More

chinathrow · 2026-05-03T20:30:58 1777840258

Yes, that looks like an escape rope for pilots.

https://www.aviation-gadgets.com/photo/virgin-australia-boei...

KatiMichel · 2026-05-03T20:49:55 1777841395

I am glad you found that. Someone asked our guide, and I missed the explanation!

chinathrow · 2026-05-03T18:00:12 1777831212

> Yeah, so, to be clear: I'm fairly sure Linux will also have its fair share of issues that I occasionally would have to repair.

Issues with account, login and passwords would be none of them. Sure, there are other areas of common issues at times, but I have never, ever had issues logging into any of the linux OS I ran for the last 23years or so.

charcircuit · 2026-05-03T18:16:13 1777832173

I've had PAM break due to distro's ridiculous policy of updating the system in place allowing for invalid combinations of files to exist. I've had Linux distros break the booting process countless times.

chinathrow · 2026-04-27T20:25:52 1777321552

This triggered a freeze with subsequent shutdown of my Lenovo X1 running Ubuntu.

chinathrow · 2026-04-19T18:33:14 1776623594

It's also trivially easy to fix. 1 min delete and deploy.

varenc · 2026-04-19T19:33:03 1776627183

I'm guessing it's not trivial to fix without breaking other things? The weakness seems to be that anyone can turn UUIDs into details like email. But I assume this functionality is necessary for other flows so they can't just turn off all UUID->email/profile look ups. And similarly hiding author UUIDs on posts also isn't trivial.

Conceptually, I agree it should be easy, but I suspect they're stuck with legacy code and behaviors that rely on the current system. Not breaking anything else while fixing this is likely the time consuming part.

reactordev · 2026-04-19T20:24:22 1776630262

This is a rendering artifact, nothing more. If you can tokenize and protect PII on your platform, you can protect PII on your public pages.

    if (metadata.is_public)

Simple fix.

varenc · 2026-04-20T02:46:09 1776653169

But a user's email isn't always forbidden. The API endpoint which turns UUIDs into a user email presumably also has use cases where you do want to expose the user email. For example, when seeing a list of people you've already invited via email to collaborate with, or listing users within your organization, etc. So a user's email isn't always forbidden PII, it depends on the context.

The trouble is the UUID->email endpoint has no idea what the context is and that endpoint alone can't decide if it should expose email or not. And then public Notion docs publicly expose author UUIDs.

Their mistake was architecting things this way. From day 1 they should have cleanly separated public identifiers from privileged ones. Or have more bespoke endpoints for looking up a UUID's email for each of the narrow contexts in which this is allowed. They didn't do this, and they certainly should have, but fixing this mess is likely a non-trivial amount of work. Though I bet it could be done immediately if they really cared and didn't mind other things breaking.

I'm absolutely not defending their choice to expose emails in this way. They should have addressed this years ago when it was first reported, and I want them shamed for failing to care. But just trying to say it's likely not a one line fix.

reactordev · 2026-04-20T11:55:10 1776686110

A users email should always be forbidden…

It is not a public marker, it’s PII.

chinathrow · 2026-04-19T19:43:41 1776627821

Of course they can fix it, come on.

They can easily withold information they put out intenionally.

csallen · 2026-04-19T19:55:27 1776628527

The whole point of that comment is that it's not that easy. There are potential side effects and consequences that are difficult to architect around.

chinathrow · 2026-04-20T14:18:45 1776694725

The fix IS easy. The side effects need to be dealt with accordingly. Why do you defend shit like this?

markdown · 2026-04-20T01:36:37 1776648997

Except it is.

If you can't easily architect around it, then don't do what you're trying to do.

"Oh I needed to disclose user data in order to make more money" isn't an acceptable excuse.

csallen · 2026-04-20T04:26:12 1776659172

No one's talking about excuses.

chinathrow · 2026-04-20T14:19:14 1776694754

Looks like everyone does talk about excuses though.

sysguest · 2026-04-20T12:09:21 1776686961

> Oh I needed to disclose user data in order to make more money

hmm maybe they should've paywalled?

UqWBcuFx6NV4r · 2026-04-20T00:33:08 1776645188

You literally don’t know that. Add this to the mammoth file titled “HN comments in which the author makes some completely unsubstantiated technical claim”

account42 · 2026-04-28T09:15:17 1777367717

It literally is easy to fix. For example they could shut down the servers. Which is what they should do immediately if there is no faster fix for a privacy leak like that.

chinathrow · 2026-04-19T17:31:26 1776619886

This is, as a notion user with public pages, beyond stupid.

ArchieScrivener · 2026-04-19T20:34:15 1776630855

Don't attribute to stupidity what can be explained by malice.

sph · 2026-04-20T05:55:10 1776664510

Yes! I’ve always maintained Hanlon’s razor needs to be reversed in matters of computer security.

protocolture · 2026-04-20T06:24:16 1776666256

Theres just a higher form of malicious stupidity, where the people who own these platforms can be selectively, maliciously stupid where it comes to security.

gib444 · 2026-04-20T05:29:14 1776662954

This phrase needs way more traction.

chinathrow · 2026-04-19T16:14:05 1776615245

Middle ages, in 2026. Dubai hasn't changed.

chinathrow · 2026-04-16T19:22:01 1776367321

The fun fact about PHP is that, there is no Pipeline problem at all. You can serve your scripts the hell you like to do. You can scale as you wish, either with vertical or horizontal. You can use Apache, nginx, etc, no one cares.

embedding-shape · 2026-04-16T20:13:59 1776370439

Yeah, PHP is very simple to deploy, once you have either apache/nginx/caddy/$webserver and also PHP-cgi/PHP-fpm/$php-backend and also understand unix + permissions + files and a whole lot of other things. Or alternatively, learn how to use cPanel as a user, or worse, learn what (s)FTP is, or whatever the really low end web hosters use nowadays.

I wish others learnt the "boring" way of managing your own servers, setting things up as they should, deploy processes and what not, but realistically, some people just want to run one command/click a button and have it updated, and probably that's for the better too. This Laravel Cloud thing are for those, not for people who want to/know how to run their own servers.

aarondf · 2026-04-16T21:38:14 1776375494

I think you're conflating a talent pipeline with ease of running PHP. Those are not the same thing at all

chinathrow · 2026-04-16T19:15:25 1776366925

Wow Taylor, if you read this: as someone who just bought in to the Laravel ecosystem, how about no?

chinathrow · 2026-04-16T18:58:57 1776365937

> We're well aware of this.

Then how about not market it as "for agents" when said agents are just LLM output?

chinathrow · 2026-04-16T18:56:37 1776365797

paying for - so some form of return is expected.

whateveracct · 2026-04-16T19:07:00 1776366420

the issue is the return is amorphous and unstructured

there's no contract. you send a bunch of text in (context etc) and it gives you some freeform text out.

chinathrow · 2026-04-16T19:14:23 1776366863

Sure, but I pay real money both to Antrophic and to JetBrains. I get a shitty in line completion full of random garbage or I get correct predictions. I ask Junie (the JetBrains agent) to do a task and it wanders off in a direction I have no idea why I pay for that.

gowld · 2026-04-16T19:19:37 1776367177

> I have no idea why I pay for that.

And Claude have no idea why it did that.

chinathrow · 2026-04-16T19:23:05 1776367385

Exactly, and we feel vindicated when it works but sold when it fails. Something will have to change.

SyneRyder · 2026-04-16T19:23:30 1776367410

> Sure, but I pay real money both to Antrophic...

I misread that as Atrophic. I hope that doesn't catch on...