AI doesn't "siphon up and launder" code any more than your brain does. Both *can* memorize (which is why sometimes comedians can accidentally steal a joke), but both are also learning from patterns.

AI isn't going to make people stop contributing to open source.

Source addresses of the attack are known. The ISPs know which customer was using that address at that time, and dealing with the customer is their problem not the attack target's. If they don't deal with it, they get to deal with lots of angry customers who've suddenly lost connectivity to the majority of the Internet because entire blocks of the ISP's address space are being blocked by Cloudflare et. al..

Time for a law that says that if the manufacturer removes any functionality from a product that was present when it was purchased or originally offered for purchase, any owner of that product is automatically entitled to a refund of 100% of the original purchase price (if they can provide a receipt) or 100% of the initial manufacturer's recommended price (if no receipt is available) upon demand. The manufacturer may, if the owner can't present a receipt, require the owner to provide the serial number, photograph of the serial number and/or photograph of the entire item to claim the refund, and may require the owner to return the item at the manufacturer's expense.

It's time to go after the source of the problem: the compromised devices. Identify them and force the ISPs that serve them to block outgoing traffic from that customer, on pain of having entire netblocks blocked by Cloudflare etc..

At a minimum repositories should require that all packages be signed by the maintainer(s), with signatures verified upon download by keys not fetched from the repository itself. The tech is already there using GPG. The main thing that should be added is that the repository should sign maintainer GPG keys after having verified that that maintainer owns the packages signed by his key, that way clients can check for that as well and avoid packages signed by keys that don't own the package. Best practice here would be for maintainers to use a separate key for signing packages.

Requiring 2FA and such would be recommended, but with signature checking even if an attacker compromised the maintainer's account on the repository they still couldn't upload a package with the correct signature.

This won't solve the problem of maintainer systems being compromised, but that's a very non-trivial problem to solve. Nor would it solve the problem of a maintainer giving legitimate privileges to upload official packages to a party they don't realize is untrustworthy, but again that's non-trivial to solve. Neither of those problems is something there's a technical solution for, I'm afraid. And of course it creates a problem with key rollover and succession, getting clients to use the new keys at the correct point, but that merely requires some effort to get the protocol right.

This is one of those "practitioner skilled in the art" kind of things. We've had SQL and UML for ages that use and visualize parent-child relationships. Once you know them, this is an obvious application for making queries about the relationships. Given how ubiquitous trees of various kinds are, I doubt their specific implementation is particularly novel.

Most of the things people complain about involve third-party cookies of one sort or another. Very few people would object to most first-party cookies or the reasons they're used. After all, if you visit a site obviously they know everything you do there. So, my ideal rules:

1. No consent required for cookies when being set by or sent to the site you're visiting. Site in this case being the 2nd-level or 3rd-level domain of the host you're visiting (depending on the TLD).
2. As an exception to the previous rule, consent required for any cookie being sent to a server for the site you're visiting that is controlled or operated by any entity other than the entity that controls and operates the site. This is to close the loophole of third parties requiring a hostname in the site's domain pointing at their servers to conceal the fact that they're third-party hosts.
3. Consent required for cookies being set by or sent to any site other than the one you're visiting.
4. The operator of the server or domain setting or sending cookies is responsible for obtaining consent, not the site being visited. If consent has not been affirmatively obtained, it must be assumed to have been denied.
5. Any server or domain that requires consent be obtained MUST NOT present any content that obscures content on the site being visited, that materially negatively impacts viewing of the site being visited, or that materially negatively impacts use or operation of the site being visited. No pop-ups, no overlays, no blocking or obscuring content on the site until the user consents.
6. 1. That should let users simply reject all third-party cookies in their browser and be done with it.

a.) There's little interest in interrogating the downsides of generative AI, such as the environmental impact, the data theft impact, the treatment and exploitation of data workers.

That's all the press ever fucking talks about, to the point where you've got people who use the cloud for everything bitching about AI like the rest of their cloud use isn't impacting the environment. Also, analyzing data isn't theft.

b.) There's little interest in considering the extent to which, by incorporating generative AI into our teaching, we end up supporting a handful of companies that are burning billions in a vain attempt to each achieve performance that is a scintilla better than everyone else's.

People need to learn about and use open source AI. There are plenty of very good options.

c.) There's little interest in thinking about what's going to happen when the LLM companies decide that they have plateaued, that there's no more money to burn/spend, and a bunch of them fold—but we've perturbed education to such an extent that our students can no longer function without their AI helpers. ...so AI is going to magically disappear if/when it plateaus and there are still gazillions of customers who want to use it? Some companies will probably go under when the investment cash dries up, but not all of them. AI isn't going to vanish.

Oh, and if all those companies crap out, open source AI is still going to exist. Those models won't magically vanish either.

Did you just pick a random person to say that to?

...probably aren't going to do their research, and will be willing to buy a shittier version for a higher price.

This camera is a fashion accessory for shallow people.

It's a good way of laying off the people who are good enough at what they do that they can find other jobs.

Found the office building real estate investor. Or the sociopath from upper management.

I haven't seen much if any slow-down as I age, and I'm 60. What I have seen is that I spend more time thinking so I write less code to get the same result and need to do less debugging to get it working correctly. I also have a bigger library of code I can use without having to write it all from scratch so again I end up writing less code. This last is especially true for tests, and I already know the corner cases and odd cases out that many of my co-workers don't even realize need tested. But the correct measurement isn't "How much code do you write and how quickly?" but "How much time and effort does it take for you to get the functionality production-ready?". There I (and my managers) can see a clear difference between those who do it fast vs. right.

One would think, right? Yet there's a constant stream of "new" done-to-death games in the Play Store that exist solely to appear at the top of the listings (because they're newer) and attract clicks to the ads in them. The people who write those games absolutely would use AI to do it if it'd let them do it faster, and we'd see that in the number of new releases (those lists don't care about how substantial the software is). It'd also make it less boring to create Yet Another X Clone. So, as Mike asks, where is the uptick in the number of these titles?

The problem with this survey is we can't trust developer estimates of how long it took them or how much time they saved. The METR report and Mike Judge's write-up show that quite clearly. Talk to me when Fastly includes actual timings of how long developers actually took to do the job with AI vs. without showing a statistically significant difference.