• 0 Posts
  • 30 Comments
Joined 3 years ago
Cake day: June 14th, 2023


  • Larger standard libraries do a lot. It’s a lot harder to sneak vulnerabilities into the basic C# or Java or C++ libraries than it is to add a vulnerability to something one dude maintains in the JavaScript ecosystem.

    And since JavaScript libraries tend to be so small and focused, it’s become standard practice for even other libraries to pull in as many of those as they want.

    And it stacks. Your libraries pull in other libraries which can pull in their own libraries. I had a project recently where I had maybe a dozen direct dependencies and they ended up pulling in 1,311 total libraries, largely all maintained by different people.

    In a more sane ecosystem like C#, all the basics like string manipulation, email, or logging have libraries provided by Microsoft that have oversight when they’re changed. There can be better, third-party libraries for these things (log4net is pretty great), but they have to compete with their reputation and value over the standard library, which tends to be a high bar. And libraries made on top of that system are generally pulling all those same, certified standard libraries. So you pull in 3 libraries and only one of those pulls in another third party single library. And you end up with 4 total third party libraries.

    JavaScript just doesn’t really have a certified standard library.

    (This certified standard library doesn’t have to be proprietary. Microsoft has made C# open source, and Linus Torvalds with the Linux Kernel Organization holds ultimate responsibility for the Linux kernel.)
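
As an added illustration of the dependency stacking described in the comment above (not part of the original comment), this script walks an npm `package-lock.json` in the `lockfileVersion` 3 layout and reports how many packages each direct dependency pulls in. The lockfile and all package names in it are constructed for the example.

```javascript
// Constructed sample lockfile (npm lockfileVersion 3 layout); names are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-fw": "^1.0.0", "left-util": "^2.0.0" } },
    "node_modules/web-fw": { version: "1.0.0", dependencies: { "body-read": "^1.0.0", "tiny-pad": "^1.0.0" } },
    "node_modules/body-read": { version: "1.0.0", dependencies: { "tiny-pad": "^1.0.0" } },
    "node_modules/tiny-pad": { version: "1.0.0" },
    "node_modules/left-util": { version: "2.0.0", dependencies: { "tiny-pad": "^2.0.0" } },
    "node_modules/left-util/node_modules/tiny-pad": { version: "2.0.0" },
  },
};

// Resolve a name the way Node does: the requiring package's own
// node_modules first, then each parent directory up to the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed, e.g. a skipped optional dependency
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every installed package reachable from startPath (startPath itself excluded).
function closure(packages, startPath) {
  const seen = new Set();
  const stack = [startPath];
  while (stack.length) {
    const path = stack.pop();
    const pkg = packages[path] || {};
    const dev = path === "" ? pkg.devDependencies : undefined; // dev deps apply to the root only
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...dev };
    for (const name of Object.keys(deps)) {
      const hit = resolve(packages, path, name);
      if (hit && !seen.has(hit)) { seen.add(hit); stack.push(hit); }
    }
  }
  return seen;
}

// Direct count, total reachable count, and transitive count behind each direct dependency.
function summarize(lock) {
  const root = lock.packages[""] || {};
  const direct = Object.keys({ ...root.dependencies, ...root.devDependencies });
  const perDirect = {};
  for (const name of direct) {
    const path = resolve(lock.packages, "", name);
    perDirect[name] = path ? closure(lock.packages, path).size : 0;
  }
  return { direct: direct.length, total: closure(lock.packages, "").size, perDirect };
}
```

Passing the parsed contents of a real `package-lock.json` to `summarize` gives the same direct-versus-total comparison the comment describes, which is a quick way to see which direct dependency accounts for most of the review surface.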




  • It’s not realistic to expect no AI assistance in coding in 2026.

    It’s also not a stand-in for a human. There’s a huge field of gray where it’s unclear how much of it was fully vibe coded vs how much is carefully hand reviewed and/or written.

    I’ve been a professional developer for decades and I’ve done both. Obviously I’ve hand coded stuff for many years. The fully vibe coded stuff is personal, to test and learn the capabilities of the tech. My professional stuff I watch much more closely, and I’m much more targeted in what I’m having the AI do.

    That said, if I were gonna use this I’d actually review the code. I’m not recommending this guy’s stuff, but you can’t rule it out on the basis of AI assistance alone.












  • pushing people towards specific ideas using social media

    I’ve been incredibly concerned about this for more than a decade. Watching r/the_donald in action was incredible and validated all of that fear.

    And it’s still happening. On all social media, including here.

    Certain narratives are pushed hard, and it’s effective. Some of it is fully genuine. Some of it is/was seeded artificially and picked up some genuine steam, and is still being reinforced. The stuff that’s fully artificial seems to be dropped fairly quickly most of the time these days.

    After the artificial narrative picks up and gets genuine sentiment mixed with it, it becomes hard to tell the difference. If you can mix it in with existing emotions, like anger that we’re in this situation, and add in some seeds of truth it works even better.

    Propaganda works. On all of us. And just by being here, we’re being exposed. But I’m afraid to leave, too. The more real people leave the easier it is to manipulate the remainder.

    It’s just all so easy and effective and actually happening. And the alarm bells about it aren’t loud enough.