InsanityBit
insanitybit.bsky.social
Like (a) it doesn't make sense and won't be effective (b) it isn't happening anyway (c) it has strict security downsides

So why prioritize it over the solutions that are decades old and actually work and have been proven to work? Browsers did this in 2003.
November 25, 2025 at 7:18 PM
Sandboxing is older than I am, I don't see why it should be something that can't be implemented in the short term. Orgs aren't going to change their patch management on a dime either and delays go against current fed recommendations anyways.

I just don't see the reason to think about the approach.
November 25, 2025 at 7:17 PM
Also, sandboxing and attestation aren't new. I advocated for mandatory 2FA in crates.io back in 2016. Package signing has never been easier. Sandboxing package managers isn't a new idea either.

I don't think we're in a "do this while we wait" phase here, it's time to just do that work.
crates.io: Rust Package Registry
November 25, 2025 at 2:12 AM
I basically think it's all cost, no value. It's also not even possible to implement under some conditions - if a CVE is published for a dependency, I have *no choice* but to patch it if I distribute software to specific orgs + I'm vulnerable for longer to that CVE.
November 25, 2025 at 2:09 AM
This is actually an incredibly easy problem to solve if you set the time aside and decide it's a priority. The hard work was done a long time ago.

There is 0 need for complex language features like effects to solve it.
September 25, 2025 at 3:18 PM
I have a prompt for (1) that instructs it to first generate the expected properties of the project from a UX/semantic point of view, and to write tests that may fail because of mismatches in implementation and UX expectations. Otherwise I find it can write bad tests.
September 1, 2025 at 8:21 PM
I think maybe people don't understand that investors fundamentally *invest* in future value? Or something? You would never buy a stock based on its current value, you buy it based on the potential value. There's a gap between current and maximum, but that doesn't matter much.
August 13, 2025 at 6:27 PM
did the same thing for a toy language recently - I had a few restrictions on returning borrows and storing them, but otherwise it was no-gc safety with no borrow checker.

I'll look forward to what you come up with.
August 3, 2025 at 3:04 AM
Extremely common tactic in pseudo science and misinfo. It's even common in really fringey nutty stuff like flat earth arguments.
August 2, 2025 at 3:12 AM
Oh, in the case before X and Y are individual types, Point is its own type. So the generated code is just moving the struct fields of X and Y into Point.

No implicit nullability.
June 25, 2025 at 9:06 PM
Hm, not sure what you mean then. I do have struct fields, not just methods, or I'm misunderstanding.
June 25, 2025 at 6:11 PM