Rosano / Journal

341 entries under "article"

Wednesday, March 4, 2026

How n8n Handles Vulnerability Disclosure - and Why We Do It This Way

[Closed-source security updates are hidden from attackers, which means the time they need to reverse-engineer a patch is a window for users to safely apply the update. Open-source security patches are immediately visible and become a roadmap for attackers to target those who haven't updated yet.]

[We currently publish patches and advisories on the same day to minimize the exploitable window. We also develop fixes in private and merge into public only when it's announced.]

Sunday, March 1, 2026

Sustainable Open Source

newcomer’s contributions aren’t as complete or far-reaching as those of experienced contributors, so it is doubly important for you to care about the people and their enthusiasm about your project more than that typo-fix they put on the website. We’ve turned someone who fixed a single typo on the website into a steady contributor and well respected community member that now helps out all over the project.

How I Learned to Stop Caring and Love Open Source

For early stage projects, care is the only thing you can give them. But once you’ve shipped version 1.0.0 or even 2.0.0, once you wrote all the documentation, once people start using the project in production with success, once you’ve talked the 100th person through getting started on IRC or Slack, your priorities have to change.

Sunday, February 15, 2026

always bet on text

Text is the most socially useful communication technology. It works well in 1:1, 1:N, and M:N modes. It can be indexed and searched efficiently, even by hand. It can be translated. It can be produced and consumed at variable speeds. It is asynchronous. It can be compared, diffed, clustered, corrected, summarized and filtered algorithmically. It permits multiparty editing. It permits branching conversations, lurking, annotation, quoting, reviewing, summarizing, structured responses, exegesis, even fan fic. The breadth, scale and depth of ways people use text is unmatched by anything. There is no equivalent in any other communication technology for the social, communicative, cognitive and reflective complexity of a library full of books or an internet full of postings. Nothing else comes close.

Provisional Guidance for Users of LLM-Based Code Generators

I’m sure there will be links like “Court Rules AI Art Can’t Be Copyrighted” aplenty. They will be wrong. The court didn’t rule that AI art can’t be copyrighted. It ruled that copyright requires human authorship, surprising approximately zero copyright lawyers…or people who have read the Wikipedia page.

If you’re looking for a “simple legal rule” so that you can game it, nitpick its terms, or run right up to its line, you’re looking for trouble. Don’t blame me when you find it. But if you’re a realistic player just looking for a sense of odds so you can place wiser bets, the amount of output you accept from an LLM into your codebase at once, and the extent to which it makes what look like implementation choices, rather than simply invoking APIs or established boilerplate, probably represents your best intuitive heuristic. Your working sense of whether it looks like code completion, template-based code generation, or what coders used to have to unavoidably think through and type for themselves, before Copilot and the like came around, can serve as first-pass proxy for legal peril.

If it’s what everybody else checks in to use the same APIs, that’s unlikely creative expression that anyone can claim to own and see infringed. The more specific, creative routines that go within that boilerplate? Yes, potentially. The rigging, patterns, and boilerplate everybody else is filling in, too? Not so much.

the newer a novel, commercially relevant phenomenon, the less specifically-worded, algorithm-like rules determine outcomes at law, and the more important the purposes behind more generally worded rules become. Lawyers call abstractly stated, syllogism-like rules “black letter law” and the more generalized purposes “policies”. When how to apply black letter law isn’t clear, we cite and fight about policies in arguing how to read in context.

When you prompt and take big chunks of code from LLMs that rate high on the intuitive completion-generation-authorship scale, document your code input state, prompts, and further edits. Create a written record of your innocent use of LLMs.

If you were going to code a key part of a project ten years ago, and worried you’d be accused of plagiarism, the natural advice would’ve been to document your process. Don’t just phone it in with an “Implemented $foo” commit message. Write a nice long one, and maybe blog work in progress or keep a “lab notebook”, too.

Friday, February 13, 2026

Running out of narratives

Crypto is here to stay and it’s big! But it’s mostly a financial asset class built on narratives, self-referential applications, and a side order of niche use cases. The killer use case is stablecoins. That’s pretty boring.

Bitcoin is not a viable high-volume payment system. It’s not a safe haven. It’s not a hedge against a weak USD or inflation. It was a risky asset. But then it didn’t rally when every other risky asset in the world exploded higher. It was digital gold. Then gold and silver doubled and tripled and bitcoin stood still, looking on with jealous awe.

So my view is that crypto is maturing into a small but meaningful asset class with some important but kinda niche use cases. That’s about it. Like video games, or 3D printing, or VR. Exciting, useful, and important industries. But not the internet. Not railroads. Not AI. There is no coming wave of innovation that will take it to the promised land. Crypto has arrived. It’s maturing. It’s not early. What you see is what you get.

OAuth, or, The Elaborate Ceremony of Not Giving People Your Password

[Implicit Grant throws your key to you across a lobby full of interested parties. Proof Key for Code Exchange (PKCE) ensures that the one who requested the key gets it. Neither will solve impersonation attacks via social engineering.]

Thursday, February 12, 2026

Tactical tornado is the new default

When it comes to implementing a quick feature, nobody gets it done faster than the tactical tornado. In some organizations, management treats tactical tornadoes as heroes. However, tactical tornadoes leave behind a wake of destruction. They are rarely considered heroes by the engineers who must work with their code in the future. Typically, other engineers must clean up the messes left behind by the tactical tornado, which makes it appear that those engineers (who are the real heroes) are making slower progress than the tactical tornado.

How StrongDM’s AI team build serious software without even looking at the code

[Describe tests as 'scenarios' that represent user stories, and 'satisfaction' to quantify that it's happening, then store it where agents can't see them.]

We built twins of Okta, Jira, Slack, Google Docs, Google Drive, and Google Sheets, replicating their APIs, edge cases, and observable behaviors.

Eight more months of agents

I know local models will win. At some point frontier models will face diminishing returns, local models will catch up, and we will be done being beholden to frontier models. That will be a wonderful day, but until then, you will not know what models will be capable of unless you use the best. Pay through the nose for Opus or GPT-7.9-xhigh-with-cheese. Don't worry, it's only for a few years.

The Anthropic Hive Mind

But I managed. People usually figure out I’m harmless within about 14 seconds of meeting me. I have developed, in my wizened old age, a curious ability to make people feel good, no matter who they are, with just a little conversation, making us both feel good in the process. (You probably have this ability too, and just don’t know how to use it yet.)

During Golden Ages, there is more work than people. And when they crash, it is because there are more people than work.

“I AM GOING DOWN TO GET A DONUT NOW,” they will say, and someone will yell from the nap couch, “GET ME A DONUT.” “I AM ALSO DELETING THE DATABASE.” “OK.”

A lot of engineers like to work in relative privacy, or even secrecy. They don’t want people to see all the false starts, struggles, etc. They just want people to see the finished product. It’s why we have git squash and send dignified PRs instead of streaming every compile error to our entire team.

The Settlers of Catan inventor Teuber famously built new games for his own family to playtest for years, before they finally found the formula for Catan through many iterations.

The center of the campfire is a living prototype. There is no waterfall. There is no spec. There is a prototype that simply evolves, via group sculpting, into the final product: something that finally feels right. You know it when you finally find it.

Anthropic’s Hive Mind is described by employees as “Yes, and…” style improvisational theater. Every idea is welcomed, examined, savored, and judged by the Hive Mind. It’s all based on vibes. There is no central decision-making authority. They are just trying everything, and when magic happens, they all just kind of realize it at once.

all companies are asking variations of just the same two questions. They bluster and bluff and try to act informed, but they are all terrified. When you cluster their questions, they break down into, “Will everything be OK?” and “Will we be here in five years?”

We mourn our craft

I didn’t ask for the role of a programmer to be reduced to that of a glorified TSA agent, reviewing code to make sure the AI didn’t smuggle something dangerous into production.

The Great Realtime Collaboration Misdirection

the need for realtime editing in applications is greatly exaggerated. Think about how rare it is to:

get two people to be in the same place at the same time
have a task where more than one person makes changes at a time
want other people peering over their shoulder while they work

Permissioned Data Diary 1: To Encrypt or Not to Encrypt

[End-to-end encryption may have become the baseline for messages, but not everything needs that. Nobody expects a large group forum or Patreon-style membership area to deal with secret keys.]

this inherent complexity isn’t something that the protocol team at Bluesky can just handle - it gets pushed out to every dev trying to build a client that works with encrypted data.

Tuesday, February 10, 2026

The Green Room

People who end up in positions of power are often not there because they’re particularly profound, or strong, or even nefarious, but rather because they’re trauma-ridden vessels who offer the least resistance to the inhuman forces of our economic system, and who are therefore, almost evolutionarily, ‘selected’ by it.

Before You "Build a Community," Decide: Library or Coffee Shop?

[Popular communities can be categorized as either "libraries" (where visitors look for an answer, then leave without ever signing up) or "cafes" (where people of shared interests come to have open-ended discussions). Each requires a different approach to be successful.]

Wednesday, February 4, 2026

A spoiler for the future - Bitcoin

Austerity measures will have taken the route of unprecedented and radical decimation of the state - everything from state provided healthcare to coastguards to income support to education will be practically gone replaced with numerous forms of bitcoin based insurance. If you can't afford it then you won't be able to gain access to it. There will be no state help as the state can neither fund universal care nor determine whether you deserve support.

Is there a better word for 'hackathon'?

[Common hackathon activities like coding are not a good use of my time for an in-person event. I need quiet focus time and good ergonomics to do programming. Better to use these rare encounters with colleagues to chat, brainstorm, or do exploratory design work, for instance. I already start hacky prototypes on a whim anyway and don’t need an event to do it.]

WE ALL FEEL THE TRANSITION

I don't think it's the changeover itself that hurts. It's the speed. We all feel this transition. It creates a kind of thin corridor where many so-called shortcuts are currently being taken that are not really shortcuts at all. Outcomes and effects will simply be different. Efficiency is increasingly confused with impact.

i hope more people hear the call to be thoughtful in how they approach these new possibilities. with great speed, many are adopting something on shaky ground, ready to lock themselves in and throw away the key.