Unit tests work well with PGlite, at least in the TS/JS world where it natively sits at the moment. You can have a unique Postgres instance for each unit test that's up and running in just a few ms.
It's possible to use PGlite from any language using native Postgres clients and pg-gateway, but you lose some of the nice test DX when it's embedded directly in the test code.
I'm hopeful that we can bring PGlite to other platforms, it's being actively worked on.
The other thing I hope we can look at at some point is instant forks of in-memory databases; it would make it possible to set up a test db once and then reset it to a known state for each test.
You don't even need to install it. It doesn't take a lot of code to run initdb to create a temporary instance, write a suitable configuration file, launch the postmaster process, and delete the temporary database directory tree after terminating the database after testing is complete. On a not-too-fast Linux system, the time for all that is around half a second. Too much overhead for individual unit tests, but fast enough to run once per test suite run.
I want to test with the same API as my database, which means using the same database. Setting up an instance of Postgres/MySQL/whatever isn't hard. Maybe harder if you're using an online database that doesn't fit into a container, but that's a different problem.
This has certainly been my experience. It's pretty hard to get ChatGPT to tell me I'm fundamentally wrong about something. But I see the problem as similar to getting feedback from people, since most people are hesitant to outright disagree with you. So you have to phrase things in ways that encourage the person to be more forthright, and this works to an extent with LLMs as well.
If you want constructive feedback and to be told you are wrong, then you need to craft a system prompt for it. They have been trained to be agreeable and tell you your ideas are great.
If you ask for an assessment of something, it's often as easy as adding "be critical" to your prompt. e.g.:
"What do you think of this short essay?"
"What do you think of this short essay? Be critical."
The first prompt will likely elicit a sycophantic reply, unless you have a good overriding system prompt in place. You'll always get much better feedback with the second.
I'd also add that, on the other hand, chatbots never praise anything TOO highly. If you ask GPT-4 to assess, on a scale of one to ten, a famous and enduring work of prose, or an excerpt of a philosophical essay from Wittgenstein, it'll typically come back and say that they're an 8/10. Rarely 9/10. Never 10/10, no matter what you submit.
Getting LLMs to argue or to ask for more context rather than always offering an answer are among the most difficult interactions to elicit. There's a big gap between helpful and obsequious, and unfortunately society often selects for the latter.
Might want to add `overflow: hidden` on the container with `border-radius` (.SharedDirectory-module__section___1ljf9). Currently hovering over the first link shows a background over the rounded corners.
I read this as “Steven Spielberg uses this: my 2020 desk setup” before I clicked through. I was so amazed that Spielberg used a tiling window manager before I went back and figured out my mistake!
You're probably coming out of an environment where you spent lots of time with lots of different people. Played sports with them, partied with them, studied with them, etc. Now you're going to spend your days in a possibly cramped apartment communicating over chat.
You're less likely to have the discipline or the experience to work on your own.
You may not have much of a separate social group where you're now living.
Obviously, everyone is a bit different. But I know I'm pretty happy to sit at home these days. I'm sure I would have hated it when I was starting out--and wouldn't have been nearly as effective.
Give me software updates for 7+ years, then we'll talk about buying your $700 phone. Lasting hardware means nothing without lasting software.
In the meanwhile, I'll keep buying $120 phones (Moto G4 with Amazon Ads FTW) and keeping them for ~2 years until they break or software updates stop. Even though as a Catholic (Laudato Si, Rerum Novarum) it kills me to waste all those materials every couple of years and be part of the environmental degradation of our planet.
I've had mine a year and a half, and it doesn't even feel close to struggling with things. Performance is great.
Yet, it's going to be artificially deprived of the latest Android releases starting one month from now, and won't even receive security updates after September 2018. It's absurd.
Note that it's a "guaranteed" date. Considering Android O works with Nexus 6P devices, I don't see them arbitrarily pulling the rug out from under us quite yet. I also don't imagine that any O point release will stop support either, so we'll likely see the 6P updated through the life of O.
That being said, three years seems like a ridiculously short "guaranteed support" lifetime... especially considering the iPhone 5 (released nearly 5 years ago) is losing support this year.
Well at least the 6P will get Android 8 and another year of security updates. Which is more than I can say for the rest of the Android phones not made by Google.
Lineage OS isn't a substitute for vendor support. Lineage is dependent on vendors for updated drivers and firmware blobs. So if there's a bug in the firmware, like the recent BCM43xx vulnerability, you are still SOL if the particular chip in your device is no longer supported by the vendor.
I have a Nexus 6P, and have to disagree on the hardware. I had to replace my battery to not have shutdown problems at about 25%. I also regularly see the need for 4GB or 6GB of memory instead of just 3GB.
> Even though as a Catholic (Laudato Si, Rerum Novarum) it kills me to waste all those materials every couple of years and be part of the environmental degradation of our planet
It's not your Catholicism that makes you feel bad for polluting, it's your humanity. If Pope Francis turned around and said there's no climate change and we should all have tyre bonfires for christmas, would you be on-board with that?
Though you wouldn't know it from observing many Christians, environmental stewardship is a Biblical mandate. Of course, it is possible to have the same conclusion through non-faith means, but that doesn't preclude the ability of a person to derive their view—at least in part—from their religious faith.
Also, despite the Catholic church's hierarchical structure, a large portion of the church does not blindly follow the Pope's every decree. 86 percent of Catholics find birth control to be "morally acceptable", according to one survey ( https://www.nytimes.com/2015/01/25/opinion/sunday/frank-brun... ).
I was raised Catholic, in a Catholic country, and I don't ever recall being taught environment stewardship as being a biblical mandate. All that came from my parents, from common sense, from a love of nature and from 80s kids TV.
I don't want to get caught up in a religious argument, but I think it's far more likely that people attribute a particular view to their religious beliefs as a way of validating them than they believe the environment is precious solely because the Bible told them.
Well Pope Francis is not a denier, and in some sense the Church scientists are the least biased in the world, since they are beholden to no one but God. They don't need to be published or get tenure. They can go with or against both academic and political orthodoxy as they choose.
So if Francis came out and said climate change is not a concern I would actually pay pretty serious attention to that. And I'm not even Catholic.
I grew up in a Catholic family, that's what they teach you in catechism. They also teach you that the universe was created in literally seven days. But if you keep your chain of asking "how?" long enough before they yell at you, they'll also tell you that such a statement is not to be taken "literally".
YMMV - I was raised a Catholic and never got any literalist stuff about creation, or nonsense about dinosaur bones being planted to confuse us. Nor is it in the catechism as such - there is quite enough unbelievable stuff in there as it is...
Hah, Catholic guilt and environmentalism work together so well.
Yeah, I feel bad for taking a similar lifetime on my phones - I wish there was a company with the kind of reputation for craftsmanship and long-term support that Apple has that would offer stock Google Android devices.
I know, but from an environmental perspective it would be nice to be confident that I could get a reasonable 4-year-life out of a new flagship phone, rather than going through rare earths and energy to make disposable 2-year phones.
I'm 90% sure this is because Qualcomm won't give out the source to various drivers. Instead you get a binary blob to deal with which makes the interface with other parts of the system untenable over time.
You are (mostly) correct. Either qcom doesn't give you blob updates (sometimes) or they don't update vendor/qcom/proprietary for new releases (most of the time). Partially on qcom, partially on OEMs.
I used an iPhone 5 for three years, but just replaced it this spring because the battery was worn down and the port was unreliable, and, mostly, I got tired of the newer OSes not performing very well :S. So I got a refurbished iPhone SE (300$) to replace it.
I'm on Android 4 as I'm typing this and the only reason I'm even considering a new phone is that apps have gotten a bit more demanding of the CPU, i.e. my hardware is too slow for a handful of apps now. What do you find so critical about OS/OEM software updates that you find a need to buy a new phone every 1-2 years?
But your email app will still get updates right? (I guess I'm using Gmail and assuming you are using something like it that gets updates too, but maybe I'm wrong.) Same with SMS - lots of apps that get updates. What's the exact issue?
Most will, some will drop support after it's X major releases behind. But that's not really the issue; the underlying system has a lot of security issues (as all complex systems do).
Granted, I'm sure a lot of these CVEs are very low risk, and some are duplicates (because CVE). But there were a couple of notable really bad security issues. But this is just Android, not all of the dependencies Android has.
StageFright was already mentioned, and there have been a couple of iterations of this already, stemming from different bugs in a parsing library used with MMS. Included in this is a remote code execution and a privilege escalation.
Another fun one is Broadpwn, which is a rather new one and was disclosed at Black Hat US this year. It affects both iOS and Android and can be wormed trivially. It targets a widely used Broadcom wifi chipset, and does not require _any_ user interaction. A malformed SSID broadcast allows for remote code execution. And when I say any user interaction, you can walk by something broadcasting this and you're infected.
Regarding Broadpwn: I wasn't aware of it, but at the same time -- has it actually been exploited, and has it been patched in more recent hardware or OSes? If the upgrade doesn't help mitigate an actual, existing threat then upgrading doesn't solve anything.
To put it another way: if you learn of a very serious exploit like this in the wild and an upgrade is the only way to solve it -- by all means, go ahead and upgrade. I'm not saying you should never upgrade, nor am I saying serious security vulnerabilities cannot pop up. But neither in any way implies you need a periodic 1-2-year hardware/OS refresh. A refresh could be justified in 1 day or in 10 years; it just depends on what the actual threats and mitigations are. Remember what the original discussion was about: it was about whether the periodic refresh is justified.
There is no way I'm going to be continually looking for new incoming CVEs that affect my old phone and making sure I have solid workarounds. The risk is too high that I'd miss one, mess up a fix, and then be vulnerable. And even if the risk wasn't that high, we're talking about a lot of time sunk into looking through security postings and verifying my own fixes/workarounds. It doesn't have to take too many minutes per year before it's worth me buying a new $130 Moto E or whatever. As in like, 1 hour per three years or something.
This is the same reason why I don't run a computer OS at home that isn't patched to the latest security updates. I am not going to run Windows XP at home and just disable / find workarounds for every single one of the probably-thousands of risks. That's insane.
That's a total straw man. You don't need to keep up with CVEs. You really think I learned about e.g. StageFright through reading CVEs or expected you to do that? If there's a serious vulnerability that actually needs your attention, you will read about it in the news (certainly on HN, most likely also the general news if it affects a sizable population). You will become aware of it somehow, most likely before a patch is even released. You won't need to put any time into it until it happens, and even then the mitigation (like e.g. disabling automatic MMS download here) will usually be far faster than the time to buy a new phone, set up your apps again, and move everything over. Not to mention that the phone you buy won't be updated to that very day anyway, so you'll have more upgrading to do soon after. Seriously, you're way blowing it out of proportion.
> If there's a serious vulnerability that actually needs your attention, you will read about it in the news
The ol' security through tech press approach. Seriously though, you can't have the security of your devices dependent on whether or not someone has come up with a catchy name for their exploit. The exploits with names like Broadpwn and StageFright are the exceptions, not the rules; there are plenty of critical CVEs that have never had cool names or tech articles written about them. Even if an exploit has a cool name and some press, what if people don't upvote it when it gets posted here (or reddit/wherever)?
You seem to think that a security hole being "critical" implies you need to care about it. You do not. You only need to care about actual threats, not mere security holes. A "critical" CVE that nobody exploits is pretty darn pointless to worry about, just like how the fact that cellular communication is plaintext isn't really tickling too many people because the average criminal isn't using a Stingray. And an exploit that becomes widespread will get the press attention, precisely because people will want to know about it. (Unless you're the kind of person who's always one of the first few to catch a virus, in which case either you're a security researcher, or you're looking for trouble, or you're hanging out on the wrong networks...)
With Broadpwn: largely yes. Android and iOS both published security fixes before this was presented at Black Hat. But:
1. Android is kind of tricky though, as firmware updates generally come from the carrier, not the manufacturers, and even if it's from the manufacturers it's still downstream of the actual patches. But the factor is kind of moot if a phone isn't getting security upgrades.
2. Google has been trying to decouple security and firmware updates, but this is only on more recent phones.
As for how much of an issue this is, it's kind of impossible to tell. It's been out for less than a month at this point. And of course there are all the devices that are now unsupported and will not receive updates.
Ok for StageFright. Do you have those enabled? How many users do you think will?
re: Broadpwn: okay, so again: having upgraded every 1 year now wouldn't have helped you regarding Broadpwn as far as we're aware now, so I'm not sure what this example is supposed to show.
For StageFright: I assume by "enabled" you mean "disabled"? Yes, I've already mitigated; it took me like 30 seconds. See this comment [1]. I'm not claiming laymen would or should do this, but I wasn't making that claim originally either. I was responding to someone on HN who presumably understands something about technology and who felt guilty about buying phones and polluting the planet periodically just for the security updates. I'm saying he's most likely already more than capable enough to solve that problem without any tangible negative effects to himself. I'm doing that myself and it's working fine for me, I'm not losing any time to this at all, and I don't think I'm any better with phones than he is. It's completely possible and won't really cost you anything at all (it'll save you money and save the planet garbage); you just need to find the willpower. For a non-techy person the story might be different.
"Stagefright" is an Android vulnerability that allows attackers to exploit a device by sending a specially crafted MMS message. No user intervention is required, no dodgy apps need to be installed.
You're on Android 4, so your phone is vulnerable. If you use your phone for anything important, I'd suggest getting that new phone ASAP.
Actually I've already mitigated this by disabling automatic MMS download, and from what I read [1] it can be mitigated in other ways as well. It can't be done in every app, but then you can just use an app that lets you do this. So this is a non-issue. Any others you can think of?
The app-level "mitigation" is that media isn't automatically loaded. You are still just as vulnerable after you decide to play that innocuous-looking MP4 file.
I wasn't aware, thanks for mentioning that. However, the videos I watch are on YouTube and news sites and such... not sketchy sites. And I never play MP4s on my phone directly (unless they're videos I've recorded). I'm not sure many others do either, frankly. So how much do I need to worry and how much of a justification is this to upgrade the phone every 1-2 years?
Right, this is sort of the point. You were not aware; if you had based your defense against unpatched vulnerabilities on your knowledge 24 hours ago, you could quite easily have gotten pwned. Knowing about all vulnerabilities that could affect you and how they work is incredibly difficult. I don't want that risk (never mind that even if I was ok with that risk, my company would throw a fit if they found out I was using an unpatched OS).
I think to a large extent (i.e. enough to eliminate the worry in practice) it is how things work, actually. See my reply to the sister comment here: https://news.ycombinator.com/item?id=15040745
Apps do get updates, but they aren't the issue. The system/kernel/system libraries don't get updates and if they are compromised all your apps are compromised too.
If someone knows a vulnerability only in a normal app, he can't do anything but look at only this one app; with system access, well, he can do way more.
(Also Android got some additional security/privacy features after Android 4)
But the thing is, even if 100% of your apps are vulnerable, it doesn't mean anything unless the attacker can reach your phone somehow. That can only happen in 5 different ways: (1) Low-level Wi-Fi bug exploit, (2) SMS exploit, (3) Cellular exploit (like a Stingray), (4) Cellular internet connection (open ports, etc.), (5) App-level exploits.
I don't know of any critical examples of #1 that I would need to protect against where upgrading is my only solution (maybe I'll upgrade if I find one). #2 can be mitigated at the app level (see my reply to the other comment here) and probably faster so than the update you'd receive. #3 can't really be mitigated by phone updates. #4 is impractical since cells are behind carrier-grade NATs and don't have dedicated IP addresses to be reachable via the internet. And #5 just involves updating the app, not the OS or hardware.
If you can give me an example of an actual attack that cannot be prevented without upgrading the hardware or the OS, I would find that far more convincing than a hypothetical.
Has this (a) been exploited in the wild, and more importantly, (b) even actually patched in more recent phones?
Otherwise, how is this a justification for upgrading your phone? It seems like you may have forgotten what the argument even was. I was arguing against routine 1-2-year upgrades, not against the entire concept of upgrading for something with a serious security vulnerability. If a serious exploit appears in the wild and your only solution is to upgrade -- by all means, go for it. But is that the case here? And this happened periodically every 1-2 years for you to justify upgrading equally often?
But you've got a point about newer apps becoming more demanding of the CPU. Ideally, this trend continues to slow down (Moore's law is essentially over) and software engineers start to find ways to do more with less. There's plenty of room to optimize most software out there, but historically very little incentive to do so. That's changing, or it should.
In the meanwhile, an expensive long-lasting phone should make it possible to upgrade the CPU and/or GPU in a phone for a fraction of the price of the whole phone, so that the phone can be used at its full potential for its complete lifetime. A similar provision applies to batteries, which usually die after a couple of years and would need to be replaced once or twice during the lifetime.
Frankly, I haven't been able to keep a phone long enough for the software to become obsolete because the hardware breaks after 1-2 years. So I want Essential to succeed. A long-lasting phone made with durable materials and with many years of guaranteed software updates is the product we need, if someone dares to make it.
What kind of security updates actually worry you though? Not trying to sound snarky, but do you install sketchy apps regularly? What are examples of actual threats you are trying to protect against? If you install untrusted apps regularly I could see why, but if not then what attack vector are you worried about? Are you worried about a WiFi attack in a coffee shop for example?
Not the person who you are replying to, but in my case, yes, connecting to a hostile WiFi and someone physically stealing my phone and having access to my entire life is exactly my fear.
Also, being able to fine-tweak app permissions is a huge plus for getting an Android 6+ phone.
I've switched to Nexus 5x at the beginning of this month. Current price is around 250€, and I basically gained all the features of flagship models (fast charging, good camera, up to date software, security updates for a year from now etc).
But, up until that point, I refused to install apps that I would be scared of what would happen if they were compromised (so, nothing business-related) and apps that are asking me permissions that I don't want to allow them (as an example, no Facebook app whatsoever).
Been that way ever since I became a smartphone user, which, because of my privacy fears and dissatisfaction with current market options didn't happen until like two years ago.
Regarding hostile Wi-Fi: okay, so that means when such an exploit comes out, you can then decide to buy a new phone if your phone is still not receiving updates and if your phone is vulnerable. And I would expect most such exploits to be specific to the phone brand, not the Android/Linux kernel in general. Out of curiosity, do you know of any actual such exploits that remain unpatched in (say) late versions of Android 4?
Regarding someone stealing your phone: I don't understand what this has to do with OS or hardware updates. You can put a PIN on your phone and encrypt it. Perfectly possible on older versions of Android.
Regarding fine-tweaking app permissions: Privacy Guard and XPrivacy do the same thing. Why necessarily update the OS? And in any case, why constantly keep updating the OS past Android 6 where this feature was introduced?
I certainly can see how there could be some injustice in the gap between men and women in the industry. And I could certainly see how the lack of perspective from women causes decisions that are suboptimal in some contexts. There are probably some companies in some subindustries that would benefit from hiring women programmers.
But every company being desperate to hire women? I don't see how most companies benefit from hiring a woman vs. a man.
To clarify, I'm saying that it seems that hiring a woman vs. a man has roughly the same value to most, but not all, companies. Thoughts?
I see it as related to what you are saying. You will be more likely to have software features or whatever you are designing have features that are applicable to women. You'll think of problems that men don't notice - the classic is startups full of 20 something guys solve different problems than women, such as women with families. Women just face different experiences than men. Similarly, someone from China will probably have a different idea about some things than someone from the US.
Companies avoid sexist choices - a female friend who was a lawyer was at a place that had an offsite activity where women couldn't be members at a golf club (really!).
The women you have will be more comfortable if they are not a super rare bird. An office with women should have supplies in the bathroom like tampons. A company with men might think of razors or deodorant but not that.