Hear, hear. I also have ADHD, though I couldn't use stimulant medications due to bad reactions to them, but I've had success with non-stimulant medications (Strattera, aka atomoxetine [1]).
A big thing I struggled with prior to medical treatment that I don't often hear discussed about ADHD was rejection sensitivity.
For those unfamiliar: imagine a time someone said something that hurt your feelings or caused a strong emotional reaction.
Now imagine that as a routine emotional response to day-to-day interactions. Feeling intensely sad, irritated, insulted, etc. to extents completely out of proportion to whatever was said or even implied.
It’s brutal. It contributes to a lot of depression and social anxiety for folks with ADHD. It doesn’t matter if you’re aware of the response being disproportionate—you get to go on that emotional roller coaster whenever somebody says they don’t care for your favorite food, accidentally cut you off in a conversation, or the day just turns out differently than you were expecting.
Medical treatment makes a huge difference—in my particular case the difference between feeling like I had the emotional regulation of a toddler and not needing to constantly question every emotion I felt prior to responding to things I was reacting to.
Stimulant medications didn’t work for me, but they do this for most people with ADHD (more effectively, too!) and like alterom it saddens me whenever FUD like this crops up.
Rejection sensitivity may be the reason I detest to-do lists. The lists inevitably languish and slowly turn into a perpetual reminder of who I haven't become, i.e. a rejection from past-me.
If I were to put on my security hat, things like this give me shivers. It's one thing if you control the script and specified the dependencies. For any other use case, you're trusting the script author not to install Python dependencies that could be hiding all manner of defects or malicious intent.
This isn't a knock against UV, but more a criticism of dynamic dependency resolution. I'd feel much better about this if UV had a way to whitelist specific dependencies/dependency versions.
If you’re executing a script from an untrusted source, you should be examining it anyway. If it fails to execute because you haven’t installed the correct dependencies, that’s an inconvenience, not a lucky security benefit. You can write a reverse shell in Python with no dependencies and just a few lines of code.
It's a stretch from "executing a script with a build user" or "from a validated distro immutable package" to "allowing something to download evergreen code and install files everywhere on the system".
I've used Tiger/Saint/Satan/COPS in the distant past. But I think they're somewhat obsoleted by modern packaging and security like AppArmor and SELinux, not to mention Docker and similar isolators.
Most people like their distro to vet these things. uv et al. had a reason when Python 2 and 3 were a mess. I think that time is way behind us. pip is mostly to install libraries, and even that is mostly already done by the distros.
Sorry, I was half asleep! Meant that you can easily look at the code in the script and audit what it does – you can just run `cat` on it and you're done!
But it’s much harder to inspect what the imports are going to do and be sure they’re free of any unsavory behavior.
If that's your concern you should be auditing the script and the dependencies anyway, whether they're in a lock file or in the script. It's just as easy to put malicious stuff in a requirements.txt.
There's a completely irrational knee-jerk reaction to curl|sh. Do you trust the source or not? People who gripe about this will think nothing of downloading a tarball and running "make install", or downloading an executable and installing it in /usr/local/bin.
I will happily copy-paste this from any source I trust, for the same reason I'll happily install their software any other way.
It really depends on the use case. A one-off install on a laptop that I don't use for anything that gets close to production - fine by me.
For anything that I want to depend on, I prefer stronger auditability to ease of install. I get it, theoretically you can do the exact same thing with curl/sh as with git download/inspecting dependencies, installing the source and so on. But in reality, I'm lazy (and per another thread, a 70s hippie) and would like to nix any temptation to cut corners in the bud.
I hate that curl $SOMETHING | sh has become normalized. One does not _have_ to blindly pipe something to a shell. It's quite possible to pull the script in a manner that allows examination. That Homebrew also endorses this behaviour doesn't make it any less of a risky abdication of administrative agency.
But then I'm a weirdo that takes personal offense at tools hijacking my rc / PATH, and keep things like homebrew at arm's length, explicitly calling shellenv when I need to use it.
It’s not an unreasonable take given historic behavior. Rather than decrying the cynicism, what steps can we take to ensure companies like Tesla/Waymo/etc are held accountable and incentivized to prioritize safety?
Do we need harsher fines? Give auto regulators as many teeth as the FAA used to have during accident investigations?
Genuinely curious to see how addressing reasonable concerns in these areas can be done.
Why isn't allowing people to sue when they get hurt and general bad PR around safety enough? Did you see what happened to Boeing's stock price after those 737 crashes?
I'd counter that with the Equifax breach that raised their stock price when it became clear they weren't being fined into oblivion. Suing is also generally only a realistic option if you have money for a lawyer.
Right. We have a precedent for how to have a ridiculously safe transportation system: accidents are investigated by the NTSB, and every accident is treated as an opportunity to make sure that particular failure never happens again.
I agree. But Google has gone in that direction long ago: ads are now harder to distinguish from genuine search results. In many cases, the organic results are buried so deep that they don’t even appear in the first visible section of the page anymore.
Google could also have allowed invisible pay-for-placement without marking it as an ad. Presumably they didn't do that because undermining the perceived trustworthiness of their search results would have been a net loss. I wonder if chat will go in that same direction or not.
Pretty sure it's illegal to present advertisement and not label it as such in some form.
But as with everything, as new technologies emerge, you can devise legal loopholes that don't totally apply to you and probably need regulation before it's decided that "yeah, actually, that does apply to me".
Let's keep this conversation productive. I don't read OP's comment anything like your response seems to imply.
While I don't think OP's point about morals is relevant here (they vary widely from culture to culture), equating the stock market to gambling misses out on a lot of nuance. Your average 401k retirement fund is going to outperform your average gambler 100% of the time over one's lifetime. Long term investments also tend to not prey on addictive patterns of behavior.
I personally think for a society to function well, it behooves us to recognize when there are certain patterns or behaviors that are self-destructive if left unchecked. I feel addictive drugs and gambling fall into this category. That's not to say banning this behavior is the right call, but there's a lot of space to explore productive policies between full-on bans and anything-goes.
Former Shopifolk here. As of 2022 - 2023 they had some private packages in their SCM and an internal Artifactory deployment that was a caching proxy of RubyGems and other upstream dependencies. This may have changed since, but as far as I'm aware many Shopify devs occasionally volunteer time and fixes to RubyGems and related projects.
They certainly have the capacity to run their own full-on mirror service, but I doubt they have serious incentive to do so given existing controls and culture re: Ruby and OSS contributions.
Absolutely. A lot of data security risk is gauged by who has access to what, and the sad fact is that many teams don’t use row or column level security for ergonomic reasons. Features like this would do a lot to make these features easier to reason about, understand, and verify.
"Don't get greedy" and similar variations assume intent rather than what I see as the reality of how companies operate within the US--not a failing of individual virtues. If you're a public company, your shareholders will want stock prices to go up and are more than happy to use their shares to vote for whoever is willing to make that happen.
This is, of course, an exaggeration. Not all shareholders value profits above all else, but many big ones do. Ignoring what incentives (and disincentives) are put on a business drive its behavior. If you want something contrary to those incentives, you need to change those pressures or you're doomed to be disappointed.
Is there a minimum percentage of voting stock you have to issue in US law? IIRC, Google is split in half into voting and non-voting shares with a clause in their incorporation to buy back shares to keep their prices roughly equal.
I came to similar conclusions. I was very off-put by equating what's effectively free speech to political violence.
We’re entitled as citizens of the US to say things. We are not entitled to not be made fun of if our ideas aren’t acceptable to someone else. This cuts both ways.
Odd article. I agree on points made about political violence being counterproductive, but the author goes on to imply ridicule of others is as problematic in the same sentence.
Killing someone is a very, very different thing from ridicule and it’s important to recognize this.
While I wouldn’t say ridicule is productive, criticism of problematic ideas absolutely is. I don’t think Charlie deserved to be shot.
At the same time, it is absolutely healthy and important to reject certain ideologies that are counter to the foundational ideas of a society if you want to maintain said society. For the US, I believe that's anything that erodes the rule of law and disenfranchises citizenry from participating in the democratic process.
I’m not deeply familiar with Kirk or his assailant’s ideologies, but I sure as hell hope the US as a country can move away from a lot of the political extremism motivating this violence. I suspect I’ll be disappointed—a lot of people are hurting and that’s hard to come back from—but I hope.