> and doesn't shit itself when a transitive dependency gets yanked from npm
For non-trivial golang apps you're still gonna find npm in the mix. I recently packaged forgejo, yopass, and a few others, and if you don't have `npm` on the build machine, the resulting daemon won't serve the front end.
I'm suggesting that if you build an online community of immigrants to the US and you allow accounts for whom no one can vouch, at some point this mechanism will bring you an ICE agent.
> Okay, so… what are those cases? I’m also curious.
If you're willing to make a third party SaaS's uptime the ceiling for your own org, you can delegate auth. GitHub might not be a good choice for SSO.
If you're not threatened by per-user-per-month fees, you can delegate auth.
If your threat model is compatible with a third party having visibility into your user's network location and the frequency and duration of their activities across your org, you can delegate auth. (Okta will probably not inform your competitor that your main sales guy is in North Carolina this week and has logged in from the conference room wifi of your competitor's main client.)
If you can trust the third party to not allow an interloper to bypass your requirements, you can delegate auth.
A former coworker of mine walks funny because he had polio as a child, and his father worked for the railway union after WWII. He told me one day in high school, one of his friends came to school with bruises he couldn’t hide, inflicted by his drunk father. Everyone in school knew, everyone in town knew, but no one did anything.
My coworker informed his dad about the egregious injuries that day. His dad drove to the drunk man’s house and knocked on the door and seized the drunk man by the collar: “if you ever touch that boy again, I’ll kill you.”
The threat must have been believable coming from a rail union worker, because it rehabilitated the recipient’s decision making processes going forward.
> father would lose the responsibility for his child
This HN discussion of systemic abuse in US Catholic orphanages last century also discusses vast, documented ongoing abuse in both religious and state run care/foster systems around the globe. Statistically, these systems cause more abuse than they prevent, and should only be a last resort.
I'm not an expert in all nations but systemic abuse in abuse prevention systems is not uniquely American. For instance, the British care system seems consistent with American results - a Brit I talked to told me that in year, roughly 1 in 2 children report sexual abuse at the hands of their caretaker or an older child. It's hard to tell the extent of the unreported abuses. And yet, widespread abuses don't preclude the possibility of children escaping unharmed. I'm glad you made it through.
This is a horrendous rate. But given the discussion context the success rate of a punch into the face of an alcoholic father is less than 50% (I claim that given my knowledge with alcoholism) so even the bad British system is better.
Also given the lack of scandals in the German system (better: most scandals are about how the system wasn't strict enough against abusive parents) I see it is clearly possible to build a better system.
> My coworker informed his dad about the egregious injuries that day. His dad drove to the drunk man’s house and knocked on the door and seized the drunk man by the collar: “if you ever touch that boy again, I’ll kill you.”
Yeah that wouldn’t fly nowadays. Your friend’s father would be hit with a slew of charges from “terroristic threats” to “menacing”.
I've considered hard-coding some addresses into firmware as a fallback for a DNS outage (which is more likely than not just misconfigured local DNS.) Events like this help justify this approach to the unconcerned.
The global and distributed system relies on the system actually returning valid responses. If the root servers are broken, whether it's a problem with RRSIG records or A records, the TLD is broken.
If my domains' DNS servers start pointing at localhost, that doesn't mean DNS is a broken protocol.
Why should this be any different than when telling/paying a human to write the program?
You're free to enter an agreement assigning all rights to the employer or the worker, to license the work ir/revocably and/or non/transferably. There is no need to wait for a court decision to understand what the results will be.
You may not see it as “security”, but any entity that is actively monitoring their logs benefits when the false positives decrease. If I am dealing with 800 failed login attempts per minute I cannot possibly investigate all of them. But if failed logins are rare in my environment, I may be able to investigate each one.
Obscurity that increases the signal to noise ratio is a force multiplier for active defense.
I'll grant you smartphones, but smart TVs usually don't have cameras/microphones. The problem with smart glasses is that they constantly capture video and upload it to $VENDOR like in this case.