Well, actually, no, not everyone is free to use alternatives. Anyone using CI for "Trusted Publishing" of packages to PyPI or npm needs to use GitHub Actions or GitLab CI/CD. CircleCI and Travis CI are not supported. So many big open source projects for the two most popular languages in the world are now locked out of the alternatives you propose.
(I find it extremely sketchy from a competition law perspective that Microsoft, as the owner of npm, has implemented a policy banning npm publishers from publishing via competitors to GitHub Actions - a product that Microsoft also owns. But they have; that is the reality right now, whether it's legal or not.)
Trusted Publishing on PyPI supports Google Cloud and ActiveState as well. It’s not tied to GitHub or GitLab. To my recollection I looked at CircleCI support a while back, and ran into limitations on the claims they exposed.
(It can also be extended to arbitrary third party IdPs, although the benefit of that is dependent on usage. But if you have another CI/CD provider that you’d like to integrate into PyPI, you should definitely flag it on the issue tracker.)
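As an added illustration of the claim-binding point above (example code, not PyPI's or any CI provider's implementation): an index can only tie an OIDC token to one publishing workflow using the claims the provider emits, so a provider that exposes only a project identifier forces a coarser trust boundary. Claim names follow GitHub's OIDC token; the owner, repository, workflow and token payloads are constructed.

```python
"""Illustrative trusted-publisher claim check (example code, not PyPI's).

An index that accepts OIDC tokens from a CI provider can only bind a token
to one publishing workflow using the claims that provider actually emits.
Claim names follow GitHub's OIDC token (iss, aud, repository,
job_workflow_ref, environment); all token payloads here are constructed.
"""
from dataclasses import dataclass
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustedPublisher:
    """What a maintainer registers: the one workflow allowed to publish."""
    owner: str
    repository: str
    workflow_file: str            # e.g. "release.yml"
    environment: Optional[str]    # optional GitHub environment name


def check_github_claims(claims: dict, tp: TrustedPublisher, audience: str):
    """Return (accepted, reason). Signature verification against the
    provider's JWKS is assumed to have happened already; this is the
    policy step that follows it."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        return False, "token not minted for this index"
    if claims.get("repository") != f"{tp.owner}/{tp.repository}":
        return False, "repository mismatch"
    # job_workflow_ref looks like
    # "owner/repo/.github/workflows/release.yml@refs/tags/v1.2.3"
    ref = claims.get("job_workflow_ref", "")
    prefix = f"{tp.owner}/{tp.repository}/.github/workflows/{tp.workflow_file}@"
    if not ref.startswith(prefix):
        return False, "workflow file mismatch"
    if tp.environment is not None and claims.get("environment") != tp.environment:
        return False, "environment mismatch"
    return True, "ok"


def missing_binding_claims(claims: dict, needed=("repository", "job_workflow_ref")):
    """Binding claims a provider's token lacks. Each missing one is a
    dimension the index cannot restrict on, so the trust boundary widens
    from 'this workflow' to 'anything that can obtain a token'."""
    return [name for name in needed if name not in claims]


# Constructed sample: a token as GitHub would mint for a tagged release job.
GOOD_TOKEN = {
    "iss": GITHUB_ISSUER,
    "aud": "pypi",
    "repository": "example-org/example-pkg",
    "job_workflow_ref":
        "example-org/example-pkg/.github/workflows/release.yml@refs/tags/v1.2.3",
    "environment": "pypi",
}
# Constructed sample: a provider that only identifies the project, not the job.
COARSE_TOKEN = {"iss": "https://ci.example/oidc", "aud": "pypi", "sub": "project:42"}

PUBLISHER = TrustedPublisher("example-org", "example-pkg", "release.yml", "pypi")

if __name__ == "__main__":
    print(check_github_claims(GOOD_TOKEN, PUBLISHER, "pypi"))
    print(missing_binding_claims(COARSE_TOKEN))
```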
I was never convinced that trusted publishing solves any security problem, other than letting pypi eventually solve the problem of banning russian/iranian/whatever people just by relying on github doing it for them.
The 30% figure is "correct" if you look at the absolute number of deaths instead of deaths per VMT. But I basically agree with you; that's clearly the wrong stat to cite if you are attributing the change to vehicle safety regulations.
Even that is still wrong because you'd have to use the high water mark during COVID and not the more recent numbers which are starting to come back down.
2020 wasn't just the start of Covid, but also the start of BLM. The narrative I always see from the American right is that BLM caused many police forces across the US to radically reduce traffic enforcement, since:
1. traffic offenders are disproportionately black,
2. stops for minor traffic offences can sometimes spiral into violence in various ways, and some viral ones have involved absurdly bad use of force decisions by officers involved, and
3. no force wants to take the blame for another George Floyd
Per this narrative, a significant antisocial tranche of the public has responded to the effective suspension of traffic law in the way that you would expect them to, and that is why road deaths are up.
The timing lines up but that's more of a vibes argument.
The majority of traffic stops in the US are, cop parks on the side of the highway somewhere the speed limit is lower than the speed people drive there, every car on the highway is doing 70 in a 55, whoever drives past gets a ticket and the government fills their coffers but the speed everybody actually drives on that stretch of highway remains 70.
Now suppose the cops stop doing that for the stated reason. If you then drive past them at 110 instead of 70, are they still going to not pull you over? Good luck with that. Even if they're actually trying to minimize traffic stops, that one's the one that makes the cut.
So then what happens if they stop doing the usual ones? People are then going to drive 70 in a 55 because they can get away with it, but that's what they were doing to begin with. You could argue that the fatality rate would be higher at 70 than 55, but then why would that change relative to the baseline where that was what was already happening?
So the argument would have to be that idiots had the impression that they could do 110 without getting pulled over, even if that wasn't true, and then did that and managed to make contact with an overpass before driving past a cop. Which doesn't seem as plausible, because speeds like that on empty desert highways shouldn't have raised the fatality rate that much (e.g. it's not that high on the autobahn in Germany), and speeds like that in traffic where there are other cars traveling significantly slower will trigger a visceral feeling of danger in nearly all humans unless they're on drugs or have significant mental health issues, and in those cases they wouldn't have been deterred by the prospect of traffic enforcement anyway. Which is why people drive somewhat over the speed limit even when that could get them a ticket -- because it doesn't feel dangerous -- but also why they don't drive a lot faster than the other cars -- because that does. Traffic enforcement or not.
Moreover, regardless of how much of a contribution was made by that vs. COVID, the numbers still don't line up with it being vehicle safety regulations.
I would guess that what matters most is stops for driving disqualified/uninsured/unregistered, DUI, running lights, and failing to yield (especially at crosswalks), and perhaps for speeding on non-highway roads where it has more of a safety impact. As you say, in the USA as in virtually every culture, almost everyone speeds in some contexts, and especially on big, multilane, motor-vehicle-only roads; enforcement of speed limits in that context is likely one of the lowest impact things police can do, but I think it's a massive error to treat "traffic stops" as a category as equivalent to that sort of enforcement specifically.
I assume you're an American? As a Brit, your comment confuses me. Why would anyone ever have high beams on at all in anything reasonably described as a "neighbourhood"? Do built-up areas in the US not reliably have street lighting?
Here in the UK, it is pretty much universally the case that if there are buildings, there are street lights. (Maybe there are occasional exceptions where there's a single building in the middle of nowhere on a rural road; I'm not sure. And I suppose there must be occasional outages of street lighting even in e.g. dense city centres. But such things are rare.) Having high beams on in almost any context where there are buildings around is therefore unnecessary, against the Highway Code, and quite possibly criminal under RVLR reg 27.
I'm not the one you asked, but I think a lot of 'wealthy' neighborhoods in the US mean suburbia with larger single-family-home lots, and roads often feel a bit more rural. In my area in California, these are often unincorporated (county) lands just outside larger towns.
You sometimes see a very clear boundary. The more middle-class housing is subdivisions built all at once somewhere in the 1960s-2000s, with underground utilities and street lights. This infrastructure was mandated by the city, when the developers were looking to get their newly built neighborhood annexed into it. Around the next corner, darker streets with overhead utilities and more spread out lots with oversized "McMansion" houses. These are following the more relaxed county building codes and had the space available for such construction.
These roads are also more likely to have expensive new cars with all the computerized functions. Walking in this limbo world at the edge of our town, I've also noticed being blinded by cars as a pedestrian with more dynamic effects. I suspect the car's system is actively painting me with more light. It is a little bit like the "fringing" you see when the cutoff of older HID projection lamps sweeps over you due to road undulation. But it happens too quickly and both vertically and horizontally. It feels like being hit with a targeted spot light.
I wish the engineers spent the same care to put a dark halo on a pedestrian face as they do for oncoming drivers. Even when carrying my own flashlight, such encounters can be dazzling enough to basically go blind and not be able to see the dark paving in front of me for a minute. My light is more to make me visible to the cars than to really illuminate my path for myself. It doesn't stand a chance against the huge dynamic range of these car lighting systems.
A point made deep in a comment thread by user "rck" below deserves to be a top-level comment - the clawback clause explicitly applies ONLY to violations of existing law:
> NSF reserves the right to terminate financial assistance awards and recover all funds if recipients, during the term of this award, operate any program in violation of Federal antidiscriminatory laws or engage in a prohibited boycott.
So there's no plausible way that agreeing to these terms would have contractually bound PSF in any way that they were not already bound by statute. Completely silly ideological posturing to turn down the money.
And if someone at the NSF decides to terminate the grant & 'recover all funds', does the dispute over the contract involve the same burden of proof and rights to appeal as a federal discrimination case?
Someone wrote it into the grant agreement. It's a fair bet that they think that has some effect beyond what the law already achieves.
The burden of proof is "on the balance of probabilities" in both cases as far as I know, and there's no limit in principle on how high a breach of contract case can be appealed.
Of course it has an effect, but that effect is giving the NSF the ability to sue over a grantee's alleged breaches of discrimination law, instead of that being limited to parties discriminated against and the EEOCs.
Why was the clause included if it's completely redundant? PSF's decision is based on the government's demonstrated track record of what they consider to be "illegal DEI", not what the law actually says. Grant cancellations have been primarily based on a list of banned words (https://www.urban.org/urban-wire/nsf-has-canceled-more-1500-...), and of course nobody involved with any of the thousands of cancelled grants has been charged with breaking a law, because they haven't broken any.
- CAREER: From Equivariant Chromatic Homotopy Theory to Phases of Matter: Voyage to the Edge
- Remote homology detection with evolutionary profile HMMs
- SBIR Phase II: Real-time Community-in-the-Loop Platform for Improved Urban Flood Forecasting and Management
- RCN: Augmenting Intelligence Through Collective Learning
- Mechanisms for the establishment of polarity during whole-body regeneration
- CAREER: Ecological turnover at the dawn of the Great Ordovician Biodiversification Event - quantifying the Cambro-Ordovician transition through the lens of exceptional preservation
When the federal government cancels your grant and claws back money you've already spent because they claim something innocuous is illegal, knowing in your heart that they're wrong is not very helpful.
> Why was the clause included if it's completely redundant?
It's not and I didn't suggest it was. It gives the NSF itself the ability to litigate discrimination by grantees (in order to claw back its funds) instead of only the people discriminated against and the EEOC being able to do that. That's a real effect! But it doesn't impose any new obligations whatsoever on PSF - just changes the recourse mechanism if PSF violates legal obligations they already had.
> When the federal government cancels your grant and claws back money you've already spent because they claim something innocuous is illegal
As far as I know this has not happened in any of the cases you mention and _could_ not happen. Yes, grants have been cancelled for dumb reasons, but nothing has been clawed back. Right? What would the mechanism for clawing back the money without a lawsuit even be?
I don't know if they've attempted to claw back any NSF grants yet, but they have done this with EPA grants. There was no lawsuit, they just ordered banks to freeze the funds and the banks complied: https://www.eenews.net/articles/epa-green-bank-recipients-lo...
Hmm. That'd be pretty nasty to be on the receiving end of (and may well have been an outrageous abuse of executive power), but still, an administrative freeze is temporary and is not in itself a clawback. Even if it was a certainty this would happen to PSF, it would still be worth it for $1.5 million!
How is there not a contradiction between 1 and 2? If 1 is true then the jobs are offered to non-white candidates who are undeserving. If 2 is true then the jobs are offered to non-white candidates who are deserving.
I don't understand what you're trying to say. It's obviously possible for the extremely weak claim made by statement 2 to be true (i.e. for some non-zero number of "deserving" nonwhites to exist and for existing hiring to not be a perfect meritocracy) in the same universe where the sort of programs typically labelled "DEI" tend to have anti-meritocratic effects. You seem to be suggesting that if competent nonwhites exist, then anything labelled DEI will automatically have the effect of causing orgs to hire more competent people, but... why? There's zero reason that should logically follow.
Well, not necessarily, on your last sentence. It might also be theft, depending on the precise nefarious purpose and on the jurisdiction. If you take somebody else's property without their consent, that's typically theft, even if the "property" is money in a bank account and no tangible physical object changed hands, and even if the method of taking involved deception. Fraud and theft overlap.
Why? I don't understand the objection to this. If the app was sending off any data to Notion without consent, that would obviously be a privacy issue, but why is it a problem for a desktop app to simply check if your mic is being used and offer to record?
The application is almost certainly sending off data to Notion without consent, you just wouldn't be able to tell.
If a company is willing to do even small privacy violations, I do not trust them at all. Feel free to run OpenSnitch or LittleSnitch - most apps are opening connections to many domains you won't recognize. Your guess is as good as anyone's what data they're exfiltrating. That is, of course, unless you use more privacy-preserving apps that are typically open source.
I don't use notion, but it would be a fun experiment to install a root CA and see the traffic.
It's probably not always this easy. I see many connections on apps using UDP, so who knows how, exactly, they are encoded.
The data may also be "encrypted", similar to how Zoom "encrypted" data. That is to say, the data is encrypted, but the private key is on the same server. So, if you MITM, it looks encrypted - but there's no security.
It's Electron, so you can just open Chromium dev tools and see almost all network activity - I'm pretty sure this is exposed to everyone in the debug menu. Takes seconds. HTTP proxy the rest. (I work at Notion and do this all the time to debug.)
Yes, virtually every commercial application I've ever seen allows exfiltration of data, usually close to all of it, and you agree to it by signing both an EULA and privacy policy.
Based off of that, I then assume that other companies are exfiltrating as much data as possible off my devices.
I mean, even your car, which, keep in mind, is a multi-tens-of-thousands dollar product, exfiltrates your location, all your texts, all your phone calls, and as much data from your phone as possible.
Yes, this is a "leap of faith". I am not bound by a purely evidence-based worldview - I consider that naivety. I do not need strong irrefutable evidence of bad things happening. When people are untrustworthy, I approach them with skepticism in order to protect myself.
For example, I have absolutely no proof that the NSA is surveilling SMS and telephony right now. None at all. But I know Prism was a thing. It is safe to assume the NSA is absolutely surveilling SMS and telephony.
Firstly, I don't believe that you require proof to believe the things you do. Yes, I am calling you a liar. You have noticed patterns, and make assumptions every day. Every functional human being does.
I don't need proof that some random man is a mugger to know to put my phone in my pocket and walk quickly at 3 AM. This is what I mean when I say your mentality here is naive - how many times do you need to get mugged to learn?
And, secondly, even if you DO require proof, this is an incredibly inefficient way to live. If you require proof for everything, you wouldn't be able to get much done. You'll be sitting around waiting, or searching. Sometimes, it's faster to assume, if your assumption is good.
This could be a good feature in open source software packaged by Debian and whose build is reproducible.
People being angry here shows how they distrust software they use and distrusting always online software causes fear and stress.
The best these people can do is relying on free software distributed in a sane way because that's what can help trust software, and, in a professional setting, to push their companies or their providers towards free software as well, and demand guarantees that their privacy is respected.
These matters are not theoretical and this discussion is a witness of this.
If Notion wants to be trusted, they should go open source. I see Notion people are here. Do it! Stop doing closed source software! That doesn't bring anything worthwhile, and see what badness it brings. Your value is elsewhere. It's in your expertise, your vision and how well you do things.
I work for an open source competitor (or at least in the neighborhood) and that works out well for us and has been for 20 years.
The day you open source your desktop client, you'll be able to show us the code and show that you indeed don't send audio records or related logs to your headquarters. We won't have to reverse engineer, sandbox just to be sure, and hope for the best.
I don't see the vulnerability. In fact, I think considering this a problem at all is ridiculous.
Obviously it's impossible to block all ways of "bypassing" the policy. If you are a developer who has already been entrusted with the ability to make your GitHub Actions workflows run arbitrary code, then OF COURSE you can make it run the code of some published action, even if it's just by manual copy and paste. This fact doesn't need documenting because it's trivially obvious that it could not possibly be any other way.
Nor does it follow from this that the existence of the policy and the limited automatic enforcement mechanism is pointless and harmful. Instead of thinking of the enforcement mechanism as a security control designed to outright prevent a malicious dev from including code from a malicious action, instead think of it more like a linting rule: its purpose is to help the developer by bringing the organisation's policy on third party actions to the dev's attention and pointing out that what they are trying to do breaks it.
If they decide to find a workaround at that point (which of course they CAN do, because there's no feasible way to constrain them from doing so), that's an insubordination issue, just like breaking any other policy. Unless his employer has planted a chip in his brain, an employee can also "bypass" the sexual harassment policy "in the dumbest way possible" - just walk up to Wendy from HR and squeeze her tits! There is literally no technical measure in place to make it physically impossible for him do so. Is the sexual harassment policy therefore also worse than nothing, and is it a problem that the lack of employee brain chips isn't documented?
The problem of auditing third-party code is real. Especially because of the way GitHub allows embedding it in users' code: it's not centralized, and doesn't require signatures / authentication.
But, I think, the real security-minded approach here should be at the container infrastructure level. I.e. security policies should apply to things like container network in the way similar to security groups in popular cloud providers, or executing particular system calls, or accessing filesystem paths.
Restrictions on the level of what actions can be mentioned in the "manifest" are just a bad approach that's not going to stop anyone.
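As an added illustration of the "linting rule" reading of an allowed-actions policy discussed above (example code, not GitHub's enforcement and not from any project on the page): the script flags `uses:` references outside a constructed org allow-list and allowed actions that are not pinned to a commit SHA. As the thread notes, a manifest-level check like this cannot see action code pasted into a `run:` step; it surfaces the policy to the developer rather than preventing a determined bypass.

```python
"""Workflow 'uses:' linter (added example; not GitHub's own policy engine).

Mirrors the manifest-level control the thread discusses: every third-party
action a workflow references is checked against an org allow-list, and
allowed ones must be pinned to a full commit SHA rather than a mutable tag.
Policy patterns and the sample workflow are constructed for this example.
"""
import fnmatch
import re

# Hypothetical org policy: shell-style globs over "owner/repo".
ALLOWED = ("actions/*", "example-org/*")

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def lint_workflow(text: str, allowed=ALLOWED, require_sha=True) -> list:
    """Return human-readable findings, one per offending 'uses:' line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local (./path) and container (docker://) actions are not
        # marketplace references, so the allow-list does not apply to them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        repo_path, _, version = ref.partition("@")
        # "owner/repo/subdir" references resolve to the same repository.
        repo = "/".join(repo_path.split("/")[:2])
        if not any(fnmatch.fnmatch(repo, pat) for pat in allowed):
            findings.append(f"line {lineno}: {repo} not in allow-list")
        elif require_sha and not FULL_SHA_RE.match(version):
            findings.append(f"line {lineno}: {ref} is not pinned to a commit SHA")
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: release
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-python@v5
      - uses: third-party/some-action@main
      - uses: ./.github/actions/local-step
      - run: pip install build && python -m build
"""

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```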
Two journalists criticised how their daughter's primary school handled her disabilities and were arrested for it, ostensibly on the grounds that their doing so was harassment and was grossly offensive, and you think this isn't worrying, isn't arbitrary, and doesn't hint that the standards set out in those laws are vague?
Here's a BBC article on the case. Obviously 1) there was more to this than just a few posts on Whatsapp, and 2) the situation did get out of control for a brief while and the police were called. Probably similar to common "affray" or public disorder cases.
>The school said it had "sought advice from police" after a "high volume of direct correspondence and public social media posts" that it said had become upsetting for staff, parents and governors.
I appreciate the hostile tone, very in vogue, but no, what I'm saying is that this...
> THE POLICE arrived at Maxie Allen’s door at midday on January 29th. None of the six officers seemed to know much about why they were there, recalls Mr Allen. But they read out a list of charges and searched the house, before arresting him and his partner and taking them to the police station, where they were held for eight hours. The couple’s alleged crime? Disparaging emails and WhatsApp messages about their daughter’s primary school.
...is a lot more vague and less compelling than what you drew up here.
Namely it doesn't mention:
- that these people are journalists
- that they were criticizing their daughter's primary school's handling of her disabilities
- how exactly were they criticizing it and to what audience
- any links to any of the court documents for people to inspect, to support these
Am I supposed to conjure up these details from thin air or something? I'm not from the UK, this is not a story I was familiar with. Literally all the article had to say in the way of the arbitrariness and vagueness of this case was:
> At one point during his questioning Mr Allen’s partner asked for an example of a WhatsApp message that constituted “malicious communication”. The detective had to stop and Google the crime.
Which sounds crappy enough, but then this is pretty on par for cops to begin with in my impression, topic notwithstanding. So yeah, not very compelling.
> you think this isn't worrying, isn't arbitrary,
Correct, what was written in the article isn't particularly worrying at all, nor does it do a particularly good job of demonstrating the arbitrariness. That's exactly what I said.
> and doesn't hint that the standards set out in those laws are vague?
Law is written in natural language, imposing rules over things in the natural world. It will never not be vague, and it cannot in good conscience afford to not be vague either. It could be specific in some ways I'm sure, at the cost of effectiveness as usual, but the article doesn't exactly support or detail this idea much, by virtue of not saying anything more specific. Which is what I was talking about.