You don't have to use Debian stable, if you'd prefer Ubuntu every 6 months, or Fedora (6 months? 9 months?), or even Arch Linux updated daily ...
I use Arch on my laptop, when I got it 2 years ago the amd gpu was a bit new so it was prudent to get the latest kernel, mesa, everything. Since I use it daily it's not bad to update weekly and keep on top of occasional config migrations.
I use Debian stable on my home server, it's been in-place upgraded 4-ish times over 10 years. I can install weekly updates without worrying about config updates and such. I set up most stuff I wanted many years ago, and haven't really wanted new features since, though I have installed tailscale and jellyfin from their separate debian package repos so they are very current. It does the same jobs I wanted it to do 8 years ago, with super low maintenance.
But if you don't want Debian stable, that's fine. Just let others enjoy it.
Yup, I've had "nomodeline" in my vimrc for years. I used to add the "securemodelines" plugin https://www.vim.org/scripts/script.php?script_id=1876 but just recently removed that too (I think I may have run into an annoyance after a vim update, and decided I never really use automatic modeline support anyway).
I'm still using Xorg after all these years, on a laptop with 150% scaling, which I occasionally plug into an external monitor with 100% scaling. Somewhat surprisingly, it works great. (Cinnamon desktop, Ryzen 7840u integrated graphics. And also a desktop machine with Radeon RX 6800XT, but it's not surprising that still works great.)
Exactly! I can’t even count the number of times we’ve been in the discovery phase of a project and see “Oh this MS product does that! Cool”. Then when we get to the actual implementation realize it’s a broken mess. It’s sales driven software development, they just need to get you far enough along to sign the contract, then it’s too late to back out.
So you're saying 'fish' intercepts it on the far end? The ssh server on the far end shouldn't be sending it to 'fish' until it knows what's coming next.
Is this a current-ish version of OpenSSH or some other client/server?
EDIT: Interesting! I tested it with fish and it does indeed intercept it! Wonder how that works.
This is how it works in NYC, but the wires are almost twice as expensive as the power. (If you add taxes and the numerous weird fees, the total bill is a solid 3x the cost of the power.) It's really all about the grid maintenance and management these days.
A comparison: the giant Dogger Bank offshore wind farm project (multi-GW) cost somewhere in the $10bn range. On the other hand, Germany calculates with >$100bn for grid buildout within the next decade (https://www.netzentwicklungsplan.de/sites/default/files/2023...).
Also, having customers that rely on your grid but buy very little of your power is simply unappealing for operators, so I would assume that their pricing tries to disincentivise as much as possible (=> "they gonna overcharge you for the grid connection").
The not-so-hidden costs of collecting extremely diffuse wind / solar are the elephant in the room: a 10x bill for the supporting grid infrastructure.
Nuclear advocates, like myself, claim drop-in replacement nuclear power reactors at existing coal / gas sites would largely obviate this.
Even adding new nuclear power reactors at greenfield sites would constitute a significantly reduced grid build cost, as the power is highly concentrated.
And nuclear is so safe that nuclear power reactor employees are routinely exposed to less radiation at work than they are at home in their kitchen with granite bench tops.
I can see that argument applying to wind, but for solar it's the opposite because that is really easy to get closer to consumers than a conventional plant ever could be (i.e. on the rooftop).
At this point, I don't believe in a nuclear renaissance, because it seems to me that nuclear power got left behind too far; catching up in cost metrics is already hard enough, but matching growth rates (in "installed TWh/a" of wind/solar) seems virtually impossible by now. The only remaining holdouts (China, US, France, ...) are basically doing it as a hedge and/or to keep/obtain related engineering capabilities (and at the very least an easy path toward weapon-grade material).
It is clear to me that no one "actually believes" in nuclear power (by stating clearly: we are gonna solve current and future energy problems by mainly relying on freshly built nuclear power), so I can only see its relevance dwindling (I'd argue that China comes closest, but even they are much more in the hedging/securing capabilities category than anything else).
We do this for gas. IMHO you end up paying monopoly rates for the pipes and then stupid game prices for the gas. Maybe the savvy consumer comes out ahead but seems like a net negative to me.
It's not monopoly rates, it's actual utility rates. The only problem here is if the utility is allowed to make a profit. Gas pipes, electric lines and internet connections are like roads in today's society. Can't really live without them.
So assuming the pipe maintenance is done at cost, with no money not being spent on the network. What would your better net positive solution even look like?
People can live without gas pipes. One of the big tasks at the moment is planning to stop people building new gas pipes that won't be used enough to justify the price and how to phase out the existing gas pipes so the pricing doesn't enter a "death spiral" as people start leaving the network, leaving the government to bail it out.
If you don't put in heat pumps, nuclear reactors are one of the more expensive ways to heat a home.
If you do put in heat pumps, nuclear reactors are still one of the more expensive ways to heat a home, but you need a third as many of them as compared to the no-heat-pumps case, if you insist on heating only with nuclear power.
Nuclear power is really only important if you also want spicy atoms, because it's by far the cheapest source of spicy atoms. Annoyingly, this is now a thing a lot of countries have a solid reason to want.
The previous company I was working at (6 months ago) had a bunch of microservices, most in python using fastapi and pydantic. At one point the security team turned on CodeQL for a bunch of them, and we just got a bunch of false positives for not validating a UUID url path param to a request handler. In fact the parameter was typed in the handler function signature, and fastapi does validate that type. But in this strange case, CodeQL knew that these were external inputs, but didn't know that fastapi would validate that path param type, so it suggested adding redundant type check and bail-out code, in 100s of places.
The patterns we had established were as simple, basic, and "safe" as practical, and we advised and code-reviewed the mechanics of services/apps for the other teams, like using database connections/pools correctly, using async correctly, validating input correctly, etc (while the other teams were more focused on features and business logic). Low-level performance was not really a concern, mostly just high-level db-queries or sub-requests that were too expensive or numerous. The point is, there really wasn't much of anything for CodeQL to find, all the basic blunders were mostly prevented. So, it was pretty much all false-positives.
Of course, the experience would be far different if we were more careless or working with more tricky components/patterns. Compare to the base-rate fallacy from medicine ... if there's a 99% accurate test across a population with nothing for it to find, the "1%" false positive case will dominate.
I also want to mention a tendency for some security teams to decide that their role is to set these things up, turn them on, cover their eyes, and point the hose at the devs. Using these tools makes sense, but these security teams think it's not practical for them to look at the output and judge the quality with their own brains, first. And it's all about the numbers: 80 criticals, 2000 highs! (except they're all the same CVE and they're all not valid for the same reason)
Interesting, thanks. In the UUID example you mentioned, it seems the CodeQL model is missing some information about how FastAPI’s runtime validation works and so not drawing correct inferences about the types. It doesn’t seem to have a general problem with tracking request parameters coming into Python web frameworks — in fact, the first thing that really impressed me about CodeQL was how accurate its reports were with some quite old Django code — but there is a lot more emphasis on type annotations and validating input against those types at runtime in FastAPI.
I completely agree about the problem of someone deciding to turn these kinds of scanning tools on and then expecting they’ll Just Work. I do think the better tools can provide a lot of value, but they still involve trade-offs and no tool will get everything 100% right, so there will always be a need to review their output and make intelligent decisions about how to use it. Scanning tools that don’t provide a way to persistently mark a certain result as incorrect or to collect multiple instances of the same issue together tend to be particularly painful to work with.
In addition to all the other stuff, including light spectrum differences, you can't just trust that a "37000 lumen" light (cheap from China ...) is such a thing. Some examples of "100,000 lumen" flashlights that ended up providing more like 2000 to 3000 lumens: https://www.youtube.com/watch?v=6q_0wxzClkg
It's possible, they exist, many such LEDs are probably manufactured in China ... but the legit ones are probably more expensive, and you may need a more recognizable brand to do some QA, and keep pressure on the factory to not slip quality or inputs.
Consider the cheap screwdriver included with the lamp in this story: unexpectedly, many were more faulty than the cheapest $4 screwdriver you'd find in any hardware store. The more stories you read about manufacturing stuff in China, the more you'll see very strange things. It's not about nationality or anything, it's an extreme kind of optimization. If you didn't catch it already, maybe you didn't really need what you thought you asked for ... they're just checking/optimizing
I just worry that the voltage of these is a bit too high, if the device takes 3 or 4 in series. They tend to be around 1.8 volts per cell, significantly higher than a fresh alkaline AA at around 1.6 volts, and even after half the energy is discharged, if the device is off for a long while, the initial voltage for next turn-on creeps all the way back up.
(The price doesn't bother me ... it's worth the much lower chance of leaking than alkaline, if you leave it in a remote or gadget for years. But I've come to think that rechargeable NiMH like eneloops are a better idea due to the voltage.)
I can't think of too many places I'd use Li-FeS2 other than maybe in smoke alarms. They're available in 9-volt form factor. I use NiMH or Li-ion pretty much everywhere else these days.