Hacker News: rtaylorgarlock's comments

The OS which requires you to click in order to update also makes it, uh, challenging to resize windows. Sublime. A tiling manager would never.

Dell will design the worst laptop power rail circuits, even after that awful power adapter barrel connector, and still DRM the battery to ensure they alone get revenue on things they designed to fail.

Respect for openness. Good work and good luck.

I don't understand what is being encouraged here.

Something is seriously wrong when we say "hey, respect!" to a company who develops an unauthenticated RCE feature that should glaringly shine [0] during any internal security analysis, on software that they are licensing in exchange for money [1], and then fumble and drop the ball on security reports when someone does their due diligence for them.

If this company wants to earn any respect, they need at least to publish their post-mortem about how their software development practices allowed such a serious issue to reach shipping.

This should come as a given, especially seeing that this company already works on software related to security (OpenAuth [2]).

[0] https://owasp.org/Top10/2025/ - https://owasp.org/Top10/2025/A06_2025-Insecure_Design/ - https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/ - https://owasp.org/Top10/2025/A05_2025-Injection/

[1] https://opencode.ai/enterprise

[2] https://anoma.ly/


I’ve noticed this a lot with startup culture.

It’s like an unwritten rule to only praise each other because to give honest criticism invites people to do the same to you and too much criticism will halt the gravy train.


I've struggled a bit on this: LinkedIn's positivity echo chamber vs. the negativity-rewarding dunk culture here. No greater power exists on HN than critical thinking using techno-logic in a negative direction, revenue and growth be damned.

Opencode doesn't have to maintain Zen so cheaply. I don't have to say anything positive or encouraging, just like I don't have to sh!t on youtuber 'maintainers' who promise incredible open source efforts which do more to prove they should stick to videos rather than dev. Idk. Not exactly encouraging me to comment at effing all if any positivity or encouragement is responded to with the usual "hm idk coach better check yoself". Ya, honestly I think I know exactly what to do.


Honestly, the RCE here is in the browser. Why does the browser execute any code in sight, and why can this code do anything?

It's called "the world wide web" and it works on the principle that a webpage served by computer A can contain links that point to other pages served by computer B.

Whether that principle should have been sustained in the special case of "B = localhost" is a valid question. I think the consensus from the past 40 years has been "yes", probably based on the amount of unknown failure possibilities if the default was reversed to "no".


OWASP A01 addresses this: "Violation of the principle of least privilege, commonly known as deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone."

Indeed, a deny-by-default policy results in unknown failure possibilities; it's inherent to safety.
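The deny-by-default principle in the comment above, as an added example (not code from any commenter or from the project under discussion): a request gate for a service listening on localhost that refuses a request unless the Host, the Origin and a per-session token all check out. The origins, port and token are constructed values, and the service itself is hypothetical.

```python
import hmac
from dataclasses import dataclass

# Constructed values for the example: the service's own UI origin, the
# Host values it answers to, and a per-session secret. A real service would
# generate the token at startup and hand it only to its own UI.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:4096"})
ALLOWED_HOSTS = frozenset({"127.0.0.1:4096", "localhost:4096"})
SESSION_TOKEN = "example-session-token"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(headers: dict, token: str = SESSION_TOKEN) -> Decision:
    """Decide whether one request may reach a privileged local endpoint.

    Any web page can make the browser send a request to localhost, so the
    default is to refuse; a request passes only if every check below does.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # 1. Host: a request that reached this address through some other
    #    hostname carries an unexpected Host header; answer only to our own.
    if h.get("host") not in ALLOWED_HOSTS:
        return Decision(False, f"unexpected Host: {h.get('host')!r}")

    # 2. Origin: browsers attach it to cross-origin requests. Anything other
    #    than our own UI origin is refused outright.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return Decision(False, f"origin not allow-listed: {origin!r}")

    # 3. Token: a page that was not served by this service never received
    #    it, so even an otherwise plausible request without it is refused.
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return Decision(False, "missing bearer token")
    if not hmac.compare_digest(presented.encode(), token.encode()):
        return Decision(False, "bad token")

    return Decision(True, "ok")
```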


>Violation of the principle of least privilege

I completely agree with this, programs are too open most of the time.

But, this also brings up a conundrum...

Programs that are wide open and insecure typically are very forgiving of user misconfigurations and misunderstandings, so they are the ones that end up widely adopted. Whereas secure-by-default applications take much more knowledge to use in most cases and, even though they protect the end user better, see less distribution unless forced by some other mechanism such as compliance.


Ah, you new 'round these parts? It's unfashionable to speak directly--we must fragment, hypothesize, add complexity and nuance rather than simply leave someone's slightly vague statement uncorrected. -_-


Has docling improved? I had a bit of a nightmare integrating a docling pipeline earlier this year. Docs said it was VLM-ready, which I spent lots of hours finding out was not true, just to find a relevant GitHub issue which would've saved me a ton of hours :/ Allegedly fixed, but wow, that burned me bigtime.


Our team has tested docling pretty extensively; it works well for simpler text-heavy docs without complex layouts, but the moment you introduce tables or multi-column stuff it doesn't maintain layout well.


Interesting perspective. I've mainly felt like I have 'American privilege' regarding the ease with which I open accounts of basically any sort on a whim, usually with little friction.


Oh no, this is just a Google thing. I've done the same verification bs for four different companies now, multiple times for each of them. I just keep an image of my license on my computer so I can upload it on demand. Google's payment verification is byzantine.

It'll trigger when you sign up.

It'll trigger if you create an Android developer account.

It'll trigger if you get a new phone.

It'll trigger if your card expires.

It'll trigger the month before your card expires. Why? Fuck you, that's why.


And it just happened to me again. I got a new phone and my personal payment account went into some verification status and I can't use my wallet. Even though Google itself moved the card. And I was able to add the card and use the wallet with my gmail account. Wtf.


LLM managing a NixOS install lol


As critical as I am of LLM use, the nice thing about it here is your configs can be version controlled, and rolling back changes is pretty painless.

I'd still want to go through any changes with a fine tooth comb to look for security issues and to make sure I know what it is adding and removing, but it's saner than letting an LLM run amok on a live system.


Hilarious and frightening. I don’t want LLMs anywhere near anything remotely important. We’ve already had to remove a few dependencies from our projects because of CVEs caused by careless LLM usage upstream.

We are so screwed.


Or asking baiting questions just to appear intellectually connected?


Exactly. I'm a little interested to see if perhaps designers' eyes will continue to open to the power of licensing terms and control of their work with the whole AI conversation. The only designers I've heard say they care about open source are on the web side of design.


Upvoted for pipes at the beginning

