> Something that the XZ back door made me realise is that the fundamental difference between proprietary and open source software is not the price or source availability for most of its users (no, not developers!); it is the reputation and protected brand of the former and the anonymity of the latter.
You're making a distinction not between open source and proprietary software but rather between hobbyist and corporate software.
There are open source projects made by companies with no external contributions allowed (sqlite sorta, most of google and amazon's oss projects in practice, etc).
There are proprietary software downloads with no name attached, like practically every keygen, game crack, many indie games posted for free download on forums or 4chan, etc etc.
OpenSSL was maintained by like two guys in their spare time, and underpinned trillions of dollars worth of systems and secure transfers.
Would you categorise that as “hobbyist”?
The semantics matter, so I’m going to agree with you and clarify that my concern is with the risks associated with “effectively anonymous contributors allowed” software, where personal consequences for bad actors are near zero.
On the Venn diagram of software licenses and source accessibility, this “especially risky” category significantly overlaps FLOSS and has little overlap with most proprietary software products.
I personally had no bias or aversion to FLOSS software for either personal or professional use, but in all seriousness the XZ attack after the Heartbleed vulnerability made me reconsider my priors.
Okay, so you won't use OpenSSL because it's not proprietary enough. What do you use instead?
You pay for nginx plus? Oops, that uses openssl. F5 load balancers since you want to get even more proprietary and expensive? Some of those used OpenSSL too.
Microsoft IIS? Lemme tell you about the history of absolutely bafflingly bad vulnerabilities in that software, far worse than open source nginx ever had.
Effectively anonymous contributions are not what caused heartbleed, they're not what caused the vast majority of breaches and hacks into proprietary software companies nor the vast majority of vulnerabilities.
Bad code is what causes these bugs, and as far as I can tell, the easiest recipe for bad, vulnerable code is to have a manager repeatedly tell an engineer "deliver this by Friday or you're fired", which happens much less in free software projects.
I'm just trying to get a coherent idea of what you think the right thing to do here is.
How do I stay secure? What OS do I use that doesn't include a ton of open source components and reviews every line of code that goes into it? As far as I can tell, this has already excluded ChromeOS (based on open source packages, many imported without reading all the LoC), macOS (even worse, and an even greater history of vulnerabilities)... I guess Windows is the best by this standard? But statistically it's also the most vulnerable, so it doesn't seem like this standard has gotten us to a logical conclusion, does it?
"I love eating delicious food" is a totally sensible sentence which involves only the self and an inanimate object, and arguably only the self because it is about your own enjoyment and actions more so than the food itself.
"I love computers", etc etc.
Love is broad, it can be shared, it can be unrequited, it can be with an inanimate object or with an abstract concept. The object can certainly be the self.
Go and Java are actively hostile to integrating with C libraries, and the easiest way to make clean native UI on all 3 major OSs is to link with C libraries.
Rust is an interesting and intellectually stimulating language, it lets you use your brain to write clean and pretty code, and rewards you for making clean powerful abstractions.
Java and Go are both anti-intellectual languages that reward you for turning off your brain and writing the most verbose awful code you can think of, and will leave anyone who has ever studied type theory with a massive migraine for hours after each coding session (Go more so than Java).
I think those two factors, C bindings, and whether they respect the programmer's intelligence, are the main reason.
I think technically the CAN-SPAM act applies to an international company with any US customers, but in practice no company primarily in another country cares about that US law.
Maybe if the US was willing to perform an air strike on each business that violated CAN-SPAM we'd get some real compliance.
It's a medical matter. If medical officials broadly agree that having a prosthetic limb gives someone better quality of life than having no limb, then yes, we should disfigure the human body by attaching a prosthetic.
Medical officials fairly broadly agree that gender-affirming care improves the quality of life of patients, and so of course it should be allowed.
It's disgusting to try and use the law to force medical professionals to give sub-par care for no good reason.
> How is it 'disgusting' to try to let someone live as they were born?
I assume you're opposed to cosmetic dental braces for children? Even though just like gender-affirming care, they can lead to better self-perception and better outcomes (but 'disfigure' the child by making their teeth more aligned with stereotypical norms)
> Medical officials fairly broadly agree that gender-affirming care improves the quality of life of patients, and so of course it should be allowed.
This is not really true any more at this point in history. European countries have either backed away from pediatric gender affirming care, or they never allowed it in the first place. It's increasingly the case that the US and Canada are the outliers in the broader consensus that the evidence for the benefits of endocrine interventions in children is too weak to justify routine prescription.
> I assume you're opposed to cosmetic dental braces for children? Even though just like gender-affirming care, they can lead to better self-perception and better outcomes (but 'disfigure' the child by making their teeth more aligned with stereotypical norms)
Are we really going to try and draw an equivalence between cosmetic dental braces and permanently-altering hormones? A wire pulling a kid's teeth into place is not comparable to chemically castrating the kid for a few years and giving them opposite-sex hormones in their mid-teens. The measured benefits to the latter have to be way higher to justify that level of invasiveness and permanent change.
These kinds of blithe comparisons to the seriousness of gender-affirming care are no small part of why trust on this issue has waned so fast.
> These kinds of blithe comparisons to the seriousness of gender-affirming care are no small part of why trust on this issue has waned so fast.
No, let’s be real, this isn’t a dominant narrative in public discourse outside this thread. You’re irritated that you can’t simply assert a de novo principle of pediatric ethics that bans gender-affirming care without absurd collateral damage.
This isn't a de novo principle. It's pretty basic evidence based medicine: if a treatment has negative side effects, there needs to be significant evidence of positive outcomes to justify this treatment.
What "absurd collateral damage" have the UK, Sweden, Denmark, Finland, or Norway encountered when they banned endocrine interventions for treating gender dysphoric youth?
Talking with you is very difficult when you continue to conflate various claims and stances that are logically distinct.
OP said:
>>> How is it 'disgusting' to try to let someone live as they were born?
Asserting this as an ethical principle leads to absurdities. That’s all that occurred here.
> What "absurd collateral damage" have the UK, Sweden, Denmark, Finland, or Norway encountered when they banned endocrine interventions for treating gender dysphoric youth?
This is irrelevant to the point at hand (nobody here was discussing European medical policy), but this is not accurate. It’s strange, because you’ve correctly summarized what occurred elsewhere.
> Danish guidelines published in 2023 recommend the use of puberty blockers on transgender patients at either Tanner stage two or three, as a means of buying time for patients to consider their gender more fully before making a decision.[119]
> In 2020, Finland revised its guidelines to prioritise psychotherapy over medical transition.[120] However, these guidelines are a recommendation, not a mandate.[121][122] The Council for Choices in Health Care allows the use of puberty blockers in transgender children after a case-by-case assessment if there are no medical contraindications.[123][124]
> In 2023, the Norwegian Healthcare Investigation Board, an independent non-governmental organization, issued a non-binding report finding "there is insufficient evidence for the use of puberty blockers and cross sex hormone treatments in young people" and recommending changing to a cautious approach.[148][149] The Norwegian Healthcare Investigation Board is not responsible for setting healthcare policy, and the Directorate, which is, has not implemented the recommendations, though they have said they are considering them.[148][146][125] Misinformation that Norway had banned gender affirming care proliferated on social media.[146]
Misinformation, by the way, that you continue to peddle in.
> While European health authorities aren’t instituting bans on treatment, currently minors in six European countries—Norway, U.K., Sweden, Denmark, France and Finland—can access puberty blockers and cross-sex hormones only if they meet strict eligibility requirements, usually in the context of a tightly controlled research setting. (Italics in the original)
Read through your quotes carefully:
> The Council for Choices in Health Care allows the use of puberty blockers in transgender children after a case-by-case assessment if there are no medical contraindications.
And how many of such cases were granted? This could be a de facto ban, if no such cases are granted.
> issued a non-binding report finding "there is insufficient evidence for the use of puberty blockers and cross sex hormone treatments in young people" and recommending changing to a cautious approach.
Again, how many new patients are being put on blockers after this recommendation?
You're trying to spin this false narrative that patients with gender dysphoria are still being prescribed puberty blockers as normal treatment for GD. This is not the case. Even though the legislatures in these countries haven't banned the treatment, effectively nobody is getting puberty blockers for childhood GD in these countries.
Actions speak louder than words. You can split hairs about how "recommending" the discontinuation of puberty blockers is not a ban. But at the end of the day, what is unambiguously true is that the vast majority of patients who are prescribed blockers in the US would not be prescribed blockers in these countries. If you have actual stats on the number of new patients prescribed blockers in these countries in 2025, by all means share them.
They all pay the price of google (micro-brainwashing by ads to buy things they don't need).
I think the average person will happily pay the same price to OpenAI (being micro-brainwashed by the AI to buy things they don't need, i.e. ads). I feel confident OpenAI will be able to charge even more for ads than Google since OpenAI will be able to influence people even more strongly, and hide the ads even better.
The number of redis setups out there which rely on user-uploaded lua scripts and the lua sandbox being sufficient for that has got to be... close to 0?
Like, the lua scripting feature is there for developers to write static trusted lua, check it in, and run transactional stuff etc, and so anyone uploading arbitrary user code as a script is already wildly outside of a normal use of redis.
Seems wild that something which requires using the thing wrong, and also which impacts close to 0 real deployments of the thing, gets a CVSS 10.
Why is this bad? Do you run user-authored lua scripts against your redis?
Do you have your redis exposed without any authentication on the public internet?
If you do either of those, sure, this is bad for you.
I've worked with quite a few redis setups and know the details of even more, I do not know a single redis setup which would be vulnerable to this.
I've never heard a single instance of someone deciding that redis's lua sandbox is secure enough that they'll let their users upload arbitrary lua code and run it, and trust the lua sandbox to keep that redis box safe.
Like, because it's a use-after-free in the lua environment which requires a malicious lua script, this is just such a giant nothing-burger to me and every redis setup I've ever used, all of which only run trusted lua scripts.
> Do you have your redis exposed without any authentication on the public internet?
I will somewhat ashamedly admit to having had a test/development Redis server running on EC2 exploited because I did that. In my defence, it was purely a development/learning exercise and had no real data on it. And it was about 10 years ago. It was an important learning opportunity for me.
> There's nothing new about being able to copyright something that's a transformation of another work
There is something novel here.
Google Books created a huge online index of books, OCRing, compressing them, and transforming them. That was copyright infringement.
Just because I download a bunch of copyrighted files and run `tar c | gzip` over them does not mean I have new copyright.
Just because I download an image and convert it from png to jpg at 50% quality, throwing away about half the data, does not mean I have created new copyright.
AI models are giant lossy compression algorithms. They take text, tokenize it, and turn it into weights, and then inference is a weird form of decompression. See https://bellard.org/ts_zip/ for a logical extension to this.
I think this is the reason that the claim of LLM models being unencumbered by copyright is novel. Until now, a human had to do some creative transformation to transform a work, it could not simply be a computer algorithm that changed the format or compressed the input.
Google Books is not transformative. It shows you all the same data for the same purpose as they were published for.
A better example is Google Image Search. Thumbnails are transformative because they have a different purpose and aren't the same data. An LLM is much more transformative than a thumbnail.
It's more lossy than even lossy compression because of the regularization term; I'm pretty sure you can train one that's guaranteed to not retain any of the pretraining text. Of course then it can't answer things like "what's the second line of The Star Spangled Banner".
The fact that compression is incredibly lossy does not change the fact that it's copyright infringement.
I have a lossy compression algorithm which simply outputs '0' or '1' depending on the parity of the bits of the input.
If I run that against a camcording of a Disney film, the result is a 0 copyrighted by Disney, and in fact posting that 0 in this comment would make this comment also illegal, so I must disclaim that I did not actually produce that from a camcorded Disney film.
If I run it against the book 'Dracula' the result is a 0 under the public domain.
The law does not understand bits, it does not understand compression or lossiness, it understands "humans can creatively transform things, algorithms cannot unless a human imbues creativity into it". It does not matter if your compressed output does not contain the original.
> The court held that framing and hyperlinking of original images for use in an image search engine constituted a fair use of Perfect 10's images because the use was highly transformative
You're missing something: whether or not it's copyright infringement depends on a) how much money you have and hence bribes you can give and b) whether you can say what you're doing is "to beat China".
> Google Books created a huge online index of books, OCRing, compressing them, and transforming them. That was copyright infringement.
No. It's a decided case. It's transformative and fair use. My understanding of why it's transformative is that Google Books mainly offers a search interface for books and it also has measures to make sure only snippets of books are shown.
If someone has arbitrary code execution on your machine as your user, then of course they can access things your user can access.
They could just as easily keylog your password, or replace the onepassword-cli binary with one that exfiltrates data, or steal your browser cookie to get into your email account and use that to hijack recovery flows...