
Welcome to Norton Commander! Or Far Manager for a more modern version.

I think another thing that affects security is that in JavaScript culture people often tie to the latest version instead of a concrete version.

This makes it so an update to a popular library can compromise a huge number of packages that depend on it.

In Java, for example, almost all packages specify a concrete version; even if someone compromises the latest, the blast radius is usually pretty small.


Won't pinning a version lead to dependency hell, not to mention potentially using vulnerable versions if you don't move to a new version after it has some CVE fixes?

MS NuGet is also lock-by-default. Latest-by-default should be considered harmful unless the package manager is directly vouching for the veracity and reputability of the packages.

NuGet is lock-by-default for the parent package, but with the move from packages.config to <PackageReference> it's no longer lock-by-default for dependencies.

It never made sense the other way. If I reference a package, logically I'm also referencing its dependencies at the version that the package uses. Forcing the user to also reference dependencies of dependencies of dependencies means the package reference lists aren't DRY.

But just the dependency list isn't sufficient to pick a specific version, thanks to dependency ranges. If Package A depends on Package B >= 1.0, and Package B has v1.0 and v1.1 available, it will use v1.0. But if Package B suddenly unlists v1.0, then future restores will change to v1.1.

Ah, I see the worry. A supply-chain attacker can use de-listing to force an upgrade to the malicious version if clients have dependency ranges that reach into the future.

I didn't know about that one.

In general, any dependency system that allows "you can silently upgrade to versions of the package that did not exist at the time the packagereference list was created" seems to be a vulnerability.

It's frustrating since this vuln seems trivially simple to fix, at a glance... although it would require an API change in PackageReference. Mandatory lockfiles by default, or getting rid of the floating versions misfeature. BindingRedirects let you override declared dependency versions anyways, they're not a blood pact.


It seems trivially simple until you have two dependencies with conflicting exact version requirements... So I don't think you can get rid of floating versions entirely. They did add NPM-style lockfiles for PackageReference, but currently not mandatory.

The version numbers for BindingRedirects are orthogonal to the package versions. You can have multiple package versions use the same AssemblyVersion so that applications don't need to create BindingRedirects. (e.g. Newtonsoft.Json - 13.0.0, and 13.0.1 in NuGet are both 13.0.0.0 for binding redirect purposes) And .NET Core/5+ don't need BindingRedirects at all!
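The range-plus-delisting problem described in this thread (a `PackageB >= 1.0` reference that restores to 1.0 today and to 1.1 once 1.0 is unlisted) is easy to see with a toy resolver. The following is an added example, not code from the thread or from NuGet itself: it mimics NuGet's documented "lowest applicable version" rule for a simple `>=` range, shows the resolution silently drifting when the feed changes, and shows how a lockfile turns that drift into a failed restore instead of a silent upgrade. The feed contents and package names are constructed for the example.

```javascript
// Added example: a toy resolver for ">= x.y.z" ranges that picks the lowest
// listed version, as NuGet does, plus a lockfile check that fails the restore
// when the feed no longer resolves to the pinned version.

// Minimal "major.minor.patch" comparison (no prerelease handling; example only).
function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Resolve a range like ">= 1.0.0" against the versions currently LISTED in the feed.
// Lowest satisfying version wins, so the answer depends on what is still listed.
function resolveLowest(range, listedVersions) {
  const m = /^>=\s*(\d+(?:\.\d+){0,2})$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const floor = m[1];
  const candidates = listedVersions
    .filter((v) => compareVersions(v, floor) >= 0)
    .sort(compareVersions);
  if (candidates.length === 0) throw new Error(`no listed version satisfies ${range}`);
  return candidates[0];
}

// Restore one dependency. With a lockfile, a mismatch between the pinned and the
// freshly resolved version is an error (the equivalent of a locked-mode restore),
// not a silent upgrade to a version that did not exist when the lock was written.
function restore(dep, feed, lockfile) {
  const resolved = resolveLowest(dep.range, feed[dep.name] || []);
  if (lockfile && dep.name in lockfile) {
    const locked = lockfile[dep.name];
    if (locked !== resolved) {
      return {
        ok: false,
        name: dep.name,
        locked,
        resolved,
        reason: `lockfile pins ${locked} but the feed now resolves to ${resolved}`,
      };
    }
  }
  return { ok: true, name: dep.name, resolved };
}

// Constructed scenario from the thread: PackageA declares "PackageB >= 1.0.0".
const depOnB = { name: 'PackageB', range: '>= 1.0.0' };
const feedBefore = { PackageB: ['1.0.0', '1.1.0'] };
const feedAfterDelist = { PackageB: ['1.1.0'] }; // 1.0.0 has been unlisted

function demo() {
  const first = restore(depOnB, feedBefore, null); // resolves 1.0.0
  const lock = { [first.name]: first.resolved }; // what a lockfile records
  const drift = restore(depOnB, feedAfterDelist, null); // now 1.1.0, silently
  const caught = restore(depOnB, feedAfterDelist, lock); // fails: pinned 1.0.0
  return { first, drift, caught };
}

module.exports = { compareVersions, resolveLowest, restore, demo };
```

In real NuGet the equivalent controls are `RestorePackagesWithLockFile=true` to write `packages.lock.json` and `dotnet restore --locked-mode` to make a restore fail rather than update the lock; neither is on by default, which is the point made above.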


It's because people work (and use GitHub) a lot more on weekdays. A lot of outages are load related.


They said podcasts had 12 million downloads, 750k weekly at the moment.

They get people listening. And when you download, you don't know it will be crap AI slop.

I now get a bunch of this on YouTube - just endless drivel about some theme I am interested in. They create so much crap it's hard to see which one is real. I started banning the accounts that are making AI crap, but there are so many now.


If you read what happened, it's not that cut and dry. Railway (their cloud provider) gave them a token for operations. The AI was working on staging at the moment. Since the token had a wide range of permissions, the AI used it in its routine operations to delete a volume to fix something, and this resulted in their prod and backup data deletion.

So, here at least some of the blame belongs to Railway - how they organized their security, how the volume deletion deletes backups as well.

They have since fixed some of these issues, so a similar mistake from someone won't be as catastrophic.
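The failure described above is a scoping problem: a credential valid for every environment, handed to an agent doing "routine" staging work, can reach production. The following is an added example, not Railway's API or the tool from the incident: a hypothetical gate in front of an agent's tool calls that enforces environment-scoped credentials and refuses destructive operations on production unless a human has explicitly confirmed them. The token shape, operation names and the batch of calls are all constructed for the example.

```javascript
// Added example: authorization gate for agent tool calls. A token is scoped to
// one environment and a set of operations; destructive operations against
// production additionally require an out-of-band human confirmation.

const DESTRUCTIVE_OPS = new Set(['delete_volume', 'delete_service', 'drop_database']);

// Constructed credential shape (real providers expose scoping differently).
function makeToken({ environment, allowedOps }) {
  return Object.freeze({ environment, allowedOps: new Set(allowedOps) });
}

// Decide whether one tool call may proceed. Returns { allowed, reason }.
function authorize(token, call, opts = {}) {
  const { op, environment } = call;
  if (!token.allowedOps.has(op)) {
    return { allowed: false, reason: `token may not perform ${op}` };
  }
  if (environment !== token.environment) {
    return {
      allowed: false,
      reason: `token is scoped to ${token.environment}, call targets ${environment}`,
    };
  }
  if (DESTRUCTIVE_OPS.has(op) && environment === 'production' && !opts.humanConfirmed) {
    return { allowed: false, reason: `destructive op ${op} on production needs human confirmation` };
  }
  return { allowed: true, reason: 'ok' };
}

// Run a batch of calls through the gate; every decision is recorded for audit,
// and only allowed calls reach the executor.
function runAgentBatch(token, calls, execute, opts = {}) {
  const audit = [];
  for (const call of calls) {
    const decision = authorize(token, call, opts);
    audit.push({ ...call, ...decision });
    if (decision.allowed) execute(call);
  }
  return audit;
}

// Constructed scenario: the agent is fixing something on staging, but the
// batch also contains a volume delete aimed at production.
function demoStagingScoped() {
  const executed = [];
  const stagingToken = makeToken({
    environment: 'staging',
    allowedOps: ['restart_service', 'delete_volume'],
  });
  const calls = [
    { op: 'restart_service', environment: 'staging', target: 'api' },
    { op: 'delete_volume', environment: 'staging', target: 'scratch-vol' },
    { op: 'delete_volume', environment: 'production', target: 'db-vol' },
  ];
  const audit = runAgentBatch(stagingToken, calls, (c) =>
    executed.push(`${c.op}:${c.environment}/${c.target}`)
  );
  return { executed, audit };
}

// Second scenario: even a production-scoped token cannot delete a production
// volume as part of routine agent work; it needs humanConfirmed: true.
function demoProductionNeedsConfirmation() {
  const prodToken = makeToken({ environment: 'production', allowedOps: ['delete_volume'] });
  const call = { op: 'delete_volume', environment: 'production', target: 'db-vol' };
  return {
    routine: authorize(prodToken, call),
    confirmed: authorize(prodToken, call, { humanConfirmed: true }),
  };
}

module.exports = { makeToken, authorize, runAgentBatch, demoStagingScoped, demoProductionNeedsConfirmation };
```

The gate is deliberately on the caller's side: it does not depend on the provider's token permissions being narrow, which is what went wrong in the incident above, and it leaves an audit trail of every denied call.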


One of the biggest health problems in the US is obesity. 30 to 40% of the food produced in the US goes to waste.

Just these two facts will tell you that while, yes, we do need food to live, on the other hand we have an abundance of food, and AI data centers use 0.05% of the water used for humans.

It's a strawman.


You said that English is not your first language, so heads up - you don't need "for" when you use "e.g.", it already means "for example".


You presumably do have English as a first language so you should know that sentences begin with capital letters.

Was that a helpful and interesting conversation?


Just take up smoking heavily.


Easier to inhale an undisclosed amount of helium before recording your password voice


I recommend sulfur hexafluoride for something harder to replicate. Nothing like making hackers risk their life to impersonate you


Or skip the half measures and go straight for the dioxygen difluoride.

https://www.science.org/content/blog-post/things-i-won-t-wor...


Excellent idea!

Do you need to calibrate it to be able to repeat it, and does that calibration change if you are at a different altitude and in different conditions, such as humidity?

Does merely changing altitude (or ambient pressure) change voice enough to be considered different by a recognition or synthesizing system?


Despite popular belief, even heavy smoking does not alter your voice in a significant way.


Do you have a source for that? I can tell with pretty good accuracy whether my students smoke from their voices (adult language learners, we take smoke breaks together and they have no reason to conceal it), and would be very surprised if I’m just that lucky and there’s nothing a person can pick up on acoustically.


20 years of heavy smoking :)

Although it does seem to affect some people more than others for sure, I guess it depends on how and what you're smoking.


Despite popular belief, even heavy smoking does not alter your voice in a significant way.

I guess you don't listen to Sinatra.


Or John Mellencamp, who repeatedly states in interviews that he likes what smoking does to his singing voice.


Source: it came to me in a dream.


There's this myth (that came to you in pop culture) that you end up sounding like Tom Waits.

In reality, some phlegm aside, their voice is still the same in any way that matters.

If you knew people who didn't smoke and started (not uncommon in the 80s and 90s, quite a few people I know started smoking in university, or after the stress of a first job, some even later), and also the inverse, you can trivially hear it for yourself.


My voice is exactly the same as before I started smoking heavily, and I have never had any of the associated problems that most people seem to have (lung capacity, stamina, infections, phlegm etc) - pot luck I guess, like most things


Depends on what you're smoking


bacon!


and mostly how.


The EU doesn't forbid including it. The new law requires there to be an option without the adapter. If the manufacturer chooses so, they can have an option with and without the adapter.


I logged in several times to other people's accounts and reset their passwords. But it's too tiring, people keep adding my email.

I hope it's because I have small simple email and not because they want to steal it.


You’re confessing to several actual felonies here, may want to change strategies.


“…and so I made him the owner of my account, and he used that to remove himself from it!”

“We’ll be right over.”


You forgot the part where he reset their email, which he didn't own, and changed their passwords so they couldn't get back into it.


I think you’re misreading this. OP has an email account. Someone else signed up for some website that doesn’t verify that you own the address before allowing you to log in and use the service. If the site did verify it, the user wouldn’t have been able to log in because OP would have been getting the verification emails, and not the user.

Later, after OP told the user and they failed to change their address, OP logged into the site and changed their password, putting an end to the spam they were receiving from the user’s actions.

I don’t have an ethical qualm with this. He didn’t want to sign up for the service. Someone else signed his email address up for it. Legally, I can’t imagine that being prosecutable.


One thing I've found, occasionally the hard way, is that helpful bystanders are always offering advice based on "ethical", "intuitive", "logical" and "common sense", usually without any aspect of "legal".

I got divorced a decade ago, and every well-wishing person in my life was strongly urging me to do things which were shockingly counter-productive / dangerous / wrong, based on their confident understanding (assumption, really) of the law which was completely and dangerously inaccurate.

Hacker News audience is global. People start accounts for various purposes. Yet people still freely share the notion that logging in to some unknown website run by an unknown company from a hard to spell country and then touching things is universally safe.

I miss the old "IANAL" tag which at least provided basic warning and self-awareness :-).


While true, I think that's implicit in all online conversations. I'm certain my thinking is 100% wrong in some jurisdictions elsewhere. Anything I say is wrong somewhere.

"It's OK: you can curse on the Internet." "Not when you're typing from Iran!" "Well, OK, if you're in Iran, don't take this American's advice for dealing with a government."

Part of our obligation as a reader is to consider what others are saying in the context of our own circumstances and experiences before trying to apply it. If you don't, and things end badly, that's on you.

But I stand on my words: I think it's ethically OK. You may not. That's alright. We're not required to have the same ethics or morals. And I don't think that's prosecutable. That's my opinion, based on my circumstances, not a statement of fact that applies in all jurisdictions around the world.

Above all else, I got tired of giving disclaimers about every single thing I say lest someone jump in with a "gotcha! scenario" I hadn't considered because it's not relevant to the context of the discussion.


IANYL, though! Offering legal advice with the disclaimer “I am not a lawyer” could be prosecuted as practicing law if a reasonable party could still infer a potential lawyer-client relationship from your message and/or intent. Instead, “I am not your lawyer” explicitly denies the lawyer-client relationship, which closes the door on both being accused of practicing law illegally and on being found as party to a lawyer-client relationship whether or not you have the appropriate certifications.


> closes the door on [...] being accused of practicing law illegally

Does it? So I can say, "I'm not your lawyer, but I'm happy to go ahead and give you specific legal advice on your case." and I can't be accused of illegally practicing law? I was under the impression that this could still get you into hot water. But not being your lawyer, due to the fact that I am not a lawyer at all, I don't know if it is true or not.


IANAL, so take this with a grain of salt, but:

As with all things, who are you going to get in trouble with? And what's so magical about legal practice as opposed to, say, giving shitty medical advice or telling someone how to build a porch? Asking genuinely. No one falls all over themselves to say "I am not a doctor, but...", even though their next words could kill someone. The implication is that they don't have formal training but they saw something on Facebook that you should try. What happens next is on you, not on them.


> No one falls all over themselves to say “I am not a doctor, but”

This is precisely why I’m pointing this out: IANAL is a very curious case of people self-labeling their statements as “not trustworthy for the topic”. I can think of perhaps no other cases where it is so popular to claim to not be a professional in the relevant field, which suggests that IANAL is a ‘badge of honor’ rather than a proper legal disclaimer. Certainly few (if any) claim IANAD before writing about their experiences with medical issues, body things, or nutritional supplements here, even though those topics are (as you correctly indicate) potentially lethal.

Thus, IANYL: if your goal is to ensure that the recipient of your advice / opinion / whatever does not have grounds to claim that you provided legal advice, and therefore are their lawyer, then you can either do so weakly with TINLA (“this is not legal advice”), which still leaves the door open for awkward claims by some desperate grifter-rando to reach a bench, or you can do so strongly with IANYL (“I am not your lawyer”), which closes that vulnerability in full.

Not once in years of using IANYL have I seen anyone else properly protect themselves from this vulnerability; meanwhile, “IANAL but” remains in use as a badge of honor. So, yeah, I don’t think anyone considers the particular avenue of vulnerability a serious threat, and yeah, the general context of IANAL here is prideful rather than protective. But after twenty years of dealing with a stalker who was adept at internet and tried to fuck with my job at one point, I do now tend to value closing off legal vulnerabilities with certainty, and as a bonus it doesn’t imply insult to the professions of law.

IANYL, YMMV :)


Right. Techies are always quick to suggest I do something naughty or funny with this "great power" I've unwittingly gained, but in reality it's just a liability. If I ignore it and they do something nasty and implicate me, it's a pain. If I touch it with a 10 ft pole, now I'm even more actively involved.

Just include "not me!" in the verification email, damn it.


You give someone ownership of something and they used that ownership...


It's like leaving your bike in the street, with no lock. Still theft, but you'd be up for a part of the responsibility.


No, it's like giving someone a set of keys to your car, and they take it for a drive.


I think it’s more like you registered the car in their name. Now they’re allowed to use it, and also responsible for the thing which they didn’t want.

Consider that the “imposter” starts uploading child porn or something, and it’s on an account registered to your address. I think it’s perfectly A-OK to tell the service that it’s not me using the thing and I want them to close the account someone created in my name.


It's more like leaving your bike in someone else's garage.


I'm curious if this would really be considered unlawful access, since only pure idiocy and no hacking/scamming/etc were involved.


It would be in Canada, but our "misuse of computer" charge is overly broad and has never been well tested.


On the other hand, in Hong Kong it would be straight to jail. Someone was sent a link by the airline; he changed a couple of characters and it ended up showing another person’s data. The guy voluntarily reported the vulnerability and all he got was a criminal charge and a guilty verdict.


No harm done, no one is gonna prosecute this.


In what jurisdiction? He's in Russia


He's in the US.


Have you tried sending them emails asking/telling them to stop?


I’m a different person, but this happens to me, too. I have the kstrauser@yahoo.com email address because I signed up for it like 25 years ago. I log in every 6 months to see what the few other kstrausers in the world have signed me up for.

Not jsmith, but kstrauser. Not Gmail, but Yahoo. And I still get banking docs, and HOA meeting minutes, and birthday party invitations, and Facebook logins, and other bizarre random stuff.

I have so many questions. I’ve typoed my address before and had to correct it. That’s understandable. But to wholly invent one and say, yep, that looks good even though I’ve never used it before, I’m sure it’ll be fine! I just don’t get it.


I have a catch-all on a .com.au domain where there exists a later 1000+ people organisation with the equivalent .gov.au. I get what you described but from many, many people - divorce proceedings, legal discussions, financial documents, health things, etc.


Yeah, I have josephg@gmail. The amount of spam that account gets is wild - about 50-100 emails hit the inbox per day. I got soft-locked out of Google Docs a few months ago because my Google account's 25 GB quota was exhausted.

Some of the emails are really unfortunate stuff. "Your account was added as a backup address." - Then inevitably, a few weeks later, dozens of password reset emails. Sorry bud. I've received pay stubs. Orders and invoices. I get phone bills every month for someone in India. It's chaos.

Early on I'd sometimes reply to these random emails telling people they've got the wrong address. The most astonishing reply I ever got was from HSBC bank telling me I needed to come into the branch to change my email address. Over the course of a week, I explained about 3 times that that was impossible. That I live in Australia. That I'm not their customer, and it's not my account. Eventually they told me they were disabling online banking on my account. Now I've given up replying at all.

Send emails into that pit of PII misery if you want. I don't read them.


Some of these banks are ridiculous. HDFC bank insists that I send them my photo id, address, phone number, and my Indian id number to prove that I'm not their customer. I tried explaining that I don't have an Indian id number because I don't live in India but they insisted they can't help me unless I provide all of this. Then they sent me legal notices threatening me for not paying "my" bills. I send all their stuff to spam now.


I had one where the person seemed to think their @twitter name was the same thing as my gmail address. Haven't seen it in a while, maybe they figured it out after I told their kid's teacher they had the wrong person...


I have a very weird and rare @gmail.com and I still get other people's mail sometimes.


>You write an email that says "Hey, can you please stop using my email address?"

>You send it to johnsmith@gmail.com

>You receive a new message, it says "Hey, can you please stop using my email address?"

>You're johnsmith@gmail.com, you only know that's the address that's being used

PS: I know that if he resets the password he can get the other address, but this scenario was funny in my head.


That may be what they're hoping for, using a similar modus operandi as those WhatsApp/IM messages from strangers who text you with things in the vein of ‘Hey, it was great meeting you at the conference’ or ‘Did Martha like your flowers?’ etc.

They may well be looking for targets.


I have a story here: I deleted my Reddit account.

A few months later, the owner of the u/batman account added my mail as password reset mail.

I looked up the account. It was hardly ever used in 15 years, mostly for once in a blue moon dropping in a random comment role-playing as Batman. It was not obviously anyone I knew. It looked like they were basically inviting me to take over the account.

That was actually a bit tempting, but then the owner, whoever they were, would know who I was, and I still didn't know who they were.

(For that reason I've changed the name, it wasn't Batman, but it was equally "I can't believe you got THAT as your Reddit username" rare.)

So I clicked "this wasn't me" instead. After a few weeks the account was deleted by the owner. It seems they were willing to burn a 15+ year old account with a super-desirable (to many) name in order to get me back to Reddit, and then when I refused they just deleted it. That was VERY weird, and I wish I knew what was going on.


Yeah, this was my thinking, too.

Great way to phish people without looking like a malicious, obvious actor.

Instead they look like idiots or rubes and you get a little too curious, and in ways that might be considered malicious (and potentially illegal).


There are times where you just can't... someone uses my email address in person at Tractor Supply Co. and I'm getting a ton of marketing email I can't unsub from.

I've had this happen several times... There's a lawyer I used for a dispute a few years ago, and they now have another "First Last" name that matches mine, and he keeps emailing me... my reply, "Wrong Michael, again..."

It's kind of annoying all around... I need to get off my butt and get a few things shifted, then just start relying on my own MTA again, instead of forwarding *@mydomain to my gmail too. I'll still wildcard the domain, but to a single mailbox on my own MTA.

I'm not sure how bad the spam might get though... I've had a test account on my MTA for a couple of years and it hasn't really received any... my wildcard accounts either... I use the wildcard so I can do things like walmart@mydomain, to see if/where an email address is sold/leaked from regarding spam.


Contact the Bar Association for that lawyer's state. He will definitely stop making that mistake then.

