About a week ago, I uninstalled Node from my laptop, which felt great. :)
I'm trying to do all work in dev containers (or other sandboxes), limiting the blast radius if I'm unlucky enough to be hit by an exploit. The attackers may get a Claude token, but they won't easily be able to escape the container and scan my home dir.
Cooldowns and allow-listing of installer scripts are good additions to layered security, especially for CI. However, I think the fundamental thing that needs to change is the OS permissions model. The default of trusting third-party software with everything your user has access to is no longer workable.
Are you using something like Bubblewrap/Firejail/Flatpak, or what does such a setup look like? I've been entertaining a similar idea for a while but haven't gotten to it.
I'm using VSCode dev containers, powered by Podman on a Mac.
Most people would probably choose Docker over Podman, but I'm wary of Docker and wanted to try something else. I would not consider myself an expert on containers, but with the help of Claude I've been able to fight my way through various challenges:
* Persist a volume for Claude so that conversations don't get blown away with every container rebuild. An attacker may still be able to get a Claude token from me, which is something I'd like to tighten up in the future.
* Fix file permissions issues by running rootful inside the container. (The container process still runs on the host as an ordinary user. Since my threat model is "compromised dependency scanning for credentials in project dir and home dir" rather than "attacker escaping the container", I figured that was good enough to get started.)
* Work around architectural availability issues with precompiled PyPI libraries. This I punted on by choosing a different approach and eliminating the problematic dependency (by writing my hobbyist CAD 3d printing stuff using Blender extensions instead of CadQuery). I've gotten the impression that dependency compatibility with a container workflow is an ongoing challenge.
* Run a database in a docker-compose sidecar for integration testing.
For all the projects I'm containerizing I'm the solo dev with full control over the Git repo so I can make the call to add a `.devcontainer/devcontainer.json` config file. I haven't yet explored how to isolate projects I don't control.
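A minimal `.devcontainer/devcontainer.json` of the kind the comment describes, written out here as an added example (not the commenter's own file); the base image, the volume name and the assumption that Claude keeps its state under `~/.claude` are mine.

```jsonc
// .devcontainer/devcontainer.json (added example; not the commenter's config)
{
  "name": "hobby-cad-sandbox",

  // Base image is an assumption; any image carrying the toolchain you need works.
  "image": "mcr.microsoft.com/devcontainers/python:3.12",

  // Run as root *inside* the container to sidestep bind-mount ownership problems.
  // With rootless Podman this maps to an unprivileged user on the host, so "root"
  // here is root of the container only, not of the laptop.
  "remoteUser": "root",

  // Named volume so Claude's conversation state survives container rebuilds.
  // Assumes Claude keeps its state under ~/.claude; adjust the target if not.
  // Caveat: any token stored in that directory persists in the volume too, and
  // a compromised dependency running in the container can read it. The home
  // directory on the host is never mounted, so that is the extent of what it sees.
  "mounts": [
    "source=claude-state,target=/root/.claude,type=volume"
  ],

  // Default workspace mount exposes only the project checkout, not the host
  // home directory, which is the whole point of the setup.
  "customizations": {
    "vscode": {
      "extensions": ["ms-python.python"]
    }
  }
}
```

Pointing VS Code at Podman instead of Docker is done in user settings (`"dev.containers.dockerPath": "podman"`) rather than in this file.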
From the perspective that a company is an amoral profit-seeking automaton, it's not a "terrible system", it's a successful initiative to reduce compensation.
You are trying waaaaaay too hard on this topic today. Your HN account is already bombed out and likely rate limited. Go take a break from posting and go outside. Maybe wave to a flock camera. After all, you have nothing to hide.
> The proposed deal drew opposition from lawmakers and activists because Solvinity provides infrastructure for DigiD, the digital ID system Dutch citizens use to access sensitive medical, pension and tax information.
Understandable that the Netherlands wouldn't trust the USA with its citizens' data.
I've never had the pleasure of encountering that situation.
But at what point do we call a spade a spade and say it's just them secretly inflating their prices? "everything is a penny but we charge a 1000000% service charge"
I used to wait tables once upon a time and it was standard practice to add a fixed service charge for any large party in lieu of a tip. Have you really never encountered that?
I've encountered large party service charges and that makes sense because it usually requires staff to do stuff they wouldn't normally do for smaller parties.
I'm talking about restaurants that just add service charge to everyone.
I think the lesson from the airline industry is that while consumers will get angry about surcharges, pricing transparency is what really gets punished in the marketplace. There are enough consumers who will always buy the deceptively priced item that it's suicidal to tell the truth (absent government regulation forcing the issue for all purveyors).
There are a fair number of well-meaning restaurateurs who have tried no-tip policies for ethical reasons. But the mass marketplace has not changed.
Kinda reminds me of when Burger King had a 1/3 lb burger and a 1/4 lb burger and more people bought the 1/4 lb because they thought it was more burger than the (rightfully) more expensive 1/3 lb burger.
Companies who wish for more casual subscribers should support services (such as Apple App Store subscriptions) and anti-dark-pattern laws which reassure the public that unsubscribing will be easy.
Then the complacency and other psychological effects that this article seeks to inoculate users against will be maximized.
I prefer the term "software developer" and that's what I use when I don't need the prestige of the term "software engineer". It's disadvantageous for organizations to do that with actual job titles, though.
Absent US government intervention to codify the term "engineer", probably the only way out of the "engineer" trap is through further title inflation, where the developers all become "vice presidents". :)
Yeah, it's 100% the better term. We've got rules against using engineer here in Canada though several companies I've worked for have called me an engineer. Apparently Professional Engineers Ontario sometimes goes after people for calling themselves engineers but I've never heard of it actually happening, and I don't know that they have any real teeth given that the places I worked that called me an engineer were Canadian-owned. (In fact, the only place where they checked if I could use the title was the one multi-national. Go figure.)