Martin Emde
martinemde.com
@martinemde.com
Modularity @ Gusto, Rubyist
Currently we're at meme status: cloudy.social/captcha
Reverse CAPTCHA - Prove You're NOT Human
cloudy.social
November 8, 2025 at 9:40 PM
You might say the reason they needed to do a switch atomically is because someone said “if you remove him I’ll add him back.”

If someone says that to you, does that make it right to respond by using your power to move first to do it by force so you don’t have to answer the concerns being expressed?
November 1, 2025 at 4:11 PM
I have also had this problem. It is very inconsistent. Maybe this is why.
October 29, 2025 at 2:35 PM
Funny you should bring this up! I know some people that work on ruby packaging. I wonder if they need any help.
October 26, 2025 at 6:32 AM
One takeaway is that the open source world is an amazing place! It's marvelous how well this usually works. This is distributed trust at scale via education and support (rather than control). All the work to help people learn security and provide best practices mostly seems to work. Wonderful!
October 26, 2025 at 12:03 AM
Companies should scan their open source. Full adoption of trusted publishing could have foiled NPM’s Shai-Hulud. Fighting about shared ownership models is horribly destructive when it makes the people leave that understand these problems. That’s the real security vulnerability.
October 25, 2025 at 11:49 PM
If all you need to make your supply chain secure is CLAs for devs and a non-profit administrative staff holding keys to the world, remember that most package managers still run untrusted code on install, packages go live with minimal scanning, and best practice publishing security adoption is low.
October 25, 2025 at 11:45 PM
You might wonder, “how can a group of friends be sufficient for global enterprise software supply chain security?” The answer for me is that these people were there BECAUSE it was so important. RubyGems.org has had no major outage in 14 years. This is not a fluke.
October 25, 2025 at 11:38 PM
To the mild insult, sorry again. It’s tricky to say “I disagree slightly and wish to present a different perspective on a complex issue that has many different sides”. Well, not that difficult, I just said it there, but I shortcutted significantly the first time. I appreciate you accepting my apology.
October 25, 2025 at 4:43 PM
I see no way around it. We’re in a gray world of questionable characters that usually do the right thing and sometimes act in their own best interest despite the damage. I don’t know what else to do besides hope. Rubygems maintainers had a great thing going here. Imperfect, yes, but honest.
October 25, 2025 at 4:41 PM
Also, I’m sorry. It seems like my way of saying “it’s confusing” did sound a bit like I was saying you were confused. It was not my intention. My goal is to give more nuance to a complex situation given all I know and to relate that it is difficult to know every conflicting detail.
October 25, 2025 at 4:15 PM
The blame is squarely on Ruby Central here. None of this was necessary. If they wanted to assume more responsibility for their infrastructure they should have asked and we would have helped. The GitHub org only needed a few hours of work to fully separate infrastructural code.
October 25, 2025 at 4:08 PM