You're thinking of this like a game where the only point is to "win". That's not how this would actually work in practice.
Blue is the only moral and logical choice. If red gets over 50% and you picked it, therefore contributing to the "red" outcome, you are now effectively a murderer. Plus you now get to live in a world where everyone else alive are sociopaths that picked red, where everyone with a conscience is now dead.
You also can't count on everyone picking red, or "if you picked blue, then you voted for suicide".
It's reasonable to assume that, leading to the button press event, the usual low-trust, "every man by himself" types will rally for red, with the usual excuses, where high-trust societies will make it clear that it's your moral duty to pick blue, to get the votes to the 50% threshold and ensure no one dies. Around the world there would be debates nonstop that would permeate every social circle and families. You'd have huge arguments where the typical selfish types would scream at their family members "how dare you say you're going to press blue, do you want to leave your poor mother alone without their only child?", only pushing red-leaning voters more into red and blue-leaning voters more into blue.
Plus, if you look at the possible outcomes:
- Red wins, you picked red: Depending on where you live, a reasonable portion to the large majority of the population is now dead. The ones alive have, by definition, a strong bias towards individualism and noncooperation. It's extremely likely civilisation will collapse. Pick your favourite fictional dystopia and you might have a reasonable chance of it actually coming somewhat real.
- Red wins, you picked blue: You are now dead, but at least you don't have to live in the world above.
- Blue wins, you picked blue: Things carry on as normal and your conscience is safe in knowing that you didn't vote to kill and that over 50% of your fellow humans also didn't vote to kill.
- Blue wins, you picked red: Things carry on as normal, but you now have a guilty conscience, or, if your vote was made public, people around you know you would have killed them to save your skin.
> Depending on where you live, a reasonable portion to the large majority of the population is now dead. The ones alive have, by definition, a strong bias towards individualism and noncooperation.
Anyone who picked blue gambled their own lives over nothing. There is nothing altruistic about pressing the blue button and especially nothing altruistic about trying to convince people to press the blue button. The altruistic thing is to convince everyone that they don't need to kill themselves by pressing the blue button.
By picking red you didn't contribute to anything at all, this button does absolutely nothing in practice. If you remove the red button, leaving the choice between pressing blue and not participating at all, the choice to not participate seems quite obvious. The red button adds some "weight" to the decision, but it's materially the same.
You're ignoring the dimension of universalism versus insularity. In practice, high-trust, high-cooperation communities are also insular. They cooperate within their community, but not people outside their community. Those communities can ensure the survival of their members by using their social infrastructure to ensure everyone votes red.
Assuming that the red/blue choice doesn't have a theological valence, you'd have a lot of tight-knit Mormon, Muslim, and Orthodox Jewish communities surviving in the red scenario. I suspect also all the highly authoritarian Asian countries.
Correct. If you can always either fix it forwards or roll back, which you should be able to unless you're building software that needs to go out in releases with versions tracked separately that need to keep getting fixes, trunk-based development simplifies everyone's lives greatly.
I've never seen an organisation that insists on release branches and complicated git merge flows to release their web-based software gain any actual benefit from it that isn't dwarfed by the amount of tooling you need to put around it to make it workable to the dev team, and even then, people will routinely screw it up and need to reach out to the 5% of the team that actually understands the system so they can go back to doing work.
I've done branchy development to good effect for user-installable software, where we committed to maintain e.g. 3.2.x for a certain time period, so we had to keep release branches around for a long while.
But for continuously deployed SaaS or webapps, there's no point.
I've worked on software where we had multiple maintained release branches and we always just worked off master and then cut long-lived release branches from master at some point. Once a branch was cut we'd never merge master into it again and instead backport just specific fixes, which is quite different from git-flow.
Well in that case it sounds like you're shipping multiple versioned instances of your software for different clients, which is much closer to shrink-wrapped software than it is to e.g. gmail.
Baseline requirements are not an imaginary problem. All of them have a legitimate reason for existing. You could argue that some "are not that big of a deal", but that's exactly the point, the overbearing and overly specific requirements serve both their own purpose and double as Van Halen's "no brown M&Ms" clause: if the CA screws them up, either by malice or incompetence and doesn't immediately catch them and self-report, then you know they have no way of telling what other things they are screwing up. And if you're in the business of selling trust, that instantly makes you untrustworthy.
There are countless Bugzilla reports of clearly unprofessional CAs trying to get away with doing whatever they want, get caught, say "it's no big deal", fail to learn the lesson and eventually get kicked out, much to the chagrin and bewilderment of their management, irate that some nerds on the Internet could ruin their business, failing to understand that following the scripture of the Internet nerds is the #1 requirement of the business they chose to run.
Yes. Brown M&M tests are exactly what's called for here. You want a strong psychological urge to obey rules just because they're rules. There are roles where this isn't the right thing, but operating a Certificate Authority isn't one of them.
In my experience every case in the Web PKI where we found what seems obviously to be either gross incompetence or outright criminality there were also widespread technical failures at the same CA. Principals who aren't obeying the most important rules also invariably don't care about merely technical violations, which are easier to identify.
For example, CrossCert had numerous technical problems to go along with the fact that obviously nobody involved was obeying important rules. I remember at one point asking, so, this paperwork says you issue only for (South) Korea, but, these certs are explicitly not for Korea, so, what technical measure was in place to ensure you didn't issue them and why did it fail? And obviously the answer is they didn't give a shit, they'd probably never read that paperwork after submitting it, they were just assuming it doesn't matter...
If you purposely go into your phone settings and turn off auto-capitalization (which is what the kids do, since they're all typing on their phones), isn't it the very definition of pretentiousness? You're going into extra trouble to signify you're part of a clique, while feigning "laid-backness" and "i dont even care bro".
But you do care. You care so much to project your appearance of being cool and that you don't even care that you go through extra trouble to keep it up, even though paradoxically it would be LESS effort to not do it.
I think you are reading too much into kids trying to break norms and trying to be "part of a clique". It's not pretentiousness, it's part of finding yourself. They are also actively trying to get you to not read them because you are old and think they "are not serious" so mission accomplished I guess. And time will tell if these kids will invent something you have to respect. (Spoiler alert, we did and they will too)
I turn off autocapitalization on my phone so I can be consistent with my computers where it IS more effort to use capitalization. I also believe quite dogmatically that computers should not try to be smarter than me, I can press the buttons I intend to press, including the shift key on a phone keyboard.
This is not because I’m super cool, it’s because I’m an old man and I’m still typing in 2025 like I was typing on IRC in 1998 when nocapsing was absolutely dominant.
But if I type in a space where proper capitalization is expected, like HN, I do it (this was typed on my phone with no autocorrect, suggestions or autocapitalization — I know, I’m dumb and my opinions and settings are wrong). If it was my personal blog however I would do whatever I felt like doing.
Of course you are free to do what you want on your blog, but some choices make it harder to read. IMO not capitalising is similar to using hard to read fonts or colours.
You're describing a 15 second effort that is performed at most once per phone purchase, and at its least once in the owner's entire history of iOS backup/restore processes. Less total effort than our comments took to write. You're then reading a whole lot into that.
> If you purposely go into your phone settings and turn off auto-capitalization (which is what the kids do, since they're all typing on their phones), isn't it the very definition of pretentiousness?
That's incredibly presumptuous of you. That they're on their phone, that they had auto capitalization defaulted to on, that it's them who turned it off, that they didn't turn it off for whatever other reason (bugginess).
Cat's out of the bag there already. We all have general purpose computing devices in our pockets, locked down on purpose. Android used to allow you to gain admin rights but it's been getting more and more impossible to do so while still keeping most of your programs working. It's not only a cat-and-mouse game against "rooting detection" SDKs companies licence and plug into their apps out of a misguided duty of care, but it's especially bad with anything that uses Google's remote attestation lately.
Android is also about to lock down "sideloading", another "great" dysphemism for "installing software".
Moving the Overton window on this has been so successful, that even people in our industry happily accepted the much maligned dysphemisms of "jailbreaking" and "rooting" for what used to be called "local admin rights" and look upon such access as if it's only something pirates, criminals or malware spreaders would want to do.
I say this as someone who is running an Android phone with a kernel with some backported patches applied and compiled by myself. The fact that I can do it is great. The fact that the entire industry is trying to make it as frustrating as possible for me to do this under the guise of false premises such as "security" is disheartening.
Correct. Age verification and privacy consents belong on the browser. The issue is that on the browser, things work a bit too well (remember https://en.wikipedia.org/wiki/P3P ?), so the big players are incentivized to ignore completely the browser-based mechanisms and say/do nothing whenever they see lawmakers going in a dumb direction (risking fines is a reasonable price to pay in order to kill adoption of an actual browser/OS based control that would cause a dent to their tracking operations) that puts the onus on individual website operators.
The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
That seems completely contrary to the spirit of EU laws and regulations, which tend to be about protecting the consumer, preventing monopolies, ensuring people can generally live their lives where all things that are mandatory are owned and run by the state and foster a certain degree of EU independence, with a recent focus on "digital sovereignty".
This one is a five for one against all of those goals? Harms the customer (you could see this as the polar opposite of GDPR), strengthens entrenched monopolies, forces citizens to be serfs of one of two private corporations in order to access information, and on top of that, like it wasn't enough, willingly capitulates to the US as the arbiter of who is a valid person or not.
This is so against the spirit of the EU itself that it would almost be funny if people weren't serious.
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Because the EU doesn't actually care about privacy, otherwise they wouldn't be trying to do this and ChatControl. They care about being the main ones to spy on you, and maybe using fines as additional "taxes" on rich foreign companies. That's it.
Take any group of a hundred tech people (devs, analysts, architects, etc.), and 95 of them will do everything with their stock Android or iOS smartphone. Maybe 3 will consciously limit their use of that device, and the remaining 2 reluctantly use something sane like GrapheneOS. Those two might pipe up and take a stand for people without smartphones (which includes a very varied swath of people, from Luddites to people with disabilities), but they'll get drowned out by sighs, sheepish looks, and the chorus of 'let's just start with those two smartphone OSes, and if after a year or two people still really need something else, a new project can be started to address that'.
It's not an insane question, it just doesn't get asked.
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Please (kindly) ask Paolo De Rosa [1], Policy Officer at the European Commission and driver of many of the decisions behind the wallet and the ARF. His position is one of fatalism: that it's "too late"; the duopoly of Goople is entrenched, and it's therefore not a problem if the wallet project entrenches it even further. Regrettably quite a lot of member states agree, although representatives of France and Germany specifically are frequently standing up to the fatalism.
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Because this is being pushed by lobbyists to use hardware attestation to make it practically mandatory for every citizen in the EU to be registered to either Apple or Google with a real id for all non-trivial online interactions at all times. The people behind this push neither have the technical knowledge nor care in the slightest that this is the consequence.
The app this discussion is about is a reference implementation that is part of a long-term process for building a digital identity app. Specifically, this discussion is about the age verification part of the app, which is the first part expected to be finished but is also only a small part of a much wider ideal.
Europe's dependence on American tech is a major pain point but realistically, there are only two smartphone vendors. If a European vendor does rise up, I'm sure whatever app comes out of this process will happily hook into the hardware attestation API for that OS as well.
But you could do attestation on GrapheneOS, no need to require the users to have Google spyware preinstalled. Google is abusing its position here, attestation should be to verify the security model, not Google's business model.
When scoped to attest the full software stack down to the kernel, yes, because it takes control away from the general purpose computing device that the user supposedly owns. I don't however have a problem with attestation scoped to dedicated hardware security devices such as YubiKeys.
And if such dedicated hardware is ever required by the law, the manufacturer should be prohibited from bundling any business-related functionality there (such as displaying ads) that can't be turned off without breaking the certification.
Google's ad business model should never be mandated by law, unfortunately lawmakers seem to be unaware that this is what requiring Play Integrity effectively means.
Yes, and remote attestation should be illegal on any general purpose computing device, for some reasonable definition of what that is. General purpose computing should be a human right, in particular the right to change the software running on devices that you own.
This "identity wallet" is such a hostile idea, require identification for everything instead of thinking about how to remove identification (for example, allow anonymous banking, traveling).
Agreed. I refuse to use the terms "rooting" and "jailbreaking" in professional environments, I always use terms like "admin access to the mobile device".
Because that's what it is, despite the extremely successful campaign to paint people who want admin access on their mobile computers in the same light as pirates.
We have a near perfect system for finding the location of phone thieves, yet the police will not go and knock on the doors of criminals even when explicitly shown proof of "this is where the thief is currently".
Yeah it's odd and annoying. I realize the prisons are full but you could fine them £50k and have them pay it off over the next few decades or something.