
This page has a short explanation of the default way in which Go downloads modules, with links for more details: https://sum.golang.org/


Thanks. It took a little more digging from that link but I eventually found https://go.dev/doc/security/vuln/#vulnerability-detection-fo...


Right, my bad, seems like I misunderstood the question. Glad you could still find an answer.

For more context on why I thought that link would have been helpful: In Go you download dependencies "straight" from the source[1], while in npm and other languages you download dependencies from a completely unrelated registry that can have any random code (i.e. whether the published artifact was built from the alleged source repository, is a flip of a coin).

So not having this kind of third party registry eliminates the point of failure that caused the issue commented in the article. The issue was caught because of a centralized place, yes, but it was also caused because npm dependencies are downloaded from a centralized place and because this centralized place only hosts artifacts unrelated to the source code itself; package authors can `npm publish` artifacts containing the exact source code from their repos if they want though. If.

With Go, having a mirror of the source code is still third party infra, but is more an optimization than anything else, and checksums are generated based on the source itself[2] (rather than any unrelated artifact). This checksum should match even for people not using any proxy, so if you serve different code to someone, there will be a mismatch between the checksum of the downloaded module and the checksum from the SumDB. This should catch force-pushes done to a git repository version tag, for example.

Also, Go downloads the minimum version that satisfies packages, so it's less likely that you'll download a (semver) "patch" release that someone pushed hours ago.

All this makes me both like and dislike how Go handles dependencies.

[1]: Well, from a mirror, unless you set `GOPROXY=direct`. Reasoning explained in next paragraph.

[2]: The checksum is calculated from a zip file, but it is generated in a deterministic way, and this checksum is also generated and validated locally when you download dependencies. More info at https://go.dev/ref/mod#zip-files and https://go.dev/ref/mod#go-mod-verify
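The checksum discussed above is the "h1:" hash that go.sum and sum.golang.org record. As an added example (not code from this comment or from the Go project), the block below reimplements that construction over an in-memory file list, mirroring the dirhash "Hash1" algorithm the Go tool uses on the module zip, and shows how a force-pushed tag with one changed file fails verification against the pinned hash. The sample module files are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleFile is one file inside a module zip (path relative to the zip root).
type ModuleFile struct {
	Path    string
	Content []byte
}

// Hash1 mirrors the "h1:" go.sum algorithm: for every file, sorted by path,
// write "<sha256 hex>  <path>\n", then SHA-256 that summary and base64 it.
// Only paths and contents matter, so the same source tree hashes identically.
func Hash1(files []ModuleFile) string {
	sorted := append([]ModuleFile(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Path < sorted[j].Path })
	summary := sha256.New()
	for _, f := range sorted {
		sum := sha256.Sum256(f.Content)
		fmt.Fprintf(summary, "%x  %s\n", sum[:], f.Path)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// Verify compares a freshly downloaded module against the checksum pinned in
// go.sum (or returned by the checksum database). A mismatch means the content
// behind that version changed, whatever the proxy or origin served.
func Verify(files []ModuleFile, recorded string) bool {
	return Hash1(files) == recorded
}

func main() {
	// Constructed sample module; the path prefix mirrors the real zip layout.
	good := []ModuleFile{
		{"example.com/m@v1.0.0/go.mod", []byte("module example.com/m\n")},
		{"example.com/m@v1.0.0/m.go", []byte("package m\n\nfunc F() int { return 1 }\n")},
	}
	recorded := Hash1(good) // what go.sum / sum.golang.org would have pinned
	// Simulate a force-pushed tag: same version string, one file changed.
	tampered := append([]ModuleFile(nil), good...)
	tampered[1].Content = []byte("package m\n\nfunc F() int { return 2 }\n")
	fmt.Println("original verifies:", Verify(good, recorded))
	fmt.Println("force-pushed tag verifies:", Verify(tampered, recorded))
}
```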


Then you have companies like AWS: they were sending invoices from `no-reply-aws@amazon.com`, but last month they changed it to `no-reply@tax-and-invoicing.us-east-1.amazonaws.com`.

That looks like a phishing attempt from someone using a random EC2 instance or something, but apparently it's legit. I think. Even the "heads-up" email they sent beforehand looked like phishing, so I was waiting for the actual invoice to see if they really started using that address, but even now I'm not opening these attached PDFs.

These companies tell customers to be suspicious of phishing attempts, and then they pull these stunts.


> These companies tell customers to be suspicious of phishing attempts, and then they pull these stunts.

Yep. At every BigCo I've worked at, nearly all of the emails from Corporate have been indistinguishable from phishing. Sometimes, they're actual spam!

Do the executives and directors responsible for sending these messages care? No. They never do, and get super defensive and self-righteous when you show them exactly how their precious emails tick every "This message is phishing!" box in the mandatory annual phishing-detection-and-resistance training.


A few years ago our annual corporate phishing training was initiated by an email sent from a random address asking us to log in with our internal credentials on a random website.

A week later some executive pushing the training emailed the entire company saying that it was unacceptable that nobody from engineering had logged into the training site and spun some story about regulatory requirements. After lots of back and forth they still wouldn't accept that it obviously looked like a phishing email.

Eventually when we actually did the training, it literally told us to check the From address of emails. I sometimes wonder if it was some weird kind of performance art.


It’s all just box ticking and CYA compliance.

“We got pwned but the entire company went through a certified phishing awareness program and we have a DPI firewall. Nothing more we could have done, we’re not liable.”


I agree, but I really wonder where on earth they find these people.


If you're talking about the companies who provide the "training", either they're the lowest bidder, closely linked to someone who is buddies with someone important in the company [0], or both.

[0] ...so the payments serve the social function of enriching your buddy and improving your status in the whole favor economy thing...


I once got a "log into phishing training" email which spoofed the company address. No one even saw the email, it instantly hit the spam filter.

Our infra guy then had to argue with them for quite a while to just email from their own domain, and that no, we weren't going to add their cert to our DNS and let a third party spoof us (or however that works, idk). Absolutely shocking lack of self-awareness.


When they send out the phishing-simulation email campaign from the "compromised insider account" it's going to fool a lot more people!


If Kevin Mitnick shows up or is referenced then I'm pretty sure it's performance art.


If only, it would've been an honour to get phished by Mitnick. Rest in peace...


Years of useless KnowBe4 trainings with him in the video have given me a twitch whenever I hear him referenced.


I can't pass phishing training on my first try because it often has bad advice as the answers they are convinced are correct. Reading headers is one such gem.


I remember an email I once got.

Title: "Expense report overdue - Please fill now"

Subject:

<empty body>

<Link to document trying its best to look like Google's attachment icon, but which was actually a hyperlink to a site that asked me to log in with my corporate credentials>

---

So like, obviously this is a stupid phishing email, right? Especially as at this time, I had not used my corporate card.

A few weeks later I got the finance team reaching out threatening to cancel my corporate card because I had charges on it with no corresponding expense report filed.

So on checking the charge history for the corporate card, it was the annual tax payment that all cards are charged in my country every year, and finance should have been well aware of. Of course, then the expense system initially rejected my report because I couldn't provide a receipt, as the card provider automatically deducts this charge with no manual action on the card owner's side...


Yielding to anything you say is a no-no because part of the deal is that you, as a geek, must bend over to their unilateral veto over everything in the company


I thought facebookmail.com was fake. No, it is actually legit


Is that for user email? I think that is semi-understandable as Facebook wouldn't want to mix their authority with that of the users, like github.com vs github.io.

Edit: nvm it seems it's not the case


Alternatively, cloud->clown.

Clown Computing, Clownflare, Google Clown Platform, etc.


Today's forecast is partially clowny with a high of 70 and a low of 58


Related comment from a recent thread that I can't unsee: https://news.ycombinator.com/item?id=45152476


They mention that they're "demonstrating that privacy-respecting AI services are feasible", knowing their duck.ai is sending the prompts to other AI services, and then in the same paragraph they mention leaks and hacks.

To their credit, their privacy policy says they have agreements on how the upstream services can use that info[1]:

> As noted above, we call model providers on your behalf so your personal information (for example, IP address) is not exposed to them. In addition, we have agreements in place with all model providers that further limit how they can use data from these anonymous requests, including not using Prompts and Outputs to develop or improve their models, as well as deleting all information received once it is no longer necessary to provide Outputs (at most within 30 days, with limited exceptions for safety and legal compliance).

But even assuming the upstream services actually respect the agreement, their own privacy policy implies that your prompts and the responses could still be leaked because they could technically be stored for up to 30 days, or for an unspecified amount of time in the case of the exceptions mentioned.

I mean, it's reasonable and a good start to move in the direction of better privacy, way better than nothing. Just have to keep those details in mind.

[1]: https://duckduckgo.com/duckai/privacy-terms


But this is not excessive, it's Legitimate Interest and absolutely needed to provide a good service /s


Take FreeBSD, for example: it's not mainstream but also not too obscure, they get some funding through the FreeBSD Foundation, and yet wifi drivers are still an issue.


> Is 20b euro enough to be a real alternative?

Since we're talking about Europe, my first instinct here is that I want to double-check what they mean by "billion"[1].

This article being in English makes me assume short scale, but SAP being German makes it possible (even if unlikely) that it could be a mistranslation that everyone else just copied.

If only any of these articles could link to a source. But searching for literal quotes doesn't seem to return any authoritative source, or even any transcripts (if this was announced verbally).

[1]: https://en.wikipedia.org/wiki/Long_and_short_scales#German-s...


The alternative of 10^12 (trillion) seems a stretch to say the least.


Here is the original announcement: https://news.sap.com/germany/2025/09/sap-souveraene-cloudang...

And the relevant quote: "Durch eine langfristige Investition von über 20 Milliarden Euro setzt SAP einen klaren strategischen Fokus auf digitale Souveränität."

"more than 20000 million euros"


Thanks!

> 20 Milliarden Euro

Yep, so the source uses the long scale "milliard" and the translations use short scale "billion", it checks out.


Indeed, Continental billion is 1e12, not 1e9.

The idea of SAP spending 20e12 EUR seems hard to believe.


As someone from a country that supposedly uses billion as 1e12, the last time I've seen anyone do it was 2005, and that was in a book from the 1960s.


They aren't spending the GDP of the EU on a cloud.

Short form is the norm these days all over Europe.


My 2 cents. I have been using Alpine Linux as my main Linux distro for... I don't know how long, but probably more than 5 years at this point.

My only issues have been:

* Nvidia proprietary drivers (when I was building a PC with an old GPU).

* DRM (Netflix).

* I think I also had problems with SQLite3 while trying to install the Twitch test server thingy inside an Alpine container.

Other than that it's just minor things, just like every distro has some things that are different but no big deal.

> I think that, if you have a very consistent usage of Alpine, where you are mostly doing the same thing and using the same tools, you could find a comfy workflow there.

Yeah, or in my case it's because I try to keep the host minimalist and clean, and do most of the dirty/experimentation stuff in Docker, just to be able to nuke it from orbit once I'm done.

It's also dumbproof to make your own native packages if you want, for example if you want to use fonts but you can't just `git clone` because they require a build step (!).

Apparently some people have had issues with DNS, but I've never had any. I don't know if it's because I always point to my Unbound instance for DNS, or if it's just been a coincidence.


Agreed. I find it quite rare to find something that does not build on musl. When I do, it is software that goes out of its way to abuse GNU-specific stuff.

The most common problem for me is software distributed as a binary that links to glibc. That shows up in surprising places. For example, building the Ladybird browser uses vcpkg, which needs glibc. In these cases, I reach for Distrobox.

Pretty sure the DNS behaviour in musl was changed and is no longer an issue.


And I thought Arch was minimalist.

You're like a long-term, classic-era-John-Deere minimalist.

Personally I use it in multistage Dockerfiles for when I do things like wget or file manipulation.


Out of curiosity, what are the reasons for using Alpine as opposed to something more mainstream like say Ubuntu?


Nowadays it's mostly inertia.

But I think it all began with disliking systemd and at the same time being obsessed with ricing and minimalism. Tiling window managers, simple terminals, LuaKit as a web browser (!), stuff like that.

Back then I was young and had very strong opinions, and also had the time to be switching OS whenever I wanted, and apparently I didn't mind setting up stuff again and again (ugh). My first choice was actually Artix Linux, but it broke at some point. I was already using Alpine Linux and FreeBSD in VPSs (Linode and Digital Ocean respectively), and they were still working fine, so they seemed stable enough; so I started experimenting with installing FreeBSD locally and just setting up i3wm on it (also Poudriere got me curious about compiling packages by myself with only the flags I needed). Then when I got a laptop I went with Alpine Linux there; it was already a minimal distro that I was familiar with, so if I could get i3wm working there it should be good enough.

And I have survived with them so far with no reason to change, so it's probably just coincidence that I was using Alpine Linux (and FreeBSD) when I decided to "settle down".

But like I said, today it's mostly inertia, just a personal preference thing, like buying ketchup from a specific brand whenever possible because I'm most used to how this one tastes, but no big deal if it's not available. It hasn't given me any surprises or any annoyances big enough for me to seriously consider switching.

I do have Linux Mint on a third[1] computer tho, mostly for Steam, but ready to be quickly repurposed in case of any surprises.

I still have some leftover dislike of systemd and its scope creep, but it's not a religious dislike like back then; today it's similar to a "why does this website have 20MB of JavaScript just to show text and why does it ask for my location"-kind of dislike, but back then was like "the GNU Project declaring war against any software that doesn't use specifically a GNU license even if that software has an OSI-approved license"-kind of dislike. Recently when I used Hetzner for some stuff and found out they don't have Alpine Linux or FreeBSD as (easy) choices, I was like "oh well, Fedora it is".

So yeah, there you have it.

[1]: Why a third computer? Well, you can thank two spicy pillow incidents for that. Don't buy Medion laptops.


With family and friends you can just be yourself[1] though. If they watch the recording after 5 or 10 years, they will probably look at it affectionately, at most with some light teasing.

They're not going to, for example, start harassing you online just because at some point during your presentation you said the word "blacklist" (or other words that are nowadays considered worse than they were back then).

So I'd say part of the reason why it's easy with family/friends but stressful with strangers is subconscious fear of this kind of judgement, where you don't know how this large number of people will react, and fear that something you say or something you do will cause a response way more negative than you expect. Sure, you can imagine some possible negative responses, but because you don't know them personally, you don't know what their "upper bound" for a negative response is (how far they will go).

And once you start talking the nerves go away because, once you start, running away suddenly becomes a worse choice (easier to get a negative response) compared to finishing the talk.

That would be my guess.

[1]: Some might cross lines, but those should be the exception, and you probably wouldn't be relaxed with them anyway.

