tkel's comments

This is a problem fundamental to capitalism. Capitalist organizations are organized as dictatorships, with capitalists as the dictators. Capitalists have their own class interests that are opposed to the workers'. And they also are the ones who unilaterally decide how increased productivity gains (revenue/profit) are distributed. They are not going to decide to give you another day off. They are going to maximize profit.

ALL technological progress under capitalism goes through this same conflict. It's why workers are sometimes pressed into reactionary positions like opposing self-checkout lanes. Capitalists decide to deploy the technology in a way that is worse for the workers. Technological progress could be liberatory. Technology could be used to make workers' lives better, like working less, if workers were in charge of the organizations in which they worked.


I don't know about a hole, but the reason why the tank didn't rupture is because a crack was discovered, which relieved the pressure. They got lucky.

It's nothing new, the Pentagon has failed 8 audits in a row. In just one year (2022), $220 Billion dollars of their spending were totally unaccounted for.

That audit has nothing to do with the president of the United States enriching themselves and friends. If you want to go look at that audit, the summary usually is: the DoD can't place a bunch of black money going to CIA programs to do whatever shit they get up to.

It's not an equivalence of any merit.


Pretty ironic that this article was also written using LLMs. It has all the LLM-isms.


Surprised to not see more discussing this. It's so grating, and nobody noticing (or believing others that say it's AI generated) makes me feel like I'm going crazy


Or even just a proxy that can enforce the constraints


yes, props to pnpm for adding 1 day cooldown by default in v11.


I audited several postinstall scripts recently in popular packages. They seem to be mostly around using native binaries, downloading them, detecting if the platform is compatible, linking to it directly instead of having it bootstrapped by node, working around issues in older versions of npm, etc. Since dev toolchains (e.g. esbuild) are now being built in compiled languages and distributed as binaries via npm registry. If you are on a recent version of node/npm and a common/recent OS/platform, you should be able to disable all the postinstall scripts without legitimate issue.
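An added example, not part of the comment above or of any project mentioned in the thread: one way to list which installed packages would run code at install time before turning scripts off. It assumes an npm-style `node_modules` tree made of real directories (pnpm's symlinked layout is not followed), and the package names in the sample tree are constructed.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const HOOKS = ['preinstall', 'install', 'postinstall']; // lifecycle scripts run on install

// Walk an npm-style node_modules tree; return [{ name, hooks }] for packages that run code at install.
function findInstallScripts(projectDir) {
  const found = [];
  const visit = (pkgDir) => {
    const manifest = path.join(pkgDir, 'package.json');
    if (fs.existsSync(manifest)) {
      const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8'));
      const hooks = {};
      for (const h of HOOKS) if (pkg.scripts && pkg.scripts[h]) hooks[h] = pkg.scripts[h];
      // npm falls back to `node-gyp rebuild` when binding.gyp exists and no install/preinstall is set.
      const hasGyp = fs.existsSync(path.join(pkgDir, 'binding.gyp'));
      if (hasGyp && !hooks.install && !hooks.preinstall) hooks.install = 'node-gyp rebuild (implicit)';
      if (Object.keys(hooks).length) found.push({ name: pkg.name || path.basename(pkgDir), hooks });
    }
    scan(path.join(pkgDir, 'node_modules')); // nested dependencies
  };
  const scan = (modulesDir) => {
    if (!fs.existsSync(modulesDir)) return;
    for (const entry of fs.readdirSync(modulesDir, { withFileTypes: true })) {
      if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
      const full = path.join(modulesDir, entry.name);
      if (!entry.name.startsWith('@')) visit(full);
      else for (const sub of fs.readdirSync(full)) visit(path.join(full, sub)); // scoped packages
    }
  };
  scan(path.join(projectDir, 'node_modules'));
  return found.sort((a, b) => (a.name < b.name ? -1 : 1));
}

// Constructed sample tree (hypothetical package names) so the example runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hooks-'));
  const put = (rel, pkg, extraFile) => {
    const dir = path.join(root, 'node_modules', rel);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify(pkg));
    if (extraFile) fs.writeFileSync(path.join(dir, extraFile), '{}');
  };
  put('native-tool', { name: 'native-tool', scripts: { postinstall: 'node install.js' } });
  put('@scope/addon', { name: '@scope/addon' }, 'binding.gyp');
  put('plain-lib/node_modules/dl-helper', { name: 'dl-helper', scripts: { preinstall: 'sh fetch.sh' } });
  put('plain-lib', { name: 'plain-lib', scripts: { test: 'node test.js' } });
  return root;
}
console.log(findInstallScripts(buildSampleTree()));
```

Run against a real project directory, the output is the short list of packages to review before setting npm's `ignore-scripts` option.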


Just don't use npm. Use a package manager which doesn't execute postinstall by default. The switch is incredibly simple.


It’s hard to enforce on developer machines - there are lots of ways to install npm even if you never use it for managing development dependencies.


Which package manager is that, and what caveats does it offer?


Pnpm - installs are faster to boot. We haven’t missed anything


pnpm


If you look at the last N npm worms, they all used postinstall scripts.


Is that even true?



So N=1? 2? 3?


At least 3 that I can remember off the top of my head in these last couple months. If you look further back you will find more.


Turns out "it's just an experiment, you all are overreacting" was just a lie to damp criticism.

https://qht.co/item?id=48019226


Merging a complete rewrite in another language in 9 days seems insane to me. Maybe I'm just too cautious but with something like this I'd split off as a separate binary and get some heavy use customers involved as testers first to see if it causes any unforeseen problems before slowly expanding it out.

I'd want to be pretty damn confident it won't cause any regressions before sunsetting the original codebase in favor of this one.


I don’t think you’re too cautious. Big upgrades and rewrites are somewhat of a „work hobby” of mine and this seems waaay too fast. I don’t know how the Bun canary process works and I guess their test suite is better than typical projects but still… I can’t imagine this working out well without testing it on a variety of big projects for a significant amount of time.

There’s probably loads(?) of observable behaviors that people rely on, consciously or not. Even _if_ the new thing is 100% spec compliant, it might still be breaking or otherwise problematic for heavy users.

That said, I’d love to be proven wrong. I use Bun from time to time on small stuff and I enjoy it, so I wish them well (:


> too cautious

No, you are perfectly normal.

The people who in one week decided to replace the whole codebase for a widely used tool with code no human has seen are the crazy ones.


Testing in production xD


9 days is the official story. Nobody knows how long they really worked on it.


Well I've got egg on my face.

I am in that post, defending bun.

I thought for sure the peanut gallery was overreacting. Especially when the concern was absurd - because who would do such an insane thing? Like, at the time I legitimately thought 'no way a project switches over in a few months'. Even as an absurd hypothetical, I couldn't even imagine the prospect of it being done in a matter of days.

Feeling really confused right now.


that’s the advertisement part of this ordeal you’re experiencing.


> Well I've got egg on my face.

Not at all. Supporting a methodical conversion to Rust seems reasonable. How could you have predicted they'd shotgun it?


It seems it was an experiment at that moment, and that it went well? I do hope they release it under 2.x though, cannot imagine how a 1M LoC can break in so many ways, especially if what xiphias says is true:

https://qht.co/item?id=48132902


> It seems it was an experiment at that moment, and that it went well?

There’s no way they can know that for sure. A change of this magnitude cannot go from experiment to success in such a short time frame. Even if all the code were 100% correct, you can’t call it a success until it’s battle tested in real world scenarios for a while, and that is impossible without time. Same way you can’t cook properly by throwing food into a volcano. It’s not just about the temperature.

Either the “experiment” claim was a lie or they are being irresponsible.


If I got magically handed the perfect rust rewrite for a project of this magnitude, it would take way longer than 9 days to merge, because I would need to make sure it's actually good.


> it would take way longer than 9 days to merge, because I would need to make sure it's actually good

What if another (unstated) goal of your rewrite was to provide marketing material for how advanced your acquirer's AI tools are? The faster the turnaround, the better they (and therefore you) look.


Maybe Anthropic decided to push this because of all the attention the experiment got.

If it works out it’ll be a good study case for marketing.


I'm no believer... 9 days later... Lessssssgoooooooo wooooooooo <sunglasses and rave>


The experiment might have turned out well, or the author might have spent enough time to bring it to a place they were comfortable.

Frustration moves mountains, I don't think this rewrite was done lightly.


The rewrite was obviously done lightly.


"We haven’t committed to rewriting. There’s a very high chance all this code gets thrown out completely."


People conflate “high chance of X” with “X will happen” all the time. See elections, for example.


The phrasing strongly implies that they are taking the migration seriously and carefully. Merging straight to canary after 9 days is insane.


I have a friend who gets super mad when he fails ">80% chance of success" throws.

This isn't a case of this tho. Even he said that there is a high chance of RIIR, 9 days is still an insanely short time for such a rewrite if you're planning to have some sort of community around the project.


We all have eyes, it doesn't take a genius to spot a lie.


You have no idea if it was a lie or not. I routinely have my clanker fleet spend a couple days toiling on some crap that I assume I will throw away, but it turns out pretty awesome, so I keep it.

It's entirely plausible that when that comment was posted, he doubted it would work well enough to keep.

(Sensible default for LLM code, btw. But sometimes it works great.)


Surely the mods will be here to remind you that it's against the rules to direct personal attacks towards other community members, to fulminate and brigade.

Or do those protections only cover whiny open source developers upset about a chat bot writing blogs?


> was just a lie to damp criticism.

Citation needed. Couldn't it just as easily have been one person being as suspicious of the task as everyone else seemed to be?


Well it was 9 days ago, at the time they were not confident, but maybe the results were insanely good.


No matter how good the results are, this kind of rewrite deserves an experimental build to be battle tested by bleeding edge users.

It takes a lot of rigorous testing, automated and manual and by the community, before such changes are considered permanent.

One does not simply YOLO a full language rewrite without user feedback. It is insane.


> One does not simply YOLO a full language rewrite without user feedback. It is insane.

The whole ai thing today is pretty insane, I would say. Why not ride with it, especially if your company is one of the biggest leaders?


You should really read TFA because... that's exactly what they're doing?

The Zig version has not been removed and this only exists for canary builds. No Rust binaries are being distributed as stable.


But the official canary/bleeding edge/nightly/whatever version is now the LLM rewrite, yes?


The page is not loading for me.


Does anything from that comment say that there was 0% chance the experiment wouldn't be merged into main? I see "very high chance all this code gets thrown out completely", which just means the low chance of it not being thrown out has occurred.


It doesn't say what will happen, but isn't their comment responding to people who don't like the look of this rewrite, and telling them basically that they don't have to think/worry about it? I definitely read it as 'not yet' and not 'another week or so'.

