The fundamental problem is that bad actors are willing to spend considerable money and resources to implement these attacks, and the consumers of this software are unwilling to spend the considerable money and resources to mitigate risk. Maybe there a business model for a firm/organization to say "Okay, we're going to own this", meaning creating an ecosystem (curated walled garden) along the following lines?

• Companies (customers) pay non-trivial fees for curating a secure set of NodeJS (or Python or whatever) packages
• Fees would go toward personnel and resources (including AI) to import and review new and updated packages posted on the "open" package managers (NPM, PyPi, etc.)
• Candidate packages to be added to this ecosystem would have to include unobfuscated source, build/transpile instructions and sufficient unit testing (and integration testing, when applicable)
• Packages that fail security scans, rely on packages/package versions not trusted in the ecosystem, have pre-compiled or obfuscated content, etc. will be rejected
• Packages with open source licenses (GPL, MIT, etc.) can be submitted for free. For-profit/restricted packages would require a fee.
• Indemnification / Insurance covering costs associated with supply-chain attacks that make it through this ecosystem. [Optional?]
• There is no reason why there couldn't be more than one of these ecosystems (if there is enough money to be made to support it)

It is likely that the indemnification/insurance part of this will be the most expensive part of this (profits and shareholder return notwithstanding). But without at least an option for this, I don't see how you get companies to take this seriously enough to pay for it.

Most of the package scanning tools that I know of only work once you have already retrieved packages that may have been compromised. Paying to secure the supply chain upstream is a better solution, if somebody could make money doing it.

It's like the sociopaths in Silicon Valley heard "social media is destroying society" and are responding with "hold my beer" and giving us AI to make us miss the "good old days" when we were just worried about Facebook destroying the political system and our youths' self-esteem..

I don't see how the US Congress would make any kind of positive impact here, where the activity has basically devolved into a series of limited continuing budget resolutions and virtue signaling via hearings and social media, Congress/POTUS can't even decide whether or not to sell best-of-class GPUs/APUs to our biggest international rival. It's not that much different than the Latin American cartels running around with weapons manufactured by US firms, as long as the right people are profiting, it's all good.

At this point, it kind of seems the genie is out of the bottle. It may not be too hyperbolic to argue that as these firms race to be first to AGI that our species is outsourcing our most differentiating evolutionary trait: the ability to reason, and putting into place our replacement as a dominant species within centuries or even decades.

My company uses Office365. After months of ignoring the "Use Copilot!!!" nagging, I was having a hard time finding an email and prompted CoPilot with information to find the email. It informed me that Copilot did not have access to my inbox for "security" reasons, and then gave me some generic text searches to try to enter myself.

If I'm going to be forced to use Microsoft's subpar agent and email at the office, at the very least they can make the damn things work together. If a company can't trust Microsoft to leverage agentic AI in their "assimilate everything" platform, how the hell does Satya expect their platform to drive out all white collar work in a couple of years?

AI is:

• Built using stolen intellectual property
• Eliminating white-color jobs driving us toward a "basic income" society
• Housed in data centers using huge amounts of fossil fuel and undoing progress toward moving to clean energy
• Spreading misinformation and undermining democracy
• Unleashing a torrent of "AI Slop" into the software ecosystem

Also, we are postponing the next PlayStation...

I intended no offense at mixing up carpentry and woodworking, you have my deepest apologies.

And yeah, there is plenty of Python and NodeJS apps that pulling umpteen unnecessary packages to do basic things, and suck up power/CPU/etc. And vibe coding is going to make this much worse. A plague on it all. But if you are saying that the same effort should go into something that directly affects the General Ledger versus something that somebody cobbles together to keep track of used toner cartridges, I'm not there with you, and that's cool. Sadly, I guess I suck at life.

Agreed. There are some things that I find pretty annoying about it that you have to tell it explicitly not to do. For example, pulling in really old versions of NPM or Python packages. It has a propensity to not know when it is correct or incorrect, or perhaps, it it is unable to share its level of uncertainty. Most of these things can be mitigated by updating and refining Claude's prompting.

I think there are some things those of us clutching our pearls at the thought of all of the AI slop ought to keep in mind:

• We are not all writing air traffic control systems or medical device firmware. There is an awful lot of "enterprise software" that is not much more than database CRUD and visualization. People are not going to die if that software is not using the most efficient data types, etc.
• Will somebody five years from now pick up your AI generated software and not know what to do with it? Possibly, but mostly only if you are not taking the time to generate unit and integration testing as well as documentation, and there is now basically no excuse now to skip doing either.
• Senior developers should be spending more of their time thinking about the architecture and use cases of their applications, and less time thinking about whether HashMap or FxHashMap is more efficient in a given scenario.
• If we are being honest, there is already a bunch of slop in our industry. Junior (or just bad) devs copying/pasting from StackOverflow... Shortcuts taken during unreasonable deadlines... Stuff we just aren't told or don't know... Software development has been in a race to the bottom for a while now.

Most of the furniture in my home is not hand-made by Amish carpenters, it is machine milled and partially assembled by cheap labor. It is not as good and will not last generations as hand-crafted furniture, and that is okay. For better and for worse, a lot of SMB executives look at software the same way (at least until it doesn't work), they want "good enough" software that works until the next merger or acquisition, so they can cash out and go on to the next thing. They are not intersted in paying for software built using hand-built assembler (SpinRite - we miss ya').

The good news is that there are things we can do, and if we get good at them, AI can do the mundane bits and software engineering will still be a thing. We get better at Specification and Test driven development. We review the hell out of the code AI generates and make sure our linting and bench-marking tools are up to snuff. We get really good at authoring prompts that keeps AI tools within the guardrails. And yes, we keep AI away from the really critical stuff, at least for now...

While I am not "vibe" coder I find myself increasingly using AI to get questions to answers that I used to post on SO, and getting pretty good results. Asking a question on StackOverflow has always been a last resort, because that is the way they want it. There is often as much energy expended on why a question shouldn't be answered as opposed to answering it. The mechanisms to search for an existing answer are not good enough to keep you from DEITY FORBID posting a duplicate. Also, the site is not good at dealing with stale content. The "accepted" answer is often no longer the currently correct answer. The level of snark and condescension is significant, and while I don't mind a bit of sarcasm now and then, I don't want to get in continual debates with someone on whether what I'm trying to do is worth doing.

Contrast the experience with AI tools. They do not yell at me for asking a question that could have been found via web search. I do not have to wait, I get an immediate answer. Yes, these tools are overly sycophantic, and sometimes they are wrong. But 90% of the time I will get a workable response and I can choose to have my code updated based upon the answer. In those cases where I don't get a workable result, I either post an issue on the repo (open source) or contact the vendor (closed), which isn't all that different from what I do with SO

Peer-based discussion are useful, and if sites like Stack Overflow disappear, we've lost something. SO can perhaps remain relevant by being better at facilitating deeper design and architecture discussions and leave the simple "how do I" questions to AI.

"Hey CoPilot, update Firefox so that I can easily use a free VPN..."

What can go wrong? :)

sigh...

When building a Rust application, you are typically pulling in multiple and often redundant crates to implement things like error management. While extension via crates is fine, I can see this going the way of NodeJS and Python where you end up making yourself highly vulnerable to supply chain attacks.

Setting aside the question of "how do we pay for it?", for the moment, I think there is a need to have some level of verification available once a crate reaches a certain level of ubiquity. Once you have a crate like anyhow or thiserror that is used all over the place, it would be useful to have some level of certification done by a panel empowered by The Rust Foundation that indicates the package is well-maintained, meets its purpose, safe to use, etc. Then add a switch to cargo to check for this and warn if you are using unverified packages. If you want to use "Joe's Awesome Crate" there is nothing to stop you from doing so. On the other hand, if you want some level of assurance that you are minimizing the risk of pulling in hostile code, it's available.

Rustscript! (ducks)

After all, who would know more than Yahoo about over-inflated valuation?

I have to agree. Given that there are only six episodes, I'm not sure there was room or need for a start-from-scratch origin story. But hey, this is prestige television, where the seasons keep getting shorter and the gaps between them longer. Maybe this is meant more as a mini-series and it will have a satisfying conclusion, but not holding my breath.