Hacker News: 6thbit's comments

I like the efforts behind the sigstore.dev project.

And while I do think code signing alone would've helped in the recent issues, what I'd like to see is a sort of automated package scanner that searches for this kind of malware and then publishes a signed report enumerating the things verified alongside the package's PyPI metadata.

Then I could verify both the package and the scanner's result and decide whether to update or not.

I know this is daydreaming, because who would sponsor scanning and attesting every open source project, Anthropic?


NYT has more than enough bandwidth and process to vet every ad they run, which must be in the order of 10s or 100s.

Meta runs ads in the order of hundreds of thousands or millions, and constantly allows very questionable things.


Thought it was clickbait/circumstantial, but they are quoting an actual spokesperson saying they are doing it on purpose!!

> "We're actively defending ourselves against these lawsuits and are removing ads that attempt to recruit plaintiffs for them," a Meta spokesperson tells Axios.


Legally finding plaintiffs who can sue us for our illegal machinations is not allowed on our platform. What a world we live in. If this isn't the simplest demonstration of the monopolization of social media that Facebook has, then I don't know what is.

Would you allow it on yours? As a shareholder or on the board of directors of your company I would not be pleased.

Nothing nefarious about that.


It's not illegal, just stupid, because plaintiffs can use this as evidence that they can police their own platforms.

There's a strong chance it's illegal so admitting to it is pretty breathtaking. They must be very confident they're in the clear, or the spokesperson didn't run this by the right people.

What is illegal about it? What law does it break?

Could these removals indicate editorial discretion that would remove § 230 protections from Facebook?

So what's the current data center footprint in Maine?

Does the move benefit companies with existing DCs whose competition can no longer establish a region there?


I'm good with my Iosevka ExtraLight with iTerm2's thin strokes enabled.

But the bitmaps do make me nostalgic, maybe useful to read my own old code and cringe a little less.


Any chance they keep an RSS?


that's such a loaded statement.

This is the power of language.

The bias is built into it.


I thought Codex at least already can handle interactive sessions of programs, e.g. GDB.

Calling squash stupid sounds like a case of Dunning-Kruger.

If you've worked on a large team without squashing and without increasing frustration I'd be greatly interested to hear about it.


Now we have to wonder if they ran Mythos on their Claude source and it missed it, or why they chose not to run it.

I do agree and wonder why that's not marked as security. In their security page [0] it says:

> Since exploitability is not proven for many of the fixes we make, do not expect the relevant commit message to say "SECURITY FIX!".

Does that mean they considered it not to be exploitable?

[0] https://www.openbsd.org/security.html


I really don't know. All I know is that usually when you find a critical vulnerability and it's patched, it comes with a CVE, even a low one. That's been the process for the past 27 years, since the CVE program started (as old as the vulnerability itself, it seems..), but maybe with AI-native, CVEs don't matter because everyone will just rewrite their clean-room open source alternative (I wish this was a joke...).
