Hilarious. When working on a virtual reality VOIP product, someone added a test mode that played back your own speech with a delay. It was like part of your brain shut off, was a surprisingly strong effect.
I'm old enough to remember when cell phones were primarily used for voice calls. Sometimes you'd hear yourself when you were trying to talk to someone, and it was infuriating. You'd have to hang up and call back, if the call was going to go on any length of time.
Do they need software? Presumably the volunteer firefighters 30 years ago didn’t have this and did fine. Plenty of volunteer organizations are built on Airtable or some spreadsheets.
One anecdote I can provide - the department I volunteer for swapped to software based (see: mobile app) personnel calling because the county swapped to the system.
The software can quickly load box data (PDFs of hydrant locations and building details), as well as provide route mapping for individual at their location compared to call.
Additionally, every volunteer has a somewhat modern smartphone in my rural/suburban area. Pagers are not in huge demand anymore.
IMO corporate income tax is the first that should be removed, with a corresponding shift to income taxes. Those can be as progressive as you want, have much lower compliance costs, and don’t distort behavior in the same way. Thought in practice I’m not sure how tax collection from foreign owners would work.
- No PIT on dividend income, which is fair since CIT has already been paid on the money earned by the firm(and paid bt by you as a shareholder in that firm)
- CIT payable only on dividend distribution, not yearly so if a firm keeps on re-investing in the firm paying salaries/suppliers and investing in growth they don't pay any CIT.
Another side effect of 1) is that it would cause companies to distribute dividends rather than doing stock buyback since dividend would have a lower tax rate(0%) than the STCG/LTCG tax rate on stock appreciation.
This is how estonia does it, so we already have some data on effectiveness of this.
Can you quantify what you think that choice looks like?
Say you seized the entirety of Elon Musk’s assets: that could pay for a year and a half of the Dept of Transportation. Say you seized all the wealth (somehow) of the world’s 100 richest people. That’s 2 years of US non-discretionary spending (social security, Medicare and Medicaid). I often see comments that assume all problems could be solved by just taxing the rich more, but I just don’t think that’s true.
The Nordic countries pay for their social safety nets by taxing the middle class more heavily than we do in the US. If you want to change that, it’s less about capital vs labor, and more about your dentist vs labor (dentists be the classic example of jobs that earn high incomes without being “capital owners”).
civilization Mycenaean the of practices religious and economic, administrative the into insights invaluable provides and B Linear as known script the in recorded was language Greek the of form attested earliest The
Oh, interesting, what do you get when you specify that the letters need to be reversed, too? (That was what I meant and the original prompt explicitly stated that requirement. I forgot to include it in the summary of my 'test' here.)
Say they, hypothetically, the police just looked at every drivers license photo of people living in a 1 mile radius. And they find the suspect, and go to a judge saying a combination of appearance, perpetrator in suspects driveway, and criminal history gives probable cause for a search. I don’t think that’s any different.
If they came to the judge and said “an informant said we’ll find the gun here” and the informant was actually Clearview, thats obviously a problem.
The big risk that we need regulation for is not that insurance charges too much, but too little. There will always be the temptation to charge less than the other guy, get lots of customers and hope nothing really bad happens.
This is a great callout, although I suspect the two main things insurers need but can't get today, due to regulations:
1. Ability to raise price based on risk. Regulation example: State won't let insurance company modify their fire risk maps. I believe this has come up in central Oregon for example.
2. Ability to drop people out right. i.e. if they think risk of home insurance is 50/50 next 10 years, they won't insure at all.
1 can accommodate for 2, but then its basically insurer charging the actual price of the home, year one. Maybe they can work out a deal though, like you get the money back if it doesn't burn down. (Mostly parroting things I've heard that seems to make sense).
It’s not like this is unique to rust; you see similar issues with node and python. Distributions have many jobs, but one was solving the lack of package management in C. Now that every modern language a package manager, trying to apply the C package management philosophy is untenable. Specifically, the idea of a single version, globally installed, and producing distro packages for every language specific packages.
Guix is also a distro that allows for any number of versions of the same package globally, something that language specific dependancy managers do not.
Distors are there for a reason, and anyone who doesn't understand that reason is just another contributor to the ongoing collapse of the tower of abstractions we've built.
This is outdated information. Debian (and other distros) already had their own SBOM format called buildinfo files that encodes this kind of information.
In Debian stable ripgrep on amd64 is currently on version 13.0.0-4+b2.
Using language-native packaging doesn't imply that you have to use binaries from wherever. In the pytorch example you can still build it as a regular part of the distribution, using the C++ dependencies/toolchain, it just means you don't try to stuff it into a versioning/distribution/install model that doesn't match the languages expectations.
Except from a management and maintenance perspective...this is a nightmare. When a security vulnerability drops somewhere, everywhere needs to be patched ASAP.
Distros (and the people who run most scales of IT org) want to be able to deploy and verify that the fix is in place - and its a huge advantage if it's a linked library that you can just deploy an upgrade for.
But if it's tons and tons of monolithic binaries, then the problem goes viral - every single one has to be recompiled, redeployed etc. And frequently at the cost of "are you only compatible with this specific revision, or was it just really easy to put that in?"
It's worth noting that docker and friends also while still suffering from this problem, don't quite suffer from it in the same way - they're shipping entire dynamically linked environments, so while not as automatic, being able to simply scan for and replace the library you know is bad is a heck of a lot easier then recompiling a statically linked exe.
People are okay with really specific dependencies when it's part of the business critical application they're supporting - i.e. the nodejs or python app which runs the business, that can do anything it wants we'll keep it running no matter what. Having this happen to the underlying distributions though?
(of note: I've run into this issue with Go - love the static deploys, but if someone finds a vulnerability in the TLS stack of Go suddenly we're rushing out rebuilds).
This is conflating static linking with how the distribution handles updates. If a language is always statically linking dependencies (like Go or Rust), the distribution will have to rebuild everything that depends on a patched package whether or not they are using the language's native tools or some import into the distro package system.
What I'm specifically suggesting is:
* Distributions package *binaries*, but not the individual libraries that those binaries depend on.
* Distributions mirror all dependencies, so that you can (in principle) have a completely offline copy of everything that goes into the distribution. Installing a binary uses the language-specific install tools to pull dependencies, targeting the distribution's mirror.
* Enough dependency tracking to know what needs to be rebuilt if there's a security update.
* Any outside dependencies (e.g openssl) will continue to depend on whatever the distribution packages.
* Dependencies are not globally installed, but use whatever isolation facilities the language has (so e.g, a venv for python, whatever npm does)
As I see it, this all doesn't matter though as soon as "security update" enters the picture.
The problem here is upstream dev's saying "my dependency needs are absolute". And a security update ruins that: because as soon as one happens, now no matter what we're going to be replacing libraries anyway. Even your prosposal includes this: we're going to strip out openssl librares and use distro ones.
At which point everything might break anyway, because whether a security hole can be fixed at all depends on which versions of a library it affects and how. Not to mention problem's like finding the issue in one version, but it's changed enough that it's not clear whether a different version is impacted the same way.
Why is this an issue? Simply recompile and download each package. If the distro worries that the maintainers would take too low just fork and recompile the packages themselves. These days its really not that big of a problem in terms of disk space or network traffic. And if some packages are large its often because of images resources which can be packaged separately. It seems like a lot less effort then trying to guess if dynamicly linked library will work with every package in every case after the update.
It's "whoever turns up to do the work" but I would point out that distros generally have more people in the process who can pick up the work.
The issue is one way or another it needs to happen ASAP: so either the distro is haranguing upstream to "approve" a change, or they're going to be going in and carrying patches to Cargo.toml anyway - so this idea of "don't you dare touch my dependencies" lasts exactly as long as until you need a fix in ASAP.
Probably most of these tiny crates have 1 or 0 maintainers. Chances are that they will not be quick to fix a vulnerability.
And even if they are, for rust software that doesn't come from debian, there is no way to ensure it all gets rebuilt and updated with the fix.
Also, projects are generally slow (taking several months) to accept patches. When a distribution has fixed something and the users notice no issue, the upstream project if downloaded and compiled would be a different matter entirely.
> Now that every modern language a package manager...
...they fail to integrate with dependencies written in any other language.
It's fine if you just want to sit a monoculture language software stack on top of a multilingual base platform. You can't make a functional system with one language alone, yet those who criticise distribution packaging architecture do so while simultaneously depending on this ability that language-specific package managers do not have. There is no viable alternative today. Most critics think they understand the general problem but only have narrow practical experience, so end up believing that their solution is superior while not considering the general multilingual software supply problem.
Nix isn't a solution either, because in the general case Nix isn't security-supporting arbitrary and multiple dependency versions either.
The doctor / hospital that refuses to treat when insurance declines is also involved in the “omission of expected care”. Would they also be guilty of premeditated murder?
reply