Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/dymaxion/statuses/113866675697108650">Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 21-Jan-2025 22:57:11 JST</a><a href="https://infosec.exchange/@dymaxion" title="dymaxion@infosec.exchange"><img src="https://gnusocial.jp/avatar/92115-48-20240110063025.webp" width="48" height="48" alt="Eleanor Saitta" style="position: absolute; left: 0; top: 0;">Eleanor Saitta</a><div><a href="https://provably.online/@ktemkin/113866421168080247" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/315096" title="ktemkin@provably.online">Kate Temkin</a></li></ul></div></section><article><p><a href="https://provably.online/@ktemkin">@ktemkin</a><br>One of the things I hope we can strongly agree on is that the place where we should be asking a lot more is at the library and language level. I agree it's implausible that small teams will fix annoying and subtle bugs and also do the basic security design work they're already not doing.  However, it seems equally unlikely that people are going to stop doing dumb shit like connect things to the internet that really shouldn't be. Teaching the entire world how systems work to a level that allows them to have good intuition about what's a safe action is as hard as getting all the small dev teams to do the work. And harassing either users or devs about things outside of their scope of effective control of dumb and mean. </p><p>So that means we need language, framework, and library issues fixed at those levels, and then we need shaping incentives like liability to force migrations and rewrites, once we have meaningful solutions. When we get to that point, yes, a lot of small teams will need to end of life products or accept that they're going to need to write a lot less code — but at least they won't be playing whack-a-mole with problems further up stack and above their pay grade.<br><a href="https://hachyderm.io/@dalias">@dalias</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4409293#notice-8642181">In conversation</a><time datetime="2025-01-21T22:57:11+09:00" title="Tuesday, 21-Jan-2025 22:57:11 JST">about 4 months ago</time> <span>from <span><a href="https://gnusocial.jp/notice/8642181" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/8642181">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 21-Jan-2025 22:57:11 JSTEleanor Saitta
in reply to
- Rich Felker
- Kate Temkin
@ktemkin
One of the things I hope we can strongly agree on is that the place where we should be asking a lot more is at the library and language level. I agree it's implausible that small teams will fix annoying and subtle bugs and also do the basic security design work they're already not doing. However, it seems equally unlikely that people are going to stop doing dumb shit like connect things to the internet that really shouldn't be. Teaching the entire world how systems work to a level that allows them to have good intuition about what's a safe action is as hard as getting all the small dev teams to do the work. And harassing either users or devs about things outside of their scope of effective control of dumb and mean.
So that means we need language, framework, and library issues fixed at those levels, and then we need shaping incentives like liability to force migrations and rewrites, once we have meaningful solutions. When we get to that point, yes, a lot of small teams will need to end of life products or accept that they're going to need to write a lot less code — but at least they won't be playing whack-a-mole with problems further up stack and above their pay grade.
@dalias
In conversationabout 4 months ago from gnusocial.jppermalink

Public

Embed Notice

HTML Code

Corresponding Notice