Hacker News | layer8's comments

The question is whether it has to be that way. Developers who are against slop don’t believe that the current state of software is the best possible world.

Regulation can cause freedom to be balanced differently between parties. For example, regulating smartphone manufacturers can result in more freedom for users. It’s not true that regulation necessarily reduces freedom overall (to the extent that that can even be graded). Just like rights, freedoms aren’t absolute, and one’s freedom often impinges on someone else’s freedom.

The increase of freedom of the users is an indirect side effect, intentional or not, which, as you put it, can happen, or not. But a direct effect, which is guaranteed to happen, is the loss of freedom of the manufacturer. Whether that's a good thing, that's another topic.

The increase of freedom of the slaves is an indirect side effect. But a direct effect, which is guaranteed to happen is the loss of freedom of the slaveholder.

That's certainly a perspective, especially given how slavery is often regulated into law.

But I digress, there's a plentiful discussion to be had about the ethics and morality of freedom/regulations, but my point is how there is, in fact, a dichotomy between both and it isn't just framing. Which, in a sense, you just corroborated.


> Sometimes a regex is the right tool.

I’d argue that in this case, it isn’t. Exhibit 1 (from the earlier thread): https://github.com/anthropics/claude-code/issues/22284. The user reports that this caused their account to be banned: https://news.ycombinator.com/item?id=47588970

Maybe it would be okay as a first filtering step, before doing actual sentiment analysis on the matches. That would at least eliminate obvious false positives (but of course still do nothing about false negatives).


Is this really the use-case? I imagine the regex is good for a dashboard. You can collect matches per 1000 prompts or something like that, and see if the number grows or declines over time. If you miss some negative sentiment it shouldn't matter unless the use of that specific word doesn't correlate over time with other negative words and is also popular enough to have an impact on the metric.

When you read the code, what you propose is actually its exclusive use... logging.

Have you heard about RLHF?

Breaking free doesn’t require free will. Also, whether free will exists at all is still an open debate.

Technology won’t save us, but that doesn’t mean we shouldn’t be promoting ethics.

It really only makes sense on high-DPI displays (or large font sizes), which didn’t used to be that widespread.

Conversely, nobody seems to be doing pixel-based hinting anymore, which is why all newer fonts tend to look terrible at small font sizes on lower-DPI displays.


The “CEO” of Italy is a she.

Like pretty much every other word in that comment, we'll never know if the misgendering is intentional satire or not.

To be fair she wants to be referred to as "il primo ministro" with the masculine article.

Not sure if the CEO of the USA knows that, he confused Spain with Brazil.

If the USA CEO was she there would have been no confusion, education and all that ... :)

Oracle effectively still largely controls the evolution of the language and of OpenJDK, and Java is still a registered Oracle trademark. While it could be forked and renamed if necessary (as happened in the javax –> jakarta transition), that would likely end up being quite disruptive and costly.

That being said, Oracle’s valuation is based on their huge integrated ecosystem. That they also control Java, while not insignificant, probably only plays a minor role there.


Look at who is making OpenJDK distributions besides Oracle: Amazon, Microsoft, Red Hat, IBM, Eclipse, SAP, … It’s being used everywhere.

For some reason, NPM is the only ecosystem with substantial issues with supply-chain attacks.

Popularity

The number of issues is disproportionately larger than the one for Debian.

Debian is slower, so npm is more attractive.

Apart from that Python one the other day.

The culture within the npm/js community has mainly been one of using the package manager rather than "re-inventing the wheel"; as such, the blast radius of a compromised package is much greater.

It's more to do with the standard library being so barren of common application needs, and looking for a solution that the community has gotten behind. Axios has been a common dependency in many codebases, because it is a solid solution that many have already used. Every developer could try building all the libraries that they would reach for themselves, but then each company has now taken on the task of ensuring their own (much larger) codebase is free from security issues, on top of taking care of their own issues and bugs.

It’s not just NPM, though. Every Rails project and every Rust project I’ve seen ended up with massive numbers of dependencies vs what an equivalent project in Go or C# would have needed.

CPAN too, just try Hailo under Perl to test an old-fashioned chatbot based on Markov chains where very small LLMs and Hailo converge if used with the advanced training options for it. Yes, it will pull tons of dependencies (less with cpanminus if run with 'cpanm -n Hailo'), but contrary to NPM, Pip and the like, CPAN's repos are highly curated, and before PHP and ubiquitous Python, Perl was used everywhere, from a sysadmin language (better than Bash/Sh for sure) to CGI, IRC bots and whatnot. How many issues did we have? Zero or near zero.

It is because it has the lowest barrier to entry with no quality control. Ever.

This is what happens when there is no barrier to entry and it includes everyone who has no idea what they are doing in charge of the NPM community.

When you see a single package having +25 dependencies, that is a bad practice and increases the risk of supply chain attacks.

Most of them don't even pin their dependencies and I called this out just yesterday on OneCLI. [0]

It just happens that NPM is the worst out of all of the rest of the ecosystems due to the above.

[0] https://news.ycombinator.com/item?id=47577183
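
An added example, not part of the thread or of any project mentioned in it: a small Node.js audit that lists the dependency specifiers in a `package.json` that are not pinned to an exact version or a full commit SHA, which is the condition the comment above complains about. The manifest, package names and the `classify`/`auditManifest` helpers are constructed for illustration.

```javascript
// Added example. SAMPLE_MANIFEST is constructed data, not a real project.
const SAMPLE_MANIFEST = {
  name: "constructed-sample",
  dependencies: {
    "exact-lib": "1.4.2",
    "caret-lib": "^2.0.0",
    "tilde-lib": "~0.9.1",
    "tag-lib": "latest",
    "star-lib": "*",
    "git-lib": "github:example/git-lib#main",
    "git-sha-lib": "git+https://example.invalid/r.git#" + "a".repeat(40),
  },
  devDependencies: { "range-lib": ">=1.0.0 <2.0.0", "pre-lib": "3.0.0-beta.1" },
};

// One exact semver version, optionally with prerelease/build metadata.
const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// Git/URL specifiers, including the bare "user/repo" GitHub shorthand.
const REMOTE = /^(git(\+\w+)?:|github:|https?:|[\w.-]+\/[\w.-]+(#|$))/;
const FULL_SHA = /#[0-9a-f]{40}$/;

function classify(spec) {
  const s = spec.trim();
  if (EXACT.test(s)) return "pinned";
  if (/^(file:|link:|workspace:)/.test(s)) return "local";
  if (s.startsWith("npm:")) {            // alias form: npm:<name>@<spec>
    const at = s.lastIndexOf("@");
    return at > 4 ? classify(s.slice(at + 1)) : "range";
  }
  if (REMOTE.test(s)) return FULL_SHA.test(s) ? "pinned" : "floating-ref";
  return "range";                        // ^, ~, *, x-ranges, dist-tags, comparators
}

function auditManifest(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classify(String(spec));
      if (kind === "range" || kind === "floating-ref") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.field}: ${f.name}@${f.spec} -> ${f.kind}`);
}
```

Exact versions in the manifest only fix direct dependencies; transitive versions are fixed by a committed lockfile installed with `npm ci`.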

