
Comment Do your research (Score 2) 11

This sort of attack is inevitable when you have open-access software repositories. If anybody can upload a package, that implies any bad guy can upload a package. So:

  • Ask yourself if you really need a package for this, or is it simple or straightforward enough you can code it yourself and avoid the dependency and the associated supply-chain risks.
  • Do your research. Don't just grab the first package that looks like it fits your needs. Review all of the results, then look at who published them and look them up on the web. Look at their web site. Look at what other packages they've published. Look at how active they are aside from the package you're looking at. Toss any that have red flags like no history aside from this package.
  • Validate your packages. Authors often sign packages. If they do, get their keys and enable validation so you only accept packages signed by the author you know. That way if a package gets hijacked it'll fail the signature check.

Comment Unlawful detainment (Score 1) 195

If a store does this and they give you any guff at all about being let out, you pull out your phone, call 911 and report a kidnapping in progress. Because that's what it is. The store's within its rights to deny you entrance, but to deny you exit they have to have reason to believe you've broken the law in some way. You haven't. Their policy isn't the law. Let the authorities explain this to them.

Comment It's a global problem (Score 1, Troll) 43

I think the backdoor isn't Chinese in the sense of the government or the country, it's more of a vendor problem globally. Vendors do this to keep control of what they sell, to be able to force customers to buy support subscriptions on pain of having the product stop working if they don't. Vendors from countries other than China do this just as often. We should be worried about what all vendors do, not just Chinese vendors.

Comment Bypass the Senate... (Score 1) 167

Bypass the Senate. The law regarding DST requires Federal law to make DST permanent, but doesn't require any special law for states to eliminate DST entirely and go on Standard Time year-round. Cotton can't do a thing about that, and maybe he'll develop some sense when the choice is between Standard and DST year-round rather than DST year-round vs. only in the summer.

Comment Not the open-source ecosystem (Score 1) 47

I don't think genAI is a threat to the open-source ecosystem as far as its copying of FOSS code goes. The people looking for that kind of code wouldn't be looking for the source code for FOSS projects anyway. The threat, if any, will be from genAI code being contributed back to FOSS projects. Aside from provenance issues, it tends to be low-quality and buggy and will just increase the workload for FOSS maintainers without offering anything useful. Witness genAI offering a suggestion to a bugfix submission: https://social.hails.org/@hail...

Comment Re:Complete fallacy (Score 3, Interesting) 47

Thanks to Google LLC v. Oracle America, Inc., 593 U.S. 1 (2021), even relatively small pieces of code (such as function declarations in header files) must be considered copyrightable. It's possible they aren't, but the appeals in that case resulted in rulings that they were copyrightable, and the SC decision in favor of Google turned on fair use, not whether the code in question was copyrighted or not, so it can't really be used to stand for the proposition that the appeals courts got it wrong.

With AI-generated snippets, it's going to turn on whether the snippet is close enough to identical to the original code to be considered a copy and whether that copying could constitute fair use. I think any lawyer would tell you that's not the kind of thing you want to bet on in court. If the code's simple enough that it clearly wouldn't be a copyright violation even if it were nigh-identical, it's simple enough you're better off not using AI and having your engineers write the code themselves, and if it's significant enough that that's not feasible then it's almost certainly copyrightable and the fair-use argument is going to be an uphill battle for something that significant. Either way, you're better off avoiding anything where you don't know the provenance of every line of your code.

Comment Virtual batteries (Score 1) 76

The core challenge of renewable energy is its inconstancy. Physical batteries are a bandaid and long distance grids are a council of despair. The real solution for reliable renewable energy is to just build out four or five times the peak load. Then when it's cloudy or not windy you still have way more power than you need to supply the peak load. But of course this has the problem that you just spent four or five times as much capital. And that's a non-starter. But the easy, though bad, solution to this is bitcoin batteries. Just mine bitcoin with the excess and shut off the mining when it's cloudy.

Now along comes AI. What a match made in heaven. A completely portable task. Move the calculation to whatever data center currently has power, whether it's Norway or Texas. You can soak up all that excess renewable power. Plus there's plenty of non-real time batch jobs you can run that can adapt. For example training.

Perfect.

Shame the US decided to lose the AI power race by nixing renewables.

Comment Re:The irony (Score 1) 120

I really need to get some self discipline. As much as I try I keep checking Reddit. I loathe myself. The only good thing to happen in the last few years was Elon buying twitter. That made getting unhooked on that time waste easy. But Reddit became my methadone.

I've resolved that I'm going to start hitting YouTube for educational videos. Gonna learn Lie Group theory!

The problem is Trump. Every day I have to see what fresh hell he's caused. Life was so placid when we had Biden or Obama or George Bush. Like them or loathe them it wasn't insanity.

Comment Re:Go for the source of the problem (Score 2, Interesting) 14

Source addresses of the attack are known. The ISPs know which customer was using that address at that time, and dealing with the customer is their problem, not the attack target's. If they don't deal with it, they get to deal with lots of angry customers who've suddenly lost connectivity to the majority of the Internet because entire blocks of the ISP's address space are being blocked by Cloudflare et al.

Comment Time for regulations (Score 4, Interesting) 90

Time for a law that says that if the manufacturer removes any functionality from a product that was present when it was purchased or originally offered for purchase, any owner of that product is automatically entitled to a refund of 100% of the original purchase price (if they can provide a receipt) or 100% of the initial manufacturer's recommended price (if no receipt is available) upon demand. The manufacturer may, if the owner can't present a receipt, require the owner to provide the serial number, photograph of the serial number and/or photograph of the entire item to claim the refund, and may require the owner to return the item at the manufacturer's expense.

Comment Signed packages are mandatory (Score 1) 41

At a minimum repositories should require that all packages be signed by the maintainer(s), with signatures verified upon download by keys not fetched from the repository itself. The tech is already there using GPG. The main thing that should be added is that the repository should sign maintainer GPG keys after having verified that that maintainer owns the packages signed by his key, that way clients can check for that as well and avoid packages signed by keys that don't own the package. Best practice here would be for maintainers to use a separate key for signing packages.

Requiring 2FA and such would be recommended, but with signature checking even if an attacker compromised the maintainer's account on the repository they still couldn't upload a package with the correct signature.

This won't solve the problem of maintainer systems being compromised, but that's a very non-trivial problem to solve. Nor would it solve the problem of a maintainer giving legitimate privileges to upload official packages to a party they don't realize is untrustworthy, but again that's non-trivial to solve. Neither of those problems is something there's a technical solution for, I'm afraid. And of course it creates a problem with key rollover and succession, getting clients to use the new keys at the correct point, but that merely requires some effort to get the protocol right.
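The trust model described above (signatures checked against keys that do not come from the repository, and the repository certifying which maintainer key owns which package, as also urged in the "Validate your packages" point earlier on this page) as an added example, not code from the original post or from any real repository. It assumes a hypothetical signature format, Ed25519 in place of GPG, and a client that ships with the repository's public key pinned.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// PackageSignature travels alongside the package download (hypothetical format).
type PackageSignature struct {
	MaintainerPub ed25519.PublicKey // key that signed the package
	RepoCert      []byte            // repository's signature over certMsg(name, MaintainerPub)
	PkgSig        []byte            // maintainer's signature over the package bytes
}

// certMsg is the statement the repository signs: "this key owns this package".
func certMsg(name string, pub ed25519.PublicKey) []byte {
	return append([]byte("owns:"+name+"|"), pub...)
}

// VerifyPackage accepts pkg only if the pinned repository key (shipped with the
// client, never downloaded from the repository) certifies that sig.MaintainerPub
// owns name, and that maintainer key actually signed these package bytes.
func VerifyPackage(repoPub ed25519.PublicKey, name string, pkg []byte, sig PackageSignature) error {
	if !ed25519.Verify(repoPub, certMsg(name, sig.MaintainerPub), sig.RepoCert) {
		return errors.New("maintainer key is not certified for this package by the repository")
	}
	if !ed25519.Verify(sig.MaintainerPub, pkg, sig.PkgSig) {
		return errors.New("package signature does not verify")
	}
	return nil
}

// RunScenario uses constructed keys and package bytes and returns the verdicts for a
// genuine upload, an upload from a hijacked account using the attacker's own key,
// and the genuine signature replayed over tampered contents.
func RunScenario() (genuine, hijacked, tampered error) {
	repoPub, repoPriv, _ := ed25519.GenerateKey(rand.Reader)
	maintPub, maintPriv, _ := ed25519.GenerateKey(rand.Reader)
	attPub, attPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed package contents 1.0.0")
	cert := ed25519.Sign(repoPriv, certMsg("example-pkg", maintPub))
	good := PackageSignature{maintPub, cert, ed25519.Sign(maintPriv, pkg)}
	// Account takeover: the attacker can publish, but only holds their own key.
	bad := PackageSignature{attPub, cert, ed25519.Sign(attPriv, pkg)}
	genuine = VerifyPackage(repoPub, "example-pkg", pkg, good)
	hijacked = VerifyPackage(repoPub, "example-pkg", pkg, bad)
	tampered = VerifyPackage(repoPub, "example-pkg", append(pkg, "-modified"...), good)
	return
}
```

The hijacked case fails on the certification check before the package signature is even examined, which is the property the post relies on: a stolen repository account does not yield a valid signature.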

Comment Modern monetary theory (Score 1) 270

Let's consider history and debt. The economies of the world have passed through several stages. Prior to the gold standard things could only scale so far before it failed. The gold standard reintroduced stability and fostered even more international trade. The principle of the gold standard was to maintain the peg of a currency to gold. This worked really well up till World War One. Its weaknesses had started to become apparent before that, where the need for currency expansion could not be satisfied till the next unpredictable gold rush discovery. As a result undercapitalized banks became at risk and eventually there were crises that led into World War One and utterly failed after it, leading to the Great Depression.

We got out of the Great Depression largely in part to temporary suspension of the gold standard.
A new way of pegging currency emerged with the Bretton Woods agreement. All countries would peg to the US dollar and use treasuries as the medium of international money transfer, not gold. The US would remain on the gold standard because it could afford to buy gold with all those treasury purchases.

But eventually this too saturated and limited growth. Under Nixon the US left the gold standard.

The goal of the Fed central bank was not to maintain the dollar per se since the dollar stood alone as the international benchmark. But instead the goal of the Fed was to curb inflation and curb unemployment. The weakness is the Fed only can use monetary policy, not fiscal policy. As a result those two goals are in conflict since they cannot be decoupled with a single point of control (monetary policy without fiscal policy).

But somehow we've done a great job using that system.

But now the international system has again scaled to a new problem which is deficit spending is reaching a point where debt service is a burden.

The next evolution of this is well known. It was beta tested in the Depression when the US both went off the gold standard briefly but also exercised both monetary policy and fiscal policy in concert.

The approach is called modern monetary theory. It has its critics, but critics fixate on sound bite summaries of MMT and really fail to grasp that actually it not only can work but has worked in all the instances it has been tried (US, Italy, Venezuela all recovered from crises under MMT approaches).

The fact that Europe is having problems is in fact due to the euro not allowing fiscal policy since states can't control their own money supply any longer.

The one true problem with MMT is that one cannot actually trust politicians to conduct proper discipline in fiscal policy. That has to be solved before it can be implemented. What allowed its implementation in the past was the automatic and not political and transient spending needed to meet crises like the Great Depression. But to do it outside of unemployment periods is dangerous unless it can be done by an apolitical entity -- something similar to the Fed but with different powers and mandates.

In any case the bottom line is this: under MMT a debt equal to your GDP is not a bad thing! No need to panic.
