Hacker News | etiennebausson's comments

No idea if that marketing comes from arrogance or lack of research, but it doesn't endear me to the product.

Basically a speaker on wheels with a screen.


I suppose it would be way less if you only compared to U.S. prison labor, but a race to the bottom is not to be admired.


I think if the labor cost is a small part of total cost, it might be more valuable to investigate the roughly 1:2 output per worker. Some possibilities, none confirmed:

- Chinese workers work 2 shifts instead of 3 shifts, so the factory simply hires fewer workers. This should also show a difference of total output of cars;

- Chinese factory has better processes or/and automation, which is more interesting.


Publicly posting an exploitable bug IS asking for someone to drop everything and come fix the issue NOW.


So when someone finds a bug in software, in your mind the only acceptable options are:

1) Fix it yourself

2) Sit on it silently until the maintainers finally get some time to fix it

That seems crazy to me. For one, not everyone who discovers a bug can fix it themselves. But also a patch doesn't fix it until it's merged. If filing a public bug report is expecting the maintainers to "drop everything and do free labor" then certainly dropping an unexpected PR with new code that makes heretofore unseen changes to a claimed security vulnerability must surely be a much stronger demand that the maintainers "drop everything" and do the "free labor" of validating the bug, validating the patch, merging the patch etc etc etc. So if the maintainers don't have time to patch a bug from a highly detailed bug report, they probably don't have time to review an unexpected patch for the same. So then what? Do people sit on that bug silently until someone finally gets around to having the time to review the PR? Or are they allowed to go public with the PR even though that's far more clearly a "demand to drop everything and come fix the issue NOW"?

I for one am quite happy the guy who found the XZ backdoor went public before a fix was in place. And if tomorrow someone discovers that all Debian 13 releases have a vulnerable SSH installation that allows root logins with the password `12345`, I frankly don't give a damn how overworked the SSH or Debian maintainers are, I want them to go public with that information too so the rest of us can shut off our Debian servers.


Responsible disclosure policies for contributor-driven projects can differ from commercial projects. Also, if Google has the funds to pay for bug finding, they also have the funds for bug fixing the community projects they depend on.


> Responsible disclosure policies for contributor-driven projects can differ from commercial projects.

They can, but there's not an obvious reason why they should. If anything, public disclosure timelines for commercial closed source projects should be much much longer than for contributor-driven projects because once a bug is public ANYONE can fix it in the contributor-driven project, whereas for a commercial project, you're entirely at the mercy of the commercial entity's timelines.

> Also, if Google has the funds to pay for bug finding, they also have the funds for bug fixing the community projects they depend on.

They do. And they do. They literally hire the ffmpeg maintainers via the maintainer's consulting business (fflabs.eu) and they routinely contribute code to the ffmpeg project.


> They can, but there's not an obvious reason why they should.

Of course there are obvious reasons: corporations have the resources and incentives to fix them promptly once threatened with disclosure. Corporations don't respond well otherwise. None of these apply to volunteer projects.

> They literally hire the ffmpeg maintainers via the maintainer's consulting business (fflabs.eu) and they routinely contribute code to the ffmpeg project.

Great, then they should loop in the people they're paying on any notification of a vulnerability.

Of course, if this has truly been the case then nobody would have heard of this debacle.


> None of these apply to volunteer projects.

How so? Volunteer projects have maintainers assigned to the project writing code. The "resources" to fix a bug promptly are simply choosing to allocate your developer resources to fixing the bug. Of course, volunteers might not want to do that, but then again, a company might not want to allocate their developers to fixing a bug either. But in either case the solution is to prioritize spending developer hours on the bug instead of on some other aspect of your project. In fact, volunteer driven projects have one huge resource that corporations don't, a theoretically infinite supply of developers to work on the project. Anyone with an interest can pick up the task of fixing the bug. That's the promise of open source right? Many eyes making all bugs shallow.

As for incentives, apparently both corporations and volunteer projects are "incentivized" to preserve their reputation. If volunteer projects weren't, we wouldn't be having this insane discussion where some people are claiming filing a bug report is tantamount to blackmail.

The only difference between the volunteer project and the corporation is even the head of a volunteer project can't literally force someone to work on an issue under the threat of being fired. I guess technically they could threaten to expel them from the project and I'm sure some bigger projects could also deny funding from their donation pool to a developer that refuses to play ball, but obviously that's not quite the same as being fired from your day job.

> Great, then they should loop in the people they're paying on any notification of a vulnerability.

If only there was some generally agreed upon and standardized way of looping the right people in on notifications of a bug. Some sort of "bug report" that you could give a team. It could include things like what issue you think you've found, places in the code that you believe are the cause of the issue, possibly suggested remediations, maybe even a minimum test case so that you can easily reproduce and validate the bug. Even better if there were some sort of email address[1] that you could send these sorts of reports to if you didn't necessarily want to make them public right away. Or maybe there could be a big public database you could submit the reports to where anyone could see things that need work and could pick up the work[2] even if the maintainers themselves didn't. That would be swell, I'm sure some smart person will figure out a system like that one day.

[1]: https://ffmpeg.org/security.html

[2]: https://ffmpeg.org/bugreports.html


xz was a fundamentally different problem, it was code that had been maliciously introduced to a widespread library and the corrupted version was in the process of being deployed to multiple distributions. The clock was very much ticking.


The clock is always ticking. You have no idea when you find a vulnerability who knows about it or how or whether it is currently being actively exploited. A choice to delay disclosure is a choice to take on the risk that the bug is being actively exploited in order to reduce the gap (and risk in that gap) between public disclosure and remediations being available. But critically, it is a risk that is being forced on the users of the software. They are unable to make an informed decision about accepting the risk because they don't know there is a risk. Public disclosure, sooner rather than later MUST be the goal of all bug reports, no matter how serious and no matter how overworked the maintainers.


That would be an acceptable response if it was just the last president doing it, but it's been ongoing since WW2 at the very least.

I hold Russia as a whole accountable for Russia's recent war in Ukraine, it's their responsibility to get rid of their leader when he started an unjustified invasion.

I hold the U.S. as a whole responsible for their successive presidents' antics.


Persistently bad behavior can be anticipated and accounted for, random actions cannot. Importers have as much issue with the tariffs as they have with the unpredictability of those tariffs.

In theory, you try to limit the influence of a persistently bad actor, but it seems the U.S. didn't get the memo.


I am curious about which countries you associate with privacy.


> curious about which countries you associate with privacy

Estonia, Iceland, Switzerland, the Nordic countries and America.


America? The one with all the spying, NSA, Patriot Act, this America?


> America? The one with all the spying, NSA, Patriot Act, this America?

Yes. We do all of that. But so does practically everyone else. The difference is our federal structure and--until recently--independent courts provided a bit more oversight than other countries' citizens had access to. And we've had--until recently--respect for privacy held deeply enough by enough people that it turns into a stink at the federal level in at least some respect.

Most countries have national logging requirements, disclosure requirements and domestic police with the powers of the NSA. (America remains one of the few countries in which one can form a legal entity with zero identification.)


Obviously if this agreement conflicts with the patriot act, it’s unpatriotic and America is right not to sign it.


The typical answer to this would be places like Switzerland, Germany and the Cayman Islands.


Interesting dataset.

It would be a lot fairer to display tons of CO2 per inhabitant I think.

And that's before taking into account imported CO2.



Climate change isn't driven by per-inhabitant CO2 emissions. It's driven by total CO2 emissions, of which the US outputs 12% per year.


Climate change isn't driven by human defined borders either. It's driven by total CO2 emissions. If a per-capita rate is nonsensical then border based emissions are even more nonsensical. Greenland only emits 0.001% of the total. Greenland is 12000x a better country than the US wow. This is exactly why per-capita is used.


Yeah and this is clearest when you consider federations. Imagine if you count the US as 50 separate countries, suddenly they are much more climate friendly! That's of course absurd.


Climate change isn’t driven by borders but energy policy is defined within them.


And no policy is gonna willingly reduce energy consumption which is directly correlated with QOL when other countries have much higher per-capita consumption. Politically humans need fairness.


We don’t need to reduce energy consumption. We need to reduce greenhouse gas emissions.


We know. There are many reasons why countries choose more polluting sources of energy. Part of which is costs. The world runs on incentives. Maybe rich countries like the US can subsidize clean energy for poorer countries like India. Because consumption is definitely not going to come down.


You say you know then directly contradict yourself by bringing up consumption again.

The United States already supports clean energy in India. India is not “poor”. It has a larger economy than the United Kingdom. 46.3% of India’s installed capacity is renewable and that mix is growing.

https://en.wikipedia.org/wiki/Renewable_energy_in_India


> You say you know then directly contradict yourself by bringing up consumption again.

It's not a contradiction. Increasing consumption today will mean increase of greenhouse emissions. Any increase of consumption today still involves some increase in fossil fuels for many reasons like grid stability.

> The United States already supports clean energy in India.

They work together on projects. AFAIK the US doesn't subsidise anything for India or other countries.

> India is not “poor”.

It is. Its per capita GDP is $2,878. The US is $85,809. That's a 30x difference. It is an incredibly poor country.

> It has a larger economy than the United Kingdom.

Philippines and Norway have the same total GDP too. It's silly to consider them equally rich.

> 46.3% of India’s installed capacity is renewable and that mix is growing.

Hell yeah! Hopefully it keeps growing. It's kinda hilarious that India is one of the few countries who will meet the Paris accord commitments. The US is still stuck at 23% and isn't even close to meeting its commitments.


People in India are poor but that doesn’t mean the country is poor. The Indian government has resources to build out renewables as evidenced by them doing exactly that. The United States does not provide much direct funding but you are the only one suggesting that is necessary.


> People in India are poor but that doesn’t mean the country is poor.

Please stop. By your logic any country with a lot of people is rich. I already pointed out Norway vs Philippines for you. It is dirt poor by all numbers. Their extreme poverty rate just dropped recently. Their annual budget is 1/10th of the US with 5x more people. Energy needs per person will grow by over 10x in the next few decades to match the US. There is a long way to go.

> The Indian government has resources to build out renewables as evidenced by them doing exactly that.

I'm actually very impressed to see India sticking to the Paris accords. What exactly is the excuse of the world's greatest superpower? Maybe a century of polluting the world isn't enough.

> The United States does not provide much direct funding but you are the only one suggesting that is necessary.

You're right. It needs to first fix itself lol. Maybe ask India for help :p Then again if you don't understand why the rich countries need to try and incentivise the world to move faster to renewables then you don't understand the urgency of the matter.


The notion of subsidizing a foreign country that literally has nuclear weapons is ludicrous. US voters would never stand for that.


No voter would. Humans would rather die from climate change than try and work together. Our innate tribalism is what makes solutions to this problem hard.


That seems to be a very American perspective. Several European countries have or had Green Parties being part of the government. A German Land (state in US terminology) has had a Green prime minister for 10 years. One could debate whether they have made sufficient impact, but it's certainly very far from "no voter".


Why the dig at Americans? This is nothing more than tock’s misinformed personal opinion. The United States does work with India to develop green energy.

California is famous for green initiatives and my state of Washington trades clean energy with Canada. I’d be shocked if we are unique in that.

These agreements have been in place for generations. It’s obvious they have voter approval.


> Why the dig at Americans?

America deserves the dig. Pulling out of the Paris accords. 22% renewable usage compared to the 60% of Germany. And now climate change denial.

> The United States does work with India to develop green energy.

lmao.

> It’s obvious they have voter approval.

I mean they did just vote in the guy who calls climate change a hoax.


I forgot about the Green parties! Good to see them having such support!


Unfortunately support has not been growing for 10 years or so. Nowadays far right parties are making the headlines in most European countries.


And this is one of the reasons why the German economy has stagnated for years.

https://swiftpress.com/book/kaput/


Solar energy is currently the cheapest form of energy, cheaper than coal, cheaper than natural gas. You know the conspiracy theories about how the oil companies are keeping perpetual motion machines hidden? Solar panels are literally that. With the caveat that they only work in sunlight. So they're not great when you need energy at night. But even if you triple your costs to account for only working 8 hours a day, they're cheaper than anything else.


For a lot of industrial processes, being limited to running during sunny periods would cause costs to go up by a lot more than a factor of three. The grid scale storage necessary to make solar power work for heavy industry remains extremely expensive and capacity limited. Costs are starting to come down but it will take decades.


Solar + battery is now the cheapest. Except in the USA, where natural gas is heavily subsidized. Happily, deploying new gas plants is constrained by supply of turbines. So solar + battery wins by default.


Batteries (plus all the other associated equipment and maintenance) are hardly cheap in the quantities needed to keep heavy industry running 24×7. Battery storage holds promise for the future but so far it's only been used on relatively small demonstration projects. And some of those have been plagued by fires and outages.


> relatively small demonstration projects.

California has got really good at building giant batteries - At peak times they provide 30% of the state’s electricity (https://www.economist.com/united-states/2025/05/22/californi...) - The Economist.

California is the 4th largest economy in the world by the way. A bit larger than a “small demonstration”.



I don't have any objection, I'm just stating a reality: it's going to take decades to build out enough battery storage to make renewable energy practical for the base load required for heavy industry. This stuff doesn't scale up quickly regardless of costs or incentives. The places where battery storage is used today generally have high electricity prices and low industrial capacity. If we want to have cheap stuff then we need to have cheap electricity (and cheap industrial heat) available to make that stuff 24×7.


> Solar energy is currently the cheapest form of energy, cheaper than coal, cheaper than natural gas.

Cheaper before the incentives?


Yes. Even if you count the fossil fuel subsidies.


Can you share the source? I’m very curious.



For some reason, these savings never cascade down to the consumer. Solar energy is typically a surcharge, not a cost savings.

When I log into my utility account, I can opt into solar generated power for X $/kwh more, not less.


Solar is also the most democratic, as long as you can tolerate it not working at night. I encourage you to experiment with a small portable system. I did - a 30W panel, 9Ax12V SLA battery, off-the-shelf car inverter, packet of crimp connectors, spool of wire, crimp tool, the cheapest over-voltage shutoff controller I could find (just search for solar charge controller - although lead-acid chemistries are moderately tolerant to charging out of bounds, unlike lithium, which is why I suggest lead-acid).


I really think home battery power is going to be a standard feature in the near future. Like indoor plumbing and central HVAC.

My utility just adopted time of use billing and by my napkin math a battery system with one day of capacity will pay for itself in 5 years. And that’s without solar at all. The additional solar panel cost would pay off in under 3 years. And I have cheap electricity.


Yeah main issue is elasticity. But otherwise promising. China is adding insane solar capacity yearly so I guess they see it as promising too.


But the reason emissions happen is for per-inhabitant benefits. It's a very reasonable idea [0] to set a per-inhabitant goal and criticize countries exceeding that threshold (which the US would still fail at, but I'm arguing against the metric itself rather than US faults).

Take your position to something of an extreme -- the Vatican could open up 200 coal power plants for its holy Bitcoin operations and still be sufficiently less impactful to CO2 than the US that nobody would target them during climate talks. Rephrased from the other direction, each US citizen would blow their CO2 budget by buying a shirt per decade to get down to the Vatican's levels.

That's a common mental failure mode, analogous to the sorites paradox. Countries are made up of many small actors and decisions, and pretending otherwise is unlikely to help you achieve your goals.

[0] Mostly -- transitive effects like one country generating all the goods another country uses are harder to account for. Assuming we could measure perfectly though...


In context of the United States, there are a small number of actors that stand to lose billions to renewables.

I live in the Northeast. Solar reduced my grid demand by 40%. That translates to a full recoup of the investment in 60-65 months with subsidy, 100-110 without. The unsubsidized payback period is 1/3 of the projected useful life of the panels.

You know it’s a good idea because opponents' big argument is safety of rooftop installers and future workers disposing of solar panels, topics that these folks DNGAF about in the least.


12% is quite low considering that the US is responsible for >20% of global industrial output.


Not really, by that metric Europe still comes out ahead.

https://ourworldindata.org/grapher/co2-intensity


Of course, Europe has relatively little carbon intensive industry. The US is the world's largest producer of oil, beef, and other things with an intrinsically high carbon footprint. The carbon intensity of industry is a byproduct of geography and geology.

Europe has a relatively high carbon footprint per unit of output for things like animal husbandry compared to the US, they just don't do enough of it for it to add up.


>Of course, Europe has relatively little carbon intensive industry. The US is the world's largest producer of oil, beef, and other things with an intrinsically high carbon footprint. The carbon intensity of industry is a byproduct of geography and geology.

This also works in reverse, e.g. US importing goods from China and therefore not being on the hook for emissions generated by those goods. ourworldindata has another page that compares the difference between consumption based emissions and territorial emissions[1]. Looking at that page, consumption based emissions are 11% higher for the US vs 27% for the EU. That makes the US look better, but it's not enough to cancel out the fact that the US is 63% more carbon intensive than the EU.

[1] https://ourworldindata.org/consumption-based-co2


You're kinda contradicting yourself. You're right that it's about absolute numbers. But then you use a percentage.

Perhaps 12% for 5% of the global population is too high. But you don't want to relate it to population. Relating to number of countries is rather nonsensical. Some are big (by productivity, area, population, etc.), some are tiny.


Making it relative to countries is useful because that is the delineation along which policy is made.

Making it relative to people, IMO, only serves to obscure the fact that the US/China/etc are by far the biggest producers of emissions.

Writing climate policy with them in mind makes more sense than pushing for somewhere like Monaco to reduce emissions, even if their emissions per person are high.


How is that fair when a lot of industrial production was shifted to one region of the globe specifically? It would be impossible without a lot of guessing and estimations, producing questionable data, but you would have to include CO2 attributable to exports and imports.

Which is just too hard, and too open to change assumptions to fit a desired result.

Because in reality, much of the globe's economy is waaayyyyy too interconnected, and the arrows don't just point one way. Feedback loops without end.

That whole "this/that country..." just does not work, except to fill comment sections. The systems are global.


>It would be impossible without a lot of guessing and estimations, producing questionable data, but you would have to include CO2 attributable to exports and imports.

>Which is just too hard, and too open to change assumptions to fit a desired result.

See: https://news.ycombinator.com/item?id=45762344

No, it's pretty straightforward. Count where a given good is consumed rather than where it's produced. It has to be estimated, but that's also the case for territorial emissions or other economic figures like GDP, but we don't throw our hands up and say "well it's too hard and too prone to fudging so we might as well not bother".

>Because in reality, much of the globe's economy is waaayyyyy too interconnected, and the arrows don't just point one way. Feedback loops without end.

What "feedback loops" are you talking about?

>That whole "this/that country..." just does not work, except to fill comment sections. The systems are global.

Ok but surely you must recognize that the US, where the average person drives a pickup/SUV to work is emitting more carbon than something like India where the average person gets around by walking or using motorbikes? That's the concept that conversations like "US emits more carbon per capita" are trying to capture. "The systems are global" sounds like an excuse to continue driving an F-150 to work because of some spurious arguments about how hard it is to do carbon accounting 100% accurately.


>And that's before taking into account imported CO2.

It doesn't really make much of a difference. For US specifically there's about a 10% difference.

https://ourworldindata.org/consumption-based-co2


I believe the concept you are looking for is scope 3 emissions.


From what I can find, those 7500 are 7500 pedestrians killed by vehicles a year, so we might as well round it up to 50k vehicular deaths a year and be done with it.

Seems more honest.


People give car fatalities in general a pass because it could have been them driving.

If Waymo or a competitor replaces drivers, they don't get that free pass anymore, because the jury will not think it could have been them.

That would actually be a better situation than today's "free pass for everyone as long as no drugs are involved" that rules nowadays.


This is basically the opposite of how juror psychology works. Jurors in these cases tend to vote against defendants they identify with because they prefer to believe they’d never act like the defendant. Source: I’m a former jury consultant who researched and consulted on these kinds of cases.


Most of these cases never make it to a jury or result in felony charges.


Nice work, love the access to all the comms history.

