A small fraction of the viewers need to be logged in for that to work.


Print magazines worked on the same principle; the ones that are left still do. I subscribe to one magazine. In it, all of the editorial content is up front and the back third is nothing but ads. I still read them -- sometimes I start there! -- because I genuinely want to know what's going on and what products are available in the niche this magazine covers.


This seems like so obvious an observation that I don’t get why advertisers haven’t made it. If I’m in work-mode, and you show me an ad related to a hobby of mine, I have a 0% chance of clicking it. If you show me an ad related to my work, it is probably more like .01%. Which is still an infinite-times improvement.


It's because there's an arms race to maximally exploit the massive amount of data they're collecting about individuals. The more specificity you can claim, the more the ad-buyers will pay. I'm not convinced it's doing any good, but I think a draw-down would be a hard sell for all parties involved in that market.


Re-targeting ads seem like a joke. Many times I've already bought their product or competitor's and am no longer interested. Hopefully they are paying for click throughs and not impressions.

