
Another day, another reason ipv6 should have been ipv4 with more bits.


Has anyone done a piece on Second System Syndrome and IPv6? (Surely?)


Lock files are only needed because of version ranging.

Maven worked fine without semantic versioning and lock files.

Edit: Changed "semantic versioning" to "version ranging"


> Maven worked fine without semantic versioning and lock files.

No, it actually has the exact same problem. You add a dependency, and that dependency specifies a sub-dependency against, say, version `[1.0,)`. Now you install your dependencies on a new machine and nothing works. Why? Because the sub-dependency released version 2.0 that's incompatible with the dependency you're directly referencing. Nobody likes helping to onboard the new guy when he goes to install dependencies on his laptop and stuff just doesn't work because the versions of sub-dependencies are silently different. Lock files completely avoid this.


It is possible to set version ranges but it is hard to see this in the real world. Everyone is using pinned dependencies.

Version ranges are a really bad idea, which we can see in NPM.


My apologies I should have said "version ranging" instead of "semantic versioning".

Before version ranging, Maven dependency resolution was deterministic.


Always using exact versions avoids this (your pom.xml essentially is the lock file), but it effectively meant you could never upgrade anything unless every dependency and transitive dependency also supported the new version. That could mean upgrading dozens of things for a critical patch. And it's surely one of the reasons log4j was so painful to get past.


I’ve been out of the Java ecosystem for a while, so I wasn’t involved in patching anything for log4j, but I don’t see why it would be difficult for the majority of projects.

Should just be a version bump in one place.

In the general case Java and Maven don't support multiple versions of the same library being loaded at once (not without tricks at least, custom class loaders or shaded deps), so it shouldn't matter what transitive dependencies depend on.


Right, that's the problem. Let's say I rely on 1.0.1. I want to upgrade to 1.0.2. Everything that also relies on 1.0.1 also needs to be upgraded.

It effectively means I can only have versions of dependencies that rely on the exact version that I'm updating to. Have a dependency still on 1.0.1 with no upgrade available? You're stuck.

Even worse, let's say you depend on A, which depends on B, and B has an update to 1.0.2. If A doesn't support the new version of B, you're equally stuck.


Maven also has some terrible design where it will allow incompatible transitive dependencies to be used, one overwriting the other based on “nearest wins” rather than returning an error.


There are a small number of culprits, from logging libraries to Guava and Netty, that can cause these issues. For these you can use the Shade plugin: https://maven.apache.org/plugins/maven-shade-plugin/


If in some supply chain attack someone switches out a version's code under your seating apparatus, then good luck without lock files. I for one prefer being notified about checksums of things suddenly changing.


Maven releases are immutable


Sounds like the Common Lisp approach, where there are editions or what they call them and those are sets of dependencies at specific versions.

But the problem with that is, when you need another version of a library, that is not in that edition. For example when a backdoor or CVE gets discovered, that you have to fix asap, you might not want to wait for the next Maven release. Furthermore, Maven is Java ecosystem stuff, where things tend to move quite slowly (enterprisey) and comes with its own set of issues.


Infrastructure has long been a tiny portion of Wikipedia's costs. I think Wikipedia even makes it easy to export all of its data; I don't think AI scrapers would be a significant new cost.


These are two very different cost factors. Scrapers don't use the available data dumps, that's why they scrape. They are also kind of dumb as they get lost in link structures constantly, which leads to unnecessary traffic spikes.


I would like to see a chart that compares the disk price costs, versus cloud storage costs over the last 10 years.

It seems like they haven’t really kept pace at all. Obviously cloud providers have many costs other than disks, but I’m a bit disappointed by how much more expensive it is.


I'd like this chart but for the past 50 years.


I have one for the past 5,000 years.

OK, it's just an "L" laid on its side...


Needs to be a semi-log graph then :)


So I understand why preferring ipv4 would fix an issue while using DNS, but why would Java fail to connect when directly using the ip address?


Agreed, adding to this, if a malicious actor already has the ability to execute arbitrary Lua scripts on your Redis instance, then you are probably already pretty screwed.


I've got nothing bad to say about the vuln research here, I'm sure it's a great bug, just this CVSS stuff is a farce and everyone seriously working in the field seems to agree, but we're just completely path-dependently locked in to it.


If the Lua "sandbox" is actually a decent sandbox, then the most you could do before was DoS the box. DoS <<<<< RCE


I see downvotes but no explanations why -- what is wrong with my claim?


I believe the context is that the CVE is that this bypasses the sandbox entirely; so in this specific case this is a real, full-blown RCE. Your comment makes it seem at a glance that you're saying it's a DoS at worst.


Thanks for replying, but my comment is not saying that at all -- it's pushing back on someone making the claim that the new CVE is no worse than what could already be done, by pointing out that what could already be done was (presumably) only a DoS, while the new CVE is full RCE.

I've reread my comment and the parent comment, and I don't understand how this is not clear?


The Lua interpreter in Redis doesn't allow you to run regular code, you can't even "print", not to mention loading libraries as in the regular Lua interpreter. It's a sandboxed one with very minimal operations you can do.


The vulnerability appears to _be_ a Lua sandbox escape.


Doesn't feel all that long ago when Intel pushed Nvidia out of the chipset market, and how that felt almost existential for Nvidia at the time.

Tables have turned a fair bit since then.


They could fix the camera bump and improve the battery life, just by making the phone thicker.

With the introduction of the iPhone Air, it would have been a great opportunity to do this on the normal model.

Those who care about phone thickness could buy the Air, and the rest of us could have our large battery flat phones.


This. I don't want a very thin phone — I want one that fits in my pocket smoothly, and the bump ruins that. Give me a thicker phone, with a bigger battery and rounded edges like the original iPhone.


it's like that Mach 20 razor. keep adding more!

https://m.youtube.com/watch?v=m6GpIOhbqRo


You know, I forgot my razor and was on vacation in a very touristy place which only had expensive, "luxury" brands of everything just to pump up the price. So I got stuck buying one of those Mach 4's. I have to say, it was actually a very nice shave. I'm usually a total skeptic, and obviously Mad did a great job with this commercial, but there is something to be said for that product. I haven't bothered paying the higher price for it in general, but I do kinda miss it.


First time I'm seeing an ad on hacker news, well disguised.


Interesting! I hadn’t seen that Mad TV ad before. It’s quite reminiscent of this one from The Late Show on Australian TV in 1992. I can totally see people having a similar idea from the same blade escalation process.

https://www.youtube.com/watch?v=gStI9ysPrhs


They put the new battery into the other iPhones. +6-7 hours battery life over the previous generation.


No one would buy it (by Apple standards) because no one is asking for an over half pound phone. I bet a 17 Pro with a flat back that was all battery would approach a pound.


You can do that easily. You just have to give more money to Apple to buy the case and attachable battery pack.


This is not true. None of the Apple cases (or third party cases) give a flush finish to the entire phone. They just add a new, bigger, larger bump below the camera bump which lets the phone basically lie flat. It does not make it easier to smoothly fit into a pocket or anything like that, and the phone is still wobbly while placed face-up on a surface.


Some more context from the linked GitHub issue [0]: the app was removed because of European sanctions against Russia; it seems that the app developer, who now lives in Malta, has a Russian background.

What is interesting is that it's Apple enforcing these sanctions, rather than AltStore.

The amount of control that Apple exercises over these alternative app stores really does seem to be against the spirit of the DMA.

[0]: https://github.com/XITRIX/iTorrent/issues/401#issuecomment-3...


That’s also weird to me. I don’t have current 2025 info on the sanctions, but back in early 2022 I had a colleague with Russian citizenship who was living in Ireland (with proper permission to live and work - I think even permanent residence). He was exempted from the nationality-based sanctions because of his EU residence, although he did have to prove it to e.g. his banks.

Do the sanctions applicable in 2025 apply even to EU residents of Russian nationality or origin without such an exemption, or is this person covered by more narrow sanctions like one which name him individually, or is Apple going beyond the sanctions rules here for a store they don’t even operate?

Edit: reading the linked GitHub discussion more closely, it seems that he expects to benefit from the same exemption as I was describing, with the problem being twofold: one, the developer had neglected to update his personal info in Apple’s dev portal - not Apple’s fault, at least assuming that sanctions enforcement is their job at all in this scenario. But two, Apple has taken a long time to react to this guy providing proof of his Maltese residence, so that’s on them for being an unresponsive bottleneck.


> But two, Apple has taken a long time to react to this guy providing proof of his Maltese residence, so that’s on them for being an unresponsive bottleneck.

Someone I know has Maltese citizenship. From the stories they've told, the unresponsive party might not be Apple.

(At one point, my friend had to show up at the Maltese immigration office in person to get them to respond to an inquiry.)


AFAIK Apple doesn't actually check with the governments, they just look at the PDFs you send them.


The proof of residence that he said he sent Apple was his Maltese residence permit, so unless Apple verifies provided documents with the issuing authorities (honestly doubtful), the bottleneck is within Apple and/or anyone to whom they outsource these appeals.


You're technically right, but entities find it easier to just ban everyone suspicious than to devote time and manpower to actually investigate.


No due process from corporations.


And 3, Apple asking for a photo of the ID instead of using eID so the entire process can be tap > Face ID (in your country’s eID app) > done.

Also for some reason on App Store Connect, Apple is asking for a country of birth, not citizenship so with that alone, it’s unclear to me how can they make a determination at all.

Once again, our random spawn point (of which we have no control) is interfering with what we can and can’t do in life. Oh and Apple totally not getting how people live and move in the EU.


> Once again, our random spawn point (of which we have no control) is interfering with what we can and can’t do in life.

This is how wartime works.


My understanding is that the EU sanctions themselves do care about place of birth, separately from citizenship, not just Apple’s implementation. I’ve certainly seen such a question in non-Apple implementations of these sanctions.

As for not supporting eID, yeah that isn’t great, but so many people have non-electronic EU residence permits (including me within the last few years - though I don’t have Russian origin or citizenship) that they’d have to support the non-eID flow regardless. Maybe they wanted one fewer flow to implement, or maybe they felt that eID verification didn’t meet their compliance needs. No idea there.


>And 3, Apple asking for a photo of the ID instead of using eID so the entire process can be tap > Face ID (in your country’s eID app) > done.

Because actual technology is alien to Americans. We are still signing documents as if that means securitah.


> our random spawn point

It's not random.


That depends on your beliefs. People who believed in caste systems definitely believed it's not random.


It might be random. Nobody guarantees it is uniformly random.


Damn, I must have skipped through the customization wizard.


> European sanctions against Russia

Last time I checked, if there are no sanctions against you personally you shouldn't have any troubles?

I believe sanctions lists are public, so that has to be verifiable by searching for "Daniil Vinogradov". A quick search on the EU sanctions tracker [0] did not yield any results. Neither did [1]. So what's up with that?

[0]: https://data.europa.eu/apps/eusanctionstracker/

[1]: https://sanctionssearch.ofac.treas.gov/


That statement cannot be taken at face value. Russian developers and Russian registered entities are freely publishing apps on App Store. EU sanctions do not prevent that.


> What is interesting is that it's Apple enforcing these sanctions, rather than AltStore.

That's quite a red flag. Apple demonstrated that despite their seeming compliance with the EU DMA, they are still indirectly in control of ALL digital markets.

This is still an uneven playing field, and I hope the EU is not blinded by this "feature demonstration" of Apple now...


Lots of Russian apps and services registered in Malta or Cyprus, but their devs continue to live in Russia. And naive users think they’re using a European app or service. For example Adguard.


It's not the first time I've noticed you spreading this misinformation on HN, so let me respond.

Most of AdGuard's staff relocated in 2022, and I (CTO and co-founder of AdGuard) personally live in Limassol, Cyprus. We commented on that publicly, but it seems that random forum posts are often regarded as more reliable sources of information.

I am totally fine with anyone not trusting AdGuard for any reason, but please keep your statements factually correct.

PS: Sorry for sticking a small promo in the comment, but this year we're organizing the annual summit (adfilteringdevsummit.com) for ad blockers' devs on our home turf in Limassol, a perfect opportunity to meet us, other ad blockers and even browsers' devs.


> "Most of AdGuard's staff relocated in 2022"

So a lot of your staff remain in Russia?

If you've still got most of your devs working in Russia, and it looks like that from your github projects, I'm not sure what part of the comment you responded to is not correct or misinformation.


Most of the employees relocated including senior staff, devs and people with access. We still have some contractors working from there, mostly in support service, content and qa. Not "most" or "a lot", but nevertheless.

We encourage people to move closer to the head office, but as long as it's not required by law, we’re not going to force people to move out, as I know very well how hard it is.

> and it looks like that from your github projects

You do realize that a Russian name != working in Russia, right?

> I'm not sure what part of the comment you responded to is not correct or misinformation

The parts where:

1. It's implied that the company is just "registered".

2. It's implied that the company is not European.

3. It's said that devs reside in Russia.

All three are factually incorrect.

AdGuard has been around for 16+ years, and throughout this time I've seen similar accusations many times. I am generally fine with them — that's life — but today I just wasn't in the mood, sorry for that. Anyways, this is one more reason to have more code published to open source, a win-win for all.


Citation needed.


The AdGuard CTO and cofounder just replied to my comment, called it misinformation, but then confirmed that a large amount of their team continues to work from Russia.

If you trust devs working in Russia with your or your company's DNS security, you're insane.


> that a large amount of their team

no the opposite

they also clarified it further

but you either seem to intentionally want to misunderstand people or have severely lacking reading comprehension

either way you can always speculate that they are not saying the truth but you intentionally misquoting people just makes you look like a fool


His detailed clarification came after my reply to you. Prior to that his statement was that most of their employees were no longer living in Russia, which implied that some percentage of employees still lived in Russia. He clarifies that it's just contractors and support without access, which is much better than some of their employees still working from Russia.

AdGuard would still be outside my comfort margins because of exposure to the Russian government through friends and family.


Thanks for understanding and sorry if my comment sounded too harsh. Over the past few years we went through a lot and when I hear that AdGuard is just registered I may overreact.

As for your position, I respect it and as much as I'd like to say otherwise, under certain circumstances it can be reasonable.


Indeed, I thought the whole point of alternative app stores is that it’s not Apple’s decision any more whether an app can be installed or not. This looks like another case of malicious compliance.


There is a lack of proof that the developer is linked to a sanctioned entity. Not saying it isn't, but The Verge should be at least trying to verify that IMHO (instead of taking the statement at face value); I'd even trust a "we verified it but won't publish to protect the developer".


> Amazon doesn't provide useful tools for building durable multi-AZ applications. Most customers are not going to implement Paxos

Don't really agree here, yes they screw you financially on cross-AZ bandwidth, but all of their popular services are built to work well across availability zones.

Most people don't need access to a low level consensus service like Paxos; instead they will be using one of Amazon's managed database services, or S3, that provides higher level abstractions and automatically manages consensus behind the scenes.


Unless it's DocumentDB, in which case it manages it in front of the scenes by just freezing the entire DB for minutes on end.

