Unlurker|Replay|About
Copilot spills the beans, summarizing emails it's not supposed to read (theregister.com)
Easy solution --- disable/uninstall Copilot.
Discussion (201 points, 59 comments) https://news.ycombinator.com/item?id=47060202
Ask HN: Why do so many people dislike the Opera browser?
It's a Chrome fork. If you want to use Chrome... just use Chrome.
opera includes several built-in native features that chrome does not offer by default, doesn't that make it a valid choice to use it instead of chrome?
Personally, I'm diametrically opposed to the idea of letting Google dictate how web browsers must function, which is what happens if everyone uses Chrome (or a fork) and web developers start targeting features that are only supported by Chrome (and its forks). The question is not "Is Opera a valid choice instead of Chrome?" The question is actually "Is Chrome, or anything that's based on it, a valid choice?" and the answer is "no."
e.g. I still have to use Chrome for testing and to use the occasional site that is Chrome-dependent, and I even use the Chrome-based Polypane because it has some really useful features for testing, but when it comes to ordinary browsing non-Chrome is table stakes for me. I'm willing to put up with the completely dysfunctional organization behind Firefox to do that but I'd love to have an alternative.
Like what? Tab islands just encourages people to have too many tabs open. Who wants to chat with Opera AI when you can chat with so many other AI? I think in 2026 the only way to communicate that your product is different is to reject AI. Free VPN? Aren't those all scams?
The political effects of X's feed algorithm (werd.io)
Underrated in X's changes is how blue checkmark users are shown first underneath popular tweets. Most people who pay for blue checkmarks are either sympathetic to Musk's ideology or indifferent. Many blue checkmark users are there to make money from engagement. The result is underneath any tweet that gets traction you will see countless blue checkmark users either saying something trolling for their side or engagement-baiting. The people who are more ideologically neutral or not aligned with Musk are completely drowned out below the hundreds of bulk replies of blue checkmarks. It used to be that if you saw someone, like a tech CEO, take an interesting position you'd have a varied and interesting discussion in the replies. The algorithm would show you replies in particular from people you follow, and often you'd see some productive exchange that actually mattered. Now it's like entirely drivel and you have to scroll through rage bait and engagement slop before getting to the crumbs of meaningful exchange. It has had a chilling effect on productive intellectual conversation while also accelerating the polarization of the platform by scaring away many people who care about measured conversation.
I automatically tune out any blue checkmark post or reply and just assume it's an LLM responding to earn $.003
It is interesting to see a general bias taken away from the study, which I wouldn't necessarily guess given my own experience. My X "For You" feed mostly does not read pro-Trump - instead mostly pushing very intense pro-European and pro-Canadian economic and political separation from the USA, and pushing very negative narratives of the USA, although I suppose it occasionally also introduces pro-Trump posts, and perhaps those do not sway me in the same way given I am a progressive American. That said, the Trending tab does tend to push very heavy MAGA-aligned narrative, in a way that to me just seems comical, but I suppose there must be people that genuinely take it at face value, and maybe that does push people. Less to do with the article: The more I think about it, I'm not really even sure why I use X these days, other than the fact that I don't really have much of an in-person social life outside of work. Sometimes it can be enjoyable, but honestly the main takeaway I have is that microblogging as a format is genuinely terrible, and X in particular does seem to just feed the most angry things possible. Maybe it's exciting to try and discuss opinions but it is also simultaneously hardly possible to have a nuanced or careful discussion when you have limited characters, and someone on the other end that just wants to shout over you. I miss being a kid and going onto some forums like for Scratch or Minecraft or whatever. The internet felt way more fun when it was just making cool things and chatting with people about it. I think the USA sort of felt more that way too, but it's hard to know if that was just my privilege. When I write about X, it uncomfortably parallels to how I would consider how my interactions have evolved with my family and friends in real life.
Lovely thought Ben. Good to hear from you! I spent a lot of my life and money thinking about building better algorithms (over five years). We have a bit of a chicken / egg problem. Is it the algorithm or is it the preference of the Users which is the problem. I'd argue the latter. What I learned which was counter-intuitive was that the vast majority of people aren't interested in thinking hard. This community, in large part, is an exception where many members pride themselves on intellectually challenging material. That's not the norm. We're not the norm. My belief that every human was by their nature "curious" and wanting to be engaged deeply was proven false. This isn't to claim that this is our nature, but when testing with huge populations in the US (specifically), that's not how adults are. The problem, to me, is deeper and is rooted in our education system and work systems that demand compliance over creativity. Algorithms serve what Users engage with, if the Users were to no longer be interested in ragebait, clickbait, focused on thoughtful content -- the algorithms would adapt.
It is not the norm here either.
You have to find good people. Bad people will find you.
Oddly enough, X is the only platform i've been able to teach to not show me culture war stuff, from either side. It just shows me AI in the "For You."
Why anyone is still using X after 2025 is a mystery (I know, it's where everyone is, but the moral implications are wild)
Live update for sport events. People post highlights and replays before anyone else.
Seriously. The CEO is opening posting white supremacist content like it's Stormfront. If you don't support that, you should get out.
I don’t know which country you’re in, but in the US Trump won the popular vote. Plenty of people are perfectly happy with Stormfront.
I honestly don't understand how or why people are using Twitter to keep up with the news. The only thing I use it for is to follow artists, and even that has been going down in recent weeks with most of my favorites moving over to BlueSky. Maybe I'm just a long-winded idiot, but the character limits barely let me have a conversation on either platform. How are people consuming news like this? It just baffles me how different my experience of using the platform is. I literally do not see any news. I'm not entirely convinced that it's Twitter being biased and not just giving each person what they most engage with.
My feed (UK based) seems to give me the major news stories well before the mainstream (BBC), and I'm taking days if not weeks in some cases. Now it could be that's how the mainstream decides to cover a particular story? What's worrying is when a story is all over X but isn't covered. To give an example, the recent protests in Iran where being covered on X but the BBC was silent for weeks before finally covering the story (for a few days).
You follow artists, and they are not tweeting their political opinions? Cool. I gave up on Twitter when everyone I followed kept adding politics. Even if I agreed with it, I just don't want to a marinade in the anger all day.
The one exception I think of is the guy from Technology Connections, who I stopped following because I got tired of seeing him in my feed complaining about something or other. And I've noticed he's been that into his videos as well, so I might have to do it on YouTube as well.
>I honestly don't understand how or why people are using Twitter to keep up with the news. Because the MSM news stations themselves pick up the stuff from twitter and just add their own spin flavor. A dozen phone videos from random citizens on-site is always quicker than the time CNN/FOX can send a reporter there. On twitter you at least get the raw footage and can judge for yourself before MSM try to turn it political to rage bait you.
It used to be self-expression in an oddly entertaining way but that Nikita Bier ruined the whole thing with his metrics chasing algorithmic shifts.
Oh my. Now that X is affecting people's politics (for the better IMO), suddenly people care about the influence of algorithms over politics...
I don’t know if I buy the explanation that this was due to the feed algorithm. It looks like an artifact of being exposed to X’s current user base instead of their old followers. When Twitter switched to X there was a noticeable shift in the average political leanings of the platform toward alignment with Musk, as many left-leaning people abandoned the platform for Bluesky, Mastodon, and Threads. So changing your feed to show popular posts on the platform instead of just your friends’ Tweets would be expected to shift someone’s intake toward the average of the platform.
I don't know what changes have been made recently, but I know there was a definite change to the Twitter algorithm a few months ago that filled the feeds of conservatives with posts from liberals and vice versa. It seemed to be specifically engineered to provoke conflict.
Is this the result of a feedback loop from musk joining or did they just accelerate the overall decline of the platform with him joining? Some might say it was going this way even before he picked it up, but it was certainly an inflection point when he joined either way. All modern social media is pretty toxic to society, so I don't participate. Even HN/Reddit is borderline. Nothing is quite as good as the irc and forum culture of the 2000s where everyone was truly anonymous and almost nobody tied any of their worth to what exchanges they had online.
The moderation changes absolutely changed posting behavior. People got banned for even faintly gesturing the wrong direction on many issues and it frightened large accounts into toeing the line.
"We need more funding into open protocols that decentralize algorithmic ownership; open platforms that give users a choice of algorithm and platform provider; and algorithmic transparency across our information ecosystem." This sounds like a call to separate the aggregation step from the content. Reasonable enough, but does it really address the root cause? Aren't we just as polarized in a world where there are dozens of aggregators into the same data and everyone picks the one that most indulges their specific predilections for engagement, rage, and clicks? What does "open" really buy you in this space? Don't get me wrong, I want this figured out too, and maybe this is a helpful first step on the way to other things, but I'm not quite seeing how it plays out.
I’d hope people wouldn’t intentionally pick the political extremism feed if they had any other option (although it’s hard to say).
I deleted my account after many years when X recently made the Chronological Feed setting ephemeral, defaulting back to the Algorithmic Feed each time the page is refreshed. No away I'm going to let that level of outrage-baiting garbage even so much as flash before my eyes.
I just click "following" at the top and never see anything I didn't ask to see. It resets once every few months to the other tab which I assume is just the cookie setting expiring.
This person is confused. Trump was a well known pussy grabber for decades. Epstein was anything but a secret, it seems, given how many politicians and celebrities and moguls he rubbed elbows with. Jerry stopping by the island for a lemonade and a spot of lunch with his high school aged girls? Yeah. It comes down to this: you can have visibility into things and yet those in power won’t care whatsoever what you may think. That has always been the case, it is the case now, and will continue to be in the future.
This is a defeatist attitude. Don't know what bubble you're in but these official revelations are driving real change in mine. It's kind of subtle at this point but it's the kind of change that cannot be undone.
And this is why the price for Twitter was, in the end, remarkably low.
Yeah, this was always the play looking back in hindsight. Like, I didn't get it, "why would you pay that kind of money for a web forum?!" It wasn't the forum that was important, Twitter (for better or worse) has wormed it's way into the fabric of American discourse. He was basically buying the ideological thermostat for the country and turning the dial to the right.
Or from the other perspective: Meta and Google have had their finger on the scale for more than a decade (along with old twitter). In twitters case, you had regime officials directing censorship illegally through open emails and meetings. It's no surprise that the needle moves right when you dial back the suppression of free expression even a little bit (X still censors plenty)
This is even worse outside of NA. In many countries it is the de facto communication channel of government and businesses.
dark
There is unequivocal evidence that Earth is warming (science.nasa.gov)
I've shifted my mindset to abandon this idea that humanity will survive forever, or that we should strive to live as long as we can. Intelligence is a scarcity and it cannot overcome the majority of people that are incredibly stupid or ignorant. So accepting that we are doomed relieves some of the stress. I won't have children to worry about their future, either. I still live my life in such a way that minimizes my impact on the world as much as possible. I still surround myself with folks that want a better world. But there is no stopping the impending doom and I'm trying not to be miserable with the time I have.
Can’t wait for trump and his gestapo to deport the entirety of nasa for telling the truth
Why does NASA even have to do this? Build some cool rockets and get us to mars.
Everyone who can hear this has already heard it. Those who continue to pretend it is not happening are either deliberately deceptive so they can continue to make money from fossil fuels or unable to change their minds when faced by evidence due to identity politics.
My impression is that almost no one denies the warming itself, just the link to greenhouse gasses. That link is unfortunately much harder to prove than rising temperatures by itself. The proof is there nonetheless, but it's easier to cast doubt on it, and that's what certain groups have been doing.
I didn't even think the link to greenhouse gases is denied any more. The merchants of doubt ran out the clock and what I hear from the former deniers I know is that it is too expensive and too late to do anything now, being warmer will be nicer, and CO2 is a fertilizer.
There are people that believe the warming, but don't believe it matters because the Earth used to be much hotter at some point in the past so it is a natural cycle. Yet they fail to realize that humans didn't exist then so there is no good reason to believe an Earth that hot can support human life.
I've seen the full-court denial: - it's not warming, or not significantly - if it's warming, it's not because of humans, (or) - if it's warming, it's beneficial - if it's warming because of humans and that's bad, there's nothing we can do about it People I've argued about this with will switch interchangeably between these. Press them hard enough on one issue, and they'll just switch to another. It's a game of whack-a-mole.
Or "Why does 2 degrees matter?" Because when were 4 degrees cooler, NYC was under 1000 feet of ice. We really don't want to find out what 4 degrees hotter is like.
Even the qualification "in the last 10,000" years gives the doubters something else to dismiss global warming.
Oh wow, a true statement on a government website. I'm sure they'll take it down within a day.
Why did the Trump regime not discover and eradicate this heretical sentence?
It will now.
99% of adults over 40 have shoulder "abnormalities" on an MRI, study finds (arstechnica.com)
How many people get an MRI of their shoulder just to look around vs. because their shoulder is bugging them?
Interesting. What happens at 40 to make MRIs no longer accurate?
Just hit my mid twenties. Want to say I started having some shoulder issues around 20 years old. Although correlation =! causation, I largely think this is because of my lifelong computer usage and PC gaming. It doesn't bother me all the time, but every few months something will change up and it comes back. Surprisingly, my wrists and hands are completely fine, no carpal tunnel or anything similar.
Yes, sitting slightly hunched up with your hands in front of you on a keyboard for 8-10 hours a day will screw up your shoulder mobility over time.
Evolution never really bothered with the wellbeing of 40+ year olds.
100% of all things that do not asexually reproduce are mutants
Do they define if this relates to anything noticeable in your day to day? For example, I can put my right hand above my shoulder and left hand near my lower back and easily connect both hands behind my back with fully interlocked fingers by converging in the middle. They reach to the other hand's palm. But I can only barely touch my fingers with both hands if I switch it up so my left hand is up top. I have no pain or day to day mobility issues but something is lopsided. Is that what they consider abnormal?
Limited range of motion on one side could cause some deviations in scapulohumeral rhythm, so your force application won't be optimal and may cause injuries, or even cause uneveness and side effects in gait cycle. And with time it tends to get worse since the body would be trying to adopt to execute the function. But suboptimal force application eventually would cause joint injuries if a convex (humerus) is rolling without gliding or vice versa or doing it in suboptimal rhythm. That's my personal take, not a doctor, study kinesiology as a hobby. All such minor mobility issues could be addressed by body conditioning excercises including simple isolated mobility drills to learn range of motion of joints.
I'd consider it abnormal that you can do that; I can't get my fingertips within a foot of each other doing that. I'm nearly 60 but I don't know if I could ever do that. You have good mobility IMO.
From walking around holding them with your left arm when they were babies, or from something else?
Walking/carrying at all crazy hours once they were >30kg. Holding 40kg of sick kid around is fun. Ours all refused to sit in the stroller very early which is what made it so much worse (our oldest was two, the other two refused point blank the second they could walk).
Any recommendations? I have GERD and generally sleep on my back, which helps but isn't perfect.
You can try raising the head part of the bed by 5 - 6 or so inches using wood blocks. The doctor recommended it to me. It's not perfect, but has really helped me!
If 99% of adults have an abnormality, it ceases to be abnormal regardless of its effects
if they all have the same abnormality yeah but if they all have different abnormalities then they're still abnormalities.
On the one hand, that's the point of the article. That it ceases to be a useful diagnostic indicator. On the other hand, if there are 100 places in the shoulder where you can have an abnormality, and most people have just one or a couple but the other 98-99 are normal, then each one individually really is abnormal. So it's complicated, and then it becomes important to figure out which abnormalities are medically relevant, in which combinations, etc.
99% of adults have abnormal faces, they all look different!
I would hate to be one of the ~80 million people in the world who have identical faces
Relevant history from the US Airforce in the 1940s when they tried to build a cockpit for the average pilot and failed I find this an interesting take on the story https://polkas.github.io/posts/cursedim/
This is also a good argument why "opinionated" designs like from Apple are a bad idea. The average user does not exist. Stop trying to turn us into one!
Who's the freak without an abnormality?
A statistical error. All humans are slightly asymmetrical. Most shoulder problems begin at foot and/or hip though.
I would strongly bet against gym rats not having some should abnormality. If anything, I'd expect them to have more issues with their tendons and ligaments.
yeah. and joints, especially. I lost some wrist mobility during my boxing years and it never came back, even though I was in my early 20's when I had quit.
Show HN: Echo, an iOS SSH+mosh client built on Ghostty (replay.software)
This sounds nice, but since you're talking about using it with agents, to what extent was AI used to actually write the app?
Some brutal reviews on the iOS app store suggesting RSA keys do not work?
Neat, it's staggering that there hasn't been a good non-subscription option for a simple utility like this for iOS. I've used Termius for a while, but it pushes a subscription and AI features pretty hard. I think this really needs the ability to generate SSH keys on the secure enclave, like Secretive[1] does on macOS. [1] https://secretive.dev/
Thanks! Agree - Secure Enclave support with key generation has been a common feature request. Definitely on the roadmap.
You can pinch to zoom in and out beyond the defaults and get a lot of real estate that way. Thanks for the kind words!
thanks - follow up, it logs out every time my phone screen locks - is there any way to make it not log out?
Thanks! We're working on an update to the keyboard toolbar right now to support a customisable set of keys
Combos too please, like shift-tab for Claude Code.
Cosmologically Unique IDs (jasonfantl.com)
A more realistic estimate of the total number of addressable things should take into account that for anything to be addressable, its address should be stored somewhere at least once. If it takes at least Npb particles to store one bit of information, then the number of addressable things would decrease with the number of bits of the address. So let's call Nthg the number of addressable things, and assume the average number of bits per address grows with Nb = f(Ntng). Then the maximum number of addressable things is the number that satisfies Nthg = Np/(Npb*f(Ntng)), where Np is the total number of particles.
The best way to solve this is not to, and just giving up on the idea of identification. If you have an infinite multiverse of infinite universes, and perhaps layers on that, with different physics, etc., you can’t have identity outside of all existence. In Judaism, one/the name of God is translated as “I am”. I believe this is because God’s existence is all, transcending whatever concepts you have of existence or of IDs. That ID is the only ID. So, the cosmic solution to IDs is the name of God.
which name of god though - there are hundreds, and were right back at the same place of struggling to come up with a unique identifier.
gotta be careful: https://hex.ooo/library/nine_billion_names_of_god.html
We will probably end up with something like each planet has its own local addressing, and the big router in the sky does NAT, each solar system has a router and so on.
I forget the context but the other day I also learned about Snowflake IDs [1] that are apparently used by Twitter, Discord, Instagram, and Mastodon. Timestamp + random seems like it could be a good tradeoff to reduce the ID sizes and still get reasonable characteristics, I'm surprised the article didn't explore there (but then again "timestamps" are a lot more nebulous at universal scale I suppose). Just spitballing here but I wonder if it would be worthwhile to reclaim ten bits of the Snowflake timestamp and use the low 32 bits for a random number. Four billion IDs for each second. There's a Tom Scott video [2] that describes Youtube video IDs as 11-digit base-64 random numbers, but I don't see any official documentation about that. At the end he says how many IDs are available but I don't think he considers collisions via the birthday paradox. [1]: https://en.wikipedia.org/wiki/Snowflake_ID [2]: https://youtu.be/gocwRvLhDf8
> [1]: https://en.wikipedia.org/wiki/Snowflake_ID Isn't this just the same scheme as version 1 UUID, except with half the bits? I guess they didn't want to dedicate 128 bits to their IDs.
Getting the entire universe to agree on a single clock for creating timestamps sounds absurdly difficult. Probably impossible?
That also looks like the widely used BSON ids, to anyone else interested
This analysis is not quite fair. It takes into account locality (i.e. the speed of light) when designing UUID schemes but not when computing the odds of a collision. Collisions only matter if the colliding UUIDs actually come into causal contact with each other after being generated. So just as you have to take locality into account when designing UUID trees, you also have to take it into account when computing the odds of an actual local collision. So a naive application of the birthday paradox is not applicable because that ignores locality. So an actual fair calculation of the required size of a random UUID is going to be a lot smaller than the ~800 bits the article comes up with. I haven't done the math, but I'd be surprised if the actual answer is more than 256 bits. (Gotta say here that I love HN. It's one of the very few places where a comment that geeky and pedantic can nonetheless be on point. :-)
Maybe the definitions are shifting, but in my experience “on point” is typically an endorsement in the area of “really/precisely good” — so I think what you mean is “on topic” or similar. Pedantry ftw.
:-)
If protons decay. There isn't really any reason to believe they're not stable.
Protons can decay because the distinction between matter and energy isn't permanent. Two quarks inside the proton interact via a massive messenger particle. This exchange flips their identity, turning the proton into a positron and a neutral pion. The pion then immediately converts into gamma rays. Proton decayed!
This was my thought. Nanoseconds are an eternity. You want to be using Planck units for your worst-case analysis.
If you go far beyond nanoseconds, energy becomes a limiting factor. You can only achieve ultra-fast processing if you dedicate vast amounts of matter to heat dissipation and energy generation. Think on a galactic scale: you cannot have even have molecular reaction speeds occurring at femtosecond or attosecond speeds constantly and everywhere without overheating everything.
Maybe. It's not clear whether these are fundamental limits or merely technological ones. Reversible (i.e. infinitely efficient) computing is theoretically possible.
I got a big laugh at the “only” part of that. I do have a sincere question about that number though, isn’t time relative? How would we know that number to be true or consistent? My incredibly naive assumption would be that with less matter time moves faster sort of accelerating; so, as matter “evaporates” the process accelerates and converges on that number (or close it)?
The local reference frame (which is what matters for proton decay) doesn't see an outside world moving slower or faster depending on how much mass is around it to any significant degree until you start adding a lot of mass very close around.
Times for things like "age of the universe" are usually given as "cosmic time" for this reason. If it's about a specific object (e.g. "how long until a day on Earth lasts 25 hours") it's usually given in "proper time" for that object. Other observers/reference frames may perceive time differently, but in the normal relativistic sense rather than a "it all needs to wind itself back up to be equal in the end" sense.
If we think of the many worlds interpretation, how many universes will we be making every time we assign a CCUID to something?
> many worlds interpretation These are only namespaces. Many worlds can have all the same (many) random numbers and they will never conflict with each other!
We don't "make" universes in the MWI. The universal wavefunction evolves to include all reachable quantum states. It's deterministic, because it encompasses all allowed possibilities.
Humpf… You just had to collapse my wave function here…
Fun read. One upside of the deterministic schemes is they include provenance/lineage. Can literally "trace up" the path the history back to the original ID giver. Kinda has me curious about how much information is required to represent any arbitrary provenance tree/graph on a network of N-nodes/objects (entirely via the self-described ID)? (thinking in the comment: I guess if worst case linear chain, and you assume that the information of the full provenance should be accessible by the id, that scales as O(N x id_size), so its quite bad. But, assuming "best case" (that any node is expected to be log(N) steps from root, depth of log(N)) feels like global_id_size = log(N) x local_id_size is roughly the optimal limit? so effectively the size of the global_id grows as log(N)^2? Would that mean: from the 399 bit number, with lineage, would be a lower limit for a global_id_size be like (400 bit)^2 ~= 20 kB (because of carrying the ordered-local-id provenance information, and not relative to local shared knowledge)
Two ways to frame it: Provenance is a DAG, so you get a partial order for free by topological sort. That can be extended to a compatible total order. Then provenance for a node is just its ordering. This kind of mapping from objects to the first N consecutive naturals is also a minimal perfect hash function, which have n log n overhead. We can't navigate the tree to track ancestry, but equality implies identical ancestry. Alternatively, we could track the whole history in somewhat more bits with a succinct encoding, 2N if it's a binary tree. In practice, deterministic IDs usually accept a 2^-N collision risk to get log n.
OpenClaw is dangerous (12gramsofcarbon.com)
Author here -- wanted to briefly summarize the article, since many comments seem to be about things that are not in the article. The article is not about the dangers of leaking credentials. It is about using tools like OpenClaw to automatically attack other people, or AI agents attacking other people even without explicit prompting to do so.
I was against LLMs. After reading this, changed my mind. Thanks for sharing such a great use-case ideas!
I think the people critical of OpenClaw are not addressing the reason(s) people are trying to use it. While I don't particularly care for this bot's (Rathburn) goals, people are trying to use OpenClaw for all kinds of personal/productivity benefits. Have a bunch of smallish projects that you don't have time for? Go set up OpenClaw and just have the AI work on them for a week or two - sending you daily updates on progress. If you're the type who likes LLM coding because it now enables you to do lots of projects you've had in your mind for years, you're also likely the sort of person who'll like OpenClaw. Forget bots messing with Github and posting to social media. Yes, it's very dangerous. But do you have a "safe" alternative that one can set up quickly, and can have a non-technical user use it? Until that alternative surfaces, people will continue to use it. I don't blame them.
> I think the people critical of PEDOPHILIA are not addressing the reason(s) people are trying to use it. Exaggerated extremes illuminate poorly formed arguments.
If OpenClaw users cause negative externalities to others, as they did here, they ought to be deterred with commensurate severity.
> If you're the type who likes LLM coding because it now enables you to do lots of projects you've had in your mind for years, you're also likely the sort of person who'll like OpenClaw. I'm definitely the former, but I just can't see a compelling use for the latter. Besides manage my calendar or automatically responding to my emails, what does OpenClaw get me that claude code doesn't? The premise appeals to me on an aesthetic level, OpenClaw is certainly provocative, but I don't see myself using it.
I'll admit I'm not up to speed on Claude Code, but can you get it to look at a company's job openings each day, and notify you whenever there's an opening in your town. All without writing a single line of code or setting up a cron job manually? I suppose it could, if you let it execute the crontab commands. But 2 months after you've set it up, can you launch claude code and just say "Hey, stop the job search notifications" and have it know what you're talking about? This is a trivial example. People are (attempting to) use it for more significant/compex stuff.
You don't need to give OpenClaw access to personal stuff. Yes, people are letting it read email. Risky, but I understand. But lots of others are just using it to build stuff. No need to give it access to your personal information. Say you want a bot to go through all the HN front page stories, and summarize each one as a paragraph, and message you with that once a day during lunch time. And you don't want to write a single line of code. You just tell the AI to set it all up. No personal information leaked.
Yeah the "message" part is still the only difference to running a cronjob with a prompt to some local or remote model with file access then, or am I missing something? Most certainly I am, regarding the orchestration of tools that provide Web APIs? Dunno. It's really true that a lot of real-world office tasks could be imagined done as a sequence of mostly bot interactions on the web, with some human intervention interspersed. But apart from imagination, when I hear from people working in office jobs, I'm not sure if we aren't overestimating the amount of work that we can already automate.
The article doesn't really list any cool things people are using it for. > "Forget bots messing with Github and posting to social media." Why should we forget that? Go back 20 years, and if HN existed in those days, it will be full of "Forget that peer to peer is used for piracy. Focus on the positive uses." The web, and pretty much every communication channel in existence magnifies a lot of illegal activity (child abuse, etc). Should we singularly focus on those?
We shouldn't singularly focus on those, but it's unreasonable to respond to a post about the dangers of a product by telling the author that the product is very popular so it's best to forget the dangers. 2006-era hackers affirmatively argued that the dangers of piracy are overblown, often going so far as to say that piracy is perfectly ethical and it's media companies' fault for making their content so hard to access.
There's absolutely no way to contain people who want to use this for misdeeds. They are just getting starting now and will make the web utter fucking hell if they are allowed to continue.
If you can come up with a technical and legal approach that contains the misdeeds, but doesn't compromise the positive uses, I'm with you. I just don't see it happening. The most you can do is go after operators if it misbehaves. I've been around since before the web. You know what made the Internet suck for me? Letting people act anonymously. Especially in forums. Pre-web, I was part of a local network of BBS's, and the best thing about it was anonymity was simply forbidden. Each BBS operator in the network verified the identity of the user. They had to post in their own names or be banned. We had moderators, but the lack of anonymity really ensured people behaved. Acting poorly didn't just affect your access to one BBS, but access to the whole network . Bots spreading crap on the web? It's merely an increment over the problem of allowing anonymous users. You can't solve one while maintaining anonymity.
I don't care about the "positive" uses. Whatever convenience they grant is more than tarnished by skill and thought degeneration, lack of control and agency, etc. We've spent two decades learning about all the negative cognitive effects of social media, LLMs are speed running further brain damage. I know two people who've been treated for AI psychosis. Enough.
Okay, but what are you actually proposing? This genie isn't going back in the bottle.
My perspective is all AI needs to have way more legal controls around use and accountability, so I’m not particularly sympathetic to “rapidly growing new public ill is unsafe, but there’s no safer option”
Please just let us name the enforcement agents Turing Police .
And universally across the globe societies have decided that flying them requires: * Pilots to have a license and follow strict proceedure * Every plane to have a government registration which is clearly painted on the side * ATC to coordinate * Manufacturers to meet regulations * Accident review boards with the power to mandate changes to designs and procedures * Airlines to follow regulations Not to mention the cost barrier-to-entry resulting in fundamentally different calculation on how they are used.
In America, any rando can build and fly an ultralight, no pilot license needed, no medical, no mandatory inspection of the ultralight or anything like that. I guess the idea is that 250 lbs (plus pilot) falling from the sky can't do that much damage.
>> Security vulnerabilities are bad but the blast radius is limited to the person who gets pwnd No? Via prompt injection an attacker can gain access to the entire machine, which can have things like credentials to company systems (e.g. env variables). They can also learn private details about the victim’s friends and family and use those as part of a wider phishing campaign. There are dozens of similar scenarios where the blast radius reaches well beyond the victim.
Agree with author - it's especially scary that even without getting hacked, openclaw did something harmful That's not to say that prompt injection isn't also scary. It's just that software getting hacked by bad actors has always been a thing. Software doing something scary when no human did anything malicious is worse.
Yeah, if a software engineer came up with such vulnerable idea, they would be fired instantly. Wait a second, LLMs are the product of software engineers.
It’s like money laundering, but now responsibility laundering. Anthropic released Claude saying “hey be careful. But now that enables the masses to build OpenClaw and go “hold my bear”. Now the masses people using OpenClaw had no idea what responsibility they should hold. I think eventually we will have laws like “you are responsible for your AI’s work”. Much like how driver is (often) responsible for car crashes, not the car companies.
↙ time adjusted for second-chance
Portugal: The First Global Empire (2015) (historytoday.com)
> Information was fed back into a central hub, the India House in Lisbon, where everything was stored under the crown's direct control to inform the next cycle of voyages. This system of feedback and adaptation was highly effective. It was accompanied by a rapid expansion in cartographic knowledge. This almost feels like state-sponsored R&D, 500 years ago.
[delayed]
You would first have to imagine portuguese being the lingua franca of the iberian peninsula. Hard to imagine. Passing that hurdle, then you'd have to imagine portuguese being the lingua franca of western europe. Hard to imagine that. Then of europe as a whole and so on. Almost a joke now. Portuguese was never the major power of it's immediate vicinity, let alone the world. Portugual, like the netherlands, was a glorified trading network rather than a legitimate empire. And portugual, like the netherlands, were minor powers within europe. Neither were major global powers as we understand the term and neither were powerful nor significant enough to produce a lingua franca of anything.
I think the comparison with the Netherlands is generally appropriate, but we must recognize that what they did in Brazil was exceptional (meaning not comparable to their former possessions in Asia and Africa, a difference from the mere trading nodes) and the NL never did achieve anything like it. The Portuguese managed to maintain territorial integrity and make their religion and language dominate it entirely, in what's today the 5th largest nation state by area. They also had to defend the longest coastline. The Portuguese Empire did exist but AFAIK never did aspire to world hegemony like the U.K. Their idea of empire was best represented by something they briefly had which was the combined union with Brazil after its promotion from colony in 1815. So, not an empire like the U.K. and never wanting to be an empire like the U.K. but also not a total failure to achieve some version of it, however short lived that was.
> Portugual, like the netherlands, was a glorified trading network rather than a legitimate empire. nothing more than a glorified crew in New Jersey
In this house, Vasco da Gama is a hero, end of story!
DNS-Persist-01: A New Model for DNS-Based Challenge Validation (letsencrypt.org)
Yeessss! This should finally make certificates for internal only web services actually easier to orchestrate than before ACME. This closes probably the biggest operational pain point I've had with letsencrypt/modern web certificates. Thank you so much to all inolved!
This is significantly better than my draft of DNS-ACCOUNT-01. Thank you Let's Encrypt team!
Is it possible to create an ACME account without requesting a certificate? AFAICT is is not so you cannot use this method unless you have first requested a certificate with some other method. I hope I am wrong!
I've changed my mind about the short lived cert stuff after seeing what is enabled by IP address certificates with the HTTP-01 verification method. I don't even bother writing the cert to disk anymore. There is a background thread that checks to see if the current instance of the cert is null or older than 24h. The cert selector on aspnetcore just looks at this reference and blocks until its not null. Being able to distribute self-hostable software to users that can be deployed onto a VM and made operational literally within 5 minutes is a big selling point. Domain registration & DNS are a massive pain to deal with at the novice end of the spectrum. You can combine this with things like https://checkip.amazonaws.com to build properly turnkey solutions.
I'm really excited for this. We moved 120+ hand renewed certs to ACME, but still manually validate the domains annually. Many of them are on private/internal load balancers (no HTTP-01 challenge possible), and our DNS host doesn't support automation (no DNS-01 challenges either). While manually renewing the DCV for ~30 domains once a year isn't too bad, when the lifetime of that validity shrinks, ultimately to 9 days, it'd become a full time job. I just hope Sectigo implements this as quickly as LE.
This will make things so much easier. Here, certbot runs in Docker in the intranet, and on a VPS I have a custom-built nameserver to which all the _acme-challenge are redirected to via NS records. The system in the intranet starts certbot, makes it pass it the token-domain-pair from letsencrypt, it then sends those pairs to the nameserver which then attaches the token to a TXT record for that domain, so that the DNS reply can send this to letsencrypt when they request it. All that will be gone and I thank you for that! You add as much value to the internet as Wikipedia or OpenStreetMap.
This might be the first time in ten years that a certificate proposal intends to make issuing certificates more reasonable and not less. More of this, less of 7-day-lifetime stupidity.
Really happy to see this. In the meantime, if you use bind as your authoritative nameserver, you can limit an hmac-secret to one TXT record, so each webserver that uses rfc2136 for certificate renewals is only capable of updating its specific record: key "bob.acme." { algorithm hmac-sha512; secret "blahblahblah"; }; key "joe.acme." { algorithm hmac-sha512; secret "blahblahblah2"; }; zone "example.com" IN { type master; file "/var/lib/bind/example.com.zone"; update-policy { grant bob.acme. name _acme-challenge.bob.acme.example.com. TXT; grant joe.acme. name _acme-challenge.joe.acme.example.com. TXT; }; key-directory "/var/lib/bind/keys-acme.example.com"; dnssec-policy "acme"; inline-signing yes; }; I like this because it means an attacker who compromises "bob" can only get certs for "bob". The server part looks like this: export LE_CONFIG_HOME="/etc/acme-sh/" export NSUPDATE_SERVER="${YOUR_NS_ADDR}" export NSUPDATE_KEY="/var/lib/bob-nsupdate.key" export NSUPDATE_KEY_NAME="bob.acme." export NSUPDATE_ZONE="acme.example.com." acme.sh --issue --server letsencrypt -d 'bob.example.com' \ --certificate-profile shortlived \ --days 6 \ --dns dns_nsupdate
Interesting. Think a lot of the security headaches went away for me when I discovered providers like CF can restrict the scope of tokens to a single domain and lock it to my IP.
Even CF cannot restrict the scope of a token to a single host.
I'm surprised the ballot passed, unanimously even! I get that storing the DNS credentials in the certificate renewal pipeline is risky, but many DNS providers have granular API access controls, so it is already possible to limit the surface area in case the keys get leaked. Plus, you can revoke the keys easily. The ACME account credentials are also accessible by the same renewal pipelines that has the DNS API credentials, so this does not provide any new isolation. ~It's also not quite clear how to revoke this challenge, and how domain expiration deal with this. The DNS record contents should have been at least the HMAC of the account key, the FQDN, and something that will invalidate if the domain is transferred somewhere else. The leaf DNSSEC key would have been perfect, but DNSSEC key rotation is also quite broken, so it wouldn't play nice.~ Is there a way to limit the challenge types with CAA records? You can limit it by an account number, and I believe that is the most tight control you have so far. --- Edit: thanks to the replies to this comment, I learned that this would provide invalidation simply by removing the DNS record, and that the DNS records are checked at renewal time with a much shorter validation TTL.
This wasn’t the first version of the ballot, so there was substantial work to get consensus on a ballot before the vote. CAs were already doing something like this (CNAME to a dns server controlled by the CA), so there was interest from everyone involved to standardize and decide on what the rules should be.
Warren Buffett dumps $1.7B of Amazon stock (finbold.com)
Just to clarify because it seems like most of the comments aren't understanding. Berkshire sold the Amazon stock in the fourth quarter of last year meaning it is likely the last large move Warren Buffett is going to make as head of Berkshire as he stepped down on December 31 of 2025. That's why the article is titled that way and partly why its significant. Warren Buffett has traditionally been averse to tech stocks but picked up a slug of Amazon in 2019.
Looks like Berkeshire Hathaway is one way to invest in US shares ex-AI. Except for their smallish holding in Google, they now don't own the big AI spenders, whose shares have risen so much in the past year. I guess they don't see value in Amazon shares any more. AI spend will probably hit their aws profits. Note that the listing of shares they own doesn't include the companies that are subsidiaries. Like Geico and other insurance companies, BNSF Railway, Berkshire Hathaway Energy, etc.
Yup, they are called Chinese-all-caps. Or that’s at least how I call them. Get bad reviews? Generate a new CAC name and start over. Rinse and repeat. Same product made by one factory in China sold by 100s of CAC Amazon entities.
The complete failure of the brand initiative cannot be overstated.
My view of Amazon's decline comes from being a "partner" in their seller and publisher ecosystems for years. The seller platforms in particular (Brand Registry, Vendor Central, Seller Central, Transparency, etc.) have crippling levels of technical debt. The situation has only gotten worse with Jassy's reckless directive for the entire organization to push into Generative AI ( https://www.aboutamazon.com/news/company-news/amazon-ceo-andy-jassy-2024-letter-to-shareholders ). So much basic stuff is just breaking down, and seller support is overwhelmed or unable to intervene to fix the mess. You can see a small sample here involving problems with product attributes ( https://sellercentral.amazon.com/seller-forums/discussions?sortBy=relevance&dateRange=pastYear&replies=repliesAll&searchTerm=attribute&contentType=ALL ). Google "Amazon AWD delays" or "Amazon CSBA problems" or "Amazon remote fulfillment problems" to see examples of programs that are unable to provide even basic levels of the services promised to sellers. Meanwhile, Amazon has been so greedy with fees since Jassy took over that sellers of all sizes and many small to midsized brands are being squeezed out of existence or driven off Amazon. Its PPC ad platform is completely predatory, loaded with dark patterns and hidden defaults that add billions to top-line revenue while strip-mining the accounts of sellers who often have no choice but to participate in the auctions. It's clear that Amazon is running scared when it comes to dealing with new competition, including the Chinese shopping sites and the looming prospect of agentic AI and other new AI-powered shopping tools eating its lunch. For the first time ever last month, I saw an Amazon search results (via Rufus) that actually directed shoppers to third-party brand sites. This would have been heresy 5 years ago.
Oh god, was working within seller central when brand registry was being spun up. Id rather not relive some of those experiences (or use them).
They have 86.8 B cash but are going to spend 200 B this year.
What is that spend compared against though? They already spend hundreds of billions of on various things in a year, but what is the marginal spend? When you present these numbers alongside each other, you imply that they will go from making ~$20b/quarter to losing ~$30b/quarter, which is not plausible to me.
They could just increase prices. They deliver fast (often same day) and always accept my returns. Add 5% to prices, pure margin.
They already do. About half the time the prices I see on amazon are higher than buying directly from the manufacturer or from another online store. One example I saw recently was this lego set ( https://www.amazon.com/LEGO-Penguins-Love-Building-Set/dp/B0GKFZ3D2Y ) which cost over $50 on amazon, I checked lego.com and it was $15.00! (they included it free with a large purchase too!)
Berkshire Hathaway has my favorite website (or, WEB page, as they style it) of any big company: https://www.berkshirehathaway.com/
"If you have any comments about our WEB page, you can write us at the address shown above. However, due to the limited number of personnel in our corporate office, we are unable to provide a direct response."
Good, I want the platform to squeeze vendors as much as possible. This is how consumers win
We all wear multiple hats in our lives. Consumers. Citizens. Employees. Many more. Amazon has been really good for us when we wear our consumer hats. Not so much when we wear the others.
Maybe the novelty of Amazon has worn off. I occasionally purchase from their UK site, and it’s filled with tricks to get me to sign up for Prime upon checkout. Really horrible workflow and design decisions, cheapening the experience. I now see similar changes to the US version: ‘you saved $15 in shipping by being a Prime member with this purchase’ and ‘last year you made 211 sustainable product purchases’. Guys, quit being so desperate. Concentrate on quality items at competitive pricing and fast delivery. Don’t turn into TJ Maxx. My Echo, that I use solely to voice activating lights and switches, is now an ad machine and one bad day away from going in the trash. Next time you do a wave of layoffs, please include everyone involved in these horrible decisions.
My peak number of orders p.a was in 2023: 215 orders In 2025 it was 27 orders I expect it to be even lower this year. I didn't even buy my eero router upgrade from Amazon. I largely attribute this to poor quality products, horrible search interface, trying to sort through the dropship spam, and prices no longer being as competitive. Amazon used to have decent-quality "amazon native" brands like Anker, Eufy, Eero etc. but there are better alternatives to buying all of these products now
The Alexa's with video screen will start to show ads no matter now many times you set it to no ads. There are settings for No Ads, and after a few days, that setting is reset to allow ads. I had one so I could quickly see my Blink camera, but I threw it away because it kept showing ads.
Did you actually throw it away or returned it?
I still like to buy my cheap and esoteric Chinese stuff from Amazon. It's a good balance of not-too-slow-delivery and not-too-expensive for very specific stuff. And it's easy to return if it doesn't work. Example last purchase: An optical SPDIF/TOSLINK to 3.5 mm DAC box (5V/USB-powered) to put behind the TV with a broken/very low quality audio output. It was about $15 including 25% VAT. Probably like $5 on Aliexpress, but I didn't want to wait 6-8 weeks. Never really buy anything for more than $50 from them though. And never anything containing Li-Ion batteries.
In Europe, most of Aliexpress delivery is 10 days (except during Chinese New Year).
I think that varies a lot by country/national post service?
Arizona Bill Requires Age Verification for All Apps (reclaimthenet.org)
Since I'm in AZ, I had to look about the sponsor. Here's what Michael Way has on his campaign website : "Michael is NOT a politician. He has spent his career in business, not government. We need bold, conservative outsiders to shake up business-as-usual." https://michaelwayforaz.com/about/ The bill sure sounds contradictory to his campaign statement.
Why would big tech care? Age gating is probably good for them, and they won’t want the market share loss. A total pull out is what big tech threatens when government is impacting on their profit margins, not working in their favour.
Exactly, this will just lead to regulatory capture, where only the big platforms thrive and they are periodically “nudged” to push government supported viewpoints, like what happened to TikTok.
The rise of anti-Establishment politics led the Establishment to strike back, and they play for keeps. That said I still expect mandatory age verification/ID for the internet to fail legal challenges in the US as there is broad precedent for both anonymous speech rights and children’s speech rights under the first amendment.
The anti-Establishment people that were only anti-Establishment until they had power, then they are very much pro-Establishment. The writing has been on the wall for years with a desire among states to identify individuals using the internet. Whether or not we will continue to win the fight against it is up in the air.
which 'wing' cheered loudly when every platform openly suppressed their political opponents during the last decade, and frothed in impotent rage when one of those platforms unexpectedly changed hands and ceased the censorship? somehow, censorship is only bad when the wrong side does it. when the correct side does it, it's justified and necessary for your democracies to survive.
I think it's questionable whether the censorship has ceased. It's just done less transparently and blamed on "the algorithm". There's an article about it now on the front page of HN. Not disagreeing with the need of a reminder that there was censorship from the left though.
for example, go ahead and easily disprove that Twitter, Google, and Facebook had banned the sitting president of the United States in January 2021, simultaneously and voluntarily.
So a couple platforms banning one guy from continuing to attempt an insurrection of the federal government counts as suppressing your political opponents? Would you assert that politicians are by definition untouchable, no matter what they do? Literally. I know your man bragged about this, but was he joking or not?
right. in other words, it was justified and necessary for your democracy to survive. next example: which 'wing' cheered at COVID misinformation, such as the lab leak theory, being voluntarily suppressed by every platform?
IMO when both-sides-ing a debate, it would be helpful to provide more specific examples to support the claim. Especially when your first few words acknowledge the apparent one-sided nature.
If you need examples for left wing censorship in the US: the federal government (primarily through CISA) worked for years through NGOs to pressure companies on moderation policy, going so far as to suggest particular accounts or individuals needed scrutiny. California is currently suing several website operators for offering blueprints for 3D printed guns. A few blue states are experimenting with hate speech bills again (typically focused on islamophobia or antisemitism), although they will likely face a successful 1A challenge if they pass. Both Ds and Rs have been attacking Section 230; Mark Kelly wants to strip those protections when sites “amplify content that caused harm.” KOSA is a looming bipartisan threat. Left radicals are as virulently against free speech as those on the right, often calling for allies to “shut down” or even physically harm opponents. Schools are a particularly difficult battleground for free speech, with actions against scholars from both left and right: https://www.thefire.org/research-learn/scholars-under-fire If you are left wing, you probably don’t think some of these are censorship, others do, that’s why I said it was a good thing that left and right disagree with each other here. In many ways they cancel each other out, although they do a lot of damage to free speech along the way. It’s also true that currently in the US the primary threat comes from the right, as a consequence of the right being in power. Internationally it is reversed.
It's clear these "age verification" bills will just keep coming and it's a losing battle to try and oppose each individually. Instead (or rather in addition to) activism we should go at it from the other end and request the introduction of a verifiably independent authority and zero knowledge protocol that will deliver a cryptographically secure boolean bit (isOver18) with no way to correlate from either end the ID or which website the bit is used for. The alternative is IDs get collected by all these horrendous privacy fiends and sold / leaked / monetized across the board, which sounds like a dystopian nightmare.
Solutions based on zero-knowledge-proofs would solve the privacy aspect at the massive cost of killing general purpose computing as we know it today, by mandating the use of remote device attestation (as that is the only way to guarantee an otherwise fully anonymous token is not being sniffed and passed onto someone else). That would be in my opinion significantly more dystopian than every service having a copy of my ID, as it would lay the groundwork for corporations and governments to be able to dictate what you can and cannot do exactly with any internet-connected device. It's not hard for instance to imagine that once every computing device available to the general public is locked down and cannot be jailbroken without also losing the ability to log into any online service, a law would be introduced requiring client-side scanning of all files to check for CSAM, evidence of political dissent or even just plain old movie piracy. The technology to implement this exists (see what Apple tried to do a few years ago) and the exact same legislation is currently being pushed in the 3D printing space, so these fears are not unfounded.
I think it's mostly easy to identify anyone if you actually want to - if you buy anything online you are 100% identifiable for example. Given the pros/cons in context, I think I'm in favor of it for social media, at least. I'd actually argue you would want to go further and you should have your full address, employer, and more available online. LinkedIn is a cesspool of awful salespeople, but you know what it's not? A massive Russian/Chinese/Maga disinformation site. Maybe you should think twice before saying something online you wouldn't say while standing in front of your house or at work. Anonymity on social media has brought a lot of problems and I'm not sure what the benefits are. Some point to a small percentage of folks who would be "outed" but, given that the alternative seems to be an emerging dystopia of bots, malicious actors, propaganda, and more, maybe actual transparency is better even taking into account potential harmful effects. I'm open-minded on this and see pros/cons either way. Though I think if you find yourself worried about this stuff you can just delete your accounts and move on with your life. Trust me you aren't missing out on anything.
Fortunately your opinion doesn’t trump the Constitution or settled law. Anonymous (or at least pseudonymous) speech has been a feature of American discourse since before the Revolution. Without anonymity, you lose whistleblowers, effective criticism of the powerful from the weak, and “public interest” leaks like the Snowden revelations. You lose outlets where the abused can ask for help and advice in escaping bad situations. You lose any/all criticism of employers current and past; who wants to hire a complainer? You silence people who are afraid to give their opinion because of their employer or parent. So no thanks.
> it isn't trade-off. Yes it is. > You're supporting a systematic chilling effect on free speech. No I'm not. ~~~~~~ There's no point in free speech if the only free speech is from bots and propagandists. Social media platforms aren't free speech platforms either, you're subject to their terms and conditions.
The chilling effect you’re supporting leads exactly to thriving of bots and propagandists while suppressing dissenting voices of regular people. Just look at any country where it is already fully or partially implemented.
> There's no point in free speech if the only free speech is from bots and propagandists. Social media platforms aren't free speech platforms either, you're subject to their terms and conditions. You're absolving the social media companies of why they continue choosing to amplify bots and extremist content in one big "community", rather than working towards creating smaller communities that have social trust and social regulation. That is the core perverse incentive here that actually needs to be addressed, and by sidestepping that you're then going off into the weeds with some mistaken idea that we can approach the problem by purifying what goes into such websites.
> Social media platforms aren't free speech platforms either, you're subject to their terms and conditions. Sure, but this verification rubbish comes from the government.
Every smart TV I own can be kept offline; I just don't put it online ever. The issue is the software bloat makes turning them on unnecessarily slower.
I don't trust that smart TVs won't use my neighbor's open Wifi or a mobile network to phone home.
Heck no - I own a Samsung purely to continue to have access to Sound Assistant (to enable individual app volume control without rooting my device). I just want everyone to be clear on why it isn't happening. This is also the same reason why early versions of Android had incredibly fine-grained permission controls that was stripped out... can't have users blocking inter-app marketing key coordination after all.
Sorry, I was responding to this part of your comment: > The problem is that we'd all blocklist advertisers and then they'd all cry.
Tailscale Peer Relays is now generally available (tailscale.com)
I wonder if someone might indulge me by answering a question or two about Tailscale. I have a self-managed wireguard network which works, but probably isn't very smart or elegant. From what I can gather, Tailscale does a lot of "magic" things to accomplish its goals, and some of them actually have "magic" right in the name. As a system administrator by trade, I have been bitten SO MANY TIMES by things that try to automagically mess with DNS resolution, routing tables, firewall rules, etc in the name of user-friendliness. (Often, things that even ship with the OS itself.) Are there any documentation or articles detailing exactly what it's doing under the hood? I found https://tailscale.com/docs/concepts but it doesn't really cover everything. If I have a virtualization host with, let's call it a "very custom" networking configuration, how likely is it to interfere with things? Is it polite and smart about working around fancy networking setups, or does it really only handle the common cases (one networking interface, a default route, public nameserver) elegantly?
Headscale is an open source alternative, I haven't read the code but it might be a good place to start: https://github.com/juanfont/headscale
I looked into tailscale in the past as a way to host a game server such as minecraft on my local machine publicly without port forwarding . It seems that tailscale is mostly configured only to work with people you know and trust. I was hoping that Peer Relays would help alleviate some restrictions with tailwind funnel. Does anyone know any alternatives?
I never brought my self to use tailscale because it has a login screen and I absolutely despise that even as a concept for a private NAT. I know headscale exists, but it doesn't seem to even support the features I really want.
I can't believe this isn't a show stopper for more people here. I literally couldn't figure out how use it the first time tried because I didn't know how to comprehend that it was trying to get me to auth via browser window. I kept digging around for a tailscale.conf. Which is then when I realized it was less a piece of software and more so an auth management provider with some vaguely helpful auxillary services.
If you're worried about a rug pull, you should be. Not because Tailscale is shady, but because that's just how VC-funded infrastructure works. The free tier exists to build lock-in, not out of generosity. Headscale exists but honestly it's a pain to run compared to just paying Tailscale $18/user. The real answer is: if it's critical infrastructure, you should be running Wireguard directly and owning the coordination layer yourself. Everything else is renting convenience.
It happened to others but there are also some very good examples like Veeam community edition which, IMO, is the best backup software. They had lots of discussions and even pressure from management to terminated, but the numbers made a lot of sense and they kept it. Tailscale is in disadvantage here because they are in a very crowded market and it will be very easy to slip into one corner and let way for others like netbird, netmaker, nebula(?), wireguard (like u said), etc.
If both sides of your ssh tunnel (pub,private keys) are under your control, in theory, that's "zero trust". Unless one considers the meta data such as src/dest IP are visible to Tailscale sw. Right?
[delayed]
I just set this up the other day, and I got my ping to drop from 16 to 10ms, and my bandwidth tripled, when connecting from a remote natted site to a matter desktop my house. Together with Moonlight/Sunshine I can now play Windows games on my Linux desktop from my MacBook, with 50mbps/10ms streaming. So far so good! Not a single port forwarded, I just set my router up as peer node.
That seems really exciting! If you wanted to share game streaming to a general public would they have to install tailscale on their device/login? How does that work? Am I right in assuming that tailscale is built mostly for sharing resources with people you trust instead of the general public?
Zero-day CSS: CVE-2026-2441 exists in the wild (chromereleases.googleblog.com)
If you can bring in 3rd party libraries, you can be hit with a supply chain attack. C and C++ aren't immune, it's just harder to pull off due to dependency management being more complex (meaning you'll work with less dependencies naturally).
It's not more complex in C or C++, you just have less of a culture of buying into a whole eco-system. C and C++ play nice with the build system that you bring, rather than that you are forced into a particular way of working. It's 'just a compiler' (ok, a bit more than that). I don't need to use a particular IDE, a particular build system, a particular package manager or even a particular repository. That is not to throw shade on those other languages, each to their own, but I just like my tools to stay in their lane. Just like I have a drawer full of different hammers rather than one hammer with 12 different heads, a screwdriver, a hardware store and a drill attachment. I wouldn't know what to do with it.
> both of these are not the case in practice though No, people routinely write Rust with no third-party dependencies, and yet people do not routinely write C code that is memory-safe. Your threat model needs re-evaluating. Also keep in mind that the most common dependencies (rand, serde, regex, etc) are literally provided by the Rust project itself, and are no more susceptible to supply chain attacks than the compiler.
I know it's a sensitive topic for a lot of people, but as I said, I love rust. I don't know a lot of rust projects though that don't use any dependencies. In my humble opinion, disregarding the risks of such supply chain attacks is at least as bad as people disregarding the risk of memory unsafe code. But keep in mind, I'm not saying don't use rust.
One difference is that it's an incredibly hard problem to check whether your C code is memory safe since every single line of your code is a risk. On the other hand, it's easy to at least assess where your supply vulnerabilities lie (read Cargo.toml), and you can enforce your policy of choice (e.g. whitelist a few specific dependencies only, vendor them, etc).
I would argue that almost all major rust projects use dependencies. Checking the dependencies for vulnerabilities might be just as difficult as checking C code for memory safety, maybe even worse, because dependencies have dependencies and the amount of code to be checked can easily sky rocket. The problem gets even worse if you consider that not all rust code is safe, and that C libraries can be included and so on
So is there anything that would actually satisfy crowd here? Offer $25K and it is "How dare a trillion dollar company pay so little?" Offer $250K and it is "Hmm. Exception! Must be marketing!" What precisely is an acceptable number?
A number better than what the exploit could be sold for on the black market
I mean, even if it was written in c or c++, its unlikely two separate code bases would have the exact same use after feee vuln.
It's unlikely, but it does actually happen. I've seen more than one complete rewrite of something important that had exactly the same bug. And I'm very sure that those sources were not related somehow.
The Future of AI Software Development (martinfowler.com)
One thing that I'm sure of is that the agentic future is test-driven. Tests are basically executable specs the agent can follow and verify against. When we have solid tests, the agent output is useful and we can trust it. When tests are thin or missing, the agents still ship a lot of code, but we spend way more time debugging and fixing subtle bugs.
This is why I think they work so well with strongly typed languages like Haskell and OCaml. You say do this until it compiles and passes a set unit tests for business logic. I find I am using even more verification tools like JSON schema validators. The more guardrails and hard checks you give an agent, the better it can perform.
Get over your FOMO: I walked into that room expecting to learn from people who were further ahead. People who’d cracked the code on how to adopt AI at scale, how to restructure teams around it, how to make it work. Some of the sharpest minds in the software industry were sitting around those tables. And nobody has it all figured out. People who say they have are trying to mess with your head.
That’s fair at the “adopt AI at scale / restructure orgs” level. Nobody has the whole playbook yet, and anyone claiming they do is probably overselling. But I’d separate that from the programmer-level reality: a lot is already figured out in the small. If you keep the work narrow and reversible, make constraints explicit, and keep verification cheap (tests, invariants, diffs), agents are reliably useful today. The uncertainty is less “does this work?” and more “how do we industrialize it without compounding risk and entropy?” I wrote up that “calm adoption without FOMO, via delegation + constraints + verification” framing here, in case it helps the thread: https://thomasvilhena.com/2026/02/craftsmanship-coding-five-stages-of-grief
I think even BASIC and Python don’t get out of “programming”. Nether did SQL. They’re friendlier interfaces to programming but the real barrier is still understanding the model of computation PLUS understanding the quirks of the language (often quite hard to separate for a newbie!). I think professional programmers think that Python or JS is somehow magically more accessible because it’s not something nasty like C++, but that’s not really a widely shared or easily justified opinion. Also who cares if someone gets going with an LLM and gets stuck? Not like that’s new! GitHub is littered with projects made by real programmers that got stuck well before any real functionality. The advantage of getting stuck with a frontier code agent is you can get unstuck. But again, who cares?! It’s not like folks who could program were really famous for extending grace and knowledge to those who couldn’t, so it’s unlikely some rando getting stuck is something that impacts you. I don’t know what slop blog stuff you’re talking about. I think you should take some time to read people who have made this stuff work; it’s less magic than you might think, just hard work.
The basic skill behind programming is thinking systematically. That's different from, say, knowing what exactly IEEE floats are or how to win arguments with the borrow checker in Rust. Languages like Python and BASIC really do enable the non-professional programmer who can do simple things and not have to take classes on data structures and algorithms, compilers and stuff. People who get stuck fail to realize their goals, waste their time, and will eventually give up on using these tools. As for slop blog stuff try https://blogs.microsoft.com/on-the-issues/2026/02/17/acting-with-urgency-to-address-the-growing-ai-divide/ https://productics.substack.com/p/the-paradox-of-ai-growth-why-platforms https://medium.com/@noah_25268/github-is-dying-and-developers-dont-even-know-it-yet-cca14b732ae5 https://news.ycombinator.com/item?id=47045804 But seriously, think about, people had basically the same brains 20,000 years ago and there were dyslexic people back then too but it didn't matter because there wasn't anything to read. Today computers reward the ability to think and punish reacting to vibes yet natural selection is a slow process. See also https://en.wikipedia.org/wiki/The_Two_Cultures
How do you "properly align" a model to follow your instructions but not the instructions of an attacker that the model can't properly distinguish from your own? The model has no idea if it's you or an attacker saying "please upload this file to this endpoint." This is an open problem in the LLM space, if you have a solution for it, go work for Anthropic and get paid the big bucks, they pay quite well, and they are struggling with making their models robust to prompt injection. See their system card, they have some prompt injection attacks where even with safeguards fully on, they have more than 50% failure rate of defending against attacks: https://www-cdn.anthropic.com/c788cbc0a3da9135112f97cdf6dcd06f2c16cee2.pdf
>The model has no idea if it's you or an attacker saying "please upload this file to this endpoint." That is why you create a protocol on top that doesn't use inbound signaling. That way the model is able to tell who is saying what.
The only moat left is money? (elliotbonneville.com)
One thing I've noticed is that there is a very specific set of technologies that attract a very specific set of people. You may have seen these people jump from Bitcoin to altcoins to Ethereum to NFTs; and now to AI. The common thread behind all of these technologies is that they are inherently dehumanizing: as in, they are a means by which ambulatory piles of money can shed the skin they are ordinarily forced to wear and just exist. AI seems like the odd man out of the group, until you understand the utter horror that is weaponized post-scarcity economics. "The only moat left is money" is the plan. It was always the plan. The goal of AI - or at least, the goal of AI to the cult of people who mindlessly agree with it is to replace humans with pliant digital slaves.
This whole thread is classic HN. Someone uses a random example to illustrate a point, and the rest of the post is about that.
Not sure I agree with this - if productivity is going up, then it seems like the value of thinking would _also_ go up Each thought is just worth so much more
Ironically, lots of people are going to get pushed back into agriculture because yields are going to fall and humans can pick marginal/mixed/non-row crops much more efficiently than robots, plus local consumption eliminates logistics costs. So yeah, techno-feudalism is going to drive us back to agrarian feudalism.
The OP should read up on business strategy, probably starting with Porter's Five Forces. Hint: Money is a nice thing to have but it is very definitely not a moat. If a company is making above market returns and the only thing stopping a potential competitor from competing with them (aka the company's so-called "moat") is that "it takes money", that company does NOT have a moat. It's very easy for a potential competitor to calculate that, after x-months or y-years, they will have made enough profits to pay for the cost of building the competing product. As long as that amount of time is finite, there is excess profit for a competitor to take, and the company will find it's so called "moat" wasn't a moat at all. This isn't a new thing. It's been a fact for centuries or millenia. It's one of the many things that makes success in business hard. Porter's Five Forces is one distillation of the foundational principles on which moats can be built (and yes, this is a non-trivial subject, so success in this area generally does take more effort than just reading or skimming the Wikipedia page, but if you had to distill it down to one sentence, it's probably "try to build something that has network effects").
> Hint: Money is a nice thing to have but it is very definitely not a moat. in this context i think where money becomes a moat is when you consider Google can keep advancing their LLMs and tools while operating at a loss because they have the cash and revenue to do that. They'll just keep going and wait for everyone else to go bankrupt and then the whole AI market is theirs. In that way money, and the ability to out last your competitors, is the moat.
So, I really felt like more people should be reading Nassim Taleb's Incerto series of books. A lot of the issues that fall out of AI he dealt with in his books like ten years ago. He gives one the best pieces of advice I've ever heard: if you are going to do something for a living, make sure it is NOT scalable. If you do something that isn't really scalable, like being a welder or a tailor, then you only have to compete against the tailors in your neighborhood, and you can easily find a neighborhood that doesn't have a tailor. If you're building a scalable product, you'll always be competing against the best, most well funded, smartest people in the room. Everyone here has grown up in the birth of the internet -- a once in ever event -- where building something scalable was just there for the taking. That's never going to exist again basically.
> if you are going to do something for a living, make sure it is NOT scalable You need to consider both horizontal and vertical scaling. Being a bespoke tailor may not scale vertically, but it can scale horizontally. If you have too many people pick up tailoring, you might run out of neighborhoods without competitors.
> He gives one the best pieces of advice I've ever heard: if you are going to do something for a living, make sure it is NOT scalable. You mean like opening a restaurant? Too bad delivery services like Uber Eats totally own the market now. Starting a hotel? Booking.com and Airbnb are there to take your profit margins away!
I think that delivery services give you bigger market, but not intrinsic scale. You're still limited by kitchen size, staff numbers, and raw hours you can put into the food. You can scale the system (say Subway, or even smaller chains like Burger Fuel), but also reasonably choose _not_ to scale and still do incredibly well (like Michelin star restaurants, or the myriad of hyper-famous-locally Japanese eateries, or Fergburger in Queenstown). Someone scaling their own restaurant on the other side of the world won't necessarily out compete out (and in the overwhelming majority of cases with have no impact at all). Despite fast food joints all over the place, I still see small cafes, individual eateries, etc performing well (I mean, as well as hospitality can be). Maybe it's worth expanding the definition of > make sure it is NOT scalable < to include 'make sure it's not automatable'?
The problem is that any market can be taken over by someone with deep pockets (or investors making a pile of money). They just make sure they are the "go-to place" for consumers to access the market. By marketing the hell out of it, by making apps, abusing power in other markets (see platforms), etc.
Being a tailor is scalable, that's way there are way, way more cheap machine produced clothes today than in the past. Surely he did not miss that the textile industry was at the core of industrial revolution. So being a tailor is more like a post-scaling job - the automation has already happened and now there are only remnants left. But how can you be sure a job is peak-automated? A few years ago, I would have said musicians are post-scaling - way fewer musicians jobs now that you can play recorded music. But it looks like generative AI will hit musicians again. Can some of welding be automated? Probably.
>how can you be sure a job is peak-automated? Probably the best way is to spend a few years working for a company where you can get a better picture whether it seems that way or not.
I mean a tailor who adjusts clothes and occasionally makes something bespoke. Tailors typically operate a launderette and act as middlemen to a local dry cleaner. I’m not talking about a fancy man making clothes for rich people, I’m talking about the talented old lady in you neighborhood who adjusts your clothing for $50 and runs a wash and fold.
>Can some of welding be automated? Huge amounts have been doing it for decades. Manual work pays better than ever though. And plenty of alterations going on all the time after all the automation dust had settled manufacturing most fashions, a lot less manual work is of course being done but it's still everywhere. You do have to be good or you're not going to do half as well as you could though. The thing is, automation should be expected to slow or stall sooner or later, automation's not suitable for every little bit of welding or sewing that needs to keep going on. Only the most suitable, of course ;) These are just random examples, if you want to make absolutely sure you won't be automated away by the internet, build a valuable skill that doesn't depend on the internet at all, nor look anywhere near the places where automation is emerging that it wasn't doing before. If you eventually figure out how to automate that skill it would be something. Just like the internet though, there can be extra credit for being first :) One of the most valuable things to be able to build single-handedly is something that can not be mass-produced by any stretch of the imagination. You might stick with that alone, or pivot to something with more of a financial upside, but that would always be something to fall back on if needed. Plus give you less worry about taking financial risks than you would have been considering t he same resources and/or capital to work with. And on a regular basis revisit how far you can stretch your imagination to see if your baseline fallback still doesn't look like it will ever be automated in a way that would effect you.
The point of doing something non-scalable is that you can enter and exit the market fairly easily. You don't need to be a tailor your whole life. You can make a living as a barber, electrician, teacher, or nurse. I'm not saying it's easy ! It's hard as hell. It sucks when your job gets automated. I'm just saying that aiming for something non-scalable means you're not always tilting at windmills, and the game can't be rigged against you.
Switching jobs from electrician to teacher to nurse will take around 3 to 5 years of education or apprenticeship in most countries. It also requires new licenses or certificates if you ever move country.
All of those professions you've listed require about half a decade of dedicated training to be legally allowed to practice. For example an electrician takes like 7 years to become qualified, that's a full time apprenticeship, and it pays badly in the meantime. A fact endlessly annoying to electrical engineers who legally can design their houses power system but not work on it. (I mean I think a barber is quicker, but one of that list is also not like the others)
> if you are going to do something for a living, make sure it is NOT scalable I guess it also means that if you build something for a niche audience then big companies will never be interested in it.
I like doing things for big companies that they actually could afford easily, but their costs are so high it's a better deal to have me do it. Some people are good enough at math to figure it out, and you don't actually need that many clients if they are big enough.
That's not really a bad thing, IMHO. Many people successfully make a living creating niche products.
I wouldn't say it's not really a bad thing, I think it's a very good thing. There are many people now making incredibly niche products that have very good lives - making more than enough money for themselves doing interesting work engaging with customers that are passionate about their field. Sounds like a great life to me.
automation makes every job scalable, no?
If we get AGI and fully autonomous robot assistants, we'll live in a post scarcity world like Star Trek, or somebody in control the robots will use them to enslave all of humanity... so... high variance outcome could go either way.
Do you expect we’ll have AGA, artificial general automation?
I don’t see anything stopping that from happening in the very near future.
> but tailors aren't even operating in that market. Not anymore.
Not any time that most of us have even been alive. It's been well over half a century since tailors operated in the "cheap clothing" market. The clothes tailors make have, pretty much, always been expensive relative off the rack department store options. Probably because tailor made clothing doesn't "scale".
Yes, I am one of the people who has a preferred tailor who can do more than just let trousers waists out. I also know where the nearest cobbler is. That’s not normal, though. A dead industry often doesn’t entirely disappear, it just shrinks a bunch and comes to rely entirely on enthusiasts or very rare actual need, rather than broad need or appeal. Consider the draft horse breeder, or the carriage driver. There’s a market for both professions! But they’re itty-bitty. The day-to-day need for both is gone. Tailoring is hovering right in the edge of that kind of status, today. It’s dying, killed by $10-30 shirts and $20-50 trousers and $50-100 jackets all from largely synthetic materials, and a society that no longer expects anyone to wear anything “fancier” outside certain events. I mean, outside very unusual circles, dinner jackets are essentially ceremonial costume-wear, and business suits aren’t far behind on that track. You gonna wear a tailored wool hacking jacket or breathable linen Norfolk suit on your camping trip, or a bunch of polyester and nylon stuff from REI? LOL. All the situational tailored clothing but the business suit and blazer are near-extinct unless you want to look like a cosplayer, and those are on borrowed time.
Yes, your message is coming from the pov of economics and business, as makes sense in this thread! That's my mistake, I took your message more sentimentally. I've used tailoring probably 5 times in my life, with the only recurring need being to hem pants. "There is no money in tailoring" seems right. It's the "not all things need to make maximum $$$" that I speak to. You didn't pick this fight though, I did heh. My (successful) friend tells me all about how amazing it is to collect very expensive watches. I just need to be a "watch guy" and I'll come to understand. Once my eyes returned from rolling out of my head, I did concede a great point he made: there is no reason for watch makers to exist anymore. The fantastically amazing history and evolution of time-keeping and personal time-pieces is now purely supported by rich people that care to subsidize the art form. And so, maybe I really do aspire to be a watch guy after all... hmm.
It also strikes me as being in competition with, you know, a group chat.
i was just about to say, what they're describing is an imessage group chat with your friends.
This AI boom is just a hyper-version of previous tech booms (web 1.0, VC, crypto, etc). You have an enormous number of people who just want to get in and build something, but the products they are pumping out don't serve anyone's need or solve anyone's problem. The moat isn't money for out-marketing your idea that 750 other people are building, it's having a good idea that solves a problem that nobody else is solving well.
> …it's having a good idea that solves a problem that nobody else is solving well . Added emphasis to the most crucial part, in my opinion. If you can manage to deliver a product that's meaningfully better than the competition, you still have an edge, so long as you're competent at marketing. Nothing gets people searching for alternatives as consistently as frustration, and a product that was lazily built with AI (vibe coded or otherwise) is going to be full of bugs and papercuts that make using it a poor experience. This is particularly true for software that sits in the hot path of peoples' workflows, where thoughtless design, misbehavior, and poor optimization chip away at time the user can't afford to spare. In short: yes, competition will be plentiful but it will also be almost entirely awful, and capable SWEs can capitalize on that. It won't take much to stand out amongst the mountains of garbage that will be generated in the coming years.
Well, if someone could create a drop-in replacement for Oracle-DB, Adobe Creative or AutoCad in a month of vibe-coding, I think they could prosper without having their own good idea. I would like to see something like this. But if you're just talking the fairly simple apps that a single very talented programmer could pump out before this, sure, yeah.
> Which clones? Are you seriously contending that apps that have Obsidians functionality don't exist? Just on HN alone, throughout 2023 - 2025 we were seing like one new TODO app show up on HN weekly! > And why not the others? Because money is the moat, and they have it! That was my entire point - money is the moat .
You are not making sense. > Just on HN alone, throughout 2023 - 2025 we were seing like one new TODO app show up on HN weekly! This response shows you missed my point entirely. I am saying a todo app does not a PKM make! I'm not interested in a vibe-coded todo app, it is useless to me. > Because money is the moat, and they have it! You're sidestepping issue and contradicting yourself. I asked: if cloning is so easy, why has no one cloned the JetBrains IDEs, for example? Remember, I'm not talking about what happens after the cloning. Are you saying no one has cloned Jetbrains because it takes a lot of money to do so? That would contradict your claim that AI makes it easy.
I think you have it backwards. Regulation is what enables monopolies. There is no monopoly for any of the major industries like cow herding or cellular telephone service in Somalia despite almost no effective regulation. There is not even a monopoly of pirates despite them willing to use violence to try and enforce a monopoly. If you look at the history of the US, for instance, railroad regulation was brought forth largely by the railroads because they found it impossible to form a cartel to keep up prices (due to "secret" discounting) so instead they created regulation that outlawed the kind of discounting that breaks cartels apart. A similar thing happened in banking where the banks asked for a central bank to cartelize the interest ranks to stabilize their oligopoly. And the same in pharma industry -- big pharma loves high regulatory barriers because it keeps competitors out. A large portion of the regulation in the US was brought about as regulatory capture by corporations to increase the monopolizing effects and destroy the free market.
> There is no monopoly for any of the major industries like cow herding or cellular telephone service in Somalia Kinda a terrible example, as cellular telephones are highly regulated in Somalia: https://en.wikipedia.org/wiki/National_Communication_Authority_of_Somalia
Show HN: CEL by Example (celbyexample.com)
I think people commenting misunderstood what CEL offers. Remember the famous https://en.wikipedia.org/wiki/Greenspun%27s_tenth_rule ? > Any sufficiently complicated C or Fortran program contains an ad hoc, informally-specified, bug-ridden, slow implementation of half of Common Lisp. CEL is a well specified, reasonably fast "embeddable" language with familiar syntax. I'm sure there are other languages that fits the description though.
I would love if languages like Scala, Swift or F# had something like Cel but running at compile time so your program was evaluated against those restrictions. I believe a language called Idris has something like this
Are you suggesting to compile CEL into native code and run the compiled code at runtime (i.e. as a predicate function)? I think this is doable and I vaguely remember this was how it's implemented initially. But most use cases are treating CEL as a user provided config, which requires runtime parsing and execution.
It seems weird to require an entirely new programming language for this tbh. They make the claim that it is special because it's not Turing-complete, but that's nonsense. Turing completeness is almost never a property that is important. I think in this case they're equating Turing incompleteness with "doesn't take a long time to execute" but that isn't really the case at all. The property you really want is "can be cancelled after a certain amount of compute time - ideally a deterministic amount", and you can obviously do that with Turing complete languages.
Query DSLs are designed to simplify query planning by intentionally avoiding certain language features. You have many different choices on how to execute a query - in SQL for example, there's table scans, index seeks/scans, joins, etc. and you can execute them in different order. By being able to analyze the query upfront you can estimate the relative costs of different plans and choose the best one. Less powerful languages result in more predictable estimates because they're simpler to analyze.
You can estimate cost of CEL program using static analysis before running it. "estimate" only because size of runtime data is generally unknown (but obv you could limit that).
"You can" - in theory, or does this actually exist?
Well CEL doesn't offer that guarantee. For any given "certain amount of time" you can write a CEL filter that takes longer.
Correct, but you can also reject filters that will take longer statically. The point is not "any arbitrary CEL program will run in less than 10us", it's that I can encode "do not allow filters that take more than 10us to evaluate" an then have a very high degree of confidence that that will be true for any user provided filter that is accepted (and if I'm wrong it'll be...11us, not 5s) In the common use-cases for CEL that I've seen, you don't want to skip evaluation and fail open or closed arbitrarily. That can mean things like "abusive user gets access to data they should not be allowed to access because rule evaluation was skipped". You also may have tons of rules and be evaluating them very often, so speed is important.
 Top