Hacker News | ezekg's comments

Or they're trying to hype up an investment...

That doesn't really make sense. If Amazon wanted to build hype, wouldn't they have talked publicly about this? What's the point of working hard on a hype strategy and then delivering it only in private to government officials?

The export ban exists to hype the capabilities of the much more expensive but only marginally better model.

The model that they can't currently sell at all because they don't have the capability to limit it to US persons?

Opus was already rate limited. If the capacity isn't there, it's better just used for hype.

Thanks for sharing. Funny enough, I was just asking GPT to chart this for me a few days ago. And people say postmillennialism is a pipe dream...


Now if only we had a service that could generate OpenAPI specs automatically...


The OpenAPI autogenerated clients kinda suck though.

My preferred approach for doing this is to have a hand-rolled SDK generator that reads the request, response and error models out of the microservice project and emits the same in each language targeted by the SDK, along with a minimal stub that calls the API.

You then spend 15 minutes at most, customizing the stub if needed, if you need custom behaviours like streaming.


Not talking about the generated clients, I'm talking about the spec itself. If the majority of API services don't even have an OpenAPI spec, they can't use tools like Stainless even if they wanted to. A lot is being left on the table by not working on that first issue: companies don't have an OpenAPI spec. Been on my mind to explore that issue, because I run one of those API services that don't have an OpenAPI spec, but I have other priorities pulling my attention away from that. I just wish it was all handled.


I generally recommend FastAPI. Their OpenAPI generation isn't always perfect if you have very polymorphic endpoints, but it is really good compared to other tools I've experienced. And it is just a neat library that has been battle tested.


Just say no. Seriously.


That all depends on the balance of power ...



> Unpublish was unavailable for nearly all affected packages because of npm's "no unpublish if dependents exist" policy. We have to rely on npm security to pull tarballs server-side, which adds hours of delay during which malicious tarballs remain installable

Per https://docs.npmjs.com/policies/unpublish:

> If your package does not meet the unpublish policy criteria, we recommend deprecating the package. This allows the package to be downloaded but publishes a clear warning message (that you get to write) every time the package is downloaded, and on the package's npmjs.com page. Users will know that you do not recommend they use the package, but if they are depending on it their builds will not break. We consider this a good compromise between reliability and author control.

I don't even know what to say here, npm.


I do not envy the position the npm team are in. They removed the ability to unpublish packages as a response to the left-pad incident[1] because it wasn't desirable for individual developers to break downstream dependencies by pulling their package maliciously.

Of course the side effect is that now it's much harder to pull packages for legitimate reasons :/

[1] https://en.wikipedia.org/wiki/Npm_left-pad_incident


Maybe the next step is to give publishers a way to quarantine versions with a warning that stops the install, but allows users to override it if they choose to?

Give a publisher a way to tag a version as malicious and then in those hours between the exploit being noticed and the package being removed anyone who tries to install gets a message about that version being quarantined and asking whether they want to proceed.

It's not a perfect solution, but I think it's better than just waiting for NPM to take action without opening the door up to another left pad situation.


I think cargo's yank is a good balance. It makes it difficult to pull the yanked version in as a dependency, but doesn't break existing usages, as long as the version is in the lockfile. And I think even then gives you a warning that you are using a yanked package.
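To make the difference between npm-style deprecate, cargo-style yank and npm-style unpublish concrete, here is an added toy resolver (example code, not from this thread, cargo or npm); the package name "pkg", its versions and the lockfile are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Resolution:
    """Outcome of resolving one package: chosen version (None = unbuildable) plus warnings."""
    version: Optional[str]
    warnings: list = field(default_factory=list)

def _vkey(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def resolve(registry: dict, name: str, lockfile: Optional[dict] = None) -> Resolution:
    """A lockfile pin wins if that version still exists (yanked/deprecated only warn).
    Without a pin, take the newest non-yanked version; deprecated versions still win."""
    versions = registry.get(name, {})
    if lockfile and name in lockfile:
        pinned = lockfile[name]
        if pinned not in versions:  # unpublish: the tarball is gone, so the locked build breaks
            return Resolution(None, [f"{name}@{pinned} was unpublished; locked build breaks"])
        res = Resolution(pinned)
        for flag in ("yanked", "deprecated"):
            if versions[pinned].get(flag):
                res.warnings.append(f"{name}@{pinned} is {flag}; installing anyway")
        return res
    candidates = [v for v, meta in versions.items() if not meta.get("yanked")]
    if not candidates:
        return Resolution(None, [f"no installable version of {name}"])
    best = max(candidates, key=_vkey)
    res = Resolution(best)
    if versions[best].get("deprecated"):  # npm-style deprecate: still installs, only warns
        res.warnings.append(f"{name}@{best} is deprecated: {versions[best]['deprecated']}")
    return res

def demo() -> dict:
    """Constructed scenario: package 'pkg' whose 1.2.0 release turned out to be malicious."""
    base = {"1.0.0": {}, "1.1.0": {}, "1.2.0": {}}
    deprecated = {"pkg": {**base, "1.2.0": {"deprecated": "contains malware"}}}
    yanked = {"pkg": {**base, "1.2.0": {"yanked": True}}}
    unpublished = {"pkg": {"1.0.0": {}, "1.1.0": {}}}
    lock = {"pkg": "1.2.0"}  # a downstream project that already locked the bad version
    return {
        "deprecate/fresh": resolve(deprecated, "pkg"),  # fresh install still gets 1.2.0
        "yank/fresh": resolve(yanked, "pkg"),  # fresh install falls back to 1.1.0
        "yank/locked": resolve(yanked, "pkg", lock),  # locked 1.2.0 still installs, with a warning
        "unpublish/locked": resolve(unpublished, "pkg", lock),  # locked build is broken
    }
```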


The obvious solution is that unpublish should be available within a time window after a new version is published and then unavailable after that.



Yes but they didn't do it properly. They only allow unpublishing if there are no dependants, which means it can't be used to pull a package version for security reasons.

It should be that within the first X hours you can pull a version regardless of dependants, after that you should need approval.


I would prefer my builds to break than the ecosystem to be compromised.

That said, once unpublished the version should be permanently unavailable to prevent publishing over known good versions.


If a package developer maliciously breaks everyone's builds, isn't that pretty great? Because now you have learnt that you can't trust them.


I mean they brought that incident on themselves...


Yeah, all the left-pad incident showed was that NPM cares more about their corporate users than open source developers.


The baffling part is why it takes hours for the npm security team to unpublish packages that contain malware, as attested by multiple independent sources. That should be able to happen in minutes.


It would take longer than minutes to validate the claims themselves.


Who vets the sources, and using what scheme?


If email matches owner of repo, pull now. If not verified, ban and restore later.


Some sort of middle ground should have been found where the unpublished package is still accessible as an archive or something. I'd much rather get my package broken than get hacked.


In my experience, an LLM "refactoring" autonomously doesn't actually improve code quality, it simply reorganizes the mess into a new mess.


This is my experience with human developers too so I'm not sure if there's a meaningful difference.


I think this is also starting to cause issues at Heroku too


Do you just use a Roku to watch stuff or what?


What is of value to watch on any of the streaming platforms?

Netflix content is atrophying. Disney Plus is dying. To say nothing of Hulu or others.

I watch YouTube. The content is way more varied and interesting and less sanitized.


Apple is producing multiple series that each could be in contention for a top spot on best sci-fi TV shows of all time.


Which ones?


Foundation, For All Mankind, Silo, Pluribus, Monarch. See was pretty good but is over.

Invasion isn't as good as the above but still better than a lot of shows before it.

Severance's second season made me question the show's quality, sadly.


Dunno what gp likes, but IMO Foundation is incredible.


Amazon Fire Stick


There's a wonderful thing that we used to have and still do have, but might be going away soon. It's called "terrestrial television". For decades people streamed programming over the airwaves, straight off the antenna! For free! Ad-supported of course, but... no tracking! (Actually opt-in tracking with a Nielsen People Meter.)


You can also use a DVR to record terrestrial broadcast TV, and there are even tools to automatically skip ads: https://github.com/Protektor-Desura/jellyfin-dvr-comskip


Thunderbird showed up in the last thread: https://github.com/thunderbird/appointment

