daze42's comments

Came here to say this too. My wife and I both got them and we've been 100% satisfied. Fantastic product.


The way it's written this seems like it's exclusive. But it appears that both cases are possible at the same time. Maybe I'm reading the "OR" too much from the colloquial sense instead of the mathematical sense compared to "XOR".


This view, though probably correct, is incompatible with democracy. We can't have rule by the people if the people aren't capable of ruling themselves. I still believe democracy is the best way forward, but it depends on critical thinking and there seems to be a decline in that area recently.


> it depends on critical thinking and there seems to be a decline in that area recently.

Respectfully, I call bullshit. There has always been a lack of critical thinking, we just didn't have the internet to bear witness. I think people are complaining about a lack of critical thinking more now because there are more educated people around to think critically.

So I agree that we need critical thinking, but let's not be alarmists about it just because some people are dumb or voted dumb people in.


Yeah I don't think critical thinking is worse than before, it's just being amplified by the feedback loop that social media has become.


Some time ago, here on HN, user api described social media as a "hate laser". I thought that was a brilliant term - stimulated emissions of hate. But maybe social media is a "stupid laser" as well.


> This view, though probably correct, is incompatible with democracy.

Which is fine, because (at least in the US) we don't live in a democracy. These views are very compatible with a plutocracy, which is what we currently have.


My thoughts exactly. I can't believe anyone is advocating for censorship regardless of the accuracy of the content.


Why would an IQ test for admissions be ridiculous? Any knowledge test at all will eventually test and select for higher IQ so there’s really no getting around it unless all ability-based admissions standards are dropped.


Is he talking about Bitcoin specifically or cryptocurrency as a whole? If just Bitcoin, yes, I agree that the transactions per second (TPS) is too low for global adoption. But as far as I know, there's no technical reason it has to be that slow for all cryptocurrencies. Ethereum 2.0 is supposed to support 100,000+ TPS according to Vitalik. https://twitter.com/VitalikButerin/status/127796159495847116...


Availability zones are unique for each account. So my zone A could be your zone C, for example.


I never knew this, but I think it makes sense. Is there any documentation that explains why this is the case? I suspect it is to distribute bias to the first option, but I'd love to read about it.

[edit] Never mind, I just needed the right combination of terms to find it: https://docs.aws.amazon.com/ram/latest/userguide/working-wit...


This is so everyone doesn't launch in one zone, "us-east-1a".


Woah, thanks for clarifying--I had no idea!


It's a minor problem until it becomes a major one. All it takes is one common dependency to go rogue or a bug to be exploited without the maintainers being around to fix it and a large part of the ecosystem becomes unusable. Using a dependency implies an element of trust and now we have a huge web of trust between thousands of maintainers that we really have no way to check. The larger that number grows, the higher the chance of catastrophic failure.


Indeed you can't trust that many people and check all the code of that many dependencies. It's a chain of trust, but how is it different than other parts of your stack?

Do you trust every employee working on the Intel CPU microcode? Every maintainer of the Linux kernel? The people who maintain the glibc? The developers of V8 and nodejs? Do you do the same for your database? Your cloud provider? The codebase of your business partners?

I would guess you don't, despite most of what I cited being highly critical in terms of security, and some being written in memory unsafe programming languages with tons of critical issues all the time.

If an NPM dependency goes rogue, you will get notified. It will also do the frontpage of HN and be mentioned in a comment of news about javascript for years.

But what will most likely happen: a maintainer will fix the issue. If the maintainer is in jail because s•he killed someone, well, someone else can still maintain it or someone else will fork it and other maintainers will use the fork.

In practice when an NPM dependency of your project has a security issue, all you have to do is to accept a pull request from a robot on GitHub.

I know it's not perfect, but it's really not that bad.


You bring up very good points. I certainly don't trust most if any of the other critical pieces of the stack. I think those are attack vectors or points of failure as well and that risk needs to be mitigated. But on the other hand, the NPM package web is much larger and the barrier to entry is much lower so I would consider it to be much higher risk than the rest of the stack.

We as an industry need to put work into reviewing, simplifying, and increasing visibility at all levels of the stack, especially firmware. We're building high and fast and while standing on the shoulders of giants is a great place to be, we need to make sure the giant is more than just a house of cards.


The Linux kernel, glibc, V8 and nodejs are some of the most vetted software existing. Of course I trust them. If my business partner has a security breach it's possible to sue them.

That is different than adding 1000 barely looked at dependencies to my JavaScript project. Every addition is another chance for an undetected security vulnerability. "It's really not that bad" is probably what Equifax thought before the magnitude of what happened was revealed.



It's impossible to make essential complexity disappear but it is certainly possible to reduce incidental complexity. Most software is much more complex than it needs to be and Kubernetes is no exception.


Before k8s every serious shop automated the crap out of their infra. Jump/kickstart recipes, rolling cluster patching that split RAID mirrors before applying, blue/green deployment scripts to tickle the loadbalancer, cron jobs to purge old releases ...

That stack is super complex and utterly bespoke to the company.

With k8s it’s standardised and usually better quality.


It's on a path to standardised, but not there yet: etcd vs. others, different ingress controllers, providers replacing most of network parts, storage is bumpy/not so standard, deploy may be kubectl apply/helm/operator.

I would really appreciate a more mature ecosystem.


This is the hardest for me. It's almost like those two forces are in opposition to each other. I'd love to find an industry where they could align.


Yeah I think there is a tension there. If you care about systems and internal quality and want to get paid for it, I'd suggest software performance or security as promising fields.

Performance and security are both cross-cutting concerns that span layers, i.e. you're not just thinking at the application level. It really is a separate kind of thinking and a separate kind of work.

Though it seems that it's mostly large companies (e.g. "big tech" and a few other places) that care enough about performance and security to have dedicated staff for them. Most other shops are too busy with "business stuff", and they may reasonably want to outsource that work to experienced consultants.

